Skip to content

Instantly share code, notes, and snippets.

View olafhartong's full-sized avatar

Olaf Hartong olafhartong

947 followers · 4 following
View GitHub Profile
@olafhartong
olafhartong / sunburst_countermeasures.md
Created December 14, 2020 08:47

FireEye Sunburst KQL Detections

FireEye released a very interesting article regarding a third-party compromise of Solarwinds, the detections that are possible in Defender for Endpoint are listed below

Blog post

All FireEye detections

DeviceEvents
@olafhartong
olafhartong / feedly-olafhartong-2020-09-24.opml
Created September 24, 2020 20:06
<?xml version="1.0" encoding="UTF-8"?>
<opml version="1.0">
<head>
<title>Olaf subscriptions in feedly Cloud</title>
</head>
<body>
<outline text="PublicFeeds" title="PublicFeeds">
<outline type="rss" text="top scoring links : netsec" title="top scoring links : netsec" xmlUrl="http://www.reddit.com/r/netsec/top/.rss" htmlUrl="https://www.reddit.com/r/netsec/top/"/>
<outline type="rss" text="For [Blue|Purple] Teams in Cyber Defence" title="For [Blue|Purple] Teams in Cyber Defence" xmlUrl="https://www.reddit.com/r/blueteamsec.rss" htmlUrl="https://www.reddit.com/r/blueteamsec"/>
@olafhartong
olafhartong / UserWritableLocations.ps1
Created June 2, 2020 07:27
# Paths that we've already excluded via AppLocker.
$exclusions = @()
# Paths to process.
$paths = @(
"C:\Windows"
)
# Setup log.
$log = "$PSScriptRoot\UserWritableLocations.log"
@olafhartong
olafhartong / sysmon-11.1-schema.xml
Created May 13, 2020 07:45
<manifest schemaversion="4.31" binaryversion="9.20">
<configuration>
<options>
<!-- Command-line only options -->
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" />
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" />
<option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" />
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" />
<option switch="t" name="DebugMode" argument="optional" noconfig="true" />
<option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" />
@olafhartong
olafhartong / sysmon-11-schema.xml
Created April 23, 2020 18:36
<manifest schemaversion="4.30" binaryversion="9.20">
<configuration>
<options>
<!-- Command-line only options -->
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" />
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" />
<option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" />
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" />
<option switch="t" name="DebugMode" argument="optional" noconfig="true" />
<option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" />
@olafhartong
olafhartong / sysmon-104-schema.xml
Created August 27, 2019 18:38
<manifest schemaversion="4.22" binaryversion="9.20">
<configuration>
<options>
<!-- Command-line only options -->
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" />
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" />
<option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" />
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" />
<option switch="t" name="DebugMode" argument="optional" noconfig="true" />
<option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" />
@olafhartong
olafhartong / sysmon-91-schema
Created June 5, 2019 06:28
<manifest schemaversion="4.21" binaryversion="9.10">
<configuration>
<options>
<!-- Command-line only options -->
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" />
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" />
<option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" />
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" />
<option switch="t" name="DebugMode" argument="optional" noconfig="true" />
<option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" />
@olafhartong
olafhartong / daan
Created March 21, 2019 11:26
# Required module > ImportExcel
# Install it like this > "Install-Module ImportExcel"
#
# Get the dataset from the ATT&CK matrix
# TODO:
# Diff online and offline, to only download on updates
# parameters for download, xlsx file and so on.
write-host "[+] Loading MITRE ATT&CK Data" -ForegroundColor Cyan
$dataset=Get-Content -Path enterprise-attack.json | ConvertFrom-Json | Select-Object -ExpandProperty objects | where type -eq "attack-pattern"
@olafhartong
olafhartong / sysmon-9-schema
Created February 19, 2019 08:35
<manifest schemaversion="4.2" binaryversion="8.00">
<configuration>
<options>
<!-- Command-line only options -->
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" />
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" />
<option switch="u" name="UnInstall" argument="none" noconfig="true" exclusive="true" />
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" />
<option switch="t" name="DebugMode" argument="none" noconfig="true" />
<option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" />
@olafhartong
olafhartong / Get-InjectedThread.ps1
Created January 7, 2019 12:44 — forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION