randomuserid / adama
Searches For Threat Hunting and Security Analytics
License: Other
In this saved search we are searching for "Security event log was cleared", which means we search for event IDs 517 and 1102, but the problem is that your query searches for the inverse. Your query is like this:
"must_not": [
  {
    "bool": {
      "minimum_should_match": 1,
      "should": [
        {
          "match_phrase": {
            "event.code": "517"
          }
        },
        {
          "match_phrase": {
            "event.code": "1102"
          }
        }
      ]
    }
  }
]
The correct query searches for these event IDs, and looks like this:
"filter": [
  {
    "bool": {
      "should": [
        {
          "match_phrase": {
            "event.code": "517"
          }
        },
        {
          "match_phrase": {
            "event.code": "1102"
          }
        }
      ],
      "minimum_should_match": 1
    }
  }
]
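To make the inversion concrete, here is an added example (not code from the adama repository) with a minimal evaluator for the subset of the Elasticsearch Query DSL used in the two snippets above; run over a few constructed events it shows that the `must_not` version returns every event except the log-clear ones, while the `filter` version returns only them.

```python
# Added example, not from the adama repo: evaluate the bool / filter / must_not /
# should / match_phrase subset of the Query DSL against constructed sample events.
from typing import Any

LOG_CLEARED_CODES = ("517", "1102")  # "Security event log was cleared"

def event_code_clause() -> dict[str, Any]:
    """Inner block shared by both variants: event.code is 517 OR 1102."""
    return {
        "bool": {
            "should": [{"match_phrase": {"event.code": c}} for c in LOG_CLEARED_CODES],
            "minimum_should_match": 1,
        }
    }

WRONG_QUERY = {"bool": {"must_not": [event_code_clause()]}}   # as filed in the issue
CORRECT_QUERY = {"bool": {"filter": [event_code_clause()]}}   # the proposed fix

def matches(query: dict[str, Any], doc: dict[str, str]) -> bool:
    """Return True if `doc` satisfies `query` (match_phrase treated as exact field match)."""
    if "match_phrase" in query:
        (field, value), = query["match_phrase"].items()
        return doc.get(field) == value
    b = query["bool"]
    if any(matches(q, doc) for q in b.get("must_not", [])):   # any must_not hit excludes
        return False
    if not all(matches(q, doc) for q in b.get("filter", [])):  # every filter must hit
        return False
    should = b.get("should", [])
    if should:
        # ES default: minimum_should_match is 1 unless filter/must clauses are present
        default_msm = 0 if b.get("filter") else 1
        return sum(matches(q, doc) for q in should) >= b.get("minimum_should_match", default_msm)
    return True

def hits(query: dict[str, Any], docs: list[dict[str, str]]) -> list[str]:
    """Event codes of the documents the query would return."""
    return [d["event.code"] for d in docs if matches(query, d)]

# Constructed sample events: two log-clear events and two benign ones.
SAMPLE_EVENTS = [
    {"event.code": "1102", "event.provider": "Microsoft-Windows-Eventlog"},
    {"event.code": "517"},
    {"event.code": "4624"},
    {"event.code": "4688"},
]

if __name__ == "__main__":
    print("must_not version returns:", hits(WRONG_QUERY, SAMPLE_EVENTS))    # ['4624', '4688']
    print("filter version returns:  ", hits(CORRECT_QUERY, SAMPLE_EVENTS))  # ['1102', '517']
```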
https://twitter.com/RhinoSecurity/status/1253397992255582208?s=20
https://twitter.com/SpenGietz/status/1268947404071383042?s=20
https://twitter.com/0xdabbad00/status/1225452593234640897?s=21
https://twitter.com/singe/status/1202480904851087360?s=21
https://twitter.com/ashwinpatil/status/1196455153009774592?s=21
https://twitter.com/0xdabbad00/status/1182409961717977088?s=21
https://twitter.com/andresriancho/status/1182000274237358080?s=21
https://twitter.com/cyberwarship/status/1264533437379162113?s=21
https://twitter.com/dinosn/status/1181981419641462784?s=21
https://twitter.com/rhinosecurity/status/1159936327770681346?s=21
https://twitter.com/0xdabbad00/status/1158456395504611329?s=21
https://twitter.com/0xdabbad00/status/1258909131605307393?s=21
https://twitter.com/ram_ssk/status/1196472379293044736?s=21
https://twitter.com/binitamshah/status/1176453379540865024?s=21
https://twitter.com/voulnet/status/1168527352680341505?s=21
https://twitter.com/taosecurity/status/1144707145138626561?s=21
https://twitter.com/rhinosecurity/status/1140982831532990464?s=21
Can you please just uppercase the first letter, renaming Adama/Windows/cacls command activity.ndjson to Adama/Windows/Cacls command activity.ndjson?
Into one rule per SID, or per CVE, to facilitate more granular tuning and selection
Blanket alerting on ports in the Commonly Used Port category - https://attack.mitre.org/techniques/T1043/ - tends to make a super-massive FP / noise flood. Develop a high signal / noise search set for network events using network behavioral profiling and anomaly detection.
Executing PowerShell from Decoded Base64 (medium confidence)
Process is ‘powershell.exe’ AND
Command line includes ‘base64’ AND
Command line includes ‘iex’
PHP Executing OS Commands (medium confidence)
Parent process is ‘php.exe’ OR ‘php-cgi.exe’ AND
Process is ‘cmd.exe’
Tune out commands required for normal web application use; this is different per organization and application.
Windows IIS Worker Executing OS Commands (medium confidence)
Parent process is ‘w3wp.exe’ AND
Process is ‘cmd.exe’
Tune out commands required for normal web application use; this is different per organization and application.
Domain Administrator Enumeration via Net.exe (high confidence)
Process is ‘net.exe’ OR ‘net1.exe’ AND
Command line includes ‘Domain Admin’
PowerShell Downloading Code for Execution (medium confidence)
Process is ‘powershell.exe’ AND
Command line includes ‘downloadstring’ AND
Command line includes ‘iex’
Wmic Remote Stylesheet Execution (high confidence)
Process is ‘wmic.exe’ AND
Command line includes ‘/format:’ AND
Has network connection
Use of Windows Optimize Drives Service for C2 (high confidence)
Process is ‘svchost.exe’ AND
Command line includes ‘defragsvc’ AND
Has network connection