Purple Team Cheat Sheet: SMB Attacks and Detection
SMB Attack Commands
Attack Type | Command | Description
Detection: Event Codes and KQL/EQL Rules
Event Code | Description | KQL/EQL Rule
Forensics Commands and Codes
Command | Description
KQL Rule: Suspicious SMB Login
// LogonType 3 is every network logon (SMB, but also RPC, WinRM, LDAP), so pair this with
// share-access (5145) or an IpAddress filter to make it SMB-specific.
SecurityEvent
| where EventID == 4624 and LogonType == 3
| where AccountName != "known_good_account"
| project AccountName, IpAddress, TimeGenerated
EQL Rule: Excessive SMB Failures
// 20 failed logons (4625) for one account from one source inside 5 minutes. EQL has no
// "sequence.count"; "with runs" repeats the same item, and maxspan bounds the window.
sequence by AccountName, IpAddress with maxspan=5m
  [any where EventID == 4625] with runs=20
KQL Rule: Unusual SMB Traffic
let known_good_ip_list = dynamic([]);   // placeholder: backup servers, vulnerability scanners, etc.
let threshold_value = 100;              // placeholder, tune to your baseline
NetworkTraffic
| where Protocol == "SMB" and IpAddress !in (known_good_ip_list)
| summarize Count = count() by IpAddress, Port
| where Count > threshold_value
Purple Team Cheat Sheet: FTP Attacks and Detection
FTP Attack Commands
Detection: Event Codes and KQL/EQL Rules
Forensics Commands and Codes
KQL Rule: Suspicious FTP Login Attempts
// Security event 4625 has no application-protocol field; NetworkInformation.Protocol assumes a
// parser or enrichment that adds one. IIS FTP logon failures show up with LogonType == 8
// (NetworkCleartext), which is a usable native filter instead.
let threshold_value = 20;   // placeholder, tune per environment
SecurityEvent
| where EventID == 4625 and NetworkInformation.Protocol == "FTP"
| summarize Count = count() by AccountName, IpAddress
| where Count > threshold_value
EQL Rule: FTP Brute Force Detection
// Same shape as the SMB rule: 20 FTP logon failures for one account from one source in 5 minutes.
sequence by AccountName, IpAddress with maxspan=5m
  [any where EventID == 4625 and NetworkInformation.Protocol == "FTP"] with runs=20
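The sliding-window logic that the SMB and FTP brute-force EQL rules above express, as an added Python example (not part of this cheat sheet). The 4625 records are constructed inline with the page's field names (EventID, AccountName, IpAddress, TimeGenerated); the hosts, accounts and addresses are made up for the sample.

```python
"""Sliding-window brute-force detector: the logic behind the SMB and FTP "20 failures" EQL rules.

Added example for this cheat sheet, not part of it. Events are constructed below with this
page's field names; a real run would take parsed Security-log 4625 records instead.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
THRESHOLD = 20  # the runs=20 / "> 20" in the EQL rules


def detect_bruteforce(events, window=WINDOW, threshold=THRESHOLD):
    """Return {(AccountName, IpAddress): {...}} for every key that accumulates `threshold`
    failed logons (4625) inside any span of length `window`. Other Event IDs are ignored.

    A deque per key holds only the failure timestamps still inside the window measured from
    the newest event, so the window slides with the traffic instead of being a fixed
    5-minute bucket (a fixed bucket misses 15 failures at 09:04 plus 15 at 09:06).
    """
    recent = defaultdict(deque)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["TimeGenerated"]):
        if ev["EventID"] != 4625:
            continue
        key = (ev["AccountName"], ev["IpAddress"])
        q = recent[key]
        q.append(ev["TimeGenerated"])
        while q and ev["TimeGenerated"] - q[0] > window:   # expire old failures
            q.popleft()
        if len(q) >= threshold and key not in alerts:        # alert once per key
            alerts[key] = {"first": q[0], "last": q[-1], "count": len(q)}
    return alerts


def make_event(ts, account, ip, event_id=4625):
    return {"EventID": event_id, "AccountName": account, "IpAddress": ip, "TimeGenerated": ts}


# Constructed sample: a sprayer, a user who mistypes slowly, and one unrelated success.
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = (
    # 25 failures in 72 s against svc_backup from 10.0.0.50: crosses 20 inside the window
    [make_event(T0 + timedelta(seconds=3 * i), "svc_backup", "10.0.0.50") for i in range(25)]
    # 25 failures for jdoe from 10.0.0.7, one every 5 min: never more than 2 in any window
    + [make_event(T0 + timedelta(minutes=5 * i + 1), "jdoe", "10.0.0.7") for i in range(25)]
    # a 4624 success from the sprayer; not a failure, so not counted
    + [make_event(T0 + timedelta(seconds=80), "svc_backup", "10.0.0.50", event_id=4624)]
)

if __name__ == "__main__":
    for (account, ip), info in detect_bruteforce(SAMPLE_EVENTS).items():
        print(f"ALERT {account} from {ip}: {info['count']} failures between "
              f"{info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}")
```

The same function covers password spraying if the key is changed to IpAddress alone, which is what the EQL `sequence by` keys control.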
KQL Rule: Unusual FTP File Uploads
// Event 5156 (Windows Filtering Platform permitted a connection) records the FTP control/data
// connection, not the file transferred: 5156 has no FileName, so file names must come from the
// FTP server's own transfer log. Field names follow this page; 5156's native fields are
// Application, Direction, SourceAddress/SourcePort, DestAddress/DestPort and Protocol.
let threshold_value = 50;   // placeholder, tune per environment
SecurityEvent
| where EventID == 5156 and ApplicationInformation.ApplicationProtocol == "FTP"
| where NetworkInformation.Direction == "Outbound" and NetworkInformation.Port == 21
| summarize Count = count() by IpAddress
| where Count > threshold_value
Attack Techniques and Commands
Detection: Event Codes and KQL/EQL Rules
Forensics Commands and Codes
Full Raw KQL/EQL Rules for Detecting Malicious Patterns
KQL Rule: LLMNR Poisoning Detection
// Counts IPC$ connections per account and source. A relayed NTLM session shows up on the relay
// target as 5145/IPC$ under the victim's account but from the attacker's IP; the LLMNR/NBT-NS
// exchange itself (UDP 5355 / 137) never reaches the Security log, so watch it with Sysmon
// Event 3 or network data. ShareName is a verbatim string so its backslashes are not escapes.
let threshold_value = 10;   // placeholder, tune per environment
SecurityEvent
| where EventID == 5145 and ShareName == @'\\*\IPC$'
| summarize Count = count() by AccountName, IpAddress
| where Count > threshold_value
EQL Rule: AS-REP Roasting Activity
// AS-REP roasting: TGT requests (4768) for accounts that do not require pre-authentication
// (PreAuthType "0"), typically asking for RC4 ("0x17") so the AS-REP can be cracked offline.
// 0x40810000 (Forwardable|Renewable|Canonicalize) on its own is what normal clients send.
// A sweep hits many accounts from one source, so key on IpAddress, not AccountName. Values are
// the strings as rendered in the event.
sequence by IpAddress with maxspan=2m
  [any where EventID == 4768 and PreAuthType == "0" and TicketEncryptionType == "0x17"] with runs=5
KQL Rule: Unusual Process Execution
SecurityEvent
| where EventID == 4688 and NewProcessName contains 'RunForrestRun.exe'
| project AccountName, NewProcessName, CommandLine
Attack Techniques and Commands
Detection: Event Codes and KQL/EQL Rules
Forensics Commands and Codes
Full Raw KQL/EQL Rules for Detecting Malicious Patterns
KQL Rule: Unusual Service Creation
// Needs process command-line auditing enabled (otherwise 4688 CommandLine is empty). Event 4697
// (service installed) and System-log 7045 catch the same action whatever tool created the service.
SecurityEvent
| where EventID == 4688 and NewProcessName endswith @'\sc.exe'
| where CommandLine contains 'create' and CommandLine contains 'binPath='
| project AccountName, NewProcessName, CommandLine
EQL Rule: Abnormal Kerberos Ticket Requests
// 4768 (TGT) followed by 4769 (service ticket) is ordinary Kerberos; only the volume is abnormal.
// "with runs" repeats the 4769 item; 20 is a placeholder to tune against your baseline.
sequence by AccountName with maxspan=5m
  [any where EventID == 4768]
  [any where EventID == 4769] with runs=20
KQL Rule: Suspicious Privileged Group Membership Changes
// 4728/4732/4756 are additions to global/local/universal security groups, not ACL changes (those
// are 5136 and 4670). 'S-1-5-21' prefixes every domain SID, so matching on it selects everything;
// filter on the groups that matter instead. SubjectUserName is who made the change.
let privileged_groups = dynamic(["Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"]);
SecurityEvent
| where EventID in (4728, 4732, 4756)
| where TargetUserName in (privileged_groups)
| project TimeGenerated, SubjectUserName, MemberName, MemberSid, TargetUserName, TargetDomainName
Attack Techniques and Commands
Detection: Event Codes and KQL/EQL Rules
Forensics Commands and Codes
Full Raw KQL/EQL Rules for Detecting Malicious Patterns
KQL Rule: Unusual Privilege Escalation
// 4672 fires on every logon that is granted sensitive privileges (every admin logon), so it needs
// an allowlist and a baseline. 4672 has no ProcessName; PrivilegeList says what was granted.
let known_good_accounts = dynamic([]);   // placeholder: expected admin and service accounts
SecurityEvent
| where EventID == 4672 and AccountName !in (known_good_accounts)
| project TimeGenerated, AccountName, PrivilegeList
EQL Rule: Suspicious Delegation Use
// Constrained delegation (S4U2Proxy) requests are 4769s whose TransmittedServices field names
// the service acting on the user's behalf; "-" means the field is empty (an ordinary request).
sequence by AccountName with maxspan=5m
  [any where EventID == 4768]
  [any where EventID == 4769 and TransmittedServices != "-"] with runs=5
KQL Rule: Abnormal SQL Server Command Execution
// sqlservr.exe is the service itself; xp_cmdshell and friends run a shell *as its child*. Match
// on the parent, not the new process (4688 carries ParentProcessName on Windows 10 / Server 2016+).
SecurityEvent
| where EventID == 4688 and ParentProcessName endswith @'\sqlservr.exe'
| where NewProcessName endswith @'\cmd.exe' or NewProcessName endswith @'\powershell.exe'
| project TimeGenerated, Computer, AccountName, ParentProcessName, NewProcessName, CommandLine
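Both 4688 checks in this section (the `sc create ... binPath=` rule and the SQL Server shell rule) run over parsed events, as an added Python example that is not part of this cheat sheet. Records are constructed inline with the page's field names plus ParentProcessName; the paths, accounts and service name are made up for the sample.

```python
"""Two 4688 checks: 'sc create ... binPath=' and a shell spawned by sqlservr.exe (xp_cmdshell).

Added example, not from the cheat sheet. ParentProcessName is present in 4688 on Windows 10 /
Server 2016 and later; CommandLine is only populated with command-line auditing enabled.
"""
import re

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# sc.exe syntax requires the space after "binPath="; the value is quoted when it has spaces
BINPATH_RE = re.compile(r'binPath=\s*(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def sc_create_binpath(ev):
    """Return the binPath of an 'sc create' command line, or None if this is not one."""
    if basename(ev["NewProcessName"]) != "sc.exe":
        return None
    cmd = ev.get("CommandLine", "")
    if not re.search(r"\bcreate\b", cmd, re.IGNORECASE):
        return None
    m = BINPATH_RE.search(cmd)
    return (m.group(1) or m.group(2)) if m else None


def is_sql_child_shell(ev):
    """True when sqlservr.exe is the *parent* of a shell. Matching sqlservr.exe as the new
    process only ever sees the SQL service itself starting."""
    return (basename(ev.get("ParentProcessName", "")) == "sqlservr.exe"
            and basename(ev["NewProcessName"]) in SHELLS)


def triage(events):
    """Return (rule, account, detail) for every 4688 that trips a check."""
    findings = []
    for ev in events:
        if ev["EventID"] != 4688:
            continue
        binpath = sc_create_binpath(ev)
        if binpath is not None:
            findings.append(("service_create", ev["AccountName"], binpath))
        if is_sql_child_shell(ev):
            findings.append(("sql_child_shell", ev["AccountName"], ev.get("CommandLine", "")))
    return findings


def make_4688(new, parent, cmd, account):
    return {"EventID": 4688, "NewProcessName": new, "ParentProcessName": parent,
            "CommandLine": cmd, "AccountName": account}


SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
# Constructed sample events.
SAMPLE_EVENTS = [
    make_4688(r"C:\Windows\System32\sc.exe", r"C:\Windows\System32\cmd.exe",
              r'sc.exe create updsvc binPath= "C:\Windows\Temp\upd.exe -k" start= auto', r"LAB\jdoe"),
    make_4688(r"C:\Windows\System32\sc.exe", r"C:\Windows\System32\cmd.exe",
              "sc.exe query wuauserv", r"LAB\jdoe"),                         # not a create
    make_4688(r"C:\Windows\System32\cmd.exe", SQLSERVR,
              "cmd.exe /c whoami", r"NT SERVICE\MSSQLSERVER"),                # xp_cmdshell
    make_4688(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
              "cmd.exe", r"LAB\alice"),                                       # ordinary shell
    make_4688(SQLSERVR, r"C:\Windows\System32\services.exe",
              "sqlservr.exe -sMSSQLSERVER", r"NT SERVICE\MSSQLSERVER"),        # service start only
]

if __name__ == "__main__":
    for rule, account, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: {account}: {detail}")
```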
Attack Techniques and Commands
Detection: Event Codes and KQL/EQL Rules
Forensics Commands and Codes
Full Raw KQL/EQL Rules for Detecting Malicious Patterns
KQL Rule: AMSI Bypass Detection
// 4104 (Script Block Logging) lives in Microsoft-Windows-PowerShell/Operational, not the Security
// log; point this at the table your collector writes it to. 4104 records the block after
// PowerShell decodes it, so -EncodedCommand payloads are visible, but strings assembled at
// runtime ('amsi'+'InitFailed') still evade a plain substring match.
SecurityEvent
| where EventID == 4104
| where ScriptBlockText has_any ("amsiInitFailed", "AmsiScanBuffer", "AmsiUtils")
| project TimeGenerated, Computer, AccountName, ScriptBlockText
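An added Python example (not part of this cheat sheet) of the 4104 indicator match above, with a cheap normalisation so split strings and backtick escapes do not slip past it. The script blocks, hosts and accounts are constructed; the indicator strings are the well-known ones from the `[Ref].Assembly` AMSI bypass.

```python
"""Script-block (4104) AMSI-bypass indicator match that survives simple string splitting.

Added example, not from the cheat sheet. 4104 logs the block as PowerShell compiles it, so
-EncodedCommand is already decoded, but 'Amsi'+'Utils' and "am`si" are still literal text.
"""
import re

INDICATORS = ("amsiinitfailed", "amsiscanbuffer", "amsiutils")


def normalize(script):
    """Lower-case and undo the two common textual splits. Not handled: the -f format operator,
    [char] arithmetic or reversed strings; those need real de-obfuscation."""
    s = script.lower()
    s = s.replace("`", "")                         # "am`si" -> "amsi": a backtick before an ordinary letter is a no-op
    s = re.sub(r"""['"]\s*\+\s*['"]""", "", s)     # 'amsi'+'utils' -> 'amsiutils'
    return re.sub(r"""['"]""", "", s)              # drop the remaining quotes


def match_indicators(script):
    norm = normalize(script)
    return [i for i in INDICATORS if i in norm]


def scan_4104(events):
    """Return (Computer, AccountName, [indicators]) for each 4104 that matches."""
    hits = []
    for ev in events:
        if ev["EventID"] != 4104:
            continue
        found = match_indicators(ev["ScriptBlockText"])
        if found:
            hits.append((ev["Computer"], ev["AccountName"], found))
    return hits


def make_4104(computer, account, text):
    return {"EventID": 4104, "Computer": computer, "AccountName": account, "ScriptBlockText": text}


# Constructed sample: the plain bypass, a string-split variant, a backtick variant, and noise.
SAMPLE_EVENTS = [
    make_4104("WS01", r"LAB\jdoe",
              "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
              ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"),
    make_4104("WS02", r"LAB\jdoe",
              "[Ref].Assembly.GetType('System.Management.Automation.Amsi'+'Utils')"
              ".GetField('amsiInit'+'Failed','NonPublic,Static').SetValue($null,$true)"),
    make_4104("WS03", r"LAB\bob",
              '$f = "am`si`InitFailed"; [Ref].Assembly.GetType("System.Management.Automation.Am`siUtils")'
              '.GetField($f,"NonPublic,Static").SetValue($null,$true)'),
    make_4104("WS04", r"LAB\alice", "Get-Process | Where-Object { $_.Name -eq 'explorer' }"),
]

if __name__ == "__main__":
    for computer, account, found in scan_4104(SAMPLE_EVENTS):
        print(f"{computer} {account}: {', '.join(found)}")
```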
EQL Rule: Unusual Kerberos Ticket Requests
// Ticket harvesting shows up as one account burning through many 4769s after a single TGT.
// "with runs" repeats the 4769 item; 20 is a placeholder, tune to your baseline.
sequence by AccountName with maxspan=5m
  [any where EventID == 4768]
  [any where EventID == 4769] with runs=20
KQL Rule: Suspicious SQL Command Execution
// sqlservr.exe is the service itself; xp_cmdshell and friends run a shell *as its child*. Match
// on the parent, not the new process (4688 carries ParentProcessName on Windows 10 / Server 2016+).
SecurityEvent
| where EventID == 4688 and ParentProcessName endswith @'\sqlservr.exe'
| where NewProcessName endswith @'\cmd.exe' or NewProcessName endswith @'\powershell.exe'
| project TimeGenerated, Computer, AccountName, ParentProcessName, NewProcessName, CommandLine
Purple Team Cheat Sheet: Comprehensive Attack Scenario
Attack Techniques and Commands
Detection: Event Codes and KQL/EQL Rules
Forensics Commands and Codes
Full Raw KQL/EQL Rules for Detecting Malicious Patterns
KQL Rule: Unusual Network Traffic
// Counts web connections per destination; on its own this only finds busy hosts, so compare
// against a baseline or an allowlist of known CDNs/update servers.
let threshold_value = 1000;   // placeholder, tune to your baseline
NetworkTraffic
| where DestinationPort in (80, 443)
| summarize Count = count() by DestinationIP, DestinationPort
| where Count > threshold_value
EQL Rule: Suspicious Process Creation
// nc.exe followed by powershell.exe on the same host under the same account; the pair itself is
// the alert, so no count is needed. ":" is EQL's case-insensitive, wildcard-aware match.
sequence by Hostname, AccountName with maxspan=5m
  [process where EventID == 4688 and NewProcessName : "*\\nc.exe"]
  [process where EventID == 4688 and NewProcessName : "*\\powershell.exe"]
KQL Rule: Abnormal File Access
// Match the share exactly: 'contains "C$"' also matches \\*\IPC$, which every SMB session opens.
// 5145's file field is RelativeTargetName. Exclude hosts that legitimately push to admin shares
// (patching, EDR, backup) or this will never be quiet.
SecurityEvent
| where EventID == 5145
| where ShareName in (@'\\*\C$', @'\\*\ADMIN$')
| project TimeGenerated, AccountName, IpAddress, ShareName, RelativeTargetName
Purple Team Cheat Sheet: Web-Based Attack Scenario
Attack Techniques and Commands
Detection: Event Codes and KQL/EQL Rules
Forensics Commands and Codes
Full Raw KQL/EQL Rules for Detecting Malicious Patterns
KQL Rule: Unusual Network Traffic
// Counts web connections per destination; on its own this only finds busy hosts, so compare
// against a baseline or an allowlist of known CDNs/update servers.
let threshold_value = 1000;   // placeholder, tune to your baseline
NetworkTraffic
| where DestinationPort in (80, 443)
| summarize Count = count() by DestinationIP, DestinationPort
| where Count > threshold_value
EQL Rule: Suspicious Process Creation
// nc.exe followed by powershell.exe on the same host under the same account; the pair itself is
// the alert, so no count is needed. ":" is EQL's case-insensitive, wildcard-aware match.
sequence by Hostname, AccountName with maxspan=5m
  [process where EventID == 4688 and NewProcessName : "*\\nc.exe"]
  [process where EventID == 4688 and NewProcessName : "*\\powershell.exe"]
KQL Rule: Abnormal File Access
// Match the share exactly: 'contains "C$"' also matches \\*\IPC$, which every SMB session opens.
// 5145's file field is RelativeTargetName. Exclude hosts that legitimately push to admin shares
// (patching, EDR, backup) or this will never be quiet.
SecurityEvent
| where EventID == 5145
| where ShareName in (@'\\*\C$', @'\\*\ADMIN$')
| project TimeGenerated, AccountName, IpAddress, ShareName, RelativeTargetName
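An added Python example (not part of this cheat sheet) for the admin-share 5145 rules in this and the previous scenario: it shows why a substring test on `C$` misfires on IPC$, applies an exact match with an allowlist, and goes one step further to the PsExec-style pair of an executable written to ADMIN$ followed by the svcctl pipe on IPC$. Events use 5145's own field names (ShareName, RelativeTargetName, AccessMask, IpAddress, AccountName); the hosts, accounts, addresses and the allowlist are constructed.

```python
"""5145 admin-share checks: exact share matching and the ADMIN$-drop-then-svcctl pattern.

Added example, not from the cheat sheet. Events, hosts and the allowlist are constructed.
"""
from datetime import datetime, timedelta

ADMIN_SHARES = {r"\\*\C$", r"\\*\ADMIN$"}
ALLOWED_SOURCES = {"10.0.0.10"}  # e.g. the patch-management server (constructed)
WRITE_DATA = 0x2                 # AccessMask bit for WriteData / AddFile


def is_admin_share_substring(share):
    """The cheat sheet's original test: also true for \\*\IPC$, which every SMB session opens."""
    return "C$" in share or "ADMIN$" in share


def is_admin_share(share):
    return share.upper() in ADMIN_SHARES


def admin_share_access(events, allowed=ALLOWED_SOURCES):
    """Accesses to C$/ADMIN$ from sources not expected to touch them."""
    return [(e["AccountName"], e["IpAddress"], e["ShareName"], e["RelativeTargetName"])
            for e in events
            if e["EventID"] == 5145 and is_admin_share(e["ShareName"])
            and e["IpAddress"] not in allowed]


def remote_service_install(events, max_gap=timedelta(seconds=60)):
    """An .exe written to ADMIN$ and, within max_gap, the svcctl pipe opened on IPC$ from the
    same source: the sequence PsExec-style tools produce when they install their service."""
    drops = {}   # source IP -> (time, dropped file)
    hits = []
    for e in sorted(events, key=lambda x: x["TimeGenerated"]):
        if e["EventID"] != 5145:
            continue
        share, target = e["ShareName"].upper(), e["RelativeTargetName"].lower()
        if (share == r"\\*\ADMIN$" and target.endswith(".exe")
                and int(e["AccessMask"], 16) & WRITE_DATA):
            drops[e["IpAddress"]] = (e["TimeGenerated"], e["RelativeTargetName"])
        elif share == r"\\*\IPC$" and target == "svcctl" and e["IpAddress"] in drops:
            t_drop, fname = drops[e["IpAddress"]]
            if e["TimeGenerated"] - t_drop <= max_gap:
                hits.append((e["IpAddress"], fname))
    return hits


def make_5145(ts, account, ip, share, target, mask="0x1"):
    return {"EventID": 5145, "TimeGenerated": ts, "AccountName": account, "IpAddress": ip,
            "ShareName": share, "RelativeTargetName": target, "AccessMask": mask}


# Constructed sample: a normal session, an allowlisted patch push, a PsExec-style install, a copy.
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    make_5145(T0, r"LAB\jdoe", "10.0.0.20", r"\\*\IPC$", "srvsvc"),
    make_5145(T0 + timedelta(seconds=5), r"LAB\patchsvc", "10.0.0.10", r"\\*\C$",
              r"Windows\Temp\kb.msu", "0x2"),
    make_5145(T0 + timedelta(seconds=10), r"LAB\adm1", "10.0.0.33", r"\\*\ADMIN$", "PSEXESVC.exe", "0x2"),
    make_5145(T0 + timedelta(seconds=12), r"LAB\adm1", "10.0.0.33", r"\\*\IPC$", "svcctl", "0x12019f"),
    make_5145(T0 + timedelta(minutes=5), r"LAB\adm2", "10.0.0.44", r"\\*\ADMIN$", "hotfix.msu", "0x2"),
]

if __name__ == "__main__":
    for row in admin_share_access(SAMPLE_EVENTS):
        print("admin share access:", row)
    for ip, fname in remote_service_install(SAMPLE_EVENTS):
        print(f"remote service install from {ip}: {fname}")
```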
Purple Team Cheat Sheet: Recon to Exploitation Scenario
Attack Techniques and Commands
Detection: Event Codes and KQL/EQL Rules
Forensics Commands and Codes
Full Raw KQL/EQL Rules for Detecting Malicious Patterns
KQL Rule: Unusual SMB Traffic
// RelativeTargetName is 5145's file/path field (there is no FileName in 5145).
SecurityEvent
| where EventID == 5145 and ShareName contains 'Software_Updates'
| project TimeGenerated, AccountName, ShareName, RelativeTargetName, IpAddress
EQL Rule: Suspicious Process Execution
// rspoof.exe followed by redis-cli on the same host under the same account; the pair is the alert.
sequence by Hostname, AccountName with maxspan=10m
  [process where EventID == 4688 and NewProcessName : "*\\rspoof.exe"]
  [process where EventID == 4688 and NewProcessName : "*redis-cli*"]
KQL Rule: Abnormal File Access Patterns
// RelativeTargetName is 5145's file/path field (there is no FileName in 5145).
SecurityEvent
| where EventID == 5145
| where RelativeTargetName contains 'latest.yml' or RelativeTargetName contains 'UAT_Testing_Procedures.pdf'
| project TimeGenerated, AccountName, ShareName, RelativeTargetName, IpAddress
Purple Team Cheat Sheet: Credential and Connection Scenario
Attack Techniques and Commands
Detection: Event Codes, KQL/EQL, Sysmon, and Wazuh Rules
Forensics Commands and Codes
Full Raw KQL/EQL Rules for Detecting Malicious Patterns
EQL Rule: RDP Client Start Followed by Outbound RDP
// Process start first, then the connection it opens. xfreerdp is a Linux client, so 4688 only
// applies if it was run from a Windows host; on Linux substitute the auditd / Sysmon for Linux
// process event. The pair is the alert; no count is needed.
sequence by Hostname, AccountName with maxspan=2m
  [process where EventID == 4688 and NewProcessName : "*xfreerdp*"]
  [network where DestinationPort == 3389]
EQL Rule: Privileged Logon Followed by a Burst of TGT Requests
// 0x40810000 is the option set most clients send, so the burst (runs=5) is the signal here.
sequence by AccountName with maxspan=5m
  [security where EventID == 4672]
  [security where EventID == 4768 and TicketOptions == "0x40810000"] with runs=5
KQL Rule: Suspicious Logon Types
SecurityEvent
| where EventID == 4624 and LogonType == 3
| where AccountName == "Administrator" or AccountName == "unknown"
| project TimeGenerated, AccountName, LogonType, IpAddress
Purple Team Cheat Sheet: Silver Ticket Attack Scenario
Attack Technique and Command
Detection: Event Codes and KQL/EQL Rules
Forensics Commands and Codes
Full Raw KQL/EQL Rules for Detecting Silver Ticket Usage
KQL Rule: Unusual Kerberos Service Ticket Requests
// A silver ticket is forged offline and presented straight to the service, so the DC never logs
// a 4768/4769 for it. This query is the DC-side baseline of legitimate service-ticket requests;
// the actual signal is a Kerberos 4624 on the target host with no matching 4769 on any DC
// (join on AccountName and IpAddress).
SecurityEvent
| where EventID == 4769 and ServiceName !contains 'krbtgt'
| project TimeGenerated, AccountName, IpAddress, ServiceName, TicketOptions
EQL Rule: Anomalous Kerberos Service Ticket Assignments
// Forged service tickets never produce a 4769 on the DC, so this can only pair a privileged
// logon with a burst of genuine service-ticket requests by the same account.
sequence by AccountName with maxspan=5m
  [security where EventID == 4672]
  [security where EventID == 4769 and ServiceName != "krbtgt"] with runs=5
KQL Rule: Suspicious Logon Types
SecurityEvent
| where EventID == 4624 and LogonType == 3
| where AccountName == "specific_user" or AccountName == "unknown"
| project TimeGenerated, AccountName, LogonType, IpAddress
Purple Team Cheat Sheet: Kerberoasting Attack Scenario
Attack Technique and Command
Detection: Event Codes and KQL/EQL Rules
Forensics Commands and Codes
Full Raw KQL/EQL Rules for Detecting Kerberoasting
KQL Rule: Unusual Kerberos Service Ticket Requests
// RC4 (0x17) service tickets for user (non-machine) SPNs are the Kerberoasting signature: RC4 is
// requested explicitly because it cracks fastest. 0x40810000 is what most roasting tools send,
// but also what most normal clients send, so it is supporting evidence, not the signal.
// TicketEncryptionType is stored as a hex string, so compare with '0x17', not the integer 0x17.
SecurityEvent
| where EventID == 4769 and ServiceName !contains 'krbtgt' and ServiceName !endswith '$'
| where TicketEncryptionType == '0x17' and TicketOptions == '0x40810000'
| summarize Services = make_set(ServiceName), Count = dcount(ServiceName)
    by AccountName, IpAddress, bin(TimeGenerated, 5m)
| where Count > 3   // placeholder: several distinct SPNs in one window, tune to baseline
| project TimeGenerated, AccountName, IpAddress, Count, Services
EQL Rule: Anomalous Kerberos Service Ticket Activity
// Privileged logon followed by five RC4 service-ticket requests by the same account.
sequence by AccountName with maxspan=5m
  [security where EventID == 4672]
  [security where EventID == 4769 and ServiceName != "krbtgt" and TicketEncryptionType == "0x17"] with runs=5
Purple Team Cheat Sheet: Pass the Ticket Attack Scenario
Attack Technique and Command
Detection: Event Codes and KQL/EQL Rules
Forensics Commands and Codes
Full Raw KQL/EQL Rules for Detecting Pass the Ticket Usage
EQL Rule: Directory Replication (DCSync) Rights Exercised After a Privileged Logon
// 4662's Properties field lists access GUIDs, not the readable name "Replicating Directory
// Changes". DS-Replication-Get-Changes is 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 and
// DS-Replication-Get-Changes-All is 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2; DCSync needs both, and
// Get-Changes-All is the one ordinary clients never exercise. Domain controllers replicate all
// day, so exclude their computer accounts (names ending in "$").
sequence by AccountName with maxspan=5m
  [security where EventID == 4672]
  [security where EventID == 4662 and Properties : "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*"
     and not AccountName : "*$"]
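The 4662 replication-rights check above, run over parsed events as an added Python example (not part of this cheat sheet). The three GUIDs are the published AD schema values for the DS-Replication-Get-Changes* control access rights; the DC names, the allowlisted sync account and the events are constructed. 4662 carries no client address, so the SubjectLogonId is kept for correlation with the 4624 that created the session.

```python
"""4662 DCSync check: replication control-access rights read from the Properties field.

Added example, not from the cheat sheet. Get-Changes-All is the right ordinary clients never
exercise, so it is the trigger; DCs and known replication accounts are excluded.
"""
import re

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.IGNORECASE)
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}       # constructed
ALLOWED_REPLICATORS = {"MSOL_a1b2c3d4e5f6"}   # constructed, e.g. an Entra Connect sync account


def replication_rights(properties):
    """Names of the replication rights present in a 4662 Properties string."""
    return {REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS}


def is_dcsync(ev, dcs=DOMAIN_CONTROLLERS, allowed=ALLOWED_REPLICATORS):
    if ev["EventID"] != 4662 or ev["AccountName"] in dcs or ev["AccountName"] in allowed:
        return False
    return "DS-Replication-Get-Changes-All" in replication_rights(ev["Properties"])


def dcsync_alerts(events):
    """(account, SubjectLogonId, sorted rights) for each 4662 that looks like DCSync."""
    return [(e["AccountName"], e["SubjectLogonId"], sorted(replication_rights(e["Properties"])))
            for e in events if is_dcsync(e)]


def make_4662(account, logon_id, guids, event_id=4662):
    # Properties as the event renders it: the access type, then one {GUID} per line.
    props = "Control Access\n" + "".join(f"\t{{{g}}}\n" for g in guids)
    return {"EventID": event_id, "AccountName": account, "SubjectLogonId": logon_id,
            "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100",
            "Properties": props}


GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
DOMAIN_DNS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"   # object class GUID also present in Properties

# Constructed sample events.
SAMPLE_EVENTS = [
    make_4662("DC01$", "0x3e7", [GET_CHANGES, GET_CHANGES_ALL, FILTERED_SET, DOMAIN_DNS]),  # real replication
    make_4662("jdoe", "0x8a2f1", [GET_CHANGES, GET_CHANGES_ALL, DOMAIN_DNS]),               # DCSync
    make_4662("backupop", "0x7c01", [GET_CHANGES, DOMAIN_DNS]),                             # no Get-Changes-All
    make_4662("MSOL_a1b2c3d4e5f6", "0x5b33", [GET_CHANGES, GET_CHANGES_ALL, DOMAIN_DNS]),   # allowlisted
    make_4662("jdoe", "0x8a2f1", [GET_CHANGES_ALL], event_id=4663),                         # wrong event ID
]

if __name__ == "__main__":
    for account, logon_id, rights in dcsync_alerts(SAMPLE_EVENTS):
        print(f"DCSync-like access by {account} (logon {logon_id}): {', '.join(rights)}")
```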
KQL Rule: Suspicious Kerberos TGT Requests
// Pass-the-ticket reuses a TGT that already exists, so there is no new 4768 from the attacker's
// host: the DC instead sees 4769 service-ticket requests from an IpAddress that never requested
// that account's TGT. Use this list of (AccountName, IpAddress) as the join key against 4769.
SecurityEvent
| where EventID == 4768 and TicketOptions == '0x40810000'
| project TimeGenerated, AccountName, IpAddress, ServiceName, TicketOptions
Purple Team Cheat Sheet: AS-REP Roasting Attack Scenario
Attack Technique and Command
Detection: Event Codes and KQL/EQL Rules
Forensics Commands and Codes
Full Raw KQL/EQL Rules for Detecting AS-REP Roasting
KQL Rule: Unusual Kerberos TGT Requests without Pre-Authentication
// The defining field is PreAuthType == '0' (account has "Do not require Kerberos
// preauthentication"); RC4 (0x17) makes the AS-REP crackable. Both fields are stored as strings
// in SecurityEvent, so compare with '0' and '0x17', not the integers.
SecurityEvent
| where EventID == 4768 and PreAuthType == '0' and TicketEncryptionType == '0x17'
| where TicketOptions == '0x40810000'
| project TimeGenerated, AccountName, IpAddress, ServiceName, TicketOptions, TicketEncryptionType
EQL Rule: AS-REP Roasting Sweep
// A 4771 (pre-authentication failure) is not expected before the roast: roastable accounts skip
// pre-authentication, so there is nothing to fail. The signal is a burst of no-preauth, RC4
// AS-REQs from one source for different accounts, so key on IpAddress.
sequence by IpAddress with maxspan=2m
  [security where EventID == 4768 and PreAuthType == "0" and TicketEncryptionType == "0x17"] with runs=5
KQL Rule: Suspicious Kerberos Service Ticket Requests
// A 4769 naming krbtgt is a TGT renewal or cross-realm referral; one issued under RC4 is weak
// evidence on its own. TicketEncryptionType is a string column, hence '0x17'.
SecurityEvent
| where EventID == 4769
| where ServiceName contains 'krbtgt' and TicketEncryptionType == '0x17'
| project TimeGenerated, AccountName, ServiceName, TicketEncryptionType
Purple Team Cheat Sheet: GenericWrite Attack Scenario
Attack Technique and Command
Detection: Event Codes and KQL/EQL Rules
Forensics Commands and Codes
Full Raw KQL/EQL Rules for Detecting GenericWrite Usage
KQL Rule: Unusual Directory Service Object Modifications