Skip to content

Instantly share code, notes, and snippets.


Alex Verboon alexverboon

View GitHub Profile
View log4jvariable.ps1
[Environment]::SetEnvironmentVariable("LOG4J_FORMAT_MSG_NO_LOOKUPS", $null, [EnvironmentVariableTarget]::Machine)
alexverboon / mde_cmpivot.kql
Created Dec 20, 2021
CM Pivot for Defender Troubleshooting
View mde_cmpivot.kql
// CM Pivot for Defender Troubleshooting
// Defender Event logs
WinEvent('Microsoft-Windows-Windows Defender/Operational', 1d)
// MDE Eent logs
WinEvent('Microsoft-Windows-SENSE/Operational', 1d)
// MDE Service Status
| where Name == 'Sense'
alexverboon / compare-log4j-core hashes
Created Dec 14, 2021
Code snippets How To Detect the Log4Shell Vulnerability (CVE-2021-44228) with Microsoft Endpoint Configuration Manager
View compare-log4j-core hashes
$log4 = Get-log4files
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$vulnerablesums = -split $(Invoke-WebRequest -UseBasicParsing).content | ? {$_.length -eq 64}
($log4 | Select-Object).FH | Compare-Object -ReferenceObject $vulnerablesums -IncludeEqual
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$chck = ((invoke-webrequest -UseBasicParsing).content | ConvertFrom-Csv -Delimiter "," | Select-Object).sha256
($log4 | Select-Object).FH | Compare-Object -ReferenceObject $chck -IncludeEqual
alexverboon / Get-log4files.ps1
Created Dec 14, 2021
PowerShell script to find log4j-core.jar files
View Get-log4files.ps1
Function Get-log4files(){
$Drives = Get-PSDrive | Select-Object -ExpandProperty 'Name' | Select-String -Pattern '^[a-e]$'
$FileInfo = [System.Collections.ArrayList]::new()
$Filetypes = @("*.jar")
ForEach($DriveLetter in $Drives)
$Drive = "$DriveLetter" + ":\"
$Log4Files = Get-ChildItem -Path $Drive -Filter "*log4j-core*" -Include $Filetypes -Recurse -File -ErrorAction SilentlyContinue | Select-Object FullName
Foreach($file in $Log4Files)

C2 Hunt Feed - Infrastructure hosting Command & Control Servers found during Proactive Hunt by IP,Date of Detection,Host,Protocol,Beacon Config,Comment


// C2 Hunt Feed - Infrastructure hosting Command & Control Servers found during Proactive Hunt by
// #IP,Date of Detection,Host,Protocol,Beacon Config,Comment
alexverboon / T1562.001 - Defender Exclusions
Last active Apr 21, 2022
T1562.001 - Defender Exclusions modification
View T1562.001 - Defender Exclusions

T1562.001 - Defender Exclusions modification

Use the below query to detect Windows Defender exclusion changes.


// T1562.001 - Impair Defenses: Disable or Modify Tools
alexverboon / T1087.002 Account Discovery: Domain
Created Jun 21, 2021
T1087.002 Account Discovery: Domain Account
View T1087.002 Account Discovery: Domain

T1087.002 Account Discovery: Domain Account

Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.

Use the bellow queries when you get alerts from Microsoft Defender for Identity: Account enumeration reconnaissance on one endpoint


An actor on performed suspicious account enumeration, exposing while trying to access

alexverboon / T1484 Domain Policy
Last active Jun 14, 2021
T1484 Domain Policy Modification
View T1484 Domain Policy

T1484 Domain Policy Modification

Use the below advanced hunting queries to detect when scripts are added/modified within the SYSVOL share and Group Policy logon scripts executed on clients.


// scripts added/modified in SSYSVVOL
View MDE-CMPivitEvents.txt
// Use the below query to find the Microsoft Endpoint Configuration Manager - CMPivot initiated queries executed on devices
// Microsoft Endpoint Configuration Manager
// | where DeviceName == ""
| where ActionType == "PowerShellCommand"
| where InitiatingProcessCommandLine contains @"C:\windows\CCM\ScriptStore"
| extend pcommand = parse_command_line(InitiatingProcessCommandLine, "windows")
| where pcommand contains "-wmiquery"
| extend pcommand2 = split(pcommand, "-wmiquery")
| mv-expand pcommand2
View AzureADConditionalAccessStateChanges.kql
// AzureAD Conditinoal Access State cmparisson
let CAStateBefore = CloudAppEvents
| where Timestamp > startofday(ago(30d)) and Timestamp < startofday(ago(1d))
| where ActionType == "Set-ConditionalAccessPolicy"
| extend CAId = tostring((split(tostring(parse_json(ActivityObjects)[2].Value), @"\"))[1])
| extend CAState = extractjson("$.State", tostring((parse_json(ActivityObjects)[3].Value)))
| extend CAName = tostring(parse_json(ActivityObjects)[6].Value)
| where isnotempty(CAState)
| where CAName != "Default Policy"
| summarize arg_max(Timestamp, *) by CAId