I hereby claim:
- I am defensivedepth on github.
- I am defensivedepth (https://keybase.io/defensivedepth) on keybase.
- I have a public key whose fingerprint is 490B F7E2 AF7A BF3B A50C 4099 71D6 3317 B0E3 C693
To claim this, I am signing this object:
I hereby claim:
To claim this, I am signing this object:
-- MEGA Chrome extension check: report every local account that has the MEGA
-- extension (Chrome Web Store id bigefpfhnfcobdlfbedofhhaibnlghod) installed at
-- version 3.39.4, with the extension's on-disk path.
-- The join on users.uid supplies the uid the chrome_extensions table is keyed by
-- (presumably what lets it look in each account's profile rather than only the
-- account osquery runs as - verify against the osquery table docs).
-- To find every MEGA install regardless of version (e.g. so it can be removed before
-- an auto-update replaces the flagged build), drop the version predicate below.
SELECT
    u.username,
    ce.name,
    ce.version,
    ce.path
FROM chrome_extensions AS ce
INNER JOIN users AS u
    ON u.uid = ce.uid
WHERE ce.identifier = 'bigefpfhnfcobdlfbedofhhaibnlghod'
  AND ce.version = '3.39.4';
# Place under /etc/logstash/custom, see here for more details: | |
# https://github.com/Security-Onion-Solutions/security-onion/wiki/Logstash | |
filter { | |
if "osquery" in [tags] { | |
json { | |
source => message | |
target => osquery | |
} |
filter { | |
json { | |
# Do the initial JSON parse | |
source => "message" | |
target => "osquery" | |
} | |
mutate { | |
# Remove the \\x0A |
# 2/19, @DefensiveDepth | |
# Logstash filter for enriching osquery chrome extension data with CRXcavator (CRXcavator.io) | |
filter { | |
if "^pack_server-windows_Chrome.*" =~ "[osquery][name]" { | |
# NOTE(review): the conditional above appears to have its operands reversed - Logstash expects the field on the left and the pattern on the right (`if [osquery][name] =~ /^pack_server-windows_Chrome/`). As written, the literal string is tested against the regex `[osquery][name]` (two character classes), which it seems to satisfy, so the http lookup below would likely fire for every osquery event. Confirm before deploying.
# Use the http filter to query the relevant extension data using the identifier and version
# Dump the report data & headers into new fields, CE-Raw & CE-Headers | |
http { |
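-- CVE-2019-0708 (BlueKeep) - Lists sockets bound to the RDP port (3389) whose peer
-- address is outside the private/loopback ranges, tagged with the host's OS name so the
-- output can be narrowed to 2008 R2 / Win7 & below. Note: the OS name is only reported,
-- not filtered on; filter the results (or add an os_version predicate) yourself.
-- Modified from: @gepeto42 - https://twitter.com/gepeto42/status/1128383095428743172
--
-- Why the 172 handling changed: the previous pattern '172.16%' excluded only 172.16.x.x,
-- but the private range is 172.16.0.0/12 (second octet 16-31), so internal peers in
-- 172.17-172.31 were reported as "public". The second octet is now parsed and range-checked.
-- Also excluded: loopback, the empty/unspecified addresses (0.0.0.0 / ::), which a
-- LISTEN socket with no peer typically reports and which would otherwise look "external".
-- Adjust the exclusions if your internal addressing differs (CGNAT 100.64/10, public space
-- used internally). IPv6 ULA (fc00::/7) and link-local (fe80::/10) peers are NOT excluded here.
SELECT
    pos.remote_address,
    osv.name
FROM process_open_sockets AS pos
-- os_version is a single-row table, so the cross join just tags each socket row with the OS name
CROSS JOIN os_version AS osv
WHERE pos.local_port = 3389
  AND pos.remote_address NOT IN ('', '0.0.0.0', '::', '::1')
  AND pos.remote_address NOT LIKE '127.%'
  AND pos.remote_address NOT LIKE '10.%'
  AND pos.remote_address NOT LIKE '192.168.%'
  -- 172.16.0.0/12: exclude when the second octet is between 16 and 31 inclusive
  AND NOT (
        pos.remote_address LIKE '172.%'
        AND CAST(
              SUBSTR(pos.remote_address, 5,
                     INSTR(SUBSTR(pos.remote_address, 5), '.') - 1)
            AS INTEGER) BETWEEN 16 AND 31
  );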
# @DefensiveDepth | |
# One-liner that runs osqueryi with ATC configuration to read in the chrome history file, export as json and curl the json to an API endpoint. Requires the osqueryi binary on the endpoint. | |
# Further reading & reference: | |
# ATC - https://blog.kolide.com/build-custom-osquery-tables-using-atc-ab112a30674c | |
# SQLite queries for Chrome, Safari, Firefox, etc - https://gist.github.com/dropmeaword/9372cbeb29e8390521c2#browser-histories | |
# echo the ATC (Automatic Table Construction) configuration to /tmp/config - the History path below is for macOS (per-user default Chrome profile); adjust it for Windows/Linux.
# NOTE(review): /tmp/config is a predictable path in a world-writable directory, so another local user could pre-create or swap the file before osqueryi reads it and point the ATC table at a different SQLite file; prefer a mktemp path or a root-only directory in anything beyond a one-off.
echo '{"auto_table_construction":{"chrome_history":{"query":"SELECT datetime(last_visit_time/1000000-11644473600, \"unixepoch\") as last_visited, url, title, visit_count FROM urls","path":"/Users/%/Library/Application\\ Support/Google/Chrome/Default/History","columns":["last_visited","url","title","visit_count"]}}}' > /tmp/config \ | |
# Dump the TLS certificate presented by gnupg.org in human-readable form.
# - the pipe from echo closes stdin so s_client exits after the handshake
# - -servername sets SNI so the server picks the gnupg.org certificate
# - openssl x509 parses only the first PEM block on its input, so although
#   -showcerts prints the whole chain, only the leaf certificate is decoded
# - stderr (handshake and "Verify return code" diagnostics) is discarded, so this
#   shows the certificate but says nothing about whether the chain verified
echo | openssl s_client -connect gnupg.org:443 -servername gnupg.org -showcerts 2>/dev/null \
  | openssl x509 -noout -text
# Security Onion 2 - Hunt query for HTTP on non-standard ports (anything other than 80 and 8080), grouped by port, HTTP method, virtual host, URI & user agent; extend the port exclusions to whatever is normal in your environment (e.g. 8000, 8888) to cut noise.
event.dataset:http AND NOT destination.port: "80" AND NOT destination.port: "8080" | groupby destination.port http.method http.virtual_host http.uri http.useragent |
title: Internal Cleartext Protocol Usage | |
status: experimental | |
description: Detects use of common cleartext protocols (credentials and data sent unencrypted) originating from internal endpoints.
author: Josh Brower | |
logsource: | |
category: firewall | |
definition: Adjust the logsource to whichever connection log is available in the local environment (e.g. Zeek conn).
detection: | |
internal_ip: | |
src_ip|startswith: |