Braxton Williams cthulhusec
ecapuano
/ gist:13386852fb80beac4561f2bed569095e
Created
March 7, 2021 04:00
HAFNIUM IIS Log Search Patterns
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Quick tip to find super common artifacts of the HAFNIUM Exchange attacks with nothing more than IIS logs... | |
| # Run this grep pattern against all logs in C:\inetpub\logs\LogFiles\W3SVC1 | |
| # | |
| # https://twitter.com/eric_capuano | |
| # Quick check for likely successful attacks | |
| ## Bash (faster) | |
| egrep -i '((POST.*\/aspnet_client\/)|(system_web\/[A-Za-z0-9]{8}\.aspx|\/ecp\/y\.js)).*2[0-9]{2}\s[0-9]+' *.log | |
| ## PowerShell | |
| Select-String -Pattern '((POST.*\/aspnet_client\/)|(system_web\/[A-Za-z0-9]{8}\.aspx|\/ecp\/y\.js)).*2[0-9]{2}\s[0-9]+' *.log |
IISResetMe
/ Log-ChromeExtension.ps1
Created
June 13, 2019 13:48
Discover chrome extensions and log information about them to event log
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .SYNOPSIS | |
| Inventory Chrome Extension information and dump the info to the Windows Event Log | |
| .DESCRIPTION | |
| This is a simplified adaptation of zsattler's Set-ChromeExtensions.ps1 which writes extension info to a WMI namespace for SCCM to pick up | |
| This version writes the information to a custom Windows Event Log instead, easily picked up for WEF or similar log forwarding tools. | |
| Original script: https://github.com/zsattler/PowerShell/blob/master/Set-ChromeExtensions/Set-ChromeExtensions.ps1 | |
| Original blog post: https://zsattler.wordpress.com/2017/02/27/chrome-extension-inventory-for-sccm/ |