# This script takes two CIS Benchmark PDFs as input and diffs them
# For example: It will generate a diff of the Win10 & W11 benchmarks
import fitz # PyMuPDF
import re
import difflib
import sys
from datetime import datetime
def is_start_of_new_item(line):

event.dataset: "dce_rpc" | groupby source.ip destination.ip event.module event.dataset dce_rpc.operation

title: Windows service changed or started remotely with svcctl
status: experimental
description: Detects when a Windows service has been changed or started with svcctl remotely (using DCE/RPC).
references:
- https://github.com/juliourena/SharpNoPSExec
author: 'Josh Brower, @Defensivedepth'
logsource:
product: zeek
service: dce_rpc
detection:

title: Internal Cleartext Protocol Usage
status: experimental
description: Detects common cleartext protocols from internal endpoints.
author: Josh Brower
logsource:
category: firewall
definition: Tweak logsource to whichever logsource is used in the local environment ie Zeek Conn.
detection:
internal_ip:
src_ip|startswith:

# Security Onion 2 - Hunt query for HTTP over non-HTTP ports grouped by port, http method, virtual host, uri & user agent
event.dataset:http AND NOT destination.port: "80" AND NOT destination.port: "8080" | groupby destination.port http.method http.virtual_host http.uri http.useragent

echo | openssl s_client -showcerts -servername gnupg.org -connect gnupg.org:443 2>/dev/null | openssl x509 -inform pem -noout -text

# @DefensiveDepth
# One-liner that runs osqueryi with ATC configuration to read in the chrome history file, export as json and curl the json to an API endpoint. Requires the osqueryi binary on the endpoint.
# Further reading & reference:
# ATC - https://blog.kolide.com/build-custom-osquery-tables-using-atc-ab112a30674c
# SQLite queries for Chrome, Safari, Firefox, etc - https://gist.github.com/dropmeaword/9372cbeb29e8390521c2#browser-histories
# echo the ATC (Automatic Table Construction) configuration to /tmp/config - the path is for MacOS.
echo '{"auto_table_construction":{"chrome_history":{"query":"SELECT datetime(last_visit_time/1000000-11644473600, \"unixepoch\") as last_visited, url, title, visit_count FROM urls","path":"/Users/%/Library/Application\\ Support/Google/Chrome/Default/History","columns":["last_visited","url","title","visit_count"]}}}' > /tmp/config \

-- CVE-2019-0708 - Queries for 2008 R2 / Win7 & below systems that have RDP exposed publicly (remote_address is not internal IP)
-- Modified From: @gepeto42 - https://twitter.com/gepeto42/status/1128383095428743172
-- If you use 172.16/22 internally, you will need to tweak this
SELECT process_open_sockets.remote_address, os_version.name
FROM process_open_sockets CROSS JOIN os_version
WHERE process_open_sockets.local_port=3389
AND process_open_sockets.remote_address NOT LIKE '10.%'
AND process_open_sockets.remote_address NOT LIKE '172.16%'
AND process_open_sockets.remote_address NOT LIKE '192.168%'

# 2/19, @DefensiveDepth
# Logstash filter for enriching osquery chrome extension data with CRXcavator (CRXcavator.io)
filter {
# Logstash conditionals take the field reference on the left and the regex on the right
if [osquery][name] =~ /^pack_server-windows_Chrome.*/ {
# Use the http filter to query the relevant extension data using the identifier and version
# Dump the report data & headers into new fields, CE-Raw & CE-Headers
http {

filter {
json {
# Do the initial JSON parse
source => "message"
target => "osquery"
}
mutate {
# Remove the \\x0A