Samirbous
Samirbous
/ hunt EoP via Service
Created
September 18, 2023 15:24
View hunt EoP via Service
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence by winlog.computer_name with maxspan=5m | |
| [authentication where event.action == "logged-in" and | |
| // non Elevated Token | |
| winlog.event_data.ElevatedToken : "%%1843"] by winlog.event_data.TargetLogonId | |
| [iam where event.action == "service-installed"] by winlog.event_data.SubjectLogonId | |
Samirbous
/ uptime c2 scripts
Created
July 5, 2023 14:22
View uptime c2 scripts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence by process.entity_id | |
| [process where event.action == "start" and | |
| process.pe.original_file_name : ("cscript.exe", "wscript.exe", "AutoIt*.exe", "python*.exe") ] | |
| [network where process.uptime >= 300 and | |
| event.action == "connection_attempted" and network.direction == "egress" and network.transport == "tcp" and source.port >= 49152 and not destination.address : ("127.*", "::1")] |
Samirbous
/ disabled services
Created
June 19, 2023 13:08
View disabled services
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "Top 1000 values of registry.path",Count | |
| "HKLM\SYSTEM\ControlSet001\Services\WinDefend\Start","1,483" | |
| "HKLM\SYSTEM\ControlSet001\Services\UsoSvc\Start","1,477" | |
| "HKLM\SYSTEM\ControlSet001\Services\WaaSMedicSvc\Start","1,477" | |
| "HKLM\SYSTEM\ControlSet001\Services\wuauserv\Start","1,477" | |
| "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService\Start",6 | |
| "HKLM\SYSTEM\ControlSet001\Services\Sense\Start",6 | |
| "HKLM\SYSTEM\ControlSet001\Services\WdBoot\Start",6 | |
| "HKLM\SYSTEM\ControlSet001\Services\WdFilter\Start",6 | |
| "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv\Start",6 |
Samirbous
/ evasion_reg_values
Created
June 15, 2023 19:54
View evasion_reg_values
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "Top 10000 values of registry.value","Count of records" | |
| TamperProtection,"1,400" | |
| DisableAntiSpyware,"1,388" | |
| DisableBehaviorMonitoring,"1,381" | |
| DisableIOAVProtection,"1,368" | |
| DisableOnAccessProtection,"1,359" | |
| DisableRealtimeMonitoring,"1,344" | |
| DisableScanOnRealtimeEnable,"1,323" | |
| DisableNotifications,"1,312" | |
| AUOptions,"1,280" |
Samirbous
/ example_stack
Created
May 31, 2023 10:22
View example_stack
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "thread": { | |
| "Ext": { | |
| "call_stack_summary": "ntdll.dll|kernelbase.dll|kernel32.dll|acmigration.dll|appraiser.dll|ntdll.dll|kernel32.dll|ntdll.dll", | |
| "call_stack": [ | |
| { | |
| "symbol_info": "C:\\Windows\\System32\\ntdll.dll!ZwCreateUserProcess+0x14" | |
| }, | |
| { | |
| "symbol_info": "C:\\Windows\\System32\\KernelBase.dll!CreateProcessInternalW+0xfe3" | |
| }, |
Samirbous
/ rta_unhook_ntdll_ldrloaddll.cpp
Created
May 18, 2023 11:43
View rta_unhook_ntdll_ldrloaddll.cpp
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <iostream> | |
| #include <Windows.h> | |
| #include <winternl.h> | |
| #include <psapi.h> | |
| typedef NTSTATUS(NTAPI* pLdrLoadDll) ( | |
| PWCHAR PathToFile, | |
| ULONG Flags, | |
| PUNICODE_STRING ModuleFileName, |
Samirbous
/ EQL - AD Mass Properties Enum
Created
January 28, 2023 23:05
View EQL - AD Mass Properties Enum
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| any where event.action == "Directory Service Access" and | |
| event.code == "4662" and | |
| not winlog.event_data.SubjectUserSid : "S-1-5-18" and | |
| winlog.event_data.AccessListDescription : "Read Property" and | |
| length(winlog.event_data.Properties) >= 800 |
Samirbous
/ atomic_endpoint_behavior_rules
Created
October 22, 2022 15:16
View atomic_endpoint_behavior_rules
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "Top 1000 values of rule.name","Count of records" | |
| "Connection to WebService by a Signed Binary Proxy",342 | |
| "Managed .NET Code Execution via PowerShell",79 | |
| "Execution via a Suspicious WMI Client",57 | |
| "Credential Access via Known Utilities",40 | |
| "Regsvr32 Scriptlet Execution",39 | |
| "Suspicious Bitsadmin Activity",34 | |
| "Suspicious Windows Command Shell Execution",32 | |
| "Script Execution via Microsoft HTML Application",28 | |
| "Suspicious Execution via Windows Management Instrumentation",27 |
Samirbous
/ EntAppSvc Incoming Netcon dcom
Created
October 13, 2022 19:12
View EntAppSvc Incoming Netcon dcom
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence by host.id, process.entity_id with maxspan=3s | |
| [process where event.type == "start" and process.name : "svchost.exe" and process.args : "appmodel"] | |
| [network where event.action == "connection_accepted" and | |
| process.name : "svchost.exe" and | |
| source.port >= 49152 and destination.port >= 49152 and source.ip != "127.0.0.1" and source.ip != "::1"] |
Samirbous
/ susp exec via run key
Created
October 12, 2022 16:37
View susp exec via run key
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence by host.id with maxspan=1m | |
| [registry where registry.path : "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*"] by registry.data.strings | |
| [process where event.action == "start" and | |
| /* recently created files */ | |
| process.Ext.relative_file_creation_time < 500] by process.executable |
NewerOlder