· 6 years ago · Dec 07, 2019, 03:14 PM
http://localhost/kibana/app/kibana#/management/kibana/index?_g=()

http://localhost/cerebro/#/connect

NEW QUERY SYNTAX ALL IN ONE COMMAND:

cdqr in:HOSTNAME.zip -z --max_cpu --es_kb HOSTNAME

NEW QUERY SYNTAX TWO SEPARATE COMMANDS:

cdqr in:HOSTNAME.zip out:Results -z --max_cpu

cdqr in:Results/HOSTNAME.plaso --plaso_db --es_kb HOSTNAME

OLD QUERY SYNTAX (TWO EXAMPLES):

cdqr.py --max_cpu -p win --es_kb HOSTNAME -z HOSTNAME.zip

cdqr.py --max_cpu -p datt --es_kb HOSTNAME -z HOSTNAME.zip

case_cdqr-

CyLR.exe -u skadi -p skadi -s <Skadi IP address>

C:\Program Files\VMware\VMware OVF Tool>

Usage: ovftool [options] <source> [<target>]
where
<source>: Source URL locator to an OVF package, VMX file, or virtual machine in vCenter or on ESX Server.
<target>: Target URL locator which specifies either a file location, or a location in the vCenter inventory or on an ESX Server.

C:\Program Files\VMware\VMware OVF Tool\ovftool.exe "F:\VMWare\Skadi\Skadi Server 2019.1.ova" E:\ELK\Skadi001\

SKADI QUERIES:

Sysmon Examples to Search by GUID:

+"\{BA7C22B9-284A-5AFA-0000-0010B3BD5704\}"

+"\{CDBDA394-7A84-5AFB-0000-0010181C1500\}"

Sysmon Event Log - (3 Event ID) - Network Connect
Microsoft-Windows-Sysmon (Display the strings field to quickly identify Connections of Interest.)

Search for IPs:

xml_string:/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/ NOT 3.0.0.0 NOT 1.0.0.0 NOT 3.1.0.2

Sysmon Event Log - (1 Event ID) - Process Create
Microsoft-Windows-Sysmon (Display the strings field to quickly identify Processes of Interest.)

Search for IPs:

xml_string:/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/ NOT 3.0.0.0 NOT 1.0.0.0 NOT 3.1.0.2

Sysmon Event Log - (11 Event ID) - File Create
Microsoft-Windows-Sysmon (Display the strings field to quickly identify Binaries of Interest.)

Grep Search Sysmon Event Log (1, 3, and 11 Event IDs)
Source Name: Microsoft-Windows-Sysmon

+(event_identifier:1 OR event_identifier:3 OR event_identifier:11) AND /([a-z]{1}\.exe|[0-9]{1,12}\.exe|psexe.*|pskill|winexe.*|wsmprovhost.*|pssdn.*|framepkg.*|mimikatz.*|mimilib\.dll|mimidrv|wce\.exe|wce service.*|wceaux.*|nmap.*|mikatz.*|cifsmalware.*|fgdump|pwdump|gsecdump|cachedump|lsadump|plink\.exe|hook\.js|g0ne|cge\.pl|commix|crackle|searchsploit|msfconsole|msfvenom|metasploit|scanner|autopwn|misfortune*|setoolkit|shellnoob|sqlmap|yersinia)/

+(event_identifier:1 OR event_identifier:3 OR event_identifier:11) AND /(scvhost\.exe|scp\.exe|ssh\.exe|sshd\.exe|ping\.exe|ipconfig|cmd\.exe \/c|\\pipe\\|\.ps1|mim\.exe|ps\.exe|tmp\.vbs|tmp1\.vbs|samsam\.exe|del\.exe|selfdel\.exe|delfiletype\.exe|trojan|[0-9]{1,5}\.exe|[a-z]{1}\.exe|\.psd1|\.psm1|netinfo\.exe|regsvr32\.exe|xcopy\.exe|dumpcap\.exe|wireshark\.exe|route\.exe|portqry\.exe|\winpcap.*|eventvwr\.exe|taskkill\.exe|security risk found|7za\.exe|rar\.exe|\/\.\%|\/[a-z]{50}[^0-9]|quarantine|[a-z]{1}\.png|[a-z]{1}\.gif|[a-z]{1}\.jpg|[a-z]{1}\.jpeg|[a-z]{1}\.bmp|[a-z]{1}\.tif|[a-z]{1}\.tiff|[a-z]{1}\.exif|comspec)/ OR "temp \.exe"~10 OR "detected deleted"~10 OR "virus detected"~10 OR "file deleted"~10 OR "detected denied"~10 NOT /(sc\.exe|du\.exe|at\.exe)/

+(event_identifier:1 OR event_identifier:3 OR event_identifier:11) AND /(fgdump|pwdump|gsecdump|cachedump|lsadump|plink\.exe|hook\.js|g0ne|cge\.pl|commix|crackle|searchsploit|msfconsole|msfvenom|metasploit|scanner|autopwn|misfortune*|setoolkit|shellnoob|sqlmap|yersinia)/

Search for IPs:

xml_string:/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/ NOT 3.0.0.0 NOT 1.0.0.0 NOT 3.1.0.2

Microsoft Windows PowerShell Operational
Source Name: Microsoft-Windows-PowerShell

Powershell Event Log (400 and 600 Event IDs)
Source Name: PowerShell

Grep Search for IPs within the Powershell Event Logs:

/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/ NOT (HostVersion=1.0.0.0 OR HostVersion=1.1.0.0 OR 0.0.0.0 OR 2.0.0.0 OR 3.0.0.0 OR 3.1.0.0 OR 5.0.0.0)

Search for Base64 Encoded and Malicious Commands within the Powershell Event Logs:

/[0-9a-zA-Z\+=]{40,100}/

/encodedcommand|encoded|noni|nop|enc|webclient|download|empire|comspec/ OR "exec bypass"~2 OR "window hidden"~2 OR "windowstyle hidden"~2 OR "ep bypass"~2 OR "reg add"~2

/(dllinjection|wmicommand|gpppassword|keystrokes|timedscreenshot|vaultcredential|credentialinjection|mimikatz|ninjacopy|tokenmanipulation|minidump|volumeshadowcopytools|reflectivepeinjection|userhunter|gpolocation|aclscanner|downgradeaccount|serviceunquoted|servicefilepermission|servicepermission|serviceabuse|servicebinary|regautologon|vulnautorun|vulnschtask|unattendedinstallfile|applicationhost|regalwaysinstallelevated|unconstrained|regbackdoor|scrnsavebackdoor|backdoor|adsbackdoor|duplicatetoken|psuacme|lsasecret|passhashes|mimikatz|targetscreen|scan|poshrathttp|powershelltcp|powershellwmi|exfiltration|persistence)/

/(exfiltration|captureserver|dllinjection|reflectivepeinjection|chromedump|clipboardcontents|foxdump|indexeditem|keystrokes|screenshot|inveigh|netripper|ninjacopy|minidump|egresscheck|postexfil|psinject|runas|mailraider|new-honeyhash|macattribute|vaultcredential|dcsync|mimikatz|powerdump|tokenmanipulation|jboss|thunderstruck|voicetroll|wallpaper|inveighrelay|psexec|sshcommand|securitypackages|ssp|backdoorlnk|powerbreach|gpppassword|sitelistpassword|bypassuac|tater|wscriptbypassuac|powerup|powerview|rickastley|fruit|http-login|trusteddocuments|paranoia|winenum|arpscan|portscan|reversednslookup|smbscanner|mimikitten|dumpcreds|shellcode|sysinternals)/
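
The three searches above look for base64 runs and for PowerShell keywords, but an -EncodedCommand payload keeps its keywords inside the blob, so the blob has to be decoded (PowerShell expects UTF-16LE under base64) before the keyword list means anything. The following Python is an added example, not code from the page, Skadi or CDQR. The sample lines are constructed; term matching is whole-token, the way a Lucene regex query matches analyzed terms (so `nop` hits `-NoP` but not `-NoProfile`); and the base64 class adds `/`, which the page's `[0-9a-zA-Z\+=]` pattern omits and which would otherwise cut a real blob in two.

```python
import base64
import binascii
import re

# Constructed sample lines in the shape of the HostApplication field of
# PowerShell 400/600 events (not real log data). The second line carries an
# -EncodedCommand payload built here from a harmless command.
_HARMLESS = "Write-Output 'hello'"
_ENCODED = base64.b64encode(_HARMLESS.encode("utf-16le")).decode("ascii")

SAMPLE_LINES = [
    "HostApplication=powershell.exe -NoProfile Get-Process",
    "HostApplication=powershell.exe -NoP -NonI -W Hidden -Enc " + _ENCODED,
    "HostApplication=powershell.exe -ep bypass -c (New-Object Net.WebClient).DownloadString('http://example.invalid/a')",
]

# Single terms and proximity pairs from the queries above.
KEYWORDS = {"encodedcommand", "encoded", "noni", "nop", "enc",
            "webclient", "download", "empire", "comspec"}
PROXIMITY = [("exec", "bypass"), ("window", "hidden"),
             ("windowstyle", "hidden"), ("ep", "bypass"), ("reg", "add")]
PROXIMITY_SLOP = 2

# Standard base64 alphabet. The page's class omits '/', which would cut a blob
# in two; no upper bound, because a payload must be matched whole to decode.
B64_RUN = re.compile(r"[A-Za-z0-9+/=]{40,}")


def tokens(text):
    """Lowercase alphanumeric tokens, roughly what the standard analyzer produces."""
    return re.findall(r"[a-z0-9]+", text.lower())


def proximity_hits(toks, slop=PROXIMITY_SLOP):
    """Pairs whose two terms occur within `slop` token positions of each other."""
    hits = []
    for a, b in PROXIMITY:
        pos_a = [i for i, t in enumerate(toks) if t == a]
        pos_b = [i for i, t in enumerate(toks) if t == b]
        if any(abs(i - j) <= slop for i in pos_a for j in pos_b):
            hits.append(f"{a} {b}")
    return hits


def decode_powershell_b64(blob):
    """Decode an -EncodedCommand payload (UTF-16LE under base64); None if it is not one."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def scan_line(line):
    """Keyword, proximity and decoded-payload findings for one event line."""
    toks = tokens(line)
    decoded = [d for d in map(decode_powershell_b64, B64_RUN.findall(line)) if d]
    # Check the decoded text too: the interesting words live inside the blob,
    # not in the visible command line.
    for text in decoded:
        toks += tokens(text)
    return {"keywords": sorted(KEYWORDS & set(toks)),
            "proximity": proximity_hits(toks),
            "decoded": decoded}


def scan_lines(lines):
    return [dict(index=i, **scan_line(line)) for i, line in enumerate(lines)]


if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LINES):
        if finding["keywords"] or finding["proximity"] or finding["decoded"]:
            print(finding)
```

Run as a script it prints the findings for the constructed lines. The third line shows why the bare `download` term misses `DownloadString` (the analyzer keeps it as one token) while the `ep bypass` proximity pair still fires; the first line shows that `-NoProfile` does not trip the `nop` term under whole-token matching.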

Grep Search for Web Addresses within the Powershell Event Logs:

strings:/[A-Za-z0-9]{3,10}\.[A-Za-z0-9]{3,10}\.[A-Za-z0-9]{3,10}/ NOT (cfo.csirs.com OR microsoft.update.session OR droppedapp.path.indexof OR params.value.add OR system.windows.forms OR microsoft.powershell.utility OR microsoft.powershell.core OR vendor.mgt.fax OR Microsoft.Windows.Diagnosis OR www.digicert.com OR Appx.format.ps1xml OR schemas.microsoft.com OR dism.types.ps1xml OR dism.format.ps1xml OR dnsconfig.types.ps1xml OR getevent.types.ps1xml OR event.format.ps1xml OR pki.types.ps1xml)

PowerShell - Clear Unicode Characters:

tr -cd '\11\12\15\40-\176' < Script.txt > Out.txt

Microsoft Windows WMI Activity Operational Event Log (5861 and 5859 Event IDs)
Source Name: Microsoft-Windows-WMI-Activity

+(event_identifier:5861 OR event_identifier:5859)

Security Event Log - Logons (4624 Event IDs - External IP)
Source Name: Microsoft-Windows-Security-Auditing

+(event_identifier:4624) (xml_string:"\>Data Name=\"LogonType\"\>3\</Data\>" OR xml_string:"\>Data Name=\"LogonType\"\>4\</Data\>" OR xml_string:"\>Data Name=\"LogonType\"\>5\</Data\>" OR xml_string:"\>Data Name=\"LogonType\"\>7\</Data\>" OR xml_string:"\>Data Name=\"LogonType\"\>8\</Data\>" OR xml_string:"\>Data Name=\"LogonType\"\>10\</Data\>" OR xml_string:"\>Data Name=\"LogonType\"\>11\</Data\>") NOT xml_string:"\<Data Name=\"IpAddress\"\>-\</Data\>" NOT /(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.16\.[0-9]{1,3}\.[0-9]{1,3}|172\.17\.[0-9]{1,3}\.[0-9]{1,3}|172\.18\.[0-9]{1,3}\.[0-9]{1,3}|172\.19\.[0-9]{1,3}\.[0-9]{1,3}|172\.20\.[0-9]{1,3}\.[0-9]{1,3}|172\.21\.[0-9]{1,3}\.[0-9]{1,3}|172\.22\.[0-9]{1,3}\.[0-9]{1,3}|172\.23\.[0-9]{1,3}\.[0-9]{1,3}|172\.24\.[0-9]{1,3}\.[0-9]{1,3}|172\.25\.[0-9]{1,3}\.[0-9]{1,3}|172\.26\.[0-9]{1,3}\.[0-9]{1,3}|172\.27\.[0-9]{1,3}\.[0-9]{1,3}|172\.28\.[0-9]{1,3}\.[0-9]{1,3}|172\.29\.[0-9]{1,3}\.[0-9]{1,3}|172\.30\.[0-9]{1,3}\.[0-9]{1,3}|127\.0\.0\.1|172\.31\.[0-9]{1,3}\.[0-9]{1,3}|fe80)/ NOT (xml_string:"\<Data Name=\"IpAddress\"\>::1\</Data\>")

Security Event Log - Logons (4624 Event IDs - External Host Name)
Source Name: Microsoft-Windows-Security-Auditing

+(event_identifier:4624) (xml_string:"\>Data Name=\"LogonType\"\>3\</Data\>" OR xml_string:"\>Data Name=\"LogonType\"\>4\</Data\>" OR xml_string:"\>Data Name=\"LogonType\"\>5\</Data\>" OR xml_string:"\>Data Name=\"LogonType\"\>7\</Data\>" OR xml_string:"\>Data Name=\"LogonType\"\>8\</Data\>" OR xml_string:"\>Data Name=\"LogonType\"\>10\</Data\>" OR xml_string:"\>Data Name=\"LogonType\"\>11\</Data\>") AND xml_string:"\<Data Name=\"IpAddress\"\>-\</Data\>" NOT xml_string:"\<Data Name=\"WorkstationName\"\>-\</Data\>"
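
Both 4624 queries above do two things at once: keep the remote logon types (3, 4, 5, 7, 8, 10, 11) and then drop RFC 1918, loopback and link-local sources with a regex over the whole xml_string, so a `10.`-plus-digits or `fe80` anywhere in the event (a workstation name, a version string) also excludes it. The Python below is an added example, not code from the page, Skadi or CDQR: it parses the EventData fields and applies the same exclusions with `ipaddress` networks, which additionally validates octets (the regex accepts `10.999.1.1`). The event fragments are constructed and use a documentation address range for the "outside" source; the namespace handling is there because real exports carry the Windows event schema namespace on every tag.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Logon types the queries above keep: network, batch, service, unlock,
# network cleartext, remote interactive, cached interactive.
REMOTE_LOGON_TYPES = {"3", "4", "5", "7", "8", "10", "11"}

# The ranges the NOT-regex above excludes, as networks rather than patterns.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 (172.16 through 172.31)
    "127.0.0.0/8", "::1/128",                           # loopback
    "169.254.0.0/16", "fe80::/10",                      # link-local
)]


def _event(event_id, logon_type, workstation, ip, user="alice"):
    """Constructed EventData fragment in the shape CDQR keeps in xml_string."""
    return (event_id,
            "<EventData>"
            f'<Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="LogonType">{logon_type}</Data>'
            f'<Data Name="WorkstationName">{workstation}</Data>'
            f'<Data Name="IpAddress">{ip}</Data>'
            "</EventData>")


# Constructed sample events; 203.0.113.0/24 is a documentation range standing
# in for an address outside the organisation.
SAMPLE_EVENTS = [
    _event(4624, 10, "WS01", "203.0.113.7"),   # RDP logon from outside RFC 1918 space
    _event(4624, 3, "FS01", "192.168.1.20"),   # ordinary internal network logon
    _event(4624, 3, "FS01", "-"),              # no IP recorded, workstation name present
    _event(4624, 2, "-", "-"),                 # interactive console logon
    _event(4624, 3, "-", "::1"),               # IPv6 loopback
    _event(4624, 10, "WS02", "fe80::1"),       # link-local
    _event(4625, 3, "-", "203.0.113.9"),       # failed logon: the 4625 query's job
]


def event_data(xml):
    """Map Data/@Name to text; the tag test ignores the event-schema namespace."""
    root = ET.fromstring(xml)
    return {el.get("Name"): (el.text or "").strip()
            for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "Data"}


def is_internal(addr):
    """True for RFC 1918, loopback and link-local; raises ValueError on junk."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify_logon(event_id, xml):
    """'external_ip', 'remote_hostname_only', 'unparsed_address' or None."""
    if event_id != 4624:
        return None
    data = event_data(xml)
    if data.get("LogonType") not in REMOTE_LOGON_TYPES:
        return None
    ip = data.get("IpAddress", "-")
    if ip == "-":
        # Second query above: no address, but a workstation name to pivot on.
        return "remote_hostname_only" if data.get("WorkstationName", "-") != "-" else None
    try:
        return None if is_internal(ip) else "external_ip"
    except ValueError:
        return "unparsed_address"   # surface it rather than silently drop it


def find_remote_logons(events):
    """Events worth a look, with the user and the source to pivot on."""
    findings = []
    for index, (event_id, xml) in enumerate(events):
        category = classify_logon(event_id, xml)
        if not category:
            continue
        data = event_data(xml)
        source = (data.get("WorkstationName") if category == "remote_hostname_only"
                  else data.get("IpAddress"))
        findings.append({"index": index, "category": category,
                         "user": data.get("TargetUserName"), "source": source})
    return findings


if __name__ == "__main__":
    for finding in find_remote_logons(SAMPLE_EVENTS):
        print(finding)
```

The `unparsed_address` category exists because an IpAddress value that is neither `-` nor a valid address is exactly the kind of record the regex version drops without telling you.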

Security Event Log - Logons & Logoffs (4624,4648,4672,4634,4625,4647,4776 Event IDs)
Source Name: Microsoft-Windows-Security-Auditing

(xml_string:"\<EventID\>4624\</EventID\>" OR xml_string:"\<EventID\>4648\</EventID\>" OR xml_string:"\<EventID\>4672\</EventID\>" OR xml_string:"\<EventID\>4634\</EventID\>" OR xml_string:"\<EventID\>4625\</EventID\>" OR xml_string:"\<EventID\>4647\</EventID\>" OR xml_string:"\<EventID\>4776\</EventID\>")

Security Event Log - Processes (4648 Event ID)
Source Name: Microsoft-Windows-Security-Auditing

+(event_identifier:4648) NOT /(taskhostw?\.exe|services\.exe|winlogon\.exe|lsass\.exe|slnet\.exe|sldms\.exe|slhelper\.exe|presentationhost\.exe|dataminercube\.exe|svchost\.exe|w3wp\.exe|slprotocol\.exe|TrustedInstaller\.exe|rundll32\.exe|tomcat|arcserve|wininit\.exe|mmc\.exe|consent\.exe|w3wp\.exe|none)/

Security Event Log - New Service (4697 Event ID)
Source Name: Microsoft-Windows-Security-Auditing

+(event_identifier:4697) AND /([a-z]{1}\.exe|[0-9]{1,12}\.exe|psexe.*|pskill|winexe.*|wsmprovhost.*|pssdn.*|framepkg.*|mimikatz.*|mimilib\.dll|mimidrv|wce\.exe|wce service.*|wceaux.*|nmap.*|mikatz.*|cifsmalware.*|fgdump|pwdump|gsecdump|cachedump|lsadump|plink\.exe|hook\.js|g0ne|cge\.pl|commix|crackle|searchsploit|msfconsole|msfvenom|metasploit|scanner|autopwn|misfortune*|setoolkit|shellnoob|sqlmap|yersinia)/

+(event_identifier:4697) AND /(scvhost\.exe|scp\.exe|ssh\.exe|sshd\.exe|ping\.exe|ipconfig|cmd\.exe \/c|\\pipe\\|\.ps1|mim\.exe|ps\.exe|tmp\.vbs|tmp1\.vbs|samsam\.exe|del\.exe|selfdel\.exe|delfiletype\.exe|trojan|[0-9]{1,5}\.exe|[a-z]{1}\.exe|\.psd1|\.psm1|netinfo\.exe|regsvr32\.exe|xcopy\.exe|dumpcap\.exe|wireshark\.exe|route\.exe|cleanup|[0-9a-zA-Z\+=]{40,100})/ NOT /(sc\.exe|du\.exe|at\.exe)/

+(event_identifier:4697) AND /(portqry\.exe|\winpcap.*|eventvwr\.exe|taskkill\.exe|security risk found|7za\.exe|rar\.exe|\/\.\%|\/[a-z]{50}[^0-9]|quarantine|[a-z]{1}\.png|[a-z]{1}\.gif|[a-z]{1}\.jpg|[a-z]{1}\.jpeg|[a-z]{1}\.bmp|[a-z]{1}\.tif|[a-z]{1}\.tiff|[a-z]{1}\.exif|comspec)/ OR "temp \.exe"~10 OR "detected deleted"~10 OR "virus detected"~10 OR "file deleted"~10 OR "detected denied"~10 NOT /(sc\.exe|du\.exe|at\.exe)/

Security Event Log - Processes (4688,4689 Event IDs)
Source Name: Microsoft-Windows-Security-Auditing

+(event_identifier:4688 OR event_identifier:4689) AND /([a-z]{1}\.exe|[0-9]{1,12}\.exe|psexe.*|pskill|winexe.*|wsmprovhost.*|pssdn.*|framepkg.*|mimikatz.*|mimilib\.dll|mimidrv|wce\.exe|wce service.*|wceaux.*|nmap.*|mikatz.*|cifsmalware.*)/

+(event_identifier:4688 OR event_identifier:4689) AND /(fgdump|pwdump|gsecdump|cachedump|lsadump|plink\.exe|hook\.js|g0ne|cge\.pl|commix|crackle|searchsploit|msfconsole|msfvenom|metasploit|scanner|autopwn|misfortune*|setoolkit|shellnoob|sqlmap|yersinia)/

+(event_identifier:4688 OR event_identifier:4689) AND /(scvhost\.exe|scp\.exe|ssh\.exe|sshd\.exe|ping\.exe|ipconfig|cmd\.exe \/c|\\pipe\\|\.ps1|mim\.exe|ps\.exe|tmp\.vbs|tmp1\.vbs|samsam\.exe|del\.exe|selfdel\.exe|delfiletype\.exe|trojan|[0-9]{1,5}\.exe|[a-z]{1}\.exe)/

+(event_identifier:4688 OR event_identifier:4689) AND /(\.psd1|\.psm1|netinfo\.exe|regsvr32\.exe|xcopy\.exe|dumpcap\.exe|wireshark\.exe|route\.exe|portqry\.exe|\winpcap.*|eventvwr\.exe|taskkill\.exe|security risk found|7za\.exe|rar\.exe|\/\.\%|\/[a-z]{50}[^0-9]|quarantine|[a-z]{1}\.png|[a-z]{1}\.gif|[a-z]{1}\.jpg|[a-z]{1}\.jpeg|[a-z]{1}\.bmp|[a-z]{1}\.tif|[a-z]{1}\.tiff|[a-z]{1}\.exif|comspec)/

+(event_identifier:4688 OR event_identifier:4689) AND /(quanser40\.exe|kprocesshacker\.sys|processhacker\.exe|peview\.exe|nc share v\.2\.exe|pchunter64\.exe|ph\.exe|wincdemu-4\.1\.exe|raevomx.exe|webbrwoserpassview\.exe|pspv\.exe|passwordfox\.exe|mailpv\.exe|dialupass\.exe|bulletspassview64\.exe|mimkatz\.exe|wirelesskeyview64\.exe|wirelesskeyview\.exe|operapassview\.exe|vncpassview\.exe|routerpassview\.exe|sniffpass\.exe|rdpv\.exe|pstpassword\.exe|passwordfox64\.exe|netpass64\.exe|mimilib\.dll|mimidrv\.sys|defendercontrol\.exe|expressvpn.*|pchunter64\.exe|kportscan3\.exe|nlbrute.*|netpass\.exe|mspass\.exe|iepv\.exe|bulletspassview\.exe|chromepass\.exe|mimilove\.exe|86\.exe|64\.exe|processhacker\.exe|peview\.exe|kprocesshacker\.sys|quanser50\.exe|cmdkey\.exe)/

DUE TO THE SIZE, ONLY USE THIS QUERY IF A SINGLE HOST IS INDEXED WITHIN THE SKADI ELK STACK!

+(event_identifier:4688 OR event_identifier:4689) NOT /(cmd\.exe|arp\.exe|java\.exe|sc\.exe|conhost\.exe|wmiprvse\.exe|netstat\.exe|updatetrustedsites\.exe|mode\.com|taskhostw\.exe|wermgr\.exe|taniumclient\.exe|wevtutil\.exe|snmp\.exe|apphostregistrationverifier\.exe|net1\.exe|trustedinstaller\.exe|compattelrunner\.exe|devicecensus\.exe|installagent\.exe|wsqmcons\.exe|ielowutil\.exe|usoclient\.exe|backgroundtaskhost\.exe|policyhost\.exe|msfeedssync\.exe|ccmeval\.exe|ccmsetup\.exe|wmiapsrv\.exe|weffault\.exe|sppsvc\.exe|\\windows\\system32\\svchost\.exe|dllhost\.exe|slui\.exe|sihclient\.exe|symerr\.exe|smss\.exe|csrss\.exe|winlogon\.exe|logonui\.exe|dwm\.exe|tstheme\.exe|rdpclip\.exe|atbroker\.exe|werfault\.exe|chcp\.com|wrapper-windows-x86-64\.exe|wmi_collector\.exe|powershell\.exe|mpsigstub\.exe|am_delta_patch_*|mpcmdrun\.exe|msmpeng\.exe|emet_agent\.exe|mcbuilder\.exe|msdtc\.exe|autochk\.exe|wininit\.exe|services\.exe|lsass\.exe|lpremove\.exe|bcdedit\.exe|mofcomp\.exe|coregen\.exe|msiexec\.exe|ngen\.exe|smsswd\.exe|rundll32\.exe|oobeldr\.exe|utilman\.exe|w32tm\.exe|tsprogressui\.exe|dismhost\.exe|grpconv\.exe|wowreg32\.exe|musnotificationux\.exe|poqexec\.exe|sccmrdpsystem\.exe|vmwareresolutionset\.exe|ramgmtui\.exe|scnotification\.exe|sctoastnotification\.exe|isccisco5\.exe|taskhost\.exe|taskeng\.exe|googleupdate\.exe|w3wp\.exe|ceipdata\.exe|ceiprole\.exe|aitagent\.exe|mpnotify\.exe|servermanagerlauncher\.exe|drvinst\.exe|iissetup\.exe|ie4uinit\.exe|consent\.exe|mscorsvw\.exe|setspn\.exe|vds\.exe|net\.exe|cscript\.exe|taskkill\.exe|taskhostex\.exe|ngentask\.exe|makecab\.exe|tzsync\.exe|defrag\.exe|vssvc\.exe|vdsldr\.exe|tiworker\.exe|schtasks\.exe|gpscript\.exe|spoolsv\.exe|wscript\.exe|vmtoolsd\.exe|cmrcservice\.exe|wmiadap\.exe|netcfg\.exe|tanium client|cvtres\.exe|zip\.exe|hostname\.exe|netsh\.exe|momperfsnapshothelper\.exe|cslogagent\.exe|splunk|monitoringhost\.exe|mcdatrep.exe|ruby\.exe|wmic\.exe|tasklist\.exe|mcscript_inuse\.exe|vbc\.exe|findstr\.exe|secedit\.exe|wsmprovhost\.exe|iisconfig\.exe|visualstudioremotedeployer\.exe|amupdate\.exe|appcmd\.exe|csc\.exe|macomserver\.exe|lcmgr_x64\.exe|auditpol\.exe|userinit\.exe|explorer\.exe|updaterui\.exe|bginfo\.exe|notepad\.exe|whoami\.exe|dotnet\.exe|runonce\.exe|inetmgr\.exe|svchost\.exe|winmgmt\.exe|ddna\.exe|fdpro\.exe|mrt\.exe|powercfg\.exe|tracelogsm\.exe|entvutil\.exe|mcscancheck\.exe|reg\.exe|vtpinfo\.exe|identify\.exe|perl\.exe|sppextcomobj\.exe|taskmgr\.exe|filebeat\.exe|metricbeat\.exe|mfefire\.exe|mcshield\.exes|splunk\.exe|splunkd\.exe|btool\.exe|wlrmdr\.exe|servermanager\.exe|gup\.exe|robocopy\.exe|shstat\.exe|mmc\.exe|jusched\.exe|pdfinfo\.exe|convert\.exe|mogrify\.exe|odl_rotatelogs\.exe|healthservice\.exe|mfecanary\.exe|mfehcs\.exe|mfeesp\.exe|ccmexec\.exe|adrci\.exe|mfemactl\.exe|macompatsvc\.exe|masvc\.exe|pferemediation\.exe|mfemms\.exe|essmsh\.exe|mcshield\.exe|apache\.exe|7z\.exe|opmn\.exe|arswww\.cgi)/ NOT googlecrashhandler64\.exe

Security Event Log - Processes (4624,4634,4647,4688,4689 Event IDs)
Source Name: Microsoft-Windows-Security-Auditing

(The example query below MUST BE CHANGED to use the Logon IDs of interest!)

+(event_identifier:4624 OR event_identifier:4634 OR event_identifier:4647 OR event_identifier:4688 OR event_identifier:4689) AND (xml_string:"\"TargetLogonID\"\>0x00000000605ff46f\</Data\>" OR xml_string:"\"TargetLogonID\"\>0x00000000605ff49f\</Data\>" OR xml_string:"\"TargetLogonID\"\>0x00000000605ff5c4\</Data\>" OR xml_string:"\"TargetLogonID\"\>0x00000000605ff707\</Data\>" OR xml_string:"\"TargetLogonID\"\>0x0000000069cc1090\</Data\>" OR xml_string:"\"TargetLogonID\"\>0x0000000069cc1230\</Data\>" OR xml_string:"\"TargetLogonID\"\>0x0000000069cc12d4\</Data\>" OR xml_string:"\"TargetLogonID\"\>0x0000000069cc1303\</Data\>" OR xml_string:"\"TargetLogonID\"\>0x0000000069f368d3\</Data\>" OR xml_string:"\"TargetLogonID\"\>0x0000000069f36a21\</Data\>" OR xml_string:"\"TargetLogonID\"\>0x0000000069f36a51\</Data\>" OR xml_string:"\"TargetLogonID\"\>0x0000000069f36a8a\</Data\>" OR xml_string:"\"TargetLogonID\"\>0x000000006a15dd56\</Data\>" OR xml_string:"\"TargetLogonID\"\>0x000000006a15dd7e\</Data\>" OR xml_string:"\"TargetLogonID\"\>0x000000006a15dd94\</Data\>" OR xml_string:"\"TargetLogonID\"\>0x000000006a15de36\</Data\>")
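
The logon IDs in the query above are per-case values that have to be replaced by hand, and the point of the query is the pivot: one 4624 mints a logon ID, and every 4688/4689 in that session carries it. The Python below is an added example, not code from the page, Skadi or CDQR: `build_logon_id_query` renders the query string in the form used above from a list of IDs, and `sessions_for` performs the same correlation offline on constructed events (timestamps and process paths are made up; the logon IDs are taken from the query above). It assumes the session is tied to 4624/4634/4647 through TargetLogonId and to 4688/4689 through SubjectLogonId, the creating session's ID; an `orphan` session is one with processes but no 4624 in the collected range.

```python
from collections import defaultdict

# The five event IDs the query above pivots on.
EVENT_IDS = (4624, 4634, 4647, 4688, 4689)


def build_logon_id_query(logon_ids):
    """Render the Kibana query in the form used above for the given logon IDs."""
    ids = " OR ".join(f"event_identifier:{e}" for e in EVENT_IDS)
    clauses = " OR ".join(
        f'xml_string:"\\"TargetLogonID\\"\\>{lid}\\</Data\\>"' for lid in logon_ids)
    return f"+({ids}) AND ({clauses})"


# Constructed events: (timestamp, event_id, logon_id, detail). Timestamps and
# paths are made up; the logon IDs are two from the query above plus one that
# is not of interest. Assumed field mapping: the logon ID is TargetLogonId for
# 4624/4634/4647 and SubjectLogonId (the creating session) for 4688/4689.
SAMPLE_EVENTS = [
    ("2019-12-01T08:00:00", 4624, "0x00000000605ff46f", "alice, logon type 10"),
    ("2019-12-01T08:00:05", 4688, "0x00000000605ff46f", r"C:\Windows\System32\cmd.exe"),
    ("2019-12-01T08:00:09", 4688, "0x00000000605ff46f", r"C:\Users\alice\AppData\Local\Temp\a.exe"),
    ("2019-12-01T08:01:30", 4689, "0x00000000605ff46f", r"C:\Users\alice\AppData\Local\Temp\a.exe"),
    ("2019-12-01T08:02:00", 4647, "0x00000000605ff46f", "alice, user-initiated logoff"),
    ("2019-12-01T08:00:07", 4688, "0x00000000605ff49f", r"C:\Windows\System32\svchost.exe"),
    ("2019-12-01T09:00:00", 4624, "0x0000000069cc1090", "bob, logon type 2"),
]


def sessions_for(events, logon_ids):
    """Per logon ID of interest: logon time, logoff time, processes created, and
    whether the session's 4624 is missing from the collected range."""
    wanted = set(logon_ids)
    by_id = defaultdict(list)
    for ev in sorted(events):            # ISO-8601 timestamps sort lexically
        if ev[2] in wanted:
            by_id[ev[2]].append(ev)
    summary = {}
    for lid, evs in by_id.items():
        summary[lid] = {
            "logon": next((t for t, e, _, _ in evs if e == 4624), None),
            "logoff": next((t for t, e, _, _ in evs if e in (4634, 4647)), None),
            "processes": [d for _, e, _, d in evs if e == 4688],
            # Processes but no 4624: the logon happened before collection
            # started, or the Security log has rolled over.
            "orphan": not any(e == 4624 for _, e, _, _ in evs),
        }
    return summary


if __name__ == "__main__":
    ids_of_interest = ["0x00000000605ff46f", "0x00000000605ff49f"]
    print(build_logon_id_query(ids_of_interest))
    for lid, session in sessions_for(SAMPLE_EVENTS, ids_of_interest).items():
        print(lid, session)
```

Generating the query from a list keeps the hand-edited IDs in one place, and the offline summary is the sanity check for what Kibana returns: a session that shows processes but no 4624 means the collection window, not the host, is the limit.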

Security Event Log - Unsuccessful Logons (4625 Event ID)
Source Name: Microsoft-Windows-Security-Auditing

+(event_identifier:4625) NOT xml_string:"\<Data Name=\"IpAddress\"\>-\</Data\>" NOT /(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.16\.[0-9]{1,3}\.[0-9]{1,3}|172\.17\.[0-9]{1,3}\.[0-9]{1,3}|172\.18\.[0-9]{1,3}\.[0-9]{1,3}|172\.19\.[0-9]{1,3}\.[0-9]{1,3}|172\.20\.[0-9]{1,3}\.[0-9]{1,3}|172\.21\.[0-9]{1,3}\.[0-9]{1,3}|172\.22\.[0-9]{1,3}\.[0-9]{1,3}|172\.23\.[0-9]{1,3}\.[0-9]{1,3}|172\.24\.[0-9]{1,3}\.[0-9]{1,3}|172\.25\.[0-9]{1,3}\.[0-9]{1,3}|172\.26\.[0-9]{1,3}\.[0-9]{1,3}|172\.27\.[0-9]{1,3}\.[0-9]{1,3}|172\.28\.[0-9]{1,3}\.[0-9]{1,3}|172\.29\.[0-9]{1,3}\.[0-9]{1,3}|172\.30\.[0-9]{1,3}\.[0-9]{1,3}|127\.0\.0\.1|172\.31\.[0-9]{1,3}\.[0-9]{1,3}|fe80)/

Security Event Log - Permitted a Connection & Bind to Port (5156,5158 Event IDs)
Source Name: Microsoft-Windows-Security-Auditing

+(event_identifier:5156 OR event_identifier:5158) NOT /(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.16\.[0-9]{1,3}\.[0-9]{1,3}|172\.17\.[0-9]{1,3}\.[0-9]{1,3}|172\.18\.[0-9]{1,3}\.[0-9]{1,3}|172\.19\.[0-9]{1,3}\.[0-9]{1,3}|172\.20\.[0-9]{1,3}\.[0-9]{1,3}|172\.21\.[0-9]{1,3}\.[0-9]{1,3}|172\.22\.[0-9]{1,3}\.[0-9]{1,3}|172\.23\.[0-9]{1,3}\.[0-9]{1,3}|172\.24\.[0-9]{1,3}\.[0-9]{1,3}|172\.25\.[0-9]{1,3}\.[0-9]{1,3}|172\.26\.[0-9]{1,3}\.[0-9]{1,3}|172\.27\.[0-9]{1,3}\.[0-9]{1,3}|172\.28\.[0-9]{1,3}\.[0-9]{1,3}|172\.29\.[0-9]{1,3}\.[0-9]{1,3}|172\.30\.[0-9]{1,3}\.[0-9]{1,3}|127\.0\.0\.1|172\.31\.[0-9]{1,3}\.[0-9]{1,3}|0\.0\.0\.0)/ NOT (xml_string:"\<Data Name=\"SourceAddress\"\>::\</Data\>" OR xml_string:"\<Data Name=\"SourceAddress\"\>::1\</Data\>" OR fe80)

Security Event Log - IPC$ Connections (5140,5145 Event IDs)
Source Name: Microsoft-Windows-Security-Auditing

+(event_identifier:5140 OR event_identifier:5145) NOT /(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.16\.[0-9]{1,3}\.[0-9]{1,3}|172\.17\.[0-9]{1,3}\.[0-9]{1,3}|172\.18\.[0-9]{1,3}\.[0-9]{1,3}|172\.19\.[0-9]{1,3}\.[0-9]{1,3}|172\.20\.[0-9]{1,3}\.[0-9]{1,3}|172\.21\.[0-9]{1,3}\.[0-9]{1,3}|172\.22\.[0-9]{1,3}\.[0-9]{1,3}|172\.23\.[0-9]{1,3}\.[0-9]{1,3}|172\.24\.[0-9]{1,3}\.[0-9]{1,3}|172\.25\.[0-9]{1,3}\.[0-9]{1,3}|172\.26\.[0-9]{1,3}\.[0-9]{1,3}|172\.27\.[0-9]{1,3}\.[0-9]{1,3}|172\.28\.[0-9]{1,3}\.[0-9]{1,3}|172\.29\.[0-9]{1,3}\.[0-9]{1,3}|172\.30\.[0-9]{1,3}\.[0-9]{1,3}|127\.0\.0\.1|172\.31\.[0-9]{1,3}\.[0-9]{1,3}|0\.0\.0\.0)/ NOT (xml_string:"\<Data Name=\"SourceAddress\"\>::\</Data\>" OR xml_string:"\<Data Name=\"SourceAddress\"\>::1\</Data\>" OR fe80)

Security Event Log - Creation of Accounts and Group Membership (4720,4722,4723,4724,4726,4728,4732,4735,4738,4740,4756,4767, and 4782 Event IDs)
Source Name: Microsoft-Windows-Security-Auditing

4720 - A user account was created
4722 - A user account was enabled
4723 - An attempt was made to change an account's password
4724 - An attempt was made to reset an account's password
4726 - A user account was deleted
4728 - A member was added to a security-enabled global group
4732 - A member was added to a security-enabled local group
4735 - A security-enabled local group was changed
4738 - A user account was changed
4740 - A user account was locked out
4756 - A member was added to a security-enabled universal group
4767 - A user account was unlocked
4782 - The password hash for an account was accessed

+(event_identifier:4720 OR event_identifier:4722 OR event_identifier:4723 OR event_identifier:4724 OR event_identifier:4726 OR event_identifier:4728 OR event_identifier:4732 OR event_identifier:4735 OR event_identifier:4738 OR event_identifier:4740 OR event_identifier:4756 OR event_identifier:4767 OR event_identifier:4782)

Security Event Log - Scheduled Tasks (4698,4699,4700,4701,4702 Event IDs)
Source Name: Microsoft-Windows-Security-Auditing

4698: Scheduled Task Created
4699: Scheduled Task Deleted
4700: Scheduled Task Enabled
4701: Scheduled Task Disabled
4702: Scheduled Task Updated

+(event_identifier:4698 OR event_identifier:4699 OR event_identifier:4700 OR event_identifier:4701 OR event_identifier:4702) AND /([a-z]{1}\.exe|[0-9]{1,12}\.exe|psexe.*|pskill|winexe.*|wsmprovhost.*|pssdn.*|framepkg.*|mimikatz.*|mimilib\.dll|mimidrv|wce\.exe|wce service.*|wceaux.*|nmap.*|mikatz.*|cifsmalware.*)/

+(event_identifier:4698 OR event_identifier:4699 OR event_identifier:4700 OR event_identifier:4701 OR event_identifier:4702) AND /(fgdump|pwdump|gsecdump|cachedump|lsadump|plink\.exe|hook\.js|g0ne|cge\.pl|commix|crackle|searchsploit|msfconsole|msfvenom|metasploit|scanner|autopwn|misfortune*|setoolkit|shellnoob|sqlmap|yersinia)/

+(event_identifier:4698 OR event_identifier:4699 OR event_identifier:4700 OR event_identifier:4701 OR event_identifier:4702) AND /(scvhost\.exe|scp\.exe|ssh\.exe|sshd\.exe|ping\.exe|ipconfig|cmd\.exe \/c|\\pipe\\|\.ps1|mim\.exe|ps\.exe|tmp\.vbs|tmp1\.vbs|samsam\.exe|del\.exe|selfdel\.exe|delfiletype\.exe|trojan|[0-9]{1,5}\.exe|[a-z]{1}\.exe|\.psd1|\.psm1|netinfo\.exe|regsvr32\.exe|xcopy\.exe|dumpcap\.exe|wireshark\.exe|route\.exe|portqry\.exe|\winpcap.*|eventvwr\.exe|taskkill\.exe|security risk found|7za\.exe|rar\.exe|\/\.\%|\/[a-z]{50}[^0-9]|quarantine|[a-z]{1}\.png|[a-z]{1}\.gif|[a-z]{1}\.jpg|[a-z]{1}\.jpeg|[a-z]{1}\.bmp|[a-z]{1}\.tif|[a-z]{1}\.tiff|[a-z]{1}\.exif|comspec)/ OR "temp \.exe"~10 OR "detected deleted"~10 OR "virus detected"~10 OR "file deleted"~10 OR "detected denied"~10 NOT /(sc\.exe|du\.exe|at\.exe)/

+(event_identifier:4698 OR event_identifier:4699 OR event_identifier:4700 OR event_identifier:4701 OR event_identifier:4702) AND /encodedcommand|encoded|noni|nop|enc|webclient|download|empire|comspec/ OR "exec bypass"~2 OR "window hidden"~2 OR "windowstyle hidden"~2 OR "ep bypass"~2 OR "reg add"~2

Grep Search System New Services, Executed Services (7045 and 7036 Event IDs)
Source Name: Service Control Manager

+(event_identifier:7045 OR event_identifier:7036) AND /([a-z]{1}\.exe|[0-9]{1,12}\.exe|psexe.*|pskill|winexe.*|wsmprovhost.*|pssdn.*|framepkg.*|mimikatz.*|mimilib\.dll|mimidrv|wce\.exe|wce service.*|wceaux.*|nmap.*|mikatz.*|cifsmalware.*|fgdump|pwdump|gsecdump|cachedump|lsadump|plink\.exe|hook\.js|g0ne|cge\.pl|commix|crackle|searchsploit|msfconsole|msfvenom|metasploit|scanner|autopwn|misfortune*|setoolkit|shellnoob|sqlmap|yersinia)/

+(event_identifier:7045 OR event_identifier:7036) AND /(scvhost\.exe|scp\.exe|ssh\.exe|sshd\.exe|ping\.exe|ipconfig|cmd\.exe \/c|\\pipe\\|\.ps1|mim\.exe|ps\.exe|tmp\.vbs|tmp1\.vbs|samsam\.exe|del\.exe|selfdel\.exe|delfiletype\.exe|trojan|[0-9]{1,5}\.exe|[a-z]{1}\.exe|\.psd1|\.psm1|netinfo\.exe|regsvr32\.exe|xcopy\.exe|dumpcap\.exe|wireshark\.exe|route\.exe|cleanup|[0-9a-zA-Z\+=]{40,100})/ NOT /(sc\.exe|du\.exe|at\.exe)/

+(event_identifier:7045 OR event_identifier:7036) AND /(portqry\.exe|\winpcap.*|eventvwr\.exe|taskkill\.exe|security risk found|7za\.exe|rar\.exe|\/\.\%|\/[a-z]{50}[^0-9]|quarantine|[a-z]{1}\.png|[a-z]{1}\.gif|[a-z]{1}\.jpg|[a-z]{1}\.jpeg|[a-z]{1}\.bmp|[a-z]{1}\.tif|[a-z]{1}\.tiff|[a-z]{1}\.exif|comspec)/ OR "temp \.exe"~10 OR "detected deleted"~10 OR "virus detected"~10 OR "file deleted"~10 OR "detected denied"~10 NOT /(sc\.exe|du\.exe|at\.exe)/

+(event_identifier:7045 OR event_identifier:7036) AND /encodedcommand|encoded|noni|nop|enc|webclient|download|empire|comspec/ OR "exec bypass"~2 OR "window hidden"~2 OR "windowstyle hidden"~2 OR "ep bypass"~2 OR "reg add"~2

+(event_identifier:7045 OR event_identifier:7036) AND "del temp"~10 OR "q echo"~10 OR "c echo"~10 OR "cmd\.exe \/c"~1 OR "noP enc"~10

+(event_identifier:7045 OR event_identifier:7036) AND /(quanser40\.exe|kprocesshacker\.sys|processhacker\.exe|peview\.exe|nc share v\.2\.exe|pchunter64\.exe|ph\.exe|wincdemu-4\.1\.exe|raevomx.exe|webbrwoserpassview\.exe|pspv\.exe|passwordfox\.exe|mailpv\.exe|dialupass\.exe|bulletspassview64\.exe|mimkatz\.exe|wirelesskeyview64\.exe|wirelesskeyview\.exe|operapassview\.exe|vncpassview\.exe|routerpassview\.exe|sniffpass\.exe|rdpv\.exe|pstpassword\.exe|passwordfox64\.exe|netpass64\.exe|mimilib\.dll|mimidrv\.sys|defendercontrol\.exe|expressvpn.*|pchunter64\.exe|kportscan3\.exe|nlbrute.*|netpass\.exe|mspass\.exe|iepv\.exe|bulletspassview\.exe|chromepass\.exe|mimilove\.exe|86\.exe|64\.exe|processhacker\.exe|peview\.exe|kprocesshacker\.sys|quanser50\.exe|cmdkey\.exe)/

Grep Search System AntiMalware (1116,1117,1011 Event IDs)
Source Name: Service Control Manager

+(event_identifier:1116 OR event_identifier:1117 OR event_identifier:1011)

AppCompatCache (Review Entries for Suspicious Naming Conventions)
Source Long: AppCompatCache Registry Entry

NOT /(cmd\.exe|arp\.exe|java\.exe|sc\.exe|conhost\.exe|wmiprvse\.exe|netstat\.exe|updatetrustedsites\.exe|mode\.com|taskhostw\.exe|wermgr\.exe|taniumclient\.exe|wevtutil\.exe|snmp\.exe|apphostregistrationverifier\.exe|net1\.exe|trustedinstaller\.exe|compattelrunner\.exe|devicecensus\.exe|installagent\.exe|wsqmcons\.exe|ielowutil\.exe|usoclient\.exe|backgroundtaskhost\.exe|policyhost\.exe|msfeedssync\.exe|ccmeval\.exe|ccmsetup\.exe|wmiapsrv\.exe|weffault\.exe|sppsvc\.exe|\\windows\\system32\\svchost\.exe|dllhost\.exe|slui\.exe|sihclient\.exe|symerr\.exe|smss\.exe|csrss\.exe|winlogon\.exe|logonui\.exe|dwm\.exe|tstheme\.exe|rdpclip\.exe|atbroker\.exe|werfault\.exe|chcp\.com|wrapper-windows-x86-64\.exe|wmi_collector\.exe|powershell\.exe|mpsigstub\.exe|am_delta_patch_*|mpcmdrun\.exe|msmpeng\.exe|emet_agent\.exe|mcbuilder\.exe|msdtc\.exe|autochk\.exe|wininit\.exe|services\.exe|lsass\.exe|lpremove\.exe|bcdedit\.exe|mofcomp\.exe|coregen\.exe|msiexec\.exe|ngen\.exe|smsswd\.exe|rundll32\.exe|oobeldr\.exe|utilman\.exe|w32tm\.exe|tsprogressui\.exe|dismhost\.exe|grpconv\.exe|wowreg32\.exe|musnotificationux\.exe|poqexec\.exe|sccmrdpsystem\.exe|vmwareresolutionset\.exe|ramgmtui\.exe|scnotification\.exe|sctoastnotification\.exe|isccisco5\.exe|taskhost\.exe|taskeng\.exe|googleupdate\.exe|w3wp\.exe|ceipdata\.exe|ceiprole\.exe|aitagent\.exe|mpnotify\.exe|servermanagerlauncher\.exe|drvinst\.exe|iissetup\.exe|ie4uinit\.exe|consent\.exe|mscorsvw\.exe|setspn\.exe|vds\.exe|net\.exe|cscript\.exe|taskkill\.exe|taskhostex\.exe|ngentask\.exe|makecab\.exe|tzsync\.exe|defrag\.exe|vssvc\.exe|vdsldr\.exe|tiworker\.exe|schtasks\.exe|gpscript\.exe|spoolsv\.exe|wscript\.exe|vmtoolsd\.exe|cmrcservice\.exe|wmiadap\.exe|netcfg\.exe|tanium client|cvtres\.exe|zip\.exe|hostname\.exe|netsh\.exe|momperfsnapshothelper\.exe|cslogagent\.exe|splunk|monitoringhost\.exe|mcdatrep.exe|ruby\.exe|wmic\.exe|tasklist\.exe|mcscript_inuse\.exe|vbc\.exe|findstr\.exe|secedit\.exe|wsmprovhost\.exe|iisconfig\.exe|googlecrashhandler64\.exe|visualstudioremotedeployer\.exe|amupdate\.exe|appcmd\.exe|csc\.exe|macomserver\.exe|lcmgr_x64\.exe|auditpol\.exe|userinit\.exe|explorer\.exe|updaterui\.exe|bginfo\.exe|notepad\.exe|whoami\.exe|dotnet\.exe|runonce\.exe|inetmgr\.exe|svchost\.exe|winmgmt\.exe|ddna\.exe|fdpro\.exe|mrt\.exe|powercfg\.exe|tracelogsm\.exe|entvutil\.exe|mcscancheck\.exe|reg\.exe|vtpinfo\.exe|identify\.exe|perl\.exe|sppextcomobj\.exe|taskmgr\.exe|filebeat\.exe|metricbeat\.exe|mfefire\.exe|mcshield\.exes|splunk\.exe|splunkd\.exe|btool\.exe|wlrmdr\.exe|servermanager\.exe|gup\.exe|robocopy\.exe|shstat\.exe|mmc\.exe|jusched\.exe|pdfinfo\.exe|convert\.exe|mogrify\.exe|odl_rotatelogs\.exe|healthservice\.exe|mfecanary\.exe|mfehcs\.exe|mfeesp\.exe|ccmexec\.exe|adrci\.exe|mfemactl\.exe|macompatsvc\.exe|masvc\.exe|pferemediation\.exe|mfemms\.exe|essmsh\.exe|mcshield\.exe|apache\.exe|7z\.exe|opmn\.exe|arswww\.cgi|setup\.exe)/ NOT googlecrashhandler64\.exe
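
The 4688 exclusion query earlier and this AppCompatCache one are each a single allowlist regex, which is why the page warns against running it across more than one indexed host. The Python below is an added example, not code from the page, Skadi or CDQR: it keeps the allowlist as a set of lowercased basenames and applies the naming checks the queries express as patterns (single-letter or numeric executable names, known tool names, `scvhost.exe`-style look-alikes, and the exclusion list's pinning of `svchost.exe` to `\Windows\System32`), plus the user-writable or staging locations that the Task Scheduler terms later on the page name (`appdata`, `users`, `programdata`, `recycle.bin`). The allowlist here is a short subset and the sample paths are constructed.

```python
import re
from pathlib import PureWindowsPath

# Subset of the exclusion regex above, kept as a set of lowercased basenames:
# a set lookup costs the same for one host or a thousand.
ALLOWLIST = {
    "cmd.exe", "conhost.exe", "wmiprvse.exe", "taskhostw.exe", "dllhost.exe",
    "smss.exe", "csrss.exe", "winlogon.exe", "lsass.exe", "services.exe",
    "wininit.exe", "explorer.exe", "rundll32.exe", "msiexec.exe",
    "powershell.exe", "svchost.exe",
}

# Names the queries flag wherever they run (psexe.*, mimikatz.*, scvhost.exe ...).
TOOL_NAMES = re.compile(
    r"^(psexe.*|pskill.*|winexe.*|mimikatz.*|mimilib\.dll|mimidrv.*|wce\.exe|"
    r"wceaux.*|nmap.*|fgdump.*|pwdump.*|gsecdump.*|cachedump.*|lsadump.*|"
    r"plink\.exe|scvhost\.exe)$")

# The page's [a-z]{1}\.exe and [0-9]{1,12}\.exe naming checks.
SHORT_NAME = re.compile(r"^([a-z]|[0-9]{1,12})\.exe$")

# User-writable or staging locations (the appdata/users/programdata/recycle.bin
# proximity terms on the page, plus Temp directories).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\",
                 "\\$recycle.bin\\", "\\temp\\")

# Constructed sample paths, as NewProcessName (4688) or AppCompatCache entries
# would record them; not taken from a real system.
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\conhost.exe",
    r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
    r"C:\ProgramData\a.exe",
    r"C:\Windows\Temp\12345.exe",
    r"C:\Tools\PsExec.exe",
    r"C:\Program Files\Vendor\agent.exe",
]


def triage_path(path):
    """Reasons a process or AppCompatCache path deserves a look; [] if none."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    full = str(p).lower()
    reasons = []
    if TOOL_NAMES.match(name):
        reasons.append("known-tool name")
    if SHORT_NAME.match(name):
        reasons.append("single-letter or numeric name")
    # The exclusion list pins svchost.exe to \Windows\System32; the same name
    # anywhere else is a look-alike, not the service host.
    if name == "svchost.exe" and not full.startswith("c:\\windows\\system32\\"):
        reasons.append("system binary name outside System32")
    if name.endswith(".exe") and any(d in full for d in USER_WRITABLE):
        reasons.append("executable in user-writable location")
    # Fall back to the allowlist only when nothing above fired, so an
    # allowlisted name in the wrong place is still reported.
    if not reasons and name not in ALLOWLIST:
        reasons.append("not on allowlist")
    return reasons


def triage(paths):
    """Map each path that raised at least one reason to its reasons."""
    return {path: reasons for path in paths if (reasons := triage_path(path))}


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_PATHS).items():
        print(f"{path}: {', '.join(reasons)}")
```

The ordering matters: the naming and location checks run before the allowlist lookup, so `svchost.exe` under a user's Temp directory is reported for two reasons rather than silently passing because its basename is allowlisted.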

Terminal Services Operational Event Log - (21 and 25 Event IDs)
Source Name: Microsoft-Windows-TerminalServices-LocalSessionManager

+(event_identifier:21 OR event_identifier:25) NOT /(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.16\.[0-9]{1,3}\.[0-9]{1,3}|172\.17\.[0-9]{1,3}\.[0-9]{1,3}|172\.18\.[0-9]{1,3}\.[0-9]{1,3}|172\.19\.[0-9]{1,3}\.[0-9]{1,3}|172\.20\.[0-9]{1,3}\.[0-9]{1,3}|172\.21\.[0-9]{1,3}\.[0-9]{1,3}|172\.22\.[0-9]{1,3}\.[0-9]{1,3}|172\.23\.[0-9]{1,3}\.[0-9]{1,3}|172\.24\.[0-9]{1,3}\.[0-9]{1,3}|172\.25\.[0-9]{1,3}\.[0-9]{1,3}|172\.26\.[0-9]{1,3}\.[0-9]{1,3}|172\.27\.[0-9]{1,3}\.[0-9]{1,3}|172\.28\.[0-9]{1,3}\.[0-9]{1,3}|172\.29\.[0-9]{1,3}\.[0-9]{1,3}|172\.30\.[0-9]{1,3}\.[0-9]{1,3}|127\.0\.0\.1|172\.31\.[0-9]{1,3}\.[0-9]{1,3}|local|fe80)/ AND /[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/

Terminal Services Remote Connection Manager Event Log - (1149 Event ID) (Initiated Incoming Connections - Does NOT indicate Successful Logon!)
Source Name: Microsoft-Windows-TerminalServices-RemoteConnectionManager (Event ID 1149 is very valuable: it gives you the means to spot failed logins or brute-force login attempts even if auditing of failed logins was not enabled.)

+(event_identifier:1149) NOT /(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.16\.[0-9]{1,3}\.[0-9]{1,3}|172\.17\.[0-9]{1,3}\.[0-9]{1,3}|172\.18\.[0-9]{1,3}\.[0-9]{1,3}|172\.19\.[0-9]{1,3}\.[0-9]{1,3}|172\.20\.[0-9]{1,3}\.[0-9]{1,3}|172\.21\.[0-9]{1,3}\.[0-9]{1,3}|172\.22\.[0-9]{1,3}\.[0-9]{1,3}|172\.23\.[0-9]{1,3}\.[0-9]{1,3}|172\.24\.[0-9]{1,3}\.[0-9]{1,3}|172\.25\.[0-9]{1,3}\.[0-9]{1,3}|172\.26\.[0-9]{1,3}\.[0-9]{1,3}|172\.27\.[0-9]{1,3}\.[0-9]{1,3}|172\.28\.[0-9]{1,3}\.[0-9]{1,3}|172\.29\.[0-9]{1,3}\.[0-9]{1,3}|172\.30\.[0-9]{1,3}\.[0-9]{1,3}|127\.0\.0\.1|172\.31\.[0-9]{1,3}\.[0-9]{1,3}|local|fe80)/ AND /[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/

Microsoft Windows Terminal Services RDP Client Operational Event Log - (1024 Event ID) (Initiated Outgoing Connections)
Source Name: Microsoft-Windows-TerminalServices-ClientActiveXCore
253
254+(event_identifier:1024) NOT /(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.16\.[0-9]{1,3}\.[0-9]{1,3}|172\.17\.[0-9]{1,3}\.[0-9]{1,3}|172\.18\.[0-9]{1,3}\.[0-9]{1,3}|172\.19\.[0-9]{1,3}\.[0-9]{1,3}|172\.20\.[0-9]{1,3}\.[0-9]{1,3}|172\.21\.[0-9]{1,3}\.[0-9]{1,3}|172\.22\.[0-9]{1,3}\.[0-9]{1,3}|172\.23\.[0-9]{1,3}\.[0-9]{1,3}|172\.24\.[0-9]{1,3}\.[0-9]{1,3}|172\.25\.[0-9]{1,3}\.[0-9]{1,3}|172\.26\.[0-9]{1,3}\.[0-9]{1,3}|172\.27\.[0-9]{1,3}\.[0-9]{1,3}|172\.28\.[0-9]{1,3}\.[0-9]{1,3}|172\.29\.[0-9]{1,3}\.[0-9]{1,3}|172\.30\.[0-9]{1,3}\.[0-9]{1,3}|127\.0\.0\.1|172\.31\.[0-9]{1,3}\.[0-9]{1,3}|local|fe80)/ AND /[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/
255
256Microsoft-Windows-RemoteDesktopServices-RDPCoreTS Operational - (Event IDs 131 and 102) (Accepting and Disconnecting TCP Connections)
257Source Name: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS (Event ID 131 - This occurs prior to authentication like Event ID 1149 and while there is no workstation name or user account associated with this log entry, it does provide the connecting IP.)
258
259+(event_identifier:131 OR event_identifier:102) NOT /(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.16\.[0-9]{1,3}\.[0-9]{1,3}|172\.17\.[0-9]{1,3}\.[0-9]{1,3}|172\.18\.[0-9]{1,3}\.[0-9]{1,3}|172\.19\.[0-9]{1,3}\.[0-9]{1,3}|172\.20\.[0-9]{1,3}\.[0-9]{1,3}|172\.21\.[0-9]{1,3}\.[0-9]{1,3}|172\.22\.[0-9]{1,3}\.[0-9]{1,3}|172\.23\.[0-9]{1,3}\.[0-9]{1,3}|172\.24\.[0-9]{1,3}\.[0-9]{1,3}|172\.25\.[0-9]{1,3}\.[0-9]{1,3}|172\.26\.[0-9]{1,3}\.[0-9]{1,3}|172\.27\.[0-9]{1,3}\.[0-9]{1,3}|172\.28\.[0-9]{1,3}\.[0-9]{1,3}|172\.29\.[0-9]{1,3}\.[0-9]{1,3}|172\.30\.[0-9]{1,3}\.[0-9]{1,3}|127\.0\.0\.1|172\.31\.[0-9]{1,3}\.[0-9]{1,3}|local|fe80)/ AND /[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/
260
Grep Search for IPs within the Terminal Services Event Logs:

/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/

Task Scheduler Event Log - (106,107,129,140,141,200,201,602 Event IDs)
Source Name: Microsoft-Windows-TaskScheduler

106 - Registered Task
107 - Task is Scheduled to be Launched with Time Trigger
129 - Task is Launched
140 - Updated the Task
141 - Deleted Task
200 - Launched the Task
201 - Successfully Completed Task
602 - Created Task

+(xml_string:"\<EventID\>106\</EventID\>" OR xml_string:"\<EventID\>107\</EventID\>" OR xml_string:"\<EventID\>129\</EventID\>" OR xml_string:"\<EventID\>140\</EventID\>" OR xml_string:"\<EventID\>141\</EventID\>" OR xml_string:"\<EventID\>200\</EventID\>" OR xml_string:"\<EventID\>201\</EventID\>" OR xml_string:"\<EventID\>602\</EventID\>")

/(\/\.\%|\/[a-z]{50}[^0-9]|quarantine|[a-z]{1}\.png|[a-z]{1}\.gif|[a-z]{1}\.jpg|[a-z]{1}\.jpeg|[a-z]{1}\.bmp|[a-z]{1}\.tif|[a-z]{1}\.tiff|[a-z]{1}\.exif)/ OR "temp \.exe"~10 OR "temp \.bat"~10 OR "del temp"~10 OR "Q echo"~10 OR "c echo"~10 OR "detected deleted"~10 OR "virus detected"~10 OR "file deleted"~10 OR "detected denied"~10 OR "cmd\.exe \/c"~1 OR "noP enc"~10 OR "appdata \.exe"~20 OR "users \.exe"~10 OR "programdata \.exe"~10 OR "recycle.bin \.exe"~10 OR "Potentially Unwanted Program" NOT /(sc\.exe|du\.exe|at\.exe)/

Prefetch Files:
Source Long: WinPrefetch

/(quanser40\.exe|kprocesshacker\.sys|processhacker\.exe|peview\.exe|nc share v\.2\.exe|pchunter64\.exe|ph\.exe|wincdemu-4\.1\.exe|raevomx\.exe|webbrowserpassview\.exe|pspv\.exe|passwordfox\.exe|mailpv\.exe|dialupass\.exe|bulletspassview64\.exe|mimkatz\.exe|wirelesskeyview64\.exe|wirelesskeyview\.exe|operapassview\.exe|vncpassview\.exe|routerpassview\.exe|sniffpass\.exe|rdpv\.exe|pstpassword\.exe|passwordfox64\.exe|netpass64\.exe|mimilib\.dll|mimidrv\.sys|defendercontrol\.exe|expressvpn.*|kportscan3\.exe|nlbrute.*|netpass\.exe|mspass\.exe|iepv\.exe|bulletspassview\.exe|chromepass\.exe|mimilove\.exe|86\.exe|64\.exe|quanser50\.exe|cmdkey\.exe)/

/(a{1,5}\.exe|b{1,5}\.exe|c{1,5}\.exe|d{1,5}\.exe|e{1,5}\.exe|f{1,5}\.exe|g{1,5}\.exe|h{1,5}\.exe|i{1,5}\.exe|j{1,5}\.exe|k{1,5}\.exe|l{1,5}\.exe|m{1,5}\.exe|n{1,5}\.exe|o{1,5}\.exe|p{1,5}\.exe|q{1,5}\.exe|r{1,5}\.exe|s{1,5}\.exe|t{1,5}\.exe|u{1,5}\.exe|v{1,5}\.exe|w{1,5}\.exe|x{1,5}\.exe|y{1,5}\.exe|z{1,5}\.exe|bootzxqsyloyv959|scvhost\.exe|scp\.exe|ssh\.exe|sshd\.exe|ping\.exe|ipconfig|\.ps1|mim\.exe|ps\.exe|tmp\.vbs|tmp1\.vbs|samsam\.exe|del\.exe|selfdel\.exe|delfiletype\.exe|trojan|[0-9]{1,5}\.exe|[a-z]{1}\.exe|\.psd1|\.psm1|netinfo\.exe|regsvr32\.exe|xcopy\.exe|dumpcap\.exe|wireshark\.exe|route\.exe|portqry\.exe|eventvwr\.exe|taskkill\.exe|security risk found|7za\.exe|rar\.exe|[a-z]{1}\.exe|psexe.*|pskill.*|winexe.*|wsmprovhost.*|pssdn|framepkg.*|mimikatz.*|mimilib\.dll|mimidrv|wce\.exe|wce service|wceaux.*|winpcap.*|nmap.*|mikatz.*|cifsmalware.*)/ NOT /(hh\.exe)/

/([a-z]{1}\.exe|psexe.*|pskill.*|winexe.*|wsmprovhost.*|pssdn.*|framepkg.*|mimikatz.*|mimilib.*|mimidrv.*|wce.*|wceaux.*|winpcap.*|nmap.*|mikatz.*|cifsmalware.*|.*\.ryk|.*\.wnry|decrypt.*|ryuk.*|window\.bat)/

/(gentilkiwi.*|fgdump.*|pwdump.*|gsecdump.*|cachedump.*|lsadump.*|plink.*|hook.*|g0ne.*|cge.*|commix.*|crackle.*|searchsploit.*|msfconsole.*|msfvenom.*|metasploit.*|scanner.*|autopwn.*|misfortune.*|setoolkit.*|shellnoob.*|sqlmap.*|yersinia.*)/

/(svhost|scvhost\.exe|scp\.exe|ssh\.exe|sshd\.exe|ping\.exe|ipconfig|\\pipe\\|\.ps1|mim\.exe|ps\.exe|tmp\.vbs|tmp1\.vbs|samsam\.exe|del\.exe|selfdel\.exe|delfiletype\.exe|trojan|[0-9]{1,5}\.exe|[a-z]{1}\.exe|\.psd1|\.psm1|netinfo\.exe|regsvr32\.exe|xcopy\.exe|dumpcap\.exe|wireshark\.exe|route\.exe|portqry\.exe|eventvwr\.exe|taskkill\.exe|security risk found|7za\.exe|rar\.exe)/

/(a{1,5}\.exe|b{1,5}\.exe|c{1,5}\.exe|d{1,5}\.exe|e{1,5}\.exe|f{1,5}\.exe|g{1,5}\.exe|h{1,5}\.exe|i{1,5}\.exe|j{1,5}\.exe|k{1,5}\.exe|l{1,5}\.exe|m{1,5}\.exe|n{1,5}\.exe|o{1,5}\.exe|p{1,5}\.exe|q{1,5}\.exe|r{1,5}\.exe|s{1,5}\.exe|t{1,5}\.exe|u{1,5}\.exe|v{1,5}\.exe|w{1,5}\.exe|x{1,5}\.exe|y{1,5}\.exe|z{1,5}\.exe|comspec)/ NOT /(hh\.exe)/ OR "programdata tasksche\.exe"~10

Master File Table (MFT)
(Please filter on name "exists" with name:* and add name to the Display Column.)

Source Long: NTFS Creation Time

/(a{1,5}\.exe|b{1,5}\.exe|c{1,5}\.exe|d{1,5}\.exe|e{1,5}\.exe|f{1,5}\.exe|g{1,5}\.exe|h{1,5}\.exe|i{1,5}\.exe|j{1,5}\.exe|k{1,5}\.exe|l{1,5}\.exe|m{1,5}\.exe|n{1,5}\.exe|o{1,5}\.exe|p{1,5}\.exe|q{1,5}\.exe|r{1,5}\.exe|s{1,5}\.exe|t{1,5}\.exe|u{1,5}\.exe|v{1,5}\.exe|w{1,5}\.exe|x{1,5}\.exe|y{1,5}\.exe|z{1,5}\.exe|bootzxqsyloyv959|scvhost\.exe|scp\.exe|ssh\.exe|sshd\.exe|ping\.exe|ipconfig|\.ps1|mim\.exe|ps\.exe|tmp\.vbs|tmp1\.vbs|samsam\.exe|del\.exe|selfdel\.exe|delfiletype\.exe|trojan|[0-9]{1,5}\.exe|[a-z]{1}\.exe|\.psd1|\.psm1|netinfo\.exe|regsvr32\.exe|xcopy\.exe|dumpcap\.exe|wireshark\.exe|route\.exe|portqry\.exe|eventvwr\.exe|taskkill\.exe|security risk found|7za\.exe|rar\.exe|[a-z]{1}\.exe|psexe.*|pskill.*|winexe.*|wsmprovhost.*|pssdn|framepkg.*|mimikatz.*|mimilib\.dll|mimidrv|wce\.exe|wce service|wceaux.*|winpcap.*|nmap.*|mikatz.*|cifsmalware.*)/ NOT /(hh\.exe)/

/(quanser40\.exe|kprocesshacker\.sys|processhacker\.exe|peview\.exe|nc share v\.2\.exe|pchunter64\.exe|ph\.exe|wincdemu-4\.1\.exe|raevomx\.exe|webbrowserpassview\.exe|pspv\.exe|passwordfox\.exe|mailpv\.exe|dialupass\.exe|bulletspassview64\.exe|mimkatz\.exe|wirelesskeyview64\.exe|wirelesskeyview\.exe|operapassview\.exe|vncpassview\.exe|routerpassview\.exe|sniffpass\.exe|rdpv\.exe|pstpassword\.exe|passwordfox64\.exe|netpass64\.exe|mimilib\.dll|mimidrv\.sys|defendercontrol\.exe|expressvpn.*|kportscan3\.exe|nlbrute.*|netpass\.exe|mspass\.exe|iepv\.exe|bulletspassview\.exe|chromepass\.exe|mimilove\.exe|86\.exe|64\.exe|quanser50\.exe|cmdkey\.exe)/

Source Long: NTFS Metadata Modification Time

/(a{1,5}\.exe|b{1,5}\.exe|c{1,5}\.exe|d{1,5}\.exe|e{1,5}\.exe|f{1,5}\.exe|g{1,5}\.exe|h{1,5}\.exe|i{1,5}\.exe|j{1,5}\.exe|k{1,5}\.exe|l{1,5}\.exe|m{1,5}\.exe|n{1,5}\.exe|o{1,5}\.exe|p{1,5}\.exe|q{1,5}\.exe|r{1,5}\.exe|s{1,5}\.exe|t{1,5}\.exe|u{1,5}\.exe|v{1,5}\.exe|w{1,5}\.exe|x{1,5}\.exe|y{1,5}\.exe|z{1,5}\.exe|bootzxqsyloyv959|scvhost\.exe|scp\.exe|ssh\.exe|sshd\.exe|ping\.exe|ipconfig|\.ps1|mim\.exe|ps\.exe|tmp\.vbs|tmp1\.vbs|samsam\.exe|del\.exe|selfdel\.exe|delfiletype\.exe|trojan|[0-9]{1,5}\.exe|[a-z]{1}\.exe|\.psd1|\.psm1|netinfo\.exe|regsvr32\.exe|xcopy\.exe|dumpcap\.exe|wireshark\.exe|route\.exe|portqry\.exe|eventvwr\.exe|taskkill\.exe|security risk found|7za\.exe|rar\.exe|[a-z]{1}\.exe|psexe.*|pskill.*|winexe.*|wsmprovhost.*|pssdn|framepkg.*|mimikatz.*|mimilib\.dll|mimidrv|wce\.exe|wce service|wceaux.*|winpcap.*|nmap.*|mikatz.*|cifsmalware.*)/ NOT /(hh\.exe)/

Source Long: NTFS Content Modification Time

/(a{1,5}\.exe|b{1,5}\.exe|c{1,5}\.exe|d{1,5}\.exe|e{1,5}\.exe|f{1,5}\.exe|g{1,5}\.exe|h{1,5}\.exe|i{1,5}\.exe|j{1,5}\.exe|k{1,5}\.exe|l{1,5}\.exe|m{1,5}\.exe|n{1,5}\.exe|o{1,5}\.exe|p{1,5}\.exe|q{1,5}\.exe|r{1,5}\.exe|s{1,5}\.exe|t{1,5}\.exe|u{1,5}\.exe|v{1,5}\.exe|w{1,5}\.exe|x{1,5}\.exe|y{1,5}\.exe|z{1,5}\.exe|bootzxqsyloyv959|scvhost\.exe|scp\.exe|ssh\.exe|sshd\.exe|ping\.exe|ipconfig|\.ps1|mim\.exe|ps\.exe|tmp\.vbs|tmp1\.vbs|samsam\.exe|del\.exe|selfdel\.exe|delfiletype\.exe|trojan|[0-9]{1,5}\.exe|[a-z]{1}\.exe|\.psd1|\.psm1|netinfo\.exe|regsvr32\.exe|xcopy\.exe|dumpcap\.exe|wireshark\.exe|route\.exe|portqry\.exe|eventvwr\.exe|taskkill\.exe|security risk found|7za\.exe|rar\.exe|[a-z]{1}\.exe|psexe.*|pskill.*|winexe.*|wsmprovhost.*|pssdn|framepkg.*|mimikatz.*|mimilib\.dll|mimidrv|wce\.exe|wce service|wceaux.*|winpcap.*|nmap.*|mikatz.*|cifsmalware.*)/ NOT /(hh\.exe)/

Source Long: NTFS Last Access Time

/(a{1,5}\.exe|b{1,5}\.exe|c{1,5}\.exe|d{1,5}\.exe|e{1,5}\.exe|f{1,5}\.exe|g{1,5}\.exe|h{1,5}\.exe|i{1,5}\.exe|j{1,5}\.exe|k{1,5}\.exe|l{1,5}\.exe|m{1,5}\.exe|n{1,5}\.exe|o{1,5}\.exe|p{1,5}\.exe|q{1,5}\.exe|r{1,5}\.exe|s{1,5}\.exe|t{1,5}\.exe|u{1,5}\.exe|v{1,5}\.exe|w{1,5}\.exe|x{1,5}\.exe|y{1,5}\.exe|z{1,5}\.exe|bootzxqsyloyv959|scvhost\.exe|scp\.exe|ssh\.exe|sshd\.exe|ping\.exe|ipconfig|\.ps1|mim\.exe|ps\.exe|tmp\.vbs|tmp1\.vbs|samsam\.exe|del\.exe|selfdel\.exe|delfiletype\.exe|trojan|[0-9]{1,5}\.exe|[a-z]{1}\.exe|\.psd1|\.psm1|netinfo\.exe|regsvr32\.exe|xcopy\.exe|dumpcap\.exe|wireshark\.exe|route\.exe|portqry\.exe|eventvwr\.exe|taskkill\.exe|security risk found|7za\.exe|rar\.exe|[a-z]{1}\.exe|psexe.*|pskill.*|winexe.*|wsmprovhost.*|pssdn|framepkg.*|mimikatz.*|mimilib\.dll|mimidrv|wce\.exe|wce service|wceaux.*|winpcap.*|nmap.*|mikatz.*|cifsmalware.*)/ NOT /(hh\.exe)/

General Grep Search:

/([a-z]{1}\.exe|psexe.*|pskill.*|winexe.*|wsmprovhost.*|pssdn|framepkg.*|mimikatz.*|mimilib\.dll|mimidrv|wce\.exe|wce service|wceaux.*|winpcap.*|nmap.*|mikatz.*|cifsmalware.*|.*\.ryk|.*\.wnry|decrypt\.txt|ryukreadme\.txt|window\.bat)/

/(gentilkiwi|fgdump|pwdump|gsecdump|cachedump|lsadump|plink\.exe|hook\.js|g0ne|cge\.pl|commix|crackle|searchsploit|msfconsole|msfvenom|metasploit|scanner|autopwn|misfortune.*|setoolkit|shellnoob|sqlmap|yersinia)/

/(svhost|scvhost\.exe|scp\.exe|ssh\.exe|sshd\.exe|ping\.exe|ipconfig|\\pipe\\|\.ps1|mim\.exe|ps\.exe|tmp\.vbs|tmp1\.vbs|samsam\.exe|del\.exe|selfdel\.exe|delfiletype\.exe|trojan|[0-9]{1,5}\.exe|[a-z]{1}\.exe|\.psd1|\.psm1|netinfo\.exe|regsvr32\.exe|xcopy\.exe|dumpcap\.exe|wireshark\.exe|route\.exe|portqry\.exe|eventvwr\.exe|taskkill\.exe|security risk found|7za\.exe|rar\.exe)/

/(\/\.\%|\/[a-z]{50}[^0-9]|quarantine|[a-z]{1}\.png|[a-z]{1}\.gif|[a-z]{1}\.jpg|[a-z]{1}\.jpeg|[a-z]{1}\.bmp|[a-z]{1}\.tif|[a-z]{1}\.tiff|[a-z]{1}\.exif)/ OR "temp \.exe"~10 OR "temp \.bat"~10 OR "del temp"~10 OR "Q echo"~10 OR "c echo"~10 OR "detected deleted"~10 OR "virus detected"~10 OR "file deleted"~10 OR "detected denied"~10 OR "cmd\.exe \/c"~1 OR "noP enc"~10 OR "appdata \.exe"~20 OR "users \.exe"~10 OR "programdata \.exe"~10 OR "recycle.bin \.exe"~10 OR "Potentially Unwanted Program" NOT /(sc\.exe|du\.exe|at\.exe)/

/(a{1,5}\.exe|b{1,5}\.exe|c{1,5}\.exe|d{1,5}\.exe|e{1,5}\.exe|f{1,5}\.exe|g{1,5}\.exe|h{1,5}\.exe|i{1,5}\.exe|j{1,5}\.exe|k{1,5}\.exe|l{1,5}\.exe|m{1,5}\.exe|n{1,5}\.exe|o{1,5}\.exe|p{1,5}\.exe|q{1,5}\.exe|r{1,5}\.exe|s{1,5}\.exe|t{1,5}\.exe|u{1,5}\.exe|v{1,5}\.exe|w{1,5}\.exe|x{1,5}\.exe|y{1,5}\.exe|z{1,5}\.exe|comspec)/ NOT /(hh\.exe)/ OR "programdata tasksche\.exe"~10

+name:(/[^a-z0-9\-]ps[^a-z0-9\-]/ OR /[^a-z0-9\-]a[^a-z0-9\-]/ OR /[^a-z0-9\-]b[^a-z0-9\-]/ OR /[^a-z0-9\-]c[^a-z0-9\-]/ OR /[^a-z0-9\-]d[^a-z0-9\-]/ OR /[^a-z0-9\-]e[^a-z0-9\-]/ OR /[^a-z0-9\-]f[^a-z0-9\-]/ OR /[^a-z0-9\-]g[^a-z0-9\-]/ OR /[^a-z0-9\-]h[^a-z0-9\-]/ OR /[^a-z0-9\-]i[^a-z0-9\-]/ OR /[^a-z0-9\-]j[^a-z0-9\-]/ OR /[^a-z0-9\-]k[^a-z0-9\-]/ OR /[^a-z0-9\-]l[^a-z0-9\-]/ OR /[^a-z0-9\-]m[^a-z0-9\-]/ OR /[^a-z0-9\-]n[^a-z0-9\-]/ OR /[^a-z0-9\-]o[^a-z0-9\-]/ OR /[^a-z0-9\-]p[^a-z0-9\-]/ OR /[^a-z0-9\-]q[^a-z0-9\-]/ OR /[^a-z0-9\-]r[^a-z0-9\-]/ OR /[^a-z0-9\-]s[^a-z0-9\-]/ OR /[^a-z0-9\-]t[^a-z0-9\-]/ OR /[^a-z0-9\-]u[^a-z0-9\-]/ OR /[^a-z0-9\-]v[^a-z0-9\-]/ OR /[^a-z0-9\-]w[^a-z0-9\-]/ OR /[^a-z0-9\-]x[^a-z0-9\-]/ OR /[^a-z0-9\-]y[^a-z0-9\-]/ OR /[^a-z0-9\-]z[^a-z0-9\-]/ OR mof OR rar OR bat OR job OR zip OR 7z OR tar OR tgz)

"cmd\.exe echo"~2 OR "cmd echo"~2 OR "cmd certutil\.exe"~2 OR "cmd\.exe certutil\.exe"~2 OR "cmd powershell\.exe"~2 OR "cmd\.exe powershell\.exe"~2 OR "cmd\.exe \/c"~2 OR "cmd \/c"~1

/(wget http:\/\/|wget https:\/\/ beasvc\.exe executes|https:\/\/pastebin\.com|downloadstring|-outfile |start-sleep|net\.webclient)/

/(quanser40\.exe|kprocesshacker\.sys|processhacker\.exe|peview\.exe|nc share v\.2\.exe|pchunter64\.exe|ph\.exe|wincdemu-4\.1\.exe|raevomx\.exe|webbrowserpassview\.exe|pspv\.exe|passwordfox\.exe|mailpv\.exe|dialupass\.exe|bulletspassview64\.exe|mimkatz\.exe|wirelesskeyview64\.exe|wirelesskeyview\.exe|operapassview\.exe|vncpassview\.exe|routerpassview\.exe|sniffpass\.exe|rdpv\.exe|pstpassword\.exe|passwordfox64\.exe|netpass64\.exe|mimilib\.dll|mimidrv\.sys|defendercontrol\.exe|expressvpn.*|kportscan3\.exe|nlbrute.*|netpass\.exe|mspass\.exe|iepv\.exe|bulletspassview\.exe|chromepass\.exe|mimilove\.exe|86\.exe|64\.exe|quanser50\.exe|cmdkey\.exe)/

/(wod28\(1\)\.exe|W28LX\.exe|systeminfo64|pwgrab64|dpost|importDll64|grabber_temp\.INTEG\.RAW|networkDll64|NewBCtestnDll64|mwormDll64|mshareDll64|tabDll64)/

/(importDll64|settings\.ini|bcconfig3|wod28\.exe|jlaunch\.exe|stsvc\.exe|wmd26\(1\)\.exe|wmd261\.exe|jnaupch\.exe|utuvc\.exe|tWueiMA\.exe|W26JX\.exe|urdateuetur\.exe|W28LX\.exe|updatesetup\.exe|glvpo\.exe|udpvidy\.exe)/

/(wod29\.exe|glvpo\.exe|jlaunch\.exe|jnaupch\.exe|utuvc\.exe|stsvc\.exe|udPVlDY\.exe|lgwgf4lrucfcaa_vo6bqb08eo1nja1f4d_h2dnradrkw11hvguuphvk__7sg7rwb\.exe|utdateuetut\.exe)/

Grep Search SysInternals Tools (each pattern below is one continuous regex; it is split across lines here only for readability):

/(accesschk64\.exe|accesschk\.exe|accessenum\.exe|adexplorer\.chm|adexplorer\.exe|adinsight\.chm|adinsight\.exe|adrestore\.exe|autologon\.exe|autoruns64\.exe|
autorunsc64\.exe|autorunsc\.exe|autoruns\.chm|Autoruns\.exe|bginfo\.exe|bginfo64\.exe|cacheset\.exe|clockres64\.exe|clockres\.exe|contig64\.exe|
contig\.exe|coreinfo\.exe|ctrl2cap\.amd\.sys|ctrl2cap\.exe|ctrl2cap\.nt4\.sys|ctrl2cap\.nt5\.sys|dbgview\.chm|dbgview\.exe|Desktops\.exe|disk2vhd\.chm|
disk2vhd\.exe|diskext64\.exe|diskext\.exe|diskmon\.exe|diskmon\.hlp|diskview\.exe|dmon\.sys|du64\.exe|du\.exe|efsdump\.exe|eula\.txt|Files\.txt|
findLinks64\.exe|findLinks\.exe|handle64\.exe|handle\.exe|hex2dec64\.exe|hex2dec\.exe|junction64\.exe|junction\.exe|ldmdump\.exe|listdlls64\.exe|
listdlls\.exe|livekd64\.exe|livekd\.exe|LoadOrd64\.exe|loadOrdC64\.exe|loadordc\.exe|loadord\.exe|logonsessions64\.exe|logonsessions\.exe)/

/(movefile64\.exe|movefile\.exe|notmyfault64\.exe|notmyfaultc64\.exe|notmyfaultc\.exe|notmyfault\.exe|ntfsinfo64\.exe|ntfsinfo\.exe|pagedfrg\.exe|
pagedfrg\.hlp|pendmoves64\.exe|pendmoves\.exe|pipelist64\.exe|pipelist\.exe|portmon\.cnt|portmon\.exe|portmon\.hlp|procdump64\.exe|procdump\.exe|
procexp64\.exe|procexp\.chm|procexp\.exe|procmon\.chm|procmon\.exe|psexec64\.exe|psexec\.exe|psfile64\.exe|psfile\.exe|psgetsid64\.exe|psgetsid\.exe|
psinfo64\.exe|psinfo\.exe|pskill64\.exe|pskill\.exe|pslist64\.exe|pslist\.exe|psloggedon64\.exe|psloggedon\.exe|psloglist\.exe|pspasswd64\.exe|
pspasswd\.exe|psping64\.exe|psping\.exe|psservice64\.exe|psservice\.exe|psshutdown\.exe|pssuspend64\.exe|pssuspend\.exe|pstools\.chm|psversion\.txt|
rammap\.exe|readme\.txt|regdelnull64\.exe|regdelnull\.exe|regjump\.exe|rootkitrevealer\.chm|rootkitrevealer\.exe|ru64\.exe|ru\.exe|sdelete64\.exe|
sdelete\.exe|shareEnum\.exe|shellrunas\.exe|sigcheck64\.exe|sigcheck\.exe|streams64\.exe|streams\.exe|strings64\.exe|strings\.exe|sync64\.exe|
sysmon64\.exe|sysmon\.exe|tcpvcon\.exe|tcpview\.chm|tcpview\.exe|tcpview\.hlp|testlimit64\.exe|testlimit\.exe|vmmap\.chm|vmmap\.exe|volumeid64\.exe|
volumeid\.exe|whois64\.exe|whois\.exe|winobj\.exe|winobj\.hlp|zoomit\.exe|cygwin)/

Grep Search Cleared Event Logs:
None

+(event_identifier:1102 OR event_identifier:104 OR event_identifier:517)

Grep Search Scanners:

/(nessus|openvas|qualys|netspi)/

Search Passwords:

logonpassword=
password=
pass=

Application Event Logs
display_name: Application.evtx

1033 - Installation completed (With success/failure status)
1034 - Application removal completed (with success/failure status)
11707 - Installation completed successfully
11708 - Installation operation failed
11724 - Application removal completed successfully

+(event_identifier:1033 OR event_identifier:1034 OR event_identifier:11707 OR event_identifier:11708 OR event_identifier:11724) NOT (enableapi OR configuration)

Grep Search Application Symantec (51 Event ID)
Source Name: Symantec AntiVirus

+(event_identifier:51)

Grep Search Application McAfee (3 and 258 Event IDs)
Source Name: McAfee Endpoint Security

+(event_identifier:3 OR event_identifier:258) AND (xml_string:"\<Data\>EventID=1024" OR xml_string:"\<Data\>EventID=1025" OR xml_string:"\<Data\>EventID=1027" OR xml_string:"\<Data\>EventID=1280" OR xml_string:"\<Data\>EventID=1092")

Grep Search ASP Errors (1309,1310,1314,1315,1316 Event IDs)
None

(event_identifier:1309 OR event_identifier:1310 OR event_identifier:1314 OR event_identifier:1315 OR event_identifier:1316)

Windows Defender Event Log (1116, 1117, and 1011 Event IDs)
Source Name: Microsoft-Windows-Windows Defender

+(event_identifier:1116 OR event_identifier:1117 OR event_identifier:1011)

Domain Controller Granted Authentication (External Internet IPs) (Event ID 4768)
Source Name: Microsoft-Windows-Security-Auditing

+(event_identifier:4768) AND (xml_string:"\<Data Name=\"Status\"\>0x00000000\</Data\>") NOT /(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.16\.[0-9]{1,3}\.[0-9]{1,3}|172\.17\.[0-9]{1,3}\.[0-9]{1,3}|172\.18\.[0-9]{1,3}\.[0-9]{1,3}|172\.19\.[0-9]{1,3}\.[0-9]{1,3}|172\.20\.[0-9]{1,3}\.[0-9]{1,3}|172\.21\.[0-9]{1,3}\.[0-9]{1,3}|172\.22\.[0-9]{1,3}\.[0-9]{1,3}|172\.23\.[0-9]{1,3}\.[0-9]{1,3}|172\.24\.[0-9]{1,3}\.[0-9]{1,3}|172\.25\.[0-9]{1,3}\.[0-9]{1,3}|172\.26\.[0-9]{1,3}\.[0-9]{1,3}|172\.27\.[0-9]{1,3}\.[0-9]{1,3}|172\.28\.[0-9]{1,3}\.[0-9]{1,3}|172\.29\.[0-9]{1,3}\.[0-9]{1,3}|172\.30\.[0-9]{1,3}\.[0-9]{1,3}|127\.0\.0\.1|172\.31\.[0-9]{1,3}\.[0-9]{1,3}|fe80)/ NOT (xml_string:"\<Data Name=\"IpAddress\"\>::1\</Data\>")

Domain Controller Granted Authentication Failed (External Internet IPs) (Event ID 4768)
Source Name: Microsoft-Windows-Security-Auditing

+(event_identifier:4768) NOT (xml_string:"\<Data Name=\"Status\"\>0x00000000\</Data\>" OR xml_string:"\<Data Name=\"Status\"\>0x00000017\</Data\>" OR xml_string:"\<Data Name=\"Status\"\>0x00000006\</Data\>") NOT /(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.16\.[0-9]{1,3}\.[0-9]{1,3}|172\.17\.[0-9]{1,3}\.[0-9]{1,3}|172\.18\.[0-9]{1,3}\.[0-9]{1,3}|172\.19\.[0-9]{1,3}\.[0-9]{1,3}|172\.20\.[0-9]{1,3}\.[0-9]{1,3}|172\.21\.[0-9]{1,3}\.[0-9]{1,3}|172\.22\.[0-9]{1,3}\.[0-9]{1,3}|172\.23\.[0-9]{1,3}\.[0-9]{1,3}|172\.24\.[0-9]{1,3}\.[0-9]{1,3}|172\.25\.[0-9]{1,3}\.[0-9]{1,3}|172\.26\.[0-9]{1,3}\.[0-9]{1,3}|172\.27\.[0-9]{1,3}\.[0-9]{1,3}|172\.28\.[0-9]{1,3}\.[0-9]{1,3}|172\.29\.[0-9]{1,3}\.[0-9]{1,3}|172\.30\.[0-9]{1,3}\.[0-9]{1,3}|127\.0\.0\.1|172\.31\.[0-9]{1,3}\.[0-9]{1,3}|fe80)/ NOT (xml_string:"\<Data Name=\"IpAddress\"\>::1\</Data\>")

Domain Controller Granted Authentication (Event ID 4768)
Source Name: Microsoft-Windows-Security-Auditing

+(event_identifier:4768) AND (xml_string:"\<Data Name=\"Status\"\>0x00000000\</Data\>")

Domain Controller Granted Authentication Failed (Event ID 4768)
Source Name: Microsoft-Windows-Security-Auditing

+(event_identifier:4768) NOT (xml_string:"\<Data Name=\"Status\"\>0x00000000\</Data\>" OR xml_string:"\<Data Name=\"Status\"\>0x00000017\</Data\>" OR xml_string:"\<Data Name=\"Status\"\>0x00000006\</Data\>")

Domain Controller Kerberos Ticket was Requested and Succeeded (Event ID 4769)
Source Name: Microsoft-Windows-Security-Auditing

+(event_identifier:4769) AND (xml_string:"\<Data Name=\"Status\"\>0x00000000\</Data\>")

Domain Controller Kerberos Ticket was Requested and Failed (Event ID 4769)
Source Name: Microsoft-Windows-Security-Auditing

+(event_identifier:4769) NOT (xml_string:"\<Data Name=\"Status\"\>0x00000000\</Data\>")

Domain Controller Failed Authentication (Event ID 4771)
Source Name: Microsoft-Windows-Security-Auditing

+(event_identifier:4771) NOT (xml_string:"\<Data Name=\"Status\"\>0x00000018\</Data\>")


DOMAIN CONTROLLER RESULT CODES:

Result code | Kerberos RFC description | Notes on common failure codes
0x0 | Request for Ticket was granted |
0x1 | Client's entry in database has expired |
0x2 | Server's entry in database has expired |
0x3 | Requested protocol version # not supported |
0x4 | Client's key encrypted in old master key |
0x5 | Server's key encrypted in old master key |
0x6 | Client not found in Kerberos database | Bad user name, or new computer/user account has not replicated to DC yet
0x7 | Server not found in Kerberos database | New computer account has not replicated yet or computer is pre-w2k
0x8 | Multiple principal entries in database |
0x9 | The client or server has a null key | Administrator should reset the password on the account
0xA | Ticket not eligible for postdating |
0xB | Requested start time is later than end time |
0xC | KDC policy rejects request | Workstation restriction, or Authentication Policy Silo (look for event ID 4820)
0xD | KDC cannot accommodate requested option |
0xE | KDC has no support for encryption type |
0xF | KDC has no support for checksum type |
0x10 | KDC has no support for padata type |
0x11 | KDC has no support for transited type |
0x12 | Client's credentials have been revoked | Account disabled, expired, locked out, logon hours.
0x13 | Credentials for server have been revoked |
0x14 | TGT has been revoked |
0x15 | Client not yet valid - try again later |
0x16 | Server not yet valid - try again later |
0x17 | Password has expired | The user's password has expired.
0x18 | Pre-authentication information was invalid | Usually means bad password
0x19 | Additional pre-authentication required* |
0x1F | Integrity check on decrypted field failed |
0x20 | Ticket expired | Frequently logged by computer accounts
0x21 | Ticket not yet valid |
0x22 | Request is a replay |
0x23 | The ticket isn't for us |
0x24 | Ticket and authenticator don't match |
0x25 | Clock skew too great | Workstation's clock too far out of sync with the DC's
0x26 | Incorrect net address | IP address change?
0x27 | Protocol version mismatch |
0x28 | Invalid msg type |
0x29 | Message stream modified |
0x2A | Message out of order |
0x2C | Specified version of key is not available |
0x2D | Service key not available |
0x2E | Mutual authentication failed | May be a memory allocation failure
0x2F | Incorrect message direction |
0x30 | Alternative authentication method required* |
0x31 | Incorrect sequence number in message |
0x32 | Inappropriate type of checksum in message |
0x3C | Generic error (description in e-text) |
0x3D | Field is too long for this implementation |
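The private-IP exclusion shared by the Terminal Services (1149/1024/131) and Domain Controller 4768 queries, together with the result-code table, reproduced as an offline Python check over constructed Windows event XML. This is an added example, not Skadi or CDQR code; the function names, the compact regex and the sample events are my own.

```python
"""Offline rendering of two hunts from this sheet: the private-IP exclusion shared
by the Terminal Services and 4768 queries, and Kerberos result-code decoding for
Event IDs 4768/4769/4771.  Added example, not Skadi or CDQR code."""
import re
import xml.etree.ElementTree as ET

# Subset of the DOMAIN CONTROLLER RESULT CODES table.
KRB_RESULT = {
    0x0: "Request for ticket was granted",
    0x6: "Client not found in Kerberos database",
    0x12: "Client's credentials have been revoked",
    0x17: "Password has expired",
    0x18: "Pre-authentication information was invalid",
    0x25: "Clock skew too great",
}

# Compact equivalent of the 19-alternative NOT /(192\.168...|local|fe80)/ clause;
# the sixteen 172.16 to 172.31 entries collapse into one.  Valid as a Kibana
# (Lucene) regexp and as a Python pattern.
PRIVATE_IP_LUCENE = (
    r"(192\.168\.[0-9]{1,3}\.[0-9]{1,3}"
    r"|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"
    r"|172\.(1[6-9]|2[0-9]|3[01])\.[0-9]{1,3}\.[0-9]{1,3}"
    r"|127\.0\.0\.1|local|fe80)"
)
_PRIVATE_RE = re.compile(PRIVATE_IP_LUCENE, re.IGNORECASE)

def is_internal(ip_text):
    """True when the NOT clause (plus the 4768 query's ::1 exclusion) would drop
    the address.  Lucene regexps match a whole token, hence fullmatch(); the
    ::ffff: IPv4 mapping and %scope suffix seen in 4768/RDP events are stripped."""
    addr = ip_text.strip().lower().split("%")[0]
    if addr.startswith("::ffff:"):
        addr = addr[len("::ffff:"):]
    if addr == "::1" or addr.startswith("fe80"):
        return True
    return _PRIVATE_RE.fullmatch(addr) is not None

def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) from Windows event XML."""
    event_id, fields = None, {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]   # drop the win/2004/08 namespace if present
        if tag == "EventID":
            event_id = int(el.text)
        elif tag == "Data" and el.get("Name"):
            fields[el.get("Name")] = (el.text or "").strip()
    return event_id, fields

def classify(xml_text):
    """Apply the 4768/4769/4771 hunts to one event: None for other Event IDs,
    else the decoded status, the bucket the sheet's queries would put it in
    (granted / failed / noise) and whether the client IP is external."""
    event_id, f = parse_event(xml_text)
    if event_id not in (4768, 4769, 4771):
        return None
    status = int(f.get("Status", "0x0"), 16)   # "0x0" and "0x00000000" both decode
    if status == 0x0:
        bucket = "granted"
    elif event_id == 4768 and status in (0x6, 0x17):
        bucket = "noise"   # the Failed 4768 query deliberately drops these
    elif event_id == 4771 and status == 0x18:
        bucket = "noise"   # the 4771 query deliberately drops bad passwords
    else:
        bucket = "failed"
    ip = f.get("IpAddress", "")
    return {"event_id": event_id, "user": f.get("TargetUserName", ""),
            "status": status, "reason": KRB_RESULT.get(status, "see table"),
            "ip": ip, "external": bool(ip) and not is_internal(ip),
            "bucket": bucket}

# Constructed sample events (minimal Windows event XML, not real log data).
SAMPLE_EVENTS = [
    '<Event><System><EventID>4768</EventID></System><EventData>'
    '<Data Name="TargetUserName">svc-backup</Data>'
    '<Data Name="IpAddress">::ffff:198.51.100.7</Data>'
    '<Data Name="Status">0x00000000</Data></EventData></Event>',
    '<Event><System><EventID>4768</EventID></System><EventData>'
    '<Data Name="TargetUserName">jdoe</Data>'
    '<Data Name="IpAddress">::ffff:172.20.4.9</Data>'
    '<Data Name="Status">0x00000012</Data></EventData></Event>',
    '<Event><System><EventID>4771</EventID></System><EventData>'
    '<Data Name="TargetUserName">jdoe</Data>'
    '<Data Name="IpAddress">::ffff:10.3.0.8</Data>'
    '<Data Name="Status">0x00000018</Data></EventData></Event>',
    '<Event><System><EventID>4624</EventID></System><EventData>'
    '<Data Name="IpAddress">127.0.0.1</Data></EventData></Event>',
]

def external_kerberos_hits(events=SAMPLE_EVENTS):
    """The two '(External Internet IPs)' 4768 queries combined: Kerberos events
    from non-private addresses, minus the statuses those queries exclude."""
    hits = [classify(e) for e in events]
    return [h for h in hits if h and h["external"] and h["bucket"] != "noise"]

if __name__ == "__main__":
    for hit in external_kerberos_hits():
        print(hit["event_id"], hit["bucket"], hit["user"], hit["ip"], hit["reason"])
```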

DATT:

Source Long: Registry Key: UserAssist


RENAME Multiple SUB-DIRECTORIES (TEST)

find . -depth -type d -not -name '.' -exec rename -n 's/(.*)/$1_foo/' {} +

REMOVE THE -n IF THE NAMING CONVENTION IS CORRECT:

find . -depth -type d -not -name '.' -exec rename 's/(.*)/$1_foo/' {} +

COMPRESS NUMEROUS SUB-DIRECTORIES INTO INDIVIDUAL ARCHIVES:

for i in */; do zip -r "${i%/}.zip" "$i"; done

INDEX NUMEROUS ARCHIVES INTO THE ELK STACK:

MAKE THE DIRECTORY NAMED "Evidence" AND PLACE ALL OF THE COMPRESSED ARCHIVES IN IT:

STRIP the ".zip" FILE EXTENSION OFF ALL OF THE ARCHIVES:

sudo apt install rename

find . -depth -type f -not -name '.' -exec rename 's/\.zip$//' {} +

AUTOMATE THE INDEXING AND INGESTION OF THE ARCHIVES INTO THE ELK STACK:

for i in *; do cdqr.py --max_cpu -p win --es_kb "$i" -z "$i" /home/skadi/"$i"; done
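The same evidence-preparation procedure (zip each per-host sub-directory, derive the index name, build one cdqr.py invocation per archive) as a reviewable Python dry run. Added example, not CDQR or Skadi code; the Evidence tree, host names and prefetch file name are constructed, and the index-name lowercasing is my addition (Elasticsearch index names must be lowercase).

```python
"""Python rendering of the INDEX NUMEROUS ARCHIVES procedure above: zip each
per-host sub-directory, derive the index name from the archive stem (so the
rename/strip step is unnecessary) and build one old-syntax cdqr.py command per
archive.  Added example, not CDQR or Skadi code; the tree built in demo() is
constructed and commands are returned for review rather than run (execute=True
runs them)."""
import os
import re
import shutil
import subprocess
import tempfile
import zipfile

SKADI_HOME = "/home/skadi"   # destination root used in the loop on the page

def zip_subdirs(evidence_dir):
    """Equivalent of: for i in */; do zip -r "${i%/}.zip" "$i"; done"""
    archives = []
    for name in sorted(os.listdir(evidence_dir)):
        src = os.path.join(evidence_dir, name)
        if not os.path.isdir(src):
            continue
        dst = os.path.join(evidence_dir, name + ".zip")
        with zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zf:
            for root, _dirs, files in os.walk(src):
                for fname in files:
                    full = os.path.join(root, fname)
                    # keep the HOSTNAME/ prefix inside the archive, as zip -r does
                    zf.write(full, os.path.relpath(full, evidence_dir))
        archives.append(dst)
    return archives

def index_name(archive_path):
    """Index name from the archive stem.  Elasticsearch index names must be
    lowercase, so the hostname is normalised; the page's loop passes it raw."""
    stem = os.path.basename(archive_path)[:-len(".zip")]
    return re.sub(r"[^a-z0-9_-]", "_", stem.lower())

def cdqr_commands(archives, home=SKADI_HOME):
    """One old-syntax invocation per archive, matching the page's loop:
    cdqr.py --max_cpu -p win --es_kb INDEX -z ARCHIVE /home/skadi/INDEX"""
    cmds = []
    for archive in archives:
        idx = index_name(archive)
        cmds.append(["cdqr.py", "--max_cpu", "-p", "win", "--es_kb", idx,
                     "-z", archive, os.path.join(home, idx)])
    return cmds

def ingest(evidence_dir, execute=False):
    """Zip every host directory and return (or, with execute=True, run) the commands."""
    cmds = cdqr_commands(zip_subdirs(evidence_dir))
    if execute:
        for cmd in cmds:
            subprocess.run(cmd, check=True)   # cdqr.py must be on PATH
    return cmds

def demo():
    """Dry run over a throwaway Evidence tree with two constructed hosts.
    Returns the command lines and the member list of the first archive."""
    tmp = tempfile.mkdtemp(prefix="Evidence_")
    try:
        for host in ("WS01-Finance", "SRV02"):
            pf_dir = os.path.join(tmp, host, "C", "Windows", "Prefetch")
            os.makedirs(pf_dir)
            with open(os.path.join(pf_dir, "CMD.EXE-PLACEHOLDER.pf"), "wb") as fh:
                fh.write(b"constructed placeholder, not a real prefetch file")
        archives = zip_subdirs(tmp)
        with zipfile.ZipFile(archives[0]) as zf:
            members = zf.namelist()
        return cdqr_commands(archives), members
    finally:
        shutil.rmtree(tmp)

if __name__ == "__main__":
    for cmd in demo()[0]:
        print(" ".join(cmd))
```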

EXAMPLES

cdqr.py c:\mydiskimage.vmdk myresults

cdqr.exe -p win c:\images\badlaptop.e01

cdqr.exe -p datt --max_cpu C:\artifacts\tag009

cdqr.exe -p datt --max_cpu C:\artifacts\tag009\$MFT --export

cdqr.exe -z --max_cpu C:\artifacts\tag009\artifacts.zip

cdqr.exe -z --max_cpu C:\artifacts\tag009\artifacts.zip --es myindexname

PARSER LIST

win

bencode,czip,ccleaner,esedb,filestat,lnk,mcafee_protection,olecf,pe,prefetch,recycle_bin,recycle_bin_info2,sccm,sophos_av,sqlite,symantec_scanlog,winevt,winevtx,webhist,winfirewall,winjob,windows_typed_urls,winreg

mft_usnjrnl

mft,usnjrnl

mac

asl_log,bash_history,bash,bencode,bsm_log,ccleaner,cups_ipp,czip,plist,filestat,fseventsd,mcafee_protection,mac_appfirewall_log,mac_keychain,mac_securityd,macwifi,mcafee_protection,olecf,sophos_av,sqlite,symantec_scanlog,syslog,utmpx,webhist,zsh_extended_history

lin

bash,bash_history,bencode,czip,dockerjson,dpkg,filestat,mcafee_protection,olecf,pls_recall,popularity_contest,selinux,sophos_av,sqlite,symantec_scanlog,syslog,systemd_journal,utmp,webhist,xchatlog,xchatscrollback,zsh_extended_history

datt

amcache,android_app_usage,apache_access,asl_log,bash_history,bash,bencode,binary_cookies,bsm_log,chrome_cache,chrome_preferences,cups_ipp,custom_destinations,czip,dockerjson,dpkg,esedb,filestat,firefox_cache,firefox_cache2,fsevents,gdrive_synclog,hachoir,java_idx,lnk,mac_appfirewall_log,mac_keychain,mac_securityd,mactime,macwifi,mcafee_protection,mft,msiecf,olecf,opera_global,opera_typed_history,pe,plist,pls_recall,popularity_contest,prefetch,recycle_bin_info2,recycle_bin,rplog,santa,sccm,selinux,skydrive_log_old,skydrive_log,sophos_av,sqlite,symantec_scanlog,syslog,systemd_journal,trendmicro_url,trendmicro_vd,usnjrnl,utmp,utmpx,winevt,winevtx,winfirewall,winiis,winjob,winreg,xchatlog,xchatscrollback,zsh_extended_history

ARGUMENTS & OPTIONS

positional arguments:
  src_location          Source File location: Y:/Case/Tag009/sample.E01
  dst_location          Destination Folder location. If nothing is supplied
                        then the default is 'Results'

optional arguments:
  -h, --help            show this help message and exit
  -p PARSER, --parser PARSER
                        Choose parser to use. If nothing chosen then 'win' is
                        used. The parsing options are: win, mft_usnjrnl, lin,
                        mac, datt
  --nohash              Do not hash all the files as part of the processing of
                        the image
  --mft                 Process the MFT file (disabled by default except for
                        DATT)
  --usnjrnl             Process the USNJRNL file (disabled by default except
                        for DATT)
  --max_cpu             Use the maximum number of cpu cores to process the
                        image
  --export              Creates zipped, line delimited json export file
  --artifact_filters ARTIFACT_FILTERS
                        Plaso passthrough: Names of forensic artifact
                        definitions, provided on the command command line
                        (comma separated). Forensic artifacts are stored in
                        .yaml files that are directly pulled from the artifact
                        definitions project. You can also specify a custom
                        artifacts yaml file (see
                        --custom_artifact_definitions). Artifact definitions
                        can be used to describe and quickly collect data of
                        interest, such as specific files or Windows Registry
                        keys.
  --artifact_filters_file ARTIFACT_FILTERS_FILE
                        Plaso passthrough: Names of forensic artifact
                        definitions, provided in a file with one artifact name
                        per line. Forensic artifacts are stored in .yaml files
                        that are directly pulled from the artifact definitions
                        project. You can also specify a custom artifacts yaml
                        file (see --custom_artifact_definitions). Artifact
                        definitions can be used to describe and quickly
                        collect data of interest, such as specific files or
                        Windows Registry keys.
  --artifact_definitions ARTIFACT_DEFINITIONS
                        Plaso passthrough: Path to a directory containing
                        artifact definitions, which are .yaml files. Artifact
                        definitions can be used to describe and quickly
                        collect data of interest, such as specific files or
                        Windows Registry keys.
  --custom_artifact_definitions CUSTOM_ARTIFACT_DEFINITIONS
                        Plaso passthrough: Path to a file containing custom
                        artifact definitions, which are .yaml files. Artifact
                        definitions can be used to describe and quickly
                        collect data of interest, such as specific files or
                        Windows Registry keys.
  --file_filter FILE_FILTER, -f FILE_FILTER
                        Plaso passthrough: List of files to include for
                        targeted collection of files to parse, one line per
                        file path, setup is /path|file - where each element
                        can contain either a variable set in the preprocessing
                        stage or a regular expression.
  --es_kb ES_KB         Outputs Kibana format to elasticsearch database.
                        Requires index name. Example: '--es_kb my_index'
  --es_kb_server ES_KB_SERVER
                        Kibana Format Only: Exports to remote (default is
                        127.0.0.1) elasticsearch database. Requires Server
                        name or IP address Example: '--es_kb_server
                        myserver.elk.go' or '--es_kb_server 192.168.1.10'
  --es_kb_port ES_KB_PORT
                        Kibana Format Only: Port (default is 9200) for remote
                        elasticsearch database. Requires port number Example:
                        '--es_kb_port 9200 '
  --es_kb_user ES_KB_USER
                        Kibana Format Only: Username (default is none) for
                        remote elasticsearch database. Requires port number
                        Example: '--es_kb_user skadi '
  --es_ts ES_TS         Outputs TimeSketch format to elasticsearch database.
                        Requires index/timesketch name. Example: '--es_ts
                        my_name'
  --plaso_db            Process an existing Plaso DB file. Example:
                        artifacts.plaso
  -z                    Indicates the input file is a zip file and needs to be
                        decompressed
  --no_dependencies_check
                        Re-enables the log2timeline the dependencies check. It
                        is skipped by default
  --process_archives    Extract and inspect contents of archives found inside
                        of artifacts or disk images
  -v, --version         show program's version number and exit
  -y                    Accepts all defaults on prompted questions in the
                        program.
650 program.