christian christian-taillon

## gui_attendedAccess_script.
#!/bin/bash

# Function to disable GUI and power management
disable_gui_power() {
    echo "Disabling GUI and power management..."

    # Disable sleep and hibernate
    systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target

    # Disable GNOME power management

## C-00000291-00000000-00000032.sys


## vCISO-GPT-Actions.json
{
  "openapi": "3.1.0",
  "info": {
    "title": "ZDNet | Zero Day RSS Feed",
    "description": "Fetches the latest cybersecurity news from ZDNet's Zero Day blog.",
    "version": "1.0.0"
  },
  "servers": [
    {
      "url": "https://www.zdnet.com"

## Suricata Rules Format
# Suricata Rulesets URLs

- Corelight Labs Suricata Rules: [https://feed.corelight.com/corelight.rules](https://feed.corelight.com/corelight.rules)
- ET/Open: [https://rules.emergingthreats.net/open/suricata-6.0/emerging.rules.tar.gz](https://rules.emergingthreats.net/open/suricata-6.0/emerging.rules.tar.gz)
- ET/Pro: [https://rules.emergingthreatspro.com/<insert-et-pro-key-here>/suricata-6.0/etpro.rules.tar.gz](https://rules.emergingthreatspro.com/<insert-et-pro-key-here>/suricata-6.0/etpro.rules.tar.gz)
- etnetera/aggressive: [https://security.etnetera.cz/feeds/etn_aggressive.rules](https://security.etnetera.cz/feeds/etn_aggressive.rules)
- malsilo: [https://malsilo.gitlab.io/feeds/dumps/malsilo.rules.tar.gz](https://malsilo.gitlab.io/feeds/dumps/malsilo.rules.tar.gz)
- oisf/trafficid rules: [https://openinfosecfoundation.org/rules/trafficid/trafficid](https://openinfosecfoundation.org/rules/trafficid/trafficid)
- ptresearch/attackdetection: [https://raw.githubusercontent.com/ptresearch/AttackDetection/mast

## ioc-extract-cyberchef-recipe.txt
https://gchq.github.io/CyberChef/#recipe=Extract_domains(false,true,true)Extract_URLs(false,true,true/disabled)Extract_email_addresses(false,true,true/disabled)Extract_IP_addresses(true,true,false,false,false,false/disabled)Defang_URL(true,true,true,'Valid%20domains%20and%20full%20URLs')Defang_IP_Addresses()

## network-Malicious Labyrinth Chollima DNS Beacon Query.yaml
title: Malicious Labyrinth Chollima DNS Beacon Query - DNS Client
id: 35c355a3-8c9d-4772-bbbc-327434770e4a
status: test
description: Detects a program that invoked suspicious DNS queries known from Labyrinth Chollima's C3X beacons
references:
    - https://www.crowdstrike.com/adversaries/labyrinth-chollima/
    - https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
    - https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp
    - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
    - https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898

## SCCM Deployment
Creating the actual deployment
1.	SCCM Console
2.	Software Library
3.	App Management
4.	Applications -> Server Software
5.	Create Application
6.	If it's an MSI installer so a lot of the info is prepopulated just plug in your install string
7.	Populate what info you see fit / relevant
8.	Finish
9.	Distribute the content to the software group

## slack_theme.csv

          
            #1A1D21
            #121016
            #2C2C2C
            #FB8C00
            #FB8C00
            #FFB05C
            #2BAC76
            #FB8C00
            #2C2C2C
            #FFB05C

## Splunk Template View
<form theme="dark">
  <label>Splunk Template View</label>
  <description>I frequently find my self trying to remember what is required for a new view creation.</description>
  <fieldset autoRun="true" submitButton="true">
    <input type="time" token="time">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>

## Reset a domain password from Linux using nslookup to identify DC IP address.
smbpasswd -U $user$ -r `nslookup _ldap._tcp.dc._msdcs.$domain$ | awk '{print $2;exit;}'`
	#!/bin/bash

	# Function to disable GUI and power management
	disable_gui_power() {
	echo "Disabling GUI and power management..."

	# Disable sleep and hibernate
	systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target

	# Disable GNOME power management
	{
	"openapi": "3.1.0",
	"info": {
	"title": "ZDNet \| Zero Day RSS Feed",
	"description": "Fetches the latest cybersecurity news from ZDNet's Zero Day blog.",
	"version": "1.0.0"
	},
	"servers": [
	{
	"url": "https://www.zdnet.com"
	# Suricata Rulesets URLs

	- Corelight Labs Suricata Rules: [https://feed.corelight.com/corelight.rules](https://feed.corelight.com/corelight.rules)
	- ET/Open: [https://rules.emergingthreats.net/open/suricata-6.0/emerging.rules.tar.gz](https://rules.emergingthreats.net/open/suricata-6.0/emerging.rules.tar.gz)
	- ET/Pro: [https://rules.emergingthreatspro.com/<insert-et-pro-key-here>/suricata-6.0/etpro.rules.tar.gz](https://rules.emergingthreatspro.com/<insert-et-pro-key-here>/suricata-6.0/etpro.rules.tar.gz)
	- etnetera/aggressive: [https://security.etnetera.cz/feeds/etn_aggressive.rules](https://security.etnetera.cz/feeds/etn_aggressive.rules)
	- malsilo: [https://malsilo.gitlab.io/feeds/dumps/malsilo.rules.tar.gz](https://malsilo.gitlab.io/feeds/dumps/malsilo.rules.tar.gz)
	- oisf/trafficid rules: [https://openinfosecfoundation.org/rules/trafficid/trafficid](https://openinfosecfoundation.org/rules/trafficid/trafficid)
	- ptresearch/attackdetection: [https://raw.githubusercontent.com/ptresearch/AttackDetection/mast
	title: Malicious Labyrinth Chollima DNS Beacon Query - DNS Client
	id: 35c355a3-8c9d-4772-bbbc-327434770e4a
	status: test
	description: Detects a program that invoked suspicious DNS queries known from Labyrinth Chollima's C3X beacons
	references:
	- https://www.crowdstrike.com/adversaries/labyrinth-chollima/
	- https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
	- https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp
	- https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
	- https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898
	Creating the actual deployment
	1. SCCM Console
	2. Software Library
	3. App Management
	4. Applications -> Server Software
	5. Create Application
	6. If it's an MSI installer so a lot of the info is prepopulated just plug in your install string
	7. Populate what info you see fit / relevant
	8. Finish
	9. Distribute the content to the software group
	<form theme="dark">
	<label>Splunk Template View</label>
	<description>I frequently find my self trying to remember what is required for a new view creation.</description>
	<fieldset autoRun="true" submitButton="true">
	<input type="time" token="time">
	<label>Time</label>
	<default>
	<earliest>-24h@h</earliest>
	<latest>now</latest>
	</default>