Repository layout (k4nfr3/XDR_scripts):

├── ATD-Dump-Full-Memory-Win11.bioc
├── ATD-Dump-Full-Memory-Win11.md
├── ATD-cdpsgshims.dll.bioc
├── ATD-cdpsgshims.dll.md
├── BIOC-Jetico_signed.bioc
├── BIOC-Jetico_signed.md
├── BIOC-Kerberoasting-Canary-Account.bioc
├── BIOC-Kerberoasting-Canary-Account.md
├── BIOC-MadLicensing-CVE-2024-38077-RPC-Call.bioc
├── BIOC-MadLicensing-CVE-2024-38077-RPC-Call.md
├── BIOC-POC-CVE-2024-49112.bioc
├── BIOC-PetitPotam-Authentication-Coercer.bioc
├── BIOC-PetitPotam-Authentication-Coercer.md
├── BIOC-PetitPotam-EventLog-ElfrOpenBELW.bioc
├── BIOC-PetitPotam-EventLog-ElfrOpenBELW.md
├── BIOC-PetitPotam_DFSNM_Authenticaton_Coercer.bioc
├── BIOC-PetitPotam_DFSNM_Authenticaton_Coercer.md
├── BIOC-PetitPotam_Spoolss_Authentication_Coercer.bioc
├── BIOC-PetitPotam_Spoolss_Authentication_Coercer.md
├── BIOC-RBCD_Attack.bioc
├── BIOC-RBCD_Attack.md
├── BIOC-Rdrleakdiag-lolbas.bioc
├── BIOC-Rdrleakdiag-lolbas.md
├── BIOC-SCRT-Mr-D0x-XDR-Disable-chg-registry-value.bioc
├── BIOC-SCRT-Mr-D0x-XDR-Disable-chg-registry-value.md
├── BIOC-SprintCSP.dll.bioc
├── BIOC-SprintCSP.dll.md
├── BIOC-TTTracerinjection-into-LSASS.bioc
├── BIOC-TTTracerinjection-into-LSASS.md
├── BIOC-add-User-to-LocalAdmin-Group
├── BIOC-suspicious-command-line to Critical registry and NTDS file.bioc
├── BIOC-suspicious-command-line to Critical registry and NTDS file.md
├── BIOC-suspicious-command-line-.md
├── BIOC-wlanapi.dll_LPE.bioc
├── BIOC-wlanapi.dll_LPE.md
├── BIOC_PingCastle_ADCS_scanning.bioc
├── BIOC_PingCastle_ADCS_scanning.md
├── Forensic_4624_type_10
├── LICENCE
├── ProcDump.py
├── README.md
├── SCRT_PetitPotam-Authentication-Coercer.md
├── SCRT_PetitPotam_DFSNM_Authenticaton_Coercer.md
├── SCRT_PetitPotam_Spoolss_Authentication_Coercer.md
├── SCRT_invalid_driver_hunt.bioc
├── SCRT_invalid_driver_hunt.md
├── Widget_Agent_Type
├── Widget_Network_Probes_Last_events
├── XDR-Collector-config-DHCP-Filebeat.txt
├── XDR_Collector_Exchange_Msg_Tracking
├── XDR_Collector_config_IIS.txt
├── XDR_loldriver.io_update_IOC.md
├── XDR_loldriver.io_update_IOC.py
├── XQL_4624_successfull_Logons
├── XQL_Account_Lockout
├── XQL_Computer_Account_created.txt
├── XQL_Failed_Logins.txt
├── XQL_Failed_Logins_francais.txt
├── XQL_General_event_logs
├── XQL_Kerb_PreAuth_4771
├── XQL_Kerberoasting_of_canary_account
├── XQL_Powershell_transcripts
├── XQL_RPC_LSAT
├── XQL_Threat_hunt_kerberos_request
├── XQL_driver_hunting
├── XQL_graph_process_by_hour
├── convert_to_md.py
├── fullmemorydump.py
├── images
│   ├── README.md
│   ├── xdr_loldriver_api_role.png
│   └── xdr_malware_profile.PNG
├── xdr_log4j.py
└── xdr_loldriver_api_role.png

Raw file locations (one line per file; the images/README.md entry gives the file's content instead of a link):

/ATD-Dump-Full-Memory-Win11.bioc: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/ATD-Dump-Full-Memory-Win11.bioc
/ATD-Dump-Full-Memory-Win11.md: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/ATD-Dump-Full-Memory-Win11.md
/ATD-cdpsgshims.dll.bioc: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/ATD-cdpsgshims.dll.bioc
/ATD-cdpsgshims.dll.md: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/ATD-cdpsgshims.dll.md
/BIOC-Jetico_signed.bioc: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/BIOC-Jetico_signed.bioc
/BIOC-Jetico_signed.md: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/BIOC-Jetico_signed.md
/BIOC-Kerberoasting-Canary-Account.bioc: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/BIOC-Kerberoasting-Canary-Account.bioc
/BIOC-Kerberoasting-Canary-Account.md: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/BIOC-Kerberoasting-Canary-Account.md
/BIOC-MadLicensing-CVE-2024-38077-RPC-Call.bioc: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/BIOC-MadLicensing-CVE-2024-38077-RPC-Call.bioc
