trevorbryant
/ Windows Event Collection - Service Control: Start
Created
November 14, 2018 15:52
Splunk dashboard for Windows Event Collection - Service Control: Start
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <form> | |
| <label>Windows Event Collection - Service Control: Start</label> | |
| <description>Filtered search to discover started services</description> | |
| <fieldset submitButton="false" autoRun="true"> | |
| <input type="text" token="computername" searchWhenChanged="true"> | |
| <label>Computer Name (FQDN)</label> | |
| <default>*</default> | |
| <initialValue>*</initialValue> | |
| </input> | |
| <input type="text" token="servicename" searchWhenChanged="true"> |
trevorbryant
/ Windows Event Collection - Service Control
Created
November 14, 2018 15:52
Splunk dashboard for Windows Event Collection - Service Control Installed
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <form> | |
| <label>Windows Event Collection - Service Control Installed</label> | |
| <description>Filtered search to discover installed services</description> | |
| <fieldset submitButton="false" autoRun="true"> | |
| <input type="text" token="computername" searchWhenChanged="true"> | |
| <label>Computer Name (FQDN)</label> | |
| <default>*</default> | |
| <initialValue>*</initialValue> | |
| </input> | |
| <input type="text" token="servicename" searchWhenChanged="true"> |
trevorbryant
/ Windows Event Collection - Sensitive Local Groups
Created
November 14, 2018 15:51
Splunk dashboard for Windows Event Collection - Sensitive Local Groups
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <form> | |
| <label>Windows Event Collection - Sensitive Local Groups</label> | |
| <description>Filtered search for modification of sensitive local groups.</description> | |
| <fieldset submitButton="false" autoRun="true"> | |
| <input type="time" token="time" searchWhenChanged="true"> | |
| <label>Time Range</label> | |
| <default> | |
| <earliest>-24h@h</earliest> | |
| <latest>now</latest> | |
| </default> |
trevorbryant
/ Windows Event Collection - Process Creation
Created
November 14, 2018 15:50
Splunk dashboard for Windows Event Collection - Process Creation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <form> | |
| <label>Windows Event Collection - Process Creation</label> | |
| <description>Filtered search to discover new processes</description> | |
| <fieldset submitButton="false" autoRun="true"> | |
| <input type="text" token="computername" searchWhenChanged="true"> | |
| <label>Computer Name (FQDN)</label> | |
| <default>*</default> | |
| <initialValue>*</initialValue> | |
| </input> | |
| <input type="text" token="processname" searchWhenChanged="true"> |
trevorbryant
/ Windows Event Collection - Primary User Logons
Created
November 14, 2018 15:50
Splunk dashboard for Windows Event Collection - Primary User Logons
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <form> | |
| <label>Windows Event Collection - Primary User Logons</label> | |
| <description>Filtered search for identifying non-administrative log on to servers.</description> | |
| <fieldset submitButton="false" autoRun="true"> | |
| <input type="text" token="computername" searchWhenChanged="true"> | |
| <label>Computer Name (FQDN)</label> | |
| <default>*</default> | |
| <initialValue>*</initialValue> | |
| </input> | |
| <input type="text" token="workstationname" searchWhenChanged="true"> |
trevorbryant
/ Windows Event Collection - Pass The Hash
Created
November 14, 2018 15:48
Splunk dashboard for Windows Event Collection - Pass The Hash
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <form> | |
| <label>Windows Event Collection - Pass The Hash</label> | |
| <description>Filtered search for Pass The hash</description> | |
| <fieldset submitButton="false" autoRun="true"> | |
| <input type="text" token="computername" searchWhenChanged="true"> | |
| <label>Computer Name (FQDN)</label> | |
| <default>*</default> | |
| <initialValue>*</initialValue> | |
| </input> | |
| <input type="text" token="workstationname" searchWhenChanged="true"> |
trevorbryant
/ Windows Event Collection - Offensive PowerShell
Created
November 14, 2018 15:46
Splunk dashboard for Windows Event Collection - Offensive PowerShell
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <form> | |
| <label>Windows Event Collection - Offensive PowerShell</label> | |
| <description>Detect Offensive PowerShell Attacks. Not every result is offensive; requires verification</description> | |
| <fieldset submitButton="false" autoRun="true"> | |
| <input type="time" token="time" searchWhenChanged="true"> | |
| <label>Time Range</label> | |
| <default> | |
| <earliest>-24h@h</earliest> | |
| <latest>now</latest> | |
| </default> |
trevorbryant
/ Windows Event Collection - Logon Activities
Created
November 14, 2018 15:41
Splunk dashboard for Windows Event Collection - Logon Activities
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <form> | |
| <label>Windows Event Collection - Logon Activities</label> | |
| <fieldset submitButton="false" autoRun="true"> | |
| <input type="text" token="username" searchWhenChanged="true"> | |
| <label>Username</label> | |
| <default>*</default> | |
| <initialValue>*</initialValue> | |
| </input> | |
| <input type="text" token="sid" searchWhenChanged="true"> | |
| <label>Security ID</label> |
trevorbryant
/ Get-StaleADUserAccounts.ps1
Created
November 14, 2018 15:15
Dirty PowerShell audit script to query against accounts management non-compliance to FISMA (loosely)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Super duper dumb PS script to query ActiveDirectory for misconfigured User accounts. | |
| # Created by Trevor Bryant (@apporima) | |
| # Get-StaleADUserAccounts.ps1 version 1.0.0 | |
| # Set variables | |
| $timestamp = (Get-Date -f HHmmss_MMddyyyy) | |
| $ADDomainInfo = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() | |
| $ADDomainInfoMode = $ADDomainInfo.DomainMode | |
| $ADDomainInfoName = $ADDomainInfo.Name | |
| $Export = "C:\temp\AD_Audit\Stale_AD_User_Account_Audit_$ADDomainInfoName`_$timestamp.csv" |
trevorbryant
/ Get-ADGroupEnum.ps1
Created
November 7, 2018 19:04
Enumerate member objects of target Active Directory group
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $Users = @() | |
| $Export = @() | |
| $RecursiveUsers = @() | |
| $AdminGroups = $args | |
| ForEach ($Group in $args) { | |
| Get-ADGroupMember "$Group" -ErrorAction SilentlyContinue | ForEach-Object { | |
| $Export = New-Object -TypeName PSObject |
NewerOlder