Samirbous
Samirbous
/ log4j-auditd-log-example
Created
December 13, 2021 08:37
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| type=PROCTITLE msg=audit(12/13/2021 01:49:50.838:66) : proctitle=/bin/bash | |
| type=PATH msg=audit(12/13/2021 01:49:50.838:66) : item=2 name=/lib64/ld-linux-x86-64.so.2 inode=4194344 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 | |
| type=PATH msg=audit(12/13/2021 01:49:50.838:66) : item=1 name=/usr/bin/clear inode=4194578 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 | |
| type=PATH msg=audit(12/13/2021 01:49:50.838:66) : item=0 name=/usr/bin/clear inode=4194578 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 | |
| type=CWD msg=audit(12/13/2021 01:49:50.838:66) : cwd=/home/kali | |
| type=EXECVE msg=audit(12/13/2021 01:49:50.838:66) : argc=1 a0=clear | |
| type=SYSCALL msg=audit(12/13/2021 01:49:50.838:66) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x5613225618a0 a1=0x56132257a310 a2= |
Samirbous
/ gist:bce42125fb2fba95d676941e7808ecaf
Created
April 6, 2022 14:31
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence by host.id, process.entity_id with maxspan=1s | |
| [process where event.code : "10" and process.name : "sihost.exe" and | |
| winlog.event_data.CallTrace : "*CoreShellExtFramework*" and winlog.event_data.GrantedAccess : "0x40"] | |
| [process where event.code : "10" and process.name : "sihost.exe" and | |
| not winlog.event_data.GrantedAccess : ("0x*00", "0x1010", "0x1410", "0x40")] |
Samirbous
/ NtUserGetWindowProcessHandle
Created
April 7, 2022 18:08
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| process where event.code : "10" and not process.executable : "?:\\Windows\\Explorer.exe" and | |
| winlog.event_data.CallTrace : "?:\\WINDOWS\\System32\\win32u.dll*" and not winlog.event_data.GrantedAccess : ("0x*00", "0x*10", "0x*01") |
Samirbous
/ SeDebug_ProcessAccess_EQL
Created
April 8, 2022 21:39
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence by host.id with maxspan=5s | |
| [any where event.code : "4703" and winlog.event_data.EnabledPrivilegeList:"SeDebugPrivilege"] by winlog.event_data.ProcessName | |
| [process where event.code : "10" and not process.name in ("Procmon64.exe", "procexp64.exe")] by process.executable |
Samirbous
/ sysmon PROCESS_TERMINATE sequence
Created
April 14, 2022 22:18
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence by host.id with maxspan=5s | |
| [process where event.code : "10" and winlog.event_data.GrantedAccess:"0x1"] by winlog.event_data.TargetProcessGUID | |
| [process where event.code : "5" /* you can add process.name : ("seecurity-proc1", "security-proc2") */] by process.entity_id |
Samirbous
/ KrbRelayUp EQL Winlog
Created
April 26, 2022 16:23
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence by host.id with maxspan=5m | |
| [authentication where | |
| /* event 4624 need to be logged */ | |
| event.action == "logged-in" and event.outcome == "success" and | |
| /* authenticate locally using relayed kerberos TGS */ | |
| winlog.event_data.AuthenticationPackageName :"Kerberos" and winlog.logon.type == "Network" and | |
| source.ip == "127.0.0.1" and source.port > 0 and |
Samirbous
/ EQL - Exec pwd protected zip
Created
May 8, 2022 19:36
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence by host.id with maxspan=1m | |
| [any where event.code : "5379" and winlog.event_data.TargetName : "Microsoft_Windows_Shell_ZipFolder*"] | |
| [process where event.action == "start" and process.executable : "?:\\Users\\*\\Appdata\\Local\\Temp\\Temp?_*" and process.parent.name : "explorer.exe"] |
Samirbous
/ EQL - exec from pwd protected archive
Created
May 9, 2022 20:35
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence by host.id with maxspan=1m | |
| [process where process.name : ("7zG.exe", "WinRAR.exe") and not process.args : "a"] by process.pid | |
| [registry where process.name : ("7zG.exe", "WinRAR.exe") and registry.value : "ShowPassword" and registry.data.strings : "0"] by process.pid | |
| [process where event.action == "start" and process.parent.name : ("7zG.exe", "WinRAR.exe")] by process.parent.pid |
Samirbous
/ maldoc hashes
Created
May 28, 2022 17:00
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 76f7247dcb2f7dfb50a21eb9fe35a55a | |
| fea98f3eb09ddfc5686d45c91ed887fd | |
| d3b8822c5107aaeb1704dcdea673eeb0 | |
| d4d738c7d917261c6b504de932fc36ec | |
| d0ee5895a471bdeafcb5a1d759ff3879 | |
| 759e2d7e3820770f2ed1e95f4207242f | |
| e641c2fb4b71b12e4f7abae53d89a5a8 | |
| 9bf5a424d33fc007310d18255e053986 | |
| e3ca32ebe9b538cd74bafeb6aa0440f5 | |
| 2ce0a4bc8db0f54d6b0b8d681f42bb5b |
Samirbous
/ dir traversal office
Created
May 31, 2022 15:05
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| process where event.type in ("start", "process_started") and | |
| process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe") and | |
| /* u can add other dir traversal patterns here */ | |
| process.command_line : ("*../../../..*", "*..\\..\\..\\..*", "*..//..//..//..*") and | |
| process.executable : ("?:\\windows\\system32\\*.exe", "?:\\Windows\\SysWOW64\\*.exe") |