Skip to content

Instantly share code, notes, and snippets.

View olafhartong's full-sized avatar

Olaf Hartong olafhartong

950 followers · 4 following
View GitHub Profile
@olafhartong
olafhartong / UserWritableLocations.ps1
Created June 2, 2020 07:27
# Paths that we've already excluded via AppLocker.
$exclusions = @()
# Paths to process.
$paths = @(
"C:\Windows"
)
# Setup log.
$log = "$PSScriptRoot\UserWritableLocations.log"
@olafhartong
olafhartong / 2021-1675-spooler-imageloads.kql
Last active August 3, 2021 17:34
2021-1675 - PrintNightmare KQL - MDE
let serverlist=DeviceInfo
| where DeviceType != "Workstation"
| distinct DeviceId;
let suspiciousdrivers=DeviceImageLoadEvents
| where DeviceId in (serverlist)
| where FolderPath startswith @"c:\windows\system32\spool\drivers"
| distinct SHA1
| invoke FileProfile(SHA1, 1000)
| where GlobalPrevalence < 50 and IsRootSignerMicrosoft != 1 and SignatureState != "SignedValid";
suspiciousdrivers
@olafhartong
olafhartong / sysmon-450-schema.xml
Created January 10, 2021 13:50
<manifest schemaversion="4.50" binaryversion="13.0">
<configuration>
<options>
<!-- Command-line only options -->
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" />
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" />
<option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" />
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" />
<option switch="z" name="ClipboardInstance" argument="required" noconfig="true" exclusive="true" />
<option switch="t" name="DebugMode" argument="optional" noconfig="true" />
@olafhartong
olafhartong / sunburst_countermeasures_sysmon.md
Last active December 20, 2020 14:29

FireEye Sunburst SPL Detections

FireEye released a very interesting article regarding a third-party compromise of Solarwinds, the detections that are possible with Sysmon are listed below

Blog post

All FireEye detections

index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=7 ParentImage="C:\\Windows\System32\\svchost.exe" and ImageLoaded="*NetSetupSvc.dll"
@olafhartong
olafhartong / Get-InjectedThread.ps1
Created January 7, 2019 12:44 — forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION
@olafhartong
olafhartong / sysmon-11.1-schema.xml
Created May 13, 2020 07:45
<manifest schemaversion="4.31" binaryversion="9.20">
<configuration>
<options>
<!-- Command-line only options -->
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" />
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" />
<option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" />
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" />
<option switch="t" name="DebugMode" argument="optional" noconfig="true" />
<option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" />
@olafhartong
olafhartong / sysmon-104-schema.xml
Created August 27, 2019 18:38
<manifest schemaversion="4.22" binaryversion="9.20">
<configuration>
<options>
<!-- Command-line only options -->
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" />
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" />
<option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" />
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" />
<option switch="t" name="DebugMode" argument="optional" noconfig="true" />
<option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" />
@olafhartong
olafhartong / sysmon-91-schema
Created June 5, 2019 06:28
<manifest schemaversion="4.21" binaryversion="9.10">
<configuration>
<options>
<!-- Command-line only options -->
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" />
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" />
<option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" />
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" />
<option switch="t" name="DebugMode" argument="optional" noconfig="true" />
<option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" />
@olafhartong
olafhartong / sysmon-7-schema.xml
Created June 7, 2018 19:37
<manifest schemaversion="4.0" binaryversion="1.01">
<configuration>
<options>
<!-- Command-line only options -->
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" />
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" />
<option switch="u" name="UnInstall" argument="none" noconfig="true" exclusive="true" />
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" />
<option switch="t" name="DebugMode" argument="none" noconfig="true" />
<option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" />
@olafhartong
olafhartong / daan
Created March 21, 2019 11:26
# Required module > ImportExcel
# Install it like this > "Install-Module ImportExcel"
#
# Get the dataset from the ATT&CK matrix
# TODO:
# Diff online and offline, to only download on updates
# parameters for download, xlsx file and so on.
write-host "[+] Loading MITRE ATT&CK Data" -ForegroundColor Cyan
$dataset=Get-Content -Path enterprise-attack.json | ConvertFrom-Json | Select-Object -ExpandProperty objects | where type -eq "attack-pattern"