Josh Frantz jfrantz1-r7

  • Rapid7
class sethostname {
  # Write the node's FQDN to /etc/hostname and trigger the exec only when it changes
  file { "/etc/hostname":
    ensure  => present,
    owner   => root,
    group   => root,
    mode    => '0644',
    content => "$::fqdn\n",
    notify  => Exec["set-hostname"],
  }
  exec { "set-hostname":
    # The gist preview ends here; the command and refreshonly below are an assumed
    # completion, not the gist's own text. refreshonly keeps the exec idle unless notified.
    command     => "/bin/hostname -F /etc/hostname",
    refreshonly => true,
  }
}
SELECT to_char(fav.date, 'Mon-YY') AS date,
       COUNT(*) AS count,
       CASE
         -- Caveat: age() with one argument is measured from today, so this buckets the
         -- vulnerability's age now, not its age when the asset was tested. Use
         -- age(fav.date, dv.date_published) if the test-date view is what you want.
         WHEN age(dv.date_published) < '30 days' THEN '<30 days'
         WHEN age(dv.date_published) <= '60 days' THEN '30-60 days'
         ELSE '60+ days'
       END AS vuln_age
-- The fav table has the asset test date...
FROM fact_asset_vulnerability_instance AS fav
-- and the dv table has the vulnerability release date
INNER JOIN dim_vulnerability AS dv
  ON dv.vulnerability_id = fav.vulnerability_id
-- The gist preview ends above; the join condition and the clauses below are an assumed
-- completion chosen to match the non-aggregated select columns, not the gist's own text.
GROUP BY 1, 3
ORDER BY min(fav.date), 3
#!/bin/zsh
# This script is meant to be used with Jamf Pro and makes use of Jamf Helper.
# The idea behind this script is that it alerts the user that there are required OS
# updates that need to be installed. Rather than forcing updates to take place through the
# command line using "softwareupdate", the user is encouraged to use the GUI to update.
# In recent OS versions, Apple has done a poor job of testing command line-based update
# workflows and failed to account for scenarios where users may or may not be logged in.
# The update process through the GUI has not suffered from these kinds of issues. The
# script will allow end users to postpone/defer updates X times and then will

Threat detection in AWS using InsightIDR

Just some notes

  • A list of all current eventName fields https://gist.github.com/jfrantz1-r7/207225e8811588a50c1e230222469053
  • responseElements only appears in a CloudTrail record when the call actually changed something; read-only calls log it as null
  • When a role in one account is assumed from another, the records in both accounts' trails carry the same sharedEventID. By searching multiple log streams you can combine the view across accounts and match those records to verify suspicious activity
  • Common userIdentity types:
    • Root
    • IAMUser
    • AssumedRole
    • FederatedUser
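An added example (mine, not from the gist) that applies the notes above to a constructed CloudTrail log: it tallies userIdentity types, keeps only records that carry responseElements, pairs AssumeRole records across two accounts by sharedEventID, and flags root activity and cross-account assumption of an admin role. The record shape follows the CloudTrail format, but the account IDs, user name, role ARN, event IDs and the "Admin" naming rule are made up for illustration.

```python
"""Triage constructed CloudTrail records by userIdentity.type, responseElements
and sharedEventID. Added example; all identifiers below are invented."""
import json
from collections import Counter, defaultdict

# Constructed CloudTrail log file body (one "Records" array), trimmed to the fields used here.
SAMPLE_LOG = json.dumps({"Records": [
    # Caller's account (111111111111) sees the AssumeRole into 222222222222 ...
    {"eventID": "a1", "eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
     "recipientAccountId": "111111111111", "sharedEventID": "3f2e-shared",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111111111111"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/OrgAdmin"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE"}}},
    # ... and the target account's trail has the matching record with the same sharedEventID.
    {"eventID": "b1", "eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
     "recipientAccountId": "222222222222", "sharedEventID": "3f2e-shared",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111111111111"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/OrgAdmin"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE"}}},
    # Read-only call: responseElements is null.
    {"eventID": "c1", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "recipientAccountId": "222222222222",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::222222222222:assumed-role/OrgAdmin/alice"},
     "responseElements": None},
    # Root console login in the target account.
    {"eventID": "d1", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "recipientAccountId": "222222222222",
     "userIdentity": {"type": "Root", "accountId": "222222222222"},
     "responseElements": {"ConsoleLogin": "Success"}},
]})


def load_records(text):
    """Parse a CloudTrail log file body into its list of event records."""
    return json.loads(text)["Records"]


def identity_counts(records):
    """Tally userIdentity.type (Root, IAMUser, AssumedRole, FederatedUser, ...)."""
    return Counter(r.get("userIdentity", {}).get("type", "Unknown") for r in records)


def mutating_events(records):
    """Records that carry responseElements; read-only calls log it as null."""
    return [r for r in records if r.get("responseElements")]


def cross_account_pairs(records):
    """Group by sharedEventID and keep IDs seen in more than one account's trail."""
    by_shared = defaultdict(set)
    for r in records:
        if "sharedEventID" in r:
            by_shared[r["sharedEventID"]].add(r["recipientAccountId"])
    return {sid: sorted(accts) for sid, accts in by_shared.items() if len(accts) > 1}


def findings(records):
    """Two illustrative rules: any Root activity, and an AssumeRole whose target role
    lives in a different account than the caller and has 'Admin' in its ARN.
    The cross-account pair is reported once, keyed by sharedEventID."""
    out, seen = [], set()
    for r in records:
        ident = r.get("userIdentity", {})
        if ident.get("type") == "Root":
            out.append(f"root activity: {r['eventName']} in {r['recipientAccountId']}")
        role_arn = r.get("requestParameters", {}).get("roleArn", "")
        target_acct = role_arn.split(":")[4] if role_arn.count(":") >= 5 else None
        if (r.get("eventName") == "AssumeRole" and target_acct
                and target_acct != ident.get("accountId") and "Admin" in role_arn):
            key = r.get("sharedEventID") or r["eventID"]
            if key not in seen:
                seen.add(key)
                out.append(f"cross-account admin AssumeRole: {ident.get('userName')} -> "
                           f"{role_arn} (sharedEventID={r.get('sharedEventID')})")
    return out


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print(dict(identity_counts(recs)))
    print(cross_account_pairs(recs))
    for line in findings(recs):
        print(line)
```

In InsightIDR terms the sharedEventID grouping is what you would run across the log sets of both accounts; the "Admin" substring rule is only a stand-in for whatever role names matter in your environment.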
AbortDocumentVersionUpload
AbortEnvironmentUpdate
AbortMultipartUpload
AbortVaultLock
AcceptAccountMapping
AcceptCertificateTransfer
AcceptDelegate
AcceptDirectConnectGatewayAssociationProposal
AcceptFxPaymentCurrencyTermsAndConditions
AcceptHandshake
-- Installed-software inventory: number of assets carrying each vendor/name/family/version
SELECT count(da.asset_id) AS asset_count,
       ds.vendor,
       ds.name AS software_name,
       ds.family,
       ds.version
FROM dim_asset_software das
JOIN dim_software ds USING (software_id)
JOIN dim_asset da ON da.asset_id = das.asset_id
-- ds.cpe is part of the grouping key but not selected, so two rows with identical
-- vendor/name/family/version can still appear when their CPEs differ
GROUP BY ds.vendor, ds.name, ds.family, ds.version, ds.cpe
ORDER BY asset_count DESC
WITH max_certainty AS (
  -- highest OS fingerprint certainty recorded per asset
  SELECT asset_id, max(certainty) AS certainty
  FROM dim_asset_operating_system
  GROUP BY asset_id
),
asset_cred_status AS (
  -- collapse the aggregated credential status id into FAIL / SUCCESS / N/A
  SELECT DISTINCT fa.asset_id,
         CASE WHEN dacs.aggregated_credential_status_id IN ('1', '2') THEN 'FAIL'
              WHEN dacs.aggregated_credential_status_id IN ('3', '4') THEN 'SUCCESS'
              ELSE 'N/A' END AS auth_status
  -- The gist preview ends here. The FROM/JOIN below and the final SELECT are an assumed
  -- completion (fa = fact_asset, dacs = dim_aggregated_credential_status), not the gist's text.
  FROM fact_asset AS fa
  JOIN dim_aggregated_credential_status AS dacs USING (aggregated_credential_status_id)
)
SELECT mc.asset_id, mc.certainty, acs.auth_status
FROM max_certainty AS mc
JOIN asset_cred_status AS acs USING (asset_id)
//cd /opt/rapid7/panasonic_avionics_log_processor/venv
//. bin/activate
//cd /opt/rapid7/panasonic_avionics_log_processor/latest/bin/
//python3.6 main.py
#!/usr/bin/env bash
# check a list of gsuite emails
if [[ $# -eq 0 ]]; then
  echo 'Give me a list of emails!'
  exit 1
fi
email_list="$1"
-- One row per vulnerability title, excluding deprecated checks.
-- md5(title) is a stable handle for the row, but titles are not guaranteed unique in the model.
SELECT DISTINCT Md5(title) AS "Unique ID",
       title AS "Vulnerability Title",
       Proofastext(description) AS "Description"
FROM dim_vulnerability
WHERE description NOT LIKE '%Deprecated%'
ORDER BY title ASC