holisticinfosec

Keybase proof

I hereby claim:

• I am holisticinfosec on github.
• I am holisticinfosec (https://keybase.io/holisticinfosec) on keybase.
• I have a public key ASAc1t0PISb-ZngqpjZbc97zLn6ThDLJZjGdRHLt6l3QCgo

To claim this, I am signing this object:

holisticinfosec

# Created from Anomalize project, Matt Dancho
# https://github.com/business-science/anomalize
security_access_logs %>%
  # Data Manipulation / Anomaly Detection
  time_decompose(count, method = "stl") %>%
  anomalize(remainder, method = "iqr") %>%
  time_recompose() %>%
  # Anomaly Visualization
  plot_anomalies(time_recomposed = TRUE, ncol = 3, alpha_dots = 0.25) +
  labs(title = "Security Event Log Anomalies", subtitle = "STL + IQR Methods") 

holisticinfosec

# Created from Anomalize project, Matt Dancho
# https://github.com/business-science/anomalize
library(tidyverse)
library(anomalize)
security_access_logs %>%
  ggplot(aes(date, count)) +
  geom_point(color = "#2c3e50", alpha = 0.25) +
  facet_wrap(~ server, scale = "free_y", ncol = 3) +
  theme_minimal() +
  theme(axis.text.x = element_text(angle = 30, hjust = 1)) +

holisticinfosec

# Created from Anomalize project, Matt Dancho
# https://github.com/business-science/anomalize
library(dplyr)
library(tibbletime)
setwd("C:/coding/R/anomalize/")
logs <- read_csv("log.csv")
security_access_logs <- logs %>%
  group_by(server) %>%
  as_tbl_time(date)
security_access_logs

holisticinfosec

# Created from Anomalize project, Matt Dancho
# https://github.com/business-science/anomalize
SERVER549521 %>%
  # STL + IQR Anomaly Detection
  time_decompose(count, method = "stl", trend = "4 months") %>%
  anomalize(remainder, method = "iqr") %>%
  time_recompose() %>%
  # Anomaly Visualization
  plot_anomalies(time_recomposed = TRUE) +
  labs(title = "SERVER-549521 Anomalies", subtitle = "STL + IQR Methods")

holisticinfosec

# Created from Anomalize project, Matt Dancho
# https://github.com/business-science/anomalize
security_access_logs %>%
  filter(server == "SERVER549521") %>%
  ungroup() %>%
  time_decompose(count) %>%
  anomalize(remainder) %>%
  plot_anomaly_decomposition() +
  labs(title = "Decomposition of Anomalized SERVER-549521 Downloads")

holisticinfosec

# Created from Anomalize project, Matt Dancho
# https://github.com/business-science/anomalize
# Get only SERVER549521 access
SERVER549521 <- security_access_logs %>%
  filter(server == "SERVER-549521") %>% 
  ungroup()
# Anomalize!!
SERVER549521 %>%
  # Twitter + GESD
  time_decompose(count, method = "twitter", trend = "4 months") %>%

holisticinfosec

Stop-Process -name "SearchIndexer" -force;Start-Sleep -m 500;Select-String -Path $env:USERPROFILE\AppData\Local\Microsoft\InputPersonalization\TextHarvester\WaitList.dat -Encoding unicode -Pattern "password"

holisticinfosec

<?xml version="1.0" encoding="utf-8"?>
<sim>
	<delete>false</delete>
	<errordirectory>C:\Users\Public\Documents\</errordirectory>
	<task>
		<config>
			<name>PowerShell_test</name>
			<loop>3</loop>
			<pause>1000</pause>
		</config>

holisticinfosec

[
        {
            "title": "NOBELLIUM FoggyWeb File Drop Sysmon",
            "description": "After compromising an AD FS server, NOBELIUM was observed dropping version.dll on the system.",
            "author": "Russ McRee (holisticinfosec), Florian Roth, (@cyb3rops)",
            "tags": [
                "attack.persistence",
                "attack.defense_evasion"
            ],
            "level": "critical",