Falcon Queries
SuspiciousDnsRequest
eventtype=eam (ProcessRollup2 OR SyntheticProcessRollup2) earliest=-1h@h |regex FileName!=""chrome.exe|iexplore.exe|MicrosoftEdgeCP.exe|firefox.exe"" |regex DomainName!=""csync.loopme.me""
|rex field=CommandLine ""(?[^\\]+)$"" |stats count values(SHA256HashData) by TargetProcessId_decimal ComputerName timestamp FileName CommandLine |fields - count
|join TargetProcessId_decimal [search event_simpleName=SuspiciousDnsRequest |rename ContextProcessId_decimal as TargetProcessId_decimal |dedup TargetProcessId_decimal |stats count values(SHA256HashData) by TargetProcessId_decimal DomainName |fields - count] |dedup DomainName
Show me a list of processes that executed from the Recycle Bin for a specific AID
ImageFileName=$Recycle.Bin event_simpleName=""ProcessRollup2"" earliest=-1h@h |regex FileName!=""chrome.exe|iexplore.exe|MicrosoftEdgeCP.exe|firefox.exe"" |stats values(name) values(SHA256HashData) values(ComputerName) values(ImageFileName) count by aid
Show me any BITS transfers (can be used to transfer malicious binaries)
event_simpleName=""ProcessRollup2"" FileName=bitsadmin.exe (CommandLine=/Transfer OR CommandLine=/Addfile) earliest=-1h@h |dedup CommandLine |stats count by _time aid ComputerName UserName ImageFileName CommandLine TargetFileName SHA256HashData |sort -_time
Show me any encoded PowerShell commands
event_simpleName=""ProcessRollup2"" FileName=powershell.exe (CommandLine=-enc OR CommandLine=encoded) UserName!=SPAMMYUSER earliest=-24h@h |regex CommandLine!=""(?i)Office.ValidateResult.scratch|SPAMMMY_POWERSHEL_ENC*"" |rex field=CommandLine ""(?[^\\]+)$"" |stats values(UserName) values(CommandLine) values(ComputerName) count by CommandLineTrim |sort -count
Show me a list of processes executing from User Profile file paths
event_simpleName=""ProcessRollup2"" ComputerName=* earliest=-24h@h
|regex CommandLine=""\\\\users\\\\""
|regex CommandLine!=""(?i)SPAMMY.exe|SPAMMY.exe|SPAMMY.exe""
|rex field=CommandLine ""(?<CommandLineTrim>[^\\\\]+)$""
|stats dc(UserName) values(SHA256HashData) values(CommandLineTrim) dc(ComputerName) count by FileName
|sort -count
|where count <10
Show me the responsible process for starting a service
event_simpleName=ServiceStarted ComputerName=* earliest=-7d@h
|dedup CommandLine
|rex field=CommandLine ""(?<CommandLineTrim>[^\\\\]+)$""
|stats values(ComputerName) values(UserName) values(CommandLineTrim) count by FileName
|sort -count
Show me all CreateService events with non internal remote connections
event_simpleName=CreateService earliest=-24h@h
(
RemoteAddressIP4!=""""
RemoteAddressIP4!=192.168.0.0/16 AND
RemoteAddressIP4!=10.0.0.0/8 AND
RemoteAddressIP4!=172.16.0.0/12 AND
RemoteAddressIP4!=127.0.0.0/8 AND
)
|stats values(RemoteAddressIP4) values(ClientComputerName) values(ServiceImagePath) count by ServiceDisplayName
Show me non-System32 binaries running as a hosted service
event_simpleName=HostedServiceStarted ImageFileName!=""*\\System32\\*"" ServiceDisplayName!=WcesComm earliest=-24h@h
|stats values(ComputerName) values(FileName) count by ServiceDisplayName
Show me a list of links opened from Outlook
event_simpleName=""ProcessRollup2"" latest=now FileName=outlook.exe ComputerName=* earliest=-24h@h
|dedup aid TargetProcessId_decimal
|rename FileName as Parent
|rename CommandLine as ParentCmd
|table aid TargetProcessId_decimal Parent ParentCmd
|join max=0 aid TargetProcessId_decimal
[search event_simpleName=""ProcessRollup2"" earliest=-1h@h
|rename ParentProcessId_decimal as TargetProcessId_decimal
|rename FilePath as ChildPath
|dedup aid TargetProcessId_decimal SHA256HashData
|fields aid TargetProcessId_decimal FileName CommandLine
|rex field=CommandLine ""(?<CommandLine>[^\\\\]+)$""]
|stats values(CommandLine) values(ParentCmd) count by FileName
Show me a list of web servers or database processes running under a Local System account
event_simpleName=""ProcessRollup2"" (FileName=w3wp.exe OR FileName=sqlservr.exe OR FileName=httpd.exe OR FileName=nginx.exe) UserName=""LOCAL SYSTEM"" OR UserName=""SYSTEM"" earliest=-24h@h
|rex field=CommandLine ""(?<CommandLineTrim>[^\\\\]+)$""
|stats values(ComputerName) values(UserName) values(CommandLineTrim) values(SHA256HashData) count by FileName
Show me user accounts created with logon
event_simpleName=""UserIdentity"" [search event_simpleName=UserAccountCreated UserName!=""spamuser*"" OR UserName!=spamuser| fields cid UserName ]
| stats count values(UserName) by ComputerName
| sort -count
Show me the responsible process for the UserAccountCreated event
event_simpleName=""ProcessRollup2"" earliest=-24h@h ComputerName=* [search event_simpleName=""UserAccountCreated"" |rename RpcClientProcessId as TargetProcessId_decimal |rename UserName as UserName_UserAccountCreated |fields aid TargetProcessId_decimal UserName ] |regex CommandLine!=""(?i)SPAMMY.exe|SPAMMY.exe"" |stats count values(SHA256HashData) values(UserName) values(CommandLine) by FileName |sort -count
Show me all Firewall Set Rule events
event_simpleName=FirewallSetRule | table aid FirewallRule RemoteAddressIP4 RemoteAddressIP6
Show me all FirewallChangeOption events (with human-readable profile description)
event_simpleName=FirewallChangeOption |
eval FirewallProfileDescription=case(FirewallProfile=0, ""INVALID"", FirewallProfile=1, ""DOMAIN"", FirewallProfile=2, ""STANDARD"", FirewallProfile=3, ""PUBLIC"") |
table aid FirewallOption FirewallProfileDescription FirewallOptionNumericValue FirewallOptionStringValue
Show me a list of outbound network traffic on non-standard ports and the process info attached to them
event_simpleName=NetworkConnect* ComputerName=NATL1-8K8L7H2 (RemoteAddressIP4!=192.168.0.0/16 AND RemoteAddressIP4!=10.0.0.0/8 AND RemoteAddressIP4!=172.16.0.0/12 AND RemoteAddressIP4!=127.0.0.0/8)
|regex REMOVEME_TO_FILTER_NON_STANDARD_PORTS_RemotePort_decimal!=""7|9|13|(2[1-3])|(2[56])|37|53|(79|8[01])|88|106|110|111|113|119|135|139|(14[34])|179|199|389|427|(44[3-5])|465|(51[3-5])|543|544|548|554|587|631|646|873|990|993|995|(102[5-9])|1110|1433|1720|1723|1755|1900|2000|2001|2049|2121|2717|3000|3128|3306|3389|3986|4899|5000|5009|5051|5060|5101|5190|5357|5432|5631|5666|5800|5900|6000|6001|6646|7070|8000|8008|8009|8080|8081|8443|8888|9100|9999|10000|32768|(4915[2-7])|0""
|dedup ContextProcessId_decimal ComputerName
| rename ContextProcessId_decimal AS TargetProcessId_decimal
|stats count by TargetProcessId_decimal ComputerName RemoteIP RPort _time
|sort -count
|join TargetProcessId_decimal
[search event_simpleName=""ProcessRollup2"" ComputerName=NATL1-8K8L7H2
| dedup TargetProcessId_decimal
| fields TargetProcessId_decimal ComputerName timestamp ImageFileName CommandLine _time ]
| eval ""Last Seen (UTC)""=strftime(_time, ""%m/%d/%y %I:%M%p"")
| sort by +""Last Seen (UTC)""
|rex field=CommandLine ""(?<CommandLine_Short>[^\\\\]+)$""
| rex field=CommandLine_Short ""(?P<CommandLine_Short>\w{75}).*""
| stats count values(RemoteIP) AS Dst values(RPort) AS Port values(ImageFileName) AS Path values(CommandLine) AS CommandLine by ""Last Seen (UTC)"" CommandLine_Short
Show me a list of low-volume domain name requests
event_simpleName=DnsRequest earliest=-1h@h
|regex DomainName!=""(?i)adobe.com|google.com|newellco.com|outlook.com|microsoft.com|live\.com|skype\.com|footprintdns\.com|microsoftonline\.com|office365\.com|office\.net|digicert.com|office\.com|windows\.com|lync\.com|apple\.com|windows\.net|icloud\.net|goody\.com|facebook\.com|jahglobal\.net|0\.0\.0\.0|rackcdn\.com|yammer\.com""
|rare DomainName
|stats values(ComputerName) count by DomainName
|where count <4
|sort - count
Show all Remote Desktop Protocol (RDP) connections observed on a specific host
event_simpleName=*UserIdentity LogonType_decimal=10
|table ComputerName UserPrincipal
|fillnull value=null
|stats values(ComputerName) count by UserPrincipal
|sort -count
Hunting Suspicious Registry Changes
event_simpleName=ASEP* earliest=-24h@h
|rex field=RegStringValue ""(?<RegStringValueTrim>[^\\\\]+)$""
|stats dc(ComputerName) as count values(ComputerName) values(RegStringValue) by RegStringValueTrim
|sort -count
|where count < 10
SysInternals Use
sourcetype=PeVersionInfoV3-v02 CompanyName=*Sysinternals* earliest=-24h@h
|eval OriginalFilename=lower(OriginalFilename)
|stats values(ImageFileName) values(ComputerName) values(SHA256HashData) count by OriginalFilename
NWL_CMD run with Echo and & Parameters-v3
event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2 CommandLine=""*echo*&"" FileName=cmd.exe earliest=-24h@h
|stats count values(CommandLine) by ComputerName
|sort -count
NWL_Administrator Enumeration
event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2 (FileName=net.exe OR FileName=net1.exe) AND CommandLine=""*admin*"" AND (CommandLine=""*localgroup*"" OR CommandLine=""*domain*"") earliest=-24h@h
|regex CommandLine!=""(?i)Uninstall|aspect|S-1-5-32-544""
|stats count values(CommandLine) by ComputerName
NWL_Wscript Runs Obfuscated JS
event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2 CommandLine="*wscript.exe*ProgramData*" earliest=-24h@h
NWL_Changes to Known DLLs registry
event_simpleName=ASEP* RegStringValue=""*knowndlls*"" earliest=-24h@h
|rex field=RegStringValue ""(?<RegStringValueTrim>[^\\\\]+)$""
|stats count values(ComputerName) values(RegStringValue) by RegStringValueTrim
|sort -count
NWL_T1121 - Regsvcs/Regasm - Making Network Connections
event_simpleName=""ProcessRollup2"" FileName=Regasm.exe OR FileName=RegSvcs.exe
| dedup ComputerName FileName
| regex DomainName!=""(?i)adobe\.com$|google.com$|newellco\.com$|outlook\.com$|microsoft\.com$|live\.com$|skype\.com$|footprintdns\.com$|microsoftonline\.com$|office365\.com$|office\.net$|digicert\.com$|office\.com$|windows\.com$|lync\.com$|apple\.com$|windows\.net$|icloud\.net$|goody\.com$|facebook\.com$|jahglobal\.net$|0\.0\.0\.0$|rackcdn\.com$|yammer\.com|office\.com$|msedge\.net$|identrust\.com$|letsencrypt\.org$|msn\.com$|bing\.com$|msocsp\.com$|cloudsink\.net$""
|map maxsearches=9999 search=""search event_simpleName=DnsRequest ContextProcessId_decimal=$TargetProcessId_decimal$ ""
NWL_CMD or PS Invoke-Expression with Env Variable
event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2 (FileName=cmd.exe OR FileName:powershell.exe) AND (CommandLine="*Invoke-Expression*" AND CommandLine="*$env:*") earliest=-24h@h
NWL_WannaCry
event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2 MD5HashData=86F8E249B90A767D28BE2D16EB702675 OR MD5HashData=EF83438AA06BAA2732E8F594322FF059 OR MD5HashData=a043fac94294b844bd4f05e3aec2c612 OR MD5HashData=f107a717f76f4f910ae9cb4dc5290594 OR MD5HashData=84c82835a5d21bbcf75a61706d8ab549 OR MD5HashData=7f7ccaa16fb15eb1c7399d422f8363e8 OR MD5HashData=509c41ec97bb81b0567b059aa2f50fe8 OR MD5HashData=db349b97c37d22f5ea1d1841e3c89eb4 earliest=-24h@h
Off Shore Non Standard Ports
eventtype=eam NetworkConnectIP4 RemoteAddressIP4!=127.0.0.0/8 RemoteAddressIP4!=222.222.222.0/22 RemoteAddressIP4!=222.222.222.0/23 RemoteAddressIP4!=10.0.0.0/8 RemoteAddressIP4!=172.16.0.0/12 RemoteAddressIP4!=192.168.0.0/16
RemotePort_decimal!=443 RemotePort_decimal!=80
|head 10000
|iplocation RemoteAddressIP4
|search Country!=""United States""
|stats count values(Country) values(RemoteAddressIP4) values(RemotePort_decimal) by ComputerName
| sort -count
Regkey stuff
event_simpleName=Asep* RegObjectName=*\\Run
|regex TargetCommandLineParameters!=""(?i)\""|\-[a-z]|\/[a-z]|\/u0000""
|regex RegValueName!=""(?i)program files|Program Files|dell|Logitech|sidebar|tomtom|Yandex""
|stats count values(RegStringValue) values(RegValueName) values(ComputerName) by TargetCommandLineParameters
|sort -count
Aid and/or UserName>userinfo for ticket
(ComputerName=COMPUTERNAMEHERE sourcetype=UserIdentityV2-v02 OR sourcetype=UserLogonV8-v02 UserPrincipal!=""spammyemail@company.com"" UserPrincipal=*.*@*.com UserPrincipal!=*.$*.com UserName!=svcSCCM.ClientPush UserName!=SYSTEM earliest=-7d@d )
| lookup aid_master aid OUTPUT City Country ComputerName MachineDomain
| rex field=UserPrincipal ""^(?<First>\w+).(?<Last>\w+)(@.*)""
| eval ""Full Name""= First."" "".Last
| eval ""Country City"" = Country."","".City
| join ComputerName
[search source=PlatformEvents DetectDescription=""*""
| table ComputerName DetectDescription ]
| table DetectDescription ComputerName LocalAddressIP4 MachineDomain UserName ""Full Name"" UserPrincipal ""Country City""
| fillnull value=NULL
| dedup UserPrincipal DetectDescription ComputerName
Windows_Patch_Status (BlueKeepStatus)
|savedsearch windows_patch_status cid=""*"" kb_pattern=""(KB4499178)|(KB4499175)|(KB4499164)|(KB4503277)|(KB4503292)|(KB4507449)|(KB4507437)|(KB4512506)|(KB4512514)|(KB4516065)|(KB4516048)|(KB4524157)|(KB4519976)|(KB4525251)|(KB4525235);""
|rename PatchStatus as BlueKeepStatus
|lookup aid_master.csv aid OUTPUT ComputerName, Version, Time, SiteName, MachineDomain
|search Version=""Windows Server 2008 R2"" OR Version=""Windows 7""
|search Version=""*"" BlueKeepStatus=""Vulnerable (Patched; Reboot Required)"" OR BlueKeepStatus=""Vulnerable (Not patched)""
|lookup managedassets.csv aid OUTPUT MAC, LocalAddressIP4
|lookup cid_name.csv cid OUTPUT name as ""Company""
|table ComputerName, Version, BlueKeepStatus, LastPatchTime, Time, MAC, LocalAddressIP4, SiteName, MachineDomain, Company
`formatDate(LastPatchTime)`
`formatDate(Time)`
|rename ComputerName as ""Host Name"", Version as ""OS Version"", BlueKeepStatus as ""Vulnerable Status"", LastPatchTime as ""Last Update Installed Time"", Time as ""Last Sensor Report Time"", SiteName as ""Site Name"", MachineDomain as ""Domain"", Company as ""Company Name""
Show processes and connected domain names
ComputerName=""EHTT1-DHD2NH2"" event_simpleName=""DnsRequest"" DomainName=""*.*""
| regex DomainName!=""(?i)adobe\.com$|google.com$|newellco\.com$|outlook\.com$|microsoft\.com$|live\.com$|skype\.com$|footprintdns\.com$|microsoftonline\.com$|office365\.com$|office\.net$|digicert\.com$|office\.com$|windows\.com$|lync\.com$|apple\.com$|windows\.net$|icloud\.net$|goody\.com$|facebook\.com$|jahglobal\.net$|0\.0\.0\.0$|rackcdn\.com$|yammer\.com|office\.com$|msedge\.net$|identrust\.com$|letsencrypt\.org$|msn\.com$|bing\.com$|msocsp\.com$|cloudsink\.net$|..localmachine""
|rename ContextProcessId_decimal as TargetProcessId_decimal
|join TargetProcessId_decimal
[search ComputerName=""EHTT1-DHD2NH2"" event_simpleName=""ProcessRollup2"" earliest=-24h@h
|regex CommandLine!=""(?i)iexplore\.exe|chrome\.exe|MicrosoftEdgeCP\.exe|firefox\.exe|google|smartscreen\.exe|OneDrive\.exe|SearchUI\.exe|mimecast\.com|MicrosoftEdge\.exe""]
|rex field=CommandLine ""(?<CommandLine>[^\\\\]+)$""
| eval ""Last Seen (UTC)""=strftime(_time, ""%m/%d/%y %I:%M%p"")
|stats sparkline count values(CommandLine) values(DomainName) dc(""Last Seen (UTC)"") by FileName SHA256HashData
NWL_Potential Post Exploit
event_simpleName=""ProcessRollup2"" earliest=-24h@h
FileName=PsInfo.exe OR FileName=PsLoggedon.exe OR FileName=pssuspend.exe OR FileName=psfile.exe OR FileName=PsService.exe OR FileName=PsGetsid.exe OR FileName=pslist.exe OR FileName=pspasswd.exe OR FileName=psshutdown.exe OR FileName=psping.exe OR FileName=psloglist.exe
|rex field=CommandLine ""(?<CommandLine>[^\\\\]+)$""
|regex CommandLine!=""(?i)Spammypath""
|stats count values(CommandLine) by ComputerName
NWL_Potential Post Exploit Tools Elevated
event_simpleName=""ProcessRollup2""
FileName=PsExec.exe OR FileName=SysRun.exe OR FileName=wce.exe OR FileName=wce32.exe OR FileName=whosthere-alt.exe OR FileName=whosthere.exe OR FileName=genhash.exe OR FileName=iam-alt.exe OR FileName=iam.exe OR FileName=crackmapexec.exe OR FileName=hashcat64.exe OR FileName=AccessChk.exe OR FileName=Autologon.exe OR FileName=Streams.exe OR FileName=getlsasrvaddr.exe OR FileName=SharpExec_x64.exe OR FileName=SharpExec_x86.exe
|regex CommandLine!=""(?i)Spammy_strings1|Spammy_strings2|Spammy_strings3|Spammy_strings4""
|stats count values(CommandLine) by ComputerName
|sort -count
Execution of Renamed Executables
event_simpleName=""NewExecutableRenamed"" SourceFileName!=""*.exe""
|regex CommandLine!=""(?i)\.partial""
|rename TargetFileName as ImageFileName
|join ImageFileName
[ search event_simpleName=""ProcessRollup2"" ]
|table ComputerName SourceFileName ImageFileName CommandLine
LOLBAS (add to ID:86 or 87)
event_simpleName=""NewExecutableRenamed"" SourceFileName!=""*.exe""
|regex CommandLine!=""(?i)\.partial""
|rename TargetFileName as ImageFileName
|join ImageFileName
[ search event_simpleName=""ProcessRollup2"" ]
|table ComputerName SourceFileName ImageFileName CommandLine
Suspicious PowerShell Process, Spawned from Explorer, with Network Connections
event_simpleName=""DnsRequest""
|rename ContextProcessId as TargetProcessId
|join TargetProcessId
[ search event_simpleName=""ProcessRollup2"" AND FileName=""explorer.exe""
|dedup CommandLine
|rename TargetProcessId_decimal as ParentProcessId_decimal
|join ParentProcessId_decimal
[ search event_simpleName=""ProcessRollup2"" FileName=""powershell.exe""
|dedup CommandLine]]
|table ComputerName timestamp ImageFileName DomainName CommandLine
Powershell Downloads
event_simpleName=""ProcessRollup2"" FileName=powershell.exe (CommandLine=*Invoke-WebRequest* OR CommandLine=*Net.WebClient* OR CommandLine=*Start-BitsTransfer*)
|regex CommandLine!=""((?i)169\.254\.169\.254)""
|stats count values(ComputerName) values(UserName) values(CommandLine) by FileName
MAC: Detecting Word Macros
event_platform=Mac event_simpleName=""ProcessRollup2""
[search event_simpleName=*ProcessRollup2 event_platform=Mac
CommandLine=""/Applications/*Microsoft Word*""
|fields ProcessGroupId_decimal ]
|stats values(CommandLine) as Commands, count by
aid,ProcessGroupId_decimal
|search Commands=""/Applications/*Microsoft Word*""
MAC: Investigating a Word macro
aid= event_simpleName=""ProcessRollup2"" NOT
CommandLine=""/Applications/*Microsoft Word*"" [search aid=<aid>
CommandLine=""/Applications/*Microsoft Word*""
event_simpleName=""ProcessRollup2""
|rename TargetProcessId_decimal as ProcessGroupId_decimal
|return 10000 ProcessGroupId_decimal]
MAC: Rare launch agents: list and count launch agents
event_platform=Mac event_simpleName=*ProcessRollup2
CommandLine=*LaunchAgents*
|dedup aid,CommandLine |makemv CommandLine delim="" ""
|eval CommandLine=mvfilter(match(CommandLine, "".*LaunchAgents.*""))
|eval CommandLine=replace(CommandLine,""/Users/[a-z]+/"", ""/"") |eval
CommandLine=replace(CommandLine,""\""$"", """")
|dedup aid,CommandLine
|stats count by CommandLine
|sort count
MAC: Removing the quarantine attribute
event_platform=Mac event_simpleName=ProcessRollup2
CommandLine=""*xattr -d -r com.apple.quarantine*"" NOT
<redacted> NOT <redacted>
MAC: Very busy process trees
event_platform=Mac event_simpleName=ProcessRollup2
|stats count by ProcessGroupId_decimal,aid |search count>50 |map
search=""search aid=$aid$
ProcessGroupId_decimal=$ProcessGroupId_decimal$
TargetProcessId_decimal=$ProcessGroupId_decimal$""
|search NOT CommandLine=<redacted> NOT CommandLine=<redacted>
MAC: Processes running from tmp dirs
event_platform=Mac event_simpleName=ProcessRollup2 (CommandLine=""/tmp/*""
OR CommandLine=""/private/tmp/*"") NOT <redacted> NOT <redacted> NOT
<redacted>
MAC: Copies from tmp dirs to Users
event_platform=Mac event_simpleName=ProcessRollup2 FileName=cp
CommandLine=""*tmp*Users*""
MAC: Chown commands run on hidden user dirs
event_simpleName=*ProcessRollup2 event_platform=Mac chown NOT <redacted>
|regex CommandLine=""/Users/[a-z]+/\..*""
MAC: Chmod commands run on hidden user dirs 2
event_simpleName=*ProcessRollup2 event_platform=Mac chmod NOT <redacted>
NOT <redacted>
|regex CommandLine=""/Users/[a-z]+/\..*""
|table CommandLine
MAC: Long running processes with few network connections (i.e. stealthy C2)
event_platform=Mac event_simpleName=ProcessRollup2 aid=<aid>
|join type=outer TargetProcessId_decimal
[search event_platform=Mac aid=<aid> event_simpleName=EndOfProcess
|rename _time as EndTime
|fields aid,TargetProcessId_decimal, EndTime]
|eval duration=if(isnull(EndTime),now()-_time,EndTime-_time)
|join type=outer aid,ProcessGroupId_decimal
[search event_platform=Mac event_simpleName=NetworkConnect* aid=<aid>
|stats count as NetworkConnectionCount by aid, ContextProcessId_decimal
|rename ContextProcessId_decimal as ProcessGroupId_decimal]
|search duration>86399 NetworkConnectionCount<5
MAC: Process tree that contains both sh and launchctl
event_platform=Mac aid=<aid> event_simpleName=ProcessRollup2 (sh OR launchctl)
|transaction aid,ProcessGroupId_decimal
|search sh launchctl
MAC: Process trees with lots of shells
event_platform=Mac event_simpleName=ProcessRollup2 (CommandLine=sh* OR CommandLine=/bin/sh* OR CommandLine=/bin/bash)
|stats values(CommandLine) as Commands,count by aid,ProcessGroupId_decimal
|regex CommandLine!=""(forticlient|daily|gstm|pid,pcpu,rss,comm|cups|audit_warn)""
|search count>20
MAC: Unusual number of recon commands for the environment for 1 host
event_platform=Mac event_simpleName=ProcessRollup2 aid=<aid> (networksetup OR who OR whoami OR sysctl)
|eval JoinId=ParentProcessId_decimal
|rename CommandLine as ChildCommandLine
|join type=outer aid,JoinId
[search event_platform=Mac aid=<aid> event_simpleName=ProcessRollup2
|eval JoinId=TargetProcessId_decimal
|rename CommandLine as ParentCommandLine]
|search NOT ChildCommandLine=<redacted>
|search NOT ParentCommandLine=<redacted>
|stats values(ChildCommandLine) as Commands, count by aid
|search count>1
MAC: Rare processes associated with security_authtrampoline
event_platform=Mac event_simpleName=*ProcessRollup2
[search event_platform=Mac event_simpleName=*ProcessRollup2 security_authtrampoline
|fields ProcessGroupId_decimal]
|dedup aid, SHA256HashData
|eval CommandLine=substr(CommandLine,1,100)
|stats values(CommandLine) as Commands, dc(aid) as AuthtrampolineCount by SHA256HashData
|eventstats sum(AuthtrampolineCount) as AuthtrampolineTotal
|eval AuthTrampolinePerc=round((AuthtrampolineCount/AuthtrampolineTotal)*100,7)
|join type=outer SHA256HashData
[search event_platform=Mac event_simpleName=*ProcessRollup2
|rare SHA256HashData limit=10000 by aid
|stats dc(aid) as RareGPopCount by SHA256HashData
|eventstats sum(RareGPopCount) as RareGPopTotal
|eval RareGPopPerc=round((RareGPopCount/RareGPopTotal)*100,7) ]
|join type=outer SHA256HashData
[search event_platform=Mac event_simpleName=*ProcessRollup2
|top SHA256HashData limit=10000 by aid
|stats dc(aid) as CommonGPopCount by SHA256HashData
|eventstats sum(CommonGPopCount) as CommonGPopTotal
|eval CommonGPopPerc=round((CommonGPopCount/CommonGPopTotal)*100,7)]
|fillnull value=0 CommonGPopCount
|fillnull value=0 RareGPopCount
MAC: Rare processes associated with security_authtrampoline events query
event_platform=Mac event_simpleName=*ProcessRollup2
[search event_platform=Mac event_simpleName=*ProcessRollup2 security_authtrampoline
|fields ProcessGroupId_decimal]
|dedup aid, SHA256HashData
|eval CommandLine=substr(CommandLine,1,100)
|stats values(CommandLine) as Commands, dc(aid) as AuthtrampolineCount by SHA256HashData
|search AuthtrampolineCount=1
|join type=outer SHA256HashData
[search event_platform=Mac event_simpleName=*ProcessRollup2
|rare SHA256HashData limit=10000 by aid
|stats dc(aid) as RareGPopCount by SHA256HashData]
|join type=outer SHA256HashData
[search event_platform=Mac event_simpleName=*ProcessRollup2
|top SHA256HashData limit=10000 by aid
|stats dc(aid) as CommonGPopCount by SHA256HashData]
|fillnull value=0 CommonGPopCount
|fillnull value=0 RareGPopCount
|search CommonGPopCount<2 RareGPopCount<2
|eval Auth_Common_Rare=AuthtrampolineCount."","".CommonGPopCount."","".RareGPopCount
|fields SHA256HashData, Commands, Auth_Common_Rare
|search NOT <redacted> NOT <redacted>
MAC: Rare processes associated with security_authtrampoline Why isn’t the first query enough?
event_platform=Mac event_simpleName=*ProcessRollup2
[search event_platform=Mac event_simpleName=*ProcessRollup2 security_authtrampoline
|fields ProcessGroupId_decimal]
|dedup aid, SHA256HashData
|eval CommandLine=substr(CommandLine,1,100)
|stats values(CommandLine) as Commands, dc(aid) as AuthtrampolineCount by SHA256HashData
|search AuthtrampolineCount=1
|join type=outer SHA256HashData
[search event_platform=Mac event_simpleName=*ProcessRollup2
|rare SHA256HashData limit=10000 by aid
|stats dc(aid) as RareGPopCount by SHA256HashData]
|join type=outer SHA256HashData
[search event_platform=Mac event_simpleName=*ProcessRollup2
|top SHA256HashData limit=10000 by aid
|stats dc(aid) as CommonGPopCount by SHA256HashData]
|fillnull value=0 CommonGPopCount
|fillnull value=0 RareGPopCount
|search CommonGPopCount<2 RareGPopCount<2
|eval Auth_Common_Rare=AuthtrampolineCount."","".CommonGPopCount."","".RareGPopCount
|fields SHA256HashData, Commands, Auth_Common_Rare
|search NOT <redacted> NOT <redacted>
MAC: Rare self-deleting processes
event_platform=Mac event_simpleName=ProcessSelfDeleted
|map search=""search event_simpleName=*ProcessRollup2 aid=$aid$
TargetProcessId_decimal=$ContextProcessId_decimal$""
|dedup aid,SHA256HashData
|eval CommandLine=substr(CommandLine,1,50)
|stats values(CommandLine) as Commands, dc(aid) as UniqueAgentCount by SHA256HashData
|join type=outer SHA256HashData
[search event_platform=Mac event_simpleName=*ProcessRollup2
|top SHA256HashData limit=10000 by aid
|stats dc(aid) as CommonGPopCount by SHA256HashData]
|join type=outer SHA256HashData
[search event_platform=Mac event_simpleName=*ProcessRollup2
|rare SHA256HashData limit=10000 by aid
|stats dc(aid) as RareGPopCount by SHA256HashData]
|fillnull value=0 CommonGPopCount
|fillnull value=0 RareGPopCount
|search UniqueAgentCount=1 CommonGPopCount<2 RareGPopCount<2
MAC: Was a process orphaned?
aid=<aid> <process_id> event_simpleName=ProcessRollup2
|eval JoinId=ParentProcessId_decimal
|rename CommandLine as ChildCommandLine
|join type=outer JoinId
[search aid=<aid> event_simpleName=ProcessRollup2
|eval JoinId=TargetProcessId_decimal
|rename CommandLine as ParentCommandLine]
|eval ParentCommandLine=coalesce(ParentCommandLine,""IamAnOrphan"")
MAC: Find orphaned processes for 1 host v1
event_platform=Mac aid=<aid> event_simpleName=ProcessRollup2 NOT CommandLine=""/System/*"" NOT CommandLine=""/Library/*"" NOT CommandLine=""/usr/libexec/*"" NOT CommandLine=xpcproxy* NOT CommandLine=""/Applications/Utilities/*"" NOT CommandLine=""make*"" NOT CommandLine=ipconfig* NOT CommandLine=""/Applications/*"" NOT ""/Users/*/Library/Application Support/*"" NOT CommandLine=<bunch_of_internal_stuff>
// LONG RUNNING SYSTEM PROCESSES NEED TO BE FILTERED OUT//
|eval JoinId=ParentProcessId_decimal
|rename CommandLine as ChildCommandLine
|join type=outer aid,TargetProcessId_decimal [search event_platform=Mac aid=<aid> event_simpleName=EndOfProcess
|rename _time as EndTime
|fields aid,TargetProcessId_decimal, EndTime]
//USE EndOfProcess RECORDS TO CALCULATE END TIME IF IT EXISTS//
|eval duration=if(isnull(EndTime),now()-_time,EndTime-_time)
|join type=outer JoinId,aid [search event_platform=Mac aid=<aid> event_simpleName=ProcessRollup2
|eval JoinId=TargetProcessId_decimal
|rename CommandLine as ParentCommandLine
|fields JoinId, ParentCommandLine]
// FIND PARENT PROCESS RECORD IF IT EXISTS //
|eval ParentCommandLine=coalesce(ParentCommandLine,""IamAnOrphan"")
|search ParentCommandLine=""IamAnOrphan""
|eval ChildCommandLine=substr(ChildCommandLine,1,50)
|stats values(ChildCommandLine) as Commands, max(duration) as duration, dc(aid) as AgentsWithHash by SHA256HashData
|search AgentsWithHash=1
|join type=outer SHA256HashData [search event_platform=Mac event_simpleName=VT
|stats sum(detectionCount) as VTCount by sha256
|rename sha256 as SHA256HashData]
//FIND ANY VIRUSTOTAL HITS - NOT USED FOR FILTERING YET //
|join type=outer SHA256HashData [search event_platform=Mac event_simpleName=ProcessRollup2
|top SHA256HashData limit=10000 by aid
|stats dc(aid) as CommonGPopCount by SHA256HashData]
//FIND 10,000 MOST COMMON PROCESSES OVER ALL MACHINES//
|join type=outer SHA256HashData [search event_platform=Mac event_simpleName=ProcessRollup2
|rare SHA256HashData limit=10000 by aid
|stats dc(aid) as RareGPopCount by SHA256HashData]
//FIND 10,000 LEAST COMMON PROCESSES OVER ALL MACHINES//
|fillnull value=0 CommonGPopCount
|fillnull value=0 RareGPopCount
|fillnull value=0 VTCount
|search CommonGPopCount <2 RareGPopCount < 2
// FILTER OUT ANY HASHES THAT EXIST ON MORE THAN ONE MACHINE //
RDP inbound Splunk
event_simpleName=NetworkConnect* (LocalPort_decimal=3389 OR LocalPort_decimal=5900) (RemoteAddressIP4!=192.168.0.0/16 AND RemoteAddressIP4!=10.0.0.0/8 AND RemoteAddressIP4!=172.16.0.0/12 AND RemoteAddressIP4!=127.0.0.0/8)
|rename aip as EXT_DEST_IP , LocalPort_decimal as EXT_DEST_PORT , LocalAddressIP4 as DEST_NAT_IP,RemotePort_decimal as DEST_NAT_PORT, RemoteAddressIP4 as SRC_EXT_IP
|table EXT_DEST_IP EXT_DEST_PORT DEST_NAT_IP DEST_NAT_PORT SRC_EXT_IP ComputerName
enc powershell advanced
event_simpleName=""ProcessRollup2"" CommandLine=""*powershell*""
| regex CommandLine!=""(?i)\b_SPAMMYSTTRING2>*|\b_SPAMMYSTTRINGHERE.*""
| regex CommandLine=""(([A-Z|a-z|0-9]{200}))""
|fields CommandLine ComputerName
DST_DNS>Process
event_simpleName=""DnsRequest"" DomainName=""vinnerpostwnet.ru"" OR DomainName=""vandmeds.ru""
|dedup ContextProcessId_decimal DomainName
|rename ContextProcessId_decimal as TargetProcessId_decimal
|map maxsearches=99999 search=""search event_simpleName=""ProcessRollup2"" TargetProcessId_decimal=$TargetProcessId_decimal$""
|rex field=CommandLine ""(?<CommandLine>[^\\\\]+)$""
|stats count by ComputerName UserName ImageFileName CommandLine
Dump what you have access to ( indexes and lookup tables and the size of the index tables )
|eventcount summarize=false index=* report_size=true |eval MB=(size_bytes/1024)/1024 |stats sum(MB) by index
|sort -sum(MB)
|append [ rest/servicesNS/-/-/data/lookup-table-files |table title eai:appName]
|append [ tstats values(sourcetype) where index=* by index ]
Search process tree tree view treeview by ContextProcessId_decimal
https://falcon.crowdstrike.com/investigate/process-explorer/aid/ContextProcessId_decimal
CS:MAC>Apple dump all non 192 Apple Inc MAC Address split IP address
| inputlookup managedassets.csv
| eval ""Last Seen (UTC)""=strftime(_time, ""%m/%d/%y %I:%M%p"")
| sort 0 -""Last Seen (UTC)"" | lookup oui.csv MACPrefix OUTPUT Manufacturer
| fillnull value=NA Manufacturer | eval Manufacturer=if(Manufacturer=""NA"",InterfaceDescription,Manufacturer)
| join aid
[| inputlookup aid_master where cid=*
| eval ""Last Seen (UTC)""=strftime(_time, ""%m/%d/%y %I:%M%p"")
| sort 0 -""Last Seen (UTC)"" | lookup oui.csv MACPrefix OUTPUT Manufacturer
| fillnull value=NA Manufacturer | eval Manufacturer=if(Manufacturer=""NA"",InterfaceDescription,Manufacturer)
| dedup aid]
| append
[| inputlookup append=t unmanaged_high.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none
| rename ComputerName AS ""Last Discovered By""
| append
[ inputlookup append=t unmanaged_med.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none
| rename ComputerName AS ""Last Discovered By""]
| append
[| inputlookup append=t unmanaged_low.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none
| rename ComputerName AS ""Last Discovered By""]
| append
[| inputlookup notsupported.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none
| rename ComputerName AS ""Last Discovered By""
]
| eval ""Last Seen (UTC)""=strftime(_time, ""%m/%d/%y %I:%M%p"")
| fillnull value=null aid
| eval LocalAddressIP4=mvsort(mvdedup(split(LocalAddressIP4,"" "")))
| eval discoverer_aid=mvsort(mvdedup(split(discoverer_aid,"" "")))
| eval aip=mvsort(mvdedup(split(aip,"" "")))
| sort 0 -""Last Seen (UTC)""
| lookup oui.csv MACPrefix OUTPUT Manufacturer, ManufacturerAddress
| fillnull value=NA Manufacturer | eval Manufacturer=if(Manufacturer=""NA"",InterfaceDescription,Manufacturer)
]
| table aid,ComputerName,""Last Discovered By"",LastDiscoveredBy,confidence,NeighborName,CurrentLocalIP,LocalAddressIP4,InterfaceDescription,aip,GatewayIP,MAC,Manufacturer,MACPrefix,""Last Seen (UTC)"",City,Country,MachineDomain,OU,SystemManufacturer,SystemProductName,Version,event_platform
| search ""CurrentLocalIP""!=""192.168*"" OR ""LocalAddressIP4""!=""192.168.*"" Manufacturer=""Apple, Inc.""
| dedup MAC
| rex field=""CurrentLocalIP"" ""(?<ClassC>\d+\.\d+\.\d+\.)(?<OCT4>\d+)""
| stats count dc(MAC) dc(""OCT4"") by ClassC
| sort -count
| addcoltotals label=Total labelfield=MAC
TreeId_decimal tree id process tree sort of ...( this is more of a deep search when there are to many hits for normal DomainName/FileName Search his search requires a “event time” (earliest) ,aid and a “the last number on the URL bar of an alert tree view” (TreeId_decimal) but it’s tricky with stuff like ‘explore.exe’ or ‘excel.exe’ that has been running for hours if not DAYS I had to add 3hrs to pickup an alert CommandLine and domain
aid=XXXXXXXXXXXXXXXXXXXXXXXXXXXX TreeId_decimal=30064919953
| regex DomainName!=""(?i)adobe.com|google.com|outlook.com|microsoft.com|live\.com|skype\.com|footprintdns\.com|microsoftonline\.com|office365\.com|office\.net|digicert.com|office\.com|windows\.com|lync\.com|apple\.com|windows\.net|icloud\.net|goody\.com""
| fillnull value=""NULL""
| rename ContextProcessId_decimal as TargetProcessId_decimal
| join TargetProcessId_decimal
[search aid=XXXXXXXXXXXXXXXXXXXXXXXXXXXX event_simpleName=""ProcessRollup2"" earliest=-1@d ]
| rex field=CommandLine ""(?<CommandLine>[^\\\\]+)$""
| stats values(FileName) values(CommandLine) values(DomainName) count by SHA256HashData
search -N days + 24hrs so -3d would be 24hrs after 3 days ago... good for checking day by day -1 -2 -3 -4 -5 -6 -7 is a week etc..
[ search earliest=-1d@d
| addinfo
| head 1
| eval earliest=info_min_time
| eval latest=info_min_time+86400
| fields earliest,latest
| format ""("" ""("" """" "")"" ""OR"" "")"" ]
filter out fields regex good for != string1|string2
| regex FileName!="(?i)chrome.exe|iexplore.exe|MicrosoftEdgeCP.exe|firefox.exe
Searching in Bash
export key=`curl -ks https://YOUR_SPLUN_SERVER:8089/services/auth/login -d username=YOUR_USERNAME -d password=YOUR_PASSWORD | grep sessionKey | sed -r 's/<sessionKey>(.*)<\/sessionKey>/\1/g'|sed 's/ //g'`
curl -m 999 -s -k -H ""Authorization: Splunk $key"" ""https://YOUR_SPLUN_SERVER:8089/servicesNS/admin/search/search/jobs/export?output_mode=csv"" --data-urlencode search='search index=*
|head 100
|stats count earliest(_time) as earliest by username sourcetype
| eval earliest=strftime(earliest,""%m/%d/%y %H:%M:%S"")
| eval username=lower(username)
| stats count by username sourcetype earliest
| dedup username
`
Create data for Splunk search testing
| makeresults count=100 | eval poll=if((random()%5) == 1, ""String1"", ""String2"") |eval number=random() % 1000 + 9999
| makeresults | eval number=1574658133587347700
| eval date=strftime(round(number/1000000000,2), ""%F %T"")
Expand IP addresses and count class C addresses
| rex field=""DNS Client"" ""(?<o1>(\d)+).(?<o2>(\d)+).(?<o3>(\d)+).(?<o4>(\d)+)""
|stats count values(o3) by o2
|sort -count
Get all Asset info
| inputlookup managedassets.csv
| eval ""Last Seen (UTC)""=strftime(_time, ""%m/%d/%y %I:%M%p"")
| sort 0 -""Last Seen (UTC)"" | lookup oui.csv MACPrefix OUTPUT Manufacturer
| fillnull value=NA Manufacturer | eval Manufacturer=if(Manufacturer=""NA"",InterfaceDescription,Manufacturer)
| join aid
[| inputlookup aid_master where cid=*
| eval ""Last Seen (UTC)""=strftime(_time, ""%m/%d/%y %I:%M%p"")
| sort 0 -""Last Seen (UTC)"" | lookup oui.csv MACPrefix OUTPUT Manufacturer
| fillnull value=NA Manufacturer | eval Manufacturer=if(Manufacturer=""NA"",InterfaceDescription,Manufacturer)
| dedup aid]
| append
[| inputlookup append=t unmanaged_high.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none
| rename ComputerName AS ""Last Discovered By""
| append
[ inputlookup append=t unmanaged_med.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none
| rename ComputerName AS ""Last Discovered By""]
| append
[| inputlookup append=t unmanaged_low.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none
| rename ComputerName AS ""Last Discovered By""]
| append
[| inputlookup notsupported.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none
| rename ComputerName AS ""Last Discovered By""
]
| eval ""Last Seen (UTC)""=strftime(_time, ""%m/%d/%y %I:%M%p"")
| fillnull value=null aid
| eval LocalAddressIP4=mvsort(mvdedup(split(LocalAddressIP4,"" "")))
| eval discoverer_aid=mvsort(mvdedup(split(discoverer_aid,"" "")))
| eval aip=mvsort(mvdedup(split(aip,"" "")))
| sort 0 -""Last Seen (UTC)""
| lookup oui.csv MACPrefix OUTPUT Manufacturer, ManufacturerAddress
| fillnull value=NA Manufacturer | eval Manufacturer=if(Manufacturer=""NA"",InterfaceDescription,Manufacturer)
]
| table aid,ComputerName,""Last Discovered By"",LastDiscoveredBy,confidence,NeighborName,CurrentLocalIP,LocalAddressIP4,InterfaceDescription,aip,GatewayIP,MAC,Manufacturer,MACPrefix,""Last Seen (UTC)"",City,Country,MachineDomain,OU,SystemManufacturer,SystemProductName,Version,event_platform
| append
[|inputlookup aws_ec2_images.csv]
| append
[|inputlookup aws_ec2_instances.csv]
| append
[|inputlookup aws_ec2_mac_ip_lookup.csv]
| append
[|inputlookup aws_ec2_networkacl_entries.csv]
| append
[|inputlookup aws_ec2_networkacls.csv]
| append
[|inputlookup aws_ec2_networkinterface_privateips.csv]
| append
[|inputlookup aws_ec2_networkinterfaces.csv]
| append
[|inputlookup aws_ec2_securitygroup_rules.csv]
| append
[|inputlookup aws_ec2_securitygroups.csv]
| append
[|inputlookup aws_ec2_subnets.csv]
| append
[|inputlookup aws_ec2_volumes.csv]
| append
[|inputlookup aws_ec2_vpcs.csv]
| append
[|inputlookup aws_iam_account_aliases.csv]
| search ""CurrentLocalIP""!=""XXXXX"" OR ""LocalAddressIP4""!=""XXXXX""
MISC: earliest=1580801331 or earliest=-7d@d and eval info_sec=60601 the (1) is hours to search to search after earliest
[ search earliest=1580801331
|addinfo
|head 1
|eval earliest=info_min_time
|eval info_sec=60*60*1
|eval latest=info_min_time+info_sec
|fields earliest,latest
|format ""("" ""("" """" "")"" ""OR"" "")"" ]
Get count of Cisco AnyConnect VPN IP's
| inputlookup managedassets.csv
| eval ""Last Seen (UTC)""=strftime(_time, ""%m/%d/%y %I:%M%p"")
| sort 0 -""Last Seen (UTC)"" | lookup oui.csv MACPrefix OUTPUT Manufacturer
| fillnull value=NA Manufacturer | eval Manufacturer=if(Manufacturer=""NA"",InterfaceDescription,Manufacturer)
| join aid
[| inputlookup aid_master where cid=*
| eval ""Last Seen (UTC)""=strftime(_time, ""%m/%d/%y %I:%M%p"")
| sort 0 -""Last Seen (UTC)"" | lookup oui.csv MACPrefix OUTPUT Manufacturer
| fillnull value=NA Manufacturer | eval Manufacturer=if(Manufacturer=""NA"",InterfaceDescription,Manufacturer)
| dedup aid]
| append
[| inputlookup append=t unmanaged_high.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none
| rename ComputerName AS ""Last Discovered By""
| append
[ inputlookup append=t unmanaged_med.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none
| rename ComputerName AS ""Last Discovered By""]
| append
[| inputlookup append=t unmanaged_low.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none
| rename ComputerName AS ""Last Discovered By""]
| append
[| inputlookup notsupported.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none
| rename ComputerName AS ""Last Discovered By""
]
| eval ""Last Seen (UTC)""=strftime(_time, ""%m/%d/%y %I:%M%p"")
| fillnull value=null aid
| eval LocalAddressIP4=mvsort(mvdedup(split(LocalAddressIP4,"" "")))
| eval discoverer_aid=mvsort(mvdedup(split(discoverer_aid,"" "")))
| eval aip=mvsort(mvdedup(split(aip,"" "")))
| sort 0 -""Last Seen (UTC)""
| lookup oui.csv MACPrefix OUTPUT Manufacturer, ManufacturerAddress
| fillnull value=NA Manufacturer | eval Manufacturer=if(Manufacturer=""NA"",InterfaceDescription,Manufacturer)
]
| table aid,ComputerName,""Last Discovered By"",LastDiscoveredBy,confidence,NeighborName,CurrentLocalIP,LocalAddressIP4,InterfaceDescription,aip,GatewayIP,MAC,Manufacturer,MACPrefix,""Last Seen (UTC)"",City,Country,MachineDomain,OU,SystemManufacturer,SystemProductName,Version,event_platform
| search InterfaceDescription=""*AnyConnect*""
| rex field=""LocalAddressIP4"" ""(?<Net>\d+\.\d+\.\d+\.)(?<Host>\d+)""
| search InterfaceDescription=""*AnyConnect*""
| stats values(Net) count by Country City
| sort 0 -count
Extract usernames from windows and *nix FilePath and CommandLine with given aid or ComputerName
event_simpleName=""ProcessRollup2"" ComputerName=COMPUTERNAME FilePath=""*Users*"" OR CommandLine=""*Users*""
| rex field=FilePath mode=sed ""s/.*\bUsers\b.(\w+)(\b.*)/\1/g""
| rex field=CommandLine mode=sed ""s/.*\bUsers\b.(\w+)(\b.*)/\1/g""
| regex CommandLine!=""(?i).\b.""
| regex FilePath!=""(?i).\b.""
| rename FilePath AS CommandLine
| rename CommandLine AS UserName
| dedup UserName
| table UserName
Search for remote access servers running
event_simpleName=""ProcessRollup2"" FileName=""r_server.exe""
OR FileName=""remotelyanywhere.exe""
OR FileName=""raabout.exe""
OR FileName=""DNTUS26.exe""
OR FileName=""DWRCST.EXE""
OR FileName=""awhost32.exe""
OR FileName=""AWHOST32.EXE""
OR FileName=""TeamViewer_Service.exe""
OR FileName=""RACWinVNC.exe""
OR FileName=""tvnserver.exe""
OR FileName=""unltravnc.exe""
OR FileName=""winvnc.exe""
OR FileName=""VNCHooks.dll""
OR FileName=""LogMeIn.exe""
OR FileName=""winvnc4.exe""
OR FileName=""g2svc.exe""
OR FileName=""vncserver.exe""
|eval FileName=lower(FileName)
| rex field=FileName mode=sed ""s/awhost32.exe/awhost32.exe Symantec PCAnywhere/g""
| rex field=FileName mode=sed ""s/tvnserver.exe/tvnserver.exe TightVNC Server/g""
| rex field=FileName mode=sed ""s/dwrcst.exe/dwrcst.exe Dameware NT Utilities/g""
| rex field=FileName mode=sed ""s/dntus26.exe/dntus26.exe Dameware NT Utilities/g""
| join type=left aid
[| inputlookup aid_master where cid=*
| dedup aid
| fields aid City Country OU SystemProductName ]
| join type=left UserName
[search event_simpleName IN (""UserLogon*"") UserPrincipal!=""svcSCOM.SvcNow@newellco.com"" UserPrincipal=*.*@*.com UserPrincipal!=*.$*.com UserName!=svcSCCM.ClientPush UserName!=SYSTEM earliest=-2d@d]
| rename UserPrincipal to UserName
| stats count values(FileName) values(UserName) values(City) values(Country) values(OU) values(SystemProductName) by ComputerName
| sort -count
Find Chrome Remote Desktop Hits Via DNS
event_simpleName=DnsRequest DomainName=""remotedesktop.google.com"" OR DomainName=""remotedesktop-pa.googleapis.com""
| join type=left ComputerName
[search event_simpleName IN (""UserLogon*"") UserPrincipal=*.*@*.com UserPrincipal!=*.$*.com earliest=-1d@d]
| stats sparkline count by ComputerName UserPrincipal
| sort -count
Count of local admin users logins
event_simpleName=UserLogon UserSid_readable=S-1-5-21-* UserIsAdmin_decimal=1 earliest=-1d@d
| where ComputerName=LogonDomain
| convert ctime(LogonTime_decimal) AS logonTime ctime(PasswordLastSet_decimal) AS lastPwdReset
| stats sparkline count values(ComputerName) by UserName
| sort -count
| where count>5
Create base64 lookup / macro to encode / decode base64
| makeresults
| fields - _time
| eval bin=""0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111""
| makemv delim="" "" bin
| mvexpand bin
| map
[| makeresults
| fields - _time
| eval bin=""$bin$0000 $bin$0001 $bin$0010 $bin$0011 $bin$0100 $bin$0101 $bin$0110 $bin$0111 $bin$1000 $bin$1001 $bin$1010 $bin$1011 $bin$1100 $bin$1101 $bin$1110 $bin$1111""
| makemv delim="" "" bin
| mvexpand bin ] maxsearches=16
| mvcombine bin
| eval dec=mvrange(0,256)
| eval data=mvzip(bin,dec)
| fields - bin,dec
| mvexpand data
| rex field=data ""(?<bin>\d+),(?<dec>\d+)""
| fields - data
| eval ascii=printf(""%c"",dec), hex=printf(""%02X"",dec)
| join type=outer dec
[ makeresults
| fields - _time
| eval base64=""ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/""
| rex field=base64 mode=sed ""s/./& /g""
| makemv delim="" "" base64
| eval dec=mvrange(0,64)
| eval data=mvzip(base64,dec)
| fields - base64,dec
| mvexpand data
| rex field=data ""(?<base64char>[^,]+),(?<dec>[^,]+)""
| fields - data ]
| eval base64bin=if(isnotnull(base64char),substr(bin,3,6),NULL())
| append
[| makeresults
| eval base64bin=""000000""
| eval base64char=""=""
| fields - _time ]
| outputlookup converstionmatrix.csv
-----------------------------------------------------------------------
Create Macro to Decode base64dec(1): arg1 will be your arguments
-----------------------------------------------------------------------
eval b64x_split=split($arg1$,"""")
| lookup converstionmatrix.csv base64char as b64x_split OUTPUT base64bin as b64x_bin
| eval b64x_join=mvjoin(b64x_bin,"""")
| rex field=b64x_join ""(?<b64x_by8>.{8})"" max_match=0
| lookup converstionmatrix.csv bin as b64x_by8 output ascii as b64x_out
| eval $arg1$_ascii=mvjoin(b64x_out,"""")
| fields - b64x_*
-----------------------------------------------------------------------
Create Macro to Encode base64enc(1): arg1 will be your arguments
-----------------------------------------------------------------------
eval b64x_split=split($arg1$,"""")
| lookup converstionmatrix.csv ascii as b64x_split output bin as b64x_bin
| eval b64x_join=mvjoin(b64x_bin,""""),b64x_join=if(len(b64x_join)%6>0,b64x_join.""000000"",b64x_join)
| rex field=b64x_join ""(?<b64x_by6>.{6})"" max_match=0
| lookup converstionmatrix.csv base64bin as b64x_by6 output base64char as b64x_out
| eval $arg1$_base64=mvjoin(b64x_out,"""")
| fields - b64x_*
-----------------------------------------------------------------------
Usage:
-----------------------------------------------------------------------
| makeresults | eval cs1=""MTAxMDEwMTAxCg==~VGhpcyBpcyBhbm90aGVyCg=="" | makemv delim=~ cs1 | mvexpand cs1 | `base64dec(cs1)`
| makeresults | eval cs1=""splunk"" | `base64enc(cs1)` | `base64dec(cs1_base64)`
HTA files
event_simpleName=ProcessRollup2 ImageFileName=""*\mshta.exe""
| table ComputerName,UserName,FileName,CommandLine,SHA256HashData
|regex CommandLine!=""(?i)TeamViewer|officejet|deskjet|Assistant|solidworks|ChangeProxySettings""
| rex field=CommandLine ""\\\\(?<HTA_filename>[^\\\\]*\.hta)""
City,State of possible Wireless Hot Spot usage (WIP old need more wireless network ranges)
| inputlookup managedassets.csv
| eval ""Last Seen (UTC)""=strftime(_time, ""%m/%d/%y %I:%M%p"")
| sort 0 -""Last Seen (UTC)"" | lookup oui.csv MACPrefix OUTPUT Manufacturer
| fillnull value=NA Manufacturer | eval Manufacturer=if(Manufacturer=""NA"",InterfaceDescription,Manufacturer)
| join aid
[| inputlookup aid_master where cid=*
| eval ""Last Seen (UTC)""=strftime(_time, ""%m/%d/%y %I:%M%p"")
| sort 0 -""Last Seen (UTC)"" | lookup oui.csv MACPrefix OUTPUT Manufacturer
| fillnull value=NA Manufacturer | eval Manufacturer=if(Manufacturer=""NA"",InterfaceDescription,Manufacturer)
| dedup aid]
| append
[| inputlookup append=t unmanaged_high.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none
| rename ComputerName AS ""Last Discovered By""
| append
[ inputlookup append=t unmanaged_med.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none
| rename ComputerName AS ""Last Discovered By""]
| append
[| inputlookup append=t unmanaged_low.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none
| rename ComputerName AS ""Last Discovered By""]
| append
[| inputlookup notsupported.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none
| rename ComputerName AS ""Last Discovered By""
]
| eval ""Last Seen (UTC)""=strftime(_time, ""%m/%d/%y %I:%M%p"")
| fillnull value=null aid
| eval LocalAddressIP4=mvsort(mvdedup(split(LocalAddressIP4,"" "")))
| eval discoverer_aid=mvsort(mvdedup(split(discoverer_aid,"" "")))
| eval aip=mvsort(mvdedup(split(aip,"" "")))
| sort 0 -""Last Seen (UTC)""
| lookup oui.csv MACPrefix OUTPUT Manufacturer, ManufacturerAddress
| fillnull value=NA Manufacturer | eval Manufacturer=if(Manufacturer=""NA"",InterfaceDescription,Manufacturer)
]
| search aip=166.128.0.0/9
OR aip=174.192.0.0/10
OR aip=97.128.0.0/9
OR aip=70.192.0.0/11
OR aip=69.96.0.0/13
OR aip=69.82.0.0/15
OR aip=66.174.0.0/16
OR aip=72.96.0.0/11
OR aip=75.192.0.0/10
OR aip=97.0.0.0/10
OR aip=107.64.0.0/10
OR aip=160.170.220.0/22
OR aip=166.128.0.0/13
OR aip=166.136.0.0/15
OR aip=166.138.0.0/16
OR aip=166.147.104.0/25
OR aip=166.170.0.0/19
OR aip=166.170.32.0/20
OR aip=166.170.48.0/21
OR aip=166.170.56.0/22
OR aip=166.171.56.0/22
OR aip=166.171.120.0/22
OR aip=166.171.184.0/22
OR aip=166.171.248.0/22
OR aip=166.172.56.0/22
OR aip=166.172.60.0/22
OR aip=166.172.120.0/22
OR aip=166.172.184.0/22
OR aip=166.172.188.0/22
OR aip=166.173.56.0/22
OR aip=166.173.60.0/22
OR aip=166.173.184.0/22
OR aip=166.173.248.0/22
OR aip=166.175.56.0/22
OR aip=166.175.60.0/22
OR aip=166.175.184.0/22
OR aip=166.175.188.0/22
OR aip=166.176.56.0/22
OR aip=166.176.120.0/22
OR aip=166.176.184.0/22
OR aip=166.176.248.0/22
OR aip=166.177.56.0/22
OR aip=166.177.120.0/22
OR aip=166.177.184.0/22
OR aip=166.177.248.0/22
OR aip=166.216.133.103/32
OR aip=166.216.133.208/28
OR aip=166.216.133.231/32
OR aip=166.216.133.231/32
OR aip=166.216.133.64/28
OR aip=166.216.157.0/24
OR aip=166.216.158.0/24
OR aip=166.216.159.0/24
OR aip=166.216.165.0/24
OR aip=162.160.0.0/11
OR aip=172.32.0.0/11
OR aip=208.54.0.0/17
OR aip=208.54.128.0/19
OR aip=100.128.0.0/9
OR aip=50.28.192.0/18
OR aip=173.96.0.0/11
OR aip=174.155.64.0/18
OR aip=24.221.0.0/16
OR aip=66.87.0.0/16
OR aip=99.200.0.0/13
OR aip=70.12.0.0/15
OR aip=70.8.0.0/14
OR aip=70.14.0.0/16
OR aip=70.0.0.0/13
OR aip=107.32.0.0/11
OR aip=107.24.0.0/13
OR aip=108.102.0.0/16
OR aip=108.96.0.0/11
OR aip=184.204.0.0/16
OR aip=68.24.0.0/13
OR aip=68.240.0.0/13
OR aip=66.1.0.0/22
OR aip=72.56.0.0/13
OR aip=100.48.0.0/12
| table aid,ComputerName,""Last Discovered By"",LastDiscoveredBy,confidence,NeighborName,CurrentLocalIP,LocalAddressIP4,InterfaceDescription,aip,GatewayIP,MAC,Manufacturer,MACPrefix,""Last Seen (UTC)"",City,Country,MachineDomain,OU,SystemManufacturer,SystemProductName,Version,event_platform
| stats count values(aip) by City Country
| sort -count
Take the first 10 hits on a search and look for intresting fields after and before
FileName=""*""
| head 10
| eval eTimeBefore=_time-1800
| eval eTimeAfter=_time+600
|eval CommandLine=""""
|eval SHA256HashData=""""
|eval CommandLine_Short=""""
|eval TargetFileName=""""
|eval RegObjectName=""""
|eval RegValueName=""""
|eval ExecutablesWritten{}.FilePath=""""
|eval GrandparentCommandLine=""""
|eval ParentCommandLine=""""
|eval DetectDescription=""""
| fillnull value=""""
| map search=""search ComputerName=$ComputerName$ _time>=$eTimeBefore$ _time<=$eTimeAfter$""
| rex field=CommandLine ""(?<CommandLine_Short>[^\\\\]+)$""
| rex field=CommandLine_Short ""(?P<CommandLine_Short>\w{75}).*""
| fillnull value=""""
|regex DomainName!=""(?i)adobe.com|google.com|newellco.com|outlook.com|microsoft.com|live\.com|skype\.com|footprintdns\.com|microsoftonline\.com|office365\.com|office\.net|digicert.com|office\.com|windows\.com|lync\.com|apple\.com|windows\.net|icloud\.net|goody\.com|facebook\.com|jahglobal\.net|0\.0\.0\.0|rackcdn\.com|yammer\.com|newellrubbermaid.com""
|regex CommandLine!=""(?i)CCM|PSScriptPolicyTest|teams|Search.*Robot|SearchFilterHost""
| table CommandLine SHA256HashData _time CommandLine_Short TargetFileName RegObjectName RegValueName ExecutablesWritten{}.FilePath GrandparentCommandLine ParentCommandLine DetectDescription DomainName
| fillnull value="""""
Show me Running Processes with MD5 or SHA256 Hash from all machines
event_simpleName=ProcessRollup2 earliest=-8h | dedup SHA256HashData | table ImageFileName SHA256HashData CommandLine
Show me Running Processes with MD5 or SHA256 Hash from all machines
event_simpleName=ProcessRollup2 earliest=-8h | stats count by SHA256HashData ImageFileName | sort - count
Show me Running Processes with MD5 or SHA256 Hash from all machines
event_simpleName=ProcessRollup2 SHA256HashData!="" earliest=-8h | rare SHA256HashData by ImageFileName | where percent < 10 | sort by percent asc
Get Injected Processes from all machines
event_simpleName=*InjectedThread* earliest=-1h | rename event_simpleName as inject_eventname | join TargetProcessId, aid [search (event_simpleName="ProcessRollup2" earliest=-1h)] | table _time inject_eventname ComputerName UserName CommandLine
Get Injected Processes from all machines
event_simpleName=ProcessRollup2 event_platform=Win earliest=-1d ParentBaseFileName!=winlogon.exe ParentBaseFileName!=explorer.exe [search event_simpleName=*InjectedThread* earliest=-1d event_platform=Win | rename ContextProcessId_decimal as SourceProcessId_decimal | fields SourceProcessId_decimal] | stats values(ParentBaseFileName), values(ImageFileName), values(CommandLine) by _time, UserName, SourceProcessId_decimal
Show me AutoRun Program Details from all machines
