View sysmon_event_manifest_v9.0.xml
<manifest schemaversion="4.2" binaryversion="8.00">
<configuration>
<options>
<!-- Command-line only options -->
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" />
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" />
<option switch="u" name="UnInstall" argument="none" noconfig="true" exclusive="true" />
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" />
<option switch="t" name="DebugMode" argument="none" noconfig="true" />
<option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" />
View sysmon-join.commands
CREATE STREAM WINLOGBEAT_STREAM (source_name VARCHAR, type VARCHAR, task VARCHAR, log_name VARCHAR, computer_name VARCHAR, event_data STRUCT< UtcTime VARCHAR, ProcessGuid VARCHAR, ProcessId INTEGER, Image VARCHAR, FileVersion VARCHAR, Description VARCHAR, Product VARCHAR, Company VARCHAR, CommandLine VARCHAR, CurrentDirectory VARCHAR, User VARCHAR, LogonGuid VARCHAR, LogonId VARCHAR, TerminalSessionId INTEGER, IntegrityLevel VARCHAR, Hashes VARCHAR, ParentProcessGuid VARCHAR, ParentProcessId INTEGER, ParentImage VARCHAR, ParentCommandLine VARCHAR, Protocol VARCHAR, Initiated VARCHAR, SourceIsIpv6 VARCHAR, SourceIp VARCHAR, SourceHostname VARCHAR, SourcePort INTEGER, SourcePortName VARCHAR, DestinationIsIpv6 VARCHAR, DestinationIp VARCHAR, DestinationHostname VARCHAR, DestinationPort INTEGER, DestinationPortName VARCHAR>, event_id INTEGER) WITH (KAFKA_TOPIC='winlogbeat', VALUE_FORMAT='JSON');
CREATE STREAM WINLOGBEAT_STREAM_REKEY WITH (VALUE_FORMAT='JSON', PARTITIONS=1, TIMESTAMP='event_date_creation') AS SEL
View sysmon-ksql-networkconnection-event
12/18/18 10:42:58 PM UTC , NULL ,
{
"@timestamp":"2018-12-18T22:42:58.788Z",
"@metadata":
{
"beat":"winlogbeat",
"type":"doc",
"version":"6.5.3",
"topic":"winlogbeat"
},
View sysmon-ksql-processcreate-event
12/18/18 10:42:32 PM UTC , NULL ,
{
"@timestamp":"2018-12-18T22:42:32.841Z",
"@metadata":
{
"beat":"winlogbeat",
"type":"doc",
"version":"6.5.3",
"topic":"winlogbeat"
},
View ksql_demo.yml
# HELK KSQL Winlogbeat Config - Blog
# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0
winlogbeat.event_logs:
- name: Microsoft-windows-sysmon/operational
ignore_older: 4h
#----------------------------- Kafka output --------------------------------
output.kafka:
# initial brokers for reading cluster metadata
hosts: ["192.168.64.138:9092"]
View sigma_sysmon_powershell_suspicious_parameter_variation_needsfix2.yml
title: Suspicious PowerShell Parameter Substring
status: experimental
description: Detects suspicious PowerShell invocation with a parameter substring
references:
- http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier
tags:
- attack.execution
- attack.t1086
author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
logsource:
View elastalert_sysmon_powershell_suspicious_parameter_variation_needsfix2.yml
alert:
- slack
slack_webhook_url: https://hooks.slack.com/services/<REDACTED_SLACK_WEBHOOK_TOKEN>  # the webhook path is a credential; it was published in this gist and should be treated as compromised
description: Detects suspicious PowerShell invocation with a parameter substring
filter:
- query:
query_string:
query: (process_path:("*\\Powershell.exe") AND event_id:"1" AND process_command_line:("
\-windowstyle h " " \-windowstyl h" " \-windowsty h" " \-windowst h" " \-windows
h" " \-windo h" " \-wind h" " \-win h" " \-wi h" " \-win h " " \-win hi "
View elastalert_sysmon_powershell_suspicious_parameter_variation_needsfix.yml
alert:
- slack
slack_webhook_url: https://hooks.slack.com/services/<REDACTED_SLACK_WEBHOOK_TOKEN>  # the webhook path is a credential; it was published in this gist and should be treated as compromised
description: Detects suspicious PowerShell invocation with a parameter substring
filter:
- query:
query_string:
query: (process_path:"*\\powershell.exe" AND (" \-windowstyle h " OR " \-windowstyl
h" OR " \-windowsty h" OR " \-windowst h" OR " \-windows h" OR " \-windo h"
OR " \-wind h" OR " \-win h" OR " \-wi h" OR " \-win h " OR " \-win hi " OR
View windows_filtering_platform_layers.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<wfpstate>
<timeStamp>2018-10-04T05:38:46.705Z</timeStamp>
<sessions numItems="15">
<item>
<sessionKey>{3c1f4d46-4e9d-4fab-bcb5-00c5403ee1cd}</sessionKey>
<displayData>
<name/>
<description/>
View test_rulenames.xml
<Sysmon schemaversion="4.1">
<!-- Capture all hashes -->
<HashAlgorithms>*</HashAlgorithms>
<EventFiltering>
<!-- Event ID 1 == Process Creation. -->
<ProcessCreate onmatch="include">
<CommandLine name="technique_id=T1136,technique_name=create_account,tactic=persistence, platform=windows" condition="contains">net user /add</CommandLine>
<CommandLine name="technique_id=T1124,technique_name=system_time_discovery,tactic=discovery, platform=windows" condition="contains">net time</CommandLine>
<CommandLine name="technique_id=T1087,technique_name=account_discovery,tactic=discovery, platform=windows" condition="contains">net localgroup</CommandLine>
<CommandLine name="technique_id=T1007,technique_name=system_service_discovery,tactic=discovery, platform=windows" condition="contains">net start</CommandLine>