Created
March 2, 2018 10:36
-
-
Save MHaggis/5601650d36d231298e0d7c86e28f4fad to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [POWERSHELL-DOWNLOAD-HUNT] | |
| dispatch.earliest_time = -24h@h | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = bar | |
| display.visualizations.show = 0 | |
| search = FileName=powershell.exe (CommandLine=*DownloadFile* OR CommandLine=*invoke-webrequest*) | stats values(CommandLine) as "commands" by ComputerName | |
| [BCDEDIT-OFF-HUNT] | |
| dispatch.earliest_time = -24h@h | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = bar | |
| display.visualizations.show = 0 | |
| search = FileName=bcdedit.exe CommandLine=*off | stats values(CommandLine) as "commands" by ComputerName | |
| [WIN-REG-ADD-HUNT] | |
| dispatch.earliest_time = @w0 | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = bar | |
| display.visualizations.show = 0 | |
| search = FileName=cmd.exe CommandLine=*reg add* NOT citrix NOT dinocapture| stats values(CommandLine) as "commands" by ComputerName | |
| [SCHEDULED-TASK-CREATION-HUNT] | |
| dispatch.earliest_time = -24h@h | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = bar | |
| display.visualizations.show = 0 | |
| search = FileName=cmd.exe CommandLine=*schtasks* NOT WizMouse| stats values(CommandLine) as "commands" by ComputerName | |
| [SCHEDULED-TASK-CREATION-USER-PROFILE-HUNT] | |
| dispatch.earliest_time = -24h@h | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = bar | |
| display.visualizations.show = 0 | |
| search = FileName=cmd.exe CommandLine=*schtasks* *appdata* NOT WizMouse| stats values(CommandLine) as "commands" by ComputerName | |
| [WIN-MSHTA-USAGE-HUNT] | |
| dispatch.earliest_time = -7d@h | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = bar | |
| display.visualizations.show = 0 | |
| search = FileName=mshta.exe NOT CommandLine=*.hta| stats values(CommandLine) as "commands" by ComputerName | |
| [CLI-NET-HIDDENSHARE-HUNT] | |
| dispatch.earliest_time = -24h@h | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = bar | |
| display.visualizations.show = 0 | |
| search = FileName=net.exe CommandLine=*ipc$*| stats values(CommandLine) as "commands" by ComputerName | |
| [CLI-NETVIEW-USAGE-HUNT] | |
| dispatch.earliest_time = -24h@h | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = line | |
| display.visualizations.show = 0 | |
| search = FileName=netview.exe | stats values(CommandLine) as "commands" by ComputerName | |
| [WIN-NTDSUTIL-USAGE-HUNT] | |
| dispatch.earliest_time = -24h@h | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = bar | |
| display.visualizations.show = 0 | |
| search = FileName=ntdsutil.exe NOT svcdsrm| stats values(CommandLine) as "commands" by ComputerName | |
| [WIN-QWINSTA-USAGE-HUNT] | |
| dispatch.earliest_time = -24h@h | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = line | |
| display.visualizations.show = 0 | |
| search = FileName=qwinsta.exe | stats values(CommandLine) as "commands" by ComputerName | |
| [WIN-REGSVR32-NOT-DLL-HUNT] | |
| dispatch.earliest_time = -24h@h | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = bar | |
| display.visualizations.show = 0 | |
| search = FileName=regsvr32.exe CommandLine=*.jpg* | stats values(CommandLine) as "commands" by ComputerName | |
| [WIN-REGSVR32-PROGRAMDATA-HUNT] | |
| description = Regsvr32.exe executing file out of programdata directory FilePath. | |
| dispatch.earliest_time = @d | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = bar | |
| display.visualizations.show = 0 | |
| search = FileName=regsvr32.exe CommandLine="\\programdata\\"| stats values(CommandLine) as "commands" by ComputerName | |
| [WIN-RUNDLL32-SCROBJ-APPBYPASS-HUNT] | |
| dispatch.earliest_time = -24h@h | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = bar | |
| display.visualizations.show = 0 | |
| search = FileName=rundll32.exe CommandLine=*scrobj.dll* | stats values(CommandLine) as "commands" by _time,ComputerName | |
| [PROC-WATCHDOG-CLI-HUNT] | |
| dispatch.earliest_time = -7d@h | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = bar | |
| display.visualizations.show = 0 | |
| search = CommandLine=watchdogproc*| stats values(CommandLine) as "commands" by ComputerName | |
| [WINWORD-INVOICE-HUNT] | |
| dispatch.earliest_time = -7d@h | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = line | |
| display.visualizations.show = 0 | |
| search = FileName=winword.exe Outlook\\ \\invoice*.doc | bucket _time span=1d | stats values(CommandLine) as "comamnds" by ComputerName | |
| [WIN-WSCRIPT-VBS-VBE-HUNT] | |
| dispatch.earliest_time = -24h@h | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = bar | |
| display.visualizations.show = 0 | |
| search = FileName=wscript.exe CommandLine=*..vbs* OR CommandLine=*.vbe* NOT SUBSCRIPTS NOT Loginscript.vbe | stats values(CommandLine) as "commands" by _time,ComputerName | |
| [WIN-REGSVR32-USER-PROFILE-HUNT] | |
| dispatch.earliest_time = -7d@h | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = bar | |
| display.visualizations.show = 0 | |
| search = FileName=regsvr32.exe CommandLine="\\AppData\\"| stats values(CommandLine) as "commands" by ComputerName | |
| [WIN-RUNDLL32-CONTROL-RUNDLL-HUNT] | |
| dispatch.earliest_time = -7d@h | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = bar | |
| display.visualizations.show = 0 | |
| search = FileName=rundll32.exe CommandLine="*,Control_RunDLL" | bucket _time span=1d | stats values(CommandLine) as "commands" by ComputerName | |
| [WIN-RUNDLL32-DLLREGISTERSERVER-HUNT] | |
| dispatch.earliest_time = @w0 | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = bar | |
| display.visualizations.show = 0 | |
| search = FileName=rundll32.exe CommandLine=*DllRegisterServer | bucket _time span=1d | stats values(CommandLine) as "commands" by ComputerName | |
| [WIN-PROGRAMDATA-BAT-HUNT] | |
| dispatch.earliest_time = -7d@h | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = bar | |
| display.visualizations.show = 0 | |
| search = FileName=cmd.exe CommandLine=*\\programdata\\* AND CommandLine=*.bat NOT bginfo NOT onconnect NOT biomedical NOT goloader NOT kace| stats values(CommandLine) by ComputerName | |
| [BITSADMIN-USAGE-HUNT] | |
| dispatch.earliest_time = -24h@h | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = bar | |
| display.visualizations.show = 0 | |
| search = FileName=bitsadmin.exe | stats values(CommandLine) by ComputerName | |
| [BITSADMIN-DOWNLOAD-ALERT] | |
| dispatch.earliest_time = -1h: | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = bar | |
| display.visualizations.show = 0 | |
| search = FileName=bitsadmin.exe CommandLine:"*//transfer //Download" | table ComputerName, UserName, CommandLine, _time | |
| [POWERSHELL-ENC-HUNT] | |
| dispatch.earliest_time = -24h@h | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = line | |
| display.visualizations.show = 0 | |
| search = FileName=powershell.exe (base64 OR -enc OR -ec OR -en OR -enco OR -encod OR -encode OR -encoded OR -encodedC OR -encodedco OR -encodedcom OR -encodedcomm OR -encodedcomma OR -encodedcomman OR -encodedcommand)| stats values(CommandLine) as "commands" by ComputerName | |
| [WIN-NETSH-OPMODE-HUNT] | |
| dispatch.earliest_time = @w0 | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = bar | |
| display.visualizations.show = 0 | |
| search = FileName=netsh.exe CommandLine="*opmode*"| stats values(CommandLine) as "commands" by ComputerName | |
| [WIN-PSEXEC-USAGE-HUNT] | |
| dispatch.earliest_time = @w0 | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = line | |
| display.visualizations.show = 0 | |
| search = FileName=psexec.exe OR FileName=psexesvc.exe | stats values(CommandLine) as "commands" by ComputerName | |
| [WIN-RUNDLL32-ROAMINGDIR-HUNT] | |
| dispatch.earliest_time = -24h@h | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = bar | |
| display.visualizations.show = 0 | |
| search = FileName=rundll32.exe Roaming NOT shopenverbshortcut | stats values(CommandLine) as "commands" by ComputerName | |
| [SUSP-MAIL-SPAMMING-HUNT] | |
| dispatch.earliest_time = @d | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = bar | |
| display.visualizations.show = 0 | |
| search = event_simpleName=NetworkConnectIP4 RPort=25 OR RPort=587 |stats count values(RPort) by ComputerName | |
| [WIN-CSCRIPT-URL-HUNT] | |
| dispatch.earliest_time = -24h@h | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = fast | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = line | |
| display.visualizations.show = 0 | |
| search = FileName=cscript.exe http | stats values(CommandLine) as commands by ComputerName | |
| [VSS-DELETE-CLI-HUNT] | |
| dispatch.earliest_time = -24h@h | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.show = 0 | |
| search = FileName=vssadmin.exe CommandLine=*delete* | stats values(CommandLine) as "commands" by ComputerName | |
| [WIN-POWERSHELL-INVOKE-EXPRESSION-HUNT] | |
| dispatch.earliest_time = -24h@h | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = bar | |
| display.visualizations.show = 0 | |
| search = FileName=powershell.exe iex earliest = -1h| stats values(CommandLine) as "commands" by ComputerName | |
| [WIN-NET-USER-HUNT] | |
| dispatch.earliest_time = -7d@h | |
| dispatch.latest_time = now | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.patterns.sensitivity = 0.6 | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = bar | |
| display.visualizations.show = 0 | |
| search = FileName=net.exe net use user| stats count values(CommandLine) by ComputerName,UserName | |
| [WIN-WSCRIPT-JS-HUNT] | |
| dispatch.earliest_time = -24h@h | |
| dispatch.latest_time = now | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.patterns.sensitivity = 0.6 | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = bar | |
| display.visualizations.show = 0 | |
| search = FileName=wscript.exe \\Rar$*\\ OR ".zip" \\appdata\\ | stats values(CommandLine) by ComputerName | |
| [WIN-WMIC-SHADOWCOPY-DELETE-ALERT] | |
| dispatch.earliest_time = -7d@h | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.page.search.mode = verbose | |
| display.page.search.patterns.sensitivity = 0.6 | |
| display.visualizations.charting.chart = bar | |
| display.visualizations.show = 0 | |
| search = FileName=wmic.exe shadowcopy OR delete | table ComputerName, UserName, CommandLine, _time | |
| [WIN-WSCRIPT-VBS-VBE-ALERT] | |
| counttype = number of events | |
| dispatch.earliest_time = -1h | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = bar | |
| display.visualizations.show = 0 | |
| quantity = 0 | |
| relation = greater than | |
| search = FileName=wscript.exe CommandLine=*..vbs* OR CommandLine=*.vbe* NOT SUBSCRIPTS NOT Loginscript.vbe | table ComputerName, UserName, CommandLine, _time | |
| [WIN-BAT-PROGRAMDATA-ALERT] | |
| counttype = number of events | |
| dispatch.earliest_time = -1h | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = bar | |
| display.visualizations.show = 0 | |
| quantity = 0 | |
| relation = greater than | |
| search = FileName=cmd.exe CommandLine=\\programdata\\ AND CommandLine=*x.bat NOT bginfo NOT onconnect NOT biomedical NOT goloader NOT kace | table ComputerName, UserName, CommandLine, _time | |
| [VSS-DELETE-CLI-ALERT] | |
| counttype = number of events | |
| dispatch.earliest_time = -1h | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.show = 0 | |
| quantity = 0 | |
| relation = greater than | |
| search = CommandLine="vssadmin.exe Delete Shadows /All /Quiet" OR CommandLine="\"C:\\Windows\\System32\\vssadmin.exe\" Delete Shadows /All /Quiet " | table ComputerName, UserName, CommandLine, _time | |
| [WIN-WSCRIPT-ZIP-RAR-JS-ALERT] | |
| counttype = number of events | |
| dispatch.earliest_time = -1h | |
| dispatch.latest_time = now | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.patterns.sensitivity = 0.6 | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = bar | |
| display.visualizations.show = 0 | |
| quantity = 0 | |
| relation = greater than | |
| search = FileName=wscript.exe \\Rar$*\\ OR ".zip" \\appdata\\ | table ComputerName, UserName, CommandLine, _time | |
| [WIN-RUNDLL32-DLLREGISTERSERVER-ALERT] | |
| counttype = number of events | |
| dispatch.earliest_time = -1h | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = bar | |
| display.visualizations.show = 0 | |
| quantity = 0 | |
| relation = greater than | |
| search = FileName=rundll32.exe CommandLine=*DllRegisterServer NOT CommandLine="*xapauthenticodesip.dll*" NOT veraport20.dll NOT \\devmcopy\\| table ComputerName, UserName, CommandLine, _time | |
| [WIN-WSCRIPT-USAGE-HUNT] | |
| counttype = number of events | |
| dispatch.earliest_time = -1h | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.page.search.mode = verbose | |
| display.visualizations.charting.chart = bar | |
| display.visualizations.show = 0 | |
| quantity = 0 | |
| relation = greater than | |
| search = FileName=wscript.exe CommandLine=*..vbs* OR CommandLine=*.vbe* NOT SUBSCRIPTS NOT Loginscript.vbe | |
| [WIN-MSHTA-JAVASCRIPT-ALERT] | |
| counttype = number of events | |
| dispatch.earliest_time = -1h | |
| dispatch.latest_time = now | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.patterns.sensitivity = 0.6 | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = bar | |
| quantity = 0 | |
| relation = greater than | |
| search = FileName=mshta.exe CommandLine=*javascript:* | table ComputerName, UserName, CommandLine, _time | |
| [POWERSHELL-ENCODEDCOMMAND-ALERT] | |
| counttype = number of events | |
| description = A Powershell Encoded Command was executed | |
| dispatch.earliest_time = -1h | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = line | |
| display.visualizations.show = 0 | |
| quantity = 0 | |
| relation = greater than | |
| search = FileName=powershell.exe (base64 OR -enc OR -ec OR -en OR -enco OR -encod OR -encode OR -encoded OR -encodedC OR -encodedco OR -encodedcom OR -encodedcomm OR -encodedcomma OR -encodedcomman OR -encodedcommand) | table ComputerName, UserName, CommandLine, _time |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment