Josh Brower defensivedepth
@defensivedepth
defensivedepth / CIS-Benchmark-diff.py
Created November 22, 2023 12:15
CIS-Benchmark-Diff
# This script takes two CIS Benchmark PDFs as input and diffs them
# For example: It will generate a diff of the Win10 & W11 benchmarks
import fitz # PyMuPDF
import re
import difflib
import sys
from datetime import datetime
def is_start_of_new_item(line):
event.dataset: "dce_rpc" | groupby source.ip destination.ip event.module event.dataset dce_rpc.operation
@defensivedepth
defensivedepth / zeek_svcctl.yaml
Created April 27, 2021 00:12
Sigma rule for Zeek - Detects when a Windows service has been changed or started with svcctl remotely (using DCE/RPC).
title: Windows service changed or started remotely with svcctl
status: experimental
description: Detects when a Windows service has been changed or started with svcctl remotely (using DCE/RPC).
references:
- https://github.com/juliourena/SharpNoPSExec
author: 'Josh Brower, @Defensivedepth'
logsource:
product: zeek
service: dce_rpc
detection:
@defensivedepth
defensivedepth / internal_cleartext_protocols.yaml
Created March 31, 2021 16:36
Sigma rule for Internal Cleartext Protocol Usage
title: Internal Cleartext Protocol Usage
status: experimental
description: Detects common cleartext protocols from internal endpoints.
author: Josh Brower
logsource:
category: firewall
definition: Tweak logsource to whichever logsource is used in the local environment, i.e. Zeek conn.
detection:
internal_ip:
src_ip|startswith:
@defensivedepth
defensivedepth / gist:fd33cc6e7bbd8826ce7e4b27c4841aec
Created March 19, 2021 14:01
Security Onion 2 - Hunt query for HTTP over non-HTTP ports
# Security Onion 2 - Hunt query for HTTP over non-HTTP ports grouped by port, http method, virtual host, uri & user agent
event.dataset:http AND NOT destination.port: "80" AND NOT destination.port: "8080" | groupby destination.port http.method http.virtual_host http.uri http.useragent
echo | openssl s_client -showcerts -servername gnupg.org -connect gnupg.org:443 2>/dev/null | openssl x509 -inform pem -noout -text
@defensivedepth
defensivedepth / ATC-Chrome_History
Created July 19, 2019 22:45
One-liner that runs osqueryi with ATC configuration to read in the chrome history file, export as json and curl the json to an API endpoint
# @DefensiveDepth
# One-liner that runs osqueryi with ATC configuration to read in the chrome history file, export as json and curl the json to an API endpoint. Requires the osqueryi binary on the endpoint.
# Further reading & reference:
# ATC - https://blog.kolide.com/build-custom-osquery-tables-using-atc-ab112a30674c
# SQLite queries for Chrome, Safari, Firefox, etc - https://gist.github.com/dropmeaword/9372cbeb29e8390521c2#browser-histories
# echo the ATC (Automatic Table Construction) configuration to /tmp/config - the path is for MacOS.
echo '{"auto_table_construction":{"chrome_history":{"query":"SELECT datetime(last_visit_time/1000000-11644473600, \"unixepoch\") as last_visited, url, title, visit_count FROM urls","path":"/Users/%/Library/Application\\ Support/Google/Chrome/Default/History","columns":["last_visited","url","title","visit_count"]}}}' > /tmp/config \
@defensivedepth
defensivedepth / Internet-Exposed-RDP.sql
Last active May 21, 2019 06:04
CVE-2019-0708 - Osquery - Detect Internet-exposed RDP endpoints, <= Windows 2008 R2 / Win7
-- CVE-2019-0708 - Queries for 2008 R2 / Win7 & below systems that have RDP exposed publicly (remote_address is not internal IP)
-- Modified From: @gepeto42 - https://twitter.com/gepeto42/status/1128383095428743172
-- If you use 172.16/22 internally, you will need to tweak this
SELECT process_open_sockets.remote_address, os_version.name
FROM process_open_sockets CROSS JOIN os_version
WHERE process_open_sockets.local_port=3389
AND process_open_sockets.remote_address NOT LIKE '10.%'
AND process_open_sockets.remote_address NOT LIKE '172.16%'
AND process_open_sockets.remote_address NOT LIKE '192.168%'
@defensivedepth
defensivedepth / Logstash-Filter.conf
Created February 28, 2019 01:45
Logstash Filter for enriching osquery chrome extension data with CRXcavator (CRXcavator.io)
# 2/19, @DefensiveDepth
# Logstash filter for enriching osquery chrome extension data with CRXcavator (CRXcavator.io)
filter {
# Match on the osquery pack name field; the field reference goes on the left and the regex on the right
if [osquery][name] =~ /^pack_server-windows_Chrome.*/ {
# Use the http filter to query the relevant extension data using the identifier and version
# Dump the report data & headers into new fields, CE-Raw & CE-Headers
http {
@defensivedepth
defensivedepth / logstash-osquery-shipped-WEL.conf
Created December 21, 2018 17:14
Logstash configuration snippet for Windows eventlogs shipped by the osquery table windows_events
filter {
json {
# Do the initial JSON parse
source => "message"
target => "osquery"
}
mutate {
# Remove the \\x0A