Josh Brower defensivedepth

Keybase proof

I hereby claim:

  • I am defensivedepth on github.
  • I am defensivedepth (https://keybase.io/defensivedepth) on keybase.
  • I have a public key whose fingerprint is 490B F7E2 AF7A BF3B A50C 4099 71D6 3317 B0E3 C693

To claim this, I am signing this object:

@defensivedepth
defensivedepth / logstash-osquery-shipped-WEL.conf
Created December 21, 2018 17:14
Logstash configuration snippet for Windows eventlogs shipped by the osquery table windows_events
filter {
  json {
    # Do the initial JSON parse
    source => "message"
    target => "osquery"
  }
  mutate {
    # Remove the \\x0A
@defensivedepth
defensivedepth / Logstash-Filter.conf
Created February 28, 2019 01:45
Logstash Filter for enriching osquery chrome extension data with CRXcavator (CRXcavator.io)
# 2/19, @DefensiveDepth
# Logstash filter for enriching osquery chrome extension data with CRXcavator (CRXcavator.io)
filter {
  # Logstash conditional: the field goes on the left, the regex (unquoted, in slashes) on the right
  if [osquery][name] =~ /^pack_server-windows_Chrome/ {
    # Use the http filter to query the relevant extension data using the identifier and version
    # Dump the report data & headers into new fields, CE-Raw & CE-Headers
    http {
@defensivedepth
defensivedepth / Internet-Exposed-RDP.sql
Last active May 21, 2019 06:04
CVE-2019-0708 - Osquery - Detect Internet-exposed RDP endpoints, <= Windows 2008 R2 / Win7
-- CVE-2019-0708 - Queries for 2008 R2 / Win7 & below systems that have RDP exposed publicly (remote_address is not internal IP)
-- Modified From: @gepeto42 - https://twitter.com/gepeto42/status/1128383095428743172
-- If you use 172.16/22 internally, you will need to tweak this
SELECT process_open_sockets.remote_address, os_version.name
FROM process_open_sockets CROSS JOIN os_version
WHERE process_open_sockets.local_port=3389
AND process_open_sockets.remote_address NOT LIKE '10.%'
AND process_open_sockets.remote_address NOT LIKE '172.16%'
AND process_open_sockets.remote_address NOT LIKE '192.168%'
@defensivedepth
defensivedepth / logstash.conf
Created October 17, 2018 12:43
osquery & security onion Integration
# Place under /etc/logstash/custom, see here for more details:
# https://github.com/Security-Onion-Solutions/security-onion/wiki/Logstash
filter {
  if "osquery" in [tags] {
    json {
      source => "message"
      target => "osquery"
    }
echo | openssl s_client -showcerts -servername gnupg.org -connect gnupg.org:443 2>/dev/null | openssl x509 -inform pem -noout -text
@defensivedepth
defensivedepth / gist:fd33cc6e7bbd8826ce7e4b27c4841aec
Created March 19, 2021 14:01
Security Onion 2 - Hunt query for HTTP over non-HTTP ports
# Security Onion 2 - Hunt query for HTTP over non-HTTP ports grouped by port, http method, virtual host, uri & user agent
event.dataset:http AND NOT destination.port: "80" AND NOT destination.port: "8080" | groupby destination.port http.method http.virtual_host http.uri http.useragent
@defensivedepth
defensivedepth / internal_cleartext_protocols.yaml
Created March 31, 2021 16:36
Sigma rule for Internal Cleartext Protocol Usage
title: Internal Cleartext Protocol Usage
status: experimental
description: Detects common cleartext protocols from internal endpoints.
author: Josh Brower
logsource:
  category: firewall
  definition: Tweak logsource to whichever logsource is used in the local environment, e.g. Zeek conn.
detection:
  internal_ip:
    src_ip|startswith:
@defensivedepth
defensivedepth / zeek_svcctl.yaml
Created April 27, 2021 00:12
Sigma rule for Zeek - Detects when a Windows service has been changed or started with svcctl remotely (using DCE/RPC).
title: Windows service changed or started remotely with svcctl
status: experimental
description: Detects when a Windows service has been changed or started with svcctl remotely (using DCE/RPC).
references:
  - https://github.com/juliourena/SharpNoPSExec
author: 'Josh Brower, @Defensivedepth'
logsource:
  product: zeek
  service: dce_rpc
detection:
event.dataset: "dce_rpc" | groupby source.ip destination.ip event.module event.dataset dce_rpc.operation