{
"name": "file_events",
"hostIdentifier": "computer.local",
"calendarTime": "Mon Mar 13 07:03:13 2017 UTC",
"unixTime": "1489388593",
"columns": {
"action": "CREATED",
"atime": "1489388581",
"category": "tmp",
Chris Long clong
clong
/ hardware_events.md
Created
March 15, 2017 07:15
{
"action": "added",
"columns": {
"vendor_id": "1050",
"vendor": "Yubico",
"type": "IOUSBDevice",
"action": "attach",
"driver": "IOUSBDeviceUserClientV2",
"model": "Yubikey NEO OTP+U2F+CCID",
clong
/ install-go-audit-osquery.sh
Last active
March 17, 2017 12:13
go-audit and osquery bootstrap script
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /bin/bash | |
| sudo su | |
| apt-get update && apt-get upgrade -y && apt-get install -y build-essential golang git jq auditd | |
| cd /root | |
| # Update Golang from 1.2 to 1.7 or compilation of go-audit will fail | |
| wget https://storage.googleapis.com/golang/go1.7.linux-amd64.tar.gz | |
| tar -xvf go1.7.linux-amd64.tar.gz | |
| mv go /usr/local |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SELECT * FROM python_packages WHERE name = 'acqusition' OR name = 'apidev-coop' OR name = 'bzip' OR name = 'crypt' OR name = 'django-server' OR name = 'pwd' OR name = 'setup-tools' OR name = 'telnet' OR name = 'urlib3' OR name = 'urllib'; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <string.h> | |
| int filter(char* cmd){ | |
| int r=0; | |
| r += strstr(cmd, "flag")!=0; | |
| r += strstr(cmd, "sh")!=0; | |
| r += strstr(cmd, "tmp")!=0; | |
| return r; | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <string.h> | |
| int filter(char* cmd){ | |
| int r=0; | |
| r += strstr(cmd, "=")!=0; | |
| r += strstr(cmd, "PATH")!=0; | |
| r += strstr(cmd, "export")!=0; | |
| r += strstr(cmd, "/")!=0; | |
| r += strstr(cmd, "`")!=0; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ sudo osqueryi --extension osquery-facebook/build/darwin10.12/external/extension_efigy/efigy.ext --allow_unsafe --verbose | |
| I1214 15:24:28.376690 3197526976 init.cpp:382] osquery initialized [version=2.10.2] | |
| I1214 15:24:28.376940 3197526976 extensions.cpp:288] Could not autoload extensions: Failed reading: /var/osquery/extensions.load | |
| I1214 15:24:28.378172 153985024 watcher.cpp:563] Created and monitoring extension child (30280): osquery-facebook/build/darwin10.12/external/extension_efigy/efigy.ext | |
| I1214 15:24:28.378330 155058176 interface.cpp:327] Extension manager service starting: .osquery/shell.em | |
| Connecting to the running osquery instance... | |
| I1214 15:24:28.388691 3197526976 init.cpp:385] osquery extension initialized [sdk=2.10.4] | |
| I1214 15:24:28.391145 156119040 interface.cpp:141] Registering extension (efigy, 42198, version=1.0.0, sdk=2.10.4) | |
| I1214 15:24:28.410346 156119040 registry.cpp:351] Extension 42198 registered table plugin efigy | |
| I1214 15:24:28.412704 56770560 interface.cpp:316] Extension service |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Generate a base64 encoded random string with length provided in $1 | |
| function generate_random() { | |
| docker run --rm --entrypoint sh kolide/openssl -c "cat /dev/random | base64 | head -c $1" | |
| } |
Python shell launched and caught:
osquery> select distinct(processes.pid), processes.parent, processes.name, processes.path, processes.cmdline, processes.cwd, processes.root, processes.uid, processes.gid, processes.start_time, process_open_sockets.remote_address, process_open_sockets.remote_port from processes join process_open_sockets using (pid) left outer join process_open_files on processes.pid = process_open_files.pid WHERE (name='Python' OR name='sh' OR name='bash') AND process_open_files.pid is null;
+-----+--------+--------+-----------------------------------------------------------------------------------------------------+------------+--------------+------+-----+-----+------------+----------------+-------------+
| pid | parent | name | path | cmdline | cwd | root | uid | gid | start_time | remote_address | remote_port |
+-----+--------+--------+------------------------------------------
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "platform": "linux", | |
| "schedule": { | |
| "detect_responder": { | |
| "query": "SELECT * FROM detect_responder;", | |
| "interval": 10 | |
| } | |
| } | |
| } |
OlderNewer