Tiago Faria 0xtf

## tcprewrite-cheat-sheet
Visualization (tcpdump, tshark)

tcpdump -qns 0 -X -r file.pcap
tcpdump -qns 0 -A -r file.pcap
tcpdump -X -r file.pcap
tshark -r file.pcap -V

Packet manipulation (tcprewrite)

Port: tcprewrite --portmap=OLDPORT:NEWPORT -i in.pcap -o out.pcap

## tlp-colors
TLP:RED #FF2B2B
TLP:AMBER #ffc000
TLP:GREEN #33ff00
TLP:WHITE #ffffff

## myip-SG-update-based-on-description
#!/bin/bash

# This is based on the work done at https://gist.github.com/isalgueiro/212a612fc232f1437ce88876937691d3/revisions#diff-c6d6f47361666bfba5538e6e0101bafd

####################
# Define variables #
####################
# Expected for securityGroupIds is sg-...
securityGroupIds="Insert_Your_SGID"
# Expected for ruleDescription is something like Home, or OfficeNY

## S3 + Cloudfront CICD Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::your_website.com",
                "arn:aws:s3:::your_website.com/*"
            ]

## d4-tmux.sh
#!/bin/bash

tmux new-session -d -s d4

tmux send-keys -t d4 'tmux new-window -n d4-auth ' ENTER
tmux send-keys -t d4 'tmux new-window -n d4-eve ' ENTER
tmux send-keys -t d4 'tmux new-window -n suricata ' ENTER

# D4 - auth.log
tmux send-keys -t d4 'tmux send-keys -t d4-auth "tail -F /var/log/auth.log | grep --line-buffered sshd | egrep --line-buffered '"'Invalid user'"' | /home/user/d4-goclient/d4-goclient_linux_amd64 -c /home/administrator/d4-goclient/confs/ssh/" ENTER' ENTER

## sigma-overrides-literals.yaml
literals:
  - ((aws.cloudtrail.error_message.keyword:* OR aws.cloudtrail.error_code.keyword:*) OR (event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:*Failure*))
  - ((aws.cloudtrail.error_code.keyword:* OR aws.cloudtrail.error_message.keyword:*) OR (event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:*Failure*))
  - ((aws.cloudtrail.error_message.keyword:* OR aws.cloudtrail.error_code.keyword:*) OR (aws.cloudtrail.response_elements.keyword:*Failure* AND event.action:"ConsoleLogin"))
  - ((aws.cloudtrail.error_code.keyword:* OR aws.cloudtrail.error_message.keyword:*) OR (aws.cloudtrail.response_elements.keyword:*Failure* AND event.action:"ConsoleLogin"))
  - ((event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:*Failure*) OR (aws.cloudtrail.error_message.keyword:* OR aws.cloudtrail.error_code.keyword:*))
  - ((event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:*Failure*) OR (aws.cloudtrail.error_code.keyword:* OR aws.clo

## sigma-overrides-regexes.yaml
regexes:
  - (\(\(aws.cloudtrail.error_message.keyword:.* event.action:\"ConsoleLogin\"\)\))
  - (\(\(aws.cloudtrail.error_code.keyword:.* event.action:\"ConsoleLogin\"\)\))
  - (\(\(aws.cloudtrail.error_message.keyword:.* aws.cloudtrail.response_elements.keyword:\*Failure\*\)\))
  - (\(\(aws.cloudtrail.error_code.keyword:.* aws.cloudtrail.response_elements.keyword:\*Failure\*\)\))
  - (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_message.keyword:\*\)\))
  - (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_code.keyword:\*\)\))
  - (\(\(aws.cloudtrail.response_elements.keyword:\*Failure\*.* aws.cloudtrail.error_message.keyword:\*\)\))
  - (\(\(aws.cloudtrail.response_elements.keyword:\*Failure\*.* aws.cloudtrail.error_code.keyword:\*\)\))

## sigma-overrides-config.yaml
overrides:
  - field: event.outcome
    value: failure
    regexes:
      - (\(\(aws.cloudtrail.error_message.keyword:.* event.action:\"ConsoleLogin\"\)\))
      - (\(\(aws.cloudtrail.error_code.keyword:.* event.action:\"ConsoleLogin\"\)\))
      - (\(\(aws.cloudtrail.error_message.keyword:.* aws.cloudtrail.response_elements.keyword:\*Failure\*\)\))
      - (\(\(aws.cloudtrail.error_code.keyword:.* aws.cloudtrail.response_elements.keyword:\*Failure\*\)\))
      - (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_message.keyword:\*\)\))
      - (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_code.keyword:\*\)\))

## sigma-with-failure-logic.yaml
title: AWS EC2 VM Export failure
id: 54b9a76a-3c71-4673-b4b3-2edb4566ea7b
status: experimental
description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
references:
  - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance
author: Diogo Braz
date: 2020/04/16
tags:
  - attack.collection

## ecs-cloudtrail-mapping
python3 sigmac -c config/ecs-cloudtrail.yml -t es-qs ../rules/cloud/aws_ec2_vm_export_failure.yml

