Jonathan Johnson jsecurity101
jsecurity101
/ SQL Query for Process Reimaging
Created
September 13, 2019 14:19
Query ran to detect Process Reimaging behavior
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SELECT | |
| a.computer_name, | |
| a.OriginalFileName, | |
| a.LogonId, | |
| b.ProcessId, | |
| c.TargetFilename | |
| FROM processreimaging a | |
| JOIN processreimaging b | |
| ON a.ProcessGuid = b.ProcessGuid | |
| AND b.channel = "Microsoft-Windows-Sysmon/Operational" |
jsecurity101
/ Notebook_Interval.ipynb
Created
November 6, 2019 06:00
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
jsecurity101
/ sysmon.xml
Last active
May 8, 2020 01:49
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Sysmon schemaversion="4.30"> | |
| <!-- Capture all hashes --> | |
| <HashAlgorithms>*</HashAlgorithms> | |
| <EventFiltering> | |
| <!-- Event ID 1 == Process Creation. Log all newly created processes except --> | |
| <ProcessCreate onmatch="exclude"> | |
| <Image condition="contains">splunk</Image> | |
| <Image condition="contains">btool.exe</Image> | |
| <Image condition="contains">SnareCore</Image> | |
| <Image condition="contains">nxlog</Image> |
jsecurity101
/ winlogbeat.yml
Last active
September 14, 2023 14:13
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ###################### Winlogbeat Configuration Example ######################## | |
| # This file is an example configuration file highlighting only the most common | |
| # options. The winlogbeat.reference.yml file from the same directory contains | |
| # all the supported options with more comments. You can use it as a reference. | |
| # | |
| # You can find the full configuration reference here: | |
| # https://www.elastic.co/guide/en/beats/winlogbeat/index.html | |
| # ======================== Winlogbeat specific options ========================= |
jsecurity101
/ Sysmon_Winlogbeat_Install.ps1
Last active
July 28, 2020 02:58
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Author: Jonathan Johnson | |
| [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 | |
| $WinlogbeatUrl = "https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-7.5.2-windows-x86_64.zip" | |
| $WinlogbeatOutputFile = "winlogbeat.zip" | |
| $WinlogbeatConfig = "https://gist.github.com/jsecurity101/ec4c829e6d32a984d7ccf4c1e9247590/archive/8d85c6c443704e821a7f53e536be61667c67febd.zip" | |
| $WinlogZip = "winlogconfig.zip" |
jsecurity101
/ DUMPING_LSASS_SPLUNK_SYSMON.ipynb
Last active
December 5, 2021 23:51
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
jsecurity101
/ Venator.ipynb
Created
July 1, 2020 14:46
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
jsecurity101
/ Remote_Service_Creation.ipynb
Created
July 1, 2020 14:50
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
jsecurity101
/ Netsync.ipynb
Last active
October 30, 2020 02:18
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
jsecurity101
/ rpc-mapping.json
Created
September 20, 2021 15:50
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "name": "RPC to Technique Mapping", | |
| "versions": { | |
| "attack": "9", | |
| "navigator": "4.4.1", | |
| "layer": "4.2" | |
| }, | |
| "domain": "enterprise-attack", | |
| "description": "", | |
| "filters": { |
OlderNewer