This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "3c08b569-801f-4158-b17b-e363d6ae696a": "ms-TS-Endpoint-Plugin", | |
| "281416e2-1968-11d0-a28f-00aa003049e2": "Type-Library", | |
| "bf967a86-0de6-11d0-a285-00aa003049e2": "Computer", | |
| "50c8673a-8f56-4614-9308-9e1340fb9af3": "ms-WMI-Genus", | |
| "9a0dc32d-c100-11d1-bbc5-0080c76670c0": "MSMQ-Service-Type", | |
| "bf967aa8-0de6-11d0-a285-00aa003049e2": "Print-Queue", | |
| "4c51e316-f628-43a5-b06b-ffb695fcb4f3": "ms-DS-SD-Reference-Domain", | |
| "9c1495a5-4d76-468e-991e-1433b0a67855": "ms-net-ieee-80211-GP-PolicyData", | |
| "f0722311-aef5-11d1-bdcf-0000f80367c1": "ACS-Max-Size-Of-RSVP-Account-File", |
0xffhh
/ msobjs_message_table.txt
Created
October 27, 2022 12:36
— forked from brianreitz/msobjs_message_table.txt
msobjs.dll Message Table by MessageID
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| %%279 : Undefined Access (no effect) Bit 7 | |
| %%1536 : Unused message ID | |
| %%1537 : DELETE | |
| %%1538 : READ_CONTROL | |
| %%1539 : WRITE_DAC | |
| %%1540 : WRITE_OWNER | |
| %%1541 : SYNCHRONIZE | |
| %%1542 : ACCESS_SYS_SEC | |
| %%1543 : MAX_ALLOWED | |
| %%1552 : Unknown specific access (bit 0) |
0xffhh
/ ADCS detections
Last active
June 23, 2021 20:47
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SecurityEvent | |
| | where TimeGenerated >= ago(14d) | |
| | where EventID == 4768 | |
| | project TimeGenerated, Computer, TargetAccount, EventData=parse_xml(EventData) | |
| | mv-apply d=EventData.EventData.Data on | |
| ( | |
| where d["@Name"]=="CertIssuerName" | |
| | project CIN=tostring(d["#text"]) | |
| ) | |
| | where not(isempty(CIN)) |
0xffhh
/ randomrules
Last active
June 21, 2021 09:11
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| DeviceFileEvents | |
| | where ActionType == "FileCreated" or ActionType == "FileModified" | |
| | where FileName endswith ".hta" | |
| | where InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "iexplore.exe", "firefox.exe", "outlook.exe") | |
| | where FileName != "<SNIP>" | |
| DeviceProcessEvents | |
| | where InitiatingProcessFileName == "mshta.exe" | |
| | where not(InitiatingProcessCommandLine contains "<SNIP>") | |
| | where not(InitiatingProcessCommandLine contains "<SNIP>") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| let timeframe=7d; | |
| let lolbins = dynamic(["at.exe", "atbroker.exe", "bash.exe", "bitsadmin.exe", "certreq.exe", "certutil.exe", "cmd.exe", "cmdkey.exe", "cmstp.exe", "control.exe", "csc.exe", "cscript.exe", "desktopimgdownldr.exe", "dfsvc.exe", "diantz.exe", "diskshadow.exe", "dnscmd.exe", "esentutl.exe", "eventvwr.exe", "expand.exe", "extexport.exe", "extrac32.exe", "findstr.exe", "forfiles.exe", "ftp.exe", "gfxdownloadwrapper.exe", "gpscript.exe", "hh.exe", "ie4uinit.exe", "ieexec.exe", "ilasm.exe", "infdefaultinstall.exe", "installutil.exe", "jsc.exe", "makecab.exe", "mavinject.exe", "microsoft.workflow.compiler.exe", "mmc.exe", "mpcmdrun.exe", "msbuild.exe", "msconfig.exe", "msdt.exe", "mshta.exe", "msiexec.exe", "netsh.exe", "odbcconf.exe", "pcalua.exe", "pcwrun.exe", "pktmon.exe", "presentationhost.exe", "print.exe", "psr.exe", "rasautou.exe", "reg.exe", "regasm.exe", "regedit.exe", "regini.exe", "register-cimprovider.exe", "regsvcs.exe", "regsvr32.exe", "replace.exe", "rpcping.exe", "rundll32.exe", "run |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| List is based on the documentation provided on https://docs.microsoft.com/en-us/graph/permissions-reference as of 15-02-2021 | |
