I hereby claim:
- I am defensivedepth on github.
- I am defensivedepth (https://keybase.io/defensivedepth) on keybase.
- I have a public key whose fingerprint is 490B F7E2 AF7A BF3B A50C 4099 71D6 3317 B0E3 C693
To claim this, I am signing this object:
I hereby claim:
To claim this, I am signing this object:
filter { | |
json { | |
# Do the initial JSON parse | |
source => "message" | |
target => "osquery" | |
} | |
mutate { | |
# Remove the \\x0A |
# 2/19, @DefensiveDepth | |
# Logstash filter for enriching osquery chrome extension data with CRXcavator (CRXcavator.io) | |
filter { | |
if "^pack_server-windows_Chrome.*" =~ "[osquery][name]" { | |
# Use the http filter to query the relevant extension data using the identifier and version |
# NOTE(review): the condition on the line above compares two quoted string literals, so it appears to never match; Logstash field references are unquoted and the pattern goes on the right, i.e. `if [osquery][name] =~ /^pack_server-windows_Chrome/ {` |
# Dump the report data & headers into new fields, CE-Raw & CE-Headers | |
http { |
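-- CVE-2019-0708 (BlueKeep) - Queries for 2008 R2 / Win7 & below systems that have RDP exposed publicly (remote_address is not an RFC 1918 address) |
-- Modified From: @gepeto42 - https://twitter.com/gepeto42/status/1128383095428743172 |
-- Private ranges excluded: 10/8, 172.16/12 (172.16.x.x through 172.31.x.x) and 192.168/16, plus loopback. |
-- If you use other address space internally (e.g. CGNAT 100.64/10 or routed public space), add it to the exclusions below. |
-- os_version is NOT filtered here: os_version.name is returned so the analyst can confirm the host is really a pre-Win8 / pre-2012 build. |
SELECT |
    pos.remote_address, |
    osv.name |
FROM process_open_sockets AS pos |
CROSS JOIN os_version AS osv |
WHERE pos.local_port = 3389 |
  -- listening / unconnected sockets report an empty or wildcard peer; they are not "exposed publicly" by themselves |
  AND pos.remote_address NOT IN ('', '0.0.0.0', '::', '::1') |
  AND pos.remote_address NOT LIKE '127.%' |
  AND pos.remote_address NOT LIKE '10.%' |
  -- 172.16.0.0/12 spans 172.16 - 172.31; a plain LIKE '172.16%' covers only the first /16 (and would also swallow 172.160.x.x) |
  AND pos.remote_address NOT GLOB '172.1[6-9].*' |
  AND pos.remote_address NOT GLOB '172.2[0-9].*' |
  AND pos.remote_address NOT GLOB '172.3[01].*' |
  AND pos.remote_address NOT LIKE '192.168.%' |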
# Place under /etc/logstash/custom, see here for more details: | |
# https://github.com/Security-Onion-Solutions/security-onion/wiki/Logstash | |
filter { | |
if "osquery" in [tags] { | |
json { | |
source => message | |
target => osquery | |
} |
# Print the certificate presented by gnupg.org:443 in human-readable form.
# -servername sets SNI so a virtual-hosted server returns the certificate for this name;
# `echo |` gives s_client an stdin that hits EOF right away, so it exits after the handshake instead of waiting for input.
# NOTE(review): `-showcerts` emits the whole chain, but `openssl x509` decodes only the first PEM block (the leaf),
# and `2>/dev/null` also discards the handshake output that carries the "Verify return code" -- so this is inspection,
# not validation. Re-run without the redirect (or with -verify_return_error) when the trust chain itself is in question.
echo | openssl s_client -showcerts -servername gnupg.org -connect gnupg.org:443 2>/dev/null | openssl x509 -inform pem -noout -text |
# Security Onion 2 - Hunt query for HTTP seen on ports other than 80/8080, grouped by port, HTTP method, virtual host, URI & user agent. Only 80 and 8080 are excluded below; add any other HTTP ports that are normal in your environment (e.g. 8000, 8888) so the results surface the unusual ones. |
event.dataset:http AND NOT destination.port: "80" AND NOT destination.port: "8080" | groupby destination.port http.method http.virtual_host http.uri http.useragent |
title: Internal Cleartext Protocol Usage | |
status: experimental | |
description: Detects common cleartext protocols from internal endpoints. |
author: Josh Brower | |
logsource: | |
category: firewall | |
definition: Tweak the logsource to whichever source is used in the local environment, e.g. Zeek conn logs. |
detection: | |
internal_ip: | |
src_ip|startswith: |
title: Windows service changed or started remotely with svcctl | |
status: experimental | |
description: Detects when a Windows service has been changed or started with svcctl remotely (using DCE/RPC). | |
references: | |
- https://github.com/juliourena/SharpNoPSExec | |
author: 'Josh Brower, @Defensivedepth' | |
logsource: | |
product: zeek | |
service: dce_rpc | |
detection: |
event.dataset: "dce_rpc" | groupby source.ip destination.ip event.module event.dataset dce_rpc.operation |