Samirbous
Samirbous
/ ES|QL Scheduled Tasks based64 decoded actions
Created
June 25, 2024 22:00
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // hunting on scheduled task via registry.data.bytes | |
| from logs-endpoint.events.registry-* | |
| | where host.os.type == "windows" and event.category == "registry" and event.action == "modification" and | |
| registry.path like """HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*Actions*""" | |
| | eval scheduled_task_action = replace(TO_LOWER(FROM_BASE64(registry.data.bytes)), """\u0000""", "") | |
| | eval scheduled_task_action = replace(scheduled_task_action, """(\u0003\fauthorfff|\u0003\fauthorff\u000e)""", "") | |
| | where scheduled_task_action rlike """.*(users\\public\\|\\appdata\\roaming|programdata|powershell|rundll32|regsvr32|mshta.exe|cscript.exe|wscript.exe|cmd.exe|forfiles|msiexec).*""" and not scheduled_task_action like "localsystem*" | |
| | keep scheduled_task_action, registry.path, agent.id | |
| | stats count_agents = count_distinct(agent.id) by scheduled_task_action | where count_agents == 1 |
Samirbous
/ Detonate Dataset
Last active
March 8, 2024 11:27
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 98faaafd3b450d836415eff09da56591fe31c54b4a668498416537262f2cd4c6 | |
| d5760da745c915753a1364a3d9762e75b503192327473bb3bda85282a532f4bc | |
| ae67088e35d84034a56217bffe9aa3f830ea745b521432a6406106f446cfcee2 | |
| c382b67f4330082877b179fa1d7178cb8261f7519b2bf46965e6cabcd4c943b4 | |
| c7fb77d22e1d937220cc3a7527dd9eb6f5b663da81c830c67f1ba892a868ca27 | |
| 68864134a67842ac2f863dfd92ec6ad6567571a436663b0bceda9e2ef0222de2 | |
| e8cbafcf196bb80ccb2249e8f6a18c02d8d67926a298165592c4ec742851749f | |
| f67dd838b2a5fbb4739bd30ca721240f99f2f66e49c352aa600f2d443004c787 | |
| 159dc9de2d297a560eda6f1a1b861d4fe52a285aa475137fc32688ccde8de7e5 | |
| f900d5bebd2241a0f1bf969c7c2ece6b6f53440d97ee3ddcd19566866a2dca18 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "process": { | |
| "args": [ | |
| "rundll32.exe", | |
| "C:\\WINDOWS\\system32\\davclnt.dll,DavSetCookie", | |
| "brukjanesis.com@80", | |
| "http://brukjanesis.com/TrdGallery/ResultTrd.bmp.url" | |
| ], | |
Samirbous
/ gist:b52ba47bd1d51294c9c16d93fe68549d
Created
November 18, 2023 15:30
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| get-date |
Samirbous
/ gist:4ae52f63c28df262b3edc4d7c89bbe67
Created
November 12, 2023 12:13
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // requires 4688 - process creation audit to be enabled | |
| // EQL query | |
| process where event.action == "created-process" and | |
| not startswith~(winlog.event_data.TargetUserSid, winlog.event_data.SubjectUserSid) and | |
| winlog.event_data.TargetUserSid : "S-1-5-21-*" and not winlog.event_data.TargetUserSid: "S-1-0-0" and | |
| not process.parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\Windows\\System32\\svchost.exe", "?:\\Windows\\System32\\runtimebroker.exe") | |
| // ES|QL query - frequency based - 1 host with a unique parent and child proc running as different user identities | |
Samirbous
/ ES|QL Masquerading as MS Native DLL
Created
November 9, 2023 18:55
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // DLLs normally located in system32 but unsigned and loaded from elsewhere | |
| // https://www.elastic.co/guide/en/elasticsearch/reference/master/esql-enrich-data.html | |
| // example ENRICH libs-policy creation steps | |
| https://gist.github.com/Samirbous/9f9c3237a0ada745e71cc2ba3425311c | |
| ES|QL query: | |
| from .ds-logs-endpoint.events.library-* | |
| | where event.action == "load" and process.code_signature.status == "trusted" and dll.code_signature.status != "trusted" and |
Samirbous
/ ES|QL Native DLL Hijack
Created
November 9, 2023 18:47
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // DLLs normally located in system32 but unsigned and loaded from elsewhere | |
| // https://www.elastic.co/guide/en/elasticsearch/reference/master/esql-enrich-data.html | |
| // example ENRICH libs-policy creation steps | |
| https://gist.github.com/Samirbous/9f9c3237a0ada745e71cc2ba3425311c |
Samirbous
/ gist:9f9c3237a0ada745e71cc2ba3425311c
Created
November 8, 2023 13:43
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // create source index and define types | |
| PUT /libs | |
| { | |
| "mappings": { | |
| "properties": { | |
| "dll": { | |
| "properties": { | |
| "name": { | |
| "type": "text", | |
| "fields": { |
Samirbous
/ gist:81b40ff073ce4bf5d3c6ce558a9d0106
Created
November 7, 2023 20:05
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| PUT /native_dll1_index | |
| { | |
| "mappings": { | |
| "properties": { | |
| "dll": { | |
| "properties": { | |
| "name": { | |
| "type": "text", | |
| "fields": { | |
| "keyword": { |
Samirbous
/ ms native dll hijack ernich policy
Created
November 7, 2023 10:49
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| PUT /libs/_doc/1?refresh=wait_for | |
| { | |
| "dll.name": [ | |
| "aadauthhelper.dll", | |
| "aadcloudap.dll", | |
| "aadjcsp.dll", | |
| "aadtb.dll", | |
| "aadwamextension.dll", | |
| "aarsvc.dll", | |
| "abovelockapphost.dll", |
NewerOlder