-
HaCi http://haci.larsux.de/ - 2015-03
- IPAM only, v4/v6, multiple POPs, uses templates, space visualization
-
GestioIP https://www.gestioip.net/ - 2019-10
faststeak
faststeak
/ PowershellTranscript.json
Created
January 27, 2023 22:27
Cribl Custom Eventbreaker for Powershell Transcripts
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "id": "PowershellTranscripts", | |
| "lib": "custom", | |
| "rules": [ | |
| { | |
| "condition": "sourcetype=='powershell:transcripts'", | |
| "type": "regex", | |
| "timestampAnchorRegex": "/Start time:\\s/", | |
| "timestamp": { | |
| "type": "format", |
faststeak
/ gist:0ef52e39c80ef15c92731fb0a7fcb234
Created
December 13, 2021 17:00
Splunk search for log4j stuff
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| index=<your target indexes> | |
| | regex "(?i)\${(\${(.*?:|.*?:.*?:-)(\'|\"|\`)*(?1)}*|[jndi:(ldap|ldaps|rmi|dns|nis|iiop|corba|nds|http)](\'|\"|\`)*}*){9,10}" | |
| | rex field=_raw max_match=0 "(?<ip_addr>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | |
| | rex field=_raw "Base64\/(?<base64>[A-Za-z0-9+]{15,}[=]{0,2})" | |
| | decrypt field=base64 b64 emit('payload') | |
| | table _time index sourcetype host ip_addr base64 payload _raw | |
| | mvexpand ip_addr |
faststeak
/ gist:c8a0483ca0a25c6c92bab43579596c16
Created
March 26, 2021 14:36
Splunk search looking for writable shares with Tenable Nessus data
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| index=<your tenable index here> sourcetype=tenable:sc:vuln (pluginID=10396 OR pluginID=10395 OR pluginID=23973 OR pluginID=24271 OR pluginID=42411 OR pluginID=60119) TERM(<your testuser here>) | |
| | table ip dnsName pluginID pluginName pluginText | |
| | rex field=pluginText max_match=0 (?<allInfo>((?<=\n-\s)((?<=\n-\s)(.+\n)*)*)) | |
| | mvexpand allInfo | |
| | rex field=allInfo (?<shareContents>((?<=:\n)(.+\n)*(.)*)) | |
| | rex field=allInfo (?<sharePermissions>(((?<=\s{2}-\s\()(.)*)(?=\)))) | |
| | rex field=allInfo (?<shareName>((.)*(?=\s{2}-))) | |
| | search sharePermissions=*writable* | |
| | table dnsName shareName |
faststeak
/ gist:66918caaf6a0d7e9fcd818515ae63252
Created
March 23, 2020 19:48
Splunk Search for finding password spray - useful for "Jacked directly into the matrix"
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| index=winevents sourcetype=WinEventLog:Security EventCode=4625 NOT(user=*$ OR host="insert Domain Controllers here") Failure_Reason="Unknown user name or bad password." | |
| | bin span=30m _time | |
| | stats min(_time) as firstTime max(_time) as lastTime count dc(user) as user_count values(user) as user_logon_attempts values(Source_Network_Address) as Source_Network_Addresses by host Logon_Type Failure_Reason | |
| | fields firstTime lastTime host Logon_Type Failure_Reason user_count user_logon_attempts Source_Network_Addresses | |
| | convert ctime(firstTime), ctime(lastTime) | |
| | where user_count>50 | |
| | eval user_logon_attempts=mvjoin(user_logon_attempts, ", ") | |
| | eval user_logon_attempts=substr(user_logon_attempts, 0, 500) |
faststeak
/ ipam-tools.md
Last active
November 24, 2019 17:23
— forked from regnauld/ipam-tools.md
Overview of IPAM/DCIM tools - July 2016
faststeak
/ gist:275d5d157492b281b6940068f2ae9f6d
Last active
November 15, 2019 17:12
Osquery Queries from various sources
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SELECT p.pid, p.name, p.state, u.username, lp.* | |
| FROM processes p | |
| INNER JOIN listening_ports lp | |
| ON lp.pid = p.pid | |
| INNER JOIN users u | |
| ON u.uid = p.uid; | |
| SELECT u.username, | |
| g.groupname | |
| FROM users u |
faststeak
/ gist:8c2f812f3a9650523aea44cae20fbaa7
Last active
October 14, 2019 13:49
Splunk searches to find password spraying in Auth DM
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Needs time and host components | |
| | tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Authentication by _time Authentication.src_user Authentication.user | rename Authentication.* as * | stats dc(user) as user_count values(user) as users by src_user | |
| # Base tstats search to get the initial data | |
| | tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Authentication by _time Authentication.action Authentication.src Authentication.dest Authentication.src_user Authentication.user Authentication.signature Authentication.signature_id |
faststeak
/ gist:e30f6802fd51c3cd325e6b4247e85267
Created
June 17, 2019 16:19
Splunk search to find Accelerated Data Models that are using a lookup
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Any DMs returned are using a lookup, so those lookups need to be on the indexers. | |
| | rest splunk_server=local /services/datamodel/acceleration| fields title search | eval contains_lookup=if(like(search, "%lookup%"),1,0) | eval contains_lookup=case(contains_lookup=1,"yes",contains_lookup=0,"no")| table title search contains_lookup | search contains_lookup=yes |
faststeak
/ gist:824a9bad9b0a0784f51ed9767b6e9810
Created
May 20, 2019 16:21
Splunk Endpoint DM search for regsvr32.exe activity
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| | tstats summariesonly=true allow_old_summaries=true count from datamodel=Endpoint.Processes where Processes.process_name="regsvr32.exe" by _time Processes.dest Processes.parent_process Processes.process span=15m |
faststeak
/ gist:ee18ab9fd4b815bcedb56b196d1127e0
Created
April 1, 2019 15:51
Splunk DHCP Lookup Search
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Assumes the presence of SA-Netops (the normalize macro). | |
| # Configured for Stream data as written | |
| index=dhcp chaddr=* ciaddr=* NOT (ciaddr="0.0.0.0" OR ciaddr=169.254.*) | |
| | streamstats earliest(_time) as earliest_time latest(_time) as latest_time latest(chaddr) as latest_mac latest(ciaddr) as latest_ip by chaddr ciaddr reset_on_change=true | |
| | stats min(earliest_time) as start_time max(latest_time) as end_time by latest_mac latest_ip | |
| | rename latest_mac AS mac latest_ip as ip | |
| | `normalize_mac_address(mac)` | |
| | inputlookup dhcp_lookup append=t | |
| | stats dc(mac) as mac_count values(*) as * by ip |
NewerOlder