Skip to content

Instantly share code, notes, and snippets.

View Samirbous's full-sized avatar

Samirbous

42 followers · 19 following
View GitHub Profile
@Samirbous
Samirbous / Detonate Dataset
Last active March 8, 2024 11:27
This file has been truncated, but you can view the full file.
98faaafd3b450d836415eff09da56591fe31c54b4a668498416537262f2cd4c6
d5760da745c915753a1364a3d9762e75b503192327473bb3bda85282a532f4bc
ae67088e35d84034a56217bffe9aa3f830ea745b521432a6406106f446cfcee2
c382b67f4330082877b179fa1d7178cb8261f7519b2bf46965e6cabcd4c943b4
c7fb77d22e1d937220cc3a7527dd9eb6f5b663da81c830c67f1ba892a868ca27
68864134a67842ac2f863dfd92ec6ad6567571a436663b0bceda9e2ef0222de2
e8cbafcf196bb80ccb2249e8f6a18c02d8d67926a298165592c4ec742851749f
f67dd838b2a5fbb4739bd30ca721240f99f2f66e49c352aa600f2d443004c787
159dc9de2d297a560eda6f1a1b861d4fe52a285aa475137fc32688ccde8de7e5
f900d5bebd2241a0f1bf969c7c2ece6b6f53440d97ee3ddcd19566866a2dca18
@Samirbous
Samirbous / zeft
Created February 14, 2024 15:01
"process": {
"args": [
"rundll32.exe",
"C:\\WINDOWS\\system32\\davclnt.dll,DavSetCookie",
"brukjanesis.com@80",
"http://brukjanesis.com/TrdGallery/ResultTrd.bmp.url"
],
@Samirbous
Samirbous / gist:b52ba47bd1d51294c9c16d93fe68549d
Created November 18, 2023 15:30
get-date
@Samirbous
Samirbous / gist:4ae52f63c28df262b3edc4d7c89bbe67
Created November 12, 2023 12:13
// requires 4688 - process creation audit to be enabled
// EQL query
process where event.action == "created-process" and
not startswith~(winlog.event_data.TargetUserSid, winlog.event_data.SubjectUserSid) and
winlog.event_data.TargetUserSid : "S-1-5-21-*" and not winlog.event_data.TargetUserSid: "S-1-0-0" and
not process.parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\Windows\\System32\\svchost.exe", "?:\\Windows\\System32\\runtimebroker.exe")
// ES|QL query - frequency based - 1 host with a unique parent and child proc running as different user identities
@Samirbous
Samirbous / ES|QL Masquerading as MS Native DLL
Created November 9, 2023 18:55
// DLLs normally located in system32 but unsigned and loaded from elsewhere
// https://www.elastic.co/guide/en/elasticsearch/reference/master/esql-enrich-data.html
// example ENRICH libs-policy creation steps
https://gist.github.com/Samirbous/9f9c3237a0ada745e71cc2ba3425311c
ES|QL query:
from .ds-logs-endpoint.events.library-*
| where event.action == "load" and process.code_signature.status == "trusted" and dll.code_signature.status != "trusted" and
@Samirbous
Samirbous / ES|QL Native DLL Hijack
Created November 9, 2023 18:47
// DLLs normally located in system32 but unsigned and loaded from elsewhere
// https://www.elastic.co/guide/en/elasticsearch/reference/master/esql-enrich-data.html
// example ENRICH libs-policy creation steps
https://gist.github.com/Samirbous/9f9c3237a0ada745e71cc2ba3425311c
@Samirbous
Samirbous / gist:9f9c3237a0ada745e71cc2ba3425311c
Created November 8, 2023 13:43
// create source index and define types
PUT /libs
{
"mappings": {
"properties": {
"dll": {
"properties": {
"name": {
"type": "text",
"fields": {
@Samirbous
Samirbous / gist:81b40ff073ce4bf5d3c6ce558a9d0106
Created November 7, 2023 20:05
PUT /native_dll1_index
{
"mappings": {
"properties": {
"dll": {
"properties": {
"name": {
"type": "text",
"fields": {
"keyword": {
@Samirbous
Samirbous / ms native dll hijack ernich policy
Created November 7, 2023 10:49
PUT /libs/_doc/1?refresh=wait_for
{
"dll.name": [
"aadauthhelper.dll",
"aadcloudap.dll",
"aadjcsp.dll",
"aadtb.dll",
"aadwamextension.dll",
"aarsvc.dll",
"abovelockapphost.dll",
@Samirbous
Samirbous / hunt EoP via Service
Created September 18, 2023 15:24
sequence by winlog.computer_name with maxspan=5m
[authentication where event.action == "logged-in" and
// non Elevated Token
winlog.event_data.ElevatedToken : "%%1843"] by winlog.event_data.TargetLogonId
[iam where event.action == "service-installed"] by winlog.event_data.SubjectLogonId