I hereby claim:
- I am lennartkoopmann on github.
- I am lennartkoopmann (https://keybase.io/lennartkoopmann) on keybase.
- I have a public key whose fingerprint is 8B0F E307 8647 AD50 1081 EC37 AEEA 55EE 8A48 D868
To claim this, I am signing this object:
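rule "command_and_control_sunburst_dst_ip"
// Written by Recon InfoSec SOC Team
//
// Detection for outbound traffic to the SUNBURST (SolarWinds supply-chain
// backdoor) destination-IP indicators published in:
// https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_NBIs.csv
// https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
// https://github.com/sophos-cybersecurity/solarwinds-threathunt/blob/master/iocs.csv
//
// NOTE(review): this excerpt holds only the opening of the `when` clause. The
// condition that actually compares dst_ip against the indicator list, and the
// `then ... end` block that tags the message, are not shown. On its own the
// fragment below is just an "external destination" pre-filter and would not
// identify SUNBURST traffic - complete it against the referenced IOC files
// before loading it into a pipeline.
//
// NOTE(review): the referenced indicator lists are point-in-time snapshots
// from December 2020. Refresh them from the upstream sources before relying
// on the rule; stale C2 indicators produce silence, not alerts.
when
  // Check for the field first so the string comparison below is only reached
  // on messages that carry the enrichment field at all.
  has_field("dst_ip_is_internal")
  AND
  // Pre-filter to destinations outside the local network. The value is
  // compared as a string (case-sensitive), so the field must stringify to
  // exactly "false" - a boolean false does, anything else does not.
  to_string($message.dst_ip_is_internal) == "false"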
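rule "command_and_control_sunburst_dst_hostname"
// Written by Recon InfoSec SOC Team
//
// Detection for outbound traffic to the SUNBURST (SolarWinds supply-chain
// backdoor) hostname indicators published in:
// https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_NBIs.csv
// https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
// https://github.com/sophos-cybersecurity/solarwinds-threathunt/blob/master/iocs.csv
//
// NOTE(review): the rule is named for destination hostnames, but the only
// condition visible in this excerpt is the same dst_ip_is_internal pre-filter
// used by the dst_ip rule. The hostname match against the indicator list and
// the `then ... end` block are not shown; as written here the rule is not
// complete and must not be deployed as-is.
//
// NOTE(review): because the visible guard requires dst_ip_is_internal, any
// log source that records a destination hostname without that IP enrichment
// (DNS query logs, for example) can never satisfy this rule - presumably
// intentional, but worth confirming against the sources you feed it.
when
  // Check for the field first so the string comparison below is only reached
  // on messages that carry the enrichment field at all.
  has_field("dst_ip_is_internal")
  AND
  // Pre-filter to destinations outside the local network. The value is
  // compared as a string (case-sensitive), so the field must stringify to
  // exactly "false" - a boolean false does, anything else does not.
  to_string($message.dst_ip_is_internal) == "false"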
pi@parabola:~ $ ifconfig
eth0      Link encap:Ethernet  HWaddr b8:27:eb:0f:0e:d4
          inet addr:172.16.0.136  Bcast:172.16.0.255  Mask:255.255.255.0
          inet6 addr: fe80::8966:2353:4688:c9a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:349 errors:0 dropped:8 overruns:0 frame:0
          TX packets:378 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:75761 (73.9 KiB)  TX bytes:69865 (68.2 KiB)
pi@parabola:~ $ ifconfig
eth0      Link encap:Ethernet  HWaddr b8:27:eb:0f:0e:d4
          inet addr:172.16.0.136  Bcast:172.16.0.255  Mask:255.255.255.0
          inet6 addr: fe80::8966:2353:4688:c9a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1327 errors:0 dropped:22 overruns:0 frame:0
          TX packets:1118 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:290630 (283.8 KiB)  TX bytes:233228 (227.7 KiB)
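interfaces: {
  # Listener for the REST API / web interface. 0.0.0.0 binds every address on
  # the host, so if this machine has an interface facing an untrusted network
  # the API is reachable from there too. Narrow this to the management
  # address, or make sure a host firewall restricts who can reach port 22900.
  rest_listen_uri: "https://0.0.0.0:22900/"
  # URL that clients use to reach the API. The hostname here must be one the
  # certificate below is issued for, or clients will see a name mismatch.
  http_external_uri: "https://nzyme.example.org:22900/"
  # Keep TLS on: the listener above is reachable network-wide and this is the
  # only thing protecting what passes between clients and the API.
  use_tls: true
  # PEM certificate (include the chain) and matching private key. The key file
  # should be readable only by the account nzyme runs as.
  tls_certificate_path: /path/to/cert.pem
  tls_key_path: /path/to/key.pem
}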
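[req]
distinguished_name = req_distinguished_name
# Extension section applied to the generated certificate. The [v3_req] section
# itself is not part of this excerpt; if it is missing from the real file,
# `openssl req` fails when loading extensions. It is also where subjectAltName
# belongs - current TLS clients match the hostname against SAN, not CN, so a
# certificate without one will be rejected by browsers and most agents.
x509_extensions = v3_req
# Non-interactive: every DN value is taken from the section below.
prompt = no
# Subject of the certificate. For a self-signed certificate the subject is the
# issuer as well; for a CSR the signing CA supplies the issuer. The excerpt
# stops after L, so O/OU/CN are presumably defined further down - check that
# CN matches the host the certificate is served from.
[req_distinguished_name]
C = US
ST = Some-State
L = Some-City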
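{
  type: email
  # Off by default; enable only after the SMTP settings below hold real values.
  enabled: false
  # One of: SMTP, SMTPS or SMTP_TLS
  #   SMTP     - plaintext; credentials and alert contents cross the network unprotected.
  #   SMTPS    - TLS from the first byte (implicit TLS, conventionally port 465).
  #   SMTP_TLS - plaintext connect, then STARTTLS upgrade (conventionally port 587,
  #              matching the port below). Confirm in the nzyme docs that the
  #              upgrade is mandatory rather than opportunistic before trusting it.
  transport_strategy: SMTP_TLS
  host: smtp.example.org
  port: 587
  # NOTE(review): the password for this account presumably follows in the same
  # object (cut off in this excerpt), so the config file holds a live mail
  # credential - restrict its permissions to the nzyme service account.
  username: "your_username"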
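alerting {
  # Notifications and callbacks for triggered alerts. Each entry in
  # `callbacks` is one delivery channel; the object below is cut off in this
  # excerpt (host, port and credentials follow it in the full file).
  callbacks: [
    {
      type: email
      # Off by default; enable only after the SMTP settings hold real values.
      enabled: false
      # One of: SMTP, SMTPS or SMTP_TLS
      #   SMTP     - plaintext; credentials and alert contents cross the network unprotected.
      #   SMTPS    - TLS from the first byte (implicit TLS).
      #   SMTP_TLS - plaintext connect, then STARTTLS upgrade. Confirm in the
      #              nzyme docs that the upgrade is mandatory, not opportunistic.
      transport_strategy: SMTP_TLS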
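# Ship collected events to Logstash over the Beats protocol.
# NOTE(review): no `ssl` settings appear in this excerpt. Unless they are set
# elsewhere in the file, the connection to port 5044 is unencrypted and
# Logstash cannot distinguish this host from any other sender. Add
# `ssl.certificate_authorities` plus `ssl.certificate`/`ssl.key` (mutual TLS)
# before forwarding Security-log data across anything but a trusted segment.
output.logstash:
  hosts: ["192.168.191.10:5044", "192.168.191.20:5044"]
  # false: events are not spread over both hosts; the second entry serves as a
  # fallback rather than extra throughput.
  loadbalance: false

winlogbeat:
  event_logs:
    - name: Application
    - name: System
    # Logon/logoff, privilege use, policy changes - the channel most detection
    # content keys on. Reading it needs elevated rights for the winlogbeat
    # service account (Event Log Readers membership or equivalent) - verify on
    # the host, otherwise this entry silently yields nothing.
    - name: Security
    # Only exists where Sysmon is installed; on hosts without it, expect
    # winlogbeat to report the channel as unavailable.
    - name: Microsoft-Windows-Sysmon/Operational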