#!/usr/bin/env python
import os.path
import sys
import json
from datetime import datetime
import requests
TIMEFILE="/opt/splunk/etc/apps/redcanary_app_analysis/bin/redcanary.lastrun"
#TIMEFILE2="/opt/splunk/etc/apps/redcanary_app_analysis/redcanary2.lastrun"

:: Chain Reaction - Reactor
::
::
:: Tactic: Discovery
:: Technique: System Owner/User Discovery: https://attack.mitre.org/wiki/Technique/T1033
:: Single Endpoint
:: for /F "tokens=1,2" %%i in ('qwinsta /server:<COMPUTERNAME> ^| findstr "Active Disc"') do @echo %%i | find /v "#" | find /v "console" || echo %%j > usernames.txt

{
  "da12b58c5b20b52bb3f7fe3fa545e236": {
    "md5": ["da12b58c5b20b52bb3f7fe3fa545e236"]
  },
  "c5c68606e1e3baabb45644a34ceb36c6": {
    "md5": ["c5c68606e1e3baabb45644a34ceb36c6"]
  },
  "3871d542cfac9dd8af62b8c05ea7304a": {
    "md5": ["3871d542cfac9dd8af62b8c05ea7304a"]
  },

{
  "wmic": {
    "process_name": ["wmic.exe"],
    "cmdline": ["wmic shadowcopy delete"]
  },
  "Vssadmin": {
    "process_name": ["vssadmin.exe"],
    "cmdline": ["vssadmin delete shadows /all /quiet"]
  },
  "bcdedit": {

[POWERSHELL-DOWNLOAD-HUNT]
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
dispatchAs = user
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
search = FileName=powershell.exe (CommandLine=*DownloadFile* OR CommandLine=*invoke-webrequest*) | stats values(CommandLine) as "commands" by ComputerName

{
  "Cl_invocation.ps1": {
    "cmdline": ["Cl_invocation.ps1"]
  },
  "manage-bde": {
    "cmdline": ["manage-bde.vbs"]
  },
  "pubprn": {
    "process_name": ["pubprn.vbs"]
  },

{
  "Powershell": {
    "process_name": ["powershell.exe"]
  },
  "Utilman": {
    "process_name": ["utilman.exe"]
  },
  "msiexec": {
    "process_name": ["msiexec.exe"]
  },

Source: https://www.splunk.com/blog/2017/11/03/you-can-t-hyde-from-dr-levenshtein-when-you-use-url-toolbox.html
Data type required: Carbon Black Response, CrowdStrike Falcon

`cb` process_path=*\\users\\*
| `ut_shannon(process_path)`
| where ut_shannon > 4.5
| stats values(ut_shannon) as "Shannon Entropy Score" by process_path, computer_name
| rename process_path as Process, computer_name as Endpoint

sourcetype="crowdstrike:falconhost:json" ImageFileName=*\\users\\*

#!/usr/bin/env python
"""
OVERVIEW
Extract selected sensor information from Cb Response.
"""
import argparse
import csv

### Stats
| metadata type=sourcetypes index=carbonblack
`cb` | stats values(computer_name)
`cb` type=alert | stats values(docs{}.endpoint) by watchlist_name
`cb` notification_type="watchlist.hit.*" | stats values(watchlist_name)
`cb` | stats values(feed_name)