Roberto Rodriguez Cyb3rWard0g
🍻
Cyb3rWard0g
/ winword_load.xml
Created
March 28, 2017 18:53
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Sysmon schemaversion="3.30"> | |
| <!-- Capture all hashes --> | |
| <HashAlgorithms>md5</HashAlgorithms> | |
| <EventFiltering> | |
| <!-- Event ID 1 == Process Creation. --> | |
| <ProcessCreate onmatch="include"/> | |
| <!-- Event ID 2 == File Creation Time. --> | |
| <FileCreateTime onmatch="include"/> | |
| <!-- Event ID 3 == Network Connection. --> | |
| <NetworkConnect onmatch="include"/> |
Cyb3rWard0g
/ net.xml
Last active
July 6, 2018 14:07
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> | |
| - <System> | |
| <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> | |
| <EventID>1</EventID> | |
| <Version>5</Version> | |
| <Level>4</Level> | |
| <Task>1</Task> | |
| <Opcode>0</Opcode> | |
| <Keywords>0x8000000000000000</Keywords> | |
| <TimeCreated SystemTime="2018-07-06T14:05:04.230108800Z" /> |
Cyb3rWard0g
/ sysmon_rulename_filter.conf
Created
July 6, 2018 22:34
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| filter { | |
| if [log_name] == "Microsoft-Windows-Sysmon/Operational"{ | |
| if [event_data][RuleName] { | |
| kv { | |
| source => "[event_data][RuleName]" | |
| field_split => "," | |
| value_split => "=" | |
| prefix => "mitre_" | |
| transform_key => "lowercase" | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Sysmon schemaversion="4.1"> | |
| <!-- Capture all hashes --> | |
| <HashAlgorithms>*</HashAlgorithms> | |
| <EventFiltering> | |
| <!-- Event ID 1 == Process Creation. --> | |
| <ProcessCreate onmatch="include"> | |
| <Image condition="end with">net.exe</Image> | |
| <CommandLine name="technique_id=T1136,technique_name=Create_Account,tactic=persistence, platform=windows" condition="contains">user /add</CommandLine> | |
| </ProcessCreate> | |
| </EventFiltering> |
Cyb3rWard0g
/ test_rulenames.xml
Last active
July 7, 2018 00:58
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Sysmon schemaversion="4.1"> | |
| <!-- Capture all hashes --> | |
| <HashAlgorithms>*</HashAlgorithms> | |
| <EventFiltering> | |
| <!-- Event ID 1 == Process Creation. --> | |
| <ProcessCreate onmatch="include"> | |
| <CommandLine name="technique_id=T1136,technique_name=create_accountccount,tactic=persistence, platform=windows" condition="contains">net user /add</CommandLine> | |
| <CommandLine name="technique_id=T1124,technique_name=system_time_discovery,tactic=discovery, platform=windows" condition="contains">net time</CommandLine> | |
| <CommandLine name="technique_id=T1087,technique_name=account_discovery,tactic=discovery, platform=windows" condition="contains">net localgroup</CommandLine> | |
| <CommandLine name="technique_id=T1007,technique_name=system_service_discovery,tactic=discovery, platform=windows" condition="contains">net start</CommandLine> |
Cyb3rWard0g
/ windows_filtering_platform_layers.xml
Created
October 4, 2018 05:53
This file has been truncated, but you can view the full file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8" standalone="yes"?> | |
| <wfpstate> | |
| <timeStamp>2018-10-04T05:38:46.705Z</timeStamp> | |
| <sessions numItems="15"> | |
| <item> | |
| <sessionKey>{3c1f4d46-4e9d-4fab-bcb5-00c5403ee1cd}</sessionKey> | |
| <displayData> | |
| <name/> | |
| <description/> | |
| </displayData> |
Cyb3rWard0g
/ elastalert_sysmon_powershell_suspicious_parameter_variation_needsfix2.yml
Created
December 8, 2018 09:25
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| alert: | |
| - slack | |
| slack_webhook_url: https://hooks.slack.com/services/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 | |
| description: Detects suspicious PowerShell invocation with a parameter substring | |
| filter: | |
| - query: | |
| query_string: | |
| query: (process_path:("*\\Powershell.exe") AND event_id:"1" AND process_command_line:(" | |
| \-windowstyle h " " \-windowstyl h" " \-windowsty h" " \-windowst h" " \-windows | |
| h" " \-windo h" " \-wind h" " \-win h" " \-wi h" " \-win h " " \-win hi " |
Cyb3rWard0g
/ ksql_demo.yml
Last active
December 18, 2018 22:32
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # HELK KSQL Winlogbeat Config - Blog | |
| # Author: Roberto Rodriguez (@Cyb3rWard0g) | |
| # License: GPL-3.0 | |
| winlogbeat.event_logs: | |
| - name: Microsoft-windows-sysmon/operational | |
| ignore_older: 4h | |
| #----------------------------- Kafka output -------------------------------- | |
| output.kafka: | |
| # initial brokers for reading cluster metadata | |
| hosts: ["192.168.64.138:9092"] |
Cyb3rWard0g
/ sysmon-ksql-processcreate-event
Last active
December 18, 2018 23:35
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 12/18/18 10:42:32 PM UTC , NULL , | |
| { | |
| "@timestamp":"2018-12-18T22:42:32.841Z", | |
| "@metadata": | |
| { | |
| "beat":"winlogbeat", | |
| "type":"doc", | |
| "version":"6.5.3", | |
| "topic":"winlogbeat" | |
| }, |
Cyb3rWard0g
/ sysmon-ksql-networkconnection-event
Created
December 18, 2018 23:39
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 12/18/18 10:42:58 PM UTC , NULL , | |
| { | |
| "@timestamp":"2018-12-18T22:42:58.788Z", | |
| "@metadata": | |
| { | |
| "beat":"winlogbeat", | |
| "type":"doc", | |
| "version":"6.5.3", | |
| "topic":"winlogbeat" | |
| }, |
OlderNewer