- Change Java to java-11-openjdk-amd64
- Added sleep 10 under logstash
- Added transport.host: localhost and transport.tcp.port: 9300 and xpack.security.enabled: true and setup.ilm.overwrite: true
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
r 0/tcp # Reserved
r 0/udp # Reserved
tcpmux 1/tcp # TCP Port Service Multiplexer. One of the original portmappers. SGI/IRIX is still using it, thus scans for it are probable attempts to locate IRIX targets. A "HELP" request to it returns the Irix host's service listings.
tcpmux 1/udp # TCP Port Service Multiplexer. One of the original portmappers. SGI/IRIX is still using it, thus scans for it are probable attempts to locate IRIX targets. A "HELP" request to it returns the Irix host's service listings.
compressnet 2/tcp # Management Utility
compressnet 2/udp # Management Utility
compressnet 3/tcp # Compression Process
compressnet 3/udp # Compression Process
rje 5/tcp # Remote Job Entry
rje 5/udp # Remote Job Entry
#!/bin/bash
read -p "[*]Please enter your username, this will help me fix permissions:" myname
clear
echo "[*]What would be your preferred directory name for the tools? The tools will be installed in /opt/nameyouchose"
clear
read -p "[*]Please enter the directory name you would like:" mydirectory
clear
## Ubuntu Install 18+
# Ask for the user password
# Script only works if sudo caches the password for a few minutes
sudo true
# Install kernel extras to enable docker aufs support
# sudo apt-get -y install linux-image-extra-$(uname -r)
# Add Docker PPA and install latest version
# sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 36A1D7869245C8950F966E92D8576A8BA88D21E9
# sudo sh -c "echo deb https://get.docker.io/ubuntu docker main > /etc/apt/sources.list.d/docker.list"
{"author":["Austin Songer"],"actions":[],"created_at":"2021-02-06T21:31:44.315Z","updated_at":"2021-02-06T21:32:23.413Z","created_by":"667492525","description":"Detects network (type 3) logins and login attempts with built-in/default accounts (guest, admin, etc)\"","enabled":true,"false_positives":[],"filters":[],"from":"now-660s","id":"4fb662af-518c-4358-a74a-4f183054c046","immutable":false,"index":["apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","winlogbeat-*"],"interval":"10m","rule_id":"c49ad3c1-0bdc-4cd1-8a6d-2035fe80b637","language":"kuery","license":"","output_index":".siem-signals-default","max_signals":100,"risk_score":47,"risk_score_mapping":[],"name":"Network Login via Built-In Account (via audit)","query":"(log_name:(\\\"Security\\\") AND event_id:(\\\"4624\\\" \\\"4625\\\")) AND ( (event_data.LogonType:(\\\"3\\\") AND event_data.TargetUserSid.keyword:(*\\\\-500 *\\\\-501 *\\\\-503 *\\\\-504)) ) AND NOT ( (computer_name:(\\\"WORKSTATION-NAME\\\") AND \\\"USER-NA
AuditLogRecordType

| Value | Member name | Description |
| --- | --- | --- |
| 1 | ExchangeAdmin | Events from the Exchange admin audit log. |
| 2 | ExchangeItem | Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email message. |
| 3 | ExchangeItemGroup | Events from an Exchange mailbox audit log for actions that can be performed on multiple items, such as moving or deleting one or more email messages. |
| 4 | SharePoint | SharePoint events. |
| 6 | SharePointFileOperation | SharePoint file operation events. |
| 7 | OneDrive | OneDrive for Business events. |
| 8 | AzureActiveDirectory | Azure Active Directory events. |
# install pre-requisites
sudo yum install -y amazon-linux-extras
sudo yum -y update
sudo yum -y groupinstall "Development Tools"
sudo yum -y install openssl-devel bzip2-devel libffi-devel
sudo amazon-linux-extras enable python3.8
# Installing openssl-devel alone seems to result in SSL errors in pip (see https://medium.com/@moreless/pip-complains-there-is-no-ssl-support-in-python-edbdce548852)
# Need to install OpenSSL also to avoid these errors
103.77.192.219
104.140.114.110
104.250.191.110
108.61.246.56
149.28.14.163
157.230.221.198
167.99.168.251
185.250.151.72
192.81.208.169
203.160.69.66
# Requirements
sudo apt install curl apt-transport-https unzip wget libcap2-bin software-properties-common lsb-release -y
sudo apt install gpgv gpgsm gnupg-l10n gnupg dirmngr -y
sudo add-apt-repository ppa:openjdk-r/ppa
sudo apt update -y
sudo curl -so /etc/profile.d/myenvvars.sh https://gist.githubusercontent.com/austinsonger/2385ff1ef5ccb014aaed4d8684dd6e54/raw/e1d9b85b3383d1a50a54eac68ab7ad7c3e0c2797/myenvvars.sh
export JAVA_HOME=/usr/
sudo apt install openjdk-11-jdk -y
# Wazuh Prep
#!/bin/bash
export JAVA_HOME=/usr/