
Jonathan Johnson jsecurity101

@jsecurity101
jsecurity101 / LDAPQueries.md
Created October 25, 2023 15:05
List of known LDAP queries used by attackers

List was compiled by Jonathan Johnson (@jsecurity101) and Carlos Perez (@Carlos_Perez)

The queries are not exhaustive and are meant as a reference. If you use them for hunting, match with a "contains" (substring) operator in your query language rather than exact equality, since tooling frequently appends or reorders clauses.

  • Kerberoasting
    • (&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
    • (&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!msds-supportedencryptiontypes:1.2.840.113556.1.4.804:=24)) (the bit-OR rule against 24 = AES128 | AES256 is negated, so this selects SPN accounts that do not advertise AES, i.e. RC4-only targets)
    • (&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(msds-supportedencryptiontypes:1.2.840.113556.1.4.804:=24)) (same query without the negation: AES-capable SPN accounts)
  • Attributes with passwords
    • (userpassword=*)
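As an added example (not part of the gist), the "contains" advice applied in code: the queries above are stored as fragments (the trailing `)` of the Kerberoasting filter is dropped so that extended variants still match), every filter is normalised for case and whitespace, and the matcher is run over constructed sample lines in the shape of a domain controller's Event ID 1644 search-filter fields. The log line format, client addresses and the `hunt`/`classify` names are assumptions for illustration; the filter strings are the ones listed above.

```python
"""Hunt for known-attacker LDAP search filters using substring ("contains") matching."""
import re
from typing import Dict, List, Tuple

# Fragments of the attacker queries listed above. They are matched with
# "in" rather than "==", so a tool that tacks extra clauses onto the filter
# (e.g. the AES/RC4 encryption-type clause) still hits.
KNOWN_ATTACKER_FILTERS: Dict[str, str] = {
    # Final ")" intentionally omitted so longer variants of the query match too.
    "kerberoasting": (
        "(&(samAccountType=805306368)(servicePrincipalName=*)"
        "(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))"
    ),
    # Bit-OR matching rule (…804) against 24 = AES128 (8) | AES256 (16),
    # negated: accounts that only offer RC4 service tickets.
    "kerberoasting_rc4_only": "(!msds-supportedencryptiontypes:1.2.840.113556.1.4.804:=24)",
    "password_in_attribute": "(userpassword=*)",
}


def normalize(ldap_filter: str) -> str:
    """Strip whitespace and lowercase so spacing/case variations don't defeat the match."""
    return re.sub(r"\s+", "", ldap_filter).lower()


def classify(ldap_filter: str) -> List[str]:
    """Return the names of every known attacker fragment contained in the filter."""
    haystack = normalize(ldap_filter)
    return sorted(
        name for name, frag in KNOWN_ATTACKER_FILTERS.items()
        if normalize(frag) in haystack
    )


# Constructed sample log (assumed format): client address and the search filter,
# as a DC's Event ID 1644 (expensive/inefficient LDAP search) would expose them.
SAMPLE_LOG = """\
client=10.0.0.5:49812 filter=(&(objectClass=user)(sAMAccountName=jdoe))
client=10.0.0.7:51234 filter=(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
client=10.0.0.9:50021 filter=(&(objectCategory=person)(userPassword=*))
client=10.0.0.7:51240 filter=(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!msds-supportedencryptiontypes:1.2.840.113556.1.4.804:=24))
"""

LINE_RE = re.compile(r"client=(?P<client>\S+)\s+filter=(?P<filter>\S+)")


def hunt(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (client, matched_names) for each log line whose filter contains a known fragment."""
    hits: List[Tuple[str, List[str]]] = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a search-filter line
        names = classify(m.group("filter"))
        if names:
            hits.append((m.group("client"), names))
    return hits


if __name__ == "__main__":
    for client, names in hunt(SAMPLE_LOG):
        print(f"{client}: {', '.join(names)}")
```

The fourth sample line matches both the base Kerberoasting fragment and the RC4-only clause; an equality check against the first query on the list would have missed it entirely, which is the point of the "contains" advice.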
@jsecurity101
jsecurity101 / LOLDriverConfig.ps1
Last active October 31, 2023 13:45
PowerShell script that creates an audit or block Sysmon config based on the LOLDrivers list
#Author: Jonathan Johnson (@jsecurity101)
function New-DriverConfig {
<#
.EXAMPLE
New-DriverConfig -Block
Creates driver block config in the current directory
.EXAMPLE
###################### Winlogbeat Configuration Example ########################
# This file is an example configuration file highlighting only the most common
# options. The winlogbeat.reference.yml file from the same directory contains
# all the supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/winlogbeat/index.html
# ======================== Winlogbeat specific options =========================
@jsecurity101
jsecurity101 / gist:dc8bfc035cdaa42f87b2937dd2cef83b
Created September 11, 2023 16:28
MACRO_STATUS Enum for IDA
enum MACRO_STATUS : __int64
{
STATUS_WAIT_0 = 0x0,
STATUS_SEVERITY_INFORMATIONAL = 0x1,
STATUS_SEVERITY_WARNING = 0x2,
STATUS_SEVERITY_ERROR = 0x3,
STATUS_SUCCESS = 0x0,
STATUS_WAIT_1 = 0x1,
STATUS_WAIT_2 = 0x2,
STATUS_WAIT_3 = 0x3,
EventId Event Description
1 THREATINT_ALLOCVM_REMOTE
2 THREATINT_PROTECTVM_REMOTE
3 THREATINT_MAPVIEW_REMOTE
4 THREATINT_QUEUEUSERAPC_REMOTE
5 THREATINT_SETTHREADCONTEXT_REMOTE
6 THREATINT_ALLOCVM_LOCAL
7 THREATINT_PROTECTVM_LOCAL
8 THREATINT_MAPVIEW_LOCAL
11 THREATINT_READVM_LOCAL
@jsecurity101
jsecurity101 / ProtectionChecks.ps1
Last active July 31, 2023 00:00
PowerShell script that reports whether a process or service is running as a protected process (PPL).
#Author: Jonathan Johnson (@jsecurity101)
if (-not ('ProtectedObjects.ProcessNativeMethods' -as [Type])) {
$TypeDef = @'
using System;
using System.Runtime.InteropServices;
namespace ProtectedObjects {
[Flags]
public enum ProcessAccess {
@jsecurity101
jsecurity101 / KerberosCorrelation.ipynb
Last active June 18, 2023 17:03
Kerberos Detection/Investigation
if (-not ('TokenInformation.ProcessNativeMethods' -as [type])){
$TypeDef = @'
using System;
using System.Runtime.InteropServices;
namespace TokenInformation {
[Flags]
public enum ProcessAccess {
All = 0x001FFFFF,
Terminate = 0x00000001,
rpc
filter
add rule layer=um actiontype=permit
add condition field=if_uuid matchtype=equal data=<uuidguid>
add condition field=auth_type matchtype=equal data=16
add condition field=auth_level matchtype=equal data=6
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=<uuidguid>
add filter