| AccessReview.Read.All | |
| AccessReview.ReadWrite.All | |
| AccessReview.ReadWrite.Membership | |
| AdministrativeUnit.Read.All | |
| AdministrativeUnit.ReadWrite.All | |
| Agreement.Read.All | |
| Agreement.ReadWrite.All | |
| AgreementAcceptance.Read |
0xffhh
/ MS-Teams RCE detection
Created
December 8, 2020 16:18
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| let allowedProcs = dynamic(["teams.exe", "msedge.exe", "onenote.exe", "firefox.exe", "protocolhandler.exe", "werfault.exe", | |
| "OneDrive.exe", "winproj.exe", "chrome.exe", "mspub.exe", "outlook.exe", "iexplore.exe", "winword.exe", "excel.exe", "7zG.exe", | |
| "7zFM.exe", "AcroRd32.exe", "crashpad_handler.exe", "mspaint.exe", "notepad.exe", "PBIDesktop.exe", "Powerpnt.exe", "wermgr.exe", "visio.exe"]); | |
| DeviceProcessEvents | |
| | where InitiatingProcessFileName =~ "teams.exe" | |
| | where not(FileName in~ (allowedProcs)) | |
| | where not(FolderPath matches regex @"[C-Z]:\\Users\\(\w|[\.\-\s])+\\AppData\\Local\\Microsoft\\Teams\\Update.exe") and | |
| not(FolderPath matches regex @"[C-Z]:\\Users\\(\w|[\.\-\s])+\\AppData\\Local\\SquirrelTemp\\Update.exe") and | |
| not(FolderPath matches regex @"[C-E]:\\ProgramData\\(\w+|[\.\-\s])\\SquirrelTemp\\Update\.exe") and //assuming ProgramData is on C, D or E | |
| not(FolderPath matches regex @"[C-E]:\\ProgramData\\(\w+|[\.\-\s])\\Microsoft\\Teams\\Update\.exe")//assuming ProgramDat |
0xffhh
/ CredGuard_PoC
Created
December 4, 2020 15:56
— forked from N4kedTurtle/CredGuard_PoC
PoC for enabling wdigest to bypass credential guard
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #define _CRT_SECURE_NO_WARNINGS | |
| #include <Windows.h> | |
| #include <Psapi.h> | |
| #include <TlHelp32.h> | |
| #include <iostream> | |
| DWORD GetLsassPid() { | |
| PROCESSENTRY32 entry; | |
| entry.dwSize = sizeof(PROCESSENTRY32); |
0xffhh
/ allhashes.csv
Created
October 13, 2020 11:42
We can't make this file beautiful and searchable because it's too large.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| FileName, SHA1 | |
| sshsession.exe,27b5c1f766f7fd8db9450464297655784c09897d | |
| sshsession.exe,8a86daa4d717ea78fedd7fb577b807222e74e01e | |
| sshsession.exe,4fe568ce6bd281e9322fc35aaea870c144b401fd | |
| sshsession.exe,ad4c83a0fd4e3d2abf9cd39afda499dfbdae5d3e | |
| sshsession.exe,27b7d5b86efae0ac345a92d6911b0866f073b795 | |
| sshsession.exe,dc5abad427b04d42f62bbf81bfd89dfd49cbbbb0 | |
| sshsession.exe,42d48d75c16992d96e5e536b739974caa25d4631 | |
| sshsession.exe,d2e668ee7b97f8ad3d0d9c339791ec55a916ac90 | |
| sshsession.exe,d8d3682bf987b5fed5a2cefefcf6210695b3845d |
0xffhh
/ LAPSPasswordQueried-improved.kql
Created
October 6, 2020 08:01
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| let allLAPSAdminHashes = DeviceProcessEvents | |
| | where FileName =~ "admpwd.ui.exe" | |
| | summarize by SHA1 | |
| | invoke FileProfile(SHA1, 100) | |
| | where IsRootSignerMicrosoft and IsCertificateValid | |
| | project SHA1; | |
| DeviceEvents | |
| | where ActionType == "LdapSearch" | |
| | where AdditionalFields has "ms-MCS-AdmPwd" | |
| | where InitiatingProcessSHA1 !in (allLAPSAdminHashes) |
NewerOlder