Skip to content

Instantly share code, notes, and snippets.

Russ McRee holisticinfosec

View GitHub Profile
@holisticinfosec
holisticinfosec / WaitList.dat.ps1
Created Sep 19, 2018
Barnaby Skeggs's WaitList.dat PowerShell enumerator
View WaitList.dat.ps1
Stop-Process -name "SearchIndexer" -force;Start-Sleep -m 500;Select-String -Path $env:USERPROFILE\AppData\Local\Microsoft\InputPersonalization\TextHarvester\WaitList.dat -Encoding unicode -Pattern "password"
@holisticinfosec
holisticinfosec / Decomposition_Anomalized_Downloads.R
Last active Jun 3, 2018
Decomposition of Anomalized SERVER-549521 Downloads
View Decomposition_Anomalized_Downloads.R
# Created from Anomalize project, Matt Dancho
# https://github.com/business-science/anomalize
security_access_logs %>%
filter(server == "SERVER549521") %>%
ungroup() %>%
time_decompose(count) %>%
anomalize(remainder) %>%
plot_anomaly_decomposition() +
labs(title = "Decomposition of Anomalized SERVER-549521 Downloads")
@holisticinfosec
holisticinfosec / SERVER-549521_Anomalies_STL+IQR.R
Last active Jun 3, 2018
SERVER-549521 Anomalies STL + IQR Methods
View SERVER-549521_Anomalies_STL+IQR.R
# Created from Anomalize project, Matt Dancho
# https://github.com/business-science/anomalize
SERVER549521 %>%
# STL + IQR Anomaly Detection
time_decompose(count, method = "stl", trend = "4 months") %>%
anomalize(remainder, method = "iqr") %>%
time_recompose() %>%
# Anomaly Visualization
plot_anomalies(time_recomposed = TRUE) +
labs(title = "SERVER-549521 Anomalies", subtitle = "STL + IQR Methods")
@holisticinfosec
holisticinfosec / SERVER-549521_Anomalies_Twitter+GESD.R
Last active Jun 16, 2018
SERVER-549521 Anomalies Twitter + GESD Methods
View SERVER-549521_Anomalies_Twitter+GESD.R
# Created from Anomalize project, Matt Dancho
# https://github.com/business-science/anomalize
# Get only SERVER549521 access
SERVER549521 <- security_access_logs %>%
filter(server == "SERVER-549521") %>%
ungroup()
# Anomalize!!
SERVER549521 %>%
# Twitter + GESD
time_decompose(count, method = "twitter", trend = "4 months") %>%
@holisticinfosec
holisticinfosec / Security_Event_Log_Anomalies.R
Last active Jun 3, 2018
Security Event Log Anomalies
View Security_Event_Log_Anomalies.R
# Created from Anomalize project, Matt Dancho
# https://github.com/business-science/anomalize
security_access_logs %>%
# Data Manipulation / Anomaly Detection
time_decompose(count, method = "stl") %>%
anomalize(remainder, method = "iqr") %>%
time_recompose() %>%
# Anomaly Visualization
plot_anomalies(time_recomposed = TRUE, ncol = 3, alpha_dots = 0.25) +
labs(title = "Security Event Log Anomalies", subtitle = "STL + IQR Methods")
@holisticinfosec
holisticinfosec / Server_Logon_Counts.R
Last active Jun 3, 2018
Server Logon Counts - Anomalize
View Server_Logon_Counts.R
# Created from Anomalize project, Matt Dancho
# https://github.com/business-science/anomalize
library(tidyverse)
library(anomalize)
security_access_logs %>%
ggplot(aes(date, count)) +
geom_point(color = "#2c3e50", alpha = 0.25) +
facet_wrap(~ server, scale = "free_y", ncol = 3) +
theme_minimal() +
theme(axis.text.x = element_text(angle = 30, hjust = 1)) +
@holisticinfosec
holisticinfosec / Security_Access_Logs_Function.R
Last active Jun 3, 2018
Security Access Logs Function
View Security_Access_Logs_Function.R
# Created from Anomalize project, Matt Dancho
# https://github.com/business-science/anomalize
library(dplyr)
library(tibbletime)
setwd("C:/coding/R/anomalize/")
logs <- read_csv("log.csv")
security_access_logs <- logs %>%
group_by(server) %>%
as_tbl_time(date)
security_access_logs
@holisticinfosec
holisticinfosec / keybase.md
Created Feb 22, 2018
Keybase.io
View keybase.md

Keybase proof

I hereby claim:

  • I am holisticinfosec on github.
  • I am holisticinfosec (https://keybase.io/holisticinfosec) on keybase.
  • I have a public key ASAc1t0PISb-ZngqpjZbc97zLn6ThDLJZjGdRHLt6l3QCgo

To claim this, I am signing this object:

You can’t perform that action at this time.