Initial commit

bin/py_pkg_update.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+rm -rf _tp_modules/* && \
+sudo pip install -r requirements.txt -t _tp_modules/

default/app.conf

@@ -0,0 +1,14 @@
+[package]
+id = Aisle25
+
+[install]
+is_configured = 0
+
+[ui]
+is_visible = 1
+label = Aisle25™
+
+[launcher]
+author = ecstatic-nobel
+description = "Use the username of failed logons seen in the Windows Security logs to determine the password of authorized users."
+version = 1.0.0

default/authorize.conf

@@ -0,0 +1,3 @@
+[capability::run_script_aisle25]
+[role_admin]
+run_script_aisle25 = enabled

default/commands.conf

@@ -0,0 +1,5 @@
+[aisle25]
+filename = aisle25.py
+local = true
+maxinputs = 0
+chunked = false

default/data/ui/nav/default.xml

@@ -0,0 +1,7 @@
+<nav search_view="search" >
+  <view name="pwdleak" default='true' />
+  <collection label="Misc" >
+    <view name="search" />
+    <view name="dashboards" />
+  </collection>
+</nav>

default/data/ui/views/pwdleak.xml

@@ -0,0 +1,51 @@
+<form>
+  <label>PwdLeak</label>
+  <description>Use the usernames of failed logins to determine the password of authorized users.</description>
+  <search id="Base_Search">
+    <query>$base_search$</query>
+    <earliest>$time_constraint.earliest$</earliest>
+    <latest>$time_constraint.latest$</latest>
+  </search>
+  <fieldset submitButton="true">
+    <input type="text" token="base_search">
+      <label>Base Search</label>
+      <default>sourcetype=wineventlog EventCode IN (4624, 2525)</default>
+      <initialValue>sourcetype=wineventlog EventCode IN (4624, 2525)</initialValue>
+    </input>
+    <input type="time" token="time_constraint">
+      <label>Time Constraint</label>
+      <default>
+        <earliest>-4h@m</earliest>
+        <latest>now</latest>
+      </default>
+    </input>
+  </fieldset>
+  <row>
+    <panel>
+      <title>$base_search$</title>
+      <table>
+        <search base="Base_Search">
+          <query>| table _time, EventCode, Account_Domain, Account_Name, ComputerName, Source_Network_Address
+| sort _time</query>
+        </search>
+        <option name="count">25</option>
+        <option name="drilldown">none</option>
+        <option name="refresh.display">preview</option>
+      </table>
+    </panel>
+    <panel>
+      <title>Results</title>
+      <table>
+        <search base="Base_Search">
+          <query>| table _time, EventCode, Account_Domain, Account_Name, ComputerName, Source_Network_Address
+| sort _time
+| aisle25
+| table Account_Domain, "Possible_Username", "Possible_Password", ComputerName, Source_Network_Address, "Password_Possibility"</query>
+        </search>
+        <option name="count">10</option>
+        <option name="drilldown">none</option>
+        <option name="refresh.display">preview</option>
+      </table>
+    </panel>
+  </row>
+</form>

metadata/default.meta

@@ -0,0 +1,35 @@
+
+# Application-level permissions
+
+[]
+access = read : [ * ], write : [ admin, power ]
+
+### EVENT TYPES
+
+[eventtypes]
+export = system
+
+
+### PROPS
+
+[props]
+export = system
+
+
+### TRANSFORMS
+
+[transforms]
+export = system
+
+
+### LOOKUPS
+
+[lookups]
+export = system
+
+
+### VIEWSTATES: even normal users should be able to create shared viewstates
+
+[viewstates]
+access = read : [ * ], write : [ * ]
+export = system

metadata/local.meta

@@ -0,0 +1,10 @@
+[nav/default]
+version = 7.1.3
+modtime = 1554581358.407871000
+
+[views/pwdleak]
+access = read : [ * ], write : [ admin, power ]
+export = none
+owner = admin
+version = 7.1.3
+modtime = 1554581407.198769000