Created
July 10, 2023 17:03
-
-
Save cbecks2/19f2c8a773e78f2b757ca203173ae823 to your computer and use it in GitHub Desktop.
Crowdstrike Browser Downloaded Archive Executions
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ```This search looks at an archive embedded .lnk file being launched directly from the Browser Tray. This happens if a user opens something from a drive by or HTML Smuggle``` | |
| ```Create a similar search for other common initial access filetypes like js, cmd, bat, vbs, msi, exe, scr, xll, etc. You will need to remove LinkName below.``` | |
| index=your_fdr_index event_platform=Win (event_simpleName=ProcessRollup2) | |
| (LinkName="*\\AppData\\Local\\Temp\\Temp1_*.zip\\*.lnk" OR | |
| LinkName="*\\AppData\\Local\\Temp\\Temp1_*.rar\\*.lnk" OR | |
| LinkName="*\\AppData\\Local\\Temp\\Rar$*\\*.lnk" OR | |
| LinkName="*\\AppData\\Local\\Temp\\Temp1_*.iso\\*.lnk" OR | |
| LinkName="*\\AppData\\Local\\Temp\\Temp1_*.vhd\\*.lnk" OR | |
| LinkName="*\\AppData\\Local\\Temp\\Temp1_*.vhdx\\*.lnk" OR | |
| LinkName="*\\AppData\\Local\\Temp\\Temp1_*.7z\\*.lnk" OR | |
| LinkName="*\\AppData\\Local\\Temp\\Temp1_*.img\\*.lnk" OR | |
| LinkName="*\\AppData\\Local\\Temp\\7z*\\*.lnk") | |
| NOT ParentBaseFileName IN ("exclusions here") | |
| | eval ShowWindowFlags=case(ShowWindowFlags==0, "SW_HIDE", ShowWindowFlags==1, "SW_SHOWNORMAL", ShowWindowFlags==2, "SW_SHOWMINIMIZED", ShowWindowFlags==3, "SW_SHOWMAXIMIZED", ShowWindowFlags==4, "SW_SHOWNOACTIVATE", ShowWindowFlags==5, "SW_SHOW", ShowWindowFlags==6, "SW_MINIMIZE", ShowWindowFlags==7, "SW_SHOWMINNOACTIVE", ShowWindowFlags==8, "SW_SHOWNA", ShowWindowFlags==9, "SW_RESTORE", ShowWindowFlags==10, "SW_SHOWDEFAULT", ShowWindowFlags==11, "SW_FORCEMINIMIZE", 1=1, ShowWindowFlags) | |
| ~ user enrichment here ~ | |
| ~ asset enrichment here~ | |
| | rename aid as dest | |
| | eval mitre_technique=mvappend("T1204","T1204.002") | |
| | stats earliest(_time) AS _time values(user) AS user values(email) AS email values(dest_ip) AS dest_ip values(CommandLine) AS CommandLine values(mitre_technique) as mitre_technique count by index dest_host dest ParentBaseFileName LinkName ShowWindowFlags ImageFileName sid | |
| | table _time index dest_host dest_ip dest user sid email ParentBaseFileName LinkName ShowWindowFlags ImageFileName CommandLine mitre_technique |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment