I have WEF set up with a simple PowerShell subscription that includes 4103 and 4104 event IDs. I’ve tried it with a few simple PS scripts, and everything works as expected. However, I got a little more ambitious and ran a 2MB mimikatz script that had Base64 ...
4103 Root and subordinate CAs This event is generated when PowerShell executes and logs pipeline execution details. Common tools such as Certutil and Mimikatz use PowerShell. Analysing this event for PowerShell execution relating to these tools may indicate a Golden Certi...
<!-- PowerShell execute block activity (4103), Remote Command (4104), Start Command (4105), Stop Command (4106) --> <Select Path="Microsoft-Windows-PowerShell/Operational">*[System[(EventID=4103 or EventID=4104 or EventID=4105 or EventID=4106)]]</Select> </Query> <Query ...
<QueryList> <Query Id="0" Path="System"> <!-- Anti-malware *old* events, but only detect events (cuts down noise) --> <Select Path="System">*[System[Provider[@Name='Microsoft Antimalware'] and (EventID >= 1116 and EventID <= 1119)]]</Select> </Query> <!-- AppLoc...