0xtf’s gists

0xtf / 3cs-rule-example.yaml

Created December 16, 2020 05:20

SIEGMA rule example / 3CORESec Rule Development

	title: Windows ETW Tampering
	id: 29d02e66-cc4e-4cd4-8fd3-7e729e1a230d
	status: experimental
	description: Detects commands that remove, disable, stop or tamper tracing sessions relevant to security.
	author: 3CORESec
	date: 2020/11/16
	references:
	- https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
	- https://github.com/Neo23x0/sigma/blob/8f6ad7df6b7f099db4bc1e867c4614074ea57e87/rules/windows/process_creation/win_etw_trace_evasion.yml
	tags:

0xtf / fireeye_ost_nids.yml

Last active December 11, 2020 16:11

	title: NIDS FireEye Breached Red Team Tool Detected
	id: ce129fbc-5c2e-4e49-ac2d-9742afa10c25
	status: experimental
	description: A red team tool, from the FireEye breach, has been detected.
	author: 3CORESec
	date: 2020/12/09
	modified: 2020/12/10
	references:
	- https://github.com/fireeye/red_team_tool_countermeasures
	tags:

0xtf / ecs-cloudtrail-mapping

Created May 1, 2020 23:20

example output of rule with overrides and cloudtrail mapping

	python3 sigmac -c config/ecs-cloudtrail.yml -t es-qs ../rules/cloud/aws_ec2_vm_export_failure.yml

	((event.action:"CreateInstanceExportTask" AND event.provider:"ec2.amazonaws.com") AND event.outcome:failure)

0xtf / sigma-with-failure-logic.yaml

Created May 1, 2020 23:15

example sigma rule for cloudtrail with success/failure logic

	title: AWS EC2 VM Export failure
	id: 54b9a76a-3c71-4673-b4b3-2edb4566ea7b
	status: experimental
	description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
	references:
	- https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance
	author: Diogo Braz
	date: 2020/04/16
	tags:
	- attack.collection

0xtf / sigma-overrides-config.yaml

Created May 1, 2020 22:19

example of full overrides configuration using literals and regex

	overrides:
	- field: event.outcome
	value: failure
	regexes:
	- (\(\(aws.cloudtrail.error_message.keyword:.* event.action:\"ConsoleLogin\"\)\))
	- (\(\(aws.cloudtrail.error_code.keyword:.* event.action:\"ConsoleLogin\"\)\))
	- (\(\(aws.cloudtrail.error_message.keyword:.* aws.cloudtrail.response_elements.keyword:\Failure\\)\))
	- (\(\(aws.cloudtrail.error_code.keyword:.* aws.cloudtrail.response_elements.keyword:\Failure\\)\))
	- (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_message.keyword:\*\)\))
	- (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_code.keyword:\*\)\))

0xtf / sigma-overrides-regexes.yaml

Created May 1, 2020 19:24

example of regex definition for sigma overrides

	regexes:
	- (\(\(aws.cloudtrail.error_message.keyword:.* event.action:\"ConsoleLogin\"\)\))
	- (\(\(aws.cloudtrail.error_code.keyword:.* event.action:\"ConsoleLogin\"\)\))
	- (\(\(aws.cloudtrail.error_message.keyword:.* aws.cloudtrail.response_elements.keyword:\Failure\\)\))
	- (\(\(aws.cloudtrail.error_code.keyword:.* aws.cloudtrail.response_elements.keyword:\Failure\\)\))
	- (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_message.keyword:\*\)\))
	- (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_code.keyword:\*\)\))
	- (\(\(aws.cloudtrail.response_elements.keyword:\Failure\.* aws.cloudtrail.error_message.keyword:\*\)\))
	- (\(\(aws.cloudtrail.response_elements.keyword:\Failure\.* aws.cloudtrail.error_code.keyword:\*\)\))

0xtf / sigma-overrides-literals.yaml

Created May 1, 2020 19:19

example of literals definition

	literals:
	- ((aws.cloudtrail.error_message.keyword:* OR aws.cloudtrail.error_code.keyword:) OR (event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:Failure*))
	- ((aws.cloudtrail.error_code.keyword:* OR aws.cloudtrail.error_message.keyword:) OR (event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:Failure*))
	- ((aws.cloudtrail.error_message.keyword:* OR aws.cloudtrail.error_code.keyword:) OR (aws.cloudtrail.response_elements.keyword:Failure* AND event.action:"ConsoleLogin"))
	- ((aws.cloudtrail.error_code.keyword:* OR aws.cloudtrail.error_message.keyword:) OR (aws.cloudtrail.response_elements.keyword:Failure* AND event.action:"ConsoleLogin"))
	- ((event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:Failure) OR (aws.cloudtrail.error_message.keyword:* OR aws.cloudtrail.error_code.keyword:*))
	- ((event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:Failure) OR (aws.cloudtrail.error_code.keyword:* OR aws.clo

0xtf / d4-tmux.sh

Created April 8, 2020 12:35

D4 Client tmux script (auth.log and Suricata eve.log)

	#!/bin/bash

	tmux new-session -d -s d4

	tmux send-keys -t d4 'tmux new-window -n d4-auth ' ENTER
	tmux send-keys -t d4 'tmux new-window -n d4-eve ' ENTER
	tmux send-keys -t d4 'tmux new-window -n suricata ' ENTER

	# D4 - auth.log
	tmux send-keys -t d4 'tmux send-keys -t d4-auth "tail -F /var/log/auth.log \| grep --line-buffered sshd \| egrep --line-buffered '"'Invalid user'"' \| /home/user/d4-goclient/d4-goclient_linux_amd64 -c /home/administrator/d4-goclient/confs/ssh/" ENTER' ENTER

0xtf / S3 + Cloudfront CICD Policy

Created November 11, 2019 19:41

A minimal IAM policy for usage in CICD giving access to a single bucket and allowing for CloudFront invalidations

0xtf / myip-SG-update-based-on-description

Last active June 23, 2019 15:34

Update entries inside a AWS Security Group based on their description

	#!/bin/bash

	# This is based on the work done at https://gist.github.com/isalgueiro/212a612fc232f1437ce88876937691d3/revisions#diff-c6d6f47361666bfba5538e6e0101bafd

	####################
	# Define variables #
	####################
	# Expected for securityGroupIds is sg-...
	securityGroupIds="Insert_Your_SGID"
	# Expected for ruleDescription is something like Home, or OfficeNY

	literals:
	- ((aws.cloudtrail.error_message.keyword:* OR aws.cloudtrail.error_code.keyword:) OR (event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:Failure*))
	- ((aws.cloudtrail.error_code.keyword:* OR aws.cloudtrail.error_message.keyword:) OR (event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:Failure*))
	- ((aws.cloudtrail.error_message.keyword:* OR aws.cloudtrail.error_code.keyword:) OR (aws.cloudtrail.response_elements.keyword:Failure* AND event.action:"ConsoleLogin"))
	- ((aws.cloudtrail.error_code.keyword:* OR aws.cloudtrail.error_message.keyword:) OR (aws.cloudtrail.response_elements.keyword:Failure* AND event.action:"ConsoleLogin"))
	- ((event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:Failure) OR (aws.cloudtrail.error_message.keyword:* OR aws.cloudtrail.error_code.keyword:*))
	- ((event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:Failure) OR (aws.cloudtrail.error_code.keyword:* OR aws.clo

Tiago Faria 0xtf