FireEye released a very interesting article regarding a third-party compromise of SolarWinds; the detections that are possible in Defender for Endpoint are listed below.
DeviceEvents

<Sysmon schemaversion="4.70">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Rule name="" groupRelation="and">
          <Image condition="is">/usr/bin/groups</Image>
          <ParentImage condition="is">/usr/bin/bash</ParentImage>
        </Rule>
        <Rule name="" groupRelation="and">
          <Image condition="is">/usr/bin/locale-check</Image>

# Sinkhole copilot
0.0.0.0 copilot.microsoft.com
0.0.0.0 cdp.copilot.microsoft.com
0.0.0.0 nochat.bing.com

CLSID,ClassName
{0000031A-0000-0000-C000-000000000046},CLSID
{0000002F-0000-0000-C000-000000000046},CLSID CLSID_RecordInfo
{00000100-0000-0010-8000-00AA006D2EA4},CLSID DAO.DBEngine.36
{00000101-0000-0010-8000-00AA006D2EA4},CLSID DAO.PrivateDBEngine.36
{00000103-0000-0010-8000-00AA006D2EA4},CLSID DAO.TableDef.36
{00000104-0000-0010-8000-00AA006D2EA4},CLSID DAO.Field.36
{00000105-0000-0010-8000-00AA006D2EA4},CLSID DAO.Index.36
{00000106-0000-0010-8000-00AA006D2EA4},CLSID DAO.Group.36
{00000107-0000-0010-8000-00AA006D2EA4},CLSID DAO.User.36

#requires -version 5
<#
The things you find on Google searching for specific GUIDs...
Known Keyword friendly names:
"UTC:::CATEGORYDEFINITION.MS.CRITICALDATA":"140737488355328"
"UTC:::CATEGORYDEFINITION.MS.MEASURES":"70368744177664"
"UTC:::CATEGORYDEFINITION.MS.TELEMETRY":"35184372088832"
"UTC:::CATEGORYDEFINITION.MSWLAN.CRITICALDATA":"2147483648"

### USAGE:
###
### GetTracelogProviderSecurity.ps1 (to get all provider info)
###
### GetTracelogProviderSecurity.ps1 -ProviderName f2e68291-2367-5d51-3488-46f7a0e3f2cf
### (to get the info for 1 provider guid)
##
#
# Provider: f2e68291-2367-5d51-3488-46f7a0e3f2cf
# Control Flags: 45076

let serverlist=DeviceInfo
| where DeviceType != "Workstation"
| distinct DeviceId;
let suspiciousdrivers=DeviceImageLoadEvents
| where DeviceId in (serverlist)
| where FolderPath startswith @"c:\windows\system32\spool\drivers"
| distinct SHA1
| invoke FileProfile(SHA1, 1000)
| where GlobalPrevalence < 50 and IsRootSignerMicrosoft != 1 and SignatureState != "SignedValid";
suspiciousdrivers

<manifest schemaversion="4.90" binaryversion="18">
  <configuration>
    <options>
      <!-- Command-line only options -->
      <option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" />
      <option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" />
      <option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" />
      <option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" />
      <option switch="z" name="ClipboardInstance" argument="required" noconfig="true" exclusive="true" />
      <option switch="t" name="DebugMode" argument="optional" noconfig="true" />

<manifest schemaversion="4.82" binaryversion="17">
  <configuration>
    <options>
      <!-- Command-line only options -->
      <option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" />
      <option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" />
      <option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" />
      <option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" />
      <option switch="z" name="ClipboardInstance" argument="required" noconfig="true" exclusive="true" />
      <option switch="t" name="DebugMode" argument="optional" noconfig="true" />

<Sysmon schemaversion="4.82">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <FileBlockExecutable onmatch="include">
        <Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">excel.exe</Image>
        <Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">winword.exe</Image>
        <Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">powerpnt.exe</Image>
        <Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">outlook.exe</Image>
        <Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">msaccess.exe</Image>
        <Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">mspub.exe</Image>