This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
type=PROCTITLE msg=audit(12/13/2021 01:49:50.838:66) : proctitle=/bin/bash | |
type=PATH msg=audit(12/13/2021 01:49:50.838:66) : item=2 name=/lib64/ld-linux-x86-64.so.2 inode=4194344 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 | |
type=PATH msg=audit(12/13/2021 01:49:50.838:66) : item=1 name=/usr/bin/clear inode=4194578 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 | |
type=PATH msg=audit(12/13/2021 01:49:50.838:66) : item=0 name=/usr/bin/clear inode=4194578 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 | |
type=CWD msg=audit(12/13/2021 01:49:50.838:66) : cwd=/home/kali | |
type=EXECVE msg=audit(12/13/2021 01:49:50.838:66) : argc=1 a0=clear | |
type=SYSCALL msg=audit(12/13/2021 01:49:50.838:66) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x5613225618a0 a1=0x56132257a310 a2= |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sequence by host.id, process.entity_id with maxspan=1s | |
[process where event.code : "10" and process.name : "sihost.exe" and | |
winlog.event_data.CallTrace : "*CoreShellExtFramework*" and winlog.event_data.GrantedAccess : "0x40"] | |
[process where event.code : "10" and process.name : "sihost.exe" and | |
not winlog.event_data.GrantedAccess : ("0x*00", "0x1010", "0x1410", "0x40")] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
process where event.code : "10" and not process.executable : "?:\\Windows\\Explorer.exe" and | |
winlog.event_data.CallTrace : "?:\\WINDOWS\\System32\\win32u.dll*" and not winlog.event_data.GrantedAccess : ("0x*00", "0x*10", "0x*01") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sequence by host.id with maxspan=5s | |
[any where event.code : "4703" and winlog.event_data.EnabledPrivilegeList:"SeDebugPrivilege"] by winlog.event_data.ProcessName | |
[process where event.code : "10" and not process.name in ("Procmon64.exe", "procexp64.exe")] by process.executable |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sequence by host.id with maxspan=5s | |
[process where event.code : "10" and winlog.event_data.GrantedAccess:"0x1"] by winlog.event_data.TargetProcessGUID | |
[process where event.code : "5" /* you can add process.name : ("seecurity-proc1", "security-proc2") */] by process.entity_id |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sequence by host.id with maxspan=5m | |
[authentication where | |
/* event 4624 need to be logged */ | |
event.action == "logged-in" and event.outcome == "success" and | |
/* authenticate locally using relayed kerberos TGS */ | |
winlog.event_data.AuthenticationPackageName :"Kerberos" and winlog.logon.type == "Network" and | |
source.ip == "127.0.0.1" and source.port > 0 and |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sequence by host.id with maxspan=1m | |
[any where event.code : "5379" and winlog.event_data.TargetName : "Microsoft_Windows_Shell_ZipFolder*"] | |
[process where event.action == "start" and process.executable : "?:\\Users\\*\\Appdata\\Local\\Temp\\Temp?_*" and process.parent.name : "explorer.exe"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sequence by host.id with maxspan=1m | |
[process where process.name : ("7zG.exe", "WinRAR.exe") and not process.args : "a"] by process.pid | |
[registry where process.name : ("7zG.exe", "WinRAR.exe") and registry.value : "ShowPassword" and registry.data.strings : "0"] by process.pid | |
[process where event.action == "start" and process.parent.name : ("7zG.exe", "WinRAR.exe")] by process.parent.pid |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
76f7247dcb2f7dfb50a21eb9fe35a55a | |
fea98f3eb09ddfc5686d45c91ed887fd | |
d3b8822c5107aaeb1704dcdea673eeb0 | |
d4d738c7d917261c6b504de932fc36ec | |
d0ee5895a471bdeafcb5a1d759ff3879 | |
759e2d7e3820770f2ed1e95f4207242f | |
e641c2fb4b71b12e4f7abae53d89a5a8 | |
9bf5a424d33fc007310d18255e053986 | |
e3ca32ebe9b538cd74bafeb6aa0440f5 | |
2ce0a4bc8db0f54d6b0b8d681f42bb5b |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
process where event.type in ("start", "process_started") and | |
process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe") and | |
/* u can add other dir traversal patterns here */ | |
process.command_line : ("*../../../..*", "*..\\..\\..\\..*", "*..//..//..//..*") and | |
process.executable : ("?:\\windows\\system32\\*.exe", "?:\\Windows\\SysWOW64\\*.exe") |