Upload files to "8 Tools"

8 Tools/Autoruns Guide.rtf

@@ -0,0 +1,70 @@
+{\rtf1\ansi\deff3\adeflang1025
+{\fonttbl{\f0\froman\fprq2\fcharset0 Times New Roman;}{\f1\froman\fprq2\fcharset2 Symbol;}{\f2\fswiss\fprq2\fcharset0 Arial;}{\f3\froman\fprq2\fcharset0 Liberation Serif{\*\falt Times New Roman};}{\f4\froman\fprq2\fcharset0 Calibri;}{\f5\fswiss\fprq2\fcharset0 Liberation Sans{\*\falt Arial};}{\f6\fnil\fprq2\fcharset0 Microsoft YaHei;}{\f7\fswiss\fprq0\fcharset128 Arial;}{\f8\fnil\fprq2\fcharset0 Arial;}}
+{\colortbl;\red0\green0\blue0;\red0\green0\blue255;\red0\green255\blue255;\red0\green255\blue0;\red255\green0\blue255;\red255\green0\blue0;\red255\green255\blue0;\red255\green255\blue255;\red0\green0\blue128;\red0\green128\blue128;\red0\green128\blue0;\red128\green0\blue128;\red128\green0\blue0;\red128\green128\blue0;\red128\green128\blue128;\red192\green192\blue192;}
+{\stylesheet{\s0\snext0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052 Normal;}
+{\*\cs15\snext15\rtlch\alang255 \ltrch\lang255\langfe255\loch\cf9\lang255\ul\ulc0\dbch\langfe255 Hyperlink;}
+{\*\cs16\snext16\hich\af4\loch\f4\fs22\b0 ListLabel 1;}
+{\s17\sbasedon0\snext18\rtlch\af8\afs28 \ltrch\hich\af5\loch\sb240\sa120\keepn\f5\fs28\dbch\af6 Heading;}
+{\s18\sbasedon0\snext18\loch\sl276\slmult1\sb0\sa140 Text Body;}
+{\s19\sbasedon18\snext19\rtlch\af7 \ltrch\loch\sl276\slmult1\sb0\sa140 List;}
+{\s20\sbasedon0\snext20\rtlch\af7\afs24\ai \ltrch\loch\sb120\sa120\noline\fs24\i Caption;}
+{\s21\sbasedon0\snext21\rtlch\af7\alang255 \ltrch\lang255\langfe255\loch\noline\lang255\dbch\langfe255 Index;}
+}{\*\listtable{\list\listtemplateid1
+{\listlevel\levelnfc23\leveljc0\levelstartat0\levelfollow0{\leveltext \'01\u183 ?;}{\levelnumbers;}\f1\loch\fs22\b0\fi0\li0}
+{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow0{\leveltext \'02\'01.;}{\levelnumbers\'01;}\fi-360\li1080}
+{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow0{\leveltext \'02\'02.;}{\levelnumbers\'01;}\fi-360\li1440}
+{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow0{\leveltext \'02\'03.;}{\levelnumbers\'01;}\fi-360\li1800}
+{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow0{\leveltext \'02\'04.;}{\levelnumbers\'01;}\fi-360\li2160}
+{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow0{\leveltext \'02\'05.;}{\levelnumbers\'01;}\fi-360\li2520}
+{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow0{\leveltext \'02\'06.;}{\levelnumbers\'01;}\fi-360\li2880}
+{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow0{\leveltext \'02\'07.;}{\levelnumbers\'01;}\fi-360\li3240}
+{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow0{\leveltext \'02\'08.;}{\levelnumbers\'01;}\fi-360\li3600}\listid1}
+{\list\listtemplateid2
+{\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0}
+{\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0}
+{\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0}
+{\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0}
+{\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0}
+{\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0}
+{\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0}
+{\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0}
+{\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0}\listid2}
+}{\listoverridetable{\listoverride\listid1\listoverridecount0\ls1}{\listoverride\listid2\listoverridecount0\ls2}}{\*\generator LibreOffice/7.2.1.2$Windows_X86_64 LibreOffice_project/87b77fad49947c1441b67c559c339af8f3517e22}{\info{\creatim\yr0\mo0\dy0\hr0\min0}{\revtim\yr2021\mo12\dy10\hr9\min1}{\printim\yr0\mo0\dy0\hr0\min0}}{\*\userprops}\deftab720
+\hyphauto1\viewscale100
+{\*\pgdsctbl
+{\pgdsc0\pgdscuse451\pgwsxn12240\pghsxn15840\marglsxn1440\margrsxn1440\margtsxn1440\margbsxn1440\pgdscnxt0 Default Page Style;}}
+\formshade\paperh15840\paperw12240\margl1440\margr1440\margt1440\margb1440\sectd\sbknone\pgndec\sftnnar\saftnnrlc\sectunlocked1\pgwsxn12240\pghsxn15840\marglsxn1440\margrsxn1440\margtsxn1440\margbsxn1440\ftnbj\ftnstart1\ftnrstcont\ftnnar\aenddoc\aftnrstcont\aftnstart1\aftnnrlc
+{\*\ftnsep\chftnsep}\pgndec\pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch\sl240\slmult1\ql\sb0\sa200\ltrpar{\hich\af4\loch\fs32\lang1033\b\f4\loch
