@Samirbous
Created November 12, 2023 12:13
// requires Windows event ID 4688 (process creation audit) to be enabled
// EQL query - process created under a user identity (TargetUserSid) different from the creating account (SubjectUserSid), excluding parents that legitimately do this
process where event.action == "created-process" and
not startswith~(winlog.event_data.TargetUserSid, winlog.event_data.SubjectUserSid) and
winlog.event_data.TargetUserSid : "S-1-5-21-*" and not winlog.event_data.TargetUserSid : "S-1-0-0" and
not process.parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\Windows\\System32\\svchost.exe", "?:\\Windows\\System32\\runtimebroker.exe")
// ES|QL query - frequency based: parent/child process pairs running as different user identities that are rare (at most 2 events) and seen on a single host
from .ds-logs-system.security-default-*
| where event.code == "4688" and winlog.event_data.TargetUserSid like "S-1-5-21-*" and winlog.event_data.SubjectUserSid like "S-1-*" and winlog.event_data.TargetUserSid != winlog.event_data.SubjectUserSid
| stats cc = count(*), unique_count_host = count_distinct(host.id) by process.name, process.parent.name
| where cc <= 2 and unique_count_host == 1
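The same two-stage logic as an added Python example (not part of the gist), run over constructed 4688-style records so the conditions can be checked offline: stage 1 mirrors the EQL filter, stage 2 mirrors the ES|QL count/unique-host aggregation. Record keys, host ids and SIDs are assumptions chosen for the sample.

```python
from collections import defaultdict
from fnmatch import fnmatch

# Parent executables the EQL query excludes (same pattern list as the gist).
EXCLUDED_PARENTS = ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*",
                    "?:\\Windows\\System32\\svchost.exe", "?:\\Windows\\System32\\runtimebroker.exe")

def is_identity_switch(ev):
    """Stage 1 (the EQL query): a 4688 event where the new process runs as a domain
    account (S-1-5-21-*) whose SID does not start with the subject's SID, and the
    parent is not one of the excluded, legitimately user-switching executables."""
    target, subject = ev["TargetUserSid"], ev["SubjectUserSid"]
    if not fnmatch(target, "S-1-5-21-*") or target == "S-1-0-0":
        return False
    if target.lower().startswith(subject.lower()):  # startswith~ is case-insensitive
        return False
    parent = ev["parent_executable"].lower()        # EQL ':' matches case-insensitively
    return not any(fnmatch(parent, pat.lower()) for pat in EXCLUDED_PARENTS)

def rare_pairs(events, max_count=2):
    """Stage 2 (the ES|QL query): count matching events per (process, parent) pair
    and keep pairs seen at most max_count times and on exactly one host."""
    counts, hosts = defaultdict(int), defaultdict(set)
    for ev in events:
        if is_identity_switch(ev):
            key = (ev["process_name"], ev["parent_name"])
            counts[key] += 1
            hosts[key].add(ev["host_id"])
    return {k: n for k, n in counts.items() if n <= max_count and len(hosts[k]) == 1}

def _ev(host, proc, parent, parent_exe, subject, target):
    return {"host_id": host, "process_name": proc, "parent_name": parent,
            "parent_executable": parent_exe, "SubjectUserSid": subject, "TargetUserSid": target}

# Constructed sample events (placeholder SIDs and host ids, not real telemetry).
U1, U2, SYSTEM = "S-1-5-21-1111-2222-3333-1001", "S-1-5-21-1111-2222-3333-1050", "S-1-5-18"
SAMPLE_EVENTS = [
    _ev("host-a", "taskhostw.exe", "svchost.exe", "C:\\Windows\\System32\\svchost.exe", SYSTEM, U1),  # excluded parent
    _ev("host-a", "cmd.exe", "explorer.exe", "C:\\Windows\\explorer.exe", U1, U1),                    # same identity
    _ev("host-a", "powershell.exe", "cmd.exe", "C:\\Windows\\System32\\cmd.exe", U1, U2),            # rare switch: kept
    _ev("host-a", "conhost.exe", "cmd.exe", "C:\\Windows\\System32\\cmd.exe", U1, U2),               # seen on two hosts:
    _ev("host-b", "conhost.exe", "cmd.exe", "C:\\Windows\\System32\\cmd.exe", U1, U2),               # dropped by stage 2
]

if __name__ == "__main__":
    for (proc, parent), n in rare_pairs(SAMPLE_EVENTS).items():
        print(f"rare identity switch: {parent} -> {proc} ({n} event(s))")
```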