Samirbous
Samirbous
/ EQL - Exec pwd protected zip
Created
May 8, 2022 19:36
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence by host.id with maxspan=1m | |
| [any where event.code : "5379" and winlog.event_data.TargetName : "Microsoft_Windows_Shell_ZipFolder*"] | |
| [process where event.action == "start" and process.executable : "?:\\Users\\*\\Appdata\\Local\\Temp\\Temp?_*" and process.parent.name : "explorer.exe"] |
Samirbous
/ KrbRelayUp EQL Winlog
Created
April 26, 2022 16:23
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence by host.id with maxspan=5m | |
| [authentication where | |
| /* event 4624 need to be logged */ | |
| event.action == "logged-in" and event.outcome == "success" and | |
| /* authenticate locally using relayed kerberos TGS */ | |
| winlog.event_data.AuthenticationPackageName :"Kerberos" and winlog.logon.type == "Network" and | |
| source.ip == "127.0.0.1" and source.port > 0 and |
Samirbous
/ sysmon PROCESS_TERMINATE sequence
Created
April 14, 2022 22:18
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence by host.id with maxspan=5s | |
| [process where event.code : "10" and winlog.event_data.GrantedAccess:"0x1"] by winlog.event_data.TargetProcessGUID | |
| [process where event.code : "5" /* you can add process.name : ("seecurity-proc1", "security-proc2") */] by process.entity_id |
Samirbous
/ SeDebug_ProcessAccess_EQL
Created
April 8, 2022 21:39
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence by host.id with maxspan=5s | |
| [any where event.code : "4703" and winlog.event_data.EnabledPrivilegeList:"SeDebugPrivilege"] by winlog.event_data.ProcessName | |
| [process where event.code : "10" and not process.name in ("Procmon64.exe", "procexp64.exe")] by process.executable |
Samirbous
/ NtUserGetWindowProcessHandle
Created
April 7, 2022 18:08
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| process where event.code : "10" and not process.executable : "?:\\Windows\\Explorer.exe" and | |
| winlog.event_data.CallTrace : "?:\\WINDOWS\\System32\\win32u.dll*" and not winlog.event_data.GrantedAccess : ("0x*00", "0x*10", "0x*01") |
Samirbous
/ gist:bce42125fb2fba95d676941e7808ecaf
Created
April 6, 2022 14:31
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence by host.id, process.entity_id with maxspan=1s | |
| [process where event.code : "10" and process.name : "sihost.exe" and | |
| winlog.event_data.CallTrace : "*CoreShellExtFramework*" and winlog.event_data.GrantedAccess : "0x40"] | |
| [process where event.code : "10" and process.name : "sihost.exe" and | |
| not winlog.event_data.GrantedAccess : ("0x*00", "0x1010", "0x1410", "0x40")] |
Samirbous
/ process started via seclogon
Created
January 4, 2022 14:27
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| event.code:4688 and winlog.event_data.TargetUserSid :"S-1-0-0" and not winlog.event_data.TargetUserName:*$ and | |
| not winlog.event_data.TargetUserName:- and not winlog.event_data.TargetUserName:"defaultuser100000" and | |
| not winlog.event_data.TargetUserName : ("LOCAL SERVICE" or "NETWORK SERVICE") and | |
| not winlog.event_data.TargetDomainName : ("NT Service" or "Font Driver Host") |
Samirbous
/ log4j-auditd-log-example
Created
December 13, 2021 08:37
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| type=PROCTITLE msg=audit(12/13/2021 01:49:50.838:66) : proctitle=/bin/bash | |
| type=PATH msg=audit(12/13/2021 01:49:50.838:66) : item=2 name=/lib64/ld-linux-x86-64.so.2 inode=4194344 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 | |
| type=PATH msg=audit(12/13/2021 01:49:50.838:66) : item=1 name=/usr/bin/clear inode=4194578 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 | |
| type=PATH msg=audit(12/13/2021 01:49:50.838:66) : item=0 name=/usr/bin/clear inode=4194578 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 | |
| type=CWD msg=audit(12/13/2021 01:49:50.838:66) : cwd=/home/kali | |
| type=EXECVE msg=audit(12/13/2021 01:49:50.838:66) : argc=1 a0=clear | |
| type=SYSCALL msg=audit(12/13/2021 01:49:50.838:66) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x5613225618a0 a1=0x56132257a310 a2= |
Samirbous
/ EQL hunt for Potential Macro on close
Created
November 16, 2021 14:21
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence by host.id with maxspan=1s | |
| [process where event.action : "creation_event" and | |
| process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe") and | |
| not (process.executable : ("?:\\Windows\\System32\\WerFault.exe", "?:\\WINDOWS\\splwow64.exe") and | |
| process.args_count >= 2) | |
| ] by process.parent.entity_id | |
| [process where event.action : "termination_event" and | |
| process.name : ("winword.exe", "excel.exe", "powerpnt.exe") and | |
| process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "explorer.exe", "outlook.exe", "thunderbird.exe") | |
| ] by process.entity_id |
Samirbous
/ detect xpertrat behavior
Created
October 26, 2021 16:59
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| process where event.action : "start" and | |
| process.executable : "?:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" and | |
| process.args_count <= 2 and process.args_count > 1 and | |
| not process.args : "?:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" |