Name/Link | Description/Purpose | Tags
---|---|---
Uber's SSH CA | A PAM module that authenticates a user based on the user having an SSH certificate in their ssh-agent that was signed by a specified SSH CA. | Linux
Netflix's BLESS | An SSH certificate authority that runs as an AWS Lambda function and is used to sign SSH public keys. | AWS, Linux
SSH Cert Authority | An implementation of an SSH certificate authority. |
Square's Sharkey | Sharkey is a service for managing certificates for use by OpenSSH. | Linux
Google's IAP | Cloud Identity-Aware Proxy (Cloud IAP) controls access to your cloud applications running on Google Cloud Platform. Cloud IAP works by verifying a user's identity and determining whether that user should be allowed to access the application. | Google Cloud Platform
Application IDs within the UAL
Application Name | ID |
---|---|
Global PowerShell | 1b730954-1685-4b74-9bfd-dac224a7b894 |
Microsoft.Azure.ActiveDirectory | 00000002-0000-0000-c000-000000000000 |
Microsoft.Azure.AnalysisServices | 00000009-0000-0000-c000-000000000000 |
Microsoft.Azure.Workflow | 00000005-0000-0000-c000-000000000000 |
Microsoft Office Client Service | 0f698dd4-f011-4d23-a33e-b36416dcb1e6 |
Microsoft.Exchange | 00000002-0000-0ff1-ce00-000000000000 |
Term | Description | Link(s)
---|---|---
Alias | Another email address that can be used to email the same mailbox. |
App Password | An app password is a password created within the Azure portal that allows the user to bypass MFA and continue to use their application. |
Alternate email address | Required for admins to receive important notifications or to reset the admin password; it cannot be modified by end users. |
AuditAdmin | |
AuditDelegate | |
Delegate | An account with assigned permissions to a mailbox. |
Display Name | Name that appears in the Address Book and on the To and From lines of an email. |
EAC | Exchange Admin Center |
```yara
rule test_yara_rule
{
    strings:
        $0 = "Command" nocase wide ascii
        $1 = "Windows" nocase wide ascii
    condition:
        any of them
}
```
```conf
input {
  file {
    start_position => "beginning"
    path => "/path/to/*.log"
    type => "apache"
    sincedb_path => "/dev/null" # discards read position, so the files are re-read from the beginning on every run
  }
}
filter {
}
```
- [Maltrieve](https://registry.hub.docker.com/u/technoskald/maltrieve/)
- [Combine](https://registry.hub.docker.com/u/technoskald/combine/)
- [Scumblr](https://registry.hub.docker.com/u/bprodoehl/scumblr/)
- [CRITs](https://registry.hub.docker.com/u/pnelson/crits/)
- [MISP](https://registry.hub.docker.com/u/eg5846/misp-docker/)
- [ELK](https://registry.hub.docker.com/u/qnib/elk/)
- [Viper](https://registry.hub.docker.com/u/remnux/viper/)
- [JSdetox](https://registry.hub.docker.com/u/remnux/jsdetox/)
- [PEscanner](https://registry.hub.docker.com/u/remnux/pescanner/)
- [Rekall](https://registry.hub.docker.com/u/remnux/rekall/)
Event Log Type | Category | Event Log Name | EID | Description/Message
---|---|---|---|---
evt | Logon/Logoff | Security | 528 | Successful logon
evt | Logon/Logoff | Security | 538 | User logoff
evt | Security Controls | Security | 848 | Firewall policy active when started
evt | Security Controls | Security | 849 | Application listed as an exception in the firewall
evt | Security Controls | Security | 851 | Change made to the firewall application exception list
evt | Security Controls | Security | 852 | Change made to the firewall port exception list
evt | Security Controls | Security | 857 | Firewall setting to allow remote administration has changed
evt | Security Controls | Security | 859 | Firewall group policy settings removed
evt | Security Controls | Security | 860 | Firewall switched active policy profile
```python
#!/usr/bin/env python
# created by Glenn P. Edwards Jr.
# https://hiddenillusion.github.io
# @hiddenillusion
# Date: 2016-10-10
# (while at FireEye)
'''
Based on https://github.com/williballenthin/INDXParse/blob/master/get_file_info.py
'''
```
Note: view this file in raw form, since the asterisks in the queries below get interpreted as Markdown.
View Template Name | Works With | Syntax |
---|---|---|
Microsoft Outlook - Only Email Folders | AutoDFIR | * AND NOT folder_name:(Journal OR Contacts OR Calendar OR Notes OR "Suggested Contacts" OR "RSS Feeds") |
Report Details | AutoDFIR | parser:evtxstats |
Privilege Escalation | Log2timeline | parser:selinux AND (/bin/sudo OR /bin/su) |
Privilege Escalation - Command Executed | Log2timeline | (parser:selinux AND (/bin/sudo OR /bin/su)) OR (reporter:sudo AND message:COMMAND) |
Shell Command History | Log2timeline | data_type:"shell:zsh:history" OR data_type:"shell:bash:history" |
SSH Activity | Log2timeline | audit_type:("CRED_ACQ" OR "USER_LOGIN" OR "USER_START" OR "USER_END") AND NOT message:(addr=? AND hostname=?) -"usr/sbin/crond" |