├── Account_Details.sql ├── Account_Failed_Logon_Attempts.sql ├── Account_Logon_Activities.sql ├── AntiMalware_Discovery.sql ├── Attacker_Binaries_Activities.sql ├── BITSAdmin_Transfers.sql ├── Browser_Bookmarks_Discovery.sql ├── Bulk_Domain_Search.sql ├── Bulk_Hash_Search.sql ├── Bulk_Hash_Search_v2.sql ├── Bulk_Hash_Search_v3.sql ├── Bulk_Host_Audit.sql ├── Bulk_IP_Search.sql ├── Bulk_IP_Search_v2.sql ├── CMSTP_Abuse.sql ├── Certutil_Abuse.sql ├── Clear_Windows_Logs_Event.sql ├── Clear_Windows_Logs_Event_v2.sql ├── Control_Panel_Abuse.sql ├── Disable_Event_Tracing_for_Windows.sql ├── Disable_Windows_Firewall.sql ├── Enhanced_Attacker_Execution_Profiling_(EAEP)_events.sql ├── Exe_Run_Browser_Folders.sql ├── Exe_Run_Temp.sql ├── Exe_Run_User_Profile_Path.sql ├── Exe_Written_INetCache.sql ├── File_and_Directory_Discovery.sql ├── Files_Written_to_Removable_Media.sql ├── Files_Written_to_Removable_Media_v2.sql ├── Firewall_Set_Rules.sql ├── Indirect_Command_Execution.sql ├── Inhibit_System_Recovery.sql ├── Investigate_Child_Process.sql ├── Investigate_Data_Transfer_Command_Lines.sql ├── Investigate_Download_and_Execute_Command_Lines.sql ├── Investigate_Parent_Process.sql ├── Investigate_Post_Exploitation_Binaries.sql ├── Investigate_Recon_Binaries.sql ├── Investigate_Recon_Command_Lines.sql ├── Local_Account_Creation.sql ├── Local_Admin_Creation.sql ├── MSHTA_Abuse.sql ├── Outlook_Links.sql ├── Outlook_Office_Attachments.sql ├── PowerShell_Command_Lines_Clustered.sql ├── PowerShell_Download_Command_Lines.sql ├── PowerShell_Download_Command_Lines_v2.sql ├── PowerShell_Encoded_Command_Lines.sql ├── PowerShell_Hunt.sql ├── PowerShell_Malicious_Command_Lines.sql ├── Process_DNS_Requests.sql ├── Processes_Spawning_Under_PSExec.sql ├── RDP_Hijacking.sql ├── README.md ├── Rare_External_Connections.sql ├── Regsvcs_Regasm_Abuse.sql ├── Regsvr32_Abuse.sql ├── Responsible_Process_DNS_Request.sql ├── Responsible_Process_IP_Connection.sql ├── Rundll32_Abuse.sql ├── 
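Scheduled_Tasks_Registered.sql ├── Suspicious_DNS_Request.sql ├── Suspicious_Written_Temp_Files.sql ├── System_Binary_Proxy_Execution.sql ├── System_Script_Proxy_Execution.sql ├── Team_Viewer_External_Connections.sql ├── Timestomp_Attempts.sql ├── Tor_Browser_Usage.sql ├── WMI_Abuse.sql └── XSL_Script_Processing.sql
/Account_Details.sql:
--------------------------------------------------------------------------------
/* Search for all relevant events for a specific UserName */
/* Daily count of distinct hosts and distinct logon sessions for one account.
   UserName="*" (and the other ="*" filters) are template placeholders: narrow
   UserName before running, otherwise the chart covers every account in the CID.
   Hidden hosts are dropped by the hideHiddenHosts macro after the aid_master lookup. */

index=discover_summary report=user_logon ComputerName="*" cid="*" LogonDomain="*" UserName="*"
    (LogonType=Interactive OR LogonType="Cached Credentials" OR LogonType="Auditing" OR LogonType="Terminal Server" OR LogonType=Service)
| lookup aid_master.csv aid OUTPUT HostHiddenStatus, event_platform
| search event_platform IN (*)
`hideHiddenHosts()`
| timechart span=1d dc(aid) AS "Host Count", dc(LogonTime) AS "Logon Sessions"
--------------------------------------------------------------------------------
/Account_Failed_Logon_Attempts.sql:
--------------------------------------------------------------------------------
/* Failed logons (UserLogonFailed2) over the last 7 days, bucketed per minute and then
   rolled up per user/host pair. "Suspicious Attempt?" is set when any single minute
   held more than 3 failures for the pair - a coarse spray / brute-force signal; the
   threshold (Count>3) is a tuning knob, not a ground truth.
   - LogonType_decimal 2,5,10,11,12 keeps interactive, service, remote-interactive and
     the cached-interactive variants; network (3) logons are intentionally excluded.
   - ContextTimeStamp_decimal is normalised from Windows FILETIME (18 digits) to epoch.
   - Status falls back to SubStatus when Status is 0; Mac Status/SubStatus 1/9 is
     reported as "Invalid password entered".
   - userinfo.csv enrichment (SID, last success, password age, local-admin flag) is
     "NOT FOUND" for accounts the lookup does not know.
   - fStart/fEnd frame a +/-1h window around the last failure for drill-down links. */

index=main event_simpleName=UserLogonFailed2 cid=* UserName=* event_platform IN (*) LogonType_decimal IN (2,5,10,11,12) earliest=-604801s
| lookup aid_master.csv aid OUTPUT HostHiddenStatus
`hideHiddenHosts()`
| eval LogonTime_decimal=if(len(ContextTimeStamp_decimal)=18, round(ContextTimeStamp_decimal/10000000-11644473600), ContextTimeStamp_decimal)
| fillnull value=NULL UserLogonFlags_decimal
| eval UserName=upper(UserName)
| eval Status = if(Status_decimal==0, SubStatus_decimal, Status_decimal)
| eval match = case(isnotnull(LogonDomain) AND event_platform="Win", LogonDomain + "\\" + UserName, isnull(LogonDomain) AND event_platform="Win", ComputerName + "\\" + UserName, event_platform="Mac", UserPrincipal)
| lookup win_status_codes.csv Status_code_decimal AS Status OUTPUT Description as Status
| eval Status=if(event_platform="Mac" AND Status_decimal=1 AND SubStatus_decimal=9, "Invalid password entered", Status)
| bucket _time span=1m
| stats values(match) as match values(ClientComputerName) as ClientComputerName values(LogonDomain) as LogonDomain values(RemoteAddressIP4) as RemoteAddressIP4 values(Status) as Status values(LogonType_decimal) as LogonType_decimal count(eval(event_simpleName=="UserLogonFailed2")) AS Count, latest(UserLogonFlags_decimal) AS UserLogonFlags_decimal, max(LogonTime_decimal) AS FailedLogonAttempt by cid, UserName, ComputerName, _time
| lookup userinfo.csv User AS match cid OUTPUT UserSid_readable, LogonTime AS LastSuccessfulLogon, PasswordLastSet, AccountType, LastLoggedOnHost, LocalAdminAccess
| fillnull value="NOT FOUND" AccountType, LocalAdminAccess
| search AccountType IN ("*") LocalAdminAccess IN (*)
| eval monthsincereset=round((now()-(PasswordLastSet))/86400/30,0)
| eval LastSuccessfulLogon=if(LastSuccessfulLogon=0,"NA",LastSuccessfulLogon)
| lookup cid_name cid OUTPUT name
| stats values(AccountType) as "Account Type" values(ClientComputerName) as "Remote Source Host" values(LogonDomain) as "Logon Domain" values(RemoteAddressIP4) as "Remote Source IP" values(Status) as Description values(LogonType_decimal) as "Logon Type" max(Count) AS Count, max(FailedLogonAttempt) AS FailedLogonAttempt, values(PasswordLastSet) AS PasswordLastSet_decimal, max(LastSuccessfulLogon) AS LastSuccessfulLogon, latest(LastLoggedOnHost) AS "Last Logged On Host", values(name) AS Company values(UserSid_readable) as UserSid_readable values(LocalAdminAccess) as "Local Admin" by UserName, ComputerName
| eval SuspiciousAttempt=if(Count>3,"Yes","No")
| eval fStart=FailedLogonAttempt-3600
| eval fEnd=FailedLogonAttempt+3600
| sort 0 -Count
| rename ComputerName AS "Host Name", UserName AS "User Name", FailedLogonAttempt AS "Last Failed Logon Attempt", LastSuccessfulLogon AS "Last Successful Logon", PasswordLastSet_decimal AS "Password Last Set", Count AS "Max Failed Logons Per Min", SuspiciousAttempt AS "Suspicious Attempt?"
`formatDate("Password Last Set")`
`formatDate("Last Failed Logon Attempt")`
`formatDate("Last Successful Logon")`
--------------------------------------------------------------------------------
/Account_Logon_Activities.sql:
--------------------------------------------------------------------------------
/* Search for all relevant Logon activities for a specific UserName */
/* Lists accounts from the userinfo.csv lookup that logged on within the last 7 days.
   The ="*" filters are template placeholders; narrow UserName before running.
   monthsincereset is computed from PasswordLastSet when the lookup does not already
   supply it (the original only tested it for 0, so a missing column rendered blank);
   the formula matches Account_Failed_Logon_Attempts.sql. */

| inputlookup userinfo.csv where cid=*
| search UserName=* AccountType="*" LocalAdminAccess=* (LogonType="*")
| eval LogonDomain=upper(mvindex(split(User,"\\"),0))
| where now()-LogonTime<604800
| eval monthsincereset=if(isnull(monthsincereset) AND PasswordLastSet>0, round((now()-PasswordLastSet)/86400/30,0), monthsincereset)
| eval monthsincereset=if(PasswordLastSet=0,"NA",monthsincereset)
| eval PasswordLastSet=if(PasswordLastSet=0,"NA",PasswordLastSet)
| table cid, User, UserName, UserSid_readable, LogonDomain, AccountType, LocalAdminAccess, LogonType, LastLoggedOnHost, LogonTime, PasswordLastSet, monthsincereset
| rename LogonDomain AS "Logon Domain", AccountType AS "Account Type", LocalAdminAccess AS "Local Admin Privileges", LogonType AS "Logon Type", LastLoggedOnHost AS "Logged On Host", LogonTime AS "Logon Time", PasswordLastSet AS "Password Last Set", monthsincereset AS "Months since Password Last Set", UserName AS "User Name"
| lookup cid_name cid OUTPUT name
| eval fStart=now()-604800
| sort 0 -"User Name"
| rename name AS Company
`formatDate("Logon Time")`
`formatDate("Password Last Set")`
--------------------------------------------------------------------------------
/AntiMalware_Discovery.sql:
--------------------------------------------------------------------------------
/* Security-software discovery via the WMI SecurityCenter2 namespace (T1518.001).
   The original matched one exact argument order ("wmic.exe /Namespace:\\root\SecurityCenter2
   Path AntiVirusProduct Get displayName /Format:List"), so "wmic /namespace:..." without
   the .exe suffix, a different property list, or the PowerShell Get-WmiObject /
   Get-CimInstance form were all missed. Matching on the namespace and class names
   instead catches every variant; restricted to process events to avoid scanning
   every event type that carries a CommandLine field. */

(event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked OR event_simpleName=SyntheticProcessRollup2)
    CommandLine="*SecurityCenter2*" CommandLine="*AntiVirusProduct*"
| stats dc(UserName) dc(ComputerName) count by CommandLine
| sort 0 + count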
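--------------------------------------------------------------------------------
/Attacker_Binaries_Activities.sql:
--------------------------------------------------------------------------------
/* Broad living-off-the-land inventory: every process event whose command line names
   one of the usual recon / lateral-movement / execution binaries, grouped by command
   line with the hosts and users that ran it. Expect heavy volume; this is a triage
   list, not an alert.
   Parentheses make Splunk's implicit grouping explicit (OR binds before AND, so the
   event_simpleName pair and the CommandLine list were already evaluated as two AND-ed
   groups). Fixes: "*\\xcopy.exe" had no trailing wildcard and only matched a bare
   xcopy with no arguments; "sort by" is not SPL ("by" was read as a field name), and
   "sort 0" lifts the default 10,000-row cap. */

ComputerName="*" (event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked)
    (CommandLine=*\\arp.exe* OR CommandLine="at *" OR CommandLine=*\\at.exe* OR CommandLine="bitsadmin *" OR CommandLine=*\\bitsadmin.exe* OR CommandLine="*csvde.exe *" OR CommandLine="dsquery *" OR CommandLine=*\\dsquery.exe* OR CommandLine=*\\ftp.exe* OR CommandLine=*\\makecab.exe* OR CommandLine="*nbtstat *" OR CommandLine="net *" OR CommandLine=*\\net.exe* OR CommandLine=*\\net1.exe* OR CommandLine="netsh *" OR CommandLine=*\\netsh.exe* OR CommandLine="netstat *" OR CommandLine=*\\netstat.exe* OR CommandLine="*nslookup*" OR CommandLine="ping *" OR CommandLine=*\\ping.exe* OR CommandLine=*quser.exe* OR CommandLine=*\\reg.exe* OR CommandLine=*\\regsvr32.exe* OR CommandLine="route *" OR CommandLine=*\\route.exe* OR CommandLine="sc *" OR CommandLine=*\\sc.exe* OR CommandLine="schtasks *" OR CommandLine=*\\schtasks.exe* OR CommandLine=systeminfo* OR CommandLine="taskkill *" OR CommandLine=*\\taskkill.exe* OR CommandLine="tasklist *" OR CommandLine=*\\tasklist.exe* OR CommandLine=*wevtutil* OR CommandLine="whoami*" OR CommandLine=*\\whoami.exe* OR CommandLine=*\\xcopy.exe* OR CommandLine="wmic *" OR CommandLine=*\\wmic.exe* OR CommandLine="psexec *" OR CommandLine=*\\psexec.exe* OR CommandLine=*\\psexesvc.exe* OR CommandLine="powershell.exe *" OR CommandLine=*\\powershell.exe* OR CommandLine=*\\cmd.exe* OR CommandLine="cmd *" OR CommandLine="cmd.exe *")
| stats values(ComputerName) values(UserName) count by CommandLine
| sort 0 -count
--------------------------------------------------------------------------------
/BITSAdmin_Transfers.sql:
--------------------------------------------------------------------------------
/* bitsadmin.exe used to move files (/Transfer or /Addfile), T1197. dedup keeps one row
   per distinct command line, so per-host repeats are collapsed - drop the dedup when
   you need every execution. */

event_simpleName=ProcessRollup2 FileName=bitsadmin.exe (CommandLine=*/Transfer* OR CommandLine=*/Addfile*)
| dedup CommandLine
| table _time aid ComputerName UserName ImageFileName CommandLine TargetFileName MD5HashData SHA256HashData
| sort 0 -_time
--------------------------------------------------------------------------------
/Browser_Bookmarks_Discovery.sql:
--------------------------------------------------------------------------------
/* Browser bookmark discovery (T1217) in PowerShell/cmd history (commandhistoryv2).
   This is a free-text term search: each parenthesised group is a set of AND-ed
   tokens, so it tolerates argument order but not alternative spellings. */

commandhistoryv2 (Get-ChildItem Path Users Filter Bookmarks) OR (where Bookmarks) OR (where R Users places.sqlite) OR (dir s b USERPROFILE Favorites)
| fields ComputerName UserName CommandHistory
--------------------------------------------------------------------------------
/Bulk_Domain_Search.sql:
--------------------------------------------------------------------------------
/* Which processes resolved a given list of domains. Replace "xxxxxxxxxxxx" (in BOTH
   subsearches) with a space-separated domain list; makemv turns it into a multivalue
   filter. The outer subsearch restricts the process events to the aid/PID pairs that
   issued a matching DnsRequest; the join then attaches the DomainName itself.
   Subsearch result limits apply, so keep the domain list short. */

eventtype=eam (ProcessRollup2 OR SyntheticProcessRollup2) cid=*
    [ search eventtype=eam (DnsRequest OR SuspiciousDnsRequest) cid=*
        [| stats count
         | eval DomainName="xxxxxxxxxxxx"
         | makemv DomainName delim=" "
         | fields DomainName ]
      | eval DomainName=lower(DomainName)
      | rename ContextProcessId_decimal AS TargetProcessId_decimal
      | table aid, TargetProcessId_decimal ]
| join TargetProcessId_decimal, aid
    [ search eventtype=eam (DnsRequest OR SuspiciousDnsRequest) cid=*
        [| stats count
         | eval DomainName="xxxxxxxxxxxx"
         | makemv DomainName delim=" "
         | fields DomainName ]
      | eval DomainName=lower(DomainName)
      | rename ContextProcessId_decimal AS TargetProcessId_decimal
      | table DomainName, aid, TargetProcessId_decimal ]
| stats values(ComputerName) AS "Host Name", values(UserName) AS "User Name", values(ParentProcessId_decimal) AS "Parent Process ID", values(RawProcessId_decimal) AS PID, values(MD5HashData) AS MD5, max(_time) AS TimeUTC by DomainName, FileName, SHA256HashData, TargetProcessId_decimal, aid, cid
| eval "Process Explorer"="View"
| eval Contain="Contain Host"
| eval fStart=TimeUTC-3600
| eval fEnd=TimeUTC+3600
| table TimeUTC, DomainName, "Host Name", "User Name", "Parent Process ID", PID, TargetProcessId_decimal, FileName, MD5, SHA256HashData, aid, "Process Explorer", Contain, fStart, fEnd, cid
| rename SHA256HashData AS SHA256, TargetProcessId_decimal AS "Process ID", FileName AS "File Name", DomainName AS "Domain Name", TimeUTC AS "Process Start Time (UTC)"
| sort 0 -"Process Start Time (UTC)"
| fieldformat "Process Start Time (UTC)"=strftime('Process Start Time (UTC)', "%Y-%m-%d %H:%M.%S")
--------------------------------------------------------------------------------
/Bulk_Hash_Search.sql:
--------------------------------------------------------------------------------
/* Prevalence of a list of MD5 and/or SHA256 hashes across process executions.
   Replace "xxxxxxxxx" with space-separated hashes (either list may be left as the
   placeholder). Fix: the final sort referenced "# of Computers", a field that does
   not exist - the stats output names it "# of Hosts". The fillnull/search on
   UserName after stats is inert (stats drops those fields) and is kept only for
   template compatibility. */

index=main cid=* sourcetype IN ("ProcessRollup2*", "SyntheticProcessRollup2*") FileName="*" ComputerName=* (
    [| stats count
     | eval MD5HashData="xxxxxxxxx"
     | makemv MD5HashData delim=" "
     | fields MD5HashData ] OR
    [| stats count
     | eval SHA256HashData="xxxxxxxxx"
     | makemv SHA256HashData delim=" "
     | fields SHA256HashData ] )
| eval FileName=lower(FileName)
| stats values(SHA256HashData) AS SHA256, values(FileName) AS "File Name", dc(FileName) AS "Unique File Count", count AS "# of Process Executions", dc(aid) AS "# of Hosts", earliest(ComputerName) AS "First Executed On", min(_time) AS "First Executed Date", latest(ComputerName) AS "Last Executed On", max(_time) AS "Last Executed Date" by MD5HashData
| fillnull value="" UserName,UserPrincipal
| search UserName=* OR UserPrincipal=*
| rename MD5HashData AS MD5
`formatDate("First Executed Date")`
`formatDate("Last Executed Date")`
| sort 0 +"# of Hosts"
--------------------------------------------------------------------------------
/Bulk_Hash_Search_v2.sql:
--------------------------------------------------------------------------------
/* Per-execution detail for a list of hashes (one row per process event) with a
   +/-10 minute drill-down window. The bare "* *" terms and the NOT ... IN (NONE)
   clauses are template slots for extra filters; leave them as-is. */

index=main eventtype=eam cid=* sourcetype IN ("ProcessRollup2*", "SyntheticProcessRollup2*") * * (
    [| stats count
     | eval MD5HashData="xxxxxxxxx"
     | makemv MD5HashData delim=" "
     | fields MD5HashData ] OR
    [| stats count
     | eval SHA256HashData="xxxxxxxxx"
     | makemv SHA256HashData delim=" "
     | fields SHA256HashData ] )
| search CommandLine="*" FileName="*" ComputerName=* NOT FileName IN (NONE) NOT CommandLine IN (NONE)
| fillnull value="" UserName,UserPrincipal
| search UserName=* OR UserPrincipal=*
| eval User=if(event_platform="Mac",upper(UserPrincipal),upper(UserName))
| eval FileName=lower(FileName)
| rename TargetProcessId_decimal AS "Process ID", FileName AS "File Name", CommandLine AS "Command Line", RawProcessId_decimal AS PID, UserName AS "User Name", MD5HashData AS MD5
| eval Timestamp=_time
| eval fStart=Timestamp-600
| eval fEnd=Timestamp+600
`formatDate(Timestamp)`
| table fStart, fEnd, Timestamp, ComputerName, "User Name", "File Name", PID, "Process ID", "Command Line", MD5, aid, cid
| rename ComputerName AS "Host Name", Timestamp AS "Time (UTC)"
--------------------------------------------------------------------------------
/Bulk_Hash_Search_v3.sql:
--------------------------------------------------------------------------------
/* Hash prevalence per host, including ImageHash events (so a file that was hashed
   but never executed still shows up). Replace "xxxxxxxxxx" with space-separated hashes. */

eventtype=eam cid=* ((ProcessRollup2 OR SyntheticProcessRollup2) OR ImageHash) (
    [| stats count
     | eval MD5HashData="xxxxxxxxxx"
     | makemv MD5HashData delim=" "
     | fields MD5HashData ] OR
    [| stats count
     | eval SHA256HashData="xxxxxxxxxx"
     | makemv SHA256HashData delim=" "
     | fields SHA256HashData ] )
| stats values(FileName) AS "File Name", count AS Count, min(_time) AS FirstSeenDate, max(_time) AS LastSeenDate by MD5HashData, ComputerName, aid, cid
| rename MD5HashData AS MD5, ComputerName AS "Host Name"
| eval "First Seen Date"=FirstSeenDate
| eval "Last Seen Date"=LastSeenDate
| eval Contain="Contain Host"
| table MD5, "Host Name", "File Name", Count, "First Seen Date", "Last Seen Date", FirstSeenDate, LastSeenDate, aid, Contain, cid
`formatDate("First Seen Date")`
`formatDate("Last Seen Date")`
--------------------------------------------------------------------------------
/Bulk_Host_Audit.sql:
--------------------------------------------------------------------------------
/* Sensor inventory for a list of hosts. Replace xxxxxxxxx with a comma-separated
   list of ComputerName values; aid, OS version, agent version and first-seen time
   come from aid_master.csv. */

index=main event_simpleName=SensorHeartbeat ComputerName IN (xxxxxxxxx) cid="*"
| lookup aid_master.csv ComputerName OUTPUT ComputerName AS "Host Name", aid, Version, AgentVersion, FirstSeen
| stats latest(aid) as aid, values(Version) as Version, latest(AgentVersion) as "Agent Version", latest(FirstSeen) as "First Seen" by "Host Name"
`formatDate("First Seen")`
| sort 0 "Host Name"
--------------------------------------------------------------------------------
/Bulk_IP_Search.sql:
--------------------------------------------------------------------------------
/* Which hosts connected to a list of destination IPs. Replace the "*" in the
   subsearch with space-separated IPs - left as "*" it returns every outbound
   connection in the CID. "First Connection" uses last(), which in default
   reverse-chronological search order is the oldest event. */

index=main event_simpleName=NetworkConnectIP4 cid=* [ | stats count | eval RemoteAddressIP4="*" | makemv RemoteAddressIP4 delim=" " | fields RemoteAddressIP4 ]
| stats values(ComputerName) AS "Host Name", count AS Count, dc(ComputerName) AS "# of Hosts", last(ComputerName) AS "First Connection", min(_time) AS "First Connect Date", latest(ComputerName) AS "Last Connection", max(_time) AS "Last Connect Date" by RemoteAddressIP4
| convert ctime("First Connect Date")
| convert ctime("Last Connect Date")
| table RemoteAddressIP4, "Host Name", "# of Hosts", "First Connection", "First Connect Date", "Last Connection", "Last Connect Date"
| rename RemoteAddressIP4 AS "Destination IP"
--------------------------------------------------------------------------------
/Bulk_IP_Search_v2.sql:
--------------------------------------------------------------------------------
/* Same as Bulk_IP_Search with source and external (aip) IP columns. TERM("") and
   the IN (*) filters are template slots: put the destination IP in TERM() or
   narrow RemoteAddressIP4. */

index=main event_simpleName=NetworkConnectIP4 cid=* (TERM(""))
| search LocalAddressIP4 IN (*) AND aip IN (*) AND RemoteAddressIP4 IN (*)
| stats values(ComputerName) AS "Host Name", count AS Count, dc(ComputerName) AS "# of Hosts", last(ComputerName) AS "First Connection", min(_time) AS "First Connect Date", latest(ComputerName) AS "Last Connection", max(_time) AS "Last Connect Date", values(LocalAddressIP4) AS "Source IP", values(aip) AS "External IP" by RemoteAddressIP4
| convert ctime("First Connect Date")
| convert ctime("Last Connect Date")
| table "Source IP", RemoteAddressIP4, "External IP", "Host Name", "# of Hosts", "First Connection", "First Connect Date", "Last Connection", "Last Connect Date"
| rename RemoteAddressIP4 AS "Destination IP"
--------------------------------------------------------------------------------
/CMSTP_Abuse.sql:
--------------------------------------------------------------------------------
/* https://attack.mitre.org/techniques/T1218/003/ */
/* https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md */
/* Any cmstp.exe launch (signed binary proxy execution via a crafted .inf). Legitimate
   connection-manager installs are rare on workstations, so review every hit. */

(event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked OR event_simpleName=SyntheticProcessRollup2) FileName="cmstp*"
| eval timestamp=(timestamp / 1000)
| convert timeformat="%FT%H:%M:%S.%3N UTC" ctime(timestamp) AS timestamp_readable
| table timestamp_readable ComputerName UserName ImageFileName CommandLine
--------------------------------------------------------------------------------
/Certutil_Abuse.sql:
--------------------------------------------------------------------------------
/* certutil used to base64-encode/decode payloads (T1140). Fix: the original patterns
   started with "certutil*" and so only matched command lines that BEGIN with the
   word certutil; a quoted full path ("C:\Windows\System32\certutil.exe" -decode ...)
   never matched. "-decode*" also covers -decodehex. */

(event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked OR event_simpleName=SyntheticProcessRollup2)
    (CommandLine="*certutil* -encode*" OR CommandLine="*certutil* -decode*")
| stats count by CommandLine
--------------------------------------------------------------------------------
/Clear_Windows_Logs_Event.sql:
--------------------------------------------------------------------------------
/* Event-log clearing with wevtutil (T1070.001); "cl*" matches both the cl alias and
   clear-log. Fix: leading wildcard added so a full-path invocation is caught too. */

(event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked OR event_simpleName=SyntheticProcessRollup2) CommandLine="*wevtutil* cl*"
| stats count by CommandLine
--------------------------------------------------------------------------------
/Clear_Windows_Logs_Event_v2.sql:
--------------------------------------------------------------------------------
/* PowerShell Clear-EventLog in command history (T1070.001). */

commandhistoryv2
| search CommandHistory="*Clear-EventLog*"
| fields ComputerName UserName CommandHistory
| stats count by ComputerName UserName CommandHistory
--------------------------------------------------------------------------------
/Control_Panel_Abuse.sql:
--------------------------------------------------------------------------------
/* https://attack.mitre.org/techniques/T1218/002/ */
/* control.exe loading a .cpl; the two NOT clauses drop the common benign
   display/sound applets. Extend the exclusions rather than the match. */

(event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked OR event_simpleName=SyntheticProcessRollup2)
    CommandLine="*control.exe *.cpl*" NOT CommandLine="*control.exe desk.cpl,,3*" NOT CommandLine="*control.exe mmsys.cpl*"
| eval timestamp=(timestamp / 1000)
| convert timeformat="%FT%H:%M:%S.%3N UTC" ctime(timestamp) AS timestamp_readable
| table timestamp_readable ComputerName UserName ImageFileName CommandLine
--------------------------------------------------------------------------------
/Disable_Event_Tracing_for_Windows.sql:
--------------------------------------------------------------------------------
/* https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/ */
/* .NET ETW provider disabled via the COMPlus_ETWEnabled environment variable or the
   HKLM\Software\Microsoft\.NETFramework\ETWEnabled registry value (T1562.006).
   Two fixes: (1) the original third pattern contained unescaped inner quotes
   ("DWord"), which terminate the SPL string and break the search; the registry
   variants are now matched on the path + value name regardless of tool (reg.exe,
   New-ItemProperty, Set-ItemProperty) - this also surfaces a value of 1, which is
   rare and easy to dismiss. (2) "fields ComputerName CommandHistory" discarded
   UserName/ImageFileName, and a stats BY clause silently drops events missing any
   BY field, so the original returned nothing. Grouping now matches
   Clear_Windows_Logs_Event_v2.sql. */

commandhistoryv2
| search CommandHistory="*COMPlus_ETWEnabled*" OR CommandHistory="*.NETFramework*ETWEnabled*"
| fields ComputerName UserName CommandHistory
| stats count by ComputerName UserName CommandHistory
--------------------------------------------------------------------------------
/Disable_Windows_Firewall.sql: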
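--------------------------------------------------------------------------------
/* Windows Firewall turned off with netsh (T1562.004). Fixes: the original had no
   leading wildcard (missed full-path launches) and only matched "currentprofile",
   so "netsh advfirewall set allprofiles state off" - the form most tooling uses -
   was not detected. "*profile*" covers currentprofile, allprofiles, domainprofile,
   privateprofile and publicprofile. */

(event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked OR event_simpleName=SyntheticProcessRollup2)
    CommandLine="*netsh* advfirewall* set* *profile* state* off*"
| stats count by CommandLine
--------------------------------------------------------------------------------
/Enhanced_Attacker_Execution_Profiling_(EAEP)_events.sql:
--------------------------------------------------------------------------------
/* Notes, not a finished query. The first line counts, per event type, the EAEP
   events on one host (replace ComputerNameHere); they are the events that carry
   RpcClientProcessId_decimal, i.e. the RPC client responsible for the change.
   The two lists name the event types to look for; the last line is a sample
   filter for account creation / group membership changes. */

ComputerName=ComputerNameHere RpcClientProcessId_decimal=*
| stats count by event_simpleName

ScheduledTaskRegistered, ScheduledTaskDeleted, FirewallSetRule, FirewallDeleteRule, FirewallChangeOption
ServiceStarted, HostedServiceStarted, ServiceStopped, HostedServiceStopped, UserAccountAddedToGroup, UserAccountCreated, UserAccountDeleted

Sample Query: event_simpleName=UserAccountCreated OR event_simpleName=UserAccountAddedToGroup
--------------------------------------------------------------------------------
/Exe_Run_Browser_Folders.sql:
--------------------------------------------------------------------------------
/* Executables launched directly from browser cache/profile folders or Downloads.
   The search narrows to the candidate paths; the regex then keeps only files sitting
   DIRECTLY in those folders (no sub-directory), which is where drive-by / phishing
   payloads land. Fixes: the regex used \w+\.exe, which silently excluded names with
   spaces, hyphens or dots ("setup (1).exe", "my-tool.exe"); [^\\\\]+ means "anything
   but a backslash". The modern IE/Edge cache path (INetCache) is added alongside
   Temporary Internet Files, matching Exe_Written_INetCache.sql. The redundant table
   before stats was removed. */

(event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2)
    (ImageFileName="*\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\*" OR ImageFileName="*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\*" OR ImageFileName="*\\AppData\\Local\\Mozilla\\Firefox\\Profiles*" OR ImageFileName="*\\AppData\\Local\\Google\\Chrome\\*" OR ImageFileName="*\\Downloads\\*")
| regex ImageFileName="(?i).*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\Temporary.Internet.Files\\\\[^\\\\]+\.exe$|.*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\[^\\\\]+\.exe$|.*\\\\AppData\\\\Local\\\\Mozilla\\\\Firefox\\\\Profiles\\\\[^\\\\]+\.exe$|.*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\[^\\\\]+\.exe$|.*\\\\Downloads\\\\[^\\\\]+\.exe$"
| stats count values(ImageFileName) values(ComputerName) values(UserName) by SHA256HashData
--------------------------------------------------------------------------------
/Exe_Run_Temp.sql: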
-------------------------------------------------------------------------------- 1 | event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked CommandLine="C:\\Windows\\Temp\\*.exe" 2 | | table ComputerName FileName CommandLine SHA256HashData 3 | | stats count values(CommandLine) by SHA256HashData -------------------------------------------------------------------------------- /Exe_Run_User_Profile_Path.sql: -------------------------------------------------------------------------------- 1 | (event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2) AND (ImageFileName="*\\AppData\\*" OR ImageFileName="*\\Desktop\\*" OR ImageFileName="*\\AppData\\Local\\*" OR ImageFileName="*\\AppData\\Local\\Temp\\*" OR ImageFileName="*\\AppData\\Roaming\\*") 2 | | regex ImageFileName=".*\\\\Desktop\\\\\w+\.exe|.*\\\\AppData\\\\\w+\.exe|.*\\\\AppData\\\\Local\\\\\w+.exe|.*\\\\AppData\\\\Local\\\\Temp\\\\\w+.exe|.*\\\\AppData\\\\Roaming\\\\\w+.exe" 3 | | fields ComputerName UserName ImageFileName FileName SHA256HashData 4 | | stats count values(FileName) by SHA256HashData -------------------------------------------------------------------------------- /Exe_Written_INetCache.sql: -------------------------------------------------------------------------------- 1 | event_simpleName=NewExecutableWritten FilePath="*\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\*\\" AND (FileName="*.exe" OR FileName="*.sct") 2 | | stats count by ComputerName TargetFileName 3 | | sort count -------------------------------------------------------------------------------- /File_and_Directory_Discovery.sql: -------------------------------------------------------------------------------- 1 | CommandLine="*dir "%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*” OR CommandLine=”*dir ‘%systemdrive%\Users\*.*’ >> %temp%\*” OR CommandLine="*ls -recurse*" OR CommandLine=”*get-childitem –recurse*” OR CommandLine=”*gci –recurse*” 2 | | stats dc(UserName) dc(ComputerName) 
count by CommandLine 3 | | sort + count -------------------------------------------------------------------------------- /Files_Written_to_Removable_Media.sql: -------------------------------------------------------------------------------- 1 | IsOnRemovableDisk_decimal=1 event_simpleName=*Written UserName="*" 2 | | fields ComputerName UserName TargetFileName 3 | | cluster field=TargetFileName labelonly=t t=0.6 4 | | stats values(ComputerName) values(UserName) values(TargetFileName) by cluster_label 5 | | rename values(*) as * -------------------------------------------------------------------------------- /Files_Written_to_Removable_Media_v2.sql: -------------------------------------------------------------------------------- 1 | index=main eventtype=eam event_simpleName IN (*FileWritten, ExecutableRenamed,FsPostOpen,FileRenamed,NewScriptWritten) ComputerName=* aid=* FileName=* cid=* [ search index=main eventtype=eam event_simpleName=RemovableMediaVolumeMounted ComputerName=* aid=* cid=* earliest=-24h@h latest=now | stats count by aid, VolumeName | eval FilePath=VolumeName."*" | fields aid FilePath ] 2 | | rex field=event_simpleName mode=sed "s/([A-Z]+)/ \1/g s/_//g" 3 | | eval event_simpleName=trim(event_simpleName) 4 | | eval FileType=case(isnotnull(event_simpleName),'event_simpleName',event1=1,"unknown") 5 | | table FileType, ComputerName, FileName, TargetFileName, timestamp 6 | | eval "Time (UTC)"=timestamp/1000 7 | | rename ComputerName AS "Host Name", FileName AS "File Name", TargetFileName AS "Full Path", FileType AS "Action" 8 | | sort 0 -"Time (UTC)" 9 | | convert ctime("Time (UTC)") 10 | -------------------------------------------------------------------------------- /Firewall_Set_Rules.sql: -------------------------------------------------------------------------------- 1 | index=main event_simpleName=FirewallSetRule cid=* ComputerName=* aid=* 2 | | rex field=FirewallRule "App=(?(.*?))\|" 3 | | rex field=FirewallRule "Action=(?(.*?))\|" 4 | | rex 
field=FirewallRule max_match=0 "Profile=(?(.*?))\|" 5 | | rex field=FirewallRule "Protocol=(?(.*?))\|" 6 | | rex field=FirewallRule "Dir=(?(.*?))\|" 7 | | rex field=FirewallRule "Name=(?(.*?))\|" 8 | | rex field=App "(?[^\\\]+$)" 9 | | eval Protocol=case(Protocol=1, "ICMP", Protocol=6, "TCP", Protocol=17, "UDP", Protocol=58, "IPv6-ICMP") 10 | | search Action=Allow 11 | | eval ProcessID=aid."/".RpcClientProcessId_decimal 12 | | stats dc(aid) AS "Host Count", list(App) AS "File Path", list(Protocol) AS Protocol, list(ComputerName) AS "Host Name", list(Name) AS Name, list(Profile) AS Profile, list(ProcessID) AS "RPC Client Process ID", list(aid) AS aid by FileName, Direction 13 | | rename FileName AS "File Name" 14 | | search "Host Count"<20 15 | | sort 0 +"Host Count", +"File Name" 16 | -------------------------------------------------------------------------------- /Indirect_Command_Execution.sql: -------------------------------------------------------------------------------- 1 | event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked OR event_simpleName=SyntheticProcessRollup2 CommandLine="*pcalua.exe* -a*" 2 | | eval timestamp=(timestamp / 1000) 3 | | convert timeformat="%FT%H:%M:%S.%3N UTC" ctime(timestamp) AS timestamp_readable 4 | | table timestamp_readable ComputerName UserName ImageFileName CommandLine 5 | 6 | event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked OR event_simpleName=SyntheticProcessRollup2 CommandLine="*forfiles* /p* c:\\windows\\system32* /m*" 7 | | eval timestamp=(timestamp / 1000) 8 | | convert timeformat="%FT%H:%M:%S.%3N UTC" ctime(timestamp) AS timestamp_readable 9 | | table timestamp_readable ComputerName UserName ImageFileName CommandLine 10 | -------------------------------------------------------------------------------- /Inhibit_System_Recovery.sql: -------------------------------------------------------------------------------- 1 | CommandLine="*vssadmin.exe delete shadows /all /quiet*" OR 
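CommandLine=”*Get-WmiObject Win32_Shadowcopy*” OR CommandLine=”*wbadmin.exe delete catalog*” OR CommandLine=”*wmic.exe shadowcopy delete*”
| stats dc(UserName) dc(ComputerName) count by CommandLine
| sort + count
--------------------------------------------------------------------------------
/Investigate_Child_Process.sql:
--------------------------------------------------------------------------------
/* Processes spawned by a given parent binary (cmd.exe in this version of the query).

   The subsearch collects the TargetProcessId of every cmd.exe execution and renames it to
   ParentProcessId_decimal, so the outer search keeps only events whose parent is one of those
   instances. aid is carried along because process ids are only unique per sensor. Subsearch
   results are capped by default (10,000 rows / 60 s), so narrow the time range when cmd.exe is
   noisy. Groups are parenthesised to make the AND-of-ORs explicit. */

(event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked)
    [ search (event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked) FileName=cmd.exe
    | rename TargetProcessId_decimal AS ParentProcessId_decimal
    | fields aid ParentProcessId_decimal ]
| stats count by FileName CommandLine
--------------------------------------------------------------------------------
/Investigate_Data_Transfer_Command_Lines.sql:
--------------------------------------------------------------------------------
/* Executions of tools commonly used to move or stage data (ftp/sftp/ssh/scp, bitsadmin, copy to a
   UNC path, rar/makecab writing under a temp directory), oldest-to-newest readable timestamp.

   "*\\\\*" is a double backslash after Splunk unescaping, i.e. a UNC path. timestamp is treated as
   milliseconds (divided by 1000 before ctime()). sort takes field names directly, so the previous
   "sort by CommandLine" (which read "by" as a field) is now "sort CommandLine".
   NOTE(review): copy is a cmd.exe builtin, so FileName=copy.exe is unlikely to ever match — confirm
   whether a cmd.exe match on CommandLine was intended. */

(event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked)
    (
        FileName=ftp.exe
        OR FileName=sftp.exe
        OR FileName=ssh.exe
        OR FileName=scp.exe
        OR (FileName=copy.exe AND CommandLine="*\\\\*")
        OR FileName=bitsadmin.exe
        OR (FileName=rar.exe AND CommandLine="*\\temp\\*")
        OR (FileName=makecab.exe AND CommandLine="*\\temp\\*")
    )
| eval timestamp=(timestamp / 1000)
| convert timeformat="%FT%H:%M:%S.%3N UTC" ctime(timestamp) AS timestamp_readable
| table timestamp_readable ComputerName FileName CommandLine
| sort CommandLine
--------------------------------------------------------------------------------
/Investigate_Download_and_Execute_Command_Lines.sql:
--------------------------------------------------------------------------------
/* Signed system binaries invoked with the switches that fetch or run remote content
   (mshta with script, regsvr32 /i, certutil -urlcache, wmic with an http URL, bitsadmin download).

   Fixes relative to the previous revision: the event-type list no longer repeats ProcessBlocked;
   the binary name is regsvr32.exe (was regsrv32.exe, which matches nothing); the /i switch is
   matched as "*/i*" — the earlier "*\/i*" relied on a "\/" escape that Splunk does not document,
   so it may never have matched. Groups are parenthesised to make the AND-of-ORs explicit. */

(event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked)
    (
        (FileName=mshta.exe AND CommandLine="*script*")
        OR (FileName=regsvr32.exe AND CommandLine="*/i*")
        OR (FileName=certutil.exe AND CommandLine="*-urlcache*")
        OR (FileName=wmic.exe AND CommandLine="*http*")
        OR (FileName=bitsadmin.exe AND CommandLine="*download*")
    )
| eval timestamp=(timestamp / 1000)
| convert timeformat="%FT%H:%M:%S.%3N UTC" ctime(timestamp) AS timestamp_readable
| table timestamp_readable ComputerName FileName CommandLine
--------------------------------------------------------------------------------
/Investigate_Parent_Process.sql:
--------------------------------------------------------------------------------
/* Search for all ParentProcess of a specific file (excel.exe in this version of the query).

   The subsearch takes the ParentProcessId of every excel.exe execution and renames it to
   TargetProcessId_decimal, so the outer search returns the parent process events themselves.
   aid is kept so ids are matched per sensor. Subsearch row limits apply. */

(event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked)
    [ search (event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked) FileName=excel.exe
    | rename ParentProcessId_decimal AS TargetProcessId_decimal
    | fields aid TargetProcessId_decimal ]
| stats count by FileName CommandLine
--------------------------------------------------------------------------------
/Investigate_Post_Exploitation_Binaries.sql:
--------------------------------------------------------------------------------
/* Command lines invoking built-in discovery, scheduling, service-control and remote-execution
   utilities, clustered by similarity (t=0.4) so repetitive admin activity collapses into one row
   per cluster with the users and command lines seen.

   "*\\xcopy.exe*" gains the trailing wildcard every other "*\\<tool>.exe*" term already has;
   previously it matched only command lines ending in xcopy.exe. sort takes field names directly,
   so "sort by -CommandLine" is now "sort -CommandLine". The list is parenthesised to make the
   AND-of-ORs explicit. Unquoted terms such as *\\arp.exe* are kept as authored. */

(event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked)
    (
        CommandLine=*\\arp.exe* OR CommandLine="at *" OR CommandLine=*\\at.exe*
        OR CommandLine="bitsadmin *" OR CommandLine=*\\bitsadmin.exe*
        OR CommandLine="*csvde.exe *"
        OR CommandLine="dsquery *" OR CommandLine=*\\dsquery.exe*
        OR CommandLine=*\\ftp.exe*
        OR CommandLine=*\\makecab.exe*
        OR CommandLine="*nbtstat *"
        OR CommandLine=*\\net1.exe*
        OR CommandLine="netstat *" OR CommandLine=*\\netstat.exe*
        OR CommandLine="*nslookup*"
        OR CommandLine="ping *" OR CommandLine=*\\ping.exe*
        OR CommandLine=*quser.exe*
        OR CommandLine="route *" OR CommandLine=*\\route.exe*
        OR CommandLine="sc *" OR CommandLine=*\\sc.exe*
        OR CommandLine="schtasks *" OR CommandLine=*\\schtasks.exe*
        OR CommandLine=systeminfo*
        OR CommandLine="taskkill *" OR CommandLine=*\\taskkill.exe*
        OR CommandLine="tasklist *" OR CommandLine=*\\tasklist.exe*
        OR CommandLine=*wevtutil*
        OR CommandLine="whoami*" OR CommandLine=*\\whoami.exe*
        OR CommandLine=*\\xcopy.exe*
        OR CommandLine="wmic *" OR CommandLine=*\\wmic.exe*
        OR CommandLine="psexec *" OR CommandLine=*\\psexec.exe* OR CommandLine=*\\psexesvc.exe*
    )
| cluster field=CommandLine labelonly=t t=0.4
| stats values(UserName) values(CommandLine) by cluster_label
| rename values(*) as *
| sort -CommandLine
--------------------------------------------------------------------------------
/Investigate_Recon_Binaries.sql:
--------------------------------------------------------------------------------
/* Network/host reconnaissance binaries: net view/session, nmap, nc/ncat, dir against a UNC path,
   wmic against a remote node.

   Groups are parenthesised to make the AND-of-ORs explicit.
   NOTE(review): dir is a cmd.exe builtin, so FileName=dir.exe is unlikely to match — confirm the
   intent. wmic's remote-node switch is spelled "/node:"; the "*//node*" pattern is kept as
   authored but may not match real invocations — verify against a sample event. */

(event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked)
    (
        (FileName=net.exe AND (CommandLine="*view*" OR CommandLine="*session*"))
        OR FileName=nmap.exe
        OR FileName=nc.exe
        OR FileName=ncat.exe
        OR (FileName=dir.exe AND CommandLine="*\\\\*")
        OR (FileName=wmic.exe AND CommandLine="*//node*")
    )
| eval timestamp=(timestamp / 1000)
| convert timeformat="%FT%H:%M:%S.%3N UTC" ctime(timestamp) AS timestamp_readable
| table timestamp_readable ComputerName UserName FileName CommandLine
--------------------------------------------------------------------------------
/Investigate_Recon_Command_Lines.sql:
--------------------------------------------------------------------------------
/* Exact command lines typical of host/domain reconnaissance and persistence set-up.

   Most terms carry no wildcard, so they match only when the whole CommandLine equals the literal;
   an invocation that includes the image path will not match — add a leading "*" if that is not
   intended. "Table" is normalised to "table"; the list is parenthesised to make the AND-of-ORs
   explicit. The query continues with a stats step. */

(event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked)
    (
        CommandLine="net view"
        OR CommandLine="net user"
        OR CommandLine="tasklist /v"
        OR CommandLine="net localgroup administrators"
        OR CommandLine="net user administrator"
        OR CommandLine="regedit -e *"
        OR CommandLine="tasklist /svc"
        OR CommandLine="regsvr32 /s /u *"
        OR CommandLine="*CreateObject(\"WScript.Shell\").RegWrite*"
        OR CommandLine="bitsadmin /rawreturn /transfer getfile*"
        OR CommandLine="wmic qfe list full"
        OR CommandLine="schtasks.exe /create"
        OR CommandLine="wmic share get"
        OR CommandLine="wmic nteventlog get"
        OR CommandLine="wevtutil cl *"
        OR CommandLine="sc query type= service"
        OR CommandLine="arp -a *"
    )
| table FileName CommandLine
|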
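stats count by CommandLine
--------------------------------------------------------------------------------
/Local_Account_Creation.sql:
--------------------------------------------------------------------------------
/* Local account creation and local-administrators group activity via net.exe or New-LocalUser,
   counted per command line.

   "*net user /add*" is widened to "*net user* /add*": net.exe takes the account name (and
   password) between "user" and "/add", so the earlier literal could not match a real
   account-creation command line. Groups are parenthesised to make the AND-of-ORs explicit. */

(event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked OR event_simpleName=SyntheticProcessRollup2)
    (CommandLine="*net user* /add*" OR CommandLine="*New-LocalUser*" OR CommandLine="*net localgroup administrators*")
| stats count by CommandLine
--------------------------------------------------------------------------------
/Local_Admin_Creation.sql:
--------------------------------------------------------------------------------
/* Additions to the local Administrators group via net.exe, with host and user.

   Widened from "*net localgroup Administrators /add*" to "*net localgroup Administrators* /add*"
   because the account name sits between the group name and /add; the earlier literal could not
   match a real command line. */

(event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked OR event_simpleName=SyntheticProcessRollup2)
    CommandLine="*net localgroup Administrators* /add*"
| table ComputerName UserName CommandLine
--------------------------------------------------------------------------------
/MSHTA_Abuse.sql:
--------------------------------------------------------------------------------
/* mshta.exe launched with an inline javascript/vbscript argument, or wscript running
   SyncAppvPublishingServer.vbs.

   A leading "*" is added to each pattern: CommandLine commonly begins with the (quoted) image
   path, so a pattern anchored at "mshta" matched bare invocations only. The widened patterns are
   a superset of the previous ones. */

(event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked OR event_simpleName=SyntheticProcessRollup2)
    (CommandLine="*mshta* javascript*" OR CommandLine="*mshta* vbscript*" OR CommandLine="*wscript* syncappvpublishingserver.vbs*")
| eval timestamp=(timestamp / 1000)
| convert timeformat="%FT%H:%M:%S.%3N UTC" ctime(timestamp) AS timestamp_readable
| table timestamp_readable ComputerName UserName ImageFileName CommandLine
--------------------------------------------------------------------------------
/Outlook_Links.sql:
--------------------------------------------------------------------------------
/* Browsers started by outlook.exe (links opened from mail), paired with the parent's command line.

   The outer search builds a parent table keyed by aid + TargetProcessId; the subsearch (continued
   below) supplies the child browser processes keyed by their ParentProcessId. max=0 keeps every
   matching child rather than only the first. */

event_simpleName=ProcessRollup2 FileName=outlook.exe
| dedup aid TargetProcessId_decimal
| rename FileName as Parent
| rename CommandLine as ParentCmd
| table aid TargetProcessId_decimal Parent ParentCmd
| join max=0 aid TargetProcessId_decimal
    [ search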
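event_simpleName=ProcessRollup2
        (FileName=chrome.exe OR FileName=firefox.exe OR FileName=iexplore.exe OR FileName=msedge.exe)
    | rename ParentProcessId_decimal as TargetProcessId_decimal
    | rename MD5HashData as MD5
    | rename FilePath as ChildPath
    | dedup aid TargetProcessId_decimal MD5
    | fields aid TargetProcessId_decimal FileName CommandLine ]
| table Parent ParentCmd FileName CommandLine aid
--------------------------------------------------------------------------------
/Outlook_Office_Attachments.sql:
--------------------------------------------------------------------------------
/* Office applications opening a file from Outlook's tem folder ("content.outlook" in the
   command line), i.e. attachments opened directly from mail, newest first.

   The sort flag was a typographic en dash ("–") in the previous revision, which sort does not
   recognise; it is now "-". Sorting happens on the raw epoch value before strftime() so the order
   is numeric rather than lexical. Groups are parenthesised to make the AND-of-ORs explicit. */

ComputerName=* (event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked)
    CommandLine="*content.outlook*"
    (FileName=winword.exe OR FileName=excel.exe OR FileName=powerpnt.exe)
| table timestamp ComputerName CommandLine
| sort -timestamp
| eval timestamp=strftime(timestamp/1000, "%Y-%m-%d %H:%M:%S")
--------------------------------------------------------------------------------
/PowerShell_Command_Lines_Clustered.sql:
--------------------------------------------------------------------------------
/* PowerShell command lines on Windows hosts, clustered by similarity (t=0.6), with the earliest
   time and the hosts seen per cluster.

   min_time is now computed with min(_time): first(_time) returns the first value in result order,
   which is the most recent event under the default ordering, not the earliest the field name
   promises. ProcessRollup2 / SyntheticProcessRollup2 are matched as raw terms rather than on
   event_simpleName (kept as authored; this can also match events that merely contain the term). */

event_platform="Win" cid=* (ProcessRollup2 OR SyntheticProcessRollup2) FileName="powershell*"
| cluster field=CommandLine labelonly=t t=0.6
| stats min(_time) as min_time values(ComputerName) as ComputerNames values(CommandLine) as CommandLine by cluster_label
| table min_time ComputerNames CommandLine cluster_label
| convert ctime(min_time)
--------------------------------------------------------------------------------
/PowerShell_Download_Command_Lines.sql:
--------------------------------------------------------------------------------
/* PowerShell invocations using the common download primitives (Invoke-WebRequest, Net.WebClient,
   Start-BitsTransfer), counted per command line. The previous "table" step before stats was
   redundant (stats discards it) and is dropped; the result is unchanged. */

event_simpleName=ProcessRollup2 FileName=powershell.exe
    (CommandLine=*Invoke-WebRequest* OR CommandLine=*Net.WebClient* OR CommandLine=*Start-BitsTransfer*)
| stats count by CommandLine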
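--------------------------------------------------------------------------------
/PowerShell_Download_Command_Lines_v2.sql:
--------------------------------------------------------------------------------
/* PowerShell command lines matching known downloader / stager shapes (hidden window plus bypass
   plus encoded command, WebClient DownloadString, WScript.Shell wrappers, FromBase64String).

   Patterns anchored at "powershell.exe ..." gained a leading "*" because CommandLine commonly
   begins with the quoted image path; the widened patterns are a superset of the previous ones.
   "Table" is normalised to "table". Groups are parenthesised to make the AND-of-ORs explicit. */

(event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked)
    FileName="powershell.exe"
    (
        CommandLine="*powershell.exe -w hidden -ep bypass -Enc*"
        OR CommandLine="*-w hidden -noni -nop -c \"iex(New-Object*"
        OR CommandLine="*powershell.exe reg add * HKCU\\software\\microsoft\\windows\\currentversion\\run*"
        OR CommandLine="*System.Net.WebClient).DownloadString(\"http*"
        OR CommandLine="*System.Net.WebClient).DownloadString('http*"
        OR CommandLine="*Process.Create(\"powershell.exe -nop -w hidden*"
        OR CommandLine="*.Run\"powershell.exe -nop -w hidden -c \"\"IEX *"
        OR CommandLine="*.Run \"powershell.exe -nop -w hidden -e *"
        OR CommandLine="*FileExists(path + \"\\..\\powershell.exe\")*"
        OR CommandLine="*window.moveTo -4000, -4000*"
        OR CommandLine="*.CreateObject(\"WScript.Shell\")*"
        OR CommandLine="*powershell.exe -ExecutionPolicy Bypass [System.Convert]::FromBase64String(*"
    )
| table FileName CommandLine
| stats count by CommandLine
--------------------------------------------------------------------------------
/PowerShell_Encoded_Command_Lines.sql:
--------------------------------------------------------------------------------
/* PowerShell run with an encoded command, counted per command line. "*-enc*" covers the
   abbreviated switch, "*encoded*" the long form. */

event_simpleName=ProcessRollup2 FileName=powershell.exe (CommandLine=*-enc* OR CommandLine=*encoded*)
| fields ComputerName FileName CommandLine
| stats count by CommandLine
--------------------------------------------------------------------------------
/PowerShell_Hunt.sql:
--------------------------------------------------------------------------------
/* Scored PowerShell hunt. Each eval adds points for one suspicious trait (execution cmdlets,
   download primitives, upload, base64 payloads, execution-policy bypass, non-interactive /
   no-profile / hidden window, AD cmdlets, VM-detection strings, proxy use, two obfuscation
   heuristics); addtotals sums them into Score, results are aggregated per host + process and
   sorted by Score.

   Every regex is applied to lower(CommandLine), so patterns must be lower-case. The obf1 term
   "BXOR" was upper-case in the previous revision and therefore could never match; it is now
   "bxor". The rex step strips backtick escapes so obf2 can count the ticks and pluses that remain.
   The stats step is continued below. */

index=main event_platform="Win" event_simpleName IN (ProcessRollup2,SyntheticProcessRollup2) FileName IN ("powershell*","pwsh*") *
| eval Exec=if(match(lower(CommandLine),"invoke[-\(][^wn][^me][^io]") OR match(lower(CommandLine), "(icm|iex)[ \(|]") OR match(lower(CommandLine), "[^r][^e]start-(service|process)"),4,0)
| eval Dwnld=if(match(lower(CommandLine),"https?://") OR match(lower(CommandLine),"web(client|request)") OR match(lower(CommandLine),"sockets") OR match(lower(CommandLine),"download(file|string)") OR match(lower(CommandLine),"bitstransfer"),4,0)
| eval Upld=if(match(lower(CommandLine),"uploadfile"),4,0)
| eval Encode=if(match(lower(CommandLine),"[A-Za-z0-9+\/]{44,}([A-Za-z0-9+\/]{4}|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{2}==)") OR match(lower(CommandLine),"frombase64string"),5,0)
| eval ExecPol=if(match(lower(CommandLine),"bypass") OR match(lower(CommandLine),"unrestricted"),1,0)
| eval NonI=if(match(lower(CommandLine),"-noni"),1,0)
| eval NoProf=if(match(lower(CommandLine),"-nop"),1,0)
| eval Hidden=if(match(lower(CommandLine)," hidden") OR match(lower(CommandLine),"-windowstyle") OR match(lower(CommandLine), "-nonewwindow"),1,0)
| eval Domain=if(match(lower(CommandLine),"add-ad") OR match(lower(CommandLine),"get-ad"),3,0)
| eval VM=if(match(lower(CommandLine),"vbox") OR match(lower(CommandLine),"prl_") OR match(lower(CommandLine),"vm(tool|ware)") OR match(lower(CommandLine),"vmu*srvc"),3,0)
| eval Prxy=if(match(lower(CommandLine),"proxy"),4,0)
| eval obf1=if(match(lower(CommandLine),"join[^-]") OR match(lower(CommandLine),"\[char\][^3][^4]") OR match(lower(CommandLine),"reverse") OR match(lower(CommandLine),"bxor"),4,0)
| eval NewCommand = CommandLine
| rex field=NewCommand mode=sed "s/`[0abfnrtv#$\"]//g"
| eval numTicks = mvcount(split(NewCommand,"`"))-1
| eval numPluses = mvcount(split(NewCommand,"+"))-1
| eval obf2 = if(numTicks > 5 OR numPluses > 5,4,0)
| addtotals fieldname=Score Exec Dwnld Upld Encode ExecPol NonI NoProf Hidden Domain VM Prxy obf1 obf2
| stats values(_time) AS Timestamp, values(UserName) AS "User Name", values(ParentProcessId_decimal) AS "Parent Process ID", values(RawProcessId_decimal) AS PID,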
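values(Score) AS Score, values(Exec) AS Exec, values(Dwnld) AS Dwnld, values(Encode) AS Encode, values(ExecPol) AS ExecPol, values(NonI) AS NonI, values(NoProf) AS NoProf, values(Hidden) AS Hidden, values(Domain) AS Domain, values(Prxy) AS Prxy, values(VM) AS VM, values(obf1) AS obf1, values(obf2) AS obf2, values(CommandLine) AS "Command Line", values(aid) AS aid by ComputerName, TargetProcessId_decimal, cid
| eval fStart=Timestamp-3600
| eval fEnd=Timestamp+3600
| rename TargetProcessId_decimal AS "Process ID", ComputerName AS "Host Name", Timestamp AS "Time (UTC)"
| fieldformat "Time (UTC)"=strftime('Time (UTC)', "%Y-%m-%d %H:%M.%S")
| sort 0 -Score, -"Time (UTC)"
--------------------------------------------------------------------------------
/PowerShell_Malicious_Command_Lines.sql:
--------------------------------------------------------------------------------
/* Broad PowerShell "known-bad" command-line sweep: encoded commands (including the base64 prefixes
   of common encoded openings), WebClient downloads, hidden windows, execution-policy bypass,
   caret-obfuscated "p^o^w^e^r^s^h^e^l^l", and the truncated parameter spellings PowerShell accepts
   as prefixes. Counted per host / image / command line.

   Changes from the previous revision: a stray "ù" after the "*-NoP -NonI -W Hidden -enc *" term,
   which broke the search string, is removed; exact duplicates ("*-exec bypass*", "*IEX*", six
   copies of "*-e JAB*") are collapsed to one each. The "/p[\^]?o...l/" terms are wildcard strings,
   not regexes — field matching in search does not evaluate them as patterns — and are kept as
   authored. Terms such as "*-nop*", "*IEX*" and "*http:*" are very broad; expect many benign hits.
   Groups are parenthesised to make the AND-of-ORs explicit. */

(event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked)
    FileName="powershell.exe"
    (
        CommandLine="*FromBase64String(*"
        OR CommandLine="*new-object net.webclient/*"
        OR CommandLine="*IEX $*.downloadstring\(*http/"
        OR CommandLine="*powershell.exe reg add * HKCU\\software\\microsoft\\windows\\currentversion\\run*"
        OR CommandLine="*System.Net.WebClient).DownloadString(*"
        OR CommandLine="*Process.Create(\"powershell.exe -nop -w hidden*"
        OR CommandLine="*.CreateObject(\"WScript.Shell\")*"
        OR CommandLine="*IEX*"
        OR CommandLine="*-enc*"
        OR CommandLine="*-EncodedCommand*"
        OR CommandLine="*-w hidden*"
        OR CommandLine="*-window hidden*"
        OR CommandLine="*-windowstyle hidden*"
        OR CommandLine="*-nop*"
        OR CommandLine="*-noprofile*"
        OR CommandLine="*-noni*"
        OR CommandLine="*-noninteractive*"
        OR CommandLine="*-ep bypass*"
        OR CommandLine="*-exec bypass*"
        OR CommandLine="*-executionpolicy bypass*"
        OR CommandLine="*').Invoke(*"
        OR CommandLine="*/p[\^]?o[\^]?w[\^]?e[\^]?r[\^]?s[\^]?h[\^]?e[\^]?l\^l/*"
        OR CommandLine="*/p\^o[\^]?w[\^]?e[\^]?r[\^]?s[\^]?h[\^]?e[\^]?l[\^]?l/*"
        OR CommandLine="*p^o^w^e^r^s^h^e^l^l*"
        OR CommandLine="*decode('base64')*"
        OR CommandLine="*b64decode(*"
        OR CommandLine="*base64 --decode*"
        OR CommandLine="*decode64(*"
        OR CommandLine="*Net.WebClient*"
        OR CommandLine="*DownloadFile*"
        OR CommandLine="*Invoke-WebRequest*"
        OR CommandLine="*Invoke-Shellcode*"
        OR CommandLine="*http:*"
        OR CommandLine="*-NoP -sta -NonI -W Hidden -Enc *"
        OR CommandLine="*-noP -sta -w 1 -enc *"
        OR CommandLine="*-NoP -NonI -W Hidden -enc *"
        OR CommandLine="*-e JAB*"
        OR CommandLine="*-en JAB*"
        OR CommandLine="*-enc JAB*"
        OR CommandLine="*-enc* JAB*"
        OR CommandLine="*-w hidden -e* JAB*"
        OR CommandLine="*-e SUVYI*"
        OR CommandLine="*-e aWV4I*"
        OR CommandLine="*-e SQBFAFgA*"
        OR CommandLine="*-e aQBlAHgA*"
        OR CommandLine="*-enc SUVYI*"
        OR CommandLine="*-enc aWV4I*"
        OR CommandLine="*-enc SQBFAFgA*"
        OR CommandLine="*-enc aQBlAHgA*"
        OR CommandLine="*-windowstyle h *"
        OR CommandLine="*-windowstyl h*"
        OR CommandLine="*-windowsty h*"
        OR CommandLine="*-windowst h*"
        OR CommandLine="*-windows h*"
        OR CommandLine="*-windo h*"
        OR CommandLine="*-wind h*"
        OR CommandLine="*-win h*"
        OR CommandLine="*-wi h*"
        OR CommandLine="*-win h *"
        OR CommandLine="*-win hi *"
        OR CommandLine="*-win hid *"
        OR CommandLine="*-win hidd *"
        OR CommandLine="*-win hidde *"
        OR CommandLine="*-NoPr *"
        OR CommandLine="*-NoPro *"
        OR CommandLine="*-NoProf *"
        OR CommandLine="*-NoProfi *"
        OR CommandLine="*-NoProfil *"
        OR CommandLine="*-nonin *"
        OR CommandLine="*-nonint *"
        OR CommandLine="*-noninte *"
        OR CommandLine="*-noninter *"
        OR CommandLine="*-nonintera *"
        OR CommandLine="*-noninterac *"
        OR CommandLine="*-noninteract *"
        OR CommandLine="*-noninteracti *"
        OR CommandLine="*-noninteractiv *"
        OR CommandLine="*-ec *"
        OR CommandLine="*-encodedComman *"
        OR CommandLine="*-encodedComma *"
        OR CommandLine="*-encodedComm *"
        OR CommandLine="*-encodedCom *"
        OR CommandLine="*-encodedCo *"
        OR CommandLine="*-encodedC *"
        OR CommandLine="*-encoded *"
        OR CommandLine="*-encode *"
        OR CommandLine="*-encod *"
        OR CommandLine="*-enco *"
        OR CommandLine="*-en *"
    )
| fields FileName CommandLine ComputerName
| stats count by ComputerName FileName CommandLine
| sort -count
--------------------------------------------------------------------------------
/Process_DNS_Requests.sql:
--------------------------------------------------------------------------------
/* Domains resolved by cmd.exe processes: one row per cmd.exe process with the (lower-cased)
   domains it requested.

   The join key has to exist on both sides. DNS events name the requesting process as
   ContextProcessId_decimal, so the rename to TargetProcessId_decimal — and the per-process
   aggregation — now happen inside the subsearch, before the join, as Rare_External_Connections.sql
   and Responsible_Process_DNS_Request.sql already do. In the previous revision the rename came after
   the join, so the join could not find a matching key. aid is part of the key because process ids
   are only unique per sensor.
   NOTE(review): assumes DnsRequest/SuspiciousDnsRequest events carry no TargetProcessId_decimal of
   their own — confirm against the event schema. Subsearch row limits apply. */

eventtype=eam (TERM(ProcessRollup2) OR TERM(SyntheticProcessRollup2)) FileName="cmd.exe"
| join type=inner aid, TargetProcessId_decimal
    [ search eventtype=eam (TERM(DnsRequest) OR TERM(SuspiciousDnsRequest))
    | eval DomainName=lower(DomainName)
    | stats values(DomainName) as DomainName by aid, ContextProcessId_decimal
    | rename ContextProcessId_decimal AS TargetProcessId_decimal ]
| table aid ComputerName UserName CommandLine TargetProcessId_decimal DomainName
--------------------------------------------------------------------------------
/Processes_Spawning_Under_PSExec.sql:
--------------------------------------------------------------------------------
/* Children of PsExec's service process (psexesvc.exe) and of the WinRM host process
   (wsmprovhost.exe), i.e. commands run through those remote-execution channels.

   The subsearch now carries aid alongside the process id and the outer stats groups by both:
   TargetProcessId_decimal is only unique per sensor, so matching on it alone merged unrelated
   processes from different hosts. "format" turns the subsearch rows into an OR of
   (aid=... ParentProcessId_decimal=...) clauses. Groups are parenthesised to make the AND-of-ORs
   explicit. */

(event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked)
    [| search (event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked)
        ((TERM(psexecsvc) AND FileName=psexecsvc.exe) OR (TERM(wsmprovhost) AND FileName=wsmprovhost.exe))
    | stats count by aid, TargetProcessId_decimal
    | fields aid, TargetProcessId_decimal
    | rename TargetProcessId_decimal as ParentProcessId_decimal
    | format ]
| stats values(FileName) AS FileName, values(CommandLine) AS ChildCommand, values(ComputerName) AS ComputerName, values(UserName) AS UserName by aid, ParentProcessId_decimal
--------------------------------------------------------------------------------
/RDP_Hijacking.sql:
--------------------------------------------------------------------------------
/* tscon.exe invocations (RDP session reconnects), counted per command line with the number of
   distinct users and hosts.

   The second pattern used typographic quotes (” ”) in the previous revision, which are not string
   delimiters and left the term unmatched; both now use straight quotes. The query has no
   event-type filter, so any event carrying CommandLine qualifies. "*cmd.exe /k tscon*" is a subset
   of "*tscon*" and is kept for readability. */

CommandLine="*cmd.exe /k tscon*" OR CommandLine="*tscon*"
| stats dc(UserName) dc(ComputerName) count by CommandLine
| sort + count
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Threat_Hunting
Some CrowdStrike threat hunting queries useful for blue teamers and threat hunters
--------------------------------------------------------------------------------
/Rare_External_Connections.sql:
--------------------------------------------------------------------------------
/* Outbound IPv4 connections to non-private addresses on ports other than 80/443, attributed to the
   responsible process via a join on process id + aid and counted per image / user / destination,
   rarest first.

   The private-range exclusion now covers all three RFC 1918 blocks (10/8, 172.16/12, 192.168/16)
   plus loopback; the previous revision excluded only 10/8 — written as 10.0.0.1/8, a host address
   rather than a network — and 127.0.0.1. NetworkConnectIP4 names the process as
   ContextProcessId_decimal, hence the rename before the join. The previous "sort - count desc"
   combined two ordering flags; ascending count (rarest first) matches the query's purpose.
   Subsearch row limits apply to the joined process events, so keep the time window short. */

event_simpleName=NetworkConnectIP4
    NOT (RemoteAddressIP4=10.0.0.0/8 OR RemoteAddressIP4=172.16.0.0/12 OR RemoteAddressIP4=192.168.0.0/16 OR RemoteAddressIP4=127.0.0.1)
    AND NOT (RemotePort_decimal=443 OR RemotePort_decimal=80)
| rename ContextProcessId_decimal as TargetProcessId_decimal
| join TargetProcessId_decimal, aid
    [ search eventtype=eam (ProcessRollup2 OR SyntheticProcessRollup2) ]
| stats count by ImageFileName UserName RemoteAddressIP4 RemotePort_decimal
| sort count
--------------------------------------------------------------------------------
/Regsvcs_Regasm_Abuse.sql:
--------------------------------------------------------------------------------
/* https://attack.mitre.org/techniques/T1218/009/ */
/* Regsvcs / Regasm executions whose command line does not reference the .NET Framework directory.
   FileName="regsvcs*" is added so the query covers both binaries the file name and the technique
   refer to; previously only regasm was matched. Groups are parenthesised to make the AND-of-ORs
   explicit. */

(event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked OR event_simpleName=SyntheticProcessRollup2)
    (FileName="regasm*" OR FileName="regsvcs*")
    NOT (CommandLine="*Microsoft.NET\\Framework*")
| eval timestamp=(timestamp / 1000)
| convert timeformat="%FT%H:%M:%S.%3N UTC" ctime(timestamp) AS timestamp_readable
| table timestamp_readable ComputerName UserName ImageFileName CommandLine
--------------------------------------------------------------------------------
/Regsvr32_Abuse.sql:
--------------------------------------------------------------------------------
/* regsvr32.exe run with the "/s /u /i" switch combination (silent unregister with an install
   argument). The pattern is unchanged; the event-type group is parenthesised for readability. */

(event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked OR event_simpleName=SyntheticProcessRollup2)
    CommandLine="*regsvr32.exe* /s /u /i*"
| eval timestamp=(timestamp / 1000)
| convert timeformat="%FT%H:%M:%S.%3N UTC" ctime(timestamp) AS timestamp_readable
| table timestamp_readable ComputerName UserName ImageFileName CommandLine
--------------------------------------------------------------------------------
/Responsible_Process_DNS_Request.sql:
--------------------------------------------------------------------------------
/* The process responsible for resolving a given domain (google.com is the value to replace).

   In the previous revision the subsearch bracket was closed right after the DomainName term, so the
   rename/fields steps were applied to the outer search and a dangling "]" remained; the bracket now
   encloses the whole subsearch. DnsRequest names the process as ContextProcessId_decimal, hence the
   rename to the process event's TargetProcessId_decimal. */

(event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2 OR event_simpleName=ProcessBlocked)
    [ search event_simpleName=DnsRequest (DomainName=google.com)
    | rename ContextProcessId_decimal AS TargetProcessId_decimal
    | fields aid TargetProcessId_decimal ]
| table _time ComputerName UserName FileName CommandLine
--------------------------------------------------------------------------------
/Responsible_Process_IP_Connection.sql:
--------------------------------------------------------------------------------
/* The process responsible for a connection to a given IPv4 address (1.1.1.1 is the value to
   replace).

   Same bracket fix as Responsible_Process_DNS_Request.sql: the subsearch was closed after the
   RemoteAddressIP4 term, leaving a dangling "]"; it now encloses the rename/fields steps.
   NetworkConnectIP4 names the process as ContextProcessId_decimal, hence the rename. */

(event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked OR event_simpleName=SyntheticProcessRollup2)
    [ search event_simpleName=NetworkConnectIP4 (RemoteAddressIP4=1.1.1.1)
    | rename ContextProcessId_decimal AS TargetProcessId_decimal
    | fields aid TargetProcessId_decimal ]
| table _time ComputerName UserName FileName CommandLine
--------------------------------------------------------------------------------
/Rundll32_Abuse.sql:
--------------------------------------------------------------------------------
/* https://attack.mitre.org/techniques/T1218/011/ */
/* rundll32.exe executing inline script (javascript:/vbscript:) or the INF-install entry points of
   advpack / ieadvpack / syssetup / setupapi.

   The event-type list now reads ProcessRollup2 / ProcessBlocked / SyntheticProcessRollup2, as in
   the sibling queries; the previous revision listed ProcessBlocked twice, which looked like a copy
   error. Groups are parenthesised to make the AND-of-ORs explicit. The query continues below. */

(event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked OR event_simpleName=SyntheticProcessRollup2)
    FileName="rundll32.exe"
    (
        CommandLine="*javascript:*"
        OR CommandLine="*vbscript:*"
        OR CommandLine="*advpack.dll,LaunchINFSection*"
        OR CommandLine="*ieadvpack.dll,LaunchINFSection*"
        OR CommandLine="*syssetup.dll,SetupInfObjectInstallAction*"
        OR CommandLine="*setupapi.dll,InstallHinfSection*"
    )
| eval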
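timestamp=(timestamp / 1000)
| convert timeformat="%FT%H:%M:%S.%3N UTC" ctime(timestamp) AS timestamp_readable
| table timestamp_readable ComputerName UserName ImageFileName CommandLine
--------------------------------------------------------------------------------
/Scheduled_Tasks_Registered.sql:
--------------------------------------------------------------------------------
/* Scheduled-task registrations with trigger, hidden flag, principal and executable parsed out of
   TaskXml, grouped per registering process, then joined back to ProcessRollup2 to attach the user
   who registered the task.

   Both rex named groups lost their "<name>" in the listing this file was restored from (an
   extraction artefact), and rex rejects an unnamed "(?...)" group. The second group is restored as
   FileName: nothing else in the query sets FileName, yet stats groups by it and it is renamed to
   "File Name" below. The first group's value is not used later; TriggerElement is a constructed
   name — substitute the original if it is known. ProcessID is built before fillnull, so rows without
   an RpcClientProcessId_decimal get a null "Registered By" (kept as authored). */

index=main event_simpleName=ScheduledTaskRegistered ComputerName=* aid=* cid=*
| spath input=TaskXml output=Trigger path=Task.Triggers
| rex field=Trigger "<(?P<TriggerElement>[^\s]+)>"
| spath input=TaskXml output=Hidden path=Task.Settings.Hidden
| spath input=TaskXml output=UserSid_readable path=Task.Principals.Principal.UserId
| rex field=TaskExecCommand "(?<FileName>[^\\\]+$)"
| eval ProcessID=aid."/".RpcClientProcessId_decimal
| fillnull value=NA RpcClientProcessId_decimal
| stats list(TaskAuthor) AS "Task Author", list(ProcessID) AS "Registered By", list(_time) AS "Time (UTC)", values(ComputerName) AS "Host Name", list(TaskExecCommand) AS "Task Command", list(TaskExecArguments) AS "Exec Arguments", list(TaskName) AS "Task Name" by cid, FileName, aid, RpcClientProcessId_decimal
| fieldformat "Time (UTC)"=strftime('Time (UTC)', "%Y-%m-%d %H:%M.%S")
| lookup cid_name cid OUTPUT name
| rename FileName AS "File Name", RpcClientProcessId_decimal AS TargetProcessId_decimal, name AS Company
| join type=outer aid, TargetProcessId_decimal
    [ search index=main event_simpleName=ProcessRollup2 ComputerName=* aid=* cid=*
        [ search index=main event_simpleName=ScheduledTaskRegistered ComputerName=* aid=* cid=*
        | stats count by aid, RpcClientProcessId_decimal
        | rename RpcClientProcessId_decimal AS TargetProcessId_decimal
        | fields aid, TargetProcessId_decimal ]
    | stats count by aid, TargetProcessId_decimal, UserName
    | rename UserName AS "User Name" ]
| fillnull "Task Author" value="Unknown"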
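--------------------------------------------------------------------------------
/Suspicious_DNS_Request.sql:
--------------------------------------------------------------------------------
/* DNS requests flagged by the sensor (SuspiciousDnsRequest), plus plain DnsRequest events for TLDs
   and dynamic-DNS zones frequently abused for command-and-control and phishing, counted per domain.

   The suffix list is parenthesised to make the AND-of-ORs explicit. "*sytes.net" and the other
   dynamic-DNS terms have no leading dot, so any host under those zones matches. The timestamp
   eval/convert steps are kept as authored although stats by DomainName drops them. sort takes
   field names directly, so the previous "sort by - count" is now "sort -count". */

event_simpleName=SuspiciousDnsRequest
OR (
    event_simpleName=DnsRequest
    (
        DomainName=*.cc
        OR DomainName=*.ru
        OR DomainName=*.top
        OR DomainName=*.xyz
        OR DomainName=*.pw
        OR DomainName=*.stream
        OR DomainName=*.loan
        OR DomainName=*.download
        OR DomainName=*.click
        OR DomainName=*.science
        OR DomainName=*.today
        OR DomainName=*.accountant
        OR DomainName=*.gdn
        OR DomainName=*sytes.net
        OR DomainName=*zapto.org
        OR DomainName=*hopto.org
        OR DomainName=*dynu.com
        OR DomainName=*redirectme.net
        OR DomainName=*servehttp.com
        OR DomainName=*serveftp.com
        OR DomainName=*servegame.com
        OR DomainName=*jkub.com
        OR DomainName=*itemdb.com
    )
)
| eval timestamp=(timestamp / 1000)
| convert timeformat="%FT%H:%M:%S.%3N UTC" ctime(timestamp) AS timestamp_readable
| stats count by DomainName
| sort -count
--------------------------------------------------------------------------------
/Suspicious_Written_Temp_Files.sql:
--------------------------------------------------------------------------------
/* Scripts written directly into \Windows\Temp (not a subdirectory), keeping only file names seen
   fewer than 10 times, rarest first.

   The previous "sort - count asc" combined a descending flag with an ascending keyword; ascending
   count (rarest first) matches the "count < 10" intent and is used here. */

event_simpleName=NewScriptWritten FilePath="*\\Windows\\Temp\\*" NOT FilePath="*\\Windows\\Temp\\*\\*"
| stats count by TargetFileName
| where count < 10
| sort count
--------------------------------------------------------------------------------
/System_Binary_Proxy_Execution.sql:
--------------------------------------------------------------------------------
/* https://attack.mitre.org/techniques/T1218/ */
/* Less common signed proxy-execution binaries: mavinject (excluding the Office App-V component it
   is legitimately used with), Register-CimProvider and InfDefaultInstall.

   The event-type list now reads ProcessRollup2 / ProcessBlocked / SyntheticProcessRollup2 as in
   the sibling queries; the previous revision listed ProcessBlocked twice. Groups are parenthesised
   to make the AND-of-ORs explicit. */

(event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked OR event_simpleName=SyntheticProcessRollup2)
    (
        (FileName="mavinject*" NOT CommandLine="*Microsoft Office\\root\\Client\\AppVIsvSubsystems32.dll*")
        OR FileName="Register-CimProvider*"
        OR FileName="InfDefaultInstall*"
    )
| eval timestamp=(timestamp / 1000)
| convert timeformat="%FT%H:%M:%S.%3N UTC" ctime(timestamp) AS timestamp_readable
| table timestamp_readable ComputerName UserName ImageFileName CommandLine
--------------------------------------------------------------------------------
/System_Script_Proxy_Execution.sql:
--------------------------------------------------------------------------------
/* https://attack.mitre.org/techniques/T1216/ */
/* Signed script proxies: SyncAppvPublishingServer executions and cscript running manage-bde.wsf.
   Groups are parenthesised to make the AND-of-ORs explicit; patterns are unchanged. */

(event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked OR event_simpleName=SyntheticProcessRollup2)
    (FileName="SyncAppvPublishingServer*" OR CommandLine="*cscript *manage-bde.wsf*")
| eval timestamp=(timestamp / 1000)
| convert timeformat="%FT%H:%M:%S.%3N UTC" ctime(timestamp) AS timestamp_readable
| table timestamp_readable ComputerName UserName ImageFileName CommandLine
--------------------------------------------------------------------------------
/Team_Viewer_External_Connections.sql:
--------------------------------------------------------------------------------
/* Process events for TeamViewer binaries (names taken from the discover_summary inventory) that
   made an outbound IPv4 connection to a non-private address; the inner NetworkConnectIP4 subsearch
   is itself scoped to TeamViewer processes.

   Changes: aid is carried through the process-id handoff and added to the join key, since
   TargetProcessId_decimal is only unique per sensor; the private-range exclusion now also covers
   172.16/12 and 192.168/16. Groups are parenthesised to make the AND-of-ORs explicit. Three nested
   subsearches are expensive and subject to row limits — keep the time window short. The query
   continues below. */

(event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked OR event_simpleName=SyntheticProcessRollup2)
    [| search index=discover_summary (FileName="TeamViewer*" OR CompanyName="TeamViewer*")
    | stats count by FileName
    | fields FileName ]
| join type=inner aid, TargetProcessId_decimal
    [| search event_simpleName=NetworkConnectIP4
        (RemoteAddressIP4=* NOT RemoteAddressIP4="10.*" NOT RemoteAddressIP4=172.16.0.0/12 NOT RemoteAddressIP4=192.168.0.0/16 NOT RemoteAddressIP4="127.0.0.1")
        [| search (event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked OR event_simpleName=SyntheticProcessRollup2)
            [| search index=discover_summary (FileName="TeamViewer*" OR CompanyName="TeamViewer*")
            | stats count by FileName
            | fields FileName ]
        | stats count by aid, TargetProcessId_decimal
        | fields aid, TargetProcessId_decimal
        | rename TargetProcessId_decimal as ContextProcessId_decimal ]
    | rename ContextProcessId_decimal AS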
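TargetProcessId_decimal
    | fields aid TargetProcessId_decimal RemoteAddressIP4 ]
| table _time ComputerName UserName FileName CommandLine RemoteAddressIP4
--------------------------------------------------------------------------------
/Timestomp_Attempts.sql:
--------------------------------------------------------------------------------
/* PowerShell command history assigning $_.CreationTime or $_.LastWriteTime, i.e. file-timestamp
   manipulation from an interactive session, counted per host / user / command.

   The previous revision was two separate searches, one per property; they are merged into a single
   search with an OR so one result set covers both (the stats output is the union of the two). */

commandhistoryv2
| search CommandHistory="*$_.CreationTime* =*" OR CommandHistory="*$_.LastWriteTime* =*"
| fields ComputerName UserName CommandHistory
| stats count by ComputerName UserName CommandHistory
--------------------------------------------------------------------------------
/Tor_Browser_Usage.sql:
--------------------------------------------------------------------------------
/* Hosts on which Tor Browser has run in the last 7 days (from the sha256_hostusage summary), with
   last use time, versions, users and hashes, one row per host / vendor / product.

   Fix: the final sort referenced CompanyName after it had been renamed to Vendor, so it sorted on a
   field that no longer existed; it now sorts on Vendor. The "**" / "*" filter terms look like
   unfilled dashboard tokens and are kept as authored. `hideHiddenHosts()` is a macro defined
   outside this file. */

index=discover_summary report=sha256_hostusage cid=* "**" "Tor Browser*" "**" "*" ComputerName=* earliest=-7d@d
| fillnull value="NA" CompanyName ProductName ProductVersion FileName UserName event_platform
| search CompanyName="**" ProductName="Tor Browser*" ProductVersion="**" FileName IN (*) UserName="*" event_platform IN (*)
| lookup aid_master.csv aid OUTPUT ProductType, SystemProductName, HostHiddenStatus
`hideHiddenHosts()`
| search ProductType=*
| lookup cid_name cid OUTPUT name
| stats max(_time) AS "Last Used", values(ProductVersion) AS "Application Version", values(UserName) as User, values(FileName) AS "File Name", values(SHA256HashData) AS SHA256, values(name) AS Company by ComputerName, CompanyName, ProductName
| rename ComputerName AS "Host Name", CompanyName AS "Vendor", ProductName AS Application
| sort 0 +Vendor, Application, "Application Version"
| eval "Last Used"=strftime('Last Used', "%Y-%m-%d %H:%M.%S")
--------------------------------------------------------------------------------
/WMI_Abuse.sql: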
--------------------------------------------------------------------------------
/* https://attack.mitre.org/techniques/T1047/ */
/* wmic.exe used for account / process / patch enumeration, remote-node queries and process
   creation, with a readable UTC timestamp per event. "*wmic* process call create*" already covers
   the "/node:" variant; the explicit term is kept for readability. Groups are parenthesised to
   make the AND-of-ORs explicit. */

(event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked OR event_simpleName=SyntheticProcessRollup2)
    (
        CommandLine="*wmic* useraccount get /ALL*"
        OR CommandLine="*wmic* process get caption,executablepath,commandline*"
        OR CommandLine="*wmic* qfe get description,installedOn*"
        OR CommandLine="*wmic* /node:* service*"
        OR CommandLine="*wmic* process call create*"
        OR CommandLine="*wmic* /node:* process call create*"
    )
| eval timestamp=(timestamp / 1000)
| convert timeformat="%FT%H:%M:%S.%3N UTC" ctime(timestamp) AS timestamp_readable
| table timestamp_readable ComputerName UserName ImageFileName CommandLine
--------------------------------------------------------------------------------
/XSL_Script_Processing.sql:
--------------------------------------------------------------------------------
/* https://attack.mitre.org/techniques/T1220/ */
/* Any execution of msxsl (the XSL transform host), with a readable UTC timestamp per event. The
   event-type group is parenthesised for readability. */

(event_simpleName=ProcessRollup2 OR event_simpleName=ProcessBlocked OR event_simpleName=SyntheticProcessRollup2)
    FileName="msxsl*"
| eval timestamp=(timestamp / 1000)
| convert timeformat="%FT%H:%M:%S.%3N UTC" ctime(timestamp) AS timestamp_readable
| table timestamp_readable ComputerName UserName ImageFileName CommandLine
--------------------------------------------------------------------------------