faststeak

## PowershellTranscript.json
{
  "id": "PowershellTranscripts",
  "lib": "custom",
  "rules": [
    {
      "condition": "sourcetype=='powershell:transcripts'",
      "type": "regex",
      "timestampAnchorRegex": "/Start time:\\s/",
      "timestamp": {
        "type": "format",

## gist:0ef52e39c80ef15c92731fb0a7fcb234
index=<your target indexes>
| regex "(?i)\${(\${(.*?:|.*?:.*?:-)(\'|\"|\`)*(?1)}*|[jndi:(ldap|ldaps|rmi|dns|nis|iiop|corba|nds|http)](\'|\"|\`)*}*){9,10}"

| rex field=_raw max_match=0 "(?<ip_addr>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| rex field=_raw "Base64\/(?<base64>[A-Za-z0-9+]{15,}[=]{0,2})"
| decrypt field=base64 b64 emit('payload')

| table _time index sourcetype host ip_addr base64 payload _raw

| mvexpand ip_addr

## gist:c8a0483ca0a25c6c92bab43579596c16
index=<your tenable index here> sourcetype=tenable:sc:vuln (pluginID=10396 OR pluginID=10395 OR pluginID=23973 OR pluginID=24271 OR pluginID=42411 OR pluginID=60119) TERM(<your testuser here>)
| table ip dnsName pluginID pluginName pluginText
| rex field=pluginText max_match=0 (?<allInfo>((?<=\n-\s)((?<=\n-\s)(.+\n)*)*))
| mvexpand allInfo
| rex field=allInfo (?<shareContents>((?<=:\n)(.+\n)*(.)*))
| rex field=allInfo (?<sharePermissions>(((?<=\s{2}-\s\()(.)*)(?=\))))
| rex field=allInfo (?<shareName>((.)*(?=\s{2}-)))
| search sharePermissions=*writable*
| table dnsName shareName

## gist:66918caaf6a0d7e9fcd818515ae63252
index=winevents sourcetype=WinEventLog:Security EventCode=4625 NOT(user=*$ OR host="insert Domain Controllers here") Failure_Reason="Unknown user name or bad password."
| bin span=30m _time
| stats min(_time) as firstTime max(_time) as lastTime count dc(user) as user_count values(user) as user_logon_attempts values(Source_Network_Address) as Source_Network_Addresses by host Logon_Type Failure_Reason
| fields firstTime lastTime host Logon_Type Failure_Reason user_count user_logon_attempts Source_Network_Addresses
| convert ctime(firstTime), ctime(lastTime)

| where user_count>50

| eval user_logon_attempts=mvjoin(user_logon_attempts, ", ")
| eval user_logon_attempts=substr(user_logon_attempts, 0, 500)

## ipam-tools.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                faststeak
                / ipam-tools.md
            
            
              Last active
              November 24, 2019 17:23
                — forked from regnauld/ipam-tools.md
            
              
                Overview of IPAM/DCIM tools - July 2016
              
          
    IPAM and CMDB software

IPAM


HaCi http://haci.larsux.de/ - 2015-03

IPAM only, v4/v6, multiple POPs, uses templates, space visualization


GestioIP  https://www.gestioip.net/ - 2019-10


## gist:275d5d157492b281b6940068f2ae9f6d
SELECT p.pid, p.name, p.state, u.username, lp.*
FROM processes p
INNER JOIN listening_ports lp
ON lp.pid = p.pid
INNER JOIN users u
ON u.uid = p.uid;

SELECT u.username,
g.groupname
FROM users u

## gist:8c2f812f3a9650523aea44cae20fbaa7
# Needs time and host components

| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Authentication by _time Authentication.src_user Authentication.user | rename Authentication.* as * | stats dc(user) as user_count values(user) as users by src_user

# Base tstats search to get the initial data
| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Authentication by _time Authentication.action Authentication.src Authentication.dest Authentication.src_user Authentication.user Authentication.signature Authentication.signature_id

## gist:e30f6802fd51c3cd325e6b4247e85267
## Any DMs returned are using a lookup, so those lookups need to be on the indexers.
| rest splunk_server=local /services/datamodel/acceleration| fields title search  | eval contains_lookup=if(like(search, "%lookup%"),1,0)   | eval contains_lookup=case(contains_lookup=1,"yes",contains_lookup=0,"no")| table title search contains_lookup | search contains_lookup=yes

## gist:824a9bad9b0a0784f51ed9767b6e9810
| tstats summariesonly=true allow_old_summaries=true count from datamodel=Endpoint.Processes where Processes.process_name="regsvr32.exe" by _time  Processes.dest Processes.parent_process Processes.process span=15m

## gist:ee18ab9fd4b815bcedb56b196d1127e0
# Assumes the presence of SA-Netops (the normalize macro).
# Configured for Stream data as written

index=dhcp chaddr=* ciaddr=* NOT (ciaddr="0.0.0.0" OR ciaddr=169.254.*)
| streamstats  earliest(_time) as earliest_time latest(_time) as latest_time latest(chaddr) as latest_mac latest(ciaddr) as latest_ip by chaddr ciaddr reset_on_change=true
| stats  min(earliest_time) as start_time max(latest_time) as end_time by latest_mac latest_ip
| rename latest_mac AS mac latest_ip as ip
| `normalize_mac_address(mac)`
| inputlookup dhcp_lookup append=t
| stats dc(mac) as mac_count values(*) as *  by ip
	{
	"id": "PowershellTranscripts",
	"lib": "custom",
	"rules": [
	{
	"condition": "sourcetype=='powershell:transcripts'",
	"type": "regex",
	"timestampAnchorRegex": "/Start time:\\s/",
	"timestamp": {
	"type": "format",
	index=<your target indexes>
	\| regex "(?i)\${(\${(.?:\|.?:.?:-)(\'\|\"\|\`)(?1)}\|[jndi:(ldap\|ldaps\|rmi\|dns\|nis\|iiop\|corba\|nds\|http)](\'\|\"\|\`)}*){9,10}"

	\| rex field=_raw max_match=0 "(?<ip_addr>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
	\| rex field=_raw "Base64\/(?<base64>[A-Za-z0-9+]{15,}[=]{0,2})"
	\| decrypt field=base64 b64 emit('payload')

	\| table _time index sourcetype host ip_addr base64 payload _raw

	\| mvexpand ip_addr
	index=<your tenable index here> sourcetype=tenable:sc:vuln (pluginID=10396 OR pluginID=10395 OR pluginID=23973 OR pluginID=24271 OR pluginID=42411 OR pluginID=60119) TERM(<your testuser here>)
	\| table ip dnsName pluginID pluginName pluginText
	\| rex field=pluginText max_match=0 (?<allInfo>((?<=\n-\s)((?<=\n-\s)(.+\n))))
	\| mvexpand allInfo
	\| rex field=allInfo (?<shareContents>((?<=:\n)(.+\n)(.)))
	\| rex field=allInfo (?<sharePermissions>(((?<=\s{2}-\s\()(.)*)(?=\))))
	\| rex field=allInfo (?<shareName>((.)*(?=\s{2}-)))
	\| search sharePermissions=writable
	\| table dnsName shareName
	index=winevents sourcetype=WinEventLog:Security EventCode=4625 NOT(user=*$ OR host="insert Domain Controllers here") Failure_Reason="Unknown user name or bad password."
	\| bin span=30m _time
	\| stats min(_time) as firstTime max(_time) as lastTime count dc(user) as user_count values(user) as user_logon_attempts values(Source_Network_Address) as Source_Network_Addresses by host Logon_Type Failure_Reason
	\| fields firstTime lastTime host Logon_Type Failure_Reason user_count user_logon_attempts Source_Network_Addresses
	\| convert ctime(firstTime), ctime(lastTime)

	\| where user_count>50

	\| eval user_logon_attempts=mvjoin(user_logon_attempts, ", ")
	\| eval user_logon_attempts=substr(user_logon_attempts, 0, 500)
	SELECT p.pid, p.name, p.state, u.username, lp.*
	FROM processes p
	INNER JOIN listening_ports lp
	ON lp.pid = p.pid
	INNER JOIN users u
	ON u.uid = p.uid;

	SELECT u.username,
	g.groupname
	FROM users u
	# Needs time and host components

	\| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Authentication by _time Authentication.src_user Authentication.user \| rename Authentication.* as * \| stats dc(user) as user_count values(user) as users by src_user

	# Base tstats search to get the initial data
	\| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Authentication by _time Authentication.action Authentication.src Authentication.dest Authentication.src_user Authentication.user Authentication.signature Authentication.signature_id
	## Any DMs returned are using a lookup, so those lookups need to be on the indexers.
	\| rest splunk_server=local /services/datamodel/acceleration\| fields title search \| eval contains_lookup=if(like(search, "%lookup%"),1,0) \| eval contains_lookup=case(contains_lookup=1,"yes",contains_lookup=0,"no")\| table title search contains_lookup \| search contains_lookup=yes
	# Assumes the presence of SA-Netops (the normalize macro).
	# Configured for Stream data as written

	index=dhcp chaddr=* ciaddr=* NOT (ciaddr="0.0.0.0" OR ciaddr=169.254.*)
	\| streamstats earliest(_time) as earliest_time latest(_time) as latest_time latest(chaddr) as latest_mac latest(ciaddr) as latest_ip by chaddr ciaddr reset_on_change=true
	\| stats min(earliest_time) as start_time max(latest_time) as end_time by latest_mac latest_ip
	\| rename latest_mac AS mac latest_ip as ip
	\| `normalize_mac_address(mac)`
	\| inputlookup dhcp_lookup append=t
	\| stats dc(mac) as mac_count values() as by ip