Josh Brower defensivedepth

## keybase.md

      
              1 file
            
          
              0 forks
            
          
                0 comments
              
            
              0 stars
            
          
                defensivedepth
                / keybase.md
            
            
              Created
              May 31, 2015 13:10
            
          
    Keybase proof

I hereby claim:

I am defensivedepth on github.
I am defensivedepth (https://keybase.io/defensivedepth) on keybase.
I have a public key whose fingerprint is 490B F7E2 AF7A BF3B A50C  4099 71D6 3317 B0E3 C693

To claim this, I am signing this object:

  
## logstash-osquery-shipped-WEL.conf
filter {

  json {
    # Do the initial JSON parse
    source => "message"
    target => "osquery"
        }

  mutate {
    # Remove the \\x0A

## Logstash-Filter.conf
# 2/19, @DefensiveDepth
# Logstash filter for enriching osquery chrome extension data with CRXcavator (CRXcavator.io)

filter {

if  "^pack_server-windows_Chrome.*" =~  "[osquery][name]" {

# Use the http filter to query the relevant extension data using the identifier and version
# Dump the report data & headers into new fields, CE-Raw & CE-Headers
 http {

## Internet-Exposed-RDP.sql
-- CVE-2019-0708 - Queries for 2008 R2 / Win7 & below systems that have RDP exposed publicly (remote_address is not internal IP)
-- Modified From: @gepeto42 - https://twitter.com/gepeto42/status/1128383095428743172
-- If you use 172.16/22 internally, you will need to tweak this

SELECT process_open_sockets.remote_address, os_version.name
FROM process_open_sockets CROSS JOIN os_version
WHERE process_open_sockets.local_port=3389
AND process_open_sockets.remote_address NOT LIKE '10.%'
AND process_open_sockets.remote_address NOT LIKE '172.16%'
AND process_open_sockets.remote_address NOT LIKE '192.168%'

## logstash.conf
# Place under /etc/logstash/custom, see here for more details:
# https://github.com/Security-Onion-Solutions/security-onion/wiki/Logstash

filter {
  if "osquery" in [tags] {

        json {
                source => message
                target => osquery
            }

## gist:f5a71dcc8602a6330068a1eda0e43413
echo | openssl s_client -showcerts -servername gnupg.org -connect gnupg.org:443 2>/dev/null | openssl x509 -inform pem -noout -text

## gist:fd33cc6e7bbd8826ce7e4b27c4841aec
# Security Onion 2 - Hunt query for HTTP over non-HTTP ports grouped by port, http method, virtual host, uri & user agent

event.dataset:http AND NOT destination.port: "80" AND NOT destination.port: "8080" | groupby destination.port http.method http.virtual_host http.uri http.useragent

## internal_cleartext_protocols.yaml
title: Internal Cleartext Protocol Usage
status: experimental
description: Detects common cleartext procotols from internal endpoints.
author: Josh Brower
logsource:
    category: firewall
    defintion: Tweak logsource to whichever logsource is used in the local environment ie Zeek Conn.
detection:
    internal_ip:
      src_ip|startswith:

## zeek_svcctl.yaml
title: Windows service changed or started remotely with svcctl
status: experimental
description: Detects when a Windows service has been changed or started with svcctl remotely (using DCE/RPC).
references:
    - https://github.com/juliourena/SharpNoPSExec
author: 'Josh Brower, @Defensivedepth'
logsource:
    product: zeek
    service: dce_rpc
detection:

## gist:748b1e8859c0559621eaeb30c3ea3322
event.dataset: "dce_rpc" |  groupby source.ip destination.ip event.module event.dataset dce_rpc.operation
	filter {

	json {
	# Do the initial JSON parse
	source => "message"
	target => "osquery"
	}

	mutate {
	# Remove the \\x0A
	# 2/19, @DefensiveDepth
	# Logstash filter for enriching osquery chrome extension data with CRXcavator (CRXcavator.io)

	filter {

	if "^pack_server-windows_Chrome.*" =~ "[osquery][name]" {

	# Use the http filter to query the relevant extension data using the identifier and version
	# Dump the report data & headers into new fields, CE-Raw & CE-Headers
	http {
	-- CVE-2019-0708 - Queries for 2008 R2 / Win7 & below systems that have RDP exposed publicly (remote_address is not internal IP)
	-- Modified From: @gepeto42 - https://twitter.com/gepeto42/status/1128383095428743172
	-- If you use 172.16/22 internally, you will need to tweak this

	SELECT process_open_sockets.remote_address, os_version.name
	FROM process_open_sockets CROSS JOIN os_version
	WHERE process_open_sockets.local_port=3389
	AND process_open_sockets.remote_address NOT LIKE '10.%'
	AND process_open_sockets.remote_address NOT LIKE '172.16%'
	AND process_open_sockets.remote_address NOT LIKE '192.168%'
	# Place under /etc/logstash/custom, see here for more details:
	# https://github.com/Security-Onion-Solutions/security-onion/wiki/Logstash

	filter {
	if "osquery" in [tags] {

	json {
	source => message
	target => osquery
	}
	# Security Onion 2 - Hunt query for HTTP over non-HTTP ports grouped by port, http method, virtual host, uri & user agent

	event.dataset:http AND NOT destination.port: "80" AND NOT destination.port: "8080" \| groupby destination.port http.method http.virtual_host http.uri http.useragent
	title: Internal Cleartext Protocol Usage
	status: experimental
	description: Detects common cleartext procotols from internal endpoints.
	author: Josh Brower
	logsource:
	category: firewall
	defintion: Tweak logsource to whichever logsource is used in the local environment ie Zeek Conn.
	detection:
	internal_ip:
	src_ip\|startswith:
	title: Windows service changed or started remotely with svcctl
	status: experimental
	description: Detects when a Windows service has been changed or started with svcctl remotely (using DCE/RPC).
	references:
	- https://github.com/juliourena/SharpNoPSExec
	author: 'Josh Brower, @Defensivedepth'
	logsource:
	product: zeek
	service: dce_rpc
	detection: