Josh Brower defensivedepth

defensivedepth / gist:748b1e8859c0559621eaeb30c3ea3322
event.dataset: "dce_rpc" | groupby source.ip destination.ip event.module event.dataset dce_rpc.operation
@defensivedepth
defensivedepth / zeek_svcctl.yaml
Created Apr 27, 2021
Sigma rule for Zeek - Detects when a Windows service has been changed or started with svcctl remotely (using DCE/RPC).
title: Windows service changed or started remotely with svcctl
status: experimental
description: Detects when a Windows service has been changed or started with svcctl remotely (using DCE/RPC).
references:
- https://github.com/juliourena/SharpNoPSExec
author: 'Josh Brower, @Defensivedepth'
logsource:
product: zeek
service: dce_rpc
detection:
@defensivedepth
defensivedepth / internal_cleartext_protocols.yaml
Created Mar 31, 2021
Sigma rule for Internal Cleartext Protocol Usage
title: Internal Cleartext Protocol Usage
status: experimental
description: Detects common cleartext protocols from internal endpoints.
author: Josh Brower
logsource:
category: firewall
definition: Tweak logsource to whichever logsource is used in the local environment, i.e. Zeek conn.
detection:
internal_ip:
src_ip|startswith:
@defensivedepth
defensivedepth / gist:fd33cc6e7bbd8826ce7e4b27c4841aec
Created Mar 19, 2021
Security Onion 2 - Hunt query for HTTP over non-HTTP ports
# Security Onion 2 - Hunt query for HTTP over non-HTTP ports grouped by port, http method, virtual host, uri & user agent
event.dataset:http AND NOT destination.port: "80" AND NOT destination.port: "8080" | groupby destination.port http.method http.virtual_host http.uri http.useragent
defensivedepth / gist:f5a71dcc8602a6330068a1eda0e43413
echo | openssl s_client -showcerts -servername gnupg.org -connect gnupg.org:443 2>/dev/null | openssl x509 -inform pem -noout -text
@defensivedepth
defensivedepth / ATC-Chrome_History
Created Jul 19, 2019
One-liner that runs osqueryi with ATC configuration to read in the chrome history file, export as json and curl the json to an API endpoint
# @DefensiveDepth
# One-liner that runs osqueryi with an ATC configuration to read the Chrome history file, export it as JSON and curl the JSON to an API endpoint. Requires the osqueryi binary on the endpoint.
# Further reading & reference:
# ATC - https://blog.kolide.com/build-custom-osquery-tables-using-atc-ab112a30674c
# SQLite queries for Chrome, Safari, Firefox, etc - https://gist.github.com/dropmeaword/9372cbeb29e8390521c2#browser-histories
# echo the ATC (Automatic Table Construction) configuration to /tmp/config - the History path below is for macOS.
echo '{"auto_table_construction":{"chrome_history":{"query":"SELECT datetime(last_visit_time/1000000-11644473600, \"unixepoch\") as last_visited, url, title, visit_count FROM urls","path":"/Users/%/Library/Application\\ Support/Google/Chrome/Default/History","columns":["last_visited","url","title","visit_count"]}}}' > /tmp/config \
@defensivedepth
defensivedepth / Internet-Exposed-RDP.sql
Last active May 21, 2019
CVE-2019-0708 - Osquery - Detect Internet-exposed RDP endpoints, <= Windows 2008 R2 / Win7
-- CVE-2019-0708 - Queries for 2008 R2 / Win7 & below systems that have RDP exposed publicly (remote_address is not internal IP)
-- Modified From: @gepeto42 - https://twitter.com/gepeto42/status/1128383095428743172
-- If you use 172.16/22 internally, you will need to tweak this
SELECT process_open_sockets.remote_address, os_version.name
FROM process_open_sockets CROSS JOIN os_version
WHERE process_open_sockets.local_port=3389
AND process_open_sockets.remote_address NOT LIKE '10.%'
AND process_open_sockets.remote_address NOT LIKE '172.16%'
AND process_open_sockets.remote_address NOT LIKE '192.168%'
@defensivedepth
defensivedepth / Logstash-Filter.conf
Created Feb 28, 2019
Logstash Filter for enriching osquery chrome extension data with CRXcavator (CRXcavator.io)
# 2/19, @DefensiveDepth
# Logstash filter for enriching osquery chrome extension data with CRXcavator (CRXcavator.io)
filter {
# Field reference goes on the left and the pattern is a regex literal; the original had them swapped and quoted the field as a string
if [osquery][name] =~ /^pack_server-windows_Chrome.*/ {
# Use the http filter to query the relevant extension data using the identifier and version
# Dump the report data & headers into new fields, CE-Raw & CE-Headers
http {
@defensivedepth
defensivedepth / logstash-osquery-shipped-WEL.conf
Created Dec 21, 2018
Logstash configuration snippet for Windows eventlogs shipped by the osquery table windows_events
filter {
json {
# Do the initial JSON parse
source => "message"
target => "osquery"
}
mutate {
# Remove the \\x0A
@defensivedepth
defensivedepth / logstash.conf
Created Oct 17, 2018
osquery & security onion Integration
# Place under /etc/logstash/custom, see here for more details:
# https://github.com/Security-Onion-Solutions/security-onion/wiki/Logstash
filter {
if "osquery" in [tags] {
json {
source => "message"
target => "osquery"
}