Sha256 In ("b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0","097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e","2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1","65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5","511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1","4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea","811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d","1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944") OR
( TgtFilePath In Contains Anycase ("web.aspx","help.aspx","document.aspx","errorEE.aspx","errorEEE.aspx","errorEW.aspx","errorFF.aspx","healthcheck.aspx","aspnet_www.aspx","aspnet_client.aspx","xx.aspx","shell.aspx","aspnet_iisstart.aspx","one.aspx") AND
TgtFilePath In Contains Anycase ("C:\inetpub\wwwroot\aspnet_client", "C:\inetpub\wwwroot\aspnet_client\system_web", "FrontEnd\HttpProxy\owa\auth") AND
EventType In ("File Creation","File
| (RegistryKeyPath RegExp "\bMACHINE\\SYSTEM\\.*ControlSet.*\\Services\\.*\\Start" AND EventType = "Registry Value Modified") AND SrcProcName RegExp "(.*\.)?((SolarWinds.BusinessLayerHost.*|ConfigurationWizard.*|NetflowDatabasemaintenance.*|NetFlowService.*|SolarWinds.Administration.*|SolarWinds.Collector.Service.*|SolarwindsDiagnostics.*).exe)" |
| @0daydorpher | |
| SMBConfig | |
| | summarize countif( (EnableSMB1Protocol == true) ) by Device | |
| | where (countif_ > 0) | |
| @IoanPopovici Enabled/Disabled barchart | |
| SMBConfig | |
| | summarize Enabled=countif(EnableSMB1Protocol == true) by Device |
| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> | |
| <html> | |
| <head> | |
| <!--[if gte mso 9]><!--> | |
| <meta http-equiv="X-UA-Compatible" content="IE=edge"> | |
| <!--[if !mso]><!--> | |
| <!--<!--> | |
| <!--[if gte mso 9]><!--> | |
| <h1>You're viewing this in one of the following: | |
| <ul> |
| $Installed = Get-WmiObject -Class Win32Reg_AddRemovePrograms | Where-Object { $_.DisplayName -eq "Sentinel Agent" } | |
| If ( -Not $Installed ) { | |
| # Sentinel Agent not installed/missing. | |
| Return $false | |
| } Else { | |
| $Version = $Installed.Version | |
| $SentinelCtl = "C:\Program Files\SentinelOne\Sentinel Agent $Version\SentinelCtl.exe" | |
| $Status = & $SentinelCtl "status" |
| $SentinelOne = Get-WmiObject -Class Win32Reg_AddRemovePrograms | Where-Object { $_.DisplayName -eq "Sentinel Agent" } | |
| $Boot = Get-WmiObject -class Win32_OperatingSystem | Select-Object __SERVER,@{label='LastRestart';expression={$_.ConvertToDateTime($_.LastBootUpTime)}} | |
| If ( $SentinelOne ) { | |
| # Quick date-time conversion | |
| $InstallDate = Get-Date $([Datetime]::ParseExact($SentinelOne.InstallDate, 'yyyyMMdd', $null)) | |
| $LastRestart = Get-Date $Boot.LastRestart | |
| #Write-Host "Last Reboot: $LastRestart" | |
| #Write-Host "S1 Installed: $InstallDate" |
| <# | |
| Set console_address to your console subdomain, adjust the query limit on filters_api if desired, and replace | |
| YOUR_API_TOKEN with a token that has the required API permissions. | |
| $json holds the raw JSON results returned by the API; the script then converts that JSON and exports it to CSV. | |
| You can do this within your console from the API Doc page. Just navigate to Filters > Get Deep Visibility Filters. | |
| Change your limit and run from console to get the json output. | |
| https://YOUR_CONSOLE.sentinelone.net/api-doc/api-details?category=filters&api=get-deep-visibility-filters | |
| #> |
<#
  Installation compliance check for the SentinelOne agent.

  Queries the Win32Reg_AddRemovePrograms WMI class for an entry whose
  DisplayName is "Sentinel Agent" and returns $true when at least one such
  entry exists, $false otherwise.

  Only the presence of the Add/Remove Programs record is verified; a match
  says nothing about whether the agent service is running or healthy.
  NOTE(review): Win32Reg_AddRemovePrograms is not a stock Windows class
  (it is typically supplied by the ConfigMgr client) - confirm it exists on
  the hosts this check targets.
#>
$SentinelEntry = Get-WmiObject -Class Win32Reg_AddRemovePrograms |
    Where-Object { $_.DisplayName -eq "Sentinel Agent" }

If ( $SentinelEntry ) {
    # At least one matching ARP record: agent is installed.
    Return $true
}

# No matching ARP record: agent not installed / missing.
Return $false
SrcProcPublisher ContainsCIS "PB03 TRANSPORT LTD" OR TgtFileSha256 In AnyCase ("d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e", "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd", "e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2") OR SrcProcCmdLine ContainsCIS "c:\kworking\agent.exe"
`DnsRequest RegExp "(?i)((dubnew|zewatchers|bouquet-de-roses|appsformacpc|friendsandbrgrs|thenewrejuveme|xn--singlebrsen-vergleich-nec|sabel-bf|seminoc|tastewilliamsburg|aselbermachen|creamery201|rerekatu|makeurvoiceheard|bradynursery|aarvorg|artige|highlinesouthasc|sofavietxinh|higadograsoweb|ruralarcoiris|harpershologram.wordpress|ohidesign|international-sound-awards|krlosdavid|durganews|coding-machine|caribbeansunpoker|mir-na-iznanku|promesapuertorico|grelot-home|id-vet|bricotienda|boldcitydowntown|homecomingstudio|sojamindbody|asgestion|danubecloud|no-plans|schoolofpassivewealth|lmtprovisions|talentw
| SrcProcName ContainsCIS "rundll32.exe" and SrcProcCmdLine RegExp "(?i)(shell32.dll.*Control_RunDLL).*" AND SrcProcCmdLine RegExp "^(?!.*CCM\\SMSCFGRC.cpl|.*RunDLL timedate.cpl|.*mmsys.cpl|.*system32\\appwiz.cpl).*" AND TgtProcCmdLine RegExp "^(?!.*desk.cpl,ScreenSaver|.*launchalpsdelltouchpad|.*System32\\hdwwiz.cpl|.*ClearMyTracksByProcess).*" AND TgtProcName Not In ( "ieunatt.exe", "ieUnatt.exe", "MouseKeyboardCenter.exe", "mmc.exe", "Bubbles.scr", "SystemPropertiesComputerName.exe" ) |