Josh Frantz jfrantz1-r7

  • Rapid7
View puppet.pp
class sethostname {
file { "/etc/hostname":
ensure => present,
owner => root,
group => root,
mode => '0644',
content => "$::fqdn\n",
notify => Exec["set-hostname"],
}
exec { "set-hostname":
View vulnerability_aging.sql
SELECT to_char(, 'Mon-YY') AS date, COUNT(*) AS count,
CASE
WHEN age(dv.date_published) < '30 days' THEN '<30 days'
WHEN age(dv.date_published) <= '60 days' THEN '30-60 days'
ELSE '60+ days'
END AS vuln_age
-- The fav table has the asset test date...
FROM fact_asset_vulnerability_instance AS fav
-- and the dv table has the vulnerability release date
INNER JOIN dim_vulnerability AS dv
View gist:ff43fc8f0545f1af8621a33a8e978400
# This script is meant to be used with Jamf Pro and makes use of Jamf Helper.
# The idea behind this script is that it alerts the user that there are required OS
# updates that need to be installed. Rather than forcing updates to take place through the
# command line using "softwareupdate", the user is encouraged to use the GUI to update.
# In recent OS versions, Apple has done a poor job of testing command line-based workflows
# of updates and failed to account for scenarios where users may or may not be logged in.
# The update process through the GUI has not suffered from these kind of issues. The
# script will allow end users to postpone/defer updates X amount of times and then will

Threat detection in AWS using InsightIDR

Just some notes

  • A list of all current eventName fields
  • responseElements will only appear in a CloudTrail log if something actually changes
  • When a role is assumed in one account from another, a sharedEventID key is added to the logs. By searching multiple log streams, you can combine the view for multiple accounts to find matching logs and verify suspicious activity
  • There are a few different userIdentity types:
    • Root
    • IAMUser
    • AssumedRole
    • FederatedUser
View gist:055ed4e3aeacc0e5d2a68e64eccd7812
SELECT count(da.asset_id) as asset_count, ds.vendor, as software_name,, ds.version
FROM dim_asset_software das
JOIN dim_software ds using (software_id)
JOIN dim_asset da on da.asset_id = das.asset_id
GROUP BY ds.vendor,,, ds.version, ds.cpe
ORDER BY asset_count DESC
View gist:56428e19ea6fb40360222eec1da7b0af
WITH max_certainty AS (
SELECT asset_id, max(certainty) AS certainty
FROM dim_asset_operating_system
GROUP BY asset_id
),
asset_cred_status AS (
SELECT DISTINCT fa.asset_id,
CASE WHEN dacs.aggregated_credential_status_id IN ('1','2') THEN 'FAIL'
WHEN dacs.aggregated_credential_status_id IN ('3', '4') THEN 'SUCCESS'
ELSE 'N/A' END AS auth_status
View gist:4dea2696a3ae3a229115f8db29720a87
//cd /opt/rapid7/panasonic_avionics_log_processor/venv
//. bin/activate
//cd /opt/rapid7/panasonic_avionics_log_processor/latest/bin/
View gist:52ccf577ce49d207c8f66d1ad5639a70
#!/usr/bin/env bash
# check a list of gsuite emails
if [[ $# -eq 0 ]]; then
echo 'Give me a list of emails!'
exit 1
View gist:96163880dfd4991071b35b60d4efe2f3
SELECT DISTINCT Md5(title) AS "Unique ID",
title AS "Vulnerability Title",
Proofastext(description) AS "Description"
FROM dim_vulnerability
WHERE description NOT LIKE '%Deprecated%'