Repository: beahunt3r/Windows-Hunting
Branch: master
Commit: d9e0df8434f1
Files: 52
Total size: 29.1 KB

Directory structure:
gitextract_rqzb9198/
├── Persistence/
│   └── Registry Autoruns/
│       ├── Appinit Dlls
│       ├── Boot Execute
│       ├── Codecs
│       ├── Drivers
│       ├── Explorer
│       ├── Image Hijacks
│       ├── Internet Explorer
│       ├── KnownDlls
│       ├── LSA Providers
│       ├── Logon
│       ├── Network Providers
│       ├── Office
│       ├── Print Monitor
│       ├── Services
│       ├── WinLogon
│       └── WinSocket Providers
├── README.md
├── WindowsDefenderATP Hunting Queries /
│   ├── APT_IR_CNC_Possible RDP Tunnel
│   ├── APT_IR_CNC_rdp enable
│   ├── APT_IR_Execution_Echo
│   ├── APT_IR_Persistance_AccountCreation
│   ├── APT_IR_Persistance_LocalAccounts
│   ├── APT_IR_Persistance_LocalGroups
│   ├── APT_IR_Persistance_secedit
│   ├── Alert_Summary by AlertTitle
│   ├── Alert_Summary by Category
│   ├── Alert_Summary by ComputerName
│   ├── Alert_Summary by FIleName
│   ├── Alert_WDAVDetection
│   ├── Indication_ClearEventlog
│   ├── Indication_OutPut_Redirection
│   ├── Indication_RemoteShareMounting
│   ├── Indication_Tool_IMPACKET artifact
│   ├── Indication_Tool_ProcDump_possible
│   ├── Network_Cscript_Wscript
│   ├── Network_PowerShell
│   ├── Process_Bitsadmin Executions
│   ├── Process_Bitsadmin transfer
│   ├── Process_Certutil_decode in appdata
│   ├── Process_Possible_MSOffice_Abuse
│   ├── Process_Rundll32_Control_RunDLL
│   ├── Process_Rundll32_DllRegisterServer
│   ├── Process_Rundll32_Sus
│   ├── Process_Rundll32_possible hta remote
│   ├── Process_Rundll32_roaming
│   ├── Process_at.exe execution
│   ├── Process_wmic_process call
│   ├── Process_wscript_js execution
│   ├── Process_wscript_suspicious rar:zip
│   └── SHELL Detection/
│       ├── Persistence_Potential DLL WebShell_Suspicious IIS module detected
│       └── Process_Persistence_Potential WebShell Execution
└── _config.yml

================================================
FILE CONTENTS
================================================

================================================
FILE: Persistence/Registry Autoruns/Appinit Dlls
================================================
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls

================================================
FILE: Persistence/Registry Autoruns/Boot Execute
================================================
HKLM\System\CurrentControlSet\Control\ServiceControlManagerExtension
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
HKLM\System\CurrentControlSet\Control\Session Manager\Execute
HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand
HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute

================================================
FILE: Persistence/Registry Autoruns/Codecs
================================================
HKCU\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
HKCU\Software\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
HKCU\Software\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance
HKCU\Software\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance
HKCU\Software\Classes\Filter
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
HKCU\Software\Wow6432Node\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
HKCU\Software\Wow6432Node\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
HKCU\Software\Wow6432Node\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance
HKCU\Software\Wow6432Node\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance
HKCU\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
HKLM\Software\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
HKLM\Software\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance
HKLM\Software\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance
HKLM\Software\Classes\Filter
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
HKLM\Software\Wow6432Node\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
HKLM\Software\Wow6432Node\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
HKLM\Software\Wow6432Node\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance
HKLM\Software\Wow6432Node\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32

================================================
FILE: Persistence/Registry Autoruns/Drivers
================================================
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers
HKLM\System\CurrentControlSet\Services

================================================
FILE: Persistence/Registry Autoruns/Explorer
================================================
HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers
HKCU\Software\Classes\*\ShellEx\PropertySheetHandlers
HKCU\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
HKCU\Software\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers
HKCU\Software\Classes\AllFileSystemObjects\ShellEx\PropertySheetHandlers
HKCU\Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32
HKCU\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
HKCU\Software\Classes\Directory\ShellEx\ContextMenuHandlers
HKCU\Software\Classes\Directory\Shellex\CopyHookHandlers
HKCU\Software\Classes\Directory\Shellex\DragDropHandlers
HKCU\Software\Classes\Directory\Shellex\PropertySheetHandlers
HKCU\Software\Classes\Drive\ShellEx\ContextMenuHandlers
HKCU\Software\Classes\Folder\Shellex\ColumnHandlers
HKCU\Software\Classes\Folder\ShellEx\ContextMenuHandlers
HKCU\Software\Classes\Folder\ShellEx\DragDropHandlers
HKCU\Software\Classes\Folder\ShellEx\ExtShellFolderViews
HKCU\Software\Classes\Folder\ShellEx\PropertySheetHandlers
HKCU\SOFTWARE\Classes\Protocols\Filter
HKCU\SOFTWARE\Classes\Protocols\Handler
HKCU\Software\Microsoft\Ctf\LangBarAddin
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\*\ShellEx\PropertySheetHandlers
HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers
HKLM\Software\Classes\AllFileSystemObjects\ShellEx\PropertySheetHandlers
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\Directory\Shellex\CopyHookHandlers
HKLM\Software\Classes\Directory\Shellex\DragDropHandlers
HKLM\Software\Classes\Directory\Shellex\PropertySheetHandlers
HKLM\Software\Classes\Drive\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\Folder\ShellEx\DragDropHandlers
HKLM\Software\Classes\Folder\ShellEx\ExtShellFolderViews
HKLM\Software\Classes\Folder\ShellEx\PropertySheetHandlers
HKLM\SOFTWARE\Classes\Protocols\Filter
HKLM\SOFTWARE\Classes\Protocols\Handler
HKLM\Software\Microsoft\Ctf\LangBarAddin
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKLM\Software\Wow6432Node\Classes\*\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\*\ShellEx\PropertySheetHandlers
HKLM\Software\Wow6432Node\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers
HKLM\Software\Wow6432Node\Classes\AllFileSystemObjects\ShellEx\PropertySheetHandlers
HKLM\Software\Wow6432Node\Classes\Directory\Background\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\Directory\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\Directory\Shellex\CopyHookHandlers
HKLM\Software\Wow6432Node\Classes\Directory\Shellex\DragDropHandlers
HKLM\Software\Wow6432Node\Classes\Directory\Shellex\PropertySheetHandlers
HKLM\Software\Wow6432Node\Classes\Drive\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\Folder\Shellex\ColumnHandlers
HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\DragDropHandlers
HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\ExtShellFolderViews
HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\PropertySheetHandlers
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

================================================
FILE: Persistence/Registry Autoruns/Image Hijacks
================================================
HKCU\Software\Classes\.cmd
HKCU\Software\Classes\.exe
HKCU\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)
HKCU\SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)
HKCU\Software\Microsoft\Command Processor\Autorun
HKLM\Software\Classes\.cmd
HKLM\Software\Classes\.exe
HKLM\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)
HKLM\SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)
HKLM\Software\Microsoft\Command Processor\Autorun
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\Software\Wow6432Node\Microsoft\Command Processor\Autorun
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

================================================
FILE: Persistence/Registry Autoruns/Internet Explorer
================================================
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars
HKCU\Software\Microsoft\Internet Explorer\Extensions
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars
HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Extensions
HKLM\Software\Microsoft\Internet Explorer\Toolbar
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

================================================
FILE: Persistence/Registry Autoruns/KnownDlls
================================================
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls

================================================
FILE: Persistence/Registry Autoruns/LSA Providers
================================================
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders

================================================
FILE: Persistence/Registry Autoruns/Logon
================================================
HKCU\Environment\UserInitMprLogonScript
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff
HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon
HKCU\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\Environment\UserInitMprLogonScript
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
HKLM\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect
HKLM\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\IconServiceLib
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown
HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logoff
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup
HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnConnect
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnDisconnect
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell
HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram
================================================
FILE: Persistence/Registry Autoruns/Network Providers
================================================
HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order

================================================
FILE: Persistence/Registry Autoruns/Office
================================================
HKCU\SOFTWARE\Microsoft\Office test\Special\Perf\(Default)
HKCU\Software\Microsoft\Office\Access\Addins
HKCU\Software\Microsoft\Office\Excel\Addins
HKCU\Software\Microsoft\Office\Outlook\Addins
HKCU\Software\Microsoft\Office\PowerPoint\Addins
HKCU\Software\Microsoft\Office\Word\Addins
HKCU\Software\Wow6432Node\Microsoft\Office\Access\Addins
HKCU\Software\Wow6432Node\Microsoft\Office\Excel\Addins
HKCU\Software\Wow6432Node\Microsoft\Office\Outlook\Addins
HKCU\Software\Wow6432Node\Microsoft\Office\PowerPoint\Addins
HKCU\Software\Wow6432Node\Microsoft\Office\Word\Addins
HKLM\SOFTWARE\Microsoft\Office test\Special\Perf\(Default)
HKLM\Software\Microsoft\Office\Access\Addins
HKLM\Software\Microsoft\Office\Excel\Addins
HKLM\Software\Microsoft\Office\Outlook\Addins
HKLM\Software\Microsoft\Office\PowerPoint\Addins
HKLM\Software\Microsoft\Office\Word\Addins
HKLM\Software\Wow6432Node\Microsoft\Office\Access\Addins
HKLM\Software\Wow6432Node\Microsoft\Office\Excel\Addins
HKLM\Software\Wow6432Node\Microsoft\Office\Outlook\Addins
HKLM\Software\Wow6432Node\Microsoft\Office\PowerPoint\Addins
HKLM\Software\Wow6432Node\Microsoft\Office\Word\Addins

================================================
FILE: Persistence/Registry Autoruns/Print Monitor
================================================
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers

================================================
FILE: Persistence/Registry Autoruns/Services
================================================
HKLM\System\CurrentControlSet\Services
HKLM\System\ControlSet001
HKLM\System\ControlSet002
================================================
FILE: Persistence/Registry Autoruns/WinLogon
================================================
HKLM\SYSTEM\Setup\CmdLine
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
HKCU\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe
HKCU\Control Panel\Desktop\Scrnsave.exe
HKLM\System\CurrentControlSet\Control\BootVerificationProgram\ImagePath
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GpExtensions

================================================
FILE: Persistence/Registry Autoruns/WinSocket Providers
================================================
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64

================================================
FILE: README.md
================================================
Windows-Hunting
The purpose of this repository is to aid Windows threat hunters in looking for some common artifacts during their day-to-day operations. Feel free to contribute.
================================================ FILE: WindowsDefenderATP Hunting Queries /APT_IR_CNC_Possible RDP Tunnel ================================================ // Possible RDP tunnel ProcessCreationEvents | where EventTime > ago(10d) | where (ProcessCommandLine contains ":3389" or ProcessCommandLine contains ":6511") | project EventTime, ComputerName, AccountName, InitiatingProcessFileName, ActionType, FileName, ProcessCommandLine, InitiatingProcessCommandLine ================================================ FILE: WindowsDefenderATP Hunting Queries /APT_IR_CNC_rdp enable ================================================ // Allow RDP connection ProcessCreationEvents | where EventTime > ago(7d) | where ( ProcessCommandLine contains "SC CONFIG" and ProcessCommandLine contains "DISABLED" and ProcessCommandLine contains "wuauserv" ) or (ProcessCommandLine contains "Terminal Serve" and ProcessCommandLine contains "fDenyTSConnections" and ProcessCommandLine contains "0x0" ) //| summarize makeset(ComputerName), makeset(AccountName), makeset(ProcessCommandLine) by InitiatingProcessFileName | project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName ================================================ FILE: WindowsDefenderATP Hunting Queries /APT_IR_Execution_Echo ================================================ // inf file echo creation ProcessCreationEvents | where EventTime > ago(17d) | where ProcessCommandLine contains "echo" and ProcessCommandLine contains ".inf" //| summarize makeset(ComputerName), makeset(AccountName), makeset(ProcessCommandLine) by InitiatingProcessFileName | project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName ================================================ FILE: WindowsDefenderATP Hunting Queries /APT_IR_Persistance_AccountCreation ================================================ // Accounts Creation ProcessCreationEvents | where EventTime > ago(7d) | where 
ProcessCommandLine contains "net user" and ProcessCommandLine contains "/add" //| summarize makeset(ComputerName), makeset(AccountName), makeset(ProcessCommandLine) by InitiatingProcessFileName | project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName ================================================ FILE: WindowsDefenderATP Hunting Queries /APT_IR_Persistance_LocalAccounts ================================================ // Local Accounts Activation ProcessCreationEvents | where EventTime > ago(7d) | where ProcessCommandLine contains "Administrator /active:yes" or ProcessCommandLine contains "guest /active:yes" //| summarize makeset(ComputerName), makeset(AccountName), makeset(ProcessCommandLine) by InitiatingProcessFileName | project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName ================================================ FILE: WindowsDefenderATP Hunting Queries /APT_IR_Persistance_LocalGroups ================================================ // User Addition to Local Groups ProcessCreationEvents | where EventTime > ago(7d) | where ProcessCommandLine contains "localgroup" and ProcessCommandLine contains "/add" and ( ProcessCommandLine contains "Remote Desktop Users" or ProcessCommandLine contains "administrators") //| summarize makeset(ComputerName), makeset(AccountName), makeset(ProcessCommandLine) by InitiatingProcessFileName | project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName ================================================ FILE: WindowsDefenderATP Hunting Queries /APT_IR_Persistance_secedit ================================================ // Service Creation // Look for 'InitiatingProcessFileName' ProcessCreationEvents | where EventTime > ago(7d) | where FileName contains "SECEDIT" //| where ProcessCommandLine == @"secedit.exe /export /cfg ** .inf" | summarize makeset(ComputerName), makeset(AccountName), makeset(ProcessCommandLine) by 
InitiatingProcessFileName ================================================ FILE: WindowsDefenderATP Hunting Queries /Alert_Summary by AlertTitle ================================================ AlertEvents | where EventTime > ago(7d) | summarize makeset(FileName), dcount(FileName), makeset(ComputerName), makeset(Category), dcount(ComputerName) by Title | sort by dcount_ComputerName desc ================================================ FILE: WindowsDefenderATP Hunting Queries /Alert_Summary by Category ================================================ AlertEvents | where EventTime > ago(7d) | summarize dcount(ComputerName), dcount(FileName), makeset(FileName), makeset(ComputerName) by Category, Severity | sort by dcount_ComputerName desc ================================================ FILE: WindowsDefenderATP Hunting Queries /Alert_Summary by ComputerName ================================================ AlertEvents | where EventTime > ago(7d) | summarize dcount(Category), dcount(FileName), makeset(Category), makeset(FileName) by ComputerName, Severity | sort by dcount_Category desc ================================================ FILE: WindowsDefenderATP Hunting Queries /Alert_Summary by FIleName ================================================ AlertEvents | where EventTime > ago(7d) | summarize dcount(ComputerName), dcount(Category), makeset(Severity), makeset(Category), makeset(ComputerName) by FileName | sort by dcount_ComputerName desc ================================================ FILE: WindowsDefenderATP Hunting Queries /Alert_WDAVDetection ================================================ MiscEvents | where EventTime > ago(17d) | where ActionType == "WDAVDetection" | summarize makeset(FileName), makeset(InitiatingProcessParentFileName), makeset(InitiatingProcessFileName), makeset(InitiatingProcessCommandLine), makeset(FolderPath), makeset(InitiatingProcessFolderPath) , makeset(AccountName ) by ComputerName ================================================ 
FILE: WindowsDefenderATP Hunting Queries /Indication_ClearEventlog ================================================ // Call ClearEventlog ProcessCreationEvents | where EventTime > ago(10d) | where ProcessCommandLine contains "call ClearEventlog" or InitiatingProcessCommandLine contains "call ClearEventlog" | summarize makeset(ComputerName), makeset(AccountName), dcount(ComputerName) by InitiatingProcessFileName, ProcessCommandLine | sort by dcount_ComputerName desc ================================================ FILE: WindowsDefenderATP Hunting Queries /Indication_OutPut_Redirection ================================================ // OutPut Redirection ProcessCreationEvents | where EventTime > ago(10d) | where ProcessCommandLine contains "2>&1" | summarize makeset(ComputerName), makeset(AccountName), dcount(ComputerName) by InitiatingProcessFileName, ProcessCommandLine | sort by dcount_ComputerName desc ================================================ FILE: WindowsDefenderATP Hunting Queries /Indication_RemoteShareMounting ================================================ // Remote Share Mounting ProcessCreationEvents | where EventTime > ago(7d) | where ProcessCommandLine contains "net.exe" | where ProcessCommandLine contains "\\c$" or ProcessCommandLine contains "\\admin$" or ProcessCommandLine contains "\\ipc$" ================================================ FILE: WindowsDefenderATP Hunting Queries /Indication_Tool_IMPACKET artifact ================================================ // Default IMPACKET artifact in cmdln ProcessCreationEvents | where EventTime > ago(10d) | where ProcessCommandLine contains "127.0.0.1\\ADMIN$\\" and ProcessCommandLine contains "2>&1" | project EventTime , InitiatingProcessFileName , ProcessCommandLine, AccountName , ComputerName | sort by InitiatingProcessFileName desc | top 1000 by EventTime ================================================ FILE: WindowsDefenderATP Hunting Queries /Indication_Tool_ProcDump_possible 
================================================ // Possible Procdump ProcessCreationEvents | where EventTime > ago(10d) | where (ProcessCommandLine contains "-accepteula" and ProcessCommandLine contains "1>") or (ProcessCommandLine contains "-accepteula" and ProcessCommandLine contains "-ma") | summarize makeset(ComputerName), makeset(AccountName), dcount(ComputerName) by InitiatingProcessFileName, ProcessCommandLine | sort by dcount_ComputerName desc ================================================ FILE: WindowsDefenderATP Hunting Queries /Network_Cscript_Wscript ================================================ NetworkCommunicationEvents | where EventTime > ago(7d) | where InitiatingProcessFileName in ("cscript.exe", "wscript.exe") | summarize makeset(InitiatingProcessParentName), makeset(RemoteUrl), makeset(RemotePort), makeset(InitiatingProcessAccountName) ,dcount(RemoteUrl) by InitiatingProcessCommandLine | sort by dcount_RemoteUrl desc ================================================ FILE: WindowsDefenderATP Hunting Queries /Network_PowerShell ================================================ NetworkCommunicationEvents | where EventTime > ago(1d) | where InitiatingProcessFileName =~ "powershell.exe" | summarize makeset(RemoteUrl), makeset(RemotePort), makeset(InitiatingProcessAccountName) ,dcount(RemoteUrl) by InitiatingProcessCommandLine | sort by dcount_RemoteUrl desc ================================================ FILE: WindowsDefenderATP Hunting Queries /Process_Bitsadmin Executions ================================================ // Bitsadmin Executions ProcessCreationEvents | where EventTime > ago(7d) | where FileName contains "bitsadmin.exe" | where ProcessCommandLine contains "/TRANSFER" or ProcessCommandLine contains "/CREATE" or ProcessCommandLine contains "/ADDFILE" or ProcessCommandLine contains "/SETPROXY" or ProcessCommandLine contains "/SETNOTIFYCMDLINE" or ProcessCommandLine contains "/SETCUSTOMHEADERS" or ProcessCommandLine contains 
"/SETSECURITYFLAGS" or ProcessCommandLine contains "/SETREPLYFILENAME" | project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName | top 1000 by EventTime ================================================ FILE: WindowsDefenderATP Hunting Queries /Process_Bitsadmin transfer ================================================ // download using bitsadmin ProcessCreationEvents | where EventTime > ago(7d) | where FileName =~ "bitsadmin.exe" | where ProcessCommandLine contains "/transfer" | project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName | top 1000 by EventTime ================================================ FILE: WindowsDefenderATP Hunting Queries /Process_Certutil_decode in appdata ================================================ // Certutil Decode in Appdata ProcessCreationEvents | where EventTime > ago(7d) | where FileName =~ "certutil.exe" | where ProcessCommandLine contains "-decode" and ProcessCommandLine contains "\\AppData\\" | project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName | top 1000 by EventTime ================================================ FILE: WindowsDefenderATP Hunting Queries /Process_Possible_MSOffice_Abuse ================================================ // Possible_MSOffice_Abuse ProcessCreationEvents | where EventTime > ago(1d) | where InitiatingProcessParentName contains "winword.exe" or InitiatingProcessParentName contains "excel.exe" or InitiatingProcessParentName contains "powerpnt.exe" | where FileName contains "cscript" or FileName contains "wscript" or FileName contains "powershell" | project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessParentName, AccountName | top 1000 by EventTime ================================================ FILE: WindowsDefenderATP Hunting Queries /Process_Rundll32_Control_RunDLL ================================================ // Control_RunDLL 
ProcessCreationEvents | where EventTime > ago(7d) | where FileName =~ "rundll32.exe" | where ProcessCommandLine contains ",Control_RunDLL" | summarize makeset(ComputerName), makeset(AccountName), dcount(ComputerName) by InitiatingProcessFileName, ProcessCommandLine | sort by dcount_ComputerName desc ================================================ FILE: WindowsDefenderATP Hunting Queries /Process_Rundll32_DllRegisterServer ================================================ // Control_RunDLL ProcessCreationEvents | where EventTime > ago(7d) | where FileName =~ "rundll32.exe" | where ProcessCommandLine contains "DllRegisterServer" | summarize makeset(ComputerName), makeset(AccountName) by InitiatingProcessFileName, ProcessCommandLine | sort by InitiatingProcessFileName asc ================================================ FILE: WindowsDefenderATP Hunting Queries /Process_Rundll32_Sus ================================================ // Suspicious executions ProcessCreationEvents | where EventTime > ago(7d) | where FileName =~ "rundll32.exe" | where InitiatingProcessFileName in ("winword.exe" , "excel.exe" , "cscript.exe" , "wscript.exe" , "mshta.exe" ) | summarize makeset(ComputerName), makeset(AccountName) by InitiatingProcessFileName, ProcessCommandLine | sort by InitiatingProcessFileName asc ================================================ FILE: WindowsDefenderATP Hunting Queries /Process_Rundll32_possible hta remote ================================================ // Control_RunDLL ProcessCreationEvents | where EventTime > ago(1d) | where FileName =~ "rundll32.exe" | where ProcessCommandLine contains "mshtml,RunHTMLApplication" | project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName | top 1000 by EventTime ================================================ FILE: WindowsDefenderATP Hunting Queries /Process_Rundll32_roaming ================================================ // Remote Executions ProcessCreationEvents | where EventTime > 
ago(7d)
| where FileName =~ "rundll32.exe"
| where ProcessCommandLine contains "\\roaming\\"
| where ProcessCommandLine !contains "\\STREAM Interactive (Emirates).appref-ms|"   // environment-specific allow-list entry: ClickOnce launch via dfshim.dll,ShOpenVerbShortcut "<app>.appref-ms|"
| summarize makeset(ComputerName), makeset(AccountName) by InitiatingProcessFileName, ProcessCommandLine
| sort by InitiatingProcessFileName asc

================================================
FILE: WindowsDefenderATP Hunting Queries /Process_at.exe execution
================================================
// at.exe: deprecated scheduled-task tool, still used for remote execution and persistence
ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName =~ "at.exe"
| project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName
| top 1000 by EventTime

================================================
FILE: WindowsDefenderATP Hunting Queries /Process_wmic_process call
================================================
// wmic process call create: process creation through WMI (local, or remote with /node:)
ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName =~ "WMIC.exe"
| where ProcessCommandLine contains "process call create"
| project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName
| top 1000 by EventTime

================================================
FILE: WindowsDefenderATP Hunting Queries /Process_wscript_js execution
================================================
// wscript - .js execution (note: contains ".js" also matches .jse and .json arguments)
ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName =~ "wscript.exe"
| where ProcessCommandLine contains ".js"
| summarize makeset(ComputerName), makeset(AccountName) by InitiatingProcessFileName, ProcessCommandLine
| sort by InitiatingProcessFileName asc

================================================
FILE: WindowsDefenderATP Hunting Queries /Process_wscript_suspicious rar:zip
================================================
// wscript - script run from an archive extracted under the user profile
// "and" binds tighter than "or" in KQL, so the archive test must be parenthesised;
// "contains" takes no wildcards, and WinRAR extracts to %TEMP%\Rar$<xxxx>\, so the "Rar$" substring is enough
ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName =~ "wscript.exe"
| where ProcessCommandLine contains "\\appdata\\"
    and (ProcessCommandLine contains ".zip" or ProcessCommandLine contains "\\Rar$")
| project EventTime, ComputerName, ProcessCommandLine, InitiatingProcessFileName, AccountName
| top 1000 by EventTime

================================================
FILE: WindowsDefenderATP Hunting Queries /SHELL Detection/Persistence_Potential DLL WebShell_Suspicious IIS module detected
================================================
// Name: Persistence_Potential DLL WebShell_Suspicious IIS module detected
// Risk Level: HIGH
// Justification:
// - Native (DLL) web shells are hard to detect: they run persistently inside the IIS worker process as registered modules, not as files under the web root.
// - Like any other web shell, a DLL web shell provides a set of functions to execute, or a command-line interface, on the system that hosts the web server.
// Supporting Investigation Data Sources: Web Access Logs, Packets, ApplicationHost.config, Yara Scan
// Tactic: Persistence
// MITRE: https://attack.mitre.org/techniques/T1505/003/
// Questions: beahunt3r@gmail.com
union DeviceProcessEvents, DeviceImageLoadEvents
| where Timestamp > ago(7d)
| extend CommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine)   // image-load rows carry no ProcessCommandLine
| where (FileName =~ "appcmd.exe" or InitiatingProcessFileName =~ "appcmd.exe")
    and CommandLine contains "module"
    and (CommandLine contains " add" or CommandLine contains " install")   // appcmd add module (managed) / appcmd install module (native)
| summarize count(), Timestamp = min(Timestamp) by DeviceId, ActionType, CommandLine, InitiatingProcessParentFileName, InitiatingProcessFileName
//////////////////////WHITELIST FILTER CONDITIONS//////////////////////
// IIS setup registers the built-in modules; the *FileName columns hold a bare file name, so a path-based !contains would never exclude anything
| where InitiatingProcessParentFileName !in ("iissetup.exe") and InitiatingProcessFileName !in ("iissetup.exe")
//and CommandLine !contains @""
//////////////////////END/////////////////////////////////////////////
//| extend CommandLine = replace(@'%windir%', @'C:\\Windows', CommandLine) // Map env path to exact location (not needed for the file-name join below)
// Value of /image: (native DLL path) or /type: (managed .NET type); the character class also stops at '-', '/', '|' and '$', so paths containing those characters are truncated
| extend module_FolderPath = extract("(image|type)\\:([^(\\/|\\-|$)]+)(\\s+|$)", 2, CommandLine)
| extend module_FolderPath = replace(@'\"', @'', module_FolderPath)   // strip surrounding quotes
| extend module_FileName = extract("(.*)\\\\(.*)", 2, module_FolderPath)   // empty for /type: modules (no file path)
| join (
    DeviceFileEvents
    | summarize count(), File_Create_Timestamp = min(Timestamp) by module_FileName = FileName, SHA256, ActionType, DeviceId
  ) on module_FileName, DeviceId // Optional: tie the registration to the DLL's creation on the same device
| where (Timestamp - File_Create_Timestamp) between (0min .. 1440min) // Optional: DLL written within the 24h before registration
| invoke FileProfile(SHA256)   // enrich with signer information and global prevalence
| where SignatureState != "SignedValid" // Optional: keep unsigned or invalidly signed modules

================================================
FILE: WindowsDefenderATP Hunting Queries /SHELL Detection/Process_Persistence_Potential WebShell Execution
================================================
// Risk Level: HIGH
// Justification:
// - Web shells are used by attackers for persistent access to a compromised machine. This rule triggers when commands are executed remotely through the web server process.
// - Any matching event must be thoroughly investigated; we may end up finding a weakness in the web application.
// - This rule is effective against the recent Exchange exploits (w3wp.exe spawning cmd.exe / powershell.exe)
// Supporting Investigation Data Sources: Web Access Logs, Packets, Compiled files, WebShell Yara Scan
// Tactic: Persistence
// MITRE: https://attack.mitre.org/techniques/T1505/003/
// Questions: beahunt3r@gmail.com
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (
    InitiatingProcessFileName =~ "w3wp.exe"               // IIS worker process that hosts the web application
    or InitiatingProcessFileName contains "httpd.exe"     // Apache httpd for Windows
    or InitiatingProcessFileName contains "tomcat"        // Apache Tomcat service binaries (tomcat8.exe, tomcat9.exe, ...)
    or InitiatingProcessFileName contains "apache.exe"    // older Apache builds shipped as Apache.exe
    or InitiatingProcessFileName contains "nginx.exe"     // Nginx web server
    // Run a discovery search over DeviceNetworkEvents / DeviceProcessEvents to find the web servers actually deployed and add them here
  )
  and FileName in~ ("cmd.exe", "powershell.exe")
//////////////////////WHITELIST FILTER CONDITIONS//////////////////////
//| where ( ProcessCommandLine !contains ""
//    and ProcessCommandLine !contains "")
//| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, InitiatingProcessCommandLine, AccountName
| summarize count(), First_Event = min(Timestamp), Last_Event = max(Timestamp), Distinct_Days = dcount(bin(Timestamp, 1d)), dcount(DeviceName) by ProcessCommandLine

================================================
FILE: _config.yml
================================================
theme: jekyll-theme-time-machine
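The two SHELL Detection hunts, re-implemented in Python and run over constructed event rows so the appcmd path extraction, the iissetup.exe allow-list, the DLL-creation join and the per-command-line summary can be exercised offline. This is an added example, not code from the Windows-Hunting repository. Assumptions: `%windir%` expands to `C:\Windows`, the `FileProfile()` enrichment is replaced by a constructed SHA256-to-SignatureState dictionary, and every DeviceProcessEvents / DeviceFileEvents row below is made up for the demonstration.

```python
import re
from datetime import datetime, timedelta

# Parent processes the execution hunt treats as web servers (matched as substrings,
# like KQL `contains`, so "tomcat" covers tomcat8.exe, tomcat9.exe, ...).
WEB_SERVERS = ("w3wp.exe", "httpd.exe", "tomcat", "apache.exe", "nginx.exe")
SHELLS = ("cmd.exe", "powershell.exe")
ALLOWLIST = ("iissetup.exe",)   # IIS setup legitimately registers the built-in modules

# appcmd registers native modules with /image:<dll path> and managed ones with
# /type:<.NET type>; the value is quoted when it contains spaces.
MODULE_ARG = re.compile(r'/(image|type):(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def extract_module(cmdline, windir=r"C:\Windows"):
    """Return (kind, path_or_type, file_name) for an appcmd module command line.
    %windir% is expanded to `windir` (assumption: default install path); a /type:
    module has no DLL path, so its file_name is None."""
    m = MODULE_ARG.search(cmdline)
    if not m:
        return None
    kind = m.group(1).lower()
    value = (m.group(2) or m.group(3)).replace("%windir%", windir)
    file_name = value.rsplit("\\", 1)[-1] if kind == "image" else None
    return kind, value, file_name


def hunt_suspicious_iis_module(proc_events, file_events, profile, window=timedelta(days=1)):
    """appcmd add/install module not launched by IIS setup, joined to the creation of
    the module DLL on the same device within `window`, kept unless SignedValid."""
    findings = []
    for ev in proc_events:
        cl = ev["ProcessCommandLine"].lower()
        if ev["FileName"].lower() != "appcmd.exe" or "module" not in cl:
            continue
        if " add" not in cl and " install" not in cl:
            continue
        if ev["InitiatingProcessFileName"].lower() in ALLOWLIST \
                or ev["InitiatingProcessParentFileName"].lower() in ALLOWLIST:
            continue
        mod = extract_module(ev["ProcessCommandLine"])
        if mod is None or mod[2] is None:
            continue   # managed /type: modules carry no file path to pivot on
        for fe in file_events:
            if fe["DeviceId"] != ev["DeviceId"] or fe["FileName"].lower() != mod[2].lower():
                continue
            if not timedelta(0) <= ev["Timestamp"] - fe["Timestamp"] <= window:
                continue
            state = profile.get(fe["SHA256"], "Unknown")   # stand-in for invoke FileProfile()
            if state != "SignedValid":
                findings.append({"DeviceId": ev["DeviceId"], "CommandLine": ev["ProcessCommandLine"],
                                 "ModulePath": mod[1], "SHA256": fe["SHA256"], "SignatureState": state})
    return findings


def hunt_webshell_execution(proc_events):
    """cmd.exe / powershell.exe spawned by a web server process, summarised per command
    line: count, first and last seen, distinct days, distinct devices."""
    rows = {}
    for ev in proc_events:
        parent = ev["InitiatingProcessFileName"].lower()
        if ev["FileName"].lower() not in SHELLS or not any(w in parent for w in WEB_SERVERS):
            continue
        r = rows.setdefault(ev["ProcessCommandLine"], {"count": 0, "first": ev["Timestamp"],
                            "last": ev["Timestamp"], "days": set(), "devices": set()})
        r["count"] += 1
        r["first"], r["last"] = min(r["first"], ev["Timestamp"]), max(r["last"], ev["Timestamp"])
        r["days"].add(ev["Timestamp"].date())
        r["devices"].add(ev["DeviceName"])
    return {cl: {"count": r["count"], "first": r["first"], "last": r["last"],
                 "distinct_days": len(r["days"]), "distinct_devices": len(r["devices"])}
            for cl, r in rows.items()}


def _ev(ts, dev_id, dev_name, proc, cmd, parent, grandparent):
    return {"Timestamp": ts, "DeviceId": dev_id, "DeviceName": dev_name, "FileName": proc,
            "ProcessCommandLine": cmd, "InitiatingProcessFileName": parent,
            "InitiatingProcessParentFileName": grandparent}


T = datetime(2021, 3, 10, 9, 0)
PS = 'powershell.exe -nop -c "ipconfig /all"'
# Constructed DeviceProcessEvents-style rows (not real telemetry).
EVENTS = [
    _ev(T, "dev-1", "WEB01", "appcmd.exe",
        r'appcmd.exe install module /name:EvilModule /image:"%windir%\System32\inetsrv\evil.dll"', "cmd.exe", "w3wp.exe"),
    _ev(T + timedelta(hours=1), "dev-2", "WEB02", "appcmd.exe",
        r"appcmd.exe install module /name:UriCacheModule /image:%windir%\System32\inetsrv\cachuri.dll", "cmd.exe", "explorer.exe"),
    _ev(T + timedelta(hours=2), "dev-2", "WEB02", "appcmd.exe",
        'appcmd.exe add module /name:Demo /type:"Demo.Module, Demo, Version=1.0.0.0"', "iissetup.exe", "msiexec.exe"),
    _ev(T + timedelta(minutes=5), "dev-1", "WEB01", "cmd.exe", "cmd.exe /c whoami", "w3wp.exe", "svchost.exe"),
    _ev(T + timedelta(days=1), "dev-1", "WEB01", "powershell.exe", PS, "w3wp.exe", "svchost.exe"),
    _ev(T + timedelta(days=2), "dev-3", "WEB03", "powershell.exe", PS, "w3wp.exe", "svchost.exe"),
    _ev(T, "dev-1", "WEB01", "cmd.exe", "cmd.exe /c dir", "explorer.exe", "userinit.exe"),
]
# Constructed DeviceFileEvents rows and a stand-in for the FileProfile() signer lookup.
FILE_EVENTS = [
    {"Timestamp": T - timedelta(minutes=5), "DeviceId": "dev-1", "FileName": "evil.dll", "SHA256": "aa" * 32},
    {"Timestamp": T - timedelta(minutes=30), "DeviceId": "dev-2", "FileName": "cachuri.dll", "SHA256": "bb" * 32},
]
FILE_PROFILE = {"aa" * 32: "Unsigned", "bb" * 32: "SignedValid"}

if __name__ == "__main__":
    for f in hunt_suspicious_iis_module(EVENTS, FILE_EVENTS, FILE_PROFILE):
        print("suspicious IIS module:", f)
    for cl, r in hunt_webshell_execution(EVENTS).items():
        print("web shell execution:", cl, r)
```

Only the unsigned `evil.dll` registration survives the first hunt: the signed `cachuri.dll` is dropped by the signature check and the managed module by the iissetup.exe allow-list. The second hunt reports the `whoami` once and the PowerShell command line with two devices over two distinct days, which is the cross-host repetition the KQL summarize is meant to surface.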