Repository: beahunt3r/Windows-Hunting
Branch: master
Commit: d9e0df8434f1
Files: 52
Total size: 29.1 KB
Directory structure:
gitextract_rqzb9198/
├── Persistence/
│ └── Registry Autoruns/
│ ├── Appinit Dlls
│ ├── Boot Execute
│ ├── Codecs
│ ├── Drivers
│ ├── Explorer
│ ├── Image Hijacks
│ ├── Internet Explorer
│ ├── KnownDlls
│ ├── LSA Providers
│ ├── Logon
│ ├── Network Providers
│ ├── Office
│ ├── Print Monitor
│ ├── Services
│ ├── WinLogon
│ └── WinSocket Providers
├── README.md
├── WindowsDefenderATP Hunting Queries /
│ ├── APT_IR_CNC_Possible RDP Tunnel
│ ├── APT_IR_CNC_rdp enable
│ ├── APT_IR_Execution_Echo
│ ├── APT_IR_Persistance_AccountCreation
│ ├── APT_IR_Persistance_LocalAccounts
│ ├── APT_IR_Persistance_LocalGroups
│ ├── APT_IR_Persistance_secedit
│ ├── Alert_Summary by AlertTitle
│ ├── Alert_Summary by Category
│ ├── Alert_Summary by ComputerName
│ ├── Alert_Summary by FIleName
│ ├── Alert_WDAVDetection
│ ├── Indication_ClearEventlog
│ ├── Indication_OutPut_Redirection
│ ├── Indication_RemoteShareMounting
│ ├── Indication_Tool_IMPACKET artifact
│ ├── Indication_Tool_ProcDump_possible
│ ├── Network_Cscript_Wscript
│ ├── Network_PowerShell
│ ├── Process_Bitsadmin Executions
│ ├── Process_Bitsadmin transfer
│ ├── Process_Certutil_decode in appdata
│ ├── Process_Possible_MSOffice_Abuse
│ ├── Process_Rundll32_Control_RunDLL
│ ├── Process_Rundll32_DllRegisterServer
│ ├── Process_Rundll32_Sus
│ ├── Process_Rundll32_possible hta remote
│ ├── Process_Rundll32_roaming
│ ├── Process_at.exe execution
│ ├── Process_wmic_process call
│ ├── Process_wscript_js execution
│ ├── Process_wscript_suspicious rar:zip
│ └── SHELL Detection/
│ ├── Persistence_Potential DLL WebShell_Suspicious IIS module detected
│ └── Process_Persistence_Potential WebShell Execution
└── _config.yml
================================================
FILE CONTENTS
================================================
================================================
FILE: Persistence/Registry Autoruns/Appinit Dlls
================================================
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls
================================================
FILE: Persistence/Registry Autoruns/Boot Execute
================================================
HKLM\System\CurrentControlSet\Control\ServiceControlManagerExtension
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
HKLM\System\CurrentControlSet\Control\Session Manager\Execute
HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand
HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute
================================================
FILE: Persistence/Registry Autoruns/Codecs
================================================
HKCU\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
HKCU\Software\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
HKCU\Software\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance
HKCU\Software\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance
HKCU\Software\Classes\Filter
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
HKCU\Software\Wow6432Node\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
HKCU\Software\Wow6432Node\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
HKCU\Software\Wow6432Node\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance
HKCU\Software\Wow6432Node\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance
HKCU\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
HKLM\Software\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
HKLM\Software\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance
HKLM\Software\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance
HKLM\Software\Classes\Filter
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
HKLM\Software\Wow6432Node\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
HKLM\Software\Wow6432Node\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
HKLM\Software\Wow6432Node\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance
HKLM\Software\Wow6432Node\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
================================================
FILE: Persistence/Registry Autoruns/Drivers
================================================
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers
HKLM\System\CurrentControlSet\Services
================================================
FILE: Persistence/Registry Autoruns/Explorer
================================================
HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers
HKCU\Software\Classes\*\ShellEx\PropertySheetHandlers
HKCU\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
HKCU\Software\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers
HKCU\Software\Classes\AllFileSystemObjects\ShellEx\PropertySheetHandlers
HKCU\Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32
HKCU\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
HKCU\Software\Classes\Directory\ShellEx\ContextMenuHandlers
HKCU\Software\Classes\Directory\Shellex\CopyHookHandlers
HKCU\Software\Classes\Directory\Shellex\DragDropHandlers
HKCU\Software\Classes\Directory\Shellex\PropertySheetHandlers
HKCU\Software\Classes\Drive\ShellEx\ContextMenuHandlers
HKCU\Software\Classes\Folder\Shellex\ColumnHandlers
HKCU\Software\Classes\Folder\ShellEx\ContextMenuHandlers
HKCU\Software\Classes\Folder\ShellEx\DragDropHandlers
HKCU\Software\Classes\Folder\ShellEx\ExtShellFolderViews
HKCU\Software\Classes\Folder\ShellEx\PropertySheetHandlers
HKCU\SOFTWARE\Classes\Protocols\Filter
HKCU\SOFTWARE\Classes\Protocols\Handler
HKCU\Software\Microsoft\Ctf\LangBarAddin
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\*\ShellEx\PropertySheetHandlers
HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers
HKLM\Software\Classes\AllFileSystemObjects\ShellEx\PropertySheetHandlers
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\Directory\Shellex\CopyHookHandlers
HKLM\Software\Classes\Directory\Shellex\DragDropHandlers
HKLM\Software\Classes\Directory\Shellex\PropertySheetHandlers
HKLM\Software\Classes\Drive\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\Folder\ShellEx\DragDropHandlers
HKLM\Software\Classes\Folder\ShellEx\ExtShellFolderViews
HKLM\Software\Classes\Folder\ShellEx\PropertySheetHandlers
HKLM\SOFTWARE\Classes\Protocols\Filter
HKLM\SOFTWARE\Classes\Protocols\Handler
HKLM\Software\Microsoft\Ctf\LangBarAddin
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKLM\Software\Wow6432Node\Classes\*\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\*\ShellEx\PropertySheetHandlers
HKLM\Software\Wow6432Node\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers
HKLM\Software\Wow6432Node\Classes\AllFileSystemObjects\ShellEx\PropertySheetHandlers
HKLM\Software\Wow6432Node\Classes\Directory\Background\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\Directory\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\Directory\Shellex\CopyHookHandlers
HKLM\Software\Wow6432Node\Classes\Directory\Shellex\DragDropHandlers
HKLM\Software\Wow6432Node\Classes\Directory\Shellex\PropertySheetHandlers
HKLM\Software\Wow6432Node\Classes\Drive\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\Folder\Shellex\ColumnHandlers
HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\DragDropHandlers
HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\ExtShellFolderViews
HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\PropertySheetHandlers
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
================================================
FILE: Persistence/Registry Autoruns/Image Hijacks
================================================
HKCU\Software\Classes\.cmd
HKCU\Software\Classes\.exe
HKCU\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)
HKCU\SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)
HKCU\Software\Microsoft\Command Processor\Autorun
HKLM\Software\Classes\.cmd
HKLM\Software\Classes\.exe
HKLM\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)
HKLM\SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)
HKLM\Software\Microsoft\Command Processor\Autorun
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\Software\Wow6432Node\Microsoft\Command Processor\Autorun
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
================================================
FILE: Persistence/Registry Autoruns/Internet Explorer
================================================
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars
HKCU\Software\Microsoft\Internet Explorer\Extensions
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars
HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Extensions
HKLM\Software\Microsoft\Internet Explorer\Toolbar
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
================================================
FILE: Persistence/Registry Autoruns/KnownDlls
================================================
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
================================================
FILE: Persistence/Registry Autoruns/LSA Providers
================================================
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
================================================
FILE: Persistence/Registry Autoruns/Logon
================================================
HKCU\Environment\UserInitMprLogonScript
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff
HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon
HKCU\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\Environment\UserInitMprLogonScript
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
HKLM\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect
HKLM\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\IconServiceLib
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown
HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logoff
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup
HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnConnect
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnDisconnect
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell
HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram
================================================
FILE: Persistence/Registry Autoruns/Network Providers
================================================
HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
================================================
FILE: Persistence/Registry Autoruns/Office
================================================
HKCU\SOFTWARE\Microsoft\Office test\Special\Perf\(Default)
HKCU\Software\Microsoft\Office\Access\Addins
HKCU\Software\Microsoft\Office\Excel\Addins
HKCU\Software\Microsoft\Office\Outlook\Addins
HKCU\Software\Microsoft\Office\PowerPoint\Addins
HKCU\Software\Microsoft\Office\Word\Addins
HKCU\Software\Wow6432Node\Microsoft\Office\Access\Addins
HKCU\Software\Wow6432Node\Microsoft\Office\Excel\Addins
HKCU\Software\Wow6432Node\Microsoft\Office\Outlook\Addins
HKCU\Software\Wow6432Node\Microsoft\Office\PowerPoint\Addins
HKCU\Software\Wow6432Node\Microsoft\Office\Word\Addins
HKLM\SOFTWARE\Microsoft\Office test\Special\Perf\(Default)
HKLM\Software\Microsoft\Office\Access\Addins
HKLM\Software\Microsoft\Office\Excel\Addins
HKLM\Software\Microsoft\Office\Outlook\Addins
HKLM\Software\Microsoft\Office\PowerPoint\Addins
HKLM\Software\Microsoft\Office\Word\Addins
HKLM\Software\Wow6432Node\Microsoft\Office\Access\Addins
HKLM\Software\Wow6432Node\Microsoft\Office\Excel\Addins
HKLM\Software\Wow6432Node\Microsoft\Office\Outlook\Addins
HKLM\Software\Wow6432Node\Microsoft\Office\PowerPoint\Addins
HKLM\Software\Wow6432Node\Microsoft\Office\Word\Addins
================================================
FILE: Persistence/Registry Autoruns/Print Monitor
================================================
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers
================================================
FILE: Persistence/Registry Autoruns/Services
================================================
HKLM\System\CurrentControlSet\Services
HKLM\System\ControlSet001
HKLM\System\ControlSet002
================================================
FILE: Persistence/Registry Autoruns/WinLogon
================================================
HKLM\SYSTEM\Setup\CmdLine
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
HKCU\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe
HKCU\Control Panel\Desktop\Scrnsave.exe
HKLM\System\CurrentControlSet\Control\BootVerificationProgram\ImagePath
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GpExtensions
================================================
FILE: Persistence/Registry Autoruns/WinSocket Providers
================================================
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64
================================================
FILE: README.md
================================================
Windows-Hunting
The purpose of this repository is to help Windows threat hunters look for common artifacts during their day-to-day operations.
Feel free to contribute.
================================================
FILE: WindowsDefenderATP Hunting Queries /APT_IR_CNC_Possible RDP Tunnel
================================================
// Possible RDP tunnel
ProcessCreationEvents
| where EventTime > ago(10d)
| where (ProcessCommandLine contains ":3389" or ProcessCommandLine contains ":6511")
| project EventTime, ComputerName, AccountName, InitiatingProcessFileName, ActionType, FileName, ProcessCommandLine, InitiatingProcessCommandLine
================================================
FILE: WindowsDefenderATP Hunting Queries /APT_IR_CNC_rdp enable
================================================
// Allow RDP connection
// First clause: Windows Update service (wuauserv) set to DISABLED via "sc config";
// second clause: RDP enabled by setting Terminal Server\fDenyTSConnections to 0x0
ProcessCreationEvents
| where EventTime > ago(7d)
| where ( ProcessCommandLine contains "SC CONFIG" and ProcessCommandLine contains "DISABLED" and ProcessCommandLine contains "wuauserv" )
or (ProcessCommandLine contains "Terminal Serve" and ProcessCommandLine contains "fDenyTSConnections" and ProcessCommandLine contains "0x0" )
//| summarize makeset(ComputerName), makeset(AccountName), makeset(ProcessCommandLine) by InitiatingProcessFileName
| project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName
================================================
FILE: WindowsDefenderATP Hunting Queries /APT_IR_Execution_Echo
================================================
// inf file echo creation
ProcessCreationEvents
| where EventTime > ago(17d)
| where ProcessCommandLine contains "echo" and ProcessCommandLine contains ".inf"
//| summarize makeset(ComputerName), makeset(AccountName), makeset(ProcessCommandLine) by InitiatingProcessFileName
| project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName
================================================
FILE: WindowsDefenderATP Hunting Queries /APT_IR_Persistance_AccountCreation
================================================
// Accounts Creation
ProcessCreationEvents
| where EventTime > ago(7d)
| where ProcessCommandLine contains "net user" and ProcessCommandLine contains "/add"
//| summarize makeset(ComputerName), makeset(AccountName), makeset(ProcessCommandLine) by InitiatingProcessFileName
| project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName
================================================
FILE: WindowsDefenderATP Hunting Queries /APT_IR_Persistance_LocalAccounts
================================================
// Local Accounts Activation
ProcessCreationEvents
| where EventTime > ago(7d)
| where ProcessCommandLine contains "Administrator /active:yes" or ProcessCommandLine contains "guest /active:yes"
//| summarize makeset(ComputerName), makeset(AccountName), makeset(ProcessCommandLine) by InitiatingProcessFileName
| project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName
================================================
FILE: WindowsDefenderATP Hunting Queries /APT_IR_Persistance_LocalGroups
================================================
// User Addition to Local Groups
ProcessCreationEvents
| where EventTime > ago(7d)
| where ProcessCommandLine contains "localgroup" and ProcessCommandLine contains "/add" and ( ProcessCommandLine contains "Remote Desktop Users" or ProcessCommandLine contains "administrators")
//| summarize makeset(ComputerName), makeset(AccountName), makeset(ProcessCommandLine) by InitiatingProcessFileName
| project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName
================================================
FILE: WindowsDefenderATP Hunting Queries /APT_IR_Persistance_secedit
================================================
// secedit.exe executions (local security policy export/import)
// Look for 'InitiatingProcessFileName'
ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName contains "SECEDIT"
//| where ProcessCommandLine == @"secedit.exe /export /cfg ** .inf"
| summarize makeset(ComputerName), makeset(AccountName), makeset(ProcessCommandLine) by InitiatingProcessFileName
================================================
FILE: WindowsDefenderATP Hunting Queries /Alert_Summary by AlertTitle
================================================
AlertEvents
| where EventTime > ago(7d)
| summarize makeset(FileName), dcount(FileName), makeset(ComputerName), makeset(Category), dcount(ComputerName) by Title
| sort by dcount_ComputerName desc
================================================
FILE: WindowsDefenderATP Hunting Queries /Alert_Summary by Category
================================================
AlertEvents
| where EventTime > ago(7d)
| summarize dcount(ComputerName), dcount(FileName), makeset(FileName), makeset(ComputerName) by Category, Severity
| sort by dcount_ComputerName desc
================================================
FILE: WindowsDefenderATP Hunting Queries /Alert_Summary by ComputerName
================================================
AlertEvents
| where EventTime > ago(7d)
| summarize dcount(Category), dcount(FileName), makeset(Category), makeset(FileName) by ComputerName, Severity
| sort by dcount_Category desc
================================================
FILE: WindowsDefenderATP Hunting Queries /Alert_Summary by FIleName
================================================
AlertEvents
| where EventTime > ago(7d)
| summarize dcount(ComputerName), dcount(Category), makeset(Severity), makeset(Category), makeset(ComputerName) by FileName
| sort by dcount_ComputerName desc
================================================
FILE: WindowsDefenderATP Hunting Queries /Alert_WDAVDetection
================================================
MiscEvents
| where EventTime > ago(17d)
| where ActionType == "WDAVDetection"
| summarize makeset(FileName), makeset(InitiatingProcessParentFileName), makeset(InitiatingProcessFileName), makeset(InitiatingProcessCommandLine), makeset(FolderPath), makeset(InitiatingProcessFolderPath), makeset(AccountName) by ComputerName
================================================
FILE: WindowsDefenderATP Hunting Queries /Indication_ClearEventlog
================================================
// Call ClearEventlog
ProcessCreationEvents
| where EventTime > ago(10d)
| where ProcessCommandLine contains "call ClearEventlog" or InitiatingProcessCommandLine contains "call ClearEventlog"
| summarize makeset(ComputerName), makeset(AccountName), dcount(ComputerName) by InitiatingProcessFileName, ProcessCommandLine
| sort by dcount_ComputerName desc
================================================
FILE: WindowsDefenderATP Hunting Queries /Indication_OutPut_Redirection
================================================
// OutPut Redirection
ProcessCreationEvents
| where EventTime > ago(10d)
| where ProcessCommandLine contains "2>&1"
| summarize makeset(ComputerName), makeset(AccountName), dcount(ComputerName) by InitiatingProcessFileName, ProcessCommandLine
| sort by dcount_ComputerName desc
================================================
FILE: WindowsDefenderATP Hunting Queries /Indication_RemoteShareMounting
================================================
// Remote Share Mounting
ProcessCreationEvents
| where EventTime > ago(7d)
| where ProcessCommandLine contains "net.exe"
| where ProcessCommandLine contains "\\c$" or ProcessCommandLine contains "\\admin$" or ProcessCommandLine contains "\\ipc$"
================================================
FILE: WindowsDefenderATP Hunting Queries /Indication_Tool_IMPACKET artifact
================================================
// Default IMPACKET artifact in cmdln
ProcessCreationEvents
| where EventTime > ago(10d)
| where ProcessCommandLine contains "127.0.0.1\\ADMIN$\\" and ProcessCommandLine contains "2>&1"
| project EventTime , InitiatingProcessFileName , ProcessCommandLine, AccountName , ComputerName
| sort by InitiatingProcessFileName desc
| top 1000 by EventTime
================================================
FILE: WindowsDefenderATP Hunting Queries /Indication_Tool_ProcDump_possible
================================================
// Possible Procdump
ProcessCreationEvents
| where EventTime > ago(10d)
| where (ProcessCommandLine contains "-accepteula" and ProcessCommandLine contains "1>") or (ProcessCommandLine contains "-accepteula" and ProcessCommandLine contains "-ma")
| summarize makeset(ComputerName), makeset(AccountName), dcount(ComputerName) by InitiatingProcessFileName, ProcessCommandLine
| sort by dcount_ComputerName desc
================================================
FILE: WindowsDefenderATP Hunting Queries /Network_Cscript_Wscript
================================================
NetworkCommunicationEvents
| where EventTime > ago(7d)
| where InitiatingProcessFileName in ("cscript.exe", "wscript.exe")
| summarize makeset(InitiatingProcessParentName), makeset(RemoteUrl), makeset(RemotePort), makeset(InitiatingProcessAccountName) ,dcount(RemoteUrl) by InitiatingProcessCommandLine
| sort by dcount_RemoteUrl desc
================================================
FILE: WindowsDefenderATP Hunting Queries /Network_PowerShell
================================================
NetworkCommunicationEvents
| where EventTime > ago(1d)
| where InitiatingProcessFileName =~ "powershell.exe"
| summarize makeset(RemoteUrl), makeset(RemotePort), makeset(InitiatingProcessAccountName) ,dcount(RemoteUrl) by InitiatingProcessCommandLine
| sort by dcount_RemoteUrl desc
================================================
FILE: WindowsDefenderATP Hunting Queries /Process_Bitsadmin Executions
================================================
// Bitsadmin Executions
ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName contains "bitsadmin.exe"
| where ProcessCommandLine contains "/TRANSFER" or ProcessCommandLine contains "/CREATE" or ProcessCommandLine contains "/ADDFILE"
or ProcessCommandLine contains "/SETPROXY" or ProcessCommandLine contains "/SETNOTIFYCMDLINE" or ProcessCommandLine contains "/SETCUSTOMHEADERS"
or ProcessCommandLine contains "/SETSECURITYFLAGS" or ProcessCommandLine contains "/SETREPLYFILENAME"
| project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName
| top 1000 by EventTime
================================================
FILE: WindowsDefenderATP Hunting Queries /Process_Bitsadmin transfer
================================================
// download using bitsadmin
ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName =~ "bitsadmin.exe"
| where ProcessCommandLine contains "/transfer"
| project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName
| top 1000 by EventTime
================================================
FILE: WindowsDefenderATP Hunting Queries /Process_Certutil_decode in appdata
================================================
// Certutil Decode in Appdata
ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName =~ "certutil.exe"
| where ProcessCommandLine contains "-decode" and ProcessCommandLine contains "\\AppData\\"
| project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName
| top 1000 by EventTime
================================================
FILE: WindowsDefenderATP Hunting Queries /Process_Possible_MSOffice_Abuse
================================================
// Possible_MSOffice_Abuse
ProcessCreationEvents
| where EventTime > ago(1d)
| where InitiatingProcessParentName contains "winword.exe" or InitiatingProcessParentName contains "excel.exe" or InitiatingProcessParentName contains "powerpnt.exe"
| where FileName contains "cscript" or FileName contains "wscript" or FileName contains "powershell"
| project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessParentName, AccountName
| top 1000 by EventTime
================================================
FILE: WindowsDefenderATP Hunting Queries /Process_Rundll32_Control_RunDLL
================================================
// Control_RunDLL
ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName =~ "rundll32.exe"
| where ProcessCommandLine contains ",Control_RunDLL"
| summarize makeset(ComputerName), makeset(AccountName), dcount(ComputerName) by InitiatingProcessFileName, ProcessCommandLine
| sort by dcount_ComputerName desc
================================================
FILE: WindowsDefenderATP Hunting Queries /Process_Rundll32_DllRegisterServer
================================================
// DllRegisterServer export invoked through rundll32
ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName =~ "rundll32.exe"
| where ProcessCommandLine contains "DllRegisterServer"
| summarize makeset(ComputerName), makeset(AccountName) by InitiatingProcessFileName, ProcessCommandLine
| sort by InitiatingProcessFileName asc
================================================
FILE: WindowsDefenderATP Hunting Queries /Process_Rundll32_Sus
================================================
// Suspicious executions
ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName =~ "rundll32.exe"
| where InitiatingProcessFileName in ("winword.exe" , "excel.exe" , "cscript.exe" , "wscript.exe" , "mshta.exe" )
| summarize makeset(ComputerName), makeset(AccountName) by InitiatingProcessFileName, ProcessCommandLine
| sort by InitiatingProcessFileName asc
================================================
FILE: WindowsDefenderATP Hunting Queries /Process_Rundll32_possible hta remote
================================================
// mshtml,RunHTMLApplication (inline HTA/JavaScript executed through rundll32)
ProcessCreationEvents
| where EventTime > ago(1d)
| where FileName =~ "rundll32.exe"
| where ProcessCommandLine contains "mshtml,RunHTMLApplication"
| project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName
| top 1000 by EventTime
================================================
FILE: WindowsDefenderATP Hunting Queries /Process_Rundll32_roaming
================================================
// rundll32 loading a DLL from the user's AppData\Roaming profile
ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName =~ "rundll32.exe"
| where ProcessCommandLine contains "\\roaming\\"
| where ProcessCommandLine !contains "\\STREAM Interactive (Emirates).appref-ms|" // environment-specific whitelist; replace with your own
| summarize makeset(ComputerName), makeset(AccountName) by InitiatingProcessFileName, ProcessCommandLine
| sort by InitiatingProcessFileName asc
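The five rundll32 hunts above (Control_RunDLL, DllRegisterServer, suspicious parents, RunHTMLApplication, Roaming) boil down to case-insensitive substring tests on the command line plus a stack by parent and command line to see how many hosts share each one. The following is an added example, not code from the Windows-Hunting repository: the same logic in Python over a handful of constructed process-creation records, so the classification and the prevalence stacking can be checked offline. Field names mirror the ProcessCreationEvents columns; the sample events are invented.

```python
"""Classify rundll32.exe command lines into the hunts above and stack them by host prevalence.

Added example, not from the Windows-Hunting repository; the events below are constructed.
KQL `contains` is case-insensitive, so all matching here is done on casefolded text.
"""
import re
from collections import defaultdict

# One pattern per hunt, applied to the casefolded command line.
RUNDLL32_HUNTS = {
    "Control_RunDLL": re.compile(r",control_rundll\b"),
    "DllRegisterServer": re.compile(r"\bdllregisterserver\b"),
    "RunHTMLApplication": re.compile(r"mshtml,runhtmlapplication"),
    "Roaming": re.compile(r"\\roaming\\"),
}

# Parents whose rundll32 children are suspicious (Process_Rundll32_Sus).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "cscript.exe", "wscript.exe", "mshta.exe"}


def classify(event):
    """Return the set of hunt names the event matches (empty when it is not rundll32 or matches nothing)."""
    if event["FileName"].casefold() != "rundll32.exe":
        return set()
    cmd = event["ProcessCommandLine"].casefold()
    hits = {name for name, rx in RUNDLL32_HUNTS.items() if rx.search(cmd)}
    if event["InitiatingProcessFileName"].casefold() in SUSPICIOUS_PARENTS:
        hits.add("SuspiciousParent")
    return hits


def stack(events):
    """Equivalent of `summarize makeset(ComputerName), makeset(AccountName), dcount(ComputerName)
    by InitiatingProcessFileName, ProcessCommandLine`. Rows are returned rarest-first: a command line
    seen on a single host is the one to look at (the Control_RunDLL query above sorts the other way)."""
    groups = defaultdict(lambda: {"hosts": set(), "accounts": set(), "hunts": set()})
    for ev in events:
        hunts = classify(ev)
        if not hunts:
            continue
        key = (ev["InitiatingProcessFileName"].casefold(), ev["ProcessCommandLine"])
        groups[key]["hosts"].add(ev["ComputerName"])
        groups[key]["accounts"].add(ev["AccountName"])
        groups[key]["hunts"] |= hunts
    rows = [
        {"parent": parent, "cmdline": cmd, "hunts": sorted(g["hunts"]),
         "host_count": len(g["hosts"]), "hosts": sorted(g["hosts"]), "accounts": sorted(g["accounts"])}
        for (parent, cmd), g in groups.items()
    ]
    return sorted(rows, key=lambda r: (r["host_count"], r["cmdline"]))


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"ComputerName": "ws01", "AccountName": "alice", "FileName": "rundll32.exe",
     "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": 'rundll32.exe shell32.dll,Control_RunDLL "C:\\Windows\\System32\\intl.cpl"'},
    {"ComputerName": "ws02", "AccountName": "bob", "FileName": "rundll32.exe",
     "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": 'rundll32.exe shell32.dll,Control_RunDLL "C:\\Windows\\System32\\intl.cpl"'},
    {"ComputerName": "ws03", "AccountName": "carol", "FileName": "rundll32.exe",
     "InitiatingProcessFileName": "WINWORD.EXE",
     "ProcessCommandLine": 'rundll32.exe C:\\Users\\carol\\AppData\\Roaming\\upd.dll,DllRegisterServer'},
    {"ComputerName": "ws03", "AccountName": "carol", "FileName": "rundll32.exe",
     "InitiatingProcessFileName": "cmd.exe",
     "ProcessCommandLine": 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";document.write()'},
    {"ComputerName": "ws04", "AccountName": "dave", "FileName": "msiexec.exe",
     "InitiatingProcessFileName": "explorer.exe", "ProcessCommandLine": "msiexec.exe /i setup.msi"},
]

if __name__ == "__main__":
    for row in stack(SAMPLE_EVENTS):
        print(row["host_count"], row["parent"], row["hunts"], row["cmdline"])
```

The Word-spawned rundll32 that registers a DLL from Roaming matches three hunts at once, which is exactly the kind of overlap worth surfacing in one pass rather than in five separate queries.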
================================================
FILE: WindowsDefenderATP Hunting Queries /Process_at.exe execution
================================================
ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName =~ "at.exe"
| project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName
| top 1000 by EventTime
================================================
FILE: WindowsDefenderATP Hunting Queries /Process_wmic_process call
================================================
// wmic process call
ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName =~ "WMIC.exe"
| where ProcessCommandLine contains "process call create"
| project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName
| top 1000 by EventTime
================================================
FILE: WindowsDefenderATP Hunting Queries /Process_wscript_js execution
================================================
// wscript - js execution
ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName =~ "wscript.exe"
| where ProcessCommandLine contains ".js"
| summarize makeset(ComputerName), makeset(AccountName) by InitiatingProcessFileName, ProcessCommandLine
| sort by InitiatingProcessFileName asc
================================================
FILE: WindowsDefenderATP Hunting Queries /Process_wscript_suspicious rar:zip
================================================
// wscript - Suspicious rar/zip userprofile execution
// Script launched from an archive extracted under AppData, or straight out of a WinRAR temp folder (Rar$<id>\).
// `contains` takes a literal string, so the WinRAR folder needs a regex instead of "\\Rar$*\\".
ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName =~ "wscript.exe"
| where (ProcessCommandLine contains "\\appdata\\" and ProcessCommandLine contains ".zip")
    or ProcessCommandLine matches regex @"\\Rar\$[^\\]*\\"
| project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName
| top 1000 by EventTime
================================================
FILE: WindowsDefenderATP Hunting Queries /SHELL Detection/Persistence_Potential DLL WebShell_Suspicious IIS module detected
================================================
// Name: Persistence_Potential DLL WebShell_Suspicious IIS module detected
// Risk Level: HIGH
// Justification: - DLL web shells are hard to detect because they run persistently inside IIS as a registered native module rather than as a file in the web root.
// - Like any other web shell, a DLL web shell gives the attacker a set of functions, or a command-line interface, on the host running the web server.
// Supporting Investigation Data Sources: Web Access Logs, Packets, ApplicationHost.config, Yara Scan
// Tactic: Persistence
// MITRE: https://attack.mitre.org/techniques/T1505/003/
// Questions: beahunt3r@gmail.com
union DeviceProcessEvents, DeviceImageLoadEvents
| where Timestamp > ago(7d)
| extend CommandLine=coalesce(ProcessCommandLine,InitiatingProcessCommandLine)
| where (FileName =~ "appcmd.exe" or InitiatingProcessFileName =~ "appcmd.exe")
and CommandLine contains "module" and ( CommandLine contains " add"
or CommandLine contains " install")
| summarize count(), Timestamp = min(Timestamp) by DeviceId, ActionType, CommandLine, InitiatingProcessParentFileName, InitiatingProcessFileName
//////////////////////WHITELIST FILTER CONDITIONS//////////////////////
// InitiatingProcessParentFileName and InitiatingProcessFileName hold bare file names, so match on the name, not a path.
| where InitiatingProcessParentFileName !in~ ("iissetup.exe")
    and InitiatingProcessFileName !in~ ("iissetup.exe")
//and CommandLine !contains @"<WHITELIST#1>"
//////////////////////END/////////////////////////////////////////////
//| extend commandline=replace(@'%windir%', @'C:\\Windows', CommandLine) // Map env path to exact location
| extend module_FolderPath = extract("(image|type)\\:([^(\\/|\\-|$)]+)(\\s+|$)", 2, CommandLine)
| extend module_FolderPath =replace(@'\"', @'', module_FolderPath)
| extend module_FileName = extract("(.*)\\\\(.*)", 2, module_FolderPath)
| join (DeviceFileEvents | summarize count(), File_Create_Timestamp = min(Timestamp) by module_FileName = FileName, SHA256, ActionType, DeviceId) on module_FileName, DeviceId // Optional
| where (Timestamp - File_Create_Timestamp) between (0min .. 1440min) // Optional
| invoke FileProfile(SHA256) | where SignatureState != "SignedValid" // Optional
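The query above does three things worth seeing in isolation: it pulls the module path out of an `appcmd ... module /image:... /type:...` command line (quoted or not, with `%windir%` possibly unexpanded), drops registrations performed by IIS setup itself, and joins the module file name to a recent file creation on the same device so that only freshly dropped, unsigned modules survive. The following is an added example, not code from the Windows-Hunting repository: that pipeline in Python over constructed process and file events. The `outside_inetsrv` flag and the `C:\Windows` mapping for `%windir%` are assumptions added here, not part of the query; the SignatureState values follow the FileProfile enrichment used above.

```python
"""Parse appcmd module registrations and join them to recent file creations, as the IIS-module query does.

Added example, not from the Windows-Hunting repository; all events below are constructed.
"""
import ntpath
import re
from datetime import datetime, timedelta

# /name:, /image: and /type: arguments, either "quoted with spaces" or a bare token.
APPCMD_ARG = re.compile(r'/(name|image|type):(?:"([^"]*)"|(\S+))', re.IGNORECASE)
MODULE_VERBS = re.compile(r"\b(add|install)\s+module\b", re.IGNORECASE)
WINDIR = r"C:\Windows"  # assumption: where %windir% resolves on the hosts being hunted
EXPECTED_MODULE_DIR = r"c:\windows\system32\inetsrv"  # assumption: stock IIS native modules live here


def parse_appcmd(cmdline):
    """Return None unless cmdline registers an IIS module; otherwise name/image/type plus the module file name."""
    if not MODULE_VERBS.search(cmdline):
        return None
    args = {}
    for key, quoted, bare in APPCMD_ARG.findall(cmdline):
        args[key.lower()] = quoted if quoted else bare
    image = args.get("image")
    if image:
        # lambda replacement so backslashes in WINDIR are not interpreted as regex escapes
        image = re.sub(r"%windir%", lambda m: WINDIR, image, flags=re.IGNORECASE)
    return {
        "name": args.get("name"),
        "image": image,
        "type": args.get("type"),  # managed modules carry a .NET type, not a file path
        "module_file": ntpath.basename(image) if image else None,
        "outside_inetsrv": bool(image) and not image.casefold().startswith(EXPECTED_MODULE_DIR),
    }


def triage(process_events, file_events, window=timedelta(hours=24)):
    """Keep appcmd module registrations not run by iissetup.exe, join the module file to its earliest
    creation on the same device within `window`, and drop modules whose file is validly signed."""
    creations = {}
    for fe in file_events:
        key = (fe["DeviceId"], fe["FileName"].casefold())
        if key not in creations or fe["Timestamp"] < creations[key]["Timestamp"]:
            creations[key] = fe  # min(Timestamp) per device and file, like the summarize inside the join
    findings = []
    for ev in process_events:
        if ev["FileName"].casefold() != "appcmd.exe":
            continue
        if "iissetup.exe" in (ev["InitiatingProcessParentFileName"].casefold(),
                              ev["InitiatingProcessFileName"].casefold()):
            continue
        parsed = parse_appcmd(ev["ProcessCommandLine"])
        if not parsed or not parsed["module_file"]:
            continue
        fe = creations.get((ev["DeviceId"], parsed["module_file"].casefold()))
        if fe is None or not (timedelta(0) <= ev["Timestamp"] - fe["Timestamp"] <= window):
            continue
        if fe["SignatureState"] == "SignedValid":
            continue
        age = ev["Timestamp"] - fe["Timestamp"]
        findings.append({**parsed, "DeviceId": ev["DeviceId"], "SHA256": fe["SHA256"],
                         "age_minutes": int(age.total_seconds() // 60)})
    return findings


T0 = datetime(2024, 1, 15, 10, 0, 0)
SAMPLE_PROCESS_EVENTS = [  # constructed
    {"DeviceId": "srv-web-01", "Timestamp": T0, "FileName": "appcmd.exe", "InitiatingProcessFileName": "cmd.exe",
     "InitiatingProcessParentFileName": "w3wp.exe",
     "ProcessCommandLine": r'appcmd.exe install module /name:"Cache Helper" /image:"C:\inetpub\temp\cachehlp.dll"'},
    {"DeviceId": "srv-web-02", "Timestamp": T0, "FileName": "appcmd.exe", "InitiatingProcessFileName": "cmd.exe",
     "InitiatingProcessParentFileName": "iissetup.exe",
     "ProcessCommandLine": r"appcmd.exe install module /name:UriCacheModule /image:%windir%\System32\inetsrv\cachuri.dll"},
    {"DeviceId": "srv-web-03", "Timestamp": T0, "FileName": "appcmd.exe", "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessParentFileName": "explorer.exe",
     "ProcessCommandLine": r"appcmd.exe add module /name:Telemetry /type:Contoso.Web.TelemetryModule"},
    {"DeviceId": "srv-web-04", "Timestamp": T0, "FileName": "appcmd.exe", "InitiatingProcessFileName": "cmd.exe",
     "InitiatingProcessParentFileName": "explorer.exe",
     "ProcessCommandLine": r'appcmd.exe install module /name:Vendor /image:"C:\Program Files\Vendor\vmod.dll"'},
]
SAMPLE_FILE_EVENTS = [  # constructed
    {"DeviceId": "srv-web-01", "FileName": "cachehlp.dll", "Timestamp": T0 - timedelta(minutes=5),
     "SHA256": "a" * 64, "SignatureState": "Unsigned"},
    {"DeviceId": "srv-web-04", "FileName": "vmod.dll", "Timestamp": T0 - timedelta(days=30),
     "SHA256": "b" * 64, "SignatureState": "SignedValid"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_PROCESS_EVENTS, SAMPLE_FILE_EVENTS):
        print(f["DeviceId"], f["name"], f["image"], f["age_minutes"], "min old, outside inetsrv:", f["outside_inetsrv"])
```

Only the module dropped into `C:\inetpub\temp` five minutes before registration survives: the setup-driven registration is whitelisted, the managed module has no image path to join on, and the vendor module is both old and validly signed.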
================================================
FILE: WindowsDefenderATP Hunting Queries /SHELL Detection/Process_Persistence_Potential WebShell Execution
================================================
// Risk Level: HIGH
// Justification: - Web shells are used by attackers for persistent access to a compromised machine. This rule triggers when a web server worker process spawns a command shell, which is how a web shell runs the commands it receives remotely.
// - Any matching event must be thoroughly investigated; we may end up finding a weakness in the web application itself.
// - This rule is effective against the recent Exchange exploits.
// Supporting Investigation Data Sources: Web Access Logs, Packets, compiled web application files, WebShell Yara Scan
// Tactic: Persistence
// MITRE: https://attack.mitre.org/techniques/T1505/003/
// Questions: beahunt3r@gmail.com
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ( InitiatingProcessFileName =~ "w3wp.exe" // IIS worker process that runs web applications
    or InitiatingProcessFileName contains "httpd.exe" // Apache httpd for Microsoft Windows
    or InitiatingProcessFileName contains "tomcat" // Apache Tomcat
    or InitiatingProcessFileName contains "apache.exe" // older Apache web server binary name
    or InitiatingProcessFileName contains "nginx.exe" // Nginx web server
    // Run a discovery search on the ATP network events to find the web services in your environment and add them here
    )
    and FileName in~ ("cmd.exe", "powershell.exe")
//////////////////////WHITELIST FILTER CONDITIONS//////////////////////
//| where ( ProcessCommandLine !contains "<WHITELIST#1>"
//    and ProcessCommandLine !contains "<WHITELIST#2>")
//| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, InitiatingProcessCommandLine, AccountName
| extend DC_Time = bin(Timestamp, 1d)
| summarize count(), First_Event = min(Timestamp), Last_Event = max(Timestamp), DC_Time = dcount(DC_Time), dcount(DeviceName) by ProcessCommandLine
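The value of this rule is in its final summarize: a shell command line that a web worker keeps launching across several distinct days and devices reads as an attacker's persistent channel, whereas a single burst is more often an administrator or a deployment script. The following is an added example, not code from the Windows-Hunting repository: the lineage test and the per-command-line summary (count, first/last seen, distinct days, distinct devices) in Python over constructed DeviceProcessEvents-shaped records, including mixed-case process names that the case-sensitive `==` in the original would have missed.

```python
"""Web-server worker -> shell lineage, summarized per command line with daily cadence.

Added example, not from the Windows-Hunting repository; the events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Substrings, mirroring the query's `contains` tests; matched on casefolded names because KQL is case-insensitive here.
WEB_SERVER_PARENTS = ("w3wp.exe", "httpd.exe", "tomcat", "apache.exe", "nginx.exe")
SHELLS = {"cmd.exe", "powershell.exe"}


def is_webshell_candidate(ev):
    """True when a web server worker process spawned cmd.exe or powershell.exe."""
    parent = ev["InitiatingProcessFileName"].casefold()
    return any(p in parent for p in WEB_SERVER_PARENTS) and ev["FileName"].casefold() in SHELLS


def summarize(events):
    """Per command line: count, first/last seen, distinct days (the bin(Timestamp, 1d) / dcount pair),
    distinct devices. Sorted so recurring command lines surface first."""
    groups = defaultdict(list)
    for ev in events:
        if is_webshell_candidate(ev):
            groups[ev["ProcessCommandLine"]].append(ev)
    rows = []
    for cmd, evs in groups.items():
        ts = [e["Timestamp"] for e in evs]
        rows.append({
            "cmdline": cmd,
            "count": len(evs),
            "first": min(ts),
            "last": max(ts),
            "days": len({t.date() for t in ts}),
            "devices": len({e["DeviceName"] for e in evs}),
        })
    return sorted(rows, key=lambda r: (-r["days"], -r["count"], r["cmdline"]))


T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE_EVENTS = [  # constructed telemetry; not real hosts or commands
    {"Timestamp": T0, "DeviceName": "exch01", "InitiatingProcessFileName": "w3wp.exe",
     "FileName": "cmd.exe", "ProcessCommandLine": "cmd.exe /c whoami"},
    {"Timestamp": T0 + timedelta(days=1), "DeviceName": "exch01", "InitiatingProcessFileName": "W3WP.EXE",
     "FileName": "cmd.exe", "ProcessCommandLine": "cmd.exe /c whoami"},
    {"Timestamp": T0 + timedelta(days=2, hours=3), "DeviceName": "exch02", "InitiatingProcessFileName": "w3wp.exe",
     "FileName": "CMD.EXE", "ProcessCommandLine": "cmd.exe /c whoami"},
    {"Timestamp": T0, "DeviceName": "web01", "InitiatingProcessFileName": "nginx.exe",
     "FileName": "powershell.exe", "ProcessCommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"Timestamp": T0, "DeviceName": "web01", "InitiatingProcessFileName": "httpd.exe",
     "FileName": "php-cgi.exe", "ProcessCommandLine": "php-cgi.exe"},  # web parent, but not a shell
    {"Timestamp": T0, "DeviceName": "ws01", "InitiatingProcessFileName": "explorer.exe",
     "FileName": "cmd.exe", "ProcessCommandLine": "cmd.exe /c whoami"},  # shell, but not a web parent
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print(row["days"], "days", row["count"], "events", row["devices"], "devices:", row["cmdline"])
```

The `whoami` line shows up on three consecutive days from two Exchange servers and sorts to the top; the same command run from explorer.exe on a workstation never enters the summary because the lineage test fails.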
================================================
FILE: _config.yml
================================================
theme: jekyll-theme-time-machine