├── AWS
│   ├── Dashboards
│   │   ├── CloudTrail Anomaly Detection.ndjson
│   │   ├── CloudTrail Overview.ndjson
│   │   ├── Flows - Local to Remote.ndjson
│   │   ├── Flows - Remote to Local.ndjson
│   │   ├── Flows Overview.ndjson
│   │   ├── all-cloudtrail-dashboards.ndjson
│   │   └── readme.md
│   ├── aws-rules.ndjson
│   └── readme.md
├── Hunt Catalog
│   ├── Windows.md
│   ├── authentication.md
│   ├── cloud.md
│   ├── correlation.md
│   ├── cross-platform.md
│   ├── database.md
│   ├── exfiltration.md
│   ├── linux.md
│   ├── mac.md
│   ├── machine learning.md
│   ├── network.md
│   ├── readme.md
│   └── web.md
├── LICENSE.md
├── Linux
│   ├── Rules
│   │   ├── CVE-2019-14287
│   │   │   └── Sudo with # char in arguments; possible CVE 2019-14287 LPE.ndjson
│   │   ├── ShmooCon 2020
│   │   │   ├── Linux - Dynamic Linker Configuration Change.ndjson
│   │   │   ├── Linux - Dynamic Linker File in Process Arguments.ndjson
│   │   │   └── shmoocon-2020-loader-siem-rules.ndjson
│   │   ├── linux-rules.ndjson
│   │   └── readme.md
│   ├── Searches
│   │   ├── .All Linux Searches.ndjson
│   │   ├── .all Linux 2.ndjson
│   │   ├── Linux Auditctl Command Activity.ndjson
│   │   ├── Linux Base64 Command Activity.ndjson
│   │   ├── Linux Compiler Activity.ndjson
│   │   ├── Linux Cron Activity.ndjson
│   │   ├── Linux Echo Command Activity.ndjson
│   │   ├── Linux FTP Command Activity.ndjson
│   │   ├── Linux Group Changes.ndjson
│   │   ├── Linux Hping Activity.ndjson
│   │   ├── Linux Ifconfig Command Activity.ndjson
│   │   ├── Linux Iodine Activity.ndjson
│   │   ├── Linux Java Process Connecting to the Internet.ndjson
│   │   ├── Linux Kernel Module Activity.ndjson
│   │   ├── Linux Mknod Activity.ndjson
│   │   ├── Linux Netcat Network Connection.ndjson
│   │   ├── Linux Netcat shell activity.ndjson
│   │   ├── Linux Nmap Activity.ndjson
│   │   ├── Linux Nping Activity.ndjson
│   │   ├── Linux Passwd Command Activity.ndjson
│   │   ├── Linux Port 22 Connection Outbound.ndjson
│   │   ├── Linux Process Started in Temp Directory.ndjson
│   │   ├── Linux Ptrace Activity.ndjson
│   │   ├── Linux Rawshark Activity.ndjson
│   │   ├── Linux Rdesktop Activity.ndjson
│   │   ├── Linux SCP Activity.ndjson
│   │   ├── Linux Shell Activity By Web Server.ndjson
│   │   ├── Linux Socat activity.ndjson
│   │   ├── Linux Strace Activity.ndjson
│   │   ├── Linux Sudo Activity.ndjson
│   │   ├── Linux Systemctl Activity.ndjson
│   │   ├── Linux Tcpdump Activity.ndjson
│   │   ├── Linux Traceroute Command Activity.ndjson
│   │   ├── Linux User Changes.ndjson
│   │   ├── Linux Web Client Activity.ndjson
│   │   ├── Linux Web Download.ndjson
│   │   ├── Linux Whoami Commmand.ndjson
│   │   ├── Linux Whois Activity.ndjson
│   │   ├── Linux busybox process activity.ndjson
│   │   ├── Linux chmod +s command activity.ndjson
│   │   ├── Linux dd process activity.ndjson
│   │   ├── Linux dmesg activity.ndjson
│   │   ├── Linux env process activity by a user.ndjson
│   │   ├── Linux file editor activity.ndjson
│   │   ├── Linux find command activity by a user.ndjson
│   │   ├── Linux finger command activity.ndjson
│   │   ├── Linux flock command activity by a user.ndjson
│   │   ├── Linux gdb activity.ndjson
│   │   ├── Linux git process activity.ndjson
│   │   ├── Linux head command activity by a user.ndjson
│   │   ├── Linux ionice command activity by a user.ndjson
│   │   ├── Linux ip command activity by a user.ndjson
│   │   ├── Linux jrunscript process activity.ndjson
│   │   ├── Linux ld.so process activity.ndjson
│   │   ├── Linux less command activity.ndjson
│   │   ├── Linux lzop activity - possible @JulianRunnels.ndjson
│   │   ├── Linux mail process activity.ndjson
│   │   ├── Linux make process activity.ndjson
│   │   ├── Linux makemime activity - possible @JulianRunnels.ndjson
│   │   ├── Linux man command activity.ndjson
│   │   ├── Linux more command activity.ndjson
│   │   ├── Linux mount command activity by a user.ndjson
│   │   ├── Linux mv command activity by a user.ndjson
│   │   ├── Linux mysql command activity by a user.ndjson
│   │   ├── Linux nano activity by a user.ndjson
│   │   ├── Linux nice command activity.ndjson
│   │   ├── Linux perl activity by a user.ndjson
│   │   ├── Linux process named install.ndjson
│   │   ├── Linux python activity by a user.ndjson
│   │   ├── Linux readelf command activity.ndjson
│   │   ├── Linux reverse shell, PHP.ndjson
│   │   ├── Linux reverse shell, python.ndjson
│   │   ├── Linux reverse shell, ruby.ndjson
│   │   ├── Linux rpmquery command activity.ndjson
│   │   ├── Linux rsynch command activity.ndjson
│   │   ├── Linux ruby activity by a user.ndjson
│   │   ├── Linux run-mailcap command activity.ndjson
│   │   ├── Linux run-parts command activity by a user.ndjson
│   │   ├── Linux screen command activity.ndjson
│   │   ├── Linux sed command activity by a user.ndjson
│   │   ├── Linux service command activity.ndjson
│   │   ├── Linux sftp command activity.ndjson
│   │   ├── Linux smbclient command activity.ndjson
│   │   ├── Linux sort command activity by a user.ndjson
│   │   ├── Linux sqlite process activity.ndjson
│   │   ├── Linux start-stop-daemon process activity.ndjson
│   │   ├── Linux tail command activity.ndjson
│   │   ├── Linux tar command activity by a user.ndjson
│   │   ├── Linux tcp device activity.ndjson
│   │   ├── Linux tcpdump command execution.ndjson
│   │   ├── Linux tee command activity.ndjson
│   │   ├── Linux telnet activity.ndjson
│   │   ├── Linux tftp activity.ndjson
│   │   ├── Linux time command activity.ndjson
│   │   ├── Linux uncommon process activity - possible gtfobin.ndjson
│   │   ├── Linux uniq command activity.ndjson
│   │   ├── Linux unusual shell activity.ndjson
│   │   ├── Linux user command activity with shell command arguments.ndjson
│   │   ├── Linux xargs command activity by a user.ndjson
│   │   ├── Linux yum activity.ndjson
│   │   └── Linux zip command activity.ndjson
│   └── Tests
│       ├── Linux Event Generators
│       │   ├── README.md
│       │   ├── process-atoms.json
│       │   └── process-reaction.json
│       ├── Linux Hping Activity.ndjson
│       ├── Linux Iodine Activity.ndjson
│       ├── Linux Kernel Module Activity.ndjson
│       ├── Linux Mknod Activity.ndjson
│       ├── Linux Netcat Network Connection.ndjson
│       ├── Linux Nmap Activity.ndjson
│       ├── Linux Nping Activity.ndjson
│       ├── Linux Process Started in Temp Directory.ndjson
│       ├── Linux Socat activity.ndjson
│       ├── Linux Strace Activity.ndjson
│       ├── Linux Tcpdump Activity.ndjson
│       ├── Linux Whoami Commmand.ndjson
│       └── Linux ld.so process activity.ndjson
├── Lists
│   ├── 18001-list-directory-traversal.md
│   ├── 23001-list-linux-accounts.md
│   ├── 28001-list-SQL-commands.md
│   ├── 28002-list-RCI-commands.md
│   ├── 28003-list-environment-variables.md
│   ├── 28004-list-XSS-strings.md
│   ├── 28005-list-SQL-injection.md
│   ├── 28006-list-SQL-Windows.md
│   ├── 78001-list-web-scanner.md
│   └── URI-list.md
├── Network
│   ├── .all network searches.ndjson
│   ├── Linux Network - Anomalous Process Using HTTPS Ports.ndjson
│   ├── Network - DNS Directly to the Internet.ndjson
│   ├── Network - FTP (File Transfer Protocol) Activity to the Internet.ndjson
│   ├── Network - IRC (Internet Relay Chat) Protocol Activity to the Internet.ndjson
│   ├── Network - NAT Traversal Port Activity.ndjson
│   ├── Network - PPTP (Point to Point Tunneling Protocol) Activity.ndjson
│   ├── Network - Port 26 Activity.ndjson
│   ├── Network - Port 8000 Activity to the Internet.ndjson
│   ├── Network - Port 8000 Activity.ndjson
│   ├── Network - Proxy Port Activity to the Internet.ndjson
│   ├── Network - RDP (Remote Desktop Protocol) from the Internet.ndjson
│   ├── Network - RDP (Remote Desktop Protocol) to the Internet.ndjson
│   ├── Network - RPC (Remote Procedure Call) from the Internet.ndjson
│   ├── Network - RPC (Remote Procedure Call) to the Internet.ndjson
│   ├── Network - SMB (Windows File Sharing) Activity to the Internet.ndjson
│   ├── Network - SMTP to the Internet.ndjson
│   ├── Network - SQL Server Port Activity to the Internet.ndjson
│   ├── Network - SSH (Secure Shell) from the Internet.ndjson
│   ├── Network - SSH (Secure Shell) to the Internet.ndjson
│   ├── Network - Telnet Port Activity.ndjson
│   ├── Network - Tor Activity to the Internet.ndjson
│   ├── Network - VNC (Virtual Network Computing) From the Internet.ndjson
│   ├── Network - VNC (Virtual Network Computing) To the Internet.ndjson
│   ├── Network Event Generator
│   │   ├── README.md
│   │   ├── network-atoms.json
│   │   └── network-reaction.json
│   ├── README.md
│   └── Windows Network - Anomalous Windows Process Using HTTPS Ports.ndjson
├── README.md
├── Suricata
│   ├── Searches
│   │   ├── .all Suricata searches.ndjson
│   │   ├── Suricata Base64 Encoded Invoke-Command Powershell Execution.ndjson
│   │   ├── Suricata Base64 Encoded New-Object Powershell Execution.ndjson
│   │   ├── Suricata Base64 Encoded Start-Process Powershell Execution.ndjson
│   │   ├── Suricata CobaltStrike Artifact in an DNS Request.ndjson
│   │   ├── Suricata Commonly Abused DNS Domain Detected.ndjson
│   │   ├── Suricata DNS Traffic on Unusual TCP Port.ndjson
│   │   ├── Suricata DNS Traffic on Unusual UDP Port.ndjson
│   │   ├── Suricata Directory Reversal Characters in an HTTP Request.ndjson
│   │   ├── Suricata Directory Traversal Characters in HTTP Response.ndjson
│   │   ├── Suricata Directory Traversal in Downloaded Zip File.ndjson
│   │   ├── Suricata Double Encoded Characters in a URI.ndjson
│   │   ├── Suricata Double Encoded Characters in an HTTP POST.ndjson
│   │   ├── Suricata FTP Traffic on Unusual Port, Internet Destination.ndjson
│   │   ├── Suricata HTTP Traffic On Unusual Port, Internet Destination.ndjson
│   │   ├── Suricata IMAP Traffic on Unusual Port, internet Destination.ndjson
│   │   ├── Suricata LaZagne Artifact in an HTTP POST.ndjson
│   │   ├── Suricata Mimikatz Artifacts in an HTTP POST.ndjson
│   │   ├── Suricata Mimikatz String Detected in HTTP Response.ndjson
│   │   ├── Suricata Possible Cobalt Strike Malleable C2 Null Response.ndjson
│   │   ├── Suricata Possible SQL Injection - SQL Commands in HTTP Transactions.ndjson
│   │   ├── Suricata RPC Traffic on HTTP Ports.ndjson
│   │   ├── Suricata SSH Traffic Not on Port 22, Internet Destination.ndjson
│   │   ├── Suricata Serialized PHP Detected.ndjson
│   │   ├── Suricata TLS Traffic on Unusual Port, Internet Destination.ndjson
│   │   ├── Suricata Windows Executable Served by JPEG Web Content.ndjson
│   │   ├── Suricata eval PHP Function in an HTTP Request.ndjson
│   │   ├── Suricata non-DNS Traffic on TCP Port 53.ndjson
│   │   ├── Suricata non-DNS Traffic on UDP Port 53.ndjson
│   │   ├── Suricata non-FTP Traffic on Port 21.ndjson
│   │   ├── Suricata non-HTTP Traffic on TCP Port 80.ndjson
│   │   ├── Suricata non-IMAP Traffic on Port 1443 (IMAP).ndjson
│   │   ├── Suricata non-SMB Traffic on TCP Port 139 (SMB).ndjson
│   │   ├── Suricata non-SSH Traffic on Port 22.ndjson
│   │   ├── Suricata non-TLS on TLS Port.ndjson
│   │   ├── Suricata shell_exec PHP Function in an HTTP POST.ndjson
│   │   └── readme.md
│   ├── readme.md
│   └── suricata-siem-rules.ndjson
├── Windows
│   ├── .all windows rules.ndjson
│   ├── Anomalous process started as SYSTEM.ndjson
│   ├── Anomalous process started by Internet Explorer.ndjson
│   ├── BlueKeep Activity Failed Logins for Username AAAAAAA.ndjson
│   ├── CVE-2020-0601
│   │   ├── CVE-2020-0601-siem-rules.ndjson
│   │   ├── README.md
│   │   ├── Windows Audit-CVE Event Log Message - CVE-2020-0601 Indicator.ndjson
│   │   └── Windows crypt32.dll Vulnerable to CVE-2020-0601.ndjson
│   ├── CVE-2020-0688
│   │   └── Command Shell Started by IIS Worker.ndjson
│   ├── Cacls command activity.ndjson
│   ├── Command shell started by Internet Explorer.ndjson
│   ├── Command shell started by Powershell.ndjson
│   ├── Command shell started by Svchost.ndjson
│   ├── FileZilla network activity.ndjson
│   ├── FileZilla process activity.ndjson
│   ├── Internet LOLBins
│   │   ├── .all internet calling lolbins.ndjson
│   │   ├── README.md
│   │   ├── Windows Background Intelligent Transfer Service (BITS) Connecting to the Internet.ndjson
│   │   ├── Windows Certutil Connecting to the Internet.ndjson
│   │   ├── Windows Command Prompt Connecting to the Internet.ndjson
│   │   ├── Windows HTML Help executable Program Connecting to the Internet.ndjson
│   │   ├── Windows Microsoft HTML Application (HTA) Connecting to the Internet.ndjson
│   │   ├── Windows Misc LOLBin Connecting to the Internet.ndjson
│   │   ├── Windows Powershell Connecting to the Internet.ndjson
│   │   ├── Windows Register Server Program Connecting to the Internet.ndjson
│   │   └── Windows Script Interpreter Connecting to the Internet.ndjson
│   ├── Ipconfig command activity.ndjson
│   ├── MSBuild and Silent Trinity
│   │   ├── MSBuild-searches.ndjson
│   │   ├── MSBuild-siem-rules.ndjson
│   │   └── README.md
│   ├── PSexec activity.ndjson
│   ├── Powershell download from a URI.ndjson
│   ├── Powershell network connection.ndjson
│   ├── Process started by Acrobat reader - possible payload.ndjson
│   ├── Process started by MS Office program - possible payload.ndjson
│   ├── Process started by Norton Security.ndjson
│   ├── Process started by Windows Defender.ndjson
│   ├── Sentinel
│   │   ├── .all sentinel searches.ndjson
│   │   ├── README.md
│   │   ├── Windows Credential Dumping Commands.ndjson
│   │   ├── Windows Credential Dumping via ImageLoad.ndjson
│   │   ├── Windows Credential Dumping via Registry Save.ndjson
│   │   ├── Windows Data Compression Using Powershell.ndjson
│   │   ├── Windows Defense Evasion - Decoding Using Certutil.ndjson
│   │   ├── Windows Defense Evasion or Persistence via Hidden Files.ndjson
│   │   ├── Windows Defense Evasion via Windows Event Log Tools.ndjson
│   │   ├── Windows Defense evasion via Filter Manager.ndjson
│   │   ├── Windows Execution via .NET COM Assemblies.ndjson
│   │   ├── Windows Execution via Compiled HTML File.ndjson
│   │   ├── Windows Execution via Connection Manager.ndjson
│   │   ├── Windows Execution via Microsoft HTML Application (HTA).ndjson
│   │   ├── Windows Execution via Regsvr32.ndjson
│   │   ├── Windows Execution via Trusted Developer Utilities.ndjson
│   │   ├── Windows Indirect Command Execution.ndjson
│   │   ├── Windows Management Instrumentation (WMI) Execution.ndjson
│   │   ├── Windows Payload Obfuscation via Certutil.ndjson
│   │   ├── Windows Persistence or Priv Escalation via Hooking.ndjson
│   │   ├── Windows Persistence via Application Shimming.ndjson
│   │   ├── Windows Persistence via BITS Jobs.ndjson
│   │   ├── Windows Persistence via Modification of Existing Service.ndjson
│   │   ├── Windows Persistence via Netshell Helper DLL.ndjson
│   │   ├── Windows Priv Escalation via Accessibility Features.ndjson
│   │   ├── Windows Process Discovery via Tasklist Command.ndjson
│   │   ├── Windows Registry Query, Local.ndjson
│   │   ├── Windows Registry Query, Network.ndjson
│   │   ├── Windows Remote Management Execution.ndjson
│   │   ├── Windows Scheduled Task Activity.ndjson
│   │   ├── Windows Signed Binary Proxy Execution Download.ndjson
│   │   └── Windows Signed Binary Proxy Execution.ndjson
│   ├── Sigma Searches
│   │   ├── Process Event Searches
│   │   │   ├── .All Windows process rules.ndjson
│   │   │   ├── Active Directory diagnostic tool utility - possible attack on the NTDS.DIT database.ndjson
│   │   │   ├── Active Directory group policy directory access by a process.ndjson
│   │   │   ├── Anomalous calculator process.ndjson
│   │   │   ├── Anomalous child process started by the userinit process.ndjson
│   │   │   ├── Anomalous parent process for csc.exe - possible payload delivery.ndjson
│   │   │   ├── BITSadmin file download activity.ndjson
│   │   │   ├── Certutil file encoding activity - possible data exfil.ndjson
│   │   │   ├── Clearing of the WMI trace log - possible LockaerGoga ransomware activity.ndjson
│   │   │   ├── Cmdkey Cached Credentials Recon.ndjson
│   │   │   ├── Command execution with URL and AppData parameters - possible dropper.ndjson
│   │   │   ├── Command that clears the WMI trace log - possible LockerGoga ransomware activity.ndjson
│   │   │   ├── Empire PowerShell launch parameters - possible Empire activity.ndjson
│   │   │   ├── Execution of Renamed PaExec.ndjson
│   │   │   ├── IIS Native-Code Module Command Line Installation.ndjson
│   │   │   ├── Java process activity in the AppData folder as used by Adwind JRAT malware.ndjson
│   │   │   ├── Java process running with remote debugging enabled.ndjson
│   │   │   ├── MBR modifications by bcdedit.exe - possible ransomware.ndjson
│   │   │   ├── MS Office Product starting a process in a user directory - possible payload.ndjson
│   │   │   ├── MSHTA Spawning Windows Shell.ndjson
│   │   │   ├── MSHTA spwaned by SVCHOST as seen in LethalHTA.ndjson
│   │   │   ├── MavInject Process Injection.ndjson
│   │   │   ├── Microsoft Workflow Compiler activity - possible execution of arbitrary unsigned code.ndjson
│   │   │   ├── Netsh Allow Incoming Connections by Port or Application on Windows Firewall.ndjson
│   │   │   ├── Netsh Port Forwarding.ndjson
│   │   │   ├── Netsh RDP Port Forwarding of Port 3389 - RDP tunneling.ndjson
│   │   │   ├── Netsh RDP Port Forwarding.ndjson
│   │   │   ├── Notepad++ updater in an anomalous directory - possible DLL side-loading attack.ndjson
│   │   │   ├── Ping command using a hexidecimal IP address.ndjson
│   │   │   ├── Possible Applocker Bypass.ndjson
│   │   │   ├── Possible CVE-2017-1882 exploit starting child processes from EQNEDT32.EXE.ndjson
│   │   │   ├── Possible shim database persistence via sdbinst.exe writing to default shim database path.ndjson
│   │   │   ├── PowerShell Base64 Encoded Shellcode.ndjson
│   │   │   ├── PowerShell download from URL - possible payload.ndjson
│   │   │   ├── Powershell AMSI bypass via .NET reflection - possible attempt to disable AMSI scanning.ndjson
│   │   │   ├── Powershell activity by the WMI service.ndjson
│   │   │   ├── Powershell activity in an AppData folder - suspicious powershell activity.ndjson
│   │   │   ├── Powershell execution via a DLL.ndjson
│   │   │   ├── Powershell process started by a script interpreter.ndjson
│   │   │   ├── Procdump activity on the lsass.exe process.ndjson
│   │   │   ├── Process Execution in web server document root folder.ndjson
│   │   │   ├── Process started by MMC - possible lateral movement using the MMC application's COM object.ndjson
│   │   │   ├── Process started by the Task Manager.ndjson
│   │   │   ├── Process started by the terminal service server - possible Bluekeep CVE-2019-0708 exploit activity.ndjson
│   │   │   ├── PsExec Service Start.ndjson
│   │   │   ├── RASdial process activity.ndjson
│   │   │   ├── RDP session redirect activity using TSCON.ndjson
│   │   │   ├── Renamed Powershell.exe.ndjson
│   │   │   ├── Rundll32 execution from control.exe as used by Equation Group and Exploit Kits.ndjson
│   │   │   ├── Scheduled task creation by a user.ndjson
│   │   │   ├── Service principal name enumeration - possible Kerberoasting.ndjson
│   │   │   ├── Shell process started by a web server - possible web shell or web exploit activity.ndjson
│   │   │   ├── Suspicious Windows Parent Child Process Relationship.ndjson
│   │   │   ├── Suspicious XOR Encoded PowerShell Command Line.ndjson
│   │   │   ├── Suspicious command activity by a web server process - possible web shell activity.ndjson
│   │   │   ├── Suspicious script file execution.ndjson
│   │   │   ├── Svchost process with anomalous parent process.ndjson
│   │   │   ├── Sysprep process activity in the AppData folder - possible Thrip activity.ndjson
│   │   │   ├── Taskmgr process activity by the SYSTEM account.ndjson
│   │   │   ├── Tscon process activity by the SYSTEM account.ndjson
│   │   │   ├── Volume shadow deletion activity - possible ransomware.ndjson
│   │   │   ├── WMI SquiblyTwo Attack.ndjson
│   │   │   ├── WMI script event consumer activity - possible WMI persistence.ndjson
│   │   │   ├── WScript or CScript dropper - possible payload.ndjson
│   │   │   ├── Whoami command activity by a user.ndjson
│   │   │   ├── Winword starting child process FLTLDR.exe - possible CVE-2017-0261 or 2017-0262 activity.ndjson
│   │   │   ├── Winword starting child process MicroScMgmt.exe - possible CVE-2015-1641 activity.ndjson
│   │   │   └── Winword starting child process csc.exe - possible CVE-2017-8759 activity.ndjson
│   │   ├── README.md
│   │   ├── SpaceCake to Sigma Matrix - Event Log Searches.md
│   │   ├── SpaceCake to Sigma Matrix - Process Searches.md
│   │   └── Windows Event Log Searches
│   │       ├── .All Windows Event Searches.ndjson
│   │       ├── DHCP server callout errors - possible DLL injection.ndjson
│   │       ├── DHCP server loaded the callout DLL - possible DLL injection.ndjson
│   │       ├── DNS server error failed loading the ServerLevelPluginDLL - possible DLL injection.ndjson
│   │       ├── Malicious service installed.ndjson
│   │       ├── Malware indicators in Windows event log.ndjson
│   │       ├── Microsoft malware protection engine crashed.ndjson
│   │       ├── Mimikatz indicators in Windows event log.ndjson
│   │       ├── Overpass the hash attempt - logon type 9 (NewCredentials) = possible Mimikatz activity.ndjson
│   │       ├── Pass the hash activity in event logs - possible lateral movement.ndjson
│   │       ├── Password change on a DSRM account - possible persistence.ndjson
│   │       ├── Remote login by an admin user.ndjson
│   │       ├── Ruler hacktool activity.ndjson
│   │       ├── SAM dump activity - password dumping.ndjson
│   │       ├── SID history added to Active Directory object - possible privilege elevation.ndjson
│   │       ├── Security event log was cleared.ndjson
│   │       ├── Suspicious system time modification.ndjson
│   │       ├── System backup catalog deleted.ndjson
│   │       ├── USB device connected.ndjson
│   │       ├── Unusual failed logon codes - possible account tampering.ndjson
│   │       ├── Windows event log cleared.ndjson
│   │       └── smbexec.py service installed.ndjson
│   ├── Spoofed Windows process name - possible malware.ndjson
│   ├── Suspicious process activity in a Windows directory.ndjson
│   ├── Suspicious process started by a script.ndjson
│   ├── WinDump activity.ndjson
│   ├── WinRar activity.ndjson
│   ├── WinSCP network activity.ndjson
│   ├── WinSCP process activity.ndjson
│   ├── Windows - New External Device Attached.ndjson
│   ├── Windows 7Zip activity.ndjson
│   ├── Windows Burp CE activity.ndjson
│   ├── Windows Fiddler proxy activity.ndjson
│   ├── Windows Iodine activity.ndjson
│   ├── Windows Mimikatz activity.ndjson
│   ├── Windows Netcat activity.ndjson
│   ├── Windows Netcat network activity.ndjson
│   ├── Windows Network Monitor activity.ndjson
│   ├── Windows Pipeline Tampering
│   │   ├── README.md
│   │   └── tampering.ndjson
│   ├── Windows WMI command activity.ndjson
│   ├── Windows Wireshark activity.ndjson
│   ├── Windows bulk file copy commands.ndjson
│   ├── Windows certutil command activity.ndjson
│   ├── Windows device driver loaded - event 7045.ndjson
│   ├── Windows device driver loaded - sysmon event 6.ndjson
│   ├── Windows ftp command activity.ndjson
│   ├── Windows image load from a temp directory.ndjson
│   ├── Windows net command activity by the SYSTEM account.ndjson
│   ├── Windows net command activity.ndjson
│   ├── Windows net localgroup command activity.ndjson
│   ├── Windows net use command activity.ndjson
│   ├── Windows net user command activity.ndjson
│   ├── Windows netsh command activity.ndjson
│   ├── Windows networking command activity.ndjson
│   ├── Windows nmap activity.ndjson
│   ├── Windows nmap scan activity.ndjson
│   ├── Windows password dumper activity - pwdump.ndjson
│   ├── Windows process activity in a temp directory.ndjson
│   ├── Windows process activity in a user folder.ndjson
│   ├── Windows process activity in the downloads folder.ndjson
│   ├── Windows process in a suspicious path.ndjson
│   ├── Windows process started by the Java runtime.ndjson
│   ├── Windows putty activity.ndjson
│   ├── Windows runas command activity.ndjson
│   ├── Windows sc command activity.ndjson
│   ├── Windows scheduled task creation.ndjson
│   ├── Windows schtasks command activity.ndjson
│   ├── Windows script interpreter activity.ndjson
│   ├── Windows tasklist command activity.ndjson
│   └── Windows whoami command activity.ndjson
└── img
    ├── adama-cic-2.jpg
    ├── adama-cic.jpg
    ├── cylon 2.jpg
    ├── cylon.jpg
    ├── pacu.png
    ├── snorts.png
    └── snorts2.png

--------------------------------------------------------------------------------
/AWS/Dashboards/readme.md:
--------------------------------------------------------------------------------

### AWS / CloudTrail Dashboards

Five dashboards containing 29 viz objects for CloudTrail and VPC flow events:

- CloudTrail Anomaly Detection.ndjson - for spotting suspicious API activity using the significant terms aggregation
- CloudTrail Overview.ndjson - dashboards for pattern spotting in CloudTrail events
- Flows - Local to Remote.ndjson - outbound flows with a remote destination for charting outgoing traffic and exfil
- Flows - Remote to Local.ndjson - inbound flows from a remote source for charting incoming traffic
- Flows Overview.ndjson - dashboards for pattern spotting in VPC flow events

--------------------------------------------------------------------------------
/Hunt Catalog/readme.md:
--------------------------------------------------------------------------------
### Contents: this is a catalog of hunts compiled over the past 16 years.

Authentication - searches for authentication data sets hunting for brute force, credential compromise, credentialed persistence and session fixation / hijacking

Cloud - searches for cloud and virtualization specific threats using API and cloud centric data

Correlation - search techniques that combine different events in order to make complex and sophisticated detections

Cross-platform - general purpose searches for threat hunting on hosts.
These behavioral detection techniques are relevant to Linux, MacOS and Windows hosts

Database - searches for database monitoring and compromise

Exfiltration - a list of known data exfiltration techniques and related searches

Linux - searches for threat hunting on Linux hosts

Mac - searches for threat hunting on Linux hosts

Machine Learning - anomaly detection searches using the significant terms aggregation; good for finding things that evade conventional rules.

Network - searches for threat hunting using network data like IDS, proxy and flow events

Web - searches for detecting attacks on web services using web server logs

Windows - searches for threat hunting on Windows hosts

--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
Copyright (C) 2018 - 2020 by Craig Chamberlain.

Licensed under the Creative Commons Attribution-NonCommercial 4.0 International Public License (https://creativecommons.org/licenses/by-nc/4.0/legalcode)

Sharing is permitted — users may copy and redistribute the material in any medium or format.

Adaptation is permitted — users may remix, transform, and build upon the material.

Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made.

You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.

NonCommercial — You may not use the material, or derivatives thereof, for commercial purposes such as productization; resale; incorporation into a product or service for resale; or other activities involving remuneration.
This shall not be construed to prohibit use by commericial entities provided the material, or its derivitives, are not incorporated into a product or service that is sold or resold for monetary gain or renumeration. 14 | 15 | No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits. 16 | -------------------------------------------------------------------------------- /Linux/Rules/CVE-2019-14287/Sudo with # char in arguments; possible CVE 2019-14287 LPE.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:sudo and process.args: *#*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Sudo with # char in arguments; possible CVE 2019-14287 LPE","version":1},"id":"4dc578d0-f05e-11e9-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-10-16T21:45:43.389Z","version":"WzY3LDJd"} -------------------------------------------------------------------------------- /Linux/Rules/ShmooCon 2020/Linux - Dynamic Linker Configuration Change.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["event.action","file.path"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"file.path:\\\"/etc/ld.so.conf\\\" and 
event.action:updated\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Linux - Dynamic Linker Configuration Change","version":1},"id":"b3dabb10-452e-11ea-b796-ff9a3817d961","migrationVersion":{"search":"7.0.0"},"references":[{"id":"23153120-3bcc-11ea-a92d-6b3f4e967591","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-02-01T20:09:07.649Z","version":"Wzc2MCw3XQ=="} -------------------------------------------------------------------------------- /Linux/Rules/ShmooCon 2020/Linux - Dynamic Linker File in Process Arguments.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.args:\\\"/etc/ld.so.conf\\\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Linux - Dynamic Linker File in Process Arguments","version":1},"id":"e60e7220-452e-11ea-b796-ff9a3817d961","migrationVersion":{"search":"7.0.0"},"references":[{"id":"23153120-3bcc-11ea-a92d-6b3f4e967591","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-02-01T20:11:17.601Z","version":"Wzc2NCw3XQ=="} -------------------------------------------------------------------------------- /Linux/Searches/Linux Ptrace Activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["user.name","process.name","process.args"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name: 
ptrace\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"process_started\",\"params\":{\"query\":\"process_started\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"process_started\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Linux: Ptrace Activity","version":1},"id":"596e7e30-9f59-11e9-88e8-f7ed010edb9d","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-21T18:41:21.166Z","version":"WzY5OCwxXQ=="} -------------------------------------------------------------------------------- /Linux/Searches/Linux Shell Activity By Web Server.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["user.name","process.name","process.args"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name: bash and (user.name: apache or www)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Linux: Shell Activity By Web Server","version":1},"id":"fc1ecae0-9f4f-11e9-88e8-f7ed010edb9d","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-21T18:41:21.166Z","version":"WzY3NCwxXQ=="} 
-------------------------------------------------------------------------------- /Linux/Searches/Linux Socat activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["process.args"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:socat\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Linux socat activity","version":1},"id":"0113d8d0-b187-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T22:32:58.765Z","version":"WzEwNTEsMl0="} -------------------------------------------------------------------------------- /Linux/Searches/Linux Tcpdump Activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["user.name","process.name","process.args"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name: tcpdump\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"process_started\",\"params\":{\"query\":\"process_started\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"process_started\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Linux: Tcpdump 
Activity","version":1},"id":"45c4f800-9f4f-11e9-88e8-f7ed010edb9d","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-21T18:41:21.166Z","version":"WzY3MywxXQ=="} -------------------------------------------------------------------------------- /Linux/Searches/Linux Web Client Activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["user.name","process.name","process.args"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name: (curl or wget)\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"process_started\",\"params\":{\"query\":\"process_started\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"process_started\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Linux: Web Client Activity","version":1},"id":"16a4b7f0-9f4e-11e9-88e8-f7ed010edb9d","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-21T18:41:21.166Z","version":"WzY4MSwxXQ=="} 
-------------------------------------------------------------------------------- /Linux/Searches/Linux Web Download.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["user.name","process.name","destination.ip","destination.port"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name: (curl or wget)\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"socket_opened\",\"params\":{\"query\":\"socket_opened\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"socket_opened\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Linux: Web Download","version":1},"id":"ad8ae550-9f4d-11e9-88e8-f7ed010edb9d","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-21T18:38:03.692Z","version":"WzYwNCwxXQ=="} -------------------------------------------------------------------------------- /Linux/Searches/Linux busybox process activity.ndjson: -------------------------------------------------------------------------------- 1 | 
{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:busybox\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Linux busybox process activity","version":1},"id":"76860c20-b6d0-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:19.048Z","version":"WzEyNzYsM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux chmod +s command activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["process.args"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:chmod and process.args:*+s*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Linux chmod +s command activity","version":1},"id":"ebfdbec0-b186-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T22:32:58.765Z","version":"WzEwNTAsMl0="} -------------------------------------------------------------------------------- /Linux/Searches/Linux dd process activity.ndjson: -------------------------------------------------------------------------------- 1 | 
{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:dd\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Linux dd process activity","version":1},"id":"2e197070-b6d1-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:19.048Z","version":"WzEyNzIsM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux dmesg activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:dmesg\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Linux dmesg activity","version":1},"id":"47926f70-b6d1-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:19.048Z","version":"WzEyNzQsM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux file editor activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"query\": \"process.name:nano or process.name:pico or 
process.name:vi or process.name:vim\",\n \"language\": \"kuery\"\n },\n \"filter\": [],\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"},"sort":["@timestamp","desc"],"title":"Linux file editor activity","version":1},"id":"7d8e14e0-b6da-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:13.147Z","version":"WzEyNDMsM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux finger command activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:finger\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Linux finger command activity","version":1},"id":"639c8420-b6d2-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:19.048Z","version":"WzEyNzUsM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux gdb activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"query\": \"process.name:gdb\",\n \"language\": \"kuery\"\n },\n \"filter\": [],\n \"indexRefName\": 
\"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"},"sort":["@timestamp","desc"],"title":"Linux gdb activity","version":1},"id":"a86acdf0-b6d2-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:19.048Z","version":"WzEyNzgsM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux git process activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"query\": \"process.name:git\",\n \"language\": \"kuery\"\n },\n \"filter\": [],\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"},"sort":["@timestamp","desc"],"title":"Linux git process activity","version":1},"id":"d5874430-b6d2-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:19.048Z","version":"WzEyNzksM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux jrunscript process activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"query\": \"process.name:jrunscript\",\n \"language\": \"kuery\"\n },\n \"filter\": [],\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"},"sort":["@timestamp","desc"],"title":"Linux jrunscript process 
activity","version":1},"id":"38a8ebe0-b6d3-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:19.048Z","version":"WzEyNzMsM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux ld.so process activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"language\": \"kuery\",\n \"query\": \"process.name:ld-linux-x86-64\"\n },\n \"filter\": [],\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"},"sort":["@timestamp","desc"],"title":"Linux ld.so process activity","version":1},"id":"fc46e4d0-b6d3-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:13.147Z","version":"WzEyNzAsM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux less command activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"query\": \"process.name:less\",\n \"language\": \"kuery\"\n },\n \"filter\": [],\n \"indexRefName\": 
\"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"},"sort":["@timestamp","desc"],"title":"Linux less command activity","version":1},"id":"0cd15c40-b6d4-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:13.147Z","version":"WzEyMjgsM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux lzop activity - possible @JulianRunnels.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:lzop\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Linux lzop activity - possible @JulianRunnels","version":1},"id":"8b9645e0-b6e8-11e9-997e-2d161c63f49a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:49:10.206Z","version":"WzEzOTUsM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux mail process activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"query\": \"process.name:mail\",\n \"language\": \"kuery\"\n },\n \"filter\": [],\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"},"sort":["@timestamp","desc"],"title":"Linux mail process 
activity","version":1},"id":"3abd7e90-b6d4-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:13.147Z","version":"WzEyMzIsM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux make process activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"query\": \"process.name:make\",\n \"language\": \"kuery\"\n },\n \"filter\": [],\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"},"sort":["@timestamp","desc"],"title":"Linux make process activity","version":1},"id":"44d17350-b6d4-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:13.147Z","version":"WzEyMzQsM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux makemime activity - possible @JulianRunnels.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:makemime\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Linux makemime activity - possible 
@JulianRunnels","version":1},"id":"844214c0-b6e5-11e9-997e-2d161c63f49a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:27:29.419Z","version":"WzEzMzgsM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux man command activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"query\": \"process.name:man\",\n \"language\": \"kuery\"\n },\n \"filter\": [],\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"},"sort":["@timestamp","desc"],"title":"Linux man command activity","version":1},"id":"52860e70-b6d4-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:13.147Z","version":"WzEyMzcsM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux more command activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"query\": \"process.name:more\",\n \"language\": \"kuery\"\n },\n \"filter\": [],\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"},"sort":["@timestamp","desc"],"title":"Linux more command 
activity","version":1},"id":"5f0e5e90-b6d4-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:13.147Z","version":"WzEyMzksM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux mysql command activity by a user.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"query\": \"process.name:mysql\",\n \"language\": \"kuery\"\n },\n \"filter\": [],\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"},"sort":["@timestamp","desc"],"title":"Linux mysql command activity by a user","version":1},"id":"974fc460-b6d4-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:13.147Z","version":"WzEyNDksM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux nice command activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"query\": \"process.name:nice\",\n \"language\": \"kuery\"\n },\n \"filter\": [],\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"},"sort":["@timestamp","desc"],"title":"Linux nice command 
activity","version":1},"id":"c2344c00-b6d4-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:13.147Z","version":"WzEyNTUsM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux process named install.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"language\": \"kuery\",\n \"query\": \"process.name:*install*\"\n },\n \"filter\": [],\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"},"sort":["@timestamp","desc"],"title":"Linux process named \"install\"","version":1},"id":"8a449000-b6d1-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:13.147Z","version":"WzEyNDYsM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux python activity by a user.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"query\": \"process.name:python\",\n \"language\": \"kuery\"\n },\n \"filter\": [],\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"},"sort":["@timestamp","desc"],"title":"Linux python activity by a 
user","version":1},"id":"aee9d4c0-b6d5-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:13.147Z","version":"WzEyNTIsM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux readelf command activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"query\": \"process.name:readelf\",\n \"language\": \"kuery\"\n },\n \"filter\": [],\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"},"sort":["@timestamp","desc"],"title":"Linux readelf command activity","version":1},"id":"c4cfe900-b6d5-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:13.147Z","version":"WzEyNTYsM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux reverse shell, PHP.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["process.args"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:*php* and process.args:*fsockopen*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Linux reverse shell, 
PHP","version":1},"id":"474d2450-b187-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T22:32:58.765Z","version":"WzEwNTQsMl0="} -------------------------------------------------------------------------------- /Linux/Searches/Linux reverse shell, python.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["process.args"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:*python* and process.args:*socket*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Linux reverse shell, python","version":1},"id":"34d42350-b187-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T22:32:58.765Z","version":"WzEwNTMsMl0="} -------------------------------------------------------------------------------- /Linux/Searches/Linux reverse shell, ruby.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["process.args"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:*ruby* and process.args:*socket*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Linux reverse shell, 
ruby","version":1},"id":"246ceb50-b187-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T22:32:58.765Z","version":"WzEwNTIsMl0="} -------------------------------------------------------------------------------- /Linux/Searches/Linux rpmquery command activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"query\": \"process.name:rpmquery\",\n \"language\": \"kuery\"\n },\n \"filter\": [],\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"},"sort":["@timestamp","desc"],"title":"Linux rpmquery command activity","version":1},"id":"dcb24270-b6d5-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:13.147Z","version":"WzEyNjAsM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux rsynch command activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"query\": \"process.name:rsync\",\n \"language\": \"kuery\"\n },\n \"filter\": [],\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"},"sort":["@timestamp","desc"],"title":"Linux rsynch command 
activity","version":1},"id":"e8157380-b6d5-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:13.147Z","version":"WzEyNjMsM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux ruby activity by a user.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"query\": \"process.name:ruby\",\n \"language\": \"kuery\"\n },\n \"filter\": [],\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"},"sort":["@timestamp","desc"],"title":"Linux ruby activity by a user","version":1},"id":"f4c0b4f0-b6d5-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:13.147Z","version":"WzEyNjgsM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux run-mailcap command activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"query\": \"process.name:\\\"run-mailcap\\\"\",\n \"language\": \"kuery\"\n },\n \"filter\": [],\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"},"sort":["@timestamp","desc"],"title":"Linux run-mailcap command 
activity","version":1},"id":"56311840-b6d8-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:13.147Z","version":"WzEyMzgsM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux screen command activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"query\": \"process.name:screen\",\n \"language\": \"kuery\"\n },\n \"filter\": [],\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"},"sort":["@timestamp","desc"],"title":"Linux screen command activity","version":1},"id":"8f8dd920-b6d8-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:13.147Z","version":"WzEyNDgsM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux service command activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"query\": \"process.name:service\",\n \"language\": \"kuery\"\n },\n \"filter\": [],\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"},"sort":["@timestamp","desc"],"title":"Linux service command 
activity","version":1},"id":"e16aba10-b6d8-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:13.147Z","version":"WzEyNjEsM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux sftp command activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"query\": \"process.name:sftp\",\n \"language\": \"kuery\"\n },\n \"filter\": [],\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"},"sort":["@timestamp","desc"],"title":"Linux sftp command activity","version":1},"id":"06aadc10-b6d9-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:13.147Z","version":"WzEyMjcsM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux smbclient command activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"query\": \"process.name:smbclient\",\n \"language\": \"kuery\"\n },\n \"filter\": [],\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"},"sort":["@timestamp","desc"],"title":"Linux smbclient command 
activity","version":1},"id":"205942f0-b6d9-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:13.147Z","version":"WzEyMjksM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux sqlite process activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"query\": \"process.name:sqlite*\",\n \"language\": \"kuery\"\n },\n \"filter\": [],\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"},"sort":["@timestamp","desc"],"title":"Linux sqlite process activity","version":1},"id":"4dd76130-b6d9-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:13.147Z","version":"WzEyMzYsM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux start-stop-daemon process activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"query\": \"process.name:\\\"start-stop-daemon\\\"\",\n \"language\": \"kuery\"\n },\n \"filter\": [],\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"},"sort":["@timestamp","desc"],"title":"Linux start-stop-daemon process 
activity","version":1},"id":"69a39f00-b6d9-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:13.147Z","version":"WzEyNDAsM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux tail command activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"query\": \"process.name:tail\",\n \"language\": \"kuery\"\n },\n \"filter\": [],\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"},"sort":["@timestamp","desc"],"title":"Linux tail command activity","version":1},"id":"898935a0-b6d9-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:13.147Z","version":"WzEyNDUsM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux tcp device activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.args:*dev* and process.args:*tcp*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Linux tcp device 
activity","version":1},"id":"b2d617a0-b186-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T22:32:58.765Z","version":"WzEwNDksMl0="} -------------------------------------------------------------------------------- /Linux/Searches/Linux tee command activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"query\": \"process.name:tee\",\n \"language\": \"kuery\"\n },\n \"filter\": [],\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"},"sort":["@timestamp","desc"],"title":"Linux tee command activity","version":1},"id":"cf3ab380-b6d9-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:13.147Z","version":"WzEyNTgsM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux telnet activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"query\": \"process.name:telnet\",\n \"language\": \"kuery\"\n },\n \"filter\": [],\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"},"sort":["@timestamp","desc"],"title":"Linux telnet 
activity","version":1},"id":"e8d80360-b6d9-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:13.147Z","version":"WzEyNjQsM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux tftp activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"query\": \"process.name:tftp\",\n \"language\": \"kuery\"\n },\n \"filter\": [],\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"},"sort":["@timestamp","desc"],"title":"Linux tftp activity","version":1},"id":"f18478e0-b6d9-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:13.147Z","version":"WzEyNjcsM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux time command activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"query\": \"process.name:time\",\n \"language\": \"kuery\"\n },\n \"filter\": [],\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"},"sort":["@timestamp","desc"],"title":"Linux time command 
activity","version":1},"id":"ffd52cf0-b6d9-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:13.147Z","version":"WzEyNzEsM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux uniq command activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"query\": \"process.name:uniq\",\n \"language\": \"kuery\"\n },\n \"filter\": [],\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"},"sort":["@timestamp","desc"],"title":"Linux uniq command activity","version":1},"id":"467ca390-b6da-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:13.147Z","version":"WzEyMzUsM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux yum activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"query\": \"process.name:yum\",\n \"language\": \"kuery\"\n },\n \"filter\": [],\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"},"sort":["@timestamp","desc"],"title":"Linux yum 
activity","version":1},"id":"e5ec86c0-b6da-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:13.147Z","version":"WzEyNjIsM10="} -------------------------------------------------------------------------------- /Linux/Searches/Linux zip command activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"query\": \"process.name:zip\",\n \"language\": \"kuery\"\n },\n \"filter\": [],\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"},"sort":["@timestamp","desc"],"title":"Linux zip command activity","version":1},"id":"f10604a0-b6da-11e9-b596-11b7f2248f6e","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-08-04T18:03:13.147Z","version":"WzEyNjYsM10="} -------------------------------------------------------------------------------- /Linux/Tests/Linux Event Generators/README.md: -------------------------------------------------------------------------------- 1 | 2 | ### Linux Event Generators 3 | 4 | A Chain Reactor (https://github.com/redcanaryco/chain-reactor) manifest for generating Linux activity in order to test Auditbeat threat hunting searches and rules. The SpaceCake project has over 100 hunting searches for Linux here: https://github.com/randomuserid/Adama/tree/master/Linux 5 | 6 | ### Setup 7 | 8 | Chain Reactor requires `python3`. 
9 | 10 | Install dependencies: 11 | 12 | Debian: 13 | ``` 14 | sudo apt install musl-tools 15 | ``` 16 | 17 | RPM: 18 | ``` 19 | sudo yum install musl-tools 20 | ``` 21 | 22 | *Note: If your distribution's package repositories don't provide musl-tools, build musl from source:* 23 | 24 | ``` 25 | git clone git://git.musl-libc.org/musl 26 | cd musl && ./configure && sudo make install 27 | ``` 28 | 29 | Build Chain Reactor: 30 | ``` 31 | make 32 | ``` 33 | 34 | ### Usage 35 | 36 | Run the command below to compile the manifest into the Chain Reactor ELF binary. NOTE: build and run it from /tmp, because some of the hunting searches specifically look for processes executed out of the Linux /tmp directory. The manifest in this directory, `process-reaction.json`, runs both a hidden and a visible process from /tmp, so a working setup should light up both the /tmp searches and the per-tool searches for the atoms it lists (whoami, nmap, socat, tcpdump and so on). `reaction.json` below is the manifest to run; here that is `process-reaction.json`. 37 | 38 | `python3 compose_reaction atoms.json reaction.json ` 39 | -------------------------------------------------------------------------------- /Linux/Tests/Linux Event Generators/process-reaction.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "linux", 3 | "atoms": [ 4 | "whoami", 5 | "hping3", 6 | "iodine", 7 | "insmod", 8 | "kmod", 9 | "ld.so", 10 | "mknod", 11 | "modprobe", 12 | "ld.so.conf", 13 | "nmap", 14 | "nping", 15 | "rmmod", 16 | "socat", 17 | "strace", 18 | "tcpdump", 19 | "netcat", 20 | "visible", 21 | "hidden" 22 | ] 23 | } 24 | -------------------------------------------------------------------------------- /Linux/Tests/Linux Socat activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["process.args"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:socat\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Linux socat 
activity","version":1},"id":"0113d8d0-b187-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T22:32:58.765Z","version":"WzEwNTEsMl0="} -------------------------------------------------------------------------------- /Linux/Tests/Linux Tcpdump Activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["user.name","process.name","process.args"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name: tcpdump\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"process_started\",\"params\":{\"query\":\"process_started\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"process_started\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Linux: Tcpdump Activity","version":1},"id":"45c4f800-9f4f-11e9-88e8-f7ed010edb9d","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-21T18:41:21.166Z","version":"WzY3MywxXQ=="} -------------------------------------------------------------------------------- /Linux/Tests/Linux ld.so process activity.ndjson: -------------------------------------------------------------------------------- 1 | { 2 | 
"attributes": { 3 | "columns": [], 4 | "description": "", 5 | "hits": 0, 6 | "kibanaSavedObjectMeta": { 7 | "searchSourceJSON": "{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"language\": \"kuery\",\n \"query\": \"process.name:ld-linux-x86-64\"\n },\n \"filter\": [],\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}" 8 | }, 9 | "sort": [ 10 | "@timestamp", 11 | "desc" 12 | ], 13 | "title": "Linux ld.so process activity", 14 | "version": 1 15 | }, 16 | "id": "fc46e4d0-b6d3-11e9-b596-11b7f2248f6e", 17 | "migrationVersion": { 18 | "search": "7.0.0" 19 | }, 20 | "references": [ 21 | { 22 | "id": "7eee3a60-a7e2-11e9-b9eb-ebf6d961315d", 23 | "name": "kibanaSavedObjectMeta.searchSourceJSON.index", 24 | "type": "index-pattern" 25 | } 26 | ], 27 | "type": "search", 28 | "updated_at": "2019-08-04T18:03:13.147Z", 29 | "version": "WzEyNzAsM10=" 30 | } 31 | -------------------------------------------------------------------------------- /Lists/18001-list-directory-traversal.md: -------------------------------------------------------------------------------- 1 | Directory Traversal search strings - used by 18001, Directory Traversal 2 | 3 | 4 | | Search String | 5 | |---------------------| 6 | | "../.." | 7 | | "..\.." 
| 8 | | ae%c0%ae/etc/passwd | 9 | | %2F | 10 | -------------------------------------------------------------------------------- /Lists/23001-list-linux-accounts.md: -------------------------------------------------------------------------------- 1 | Linux Service Accounts - needed by search 23001 - Shell activity by service account 2 | 3 | | username | 4 | |----------| 5 | | apache | 6 | | bin | 7 | | cdrom | 8 | | console | 9 | | daemon | 10 | | ftp | 11 | | guest | 12 | | halt | 13 | | info | 14 | | lp | 15 | | mail | 16 | | mysql | 17 | | named | 18 | | nobody | 19 | | nogroup | 20 | | ossec | 21 | | portmap | 22 | | postfix | 23 | | psql | 24 | | rpc | 25 | | shell | 26 | | shutdown | 27 | | sshd | 28 | | sync | 29 | | user | 30 | | users | 31 | | uucp | 32 | | www | 33 | -------------------------------------------------------------------------------- /Lists/28003-list-environment-variables.md: -------------------------------------------------------------------------------- 1 | Environment variables - used by search 28003 - RCI - environment variable present in URI 2 | 3 | | Variable Name | 4 | |---------------| 5 | | ${CDPATH} | 6 | | ${DIRSTACK} | 7 | | ${HOME} | 8 | | ${HOSTNAME} | 9 | | ${IFS} | 10 | | ${OLDPWD} | 11 | | ${OSTYPE} | 12 | | ${PATH} | 13 | | ${PWD} | 14 | | $CDPATH | 15 | | $DIRSTACK | 16 | | $HOME | 17 | | $HOSTNAME | 18 | | $IFS | 19 | | $OLDPWD | 20 | | $OSTYPE | 21 | | $PATH | 22 | | $PWD | 23 | -------------------------------------------------------------------------------- /Network/Linux Network - Anomalous Process Using HTTPS Ports.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"(destination.port:443 or destination.port:80) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not 
destination.ip:192.168.0.0/16 and not process.name:curl and not process.name:http and not process.name:https and not process.name:nginx and not process.name:packetbeat and not process.name:python2 and not process.name:snapd and not process.name:wget\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Linux Network - Anomalous Process Using HTTP/S Ports","version":1},"id":"90cbc7a0-13af-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7eee3a60-a7e2-11e9-b9eb-ebf6d961315d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T04:22:36.834Z","version":"WzM5MywyXQ=="} -------------------------------------------------------------------------------- /Network/Network - DNS Directly to the Internet.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"destination.port:53 and not destination.ip: 169.254.169.254/32 and not destination.ip:127.0.0.53/32 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Network - DNS Directly to the Internet\t","version":1},"id":"eef52930-13a4-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"0b070b40-1394-11ea-89c9-297ba237856a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T04:22:36.834Z","version":"WzQwNSwyXQ=="} -------------------------------------------------------------------------------- /Network/Network - FTP (File Transfer 
Protocol) Activity to the Internet.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"(destination.port:20 or destination.port:21) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Network - FTP (File Transfer Protocol) Activity to the Internet\t","version":1},"id":"84ae52d0-13a5-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"0b070b40-1394-11ea-89c9-297ba237856a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T04:22:36.834Z","version":"WzM5MCwyXQ=="} -------------------------------------------------------------------------------- /Network/Network - IRC (Internet Relay Chat) Protocol Activity to the Internet.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"(destination.port:6665 or destination.port:6666 or destination.port:6667 or destination.port:6668 or destination.port:6669) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Network - IRC (Internet Relay Chat) Protocol Activity to the 
Internet\t","version":1},"id":"8fb86760-13a5-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"0b070b40-1394-11ea-89c9-297ba237856a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-16T02:31:04.075Z","version":"WzYxMiwzXQ=="} -------------------------------------------------------------------------------- /Network/Network - NAT Traversal Port Activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"destination.port:4500\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Network - NAT Traversal Port Activity\t","version":1},"id":"9c99d400-13a5-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"0b070b40-1394-11ea-89c9-297ba237856a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T04:22:36.834Z","version":"WzM5NSwyXQ=="} -------------------------------------------------------------------------------- /Network/Network - PPTP (Point to Point Tunneling Protocol) Activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"destination.port:1723\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Network - PPTP (Point to Point Tunneling Protocol) 
Activity\t","version":1},"id":"cfd16680-13a5-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"0b070b40-1394-11ea-89c9-297ba237856a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T04:22:36.834Z","version":"WzQwMiwyXQ=="} -------------------------------------------------------------------------------- /Network/Network - Port 26 Activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"destination.port:26\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Network - Port 26 Activity\t","version":1},"id":"a77d74d0-13a5-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"0b070b40-1394-11ea-89c9-297ba237856a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T04:22:36.834Z","version":"WzM5NywyXQ=="} -------------------------------------------------------------------------------- /Network/Network - Port 8000 Activity to the Internet.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"destination.port:8000 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Network - Port 8000 Activity to the 
Internet\t","version":1},"id":"be67b2a0-13a5-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"0b070b40-1394-11ea-89c9-297ba237856a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T04:22:36.834Z","version":"WzQwMCwyXQ=="} -------------------------------------------------------------------------------- /Network/Network - Port 8000 Activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"destination.port:8000\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Network - Port 8000 Activity","version":1},"id":"b3d9abe0-13a5-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"0b070b40-1394-11ea-89c9-297ba237856a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T04:22:36.834Z","version":"WzM5OCwyXQ=="} -------------------------------------------------------------------------------- /Network/Network - Proxy Port Activity to the Internet.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"(destination.port:8080 or destination.port:3128) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Network - Proxy Port Activity to the 
Internet\t","version":1},"id":"6beaf2c0-13a6-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"0b070b40-1394-11ea-89c9-297ba237856a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T04:22:36.834Z","version":"WzM4OCwyXQ=="} -------------------------------------------------------------------------------- /Network/Network - RDP (Remote Desktop Protocol) from the Internet.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"destination.port:3389 and not source.ip:10.0.0.0/8 and not source.ip:172.16.0.0/12 and not source.ip:192.168.0.0/16\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Network - RDP (Remote Desktop Protocol) from the Internet\t","version":1},"id":"77452320-13a6-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"0b070b40-1394-11ea-89c9-297ba237856a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-16T02:33:36.863Z","version":"WzYxMywzXQ=="} -------------------------------------------------------------------------------- /Network/Network - RDP (Remote Desktop Protocol) to the Internet.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"destination.port:3389 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not 
destination.ip:192.168.0.0/16\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Network - RDP (Remote Desktop Protocol) to the Internet\t","version":1},"id":"8600ce00-13a6-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"0b070b40-1394-11ea-89c9-297ba237856a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T04:22:36.834Z","version":"WzM5MSwyXQ=="} -------------------------------------------------------------------------------- /Network/Network - RPC (Remote Procedure Call) from the Internet.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"destination.port:135 and not source.ip:10.0.0.0/8 and not source.ip:172.16.0.0/12 and not source.ip:192.168.0.0/16\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Network - RPC (Remote Procedure Call) from the Internet\t","version":1},"id":"92b33b60-13a6-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"0b070b40-1394-11ea-89c9-297ba237856a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T04:22:36.834Z","version":"WzM5NCwyXQ=="} 2 | -------------------------------------------------------------------------------- /Network/Network - RPC (Remote Procedure Call) to the Internet.ndjson: -------------------------------------------------------------------------------- 1 | 
{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"destination.port:135 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Network - RPC (Remote Procedure Call) to the Internet\t","version":1},"id":"a14f2940-13a6-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"0b070b40-1394-11ea-89c9-297ba237856a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T04:22:36.834Z","version":"WzM5NiwyXQ=="} -------------------------------------------------------------------------------- /Network/Network - SMB (Windows File Sharing) Activity to the Internet.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"(destination.port:139 or destination.port:445) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Network - SMB (Windows File Sharing) Activity to the Internet\t","version":1},"id":"bb373dc0-13a6-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"0b070b40-1394-11ea-89c9-297ba237856a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T04:22:36.834Z","version":"WzM5OSwyXQ=="} -------------------------------------------------------------------------------- 
/Network/Network - SMTP to the Internet.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"destination.port:25 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Network - SMTP to the Internet\t","version":1},"id":"c9ad7b30-13a6-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"0b070b40-1394-11ea-89c9-297ba237856a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T04:22:36.834Z","version":"WzQwMSwyXQ=="} -------------------------------------------------------------------------------- /Network/Network - SQL Server Port Activity to the Internet.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"destination.port:1433 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Network - SQL Server Port Activity to the Internet\t","version":1},"id":"d74fc6d0-13a6-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"0b070b40-1394-11ea-89c9-297ba237856a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T04:22:36.834Z","version":"WzQwMywyXQ=="} 
-------------------------------------------------------------------------------- /Network/Network - SSH (Secure Shell) from the Internet.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"destination.port:22 and not source.ip:10.0.0.0/8 and not source.ip:172.16.0.0/12 and not source.ip:192.168.0.0/16\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Network - SSH (Secure Shell) from the Internet\t","version":1},"id":"e7404830-13a6-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"0b070b40-1394-11ea-89c9-297ba237856a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T04:22:36.834Z","version":"WzQwNCwyXQ=="} -------------------------------------------------------------------------------- /Network/Network - SSH (Secure Shell) to the Internet.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"destination.port:22 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Network - SSH (Secure Shell) to the 
Internet\t","version":1},"id":"09eacb30-13a7-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"0b070b40-1394-11ea-89c9-297ba237856a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T04:22:36.834Z","version":"WzM4MiwyXQ=="} -------------------------------------------------------------------------------- /Network/Network - Telnet Port Activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"destination.port:23\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Network - Telnet Port Activity\t","version":1},"id":"16ad3e20-13a7-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"0b070b40-1394-11ea-89c9-297ba237856a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T04:22:36.834Z","version":"WzM4MywyXQ=="} -------------------------------------------------------------------------------- /Network/Network - Tor Activity to the Internet.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"(destination.port:9001 or destination.port:9030) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Network - Tor Activity to the 
Internet\t","version":1},"id":"25060880-13a7-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"0b070b40-1394-11ea-89c9-297ba237856a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T04:22:36.834Z","version":"WzM4NCwyXQ=="} -------------------------------------------------------------------------------- /Network/Network - VNC (Virtual Network Computing) From the Internet.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"destination.port:5800 and not source.ip:10.0.0.0/8 and not source.ip:172.16.0.0/12 and not source.ip:192.168.0.0/16\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Network - VNC (Virtual Network Computing) From the Internet\t","version":1},"id":"30e67fe0-13a7-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"0b070b40-1394-11ea-89c9-297ba237856a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T04:22:36.834Z","version":"WzM4NSwyXQ=="} -------------------------------------------------------------------------------- /Network/Network - VNC (Virtual Network Computing) To the Internet.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"destination.port:5800 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not 
destination.ip:192.168.0.0/16\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Network - VNC (Virtual Network Computing) To the Internet\t","version":1},"id":"3c59dd90-13a7-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"0b070b40-1394-11ea-89c9-297ba237856a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T04:22:36.834Z","version":"WzM4NywyXQ=="}
--------------------------------------------------------------------------------
/Network/Network Event Generator/network-reaction.json:
--------------------------------------------------------------------------------
{
  "name": "test-atoms",
  "atoms": [
    "DNS-TCP4",
    "DNS2-TCP4",
    "DNS-UDP4",
    "DNS2-UDP4",
    "DNS-UDP6",
    "DNS2-UDP6",
    "DNS-TCP6",
    "DNS2-TCP6",
    "FTP",
    "IRC1",
    "IRC2",
    "IRC3",
    "NAT",
    "8000",
    "26",
    "PPTP",
    "PROXY",
    "PROXY2",
    "RDP",
    "RPC",
    "SMB",
    "SMB2",
    "SMTP",
    "SQL",
    "SSH",
    "TELNET",
    "TOR1",
    "TOR2",
    "VNC"
  ]
}
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

![things](/img/adama-cic-2.jpg?raw=true "text")
# Adama

### Searches For Threat Hunting and Security Analytics

A collection of known log and/or event data searches for threat hunting and detection. They enumerate sets of searches used across many different data pipelines; the implementation details here are for ELK. Adama is part of the SpaceCake project, a set of hunts, searches, alerts, visualizations and data pipelines for intrusion detection, security analytics and threat hunting using F/OSS (free and open source) tools.
--------------------------------------------------------------------------------
/Suricata/Searches/Suricata Base64 Encoded Invoke-Command Powershell Execution.ndjson:
--------------------------------------------------------------------------------
{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610182 or 2610183 or 2610184 or 2610185 or 2610186 or 2610187)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata Base64 Encoded Invoke-Command Powershell Execution","version":1},"id":"4e47ba90-1fa5-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-16T01:42:40.268Z","version":"WzU0NywzXQ=="}
--------------------------------------------------------------------------------
/Suricata/Searches/Suricata Base64 Encoded New-Object Powershell Execution.ndjson:
--------------------------------------------------------------------------------
{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610188 or 2610189 or 2610190 or 2610191 or 2610192 or 
2610193)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata Base64 Encoded New-Object Powershell Execution","version":1},"id":"dfb77ab0-1fa5-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-16T01:46:27.163Z","version":"WzU0OCwzXQ=="} -------------------------------------------------------------------------------- /Suricata/Searches/Suricata Base64 Encoded Start-Process Powershell Execution.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610194 or 2610195 or 2610196 or 2610197 or 2610198 or 2610199)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata Base64 Encoded Start-Process Powershell Execution","version":1},"id":"4e31cc20-1fa6-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-16T01:49:32.514Z","version":"WzU0OSwzXQ=="} -------------------------------------------------------------------------------- /Suricata/Searches/Suricata CobaltStrike Artifact in an DNS Request.ndjson: -------------------------------------------------------------------------------- 1 | 
{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610166 or 2610167 or 2610168)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata CobaltStrike Artifact in an DNS Request","version":1},"id":"66097e90-1fa3-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-16T01:28:44.025Z","version":"WzU0MiwzXQ=="} -------------------------------------------------------------------------------- /Suricata/Searches/Suricata Commonly Abused DNS Domain Detected.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"suricata.eve.alert.signature:(TGI* and *HUNT* and *Abused* and *TLD*) and (event.module:suricata and event.kind:alert)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata Commonly Abused DNS Domain Detected","version":1},"id":"d9b5e240-1f97-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-16T00:06:04.132Z","version":"WzUyNSwzXQ=="} -------------------------------------------------------------------------------- /Suricata/Searches/Suricata DNS Traffic on Unusual TCP Port.ndjson: 
-------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"suricata.eve.alert.signature_id:2610013 and (event.module:suricata and event.kind:alert)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata DNS Traffic on Unusual TCP Port","version":1},"id":"de183ce0-1f95-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-15T23:51:52.494Z","version":"WzUxNywzXQ=="} -------------------------------------------------------------------------------- /Suricata/Searches/Suricata DNS Traffic on Unusual UDP Port.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"suricata.eve.alert.signature_id:2610015 and (event.module:suricata and event.kind:alert)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata DNS Traffic on Unusual UDP Port","version":1},"id":"152197e0-1f96-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-15T23:53:24.830Z","version":"WzUxOSwzXQ=="} -------------------------------------------------------------------------------- /Suricata/Searches/Suricata Directory Reversal Characters in an HTTP 
Request.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610161 or 2610162)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata Directory Reversal Characters in an HTTP Request","version":1},"id":"136cd010-1fa3-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-16T01:26:25.425Z","version":"WzU0MSwzXQ=="} -------------------------------------------------------------------------------- /Suricata/Searches/Suricata Directory Traversal Characters in HTTP Response.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"suricata.eve.alert.signature_id:2610086 and (event.module:suricata and event.kind:alert)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata Directory Traversal Characters in HTTP Response","version":1},"id":"50743880-1f9a-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-16T00:23:42.344Z","version":"WzUyOSwzXQ=="} 
-------------------------------------------------------------------------------- /Suricata/Searches/Suricata Directory Traversal in Downloaded Zip File.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"suricata.eve.alert.signature_id:2610085 and (event.module:suricata and event.kind:alert)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata Directory Traversal in Downloaded Zip File","version":1},"id":"17fb1650-1f99-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-16T00:15:15.222Z","version":"WzUyOCwzXQ=="} -------------------------------------------------------------------------------- /Suricata/Searches/Suricata Double Encoded Characters in a URI.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610092 or 2610093 or 2610094 or 2610095)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata Double Encoded Characters in a 
URI","version":1},"id":"23ad3110-1fa1-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-16T01:12:33.697Z","version":"WzUzNiwzXQ=="} -------------------------------------------------------------------------------- /Suricata/Searches/Suricata Double Encoded Characters in an HTTP POST.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"suricata.eve.alert.signature_id:2610090 and (event.module:suricata and event.kind:alert)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata Double Encoded Characters in an HTTP POST","version":1},"id":"2daff680-1f9b-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-16T00:29:53.512Z","version":"WzUzMiwzXQ=="} -------------------------------------------------------------------------------- /Suricata/Searches/Suricata FTP Traffic on Unusual Port, Internet Destination.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"suricata.eve.alert.signature_id:2610005 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not 
destination.ip:192.168.0.0/16\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata FTP Traffic on Unusual Port, Internet Destination","version":1},"id":"5d43f610-1f93-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-15T23:56:06.968Z","version":"WzUyMSwzXQ=="} -------------------------------------------------------------------------------- /Suricata/Searches/Suricata HTTP Traffic On Unusual Port, Internet Destination.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["suricata.eve.alert.signature_id","destination.ip","suricata.eve.alert.signature"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\" suricata.eve.alert.signature_id:2610001 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata HTTP Traffic On Unusual Port, Internet Destination","version":1},"id":"535a10d0-1f8e-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-16T02:04:47.651Z","version":"WzU1MiwzXQ=="} -------------------------------------------------------------------------------- /Suricata/Searches/Suricata IMAP Traffic on Unusual Port, internet Destination.ndjson: 
-------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"suricata.eve.alert.signature_id:2610009 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata IMAP Traffic on Unusual Port, internet Destination","version":1},"id":"236a2080-1f94-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-15T23:56:20.391Z","version":"WzUyMiwzXQ=="} -------------------------------------------------------------------------------- /Suricata/Searches/Suricata LaZagne Artifact in an HTTP POST.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610149 or 2610150)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata LaZagne Artifact in an HTTP POST","version":1},"id":"a1968260-1fa2-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-16T01:23:14.438Z","version":"WzUzOSwzXQ=="} 
-------------------------------------------------------------------------------- /Suricata/Searches/Suricata Mimikatz Artifacts in an HTTP POST.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"suricata.eve.alert.signature_id:2610155 and (event.module:suricata and event.kind:alert)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata Mimikatz Artifacts in an HTTP POST","version":1},"id":"dcfdb940-1fa2-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-16T01:24:54.100Z","version":"WzU0MCwzXQ=="} -------------------------------------------------------------------------------- /Suricata/Searches/Suricata Mimikatz String Detected in HTTP Response.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610144 or 2610145 or 2610146 or 2610147 or 2610148)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata Mimikatz String Detected in HTTP 
Response","version":1},"id":"3d3555d0-1fa2-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-16T01:20:26.029Z","version":"WzUzOCwzXQ=="}
--------------------------------------------------------------------------------
/Suricata/Searches/Suricata Possible Cobalt Strike Malleable C2 Null Response.ndjson:
--------------------------------------------------------------------------------
{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610202 or 2610203)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata Possible Cobalt Strike Malleable C2 Null Response","version":1},"id":"a15250a0-1fa6-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-16T01:51:51.978Z","version":"WzU1MCwzXQ=="}
--------------------------------------------------------------------------------
/Suricata/Searches/Suricata Possible SQL Injection - SQL Commands in HTTP Transactions.ndjson:
--------------------------------------------------------------------------------
{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"(event.module:suricata and event.kind:alert) and suricata.eve.alert.signature_id: (2610117 or 2610118 or 2610119 or 2610121 or 2610122 or 
2610123)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata Possible SQL Injection - SQL Commands in HTTP Transactions","version":1},"id":"b6d66100-1fa1-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-16T01:16:40.592Z","version":"WzUzNywzXQ=="} -------------------------------------------------------------------------------- /Suricata/Searches/Suricata RPC Traffic on HTTP Ports.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"suricata.eve.alert.signature_id:2610012 and (event.module:suricata and event.kind:alert)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata RPC Traffic on HTTP Ports","version":1},"id":"60bd2c60-1f95-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-15T23:48:22.182Z","version":"WzUxNiwzXQ=="} -------------------------------------------------------------------------------- /Suricata/Searches/Suricata SSH Traffic Not on Port 22, Internet Destination.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"suricata.eve.alert.signature_id:2610007 and 
(event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata SSH Traffic Not on Port 22, Internet Destination","version":1},"id":"b20b4cc0-1f93-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-15T23:36:19.596Z","version":"WzUxMSwzXQ=="} -------------------------------------------------------------------------------- /Suricata/Searches/Suricata Serialized PHP Detected.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"suricata.eve.alert.signature_id:2610091 and (event.module:suricata and event.kind:alert)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata Serialized PHP Detected","version":1},"id":"67db2af0-1f9b-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-16T00:31:31.103Z","version":"WzUzMywzXQ=="} -------------------------------------------------------------------------------- /Suricata/Searches/Suricata TLS Traffic on Unusual Port, Internet Destination.ndjson: -------------------------------------------------------------------------------- 1 | 
{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"suricata.eve.alert.signature_id:2610003 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata TLS Traffic on Unusual Port, Internet Destination","version":1},"id":"510c48e0-1f91-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-16T02:04:27.393Z","version":"WzU1MSwzXQ=="} -------------------------------------------------------------------------------- /Suricata/Searches/Suricata Windows Executable Served by JPEG Web Content.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"suricata.eve.alert.signature_id:2610084 and (event.module:suricata and event.kind:alert)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata Windows Executable Served by JPEG Web Content","version":1},"id":"e9589c50-1f98-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-16T00:13:39.861Z","version":"WzUyNiwzXQ=="} -------------------------------------------------------------------------------- 
/Suricata/Searches/Suricata eval PHP Function in an HTTP Request.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"suricata.eve.alert.signature_id:2610088 and (event.module:suricata and event.kind:alert)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata eval PHP Function in an HTTP Request","version":1},"id":"acdbc4d0-1f9a-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-16T00:26:17.373Z","version":"WzUzMSwzXQ=="} -------------------------------------------------------------------------------- /Suricata/Searches/Suricata non-DNS Traffic on TCP Port 53.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"suricata.eve.alert.signature_id:2610014 and (event.module:suricata and event.kind:alert)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata non-DNS Traffic on TCP Port 53","version":1},"id":"f591e970-1f95-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-15T23:52:31.879Z","version":"WzUxOCwzXQ=="} 
-------------------------------------------------------------------------------- /Suricata/Searches/Suricata non-DNS Traffic on UDP Port 53.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"suricata.eve.alert.signature_id:2610016 and (event.module:suricata and event.kind:alert)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata non-DNS Traffic on UDP Port 53","version":1},"id":"2d49ace0-1f96-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-15T23:54:05.358Z","version":"WzUyMCwzXQ=="} -------------------------------------------------------------------------------- /Suricata/Searches/Suricata non-FTP Traffic on Port 21.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"suricata.eve.alert.signature_id:2610006 and (event.module:suricata and event.kind:alert)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata non-FTP Traffic on Port 21","version":1},"id":"84939720-1f93-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-15T23:35:03.314Z","version":"WzUxMCwzXQ=="} 
-------------------------------------------------------------------------------- /Suricata/Searches/Suricata non-HTTP Traffic on TCP Port 80.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"suricata.eve.alert.signature_id:2610002 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata non-HTTP Traffic on TCP Port 80","version":1},"id":"0dba3ed0-1f91-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-15T23:25:50.314Z","version":"WzUwNywzXQ=="} -------------------------------------------------------------------------------- /Suricata/Searches/Suricata non-IMAP Traffic on Port 1443 (IMAP).ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"suricata.eve.alert.signature_id:2610010 and (event.module:suricata and event.kind:alert)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata non-IMAP Traffic on Port 1443 
(IMAP)","version":1},"id":"59b24e60-1f94-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-15T23:41:00.870Z","version":"WzUxNCwzXQ=="} -------------------------------------------------------------------------------- /Suricata/Searches/Suricata non-SMB Traffic on TCP Port 139 (SMB).ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"suricata.eve.alert.signature_id:2610011 and (event.module:suricata and event.kind:alert)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata non-SMB Traffic on TCP Port 139 (SMB)","version":1},"id":"85d59790-1f94-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-15T23:42:14.921Z","version":"WzUxNSwzXQ=="} -------------------------------------------------------------------------------- /Suricata/Searches/Suricata non-SSH Traffic on Port 22.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"suricata.eve.alert.signature_id:2610008 and (event.module:suricata and event.kind:alert)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata non-SSH Traffic on 
Port 22","version":1},"id":"fd6f8820-1f93-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-15T23:38:26.082Z","version":"WzUxMiwzXQ=="} -------------------------------------------------------------------------------- /Suricata/Searches/Suricata non-TLS on TLS Port.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"suricata.eve.alert.signature_id:2610004 and (event.module:suricata and event.kind:alert) and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata non-TLS on TLS Port","version":1},"id":"8d9c6f60-1f91-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-15T23:29:24.509Z","version":"WzUwOCwzXQ=="} -------------------------------------------------------------------------------- /Suricata/Searches/Suricata shell_exec PHP Function in an HTTP POST.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"suricata.eve.alert.signature_id:2610087 and (event.module:suricata and 
event.kind:alert)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suricata shell_exec PHP Function in an HTTP POST","version":1},"id":"6fb8ad20-1f9a-11ea-88a2-7b658be60b2a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"9b20e180-1f8b-11ea-88a2-7b658be60b2a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-16T00:24:34.802Z","version":"WzUzMCwzXQ=="} -------------------------------------------------------------------------------- /Windows/BlueKeep Activity Failed Logins for Username AAAAAAA.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["source.ip","user.name"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"user.name:AAAAAAA\",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"query\":{\"match\":{\"event.code\":{\"query\":4625,\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"},\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.code\",\"value\":\"4625\",\"params\":{\"query\":4625},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"}}]}"},"sort":["@timestamp","desc"],"title":"BlueKeep Activity: Failed Logins for Username AAAAAAA","version":1},"id":"4ad53210-8573-11e9-8304-6563802d21a9","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:31.653Z","version":"Wzk4MiwyXQ=="} 
-------------------------------------------------------------------------------- /Windows/CVE-2020-0601/Windows Audit-CVE Event Log Message - CVE-2020-0601 Indicator.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Audit-CVE Event Log Message - CVE-2020-0601 Indicator","version":1},"id":"11fe2f40-37e9-11ea-a905-3f2d2e294037","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-01-15T22:47:55.699Z","version":"WzYyMyw1XQ=="} -------------------------------------------------------------------------------- /Windows/CVE-2020-0601/Windows crypt32.dll Vulnerable to CVE-2020-0601.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"hash.sha256:e832e3a58b542e15a169b1545ce82451ace19bd361fd81764383048528f9b540 or hash.sha1:7a9dd389b0e3c124d4bfe5c1ff15f9a93285514f\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows crypt32.dll Vulnerable to 
CVE-2020-0601","version":1},"id":"c1b50db0-37e8-11ea-a905-3f2d2e294037","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-02-01T20:03:13.060Z","version":"Wzc1Nyw3XQ=="} -------------------------------------------------------------------------------- /Windows/Cacls command activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:cacls.exe or process.name:icacls.exe\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"Process Create (rule: ProcessCreate)\",\"params\":{\"query\":\"Process Create (rule: ProcessCreate)\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"Process Create (rule: ProcessCreate)\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"cacls command activity","version":1},"id":"69922e90-b162-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk1NywyXQ=="} 2 | -------------------------------------------------------------------------------- /Windows/FileZilla network activity.ndjson: 
-------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:filezilla.exe\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"Network connection detected (rule: NetworkConnect)\",\"params\":{\"query\":\"Network connection detected (rule: NetworkConnect)\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"Network connection detected (rule: NetworkConnect)\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"FileZilla network activity","version":1},"id":"ba453150-b169-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk3MiwyXQ=="} -------------------------------------------------------------------------------- /Windows/FileZilla process activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:filezilla.exe\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"Process Create (rule: 
ProcessCreate)\",\"params\":{\"query\":\"Process Create (rule: ProcessCreate)\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"Process Create (rule: ProcessCreate)\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"FileZilla process activity","version":1},"id":"d4525a00-b169-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk3NiwyXQ=="} -------------------------------------------------------------------------------- /Windows/Internet LOLBins/Windows Background Intelligent Transfer Service (BITS) Connecting to the Internet.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:bitsadmin.exe and event.action:\\\"Network connection detected (rule: NetworkConnect)\\\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows: Background Intelligent Transfer Service (BITS) Connecting to the 
Internet","version":1},"id":"68392d30-0ef7-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-11-24T20:17:15.651Z","version":"WzEzMiwyXQ=="} -------------------------------------------------------------------------------- /Windows/Internet LOLBins/Windows Certutil Connecting to the Internet.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:certutil.exe and event.action:\\\"Network connection detected (rule: NetworkConnect)\\\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows: Certutil Connecting to the Internet","version":1},"id":"85048b80-0ef7-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-11-24T20:18:03.959Z","version":"WzEzMywyXQ=="} -------------------------------------------------------------------------------- /Windows/Internet LOLBins/Windows Command Prompt Connecting to the Internet.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:cmd.exe and event.action:\\\"Network connection detected (rule: NetworkConnect)\\\" and not 
destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows: Command Prompt Connecting to the Internet","version":1},"id":"9a0f5af0-0ef7-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-11-24T20:18:39.263Z","version":"WzEzNCwyXQ=="} -------------------------------------------------------------------------------- /Windows/Internet LOLBins/Windows HTML Help executable Program Connecting to the Internet.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:hh.exe and event.action:\\\"Network connection detected (rule: NetworkConnect)\\\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows: HTML Help executable Program Connecting to the Internet","version":1},"id":"e908cb00-0ef7-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-11-24T20:20:51.760Z","version":"WzEzOSwyXQ=="} -------------------------------------------------------------------------------- /Windows/Internet LOLBins/Windows Microsoft HTML Application (HTA) Connecting to the Internet.ndjson: 
-------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:mshta.exe and event.action:\\\"Network connection detected (rule: NetworkConnect)\\\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows: Microsoft HTML Application (HTA) Connecting to the Internet","version":1},"id":"50ad3120-0ef7-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-11-24T20:16:36.146Z","version":"WzEzMSwyXQ=="} -------------------------------------------------------------------------------- /Windows/Internet LOLBins/Windows Misc LOLBin Connecting to the Internet.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"(process.name:expand.exe or process.name:extrac.exe or process.name:ieexec.exe or process.name:makecab.exe) and event.action:\\\"Network connection detected (rule: NetworkConnect)\\\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows: Misc LOLBin Connecting to the 
Internet","version":1},"id":"1056e570-0ef8-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-11-24T20:21:57.703Z","version":"WzE0MSwyXQ=="} -------------------------------------------------------------------------------- /Windows/Internet LOLBins/Windows Powershell Connecting to the Internet.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:powershell.exe and event.action:\\\"Network connection detected (rule: NetworkConnect)\\\" and not destination.ip:169.254.169.254/32 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows: Powershell Connecting to the Internet","version":1},"id":"03a44670-0ef7-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-11-24T20:14:26.903Z","version":"WzEyOSwyXQ=="} -------------------------------------------------------------------------------- /Windows/Internet LOLBins/Windows Register Server Program Connecting to the Internet.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"(process.name:regsvr32.exe or process.name:regsvr64.exe) and 
event.action:\\\"Network connection detected (rule: NetworkConnect)\\\" and not destination.ip:169.254.169.254/32 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows: Register Server Program Connecting to the Internet","version":1},"id":"1c1ee840-0ef7-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-11-24T20:26:12.477Z","version":"WzE0MywyXQ=="} -------------------------------------------------------------------------------- /Windows/Internet LOLBins/Windows Script Interpreter Connecting to the Internet.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"(process.name:cscript.exe or process.name:wscript.exe) and event.action:\\\"Network connection detected (rule: NetworkConnect)\\\" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows: Script Interpreter Connecting to the Internet","version":1},"id":"fba1d720-0ef7-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-11-24T20:21:22.962Z","version":"WzE0MCwyXQ=="} 
-------------------------------------------------------------------------------- /Windows/Ipconfig command activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:ipconfig.exe\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"Process Create (rule: ProcessCreate)\",\"params\":{\"query\":\"Process Create (rule: ProcessCreate)\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"Process Create (rule: ProcessCreate)\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Ipconfig command activity","version":1},"id":"1fe856c0-b149-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk0NCwyXQ=="} -------------------------------------------------------------------------------- /Windows/PSexec activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["process.parent.name"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:PsExec.exe or 
process.name:PsExec64.exe\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"PSexec activity","version":1},"id":"79093800-b153-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk2MCwyXQ=="} -------------------------------------------------------------------------------- /Windows/Powershell download from a URI.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.args:\\\"Invoke-WebRequest\\\" and process.args:\\\"-Uri\\\" and process.args:\\\"-OutFile\\\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"type\":\"phrase\",\"key\":\"process.name\",\"value\":\"powershell.exe\",\"params\":{\"query\":\"powershell.exe\"},\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"process.name\":{\"query\":\"powershell.exe\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Powershell download from a 
URI","version":1},"id":"ceef3560-b164-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk3NSwyXQ=="} -------------------------------------------------------------------------------- /Windows/Process started by Acrobat reader - possible payload.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.parent.name:AcroRd32.exe\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"Process Create (rule: ProcessCreate)\",\"params\":{\"query\":\"Process Create (rule: ProcessCreate)\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"Process Create (rule: ProcessCreate)\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Process started by Acrobat reader - possible 
payload","version":1},"id":"5151b3f0-b180-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk1MiwyXQ=="} -------------------------------------------------------------------------------- /Windows/Process started by Norton Security.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.parent.name:NortonSecurity.exe\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Process started by Norton Security","version":1},"id":"fcb72580-b172-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk4MCwyXQ=="} -------------------------------------------------------------------------------- /Windows/Process started by Windows Defender.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.parent.name:MsMpEng.exe\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Process started by Windows 
Defender","version":1},"id":"e1d23a70-b172-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk3NywyXQ=="} -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Credential Dumping Commands.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.code: 1 and process.args:*Invoke-Mimikatz-DumpCreds* or process.args:*gsecdump* or process.args:*wce* or (process.args:*procdump* and process.args:*lsass*) or (process.args:*ntdsutil* and process.args:*ntds*ifm*create*)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Credential Dumping Commands","version":1},"id":"1a0cc450-148d-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-01T22:55:17.064Z","version":"WzI2MiwyXQ=="} -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Credential Dumping via ImageLoad.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.code:7 and not process.name:Sysmon.exe and not process.name:Sysmon64.exe and not process.name:svchost.exe and not process.name:logonui.exe 
and (file.path:*samlib.dll* or file.path:*WinSCard.dll* or file.path:*cryptdll.dll* or file.path:*hid.dll* or file.path:*vaultcli.dll*)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Credential Dumping via ImageLoad","version":1},"id":"94533ea0-1489-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-01T22:26:11.978Z","version":"WzI1OSwyXQ=="} -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Credential Dumping via Registry Save.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.code: 1 and process.name:reg.exe and process.args:*save* and (process.args:*sam* or process.args:*system*)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Credential Dumping via Registry Save","version":1},"id":"911deaf0-148e-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-01T23:01:54.078Z","version":"WzI2MywyXQ=="} -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Data Compression Using Powershell.ndjson: -------------------------------------------------------------------------------- 1 | 
{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.code: 1 and process.name:powershell.exe and (process.args:*Recurse* and process.args:*Compress-Archive*)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Data Compression Using Powershell","version":1},"id":"feb1ea20-1485-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-01T22:54:46.345Z","version":"WzI2MSwyXQ=="} -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Defense Evasion - Decoding Using Certutil.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.code:1 and process.name:attrib.exe and (process.args:*+h* or process.args:*+s*)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Defense Evasion - Decoding Using Certutil","version":1},"id":"fbc8a280-14a9-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T02:18:09.448Z","version":"WzI3OSwyXQ=="} -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Defense Evasion or Persistence via Hidden Files.ndjson: 
-------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.code:1 and process.name:attrib.exe and (process.args:*+h* or process.args:*+s*)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Defense Evasion or Persistence via Hidden Files","version":1},"id":"57d4bdd0-14a9-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T02:13:34.381Z","version":"WzI3OCwyXQ=="} -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Defense Evasion via Windows Event Log Tools.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.code:1 and process.name:wevtutil.exe\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Defense Evasion via Windows Event Log Tools","version":1},"id":"f1cc8940-14ae-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T02:53:40.180Z","version":"WzI4NSwyXQ=="} -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Defense evasion via Filter Manager.ndjson: 
-------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.code:1 and process.name:fltmc.exe\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Defense evasion via Filter Manager","version":1},"id":"2ccf6390-14b0-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T03:02:28.680Z","version":"WzI4NywyXQ=="} -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Execution via .NET COM Assemblies.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.code:1 and (process.name:regasm.exe or process.name:regsvcs.exe)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Execution via .NET COM Assemblies","version":1},"id":"de087200-14ab-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T02:31:38.528Z","version":"WzI4MywyXQ=="} -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Execution via Compiled HTML File.ndjson: 
-------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.code:1 and process.name:hh.exe\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Execution via Compiled HTML File","version":1},"id":"59596630-14a2-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T01:23:30.451Z","version":"WzI3MSwyXQ=="} -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Execution via Connection Manager.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.code:1 and process.parent.name:pcalua.exe or (process.name:bash.exe or process.name:forfiles.exe or process.name:pcalua.exe)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Execution via Connection Manager","version":1},"id":"abdbd920-14a6-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T01:54:26.866Z","version":"WzI3NSwyXQ=="} -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Execution via Microsoft HTML Application (HTA).ndjson: 
-------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.code:1 and (process.parent.args:*mshta* or process.args:*mshta*)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Execution via Microsoft HTML Application (HTA)","version":1},"id":"19832db0-14a8-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T02:04:40.331Z","version":"WzI3NywyXQ=="} -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Execution via Regsvr32.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.code: 1 and scrobj.dll and (process.name:certutil.exe or process.name:regsvr32.exe or process.name:rundll32.exe)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Execution via Regsvr32","version":1},"id":"e15891f0-14ac-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T02:38:53.583Z","version":"WzI4NCwyXQ=="} -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Execution via Trusted Developer 
Utilities.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.code:1 and (process.name:MSBuild.exe or process.name:msxsl.exe)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Execution via Trusted Developer Utilities","version":1},"id":"5df8a1c0-14ab-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T04:06:28.954Z","version":"WzMyMCwyXQ=="} -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Indirect Command Execution.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.code:1 and process.parent.name:pcalua.exe or (process.name:bash.exe or process.name:forfiles.exe or process.name:pcalua.exe)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Indirect Command Execution","version":1},"id":"e2efb0e0-14a5-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T01:48:49.774Z","version":"WzI3NCwyXQ=="} -------------------------------------------------------------------------------- /Windows/Sentinel/Windows 
Management Instrumentation (WMI) Execution.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.code:1 and (process.parent.args:*wmiprvse.exe* or process.name:wmic.exe or process.args:*wmic* )\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Management Instrumentation (WMI) Execution","version":1},"id":"70b05fd0-14b3-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T03:25:51.053Z","version":"WzI4OSwyXQ=="} -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Payload Obfuscation via Certutil.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.code:1 and process.name:certutil.exe and (process.args:*encode* or process.args:*ToBase64String*)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Payload Obfuscation via Certutil","version":1},"id":"cf952eb0-1493-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-01T23:39:26.362Z","version":"WzI2OCwyXQ=="} 
-------------------------------------------------------------------------------- /Windows/Sentinel/Windows Persistence or Priv Escalation via Hooking.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.code:1 and process.name:mavinject.exe and process.args:*INJECTRUNNING*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Persistence or Priv Escalation via Hooking","version":1},"id":"89538eb0-14a7-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T02:00:38.427Z","version":"WzI3NiwyXQ=="} -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Persistence via Application Shimming.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.code:1 and process.name:sdbinst.exe\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Persistence via Application Shimming","version":1},"id":"6a61eda0-14aa-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T02:21:15.002Z","version":"WzI4MCwyXQ=="} 
-------------------------------------------------------------------------------- /Windows/Sentinel/Windows Persistence via BITS Jobs.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.code:1 and (process.name:bitsadmin.exe or process.args:*Start-BitsTransfer*)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Persistence via BITS Jobs","version":1},"id":"e09ebe30-14b4-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T03:36:08.338Z","version":"WzI5MCwyXQ=="} -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Persistence via Modification of Existing Service.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.code:1 and process.args:*sc*config*binpath* and (process.name:cmd.exe or process.name:powershell.exe or process.name:sc.exe)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Persistence via Modification of Existing 
Service","version":1},"id":"55b5b390-1497-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T00:04:39.881Z","version":"WzI3MCwyXQ=="} -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Persistence via Netshell Helper DLL.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.code:1 and process.name:netsh.exe and process.args:*helper*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Persistence via Netshell Helper DLL","version":1},"id":"fa94c0f0-14aa-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T02:25:16.927Z","version":"WzI4MSwyXQ=="} -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Priv Escalation via Accessibility Features.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.code:1 and process.parent.name:winlogon.exe and (process.name:atbroker.exe or process.name:displayswitch.exe or process.name:magnify.exe or process.name:narrator.exe or process.name:osk.exe or process.name:sethc.exe or 
process.name:utilman.exe)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Priv Escalation via Accessibility Features","version":1},"id":"77dacc30-1492-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-01T23:29:49.683Z","version":"WzI2NywyXQ=="} -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Process Discovery via Tasklist Command.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.code:1 and process.name:tasklist.exe\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Process Discovery via Tasklist Command","version":1},"id":"62bdce20-14af-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T02:56:49.665Z","version":"WzI4NiwyXQ=="} -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Registry Query, Local.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.code: 1 and process.name:reg.exe and process.args:*query* and 
process.args:*reg*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Registry Query, Local","version":1},"id":"251b6560-1490-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-01T23:14:50.045Z","version":"WzI2NSwyXQ=="} -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Registry Query, Network.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.code: 1 and process.name:reg.exe and process.args:*query* and process.args:*reg*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Registry Query, Network","version":1},"id":"6988a370-1490-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-01T23:15:06.663Z","version":"WzI2NiwyXQ=="} -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Remote Management Execution.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"(process.name:wsmprovhost.exe or process.name:winrm.cmd) and (process.args:*Enable-PSRemoting -Force* or 
process.args:*Invoke-Command -computer_name* or process.args:*wmic*node*process call create*)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Remote Management Execution","version":1},"id":"a152f5c0-1496-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-01T23:59:37.244Z","version":"WzI2OSwyXQ=="} -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Scheduled Task Activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.code:1 and (process.name:schtasks.exe or process.name:taskeng.exe) or (event.code:1 and process.name:svchost.exe and not process.parent.executable: \\\"C:\\\\Windows\\\\System32\\\\services.exe\\\" )\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Scheduled Task Activity","version":1},"id":"5acf4a10-14b2-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T03:18:04.849Z","version":"WzI4OCwyXQ=="} -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Signed Binary Proxy Execution Download.ndjson: -------------------------------------------------------------------------------- 1 | 
{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\" event.code:3 and http and (process.name:certutil.exe or process.name:replace.exe)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Signed Binary Proxy Execution Download","version":1},"id":"4dea1540-14a4-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T01:37:30.260Z","version":"WzI3MywyXQ=="} -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Signed Binary Proxy Execution.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.code:1 and http and (process.name:certutil.exe or process.name:msiexec.exe)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Signed Binary Proxy Execution","version":1},"id":"394a8030-14a3-11ea-89c9-297ba237856a","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-12-02T01:29:46.163Z","version":"WzI3MiwyXQ=="} -------------------------------------------------------------------------------- /Windows/Sigma Searches/Process Event Searches/BITSadmin file download activity.ndjson: -------------------------------------------------------------------------------- 1 
| {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:bitsadmin.exe and process.args:*transfer* \",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"Process Create (rule: ProcessCreate)\",\"params\":{\"query\":\"Process Create (rule: ProcessCreate)\"},\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"Process Create (rule: ProcessCreate)\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"BITSadmin file download activity","version":1},"id":"988c7390-ab22-11e9-b37f-a9f6bb2114fd","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-21T02:47:03.745Z","version":"WzQ5LDFd"} -------------------------------------------------------------------------------- /Windows/Sigma Searches/Process Event Searches/Cmdkey Cached Credentials Recon.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["winlog.event_id","process.name","process.parent.name","process.args"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:cmdkey.exe AND process.args:*list*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":" Cmdkey 
Cached Credentials Recon","version":1},"id":"52384110-8496-11e9-afe1-2be72f287c2d","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-21T16:57:40.056Z","version":"WzI4NCwxXQ=="} -------------------------------------------------------------------------------- /Windows/Sigma Searches/Process Event Searches/MavInject Process Injection.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["process.name","process.args"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.args:*INJECTRUNNING*\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"Process Create (rule: ProcessCreate)\",\"params\":{\"query\":\"Process Create (rule: ProcessCreate)\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"Process Create (rule: ProcessCreate)\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"MavInject Process Injection","version":1},"id":"0f8f87a0-849c-11e9-afe1-2be72f287c2d","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-21T16:58:57.512Z","version":"WzI4OCwxXQ=="} -------------------------------------------------------------------------------- /Windows/Sigma 
Searches/Process Event Searches/Suspicious XOR Encoded PowerShell Command Line.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["winlog.event_id","process.name","process.parent.name","process.args"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:powershell.exe AND process.args:*bxor*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Suspicious XOR Encoded PowerShell Command Line","version":1},"id":"16a50da0-8495-11e9-afe1-2be72f287c2d","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-21T17:02:11.340Z","version":"WzI5OSwxXQ=="} -------------------------------------------------------------------------------- /Windows/Sigma Searches/Process Event Searches/WMI SquiblyTwo Attack.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["winlog.event_id","process.name","process.parent.name","process.args"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:wmic.exe AND (process.args:*format* AND process.args:*http*)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"WMI SquiblyTwo Attack","version":1},"id":"3008e180-8496-11e9-afe1-2be72f287c2d","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-21T17:02:39.902Z","version":"WzMwMCwxXQ=="} 
--------------------------------------------------------------------------------
/Windows/Sigma Searches/README.md:
--------------------------------------------------------------------------------
1 | 
2 | ### Rewritten Sigma Rules for ELK
3 | 
4 | So I was asked to take a look at getting the Sigma rules running in ELK. These are rewrites of the Sigma rules for ELK in KQL (Kibana Query Language) and ECS (the Elastic Common Schema), which is needed in order to make searches portable. I wrote these from scratch after reviewing the Sigma rules one by one and creating new KQL searches that look for the same things. I have mapped the MITRE ATT&CK categories from the originals to the new searches.
5 | 
6 | ### Contents
7 | 
8 | SpaceCake to Sigma Matrix: these are a cross-reference of the new searches and the original Sigma rules. I have mapped the MITRE ATT&CK categories from the originals to the new searches.
9 | 
10 | Process Event Searches - these are rewrites of the Sigma rules from the "process_creation" folder. They work on Sysmon process creation events.
11 | 
12 | Windows Event Log Searches - these are rewrites of the Sigma rules from the "builtin" folder. They work on Windows event log events.
13 | -------------------------------------------------------------------------------- /Windows/Sigma Searches/Windows Event Log Searches/Password change on a DSRM account - possible persistence.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"type\":\"phrase\",\"key\":\"event.code\",\"value\":\"4794\",\"params\":{\"query\":\"4794\"},\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4794\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Password change on a DSRM account - possible persistence","version":1},"id":"4a071470-ac06-11e9-b37f-a9f6bb2114fd","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-21T23:45:57.388Z","version":"WzgxNywxXQ=="} -------------------------------------------------------------------------------- /Windows/Sigma Searches/Windows Event Log Searches/Security event log was cleared.ndjson: -------------------------------------------------------------------------------- 1 | 
{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"type\":\"phrases\",\"key\":\"event.code\",\"value\":\"517, 1102\",\"params\":[\"517\",\"1102\"],\"alias\":null,\"negate\":false,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"bool\":{\"should\":[{\"match_phrase\":{\"event.code\":\"517\"}},{\"match_phrase\":{\"event.code\":\"1102\"}}],\"minimum_should_match\":1}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Security event log was cleared.","version":1},"id":"bb2a22a0-0b88-11ea-87bc-db492753243c","migrationVersion":{"search":"7.4.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-11-20T11:27:27.177Z","version":"WzkyOSwxXQ=="} 2 | -------------------------------------------------------------------------------- /Windows/Sigma Searches/Windows Event Log Searches/smbexec.py service installed.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["winlog.event_data.ServiceName","winlog.event_data.ImagePath"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"winlog.event_data.ServiceName:*BTOBTO* and 
\\twinlog.event_data.ImagePath:*execute.bat*\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"type\":\"phrase\",\"key\":\"event.code\",\"value\":\"7045\",\"params\":{\"query\":\"7045\"},\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"7045\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"smbexec.py service installed","version":1},"id":"4d294ef0-abf9-11e9-b37f-a9f6bb2114fd","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-21T23:45:57.388Z","version":"WzgxOCwxXQ=="} -------------------------------------------------------------------------------- /Windows/WinDump activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:WinDump.exe\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"WinDump activity","version":1},"id":"7046d410-b154-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk1OSwyXQ=="} -------------------------------------------------------------------------------- 
/Windows/WinRar activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:winrar.exe\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"WinRar activity","version":1},"id":"32bceed0-b155-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:48:54.308Z","version":"WzkyNiwyXQ=="} -------------------------------------------------------------------------------- /Windows/WinSCP network activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:winscp.exe\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"Network connection detected (rule: NetworkConnect)\",\"params\":{\"query\":\"Network connection detected (rule: NetworkConnect)\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"Network connection detected (rule: NetworkConnect)\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"WinSCP network 
activity","version":1},"id":"9ed3bdb0-b169-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk2NSwyXQ=="} -------------------------------------------------------------------------------- /Windows/WinSCP process activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:winscp.exe\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"Process Create (rule: ProcessCreate)\",\"params\":{\"query\":\"Process Create (rule: ProcessCreate)\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"Process Create (rule: ProcessCreate)\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"WinSCP process activity","version":1},"id":"8ba77240-b169-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk2MiwyXQ=="} 
-------------------------------------------------------------------------------- /Windows/Windows - New External Device Attached.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.code:6416\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows - New External Device Attached","version":1},"id":"6307ccb0-365f-11ea-a00f-cd9081555a24","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-01-13T23:49:49.946Z","version":"WzYyMCw0XQ=="} -------------------------------------------------------------------------------- /Windows/Windows 7Zip activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:7zG.exe or process.name:7zFM.exe\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows 7Zip activity","version":1},"id":"212f90e0-b156-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:48:54.308Z","version":"WzkyNSwyXQ=="} -------------------------------------------------------------------------------- /Windows/Windows Burp CE activity.ndjson: 
-------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:BurpSuiteCommunity.exe\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Burp CE activity","version":1},"id":"99ceb1e0-b154-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:48:54.308Z","version":"WzkyOSwyXQ=="} -------------------------------------------------------------------------------- /Windows/Windows Fiddler proxy activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:fiddler.exe\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Fiddler proxy activity","version":1},"id":"bbf314f0-b154-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:48:54.308Z","version":"WzkzMSwyXQ=="} -------------------------------------------------------------------------------- /Windows/Windows Mimikatz activity.ndjson: -------------------------------------------------------------------------------- 1 | 
{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:mimikatz.exe\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"Process Create (rule: ProcessCreate)\",\"params\":{\"query\":\"Process Create (rule: ProcessCreate)\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"Process Create (rule: ProcessCreate)\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Mimikatz activity","version":1},"id":"fcd850a0-b147-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:48:54.308Z","version":"WzkzNCwyXQ=="} -------------------------------------------------------------------------------- /Windows/Windows Netcat activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:ncat.exe\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"Process Create (rule: ProcessCreate)\",\"params\":{\"query\":\"Process Create (rule: 
ProcessCreate)\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"Process Create (rule: ProcessCreate)\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Netcat activity","version":1},"id":"e0660ed0-b147-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:48:54.308Z","version":"WzkzMywyXQ=="} -------------------------------------------------------------------------------- /Windows/Windows Netcat network activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:ncat.exe\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"connected-to\",\"params\":{\"query\":\"connected-to\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"connected-to\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Netcat network 
activity","version":1},"id":"a1dc45c0-b148-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk2NiwyXQ=="} -------------------------------------------------------------------------------- /Windows/Windows Network Monitor activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:netmon.exe\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Network Monitor activity","version":1},"id":"048e4540-b155-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:48:54.308Z","version":"WzkyMSwyXQ=="} -------------------------------------------------------------------------------- /Windows/Windows WMI command activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:wsmprovhost.exe or process.name:wmiapsrv.exe or process.name:winrs.exe or process.name:wmic.exe\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"Process Create 
(rule: ProcessCreate)\",\"params\":{\"query\":\"Process Create (rule: ProcessCreate)\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"Process Create (rule: ProcessCreate)\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows WMI command activity","version":1},"id":"1cc86fc0-b162-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk0MywyXQ=="} -------------------------------------------------------------------------------- /Windows/Windows Wireshark activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:wireshark.exe\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows Wireshark activity","version":1},"id":"5dba2e90-b155-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:48:54.308Z","version":"WzkyOCwyXQ=="} -------------------------------------------------------------------------------- /Windows/Windows bulk file copy commands.ndjson: 
-------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\" process.name:copy.exe or process.name:robocopy.exe or process.name:xcopy.exe \",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows bulk file copy commands","version":1},"id":"1add7ef0-b17e-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk0MiwyXQ=="} -------------------------------------------------------------------------------- /Windows/Windows certutil command activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:certutil.exe\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"Process Create (rule: ProcessCreate)\",\"params\":{\"query\":\"Process Create (rule: ProcessCreate)\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"Process Create (rule: ProcessCreate)\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows certutil command 
activity","version":1},"id":"a5cab900-b17f-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk2OCwyXQ=="} -------------------------------------------------------------------------------- /Windows/Windows device driver loaded - sysmon event 6.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"Driver loaded (rule: DriverLoad)\",\"params\":{\"query\":\"Driver loaded (rule: DriverLoad)\"},\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"Driver loaded (rule: DriverLoad)\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows device driver loaded - sysmon event 6","version":1},"id":"8fe5b0d0-b16c-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk2NCwyXQ=="} 
-------------------------------------------------------------------------------- /Windows/Windows ftp command activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:ftp.exe\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"Process Create (rule: ProcessCreate)\",\"params\":{\"query\":\"Process Create (rule: ProcessCreate)\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"Process Create (rule: ProcessCreate)\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows ftp command activity","version":1},"id":"5a3b51f0-b15e-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk1NSwyXQ=="} -------------------------------------------------------------------------------- /Windows/Windows image load from a temp directory.ndjson: -------------------------------------------------------------------------------- 1 | 
{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"file.path:Temp\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"Image loaded (rule: ImageLoad)\",\"params\":{\"query\":\"Image loaded (rule: ImageLoad)\"},\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"Image loaded (rule: ImageLoad)\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows image load from a temp directory","version":1},"id":"07f044e0-b169-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:48:54.308Z","version":"WzkyMiwyXQ=="} -------------------------------------------------------------------------------- /Windows/Windows net command activity by the SYSTEM account.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["process.args","user.name"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"user.name:SYSTEM\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"type\":\"phrases\",\"key\":\"process.name\",\"value\":\"net.exe, 
net1.exe\",\"params\":[\"net.exe\",\"net1.exe\"],\"alias\":null,\"negate\":false,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"bool\":{\"should\":[{\"match_phrase\":{\"process.name\":\"net.exe\"}},{\"match_phrase\":{\"process.name\":\"net1.exe\"}}],\"minimum_should_match\":1}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows net command activity by the SYSTEM account","version":1},"id":"1a7f5630-b17a-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk0MSwyXQ=="} -------------------------------------------------------------------------------- /Windows/Windows net localgroup command activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:net.exe and process.args:localgroup\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"Process Create (rule: ProcessCreate)\",\"params\":{\"query\":\"Process Create (rule: ProcessCreate)\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"Process Create (rule: 
ProcessCreate)\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows net localgroup command activity","version":1},"id":"19790890-b160-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk0MCwyXQ=="} -------------------------------------------------------------------------------- /Windows/Windows net use command activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:net.exe and process.args:use\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"Process Create (rule: ProcessCreate)\",\"params\":{\"query\":\"Process Create (rule: ProcessCreate)\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"Process Create (rule: ProcessCreate)\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows net use command 
activity","version":1},"id":"3732e590-b160-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk0NywyXQ=="} -------------------------------------------------------------------------------- /Windows/Windows net user command activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:net.exe and process.args:user\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"Process Create (rule: ProcessCreate)\",\"params\":{\"query\":\"Process Create (rule: ProcessCreate)\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"Process Create (rule: ProcessCreate)\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows net user command activity","version":1},"id":"059ad240-b160-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"WzkzNiwyXQ=="} 
-------------------------------------------------------------------------------- /Windows/Windows netsh command activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:netsh.exe\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"Process Create (rule: ProcessCreate)\",\"params\":{\"query\":\"Process Create (rule: ProcessCreate)\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"Process Create (rule: ProcessCreate)\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows netsh command activity","version":1},"id":"f5105cd0-b149-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk3OSwyXQ=="} -------------------------------------------------------------------------------- /Windows/Windows networking command activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:arp.exe or process.name:hostname.exe or process.name:netstat.exe or process.name:nbtstat.exe or 
process.name:nslookup.exe or process.name:ping.exe or process.name:ssh.exe or process.name:telnet.exe or process.name:tracert.exe\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows networking command activity","version":1},"id":"d73744f0-b17e-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:48:54.308Z","version":"WzkzMiwyXQ=="} -------------------------------------------------------------------------------- /Windows/Windows nmap activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:nmap.exe\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"Process Create (rule: ProcessCreate)\",\"params\":{\"query\":\"Process Create (rule: ProcessCreate)\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"Process Create (rule: ProcessCreate)\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows nmap 
activity","version":1},"id":"315ba790-b149-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk0NiwyXQ=="} -------------------------------------------------------------------------------- /Windows/Windows nmap scan activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:nmap.exe\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"Network connection detected (rule: NetworkConnect)\",\"params\":{\"query\":\"Network connection detected (rule: NetworkConnect)\"},\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"Network connection detected (rule: NetworkConnect)\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows nmap scan activity","version":1},"id":"ffcbd0a0-b153-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk4MSwyXQ=="} 
-------------------------------------------------------------------------------- /Windows/Windows password dumper activity - pwdump.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:pwdump*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows password dumper activity - pwdump","version":1},"id":"7c46f150-b168-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk2MSwyXQ=="} -------------------------------------------------------------------------------- /Windows/Windows process activity in a temp directory.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.executable:Temp and process.executable:Users\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"Process Create (rule: ProcessCreate)\",\"params\":{\"query\":\"Process Create (rule: ProcessCreate)\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"Process Create (rule: ProcessCreate)\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows process activity 
in a temp directory","version":1},"id":"a66c27f0-b165-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk2OSwyXQ=="} -------------------------------------------------------------------------------- /Windows/Windows process activity in a user folder.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.executable:Users\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"Process Create (rule: ProcessCreate)\",\"params\":{\"query\":\"Process Create (rule: ProcessCreate)\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"Process Create (rule: ProcessCreate)\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows process activity in a user folder","version":1},"id":"e3207840-b165-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk3OCwyXQ=="} 
-------------------------------------------------------------------------------- /Windows/Windows process activity in the downloads folder.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.executable:Downloads and process.executable:Users\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"Process Create (rule: ProcessCreate)\",\"params\":{\"query\":\"Process Create (rule: ProcessCreate)\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"Process Create (rule: ProcessCreate)\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows process activity in the downloads folder","version":1},"id":"cc2cc490-b165-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk3NCwyXQ=="} -------------------------------------------------------------------------------- /Windows/Windows process started by the Java runtime.ndjson: -------------------------------------------------------------------------------- 1 | 
{"attributes":{"columns":["process.parent.args"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.parent.name:javaw.exe\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"Process Create (rule: ProcessCreate)\",\"params\":{\"query\":\"Process Create (rule: ProcessCreate)\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"Process Create (rule: ProcessCreate)\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows process started by the Java runtime","version":1},"id":"b4d11660-b15c-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk3MSwyXQ=="} -------------------------------------------------------------------------------- /Windows/Windows putty activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:putty.exe\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"Process Create (rule: ProcessCreate)\",\"params\":{\"query\":\"Process Create (rule: 
ProcessCreate)\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"Process Create (rule: ProcessCreate)\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows putty activity","version":1},"id":"0fc87b70-b15e-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"WzkzOSwyXQ=="} -------------------------------------------------------------------------------- /Windows/Windows runas command activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:runas.exe\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"Process Create (rule: ProcessCreate)\",\"params\":{\"query\":\"Process Create (rule: ProcessCreate)\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"Process Create (rule: ProcessCreate)\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows runas command 
activity","version":1},"id":"8cb6d580-b160-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk2MywyXQ=="} -------------------------------------------------------------------------------- /Windows/Windows scheduled task creation.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:schtasks.exe and process.args:CREATE\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"Process Create (rule: ProcessCreate)\",\"params\":{\"query\":\"Process Create (rule: ProcessCreate)\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"Process Create (rule: ProcessCreate)\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows scheduled task creation","version":1},"id":"59a83250-b161-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk1MywyXQ=="} 
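The saved searches above all share one shape: a Kibana saved object whose `searchSourceJSON` attribute is JSON serialised inside the JSON export, carrying a short KQL query bar (for example `process.name:net.exe and process.args:localgroup`) plus zero or more filter pills (`phrase` on `event.action`, or `phrases` on `process.name`). The following Python is an added example, not code from this repository: it parses that export format, compiles the small KQL subset these searches use (unquoted `field:value` terms with `*` wildcards, `and`/`or`/`not`, parentheses), and replays four of the repository's own searches, copied verbatim, over constructed Sysmon-style events. The events, their `event.id` values and the `run_hunts`/`KqlParser` names are this example's own. Two caveats it makes visible: values are matched with keyword semantics (exact and case-sensitive, `*` as the only wildcard), which is what a real index gives you on a `keyword`-mapped field, so a bare `process.executable:Temp` only matches a path on a `text`-mapped field; and `copy` is a cmd.exe builtin rather than an executable, so `process.name:copy.exe` in the bulk-copy search never fires and the telemetry to look for is `cmd.exe` with `copy` in `process.args`.

```python
"""Replay Kibana saved searches (NDJSON export) against sample Sysmon events.

Added example: parses the saved-object format used throughout this repository,
compiles the KQL subset these searches rely on, and applies query + filter pills.
"""
import json
import re

# Four saved searches copied verbatim from this repository's Windows/ directory.
SAVED_SEARCHES_NDJSON = r'''
{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:net.exe and process.args:localgroup\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"Process Create (rule: ProcessCreate)\",\"params\":{\"query\":\"Process Create (rule: ProcessCreate)\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"Process Create (rule: ProcessCreate)\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows net localgroup command activity","version":1},"id":"19790890-b160-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk0MCwyXQ=="}
{"attributes":{"columns":["process.args","user.name"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"user.name:SYSTEM\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"type\":\"phrases\",\"key\":\"process.name\",\"value\":\"net.exe, net1.exe\",\"params\":[\"net.exe\",\"net1.exe\"],\"alias\":null,\"negate\":false,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"bool\":{\"should\":[{\"match_phrase\":{\"process.name\":\"net.exe\"}},{\"match_phrase\":{\"process.name\":\"net1.exe\"}}],\"minimum_should_match\":1}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows net command activity by the SYSTEM account","version":1},"id":"1a7f5630-b17a-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk0MSwyXQ=="}
{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:pwdump*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows password dumper activity - pwdump","version":1},"id":"7c46f150-b168-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk2MSwyXQ=="}
{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\" process.name:copy.exe or process.name:robocopy.exe or process.name:xcopy.exe \",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows bulk file copy commands","version":1},"id":"1add7ef0-b17e-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk0MiwyXQ=="}
'''

# Constructed ECS-style events with flat dotted keys; event.id is this example's own.
SAMPLE_EVENTS = [
    {"event.id": 1, "event.action": "Process Create (rule: ProcessCreate)", "process.name": "net.exe",
     "process.args": ["net", "localgroup", "administrators", "svc_backup", "/add"], "user.name": "SYSTEM"},
    {"event.id": 2, "event.action": "Process Create (rule: ProcessCreate)", "process.name": "pwdump7.exe",
     "process.args": ["pwdump7.exe"], "user.name": "alice"},
    {"event.id": 3, "event.action": "Process Create (rule: ProcessCreate)", "process.name": "net.exe",
     "process.args": ["net", "use", "\\\\fs01\\share"], "user.name": "bob"},
    # 'copy' is a cmd.exe builtin: this is what a bulk copy really looks like in telemetry.
    {"event.id": 4, "event.action": "Process Create (rule: ProcessCreate)", "process.name": "cmd.exe",
     "process.args": ["cmd.exe", "/c", "copy", "C:\\Users\\bob\\secrets.docx", "\\\\fs01\\share\\"], "user.name": "bob"},
    # Same net.exe localgroup activity but a NetworkConnect record, not a ProcessCreate one.
    {"event.id": 5, "event.action": "Network connection detected (rule: NetworkConnect)", "process.name": "net.exe",
     "process.args": ["net", "localgroup"], "user.name": "SYSTEM"},
]


def _values(event, field):
    """Field values as a list; ECS arrays such as process.args carry several."""
    value = event.get(field)
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wildcard_matches(pattern, value):
    """Keyword semantics: exact, case-sensitive, '*' is the only wildcard."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


class KqlParser:
    """Recursive descent over the subset used by these searches; parse() returns event -> bool."""

    def __init__(self, query):
        self.tokens = re.findall(r"\(|\)|[^\s()]+", query)
        self.pos = 0

    def parse(self):
        if not self.tokens:  # empty query bar (e.g. the DriverLoad search): filters alone decide
            return lambda event: True
        pred = self._or()
        if self.pos != len(self.tokens):
            raise ValueError("unexpected token %r" % self.tokens[self.pos])
        return pred

    def _peek(self):
        return self.tokens[self.pos].lower() if self.pos < len(self.tokens) else None

    def _or(self):
        pred = self._and()
        while self._peek() == "or":
            self.pos += 1
            pred = (lambda left, right: lambda e: left(e) or right(e))(pred, self._and())
        return pred

    def _and(self):
        pred = self._not()
        while self._peek() == "and":
            self.pos += 1
            pred = (lambda left, right: lambda e: left(e) and right(e))(pred, self._not())
        return pred

    def _not(self):
        if self._peek() == "not":
            self.pos += 1
            inner = self._not()
            return lambda e: not inner(e)
        return self._primary()

    def _primary(self):
        if self.pos >= len(self.tokens):
            raise ValueError("unexpected end of query")
        token = self.tokens[self.pos]
        self.pos += 1
        if token == "(":
            pred = self._or()
            if self._peek() != ")":
                raise ValueError("missing ')'")
            self.pos += 1
            return pred
        if ":" not in token:
            raise ValueError("unsupported term %r" % token)
        field, pattern = token.split(":", 1)
        return lambda e: any(_wildcard_matches(pattern, str(v)) for v in _values(e, field))


def _filter_matches(event, flt):
    """Filter pills: 'phrase' is one exact value, 'phrases' is any of several; honour negate."""
    meta = flt["meta"]
    if meta["type"] == "phrase":
        wanted = [meta["params"]["query"]]
    elif meta["type"] == "phrases":
        wanted = list(meta["params"])
    else:
        raise ValueError("unsupported filter type %r" % meta["type"])
    hit = any(str(v) in wanted for v in _values(event, meta["key"]))
    return hit != bool(meta.get("negate"))


def load_saved_searches(ndjson_text):
    """searchSourceJSON is JSON serialised inside the JSON export, hence the double loads."""
    searches = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        if obj.get("type") != "search":
            continue
        attrs = obj["attributes"]
        source = json.loads(attrs["kibanaSavedObjectMeta"]["searchSourceJSON"])
        searches.append({
            "title": attrs["title"],
            "predicate": KqlParser(source["query"]["query"]).parse(),
            "filters": [f for f in source.get("filter", []) if not f["meta"].get("disabled")],
        })
    return searches


def search_hits(search, events):
    """event.id values satisfying the query bar AND every enabled filter pill."""
    return [e["event.id"] for e in events
            if search["predicate"](e) and all(_filter_matches(e, f) for f in search["filters"])]


def run_hunts(ndjson_text=SAVED_SEARCHES_NDJSON, events=SAMPLE_EVENTS):
    return {s["title"]: search_hits(s, events) for s in load_saved_searches(ndjson_text)}


if __name__ == "__main__":
    for title, hits in run_hunts().items():
        print("%-55s %s" % (title, hits))
```

Event 5 is the instructive one: the `net localgroup` search misses it because its `event.action` pill only admits `Process Create (rule: ProcessCreate)` records, while the SYSTEM `net` search, which has no such pill, reports it alongside event 1. Event 4 never shows up in the bulk-copy search for the reason given above; a search that keyed on `process.name:cmd.exe and process.args:copy` would.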
-------------------------------------------------------------------------------- /Windows/Windows schtasks command activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:schtasks.exe\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"Process Create (rule: ProcessCreate)\",\"params\":{\"query\":\"Process Create (rule: ProcessCreate)\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"Process Create (rule: ProcessCreate)\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows schtasks command activity","version":1},"id":"055a8a60-b15f-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"WzkzNSwyXQ=="} -------------------------------------------------------------------------------- /Windows/Windows script interpreter activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\" process.name:cscript.exe or process.name:powershell.exe or 
process.name:wscript.exe\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows script interpreter activity","version":1},"id":"5a2ad430-b17f-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk1NCwyXQ=="} -------------------------------------------------------------------------------- /Windows/Windows tasklist command activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:tasklist.exe\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"Process Create (rule: ProcessCreate)\",\"params\":{\"query\":\"Process Create (rule: ProcessCreate)\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"Process Create (rule: ProcessCreate)\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows tasklist command 
activity","version":1},"id":"0dc9e4f0-b161-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"WzkzOCwyXQ=="} -------------------------------------------------------------------------------- /Windows/Windows whoami command activity.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"process.name:whoami.exe\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"Process Create (rule: ProcessCreate)\",\"params\":{\"query\":\"Process Create (rule: ProcessCreate)\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"Process Create (rule: ProcessCreate)\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":["@timestamp","desc"],"title":"Windows whoami command activity","version":1},"id":"6f4da800-b149-11e9-a377-0327b6022b41","migrationVersion":{"search":"7.0.0"},"references":[{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"7e08c6d0-a96b-11e9-9bd8-67cb9a1ae39a","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2019-07-28T21:49:04.428Z","version":"Wzk1OCwyXQ=="} 
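The saved searches above are Kibana export objects: the KQL lives in `attributes.kibanaSavedObjectMeta.searchSourceJSON` as a JSON string, and the `event.action: "Process Create (rule: ProcessCreate)"` pin is a separate phrase filter, not part of the query. The following is an added example, not code from this repository, that loads objects in that shape and runs the scheduled task, schtasks, script interpreter and whoami searches over a handful of constructed ECS-shaped Sysmon events. The sample export is built from the page's titles and KQL with everything else trimmed, the events are invented for illustration, and the KQL evaluator covers only `field:value` terms joined by `and`/`or`, which is all these searches use.

```python
import json
import re

PROCESS_CREATE = "Process Create (rule: ProcessCreate)"

def _saved_search(title, kql, pin_process_create=True):
    """Constructed saved-search line shaped like the repo's Kibana exports (filter meta only)."""
    filters = [{"meta": {"negate": False, "type": "phrase", "disabled": False,
                         "key": "event.action", "value": PROCESS_CREATE}}] if pin_process_create else []
    source = {"query": {"query": kql, "language": "kuery"}, "filter": filters}
    meta = {"searchSourceJSON": json.dumps(source)}
    return json.dumps({"type": "search", "attributes": {"title": title, "kibanaSavedObjectMeta": meta}})

# Constructed export: titles and KQL are the repository's, the rest is trimmed to what the loader reads.
SAMPLE_NDJSON = "\n".join([
    _saved_search("Windows scheduled task creation", "process.name:schtasks.exe and process.args:CREATE"),
    _saved_search("Windows schtasks command activity", "process.name:schtasks.exe"),
    _saved_search("Windows script interpreter activity",
                  "process.name:cscript.exe or process.name:powershell.exe or process.name:wscript.exe",
                  pin_process_create=False),
    _saved_search("Windows whoami command activity", "process.name:whoami.exe"),
])

# Constructed ECS-shaped Sysmon events, as Winlogbeat would index them (invented values).
SAMPLE_EVENTS = [
    {"event": {"action": PROCESS_CREATE}, "process": {"name": "schtasks.exe",
     "args": ["schtasks.exe", "/CREATE", "/TN", "Updater", "/TR", "C:\\Users\\Public\\u.exe"]}},
    {"event": {"action": PROCESS_CREATE}, "process": {"name": "schtasks.exe", "args": ["schtasks.exe", "/QUERY"]}},
    {"event": {"action": "Network connection detected (rule: NetworkConnect)"}, "process": {"name": "powershell.exe"}},
    {"event": {"action": "Process terminated (rule: ProcessTerminate)"}, "process": {"name": "whoami.exe"}},
]

def load_saved_searches(ndjson_text):
    """Parse Kibana saved-search objects into title, KQL string and pinned phrase filters."""
    searches = []
    for line in filter(str.strip, ndjson_text.splitlines()):
        obj = json.loads(line)
        if obj.get("type") != "search":      # exports also carry index-patterns, dashboards, ...
            continue
        attrs = obj["attributes"]
        src = json.loads(attrs["kibanaSavedObjectMeta"]["searchSourceJSON"])
        filters = []
        for meta in (f["meta"] for f in src.get("filter", [])):
            if meta.get("disabled"):
                continue
            if meta.get("type") != "phrase":
                raise ValueError(f"filter type {meta.get('type')!r} not supported here")
            filters.append((meta["key"], meta["value"], bool(meta.get("negate"))))
        searches.append({"title": attrs["title"], "query": src.get("query", {}).get("query", ""),
                         "filters": filters})
    return searches

# Tokens: field:"quoted value", field:value, and, or. Enough for every search in this repo.
_TOKEN_RE = re.compile(r'(?:[^\s":]+:)?"[^"]*"|[^\s"]+')
_WORD_RE = re.compile(r"[a-z0-9]+")

def _parse(kql):
    """Split 'a:b and c:d or e:f' into OR-groups of AND-ed (field, value) terms."""
    groups, current = [], []
    for tok in _TOKEN_RE.findall(kql):
        if tok.lower() == "or":
            groups.append(current)
            current = []
        elif tok.lower() != "and":
            field, _, value = tok.partition(":")
            current.append((field, value.strip('"')))
    return groups + [current]

def _flatten(obj, prefix=""):
    """Turn nested ECS documents into {'process.name': ..., 'process.args': [...]}."""
    flat = {}
    for k, v in obj.items():
        if isinstance(v, dict):
            flat.update(_flatten(v, f"{prefix}{k}."))
        else:
            flat[f"{prefix}{k}"] = v
    return flat

def _term_matches(flat, field, value):
    actual = flat.get(field)
    if actual is None:
        return False
    want = value.lower()
    for v in (actual if isinstance(actual, list) else [actual]):
        v = str(v).lower()
        # Exact comparison is what a keyword-mapped field gives you; the token comparison
        # approximates a text-mapped field, which is what lets process.args:CREATE hit "/CREATE".
        if v == want or want in _WORD_RE.findall(v):
            return True
    return False

def search_matches(search, event):
    """True if the event passes every pinned filter and then the KQL query."""
    flat = _flatten(event)
    for key, value, negate in search["filters"]:
        if _term_matches(flat, key, value) == negate:
            return False
    return any(all(_term_matches(flat, f, v) for f, v in group) for group in _parse(search["query"]))

def run_searches(ndjson_text, events):
    """Map each saved-search title to the indexes of the sample events it matches."""
    return {s["title"]: [i for i, e in enumerate(events) if search_matches(s, e)]
            for s in load_saved_searches(ndjson_text)}
```

Two things the run makes visible. The script interpreter search is exported with `"filter":[]`, so unlike its neighbours it is not pinned to process creation and fires on every Sysmon event type for those binaries (the powershell.exe network-connection event here), which is a lot noisier than a ProcessCreate-only search. And whether `process.args:CREATE` hits `/CREATE` depends on the mapping of `process.args`: the token comparison in the example models a text mapping; on a keyword mapping, which is the ECS default for that field, the term has to equal the whole, case-sensitive array element, so neither `/CREATE` nor an attacker's lower-case `/create` would match and the query would need a wildcard such as `process.args:*create*` plus a case-insensitive mapping or an explicit `or` on both casings.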
-------------------------------------------------------------------------------- /img/adama-cic-2.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/b4a24455d984638e80bd4aa25a0214131deac875/img/adama-cic-2.jpg -------------------------------------------------------------------------------- /img/adama-cic.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/b4a24455d984638e80bd4aa25a0214131deac875/img/adama-cic.jpg -------------------------------------------------------------------------------- /img/cylon 2.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/b4a24455d984638e80bd4aa25a0214131deac875/img/cylon 2.jpg -------------------------------------------------------------------------------- /img/cylon.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/b4a24455d984638e80bd4aa25a0214131deac875/img/cylon.jpg -------------------------------------------------------------------------------- /img/pacu.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/b4a24455d984638e80bd4aa25a0214131deac875/img/pacu.png -------------------------------------------------------------------------------- /img/snorts.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/b4a24455d984638e80bd4aa25a0214131deac875/img/snorts.png -------------------------------------------------------------------------------- /img/snorts2.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/randomuserid/Adama/b4a24455d984638e80bd4aa25a0214131deac875/img/snorts2.png --------------------------------------------------------------------------------