This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Bro-IDS Logstash parser | |
# Parts of this taken from http://www.appliednsm.com/wp-content/uploads/logstash-SObro22-parse.conf_.txt | |
#Logs being parsed: | |
#app_stats.log | |
#conn.log | |
#dns.log | |
#dpd.log | |
#files.log | |
#http.log |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<manifest schemaversion="4.0" binaryversion="1.01"> | |
<configuration> | |
<options> | |
<!-- Command-line only options --> | |
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="u" name="UnInstall" argument="none" noconfig="true" exclusive="true" /> | |
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" /> | |
<option switch="t" name="DebugMode" argument="none" noconfig="true" /> | |
<option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" /> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<manifest schemaversion="4.1" binaryversion="8.00"> | |
<configuration> | |
<options> | |
<!-- Command-line only options --> | |
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="u" name="UnInstall" argument="none" noconfig="true" exclusive="true" /> | |
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" /> | |
<option switch="t" name="DebugMode" argument="none" noconfig="true" /> | |
<option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" /> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<DataCollectorSet><Status>0</Status><Duration>0</Duration><Description/><DescriptionUnresolved/><DisplayName/><DisplayNameUnresolved/><SchedulesEnabled>-1</SchedulesEnabled><LatestOutputLocation>C:\temp\</LatestOutputLocation><Name>sysmon</Name><OutputLocation>D:\temp\</OutputLocation><RootPath>D:\temp</RootPath><Segment>0</Segment><SegmentMaxDuration>0</SegmentMaxDuration><SegmentMaxSize>0</SegmentMaxSize><SerialNumber>7</SerialNumber><Server/><Subdirectory/><SubdirectoryFormat>1</SubdirectoryFormat><SubdirectoryFormatPattern/><Task/><TaskRunAsSelf>0</TaskRunAsSelf><TaskArguments/><TaskUserTextArguments/><UserAccount>SYSTEM</UserAccount><Security>O:BAG:DUD:AI(A;;FA;;;SY)(A;;FA;;;BA)(A;;FR;;;LU)(A;;0x1301ff;;;S-1-5-80-2661322625-712705077-2999183737-3043590567-590698655)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200ab;;;LU)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)</Security><StopOnCompletion>0</StopOnCompletion><PerformanceCounterDataCollector><DataCollectorType>0</DataCollectorType><Name>System Monitor Log</Name> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
function Get-InjectedThread | |
{ | |
<# | |
.SYNOPSIS | |
Looks for threads that were created as a result of code injection. | |
.DESCRIPTION | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<manifest schemaversion="4.2" binaryversion="8.00"> | |
<configuration> | |
<options> | |
<!-- Command-line only options --> | |
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="u" name="UnInstall" argument="none" noconfig="true" exclusive="true" /> | |
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" /> | |
<option switch="t" name="DebugMode" argument="none" noconfig="true" /> | |
<option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" /> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Required module > ImportExcel | |
# Install it like this > "Install-Module ImportExcel" | |
# | |
# Get the dataset from the ATT&CK matrix | |
# TODO: | |
# Diff online and offline, to only download on updates | |
# parameters for download, xlsx file and so on. | |
write-host "[+] Loading MITRE ATT&CK Data" -ForegroundColor Cyan | |
$dataset=Get-Content -Path enterprise-attack.json | ConvertFrom-Json | Select-Object -ExpandProperty objects | where type -eq "attack-pattern" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<manifest schemaversion="4.21" binaryversion="9.10"> | |
<configuration> | |
<options> | |
<!-- Command-line only options --> | |
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" /> | |
<option switch="t" name="DebugMode" argument="optional" noconfig="true" /> | |
<option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" /> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<manifest schemaversion="4.22" binaryversion="9.20"> | |
<configuration> | |
<options> | |
<!-- Command-line only options --> | |
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" /> | |
<option switch="t" name="DebugMode" argument="optional" noconfig="true" /> | |
<option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" /> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<manifest schemaversion="4.30" binaryversion="9.20"> | |
<configuration> | |
<options> | |
<!-- Command-line only options --> | |
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" /> | |
<option switch="t" name="DebugMode" argument="optional" noconfig="true" /> | |
<option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" /> |
OlderNewer