ecapuano

# A retired winlogbeats config maintained by the Recon InfoSec SOC
# contains most the higher value events needed for detection and response
# should be tuned for your specific environment and log volume tolerance

winlogbeat.event_logs: # Global Event Logs Config
  - name: Security
    ignore_older: 24h
    processors:
      - script:
          when.equals.winlog.channel: Security

ecapuano

name: Windows.Destroy.System
description: |
  **WARNING! THIS IS HIGHLY DESTRUCTIVE!**
  
  Deletes ALL of the things. UNRECOVERABLE!
  
  First deletes sensitive areas (user profiles, event logs) then moves 
  to wiping and zeroizing the entire C: drive.
  
  The system will ultimately fail before the process finishes, but the

ecapuano

# inspired by https://gist.github.com/JonnyWong16/f8139216e2748cb367558070c1448636
# adapted by eric capuano, @eric_capuano@infosec.exchange
# modified to support python3, and supports updating ALL users instead of specifying userIDs manually.
#
# first, add your PLEX_TOKEN and SERVER_ID
# second, add the libraries you want to share/unshare to SHARED_LIBRARY_IDS
# usage: python3 share_unshare_libraries.py share/unshare

import requests
from xml.dom import minidom

ecapuano

name: Custom.Winlogbeat.Deploy
description: |
   Quick and dirty way to deploy Winlogbeat via Velociraptor
# Can be CLIENT, CLIENT_EVENT, SERVER, SERVER_EVENT
type: CLIENT
parameters:
   - name: binaryURL
     default: http://url.to/winlogbeat.exe
   - name: installPath
     default: C:\Program Files\winlogbeat

ecapuano

rule sliver_github_file_paths_function_names {
  meta:
    author = "NCSC UK"
    description = "Detects Sliver Windows and Linux implants based on paths and function names within the binary"
  strings:
    $p1 = "/sliver/"
    $p2 = "sliverpb."
    $fn1 = "RevToSelfReq"
    $fn2 = "ScreenshotReq"
    $fn3 = "IfconfigReq"

ecapuano

rule sliver_strings {
  meta:
    author = "Eric Capuano, inspired by NCSC UK"
    description = "Detects Sliver Windows and Linux implants based on obvious strings within - not tested at scale, but it's probably good :)"
  strings:
    $p1 = "/sliver/"
    $p2 = "sliverpb"
  condition:
    all of ($p*)
}

ecapuano

/*
  Yara signatures for identifying secrets in text files. Requires libmagic!

  Mostly all stolen from Trufflehog regexes:
  - https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json

*/

import "magic"

ecapuano

# A script that will safely remove adversary footholds on systems. 
# 
# Be sure to replace your observables down below. Be careful not to
# included LOLBINs as they cannot be safely killed this way. Use
# Kill-Threads.ps1 for those.
#
# Used with great success during CF20
#
# Author: Eric Capuano

ecapuano

name: Custom.CapsSysmon.Deploy
description: |
   A quick and dirty way to download and install sysmon via Velociraptor
# Can be CLIENT, CLIENT_EVENT, SERVER, SERVER_EVENT
type: CLIENT
parameters:
   - name: sysmonURL
     default: http://url.to/sysmon8_64.exe
   - name: binPath
     default: C:\sysmon.exe

ecapuano

// Run against hunt results from Windows.System.Pslist
// Note: Returns ONLY unsigned processes, which minimizes less critical API calls
// Use's the server side enrichment artifact 'Artifact.Server.Enrichment.Virustotal' from @therealwlambert

LET VTKey <= "$apikey"
LET Results = SELECT Pid,Ppid,TokenIsElevated,Name,CommandLine,Exe,Hash.SHA256 AS SHA256, Authenticode, Username FROM source()
WHERE NOT Authenticode.Trusted = "trusted" // unsigned binaries
LIMIT 50

SELECT *, {SELECT * FROM Artifact.Server.Enrichment.Virustotal(VirustotalKey=VTKey, Hash=SHA256) } AS VTResults FROM foreach(row=Results)