Skip to content

Instantly share code, notes, and snippets.

View olafhartong's full-sized avatar

Olaf Hartong olafhartong

1.1k followers · 4 following
View GitHub Profile
@olafhartong
olafhartong / TLGMetadataParser.psm1
Created March 22, 2025 15:23 — forked from mattifestation/TLGMetadataParser.psm1
Retrieves TraceLogging metadata from a file.
#requires -version 5
<#
The things you find on Google searching for specific GUIDs...
Known Keyword friendly names:
"UTC:::CATEGORYDEFINITION.MS.CRITICALDATA":"140737488355328"
"UTC:::CATEGORYDEFINITION.MS.MEASURES":"70368744177664"
"UTC:::CATEGORYDEFINITION.MS.TELEMETRY":"35184372088832"
"UTC:::CATEGORYDEFINITION.MSWLAN.CRITICALDATA":"2147483648"
@olafhartong
olafhartong / Windows-CLSID.csv
Last active March 9, 2025 04:35
We can't make this file beautiful and searchable because it's too large.
CLSID,ClassName
{0000031A-0000-0000-C000-000000000046},CLSID
{0000002F-0000-0000-C000-000000000046},CLSID CLSID_RecordInfo
{00000100-0000-0010-8000-00AA006D2EA4},CLSID DAO.DBEngine.36
{00000101-0000-0010-8000-00AA006D2EA4},CLSID DAO.PrivateDBEngine.36
{00000103-0000-0010-8000-00AA006D2EA4},CLSID DAO.TableDef.36
{00000104-0000-0010-8000-00AA006D2EA4},CLSID DAO.Field.36
{00000105-0000-0010-8000-00AA006D2EA4},CLSID DAO.Index.36
{00000106-0000-0010-8000-00AA006D2EA4},CLSID DAO.Group.36
{00000107-0000-0010-8000-00AA006D2EA4},CLSID DAO.User.36
@olafhartong
olafhartong / GetTracelogProviderSecurity.ps1
Created January 3, 2025 14:08
### USAGE:
###
### GetTracelogProviderSecurity.ps1 (to get all provider info)
###
### GetTracelogProviderSecurity.ps1 -ProviderName f2e68291-2367-5d51-3488-46f7a0e3f2cf
### (to get the info for 1 provider guid)
##
#
# Provider: f2e68291-2367-5d51-3488-46f7a0e3f2cf
# Control Flags: 45076
@olafhartong
olafhartong / 2021-1675-spooler-imageloads.kql
Last active November 2, 2024 13:39
2021-1675 - PrintNightmare KQL - MDE
let serverlist=DeviceInfo
| where DeviceType != "Workstation"
| distinct DeviceId;
let suspiciousdrivers=DeviceImageLoadEvents
| where DeviceId in (serverlist)
| where FolderPath startswith @"c:\windows\system32\spool\drivers"
| distinct SHA1
| invoke FileProfile(SHA1, 1000)
| where GlobalPrevalence < 50 and IsRootSignerMicrosoft != 1 and SignatureState != "SignedValid";
suspiciousdrivers
@olafhartong
olafhartong / Sysmon-15-schema.xml
Created June 22, 2023 10:47
<manifest schemaversion="4.90" binaryversion="18">
<configuration>
<options>
<!-- Command-line only options -->
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" />
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" />
<option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" />
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" />
<option switch="z" name="ClipboardInstance" argument="required" noconfig="true" exclusive="true" />
<option switch="t" name="DebugMode" argument="optional" noconfig="true" />
@olafhartong
olafhartong / sunburst_countermeasures.md
Created December 14, 2020 08:47

FireEye Sunburst KQL Detections

FireEye released a very interesting article regarding a third-party compromise of Solarwinds, the detections that are possible in Defender for Endpoint are listed below

Blog post

All FireEye detections

DeviceEvents
@olafhartong
olafhartong / Sysmon-14-schema.xml
Last active September 27, 2022 11:06
<manifest schemaversion="4.82" binaryversion="17">
<configuration>
<options>
<!-- Command-line only options -->
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" />
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" />
<option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" />
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" />
<option switch="z" name="ClipboardInstance" argument="required" noconfig="true" exclusive="true" />
<option switch="t" name="DebugMode" argument="optional" noconfig="true" />
@olafhartong
olafhartong / msoffice-fileblock.xml
Created August 16, 2022 17:28
<Sysmon schemaversion="4.82">
<EventFiltering>
<RuleGroup name="" groupRelation="or">
<FileBlockExecutable onmatch="include">
<Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">excel.exe</Image>
<Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">winword.exe</Image>
<Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">powerpnt.exe</Image>
<Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">outlook.exe</Image>
<Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">msaccess.exe</Image>
<Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">mspub.exe</Image>
@olafhartong
olafhartong / download-block-example.xml
Created August 16, 2022 17:19
<Sysmon schemaversion="4.82">
<EventFiltering>
<RuleGroup name="" groupRelation="or">
<FileBlockExecutable onmatch="include">
<TargetFilename condition="contains all">C:\Users;Downloads</TargetFilename>
</FileBlockExecutable>
</RuleGroup>
</EventFiltering>
</Sysmon>
@olafhartong
olafhartong / sysmon-linux-sample-config.xml
Last active July 31, 2022 01:55
<Sysmon schemaversion="4.70">
<EventFiltering>
<RuleGroup name="" groupRelation="or">
<ProcessCreate onmatch="exclude">
<Rule name="" groupRelation="and">
<Image condition="is">/usr/bin/groups</Image>
<ParentImage condition="is">/usr/bin/bash</ParentImage>
</Rule>
<Rule name="" groupRelation="and">
<Image condition="is">/usr/bin/locale-check</Image>