Splunk dashboard for Windows Event Collection - Offensive PowerShell
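<!--
  Splunk Simple XML dashboard. Every panel runs one keyword search over
  PowerShell log events (index=windows, LogName matching *PowerShell*) for
  cmdlet/function names or Win32/.NET identifiers that the named offensive
  toolkits use, then groups hits by ComputerName. It is a triage view, not an
  alert: the description below says so, and several of the terms (for example
  Reflection.Assembly or System.Security.Cryptography in the last panel) occur
  in ordinary administrative scripts.

  Maintainer notes:
  - The rex patterns use named capture groups, whose "<" and ">" are markup in
    XML and must be written as &lt; / &gt; inside <query> text. Splunk's
    dashboard editor emits them that way; a copy pasted with a bare "<" is not
    well-formed XML and the dashboard will not load.
  - ComputerName, ParameterBinding_Out_Default_, op_user and Path are not
    extracted by these searches; they are assumed to come from the Windows
    add-on's search-time field extractions. Verify against the sourcetype
    before trusting the counts (an unextracted field silently yields empty
    columns or no rows, not an error).
  - Matching literal tool names only catches unmodified tooling; keep script
    block logging (Event ID 4104) enabled so the "Encoded Commands" panel and
    the keyword panels see the decoded script text, and never read an empty
    panel as "no activity".
  - The exclusions (MonitoringHost.exe, CCM\SystemTemp\*.ps1) suppress known
    agent noise. Each entry added to them is a blind spot; keep them as
    specific as possible and re-check them when those agents are upgraded.
-->
<form>
  <label>Windows Event Collection - Offensive PowerShell</label>
  <description>Detect Offensive PowerShell Attacks. Not every result is offensive; requires verification</description>
  <fieldset submitButton="false" autoRun="true">
    <!-- One time picker shared by every panel through $time.earliest$ / $time.latest$. -->
    <input type="time" token="time" searchWhenChanged="true">
      <label>Time Range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Encoded Commands</title>
      <!--
        Encoded invocations (-enc) grouped by the HostApplication value pulled
        from _raw, with the Microsoft Monitoring Agent's embedded host excluded.
        NOTE(review): confirm that TERM() honours the leading and trailing
        wildcards in *powershell* / *-enc* on this Splunk version; if it does
        not, this panel under-reports.
        NOTE(review): the double quotes inside the rex pattern are not
        backslash-escaped, which SPL normally requires within a quoted regex;
        confirm the panel returns rows before relying on it.
      -->
      <table>
        <search>
          <query>index=windows LogName=*PowerShell* (TERM(*powershell*) TERM(*-enc*))
            | rex field=_raw "HostApplication="(?&lt;op_hostapplication&gt;\w.+)""
            | search NOT (op_hostapplication="C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe -Embedding")
            | stats values(ComputerName) as computer, values(ParameterBinding_Out_Default_) as out_text, values(op_user) as user, count(op_hostapplication) as count by op_hostapplication
            | sort - count</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>PowerSploit</title>
      <!-- Function names across the PowerSploit modules (Recon, Privesc, Exfiltration, Persistence, CodeExecution). -->
      <table>
        <title>https://github.com/PowerShellMafia/PowerSploit</title>
        <search>
          <query>index=windows host=* LogName="*PowerShell*" (TERM(Add-NetUser)
            OR TERM(Add-ObjectAcl)
            OR TERM(Add-Persistence)
            OR TERM(Add-ServiceDacl)
            OR TERM(Convert-NameToSid)
            OR TERM(Convert-NT4toCanonical)
            OR TERM(Convert-SidToName)
            OR TERM(Copy-ClonedFile)
            OR TERM(Find-AVSignature)
            OR TERM(Find-ComputerField)
            OR TERM(Find-ForeignGroup)
            OR TERM(Find-ForeignUser)
            OR TERM(Find-GPOComputerAdmin)
            OR TERM(Find-GPOLocation)
            OR TERM(Find-InterestingFile)
            OR TERM(Find-LocalAdminAccess)
            OR TERM(Find-PathDLLHijack)
            OR TERM(Find-ProcessDLLHijack)
            OR TERM(Find-ManagedSecurityGroups)
            OR TERM(Find-UserField)
            OR TERM(Get-ADObject)
            OR TERM(Get-ApplicationHost)
            OR TERM(Get-CachedRDPConnection)
            OR TERM(Get-ComputerDetails)
            OR TERM(Get-ComputerProperty)
            OR TERM(Get-CurrentUserTokenGroupSid)
            OR TERM(Get-DFSshare)
            OR TERM(Get-DomainPolicy)
            OR TERM(Get-ExploitableSystem)
            OR TERM(Get-GPPPassword)
            OR TERM(Get-HttpStatus)
            OR TERM(Get-Keystrokes)
            OR TERM(Get-LastLoggedOn)
            OR TERM(Get-ModifiablePath)
            OR TERM(Get-ModifiableRegistryAutoRun)
            OR TERM(Get-ModifiableScheduledTaskFile)
            OR TERM(Get-ModifiableService)
            OR TERM(Get-ModifiableServiceFile)
            OR TERM(Get-NetComputer)
            OR TERM(Get-NetDomain)
            OR TERM(Get-NetDomainController)
            OR TERM(Get-NetDomainTrust)
            OR TERM(Get-NetFileServer)
            OR TERM(Get-NetForest)
            OR TERM(Get-NetForestCatalog)
            OR TERM(Get-NetForestDomain)
            OR TERM(Get-NetForestTrust)
            OR TERM(Get-NetGPO)
            OR TERM(Get-NetGPOGroup)
            OR TERM(Get-NetGroup)
            OR TERM(Get-NetGroupMember)
            OR TERM(Get-NetLocalGroup)
            OR TERM(Get-NetLoggedon)
            OR TERM(Get-NetOU)
            OR TERM(Get-NetProcess)
            OR TERM(Get-NetRDPSession)
            OR TERM(Get-NetSession)
            OR TERM(Get-NetShare)
            OR TERM(Get-NetSite)
            OR TERM(Get-NetSubnet)
            OR TERM(Get-NetUser)
            OR TERM(Get-ObjectAcl)
            OR TERM(Get-PathAcl)
            OR TERM(Get-Proxy)
            OR TERM(Get-RegistryAlwaysInstallElevated)
            OR TERM(Get-RegistryAutoLogon)
            OR TERM(Get-SecurityPackages)
            OR TERM(Get-ServiceDetail)
            OR TERM(Get-ServiceUnquoted)
            OR TERM(Get-SiteListPassword)
            OR TERM(Get-System)
            OR TERM(Get-TimedScreenshot)
            OR TERM(Get-UnattendedInstallFile)
            OR TERM(Get-UserEvent)
            OR TERM(Get-UserProperty)
            OR TERM(Get-VaultCredential)
            OR TERM(Get-VolumeShadowCopy)
            OR TERM(Get-Webconfig)
            OR TERM(Install-ServiceBinary)
            OR TERM(Install-SSP)
            OR TERM(Invoke-ACLScanner)
            OR TERM(Invoke-AllChecks)
            OR TERM(Invoke-CheckLocalAdminAccess)
            OR TERM(Invoke-CredentialInjection)
            OR TERM(Invoke-DllInjection)
            OR TERM(Invoke-EnumerateLocalAdmin)
            OR TERM(Invoke-EventHunter)
            OR TERM(Invoke-FileFinder)
            OR TERM(Invoke-MapDomainTrust)
            OR TERM(Invoke-Mimikatz)
            OR TERM(Invoke-NinjaCopy)
            OR TERM(Invoke-Portscan)
            OR TERM(Invoke-ProcessHunter)
            OR TERM(Invoke-ReflectivePEInjection)
            OR TERM(Invoke-ReverseDnsLookup)
            OR TERM(Invoke-ServiceAbuse)
            OR TERM(Invoke-ShareFinder)
            OR TERM(Invoke-Shellcode)
            OR TERM(Invoke-TokenManipulation)
            OR TERM(Invoke-UserHunter)
            OR TERM(Invoke-WmiCommand)
            OR TERM(Mount-VolumeShadowCopy)
            OR TERM(New-ElevatedPersistenceOption)
            OR TERM(New-UserPersistenceOption)
            OR TERM(New-VolumeShadowCopy)
            OR TERM(Out-CompressedDll)
            OR TERM(Out-EncodedCommand)
            OR TERM(Out-EncryptedScript)
            OR TERM(Out-Minidump)
            OR TERM(Remove-Comments)
            OR TERM(Remove-VolumeShadowCopy)
            OR TERM(Restore-ServiceBinary)
            OR TERM(Set-ADObject)
            OR TERM(Set-CriticalProcess)
            OR TERM(Set-MacAttribute)
            OR TERM(Set-MasterBootRecord)
            OR TERM(Set-ServiceBinPath)
            OR TERM(Test-ServiceDaclPermission)
            OR TERM(Write-HijackDll)
            OR TERM(Write-ServiceBinary)
            OR TERM(Write-UserAddMSI))
            | stats count by ComputerName
            | sort - count</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
      </table>
    </panel>
    <panel>
      <title>PowerView</title>
      <!--
        Subset of PowerView (the Recon module of PowerSploit); overlaps with the
        panel to the left by design so domain-enumeration activity stands out.
        NOTE(review): Get-MapDomainTrust here differs from Invoke-MapDomainTrust
        in the PowerSploit panel; confirm which spelling exists in the repo,
        otherwise that entry may never match.
      -->
      <table>
        <title>https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1</title>
        <search>
          <query>index=windows host=* LogName="*PowerShell*" (TERM(Get-NetUser)
            OR TERM(Get-NetGroup)
            OR TERM(Get-NetGroupMember)
            OR TERM(Get-NetLocalGroup)
            OR TERM(Get-NetSession)
            OR TERM(Invoke-UserHunter)
            OR TERM(Get-NetOU)
            OR TERM(Find-GPOLocation)
            OR TERM(Get-NetGPOGroup)
            OR TERM(Get-ObjectACL)
            OR TERM(Add-ObjectACL)
            OR TERM(Invoke-ACLScanner)
            OR TERM(Set-ADObject)
            OR TERM(Invoke-DowngradeAccount)
            OR TERM(Get-NetForest)
            OR TERM(Get-NetForestTrust)
            OR TERM(Get-NetForestDomain)
            OR TERM(Get-NetDomainTrust)
            OR TERM(Get-MapDomainTrust))
            | stats count by ComputerName
            | sort - count</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>PowerUp</title>
      <!-- PowerUp (the Privesc module of PowerSploit): local privilege-escalation checks. -->
      <table>
        <title>https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1</title>
        <search>
          <query>index=windows host=* LogName="*PowerShell*" (TERM(Get-ServiceUnquoted)
            OR TERM(Get-ServiceFilePermission)
            OR TERM(Get-ServicePermission)
            OR TERM(Invoke-ServiceAbuse)
            OR TERM(Install-ServiceBinary)
            OR TERM(Get-RegAutoLogon)
            OR TERM(Get-VulnAutoRun)
            OR TERM(Get-VulnSchTask)
            OR TERM(Get-UnattendedInstallFile)
            OR TERM(Get-WebConfig)
            OR TERM(Get-ApplicationHost)
            OR TERM(Get-RegAlwaysInstallElevated))
            | stats count by ComputerName
            | sort - count</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel>
      <title>Nishang</title>
      <!--
        Nishang function names.
        NOTE(review): Enabled-DuplicateToken looks like a typo for Nishang's
        Enable-DuplicateToken; confirm against the repo before changing it.
      -->
      <table>
        <title>https://github.com/samratashok/nishang</title>
        <search>
          <query>index=windows host=* LogName="*PowerShell*" (TERM(Get-Unconstrained)
            OR TERM(Add-RegBackdoor)
            OR TERM(Add-ScrnSaveBackdoor)
            OR TERM(Gupt-Backdoor)
            OR TERM(Invoke-ADSBackdoor)
            OR TERM(Enabled-DuplicateToken)
            OR TERM(Invoke-PsUaCme)
            OR TERM(Remove-Update)
            OR TERM(Check-VM)
            OR TERM(Copy-VSS)
            OR TERM(Get-Information)
            OR TERM(Get-LSASecret)
            OR TERM(Get-PassHashes)
            OR TERM(Invoke-Mimikatz)
            OR TERM(Show-TargetScreen)
            OR TERM(Port-Scan)
            OR TERM(Invoke-PoshRatHttp)
            OR TERM(Invoke-PowerShellTCP)
            OR TERM(Invoke-PowerShellWMI)
            OR TERM(Add-Exfiltration)
            OR TERM(Add-Persistence)
            OR TERM(Do-Exfiltration)
            OR TERM(Start-CaptureServer))
            | stats count by ComputerName
            | sort - count</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>PowerShell Empire</title>
      <!--
        Empire module names. Several entries (PowerUp, PowerView, Get-System,
        Invoke-Mimikatz) also appear in the panels above, so one event can be
        counted in more than one panel.
      -->
      <table>
        <title>https://github.com/EmpireProject/Empire</title>
        <search>
          <query>index=windows host=* LogName="*PowerShell*" (TERM(Invoke-DllInjection)
            OR TERM(Invoke-ReflectivePEInjection)
            OR TERM(Invoke-ShellCode)
            OR TERM(Get-ChromeDump)
            OR TERM(Get-ClipboardContents)
            OR TERM(Get-FoxDump)
            OR TERM(Get-IndexedItem)
            OR TERM(Get-Keystrokes)
            OR TERM(Get-Screenshot)
            OR TERM(Invoke-Inveigh)
            OR TERM(Invoke-NetRipper)
            OR TERM(Invoke-NinjaCopy)
            OR TERM(Out-Minidump)
            OR TERM(Invoke-EgressCheck)
            OR TERM(Invoke-PostExfil)
            OR TERM(Invoke-PSInject)
            OR TERM(Invoke-RunAs)
            OR TERM(MailRaider)
            OR TERM(New-HoneyHash)
            OR TERM(Set-MacAttribute)
            OR TERM(Get-VaultCredential)
            OR TERM(Invoke-DCSync)
            OR TERM(Invoke-Mimikatz)
            OR TERM(Invoke-PowerDump)
            OR TERM(Invoke-TokenManipulation)
            OR TERM(Exploit-Jboss)
            OR TERM(Invoke-ThunderStruck)
            OR TERM(Invoke-VoiceTroll)
            OR TERM(Set-Wallpaper)
            OR TERM(Invoke-InveighRelay)
            OR TERM(Invoke-PsExec)
            OR TERM(Invoke-SSHCommand)
            OR TERM(Get-SecurityPackages)
            OR TERM(Install-SSP)
            OR TERM(Invoke-BackdoorLNK)
            OR TERM(PowerBreach)
            OR TERM(Get-GPPPassword)
            OR TERM(Get-SiteListPassword)
            OR TERM(Get-System)
            OR TERM(Invoke-BypassUAC)
            OR TERM(Invoke-Tater)
            OR TERM(Invoke-WScriptBypassUAC)
            OR TERM(PowerUp)
            OR TERM(PowerView)
            OR TERM(Get-RickAstley)
            OR TERM(Find-Fruit)
            OR TERM(HTTP-Login)
            OR TERM(Find-TrustedDocuments)
            OR TERM(Get-ComputerDetails)
            OR TERM(Get-SystemDNSServer)
            OR TERM(Invoke-Paranoia)
            OR TERM(Invoke-WinEnum)
            OR TERM(Get-SPN)
            OR TERM(Invoke-ARPScan)
            OR TERM(Invoke-PortScan)
            OR TERM(Invoke-ReverseDNSLookup)
            OR TERM(Invoke-SMBScanner))
            | stats count by ComputerName
            | sort - count</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel>
      <title>Libraries or Access Rights</title>
      <!--
        Win32 API names, token-privilege constants and .NET interop identifiers
        that in-memory tooling tends to reference directly. This is the noisiest
        panel: Reflection.Assembly, Runtime.InteropServices and
        System.Security.Cryptography are common in legitimate scripts, which is
        why events with no ScriptName and the SCCM client's temporary scripts
        (CCM\SystemTemp\*.ps1) are filtered out. Cell drilldown is enabled so a
        count can be opened on the underlying events for verification.
        NOTE(review): as in the first panel, the quotes inside the rex pattern
        are not backslash-escaped; confirm the search parses.
      -->
      <table>
        <search>
          <query>index=windows host=* LogName="*PowerShell*" (TERM(AdjustTokenPrivileges)
            OR TERM(IMAGE_NT_OPTIONAL_HDR64_MAGIC)
            OR TERM(Management.Automation.RuntimeException)
            OR TERM(Microsoft.Win32.UnsafeNativeMethods)
            OR TERM(ReadProcessMemory.Invoke)
            OR TERM(Runtime.InteropServices)
            OR TERM(SE_PRIVILEGE_ENABLED)
            OR TERM(System.Security.Cryptography)
            OR TERM(System.Reflection.AssemblyName)
            OR TERM(System.Runtime.InteropServices)
            OR TERM(LSA_UNICODE_STRING)
            OR TERM(MiniDumpWriteDump)
            OR TERM(PAGE_EXECUTE_READ)
            OR TERM(Net.Sockets.SocketFlags)
            OR TERM(Reflection.Assembly)
            OR TERM(SECURITY_DELEGATION)
            OR TERM(TOKEN_ADJUST_PRIVILEGES)
            OR TERM(TOKEN_ALL_ACCESS)
            OR TERM(TOKEN_ASSIGN_PRIMARY)
            OR TERM(TOKEN_DUPLICATE)
            OR TERM(TOKEN_ELEVATION)
            OR TERM(TOKEN_IMPERSONATE)
            OR TERM(TOKEN_INFORMATION_CLASS)
            OR TERM(TOKEN_PRIVILEGES)
            OR TERM(TOKEN_QUERY)
            OR TERM(Metasploit)
            OR TERM(Advapi32.dll)
            OR TERM(kernel32.dll)
            OR TERM(msvcrt.dll)
            OR TERM(ntdll.dll)
            OR TERM(secur32.dll)
            OR TERM(user32.dll))
            | rex field=_raw "ScriptName="(?&lt;op_scriptname&gt;\w.+)""
            | search NOT (op_scriptname=""
            OR Path="C:\\WINDOWS\\CCM\\SystemTemp\\*-*-*-*-*.ps1")
            | stats count by ComputerName
            | sort - count</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="drilldown">cell</option>
      </table>
    </panel>
  </row>
</form>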