seajaysec

Cypher Queries

Cypher Queries can be entered into the neo4j console, accessible at http://localhost:7474. These often return text-based content. There's a max of 1000 displayed rows within the console, however each query result can be downloaded as a CSV for more in depth analysis. When pasting, replace all instances of "EXAMPLE.COM" with the domain name that you are operating on. These are from a wide range of sources. A lot of them came or were inspired by discussions on the Bloodhound Slack.

Basic

Generate list of all operating systems

MATCH (c:Computer)

ChrisYounger

# the output from running "/opt/splunk/bin/splunk btool searchbnf list" on a fairly default Splunk 7.2 instance

[abstract-command]
alias = excerpt
appears-in = 3.0
category = formatting
commentcheat = Show a summary of up to 5 lines for each search result.
description = Produce an abstract -- a summary or brief representation -- of the text of search results.  The original text is replaced by the summary, which is produced by a scoring mechanism.  If the event is larger than the selected maxlines, those with more terms and more terms on adjacent lines are preferred over those with fewer terms.  If a line has a search term, its neighboring lines also partially match, and may be returned to provide context. When there are gaps between the selected lines, lines are prefixed with "...". \p\
            If the text of a result has fewer lines or an equal number of lines to maxlines, no change will occur.\i\
            * <maxlines> accepts values from 1 - 500. \i\

GossiTheDog

//Invoke-WebRequest in Powershell - manually whitelist legit content first: 
Mozilla/*WindowsPowerShell/*

System.Net.WebClient.DownloadFile():
None

//Start-BitsTransfer - manually whitelist legit content first:
Microsoft BITS/*

//certutil.exe - manually whitelist legit content first: 

olafhartong

function Get-InjectedThread
{
    <# 
    
    .SYNOPSIS 
    
    Looks for threads that were created as a result of code injection.
    
    .DESCRIPTION
    

Cyb3rWard0g

CREATE STREAM WINLOGBEAT_STREAM (source_name VARCHAR, type VARCHAR, task VARCHAR, log_name VARCHAR, computer_name VARCHAR, event_data STRUCT< UtcTime VARCHAR, ProcessGuid VARCHAR, ProcessId INTEGER, Image VARCHAR, FileVersion VARCHAR, Description VARCHAR, Product VARCHAR, Company VARCHAR, CommandLine VARCHAR, CurrentDirectory VARCHAR, User VARCHAR, LogonGuid VARCHAR, LogonId VARCHAR, TerminalSessionId INTEGER, IntegrityLevel VARCHAR, Hashes VARCHAR, ParentProcessGuid VARCHAR, ParentProcessId INTEGER, ParentImage VARCHAR, ParentCommandLine VARCHAR, Protocol VARCHAR, Initiated VARCHAR, SourceIsIpv6 VARCHAR, SourceIp VARCHAR, SourceHostname VARCHAR, SourcePort INTEGER, SourcePortName VARCHAR, DestinationIsIpv6 VARCHAR, DestinationIp VARCHAR, DestinationHostname VARCHAR, DestinationPort INTEGER, DestinationPortName VARCHAR>, event_id INTEGER) WITH (KAFKA_TOPIC='winlogbeat', VALUE_FORMAT='JSON');

CREATE STREAM WINLOGBEAT_STREAM_REKEY WITH (VALUE_FORMAT='JSON', PARTITIONS=1, TIMESTAMP='event_date_creation') AS SEL

ion-storm

FreeNAS

Here are straight-forward instructions to setting up a bunch of different software on FreeNAS. If you make a terrible error, just throw up another plugin sandbox and repeat.

ToC

• LEMP Server - FreeBSD, Nginx, MariaDB & PHP FastCGI (FMP)
• Couch Potato
• nzbget
• Sonarr

mattifestation

logman --% start dotNetTrace -p Microsoft-Windows-DotNETRuntime (JitKeyword,NGenKeyword,InteropKeyword,LoaderKeyword) win:Informational -o dotNetTrace.etl -ets

# Do your evil .NET thing now. In this example, I executed the Microsoft.Workflow.Compiler.exe bypass

# logman stop dotNetTrace -ets

# This is the process ID of the process I want to capture. In this case, Microsoft.Workflow.Compiler.exe
# I got the process ID by running a procmon trace
$TargetProcessId = 8256

olafhartong

<DataCollectorSet><Status>0</Status><Duration>0</Duration><Description/><DescriptionUnresolved/><DisplayName/><DisplayNameUnresolved/><SchedulesEnabled>-1</SchedulesEnabled><LatestOutputLocation>C:\temp\</LatestOutputLocation><Name>sysmon</Name><OutputLocation>D:\temp\</OutputLocation><RootPath>D:\temp</RootPath><Segment>0</Segment><SegmentMaxDuration>0</SegmentMaxDuration><SegmentMaxSize>0</SegmentMaxSize><SerialNumber>7</SerialNumber><Server/><Subdirectory/><SubdirectoryFormat>1</SubdirectoryFormat><SubdirectoryFormatPattern/><Task/><TaskRunAsSelf>0</TaskRunAsSelf><TaskArguments/><TaskUserTextArguments/><UserAccount>SYSTEM</UserAccount><Security>O:BAG:DUD:AI(A;;FA;;;SY)(A;;FA;;;BA)(A;;FR;;;LU)(A;;0x1301ff;;;S-1-5-80-2661322625-712705077-2999183737-3043590567-590698655)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200ab;;;LU)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)</Security><StopOnCompletion>0</StopOnCompletion><PerformanceCounterDataCollector><DataCollectorType>0</DataCollectorType><Name>System Monitor Log</Name>

countercept

import time
import etw
import etw.evntrace
import sys
import argparse
import threading


class RundownDotNetETW(etw.ETW):
    def __init__(self, verbose, high_risk_only):

MHaggis

Source: https://www.splunk.com/blog/2017/11/03/you-can-t-hyde-from-dr-levenshtein-when-you-use-url-toolbox.html
Data type required: Carbon Black Response, CrowdStrike Falcon

`cb` process_path=*\\users\\*
| `ut_shannon(process_path)`
| where ut_shannon > 4.5
| stats values(ut_shannon)  as "Shannon Entropy Score" by process_path, computer_name
| rename process_path as Process, computer_name as Endpoint

sourcetype="crowdstrike:falconhost:json" ImageFileName=*\\users\\*