rem Interactive cmd.exe form (inside a .bat file write %%i): run BrowsingHistoryView over every
rem file in D:\webcache_files as a custom IE10+ WebCache file and write one CSV per input
rem (%~ni is the input file name without its extension).
for %i in (D:\webcache_files\*) do BrowsingHistoryView.exe /HistorySource 6 /CustomFiles.IE10Files "%i" /scomma %~ni.csv
1. Parse evtx logs with evtxdump.py (https://github.com/williballenthin/python-evtx)
2. Create the custom Splunk sourcetype "winevtx":
Edit $SPLUNK_HOME/etc/system/local/props.conf
[winevtx]
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^\<Event xmlns=
Slight modification of the tcpdump filter expression included in the heartbleed.py script by Riverbed [1][2] to detect live client-side Heartbleed attacks.
The original filter was modified to detect traffic to a specific client host from any port. The length check was also changed to 68. For more information about this tcpdump filter, see the Riverbed blog post [2].
Detection tested with https://reverseheartbleed.com
tcpdump -i <INTERFACE> "((not ether proto 0x8100) and (tcp and dst host <HOST_IP> and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4] = 0x18) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 1] = 0x03) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 2] < 0x04) and ((ip[2:2] - 4 * (ip[0] & 0x0F) - 4 * ((tcp[12] & 0xF0) >> 4) > 68)))) or (vlan and (tcp and dst host <HOST_IP> and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4] = 0x18) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 1] = 0x03) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 2] < 0x04) and ((ip[2:2] - 4 * (ip[0] & 0x0F) - 4 * ((tcp[12] & 0xF0) >> 4) > 68))))"
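The filter above indexes into the first TLS record of the TCP payload: record type 0x18 (heartbeat), version bytes 0x03 / below 0x04, and a TCP payload longer than 68 bytes, on both untagged and 802.1Q-tagged frames. The following is an added example, not part of the gist or Riverbed's script, that re-implements the same byte arithmetic in Python over constructed IPv4/TCP packets so the checks can be verified offline; the sample records, host addresses and helper names are assumptions made for the example.

```python
# Added example, not from the gist: the tcpdump filter above re-implemented in
# Python so its byte arithmetic can be checked offline on constructed packets.
import struct

TLS_HEARTBEAT = 0x18     # TLS record content type "heartbeat" (RFC 6520)
PAYLOAD_THRESHOLD = 68   # the "> 68" TCP payload length check from the filter

def ip_packet_from_frame(frame: bytes) -> bytes:
    """Strip the Ethernet header, plus one 802.1Q tag when ether proto is 0x8100."""
    return frame[18:] if frame[12:14] == b"\x81\x00" else frame[14:]

def is_heartbleed_candidate(ip_packet: bytes, watched_host: str) -> bool:
    """True for a TLS heartbeat record to watched_host whose TCP payload exceeds 68 bytes."""
    if len(ip_packet) < 20 or ip_packet[9] != 6:          # IPv4 protocol 6 = TCP
        return False
    ihl = (ip_packet[0] & 0x0F) * 4                       # 4 * (ip[0] & 0x0F)
    total_len = struct.unpack("!H", ip_packet[2:4])[0]    # ip[2:2]
    dst_ip = ".".join(str(b) for b in ip_packet[16:20])   # "dst host <HOST_IP>"
    if dst_ip != watched_host or len(ip_packet) < ihl + 20:
        return False
    tcp = ip_packet[ihl:]
    doff = ((tcp[12] & 0xF0) >> 4) * 4                    # 4 * ((tcp[12] & 0xF0) >> 4)
    payload = tcp[doff:]
    if len(payload) < 3:
        return False
    # First TLS record bytes: type 0x18, version 0x03 / below 0x04 (SSL 3.0 to TLS 1.2)
    is_heartbeat = payload[0] == TLS_HEARTBEAT and payload[1] == 0x03 and payload[2] < 0x04
    return is_heartbeat and (total_len - ihl - doff) > PAYLOAD_THRESHOLD

def tls_record(content_type: int, body: bytes) -> bytes:
    """Constructed TLS 1.2 record: type, version 3.3, 16-bit length, body."""
    return bytes([content_type, 0x03, 0x03]) + struct.pack("!H", len(body)) + body

def build_ip_packet(dst_ip: str, record: bytes) -> bytes:
    """Constructed sample: minimal IPv4 and TCP headers (no options) around one record."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(record), 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes(int(o) for o in dst_ip.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", 443, 51000, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + record

# Constructed samples. A heartbeat request body is: type 1, 16-bit payload length,
# payload, then at least 16 bytes of padding (RFC 6520).
BIG_HEARTBEAT = tls_record(TLS_HEARTBEAT, b"\x01" + struct.pack("!H", 100) + b"A" * 100 + b"\x00" * 16)
SMALL_HEARTBEAT = tls_record(TLS_HEARTBEAT, b"\x01" + struct.pack("!H", 4) + b"ping" + b"\x00" * 16)
APP_DATA = tls_record(0x17, b"B" * 200)
```

Only the oversized heartbeat to the watched host matches; a normal-sized heartbeat, application data, or traffic to another host does not, which is the same decision the BPF expression makes on the wire.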
Example to detect client heartbleed att