(event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2) earliest=-8h | rename TargetProcessId_decimal as ContextProcessId_decimal | join ContextProcessId_decimal [search event_simpleName=AsepKeyUpdate earliest=-8h] | eval RegOperationType=case(RegOperationType_decimal=1, "SET_VALUE", RegOperationType_decimal=2, "DELETE", RegOperationType_decimal=3, "CREATE_KEY", RegOperationType_decimal=4, "DELETE_KEY", RegOperationType_decimal=5, "SET_KEY_SECURITY", RegOperationType_decimal=6, "LOAD_KEY", RegOperationType_decimal=7, "RENAME_KEY", RegOperationType_decimal=8, "OPEN_KEY") | table _time ComputerName event_simpleName RegObjectName RegOperationType CommandLine ImageFileName
Show me Running Processes With Parent containing "mutex" from all machines
event_simpleName=ProcessRollup2 earliest=-24h | eval TargetProcessId_decimal=if(FileName="*mutex*" or FileName="*MUTEX*", ParentProcessId_decimal, TargetProcessId_decimal) | stats values(eval(if(FileName="*mutex*" or FileName="*MUTEX*", FileName, null))) as FileName values(eval(if(FileName="*mutex*" or FileName="*MUTEX*", CommandLine, null))) as CommandLine by aid TargetProcessId_decimal | where isnotnull(Parent) and isnotnull(CommandLine)
Get Run Keys Contains ‘VIRUSNAME’ from all Machines (ex: win32.maze.exe)
(event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2) earliest=-8h | rename TargetProcessId_decimal as ContextProcessId_decimal | join ContextProcessId_decimal [search event_simpleName=AsepValueUpdate earliest=-8h (RegObjectName=*VIRUSNAME* or RegStringValue=*VIRUSNAME*) ] | eval RegOperationType=case(RegOperationType_decimal=1, "SET_VALUE", RegOperationType_decimal=2, "DELETE", RegOperationType_decimal=3, "CREATE_KEY", RegOperationType_decimal=4, "DELETE_KEY", RegOperationType_decimal=5, "SET_KEY_SECURITY", RegOperationType_decimal=6, "LOAD_KEY", RegOperationType_decimal=7, "RENAME_KEY", RegOperationType_decimal=8, "OPEN_KEY") | table _time ComputerName event_simpleName RegObjectName RegOperationType RegStringValue CommandLine ImageFileName
Show me PSexec Event Consumers from all machines
psexec earliest=-24h | table _time event_simpleName ComputerName UserName ImageFileName CommandLine
Show me DLL Load Order Hijacking from all machines
(event_simpleName=ReflectiveDllOpenProcess OR event_simpleName=CreateThreadReflectiveDll) earliest=-7d ReflectiveDllName!=metsrv.dll ReflectiveDllName!=metsrv.dll ReflectiveDllName!=server.dll ReflectiveDllName!=metsrv.x64.dll ReflectiveDllName!=metsrv.x86.dll ReflectiveDllName!=ext_server_priv.x86.dll ReflectiveDllName!=ext_server_powershell.x86.dll | table _time ComputerName ReflectiveDllName CallStackModuleNames
Show me Running Processes with MD5 or SHA256 Hash from all machines
event_simpleName=ProcessRollup2 earliest=-8h | dedup SHA256HashData | table ImageFileName SHA256HashData CommandLine
Show me Running Processes with MD5 or SHA256 Hash from all machines
event_simpleName=ProcessRollup2 earliest=-8h | stats count by SHA256HashData ImageFileName | sort - count
Show me Running Processes with MD5 or SHA256 Hash from all machines
event_simpleName=ProcessRollup2 SHA256HashData!="" earliest=-8h | rare SHA256HashData by ImageFileName | where percent < 10 | sort by percent asc
Get Injected Processes from all machines
event_simpleName=*InjectedThread* earliest=-1h | rename event_simpleName as inject_eventname | join TargetProcessId, aid [search (event_simpleName="ProcessRollup2" earliest=-1h)] | table _time inject_eventname ComputerName UserName CommandLine
Get Injected Processes from all machines
event_simpleName=ProcessRollup2 event_platform=Win earliest=-1d ParentBaseFileName!=winlogon.exe ParentBaseFileName!=explorer.exe [search event_simpleName=*InjectedThread* earliest=-1d event_platform=Win | rename ContextProcessId_decimal as SourceProcessId_decimal | fields SourceProcessId_decimal] | stats values(ParentBaseFileName), values(ImageFileName), values(CommandLine) by _time, UserName, SourceProcessId_decimal
Show me AutoRun Program Details from all machines
(event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2) earliest=-8h | rename TargetProcessId_decimal as ContextProcessId_decimal | join ContextProcessId_decimal [search event_simpleName=AsepKeyUpdate earliest=-8h] | eval RegOperationType=case(RegOperationType_decimal=1, "SET_VALUE", RegOperationType_decimal=2, "DELETE", RegOperationType_decimal=3, "CREATE_KEY", RegOperationType_decimal=4, "DELETE_KEY", RegOperationType_decimal=5, "SET_KEY_SECURITY", RegOperationType_decimal=6, "LOAD_KEY", RegOperationType_decimal=7, "RENAME_KEY", RegOperationType_decimal=8, "OPEN_KEY") | table _time ComputerName event_simpleName RegObjectName RegOperationType CommandLine ImageFileName
Show me Running Processes With Parent containing "mutex" from all machines
event_simpleName=ProcessRollup2 earliest=-24h | eval TargetProcessId_decimal=if(FileName="*mutex*" or FileName="*MUTEX*", ParentProcessId_decimal, TargetProcessId_decimal) | stats values(eval(if(FileName="*mutex*" or FileName="*MUTEX*", FileName, null))) as FileName values(eval(if(FileName="*mutex*" or FileName="*MUTEX*", CommandLine, null))) as CommandLine by aid TargetProcessId_decimal | where isnotnull(Parent) and isnotnull(CommandLine)
Get Run Keys Contains ‘VIRUSNAME’ from all Machines (ex: win32.maze.exe)
(event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2) earliest=-8h | rename TargetProcessId_decimal as ContextProcessId_decimal | join ContextProcessId_decimal [search event_simpleName=AsepValueUpdate earliest=-8h (RegObjectName=*VIRUSNAME* or RegStringValue=*VIRUSNAME*) ] | eval RegOperationType=case(RegOperationType_decimal=1, "SET_VALUE", RegOperationType_decimal=2, "DELETE", RegOperationType_decimal=3, "CREATE_KEY", RegOperationType_decimal=4, "DELETE_KEY", RegOperationType_decimal=5, "SET_KEY_SECURITY", RegOperationType_decimal=6, "LOAD_KEY", RegOperationType_decimal=7, "RENAME_KEY", RegOperationType_decimal=8, "OPEN_KEY") | table _time ComputerName event_simpleName RegObjectName RegOperationType RegStringValue CommandLine ImageFileName
Show me PSexec Event Consumers from all machines
(event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2) earliest=-8h | rename TargetProcessId_decimal as ContextProcessId_decimal | join ContextProcessId_decimal [search event_simpleName=AsepValueUpdate earliest=-8h (RegObjectName=*VIRUSNAME* or RegStringValue=*VIRUSNAME*) ] | eval RegOperationType=case(RegOperationType_decimal=1, "SET_VALUE", RegOperationType_decimal=2, "DELETE", RegOperationType_decimal=3, "CREATE_KEY", RegOperationType_decimal=4, "DELETE_KEY", RegOperationType_decimal=5, "SET_KEY_SECURITY", RegOperationType_decimal=6, "LOAD_KEY", RegOperationType_decimal=7, "RENAME_KEY", RegOperationType_decimal=8, "OPEN_KEY") | table _time ComputerName event_simpleName RegObjectName RegOperationType RegStringValue CommandLine ImageFileName
Show me DLL Load Order Hijacking from all machines
(event_simpleName=ReflectiveDllOpenProcess OR event_simpleName=CreateThreadReflectiveDll) earliest=-7d ReflectiveDllName!=metsrv.dll ReflectiveDllName!=metsrv.dll ReflectiveDllName!=server.dll ReflectiveDllName!=metsrv.x64.dll ReflectiveDllName!=metsrv.x86.dll ReflectiveDllName!=ext_server_priv.x86.dll ReflectiveDllName!=ext_server_powershell.x86.dll | table _time ComputerName ReflectiveDllName CallStackModuleNames
Last updated