Skip to content

Instantly share code, notes, and snippets.

@MHaggis
Last active October 28, 2022 08:13
Show Gist options
  • Save MHaggis/0dbe00ad401daa7137c81c99c268cfb7 to your computer and use it in GitHub Desktop.
Save MHaggis/0dbe00ad401daa7137c81c99c268cfb7 to your computer and use it in GitHub Desktop.
`powershell` EventCode=4104 
| eval DoIt = if(match(Message,"DoIt"), "1", 0)
| eval enccom = if(match(Message,"EncodedCommand"), "1", 0)
| eval base64 = if(match(Message,"FromBase64"), "1", 0)
| eval iex = if(match(Message,"IEX"), "1", 0)
| eval rundll32 = if(match(Message,"rundll32"), "1", 0)
| eval webclient = if(match(Message,"WebClient"), "1", 0)
| eval syswow64 = if(match(Message,"syswow64"), "1", 0)
| eval powver = if(match(Message,"powershell -version"), "1", 0)
| eval httplocal = if(match(lower(Message),"http://127.0.0.1"), "1", 0)
| eval reflection = if(match(Message,"Reflection"), "1", 0)
| eval startproc = if(match(Message,"Start-Process"), "1", 0)
| eval invokewmi = if(match(Message,"Invoke-WMIMethod"), "1", 0)
| eval invokecmd = if(match(Message,"Invoke-Command"), "1", 0)
| addtotals fieldname=Score DoIt, enccom, iex, rundll32, webclient, syswow64, powver, httplocal, reflection, startproc, invokewmi, invokecmd, base64
| stats values(Message) by Score
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
`powershell` EventCode=4104 
| eval DoIt = if(match(Message,"DoIt"), "1", 0)
| eval enccom = if(match(Message,"EncodedCommand"), "1", 0)
| eval base64 = if(match(Message,"FromBase64"), "1", 0)
| eval iex = if(match(Message,"IEX"), "1", 0)
| eval rundll32 = if(match(Message,"rundll32"), "1", 0)
| eval webclient = if(match(Message,"WebClient"), "1", 0)
| eval syswow64 = if(match(Message,"syswow64"), "1", 0)
| eval powver = if(match(Message,"powershell -version"), "1", 0)
| eval httplocal = if(match(lower(Message),"http://127.0.0.1"), "1", 0)
| eval reflection = if(match(Message,"Reflection"), "1", 0)
| eval startproc = if(match(Message,"Start-Process"), "1", 0)
| eval invokewmi = if(match(Message,"Invoke-WMIMethod"), "1", 0)
| eval invokecmd = if(match(Message,"Invoke-Command"), "1", 0)
| addtotals fieldname=Score DoIt, enccom, iex, rundll32, webclient, syswow64, powver, httplocal, reflection, startproc, invokewmi, invokecmd, base64
| stats values(Score) by DoIt, enccom, iex, rundll32, webclient, syswow64, powver, httplocal, reflection, startproc, invokewmi, invokecmd, base64
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`

lower all

`powershell` EventCode=4104 
| eval DoIt = if(match(lower(Message),"doit"), "1", 0)
| eval enccom = if(match(lower(Message),"encodedcommand"), "1", 0)
| eval base64 = if(match(lower(Message),"frombase64"), "1", 0)
| eval iex = if(match(lower(Message),"iex"), "1", 0)
| eval rundll32 = if(match(lower(Message),"rundll32"), "1", 0)
| eval webclient = if(match(lower(Message),"webclient"), "1", 0)
| eval syswow64 = if(match(lower(Message),"syswow64"), "1", 0)
| eval powver = if(match(lower(Message),"powershell -version"), "1", 0)
| eval httplocal = if(match(lower(Message),"http://127.0.0.1"), "1", 0)
| eval reflection = if(match(lower(Message),"reflection"), "1", 0)
| eval startproc = if(match(lower(Message),"start-process"), "1", 0)
| eval invokewmi = if(match(lower(Message),"invoke-wmimethod"), "1", 0)
| eval invokecmd = if(match(lower(Message),"invoke-command"), "1", 0)
| addtotals fieldname=Score DoIt, enccom, iex, rundll32, webclient, syswow64, powver, httplocal, reflection, startproc, invokewmi, invokecmd, base64
| stats values(Score) by DoIt, enccom, iex, rundll32, webclient, syswow64, powver, httplocal, reflection, startproc, invokewmi, invokecmd, base64
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`

Latest

`powershell` EventCode=4104 
| eval DoIt = if(match(lower(Message),"doit"), "1", 0)
| eval enccom = if(match(lower(Message),"encodedcommand"), "1", 0)
| eval base64 = if(match(lower(Message),"frombase64"), "1", 0)
| eval empire=if(match(lower(Message),"system.net.webclient") AND match(lower(Message), "frombase64string") ,1,0)
| eval mimikatz=if(match(lower(Message),"mimikatz") OR match(lower(Message), "-dumpcr") OR match(lower(Message), "SEKURLSA::Pth") OR match(lower(Message), "kerberos::ptt") OR match(lower(Message), "kerberos::golden") ,1,0)
| eval iex = if(match(lower(Message),"iex"), "1", 0)
| eval get = if(match(lower(Message),"get-"), "1", 0)
| eval rundll32 = if(match(lower(Message),"rundll32"), "1", 0)
| eval webclient = if(match(lower(Message),"webclient"), "1", 0)
| eval syswow64 = if(match(lower(Message),"syswow64"), "1", 0)
| eval powver = if(match(lower(Message),"powershell -version"), "1", 0)
| eval httplocal = if(match(lower(Message),"http://127.0.0.1"), "1", 0)
| eval reflection = if(match(lower(Message),"reflection"), "1", 0)
| eval startproc = if(match(lower(Message),"start-process"), "1", 0)
| eval invokewmi = if(match(lower(Message),"invoke-wmimethod"), "1", 0)
| eval invokecmd = if(match(lower(Message),"invoke-command"), "1", 0)
| addtotals fieldname=Score DoIt, enccom, mimikatz,iex,empire, rundll32, webclient, syswow64, powver, httplocal, reflection, startproc, invokewmi, invokecmd, base64, get
| stats values(Score) by DoIt, enccom, iex, mimikatz, rundll32,empire, webclient, syswow64, powver, httplocal, reflection, startproc, invokewmi, invokecmd, base64, get
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment