Falcon Queries

SuspiciousDnsRequest
eventtype=eam (ProcessRollup2 OR SyntheticProcessRollup2) earliest=-1h@h |regex FileName!=""chrome.exe|iexplore.exe|MicrosoftEdgeCP.exe|firefox.exe"" |regex DomainName!=""csync.loopme.me""
|rex field=CommandLine ""(?[^\\]+)$"" |stats count values(SHA256HashData) by TargetProcessId_decimal ComputerName timestamp FileName CommandLine |fields - count
|join TargetProcessId_decimal [search event_simpleName=SuspiciousDnsRequest |rename ContextProcessId_decimal as TargetProcessId_decimal |dedup TargetProcessId_decimal |stats count values(SHA256HashData) by TargetProcessId_decimal DomainName |fields - count] |dedup DomainName
Show me a list of processes that executed from the Recycle Bin for a specific AID
ImageFileName=$Recycle.Bin event_simpleName=""ProcessRollup2"" earliest=-1h@h |regex FileName!=""chrome.exe|iexplore.exe|MicrosoftEdgeCP.exe|firefox.exe"" |stats values(name) values(SHA256HashData) values(ComputerName) values(ImageFileName) count by aid
Show me any BITS transfers (can be used to transfer malicious binaries)
event_simpleName=""ProcessRollup2"" FileName=bitsadmin.exe (CommandLine=/Transfer OR CommandLine=/Addfile) earliest=-1h@h |dedup CommandLine |stats count by _time aid ComputerName UserName ImageFileName CommandLine TargetFileName SHA256HashData |sort -_time
Show me any encoded PowerShell commands
event_simpleName=""ProcessRollup2"" FileName=powershell.exe (CommandLine=-enc OR CommandLine=encoded) UserName!=SPAMMYUSER earliest=-24h@h |regex CommandLine!=""(?i)Office.ValidateResult.scratch|SPAMMMY_POWERSHEL_ENC*"" |rex field=CommandLine ""(?[^\\]+)$"" |stats values(UserName) values(CommandLine) values(ComputerName) count by CommandLineTrim |sort -count
Show me a list of processes executing from User Profile file paths
event_simpleName=""ProcessRollup2"" ComputerName=* earliest=-24h@h
 |regex CommandLine=""\\\\users\\\\"" 
 |regex CommandLine!=""(?i)SPAMMY.exe|SPAMMY.exe|SPAMMY.exe"" 
 |rex field=CommandLine ""(?<CommandLineTrim>[^\\\\]+)$"" 
 |stats dc(UserName) values(SHA256HashData) values(CommandLineTrim) dc(ComputerName) count by FileName
 |sort -count 
 |where count <10
Show me the responsible process for starting a service
event_simpleName=ServiceStarted ComputerName=* earliest=-7d@h
 |dedup CommandLine
 |rex field=CommandLine ""(?<CommandLineTrim>[^\\\\]+)$"" 
 
 |stats values(ComputerName) values(UserName) values(CommandLineTrim) count by FileName 
 |sort -count
Show me all CreateService events with non-internal remote connections
event_simpleName=CreateService earliest=-24h@h
 (
 RemoteAddressIP4!=""""
 RemoteAddressIP4!=192.168.0.0/16 AND 
 RemoteAddressIP4!=10.0.0.0/8 AND 
 RemoteAddressIP4!=172.16.0.0/12 AND 
 RemoteAddressIP4!=127.0.0.0/8 AND
 )
 |stats values(RemoteAddressIP4) values(ClientComputerName) values(ServiceImagePath) count by ServiceDisplayName
Show me non-System32 binaries running as a hosted service
event_simpleName=HostedServiceStarted ImageFileName!=""*\\System32\\*"" ServiceDisplayName!=WcesComm earliest=-24h@h
 |stats values(ComputerName) values(FileName) count by ServiceDisplayName
Show me a list of web servers or database processes running under a Local System account
event_simpleName=""ProcessRollup2"" (FileName=w3wp.exe OR FileName=sqlservr.exe OR FileName=httpd.exe OR FileName=nginx.exe) UserName=""LOCAL SYSTEM"" OR UserName=""SYSTEM"" earliest=-24h@h
 |rex field=CommandLine ""(?<CommandLineTrim>[^\\\\]+)$"" 
 |stats values(ComputerName) values(UserName) values(CommandLineTrim) values(SHA256HashData) count by FileName
Show me logon (UserIdentity) events for newly created user accounts
event_simpleName=""UserIdentity"" [search event_simpleName=UserAccountCreated UserName!=""spamuser*"" OR UserName!=spamuser| fields cid UserName ] 
 | stats count values(UserName) by ComputerName 
 | sort -count
Show me the responsible process for the UserAccountCreated event
event_simpleName=""ProcessRollup2"" earliest=-24h@h ComputerName=* [search event_simpleName=""UserAccountCreated"" |rename RpcClientProcessId as TargetProcessId_decimal |rename UserName as UserName_UserAccountCreated |fields aid TargetProcessId_decimal UserName ] |regex CommandLine!=""(?i)SPAMMY.exe|SPAMMY.exe"" |stats count values(SHA256HashData) values(UserName) values(CommandLine) by FileName |sort -count
Show me all Firewall Set Rule events
event_simpleName=FirewallSetRule | table aid FirewallRule RemoteAddressIP4 RemoteAddressIP6
Show me all FirewallChangeOption events (with human-readable profile description)
event_simpleName=FirewallChangeOption |
 eval FirewallProfileDescription=case(FirewallProfile=0, ""INVALID"", FirewallProfile=1, ""DOMAIN"", FirewallProfile=2, ""STANDARD"", FirewallProfile=3, ""PUBLIC"") |
 table aid FirewallOption FirewallProfileDescription FirewallOptionNumericValue FirewallOptionStringValue
Show me a list of outbound network traffic on non-standard ports and the process info attached to them
event_simpleName=NetworkConnect*  ComputerName=NATL1-8K8L7H2  (RemoteAddressIP4!=192.168.0.0/16 AND RemoteAddressIP4!=10.0.0.0/8 AND RemoteAddressIP4!=172.16.0.0/12 AND RemoteAddressIP4!=127.0.0.0/8) 
|regex REMOVEME_TO_FILTER_NON_STANDARD_PORTS_RemotePort_decimal!=""7|9|13|(2[1-3])|(2[56])|37|53|(79|8[01])|88|106|110|111|113|119|135|139|(14[34])|179|199|389|427|(44[3-5])|465|(51[3-5])|543|544|548|554|587|631|646|873|990|993|995|(102[5-9])|1110|1433|1720|1723|1755|1900|2000|2001|2049|2121|2717|3000|3128|3306|3389|3986|4899|5000|5009|5051|5060|5101|5190|5357|5432|5631|5666|5800|5900|6000|6001|6646|7070|8000|8008|8009|8080|8081|8443|8888|9100|9999|10000|32768|(4915[2-7])|0""
|dedup ContextProcessId_decimal ComputerName 
| rename ContextProcessId_decimal AS TargetProcessId_decimal
|stats count by TargetProcessId_decimal ComputerName RemoteIP RPort _time
|sort -count
|join   TargetProcessId_decimal
    [search event_simpleName=""ProcessRollup2""  ComputerName=NATL1-8K8L7H2
    | dedup TargetProcessId_decimal
    | fields TargetProcessId_decimal ComputerName timestamp ImageFileName   CommandLine _time ] 
     | eval ""Last Seen (UTC)""=strftime(_time, ""%m/%d/%y %I:%M%p"")
     | sort by +""Last Seen (UTC)"" 
     |rex field=CommandLine ""(?<CommandLine_Short>[^\\\\]+)$""
     | rex field=CommandLine_Short ""(?P<CommandLine_Short>\w{75}).*""
| stats count    values(RemoteIP) AS Dst values(RPort) AS Port  values(ImageFileName) AS Path values(CommandLine) AS CommandLine by ""Last Seen (UTC)""  CommandLine_Short
Show me a list of low-volume domain name requests
event_simpleName=DnsRequest earliest=-1h@h
 |regex DomainName!=""(?i)adobe.com|google.com|newellco.com|outlook.com|microsoft.com|live\.com|skype\.com|footprintdns\.com|microsoftonline\.com|office365\.com|office\.net|digicert.com|office\.com|windows\.com|lync\.com|apple\.com|windows\.net|icloud\.net|goody\.com|facebook\.com|jahglobal\.net|0\.0\.0\.0|rackcdn\.com|yammer\.com"" 
 |rare DomainName 
 |stats values(ComputerName) count by DomainName 
 |where count <4 
 |sort - count
Show all Remote Desktop Protocol (RDP) connections observed on a specific host
event_simpleName=*UserIdentity LogonType_decimal=10 
 |table ComputerName UserPrincipal 
 |fillnull value=null
 |stats values(ComputerName) count by UserPrincipal
 |sort -count
Hunting Suspicious Registry Changes
event_simpleName=ASEP* earliest=-24h@h 
 |rex field=RegStringValue ""(?<RegStringValueTrim>[^\\\\]+)$"" 
 |stats dc(ComputerName) as count values(ComputerName) values(RegStringValue) by RegStringValueTrim
 |sort -count
 |where count < 10
Sysinternals tool use
sourcetype=PeVersionInfoV3-v02 CompanyName=*Sysinternals* earliest=-24h@h
 |eval OriginalFilename=lower(OriginalFilename)
 |stats values(ImageFileName) values(ComputerName) values(SHA256HashData) count by OriginalFilename
NWL_CMD run with Echo and & Parameters-v3
event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2 CommandLine=""*echo*&"" FileName=cmd.exe earliest=-24h@h
  |stats count values(CommandLine) by ComputerName
  |sort -count
NWL_Administrator Enumeration
event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2 (FileName=net.exe OR FileName=net1.exe) AND CommandLine=""*admin*"" AND (CommandLine=""*localgroup*"" OR CommandLine=""*domain*"") earliest=-24h@h
  |regex CommandLine!=""(?i)Uninstall|aspect|S-1-5-32-544"" 
  |stats count values(CommandLine) by ComputerName
NWL_Wscript Runs Obfuscated JS
event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2 CommandLine="*wscript.exe*ProgramData*" earliest=-24h@h
NWL_Changes to Known DLLs registry
event_simpleName=ASEP* RegStringValue=""*knowndlls*"" earliest=-24h@h
 |rex field=RegStringValue ""(?<RegStringValueTrim>[^\\\\]+)$"" 
 |stats count values(ComputerName) values(RegStringValue) by RegStringValueTrim
 |sort -count
NWL_T1121 - Regsvcs/Regasm - Making Network Connections
event_simpleName=""ProcessRollup2"" FileName=Regasm.exe OR FileName=RegSvcs.exe 
 | dedup ComputerName FileName 
 | regex DomainName!=""(?i)adobe\.com$|google.com$|newellco\.com$|outlook\.com$|microsoft\.com$|live\.com$|skype\.com$|footprintdns\.com$|microsoftonline\.com$|office365\.com$|office\.net$|digicert\.com$|office\.com$|windows\.com$|lync\.com$|apple\.com$|windows\.net$|icloud\.net$|goody\.com$|facebook\.com$|jahglobal\.net$|0\.0\.0\.0$|rackcdn\.com$|yammer\.com|office\.com$|msedge\.net$|identrust\.com$|letsencrypt\.org$|msn\.com$|bing\.com$|msocsp\.com$|cloudsink\.net$"" 
 
 |map maxsearches=9999 search=""search event_simpleName=DnsRequest ContextProcessId_decimal=$TargetProcessId_decimal$ ""
NWL_CMD or PS Invoke-Expression with Env Variable
event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2 (FileName=cmd.exe OR FileName:powershell.exe) AND (CommandLine="*Invoke-Expression*" AND CommandLine="*$env:*") earliest=-24h@h
NWL_WannaCry
event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2 MD5HashData=86F8E249B90A767D28BE2D16EB702675 OR MD5HashData=EF83438AA06BAA2732E8F594322FF059 OR MD5HashData=a043fac94294b844bd4f05e3aec2c612 OR MD5HashData=f107a717f76f4f910ae9cb4dc5290594 OR MD5HashData=84c82835a5d21bbcf75a61706d8ab549 OR MD5HashData=7f7ccaa16fb15eb1c7399d422f8363e8 OR MD5HashData=509c41ec97bb81b0567b059aa2f50fe8 OR MD5HashData=db349b97c37d22f5ea1d1841e3c89eb4 earliest=-24h@h
Offshore connections on non-standard ports
eventtype=eam NetworkConnectIP4 RemoteAddressIP4!=127.0.0.0/8 RemoteAddressIP4!=222.222.222.0/22 RemoteAddressIP4!=222.222.222.0/23 RemoteAddressIP4!=10.0.0.0/8 RemoteAddressIP4!=172.16.0.0/12 RemoteAddressIP4!=192.168.0.0/16 
 RemotePort_decimal!=443 RemotePort_decimal!=80
 |head 10000
 |iplocation RemoteAddressIP4 
 |search Country!=""United States""
 |stats count values(Country) values(RemoteAddressIP4) values(RemotePort_decimal) by ComputerName 
 | sort -count
Registry Run key (ASEP) entries
event_simpleName=Asep* RegObjectName=*\\Run 
 |regex TargetCommandLineParameters!=""(?i)\""|\-[a-z]|\/[a-z]|\/u0000"" 
 |regex RegValueName!=""(?i)program files|Program Files|dell|Logitech|sidebar|tomtom|Yandex"" 
 |stats count values(RegStringValue) values(RegValueName) values(ComputerName) by TargetCommandLineParameters
 |sort -count
Review all events for ComputerName
source=PlatformEvents ComputerName=COMPUTERNAME
AID and/or UserName → user info for a ticket
(ComputerName=COMPUTERNAMEHERE sourcetype=UserIdentityV2-v02 OR sourcetype=UserLogonV8-v02 UserPrincipal!=""spammyemail@company.com"" UserPrincipal=*.*@*.com UserPrincipal!=*.$*.com UserName!=svcSCCM.ClientPush UserName!=SYSTEM earliest=-7d@d ) 
 
 | lookup aid_master aid OUTPUT City Country ComputerName MachineDomain 
 | rex field=UserPrincipal ""^(?<First>\w+).(?<Last>\w+)(@.*)""
 | eval ""Full Name""= First."" "".Last
 | eval ""Country City"" = Country."","".City 
 | join ComputerName 
  [search source=PlatformEvents DetectDescription=""*""
  | table ComputerName DetectDescription ]
 | table DetectDescription ComputerName LocalAddressIP4 MachineDomain UserName ""Full Name"" UserPrincipal ""Country City"" 
 | fillnull value=NULL
 | dedup UserPrincipal DetectDescription ComputerName
Windows_Patch_Status (BlueKeepStatus)
|savedsearch windows_patch_status cid=""*"" kb_pattern=""(KB4499178)|(KB4499175)|(KB4499164)|(KB4503277)|(KB4503292)|(KB4507449)|(KB4507437)|(KB4512506)|(KB4512514)|(KB4516065)|(KB4516048)|(KB4524157)|(KB4519976)|(KB4525251)|(KB4525235);""
  |rename PatchStatus as BlueKeepStatus
  |lookup aid_master.csv aid OUTPUT ComputerName, Version, Time, SiteName, MachineDomain
  |search Version=""Windows Server 2008 R2"" OR Version=""Windows 7""
  |search Version=""*"" BlueKeepStatus=""Vulnerable (Patched; Reboot Required)"" OR BlueKeepStatus=""Vulnerable (Not patched)""
  |lookup managedassets.csv aid OUTPUT MAC, LocalAddressIP4
  |lookup cid_name.csv cid OUTPUT name as ""Company""
  |table ComputerName, Version, BlueKeepStatus, LastPatchTime, Time, MAC, LocalAddressIP4, SiteName, MachineDomain, Company
  `formatDate(LastPatchTime)`
  `formatDate(Time)`
  |rename ComputerName as ""Host Name"", Version as ""OS Version"", BlueKeepStatus as ""Vulnerable Status"", LastPatchTime as ""Last Update Installed Time"", Time as ""Last Sensor Report Time"", SiteName as ""Site Name"", MachineDomain as ""Domain"", Company as ""Company Name""
Show processes and connected domain names
ComputerName=""EHTT1-DHD2NH2"" event_simpleName=""DnsRequest"" DomainName=""*.*""
 | regex DomainName!=""(?i)adobe\.com$|google.com$|newellco\.com$|outlook\.com$|microsoft\.com$|live\.com$|skype\.com$|footprintdns\.com$|microsoftonline\.com$|office365\.com$|office\.net$|digicert\.com$|office\.com$|windows\.com$|lync\.com$|apple\.com$|windows\.net$|icloud\.net$|goody\.com$|facebook\.com$|jahglobal\.net$|0\.0\.0\.0$|rackcdn\.com$|yammer\.com|office\.com$|msedge\.net$|identrust\.com$|letsencrypt\.org$|msn\.com$|bing\.com$|msocsp\.com$|cloudsink\.net$|..localmachine"" 
 
 |rename ContextProcessId_decimal as TargetProcessId_decimal 
 |join TargetProcessId_decimal 
 
 [search ComputerName=""EHTT1-DHD2NH2"" event_simpleName=""ProcessRollup2"" earliest=-24h@h
 |regex CommandLine!=""(?i)iexplore\.exe|chrome\.exe|MicrosoftEdgeCP\.exe|firefox\.exe|google|smartscreen\.exe|OneDrive\.exe|SearchUI\.exe|mimecast\.com|MicrosoftEdge\.exe""]
 |rex field=CommandLine ""(?<CommandLine>[^\\\\]+)$""
 | eval ""Last Seen (UTC)""=strftime(_time, ""%m/%d/%y %I:%M%p"")
 |stats sparkline count values(CommandLine) values(DomainName) dc(""Last Seen (UTC)"") by FileName SHA256HashData
NWL_Potential Post Exploit
event_simpleName=""ProcessRollup2"" earliest=-24h@h
 FileName=PsInfo.exe OR FileName=PsLoggedon.exe OR FileName=pssuspend.exe OR FileName=psfile.exe OR FileName=PsService.exe OR FileName=PsGetsid.exe OR FileName=pslist.exe OR FileName=pspasswd.exe OR FileName=psshutdown.exe OR FileName=psping.exe OR FileName=psloglist.exe
 |rex field=CommandLine ""(?<CommandLine>[^\\\\]+)$""
  |regex CommandLine!=""(?i)Spammypath"" 
 |stats count values(CommandLine) by ComputerName
NWL_Potential Post Exploit Tools Elevated
event_simpleName=""ProcessRollup2"" 
 FileName=PsExec.exe OR FileName=SysRun.exe OR FileName=wce.exe OR FileName=wce32.exe OR FileName=whosthere-alt.exe OR FileName=whosthere.exe OR FileName=genhash.exe OR FileName=iam-alt.exe OR FileName=iam.exe OR FileName=crackmapexec.exe OR FileName=hashcat64.exe OR FileName=AccessChk.exe OR FileName=Autologon.exe OR FileName=Streams.exe OR FileName=getlsasrvaddr.exe OR FileName=SharpExec_x64.exe OR FileName=SharpExec_x86.exe
 |regex CommandLine!=""(?i)Spammy_strings1|Spammy_strings2|Spammy_strings3|Spammy_strings4"" 
 |stats count values(CommandLine) by ComputerName 
 |sort -count
Execution of Renamed Executables
event_simpleName=""NewExecutableRenamed"" SourceFileName!=""*.exe""
 |regex CommandLine!=""(?i)\.partial"" 
 |rename TargetFileName as ImageFileName
 |join ImageFileName 
  [ search event_simpleName=""ProcessRollup2"" ]
 |table ComputerName SourceFileName ImageFileName CommandLine
LOLBAS (add to ID:86 or 87)
event_simpleName=""NewExecutableRenamed"" SourceFileName!=""*.exe""
 |regex CommandLine!=""(?i)\.partial"" 
 |rename TargetFileName as ImageFileName
 |join ImageFileName 
  [ search event_simpleName=""ProcessRollup2"" ]
 |table ComputerName SourceFileName ImageFileName CommandLine

Suspicious PowerShell Process, Spawned from Explorer, with Network Connections
event_simpleName=""DnsRequest""
 |rename ContextProcessId as TargetProcessId
 |join TargetProcessId 
  [ search event_simpleName=""ProcessRollup2"" AND FileName=""explorer.exe"" 
  |dedup CommandLine
  |rename TargetProcessId_decimal as ParentProcessId_decimal 
  |join ParentProcessId_decimal 
  [ search event_simpleName=""ProcessRollup2"" FileName=""powershell.exe"" 
  |dedup CommandLine]] 
 |table ComputerName timestamp ImageFileName DomainName CommandLine
PowerShell downloads
event_simpleName=""ProcessRollup2"" FileName=powershell.exe (CommandLine=*Invoke-WebRequest* OR CommandLine=*Net.WebClient* OR CommandLine=*Start-BitsTransfer*) 
 |regex CommandLine!=""((?i)169\.254\.169\.254)""
 |stats count values(ComputerName) values(UserName) values(CommandLine) by FileName
MAC: Detecting Word Macros
event_platform=Mac event_simpleName=""ProcessRollup2"" 
 [search event_simpleName=*ProcessRollup2 event_platform=Mac
 CommandLine=""/Applications/*Microsoft Word*""
 |fields ProcessGroupId_decimal ]
 |stats values(CommandLine) as Commands, count by
 aid,ProcessGroupId_decimal
 |search Commands=""/Applications/*Microsoft Word*""
MAC: Investigating a Word macro
aid= event_simpleName=""ProcessRollup2"" NOT
 CommandLine=""/Applications/*Microsoft Word*"" [search aid=<aid>
 CommandLine=""/Applications/*Microsoft Word*""
 event_simpleName=""ProcessRollup2""
 |rename TargetProcessId_decimal as ProcessGroupId_decimal
 |return 10000 ProcessGroupId_decimal]
MAC: Rare launch agents: list and count launch agents
event_platform=Mac event_simpleName=*ProcessRollup2
 CommandLine=*LaunchAgents*
 |dedup aid,CommandLine |makemv CommandLine delim="" ""
 |eval CommandLine=mvfilter(match(CommandLine, "".*LaunchAgents.*""))
 |eval CommandLine=replace(CommandLine,""/Users/[a-z]+/"", ""/"") |eval
 CommandLine=replace(CommandLine,""\""$"", """")
 |dedup aid,CommandLine
 |stats count by CommandLine
 |sort count
MAC: Removing the quarantine attribute
event_platform=Mac event_simpleName=ProcessRollup2
 CommandLine=""*xattr -d -r com.apple.quarantine*"" NOT
 <redacted> NOT <redacted>
MAC: Very busy process trees
event_platform=Mac event_simpleName=ProcessRollup2
 |stats count by ProcessGroupId_decimal,aid |search count>50 |map
 search=""search aid=$aid$
 ProcessGroupId_decimal=$ProcessGroupId_decimal$
 TargetProcessId_decimal=$ProcessGroupId_decimal$""
 |search NOT CommandLine=<redacted> NOT CommandLine=<redacted>
MAC: Processes running from tmp dirs
event_platform=Mac event_simpleName=ProcessRollup2 (CommandLine=""/tmp/*""
 OR CommandLine=""/private/tmp/*"") NOT <redacted> NOT <redacted> NOT
 <redacted>
MAC: Processes running from /Library/Scripts
event_platform=Mac CommandLine="/Library/Scripts/*"
MAC: Copies from tmp dirs to Users
event_platform=Mac event_simpleName=ProcessRollup2 FileName=cp
 CommandLine=""*tmp*Users*""
MAC: Chown commands run on hidden user dirs
event_simpleName=*ProcessRollup2 event_platform=Mac chown NOT <redacted>
 |regex CommandLine=""/Users/[a-z]+/\..*""
MAC: Chmod commands run on hidden user dirs 2
event_simpleName=*ProcessRollup2 event_platform=Mac chmod NOT <redacted>
 NOT <redacted>
 |regex CommandLine=""/Users/[a-z]+/\..*""
 |table CommandLine
MAC: Long running processes with few network connections (i.e. stealthy C2)
event_platform=Mac event_simpleName=ProcessRollup2 aid=<aid>
 |join type=outer TargetProcessId_decimal
 [search event_platform=Mac aid=<aid> event_simpleName=EndOfProcess
 |rename _time as EndTime
 |fields aid,TargetProcessId_decimal, EndTime]
 |eval duration=if(isnull(EndTime),now()-_time,EndTime-_time)
 |join type=outer aid,ProcessGroupId_decimal
 [search event_platform=Mac event_simpleName=NetworkConnect* aid=<aid>
 |stats count as NetworkConnectionCount by aid, ContextProcessId_decimal
 |rename ContextProcessId_decimal as ProcessGroupId_decimal]
 |search duration>86399 NetworkConnectionCount<5
MAC: Process tree that contains both sh and launchctl
event_platform=Mac aid=<aid> event_simpleName=ProcessRollup2 (sh OR launchctl)
 |transaction aid,ProcessGroupId_decimal
 |search sh launchctl
MAC: Process trees with lots of shells
event_platform=Mac event_simpleName=ProcessRollup2 (CommandLine=sh* OR CommandLine=/bin/sh* OR CommandLine=/bin/bash) 
 |stats values(CommandLine) as Commands,count by aid,ProcessGroupId_decimal
 |regex CommandLine!=""(forticlient|daily|gstm|pid,pcpu,rss,comm|cups|audit_warn)""
 |search count>20
MAC: Unusual number of recon commands for the environment for 1 host
event_platform=Mac event_simpleName=ProcessRollup2 aid=<aid> (networksetup OR who OR whoami OR sysctl)
 |eval JoinId=ParentProcessId_decimal
 |rename CommandLine as ChildCommandLine
 |join type=outer aid,JoinId
 [search event_platform=Mac aid=<aid> event_simpleName=ProcessRollup2
 |eval JoinId=TargetProcessId_decimal
 |rename CommandLine as ParentCommandLine]
 |search NOT ChildCommandLine=<redacted>
 |search NOT ParentCommandLine=<redacted>
 |stats values(ChildCommandLine) as Commands, count by aid
 |search count>1
MAC: Rare processes associated with security_authtrampoline
event_platform=Mac event_simpleName=*ProcessRollup2
 [search event_platform=Mac event_simpleName=*ProcessRollup2 security_authtrampoline
 |fields ProcessGroupId_decimal]
 |dedup aid, SHA256HashData
 |eval CommandLine=substr(CommandLine,1,100)
 |stats values(CommandLine) as Commands, dc(aid) as AuthtrampolineCount by SHA256HashData
 |eventstats sum(AuthtrampolineCount) as AuthtrampolineTotal
 |eval AuthTrampolinePerc=round((AuthtrampolineCount/AuthtrampolineTotal)*100,7)
 |join type=outer SHA256HashData
 [search event_platform=Mac event_simpleName=*ProcessRollup2
 |rare SHA256HashData limit=10000 by aid
 |stats dc(aid) as RareGPopCount by SHA256HashData
 |eventstats sum(RareGPopCount) as RareGPopTotal
 |eval RareGPopPerc=round((RareGPopCount/RareGPopTotal)*100,7) ]
 |join type=outer SHA256HashData
 [search event_platform=Mac event_simpleName=*ProcessRollup2
 |top SHA256HashData limit=10000 by aid
 |stats dc(aid) as CommonGPopCount by SHA256HashData
 |eventstats sum(CommonGPopCount) as CommonGPopTotal
 |eval CommonGPopPerc=round((CommonGPopCount/CommonGPopTotal)*100,7)]
 |fillnull value=0 CommonGPopCount
 |fillnull value=0 RareGPopCount
MAC: Rare processes associated with security_authtrampoline events query
event_platform=Mac event_simpleName=*ProcessRollup2
 [search event_platform=Mac event_simpleName=*ProcessRollup2 security_authtrampoline
 |fields ProcessGroupId_decimal]
 |dedup aid, SHA256HashData
 |eval CommandLine=substr(CommandLine,1,100)
 |stats values(CommandLine) as Commands, dc(aid) as AuthtrampolineCount by SHA256HashData
 |search AuthtrampolineCount=1
 |join type=outer SHA256HashData
 [search event_platform=Mac event_simpleName=*ProcessRollup2
 |rare SHA256HashData limit=10000 by aid
 |stats dc(aid) as RareGPopCount by SHA256HashData]
 |join type=outer SHA256HashData
 [search event_platform=Mac event_simpleName=*ProcessRollup2
 |top SHA256HashData limit=10000 by aid
 |stats dc(aid) as CommonGPopCount by SHA256HashData]
 |fillnull value=0 CommonGPopCount
 |fillnull value=0 RareGPopCount
 |search CommonGPopCount<2 RareGPopCount<2
 |eval Auth_Common_Rare=AuthtrampolineCount."","".CommonGPopCount."","".RareGPopCount
 |fields SHA256HashData, Commands, Auth_Common_Rare
 |search NOT <redacted> NOT <redacted>
MAC: Rare processes associated with security_authtrampoline — why isn't the first query enough?
event_platform=Mac event_simpleName=*ProcessRollup2
 [search event_platform=Mac event_simpleName=*ProcessRollup2 security_authtrampoline
 |fields ProcessGroupId_decimal]
 |dedup aid, SHA256HashData
 |eval CommandLine=substr(CommandLine,1,100)
 |stats values(CommandLine) as Commands, dc(aid) as AuthtrampolineCount by SHA256HashData
 |search AuthtrampolineCount=1
 |join type=outer SHA256HashData
 [search event_platform=Mac event_simpleName=*ProcessRollup2
 |rare SHA256HashData limit=10000 by aid
 |stats dc(aid) as RareGPopCount by SHA256HashData]
 |join type=outer SHA256HashData
 [search event_platform=Mac event_simpleName=*ProcessRollup2
 |top SHA256HashData limit=10000 by aid
 |stats dc(aid) as CommonGPopCount by SHA256HashData]
 |fillnull value=0 CommonGPopCount
 |fillnull value=0 RareGPopCount
 |search CommonGPopCount<2 RareGPopCount<2
 |eval Auth_Common_Rare=AuthtrampolineCount."","".CommonGPopCount."","".RareGPopCount
 |fields SHA256HashData, Commands, Auth_Common_Rare
 |search NOT <redacted> NOT <redacted>
MAC: Rare self-deleting processes
event_platform=Mac event_simpleName=ProcessSelfDeleted
 |map search=""search event_simpleName=*ProcessRollup2 aid=$aid$
 TargetProcessId_decimal=$ContextProcessId_decimal$""
 |dedup aid,SHA256HashData
 |eval CommandLine=substr(CommandLine,1,50)
 |stats values(CommandLine) as Commands, dc(aid) as UniqueAgentCount by SHA256HashData
 |join type=outer SHA256HashData
 [search event_platform=Mac event_simpleName=*ProcessRollup2
 |top SHA256HashData limit=10000 by aid
 |stats dc(aid) as CommonGPopCount by SHA256HashData]
 |join type=outer SHA256HashData
 [search event_platform=Mac event_simpleName=*ProcessRollup2
 |rare SHA256HashData limit=10000 by aid
 |stats dc(aid) as RareGPopCount by SHA256HashData]
 |fillnull value=0 CommonGPopCount
 |fillnull value=0 RareGPopCount
 |search UniqueAgentCount=1 CommonGPopCount<2 RareGPopCount<2
MAC: Was a process orphaned?
aid=<aid> <process_id> event_simpleName=ProcessRollup2
 |eval JoinId=ParentProcessId_decimal
 |rename CommandLine as ChildCommandLine
 |join type=outer JoinId
 [search aid=<aid> event_simpleName=ProcessRollup2
 |eval JoinId=TargetProcessId_decimal
 |rename CommandLine as ParentCommandLine]
 |eval ParentCommandLine=coalesce(ParentCommandLine,""IamAnOrphan"")
MAC: Find orphaned processes for 1 host v1
event_platform=Mac aid=<aid> event_simpleName=ProcessRollup2 NOT CommandLine=""/System/*"" NOT CommandLine=""/Library/*"" NOT CommandLine=""/usr/libexec/*"" NOT CommandLine=xpcproxy* NOT CommandLine=""/Applications/Utilities/*"" NOT CommandLine=""make*"" NOT CommandLine=ipconfig* NOT CommandLine=""/Applications/*"" NOT ""/Users/*/Library/Application Support/*"" NOT CommandLine=<bunch_of_internal_stuff> 
 
 // LONG RUNNING SYSTEM PROCESSES NEED TO BE FILTERED OUT//
 
 |eval JoinId=ParentProcessId_decimal
 |rename CommandLine as ChildCommandLine
 |join type=outer aid,TargetProcessId_decimal [search event_platform=Mac aid=<aid> event_simpleName=EndOfProcess 
 |rename _time as EndTime 
 |fields aid,TargetProcessId_decimal, EndTime] 
 
 //USE EndOfProcess RECORDS TO CALCULATE END TIME IF IT EXISTS//
 
 |eval duration=if(isnull(EndTime),now()-_time,EndTime-_time)
 |join type=outer JoinId,aid [search event_platform=Mac aid=<aid> event_simpleName=ProcessRollup2 
 |eval JoinId=TargetProcessId_decimal 
 |rename CommandLine as ParentCommandLine 
 |fields JoinId, ParentCommandLine]
 
 // FIND PARENT PROCESS RECORD IF IT EXISTS //
 
 |eval ParentCommandLine=coalesce(ParentCommandLine,""IamAnOrphan"")
 |search ParentCommandLine=""IamAnOrphan""
 |eval ChildCommandLine=substr(ChildCommandLine,1,50)
 |stats values(ChildCommandLine) as Commands, max(duration) as duration, dc(aid) as AgentsWithHash by SHA256HashData
 |search AgentsWithHash=1
 |join type=outer SHA256HashData [search event_platform=Mac event_simpleName=VT 
 |stats sum(detectionCount) as VTCount by sha256 
 |rename sha256 as SHA256HashData]
 
 //FIND ANY VIRUSTOTAL HITS - NOT USED FOR FILTERING YET //
 
 |join type=outer SHA256HashData [search event_platform=Mac event_simpleName=ProcessRollup2 
 |top SHA256HashData limit=10000 by aid 
 |stats dc(aid) as CommonGPopCount by SHA256HashData]
 
 //FIND 10,000 MOST COMMON PROCESSES OVER ALL MACHINES//
 
 |join type=outer SHA256HashData [search event_platform=Mac event_simpleName=ProcessRollup2 
 |rare SHA256HashData limit=10000 by aid
 |stats dc(aid) as RareGPopCount by SHA256HashData] 
 
 //FIND 10,000 LEAST COMMON PROCESSES OVER ALL MACHINES//
 
 
 |fillnull value=0 CommonGPopCount 
 |fillnull value=0 RareGPopCount
 |fillnull value=0 VTCount 
 |search CommonGPopCount <2 RareGPopCount < 2 
 
 // FILTER OUT ANY HASHES THAT EXIST ON MORE THAN ONE MACHINE //
RDP inbound Splunk
event_simpleName=NetworkConnect* (LocalPort_decimal=3389 OR LocalPort_decimal=5900) (RemoteAddressIP4!=192.168.0.0/16 AND RemoteAddressIP4!=10.0.0.0/8 AND RemoteAddressIP4!=172.16.0.0/12 AND RemoteAddressIP4!=127.0.0.0/8)
 |rename aip as EXT_DEST_IP , LocalPort_decimal as EXT_DEST_PORT , LocalAddressIP4 as DEST_NAT_IP,RemotePort_decimal as DEST_NAT_PORT, RemoteAddressIP4 as SRC_EXT_IP
 |table EXT_DEST_IP EXT_DEST_PORT DEST_NAT_IP DEST_NAT_PORT SRC_EXT_IP ComputerName
enc powershell advanced
event_simpleName=""ProcessRollup2"" CommandLine=""*powershell*"" 
 | regex CommandLine!=""(?i)\b_SPAMMYSTTRING2>*|\b_SPAMMYSTTRINGHERE.*"" 
 | regex CommandLine=""(([A-Z|a-z|0-9]{200}))"" 
 |fields CommandLine ComputerName
DST_DNS>Process
event_simpleName=""DnsRequest"" DomainName=""vinnerpostwnet.ru"" OR DomainName=""vandmeds.ru"" 
 |dedup ContextProcessId_decimal DomainName
 |rename ContextProcessId_decimal as TargetProcessId_decimal 
 |map maxsearches=99999 search=""search event_simpleName=""ProcessRollup2"" TargetProcessId_decimal=$TargetProcessId_decimal$"" 
 |rex field=CommandLine ""(?<CommandLine>[^\\\\]+)$""
 |stats count by ComputerName UserName ImageFileName CommandLine
Dump what you have access to (indexes, lookup tables, and the size of each index)
|eventcount summarize=false index=* report_size=true |eval MB=(size_bytes/1024)/1024 |stats sum(MB) by index
 |sort -sum(MB) 
 |append [ rest/servicesNS/-/-/data/lookup-table-files |table title eai:appName]
 |append [ tstats values(sourcetype) where index=* by index ]
Process tree view (Process Explorer) link by ContextProcessId_decimal
https://falcon.crowdstrike.com/investigate/process-explorer/aid/ContextProcessId_decimal
CS: MAC > Apple — dump all Apple, Inc. MAC addresses with non-192.168.* IP addresses, split by IP address
| inputlookup managedassets.csv 
| eval ""Last Seen (UTC)""=strftime(_time, ""%m/%d/%y %I:%M%p"")
| sort 0 -""Last Seen (UTC)""    | lookup oui.csv MACPrefix OUTPUT Manufacturer 
    | fillnull value=NA Manufacturer | eval Manufacturer=if(Manufacturer=""NA"",InterfaceDescription,Manufacturer) 

| join aid  
    [| inputlookup aid_master where cid=*
    | eval ""Last Seen (UTC)""=strftime(_time, ""%m/%d/%y %I:%M%p"")
    | sort 0 -""Last Seen (UTC)""    | lookup oui.csv MACPrefix OUTPUT Manufacturer 
    | fillnull value=NA Manufacturer | eval Manufacturer=if(Manufacturer=""NA"",InterfaceDescription,Manufacturer) 
    | dedup aid]

  | append 
    [| inputlookup append=t unmanaged_high.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none
    | rename ComputerName AS ""Last Discovered By""
| append 
    [ inputlookup append=t unmanaged_med.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none
    | rename ComputerName AS ""Last Discovered By""]
| append 
    [| inputlookup append=t unmanaged_low.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none
    | rename ComputerName AS ""Last Discovered By""]
    | append
    [| inputlookup notsupported.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none
    | rename ComputerName AS ""Last Discovered By""
    ]
    | eval ""Last Seen (UTC)""=strftime(_time, ""%m/%d/%y %I:%M%p"")
    | fillnull value=null aid
    | eval LocalAddressIP4=mvsort(mvdedup(split(LocalAddressIP4,"" ""))) 
    | eval discoverer_aid=mvsort(mvdedup(split(discoverer_aid,"" ""))) 
    | eval aip=mvsort(mvdedup(split(aip,"" ""))) 
    | sort 0 -""Last Seen (UTC)""
    | lookup oui.csv MACPrefix OUTPUT Manufacturer, ManufacturerAddress 
    | fillnull value=NA Manufacturer | eval Manufacturer=if(Manufacturer=""NA"",InterfaceDescription,Manufacturer)
  ] 
  
 
| table aid,ComputerName,""Last Discovered By"",LastDiscoveredBy,confidence,NeighborName,CurrentLocalIP,LocalAddressIP4,InterfaceDescription,aip,GatewayIP,MAC,Manufacturer,MACPrefix,""Last Seen (UTC)"",City,Country,MachineDomain,OU,SystemManufacturer,SystemProductName,Version,event_platform

| search ""CurrentLocalIP""!=""192.168*"" OR ""LocalAddressIP4""!=""192.168.*"" Manufacturer=""Apple, Inc.""

| dedup MAC


| rex field=""CurrentLocalIP"" ""(?<ClassC>\d+\.\d+\.\d+\.)(?<OCT4>\d+)""
| stats count  dc(MAC)  dc(""OCT4"") by ClassC 
| sort -count
| addcoltotals label=Total labelfield=MAC
TreeId_decimal process-tree search (a deeper search for when there are too many hits for a normal DomainName/FileName search). It requires an event time (earliest), an aid, and the TreeId_decimal (the last number in the URL bar of an alert's tree view). It is tricky with long-lived processes such as explorer.exe or excel.exe that have been running for hours or even days; I had to add 3 hours to pick up an alert's CommandLine and domain.
aid=XXXXXXXXXXXXXXXXXXXXXXXXXXXX TreeId_decimal=30064919953
 | regex DomainName!=""(?i)adobe.com|google.com|outlook.com|microsoft.com|live\.com|skype\.com|footprintdns\.com|microsoftonline\.com|office365\.com|office\.net|digicert.com|office\.com|windows\.com|lync\.com|apple\.com|windows\.net|icloud\.net|goody\.com"" 
 
 | fillnull value=""NULL""
 
 | rename ContextProcessId_decimal as TargetProcessId_decimal 
 | join TargetProcessId_decimal 
 
 [search aid=XXXXXXXXXXXXXXXXXXXXXXXXXXXX event_simpleName=""ProcessRollup2"" earliest=-1@d ] 
 
 | rex field=CommandLine ""(?<CommandLine>[^\\\\]+)$""
 | stats values(FileName) values(CommandLine) values(DomainName) count by SHA256HashData
Search a single 24-hour window starting N days ago: -3d gives the 24 hours beginning 3 days ago. Good for checking day by day (-1 through -7 covers a week).
[ search earliest=-1d@d
  | addinfo 
  | head 1 
  | eval earliest=info_min_time
  | eval latest=info_min_time+86400
  | fields earliest,latest 
  | format ""("" ""("" """" "")"" ""OR"" "")"" ]
Filter out values with a regex — good for != string1|string2 exclusions
| regex FileName!="(?i)chrome.exe|iexplore.exe|MicrosoftEdgeCP.exe|firefox.exe
Searching in Bash (via the Splunk REST API; note that the username and password are passed on the curl command line)
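# Obtain a Splunk session key and run a search through the REST API from bash.
# The credentials are prompted for and the password is fed to curl on stdin, so
# neither ends up in shell history or in `ps` output. -k disables TLS certificate
# verification (kept for self-signed instances); drop it once the server
# certificate is trusted.
SPLUNK_HOST="https://YOUR_SPLUNK_SERVER:8089"
read -rp "Splunk username: " SPLUNK_USER
read -rsp "Splunk password: " SPLUNK_PASS; echo
key=$(printf '%s' "$SPLUNK_PASS" \
      | curl -ks "$SPLUNK_HOST/services/auth/login" \
          --data-urlencode "username=$SPLUNK_USER" \
          --data-urlencode "password@-" \
      | sed -n 's/.*<sessionKey>\(.*\)<\/sessionKey>.*/\1/p' | tr -d ' ')
unset SPLUNK_PASS
export key

# Export the results of a search as CSV; -m 999 gives up after 999 seconds.
curl -m 999 -s -k -H "Authorization: Splunk $key" \
  "$SPLUNK_HOST/servicesNS/admin/search/search/jobs/export?output_mode=csv" \
  --data-urlencode search='search index=*
 |head 100
 |stats count earliest(_time) as earliest by username sourcetype 
 | eval earliest=strftime(earliest,"%m/%d/%y %H:%M:%S")
 | eval username=lower(username)
 | stats count by username sourcetype earliest
 | dedup username
 '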
Create data for Splunk search testing
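 ```Test data: 100 rows with a two-way categorical field (poll) and a random number in 9999..10998```
 | makeresults count=100 | eval poll=if((random()%5) == 1, "String1", "String2") |eval number=random() % 1000 + 9999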
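 ```Test data: turn an epoch value given in nanoseconds into a readable date (divide by 1e9 to get seconds for strftime)```
 | makeresults | eval number=1574658133587347700
 | eval date=strftime(round(number/1000000000,2), "%F %T")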
Expand IP addresses and count class C addresses
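```Split the dotted IPv4 in DNS Client into its four octets and count, per second octet, how many distinct third octets (class C networks) were seen. Dots are escaped so each octet boundary must be a literal dot.```
| rex field="DNS Client" "(?<o1>\d+)\.(?<o2>\d+)\.(?<o3>\d+)\.(?<o4>\d+)"
  |stats count values(o3) by o2
  |sort -count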
Find bad or slow searches and optimize them
```Append a totals row to the current results; the word Total is written into the MAC column as the row label```
|addcoltotals label=Total labelfield=MAC
Get all Asset info
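 ```Asset inventory: managed assets (managedassets.csv) enriched from aid_master, then unmanaged (high/med/low confidence) and unsupported discoveries appended, then the AWS EC2/IAM lookups. oui.csv turns the MAC prefix into a Manufacturer, falling back to InterfaceDescription when unknown. Every subsearch starts with a pipe because inputlookup is a generating command.```
 | inputlookup managedassets.csv 
 | eval "Last Seen (UTC)"=strftime(_time, "%m/%d/%y %I:%M%p")
 | sort 0 -"Last Seen (UTC)" | lookup oui.csv MACPrefix OUTPUT Manufacturer 
  | fillnull value=NA Manufacturer | eval Manufacturer=if(Manufacturer="NA",InterfaceDescription,Manufacturer) 
 
 | join aid 
  [| inputlookup aid_master where cid=*
  | eval "Last Seen (UTC)"=strftime(_time, "%m/%d/%y %I:%M%p")
  | sort 0 -"Last Seen (UTC)" | lookup oui.csv MACPrefix OUTPUT Manufacturer 
  | fillnull value=NA Manufacturer | eval Manufacturer=if(Manufacturer="NA",InterfaceDescription,Manufacturer) 
  | dedup aid]
 
  | append 
  [| inputlookup append=t unmanaged_high.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none
  | rename ComputerName AS "Last Discovered By"
 | append 
  [| inputlookup append=t unmanaged_med.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none
  | rename ComputerName AS "Last Discovered By"]
 | append 
  [| inputlookup append=t unmanaged_low.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none
  | rename ComputerName AS "Last Discovered By"]
  | append
  [| inputlookup notsupported.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none
  | rename ComputerName AS "Last Discovered By"
  ]
  | eval "Last Seen (UTC)"=strftime(_time, "%m/%d/%y %I:%M%p")
  | fillnull value=null aid
  ```discovered rows carry space-separated lists; split, dedup and sort them into multivalue fields```
  | eval LocalAddressIP4=mvsort(mvdedup(split(LocalAddressIP4," "))) 
  | eval discoverer_aid=mvsort(mvdedup(split(discoverer_aid," "))) 
  | eval aip=mvsort(mvdedup(split(aip," "))) 
  | sort 0 -"Last Seen (UTC)"
  | lookup oui.csv MACPrefix OUTPUT Manufacturer, ManufacturerAddress 
  | fillnull value=NA Manufacturer | eval Manufacturer=if(Manufacturer="NA",InterfaceDescription,Manufacturer)
  ] 
  
  
 | table aid,ComputerName,"Last Discovered By",LastDiscoveredBy,confidence,NeighborName,CurrentLocalIP,LocalAddressIP4,InterfaceDescription,aip,GatewayIP,MAC,Manufacturer,MACPrefix,"Last Seen (UTC)",City,Country,MachineDomain,OU,SystemManufacturer,SystemProductName,Version,event_platform
 
 | append 
  [|inputlookup aws_ec2_images.csv]
 | append 
  [|inputlookup aws_ec2_instances.csv]
 | append 
  [|inputlookup aws_ec2_mac_ip_lookup.csv]
 | append 
  [|inputlookup aws_ec2_networkacl_entries.csv]
 | append 
  [|inputlookup aws_ec2_networkacls.csv]
 | append 
  [|inputlookup aws_ec2_networkinterface_privateips.csv]
 | append 
  [|inputlookup aws_ec2_networkinterfaces.csv]
 | append 
  [|inputlookup aws_ec2_securitygroup_rules.csv]
 | append 
  [|inputlookup aws_ec2_securitygroups.csv]
 | append 
  [|inputlookup aws_ec2_subnets.csv]
 | append 
  [|inputlookup aws_ec2_volumes.csv]
 | append 
  [|inputlookup aws_ec2_vpcs.csv]
 | append 
  [|inputlookup aws_iam_account_aliases.csv]
 
 ```XXXXX is a placeholder; replace with the IP or range to exclude```
 | search "CurrentLocalIP"!="XXXXX" OR "LocalAddressIP4"!="XXXXX"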
Hunting Urls
https://github.com/mvelazc0/Oriana/wiki/Hunting-Analytics
Get count of Cisco AnyConnect VPN IPs
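```Count AnyConnect VPN interfaces per City/Country: same managed + unmanaged asset merge as the inventory search, restricted to adapters whose InterfaceDescription mentions AnyConnect, with the /24 prefix (Net) of each LocalAddressIP4 collected. Every subsearch starts with a pipe because inputlookup is a generating command.```
| inputlookup managedassets.csv 
| eval "Last Seen (UTC)"=strftime(_time, "%m/%d/%y %I:%M%p")
| sort 0 -"Last Seen (UTC)"    | lookup oui.csv MACPrefix OUTPUT Manufacturer 
    | fillnull value=NA Manufacturer | eval Manufacturer=if(Manufacturer="NA",InterfaceDescription,Manufacturer) 

| join aid  
    [| inputlookup aid_master where cid=*
    | eval "Last Seen (UTC)"=strftime(_time, "%m/%d/%y %I:%M%p")
    | sort 0 -"Last Seen (UTC)"    | lookup oui.csv MACPrefix OUTPUT Manufacturer 
    | fillnull value=NA Manufacturer | eval Manufacturer=if(Manufacturer="NA",InterfaceDescription,Manufacturer) 
    | dedup aid]

  | append 
    [| inputlookup append=t unmanaged_high.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none
    | rename ComputerName AS "Last Discovered By"
| append 
    [| inputlookup append=t unmanaged_med.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none
    | rename ComputerName AS "Last Discovered By"]
| append 
    [| inputlookup append=t unmanaged_low.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none
    | rename ComputerName AS "Last Discovered By"]
    | append
    [| inputlookup notsupported.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none
    | rename ComputerName AS "Last Discovered By"
    ]
    | eval "Last Seen (UTC)"=strftime(_time, "%m/%d/%y %I:%M%p")
    | fillnull value=null aid
    | eval LocalAddressIP4=mvsort(mvdedup(split(LocalAddressIP4," "))) 
    | eval discoverer_aid=mvsort(mvdedup(split(discoverer_aid," "))) 
    | eval aip=mvsort(mvdedup(split(aip," "))) 
    | sort 0 -"Last Seen (UTC)"
    | lookup oui.csv MACPrefix OUTPUT Manufacturer, ManufacturerAddress 
    | fillnull value=NA Manufacturer | eval Manufacturer=if(Manufacturer="NA",InterfaceDescription,Manufacturer)
  ] 
  
 
| table aid,ComputerName,"Last Discovered By",LastDiscoveredBy,confidence,NeighborName,CurrentLocalIP,LocalAddressIP4,InterfaceDescription,aip,GatewayIP,MAC,Manufacturer,MACPrefix,"Last Seen (UTC)",City,Country,MachineDomain,OU,SystemManufacturer,SystemProductName,Version,event_platform
```the AnyConnect filter is applied once; the second copy that used to follow the rex was redundant```
| search InterfaceDescription="*AnyConnect*"
| rex field="LocalAddressIP4" "(?<Net>\d+\.\d+\.\d+\.)(?<Host>\d+)"

| stats  values(Net) count by Country City 
| sort 0 -count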
Extract usernames from Windows and *nix FilePath and CommandLine for a given aid or ComputerName
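```Pull the account name out of the first path element after Users in FilePath or CommandLine for one host (COMPUTERNAME is a placeholder). Parentheses make the OR grouping explicit.```
event_simpleName="ProcessRollup2" ComputerName=COMPUTERNAME (FilePath="*Users*" OR CommandLine="*Users*")
  | rex field=FilePath mode=sed "s/.*\bUsers\b.(\w+)(\b.*)/\1/g"
  | rex field=CommandLine mode=sed "s/.*\bUsers\b.(\w+)(\b.*)/\1/g"
  ```values that still contain a word boundary were not reduced to a bare name; drop them```
  | regex CommandLine!="(?i).\b." 
  | regex FilePath!="(?i).\b." 
 
  ```fold both sources into UserName. NOTE(review): rename appears to overwrite an existing CommandLine with the FilePath value, so the FilePath-derived name wins when both exist - confirm```
  | rename FilePath AS CommandLine
 | rename CommandLine AS UserName
 | dedup UserName
 | table UserName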
Search for running remote access servers
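```Hosts running known remote-access/remote-control services, enriched with asset info from aid_master and a recent domain-user logon, so unmanaged remote access tools can be reviewed per host. The file name list is matched case-insensitively; ultravnc.exe was previously misspelled and never matched.```
event_simpleName="ProcessRollup2"  (FileName="r_server.exe"  
OR FileName="remotelyanywhere.exe"
OR FileName="raabout.exe"
OR FileName="DNTUS26.exe"
OR FileName="DWRCST.EXE"
OR FileName="awhost32.exe"
OR FileName="AWHOST32.EXE"
OR FileName="TeamViewer_Service.exe"
OR FileName="RACWinVNC.exe"
OR FileName="tvnserver.exe"
OR FileName="ultravnc.exe"
OR FileName="winvnc.exe"
OR FileName="VNCHooks.dll"
OR FileName="LogMeIn.exe"
OR FileName="winvnc4.exe"
OR FileName="g2svc.exe"
OR FileName="vncserver.exe")
|eval FileName=lower(FileName)
 ```tag the less obvious binaries with their product name for the report```
 | rex field=FileName mode=sed "s/awhost32.exe/awhost32.exe Symantec PCAnywhere/g"
 | rex field=FileName mode=sed "s/tvnserver.exe/tvnserver.exe TightVNC Server/g"
 | rex field=FileName mode=sed "s/dwrcst.exe/dwrcst.exe Dameware NT Utilities/g"
 | rex field=FileName mode=sed "s/dntus26.exe/dntus26.exe Dameware NT Utilities/g"
| join type=left aid  
    [| inputlookup aid_master where cid=*
    | dedup aid
    | fields aid City Country  OU SystemProductName ]

```NOTE(review): join keeps the first subsearch match per UserName - presumably the most recent logon; the excluded service accounts are estate-specific```
| join type=left UserName
    [search event_simpleName IN ("UserLogon*")  UserPrincipal!="svcSCOM.SvcNow@newellco.com" UserPrincipal=*.*@*.com UserPrincipal!=*.$*.com  UserName!=svcSCCM.ClientPush        UserName!=SYSTEM earliest=-2d@d]
| rename UserPrincipal to UserName
| stats count values(FileName)  values(UserName)  values(City) values(Country) values(OU) values(SystemProductName) by ComputerName
| sort -count 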
Find Chrome Remote Desktop Hits Via DNS
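```Chrome Remote Desktop activity seen through DNS lookups, attributed per host to a domain user logon. NOTE(review): join keeps the first subsearch match per ComputerName - presumably the most recent logon; confirm before relying on the attribution```
event_simpleName=DnsRequest (DomainName="remotedesktop.google.com" OR DomainName="remotedesktop-pa.googleapis.com") 
| join type=left ComputerName
    [search event_simpleName IN ("UserLogon*")   UserPrincipal=*.*@*.com UserPrincipal!=*.$*.com   earliest=-1d@d]

| stats sparkline count by ComputerName UserPrincipal
| sort -count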
Count of local admin users logins
```Logons in the last day by local accounts (LogonDomain equals the host name) that hold admin rights; only S-1-5-21-* SIDs are considered, i.e. real user or machine accounts rather than built-in ones, and only accounts with more than 5 logons are listed```
event_simpleName=UserLogon UserIsAdmin_decimal=1 UserSid_readable=S-1-5-21-* earliest=-1d@d
 | where ComputerName==LogonDomain
 | convert ctime(LogonTime_decimal) AS logonTime ctime(PasswordLastSet_decimal) AS lastPwdReset
 | stats sparkline count values(ComputerName) by UserName
 | sort -count
 | search count>5
Create base64 lookup / macro to encode / decode base64
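```Build converstionmatrix.csv: one row per byte value 0..255 with its 8-bit pattern (bin), decimal (dec), ascii and hex, and for 0..63 the base64 symbol (base64char) with its 6-bit code (base64bin); a final row maps the = padding symbol to 000000. Every subsearch starts with a pipe because makeresults is a generating command.```
| makeresults 
 | fields - _time 
 | eval bin="0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111" 
 | makemv delim=" " bin 
 | mvexpand bin 
 ```map runs once per nibble and prefixes it to all 16 nibbles, giving the 256 byte patterns```
 | map 
  [| makeresults 
  | fields - _time 
  | eval bin="$bin$0000 $bin$0001 $bin$0010 $bin$0011 $bin$0100 $bin$0101 $bin$0110 $bin$0111 $bin$1000 $bin$1001 $bin$1010 $bin$1011 $bin$1100 $bin$1101 $bin$1110 $bin$1111" 
  | makemv delim=" " bin 
  | mvexpand bin ] maxsearches=16 
 | mvcombine bin 
 | eval dec=mvrange(0,256) 
 | eval data=mvzip(bin,dec) 
 | fields - bin,dec 
 | mvexpand data 
 | rex field=data "(?<bin>\d+),(?<dec>\d+)" 
 | fields - data 
 | eval ascii=printf("%c",dec), hex=printf("%02X",dec) 
 | join type=outer dec 
  [| makeresults 
  | fields - _time 
  | eval base64="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" 
  | rex field=base64 mode=sed "s/./& /g" 
  | makemv delim=" " base64 
  | eval dec=mvrange(0,64) 
  | eval data=mvzip(base64,dec) 
  | fields - base64,dec 
  | mvexpand data 
  | rex field=data "(?<base64char>[^,]+),(?<dec>[^,]+)" 
  | fields - data ] 
 ```the 6-bit code is the low six bits of the byte pattern```
 | eval base64bin=if(isnotnull(base64char),substr(bin,3,6),NULL()) 
 | append 
  [| makeresults 
  | eval base64bin="000000" 
  | eval base64char="=" 
  | fields - _time ] 
 | outputlookup converstionmatrix.csv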
 -----------------------------------------------------------------------
 Create macro base64dec(1) to decode base64: arg1 is the field to decode
 -----------------------------------------------------------------------
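  ```base64dec(1): decode the field named by arg1 into arg1_ascii using converstionmatrix.csv. Trailing = padding is trimmed first so it does not decode into spurious NUL bytes at the end of the output.```
  eval b64x_split=split(rtrim($arg1$,"="),"") 
 | lookup converstionmatrix.csv base64char as b64x_split OUTPUT base64bin as b64x_bin 
 | eval b64x_join=mvjoin(b64x_bin,"") 
 ```regroup the 6-bit symbols into bytes; leftover bits (fewer than 8) are padding and are dropped```
 | rex field=b64x_join "(?<b64x_by8>.{8})" max_match=0 
 | lookup converstionmatrix.csv bin as b64x_by8 output ascii as b64x_out 
 | eval $arg1$_ascii=mvjoin(b64x_out,"")
 | fields - b64x_*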
 -----------------------------------------------------------------------
 Create macro base64enc(1) to encode base64: arg1 is the field to encode
 -----------------------------------------------------------------------
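 ```base64enc(1): encode the field named by arg1 into arg1_base64 using converstionmatrix.csv```
 eval b64x_split=split($arg1$,"") 
 | lookup converstionmatrix.csv ascii as b64x_split output bin as b64x_bin 
 ```zero-pad the bit string up to the next multiple of 6 so the final partial symbol is kept; appending a fixed 000000 left the length mod 6 unchanged and silently lost it```
 | eval b64x_join=mvjoin(b64x_bin,""), b64x_pad=(6-len(b64x_join)%6)%6, b64x_join=if(b64x_pad>0, b64x_join.substr("00000",1,b64x_pad), b64x_join) 
 | rex field=b64x_join "(?<b64x_by6>.{6})" max_match=0 
 | lookup converstionmatrix.csv base64bin as b64x_by6 output base64char as b64x_out
 ```= padding brings the output to a multiple of 4 characters, as decoders expect```
 | eval $arg1$_base64=mvjoin(b64x_out,""), b64x_eq=(4-len($arg1$_base64)%4)%4, $arg1$_base64=if(b64x_eq>0, $arg1$_base64.substr("==",1,b64x_eq), $arg1$_base64)
 | fields - b64x_*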
 -----------------------------------------------------------------------
 Usage:
 -----------------------------------------------------------------------
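 ```Usage: decode two ~ separated base64 strings, and round-trip a plain string through encode then decode```
 | makeresults | eval cs1="MTAxMDEwMTAxCg==~VGhpcyBpcyBhbm90aGVyCg==" | makemv delim=~ cs1 | mvexpand cs1 | `base64dec(cs1)`
 | makeresults | eval cs1="splunk" | `base64enc(cs1)` | `base64dec(cs1_base64)`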
HTA files
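```mshta.exe executions with the launched .hta file name extracted from the command line```
event_simpleName=ProcessRollup2 ImageFileName="*\mshta.exe"
 
 | table ComputerName,UserName,FileName,CommandLine,SHA256HashData
 ```launchers treated as benign on this estate; review the list before reusing elsewhere```
 |regex CommandLine!="(?i)TeamViewer|officejet|deskjet|Assistant|solidworks|ChangeProxySettings" 
 | rex field=CommandLine "\\\\(?<HTA_filename>[^\\\\]*\.hta)"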
City/State of possible wireless hot spot usage (WIP — old; needs more wireless network ranges)
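```Possible hotspot/cellular usage by City/Country: same managed + unmanaged asset merge as the inventory search, kept only where the external IP (aip) falls in one of the listed carrier ranges. Every subsearch starts with a pipe because inputlookup is a generating command; the duplicate 166.216.133.231/32 entry was dropped.```
| inputlookup managedassets.csv 
 | eval "Last Seen (UTC)"=strftime(_time, "%m/%d/%y %I:%M%p")
 | sort 0 -"Last Seen (UTC)" | lookup oui.csv MACPrefix OUTPUT Manufacturer 
  | fillnull value=NA Manufacturer | eval Manufacturer=if(Manufacturer="NA",InterfaceDescription,Manufacturer) 
 
 | join aid 
  [| inputlookup aid_master where cid=*
  | eval "Last Seen (UTC)"=strftime(_time, "%m/%d/%y %I:%M%p")
  | sort 0 -"Last Seen (UTC)" | lookup oui.csv MACPrefix OUTPUT Manufacturer 
  | fillnull value=NA Manufacturer | eval Manufacturer=if(Manufacturer="NA",InterfaceDescription,Manufacturer) 
  | dedup aid]
 
  | append 
  [| inputlookup append=t unmanaged_high.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none
  | rename ComputerName AS "Last Discovered By"
 | append 
  [| inputlookup append=t unmanaged_med.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none
  | rename ComputerName AS "Last Discovered By"]
 | append 
  [| inputlookup append=t unmanaged_low.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none
  | rename ComputerName AS "Last Discovered By"]
  | append
  [| inputlookup notsupported.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none
  | rename ComputerName AS "Last Discovered By"
  ]
  | eval "Last Seen (UTC)"=strftime(_time, "%m/%d/%y %I:%M%p")
  | fillnull value=null aid
  | eval LocalAddressIP4=mvsort(mvdedup(split(LocalAddressIP4," "))) 
  | eval discoverer_aid=mvsort(mvdedup(split(discoverer_aid," "))) 
  | eval aip=mvsort(mvdedup(split(aip," "))) 
  | sort 0 -"Last Seen (UTC)"
  | lookup oui.csv MACPrefix OUTPUT Manufacturer, ManufacturerAddress 
  | fillnull value=NA Manufacturer | eval Manufacturer=if(Manufacturer="NA",InterfaceDescription,Manufacturer)
  ] 
  
  ```carrier ranges; extend this list as more wireless networks are identified```
  | search aip=166.128.0.0/9
  OR aip=174.192.0.0/10
  OR aip=97.128.0.0/9
  OR aip=70.192.0.0/11
  OR aip=69.96.0.0/13
  OR aip=69.82.0.0/15
  OR aip=66.174.0.0/16
  OR aip=72.96.0.0/11
  OR aip=75.192.0.0/10
  OR aip=97.0.0.0/10
  OR aip=107.64.0.0/10
  OR aip=160.170.220.0/22
  OR aip=166.128.0.0/13
  OR aip=166.136.0.0/15
  OR aip=166.138.0.0/16
  OR aip=166.147.104.0/25
  OR aip=166.170.0.0/19
  OR aip=166.170.32.0/20
  OR aip=166.170.48.0/21
  OR aip=166.170.56.0/22
  OR aip=166.171.56.0/22
  OR aip=166.171.120.0/22
  OR aip=166.171.184.0/22
  OR aip=166.171.248.0/22
  OR aip=166.172.56.0/22
  OR aip=166.172.60.0/22
  OR aip=166.172.120.0/22
  OR aip=166.172.184.0/22
  OR aip=166.172.188.0/22
  OR aip=166.173.56.0/22
  OR aip=166.173.60.0/22
  OR aip=166.173.184.0/22
  OR aip=166.173.248.0/22
  OR aip=166.175.56.0/22
  OR aip=166.175.60.0/22
  OR aip=166.175.184.0/22
  OR aip=166.175.188.0/22
  OR aip=166.176.56.0/22
  OR aip=166.176.120.0/22
  OR aip=166.176.184.0/22
  OR aip=166.176.248.0/22
  OR aip=166.177.56.0/22
  OR aip=166.177.120.0/22
  OR aip=166.177.184.0/22
  OR aip=166.177.248.0/22
  OR aip=166.216.133.103/32
  OR aip=166.216.133.208/28
  OR aip=166.216.133.231/32
  OR aip=166.216.133.64/28
  OR aip=166.216.157.0/24
  OR aip=166.216.158.0/24
  OR aip=166.216.159.0/24
  OR aip=166.216.165.0/24
  OR aip=162.160.0.0/11
  OR aip=172.32.0.0/11
  OR aip=208.54.0.0/17
  OR aip=208.54.128.0/19
  OR aip=100.128.0.0/9
  OR aip=50.28.192.0/18
  OR aip=173.96.0.0/11
  OR aip=174.155.64.0/18
  OR aip=24.221.0.0/16
  OR aip=66.87.0.0/16
  OR aip=99.200.0.0/13
  OR aip=70.12.0.0/15
  OR aip=70.8.0.0/14
  OR aip=70.14.0.0/16
  OR aip=70.0.0.0/13
  OR aip=107.32.0.0/11
  OR aip=107.24.0.0/13
  OR aip=108.102.0.0/16
  OR aip=108.96.0.0/11
  OR aip=184.204.0.0/16
  OR aip=68.24.0.0/13
  OR aip=68.240.0.0/13
  OR aip=66.1.0.0/22
  OR aip=72.56.0.0/13
  OR aip=100.48.0.0/12
 | table aid,ComputerName,"Last Discovered By",LastDiscoveredBy,confidence,NeighborName,CurrentLocalIP,LocalAddressIP4,InterfaceDescription,aip,GatewayIP,MAC,Manufacturer,MACPrefix,"Last Seen (UTC)",City,Country,MachineDomain,OU,SystemManufacturer,SystemProductName,Version,event_platform
  
 
 | stats count values(aip) by City Country
 | sort -count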
Take the first 10 hits of a search and look for interesting fields before and after them
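```Take the first 10 hits of a search, then re-query every event on the same host from 30 minutes before to 10 minutes after each hit and show the fields worth eyeballing. Field names with special characters must be single-quoted in eval.```
FileName="*"
| head 10
| eval eTimeBefore=_time-1800
| eval eTimeAfter=_time+600
```NOTE(review): these evals run before map, whose output replaces the input rows, so they probably have no effect on the final table; the fillnull after map is what blanks missing columns```
|eval CommandLine=""
|eval SHA256HashData=""
|eval CommandLine_Short=""
|eval TargetFileName=""
|eval RegObjectName=""
|eval RegValueName=""
|eval 'ExecutablesWritten{}.FilePath'=""
|eval GrandparentCommandLine=""
|eval ParentCommandLine=""
|eval DetectDescription=""
| fillnull value=""

| map search="search ComputerName=$ComputerName$  _time>=$eTimeBefore$ _time<=$eTimeAfter$"

```short form of the command line: last path component, capped at 75 word characters```
| rex field=CommandLine "(?<CommandLine_Short>[^\\\\]+)$"
| rex field=CommandLine_Short "(?P<CommandLine_Short>\w{75}).*"
| fillnull value=""
```noise suppression specific to this estate; review before reusing```
|regex DomainName!="(?i)adobe.com|google.com|newellco.com|outlook.com|microsoft.com|live\.com|skype\.com|footprintdns\.com|microsoftonline\.com|office365\.com|office\.net|digicert.com|office\.com|windows\.com|lync\.com|apple\.com|windows\.net|icloud\.net|goody\.com|facebook\.com|jahglobal\.net|0\.0\.0\.0|rackcdn\.com|yammer\.com|newellrubbermaid.com" 
|regex CommandLine!="(?i)CCM|PSScriptPolicyTest|teams|Search.*Robot|SearchFilterHost"
| table CommandLine SHA256HashData _time CommandLine_Short TargetFileName RegObjectName   RegValueName  ExecutablesWritten{}.FilePath   GrandparentCommandLine  ParentCommandLine  DetectDescription DomainName

| fillnull value=""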
Show me Running Processes with MD5 or SHA256 Hash from all machines
```Processes started in the last 8 hours, one row per distinct SHA256 (first occurrence wins), with image path and command line```
event_simpleName=ProcessRollup2 earliest=-8h
| dedup SHA256HashData
| table ImageFileName, SHA256HashData, CommandLine
Show me Running Processes with MD5 or SHA256 Hash from all machines
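```Processes started in the last 8 hours, counted per SHA256 and image path, most frequent first; sort -count is the documented form (no space after the minus)```
event_simpleName=ProcessRollup2 earliest=-8h | stats count by SHA256HashData ImageFileName | sort -count 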
Show me Running Processes with MD5 or SHA256 Hash from all machines
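```Rare hashes per image path in the last 8 hours (below 10 percent of that image's executions), rarest first. sort takes a field list, so the earlier sort by percent asc did not sort on percent; ascending is the default direction.```
event_simpleName=ProcessRollup2 SHA256HashData!="" earliest=-8h | rare SHA256HashData by ImageFileName | where percent < 10 | sort percent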
Get Injected Processes from all machines
```Thread injections in the last hour, joined to the ProcessRollup2 of the injected process so the table shows which user and command line was injected into. NOTE(review): other queries on this page join on TargetProcessId_decimal; confirm the unsuffixed TargetProcessId exists on both event types or the join returns nothing```
event_simpleName=*InjectedThread* earliest=-1h | rename event_simpleName as inject_eventname | join TargetProcessId, aid [search (event_simpleName="ProcessRollup2" earliest=-1h)] | table _time inject_eventname ComputerName UserName CommandLine
Get Injected Processes from all machines
```Windows processes (last day) that were the source of an InjectedThread event, excluding children of winlogon and explorer; the subsearch feeds the injecting PIDs (ContextProcessId_decimal renamed to SourceProcessId_decimal) into the outer search. NOTE(review): ProcessRollup2 events may not carry SourceProcessId_decimal; if this returns nothing, rename to TargetProcessId_decimal in the subsearch instead```
event_simpleName=ProcessRollup2 event_platform=Win earliest=-1d ParentBaseFileName!=winlogon.exe ParentBaseFileName!=explorer.exe [search event_simpleName=*InjectedThread* earliest=-1d event_platform=Win | rename ContextProcessId_decimal as SourceProcessId_decimal | fields SourceProcessId_decimal] | stats values(ParentBaseFileName), values(ImageFileName), values(CommandLine) by _time, UserName, SourceProcessId_decimal
Show me AutoRun Program Details from all machines
```Autostart (ASEP) key updates in the last 8 hours, joined by PID to the process that made them; RegOperationType_decimal is translated to its operation name for the table```
(event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2) earliest=-8h | rename TargetProcessId_decimal as ContextProcessId_decimal | join ContextProcessId_decimal [search event_simpleName=AsepKeyUpdate earliest=-8h] | eval RegOperationType=case(RegOperationType_decimal=1, "SET_VALUE", RegOperationType_decimal=2, "DELETE", RegOperationType_decimal=3, "CREATE_KEY", RegOperationType_decimal=4, "DELETE_KEY", RegOperationType_decimal=5, "SET_KEY_SECURITY", RegOperationType_decimal=6, "LOAD_KEY", RegOperationType_decimal=7, "RENAME_KEY", RegOperationType_decimal=8, "OPEN_KEY") | table _time ComputerName event_simpleName RegObjectName RegOperationType CommandLine ImageFileName
Show me Running Processes With Parent containing "mutex" from all machines
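```Processes whose file name contains mutex (last 24 hours), grouped under their parent PID. eval compares with = exactly, so the wildcard compares are replaced by match(); the final where keeps only groups that collected a matching FileName and CommandLine (the original tested a field named Parent that was never defined, so it returned nothing)```
event_simpleName=ProcessRollup2 earliest=-24h | eval is_mutex=if(match(FileName,"(?i)mutex"),1,0) | eval TargetProcessId_decimal=if(is_mutex=1, ParentProcessId_decimal, TargetProcessId_decimal) | stats values(eval(if(is_mutex=1, FileName, null()))) as FileName values(eval(if(is_mutex=1, CommandLine, null()))) as CommandLine by aid TargetProcessId_decimal | where isnotnull(FileName) and isnotnull(CommandLine)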
Get Run keys containing ‘VIRUSNAME’ from all machines (e.g. win32.maze.exe)
```Autostart (ASEP) value updates in the last 8 hours whose key name or string value contains VIRUSNAME (a placeholder to replace), joined by PID to the process that wrote them; RegOperationType_decimal is translated to its operation name```
(event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2) earliest=-8h | rename TargetProcessId_decimal as ContextProcessId_decimal | join ContextProcessId_decimal [search event_simpleName=AsepValueUpdate earliest=-8h (RegObjectName=*VIRUSNAME* or RegStringValue=*VIRUSNAME*) ] | eval RegOperationType=case(RegOperationType_decimal=1, "SET_VALUE", RegOperationType_decimal=2, "DELETE", RegOperationType_decimal=3, "CREATE_KEY", RegOperationType_decimal=4, "DELETE_KEY", RegOperationType_decimal=5, "SET_KEY_SECURITY", RegOperationType_decimal=6, "LOAD_KEY", RegOperationType_decimal=7, "RENAME_KEY", RegOperationType_decimal=8, "OPEN_KEY") | table _time ComputerName event_simpleName RegObjectName RegOperationType RegStringValue CommandLine ImageFileName
Show me PSexec Event Consumers from all machines
```Free-text search for psexec anywhere in the last day's events, listed with the process details```
psexec earliest=-24h
| table _time, event_simpleName, ComputerName, UserName, ImageFileName, CommandLine
Show me DLL Load Order Hijacking from all machines
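```Reflective DLL loads in the last 7 days with the call stack modules. The exclusions remove Metasploit/Meterpreter module names (presumably authorised testing noise on this estate); drop them if that is not the case, since they would otherwise hide real tooling. The duplicated metsrv.dll clause was removed.```
(event_simpleName=ReflectiveDllOpenProcess OR event_simpleName=CreateThreadReflectiveDll) earliest=-7d ReflectiveDllName!=metsrv.dll ReflectiveDllName!=server.dll ReflectiveDllName!=metsrv.x64.dll ReflectiveDllName!=metsrv.x86.dll ReflectiveDllName!=ext_server_priv.x86.dll ReflectiveDllName!=ext_server_powershell.x86.dll | table _time ComputerName ReflectiveDllName CallStackModuleNames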
Show me Running Processes with MD5 or SHA256 Hash from all machines
```Processes started in the last 8 hours, one row per distinct SHA256 (first occurrence wins), with image path and command line```
event_simpleName=ProcessRollup2 earliest=-8h
| dedup SHA256HashData
| table ImageFileName, SHA256HashData, CommandLine
Show me Running Processes with MD5 or SHA256 Hash from all machines
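```Processes started in the last 8 hours, counted per SHA256 and image path, most frequent first; sort -count is the documented form (no space after the minus)```
event_simpleName=ProcessRollup2 earliest=-8h | stats count by SHA256HashData ImageFileName | sort -count 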
Show me Running Processes with MD5 or SHA256 Hash from all machines
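```Rare hashes per image path in the last 8 hours (below 10 percent of that image's executions), rarest first. sort takes a field list, so the earlier sort by percent asc did not sort on percent; ascending is the default direction.```
event_simpleName=ProcessRollup2 SHA256HashData!="" earliest=-8h | rare SHA256HashData by ImageFileName | where percent < 10 | sort percent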
Get Injected Processes from all machines
```Thread injections in the last hour, joined to the ProcessRollup2 of the injected process so the table shows which user and command line was injected into. NOTE(review): other queries on this page join on TargetProcessId_decimal; confirm the unsuffixed TargetProcessId exists on both event types or the join returns nothing```
event_simpleName=*InjectedThread* earliest=-1h | rename event_simpleName as inject_eventname | join TargetProcessId, aid [search (event_simpleName="ProcessRollup2" earliest=-1h)] | table _time inject_eventname ComputerName UserName CommandLine
Get Injected Processes from all machines
```Windows processes (last day) that were the source of an InjectedThread event, excluding children of winlogon and explorer; the subsearch feeds the injecting PIDs (ContextProcessId_decimal renamed to SourceProcessId_decimal) into the outer search. NOTE(review): ProcessRollup2 events may not carry SourceProcessId_decimal; if this returns nothing, rename to TargetProcessId_decimal in the subsearch instead```
event_simpleName=ProcessRollup2 event_platform=Win earliest=-1d ParentBaseFileName!=winlogon.exe ParentBaseFileName!=explorer.exe [search event_simpleName=*InjectedThread* earliest=-1d event_platform=Win | rename ContextProcessId_decimal as SourceProcessId_decimal | fields SourceProcessId_decimal] | stats values(ParentBaseFileName), values(ImageFileName), values(CommandLine) by _time, UserName, SourceProcessId_decimal
Show me AutoRun Program Details from all machines
```Autostart (ASEP) key updates in the last 8 hours, joined by PID to the process that made them; RegOperationType_decimal is translated to its operation name for the table```
(event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2) earliest=-8h | rename TargetProcessId_decimal as ContextProcessId_decimal | join ContextProcessId_decimal [search event_simpleName=AsepKeyUpdate earliest=-8h] | eval RegOperationType=case(RegOperationType_decimal=1, "SET_VALUE", RegOperationType_decimal=2, "DELETE", RegOperationType_decimal=3, "CREATE_KEY", RegOperationType_decimal=4, "DELETE_KEY", RegOperationType_decimal=5, "SET_KEY_SECURITY", RegOperationType_decimal=6, "LOAD_KEY", RegOperationType_decimal=7, "RENAME_KEY", RegOperationType_decimal=8, "OPEN_KEY") | table _time ComputerName event_simpleName RegObjectName RegOperationType CommandLine ImageFileName
Show me Running Processes With Parent containing "mutex" from all machines
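```Processes whose file name contains mutex (last 24 hours), grouped under their parent PID. eval compares with = exactly, so the wildcard compares are replaced by match(); the final where keeps only groups that collected a matching FileName and CommandLine (the original tested a field named Parent that was never defined, so it returned nothing)```
event_simpleName=ProcessRollup2 earliest=-24h | eval is_mutex=if(match(FileName,"(?i)mutex"),1,0) | eval TargetProcessId_decimal=if(is_mutex=1, ParentProcessId_decimal, TargetProcessId_decimal) | stats values(eval(if(is_mutex=1, FileName, null()))) as FileName values(eval(if(is_mutex=1, CommandLine, null()))) as CommandLine by aid TargetProcessId_decimal | where isnotnull(FileName) and isnotnull(CommandLine)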
Get Run keys containing ‘VIRUSNAME’ from all machines (e.g. win32.maze.exe)
```Autostart (ASEP) value updates in the last 8 hours whose key name or string value contains VIRUSNAME (a placeholder to replace), joined by PID to the process that wrote them; RegOperationType_decimal is translated to its operation name```
(event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2) earliest=-8h | rename TargetProcessId_decimal as ContextProcessId_decimal | join ContextProcessId_decimal [search event_simpleName=AsepValueUpdate earliest=-8h (RegObjectName=*VIRUSNAME* or RegStringValue=*VIRUSNAME*) ] | eval RegOperationType=case(RegOperationType_decimal=1, "SET_VALUE", RegOperationType_decimal=2, "DELETE", RegOperationType_decimal=3, "CREATE_KEY", RegOperationType_decimal=4, "DELETE_KEY", RegOperationType_decimal=5, "SET_KEY_SECURITY", RegOperationType_decimal=6, "LOAD_KEY", RegOperationType_decimal=7, "RENAME_KEY", RegOperationType_decimal=8, "OPEN_KEY") | table _time ComputerName event_simpleName RegObjectName RegOperationType RegStringValue CommandLine ImageFileName
Show me PSexec Event Consumers from all machines
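```Free-text search for psexec anywhere in the last day's events, listed with the process details. This entry previously repeated the VIRUSNAME run-key query under the PSexec heading; it now matches the PSexec query given earlier on this page.```
psexec earliest=-24h | table _time event_simpleName ComputerName UserName ImageFileName CommandLine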
Show me DLL Load Order Hijacking from all machines
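```Reflective DLL loads in the last 7 days with the call stack modules. The exclusions remove Metasploit/Meterpreter module names (presumably authorised testing noise on this estate); drop them if that is not the case, since they would otherwise hide real tooling. The duplicated metsrv.dll clause was removed.```
(event_simpleName=ReflectiveDllOpenProcess OR event_simpleName=CreateThreadReflectiveDll) earliest=-7d ReflectiveDllName!=metsrv.dll ReflectiveDllName!=server.dll ReflectiveDllName!=metsrv.x64.dll ReflectiveDllName!=metsrv.x86.dll ReflectiveDllName!=ext_server_priv.x86.dll ReflectiveDllName!=ext_server_powershell.x86.dll | table _time ComputerName ReflectiveDllName CallStackModuleNames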
