"bash_reverse_shell": {
"query": "SELECT * FROM processes WHERE cmdline LIKE '/bin/bash -i >& /dev/tcp/%';",
"interval": 30,
"description": "Looks for processes that resemble a bash reverse shell"
}
$ vagrant reload dc --provision --debug
INFO global: Vagrant version: 2.2.4
INFO global: Ruby version: 2.4.4
INFO global: RubyGems version: 2.6.14.1
INFO global: VAGRANT_DEFAULT_PROVIDER="vmware_desktop"
INFO global: VAGRANT_EXECUTABLE="/opt/vagrant/embedded/gems/2.2.4/gems/vagrant-2.2.4/bin/vagrant"
INFO global: VAGRANT_INSTALLER_VERSION="2"
INFO global: VAGRANT_INSTALLER_ENV="1"
INFO global: VAGRANT_INSTALLER_EMBEDDED_DIR="/opt/vagrant/embedded"
INFO global: VAGRANT_LOG="debug"
$ aws ec2 describe-images --owners 505638924199 --executable-users all
{
    "Images": [
        {
            "Architecture": "x86_64",
            "CreationDate": "2019-03-05T04:27:56.000Z",
            "ImageId": "ami-00ae1022c8a735d81",
            "ImageLocation": "505638924199/import-ami-09eb68f773fab5bf8",
            "ImageType": "machine",
            "Public": true,
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2019-03-12T06:13:46.6956561</Date>
    <Author>WEF\vagrant</Author>
    <Description>Grabs the latest config from the Caldera server</Description>
    <URI>\Caldera_Config_Fixer</URI>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
# This script downloads an updated Caldera config if the one in place
# is found to not match the one on the server
$tempCalderaCertFromServer = "c:\windows\temp\conf.yml"
$cagentConfPath = "C:\Program Files\cagent\conf.yml"
try {
    # Certificate validation is disabled for the lab's self-signed cert before fetching conf.yml
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    (New-Object System.Net.WebClient).DownloadFile('https://logger:8888/conf.yml', $tempCalderaCertFromServer)
} catch {
    Write-Host "The Caldera server cannot be reached at this time."
}
{
  "options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem",
    "host_identifier": "hostname",
    "event_pubsub_expiry": "86000",
    "debug": "false",
    "verbose_debug": "false",
    "worker_threads": "4",
    "schedule_splay_percent": 10
{
  "platform": "linux",
  "schedule": {
    "detect_responder": {
      "query": "SELECT * FROM detect_responder;",
      "interval": 10
    }
  }
}
Python shell launched and caught:
osquery> select distinct(processes.pid), processes.parent, processes.name, processes.path, processes.cmdline, processes.cwd, processes.root, processes.uid, processes.gid, processes.start_time, process_open_sockets.remote_address, process_open_sockets.remote_port from processes join process_open_sockets using (pid) left outer join process_open_files on processes.pid = process_open_files.pid WHERE (name='Python' OR name='sh' OR name='bash') AND process_open_files.pid is null;
+-----+--------+--------+-----------------------------------------------------------------------------------------------------+------------+--------------+------+-----+-----+------------+----------------+-------------+
| pid | parent | name | path | cmdline | cwd | root | uid | gid | start_time | remote_address | remote_port |
+-----+--------+--------+------------------------------------------
# Generate a base64 encoded random string with length provided in $1
function generate_random() {
    docker run --rm --entrypoint sh kolide/openssl -c "cat /dev/random | base64 | head -c $1"
}
$ sudo osqueryi --extension osquery-facebook/build/darwin10.12/external/extension_efigy/efigy.ext --allow_unsafe --verbose
I1214 15:24:28.376690 3197526976 init.cpp:382] osquery initialized [version=2.10.2]
I1214 15:24:28.376940 3197526976 extensions.cpp:288] Could not autoload extensions: Failed reading: /var/osquery/extensions.load
I1214 15:24:28.378172 153985024 watcher.cpp:563] Created and monitoring extension child (30280): osquery-facebook/build/darwin10.12/external/extension_efigy/efigy.ext
I1214 15:24:28.378330 155058176 interface.cpp:327] Extension manager service starting: .osquery/shell.em
Connecting to the running osquery instance...
I1214 15:24:28.388691 3197526976 init.cpp:385] osquery extension initialized [sdk=2.10.4]
I1214 15:24:28.391145 156119040 interface.cpp:141] Registering extension (efigy, 42198, version=1.0.0, sdk=2.10.4)
I1214 15:24:28.410346 156119040 registry.cpp:351] Extension 42198 registered table plugin efigy
I1214 15:24:28.412704 56770560 interface.cpp:316] Extension service