`powershell` EventCode=4104
| eval DoIt = if(match(Message,"DoIt"), "1", 0)
| eval enccom = if(match(Message,"EncodedCommand"), "1", 0)
| eval base64 = if(match(Message,"FromBase64"), "1", 0)
| eval iex = if(match(Message,"IEX"), "1", 0)
| eval rundll32 = if(match(Message,"rundll32"), "1", 0)
| eval webclient = if(match(Message,"WebClient"), "1", 0)
| eval syswow64 = if(match(Message,"syswow64"), "1", 0)
| eval powver = if(match(Message,"powershell -version"), "1", 0)
MHaggis
/ matching.md
Last active
October 28, 2022 08:13
shipilev
/ jndi-response.md
Last active
February 6, 2022 17:12
- Generate the file:
$ awk 'BEGIN { for(c=0;c<10000000;c++) printf "<p>LOL</p>" }' > 100M.html
$ (for I in `seq 1 100`; do cat 100M.html; done) | pv | gzip -9 > 10G.boomgz
- Check it is indeed good: