Queries
Commonly abused paths (WHERE clause for module/DLL results):
WHERE ModulePath =~ "System32"
   OR ModulePath =~ "SysWOW64"
   OR ModulePath =~ "C:\Users"
   OR ModulePath =~ "C:\Program Files"
   OR ModulePath =~ "C:\Program Files (x86)"
   OR ModulePath =~ "Startup"
   OR ModulePath =~ "C:\Temp"
   OR ModulePath =~ "C:\Windows\Temp"
   OR ModulePath =~ "Perflog"
Processes
// Get a free VT API key
LET VTKey <= ""
// Build the list of untrusted processes first
LET Results = SELECT Name, CommandLine, Exe, Hash.SHA256 AS SHA256, count() AS Count
  FROM source()
  WHERE Authenticode.Trusted = "untrusted"
    AND SHA256 // only entries with the required SHA256
  GROUP BY Exe, SHA256
// Now combine the previous query with the Server Enrichment query
SELECT *, {
    SELECT VTRating FROM Artifact.Server.Enrichment.Virustotal(VirustotalKey=VTKey, Hash=SHA256)
  } AS VTResults
FROM foreach(row=Results)
WHERE Count < 10
ORDER BY VTResults DESC
***********************
PROCESSES BUT AS A SERVER ARTIFACT
name: Server.Artifact.Processes
description: Post Processing for VT Process Hash Lookup
# Can be CLIENT, CLIENT_EVENT, SERVER, SERVER_EVENT
type: SERVER
sources:
  - query: |
      LET VTKey <= ""
      LET Results = SELECT Name, CommandLine, Exe, Hash.SHA256 AS SHA256, count() AS Count
        FROM source(hunt_id="")
        WHERE Authenticode.Trusted = "untrusted" AND NOT Exe =~ "velo"
          AND SHA256 // only entries with the required SHA256
        GROUP BY Exe, SHA256
      SELECT *, {
          SELECT VTRating FROM Artifact.Server.Enrichment.Virustotal(VirustotalKey=VTKey, Hash=SHA256)
        } AS VTResults
      FROM foreach(row=Results)
      WHERE Count < 10
      ORDER BY VTResults DESC
******************
DLLS - Make sure to enable certificate and hash collection in the artifact configuration (Certinfo and Hash.SHA256 are empty otherwise)
LET VTKey <= ""
LET Results = SELECT Fqdn, Pid, Name, ModuleName, ModulePath, Hash.SHA256 AS SHA256, count() AS Count
  FROM source()
  WHERE Certinfo.Trusted != "trusted"
SELECT *, {
    SELECT VTRating FROM Artifact.Server.Enrichment.Virustotal(VirustotalKey=VTKey, Hash=SHA256)
  } AS VTResults
FROM foreach(row=Results)
WHERE Count < 10
ORDER BY VTResults DESC
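Added example (not part of the original notes file): the "commonly abused paths" filter and the untrusted-DLL rarity query above combined into one post-processing query, grouped by hash so that each unique module is listed once together with the hosts it was seen on. It assumes the same source() columns as the DLL query (ModulePath, ModuleName, Fqdn, Certinfo.Trusted, Hash.SHA256) and the VQL aggregate function enumerate() for collecting the hostnames of each group.

```vql
// Regex of the commonly abused directories. A '.' stands in for the
// path separator so no backslash escaping is needed inside the string.
LET AbusedPaths = '''(?i)System32|SysWOW64|C:.Users|C:.Program Files|Startup|C:.Temp|C:.Windows.Temp|Perflog'''

// Untrusted (unsigned or invalidly signed) modules loaded from an abused
// path, one row per unique SHA256 with the set of hosts that loaded it.
LET Untrusted = SELECT ModuleName, ModulePath, Hash.SHA256 AS SHA256,
       count() AS Count,
       enumerate(items=Fqdn) AS Hosts
  FROM source()
  WHERE Certinfo.Trusted != "trusted"
    AND Hash.SHA256            // skip rows where hashing was not enabled
    AND ModulePath =~ AbusedPaths
  GROUP BY SHA256

// Rare modules first: a hash seen on only a few hosts is the most
// interesting one to review, widely deployed ones are usually benign.
SELECT * FROM Untrusted
WHERE Count < 10
ORDER BY Count
```

Feed the resulting SHA256 column into the Server.Enrichment.Virustotal lookup from the DLL query above if a reputation check is wanted on top of the rarity ranking.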
********************
Sockets Post Process
SELECT Name, `Laddr.IP`, `Raddr.IP`, Fqdn
  FROM source(artifact="Windows.Network.Netstat")
  GROUP BY `Raddr.IP`
4624 EvtxHunter Post Process
SELECT EventTime, Computer, EventID, EventData.SubjectUserName, EventData.TargetUserName,
       EventData.IpAddress, EventData.WorkstationName, EventData.ProcessName, EventData.LogonType, Fqdn
  FROM source(artifact="Windows.EventLogs.EvtxHunter")
Adding a label to clients based on ClientID - Append this to the SELECT column list; ClientID is available from source() even when it is not itself one of the selected columns
, label(client_id=ClientID, labels="", op="set")
Yara Forge Query (removes duplicates and some false positives, e.g. hits on the Velociraptor and Check Point binaries themselves)
SELECT Category, `File Path`, Fqdn, count() AS Count
  FROM source(artifact="CPIRT.Windows.Scanner.Yara.Parsed")
  WHERE NOT `File Path` =~ "Velo" AND NOT `File Path` =~ "CheckPoint"
  GROUP BY `File Path`