Brakertech

tech problems: solved

CrowdStrike SIEM Connector Grok Rules

I couldn’t find a good set of Grok rules for the CrowdStrike SIEM connector so I wrote my own. You need two rule sets. Set1: %{IPV4:source_collector_ip} CEF: 0\|CrowdStrike\|FalconHost\|1.0\|%{WORD:event_type}\|%{GREEDYDATA:event_subtype}\|%{INT:event_tactic}\|externalId=%{HOSTNAME:externalID} cn2Label=%{WORD:cn2Label} cn2=%{WORD:cn2} cn1Label=%{WORD:cn1Label} cn1=%{WORD:cn1} dhost=%{HOSTNAME:dhost} duser=%{DATA:duser} msg=%{GREEDYDATA:msg} fname=%{DATA:fname} filePath=%{GREEDYDATA:filepath} cs5Label=%{DATA:cs5Label} cs5=%{GREEDYDATA:cs5} fileHash=%{DATA:fileHash} dntdom=%{DATA:dntdom} cs6Label=%{DATA: cs6Label} cs6=%{GREEDYDATA:cs6} cn3Label=%{DATA: cs3Label} cn3=%{DATA:cn3} rt=%{DATA:rt} src=%{IP:src} smac=%{MAC:smac} cat=%{GREEDYDATA:cat} act=%{GREEDYDATA:act} reason=%{GREEDYDATA:reason} outcome=%{DATA:outcome} CSMTRPatternDisposition=%{GREEDYDATA:CSMTRPatternDisposition}... » read more

0
Read
Steve Stonebraker
Automating Setting up Tenable.io AWS Connector Role

I recently had to set up quite a few AWS Connectors in Tenable.io for various AWS accounts. This can become quite a cumbersome task so I decided to automate it. Prerequisites ~/.aws/config with multiple profiles trustpolicy.json (shown below) trustpolicy.json This will be used by our script for the initial role creation. The account # referenced... » read more

0
Read
Steve Stonebraker
Bulk Lookup Owner of IP Address

To perform a bulk whois lookup of a list of IP addresses use the following script: Bulk whois lookup while read ip; do if [ ! -z "$ip" ]; then echo -n "$ip - " && whois $ip 2>/dev/null grep "Organization" -m 1; fi; done < ip_list.txt Example input (ip_list.txt) 172.217.8.206 172.217.8.203 172.217.8.266 151.101.65.67 Output... » read more

1
Read
Steve Stonebraker
List All Subnets Across Multiple AWS accounts/profiles

Recently I needed to generate a list of all subnets across every AWS account in an organization. I’ve documented an easy way to achieve this Prerequisites Set up your aws config for multiple profiles (one for each account) [default] region=us-east-1 output=json [profile account1] role_arn = arn:aws:iam::XXXXXXXXXXXX:role/OrganizationAccountAccessRole source_profile = default region=us-east-1 output=json [profile account2] role_arn =... » read more

0
Read
Steve Stonebraker
Limiting S3 Sync Bandwidth

Out of the box the aws s3 application is suppose to limit bandwidth by setting the “s3.max_bandwidth” option. Example: aws configure set default.s3.max_bandwidth 5MB/s Problem aws s3 sync is using more bandwidth than the ~/.aws/config file has specified. Replication Steps Run the following command to set a max bandwidth limit for the s3 application aws... » read more

0
Read
Steve Stonebraker
Jenkins Cleanup Old Builds

I wrote a quick shell script to cleanup old Jenkins builds. This will delete any build older than 30 days. #!/bin/bash # jenkins_delete_old_builds.sh # Author: Steve Stonebraker # Date: 8/5/2019 # Description: Deletes any build older than 30 days # Place in crontab # @daily /bin/bash -x /root/scripts/jenkins_cleanup.sh > /root/scripts/jenkins_cleanup.log find /var/lib/jenkins/jobs/*/builds/ -maxdepth 1 -mindepth... » read more

0
Read
Steve Stonebraker
Detecting Windows Lateral Movement

I came across a great article on detecting windows lateral movement and wanted to share it with everyone: CERT-EU Security Whitepaper 17-002 “Detecting Lateral Movements in Windows Infrastructure” https://cert.europa.eu/static/WhitePapers/CERT-EU_SWP_17-002_Lateral_Movements.pdf

0
Read
Steve Stonebraker
Install Chrome using PowerShell

To install Google Chrome using Powershell (headless install) run the following command from and Administrative PowerShell Prompt: $LocalTempDir = $env:TEMP; $ChromeInstaller = "ChromeInstaller.exe"; (new-object System.Net.WebClient).DownloadFile('http://dl.google.com/chrome/install/375.126/chrome_installer.exe', "$LocalTempDir\$ChromeInstaller"); & "$LocalTempDir\$ChromeInstaller" /silent /install; $Process2Monitor = "ChromeInstaller"; Do { $ProcessesFound = Get-Process | ?{$Process2Monitor -contains $_.Name} | Select-Object -ExpandProperty Name; If ($ProcessesFound) { "Still running: $($ProcessesFound -join ', ')"... » read more

0
Read
Steve Stonebraker