Roberto Rodriguez Cyb3rWard0g
🍻
Cyb3rWard0g
/ SilkService-Log-WEF-Subscription.xml
Last active
October 3, 2019 03:46
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription"> | |
| <SubscriptionId>SilkETW</SubscriptionId> | |
| <SubscriptionType>SourceInitiated</SubscriptionType> | |
| <Description>Everything from the SilkService-Log channel</Description> | |
| <Enabled>true</Enabled> | |
| <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri> | |
| <ConfigurationMode>Custom</ConfigurationMode> | |
| <Delivery Mode="Push"> | |
| <Batching> | |
| <MaxItems>1</MaxItems> |
Cyb3rWard0g
/ erebor-winlogbeat.yml
Created
October 3, 2019 03:44
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ###################### Winlogbeat Configuration Example ######################## | |
| # Author: Roberto Rodriguez @Cyb3rWard0g | |
| # License: GPL Version 3 | |
| # Mordor Environment: Erebor | |
| #======================= WEC Winlogbeat Configuration =========================== | |
| winlogbeat.event_logs: | |
| - name: ForwardedEvents | |
| ignore_older: 72h |
Cyb3rWard0g
/ silketw-logstash-filter.conf
Created
October 3, 2019 04:20
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # HELK winevent-silkservice filter conf file | |
| # HELK build Stage: Alpha | |
| # Author: Roberto Rodriguez (@Cyb3rWard0g) | |
| # License: GPL-3.0 | |
| # Reference: https://github.com/Cyb3rWard0g/HELK/blob/master/docker/helk-logstash/pipeline/1010-winevent-winlogbeats-filter.conf | |
| filter { | |
| if [log_name] == "SilkService-Log"{ | |
| mutate { add_field => { "z_logstash_pipeline" => "1536" } } | |
| json { |
Cyb3rWard0g
/ silketw-logstash-output.conf
Created
October 3, 2019 04:21
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # HELK SilkETW service output conf file | |
| # HELK build Stage: Alpha | |
| # Author: Roberto Rodriguez (@Cyb3rWard0g) | |
| # License: GPL-3.0 | |
| output { | |
| if [log_name] == "SilkService-Log" { | |
| elasticsearch { | |
| hosts => ["helk-elasticsearch:9200"] | |
| index => "logs-endpoint-winevent-etw-%{+YYYY.MM.dd}" |
Cyb3rWard0g
/ erebor-SilkServiceConfig.xml
Created
October 3, 2019 05:19
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!-- | |
| SilkService Config | |
| Author: Roberto Rodriguez (@Cyb3rWard0g) | |
| License: GPL-3.0 | |
| Version: 0.0.1 | |
| References: https://github.com/Cyb3rWard0g/mordor/blob/master/environments/windows/configs/erebor/erebor_SilkServiceConfig.xml | |
| --> | |
| <SilkServiceConfig> | |
| <!-- |
Cyb3rWard0g
/ silkservice-dotnetruntime-event-sample.json
Created
October 5, 2019 05:01
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "@timestamp": "2019-10-05T04:58:54.508Z", | |
| "@metadata": { | |
| "beat": "winlogbeat", | |
| "type": "_doc", | |
| "version": "7.4.0", | |
| "topic": "winlogbeat" | |
| }, | |
| "log": { | |
| "level": "information" |
Cyb3rWard0g
/ silkservice-logstash-filter.conf
Created
October 5, 2019 05:05
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # HELK winevent-silkservice filter conf file | |
| # HELK build Stage: Alpha | |
| # Author: Roberto Rodriguez (@Cyb3rWard0g) | |
| # License: GPL-3.0 | |
| # Reference: https://github.com/Cyb3rWard0g/HELK/blob/master/docker/helk-logstash/pipeline/1010-winevent-winlogbeats-filter.conf | |
| filter { | |
| if [log_name] == "SilkService-Log"{ | |
| mutate { add_field => { "z_logstash_pipeline" => "1536" } } | |
| json { |
Cyb3rWard0g
/ silkservice-logstash-output.conf
Created
October 5, 2019 05:10
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # HELK SilkETW service output conf file | |
| # HELK build Stage: Alpha | |
| # Author: Roberto Rodriguez (@Cyb3rWard0g) | |
| # License: GPL-3.0 | |
| output { | |
| if [log_name] == "SilkService-Log" and [@metadata][helk_parsed] == "yes" { | |
| elasticsearch { | |
| hosts => ["helk-elasticsearch:9200"] | |
| index => "logs-endpoint-winevent-etw-%{+YYYY.MM.dd}" |
Cyb3rWard0g
/ Dockerfile
Created
November 6, 2019 23:59
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # ThreatHunter Playbook: Jupyter Environment Dockerfile | |
| # Author: Roberto Rodriguez (@Cyb3rWard0g) | |
| # License: GPL-3.0 | |
| FROM cyb3rward0g/jupyter-pyspark:0.0.2 | |
| LABEL maintainer="Roberto Rodriguez @Cyb3rWard0g" | |
| LABEL description="Dockerfile ThreatHunter Playbook Project." | |
| ARG NB_USER | |
| ARG NB_UID |
Cyb3rWard0g
/ G0005-enterprise-layer.json
Created
November 11, 2019 21:23
https://attack.mitre.org/groups/G0005/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "description": "Enterprise techniques used by APT12, ATT&CK group G0005 v2.0", | |
| "name": "APT12 (G0005)", | |
| "domain": "mitre-enterprise", | |
| "version": "2.2", | |
| "techniques": [ | |
| { | |
| "score": 1, | |
| "techniqueID": "T1203", | |
| "comment": "APT12 has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities (CVE-2009-3129, CVE-2012-0158) and vulnerabilities in Adobe Reader and Flash (CVE-2009-4324, CVE-2009-0927, CVE-2011-0609, CVE-2011-0611)." |