Jonathan Johnson jsecurity101
jsecurity101
/ Prevent_Relay_RPC_Filter.txt
Last active
February 13, 2023 02:23
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rpc | |
| filter | |
| add rule layer=um actiontype=permit | |
| add condition field=if_uuid matchtype=equal data=<uuidguid> | |
| add condition field=auth_type matchtype=equal data=16 | |
| add condition field=auth_level matchtype=equal data=6 | |
| add filter | |
| add rule layer=um actiontype=block | |
| add condition field=if_uuid matchtype=equal data=<uuidguid> | |
| add filter |
jsecurity101
/ rpc-mapping.json
Created
September 20, 2021 15:50
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "name": "RPC to Technique Mapping", | |
| "versions": { | |
| "attack": "9", | |
| "navigator": "4.4.1", | |
| "layer": "4.2" | |
| }, | |
| "domain": "enterprise-attack", | |
| "description": "", | |
| "filters": { |
jsecurity101
/ Netsync.ipynb
Last active
October 30, 2020 02:18
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
jsecurity101
/ Remote_Service_Creation.ipynb
Created
July 1, 2020 14:50
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
jsecurity101
/ Venator.ipynb
Created
July 1, 2020 14:46
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
jsecurity101
/ DUMPING_LSASS_SPLUNK_SYSMON.ipynb
Last active
December 5, 2021 23:51
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
jsecurity101
/ Sysmon_Winlogbeat_Install.ps1
Last active
July 28, 2020 02:58
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Author: Jonathan Johnson | |
| [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 | |
| $WinlogbeatUrl = "https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-7.5.2-windows-x86_64.zip" | |
| $WinlogbeatOutputFile = "winlogbeat.zip" | |
| $WinlogbeatConfig = "https://gist.github.com/jsecurity101/ec4c829e6d32a984d7ccf4c1e9247590/archive/8d85c6c443704e821a7f53e536be61667c67febd.zip" | |
| $WinlogZip = "winlogconfig.zip" |
jsecurity101
/ winlogbeat.yml
Last active
September 14, 2023 14:13
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ###################### Winlogbeat Configuration Example ######################## | |
| # This file is an example configuration file highlighting only the most common | |
| # options. The winlogbeat.reference.yml file from the same directory contains | |
| # all the supported options with more comments. You can use it as a reference. | |
| # | |
| # You can find the full configuration reference here: | |
| # https://www.elastic.co/guide/en/beats/winlogbeat/index.html | |
| # ======================== Winlogbeat specific options ========================= |
jsecurity101
/ sysmon.xml
Last active
May 8, 2020 01:49
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Sysmon schemaversion="4.30"> | |
| <!-- Capture all hashes --> | |
| <HashAlgorithms>*</HashAlgorithms> | |
| <EventFiltering> | |
| <!-- Event ID 1 == Process Creation. Log all newly created processes except --> | |
| <ProcessCreate onmatch="exclude"> | |
| <Image condition="contains">splunk</Image> | |
| <Image condition="contains">btool.exe</Image> | |
| <Image condition="contains">SnareCore</Image> | |
| <Image condition="contains">nxlog</Image> |
jsecurity101
/ Notebook_Interval.ipynb
Created
November 6, 2019 06:00
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.