Samirbous
Samirbous
/ EQL - AD Mass Properties Enum
Created
January 28, 2023 23:05
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| any where event.action == "Directory Service Access" and | |
| event.code == "4662" and | |
| not winlog.event_data.SubjectUserSid : "S-1-5-18" and | |
| winlog.event_data.AccessListDescription : "Read Property" and | |
| length(winlog.event_data.Properties) >= 800 |
Samirbous
/ rta_unhook_ntdll_ldrloaddll.cpp
Created
May 18, 2023 11:43
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <iostream> | |
| #include <Windows.h> | |
| #include <winternl.h> | |
| #include <psapi.h> | |
| typedef NTSTATUS(NTAPI* pLdrLoadDll) ( | |
| PWCHAR PathToFile, | |
| ULONG Flags, | |
| PUNICODE_STRING ModuleFileName, |
Samirbous
/ example_stack
Created
May 31, 2023 10:22
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "thread": { | |
| "Ext": { | |
| "call_stack_summary": "ntdll.dll|kernelbase.dll|kernel32.dll|acmigration.dll|appraiser.dll|ntdll.dll|kernel32.dll|ntdll.dll", | |
| "call_stack": [ | |
| { | |
| "symbol_info": "C:\\Windows\\System32\\ntdll.dll!ZwCreateUserProcess+0x14" | |
| }, | |
| { | |
| "symbol_info": "C:\\Windows\\System32\\KernelBase.dll!CreateProcessInternalW+0xfe3" | |
| }, |
Samirbous
/ evasion_reg_values
Created
June 15, 2023 19:54
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "Top 10000 values of registry.value","Count of records" | |
| TamperProtection,"1,400" | |
| DisableAntiSpyware,"1,388" | |
| DisableBehaviorMonitoring,"1,381" | |
| DisableIOAVProtection,"1,368" | |
| DisableOnAccessProtection,"1,359" | |
| DisableRealtimeMonitoring,"1,344" | |
| DisableScanOnRealtimeEnable,"1,323" | |
| DisableNotifications,"1,312" | |
| AUOptions,"1,280" |
Samirbous
/ disabled services
Created
June 19, 2023 13:08
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "Top 1000 values of registry.path",Count | |
| "HKLM\SYSTEM\ControlSet001\Services\WinDefend\Start","1,483" | |
| "HKLM\SYSTEM\ControlSet001\Services\UsoSvc\Start","1,477" | |
| "HKLM\SYSTEM\ControlSet001\Services\WaaSMedicSvc\Start","1,477" | |
| "HKLM\SYSTEM\ControlSet001\Services\wuauserv\Start","1,477" | |
| "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService\Start",6 | |
| "HKLM\SYSTEM\ControlSet001\Services\Sense\Start",6 | |
| "HKLM\SYSTEM\ControlSet001\Services\WdBoot\Start",6 | |
| "HKLM\SYSTEM\ControlSet001\Services\WdFilter\Start",6 | |
| "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv\Start",6 |
Samirbous
/ uptime c2 scripts
Created
July 5, 2023 14:22
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence by process.entity_id | |
| [process where event.action == "start" and | |
| process.pe.original_file_name : ("cscript.exe", "wscript.exe", "AutoIt*.exe", "python*.exe") ] | |
| [network where process.uptime >= 300 and | |
| event.action == "connection_attempted" and network.direction == "egress" and network.transport == "tcp" and source.port >= 49152 and not destination.address : ("127.*", "::1")] |
Samirbous
/ hunt EoP via Service
Created
September 18, 2023 15:24
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence by winlog.computer_name with maxspan=5m | |
| [authentication where event.action == "logged-in" and | |
| // non Elevated Token | |
| winlog.event_data.ElevatedToken : "%%1843"] by winlog.event_data.TargetLogonId | |
| [iam where event.action == "service-installed"] by winlog.event_data.SubjectLogonId | |
Samirbous
/ ms native dll hijack ernich policy
Created
November 7, 2023 10:49
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| PUT /libs/_doc/1?refresh=wait_for | |
| { | |
| "dll.name": [ | |
| "aadauthhelper.dll", | |
| "aadcloudap.dll", | |
| "aadjcsp.dll", | |
| "aadtb.dll", | |
| "aadwamextension.dll", | |
| "aarsvc.dll", | |
| "abovelockapphost.dll", |
Samirbous
/ gist:81b40ff073ce4bf5d3c6ce558a9d0106
Created
November 7, 2023 20:05
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| PUT /native_dll1_index | |
| { | |
| "mappings": { | |
| "properties": { | |
| "dll": { | |
| "properties": { | |
| "name": { | |
| "type": "text", | |
| "fields": { | |
| "keyword": { |
Samirbous
/ gist:9f9c3237a0ada745e71cc2ba3425311c
Created
November 8, 2023 13:43
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // create source index and define types | |
| PUT /libs | |
| { | |
| "mappings": { | |
| "properties": { | |
| "dll": { | |
| "properties": { | |
| "name": { | |
| "type": "text", | |
| "fields": { |