What users are logging into machines?
Windows.Sys.AllUsers
SELECT Name, UUID, Mtime, count()
FROM source(artifact="Windows.Sys.AllUsers")
WHERE Name
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Generic.Search.PDF | |
| description: | | |
| This artifact searches PDF files for a keyword. | |
| parameters: | |
| - name: PDFGlob | |
| default: /tmp/*.pdf | |
| description: A glob to find PDF files | |
| - name: YaraRule | |
| type: yara |
scudette
/ disk_remapping.yaml
Created
August 24, 2022 04:06
A Sample remapping configuration for raw disk access.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| remappings: | |
| - type: permissions | |
| permissions: | |
| - COLLECT_CLIENT | |
| - FILESYSTEM_READ | |
| - FILESYSTEM_WRITE | |
| - READ_RESULTS | |
| - MACHINE_STATE | |
| - SERVER_ADMIN | |
| - type: impersonation |
scudette
/ extended_attributes.ps1
Created
May 9, 2022 00:42
— forked from mgreen27/00_ntfs.ps1
Auscert 2022 NTFS Exercise setup
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### Extended Attribute | |
| # 1. Download https://github.com/jschicht/EaTools to C:\PerfLogs (this step was run previously if you ran our setup script) | |
| https://github.com/jschicht/EaTools/raw/master/EaInject64.exe | |
| https://github.com/jschicht/EaTools/raw/master/EaQuery64.exe | |
| # 2. Add EA to file | |
| copy C:\Windows\System32\calc.exe C:\PerfLogs\calc.exe | |
| C:\PerfLogs\EaInject64.exe /Payload:C:\PerfLogs\calc.exe /Container:C:\PerfLogs\just_a_file.txt /Mode:0 /Identifier:NOTHINGTOSEEHERE |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### Extended Attribute | |
| # 1. Download https://github.com/jschicht/EaTools to C:\PerfLogs (this step was run previously if you ran our setup script) | |
| https://github.com/jschicht/EaTools/raw/master/EaInject64.exe | |
| https://github.com/jschicht/EaTools/raw/master/EaQuery64.exe | |
| # 2. Add EA to file | |
| copy C:\Windows\System32\calc.exe C:\PerfLogs\calc.exe | |
| C:\PerfLogs\EaInject64.exe /Payload:C:\PerfLogs\calc.exe /Container:C:\PerfLogs\just_a_file.txt /Mode:0 /Identifier:NOTHINGTOSEEHERE |
scudette
/ remapping.yaml
Created
March 23, 2022 06:50
Sample flat disk image remapping configuration
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| remappings: | |
| - type: permissions | |
| permissions: | |
| - COLLECT_CLIENT | |
| - FILESYSTEM_READ | |
| - FILESYSTEM_WRITE | |
| - READ_RESULTS | |
| - MACHINE_STATE | |
| - SERVER_ADMIN | |
| - type: impersonation |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Sysmon Field | ECS Field | |
|---|---|---|
| System.EventID | maps to event.type = "start" | |
| EventData.Image | strip directory part and store in `process.name` | |
| EventData.OriginalFileName | stored in `process.pe.original_file_name` | |
| EventData.CommandLine | is split into array and stored in `process.args` |
scudette
/ spool_enrichment.sql
Created
July 12, 2021 02:25
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SELECT "C:/" + FullPath AS FullPath, | |
| InUse,FileName,FileSize, | |
| dict( | |
| Created0x10 = Created0x10, | |
| LastModified0x10 = LastModified0x10, | |
| LastRecordChange0x10 = LastRecordChange0x10, | |
| LastAccess0x10 = LastAccess0x10 | |
| ) as SI, | |
| dict( |
scudette
/ Custom.GDPRCheck.yaml
Last active
June 4, 2021 16:38
Artifact to check for GDPR Compliance
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Custom.Windows.Audit.SCA | |
| sources: | |
| - query: | | |
| LET results <= SELECT * FROM chain( | |
| id0_0={ | |
| SELECT 14500 AS ID, | |
| '''Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' ''' AS Title, | |
| get(field='''LimitBlankPasswordUse''') AS ActualValue, | |
| '''1''' AS ExpectedValue, |
scudette
/ Custom.Windows.ETW.DNSQueries.yaml
Created
February 14, 2021 11:54
Artifact to watch dns queries using ETW
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Custom.Windows.ETW.DNSQueries | |
| type: CLIENT_EVENT | |
| sources: | |
| - precondition: | |
| SELECT OS From info() where OS = 'windows' | |
| query: | | |
| SELECT System.TimeStamp AS Timestamp, | |
| EventData.QueryName AS Query, |
NewerOlder