Skip to content

k4nfr3/XDR_scripts

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

48 Commits
images
images
 
 
BIOC-Jetico_signed.bioc
BIOC-Jetico_signed.bioc
 
 
BIOC-Jetico_signed.md
BIOC-Jetico_signed.md
 
 
BIOC-Kerberoasting-Canary-Account.bioc
BIOC-Kerberoasting-Canary-Account.bioc
 
 
BIOC-Kerberoasting-Canary-Account.md
BIOC-Kerberoasting-Canary-Account.md
 
 
BIOC-MadLicensing-CVE-2024-38077-RPC-Call.bioc
BIOC-MadLicensing-CVE-2024-38077-RPC-Call.bioc
 
 
BIOC-MadLicensing-CVE-2024-38077-RPC-Call.md
BIOC-MadLicensing-CVE-2024-38077-RPC-Call.md
 
 
BIOC-PetitPotam-Authentication-Coercer.bioc
BIOC-PetitPotam-Authentication-Coercer.bioc
 
 
BIOC-PetitPotam-Authentication-Coercer.md
BIOC-PetitPotam-Authentication-Coercer.md
 
 
BIOC-PetitPotam-EventLog-ElfrOpenBELW.bioc
BIOC-PetitPotam-EventLog-ElfrOpenBELW.bioc
 
 
BIOC-PetitPotam-EventLog-ElfrOpenBELW.md
BIOC-PetitPotam-EventLog-ElfrOpenBELW.md
 
 
BIOC-PetitPotam_DFSNM_Authenticaton_Coercer.bioc
BIOC-PetitPotam_DFSNM_Authenticaton_Coercer.bioc
 
 
BIOC-PetitPotam_DFSNM_Authenticaton_Coercer.md
BIOC-PetitPotam_DFSNM_Authenticaton_Coercer.md
 
 
BIOC-PetitPotam_Spoolss_Authentication_Coercer.bioc
BIOC-PetitPotam_Spoolss_Authentication_Coercer.bioc
 
 
BIOC-PetitPotam_Spoolss_Authentication_Coercer.md
BIOC-PetitPotam_Spoolss_Authentication_Coercer.md
 
 
BIOC-RBCD_Attack.bioc
BIOC-RBCD_Attack.bioc
 
 
BIOC-RBCD_Attack.md
BIOC-RBCD_Attack.md
 
 
BIOC-Rdrleakdiag-lolbas.bioc
BIOC-Rdrleakdiag-lolbas.bioc
 
 
BIOC-Rdrleakdiag-lolbas.md
BIOC-Rdrleakdiag-lolbas.md
 
 
BIOC-SCRT-Mr-D0x-XDR-Disable-chg-registry-value.bioc
BIOC-SCRT-Mr-D0x-XDR-Disable-chg-registry-value.bioc
 
 
BIOC-SCRT-Mr-D0x-XDR-Disable-chg-registry-value.md
BIOC-SCRT-Mr-D0x-XDR-Disable-chg-registry-value.md
 
 
BIOC-SprintCSP.dll.bioc
BIOC-SprintCSP.dll.bioc
 
 
BIOC-SprintCSP.dll.md
BIOC-SprintCSP.dll.md
 
 
BIOC-TTTracerinjection-into-LSASS.bioc
BIOC-TTTracerinjection-into-LSASS.bioc
 
 
BIOC-TTTracerinjection-into-LSASS.md
BIOC-TTTracerinjection-into-LSASS.md
 
 
BIOC-cdpsgshims.dll.bioc
BIOC-cdpsgshims.dll.bioc
 
 
BIOC-cdpsgshims.dll.md
BIOC-cdpsgshims.dll.md
 
 
BIOC-suspicious-command-line to Critical registry and NTDS file.bioc
BIOC-suspicious-command-line to Critical registry and NTDS file.bioc
 
 
BIOC-suspicious-command-line to Critical registry and NTDS file.md
BIOC-suspicious-command-line to Critical registry and NTDS file.md
 
