Skip to content

Instantly share code, notes, and snippets.

Avatar

Alex Verboon alexverboon

View GitHub Profile
@alexverboon
alexverboon / macos mde channel.md
Created August 21, 2022 12:56
MacOS MDE channel
View macos mde channel.md

You can check the update channel using the following command: mdatp --health releaseRing

If your device is not already in the InsiderSlow update channel, execute the following command from the Terminal. The channel update takes effect next time the product starts (when the next product update is installed or when the device is rebooted).

defaults write com.microsoft.autoupdate2 ChannelName InsiderSlow

@alexverboon
alexverboon / log4jvariable.ps1
Created January 13, 2022 15:22
log4j variable
View log4jvariable.ps1
[Environment]::SetEnvironmentVariable("LOG4J_FORMAT_MSG_NO_LOOKUPS", $null, [EnvironmentVariableTarget]::Machine)
@alexverboon
alexverboon / mde_cmpivot.kql
Created December 20, 2021 11:07
CM Pivot for Defender Troubleshooting
View mde_cmpivot.kql
// CM Pivot for Defender Troubleshooting
// Defender Event logs
WinEvent('Microsoft-Windows-Windows Defender/Operational', 1d)
// MDE Eent logs
WinEvent('Microsoft-Windows-SENSE/Operational', 1d)
// MDE Service Status
Service
| where Name == 'Sense'
@alexverboon
alexverboon / compare-log4j-core hashes
Created December 14, 2021 21:17
Code snippets How To Detect the Log4Shell Vulnerability (CVE-2021-44228) with Microsoft Endpoint Configuration Manager
View compare-log4j-core hashes
$log4 = Get-log4files
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$vulnerablesums = -split $(Invoke-WebRequest https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes/raw/main/sha256sums.txt -UseBasicParsing).content | ? {$_.length -eq 64}
($log4 | Select-Object).FH | Compare-Object -ReferenceObject $vulnerablesums -IncludeEqual
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$chck = ((invoke-webrequest https://gist.githubusercontent.com/spasam/7b2b2e03c6dd7bd6f1029e88c7cc82ad/raw/ed104b9bed088c04069b3139ae9adbdc9b99b2ac/log4j-core.csv -UseBasicParsing).content | ConvertFrom-Csv -Delimiter "," | Select-Object).sha256
($log4 | Select-Object).FH | Compare-Object -ReferenceObject $chck -IncludeEqual
@alexverboon
alexverboon / Get-log4files.ps1
Created December 14, 2021 21:14
PowerShell script to find log4j-core.jar files
View Get-log4files.ps1
Function Get-log4files(){
$Drives = Get-PSDrive | Select-Object -ExpandProperty 'Name' | Select-String -Pattern '^[a-e]$'
$FileInfo = [System.Collections.ArrayList]::new()
$Filetypes = @("*.jar")
ForEach($DriveLetter in $Drives)
{
$Drive = "$DriveLetter" + ":\"
$Log4Files = Get-ChildItem -Path $Drive -Filter "*log4j-core*" -Include $Filetypes -Recurse -File -ErrorAction SilentlyContinue | Select-Object FullName
Foreach($file in $Log4Files)
{
View c2threadview_io_kql.md

C2 Hunt Feed - Infrastructure hosting Command & Control Servers found during Proactive Hunt by Threatview.io

https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt IP,Date of Detection,Host,Protocol,Beacon Config,Comment

Inspiration: https://azurecloudai.blog/2021/08/12/how-to-use-threatview-io-threat-intelligence-feeds-with-azure-sentinel/

// C2 Hunt Feed - Infrastructure hosting Command & Control Servers found during Proactive Hunt by Threatview.io
// #IP,Date of Detection,Host,Protocol,Beacon Config,Comment
@alexverboon
alexverboon / T1562.001 - Defender Exclusions modification.md
Last active April 21, 2022 13:09
T1562.001 - Defender Exclusions modification
View T1562.001 - Defender Exclusions modification.md

T1562.001 - Defender Exclusions modification

Use the below query to detect Windows Defender exclusion changes.


Query

// T1562.001 - Impair Defenses: Disable or Modify Tools
@alexverboon
alexverboon / T1087.002 Account Discovery: Domain Account.md
Created June 21, 2021 12:04
T1087.002 Account Discovery: Domain Account
View T1087.002 Account Discovery: Domain Account.md

T1087.002 Account Discovery: Domain Account

Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.

Use the bellow queries when you get alerts from Microsoft Defender for Identity: Account enumeration reconnaissance on one endpoint

Example:

An actor on performed suspicious account enumeration, exposing while trying to access

@alexverboon
alexverboon / T1484 Domain Policy Modification.md
Last active June 14, 2021 23:19
T1484 Domain Policy Modification
View T1484 Domain Policy Modification.md

T1484 Domain Policy Modification

Use the below advanced hunting queries to detect when scripts are added/modified within the SYSVOL share and Group Policy logon scripts executed on clients.


Query

// scripts added/modified in SSYSVVOL
@alexverboon
alexverboon / MDE-CMPivitEvents.txt
Last active June 5, 2021 13:50
MDE-CMPivotEvents
View MDE-CMPivitEvents.txt
// Use the below query to find the Microsoft Endpoint Configuration Manager - CMPivot initiated queries executed on devices
// Microsoft Endpoint Configuration Manager
DeviceEvents
// | where DeviceName == "client01.corp.net"
| where ActionType == "PowerShellCommand"
| where InitiatingProcessCommandLine contains @"C:\windows\CCM\ScriptStore"
| extend pcommand = parse_command_line(InitiatingProcessCommandLine, "windows")
| where pcommand contains "-wmiquery"
| extend pcommand2 = split(pcommand, "-wmiquery")
| mv-expand pcommand2