Josh Brower defensivedepth

Keybase proof

I hereby claim:

  • I am defensivedepth on github.
  • I am defensivedepth (https://keybase.io/defensivedepth) on keybase.
  • I have a public key whose fingerprint is 490B F7E2 AF7A BF3B A50C 4099 71D6 3317 B0E3 C693

To claim this, I am signing this object:

defensivedepth / logstash-osquery-shipped-WEL.conf
Created December 21, 2018 17:14
Logstash configuration snippet for Windows eventlogs shipped by the osquery table windows_events
filter {
  json {
    # Do the initial JSON parse
    source => "message"
    target => "osquery"
  }
  mutate {
    # Remove the \\x0A
defensivedepth / Logstash-Filter.conf
Created February 28, 2019 01:45
Logstash Filter for enriching osquery chrome extension data with CRXcavator (CRXcavator.io)
# 2/19, @DefensiveDepth
# Logstash filter for enriching osquery chrome extension data with CRXcavator (CRXcavator.io)
filter {
  # Logstash conditionals take the (unquoted) field reference on the left and the regex on the right
  if [osquery][name] =~ "^pack_server-windows_Chrome.*" {
    # Use the http filter to query the relevant extension data using the identifier and version
    # Dump the report data & headers into new fields, CE-Raw & CE-Headers
    http {
defensivedepth / Internet-Exposed-RDP.sql
Last active May 21, 2019 06:04
CVE-2019-0708 - Osquery - Detect Internet-exposed RDP endpoints, <= Windows 2008 R2 / Win7
-- CVE-2019-0708 - Queries for 2008 R2 / Win7 & below systems that have RDP exposed publicly (remote_address is not internal IP)
-- Modified From: @gepeto42 - https://twitter.com/gepeto42/status/1128383095428743172
-- If you use 172.16/22 internally, you will need to tweak this
SELECT process_open_sockets.remote_address, os_version.name
FROM process_open_sockets CROSS JOIN os_version
WHERE process_open_sockets.local_port=3389
AND process_open_sockets.remote_address NOT LIKE '10.%'
AND process_open_sockets.remote_address NOT LIKE '172.16%'
AND process_open_sockets.remote_address NOT LIKE '192.168%'
defensivedepth / logstash.conf
Created October 17, 2018 12:43
osquery & security onion Integration
# Place under /etc/logstash/custom, see here for more details:
# https://github.com/Security-Onion-Solutions/security-onion/wiki/Logstash
filter {
  if "osquery" in [tags] {
    json {
      source => "message"
      target => "osquery"
    }
echo | openssl s_client -showcerts -servername gnupg.org -connect gnupg.org:443 2>/dev/null | openssl x509 -inform pem -noout -text
defensivedepth / gist:fd33cc6e7bbd8826ce7e4b27c4841aec
Created March 19, 2021 14:01
Security Onion 2 - Hunt query for HTTP over non-HTTP ports
# Security Onion 2 - Hunt query for HTTP over non-HTTP ports grouped by port, http method, virtual host, uri & user agent
event.dataset:http AND NOT destination.port: "80" AND NOT destination.port: "8080" | groupby destination.port http.method http.virtual_host http.uri http.useragent
defensivedepth / ATC-Chrome_History
Created July 19, 2019 22:45
One-liner that runs osqueryi with ATC configuration to read in the chrome history file, export as json and curl the json to an API endpoint
# @DefensiveDepth
# One-liner that runs osqueryi with ATC configuration to read in the chrome history file, export as json and curl the json to an API endpoint. Requires the osqueryi binary on the endpoint.
# Further reading & reference:
# ATC - https://blog.kolide.com/build-custom-osquery-tables-using-atc-ab112a30674c
# SQLite queries for Chrome, Safari, Firefox, etc - https://gist.github.com/dropmeaword/9372cbeb29e8390521c2#browser-histories
# echo the ATC (Automatic Table Construction) configuration to /tmp/config - the path is for MacOS.
echo '{"auto_table_construction":{"chrome_history":{"query":"SELECT datetime(last_visit_time/1000000-11644473600, \"unixepoch\") as last_visited, url, title, visit_count FROM urls","path":"/Users/%/Library/Application\\ Support/Google/Chrome/Default/History","columns":["last_visited","url","title","visit_count"]}}}' > /tmp/config \
defensivedepth / internal_cleartext_protocols.yaml
Created March 31, 2021 16:36
Sigma rule for Internal Cleartext Protocol Usage
title: Internal Cleartext Protocol Usage
status: experimental
description: Detects common cleartext protocols from internal endpoints.
author: Josh Brower
logsource:
  category: firewall
  definition: Tweak logsource to whichever logsource is used in the local environment, e.g. Zeek Conn.
detection:
  internal_ip:
    src_ip|startswith:
defensivedepth / zeek_svcctl.yaml
Created April 27, 2021 00:12
Sigma rule for Zeek - Detects when a Windows service has been changed or started with svcctl remotely (using DCE/RPC).
title: Windows service changed or started remotely with svcctl
status: experimental
description: Detects when a Windows service has been changed or started with svcctl remotely (using DCE/RPC).
references:
  - https://github.com/juliourena/SharpNoPSExec
author: 'Josh Brower, @Defensivedepth'
logsource:
  product: zeek
  service: dce_rpc
detection: