Roberto Rodriguez Cyb3rWard0g
🍻
Cyb3rWard0g
/ elastalert_sysmon_powershell_suspicious_parameter_variation_needsfix2.yml
Created
December 8, 2018 09:25
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| alert: | |
| - slack | |
| slack_webhook_url: https://hooks.slack.com/services/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 | |
| description: Detects suspicious PowerShell invocation with a parameter substring | |
| filter: | |
| - query: | |
| query_string: | |
| query: (process_path:("*\\Powershell.exe") AND event_id:"1" AND process_command_line:(" | |
| \-windowstyle h " " \-windowstyl h" " \-windowsty h" " \-windowst h" " \-windows | |
| h" " \-windo h" " \-wind h" " \-win h" " \-wi h" " \-win h " " \-win hi " |
Cyb3rWard0g
/ sigma_sysmon_powershell_suspicious_parameter_variation_needsfix2.yml
Created
December 8, 2018 09:26
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| title: Suspicious PowerShell Parameter Substring | |
| status: experimental | |
| description: Detects suspicious PowerShell invocation with a parameter substring | |
| references: | |
| - http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier | |
| tags: | |
| - attack.execution | |
| - attack.t1086 | |
| author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | |
| logsource: |
Cyb3rWard0g
/ ksql_demo.yml
Last active
December 18, 2018 22:32
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # HELK KSQL Winlogbeat Config - Blog | |
| # Author: Roberto Rodriguez (@Cyb3rWard0g) | |
| # License: GPL-3.0 | |
| winlogbeat.event_logs: | |
| - name: Microsoft-windows-sysmon/operational | |
| ignore_older: 4h | |
| #----------------------------- Kafka output -------------------------------- | |
| output.kafka: | |
| # initial brokers for reading cluster metadata | |
| hosts: ["192.168.64.138:9092"] |
Cyb3rWard0g
/ sysmon-ksql-processcreate-event
Last active
December 18, 2018 23:35
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 12/18/18 10:42:32 PM UTC , NULL , | |
| { | |
| "@timestamp":"2018-12-18T22:42:32.841Z", | |
| "@metadata": | |
| { | |
| "beat":"winlogbeat", | |
| "type":"doc", | |
| "version":"6.5.3", | |
| "topic":"winlogbeat" | |
| }, |
Cyb3rWard0g
/ sysmon-ksql-networkconnection-event
Created
December 18, 2018 23:39
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 12/18/18 10:42:58 PM UTC , NULL , | |
| { | |
| "@timestamp":"2018-12-18T22:42:58.788Z", | |
| "@metadata": | |
| { | |
| "beat":"winlogbeat", | |
| "type":"doc", | |
| "version":"6.5.3", | |
| "topic":"winlogbeat" | |
| }, |
Cyb3rWard0g
/ sysmon-join.commands
Last active
March 31, 2020 01:44
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| CREATE STREAM WINLOGBEAT_STREAM (source_name VARCHAR, type VARCHAR, task VARCHAR, log_name VARCHAR, computer_name VARCHAR, event_data STRUCT< UtcTime VARCHAR, ProcessGuid VARCHAR, ProcessId INTEGER, Image VARCHAR, FileVersion VARCHAR, Description VARCHAR, Product VARCHAR, Company VARCHAR, CommandLine VARCHAR, CurrentDirectory VARCHAR, User VARCHAR, LogonGuid VARCHAR, LogonId VARCHAR, TerminalSessionId INTEGER, IntegrityLevel VARCHAR, Hashes VARCHAR, ParentProcessGuid VARCHAR, ParentProcessId INTEGER, ParentImage VARCHAR, ParentCommandLine VARCHAR, Protocol VARCHAR, Initiated VARCHAR, SourceIsIpv6 VARCHAR, SourceIp VARCHAR, SourceHostname VARCHAR, SourcePort INTEGER, SourcePortName VARCHAR, DestinationIsIpv6 VARCHAR, DestinationIp VARCHAR, DestinationHostname VARCHAR, DestinationPort INTEGER, DestinationPortName VARCHAR>, event_id INTEGER) WITH (KAFKA_TOPIC='winlogbeat', VALUE_FORMAT='JSON'); | |
| CREATE STREAM WINLOGBEAT_STREAM_REKEY WITH (VALUE_FORMAT='JSON', PARTITIONS=1, TIMESTAMP='event_date_creation') AS SEL |
Cyb3rWard0g
/ sysmon_event_manifest_v9.0.xml
Last active
April 19, 2019 03:11
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <manifest schemaversion="4.2" binaryversion="8.00"> | |
| <configuration> | |
| <options> | |
| <!-- Command-line only options --> | |
| <option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="u" name="UnInstall" argument="none" noconfig="true" exclusive="true" /> | |
| <option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" /> | |
| <option switch="t" name="DebugMode" argument="none" noconfig="true" /> | |
| <option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" /> |
Cyb3rWard0g
/ securityevent-4688-schema.xml
Created
September 17, 2019 04:26
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> | |
| <System> | |
| <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" /> | |
| <EventID>4688</EventID> | |
| <Version>2</Version> | |
| <Level>0</Level> | |
| <Task>13312</Task> | |
| <Opcode>0</Opcode> | |
| <Keywords>0x8020000000000000</Keywords> | |
| <TimeCreated SystemTime="2019-09-17T03:03:59.074909100Z" /> |
Cyb3rWard0g
/ ruben-silkserviceconfig-template.xml
Created
September 19, 2019 13:31
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <SilkServiceConfig> | |
| <!-- | |
| This is a user collector | |
| -> Microsoft-Windows-DotNETRuntime | |
| -> GUID or string based name | |
| --> | |
| <ETWCollector> | |
| <Guid>45c82358-c52d-4892-8237-ba001d396fb4</Guid> | |
| <CollectorType>user</CollectorType> | |
| <ProviderName>e13c0d23-ccbc-4e12-931b-d9cc2eee27e4</ProviderName> |
Cyb3rWard0g
/ dotnetruntime-silkservice-config.xml
Created
September 19, 2019 13:38
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <SilkServiceConfig> | |
| <!-- | |
| Microsoft-Windows-DotNETRuntime ETW Provider | |
| --> | |
| <ETWCollector> | |
| <Guid>072e0373-213b-4e3d-881a-6430d6d9e369</Guid> | |
| <CollectorType>user</CollectorType> | |
| <ProviderName>e13c0d23-ccbc-4e12-931b-d9cc2eee27e4</ProviderName> | |
| <UserKeywords>0x2038</UserKeywords> | |
| <OutputType>eventlog</OutputType> |