Upload files to "8 Tools"

This commit is contained in:
2024-10-26 23:59:47 -04:00
parent 79ac3d851e
commit 903d8fde82
10 changed files with 329 additions and 0 deletions


@ -0,0 +1,70 @@
{\rtf1\ansi\deff3\adeflang1025
{\fonttbl{\f0\froman\fprq2\fcharset0 Times New Roman;}{\f1\froman\fprq2\fcharset2 Symbol;}{\f2\fswiss\fprq2\fcharset0 Arial;}{\f3\froman\fprq2\fcharset0 Liberation Serif{\*\falt Times New Roman};}{\f4\froman\fprq2\fcharset0 Calibri;}{\f5\fswiss\fprq2\fcharset0 Liberation Sans{\*\falt Arial};}{\f6\fnil\fprq2\fcharset0 Microsoft YaHei;}{\f7\fswiss\fprq0\fcharset128 Arial;}{\f8\fnil\fprq2\fcharset0 Arial;}}
{\colortbl;\red0\green0\blue0;\red0\green0\blue255;\red0\green255\blue255;\red0\green255\blue0;\red255\green0\blue255;\red255\green0\blue0;\red255\green255\blue0;\red255\green255\blue255;\red0\green0\blue128;\red0\green128\blue128;\red0\green128\blue0;\red128\green0\blue128;\red128\green0\blue0;\red128\green128\blue0;\red128\green128\blue128;\red192\green192\blue192;}
{\stylesheet{\s0\snext0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052 Normal;}
{\*\cs15\snext15\rtlch\alang255 \ltrch\lang255\langfe255\loch\cf9\lang255\ul\ulc0\dbch\langfe255 Hyperlink;}
{\*\cs16\snext16\hich\af4\loch\f4\fs22\b0 ListLabel 1;}
{\s17\sbasedon0\snext18\rtlch\af8\afs28 \ltrch\hich\af5\loch\sb240\sa120\keepn\f5\fs28\dbch\af6 Heading;}
{\s18\sbasedon0\snext18\loch\sl276\slmult1\sb0\sa140 Text Body;}
{\s19\sbasedon18\snext19\rtlch\af7 \ltrch\loch\sl276\slmult1\sb0\sa140 List;}
{\s20\sbasedon0\snext20\rtlch\af7\afs24\ai \ltrch\loch\sb120\sa120\noline\fs24\i Caption;}
{\s21\sbasedon0\snext21\rtlch\af7\alang255 \ltrch\lang255\langfe255\loch\noline\lang255\dbch\langfe255 Index;}
}{\*\listtable{\list\listtemplateid1
{\listlevel\levelnfc23\leveljc0\levelstartat0\levelfollow0{\leveltext \'01\u183 ?;}{\levelnumbers;}\f1\loch\fs22\b0\fi0\li0}
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow0{\leveltext \'02\'01.;}{\levelnumbers\'01;}\fi-360\li1080}
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow0{\leveltext \'02\'02.;}{\levelnumbers\'01;}\fi-360\li1440}
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow0{\leveltext \'02\'03.;}{\levelnumbers\'01;}\fi-360\li1800}
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow0{\leveltext \'02\'04.;}{\levelnumbers\'01;}\fi-360\li2160}
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow0{\leveltext \'02\'05.;}{\levelnumbers\'01;}\fi-360\li2520}
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow0{\leveltext \'02\'06.;}{\levelnumbers\'01;}\fi-360\li2880}
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow0{\leveltext \'02\'07.;}{\levelnumbers\'01;}\fi-360\li3240}
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow0{\leveltext \'02\'08.;}{\levelnumbers\'01;}\fi-360\li3600}\listid1}
{\list\listtemplateid2
{\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0}
{\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0}
{\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0}
{\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0}
{\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0}
{\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0}
{\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0}
{\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0}
{\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0}\listid2}
}{\listoverridetable{\listoverride\listid1\listoverridecount0\ls1}{\listoverride\listid2\listoverridecount0\ls2}}{\*\generator LibreOffice/7.2.1.2$Windows_X86_64 LibreOffice_project/87b77fad49947c1441b67c559c339af8f3517e22}{\info{\creatim\yr0\mo0\dy0\hr0\min0}{\revtim\yr2021\mo12\dy10\hr9\min1}{\printim\yr0\mo0\dy0\hr0\min0}}{\*\userprops}\deftab720
\hyphauto1\viewscale100
{\*\pgdsctbl
{\pgdsc0\pgdscuse451\pgwsxn12240\pghsxn15840\marglsxn1440\margrsxn1440\margtsxn1440\margbsxn1440\pgdscnxt0 Default Page Style;}}
\formshade\paperh15840\paperw12240\margl1440\margr1440\margt1440\margb1440\sectd\sbknone\pgndec\sftnnar\saftnnrlc\sectunlocked1\pgwsxn12240\pghsxn15840\marglsxn1440\margrsxn1440\margtsxn1440\margbsxn1440\ftnbj\ftnstart1\ftnrstcont\ftnnar\aenddoc\aftnrstcont\aftnstart1\aftnnrlc
{\*\ftnsep\chftnsep}\pgndec\pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch\sl240\slmult1\ql\sb0\sa200\ltrpar{\hich\af4\loch\fs32\lang1033\b\f4\loch
WinEventLog Autoruns}
\par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch\sl276\slmult1\ql\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\b0\f4\loch
Autoruns is a tool developed by Sysinternals that allows you to view all of the locations in Windows where applications can insert themselves to launch at boot or when certain applications are opened. Malware often takes advantages of these locations to ensure that it runs whenever your computer boots up. The script can be downloaded from }{{\field{\*\fldinst HYPERLINK "https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog" }{\fldrslt {\hich\af4\loch\fs22\lang1033\b0\f4\loch
https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog}}}}
\par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch\sl276\slmult1\ql\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\b0\f4\loch
More about Autoruns at: }{{\field{\*\fldinst HYPERLINK "https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx" }{\fldrslt {\hich\af4\loch\fs22\lang1033\b0\f4\loch
https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx}}}}
\par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch\sl276\slmult1\ql\sb0\sa200\ltrpar{\hich\af4\loch\fs32\lang1033\b\f4\loch
Installation}
\par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch\sl276\slmult1\ql\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\b0\f4\loch
From an }{\hich\af4\loch\fs22\lang1033\ul\ulc0\b0\f4\loch
Admin Powershell Console}{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch
run }{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\highlight16\f4\loch
.\\Install.ps1}{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch
. The script will:}
\par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch{\listtext\pard\plain \hich\af4\loch\f4\fs22\b0 \u183\'b7\tab}\ilvl0\ls1 \li720\ri0\lin720\rin0\fi0\sl276\slmult1\ql\li720\ri0\lin720\rin0\fi-360\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch
Create a directory at c:\\Program Files\\AutorunsToWinEventLog to store and forward all logs}
\par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch{\listtext\pard\plain \hich\af4\loch\f4\fs22\b0 \u183\'b7\tab}\ilvl0\ls1 \li720\ri0\lin720\rin0\fi0\sl276\slmult1\ql\li720\ri0\lin720\rin0\fi-360\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch
Copy over AutorunsToWinEventLog.ps1 to the same directory}
\par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch{\listtext\pard\plain \hich\af4\loch\f4\fs22\b0 \u183\'b7\tab}\ilvl0\ls1 \li720\ri0\lin720\rin0\fi0\sl276\slmult1\ql\li720\ri0\lin720\rin0\fi-360\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch
Download Autorunsc64.exe from }{{\field{\*\fldinst HYPERLINK "https://live.sysinternals.com" }{\fldrslt {\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch
https://live.sysinternals.com}}}}
\par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch{\listtext\pard\plain \hich\af4\loch\f4\fs22\b0 \u183\'b7\tab}\ilvl0\ls1 \li720\ri0\lin720\rin0\fi0\sl276\slmult1\ql\li720\ri0\lin720\rin0\fi-360\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch
Create a scheduled task to run the install }{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch
s}{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch
cript daily at 1100}
\par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch\sl276\slmult1\ql\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch
To run the task without waiting, open scheduled tasks library and execute it from there.}
\par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch\sl276\slmult1\ql\sb0\sa200\ltrpar{\hich\af4\loch\fs32\lang1033\ulnone\ulc0\b\f4\loch
What Does AutorunsToWinEventLog do}
\par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch\sl276\slmult1\ql\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch
Autoruns conveniently includes a non-interactive command line utility. This code generates a CSV of Autoruns entries, converts them to JSON, and finally inserts them into a custom Windows Event Log. By doing this, we can take advantage of our existing WEF infrastructure to get these entries into our SIEM and start looking for signs of malicious persistence on endpoints and servers.}
\par }

3
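--- /dev/null
+++ b/8 Tools/SCCMSog.md
@@ -0,0 +1,3 @@
+create windows 2019 server
+https://www.youtube.com/watch?v=amrg_mlFvuk&t=2078s&ab_channel=PatchMyPC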

BIN
8 Tools/Shodan S.O.P..pdf Normal file

Binary file not shown.

BIN
8 Tools/Ventoy S.O.P.pdf Normal file

Binary file not shown.

22
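--- /dev/null
+++ b/8 Tools/bpf.md
@@ -0,0 +1,22 @@
+location in SO - /opt/so/saltstack/local/pillar/global.sls
+block range
+- no net <IP>/<CIDR>
+block ipv6
+- no ip6
+block host
+- no host <IP>
+block port
+- no <PORT>
+```
+steno:
+- no 443 &&
+- no net 10.1.5.0/24 &&
+- no ip6
+nid:
+- no net 10.1.5.0/24 &&
+- no host 20.1.8.2
+zeek:
+- no net 10.1.5.0/24
+```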
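Review bot: The filter fragments in the fenced block (`- no 443 &&`, `- no net 10.1.5.0/24`, `- no ip6`) are not BPF syntax, which uses `not` and needs a qualifier for ports: `not port 443`, `not net 10.1.5.0/24`, `not host 20.1.8.2`, `not ip6`. If `no` is deliberate shorthand for personal notes that is fine, but anyone pasting these into global.sls as written will get a filter that fails to compile, and the pillar key in the Security Onion docs I recall is `nids:` rather than `nid:` (unverified, please confirm against the docs for your SO version). It is also worth a line under the `steno:` example noting that an exclusion there removes that traffic from full packet capture permanently, e.g. `# steno exclusions mean no PCAP for that traffic; exclude only known-noisy hosts/nets`.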


@ -0,0 +1,23 @@
[Download rocky linux](https://rockylinux.org/download)
dnf update
dnf upgrade
dnf install epel-release ntfs-3g *ntfs* ansible screen
Grab DCWS/Ansible directory USB - format as NTFS
make dco_admin in sudoers
mkdir -p /data/media/
cd /data/media
mkdir drivers isos licenses qcows sdks splunk vmware
- ansible (make dco_admin in sudoers)
- intel-icen-1.10.3.0.zip -> /drivers
- vmware-7.0.3-esxi.iso -> /isos
- vmware-7.0.3-vcenter.iso -> /isos
- vsan-sdk-python.zip -> /sdks
- splunk-add-on-for-microsoft-windows_812.tgz -> /splunk
- splunk-add-on-for-unix-and-linux_830.tgz -> /splunk
- ansible_main -> /opt
Switch
reset physically on front
3 commands
ansible-playbook 02_infastructure.yml

36
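--- /dev/null
+++ b/8 Tools/remnux.md
@@ -0,0 +1,36 @@
+# Created by Cpl Iverson, Matthew
+minimum specs
+RAM: 4GB
+Hard drive: 60GB
+install ubuntu
+continue
+minimal install, download updates while installing ubuntu
+erase disk
+continue
+your timezone
+swap .iso with disk
+dont upgrade
+update
+open terminal
+```
+sudo apt install curl
+wget https://REMnux.org/remnux-cli
+mv remnux-cli remnux
+chmod +x remnux
+sudo mv remnux /usr/local/bin
+sudo apt install -y gnupg
+sudo remnux install
+sudo reboot
+```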
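Review bot: `remnux-cli` is fetched with `wget`, moved into `/usr/local/bin` and then run as root via `sudo remnux install` with no integrity check in between; the REMnux install page publishes a SHA-256 for the CLI, so add a verification step after the download, e.g. `sha256sum remnux-cli` and compare against `<PUBLISHED_SHA256>` before `chmod +x`. Also, the block installs `curl` but then downloads with `wget`, so either `sudo apt install curl wget` or download with `curl -LO https://REMnux.org/remnux-cli` so the step works on a minimal install where wget may be absent.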

48
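--- /dev/null
+++ b/8 Tools/rita.md
@@ -0,0 +1,48 @@
+- By Cpl Iverson, Matthew
+## Overview
+RITA is an open-source framework for network traffic analysis.
+The framework ingests Zeek Logs in TSV format, and currently supports the following major features:
+- Beaconing Detection: Search for signs of beaconing behavior in and out of your network
+- DNS Tunneling Detection Search for signs of DNS-based covert channels
+- Blacklist Checking: Query blacklists to search for suspicious domains and hosts
+## Requirements
+#### Without ZEEK
+CPU: 2+
+Ram: 16GB+
+STORAGE: 40GB
+#### With ZEEK
+CPUs: 3-8
+RAM: 16GB - 128GB
+STORAGE: 300GB+
+NICs: 2
+normal ubuntu install
+```
+sudo apt install git
+git clone https://github.com/activecm/rita.git
+cd /rita
+sudo ./install.sh
+```
+```
+Would you like to continue running the zeek configuration script and generate a new node.cfg file?
+y
+Would you like to include it as a sniff interface (y/n)?
+y
+```enp2s0```
+would you like to replace the existing node.cfg with the above file?
+yes
+sudo apt install zkg
+zkg install zeek/activecm/zeek-open-connections
+```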
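Review bot: `cd /rita` on the line after `git clone https://github.com/activecm/rita.git` points at the filesystem root, but the clone creates `./rita` in the current directory, so the next step `sudo ./install.sh` will not find the script; it should be `cd rita`. The second fenced block also opens before the zeek configuration prompts, contains an inline ```` ```enp2s0``` ```` and only closes after `zkg install ...`, which renders the prompts and the two shell commands as one code block; closing the prompt block after the final `yes` and putting `sudo apt install zkg` / `zkg install zeek/activecm/zeek-open-connections` in their own block would read cleaner. Since `install.sh` runs with sudo straight from a clone of the default branch, a short note to check out a tagged release first (`git checkout <RELEASE_TAG>`) would make the install reproducible.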

112
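--- /dev/null
+++ b/8 Tools/syslogSOG.md
@@ -0,0 +1,112 @@
+[Create Syslog Server Video](https://www.youtube.com/watch?v=Cw-TXDirgcQ&ab_channel=EdGoad)
+1. Instal OS
+install fedora 40 server
+```
+dnf update
+dnf upgrade
+```
+2. Configure Log Location
+```
+mkdir /var/log/syslog
+```
+3. Open Firewall
+```
+firewall-cmd --get-default-zone
+<ZONE> // This zone is put below
+firewall-cmd --zone=<ZONE> --add-port=514/udp --permanent
+firewall-cmd --zone=<ZONE> --add-port=514/tcp --permanent
+firewall-cmd --reload
+```
+trouble shooting with fedora firewall-cmd
+```
+firewall-cmd --get-zones
+```
+4. Install rsyslog
+```
+dnf install rsyslog
+vi /etc/rsyslog.conf
+```
+uncomment # in the front of the lines
+scroll to bottom of file
+```
+$template PerHostLog,"/var/log/syslog/%HOSTNAME%.log"
+if $fromhost-ip startswith '10.' then -?PerHostLog
+& STOP
+```
+5. Test syslog server
+```
+cd /opt
+wget https://raw.githubusercontent.com/edgoad/syslog-generator/master/syslogGen1.sh
+// change SOURCES to what files your range from what you specified above
+SOURCES=
+// Change DEST_IP to your IP of your syslog server
+//uncomment line towards bottom `#echo` to see when script is functioning
+```
+6. Setup Logrotate
+```
+cd /etc/logrotate.d/
+cp rsyslog syslog
+vi syslog
+```
+```
+// add syslog folder to file at the top
+/var/log/syslog/*.log
+// next add three lines inside the {}
+// these lines will be to rotate in a year, expire after a year and create new logs daily for each IP
+rotate 365
+maxage 366
+daily
+```
+/etc/logrotate.d/syslog file
+7. Point remote syslogs to your syslog server
+8. Set up splunk universal forwarder on syslog server
+[Setup Splunk Universal Forwarder](https://www.youtube.com/watch?v=smyLZ6ataK0&embeds_referring_euri=https%3A%2F%2Fcdn.iframe.ly%2F&source_ve_path=MjM4NTE)
+install the 64 tar
+```
+wget -O splunkforwarder-9.2.1-78803f08aabb-Linux-x86_64.tgz "https://download.splunk.com/products/universalforwarder/releases/9.2.1/linux/splunkforwarder-9.2.1-78803f08aabb-Linux-x86_64.tgz"
+```
+```
+useradd -m splunkfwd
+groupadd splunkfwd
+export SPLUNK_HOME="/opt/splunkforwarder"
+mkdir $SPLUNK_HOME
+```
+```
+tar xvzf splunkforwarder_package_name.tgz
+```
+```
+chown -R splunkfwd:splunkfwd $SPLUNK_HOME
+sudo $SPLUNK_HOME/bin/splunk start --accept-license
+$SPLUNK_HOME/bin/splunk add forward-server <IP>:<PORT>
+$SPLUNK_HOME/bin/splunk restart
+$SPLUNK_HOME/bin/splunk add monitor /var/log/syslog
+```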
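Review bot: The rsyslog template `$template PerHostLog,"/var/log/syslog/%HOSTNAME%.log"` builds a file path from the HOSTNAME field of the received message, which the sending host controls; rsyslog's property options exist for exactly this case, so the line should be `$template PerHostLog,"/var/log/syslog/%HOSTNAME:::secpath-replace%.log"` (or `secpath-drop`) so that `/` characters in a hostname cannot place a log file outside `/var/log/syslog`. The `if $fromhost-ip startswith '10.'` rule restricts which senders are written but does nothing to sanitise the name. In the forwarder block, `useradd -m splunkfwd` followed by `groupadd splunkfwd` will likely fail on the second command, because useradd on Fedora creates a same-named group by default — swap the two lines or drop `groupadd` (inferred from Fedora defaults; confirm on the target). The forwarder tarball is also fetched with `wget` and unpacked with no integrity check; Splunk publishes a checksum next to each download, so add a `sha512sum` comparison against `<PUBLISHED_SHA512>` before `tar xvzf`.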


@ -0,0 +1,15 @@
Host Visibility — Security Onion 2.3 documentation
***Modifying the Winlogbeat.yaml to work with the OSSysbeat.ps1 script to set up the shipping of host logs to Security Onion***
Right click and edit the winlogbeat.yaml file
Scroll down to the “winlogbeat.event_logs:” section
The bottom line of this section should read as follows:
name: Microsoft-Windows-Sysmon/Operational
Scroll down to the Elasticsearch section and comment out the host's line
Scroll down to the Logstash section and uncomment the “output.logstash:” line and the “hosts” line below it
Then, change the IP in the square brackets to be the IP address of our security onion sensor
Ctrl + S to save, close the file
by cpl adams