Jonathan Johnson jsecurity101
jsecurity101
/ DUMPING_LSASS_SPLUNK_SYSMON.ipynb
Last active
December 5, 2021 23:51
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
jsecurity101
/ Sysmon_Winlogbeat_Install.ps1
Last active
July 28, 2020 02:58
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Author: Jonathan Johnson | |
| [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 | |
| $WinlogbeatUrl = "https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-7.5.2-windows-x86_64.zip" | |
| $WinlogbeatOutputFile = "winlogbeat.zip" | |
| $WinlogbeatConfig = "https://gist.github.com/jsecurity101/ec4c829e6d32a984d7ccf4c1e9247590/archive/8d85c6c443704e821a7f53e536be61667c67febd.zip" | |
| $WinlogZip = "winlogconfig.zip" |
jsecurity101
/ winlogbeat.yml
Last active
September 14, 2023 14:13
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ###################### Winlogbeat Configuration Example ######################## | |
| # This file is an example configuration file highlighting only the most common | |
| # options. The winlogbeat.reference.yml file from the same directory contains | |
| # all the supported options with more comments. You can use it as a reference. | |
| # | |
| # You can find the full configuration reference here: | |
| # https://www.elastic.co/guide/en/beats/winlogbeat/index.html | |
| # ======================== Winlogbeat specific options ========================= |
jsecurity101
/ sysmon.xml
Last active
May 8, 2020 01:49
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Sysmon schemaversion="4.30"> | |
| <!-- Capture all hashes --> | |
| <HashAlgorithms>*</HashAlgorithms> | |
| <EventFiltering> | |
| <!-- Event ID 1 == Process Creation. Log all newly created processes except --> | |
| <ProcessCreate onmatch="exclude"> | |
| <Image condition="contains">splunk</Image> | |
| <Image condition="contains">btool.exe</Image> | |
| <Image condition="contains">SnareCore</Image> | |
| <Image condition="contains">nxlog</Image> |
jsecurity101
/ Notebook_Interval.ipynb
Created
November 6, 2019 06:00
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
jsecurity101
/ SQL Query for Process Reimaging
Created
September 13, 2019 14:19
Query ran to detect Process Reimaging behavior
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SELECT | |
| a.computer_name, | |
| a.OriginalFileName, | |
| a.LogonId, | |
| b.ProcessId, | |
| c.TargetFilename | |
| FROM processreimaging a | |
| JOIN processreimaging b | |
| ON a.ProcessGuid = b.ProcessGuid | |
| AND b.channel = "Microsoft-Windows-Sysmon/Operational" |
NewerOlder