Jorrit Folmer jorritfolmer

jorritfolmer / transpose_mitre_eval_carbanak+fin7.py
Created Jun 6, 2021
Python script to help onboard Carbanak+FIN7 EDR eval results into Splunk
# Copyright 2021 Jorrit Folmer
# This script is MIT licensed: free to use and provided "as is" without warranty of any kind.
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/AhnLab_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Bitdefender_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/CheckPoint_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Cisco_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/CrowdStrike_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Cybereason_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/CyCraft_Results.json
jorritfolmer / pelican-tailwind-css.md
Last active Jul 22, 2021
Pelican with Tailwind CSS

How to use Tailwind CSS with Pelican

These steps show how to install Tailwind CSS in a Pelican project and then purge and minify it, so that the site references a CSS file of a few kB instead of the full 3+ MB build.

  1. virtualenv venv
  2. . venv/bin/activate
  3. pip install nodeenv
  4. nodeenv env
  5. . env/bin/activate
  6. npm install postcss postcss-cli autoprefixer tailwindcss purgecss cssnano
jorritfolmer / gist:c421749cd1520b8e2425bd80dc7f25de
Created Feb 16, 2021
Regex to parse AWS Route53 DNS logging in Splunk via CloudWatch logs

AWS Route53 DNS logging via CloudWatch Logs

^\S+ \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z \S+ (?<query>\S+) (?<record_type>\S+) (?<reply_code>\S+) (?<transport>\w+) (?<dest>\S+) (?<src>\S+) (?<vendor_edns_client_subnet>\S+)
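To check what this extraction yields before committing it to props.conf, here is an added Python harness (example code, not part of the gist): it rewrites the PCRE-style named groups into Python syntax, runs the regex over a few constructed Route 53 query log lines laid out in AWS's documented field order (version, timestamp, hosted zone ID, query name, type, response code, protocol, edge location, resolver IP, EDNS0 client subnet), and tallies the reply codes the way a `stats count by reply_code` search would. The seconds pattern accepts optional fractional seconds because AWS's documented timestamps carry milliseconds. The zone ID, addresses and names in the sample are made up.

```python
import re
from collections import Counter
from typing import Optional

# The Splunk (PCRE-style) extraction regex, with optional fractional seconds
# in the timestamp: AWS's documented Route 53 query log timestamps carry
# milliseconds (e.g. 2017-12-13T08:16:02.130Z).
SPLUNK_REGEX = (
    r"^\S+ \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z \S+ "
    r"(?<query>\S+) (?<record_type>\S+) (?<reply_code>\S+) (?<transport>\w+) "
    r"(?<dest>\S+) (?<src>\S+) (?<vendor_edns_client_subnet>\S+)"
)


def splunk_to_python(regex: str) -> str:
    """Rewrite PCRE named groups (?<name>...) into Python's (?P<name>...).

    Lookbehinds (?<= and (?<! are untouched: '=' and '!' are not word characters.
    """
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", regex)


ROUTE53_RE = re.compile(splunk_to_python(SPLUNK_REGEX))


def parse_route53_line(line: str) -> Optional[dict]:
    """Return the extracted fields for one log line, or None if it does not match."""
    match = ROUTE53_RE.match(line)
    if match is None:
        return None
    fields = match.groupdict()
    # Route 53 writes "-" when the resolver sent no EDNS0 client subnet option;
    # normalise that to None so it does not look like a real subnet value.
    if fields["vendor_edns_client_subnet"] == "-":
        fields["vendor_edns_client_subnet"] = None
    return fields


def parse_log(text: str) -> list[dict]:
    """Parse every line; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        fields = parse_route53_line(line)
        if fields is not None:
            records.append(fields)
    return records


def reply_code_counts(records: list[dict]) -> Counter:
    """Equivalent of `stats count by reply_code` once the fields are extracted."""
    return Counter(r["reply_code"] for r in records)


# Constructed sample lines (assumed zone ID, IPs and names), in AWS's documented
# field order: version, timestamp, hosted zone id, query name, type, rcode,
# protocol, edge location, resolver IP, EDNS0 client subnet. The third line has
# no fractional seconds; the fourth is noise that must not match.
SAMPLE_LOG = """\
1.0 2021-02-16T09:41:12.537Z Z0123456789ABCDEFGHIJ example.com A NOERROR UDP AMS1 203.0.113.5 198.51.100.0/24
1.0 2021-02-16T09:41:12.902Z Z0123456789ABCDEFGHIJ mail.example.com MX NOERROR TCP FRA6 203.0.113.9 -
1.0 2021-02-16T09:41:13Z Z0123456789ABCDEFGHIJ doesnotexist.example.com AAAA NXDOMAIN UDP LHR3 198.51.100.77 -
not a route53 query log line
"""

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for record in parsed:
        print(record)
    print(reply_code_counts(parsed))
```

The `dest` group captures the Route 53 edge location and `src` the recursive resolver's address, not the end client; only the EDNS0 client subnet field says anything about where the query originated, and it is absent (`-`) whenever the resolver did not send the option.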

jorritfolmer / gist:d6713c344e173765b06352b858b186ba

Installing MITRE Caldera on RHEL7

Doesn't seem to want to run in a virtualenv, not sure why.

Steps

  1. yum install rh-python36
  2. yum install gcc
  3. scl enable rh-python36 bash
  4. git clone https://github.com/mitre/caldera.git --recursive --branch 2.7.0
jorritfolmer / transpose_mitre_eval_apt29.md
Created Apr 27, 2020
Transpose MITRE EDR APT29 results for better Splunking

Onboarding MITRE EDR evaluations round 2 (APT29) into Splunk

MITRE has just published the JSON results of its EDR evaluations simulating APT29. As with the previous round, the nested structure of those files makes them difficult to search in Splunk. Use this Python script to transpose them into a form that is easier to Splunk.

Usage

$ python transpose_mitre_eval_apt29.py file.json > file_for_splunk.json
jorritfolmer / transpose_mitre_attack_evals.md
Last active Apr 30, 2021
Script to transpose JSON files from MITRE ATT&CK EDR evaluations for easier use in Splunk

Comparing MITRE ATT&CK evaluations of EDR software in Splunk, APT3

The JSON results of the APT3 evaluations can be found here: Round 1, APT3. For easier Splunking you have to transpose the JSON files from MITRE with the script below. This allows you to perform searches to compare detection results from each EDR vendor.

Usage

$ python transpose_mitre_eval.py file_from_mitre.json > better_file_for_splunking.json
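As an added illustration of the transposition these scripts (APT3, APT29 and Carbanak+FIN7 alike) perform, the block below is example code rather than any of the gists' own: it flattens one vendor's nested result document into one JSON event per substep and detection, so that every line carries the vendor, scenario, step, tactic, technique and detection type and a single `stats` search can compare vendors. The key names used here (`Detections_By_Step`, `Steps`, `Substeps`, `Detection_Type`, `Modifiers`, ...) and the detection-type ranking are assumptions for this example; MITRE's real files nest the same way but use their own keys, so the lookups in `transpose()` must be mapped onto the downloaded `*_Results.json`. The sample document is constructed and not a real vendor result.

```python
import json
import sys
from typing import Iterator

# Constructed sample in the ASSUMED schema used by this example:
# Vendor -> Detections_By_Step -> scenario -> Steps -> Substeps -> Detections.
# Not a real vendor result; MITRE's files use their own key names.
SAMPLE_RESULTS = {
    "Vendor": "ExampleVendor",
    "Detections_By_Step": {
        "Scenario_1": {
            "Steps": [
                {
                    "Step": "1.A",
                    "Substeps": [
                        {
                            "Substep": "1.A.1",
                            "Criteria": "powershell.exe spawned by winword.exe",
                            "Tactic": {"Tactic_Id": "TA0002", "Tactic_Name": "Execution"},
                            "Technique": {"Technique_Id": "T1059.001", "Technique_Name": "PowerShell"},
                            "Detections": [
                                {"Detection_Type": "Telemetry", "Modifiers": []},
                                {"Detection_Type": "Technique", "Modifiers": ["Delayed"]},
                            ],
                        },
                        {
                            "Substep": "1.A.2",
                            "Criteria": "reg.exe adding a value under the HKCU Run key",
                            "Tactic": {"Tactic_Id": "TA0003", "Tactic_Name": "Persistence"},
                            "Technique": {"Technique_Id": "T1547.001", "Technique_Name": "Registry Run Keys"},
                            "Detections": [],
                        },
                    ],
                }
            ]
        }
    },
}

# Assumed detection categories, ascending in quality. "None" is emitted for a
# substep without detections so that misses become searchable events too.
DETECTION_RANK = ["None", "Telemetry", "General", "Tactic", "Technique"]


def transpose(results: dict) -> Iterator[dict]:
    """Yield one flat event per (substep, detection), repeating all parent keys."""
    vendor = results["Vendor"]
    for scenario, body in results["Detections_By_Step"].items():
        for step in body["Steps"]:
            for substep in step["Substeps"]:
                base = {
                    "vendor": vendor,
                    "scenario": scenario,
                    "step": step["Step"],
                    "substep": substep["Substep"],
                    "criteria": substep["Criteria"],
                    "tactic_id": substep["Tactic"]["Tactic_Id"],
                    "tactic": substep["Tactic"]["Tactic_Name"],
                    "technique_id": substep["Technique"]["Technique_Id"],
                    "technique": substep["Technique"]["Technique_Name"],
                }
                detections = substep.get("Detections") or [{"Detection_Type": "None", "Modifiers": []}]
                for det in detections:
                    yield {
                        **base,
                        "detection_type": det["Detection_Type"],
                        "modifiers": det.get("Modifiers", []),
                    }


def to_ndjson(results: dict) -> str:
    """Newline-delimited JSON: Splunk indexes each line as one event."""
    return "".join(json.dumps(event, sort_keys=True) + "\n" for event in transpose(results))


def best_detection_per_substep(results: dict) -> dict[str, str]:
    """Highest-ranked detection type per substep, the usual basis for vendor comparison."""
    best: dict[str, str] = {}
    for event in transpose(results):
        key = event["substep"]
        if DETECTION_RANK.index(event["detection_type"]) >= DETECTION_RANK.index(best.get(key, "None")):
            best[key] = event["detection_type"]
    return best


if __name__ == "__main__":
    # Same shape of usage as the gists: python transpose.py file_from_mitre.json > for_splunk.json
    with open(sys.argv[1]) as fh:
        sys.stdout.write(to_ndjson(json.load(fh)))
```

Index the output with one JSON event per line (for example `KV_MODE = json` on the sourcetype); after that, `stats count by vendor detection_type` or `stats max(rank) by vendor substep` compares vendors directly, which the original nesting does not allow without a chain of `spath` and `mvexpand` calls.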

jorritfolmer / Systemd unit file for Splunk.md
[Unit]
After=network.target
Wants=network.target
Description=Splunk Enterprise


[Service]
Type=forking
RemainAfterExit=False
jorritfolmer / qemu-kvm-ovirt-windows-server-2016.md
Last active Jun 8, 2021
Installing Windows Server 2016 on oVirt qemu/kvm

Installing Windows Server 2016 on Ovirt v4 qemu/kvm

The install fails with BSOD and "Your PC ran into a problem and needs to restart. We're just collecting some error info, and then we'll restart for you."

Windows installer BSOD on qemu/kvm

After reboot it returns with the following message: "The computer restarted unexpectedly or encountered an unexpected error. Windows installation cannot proceed. To install Windows, click OK to restart the computer, and then restart the installation.":

Windows installer restarted unexpectedly on qemu/kvm

jorritfolmer / gist:bc6374b48bde2ba99f983cc0889da8a9
Last active Aug 30, 2018
NXlog config to create a syslog server on Windows

NXlog config to create a syslog server on Windows

Creates a log file for each connecting syslog client, named after its IP address, and rotates the files, keeping an archive of 5 files of 100 MB each. The config is meant to let a Splunk Universal Forwarder collect the syslog files using the following inputs.conf:

inputs.conf (Splunk):

[monitor://c:/log/192.168.1.1/*.log]

jorritfolmer / rhel7-docker-splunk.md

Dockerfile

# Well ok CENTOS then
FROM centos:7

# Point to your local repository with Splunk(forwarder)s
RUN echo $'[splunk]\n\
name=Splunk\n\
baseurl=http://repo.testlab.local/splunk\n\