Ebryx Labs

__DFIR-scripts

Quick & Dirty DFIR scripts developed by Ebryx DFIR team to keep handy during field assignment

cwl-to-es

Send cloudwatch logs to Elasticsearch

dnsMonitor

A project to monitor DNS and point out stale values.

awsip

A project to check whether an IP address exists in Amazon infrastructure

ebryx

Repo for ebryx python library.

forestHog

Searches through git repositories for high entropy strings and secrets, digging deep into commit history

opencrypt

Symmetric encryption and decryption compatible with openSSL.

Vetter

Calculate hashes from files and check against VirusTotal (using the PublicAPIV3)

aws-role_credentials_leakage_monitor

Monitors if the AWS role credentials set on any of the EC2 instances are compromised

cbSweep

Sweeps IPs in bulk off of carbon black.

dExter

Checks userdata and launch templates of all EC2s against regexes.

gitSearch

Searches for repositories with keywords and then filter out individual files too.

ip_reputation_checker

For a file containing list of IPs, shares IP reputation results.

lbWafChecker

Checks WAF association for ALBs and alerts on slack.

s3_obj_downloader

Script to download objects from an S3 bucket

usm2jira

A project to push AlientVault USM alarms to JIRA automatically.

usmConnect

Checks status of USM sensors via selenium.

auto-elasticsearch

Gets targeted data out of elastic search automatically.

aws-cloudtrail-to-firehose

aws-cloudwatch_alarms_to_slack

Sends Cloudwatch alarms to Slack

aws-kinesis_demo_bruteforce_app

Fake bruteforce attempts on demo APIs and its detection via Kinesis Analytics app

elasticsearch-indices-deleter

Easily delete Elasticsearch indices by setting this script as a cron job and managed config file

sentinel-attack

Tools to rapidly deploy a threat hunting capability on Azure Sentinel that leverages Sysmon and MITRE ATT&CK

sysmon-config

Sysmon configuration file template with default high-quality event tracing

sysmon-modular

A repository of sysmon configuration modules