"bash_reverse_shell": {
"query": "SELECT * FROM processes WHERE cmdline LIKE '/bin/bash -i >& /dev/tcp/%';",
"interval": 30,
"description": "Looks for processes that resemble a bash reverse shell"
}
Chris Long clong
clong
/ Native-Windows-Useragentss.txt
Created
September 23, 2017 06:41
Native Windows UserAgents for Threat Hunting
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Invoke-WebRequest: | |
| Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.1066 | |
| System.Net.WebClient.DownloadFile(): | |
| None | |
| Start-BitsTransfer: | |
| Microsoft BITS/7.8 | |
| certutil.exe: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SELECT * FROM python_packages WHERE name = 'acqusition' OR name = 'apidev-coop' OR name = 'bzip' OR name = 'crypt' OR name = 'django-server' OR name = 'pwd' OR name = 'setup-tools' OR name = 'telnet' OR name = 'urlib3' OR name = 'urllib'; |
clong
/ scenario.md
Last active
March 11, 2019 21:07
clong
/ hardware_events.md
Created
March 15, 2017 07:15
{
"action": "added",
"columns": {
"vendor_id": "1050",
"vendor": "Yubico",
"type": "IOUSBDevice",
"action": "attach",
"driver": "IOUSBDeviceUserClientV2",
"model": "Yubikey NEO OTP+U2F+CCID",{
"name": "file_events",
"hostIdentifier": "computer.local",
"calendarTime": "Mon Mar 13 07:03:13 2017 UTC",
"unixTime": "1489388593",
"columns": {
"action": "CREATED",
"atime": "1489388581",
"category": "tmp",
clong
/ install-go-audit-osquery.sh
Last active
March 17, 2017 12:13
go-audit and osquery bootstrap script
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /bin/bash | |
| sudo su | |
| apt-get update && apt-get upgrade -y && apt-get install -y build-essential golang git jq auditd | |
| cd /root | |
| # Update Golang from 1.2 to 1.7 or compilation of go-audit will fail | |
| wget https://storage.googleapis.com/golang/go1.7.linux-amd64.tar.gz | |
| tar -xvf go1.7.linux-amd64.tar.gz | |
| mv go /usr/local |
clong
/ osquery.conf
Created
September 1, 2015 18:30
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "options": { | |
| "config_plugin": "filesystem", | |
| "logger_plugin": "filesystem", | |
| "host_identifier": "hostname", | |
| "event_pubsub_expiry": "86000", | |
| "debug": "false", | |
| "verbose_debug": "false", | |
| "worker_threads": "4", | |
| "schedule_splay_percent": 10 |
NewerOlder