Skip to content

Instantly share code, notes, and snippets.

View hunt EoP via Service
sequence by winlog.computer_name with maxspan=5m
[authentication where event.action == "logged-in" and
// non Elevated Token
winlog.event_data.ElevatedToken : "%%1843"] by winlog.event_data.TargetLogonId
[iam where event.action == "service-installed"] by winlog.event_data.SubjectLogonId
View uptime c2 scripts
sequence by process.entity_id
[process where event.action == "start" and
process.pe.original_file_name : ("cscript.exe", "wscript.exe", "AutoIt*.exe", "python*.exe") ]
[network where process.uptime >= 300 and
event.action == "connection_attempted" and network.direction == "egress" and network.transport == "tcp" and source.port >= 49152 and not destination.address : ("127.*", "::1")]
View disabled services
"Top 1000 values of registry.path",Count
"HKLM\SYSTEM\ControlSet001\Services\WinDefend\Start","1,483"
"HKLM\SYSTEM\ControlSet001\Services\UsoSvc\Start","1,477"
"HKLM\SYSTEM\ControlSet001\Services\WaaSMedicSvc\Start","1,477"
"HKLM\SYSTEM\ControlSet001\Services\wuauserv\Start","1,477"
"HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService\Start",6
"HKLM\SYSTEM\ControlSet001\Services\Sense\Start",6
"HKLM\SYSTEM\ControlSet001\Services\WdBoot\Start",6
"HKLM\SYSTEM\ControlSet001\Services\WdFilter\Start",6
"HKLM\SYSTEM\ControlSet001\Services\WdNisDrv\Start",6
View evasion_reg_values
"Top 10000 values of registry.value","Count of records"
TamperProtection,"1,400"
DisableAntiSpyware,"1,388"
DisableBehaviorMonitoring,"1,381"
DisableIOAVProtection,"1,368"
DisableOnAccessProtection,"1,359"
DisableRealtimeMonitoring,"1,344"
DisableScanOnRealtimeEnable,"1,323"
DisableNotifications,"1,312"
AUOptions,"1,280"
View example_stack
"thread": {
"Ext": {
"call_stack_summary": "ntdll.dll|kernelbase.dll|kernel32.dll|acmigration.dll|appraiser.dll|ntdll.dll|kernel32.dll|ntdll.dll",
"call_stack": [
{
"symbol_info": "C:\\Windows\\System32\\ntdll.dll!ZwCreateUserProcess+0x14"
},
{
"symbol_info": "C:\\Windows\\System32\\KernelBase.dll!CreateProcessInternalW+0xfe3"
},
View rta_unhook_ntdll_ldrloaddll.cpp
#include <iostream>
#include <Windows.h>
#include <winternl.h>
#include <psapi.h>
typedef NTSTATUS(NTAPI* pLdrLoadDll) (
PWCHAR PathToFile,
ULONG Flags,
PUNICODE_STRING ModuleFileName,
View EQL - AD Mass Properties Enum
any where event.action == "Directory Service Access" and
event.code == "4662" and
not winlog.event_data.SubjectUserSid : "S-1-5-18" and
winlog.event_data.AccessListDescription : "Read Property" and
length(winlog.event_data.Properties) >= 800
View atomic_endpoint_behavior_rules
"Top 1000 values of rule.name","Count of records"
"Connection to WebService by a Signed Binary Proxy",342
"Managed .NET Code Execution via PowerShell",79
"Execution via a Suspicious WMI Client",57
"Credential Access via Known Utilities",40
"Regsvr32 Scriptlet Execution",39
"Suspicious Bitsadmin Activity",34
"Suspicious Windows Command Shell Execution",32
"Script Execution via Microsoft HTML Application",28
"Suspicious Execution via Windows Management Instrumentation",27
View EntAppSvc Incoming Netcon dcom
sequence by host.id, process.entity_id with maxspan=3s
[process where event.type == "start" and process.name : "svchost.exe" and process.args : "appmodel"]
[network where event.action == "connection_accepted" and
process.name : "svchost.exe" and
source.port >= 49152 and destination.port >= 49152 and source.ip != "127.0.0.1" and source.ip != "::1"]
View susp exec via run key
sequence by host.id with maxspan=1m
[registry where registry.path : "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*"] by registry.data.strings
[process where event.action == "start" and
/* recently created files */
process.Ext.relative_file_creation_time < 500] by process.executable