faststeak
faststeak
/ gist:c8a0483ca0a25c6c92bab43579596c16
Created
March 26, 2021 14:36
Splunk search looking for writable shares with Tenable Nessus data
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| index=<your tenable index here> sourcetype=tenable:sc:vuln (pluginID=10396 OR pluginID=10395 OR pluginID=23973 OR pluginID=24271 OR pluginID=42411 OR pluginID=60119) TERM(<your testuser here>) | |
| | table ip dnsName pluginID pluginName pluginText | |
| | rex field=pluginText max_match=0 (?<allInfo>((?<=\n-\s)((?<=\n-\s)(.+\n)*)*)) | |
| | mvexpand allInfo | |
| | rex field=allInfo (?<shareContents>((?<=:\n)(.+\n)*(.)*)) | |
| | rex field=allInfo (?<sharePermissions>(((?<=\s{2}-\s\()(.)*)(?=\)))) | |
| | rex field=allInfo (?<shareName>((.)*(?=\s{2}-))) | |
| | search sharePermissions=*writable* | |
| | table dnsName shareName |
faststeak
/ gist:0ef52e39c80ef15c92731fb0a7fcb234
Created
December 13, 2021 17:00
Splunk search for log4j stuff
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| index=<your target indexes> | |
| | regex "(?i)\${(\${(.*?:|.*?:.*?:-)(\'|\"|\`)*(?1)}*|[jndi:(ldap|ldaps|rmi|dns|nis|iiop|corba|nds|http)](\'|\"|\`)*}*){9,10}" | |
| | rex field=_raw max_match=0 "(?<ip_addr>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | |
| | rex field=_raw "Base64\/(?<base64>[A-Za-z0-9+]{15,}[=]{0,2})" | |
| | decrypt field=base64 b64 emit('payload') | |
| | table _time index sourcetype host ip_addr base64 payload _raw | |
| | mvexpand ip_addr |
faststeak
/ PowershellTranscript.json
Created
January 27, 2023 22:27
Cribl Custom Eventbreaker for Powershell Transcripts
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "id": "PowershellTranscripts", | |
| "lib": "custom", | |
| "rules": [ | |
| { | |
| "condition": "sourcetype=='powershell:transcripts'", | |
| "type": "regex", | |
| "timestampAnchorRegex": "/Start time:\\s/", | |
| "timestamp": { | |
| "type": "format", |
OlderNewer