// Failed logons (EventID 4625) inside a fixed date window, oldest first.
// The three thresholds below are declared but not referenced in this part
// of the query; presumably the count / spacing / deviation logic that uses
// them follows further down — confirm against the full file.
let failed_threshold = 5;   // threshold for the time between consecutive failed logons (unit not stated here)
let failed_count = 2;       // threshold for how many times an account failed to log in
let stdev_threshold = 1;    // deviation threshold (not described in the original)
let start_time = startofday(datetime(2021-04-01));  // first day of the search window, inclusive
let end_time = endofday(datetime(2021-05-01));      // last day of the search window, inclusive
SecurityEvent
| where EventID == 4625 and TimeGenerated between (start_time .. end_time)
| project Account, TimeGenerated, Computer
| order by TimeGenerated asc, Account   // Account carries no direction keyword, so KQL's default (desc) applies
| //KQL query to search for any lolbins that were renamed to avoid detection and are running outside the default locations. | |
| //The list includes lolbins that normally live under c:\windows, c:\windows\syswow64 or c:\windows\system32. Lolbins that are normally installed under other directories are not included in this list. | |
| //Adjust the timeframe below accordingly | |
| let timeframe = 2d; | |
| let lolbins = dynamic(["advpack.dll","at.exe","atbroker.exe","bash.exe","bitsadmin.exe","Comsvcs.dll","devtoolslauncher.exe","diantz.exe","diskshadow.exe","dllhost.exe","Dnscmd.exe","dxcap.exe","Esentutl.exe","eventvwr.exe","expand.exe","explorer.exe","extrac32.exe","findstr.exe","forfiles.exe","ftp.exe","Gpscript.exe","hh.exe","Ie4uinit.exe","Ieadvpack.dll","ieframe.dll","Infdefaultinstall.exe","makecab.exe","manage-bde.exe","manage-bde.wsf","mavinject.exe","mmc.exe","msconfig.exe","msdt.exe","mshta.exe","Mshtml.dll","msiexec.exe","netsh.exe","ntdsutil.exe","odbcconf.exe","pcalua.exe","pcwrun.exe","Pcwutl.dll","pktmon.exe","pnputil.ex |
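// Sysmon EventID 10 (process access) whose target is lsass, paired with a
// Sysmon EventID 11 (file create) raised by the same source process — the
// shape used to spot a process reading LSASS memory and then writing a file
// (presumably a credential-dump detection; confirm with the query's owner).
//
// The output column names user_created_time / user_enabled_time are kept so
// existing consumers keep working, but they hold the process-access time and
// the file-create time respectively (they look copied from another query).
sysmon
| where EventID == 10
| where target_process_path contains "lsass"   // case-insensitive substring match; any path containing "lsass" qualifies
| extend process_id = tostring(process_id)
| project user_created_time = TimeGenerated, Computer, process_id, process_path, process_granted_access, target_process_path
// kind=inner: the default join (innerunique) keeps a single left-hand row per
// key, which would silently drop repeated lsass accesses by the same process.
| join kind=inner (
    sysmon
    | where EventID == 11
    | extend process_id = tostring(process_id)
    | project user_enabled_time = TimeGenerated, Computer, process_id, file_name
) on Computer, process_id
// Process IDs are only unique per host (and are reused over time), so Computer
// must be part of the join key; joining on process_id alone paired events from
// unrelated machines. Note this collapses the former Computer/Computer1 pair
// into one Computer column. PID reuse on the same host can still pair events
// far apart in time — a bound on user_enabled_time - user_created_time would
// tighten that further (not added here: the expected ordering/gap is not stated).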
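// Account creations (EventID 4720) and account-enable events (EventID 4722)
// from the last `timeframe`, prepared for correlation. The listing shown here
// ends at the `user_created` reference; the expression that correlates the two
// sets continues beyond it.
let timeframe = 7d;   // look-back window for both event sets
let user_created = SecurityEvent
    | where TimeGenerated >= ago(timeframe)
    | where EventID == 4720   // a user account was created
    | project user_created_time = TimeGenerated, Computer, Creator=SubjectAccount, TargetAccount;
let user_enabled = SecurityEvent
    | where TimeGenerated >= ago(timeframe)
    | where EventID == 4722   // a user account was enabled
    // TargetAccount is carried here as well: without it an enable event can only
    // be matched to a creation by Computer, pairing unrelated accounts on the same host.
    | project user_enabled_time = TimeGenerated, Computer, TargetAccount;
user_created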