Nate Guagenti neu5ron

## PowerShell Command Line Logging
# PowerShell Audit Logging for LogRhythm SIEM - 2015
# For detecting dangerous PowerShell Commands/Functions

Log Source Type:
  MS Event Log for Win7/Win8/2008/2012 - PowerShell

Add this file to your PowerShell directory to enable verbose command line audit logging
profile.ps1
	$LogCommandHealthEvent = $true
	$LogCommandLifeCycleEvent = $true

## fake_sandbox.ps1
# Simulate fake processes of analysis sandbox/VM that some malware will try to evade
# This just spawn ping.exe with different names (wireshark.exe, vboxtray.exe, ...)
# It's just a PoC and it's ugly as f*ck but hey, if it works...

# Usage: .\fake_sandbox.ps1 -action {start,stop}

param([Parameter(Mandatory=$true)][string]$action)

$fakeProcesses = @("wireshark.exe", "vmacthlp.exe", "VBoxService.exe",
    "VBoxTray.exe", "procmon.exe", "ollydbg.exe", "vmware-tray.exe",

## 10-cisco-elasticsearch.conf
#
# INPUT - Logstash listens on port 8514 for these logs.
#

input {
  udp {
    port => "8514"
    type => "syslog-cisco"
  }


## logstash.conf
input {
    tcp {
        port => 5000
        codec => json_lines {
        }
    }
}

## Add your filters / logstash plugins configuration here
filter {

## rock_hardware.adoc

      
              1 file
            
          
              2 forks
            
          
              0 comments
            
          
              5 stars
            
          
                dcode
                / rock_hardware.adoc
            
            
              Last active
              July 31, 2019 04:41
            
          
    ROCK Sensor Parts List


Below is the hardware I use for development and home use of my ROCK sensor. It’s an extremely powerful system in a small form factor, under $1000. The most important aspects to me were that I wanted IPMI for baremetal remote management, dual Intel NICs, quiet, and relatively low-power. I sit by this thing and work everyday and don’t want to wear hearing protection while I write code.


The prices reflect what I paid for them in March 2016. No doubt the prices will have changed and newer, better stuff is probably available. Things like RAM and SSDs go on sale all the time, so look for that if you’re a bargain shopper.


Sensor Hardware


Case

Antec ISK 300-150 Black Mini-ITX Desktop Computer Case 150 Watt Power Supply - $70.70

RAM

https://www.amazon.com/gp/product/B015YPB1NK/ref=oh_aui_detailpage_o04_s00?ie=UTF8&psc=1[CRUCIAL TECHNOLOGY 16GBx2 32GB Kit, DDR4 2133 MT/s DIMM 288 (CT2K16G4D


## Azure
admin.iris.net
admin.mywebvalet.net
admin.seo.com.cn
api.mywebvalet.net
api.nuget.org
api.squaremeal.co.uk
app.iris.net
app.mywebvalet.net
app.swyftmedia.com
cdn.24sevenoffice.com
	# PowerShell Audit Logging for LogRhythm SIEM - 2015
	# For detecting dangerous PowerShell Commands/Functions

	Log Source Type:
	MS Event Log for Win7/Win8/2008/2012 - PowerShell

	Add this file to your PowerShell directory to enable verbose command line audit logging
	profile.ps1
	$LogCommandHealthEvent = $true
	$LogCommandLifeCycleEvent = $true
	# Simulate fake processes of analysis sandbox/VM that some malware will try to evade
	# This just spawn ping.exe with different names (wireshark.exe, vboxtray.exe, ...)
	# It's just a PoC and it's ugly as f*ck but hey, if it works...

	# Usage: .\fake_sandbox.ps1 -action {start,stop}

	param([Parameter(Mandatory=$true)][string]$action)

	$fakeProcesses = @("wireshark.exe", "vmacthlp.exe", "VBoxService.exe",
	"VBoxTray.exe", "procmon.exe", "ollydbg.exe", "vmware-tray.exe",
	#
	# INPUT - Logstash listens on port 8514 for these logs.
	#

	input {
	udp {
	port => "8514"
	type => "syslog-cisco"
	}
	input {
	tcp {
	port => 5000
	codec => json_lines {
	}
	}
	}

	## Add your filters / logstash plugins configuration here
	filter {
	admin.iris.net
	admin.mywebvalet.net
	admin.seo.com.cn
	api.mywebvalet.net
	api.nuget.org
	api.squaremeal.co.uk
	app.iris.net
	app.mywebvalet.net
	app.swyftmedia.com
	cdn.24sevenoffice.com