# Step 1: Download and extract DeepBlueCLI on each target computer
# https://github.com/sans-blue-team/DeepBlueCLI
# Step 2: Get the path for DeepBlue.ps1 and change it in the ```DeepBluePath``` below
workflow Analyze-EventLogsDeepBlue {
    param (
        [string[]]$ComputerName,
        [string]$LogName = 'Security',
        [string]$DeepBluePath = "C:\Path\To\DeepBlue.ps1"
    )

workflow Detect-UnsignedProcesses {
    param (
        [string[]]$ComputerName
    )
    if (-not $ComputerName) {
        $ComputerName = @("localhost")
    }

{
  "properties": {
    "displayName": "Linux machines should meet requirements for the Azure compute security baseline - custom 2",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",
    "metadata": {
      "category": "Guest Configuration",
      "createdBy": "73175a57-a138-4125-8bf9-8373cff050bf",
      "createdOn": "2023-11-14T20:27:31.7401264Z",

{
  "properties": {
    "displayName": "Linux machines should meet requirements for the Azure compute security baseline",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",
    "metadata": {
      "version": "2.1.0",
      "category": "Guest Configuration",
      "requiredProviders": [

{
  "properties": {
    "displayName": "Block all azure vm extensions policy",
    "policyType": "Custom",
    "mode": "All",
    "metadata": {
      "version": "2.0.0",
      "createdBy": "73175a57-a138-4125-8bf9-8373cff050bf",
      "createdOn": "2023-11-09T19:12:54.3579633Z",
      "updatedBy": null,

variable "region" {
  default = "us-east-1"
}
resource "aws_ec2_host" "example_host" {
  instance_type     = "mac1.metal"
  availability_zone = "us-east-2b"
}
data "aws_ami" "macos" {

# Secrets scanning at scale: 3 different tools
# trufflehog
#!/bin/bash
# 1. get all repos: gh repo list <organization> --limit 1000 > repos.txt
# 2. parse repos.txt so each line looks similar to: https://github.com/username/repo-name.git
# Remotely scan the repos using trufflehog without downloading
while IFS= read -r repo
do

# Credit and props to Manoel Abreu @reefbr - Thank you man!
# This one-liner uses dockerized gitleaks to detect a custom toml file with AWS access keys and secret
wget https://gist.githubusercontent.com/iknowjason/64914c08c0512f7380dbe7240812d69d/raw/6044896415ba9adc02a055fe774f67e31ecddad0/aws_key.toml; docker run --rm -v "$PWD:/script" -v <GIT_DIRECTORY_FULL_PATH>/:/code/ --name=gitleaks zricethezav/gitleaks -v detect -c=/script/aws_key.toml -p=/code

title = "gitleaks aws secrets config"

[[rules]]
description = "AWS Key ID"
regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
tags = ["key", "AWS"]

[[rules]]
description = "AWS Secret Key2"
regex = '''(?i)aws_secret_key='''
tags = ["key", "AWS"]

# Start with a DNS domain as seed, and do some recon to check if the domain is hosted on an M365 / Azure tenant
# Insert your domain in the environment variable below
DOMAIN="microsoft.com"
# Check the getuserrealm.srf endpoint for domain information
# Check the autodiscover.$DOMAIN DNS entry
host autodiscover.$DOMAIN
# Note: Checks the autodiscover forward lookup ~ you should see a CNAME record for autodiscover.$DOMAIN pointing to autodiscover.outlook.com