+WinEventLog Autoruns}
+\par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch\sl276\slmult1\ql\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\b0\f4\loch
+Autoruns is a tool developed by Sysinternals that allows you to view all of the locations in Windows where applications can insert themselves to launch at boot or when certain applications are opened. Malware often takes advantages of these locations to ensure that it runs whenever your computer boots up. The script can be downloaded from }{{\field{\*\fldinst HYPERLINK "https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog" }{\fldrslt {\hich\af4\loch\fs22\lang1033\b0\f4\loch
+https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog}}}}
+\par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch\sl276\slmult1\ql\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\b0\f4\loch
+More about Autoruns at: }{{\field{\*\fldinst HYPERLINK "https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx" }{\fldrslt {\hich\af4\loch\fs22\lang1033\b0\f4\loch
+https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx}}}}
+\par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch\sl276\slmult1\ql\sb0\sa200\ltrpar{\hich\af4\loch\fs32\lang1033\b\f4\loch
+Installation}
+\par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch\sl276\slmult1\ql\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\b0\f4\loch
+From an }{\hich\af4\loch\fs22\lang1033\ul\ulc0\b0\f4\loch
+Admin Powershell Console}{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch
+ run }{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\highlight16\f4\loch
+.\\Install.ps1}{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch
+. The script will:}
+\par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch{\listtext\pard\plain \hich\af4\loch\f4\fs22\b0 \u183\'b7\tab}\ilvl0\ls1 \li720\ri0\lin720\rin0\fi0\sl276\slmult1\ql\li720\ri0\lin720\rin0\fi-360\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch
+Create a directory at c:\\Program Files\\AutorunsToWinEventLog to store and forward all logs}
+\par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch{\listtext\pard\plain \hich\af4\loch\f4\fs22\b0 \u183\'b7\tab}\ilvl0\ls1 \li720\ri0\lin720\rin0\fi0\sl276\slmult1\ql\li720\ri0\lin720\rin0\fi-360\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch
+Copy over AutorunsToWinEventLog.ps1 to the same directory}
+\par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch{\listtext\pard\plain \hich\af4\loch\f4\fs22\b0 \u183\'b7\tab}\ilvl0\ls1 \li720\ri0\lin720\rin0\fi0\sl276\slmult1\ql\li720\ri0\lin720\rin0\fi-360\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch
+Download Autorunsc64.exe from }{{\field{\*\fldinst HYPERLINK "https://live.sysinternals.com" }{\fldrslt {\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch
+https://live.sysinternals.com}}}}
+\par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch{\listtext\pard\plain \hich\af4\loch\f4\fs22\b0 \u183\'b7\tab}\ilvl0\ls1 \li720\ri0\lin720\rin0\fi0\sl276\slmult1\ql\li720\ri0\lin720\rin0\fi-360\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch
+Create a scheduled task to run the install }{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch
+s}{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch
+cript daily at 1100}
+\par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch\sl276\slmult1\ql\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch
+To run the task without waiting, open scheduled tasks library and execute it from there.}
+\par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch\sl276\slmult1\ql\sb0\sa200\ltrpar{\hich\af4\loch\fs32\lang1033\ulnone\ulc0\b\f4\loch
+What Does AutorunsToWinEventLog do}
+\par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch\sl276\slmult1\ql\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch
+Autoruns conveniently includes a non-interactive command line utility. This code generates a CSV of Autoruns entries, converts them to JSON, and finally inserts them into a custom Windows Event Log. By doing this, we can take advantage of our existing WEF infrastructure to get these entries into our SIEM and start looking for signs of malicious persistence on endpoints and servers.}
+\par }

