Josh Frantz jfrantz1-r7

  • Rapid7
$DateTime = Get-Date -f "yyyy-MM"
$CSVFile = "C:\AD_Groups"+$DateTime+".csv"
$CSVOutput = @()
$ADGroups = Get-ADGroup -Filter *
$i=0
$tot = $ADGroups.count
foreach ($ADGroup in $ADGroups) {
------------------------------------------------------------------------------------------------------------------------------------------------------------
-- Asset Purge v3
------------------------------------------------------------------------------------------------------------------------------------------------------------
SET search_path TO nxsilo_default, nxadmin, nxglobal;
ANALYZE VERBOSE;
\echo `date` 'Disable constraints'
SET session_replication_role = replica;
------------------------------------------------------------------------------------------------------------------------------------------------------------
Get-ChildItem $directory -Directory -Recurse -Force |
Sort-Object -Property FullName -Descending |
Where-Object { $($_ | Get-ChildItem -Force | Select-Object -First 1).Count -eq 0 } |
Remove-Item
#!/bin/bash
#############################################################################################################
## Information ##
#############################################################################################################
## Created by Clay Nelson on 2/15/19 ##
## Sources: ##
## Shannon Johnson - https://www.jamf.com/jamf-nation/discussions/29555/script-to-install-update-java ##
## Lewis Lebentz - https://lew.im/2017/03/auto-update-chrome/ ##
## Joe Farage - https://www.jamf.com/jamf-nation/third-party-products/files/764/firefox-install-update ##
class sethostname {
file { "/etc/hostname":
ensure => present,
owner => root,
group => root,
mode => '0644',
content => "$::fqdn\n",
notify => Exec["set-hostname"],
}
exec { "set-hostname":
SELECT to_char(fav.date, 'Mon-YY') AS date, COUNT(*) AS count,
CASE
WHEN age(dv.date_published) < '30 days' THEN '<30 days'
WHEN age(dv.date_published) <= '60 days' THEN '30-60 days'
ELSE '60+ days'
END AS vuln_age
-- The fav table has the asset test date...
FROM fact_asset_vulnerability_instance AS fav
-- and the dv table has the vulnerability release date
INNER JOIN dim_vulnerability AS dv

Threat detection in AWS using InsightIDR

Just some notes

  • A list of all current eventName fields https://gist.github.com/jfrantz1-r7/207225e8811588a50c1e230222469053
  • responseElements will only appear in a CloudTrail log if something actually changes
  • When a role is assumed in one account from another, a sharedEventID key is added to the logs. By searching multiple log streams, you can combine the view for multiple accounts and find the matching logs to verify suspicious activity
  • There are a few different userIdentity types:
    • Root
    • IAMUser
    • AssumedRole
    • FederatedUser
AbortDocumentVersionUpload
AbortEnvironmentUpdate
AbortMultipartUpload
AbortVaultLock
AcceptAccountMapping
AcceptCertificateTransfer
AcceptDelegate
AcceptDirectConnectGatewayAssociationProposal
AcceptFxPaymentCurrencyTermsAndConditions
AcceptHandshake
SELECT count(da.asset_id) as asset_count, ds.vendor, ds.name as software_name, ds.family, ds.version
FROM dim_asset_software das
JOIN dim_software ds using (software_id)
JOIN dim_asset da on da.asset_id = das.asset_id
GROUP BY ds.vendor, ds.name, ds.family, ds.version, ds.cpe
ORDER BY asset_count DESC
WITH max_certainty AS (
SELECT asset_id, max(certainty) AS certainty
FROM dim_asset_operating_system
GROUP BY asset_id
),
asset_cred_status AS (
SELECT DISTINCT fa.asset_id,
CASE WHEN dacs.aggregated_credential_status_id IN ('1','2') THEN 'FAIL'
WHEN dacs.aggregated_credential_status_id IN ('3', '4') THEN 'SUCCESS'
ELSE 'N/A' END AS auth_status