((event.action:"CreateInstanceExportTask" AND event.provider:"ec2.amazonaws.com") AND event.outcome:failure)
	Visualization (tcpdump, tshark)

	tcpdump -qns 0 -X -r file.pcap
	tcpdump -qns 0 -A -r file.pcap
	tcpdump -X -r file.pcap
	tshark -r file.pcap -V

	Packet manipulation (tcprewrite)

	Port: tcprewrite --portmap=OLDPORT:NEWPORT -i in.pcap -o out.pcap
	TLP:RED #FF2B2B
	TLP:AMBER #ffc000
	TLP:GREEN #33ff00
	TLP:WHITE #ffffff
	#!/bin/bash

	# This is based on the work done at https://gist.github.com/isalgueiro/212a612fc232f1437ce88876937691d3/revisions#diff-c6d6f47361666bfba5538e6e0101bafd

	####################
	# Define variables #
	####################
	# Expected for securityGroupIds is sg-...
	securityGroupIds="Insert_Your_SGID"
	# Expected for ruleDescription is something like Home, or OfficeNY
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Effect": "Allow",
	"Action": "s3:*",
	"Resource": [
	"arn:aws:s3:::your_website.com",
	"arn:aws:s3:::your_website.com/*"
	]
	#!/bin/bash

	tmux new-session -d -s d4

	tmux send-keys -t d4 'tmux new-window -n d4-auth ' ENTER
	tmux send-keys -t d4 'tmux new-window -n d4-eve ' ENTER
	tmux send-keys -t d4 'tmux new-window -n suricata ' ENTER

	# D4 - auth.log
	tmux send-keys -t d4 'tmux send-keys -t d4-auth "tail -F /var/log/auth.log \| grep --line-buffered sshd \| egrep --line-buffered '"'Invalid user'"' \| /home/user/d4-goclient/d4-goclient_linux_amd64 -c /home/administrator/d4-goclient/confs/ssh/" ENTER' ENTER
	literals:
	- ((aws.cloudtrail.error_message.keyword:* OR aws.cloudtrail.error_code.keyword:) OR (event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:Failure*))
	- ((aws.cloudtrail.error_code.keyword:* OR aws.cloudtrail.error_message.keyword:) OR (event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:Failure*))
	- ((aws.cloudtrail.error_message.keyword:* OR aws.cloudtrail.error_code.keyword:) OR (aws.cloudtrail.response_elements.keyword:Failure* AND event.action:"ConsoleLogin"))
	- ((aws.cloudtrail.error_code.keyword:* OR aws.cloudtrail.error_message.keyword:) OR (aws.cloudtrail.response_elements.keyword:Failure* AND event.action:"ConsoleLogin"))
	- ((event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:Failure) OR (aws.cloudtrail.error_message.keyword:* OR aws.cloudtrail.error_code.keyword:*))
	- ((event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:Failure) OR (aws.cloudtrail.error_code.keyword:* OR aws.clo
	regexes:
	- (\(\(aws.cloudtrail.error_message.keyword:.* event.action:\"ConsoleLogin\"\)\))
	- (\(\(aws.cloudtrail.error_code.keyword:.* event.action:\"ConsoleLogin\"\)\))
	- (\(\(aws.cloudtrail.error_message.keyword:.* aws.cloudtrail.response_elements.keyword:\Failure\\)\))
	- (\(\(aws.cloudtrail.error_code.keyword:.* aws.cloudtrail.response_elements.keyword:\Failure\\)\))
	- (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_message.keyword:\*\)\))
	- (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_code.keyword:\*\)\))
	- (\(\(aws.cloudtrail.response_elements.keyword:\Failure\.* aws.cloudtrail.error_message.keyword:\*\)\))
	- (\(\(aws.cloudtrail.response_elements.keyword:\Failure\.* aws.cloudtrail.error_code.keyword:\*\)\))
	overrides:
	- field: event.outcome
	value: failure
	regexes:
	- (\(\(aws.cloudtrail.error_message.keyword:.* event.action:\"ConsoleLogin\"\)\))
	- (\(\(aws.cloudtrail.error_code.keyword:.* event.action:\"ConsoleLogin\"\)\))
	- (\(\(aws.cloudtrail.error_message.keyword:.* aws.cloudtrail.response_elements.keyword:\Failure\\)\))
	- (\(\(aws.cloudtrail.error_code.keyword:.* aws.cloudtrail.response_elements.keyword:\Failure\\)\))
	- (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_message.keyword:\*\)\))
	- (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_code.keyword:\*\)\))
	title: AWS EC2 VM Export failure
	id: 54b9a76a-3c71-4673-b4b3-2edb4566ea7b
	status: experimental
	description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
	references:
	- https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance
	author: Diogo Braz
	date: 2020/04/16
	tags:
	- attack.collection
	python3 sigmac -c config/ecs-cloudtrail.yml -t es-qs ../rules/cloud/aws_ec2_vm_export_failure.yml

	((event.action:"CreateInstanceExportTask" AND event.provider:"ec2.amazonaws.com") AND event.outcome:failure)