name: Custom.Packs.HAFNIUM.Windows.WebshellSearch
author: Matt Green - @mgreen27
description: |
  This artifact will hunt for webshells associated with the HAFNIUM campaign as
  reported by Microsoft and Volexity.

  By default the artifact will discover all ASPX files on C: and then run a
  preconfigured YARA rule against them. The rule can be supplied via the
  YaraRule parameter, or alternatively a URL can be set to download a remote
  rule set.
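The glob-then-YARA flow described above, written out as an added example artifact. This is not the HAFNIUM artifact itself or Matt Green's code; it assumes the Velociraptor VQL plugins glob(), yara(), http_client() and the lazy if() function with their documented names, and the inline YARA rule is a constructed placeholder, not a HAFNIUM signature.

```yaml
name: Custom.Example.Windows.AspxYaraSearch
description: |
  Added example (not the page's artifact): glob for ASPX files, then run a
  YARA rule that is either supplied inline or fetched from YaraUrl.

parameters:
  - name: TargetGlob
    default: C:/**/*.aspx
  - name: YaraUrl
    default: ""
    description: Optional URL of a remote YARA rule set; overrides YaraRule when set.
  - name: YaraRule
    type: yara
    description: Inline YARA rule. This placeholder rule is constructed for the example.
    default: |
      rule example_aspx_eval_marker {
        strings:
          $s = "eval(Request" ascii wide nocase
        condition:
          $s
      }

sources:
  - query: |
      -- Fetch the remote rule set only when a URL is configured; if() is lazy,
      -- so http_client() is never called when YaraUrl is empty.
      LET remote_rules = SELECT Content FROM http_client(url=YaraUrl)
      LET rules <= if(condition=YaraUrl,
                      then=remote_rules[0].Content,
                      else=YaraRule)

      -- Enumerate candidate files first, then scan each one with yara().
      -- Columns from the outer row (FullPath, Size, Mtime) stay in scope
      -- inside the foreach query.
      SELECT FullPath, Size, Mtime,
             Rule, String.Name AS YaraString,
             str(str=String.Data) AS HitData
      FROM foreach(
          row={
              SELECT FullPath, Size, Mtime
              FROM glob(globs=TargetGlob)
              WHERE NOT IsDir
          },
          query={
              SELECT FullPath, Size, Mtime, Rule, String
              FROM yara(files=FullPath, rules=rules)
          })
```

Materialising `rules` with `<=` means the remote fetch happens once per collection rather than once per file; the WHERE NOT IsDir guard keeps directories that happen to end in .aspx out of the yara() call.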
name: Custom.Windows.EZ.SBECmd
description: |
  Execute Eric Zimmerman's SBECmd and return output for analysis

  Objective:
  - Find which folders were accessed on the local machine, the network, and/or removable devices. Evidence of previously existing folders after deletion/overwrite. When certain folders were accessed.

  Interpretation:
name: Custom.Windows.EventLogs.Bitsadmin
author: "Matt Green - @mgreen27"
description: |
  This content will extract BITS Transfer events and enable filtering by URL.
reference:
  - https://attack.mitre.org/techniques/T1197/
  - https://mgreen27.github.io/posts/2018/02/18/Sharing_my_BITS.html
parameters:
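Since the parameter list and query of the Bitsadmin artifact are not shown here, the following is an added example of the same idea (extract BITS transfer events and filter them by URL), not the artifact's own code. It assumes the VQL plugins glob(), parse_evtx() and timestamp(), that the BITS-Client operational log exposes transfer URLs under EventData.url in event IDs 59, 60 and 61, and that the other EventData field names (name, fileLength, bytesTransferred) are as written; the whitelist regex is a constructed illustration.

```yaml
name: Custom.Example.Windows.EventLogs.BitsUrlFilter
description: |
  Added example (not the page's artifact): parse the BITS-Client operational
  log and return transfer jobs whose URL matches UrlRegex, suppressing
  known-good update hosts via UrlWhitelist.

parameters:
  - name: EvtxGlob
    default: C:/Windows/System32/winevt/Logs/Microsoft-Windows-Bits-Client%4Operational.evtx
  - name: UrlRegex
    default: .
    description: Regex the transfer URL must match; the default matches everything.
  - name: UrlWhitelist
    default: ^https?://[^/]*\.(windowsupdate|microsoft)\.com/
    description: Regex for URLs to suppress (constructed example). Set empty to disable.

sources:
  - query: |
      -- BITS job lifecycle events (assumed): 59 = transfer started,
      -- 60 = transfer stopped, 61 = transfer error. EventData field names
      -- (url, name, fileLength, bytesTransferred) are assumed as well.
      LET events = SELECT * FROM foreach(
          row={ SELECT FullPath FROM glob(globs=EvtxGlob) },
          query={ SELECT * FROM parse_evtx(filename=FullPath) })

      -- Aliases defined in SELECT can be referenced in WHERE, so the filter
      -- reads against the flattened column names.
      SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS EventTime,
             System.EventID.Value AS EventID,
             EventData.name AS JobName,
             EventData.url AS Url,
             EventData.fileLength AS FileLength,
             EventData.bytesTransferred AS BytesTransferred
      FROM events
      WHERE EventID IN (59, 60, 61)
        AND Url =~ UrlRegex
        AND NOT (UrlWhitelist AND Url =~ UrlWhitelist)
```

The `NOT (UrlWhitelist AND Url =~ UrlWhitelist)` guard matters because an empty regex matches every string: without the truthiness check, clearing the whitelist parameter would silently drop every row instead of disabling the filter.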