iknowjason
/ Analyze-EventLogsDeepBlue.ps1
Created
September 15, 2024 17:48
Powershell Workflow Example - Malware Process Detection - DeepBlueCLI Threat Hunting in Windows Event Logs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Step 1: Download and extract DeepBlueCLI on each target computer | |
| # https://github.com/sans-blue-team/DeepBlueCLI | |
| # Step 2: Get the path for Deepblue.ps1 and change it in the ```DeepBluePath``` below | |
| workflow Analyze-EventLogsDeepBlue { | |
| param ( | |
| [string[]]$ComputerName, | |
| [string]$LogName = 'Security', | |
| [string]$DeepBluePath = "C:\Path\To\DeepBlue.ps1" | |
| ) |
iknowjason
/ Detect-UnsignedProcess.ps1
Last active
September 15, 2024 17:56
Powershell Workflow Example - Malware Process Detection - Check for Unsigned Process
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| workflow Detect-UnsignedProcesses { | |
| param ( | |
| [string[]]$ComputerName | |
| ) | |
| if (-not $ComputerName) { | |
| $ComputerName = @("localhost") | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "properties": { | |
| "displayName": "Linux machines should meet requirements for the Azure compute security baseline - custom 2", | |
| "policyType": "Custom", | |
| "mode": "Indexed", | |
| "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.", | |
| "metadata": { | |
| "category": "Guest Configuration", | |
| "createdBy": "73175a57-a138-4125-8bf9-8373cff050bf", | |
| "createdOn": "2023-11-14T20:27:31.7401264Z", |
iknowjason
/ tag-exception-policy.json
Created
November 13, 2023 13:09
Azure policy exception sample rule. This policy checks for existence of a tag of 'Jason-Created-Resource'. Cloned from Azure default policy of "Linux machines should meet requirements for the Azure compute security baseline." If tag exists, it returns false on the logic check and rest of policy is ignored.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "properties": { | |
| "displayName": "Linux machines should meet requirements for the Azure compute security baseline", | |
| "policyType": "BuiltIn", | |
| "mode": "Indexed", | |
| "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.", | |
| "metadata": { | |
| "version": "2.1.0", | |
| "category": "Guest Configuration", | |
| "requiredProviders": [ |
iknowjason
/ blockallextensions.json
Created
November 9, 2023 19:26
Azure policy block all vm extensions
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "properties": { | |
| "displayName": "Block all azure vm extensions policy", | |
| "policyType": "Custom", | |
| "mode": "All", | |
| "metadata": { | |
| "version": "2.0.0", | |
| "createdBy": "73175a57-a138-4125-8bf9-8373cff050bf", | |
| "createdOn": "2023-11-09T19:12:54.3579633Z", | |
| "updatedBy": null, |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| variable "region" { | |
| default = "us-east-1" | |
| } | |
| resource "aws_ec2_host" "example_host" { | |
| instance_type = "mac1.metal" | |
| availability_zone = "us-east-2b" | |
| } | |
| data "aws_ami" "macos" { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Secrets scanning at scale: 3 different tools | |
| # trufflehog | |
| #!/bin/bash | |
| # 1. get all repos: gh repo list <organization> --limit 1000 > repos.txt | |
| # 2. parse repos.txt so each line looks similar to: https://github.com/username/repo-name.git | |
| # Remotely scan the repos using trufflehog without downloading | |
| while IFS= read -r repo | |
| do |
iknowjason
/ gitleaks_docker.sh
Last active
February 16, 2022 19:00
aws_key.toml and gitleaks docker in one line
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Credit and props to Manoel Abreu @reefbr - Thank you man! | |
| # This one-liner uses dockerized gitleaks to detect a custom toml file with AWS access keys and secret | |
| wget https://gist.githubusercontent.com/iknowjason/64914c08c0512f7380dbe7240812d69d/raw/6044896415ba9adc02a055fe774f67e31ecddad0/aws_key.toml; docker run --rm -v "$PWD:/script" -v <GIT_DIRECTORY_FULL_PATH>/:/code/ --name=gitleaks zricethezav/gitleaks -v detect -c=/script/aws_key.toml -p=/code |
iknowjason
/ aws_key.toml
Created
July 23, 2021 01:07
AWS gitleaks configuration for access keys and secret
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| title = "gitleaks aws secrets config" | |
| [[rules]] | |
| description = "AWS Key ID" | |
| regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}''' | |
| tags = ["key", "AWS"] | |
| [[rules]] | |
| description = "AWS Secret Key2" | |
| regex = '''(?i)aws_secret_key=''' | |
| tags = ["key", "AWS"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Start with a DNS domain as seed, and do some recon to check if domain is M365 / Azure tenant hosted | |
| # Insert your domain environment variable below | |
| DOMAIN="microsoft.com" | |
| # Check the getuserrealm.srf endpoint for domain information | |
| # Check autodiscover.$DOMAIN DNS entry | |
| host autodiscover.$DOMAIN | |
| # Note: Checks autodiscover forward lookup ~ you should see a CNAME record for autodiscover.$DOMAIN pointing to autodiscover.otulook.com |
NewerOlder