

FireEye Sunburst SPL Detections

FireEye released a very interesting article regarding a third-party compromise of SolarWinds; the detections that are possible with Sysmon are listed below.

Blog post

All FireEye detections

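index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=7 Image="C:\\Windows\\System32\\svchost.exe" AND ImageLoaded="*NetSetupSvc.dll" ```Sysmon Event ID 7 (ImageLoad) names the loading process in the Image field, not ParentImage; SPL boolean operators must be upper-case, and backslashes in quoted paths are doubled consistently```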
<manifest schemaversion="4.50" binaryversion="13.0">
<configuration>
<options>
<!-- Command-line only options -->
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" />
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" />
<option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" />
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" />
<option switch="z" name="ClipboardInstance" argument="required" noconfig="true" exclusive="true" />
<option switch="t" name="DebugMode" argument="optional" noconfig="true" />
olafhartong / 2021-1675-spooler-imageloads.kql
2021-1675 - PrintNightmare KQL - MDE
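// Scope the hunt to non-workstation devices (the query deliberately drops clients).
let serverlist=DeviceInfo
| where DeviceType != "Workstation"
| distinct DeviceId;
// Image loads from the print spooler driver store on those devices, reduced to unique
// hashes and enriched with file reputation. Output is per hash only: join back to
// DeviceImageLoadEvents on SHA1 when host and timestamp context is needed.
let suspiciousdrivers=DeviceImageLoadEvents
| where DeviceId in (serverlist)
| where FolderPath startswith @"c:\windows\system32\spool\drivers"
// Rows without a hash cannot be profiled; drop them before the distinct/enrichment step.
| where isnotempty(SHA1)
| distinct SHA1
| invoke FileProfile(SHA1, 1000)
// Keep rare OR unknown files. GlobalPrevalence is empty when Microsoft has no data for the
// hash, and a bare "GlobalPrevalence < 50" evaluates to null (treated as false) for those
// rows, silently hiding the never-before-seen drivers this hunt is most interested in.
// NOTE(review): IsRootSignerMicrosoft is documented as a boolean; "!= 1" relies on implicit
// conversion - confirm it behaves as intended before relying on this filter.
| where (isnull(GlobalPrevalence) or GlobalPrevalence < 50)
    and IsRootSignerMicrosoft != 1
    and SignatureState != "SignedValid";
suspiciousdrivers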
# Paths that we've already excluded via AppLocker (nothing excluded by default).
$exclusions = @()

# Root paths the script walks looking for user-writable locations.
$paths = @("C:\Windows")

# Log file next to the script.
# NOTE: $PSScriptRoot is only populated when this runs from a saved .ps1; pasted into an
# interactive session it is empty and the log path resolves to "\UserWritableLocations.log".
$log = "$PSScriptRoot\UserWritableLocations.log"
<manifest schemaversion="4.30" binaryversion="9.20">
<configuration>
<options>
<!-- Command-line only options -->
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" />
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" />
<option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" />
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" />
<option switch="t" name="DebugMode" argument="optional" noconfig="true" />
<option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" />
<?xml version="1.0" encoding="UTF-8"?>
<opml version="1.0">
<head>
<title>Olaf subscriptions in feedly Cloud</title>
</head>
<body>
<outline text="PublicFeeds" title="PublicFeeds">
<outline type="rss" text="top scoring links : netsec" title="top scoring links : netsec" xmlUrl="http://www.reddit.com/r/netsec/top/.rss" htmlUrl="https://www.reddit.com/r/netsec/top/"/>
<outline type="rss" text="For [Blue|Purple] Teams in Cyber Defence" title="For [Blue|Purple] Teams in Cyber Defence" xmlUrl="https://www.reddit.com/r/blueteamsec.rss" htmlUrl="https://www.reddit.com/r/blueteamsec"/>
<manifest schemaversion="4.60" binaryversion="14.0">
<configuration>
<options>
<!-- Command-line only options -->
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" />
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" />
<option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" />
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" />
<option switch="z" name="ClipboardInstance" argument="required" noconfig="true" exclusive="true" />
<option switch="t" name="DebugMode" argument="optional" noconfig="true" />
<Sysmon schemaversion="4.70">
<EventFiltering>
<RuleGroup name="" groupRelation="or">
<ProcessCreate onmatch="exclude">
<Rule name="" groupRelation="and">
<Image condition="is">/usr/bin/groups</Image>
<ParentImage condition="is">/usr/bin/bash</ParentImage>
</Rule>
<Rule name="" groupRelation="and">
<Image condition="is">/usr/bin/locale-check</Image>
<Sysmon schemaversion="4.82">
<EventFiltering>
<RuleGroup name="" groupRelation="or">
<!-- FileBlockExecutable (Sysmon Event ID 27) blocks the creation of executable files whose
     path matches an include rule. "contains all" requires every ';'-separated term to appear
     in the path, so this blocks executables written to any path containing both "C:\Users"
     and "Downloads" (e.g. a user's Downloads folder). Other user-writable locations are
     not covered by this rule. -->
<FileBlockExecutable onmatch="include">
<TargetFilename condition="contains all">C:\Users;Downloads</TargetFilename>
</FileBlockExecutable>
<!-- Only this event type is configured here; merge it into a full Sysmon config before deployment. -->
</RuleGroup>
</EventFiltering>
</Sysmon>
<Sysmon schemaversion="4.82">
<EventFiltering>
<RuleGroup name="" groupRelation="or">
<FileBlockExecutable onmatch="include">
<Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">excel.exe</Image>
<Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">winword.exe</Image>
<Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">powerpnt.exe</Image>
<Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">outlook.exe</Image>
<Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">msaccess.exe</Image>
<Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">mspub.exe</Image>