Samirbous
Samirbous
/ EQL - AD Mass Properties Enum
Created
January 28, 2023 23:05
View EQL - AD Mass Properties Enum
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| any where event.action == "Directory Service Access" and | |
| event.code == "4662" and | |
| not winlog.event_data.SubjectUserSid : "S-1-5-18" and | |
| winlog.event_data.AccessListDescription : "Read Property" and | |
| length(winlog.event_data.Properties) >= 800 |
Samirbous
/ atomic_endpoint_behavior_rules
Created
October 22, 2022 15:16
View atomic_endpoint_behavior_rules
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "Top 1000 values of rule.name","Count of records" | |
| "Connection to WebService by a Signed Binary Proxy",342 | |
| "Managed .NET Code Execution via PowerShell",79 | |
| "Execution via a Suspicious WMI Client",57 | |
| "Credential Access via Known Utilities",40 | |
| "Regsvr32 Scriptlet Execution",39 | |
| "Suspicious Bitsadmin Activity",34 | |
| "Suspicious Windows Command Shell Execution",32 | |
| "Script Execution via Microsoft HTML Application",28 | |
| "Suspicious Execution via Windows Management Instrumentation",27 |
Samirbous
/ EntAppSvc Incoming Netcon dcom
Created
October 13, 2022 19:12
View EntAppSvc Incoming Netcon dcom
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence by host.id, process.entity_id with maxspan=3s | |
| [process where event.type == "start" and process.name : "svchost.exe" and process.args : "appmodel"] | |
| [network where event.action == "connection_accepted" and | |
| process.name : "svchost.exe" and | |
| source.port >= 49152 and destination.port >= 49152 and source.ip != "127.0.0.1" and source.ip != "::1"] |
Samirbous
/ susp exec via run key
Created
October 12, 2022 16:37
View susp exec via run key
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence by host.id with maxspan=1m | |
| [registry where registry.path : "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*"] by registry.data.strings | |
| [process where event.action == "start" and | |
| /* recently created files */ | |
| process.Ext.relative_file_creation_time < 500] by process.executable |
Samirbous
/ pwdvault_test
Created
September 23, 2022 18:17
View pwdvault_test
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] | |
| (new-object Windows.Security.Credentials.PasswordVault).RetrieveAll()|%{$_.RetrievePassword();$_}>"pwds.tmp" |
Samirbous
/ eql hunt recent svc or task
Created
September 7, 2022 14:28
View eql hunt recent svc or task
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| process where event.action == "start" and | |
| ( | |
| (process.parent.name : "svchost.exe" and process.parent.args : "schedule") or | |
| process.parent.name : "services.exe" | |
| ) | |
| and | |
| (process.Ext.relative_file_creation_time < 300 or process.Ext.relative_file_name_modify_time < 300) |
View mal_lnk
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "Top 1000 values of process.executable","Top 1000 values of process.command_line","Top 1000 values of process.working_directory","Count of records" | |
| "C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" Shell32.dll,ShellExec_RunDLL ""RÊCYCLÊR\ .com"" ""Program Files (x86)""","C:\Users\user\Desktop\",6 | |
| "C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" Shell32.dll,ShellExec_RunDLL ""RÊCYCLÊR\ .com"" ""Windows""","C:\Users\user\Desktop\",8 | |
| "C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" Shell32.dll,ShellExec_RunDLL ""RÊCYCLÊR\ .com"" ""ProgramData""","C:\Users\user\Desktop\",6 | |
| "C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" Shell32.dll,ShellExec_RunDLL ""RÊCYCLÊR\ .com"" ""Recovery""","C:\Users\user\Desktop\",7 | |
| "C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" Shell32.dll,ShellExec_RunDLL ""RÊCYCLÊR\ .com"" ""Documents and Settings""","C:\Users\user\Desktop\",11 | |
| "C:\Windows\System32\rundll32.exe |
View tiest
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $iWli=('011K110,01110101,01101110,011K011,011101K,01101K1,01101111,01101110,K1KK0,011101K,01K1101,01KK11,011K110,01101011,0101K11,01K01K,K1KK0,01111011,KK1101,KK1010,KK1101,KK1010,KK1K1,01011011,01KK11,01101101,011K1K,011011K,011K101,011101K,01KK10,01101K1,01101110,011K1K,01101K1,01101110,011K111,K101K0,K101K1,01011101,KK1101,KK1010,K1KK0,K1KK0,K1KK0,K1KK0,0101KK,011KK1,0111K10,011KK1,01101101,K1KK0,K101K0,01011011,011K010,01111K1,011101K,011K101,01011011,01011101,01011101,K1KK0,K1K1K,011K010,01111K1,011101K,011K101,01KK01,0111K10,0111K10,011KK1,01111K1,K101K1,KK1101,KK1010,K1KK0,KK1101,KK1010,KK1K1,0101KK,0111K10,01101111,011K011,011K101,0111K11,0111K11,K1KK0,01111011,KK1101,KK1010,KK1K1,K1KK0,K1KK0,K1KK0,K1KK0,K1K1K,011K111,01101011,011K1K,011K110,K111101,K101K0,K1K111,K101K0,01011011,01K1K1,01K1111,K101110,01KK11,01101111,01101101,0111KK,0111K10,011K101,0111K11,0111K11,01101K1,01101111,01101110,K101110,01KK11,01101111,01101101,0111KK,0111K10,011K101,0111K11,0111K11,01101K1,01101111,01101110,01K1101,0110111 |
Samirbous
/ gist:2e9a84f56bd6e7ee2da2da2e743f65cf
Created
July 30, 2022 19:41
View gist:2e9a84f56bd6e7ee2da2da2e743f65cf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence with maxspan=1m | |
| [file where event.action != "deletion" and | |
| file.extension : "doc*" and | |
| /* xml or mht file header renamed as doc smuggling maldoc */ | |
| file.Ext.header_bytes : ("3c3f786d6c2076657273696f6e*", "4d494d452d56657273696f6e3a*") and | |
| process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSACCESS.EXE")] by process.entity_id | |
| [process where event.action == "start" and | |
| process.parent.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSACCESS.EXE")] by process.parent.entity_id |
Samirbous
/ suspicious office child http cache
Created
June 2, 2022 21:34
View suspicious office child http cache
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence with maxspan=30s | |
| [registry where process.name : "winword.exe" and | |
| registry.path : "HKEY_USERS\\*\\Software\\Microsoft\\Office\\*\\Common\\Internet\\Server Cache\\https*"] by process.entity_id | |
| [file where event.action == "creation" and | |
| file.path : "?:\\Users\\*\\AppData\\*\\Content.MSO\\*" and process.name : "winword.exe" and | |
| file.extension : "htm*" and file.size >= 4096] by process.entity_id | |
| [process where event.action == "start" and process.parent.name : "winword.exe" and | |
| not process.name : ("splwow64.exe", "DWWIN.EXE", "WerFault.exe")] by process.parent.entity_id |
NewerOlder