This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Visualization (tcpdump, tshark) | |
tcpdump -qns 0 -X -r file.pcap | |
tcpdump -qns 0 -A -r file.pcap | |
tcpdump -X -r file.pcap | |
tshark -r file.pcap -V | |
Packet manipulation (tcprewrite) | |
Port: tcprewrite --portmap=OLDPORT:NEWPORT -i in.pcap -o out.pcap |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
TLP:RED #FF2B2B | |
TLP:AMBER #ffc000 | |
TLP:GREEN #33ff00 | |
TLP:WHITE #ffffff |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
# This is based on the work done at https://gist.github.com/isalgueiro/212a612fc232f1437ce88876937691d3/revisions#diff-c6d6f47361666bfba5538e6e0101bafd | |
#################### | |
# Define variables # | |
#################### | |
# Expected for securityGroupIds is sg-... | |
securityGroupIds="Insert_Your_SGID" | |
# Expected for ruleDescription is something like Home, or OfficeNY |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
{ | |
"Version": "2012-10-17", | |
"Statement": [ | |
{ | |
"Effect": "Allow", | |
"Action": "s3:*", | |
"Resource": [ | |
"arn:aws:s3:::your_website.com", | |
"arn:aws:s3:::your_website.com/*" | |
] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
tmux new-session -d -s d4 | |
tmux send-keys -t d4 'tmux new-window -n d4-auth ' ENTER | |
tmux send-keys -t d4 'tmux new-window -n d4-eve ' ENTER | |
tmux send-keys -t d4 'tmux new-window -n suricata ' ENTER | |
# D4 - auth.log | |
tmux send-keys -t d4 'tmux send-keys -t d4-auth "tail -F /var/log/auth.log | grep --line-buffered sshd | egrep --line-buffered '"'Invalid user'"' | /home/user/d4-goclient/d4-goclient_linux_amd64 -c /home/administrator/d4-goclient/confs/ssh/" ENTER' ENTER |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
literals: | |
- ((aws.cloudtrail.error_message.keyword:* OR aws.cloudtrail.error_code.keyword:*) OR (event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:*Failure*)) | |
- ((aws.cloudtrail.error_code.keyword:* OR aws.cloudtrail.error_message.keyword:*) OR (event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:*Failure*)) | |
- ((aws.cloudtrail.error_message.keyword:* OR aws.cloudtrail.error_code.keyword:*) OR (aws.cloudtrail.response_elements.keyword:*Failure* AND event.action:"ConsoleLogin")) | |
- ((aws.cloudtrail.error_code.keyword:* OR aws.cloudtrail.error_message.keyword:*) OR (aws.cloudtrail.response_elements.keyword:*Failure* AND event.action:"ConsoleLogin")) | |
- ((event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:*Failure*) OR (aws.cloudtrail.error_message.keyword:* OR aws.cloudtrail.error_code.keyword:*)) | |
- ((event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:*Failure*) OR (aws.cloudtrail.error_code.keyword:* OR aws.clo |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
regexes: | |
- (\(\(aws.cloudtrail.error_message.keyword:.* event.action:\"ConsoleLogin\"\)\)) | |
- (\(\(aws.cloudtrail.error_code.keyword:.* event.action:\"ConsoleLogin\"\)\)) | |
- (\(\(aws.cloudtrail.error_message.keyword:.* aws.cloudtrail.response_elements.keyword:\*Failure\*\)\)) | |
- (\(\(aws.cloudtrail.error_code.keyword:.* aws.cloudtrail.response_elements.keyword:\*Failure\*\)\)) | |
- (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_message.keyword:\*\)\)) | |
- (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_code.keyword:\*\)\)) | |
- (\(\(aws.cloudtrail.response_elements.keyword:\*Failure\*.* aws.cloudtrail.error_message.keyword:\*\)\)) | |
- (\(\(aws.cloudtrail.response_elements.keyword:\*Failure\*.* aws.cloudtrail.error_code.keyword:\*\)\)) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
overrides: | |
- field: event.outcome | |
value: failure | |
regexes: | |
- (\(\(aws.cloudtrail.error_message.keyword:.* event.action:\"ConsoleLogin\"\)\)) | |
- (\(\(aws.cloudtrail.error_code.keyword:.* event.action:\"ConsoleLogin\"\)\)) | |
- (\(\(aws.cloudtrail.error_message.keyword:.* aws.cloudtrail.response_elements.keyword:\*Failure\*\)\)) | |
- (\(\(aws.cloudtrail.error_code.keyword:.* aws.cloudtrail.response_elements.keyword:\*Failure\*\)\)) | |
- (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_message.keyword:\*\)\)) | |
- (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_code.keyword:\*\)\)) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
title: AWS EC2 VM Export failure | |
id: 54b9a76a-3c71-4673-b4b3-2edb4566ea7b | |
status: experimental | |
description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance. | |
references: | |
- https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance | |
author: Diogo Braz | |
date: 2020/04/16 | |
tags: | |
- attack.collection |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
python3 sigmac -c config/ecs-cloudtrail.yml -t es-qs ../rules/cloud/aws_ec2_vm_export_failure.yml | |
((event.action:"CreateInstanceExportTask" AND event.provider:"ec2.amazonaws.com") AND event.outcome:failure) |
OlderNewer