8 Tools/SCCMSog.md

@@ -0,0 +1,3 @@
+create windows 2019 server
+
+https://www.youtube.com/watch?v=amrg_mlFvuk&t=2078s&ab_channel=PatchMyPC

8 Tools/bpf.md

@@ -0,0 +1,22 @@
+location in SO - /opt/so/saltstack/local/pillar/global.sls
+
+block range
+    - no net <IP>/<CIDR>
+block ipv6
+    - no ip6
+block host
+    - no host <IP>
+block port
+    - no <PORT>
+
+```
+steno:
+    - no 443 &&
+    - no net 10.1.5.0/24 &&
+    - no ip6
+nid:
+    - no net 10.1.5.0/24 &&
+    - no host 20.1.8.2
+zeek:
+    - no net 10.1.5.0/24
+```

8 Tools/deploymentlaptop.md

@@ -0,0 +1,23 @@
+[Download rocky linux](https://rockylinux.org/download)
+
+
+dnf update
+dnf upgrade
+dnf install epel-release ntfs-3g *ntfs* ansible screen
+Grab DCWS/Ansible directory USB - format as NTFS
+make dco_admin  in sudoers
+mkdir -p /data/media/
+cd /data/media
+mkdir drivers isos licenses qcows sdks splunk vmware
+- ansible (make dco_admin  in sudoers)
+    - intel-icen-1.10.3.0.zip -> /drivers
+    - vmware-7.0.3-esxi.iso -> /isos
+    - vmware-7.0.3-vcenter.iso -> /isos
+    - vsan-sdk-python.zip -> /sdks
+    - splunk-add-on-for-microsoft-windows_812.tgz -> /splunk
+    - splunk-add-on-for-unix-and-linux_830.tgz -> /splunk
+    - ansible_main -> /opt
+Switch 
+reset physically on front
+3 commands
+ansible-playbook 02_infastructure.yml

8 Tools/remnux.md

@@ -0,0 +1,36 @@
+# Created by Cpl Iverson, Matthew
+
+minimum specs
+
+RAM: 4GB
+
+Hard drive: 60GB
+
+install ubuntu
+continue
+minimal install, download updates while installing ubuntu
+erase disk
+continue
+your timezone
+
+swap .iso with disk
+dont upgrade
+update
+open terminal
+
+```
+sudo apt install curl
+
+wget https://REMnux.org/remnux-cli
+
+mv remnux-cli remnux
+chmod +x remnux
+sudo mv remnux /usr/local/bin
+
+sudo apt install -y gnupg
+
+sudo remnux install
+
+sudo reboot
+```
+

8 Tools/rita.md

@@ -0,0 +1,48 @@
+- By Cpl Iverson, Matthew
+
+
+## Overview
+
+RITA is an open-source framework for network traffic analysis.
+The framework ingests Zeek Logs in TSV format, and currently supports the following major features:
+    - Beaconing Detection: Search for signs of beaconing behavior in and out of your network
+    - DNS Tunneling Detection Search for signs of DNS-based covert channels
+    - Blacklist Checking: Query blacklists to search for suspicious domains and hosts
+
+## Requirements
+
+#### Without ZEEK
+CPU: 2+
+Ram: 16GB+
+STORAGE: 40GB 
+
+#### With ZEEK
+CPUs: 3-8
+RAM: 16GB - 128GB
+STORAGE: 300GB+
+NICs: 2
+
+normal ubuntu install
+
+```
+sudo apt install git
+git clone https://github.com/activecm/rita.git
+cd /rita
+sudo ./install.sh
+```
+
+```
+Would you like to continue running the zeek configuration script and generate a new node.cfg file?
+y
+
+Would you like to include it as a sniff interface (y/n)?
+y
+
+```enp2s0```
+
+would you like to replace the existing node.cfg with the above file?
+yes
+
+sudo apt install zkg
+zkg install zeek/activecm/zeek-open-connections
+```

