Shivam Malaviya Shivammalaviya
Shivammalaviya
/ Detects Medusa Locker Ransomware
Last active
September 21, 2022 12:42
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SecurityEvent | |
| | where EventID == 4688 | where ((ParentProcessName endswith @'\scpvss.exe') | |
| and (NewProcessName endswith @'\vssadmin.exe' or NewProcessName endswith @'\WMIC.exe' or NewProcessName endswith @'\wbadmin.exe' | |
| or NewProcessName endswith @'\bcdedit.exe')) |
Shivammalaviya
/ Tor
Created
June 22, 2022 15:41
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| let TorRelayData = ( | |
| externaldata (Nickname:string,Fingerprint:string,EntryAddress:string,IPAddress:string,Port:string,AddressType:string,Hostname:string,CountryCode:string,IsRunning:bool,RelayPublishDate:string,LastChangedIPData:string) | |
| [h@'https://raw.githubusercontent.com/Shivammalaviya/Tor/main/torexitnodes.csv'] with (ignoreFirstRecord=true,format="csv") | |
| | where AddressType == "IPv4" | |
| ); | |
| TorRelayData | |
| | join kind=inner DeviceNetworkEvents on $left.IPAddress == $right.RemoteIP | |
| | join kind=inner (DeviceInfo | distinct DeviceId, PublicIP) on DeviceId | |
| | project Timestamp, DeviceId, LocalPublicIP = PublicIP, LocalIP, RemoteIP, TorIP = IPAddress, Hostname, CountryCode, ActionType, InitiatingProcessFileName, InitiatingProcessFolderPath |
Shivammalaviya
/ Online C2s
Created
June 16, 2022 16:03
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| externaldata(RemoteIP: string, RemotePort: int, Status: string) | |
| [ | |
| "https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.json" | |
| ] | |
| with(format="MultiJSON", ingestionMapping='[{"Column":"RemoteIP","Properties":{"Path":"$.ip_address"}}, {"Column":"RemotePort","Properties":{"Path":"$.port"}}, {"Column":"Status","Properties":{"Path":"$.status"}}]') | |
| | where Status == "online" | |
| | join kind=inner DeviceNetworkEvents on RemoteIP, RemotePort |
Shivammalaviya
/ Detect Tor connections
Created
June 14, 2022 13:22
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| let TorRelayData = ( | |
| externaldata (Nickname:string,Fingerprint:string,EntryAddress:string,IPAddress:string,Port:string,AddressType:string,Hostname:string,CountryCode:string,IsRunning:bool,RelayPublishDate:string,LastChangedIPData:string) | |
| [h@'https://torinfo.blob.core.windows.net/public/TorRelayIPs.csv'] with (ignoreFirstRecord=true,format="csv") | |
| | where AddressType == "IPv4" | |
| ); | |
| TorRelayData | |
| | join kind=inner DeviceNetworkEvents on $left.IPAddress == $right.RemoteIP | |
| | join kind=inner (DeviceInfo | distinct DeviceId, PublicIP) on DeviceId | |
| | project Timestamp, DeviceId, LocalPublicIP = PublicIP, LocalIP, RemoteIP, TorIP = IPAddress, Hostname, CountryCode, ActionType, InitiatingProcessFileName, InitiatingProcessFolderPath |
Shivammalaviya
/ Confluence Zero Day Remote Code Execution
Created
June 7, 2022 16:07
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| let CVE202226134 = externaldata(ip:string)[@"https://gist.githubusercontent.com/Shivammalaviya/8529563a6d4dca8a3617b79272d87d68/raw/47eafc8d2038b32a641022ed3dbe8b290dfd24cf/CVE-2022-26134%2520IPs"] | |
| | distinct ip; | |
| CVE202226134 | |
| | join (DeviceNetworkEvents | |
| | where ActionType in ("ConnectionSuccess","InboundConnectionAccepted","ConnectionFound") | |
| ) | |
| on $left.ip == $right.RemoteIP | |
| | project Timestamp,LocalIP,RemoteIP,DeviceName,RemoteUrl,InitiatingProcessFileName,ActionType |
Shivammalaviya
/ CVE-2022-26134 IPs
Created
June 7, 2022 15:46
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 66.42.41.213 | |
| 173.255.223.253 | |
| 81.70.242.26 | |
| 45.251.241.82 | |
| 103.200.97.34 | |
| 108.61.144.67 | |
| 172.104.82.246 | |
| 183.194.150.135 | |
| 195.181.170.209 | |
| 62.204.41.233 |
Shivammalaviya
/ MSDT Suspicious Command Execution
Last active
May 31, 2022 16:58
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| DeviceProcessEvents | |
| | where (FolderPath endswith @"\msdt.exe" and (ProcessCommandLine contains "IT_RebrowseForFile" | |
| or ProcessCommandLine contains "IT_BrowseForFile")) |
Shivammalaviya
/ KrbRelayUp Attack Pattern
Created
May 27, 2022 06:49
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SecurityEvent | |
| | where (EventID == 4624 and LogonType == "3" and AuthenticationPackageName =~ 'Kerberos' | |
| and IpAddress =~ '127.0.0.1' and TargetUserSid startswith 'S-1-5-21-' and TargetUserSid endswith '-500') |
Shivammalaviya
/ KrbRelayUp Hack Tool
Last active
May 27, 2022 06:48
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SecurityEvent | |
| | where EventID == 1 | |
| | where (NewProcessName endswith @'\KrbRelayUp.exe' or OriginalFilename =~ 'KrbRelayUp.exe' | |
| or (CommandLine contains ' relay ' and CommandLine contains ' -Domain ' and CommandLine contains ' -ComputerName ') | |
| or (CommandLine contains ' krbscm ' and CommandLine contains ' -sc ') or (CommandLine contains ' spawn ' | |
| and CommandLine contains ' -d ' and CommandLine contains ' -cn ' and CommandLine contains ' -cp ')) |
Shivammalaviya
/ Detecting Verblecon Cryptocurrency Miner Activity
Last active
April 12, 2022 16:58
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| DeviceProcessEvents | |
| | where (FolderPath endswith "javaw.exe" and (ProcessCommandLine contains "-jar" or ProcessCommandLine contains ".jar")) |
NewerOlder