Skip to content

Instantly share code, notes, and snippets.

View sysmon-450-schema.xml
<manifest schemaversion="4.50" binaryversion="13.0">
<configuration>
<options>
<!-- Command-line only options -->
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" />
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" />
<option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" />
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" />
<option switch="z" name="ClipboardInstance" argument="required" noconfig="true" exclusive="true" />
<option switch="t" name="DebugMode" argument="optional" noconfig="true" />
View sunburst_countermeasures.md

FireEye Sunburst KQL Detections

FireEye released a very interesting article regarding a third-party compromise of Solarwinds, the detections that are possible in Defender for Endpoint are listed below

Blog post

All FireEye detections

DeviceEvents
View sunburst_countermeasures_sysmon.md

FireEye Sunburst SPL Detections

FireEye released a very interesting article regarding a third-party compromise of Solarwinds, the detections that are possible with Sysmon are listed below

Blog post

All FireEye detections

index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=7 ParentImage="C:\\Windows\System32\\svchost.exe" and ImageLoaded="*NetSetupSvc.dll"
View feedly-olafhartong-2020-09-24.opml
<?xml version="1.0" encoding="UTF-8"?>
<opml version="1.0">
<head>
<title>Olaf subscriptions in feedly Cloud</title>
</head>
<body>
<outline text="PublicFeeds" title="PublicFeeds">
<outline type="rss" text="top scoring links : netsec" title="top scoring links : netsec" xmlUrl="http://www.reddit.com/r/netsec/top/.rss" htmlUrl="https://www.reddit.com/r/netsec/top/"/>
<outline type="rss" text="For [Blue|Purple] Teams in Cyber Defence" title="For [Blue|Purple] Teams in Cyber Defence" xmlUrl="https://www.reddit.com/r/blueteamsec.rss" htmlUrl="https://www.reddit.com/r/blueteamsec"/>
@olafhartong
olafhartong / Get-InjectedThread.ps1
Created Jan 7, 2019 — forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
View Get-InjectedThread.ps1
function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION
View UserWritableLocations.ps1
# Paths that we've already excluded via AppLocker.
$exclusions = @()
# Paths to process.
$paths = @(
"C:\Windows"
)
# Setup log.
$log = "$PSScriptRoot\UserWritableLocations.log"
View sysmon-11.1-schema.xml
<manifest schemaversion="4.31" binaryversion="9.20">
<configuration>
<options>
<!-- Command-line only options -->
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" />
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" />
<option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" />
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" />
<option switch="t" name="DebugMode" argument="optional" noconfig="true" />
<option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" />
View sysmon-11-schema.xml
<manifest schemaversion="4.30" binaryversion="9.20">
<configuration>
<options>
<!-- Command-line only options -->
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" />
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" />
<option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" />
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" />
<option switch="t" name="DebugMode" argument="optional" noconfig="true" />
<option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" />
View sysmon-104-schema.xml
<manifest schemaversion="4.22" binaryversion="9.20">
<configuration>
<options>
<!-- Command-line only options -->
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" />
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" />
<option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" />
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" />
<option switch="t" name="DebugMode" argument="optional" noconfig="true" />
<option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" />
View sysmon-91-schema
<manifest schemaversion="4.21" binaryversion="9.10">
<configuration>
<options>
<!-- Command-line only options -->
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" />
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" />
<option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" />
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" />
<option switch="t" name="DebugMode" argument="optional" noconfig="true" />
<option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" />