- eif-parser
- Get-InjectedThread
- Nork-Nork.exe
- CredDefense (ResponderGuard)
- Powershell Script Block Logging (Event ID 4104)
- Sysmon Event ID 3
- Honey Credentials (Event ID 4648)
- https://www.markdownguide.org/cheat-sheet/
- https://markdownlivepreview.com/
- 4624 (successful logon)
- 4625 (failed logon)
- 4634 (successful logoff)
- 4647 (user-initiated logoff)
- 4648 (logon using explicit credentials)
- 4672 (special privileges assigned)
- 4768 (Kerberos ticket (TGT) requested)
- 4769 (Kerberos service ticket requested)
- 4771 (Kerberos pre-auth failed)
- 4776 (attempted to validate credentials)
- 4778 (session reconnected)
- 4779 (session disconnected)
- 4720 (account created)
- 4722 (account enabled)
- 4724 (attempt to reset password)
- 4728 (user added to global group)
- 4732 (user added to local group)
- 4756 (user added to universal group)
| Logon Type | Name | Description |
|---|---|---|
| 2 | Interactive | A user physically logged onto this computer. |
| 3 | Network | A user or computer logged on from the network. |
| 4 | Batch | Used by batch servers where processes may run on behalf of a user, such as scheduled tasks. |
| 5 | Service | A service started by the Service Control Manager. |
| 7 | Unlock | The workstation was unlocked. |
| 8 | NetworkCleartext | Network credentials sent in cleartext. |
| 9 | NewCredentials | A caller cloned its current token and specified new credentials (runas command). |
| 10 | RemoteInteractive | A user logged onto this computer using Terminal Services or RDP. |
| 11 | CachedInteractive | A user logged onto this computer using network credentials that were stored locally on the computer. |
- Looking for Event ID 4624 with Logon Type 3, Logon Process NtLmSsp and Key Length 0
- Looking for Event ID 4624 and 4778, Logon Type 3
- Looking for Event ID 4625, Logon Type 3
- Looking for "\" and the "-accepteula" prefix
- 5145 (captures requests to shares, we are interested in ADMIN$ and IPC$)
- 5140 (share successfully accessed)
- 4697 / 7045 (service creation)
- 4688 / Sysmon EID 1
- Looking for Event ID 4698, 106, 200, 201
- Looking for Event ID 4776, 5140, 5145
- Looking for Event ID 1102, 104
- https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/lateral-movement-windows-authentication-logs.md
- https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/lateral_movement_detection_via_process_monitoring.md
- https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/lateral-movement-via-explicit-credentials.md
- https://jpcertcc.github.io/ToolAnalysisResultSheet/
- https://www.jpcert.or.jp/english/pub/sr/DetectingLateralMovementThroughTrackingEventLogs_version2.pdf
- https://lolbas-project.github.io/
- Looking for hashes
- Looking for process description
- https://car.mitre.org/analytics/CAR-2013-04-002/
- Event ID 4104, 4105, 4106
- https://github.com/Neo23x0/sigma/tree/master/rules/windows/powershell
- https://github.com/danielbohannon/Invoke-Obfuscation
- https://github.com/Ben0xA/nps
- Looking for Event ID 400, 500
- https://github.com/GhostPack
- ETW
- https://github.com/fireeye/SilkETW
- https://github.com/byt3bl33d3r/SILENTTRINITY
- `Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-Sysmon/Operational"; id=1} | Where-Object {$_.Properties[10].Value -like "*Windows_Reporting.exe*"} | fl` (Sysmon EID 1; `Properties[10]` is CommandLine in the schema that has RuleName at index 0; the wildcards are needed because `-like` without them is an exact match)
- https://github.com/endgameinc/ClrGuard
- https://zhuanlan.zhihu.com/p/38601278
- https://pen-testing.sans.org/resources/papers/gpen/preventing-living-land-attacks-140526
- https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
- https://blog.f-secure.com/hunting-for-amsi-bypasses/
- https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/
- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_26.html
- `Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-Sysmon/Operational"; id=1} | Where-Object {$_.Properties[20].Value -like "*wmi*"} | fl` (Sysmon EID 1; `Properties[20]` is ParentImage in the schema that has RuleName at index 0; the wildcards are needed because `-like` without them is an exact match)
- https://www.sans.org/reading-room/whitepapers/threathunting/hunting-gathering-powershell-38842
- https://github.com/Infocyte/PSHunt
- https://devblogs.microsoft.com/scripting/use-powershell-cmdlet-to-filter-event-log-for-easy-parsing/
- https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536354143.pdf