 
BIOC-wlanapi.dll_LPE.bioc
BIOC-wlanapi.dll_LPE.bioc
 
 
BIOC-wlanapi.dll_LPE.md
BIOC-wlanapi.dll_LPE.md
 
 
BIOC_PingCastle_ADCS_scanning.bioc
BIOC_PingCastle_ADCS_scanning.bioc
 
 
BIOC_PingCastle_ADCS_scanning.md
BIOC_PingCastle_ADCS_scanning.md
 
 
Forensic_4624_type_10
Forensic_4624_type_10
 
 
LICENCE
LICENCE
 
 
ProcDump.py
ProcDump.py
 
 
README.md
README.md
 
 
SCRT_invalid_driver_hunt.bioc
SCRT_invalid_driver_hunt.bioc
 
 
SCRT_invalid_driver_hunt.md
SCRT_invalid_driver_hunt.md
 
 
Widget_Agent_Type
Widget_Agent_Type
 
 
Widget_Network_Probes_Last_events
Widget_Network_Probes_Last_events
 
 
XDR-Collector-config-DHCP-Filebeat.txt
XDR-Collector-config-DHCP-Filebeat.txt
 
 
XDR_Collector_Exchange_Msg_Tracking
XDR_Collector_Exchange_Msg_Tracking
 
 
XDR_Collector_config_IIS.txt
XDR_Collector_config_IIS.txt
 
 
XDR_loldriver.io_update_IOC.md
XDR_loldriver.io_update_IOC.md
 
 
XDR_loldriver.io_update_IOC.py
XDR_loldriver.io_update_IOC.py
 
 
XQL_4624_successfull_Logons
XQL_4624_successfull_Logons
 
 
XQL_Account_Lockout
XQL_Account_Lockout
 
 
XQL_Computer_Account_created.txt
XQL_Computer_Account_created.txt
 
 
XQL_Failed_Logins.txt
XQL_Failed_Logins.txt
 
 
XQL_Failed_Logins_francais.txt
XQL_Failed_Logins_francais.txt
 
 
XQL_General_event_logs
XQL_General_event_logs
 
 
XQL_Kerb_PreAuth_4771
XQL_Kerb_PreAuth_4771
 
 
XQL_Kerberoasting_of_canary_account
XQL_Kerberoasting_of_canary_account
 
 
XQL_Powershell_transcripts
XQL_Powershell_transcripts
 
 
XQL_RPC_LSAT
XQL_RPC_LSAT
 
 
XQL_Threat_hunt_kerberos_request
XQL_Threat_hunt_kerberos_request
 
 
XQL_driver_hunting
XQL_driver_hunting
 
 
XQL_graph_process_by_hour
XQL_graph_process_by_hour
 
 
convert_to_md.py
convert_to_md.py
 
 
fullmemorydump.py
fullmemorydump.py
 
 
xdr_log4j.py
xdr_log4j.py
 
 
xdr_loldriver_api_role.png
xdr_loldriver_api_role.png
 
 

Repository files navigation

XDR_scripts

A few custom BIOC signature

  • some LPE(s)
  • PetitPotam (from Coercer)
  • privesc on some DLL creation
  • Lsass memory dump via microsoft TTTracer

A few XQL queries which can be used for widgets

  • one for detecting Canary accounts (which will be trigguered via Kerberoasting attack)

A few XDR Scripts

  • ProcDump.py is as you might expect to run a ProcDump on a process pid. pid to be passed as argument. (this is not my code but from somebody I don't know )

  • Fullmemorydump.py is as you might expect to run winpmem to get the entire memory dump for Forensic purpose.

A few XDR Collector Filebeat configurations

A Python script uploading IOC to XDR tenant via API rest

  • XDR_loldriver.io_update_IOC.py

My whish list of improvements for Cortex XDR

  • Original filenames field in process events and other data
  • Driver load signature field (against BYOVD)
  • BIOC specific fields to report in a Alert (basically give in the Alert the fields you want to show to the operator)
  • Every hour or so, check your own subscription as a ETW provider (against BYOVD)

About

A few XDR Scripts

Topics

bioc xdr cortex xql

Resources

Readme

License

BSD-3-Clause license
Activity

Stars

16 stars

Watchers

3 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages