Web Brute Force Attack Query
```spl
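index="botsv2" dest_ip="172.31.4.249" uri_path="/member.php" src_ip="45.77.65.211" status=200
| rex field=form_data "quick_username=(?<username>[^&]+)"
| rex field=form_data "quick_password=(?<password>[^&]+)"
| eval user_pass_combination=username . ":" . password
| stats count values(user_pass_combination) by src_ip site uri_path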
```
```spl
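index=botsv1 source="WinEventLog:Microsoft-Windows-Sysmon/Operational"
    Image IN (
        "*\\at.exe", "*\\certutil.exe", "*\\cmd.exe", "*\\cscript.exe", "*\\csvde.exe",
        "*\\mmc.exe", "*\\msbuild.exe", "*\\mshta.exe", "*\\net.exe", "*\\powershell.exe",
        "*\\psexec.exe", "*\\schtasks.exe", "*\\systeminfo.exe", "*\\utilman.exe",
        "*\\vssadmin.exe", "*\\whoami.exe", "*\\wmic.exe", "*\\wscript.exe"
    )
| stats count values(CommandLine) by Image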
```
```spl
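index=your_index
    sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational"
    process="*\\net.exe"
    (CommandLine="*net group*" OR CommandLine="*net localgroup*")
| stats count by Computer, CommandLine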
```
The following Splunk search identifies PowerShell executing an encoded script.
```spl
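index=your_index
    sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational"
    process="*\\powershell.exe"
    CommandLine IN (
        "*-e *", "*-ec *", "*-en *", "*-enc *", "*-enco *", "*-encod *", "*-encode *",
        "*-encoded *", "*-encodedc *", "*-encodedco *", "*-encodedcom *",
        "*-encodedcomm *", "*-encodedcomma *", "*-encodedcomman *", "*-encodedcommand *"
    )
| stats count by CommandLine
| sort - count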
```
```lucene
winlog.event_data.ScriptBlockText:(
    *BitsTransfer* OR *curl* OR *DownloadData* OR *DownloadFile* OR *DownloadString* OR
    *Excel.Application* OR *InternetExplorer.Application* OR *Msxml2.XMLHTTP* OR
    *MsXML2.ServerXML* OR *OpenRead* OR *RestMethod* OR *System.XML.XMLDocument* OR
    *WebClient* OR *WebRequest* OR *wget* OR *WinHTTP* OR *Word.Application*
)
```
```lucene
(
    winlog.event_data.Description:*PowerShell
    OR winlog.event_data.Image:*powershell.exe
)
AND winlog.event_data.CommandLine:*-e*
```
```lucene
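winlog.event_data.ScriptBlockText:(
    (*char* AND *join*)
    OR (
        (*ToInt* OR *ToInt16* OR *ToDecimal* OR *ToByte* OR *ToUInt* OR *ToSingle*)
        AND (*ToChar* OR *ToString* OR *String*)
    )
    OR (*ForEach* AND *Xor*)
)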
```
OR
```lucene
winlog.event_data.ScriptBlockText:(
    *46esab* OR *daolnwod* OR *dnammoc* OR *eddih* OR *ekovn* OR *elifd* OR
    *elifotevas* OR *esnopser* OR *etirw* OR *hcaerof* OR *hctac* OR *kearb* OR
    *llehsrewop* OR *maerts* OR *ptth* OR *rahc* OR *retupmoc* OR *ssecorp* OR
    *tcejbo* OR *tneilc* OR *tneilcbew* OR *tpircs*
)
```
```spl
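index=winsysmon EventCode=1 AND Description="Windows PowerShell"
    AND (Image!="*\\powershell.exe" AND Image!="*\\powershell_ise.exe")
| rex field=Hashes "MD5=(?<MD5>[A-Fa-f0-9]+)"
| table _time, Computer, User, Image, CommandLine, ParentImage, MD5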
```