Linux persistence techniques as a map

Pepe Berba has created a nice overview of linux persistence techniques as a maphttps://pberba.github.io/security/2021/11/22/linux-threat-hunting-for-persistence-sysmon-auditd-webshell/

Linux persistence map v0.2 from pberba

It shows places/locations/paths for persistense in systemd-generators, motd, /usr/sbin/cron (Cron Scheduler), rootkits, /sbin/init [PID 1] (System systemd), web server (web shells), systemd --user (User systemd), /usr/sbin/sshd (SSH Daemon), /bin/bash (Login Shell), user systemd-generators, user systemd timers, user systemd services, etc and its mitre attack technique ids. 

Git for Windows - Git uses certificate from internal PKI

If you initially want to git clone a repository from an internal git system from a windows system and the internal git system uses a certificate from a internal PKI, you'll receive an error: SSL certificate problem: self signed certificate in certificate chain

PS C:\Users\flo\Splunk>
PS C:\Users\flo\Splunk> git clone https://git.domain.tld/ansible-playbooks/carbonblack-threatfeeds.git
Cloning into 'carbonblack-threatfeeds'...
fatal: unable to access 'https://git.domain.tld/ansible-playbooks/carbonblack-threatfeeds.git/': SSL certificate problem: self signed certificate in certificate chain
PS C:\Users\flo\Splunk>
PS C:\Users\flo\Splunk>

Check your windows git settings with git config -l. In the attribute http.sslcainfo is the ca-cert-bundle-file, which is used by git as certification authority certificate store.

PS C:\Users\flo\Splunk>
PS C:\Users\flo\Splunk> git config -l
diff.astextplain.textconv=astextplain
filter.lfs.clean=git-lfs clean -- %f
filter.lfs.smudge=git-lfs smudge -- %f
filter.lfs.process=git-lfs filter-process
filter.lfs.required=true
http.sslbackend=openssl
http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
core.autocrlf=true
core.fscache=true
core.symlinks=false
pull.rebase=false
credential.helper=manager-core
credential.https://dev.azure.com.usehttppath=true
init.defaultbranch=master
user.email=flo@some.mail
user.name=flo
core.editor="C:\Users\flo\AppData\Local\Programs\Microsoft VS Code\Code.exe" --wait
PS C:\Users\flo\Splunk>
PS C:\Users\flo\Splunk>

So append your CA certificate in the file "C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt". Then it works:

PS C:\Users\flo\Splunk>
PS C:\Users\flo\Splunk> git clone https://git.domain.tld/ansible-playbooks/carbonblack-threatfeeds.git
Cloning into 'carbonblack-threatfeeds'...
remote: Enumerating objects: 104, done.
remote: Counting objects: 100% (104/104), done.
remote: Compressing objects: 100% (58/58), done.
remote: Total 104 (delta 50), reused 93 (delta 40), pack-reused 0 eceiving objects:  34% (36/104)
Receiving objects: 100% (104/104), 20.03 KiB | 2.86 MiB/s, done.
Resolving deltas: 100% (50/50), done.
PS C:\Users\flo\Splunk>
PS C:\Users\flo\Splunk>

Cribl - Change values to lowerCase

Some logs (e.g. Microsoft Azure) sometimes are not fully normalized to all lowercase characters. You can use Cribl to adjust those values by...