Richie Cyrus richiercyrus
richiercyrus
/ winlogbeat.yml
Last active
February 13, 2024 15:17
Training Course Winlogbeat Config File
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ###################### Winlogbeat Configuration Example ########################## | |
| # This file is an example configuration file highlighting only the most common | |
| # options. The winlogbeat.reference.yml file from the same directory contains all the | |
| # supported options with more comments. You can use it as a reference. | |
| # | |
| # You can find the full configuration reference here: | |
| # https://www.elastic.co/guide/en/beats/winlogbeat/index.html | |
| #======================= Winlogbeat specific options ========================== |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "options": { | |
| "config_plugin": "filesystem", | |
| "logger_plugin": "filesystem", | |
| "logger_path": "/var/log/osquery", | |
| "disable_logging": "false", | |
| "log_result_events": "true", | |
| "schedule_splay_percent": "10", | |
| "pidfile": "/var/osquery/osquery.pidfile", | |
| "events_expiry": "3600", |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ###################### Winlogbeat Configuration Example ########################## | |
| # This file is an example configuration file highlighting only the most common | |
| # options. The winlogbeat.reference.yml file from the same directory contains all the | |
| # supported options with more comments. You can use it as a reference. | |
| # | |
| # You can find the full configuration reference here: | |
| # https://www.elastic.co/guide/en/beats/winlogbeat/index.html | |
| #======================= Winlogbeat specific options ========================== |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [GENERAL] | |
| # Enable / Disable logging | |
| LOG = True | |
| [BROWSER] | |
| BROWSER = Chrome | |
| #BROWSER = 'Edge' | |
| # Chrome webdriver | |
| WEBDRIVER = ./webdrivers/chromedriver | |
| # MS Edge webdriver |
richiercyrus
/ SigCheck.py
Created
February 12, 2019 14:17
Python code for checking whether there are any processes running on a macOS system that are missing the LC_CODE_SIGNATURE command. This may be indicative of a LC_LOAD_DYLIB addition attack: https://attack.mitre.org/techniques/T1161/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import sys | |
| import shlex | |
| import argparse | |
| import subprocess | |
| import macholib | |
| import json | |
| import hashlib | |
| #This script is designed to detect the following MITRE ATT&CK Technique: |
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| {"@timestamp":"2019-02-25T12:34:28.707Z","@metadata":{"beat":"filebeat","type":"doc","version":"6.5.4","topic":"filebeat"},"prospector":{"type":"log"},"input":{"type":"log"},"beat":{"hostname":"pedros-Mac.local","version":"6.5.4","name":"pedros-Mac.local"},"host":{"name":"pedros-Mac.local","architecture":"x86_64","os":{"version":"10.14.2","family":"darwin","build":"18C54","platform":"darwin"}},"offset":0,"message":"{\"Hostname\": \"pedros-Mac.local\", \"users\": [\"daemon\", \"nobody\", \"pedro\", \"root\", \"\"], \"module\": \"Users\"}","source":"/tmp/pedros-Mac.local.json"} | |
| {"@timestamp":"2019-02-25T12:34:28.707Z","@metadata":{"beat":"filebeat","type":"doc","version":"6.5.4","topic":"filebeat"},"beat":{"name":"pedros-Mac.local","hostname":"pedros-Mac.local","version":"6.5.4"},"host":{"architecture":"x86_64","os":{"platform":"darwin","version":"10.14.2","family":"darwin","build":"18C54"},"name":"pedros-Mac.local"},"source":"/tmp/pedros-Mac.local.json","offset":104,"message":"{\"Hostname\": \"pedros-Mac.local |
richiercyrus
/ ESF.ipynb
Last active
July 14, 2023 19:08
Juypter Notebook demonstrating usefulness of Apple's Endpoint Security Framework.
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.