MHaggis
/ redcanary_requests.py
Created
October 4, 2017 15:17
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import os.path | |
| import sys | |
| import json | |
| from datetime import datetime | |
| import requests | |
| TIMEFILE="/opt/splunk/etc/apps/redcanary_app_analysis/bin/redcanary.lastrun" | |
| #TIMEFILE2="/opt/splunk/etc/apps/redcanary_app_analysis/redcanary2.lastrun" |
MHaggis
/ Chain Reaction - Reactor
Last active
January 29, 2018 19:10
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| :: Chain Reaction - Reactor | |
| :: | |
| :: | |
| :: Tactic: Discovery | |
| :: Technique: System Owner/User Discovery: https://attack.mitre.org/wiki/Technique/T1033 | |
| :: Single Endpoint | |
| :: for /F "tokens=1,2" %%i in ('qwinsta /server:<COMPUTERNAME> ^| findstr "Active Disc"') do @echo %%i | find /v "#" | find /v "console" || echo %%j > usernames.txt |
MHaggis
/ SafeConnect.json
Created
February 8, 2018 16:59
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "da12b58c5b20b52bb3f7fe3fa545e236": { | |
| "md5": ["da12b58c5b20b52bb3f7fe3fa545e236"] | |
| }, | |
| "c5c68606e1e3baabb45644a34ceb36c6": { | |
| "md5": ["c5c68606e1e3baabb45644a34ceb36c6"] | |
| }, | |
| "3871d542cfac9dd8af62b8c05ea7304a": { | |
| "md5": ["3871d542cfac9dd8af62b8c05ea7304a"] | |
| }, |
MHaggis
/ ware_behaviors.json
Created
February 23, 2018 12:08
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "wmic": { | |
| "process_name": ["wmic.exe"], | |
| "cmdline": ["wmic shadowcopy delete"] | |
| }, | |
| "Vssadmin": { | |
| "process_name": ["vssadmin.exe"], | |
| "cmdline": ["vssadmin delete shadows /all /quiet"] | |
| }, | |
| "bcdedit": { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Cl_invocation.ps1": { | |
| "cmdline": ["Cl_invocation.ps1"] | |
| }, | |
| "manage-bde": { | |
| "cmdline": ["manage-bde.vbs"] | |
| }, | |
| "pubprn": { | |
| "process_name": ["pubprn.vbs"] | |
| }, |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| """ | |
| OVERVIEW | |
| Extract selected sensor information from Cb Response. | |
| """ | |
| import argparse | |
| import csv |
MHaggis
/ Carbon Black Response - Splunk Hunting
Last active
November 26, 2018 16:52
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### Stats | |
| | metadata type=sourcetypes index=carbonblack | |
| `cb` | stats values(computer_name) | |
| `cb` type=alert | stats values(docs{}.endpoint) by watchlist_name | |
| `cb` notification_type="watchlist.hit.*" | stats values(watchlist_name) | |
| `cb` | stats values(feed_name) |
MHaggis
/ interestingfiles.json
Created
January 31, 2019 19:50
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "passwords": { | |
| "cmdline": ["passwords.txt", | |
| "password.txt", | |
| "passw.txt", | |
| "password.doc", | |
| "passwords.doc", | |
| "password.doc", | |
| "passwords.docx", | |
| "pwd.txt", |
MHaggis
/ Install Atomic Red Team
Last active
February 8, 2019 15:55
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://bit.ly/2MRBzTo')" | |
| powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://psinstall.atomicredteam.com')" | |
| powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/execution-frameworks/Invoke-AtomicRedTeam/install-atomicredteam.ps1')" |
MHaggis
/ iocs_to_definition.py
Created
February 26, 2019 16:56
— forked from keithmccammon/iocs_to_definition.py
Make a Surveyor definition given a file full of indicators, one per line. Warning: This is a hack and performs no grouping. It's just a really fast means of asking Cb Response "where do these things appear?"
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| """ | |
| To use me: | |
| 1) Make a file full of indicators, one per line, call it indicators.txt. | |
| NOTE: This was written to handle IP addresses. Change line 40 from ipaddr to md5 if passing hashes. | |
| 2) python iocs_to_definition.py indicators.txt |