{
"name": "file_events",
"hostIdentifier": "computer.local",
"calendarTime": "Mon Mar 13 07:03:13 2017 UTC",
"unixTime": "1489388593",
"columns": {
"action": "CREATED",
"atime": "1489388581",
"category": "tmp",
Chris Long clong
clong
/ osquery.conf
Created
September 1, 2015 18:30
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "options": { | |
| "config_plugin": "filesystem", | |
| "logger_plugin": "filesystem", | |
| "host_identifier": "hostname", | |
| "event_pubsub_expiry": "86000", | |
| "debug": "false", | |
| "verbose_debug": "false", | |
| "worker_threads": "4", | |
| "schedule_splay_percent": 10 |
clong
/ install-go-audit-osquery.sh
Last active
March 17, 2017 12:13
go-audit and osquery bootstrap script
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /bin/bash | |
| sudo su | |
| apt-get update && apt-get upgrade -y && apt-get install -y build-essential golang git jq auditd | |
| cd /root | |
| # Update Golang from 1.2 to 1.7 or compilation of go-audit will fail | |
| wget https://storage.googleapis.com/golang/go1.7.linux-amd64.tar.gz | |
| tar -xvf go1.7.linux-amd64.tar.gz | |
| mv go /usr/local |
clong
/ hardware_events.md
Created
March 15, 2017 07:15
{
"action": "added",
"columns": {
"vendor_id": "1050",
"vendor": "Yubico",
"type": "IOUSBDevice",
"action": "attach",
"driver": "IOUSBDeviceUserClientV2",
"model": "Yubikey NEO OTP+U2F+CCID",
clong
/ scenario.md
Last active
March 11, 2019 21:07
"bash_reverse_shell": {
"query": "SELECT * FROM processes WHERE cmdline LIKE '/bin/bash -i >& /dev/tcp/%';",
"interval": 30,
"description": "Looks for processes that resemble a bash reverse shell"
}
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SELECT * FROM python_packages WHERE name = 'acqusition' OR name = 'apidev-coop' OR name = 'bzip' OR name = 'crypt' OR name = 'django-server' OR name = 'pwd' OR name = 'setup-tools' OR name = 'telnet' OR name = 'urlib3' OR name = 'urllib'; |
clong
/ Native-Windows-Useragentss.txt
Created
September 23, 2017 06:41
Native Windows UserAgents for Threat Hunting
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Invoke-WebRequest: | |
| Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.1066 | |
| System.Net.WebClient.DownloadFile(): | |
| None | |
| Start-BitsTransfer: | |
| Microsoft BITS/7.8 | |
| certutil.exe: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <string.h> | |
| int filter(char* cmd){ | |
| int r=0; | |
| r += strstr(cmd, "flag")!=0; | |
| r += strstr(cmd, "sh")!=0; | |
| r += strstr(cmd, "tmp")!=0; | |
| return r; | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <string.h> | |
| int filter(char* cmd){ | |
| int r=0; | |
| r += strstr(cmd, "=")!=0; | |
| r += strstr(cmd, "PATH")!=0; | |
| r += strstr(cmd, "export")!=0; | |
| r += strstr(cmd, "/")!=0; | |
| r += strstr(cmd, "`")!=0; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ sudo osqueryi --extension osquery-facebook/build/darwin10.12/external/extension_efigy/efigy.ext --allow_unsafe --verbose | |
| I1214 15:24:28.376690 3197526976 init.cpp:382] osquery initialized [version=2.10.2] | |
| I1214 15:24:28.376940 3197526976 extensions.cpp:288] Could not autoload extensions: Failed reading: /var/osquery/extensions.load | |
| I1214 15:24:28.378172 153985024 watcher.cpp:563] Created and monitoring extension child (30280): osquery-facebook/build/darwin10.12/external/extension_efigy/efigy.ext | |
| I1214 15:24:28.378330 155058176 interface.cpp:327] Extension manager service starting: .osquery/shell.em | |
| Connecting to the running osquery instance... | |
| I1214 15:24:28.388691 3197526976 init.cpp:385] osquery extension initialized [sdk=2.10.4] | |
| I1214 15:24:28.391145 156119040 interface.cpp:141] Registering extension (efigy, 42198, version=1.0.0, sdk=2.10.4) | |
| I1214 15:24:28.410346 156119040 registry.cpp:351] Extension 42198 registered table plugin efigy | |
| I1214 15:24:28.412704 56770560 interface.cpp:316] Extension service |
OlderNewer