API tools faq
paste
chapinb

TS Search Template

chapinb
Nov 4th, 2019
571
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
YAML 1.78 KB | None | 0 0
raw download clone embed print report
  1. - name: Scheduled Tasks
  2.   query_dsl: '""'
  3.   query_string: 'event_identifier:(4698 OR 4702)'
  4.   supported_os: []
  5. - name: Service Installed
  6.   query_dsl: '""'
  7.   query_string: 'event_identifier:7045'
  8.   supported_os: []
  9. - name: RDP
  10.   query_dsl: '""'
  11.   query_string: '((event_identifier:(4624)) AND ("LogonType\>10")) OR event_identifier:
  12.    22'
  13.   supported_os: []
  14. - name: Account Creation
  15.   query_dsl: '""'
  16.   query_string: 'event_identifier:(4720 OR 4721)'
  17.   supported_os: []
  18. - name: Event Log Cleared
  19.   query_dsl: '""'
  20.   query_string: 'event_identifier:(1102 OR 517)'
  21.   supported_os: []
  22. - name: NTUSER.DAT Creation
  23.   query_dsl: '""'
  24.   query_string: 'filename:"NTUSER.DAT" AND timestamp_desc:creation'
  25.   supported_os: []
  26. - name: Windows Defender
  27.   query_dsl: '""'
  28.   query_string: '"Microsoft-Windows-Windows Defender Strings" AND event_identifier:
  29.    1006'
  30.   supported_os: []
  31. - name: Registry Scheduled Tasks
  32.   query_dsl: '""'
  33.   query_string: 'data_type:"task_scheduler:task_cache:entry"'
  34.   supported_os: []
  35. - name: Network Shares/Shared Object Accessed
  36.   query_dsl: '""'
  37.   query_string: 'event_identifier:(5140 OR 5145)'
  38.   supported_os: []
  39. - name: AutoRuns
  40.   query_dsl: '""'
  41.   query_string: "parser:\u201Dwindows_run\u201D"
  42.   supported_os: []
  43. - name: FIle Downloads
  44.   query_dsl: '""'
  45.   query_string: "(file_extension:*) OR parser:\u201Dfirefox_downloads\u201D"
  46.   supported_os: []
  47. - name: Autostart Services
  48.   query_dsl: '""'
  49.   query_string: "parser:\u201Dwindows_services\u201D"
  50.   supported_os: []
  51. - name: Execution
  52.   query_dsl: '""'
  53.   query_string: 'parser:(prefetch OR userassist OR amcache OR appcompatcache OR srum)'
  54.   supported_os: []
  55. - name: Domain
  56.   query_dsl: '""'
  57.   query_string: '"System\\ControlSet001\\Services\\TCPIP\\Parameters" AND domain'
  58.   supported_os: []
Advertisement
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!