Josh Brower defensivedepth
defensivedepth
/ zeek_svcctl.yaml
Created
April 27, 2021 00:12
Sigma rule for Zeek - Detects when a Windows service has been changed or started with svcctl remotely (using DCE/RPC).
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| title: Windows service changed or started remotely with svcctl | |
| status: experimental | |
| description: Detects when a Windows service has been changed or started with svcctl remotely (using DCE/RPC). | |
| references: | |
| - https://github.com/juliourena/SharpNoPSExec | |
| author: 'Josh Brower, @Defensivedepth' | |
| logsource: | |
| product: zeek | |
| service: dce_rpc | |
| detection: |
defensivedepth
/ gist:748b1e8859c0559621eaeb30c3ea3322
Created
April 27, 2021 00:24
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| event.dataset: "dce_rpc" | groupby source.ip destination.ip event.module event.dataset dce_rpc.operation |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This script takes two CIS Benchmark PDFs as input and diffs them | |
| # For example: It will generate a diff of the Win10 & W11 benchmarks | |
| import fitz # PyMuPDF | |
| import re | |
| import difflib | |
| import sys | |
| from datetime import datetime | |
| def is_start_of_new_item(line): |
OlderNewer