8 Tools/syslogSOG.md

@@ -0,0 +1,112 @@
+[Create Syslog Server Video](https://www.youtube.com/watch?v=Cw-TXDirgcQ&ab_channel=EdGoad)
+
+1. Instal OS
+install fedora 40 server
+
+```
+dnf update
+dnf upgrade
+```
+
+2. Configure Log Location
+
+```
+mkdir /var/log/syslog
+```
+
+3. Open Firewall
+
+```
+firewall-cmd --get-default-zone
+<ZONE> // This zone is put below
+firewall-cmd --zone=<ZONE> --add-port=514/udp --permanent
+firewall-cmd --zone=<ZONE> --add-port=514/tcp --permanent
+firewall-cmd --reload
+```
+
+trouble shooting with fedora firewall-cmd
+
+```
+firewall-cmd --get-zones
+```
+
+4. Install rsyslog
+
+```
+dnf install rsyslog
+vi /etc/rsyslog.conf
+```
+
+uncomment # in the front of the lines
+
+
+scroll to bottom of file
+
+```
+$template PerHostLog,"/var/log/syslog/%HOSTNAME%.log"
+if $fromhost-ip startswith '10.' then -?PerHostLog
+& STOP
+```
+
+5. Test syslog server
+
+```
+cd /opt
+wget https://raw.githubusercontent.com/edgoad/syslog-generator/master/syslogGen1.sh
+// change SOURCES to what files your range from what you specified above
+SOURCES=
+// Change DEST_IP to your IP of your syslog server
+//uncomment line towards bottom `#echo` to see when script is functioning
+```
+
+6. Setup Logrotate
+
+```
+cd /etc/logrotate.d/
+cp rsyslog syslog
+vi syslog
+```
+
+```
+// add syslog folder to file at the top
+/var/log/syslog/*.log
+
+// next add three lines inside the {}
+// these lines will be to rotate in a year, expire after a year and create new logs daily for each IP
+    rotate 365
+    maxage 366
+    daily
+```
+
+/etc/logrotate.d/syslog file
+
+7. Point remote syslogs to your syslog server
+
+8. Set up splunk universal forwarder on syslog server
+
+[Setup Splunk Universal Forwarder](https://www.youtube.com/watch?v=smyLZ6ataK0&embeds_referring_euri=https%3A%2F%2Fcdn.iframe.ly%2F&source_ve_path=MjM4NTE)
+
+install the 64 tar
+
+```
+wget -O splunkforwarder-9.2.1-78803f08aabb-Linux-x86_64.tgz "https://download.splunk.com/products/universalforwarder/releases/9.2.1/linux/splunkforwarder-9.2.1-78803f08aabb-Linux-x86_64.tgz"
+```
+
+```
+useradd -m splunkfwd
+groupadd splunkfwd
+export SPLUNK_HOME="/opt/splunkforwarder"
+mkdir $SPLUNK_HOME
+```
+
+```
+tar xvzf splunkforwarder_package_name.tgz
+```
+
+```
+chown -R splunkfwd:splunkfwd $SPLUNK_HOME
+sudo $SPLUNK_HOME/bin/splunk start --accept-license
+$SPLUNK_HOME/bin/splunk add forward-server <IP>:<PORT>
+$SPLUNK_HOME/bin/splunk restart
+$SPLUNK_HOME/bin/splunk add monitor /var/log/syslog
+```

8 Tools/winlogbeatwithossysbeat.md

@@ -0,0 +1,15 @@
+Host Visibility — Security Onion 2.3 documentation
+***Modifying the Winlogbeat.yaml to work with the OSSysbeat.ps1 script to set up the shipping of host logs to Security Onion***
+Right click and edit the winlogbeat.yaml file
+Scroll down to the “winlogbeat.event_logs:” section
+The bottom line of this section should read as follows:
+name: Microsoft-Windows-Sysmon/Operational
+
+Scroll down to the Elasticsearch section and comment out the host's line
+
+Scroll down to the Logstash section and uncomment the “output.logstash:” line and the “hosts” line below it
+Then, change the IP in the square brackets to be the IP address of our security onion sensor
+
+Ctrl + S to save, close the file
+
+by cpl adams