FireEye released a very interesting article regarding a third-party compromise of Solarwinds, the detections that are possible in Defender for Endpoint are listed below
DeviceEvents
Olaf Hartong olafhartong
olafhartong
/ sysmon-11.1-schema.xml
Created
May 13, 2020 07:45
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <manifest schemaversion="4.31" binaryversion="9.20"> | |
| <configuration> | |
| <options> | |
| <!-- Command-line only options --> | |
| <option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" /> | |
| <option switch="t" name="DebugMode" argument="optional" noconfig="true" /> | |
| <option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" /> |
olafhartong
/ UserWritableLocations.ps1
Created
June 2, 2020 07:27
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Paths that we've already excluded via AppLocker. | |
| $exclusions = @() | |
| # Paths to process. | |
| $paths = @( | |
| "C:\Windows" | |
| ) | |
| # Setup log. | |
| $log = "$PSScriptRoot\UserWritableLocations.log" |
olafhartong
/ feedly-olafhartong-2020-09-24.opml
Created
September 24, 2020 20:06
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <opml version="1.0"> | |
| <head> | |
| <title>Olaf subscriptions in feedly Cloud</title> | |
| </head> | |
| <body> | |
| <outline text="PublicFeeds" title="PublicFeeds"> | |
| <outline type="rss" text="top scoring links : netsec" title="top scoring links : netsec" xmlUrl="http://www.reddit.com/r/netsec/top/.rss" htmlUrl="https://www.reddit.com/r/netsec/top/"/> | |
| <outline type="rss" text="For [Blue|Purple] Teams in Cyber Defence" title="For [Blue|Purple] Teams in Cyber Defence" xmlUrl="https://www.reddit.com/r/blueteamsec.rss" htmlUrl="https://www.reddit.com/r/blueteamsec"/> |
olafhartong
/ sunburst_countermeasures.md
Created
December 14, 2020 08:47
olafhartong
/ sunburst_countermeasures_sysmon.md
Last active
December 20, 2020 14:29
FireEye released a very interesting article regarding a third-party compromise of Solarwinds, the detections that are possible with Sysmon are listed below
index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=7 ParentImage="C:\\Windows\System32\\svchost.exe" and ImageLoaded="*NetSetupSvc.dll"
olafhartong
/ sysmon-450-schema.xml
Created
January 10, 2021 13:50
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <manifest schemaversion="4.50" binaryversion="13.0"> | |
| <configuration> | |
| <options> | |
| <!-- Command-line only options --> | |
| <option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" /> | |
| <option switch="z" name="ClipboardInstance" argument="required" noconfig="true" exclusive="true" /> | |
| <option switch="t" name="DebugMode" argument="optional" noconfig="true" /> |
olafhartong
/ sysmon-460-schema.xml
Created
April 2, 2021 11:20
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <manifest schemaversion="4.60" binaryversion="14.0"> | |
| <configuration> | |
| <options> | |
| <!-- Command-line only options --> | |
| <option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" /> | |
| <option switch="z" name="ClipboardInstance" argument="required" noconfig="true" exclusive="true" /> | |
| <option switch="t" name="DebugMode" argument="optional" noconfig="true" /> |
olafhartong
/ Windows-CLSID.csv
Last active
March 14, 2024 02:48
We can't make this file beautiful and searchable because it's too large.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| CLSID,ClassName | |
| {0000031A-0000-0000-C000-000000000046},CLSID | |
| {0000002F-0000-0000-C000-000000000046},CLSID CLSID_RecordInfo | |
| {00000100-0000-0010-8000-00AA006D2EA4},CLSID DAO.DBEngine.36 | |
| {00000101-0000-0010-8000-00AA006D2EA4},CLSID DAO.PrivateDBEngine.36 | |
| {00000103-0000-0010-8000-00AA006D2EA4},CLSID DAO.TableDef.36 | |
| {00000104-0000-0010-8000-00AA006D2EA4},CLSID DAO.Field.36 | |
| {00000105-0000-0010-8000-00AA006D2EA4},CLSID DAO.Index.36 | |
| {00000106-0000-0010-8000-00AA006D2EA4},CLSID DAO.Group.36 | |
| {00000107-0000-0010-8000-00AA006D2EA4},CLSID DAO.User.36 |
olafhartong
/ 2021-1675-spooler-imageloads.kql
Last active
August 3, 2021 17:34
2021-1675 - PrintNightmare KQL - MDE
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| let serverlist=DeviceInfo | |
| | where DeviceType != "Workstation" | |
| | distinct DeviceId; | |
| let suspiciousdrivers=DeviceImageLoadEvents | |
| | where DeviceId in (serverlist) | |
| | where FolderPath startswith @"c:\windows\system32\spool\drivers" | |
| | distinct SHA1 | |
| | invoke FileProfile(SHA1, 1000) | |
| | where GlobalPrevalence < 50 and IsRootSignerMicrosoft != 1 and SignatureState != "SignedValid"; | |
| suspiciousdrivers |
olafhartong
/ sysmon-linux-sample-config.xml
Last active
July 31, 2022 01:55
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Sysmon schemaversion="4.70"> | |
| <EventFiltering> | |
| <RuleGroup name="" groupRelation="or"> | |
| <ProcessCreate onmatch="exclude"> | |
| <Rule name="" groupRelation="and"> | |
| <Image condition="is">/usr/bin/groups</Image> | |
| <ParentImage condition="is">/usr/bin/bash</ParentImage> | |
| </Rule> | |
| <Rule name="" groupRelation="and"> | |
| <Image condition="is">/usr/bin/locale-check</Image> |