Skip to content

Instantly share code, notes, and snippets.

View defensivedepth's full-sized avatar

Josh Brower defensivedepth

View GitHub Profile

Keybase proof

I hereby claim:

  • I am defensivedepth on github.
  • I am defensivedepth (https://keybase.io/defensivedepth) on keybase.
  • I have a public key whose fingerprint is 490B F7E2 AF7A BF3B A50C 4099 71D6 3317 B0E3 C693

To claim this, I am signing this object:

@defensivedepth
defensivedepth / osquery-compromised-mega-chrome-ext.sql
Last active March 30, 2024 12:47
osquery query to find systems that have the compromised Mega Chrome Extension installed
-- Joins chrome_extension and users table, looks for Mega chrome identifier and specific version number; should also consider running without the version number, to find all users with Mega extension installed and then get it removed prior to it updating.
SELECT users.username,chrome_extensions.name,chrome_extensions.version,chrome_extensions.path FROM chrome_extensions JOIN users ON users.uid = chrome_extensions.uid where chrome_extensions.identifier = 'bigefpfhnfcobdlfbedofhhaibnlghod' and chrome_extensions.version = '3.39.4';
@defensivedepth
defensivedepth / logstash.conf
Created October 17, 2018 12:43
osquery & security onion Integration
# Place under /etc/logstash/custom, see here for more details:
# https://github.com/Security-Onion-Solutions/security-onion/wiki/Logstash
filter {
if "osquery" in [tags] {
json {
source => message
target => osquery
}
@defensivedepth
defensivedepth / logstash-osquery-shipped-WEL.conf
Created December 21, 2018 17:14
Logstash configuration snippet for Windows eventlogs shipped by the osquery table windows_events
filter {
json {
# Do the initial JSON parse
source => "message"
target => "osquery"
}
mutate {
# Remove the \\x0A
@defensivedepth
defensivedepth / Logstash-Filter.conf
Created February 28, 2019 01:45
Logstash Filter for enriching osquery chrome extension data with CRXcavator (CRXcavator.io)
# 2/19, @DefensiveDepth
# Logstash filter for enriching osquery chrome extension data with CRXcavator (CRXcavator.io)
filter {
if "^pack_server-windows_Chrome.*" =~ "[osquery][name]" {
# Use the http filter to query the relevant extension data using the identifier and version
# Dump the report data & headers into new fields, CE-Raw & CE-Headers
http {
@defensivedepth
defensivedepth / Internet-Exposed-RDP.sql
Last active May 21, 2019 06:04
CVE-2019-0708 - Osquery - Detect Internet-exposed RDP endpoints, <= Windows 2008 R2 / Win7
-- CVE-2019-0708 - Queries for 2008 R2 / Win7 & below systems that have RDP exposed publicly (remote_address is not internal IP)
-- Modified From: @gepeto42 - https://twitter.com/gepeto42/status/1128383095428743172
-- If you use 172.16/22 internally, you will need to tweak this
SELECT process_open_sockets.remote_address, os_version.name
FROM process_open_sockets CROSS JOIN os_version
WHERE process_open_sockets.local_port=3389
AND process_open_sockets.remote_address NOT LIKE '10.%'
AND process_open_sockets.remote_address NOT LIKE '172.16%'
AND process_open_sockets.remote_address NOT LIKE '192.168%'
@defensivedepth
defensivedepth / ATC-Chrome_History
Created July 19, 2019 22:45
One-liner that runs osqueryi with ATC configuration to read in the chrome history file, export as json and curl the json to an API endpoint
# @DefensiveDepth
# One-liner that runs osqueryi with ATC configuration to read in the chrome history file, export as json and curl the json to an API endpoint. Requires the osqueryi binary on the endpoint.
# Further reading & reference:
# ATC - https://blog.kolide.com/build-custom-osquery-tables-using-atc-ab112a30674c
# SQLite queries for Chrome, Safari, Firefox, etc - https://gist.github.com/dropmeaword/9372cbeb29e8390521c2#browser-histories
# echo the ATC (Automatic Table Construction) configuration to /tmp/config - the path is for MacOS.
echo '{"auto_table_construction":{"chrome_history":{"query":"SELECT datetime(last_visit_time/1000000-11644473600, \"unixepoch\") as last_visited, url, title, visit_count FROM urls","path":"/Users/%/Library/Application\\ Support/Google/Chrome/Default/History","columns":["last_visited","url","title","visit_count"]}}}' > /tmp/config \
echo | openssl s_client -showcerts -servername gnupg.org -connect gnupg.org:443 2>/dev/null | openssl x509 -inform pem -noout -text
@defensivedepth
defensivedepth / gist:fd33cc6e7bbd8826ce7e4b27c4841aec
Created March 19, 2021 14:01
Security Onion 2 - Hunt query for HTTP over non-HTTP ports
# Security Onion 2 - Hunt query for HTTP over non-HTTP ports grouped by port, http method, virtual host, uri & user agent
event.dataset:http AND NOT destination.port: "80" AND NOT destination.port: "8080" | groupby destination.port http.method http.virtual_host http.uri http.useragent
@defensivedepth
defensivedepth / internal_cleartext_protocols.yaml
Created March 31, 2021 16:36
Sigma rule for Internal Cleartext Protocol Usage
title: Internal Cleartext Protocol Usage
status: experimental
description: Detects common cleartext procotols from internal endpoints.
author: Josh Brower
logsource:
category: firewall
defintion: Tweak logsource to whichever logsource is used in the local environment ie Zeek Conn.
detection:
internal_ip:
src_ip|startswith: