A collaborative collection of scripts, tools, and SIEM detection rules for configuring, managing, and monitoring Zero Networks, actively contributed by the community and Zero Networks
Segment · Connect · Trust Meter · Red & Blue Team Tools
Active Directory (2)
- Get-ADGPOsWithFWRules.ps1 - Gets any firewall rules associated with other AD group policies (GPOs)
- purgeKerberosOnHosts.ps1 - This script accepts a CSV of remote Windows servers and runs several commands useful for forcing GPO processing

Asset Management (7)
- CreateOTAssets.ps1 - Simple API call to add an OT/IoT asset entry to Zero Networks
- get-AssetsStaleConnection.ps1
- Get-NoIPAssets.ps1
- Move-ProtectToLearning.ps1
- Unprotect-ZNLearningButNotConnected.ps1
- enrollLinuxAsset.ps1 - This script accepts a CSV of Linux servers and adds them to the Zero Networks dashboard as manual Linux assets.
- auditMonitoredAssets.ps1 - This script accepts a CSV of assets which SHOULD be monitored and queries the ZN API to check whether they are showing as monitored.

Rules (2)
- Update-ZNBlockRulewithRiskyIps.ps1
- Update-ZNOutboundBlockfromURLFile.ps1

Troubleshooting (4)
- CollectSMBDetails.ps1
- Network Port Connectivity Check.ps1 - Runs a network connectivity test from clients to the Trust Server on the required ports, based on the deployment guide
- ZN_Troubleshooter_v01.ps1
- ZNConnectivityTest.ps1

Trust Server (4)
- Add-ZNOutboundRulesProtectGPO.ps1
- breakglass-single.ps1
- Logs - Parse WinRM from Trust Server logs and Summarize.ps1 - Sample script that parses the Trust Server logs and summarizes the last 1000 entries for quick troubleshooting
- Logs - znlog-filter.ps1 - Sample script that parses the Trust Server WinRM logs, including those inside zip archives.
- MFA Push - getSecretMicrosoftAuth.ps1
- Settings - Add-ZNTrustedInternetAddresses.ps1 - Simple API call to add Trusted Internet IPs

Examples (4)
- Ex1 - Simple scan for open ports on all AD assets.ps1 - Example 1 - Scans for open ports on any AD asset within the domain
- Ex2 - Simple scan for open ports on all AD Assets in Forest.ps1 - Example 2 - Scans for open ports on any AD asset within the AD forest
- Ex3 - Scan an list of IP Ranges.ps1 - Example 3 - Scans for open ports on AD assets and on any IP residing in the provided input IP ranges
- Ex4 - Scan for open ports and parse JSON output.ps1 - Example 4 - Scans for open ports on any asset and IP range, then parses the JSON results from the report
- POC - POC_TrustMeter_ScanManagedAssets.ps1 - Performs a network port scan on assets managed by Zero Networks.
SIEM detection rules built on Zero Networks connection event telemetry. Rules are provided for Microsoft Sentinel (KQL), Splunk (SPL), Elastic (EQL), and Chronicle (YARA-L) and cover four threat categories:
| Category | Rules | What it detects |
|---|---|---|
| Lateral Movement | 5 | New asset pairs, port fanout, first SMB/RDP/WinRM, OT/IT boundary crossing, dangerous RPC |
| Ransomware Precursors | 4 | SMB share fanout, new SMB source, dormant host reactivation, rapid port scan |
| C2 / Exfiltration | 4 | First external destination, beaconing pattern, high outbound volume, cloud storage upload |
| Privilege & Credential Abuse | 4 | Service account to workstation, multi-machine auth spread, off-hours DC access, DCSync/SAMR |
See Detections/README.md for deployment instructions, baseline requirements, and tuning guidance.
If you have a script you would like to share to the community or improvements on an existing script, your help is welcome!
- Create a personal fork of the project on GitHub.
- Clone the fork on your local machine. Your remote repo on GitHub is called `origin`.
- Add the original repository as a remote called `upstream`.
- If you created your fork a while ago, be sure to pull upstream changes into your local repository.
- Add your script to an existing folder/subfolder or update an existing script with your improvements.
- Comment the script so others can understand how the code works.
- Commit and push your changes to your remote repo `origin`.
- Submit a pull request so your changes can be reviewed and added to the Zero Networks Community Repo.
- Once the pull request is approved and merged, you can pull the changes from `upstream` to your local repo.