eduardomcm
/ HAFNIUM_Webshell.yaml
Created
August 30, 2021 16:14
— forked from mgreen27/HAFNIUM_Webshell.yaml
HAFNIUM Webshell VQL
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Custom.Packs.HAFNIUM.Windows.WebshellSearch | |
| author: Matt Green - @mgreen27 | |
| description: | | |
| This artifact will hunt for Webshells associated with the HAFNIUM campaign as | |
| reported by Microsoft and Volexity. | |
| The default artifact will discover all ASPX files on C: then run a preconfigured | |
| yara rule. Yara can be supplied by the YaraRule parameter or alternatively a | |
| URL can be set to enable download of remote rule set. | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Custom.Windows.EZ.SBECmd | |
| description: | | |
| Execute Eric Zimmerman's SBECmd and return output for analysis | |
| Objective: | |
| - Find which folders were accessed on the local machine, the network, and/or removable devices. Evidence of previously existing folders after deletion/overwrite. When certain folders were accessed. | |
| Interpretation: | |
eduardomcm
/ Bitsadmin.yaml
Created
May 21, 2021 23:20
— forked from mgreen27/Bitsadmin.yaml
VQL for BitsAdmin suspicious download
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Custom.Windows.EventLogs.Bitsadmin | |
| author: "Matt Green - @mgreen27" | |
| description: | | |
| This content will extract BITS Transfer events and enable filtering by URL | |
| reference: | |
| - https://attack.mitre.org/techniques/T1197/ | |
| - https://mgreen27.github.io/posts/2018/02/18/Sharing_my_BITS.html | |
| parameters: |