Samirbous
Samirbous
/ process started via seclogon
Created
January 4, 2022 14:27
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| event.code:4688 and winlog.event_data.TargetUserSid :"S-1-0-0" and not winlog.event_data.TargetUserName:*$ and | |
| not winlog.event_data.TargetUserName:- and not winlog.event_data.TargetUserName:"defaultuser100000" and | |
| not winlog.event_data.TargetUserName : ("LOCAL SERVICE" or "NETWORK SERVICE") and | |
| not winlog.event_data.TargetDomainName : ("NT Service" or "Font Driver Host") |
Samirbous
/ gist:bce42125fb2fba95d676941e7808ecaf
Created
April 6, 2022 14:31
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence by host.id, process.entity_id with maxspan=1s | |
| [process where event.code : "10" and process.name : "sihost.exe" and | |
| winlog.event_data.CallTrace : "*CoreShellExtFramework*" and winlog.event_data.GrantedAccess : "0x40"] | |
| [process where event.code : "10" and process.name : "sihost.exe" and | |
| not winlog.event_data.GrantedAccess : ("0x*00", "0x1010", "0x1410", "0x40")] |
Samirbous
/ NtUserGetWindowProcessHandle
Created
April 7, 2022 18:08
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| process where event.code : "10" and not process.executable : "?:\\Windows\\Explorer.exe" and | |
| winlog.event_data.CallTrace : "?:\\WINDOWS\\System32\\win32u.dll*" and not winlog.event_data.GrantedAccess : ("0x*00", "0x*10", "0x*01") |
Samirbous
/ SeDebug_ProcessAccess_EQL
Created
April 8, 2022 21:39
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence by host.id with maxspan=5s | |
| [any where event.code : "4703" and winlog.event_data.EnabledPrivilegeList:"SeDebugPrivilege"] by winlog.event_data.ProcessName | |
| [process where event.code : "10" and not process.name in ("Procmon64.exe", "procexp64.exe")] by process.executable |
Samirbous
/ sysmon PROCESS_TERMINATE sequence
Created
April 14, 2022 22:18
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence by host.id with maxspan=5s | |
| [process where event.code : "10" and winlog.event_data.GrantedAccess:"0x1"] by winlog.event_data.TargetProcessGUID | |
| [process where event.code : "5" /* you can add process.name : ("seecurity-proc1", "security-proc2") */] by process.entity_id |
Samirbous
/ KrbRelayUp EQL Winlog
Created
April 26, 2022 16:23
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence by host.id with maxspan=5m | |
| [authentication where | |
| /* event 4624 need to be logged */ | |
| event.action == "logged-in" and event.outcome == "success" and | |
| /* authenticate locally using relayed kerberos TGS */ | |
| winlog.event_data.AuthenticationPackageName :"Kerberos" and winlog.logon.type == "Network" and | |
| source.ip == "127.0.0.1" and source.port > 0 and |
Samirbous
/ EQL - Exec pwd protected zip
Created
May 8, 2022 19:36
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence by host.id with maxspan=1m | |
| [any where event.code : "5379" and winlog.event_data.TargetName : "Microsoft_Windows_Shell_ZipFolder*"] | |
| [process where event.action == "start" and process.executable : "?:\\Users\\*\\Appdata\\Local\\Temp\\Temp?_*" and process.parent.name : "explorer.exe"] |
Samirbous
/ EQL - exec from pwd protected archive
Created
May 9, 2022 20:35
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence by host.id with maxspan=1m | |
| [process where process.name : ("7zG.exe", "WinRAR.exe") and not process.args : "a"] by process.pid | |
| [registry where process.name : ("7zG.exe", "WinRAR.exe") and registry.value : "ShowPassword" and registry.data.strings : "0"] by process.pid | |
| [process where event.action == "start" and process.parent.name : ("7zG.exe", "WinRAR.exe")] by process.parent.pid |
Samirbous
/ maldoc hashes
Created
May 28, 2022 17:00
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 76f7247dcb2f7dfb50a21eb9fe35a55a | |
| fea98f3eb09ddfc5686d45c91ed887fd | |
| d3b8822c5107aaeb1704dcdea673eeb0 | |
| d4d738c7d917261c6b504de932fc36ec | |
| d0ee5895a471bdeafcb5a1d759ff3879 | |
| 759e2d7e3820770f2ed1e95f4207242f | |
| e641c2fb4b71b12e4f7abae53d89a5a8 | |
| 9bf5a424d33fc007310d18255e053986 | |
| e3ca32ebe9b538cd74bafeb6aa0440f5 | |
| 2ce0a4bc8db0f54d6b0b8d681f42bb5b |
Samirbous
/ dir traversal office
Created
May 31, 2022 15:05
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| process where event.type in ("start", "process_started") and | |
| process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe") and | |
| /* u can add other dir traversal patterns here */ | |
| process.command_line : ("*../../../..*", "*..\\..\\..\\..*", "*..//..//..//..*") and | |
| process.executable : ("?:\\windows\\system32\\*.exe", "?:\\Windows\\SysWOW64\\*.exe") |