//Test Rule Logic 1
// Command interpreter (cmd.exe / powershell.exe) spawned by the IIS worker process (w3wp.exe)
// that in turn launches host/session recon tools (ipconfig.exe, quser.exe).
// The parent-child chain is the signal: an IIS worker should not be running shells, so a hit
// is worth triaging as possible web-shell follow-on activity.
ObjectType = "process"
AND SrcProcParentName = "w3wp.exe"
AND SrcProcName In Contains Anycase ( "cmd.exe" , "powershell.exe" )
AND TgtProcName in Contains Anycase ( "ipconfig.exe" , "quser.exe" )
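//Test Rule Logic 2
// Exchange: Set-Mailbox calls that touch DeliverToMailboxAndForward, i.e. mailbox forwarding being
// turned on or changed. Forwarding rules are a frequent persistence / exfiltration step after a
// mailbox takeover, so each hit should be reviewed against the user's expected behaviour.
// Fix: the original used typographic quotes (“ ”), which KQL does not accept as string delimiters,
// and was missing the space between "Set-Mailbox" and `and`.
OfficeActivity
| where OfficeWorkload == "Exchange" and Operation == "Set-Mailbox" and Parameters has "DeliverToMailboxAndForward"
// Parameters is a JSON array of parameter objects exposing a Value field; [1] picks the second
// element positionally. NOTE(review): parameter order in the audit record is not guaranteed —
// confirm against live events before relying on Email for alerting or enrichment.
| extend Email = tostring(parse_json(Parameters)[1].Value)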
vikas891 / SampleEvent.JSON
Last active October 27, 2023 08:43
Sample Event
{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDARSCCN4A3X2YWZ37ZI",
"arn": "arn:aws:iam::107513503799:user/temp-user",
"accountId": "107513503799",
"accessKeyId": "AKIARSCCN4A3WD4RO4P4",
"userName": "temp-user"
},
vikas891 / WindowsUpdateCheck.ps1
Last active June 30, 2022 11:07
WindowsUpdateCheck
Set-StrictMode -Version 2
# Resolves the address of an exported function in a native module that is already loaded in
# the process, without declaring any P/Invoke signatures of its own: it reflects into the
# non-public Microsoft.Win32.UnsafeNativeMethods type inside System.dll and invokes that type's
# GetModuleHandle and GetProcAddress wrappers.
#   $var_module    - name of the native module to look up (passed to GetModuleHandle)
#   $var_procedure - name of the export to resolve (passed to GetProcAddress)
# Returns the value of GetProcAddress (an IntPtr to the export).
# NOTE(review): this reflection-based resolver, paired with func_get_delegate_type below, is a
# well-known in-memory loader building block; despite the file name it performs no Windows
# Update check. Treat it as a positive test sample for script-block (Event ID 4104) detections,
# where the UnsafeNativeMethods / GetProcAddress / GetModuleHandle strings are the indicators.
function func_get_proc_address {
Param ($var_module, $var_procedure)
# Find System.dll among the GAC-loaded assemblies and pull its internal UnsafeNativeMethods type.
$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
# Select the GetProcAddress(HandleRef, string) overload explicitly by parameter types.
$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
# The module handle comes from UnsafeNativeMethods.GetModuleHandle($var_module) and is wrapped in a
# HandleRef with a throwaway IntPtr as the wrapper object, then passed with the export name.
return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}
function func_get_delegate_type {
vikas891 / ExtractAllScripts.ps1
Last active July 16, 2024 19:32
A PowerShell script to re-construct a suspicious .PS1 from script-blocks recorded in Event ID 4104
#Usage:
#
#NOTE: The script expects one argument: the full file path of the EVTX file.
#
#C:\>ExtractAllScripts.ps1
#By default the script reassembles every script/command and writes it to disk.
#
#C:\>ExtractAllScripts.ps1 -List
#This only lists Script Block IDs with their associated script names (if logged).
#