Visualization (tcpdump, tshark)
tcpdump -qns 0 -X -r file.pcap
tcpdump -qns 0 -A -r file.pcap
tcpdump -X -r file.pcap
tshark -r file.pcap -V
Packet manipulation (tcprewrite)
Port: tcprewrite --portmap=OLDPORT:NEWPORT -i in.pcap -o out.pcap

TLP:RED #FF2B2B
TLP:AMBER #ffc000
TLP:GREEN #33ff00
TLP:WHITE #ffffff

#!/bin/bash
# This is based on the work done at https://gist.github.com/isalgueiro/212a612fc232f1437ce88876937691d3/revisions#diff-c6d6f47361666bfba5538e6e0101bafd
####################
# Define variables #
####################
# Expected for securityGroupIds is sg-...
securityGroupIds="Insert_Your_SGID"
# Expected for ruleDescription is something like Home, or OfficeNY

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::your_website.com",
        "arn:aws:s3:::your_website.com/*"
      ]

#!/bin/bash
# Start a detached tmux session named d4 and open one window per feed
tmux new-session -d -s d4
tmux send-keys -t d4 'tmux new-window -n d4-auth ' ENTER
tmux send-keys -t d4 'tmux new-window -n d4-eve ' ENTER
tmux send-keys -t d4 'tmux new-window -n suricata ' ENTER
# D4 - auth.log: stream failed-user sshd events to the d4-goclient sensor
tmux send-keys -t d4 'tmux send-keys -t d4-auth "tail -F /var/log/auth.log | grep --line-buffered sshd | egrep --line-buffered '"'Invalid user'"' | /home/user/d4-goclient/d4-goclient_linux_amd64 -c /home/administrator/d4-goclient/confs/ssh/" ENTER' ENTER

literals:
  - ((aws.cloudtrail.error_message.keyword:* OR aws.cloudtrail.error_code.keyword:*) OR (event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:*Failure*))
  - ((aws.cloudtrail.error_code.keyword:* OR aws.cloudtrail.error_message.keyword:*) OR (event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:*Failure*))
  - ((aws.cloudtrail.error_message.keyword:* OR aws.cloudtrail.error_code.keyword:*) OR (aws.cloudtrail.response_elements.keyword:*Failure* AND event.action:"ConsoleLogin"))
  - ((aws.cloudtrail.error_code.keyword:* OR aws.cloudtrail.error_message.keyword:*) OR (aws.cloudtrail.response_elements.keyword:*Failure* AND event.action:"ConsoleLogin"))
  - ((event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:*Failure*) OR (aws.cloudtrail.error_message.keyword:* OR aws.cloudtrail.error_code.keyword:*))
  - ((event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:*Failure*) OR (aws.cloudtrail.error_code.keyword:* OR aws.clo

regexes:
  - (\(\(aws.cloudtrail.error_message.keyword:.* event.action:\"ConsoleLogin\"\)\))
  - (\(\(aws.cloudtrail.error_code.keyword:.* event.action:\"ConsoleLogin\"\)\))
  - (\(\(aws.cloudtrail.error_message.keyword:.* aws.cloudtrail.response_elements.keyword:\*Failure\*\)\))
  - (\(\(aws.cloudtrail.error_code.keyword:.* aws.cloudtrail.response_elements.keyword:\*Failure\*\)\))
  - (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_message.keyword:\*\)\))
  - (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_code.keyword:\*\)\))
  - (\(\(aws.cloudtrail.response_elements.keyword:\*Failure\*.* aws.cloudtrail.error_message.keyword:\*\)\))
  - (\(\(aws.cloudtrail.response_elements.keyword:\*Failure\*.* aws.cloudtrail.error_code.keyword:\*\)\))

overrides:
  - field: event.outcome
    value: failure
    regexes:
      - (\(\(aws.cloudtrail.error_message.keyword:.* event.action:\"ConsoleLogin\"\)\))
      - (\(\(aws.cloudtrail.error_code.keyword:.* event.action:\"ConsoleLogin\"\)\))
      - (\(\(aws.cloudtrail.error_message.keyword:.* aws.cloudtrail.response_elements.keyword:\*Failure\*\)\))
      - (\(\(aws.cloudtrail.error_code.keyword:.* aws.cloudtrail.response_elements.keyword:\*Failure\*\)\))
      - (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_message.keyword:\*\)\))
      - (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_code.keyword:\*\)\))

title: AWS EC2 VM Export failure
id: 54b9a76a-3c71-4673-b4b3-2edb4566ea7b
status: experimental
description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
references:
  - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance
author: Diogo Braz
date: 2020/04/16
tags:
  - attack.collection

python3 sigmac -c config/ecs-cloudtrail.yml -t es-qs ../rules/cloud/aws_ec2_vm_export_failure.yml
((event.action:"CreateInstanceExportTask" AND event.provider:"ec2.amazonaws.com") AND event.outcome:failure)