I hereby claim:
- I am deruke on github.
- I am derekbanks (https://keybase.io/derekbanks) on keybase.
- I have a public key ASAOau90RIe9f3aw2svuIabRL7emSd9uVmtko-F05pmmWQo
To claim this, I am signing this object:
deruke
deruke
/ keybase.md
Created
October 13, 2017 14:37
deruke
/ forwarded-events-logstash.conf
Created
September 20, 2017 12:42
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| input { | |
| tcp { | |
| port => 3515 | |
| codec => json | |
| } | |
| } | |
| filter { | |
| mutate { | |
| add_tag => "forwardedevtx" | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # define ROOT dir | |
| define ROOT C:\Program Files (x86)\nxlog | |
| Moduledir %ROOT%\modules | |
| CacheDir %ROOT%\data | |
| Pidfile %ROOT%\data\nxlog.pid | |
| SpoolDir %ROOT%\data | |
| LogFile %ROOT%\data\nxlog.log | |
| #<Extension _syslog> |
deruke
/ Sysmon_only_script
Created
September 6, 2017 19:58
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| if not exist "C:\windows\sysmon_config.xml" ( | |
| copy /z /y "\\lab.local\SYSVOL\lab.local\scripts\sysmon\sysmon_config.xml" "C:\windows\" | |
| ) | |
| sc query "Sysmon" | Find "RUNNING" | |
| If "%ERRORLEVEL%" EQU "1" ( | |
| goto startsysmon | |
| ) | |
| :startsysmon | |
| net start Sysmon |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # capture windows events over JSON | |
| # expects to be sent by the NXLOG package | |
| # author: Joff Thyer, 2017 | |
| input { | |
| tcp { | |
| port => 3515 | |
| codec => json | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @echo off | |
| :install_nxlog | |
| sc query "nxlog" | Find "RUNNING" >NUL | |
| If NOT "%ERRORLEVEL%" EQU "1" ( | |
| goto install_sysmon | |
| ) | |
| echo Installing NXLOG | |
| \\domain.local\SYSVOL\software\nxlog-ce-2.9.1716.msi /quiet | |
| copy /z /y “\\domain.local\SYSVOL\software\nxlog.conf" "C:\Program Files (x86)\nxlog\conf" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # define ROOT dir | |
| define ROOT C:\Program Files (x86)\nxlog | |
| Moduledir %ROOT%\modules | |
| CacheDir %ROOT%\data | |
| Pidfile %ROOT%\data\nxlog.pid | |
| SpoolDir %ROOT%\data | |
| LogFile %ROOT%\data\nxlog.log | |
| #<Extension _syslog> |
deruke
/ iptables.rules
Created
April 25, 2017 20:54
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| *filter | |
| # Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 | |
| -A INPUT -i lo -j ACCEPT | |
| -A INPUT -d 127.0.0.0/8 -j REJECT | |
| # Accept all established inbound connections | |
| -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| # Allow all outbound traffic - you can modify this to only allow certain traffic |