@2xyo
2xyo / ping.json
Created November 24, 2017 21:06
Unfetter analytics - ping
{
"_index": "sysmon-2017.11.24",
"_type": "sysmon_process",
"_id": "AV_v1-kZAnLqT_pijW1u",
"_score": 1,
"_source": {
"Task": 1,
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"LogonGuid": "{6B166207-852C-5A18-0000-00200D6D0100}",
"EventType": "INFO",
@2xyo
2xyo / addNetworkService.ps1
Created December 7, 2016 10:00
Add NetworkService account to "Lecteurs des journaux d’événements" group
# Bind to the local machine's WinNT provider and enumerate its groups
$Connexion = [ADSI]"WinNT://localhost"
# Find the local group whose name contains "journaux" (French "Event Log Readers")
$strGroupName = $Connexion.psbase.children | where { $_.psbase.schemaClassName -eq 'group' -and $_.name -like '*journaux*' } | % { $_.path }
# Built-in NetworkService account to add
$NewMember = "WinNT://NetworkService"
# Bind to the group by path and add the member
$Connexion = [ADSI]"$strGroupName,group"
$Connexion.Add($NewMember)
@2xyo
2xyo / config.xml
Created November 19, 2016 16:42
Sysmon config
<!--
Microsoft Sysmon configuration to be used on Windows workstations
v0.1
@2xyo
Credits:
- https://gist.github.com/Neo23x0/f56bea38d95040b70cf5
- https://github.com/MotiBa/Sysmon/blob/master/config_v3.xml
- https://github.com/tomchop/volatility-autoruns/blob/master/autoruns.py
@2xyo
2xyo / sysmonman.xml
Created November 19, 2016 13:07
Sysmon v5.0 fields
<?xml version="1.0" encoding="UTF-16"?>
<instrumentationManifest xsi:schemaLocation="http://schemas.microsoft.com/win/2004/08/events eventman.xsd" xmlns="http://schemas.microsoft.com/win/2004/08/events" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:trace="http://schemas.microsoft.com/win/2004/08/events/trace">
<instrumentation>
<events>
<provider name="Microsoft-Windows-Sysmon" guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" symbol="SYSMON_PROVIDER" resourceFileName="%filename%" messageFileName="%filename%">
<events>
<event symbol="SYSMON_ERROR_EVENT" value="255" version="3" channel="Microsoft-Windows-Sysmon/Operational" level="win:Error" task="SysmonTask-SYSMON_ERROR" opcode="win:Info" template="Error report" message="$(string.event.str_SYSMON_ERROR)" />
<event symbol="SYSMON_CREATE_PROCESS_EVENT" value="1" version="5" channel="Microsoft-Windows-Sysmon/Operational"
@2xyo
2xyo / build.txt
Created October 12, 2016 15:45
Metron 609ea40c2e8ab3b35b645f4238d2f66afc120fb5
yoyo@yoyo-vm:~/incubator-metron$ git rev-parse HEAD
609ea40c2e8ab3b35b645f4238d2f66afc120fb5
yoyo@yoyo-vm:~/incubator-metron$ mvn clean package -DskipTests
...
[INFO] --- maven-assembly-plugin:2.4.1:single (build-tarball) @ metron_mpack ---
[INFO] Reading assembly descriptor: src/main/assemblies/metron-mpack.xml
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary:
[INFO]
[INFO] Metron ............................................. SUCCESS [ 0.118 s]
@2xyo
2xyo / audit.log
Last active September 25, 2016 17:05
audit.log RAW and ENRICHED
RAW
192.168.1.64 Sep 25 19:59:31 node1 user info audispd node=node1 type=SYSCALL msg=audit(1474826371.771:57): arch=c000003e syscall=2 success=yes exit=3 a0=1bb3030 a1=c2 a2=180 a3=d4253a9ebf1c5554 items=2 ppid=2052 pid=2069 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="mktemp" exe="/usr/bin/mktemp" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="tmpfiles"
192.168.1.64 Sep 25 19:59:31 node1 user info audispd node=node1 type=CWD msg=audit(1474826371.771:57): cwd="/root"
192.168.1.64 Sep 25 19:59:31 node1 user info audispd node=node1 type=PATH msg=audit(1474826371.771:57): item=0 name="/tmp/" inode=133 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT
192.168.1.64 Sep 25 19:59:31 node1 user info audispd node=node1 type=PATH msg=audit(1474826371.771:57): item=1 name="/tmp/tmp.Ktbeo4w5Kc" inode=901770 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r
@2xyo
2xyo / readme.md
Last active August 22, 2016 16:03
Metron metadata

Metadata extracted from raw (PCAP) traffic:

| Field Name | Description | Type | Example |
|---|---|---|---|
| frame.len | Frame length on the wire | Unsigned integer, 4 bytes | 123 |
| ip.src | Source Address | IPv4 address | 192.0.2.1 |
| ip.dst | Destination Address | IPv4 address | 192.0.2.1 |
| ip.proto | Protocol | Unsigned integer, 1 byte | 6 |
| ip.srcport | Source or Destination Port | Unsigned integer, 2 bytes | 12345 |
@2xyo
2xyo / Readme-metron-full-dev-platform.md
Last active May 9, 2017 06:38
Metron full dev platform without Vagrant (Windows - 02/12/2016) -- in progress

Metron full dev platform 0.3 (Windows - 02/12/2016)

Two VMs inside VirtualBox/VMware/QEMU/whatever.

- Client:
  - OS: Ubuntu (from ubuntu-16.04.1-desktop-amd64.iso)
  - Disk: 40 GB
  - RAM: 4 GB
  - vCPU: 2
@2xyo
2xyo / full page.html
Last active July 19, 2016 14:19
OpenCV EK
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-US">
<head>
<link rel="shortcut icon" href="http://opencv.org/wp-content/themes/opencv/favicon.ico" />
<meta charset="UTF-8" />
<title>OpenCV | OpenCV</title>
<link rel="stylesheet" href="http://opencv.org/wp-content/themes/opencv/style.css" type="text/css" media="screen" />
<!--[if lt IE 7]>
<script type="text/javascript" src="http://opencv.org/wp-content/themes/opencv/js/unitpngfix.js"></script>
<![endif]-->
@2xyo
2xyo / misp-taxonomies-ETSI-GS-ISI.json
Last active July 10, 2016 09:20
misp-taxonomies - Information-security-indicators
{
"namespace": "Information-security-indicators",
"description": "A full set of operational indicators for organizations to use to benchmark their security posture",
"version": "1.1.2",
"predicates": [
{
"value": "IEX",
"expanded": "Intrusions and external attacks",
"description": "Indicators of this category give information on the occurrence of incidents caused by external malicious threat sources."
},