Josh Brower defensivedepth
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This script takes two CIS Benchmark PDFs as input and diffs them | |
| # For example: It will generate a diff of the Win10 & W11 benchmarks | |
| import fitz # PyMuPDF | |
| import re | |
| import difflib | |
| import sys | |
| from datetime import datetime | |
| def is_start_of_new_item(line): |
defensivedepth
/ gist:748b1e8859c0559621eaeb30c3ea3322
Created
April 27, 2021 00:24
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| event.dataset: "dce_rpc" | groupby source.ip destination.ip event.module event.dataset dce_rpc.operation |
defensivedepth
/ zeek_svcctl.yaml
Created
April 27, 2021 00:12
Sigma rule for Zeek - Detects when a Windows service has been changed or started with svcctl remotely (using DCE/RPC).
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| title: Windows service changed or started remotely with svcctl | |
| status: experimental | |
| description: Detects when a Windows service has been changed or started with svcctl remotely (using DCE/RPC). | |
| references: | |
| - https://github.com/juliourena/SharpNoPSExec | |
| author: 'Josh Brower, @Defensivedepth' | |
| logsource: | |
| product: zeek | |
| service: dce_rpc | |
| detection: |
defensivedepth
/ internal_cleartext_protocols.yaml
Created
March 31, 2021 16:36
Sigma rule for Internal Cleartext Protocol Usage
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| title: Internal Cleartext Protocol Usage | |
| status: experimental | |
| description: Detects common cleartext procotols from internal endpoints. | |
| author: Josh Brower | |
| logsource: | |
| category: firewall | |
| defintion: Tweak logsource to whichever logsource is used in the local environment ie Zeek Conn. | |
| detection: | |
| internal_ip: | |
| src_ip|startswith: |
defensivedepth
/ gist:fd33cc6e7bbd8826ce7e4b27c4841aec
Created
March 19, 2021 14:01
Security Onion 2 - Hunt query for HTTP over non-HTTP ports
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Security Onion 2 - Hunt query for HTTP over non-HTTP ports grouped by port, http method, virtual host, uri & user agent | |
| event.dataset:http AND NOT destination.port: "80" AND NOT destination.port: "8080" | groupby destination.port http.method http.virtual_host http.uri http.useragent |
defensivedepth
/ gist:f5a71dcc8602a6330068a1eda0e43413
Created
January 21, 2020 19:00
Check for proxy cert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| echo | openssl s_client -showcerts -servername gnupg.org -connect gnupg.org:443 2>/dev/null | openssl x509 -inform pem -noout -text |
defensivedepth
/ ATC-Chrome_History
Created
July 19, 2019 22:45
One-liner that runs osqueryi with ATC configuration to read in the chrome history file, export as json and curl the json to an API endpoint
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # @DefensiveDepth | |
| # One-liner that runs osqueryi with ATC configuration to read in the chrome history file, export as json and curl the json to an API endpoint. Requires the osqueryi binary on the endpoint. | |
| # Further reading & reference: | |
| # ATC - https://blog.kolide.com/build-custom-osquery-tables-using-atc-ab112a30674c | |
| # SQLite queries for Chrome, Safari, Firefox, etc - https://gist.github.com/dropmeaword/9372cbeb29e8390521c2#browser-histories | |
| # echo the ATC (Automatic Table Construction) configuration to /tmp/config - the path is for MacOS. | |
| echo '{"auto_table_construction":{"chrome_history":{"query":"SELECT datetime(last_visit_time/1000000-11644473600, \"unixepoch\") as last_visited, url, title, visit_count FROM urls","path":"/Users/%/Library/Application\\ Support/Google/Chrome/Default/History","columns":["last_visited","url","title","visit_count"]}}}' > /tmp/config \ | |
defensivedepth
/ Internet-Exposed-RDP.sql
Last active
May 21, 2019 06:04
CVE-2019-0708 - Osquery - Detect Internet-exposed RDP endpoints, <= Windows 2008 R2 / Win7
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -- CVE-2019-0708 - Queries for 2008 R2 / Win7 & below systems that have RDP exposed publicly (remote_address is not internal IP) | |
| -- Modified From: @gepeto42 - https://twitter.com/gepeto42/status/1128383095428743172 | |
| -- If you use 172.16/22 internally, you will need to tweak this | |
| SELECT process_open_sockets.remote_address, os_version.name | |
| FROM process_open_sockets CROSS JOIN os_version | |
| WHERE process_open_sockets.local_port=3389 | |
| AND process_open_sockets.remote_address NOT LIKE '10.%' | |
| AND process_open_sockets.remote_address NOT LIKE '172.16%' | |
| AND process_open_sockets.remote_address NOT LIKE '192.168%' |
defensivedepth
/ Logstash-Filter.conf
Created
February 28, 2019 01:45
Logstash Filter for enriching osquery chrome extension data with CRXcavator (CRXcavator.io)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # 2/19, @DefensiveDepth | |
| # Logstash filter for enriching osquery chrome extension data with CRXcavator (CRXcavator.io) | |
| filter { | |
| if "^pack_server-windows_Chrome.*" =~ "[osquery][name]" { | |
| # Use the http filter to query the relevant extension data using the identifier and version | |
| # Dump the report data & headers into new fields, CE-Raw & CE-Headers | |
| http { |
defensivedepth
/ logstash-osquery-shipped-WEL.conf
Created
December 21, 2018 17:14
Logstash configuration snippet for Windows eventlogs shipped by the osquery table windows_events
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| filter { | |
| json { | |
| # Do the initial JSON parse | |
| source => "message" | |
| target => "osquery" | |
| } | |
| mutate { | |
| # Remove the \\x0A |
NewerOlder