This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
⦿ Last time reflected on: Oct 4, 2024, 12:12 p.m - Doha Time
⦿ Gist posted: Oct 5, 2:15 p.m - Doha Time
Yahya Abulhaj,
The Sly Man,
Who Found A lucky Path
Welcome to A Story of man that,
Started somewhere in early 2020,
At eighteen, Yahya made the critical decision that he needed to pass high school. He struck a deal
2 Oct, 2024, 09:55 p.m
Yahya Abulhaj,
A sly man,
Who Found A Lucky Path
At eighteen, Yahya made the critical decision that he needed to pass high school. He struck a deal
with his neighbor, Yassine, who was studying the same major but in a different school, to get serious
about their studies. Both had missed opportunities in previous years, and now they needed to make
up for lost time by intensifying their efforts. This partnership, based on mutual support, proved
---
-
  timestamp: 1681601913497
  message: "433875ea4139: Pull complete\n"
-
  timestamp: 1681601913497
  message: "Digest: sha256:1b501f9aa621df27078adcd19ba769c09cb1c4f2e797bfaba0c66553db16923b\n"
-
  timestamp: 1681601913497
  message: "Status: Downloaded newer image for python:3.10-slim-buster\n"
[
  {
    "timestamp": 1681601913497,
    "message": "433875ea4139: Pull complete\n"
  },
  {
    "timestamp": 1681601913497,
    "message": "Digest: sha256:1b501f9aa621df27078adcd19ba769c09cb1c4f2e797bfaba0c66553db16923b\n"
  },
  {
[
  [1681601913497, "433875ea4139: Pull complete\n"],
  [1681601913497, "Digest: sha256:1b501f9aa621df27078adcd19ba769c09cb1c4f2e797bfaba0c66553db16923b\n"],
  [1681601913497, "Status: Downloaded newer image for python:3.10-slim-buster\n"],
  [1681601913497, " ---> 6f74f1480ab7\n"],
  [1681601913497, "Step 2/7 : WORKDIR /backend-flask\n"],
  [1681601915513, " ---> Running in af21b329eb4d\n"],
  [1681601915513, "Removing intermediate container af21b329eb4d\n"],
  [1681601915513, " ---> 39c4f7b30297\n"],
  [1681601915513, "Step 3/7 : COPY requirements.txt requirements.txt\n"],
version: 0.2
phases:
  install:
    runtime-versions:
      docker: 19
    commands:
      - echo "cd into $CODEBUILD_SRC_DIR/backend"
      - cd $CODEBUILD_SRC_DIR/backend-flask
      - "aws ecr get-login-password --region $AWS_DEFAULT_REGION | docker login --username AWS --password-stdin $IMAGE_URL"
  build:
id: 6852d9da-8015-4b95-8ecf-d9572ee0395d
name: Suspicious Service Principal creation activity
description: |
  'This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 minutes)'
severity: Low
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
      - AADServicePrincipalSignInLogs
id: acc4c247-aaf7-494b-b5da-17f18863878a
name: External guest invitation followed by Azure AD PowerShell signin
description: |
  'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests
  users, who have been invited or have invited recently, who also are logging via various PowerShell CLI.
  Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/'
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
id: 4685d7ec-8134-43ce-b579-7c31286b0bc5
name: insider-threat-detection-queries (1)
description: |
  Intent:
  - Use MTP capability to look for insider threat potential risk indicators
  - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools
  Definition of Insider Threat:
  "The potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization."
  This collection of queries describes the different indicators that could be used to model and look for patterns suggesting an increased risk of an individual becoming a potential insider threat.
  Note: no single indicator should be used as a lone determinant of insider threat activity, but should be part of an overall program to understand the increased risk to your organization's critical assets. This in turn is used to feed an investigation by a formal insider threat pro
id: 119d9e1c-afcc-4d23-b239-cdb4e7bf851c
name: External user added and removed in a short timeframe - Hunt Version
description: |
  'This hunting query identifies external user accounts that are added to a Team and then removed within one hour.'
requiredDataConnectors:
  - connectorId: Office365
    dataTypes:
      - OfficeActivity (Teams)
tactics:
  - Persistence