cbr-queries

Carbon Black Response - Queries

The most recently added queries are listed below.

Domain Fronts

Network connections to cloud and CDN domains that are commonly used as fronts. Plenty of legitimate software talks to the same endpoints, so treat this as a hunting pivot and narrow it with process_name, parent_name, digsig_result or netconn_count rather than alerting on the domain alone.

domain:azurewebsites.net OR domain:appspot.com OR domain:amazonaws.com OR domain:windows.net OR domain:cloudfront.net OR domain:akamai.net OR domain:akamaiedge.net OR domain:kunlungr.com

From Here

Interesting behaviors

process_name:whoami.exe crossproc_name:wmiprvse.exe

parent_name:explorer.exe process_name:whoami.exe

parent_name:explorer.exe process_name:whoami.exe crossproc_name:wmiprvse.exe

Things

scrobj.dll (the scriptlet/COM runtime) or clr.dll (the .NET runtime) loaded into rundll32.exe, cscript.exe or installutil.exe means scriptlets or managed code are being run through a signed Microsoft binary instead of a dropped executable; amsi.dll inside rundll32.exe is the same signal from the AMSI side. The cmdline terms pin the DLLs whose INF-launching exports are usually invoked through rundll32 (advpack.dll, ieadvpack.dll, syssetup.dll), and -username:SYSTEM drops installer and servicing noise.

process_name:rundll32.exe modload:amsi.dll

process_name:rundll32.exe (modload:scrobj.dll OR modload:clr.dll)

process_name:rundll32.exe (modload:scrobj.dll OR modload:clr.dll) -username:SYSTEM cmdline:advpack.dll

process_name:rundll32.exe (modload:scrobj.dll OR modload:clr.dll) cmdline:ieadvpack.dll

process_name:rundll32.exe (modload:scrobj.dll OR modload:clr.dll) cmdline:syssetup.dll

process_name:cscript.exe (modload:scrobj.dll AND modload:clr.dll)

parent_name:cmd.exe process_name:installutil.exe modload:clr.dll -username:SYSTEM

process_name:installutil.exe modload:clr.dll -username:SYSTEM -cmdline:realtek

parent_name:cmd.exe process_name:installutil.exe modload:clr.dll

process_name:installutil.exe modload:clr.dll -username:SYSTEM cmdline:.dll

process_name:installutil.exe cmdline:.dll -username:SYSTEM

stuff

The query syntax has no | alternation, so the Office hosts have to be spelled out as an OR group:

(process_name:excel.exe OR process_name:winword.exe OR process_name:powerpnt.exe) (cmdline:.dll OR cmdline:.exe)

process_name:control.exe

process_name:winword.exe cmdline:http:\

parent_name:winword.exe process_name:rundll32.exe netconn_count:[1 TO *]

Sample command line for the control.exe / rundll32.exe case above (a DLL launched through Shell32's Control_RunDLL export), not itself a query:

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL c:\users\public\test2.dll

modload:mscor* AND modload:clr.dll AND -process_name:mscorsvw.exe AND path:c:\users* AND modload:samlib.dll

wscript stuff

internal_name comes from the binary's version resource, so a renamed wscript.exe (or schtasks.exe below) still surfaces when its process_name no longer matches.

internal_name:wscript.exe -process_name:wscript.exe

parent_name:taskeng.exe internal_name:wscript.exe -process_name:wscript.exe

path:AppData\Roaming\*

internal_name:schtasks.exe -process_name:schtasks.exe

Check Yo RDP

Binary search for copies of termdd.sys (the Terminal Services driver) that are not at the pinned file version. The version below belongs to one OS build, so hosts on other builds need their own expected version; read a hit as "not the version you expect", not as proof the host is unpatched.

-file_version:6.1.7601.24441 observed_filename:termdd.sys

Conhost

Processes that spawned conhost.exe. On Windows 8 and later conhost.exe is a child of the console application itself, so this returns every console program (on Windows 7 it hangs off csrss.exe instead); narrow with parent_name, path or username before relying on it.

childproc_name:conhost.exe

Eternalblue-Doublepulsar-Metasploit

filemod (any of the following; fold them into one OR clause before running):

etebcore-2.x86.dll
eternalblue-2.2.0.fb
eternalchampion-2.0.0.fb

modload (any of the following):

trch-1.dll
libxml2.dll
tucl-1.dll
coli-0.dll
exma-1.dll
tibe-2.dll
cnli-1.dll
xdvl-0.dll
crli-0.dll
ssleay32.dll
libeay32.dll
trfo-2.dll
posh-0.dll
ucl.dll
zlib1.dll

Registry writes that turn off Defender notifications or set the DisableAntiSpyware policy:

(regmod:"\registry\machine\software\microsoft\windows defender security center\notifications\disablenotifications")

(regmod:"\registry\machine\software\policies\microsoft\windows defender\disableantispyware")

is_executable_image_filewrite:true AND process_name:powershell.exe

cmdline:--* AND netconn_count:[2 TO *] AND modload:"c:\windows\syswow64\bcrypt.dll" AND digsig_result:"Untrusted Root"

process_name:winword.exe regmod:software\microsoft\windows\currentversion\run\* modload:vbe*.dll

parent_name:winword.exe regmod:software\microsoft\windows\currentversion\run\* childproc_name:winword.exe childproc_name:cmd.exe

process_name:regsvr32.exe AND cmdline:f1 AND childproc_name:rundll32.exe AND childproc_count:[2 TO *]
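There is nothing on this page to try a query against before pointing it at a server. The block below is an added example, not code from the cbr-queries repository (whose content is the queries themselves): a small Python approximation of the CbR query grammar that runs several of the queries above, including the Eternalblue-Doublepulsar module list folded into a single OR clause, over constructed sample records. The field semantics are an assumption: real CbR tokenises text fields, so this checks a query's syntax and Boolean logic, not what the server will return. For a live run, cbapi's CbResponseAPI(profile=...).select(Process).where(query) accepts the same strings.

```python
"""Offline sanity checks for the Carbon Black Response (CbR) queries on this page.
Added example, not part of the cbr-queries repository: parse()/matches() approximate CbR's
Solr-style grammar over plain dict records; real CbR tokenises fields, so treat a local hit
as a syntax/logic check, not ground truth."""
import re

# Indicator lists from the Eternalblue-Doublepulsar-Metasploit section above.
DOUBLEPULSAR_MODLOADS = ["trch-1.dll", "libxml2.dll", "tucl-1.dll", "coli-0.dll", "exma-1.dll",
                         "tibe-2.dll", "cnli-1.dll", "xdvl-0.dll", "crli-0.dll", "ssleay32.dll",
                         "libeay32.dll", "trfo-2.dll", "posh-0.dll", "ucl.dll", "zlib1.dll"]
DOUBLEPULSAR_FILEMODS = ["etebcore-2.x86.dll", "eternalblue-2.2.0.fb", "eternalchampion-2.0.0.fb"]

# Tokens: parens, AND/OR, or a (maybe "-" negated) field:value term whose value is a quoted
# string, a [lo TO hi] range, or a bare token with no spaces or parens.
_TOKEN = re.compile(r'\(|\)|\bAND\b|\bOR\b|-?[\w.]+:(?:"[^"]*"|\[[^\]]*\]|[^\s()]+)')

def any_of(field, values):
    """Fold an indicator list into one clause: (field:a OR field:b OR ...)."""
    return "(" + " OR ".join(f"{field}:{v}" for v in values) + ")"

def parse(query):
    """Recursive-descent parse into nested ("and"|"or"|"not"|"term", ...) tuples."""
    toks = _TOKEN.findall(query)

    def expr():                                   # expr := and_expr (OR and_expr)*
        node = and_expr()
        while toks and toks[0] == "OR":
            toks.pop(0)
            node = ("or", node, and_expr())
        return node

    def and_expr():                               # and_expr := unary (AND? unary)*
        node = unary()                            # juxtaposition is an implicit AND
        while toks and toks[0] not in ("OR", ")"):
            if toks[0] == "AND":
                toks.pop(0)
            node = ("and", node, unary())
        return node

    def unary():                                  # unary := "(" expr ")" | -term | term
        tok = toks.pop(0)
        if tok == "(":
            node = expr()
            assert toks.pop(0) == ")", "unbalanced parentheses in query"
            return node
        if tok.startswith("-"):
            return ("not", ("term", tok[1:]))
        return ("term", tok)

    return expr()

def _term_matches(term, record):
    field, value = term.split(":", 1)
    value = value.strip('"')
    if field in ("netconn_count", "childproc_count"):     # exact number or [lo TO hi]
        n, rng = record.get(field, 0), re.fullmatch(r"\[(\S+) TO (\S+)\]", value)
        if not rng:
            return n == int(value)
        return (rng[1] == "*" or int(rng[1]) <= n) and (rng[2] == "*" or n <= int(rng[2]))
    # "*" is the only wildcard; otherwise a case-insensitive substring hit anywhere in the
    # field stands in for CbR's tokenised text matching (paths, cmdlines, module names).
    pattern = re.escape(value.lower()).replace(r"\*", ".*")
    values = record.get(field, [])
    values = values if isinstance(values, list) else [values]
    return any(re.search(pattern, str(v).lower()) for v in values)

def matches(query, record):
    """True if the record satisfies the query under the approximation above."""
    def ev(n):
        if n[0] == "term":
            return _term_matches(n[1], record)
        if n[0] == "not":
            return not ev(n[1])
        return ev(n[1]) and ev(n[2]) if n[0] == "and" else ev(n[1]) or ev(n[2])
    return ev(parse(query))

def _proc(process_name, parent_name, username, cmdline, modload=(), netconn_count=0, **extra):
    return {"process_name": process_name, "parent_name": parent_name, "username": username,
            "cmdline": cmdline, "modload": list(modload), "netconn_count": netconn_count, **extra}

# Constructed sample records shaped like CbR process documents (not real telemetry).
SAMPLES = {
    "wmi_whoami": _proc("whoami.exe", "explorer.exe", "CORP\\alice", "whoami /all", crossproc_name=["wmiprvse.exe"]),
    "rundll32_advpack": _proc("rundll32.exe", "cmd.exe", "CORP\\alice", "rundll32.exe advpack.dll,LaunchINFSection c:\\users\\public\\x.inf,DefaultInstall", ["c:\\windows\\system32\\scrobj.dll"]),
    "word_rundll32": _proc("rundll32.exe", "winword.exe", "CORP\\bob", "rundll32.exe c:\\users\\public\\test2.dll,Start", netconn_count=3),
    "doublepulsar_host": _proc("svchost.exe", "services.exe", "SYSTEM", "svchost.exe -k netsvcs", ["c:\\windows\\system32\\trch-1.dll", "c:\\windows\\system32\\tibe-2.dll"]),
}

PAGE_QUERIES = {   # queries from this page, plus the DoublePulsar module list folded by any_of()
    "whoami_via_wmi": "parent_name:explorer.exe process_name:whoami.exe crossproc_name:wmiprvse.exe",
    "rundll32_advpack": "process_name:rundll32.exe (modload:scrobj.dll OR modload:clr.dll) -username:SYSTEM cmdline:advpack.dll",
    "word_rundll32_netconn": "parent_name:winword.exe process_name:rundll32.exe netconn_count:[1 TO *]",
    "doublepulsar_modloads": any_of("modload", DOUBLEPULSAR_MODLOADS),
}

def hits(queries=PAGE_QUERIES, records=SAMPLES):
    """Map each query name to the sorted names of the sample records it matches."""
    return {name: sorted(r for r, rec in records.items() if matches(q, rec)) for name, q in queries.items()}
```

hits() prints which constructed record each query catches; the same matches() call is a quick way to confirm, for instance, that a | in a process_name value is a literal character and matches nothing, or that a -username:SYSTEM term really excludes the SYSTEM record.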
