
Auth

| Name/Link | Description/Purpose | Tags |
|---|---|---|
| Uber's SSH CA | A PAM module that authenticates a user based on their having an SSH certificate in their ssh-agent signed by a specified SSH CA. | Linux |
| Netflix's BLESS | An SSH Certificate Authority that runs as an AWS Lambda function and is used to sign SSH public keys. | AWS, Linux |
| SSH Cert Authority | An implementation of an SSH certificate authority/ | |
| Square's Sharkey | Sharkey is a service for managing certificates for use by OpenSSH. | Linux |
| Google's IAP | Cloud Identity-Aware Proxy (Cloud IAP) controls access to your cloud applications running on Google Cloud Platform. Cloud IAP works by verifying a user's identity and determining if that user should be allowed to access the application. | Google Cloud Platform |

Application IDs within the UAL

| Application Name | ID |
|---|---|
| Global PowerShell | 1b730954-1685-4b74-9bfd-dac224a7b894 |
| Microsoft.Azure.ActiveDirectory | 00000002-0000-0000-c000-000000000000 |
| Microsoft.Azure.AnalysisServices | 00000009-0000-0000-c000-000000000000 |
| Microsoft.Azure.Workflow | 00000005-0000-0000-c000-000000000000 |
| Microsoft Office Client Service | 0f698dd4-f011-4d23-a33e-b36416dcb1e6 |
| Microsoft.Exchange | 00000002-0000-0ff1-ce00-000000000000 |

| Term | Description | Link(s) |
|---|---|---|
| Alias | Another email address that people can use to email | |
| App Password | An app password is a password that is created within the Azure portal and that allows the user to bypass MFA and continue to use their application. | |
| Alternate email address | Required for admins to receive important notifications, or for resetting the admin password; cannot be modified by end users. | |
| AuditAdmin | | |
| AuditDelegate | | |
| Delegate | An account with assigned permissions to a mailbox. | |
| Display Name | Name that appears in the Address Book and on the To and From lines of an email. | |
| EAC | "Exchange Admin Center" | |

```yara
rule test_yara_rule
{
    strings:
        $0 = "Command" nocase wide ascii
        $1 = "Windows" nocase wide ascii
    condition:
        any of them
}
```

Visualization

| Name/Link | Description/Purpose | Tags |
|---|---|---|
| beagle | Transforms data sources and logs into graphs. | fireeye:hx, win:evtx |

Helpers

```conf
input {
  file {
    start_position => "beginning"
    path => "/path/to/*.log"
    type => "apache"
    sincedb_path => "/dev/null" # causes the file to be re-read every time
  }
}
filter {
  # filter rules not included in this excerpt
}
```
hiddenillusion / gist:72a7703b5d0352f7bdeb (created April 17, 2015 13:02)

Dockers of interest
- [Maltrieve](https://registry.hub.docker.com/u/technoskald/maltrieve/)
- [Combine](https://registry.hub.docker.com/u/technoskald/combine/)
- [Scumblr](https://registry.hub.docker.com/u/bprodoehl/scumblr/)
- [CRITs](https://registry.hub.docker.com/u/pnelson/crits/)
- [MISP](https://registry.hub.docker.com/u/eg5846/misp-docker/)
- [ELK](https://registry.hub.docker.com/u/qnib/elk/)
- [Viper](https://registry.hub.docker.com/u/remnux/viper/)
- [JSdetox](https://registry.hub.docker.com/u/remnux/jsdetox/)
- [PEscanner](https://registry.hub.docker.com/u/remnux/pescanner/)
- [Rekall](https://registry.hub.docker.com/u/remnux/rekall/)

| Event Log Type | Category | Event Log Name | EID | Description/Message |
|---|---|---|---|---|
| evt | Logon/Logoff | Security | 528 | successful logon |
| evt | Logon/Logoff | Security | 538 | user logoff |
| evt | Security Controls | Security | 848 | FW policy active when started |
| evt | Security Controls | Security | 849 | app listed as an exception in FW |
| evt | Security Controls | Security | 851 | change made to FW app exception list |
| evt | Security Controls | Security | 852 | change made to FW port exception list |
| evt | Security Controls | Security | 857 | FW setting to allow remote admin has changed |
| evt | Security Controls | Security | 859 | FW group policy settings removed |
| evt | Security Controls | Security | 860 | FW switched active policy profile |

```python
#!/usr/bin/env python
# created by Glenn P. Edwards Jr.
# https://hiddenillusion.github.io
# @hiddenillusion
# Date: 2016-10-10
# (while at FireEye)
'''
Based on https://github.com/williballenthin/INDXParse/blob/master/get_file_info.py

Note - view this file in RAW form since asterisks get markdown'ed
'''
```

| View Template Name | Works With | Syntax |
|---|---|---|
| Microsoft Outlook - Only Email Folders | AutoDFIR | `* AND NOT folder_name:(Journal OR Contacts OR Calendar OR Notes OR "Suggested Contacts" OR "RSS Feeds")` |
| Report Details | AutoDFIR | `parser:evtxstats` |
| Privilege Escalation | Log2timeline | `parser:selinux AND (/bin/sudo OR /bin/su)` |
| Privilege Escalation - Command Executed | Log2timeline | `(parser:selinux AND (/bin/sudo OR /bin/su)) OR (reporter:sudo AND message:COMMAND)` |
| Shell Command History | Log2timeline | `data_type:"shell:zsh:history" OR data_type:"shell:bash:history"` |
| SSH Activity | Log2timeline | `audit_type:("CRED_ACQ" OR "USER_LOGIN" OR "USER_START" OR "USER_END") AND NOT message:(addr=? AND hostname=?) -"usr/sbin/crond"` |