@scudette
Last active June 6, 2021 17:23
Search event logs for bad user accounts
name: Custom.Windows.EventLog.BadAccounts
description: |
  Parses all the event logs on the endpoint and sends back any single event that is
  related to a certain user account or SID (or any string pattern actually).

  This is very useful for finding unknown application event logs related to lateral
  movement.

precondition: SELECT OS From info() where OS = 'windows'

parameters:
  - name: logFiles
    default: C:/Windows/System32/Winevt/Logs/**/*.evtx
  - name: yaraRule
    default: |
      rule X {
        strings:
          $a = "CompromizedAccount1" wide nocase ascii
          $c = "S-1-5-21-BAD-SID" wide nocase ascii
        condition:
          any of them
      }

sources:
  - queries:
      - LET files = SELECT FullPath FROM glob(globs=logFiles)
      - LET events = SELECT * FROM foreach(
            row=files,
            query={
              SELECT *, format(format='%v %v', args=[
                  get(field="EventData"),
                  get(field="UserData")]) AS RawEvent
              FROM parse_evtx(filename=FullPath)
            })
      - SELECT * FROM foreach(row=events,
            query={
              SELECT str(str=String.Data) AS Hit, message,
                     System, EventData, UserData
              FROM yara(rules=yaraRule, files=RawEvent, accessor="data", key="A")
            })
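As an added example (not part of the gist, and not Velociraptor's own code), the following Python mirrors the pipeline the artifact runs on the endpoint: flatten each event's EventData and UserData into one blob, then search that blob for the watch-listed strings with the same semantics the yara rule's `wide nocase ascii` modifiers give (case-insensitive, in both ASCII and UTF-16LE form). The event records, account name, SID, channels and addresses are constructed placeholders, and the `SAMPLE_EVENTS`, `WATCHLIST`, `compile_patterns`, `raw_event` and `scan_events` names are this example's own.

```python
import json
import re

# Constructed sample rows in the shape parse_evtx() returns (System, EventData,
# UserData). Names, SIDs and addresses are placeholders, not real telemetry.
SAMPLE_EVENTS = [
    {   # Security 4624: network logon by the watched account, different letter case
        "System": {"Channel": "Security", "EventID": 4624,
                   "TimeCreated": {"SystemTime": "2021-06-01T10:00:00Z"}},
        "EventData": {"TargetUserName": "compromizedaccount1",
                      "TargetDomainName": "CORP", "LogonType": 3,
                      "IpAddress": "10.0.0.5"},
        "UserData": None,
    },
    {   # RDP session event: this provider keeps its fields under UserData, not EventData
        "System": {"Channel": "Microsoft-Windows-TerminalServices-"
                              "LocalSessionManager/Operational", "EventID": 21,
                   "TimeCreated": {"SystemTime": "2021-06-01T10:05:00Z"}},
        "EventData": None,
        "UserData": {"EventXML": {"User": "CORP\\alice", "SessionID": 2,
                                  "Address": "10.0.0.9"}},
    },
    {   # Security 4672: only the watched SID appears, not the account name
        "System": {"Channel": "Security", "EventID": 4672,
                   "TimeCreated": {"SystemTime": "2021-06-01T10:07:00Z"}},
        "EventData": {"SubjectUserSid": "S-1-5-21-BAD-SID",
                      "SubjectUserName": "svc_backup"},
        "UserData": None,
    },
]

# The same strings as the gist's yara rule, keyed by their rule identifiers.
WATCHLIST = {
    "$a": "CompromizedAccount1",
    "$c": "S-1-5-21-BAD-SID",
}


def compile_patterns(watchlist):
    """Emulate the rule's `wide nocase ascii` modifiers: each string is matched
    case-insensitively in both its ASCII and its UTF-16LE ("wide") encoding."""
    compiled = []
    for name, text in watchlist.items():
        forms = b"|".join(re.escape(text.encode(enc)) for enc in ("ascii", "utf-16-le"))
        compiled.append((name, re.compile(forms, re.IGNORECASE)))
    return compiled


def raw_event(event):
    """Mirror the artifact's format('%v %v', args=[EventData, UserData]): flatten
    both structures into one text blob so a single scan covers every field,
    whatever names the event provider chose for them."""
    parts = (json.dumps(event.get(key), default=str) for key in ("EventData", "UserData"))
    return " ".join(parts).encode("utf-8")


def scan_events(events, compiled):
    """Return one hit per (event, matching rule string), carrying what an analyst
    needs to pivot: the string that fired, channel, event ID and time, plus the
    original EventData and UserData."""
    hits = []
    for event in events:
        blob = raw_event(event)
        for name, pattern in compiled:
            match = pattern.search(blob)
            if match is None:
                continue
            matched = match.group(0)
            # A wide match interleaves NUL bytes; decode it back to readable text.
            hit_text = (matched.decode("utf-16-le") if b"\x00" in matched
                        else matched.decode("ascii"))
            hits.append({
                "Hit": hit_text,
                "Rule": name,
                "Channel": event["System"]["Channel"],
                "EventID": event["System"]["EventID"],
                "Time": event["System"]["TimeCreated"]["SystemTime"],
                "EventData": event.get("EventData"),
                "UserData": event.get("UserData"),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS, compile_patterns(WATCHLIST)):
        print(hit["Rule"], hit["Hit"], hit["Channel"], hit["EventID"], hit["Time"])
```

The flatten-then-scan step is what lets the artifact surface the account in providers that put their payload under UserData (as in the second constructed record) without knowing their field names in advance; a hit also carries the channel and event ID, which is the starting point for working out what that unknown log actually records. One caveat when tuning the rule: format() emits UTF-8 text, so against RawEvent it is the ascii modifier that matches; wide only fires if a scanned value itself carries UTF-16 bytes, which is why this example accepts UTF-16LE input as well.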