Skip to content

Instantly share code, notes, and snippets.

Josh Brower defensivedepth

Block or report user

Report or block defensivedepth

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
defensivedepth / Internet-Exposed-RDP.sql
Last active May 21, 2019
CVE-2019-0708 - Osquery - Detect Internet-exposed RDP endpoints, <= Windows 2008 R2 / Win7
View Internet-Exposed-RDP.sql
-- CVE-2019-0708 - Queries for 2008 R2 / Win7 & below systems that have RDP exposed publicly (remote_address is not internal IP)
-- Modified From: @gepeto42 -
-- If you use 172.16/22 internally, you will need to tweak this
SELECT process_open_sockets.remote_address,
FROM process_open_sockets CROSS JOIN os_version
WHERE process_open_sockets.local_port=3389
AND process_open_sockets.remote_address NOT LIKE '10.%'
AND process_open_sockets.remote_address NOT LIKE '172.16%'
AND process_open_sockets.remote_address NOT LIKE '192.168%'
defensivedepth / Logstash-Filter.conf
Created Feb 28, 2019
Logstash Filter for enriching osquery chrome extension data with CRXcavator (
View Logstash-Filter.conf
# 2/19, @DefensiveDepth
# Logstash filter for enriching osquery chrome extension data with CRXcavator (
filter {
if "^pack_server-windows_Chrome.*" =~ "[osquery][name]" {
# Use the http filter to query the relevant extension data using the identifier and version
# Dump the report data & headers into new fields, CE-Raw & CE-Headers
http {
defensivedepth / logstash-osquery-shipped-WEL.conf
Created Dec 21, 2018
Logstash configuration snippet for Windows eventlogs shipped by the osquery table windows_events
View logstash-osquery-shipped-WEL.conf
filter {
json {
# Do the initial JSON parse
source => "message"
target => "osquery"
mutate {
# Remove the \\x0A
defensivedepth / logstash.conf
Created Oct 17, 2018
osquery & security onion Integration
View logstash.conf
# Place under /etc/logstash/custom, see here for more details:
filter {
if "osquery" in [tags] {
json {
source => message
target => osquery
defensivedepth / osquery-compromised-mega-chrome-ext.sql
Last active Sep 5, 2018
osquery query to find systems that have the compromised Mega Chrome Extension installed
View osquery-compromised-mega-chrome-ext.sql
-- Joins chrome_extension and users table, looks for Mega chrome identifier and specific version number; should also consider running without the version number, to find all users with Mega extension installed and then get it removed prior to it updating.
SELECT users.username,,chrome_extensions.version,chrome_extensions.path FROM chrome_extensions JOIN users ON users.uid = chrome_extensions.uid where chrome_extensions.identifier = 'bigefpfhnfcobdlfbedofhhaibnlghod' and chrome_extensions.version = '3.39.4';

Keybase proof

I hereby claim:

  • I am defensivedepth on github.
  • I am defensivedepth ( on keybase.
  • I have a public key whose fingerprint is 490B F7E2 AF7A BF3B A50C 4099 71D6 3317 B0E3 C693

To claim this, I am signing this object:

You can’t perform that action at this time.