This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rpc | |
filter | |
add rule layer=um actiontype=permit | |
add condition field=if_uuid matchtype=equal data=<uuidguid> | |
add condition field=auth_type matchtype=equal data=16 | |
add condition field=auth_level matchtype=equal data=6 | |
add filter | |
add rule layer=um actiontype=block | |
add condition field=if_uuid matchtype=equal data=<uuidguid> | |
add filter |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
{ | |
"name": "RPC to Technique Mapping", | |
"versions": { | |
"attack": "9", | |
"navigator": "4.4.1", | |
"layer": "4.2" | |
}, | |
"domain": "enterprise-attack", | |
"description": "", | |
"filters": { |
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#Author: Jonathan Johnson | |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 | |
$WinlogbeatUrl = "https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-7.5.2-windows-x86_64.zip" | |
$WinlogbeatOutputFile = "winlogbeat.zip" | |
$WinlogbeatConfig = "https://gist.github.com/jsecurity101/ec4c829e6d32a984d7ccf4c1e9247590/archive/8d85c6c443704e821a7f53e536be61667c67febd.zip" | |
$WinlogZip = "winlogconfig.zip" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
###################### Winlogbeat Configuration Example ######################## | |
# This file is an example configuration file highlighting only the most common | |
# options. The winlogbeat.reference.yml file from the same directory contains | |
# all the supported options with more comments. You can use it as a reference. | |
# | |
# You can find the full configuration reference here: | |
# https://www.elastic.co/guide/en/beats/winlogbeat/index.html | |
# ======================== Winlogbeat specific options ========================= |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<Sysmon schemaversion="4.30"> | |
<!-- Capture all hashes --> | |
<HashAlgorithms>*</HashAlgorithms> | |
<EventFiltering> | |
<!-- Event ID 1 == Process Creation. Log all newly created processes except --> | |
<ProcessCreate onmatch="exclude"> | |
<Image condition="contains">splunk</Image> | |
<Image condition="contains">btool.exe</Image> | |
<Image condition="contains">SnareCore</Image> | |
<Image condition="contains">nxlog</Image> |
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.