I hereby claim:
- I am holisticinfosec on github.
- I am holisticinfosec (https://keybase.io/holisticinfosec) on keybase.
- I have a public key ASAc1t0PISb-ZngqpjZbc97zLn6ThDLJZjGdRHLt6l3QCgo
To claim this, I am signing this object:
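# Created from Anomalize project, Matt Dancho
# https://github.com/business-science/anomalize
# Load the security event log and build the grouped time tibble that the
# later anomaly-detection snippets operate on.
library(dplyr)
library(readr)       # provides read_csv(); neither dplyr nor tibbletime does
library(tibbletime)

# Script-level side effect: later snippets may rely on this working directory.
setwd("C:/coding/R/anomalize/")

# Expected columns (from later use): server, date, count — confirm against log.csv.
logs <- read_csv("log.csv")

# One time series per server, indexed on the `date` column.
security_access_logs <- logs %>%
  group_by(server) %>%
  as_tbl_time(date)

security_access_logs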
# Created from Anomalize project, Matt Dancho | |
# https://github.com/business-science/anomalize | |
library(tidyverse) | |
library(anomalize) | |
security_access_logs %>% | |
ggplot(aes(date, count)) + | |
geom_point(color = "#2c3e50", alpha = 0.25) + | |
facet_wrap(~ server, scale = "free_y", ncol = 3) + | |
theme_minimal() + | |
theme(axis.text.x = element_text(angle = 30, hjust = 1)) + |
# Created from Anomalize project, Matt Dancho
# https://github.com/business-science/anomalize
# Per-server anomaly detection on `count`: STL decomposition, IQR test on the
# remainder, then recomposition so the bands can be drawn on the count scale.
anomalies_by_server <- security_access_logs %>%
  time_decompose(count, method = "stl") %>%
  anomalize(remainder, method = "iqr") %>%
  time_recompose()

# One facet per server, three across, with the anomalous points highlighted.
anomalies_by_server %>%
  plot_anomalies(time_recomposed = TRUE, ncol = 3, alpha_dots = 0.25) +
  labs(title = "Security Event Log Anomalies", subtitle = "STL + IQR Methods")
# Created from Anomalize project, Matt Dancho | |
# https://github.com/business-science/anomalize | |
# Get only SERVER549521 access | |
SERVER549521 <- security_access_logs %>% | |
filter(server == "SERVER-549521") %>% | |
ungroup() | |
# Anomalize!! | |
SERVER549521 %>% | |
# Twitter + GESD | |
time_decompose(count, method = "twitter", trend = "4 months") %>% |
# Created from Anomalize project, Matt Dancho
# https://github.com/business-science/anomalize
# Same STL + IQR pipeline as the all-server plot, run on the single
# ungrouped SERVER549521 series with a fixed 4-month trend window.
server_anomalies <- SERVER549521 %>%
  time_decompose(count, method = "stl", trend = "4 months") %>%
  anomalize(remainder, method = "iqr") %>%
  time_recompose()

server_anomalies %>%
  plot_anomalies(time_recomposed = TRUE) +
  labs(title = "SERVER-549521 Anomalies", subtitle = "STL + IQR Methods")
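# Created from Anomalize project, Matt Dancho
# https://github.com/business-science/anomalize
# Decomposition view for the single server, using anomalize's default
# time_decompose() / anomalize() settings.
# Reuses the SERVER549521 object built earlier (filtered on "SERVER-549521"
# and ungrouped) instead of re-filtering here: the original re-filter used the
# un-hyphenated "SERVER549521", which does not match the spelling in the other
# filter or in the plot titles and would silently yield an empty series.
# Confirm the exact server id against log.csv.
SERVER549521 %>%
  time_decompose(count) %>%
  anomalize(remainder) %>%
  plot_anomaly_decomposition() +
  labs(title = "Decomposition of Anomalized SERVER-549521 Downloads")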
# Artifact check on the InputPersonalization text-harvester cache
# (WaitList.dat): greps the file, read as UTF-16 ("unicode"), for "password".
# SearchIndexer is stopped first, presumably because it holds the file open
# (TODO confirm); the 500 ms sleep gives the process time to exit.
Stop-Process -name "SearchIndexer" -force;Start-Sleep -m 500;Select-String -Path $env:USERPROFILE\AppData\Local\Microsoft\InputPersonalization\TextHarvester\WaitList.dat -Encoding unicode -Pattern "password"
<?xml version="1.0" encoding="utf-8"?> | |
<sim> | |
<delete>false</delete> | |
<errordirectory>C:\Users\Public\Documents\</errordirectory> | |
<task> | |
<config> | |
<name>PowerShell_test</name> | |
<loop>3</loop> | |
<pause>1000</pause> | |
</config> |
[ | |
{ | |
"title": "NOBELIUM FoggyWeb File Drop Sysmon",
"description": "After compromising an AD FS server, NOBELIUM was observed dropping version.dll on the system.", | |
"author": "Russ McRee (holisticinfosec), Florian Roth (@cyb3rops)",
"tags": [ | |
"attack.persistence", | |
"attack.defense_evasion" | |
], | |
"level": "critical", |