/BIOC-MadLicensing-CVE-2024-38077-RPC-Call.md: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/BIOC-MadLicensing-CVE-2024-38077-RPC-Call.md
/BIOC-POC-CVE-2024-49112.bioc: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/BIOC-POC-CVE-2024-49112.bioc
/BIOC-PetitPotam-Authentication-Coercer.bioc: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/BIOC-PetitPotam-Authentication-Coercer.bioc
/BIOC-PetitPotam-Authentication-Coercer.md: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/BIOC-PetitPotam-Authentication-Coercer.md
/BIOC-PetitPotam-EventLog-ElfrOpenBELW.bioc: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/BIOC-PetitPotam-EventLog-ElfrOpenBELW.bioc
/BIOC-PetitPotam-EventLog-ElfrOpenBELW.md: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/BIOC-PetitPotam-EventLog-ElfrOpenBELW.md
/BIOC-PetitPotam_DFSNM_Authenticaton_Coercer.bioc: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/BIOC-PetitPotam_DFSNM_Authenticaton_Coercer.bioc
/BIOC-PetitPotam_DFSNM_Authenticaton_Coercer.md: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/BIOC-PetitPotam_DFSNM_Authenticaton_Coercer.md
/BIOC-PetitPotam_Spoolss_Authentication_Coercer.bioc: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/BIOC-PetitPotam_Spoolss_Authentication_Coercer.bioc
/BIOC-PetitPotam_Spoolss_Authentication_Coercer.md: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/BIOC-PetitPotam_Spoolss_Authentication_Coercer.md
/BIOC-RBCD_Attack.bioc: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/BIOC-RBCD_Attack.bioc
/BIOC-RBCD_Attack.md: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/BIOC-RBCD_Attack.md
/BIOC-Rdrleakdiag-lolbas.bioc: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/BIOC-Rdrleakdiag-lolbas.bioc
/BIOC-Rdrleakdiag-lolbas.md: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/BIOC-Rdrleakdiag-lolbas.md
/BIOC-SCRT-Mr-D0x-XDR-Disable-chg-registry-value.bioc: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/BIOC-SCRT-Mr-D0x-XDR-Disable-chg-registry-value.bioc
/BIOC-SCRT-Mr-D0x-XDR-Disable-chg-registry-value.md: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/BIOC-SCRT-Mr-D0x-XDR-Disable-chg-registry-value.md
/BIOC-SprintCSP.dll.bioc: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/BIOC-SprintCSP.dll.bioc
/BIOC-SprintCSP.dll.md: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/BIOC-SprintCSP.dll.md
/BIOC-TTTracerinjection-into-LSASS.bioc: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/BIOC-TTTracerinjection-into-LSASS.bioc
/BIOC-TTTracerinjection-into-LSASS.md: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/BIOC-TTTracerinjection-into-LSASS.md
/BIOC-add-User-to-LocalAdmin-Group: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/BIOC-add-User-to-LocalAdmin-Group
/BIOC-suspicious-command-line to Critical registry and NTDS file.bioc: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/BIOC-suspicious-command-line to Critical registry and NTDS file.bioc
/BIOC-suspicious-command-line to Critical registry and NTDS file.md: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/BIOC-suspicious-command-line to Critical registry and NTDS file.md
/BIOC-suspicious-command-line-.md: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/BIOC-suspicious-command-line-.md
/BIOC-wlanapi.dll_LPE.bioc: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/BIOC-wlanapi.dll_LPE.bioc
/BIOC-wlanapi.dll_LPE.md: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/BIOC-wlanapi.dll_LPE.md
/BIOC_PingCastle_ADCS_scanning.bioc: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/BIOC_PingCastle_ADCS_scanning.bioc
/BIOC_PingCastle_ADCS_scanning.md: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/BIOC_PingCastle_ADCS_scanning.md
/Forensic_4624_type_10: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/Forensic_4624_type_10
/LICENCE: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/LICENCE
/ProcDump.py: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/ProcDump.py
/README.md: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/README.md
/SCRT_PetitPotam-Authentication-Coercer.md: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/SCRT_PetitPotam-Authentication-Coercer.md
/SCRT_PetitPotam_DFSNM_Authenticaton_Coercer.md: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/SCRT_PetitPotam_DFSNM_Authenticaton_Coercer.md
/SCRT_PetitPotam_Spoolss_Authentication_Coercer.md: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/SCRT_PetitPotam_Spoolss_Authentication_Coercer.md
/SCRT_invalid_driver_hunt.bioc: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/SCRT_invalid_driver_hunt.bioc
/SCRT_invalid_driver_hunt.md: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/SCRT_invalid_driver_hunt.md
/Widget_Agent_Type: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/Widget_Agent_Type
/Widget_Network_Probes_Last_events: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/Widget_Network_Probes_Last_events
/XDR-Collector-config-DHCP-Filebeat.txt: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/XDR-Collector-config-DHCP-Filebeat.txt
/XDR_Collector_Exchange_Msg_Tracking: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/XDR_Collector_Exchange_Msg_Tracking
/XDR_Collector_config_IIS.txt: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/XDR_Collector_config_IIS.txt
/XDR_loldriver.io_update_IOC.md: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/XDR_loldriver.io_update_IOC.md
/XDR_loldriver.io_update_IOC.py: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/XDR_loldriver.io_update_IOC.py
/XQL_4624_successfull_Logons: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/XQL_4624_successfull_Logons
/XQL_Account_Lockout: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/XQL_Account_Lockout
/XQL_Computer_Account_created.txt: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/XQL_Computer_Account_created.txt
/XQL_Failed_Logins.txt: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/XQL_Failed_Logins.txt
/XQL_Failed_Logins_francais.txt: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/XQL_Failed_Logins_francais.txt
/XQL_General_event_logs: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/XQL_General_event_logs
/XQL_Kerb_PreAuth_4771: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/XQL_Kerb_PreAuth_4771
/XQL_Kerberoasting_of_canary_account: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/XQL_Kerberoasting_of_canary_account
/XQL_Powershell_transcripts: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/XQL_Powershell_transcripts
/XQL_RPC_LSAT: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/XQL_RPC_LSAT
/XQL_Threat_hunt_kerberos_request: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/XQL_Threat_hunt_kerberos_request
/XQL_driver_hunting: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/XQL_driver_hunting
/XQL_graph_process_by_hour: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/XQL_graph_process_by_hour
/convert_to_md.py: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/convert_to_md.py
/fullmemorydump.py: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/fullmemorydump.py
/images/README.md: folder containing the images
/images/xdr_loldriver_api_role.png: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/images/xdr_loldriver_api_role.png
/images/xdr_malware_profile.PNG: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/images/xdr_malware_profile.PNG
/xdr_log4j.py: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/xdr_log4j.py
/xdr_loldriver_api_role.png: https://raw.githubusercontent.com/k4nfr3/XDR_scripts/HEAD/xdr_loldriver_api_role.png