This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os,sys | |
| import requests | |
| import hmac | |
| import hashlib | |
| import datetime | |
| import base64,time | |
| import subprocess | |
| BHE_TOKEN_ID = "<replace me>" | |
| BHE_TOKEN_KEY = "<replace me>" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // To compile:x86_64-w64-mingw32-g++ -shared -fno-stack-protector -o bacon.cpl bacon.c | |
| // To run: rundll32.exe shell32.dll,Control_RunDLL beacon.cpl | |
| // To run: control.exe beacon.cpl | |
| #include <windows.h> | |
| #include <tlhelp32.h> | |
| #include <winternl.h> | |
| typedef NTSTATUS (NTAPI * NtCreateThreadEx_t)( | |
| OUT PHANDLE hThread, | |
| IN ACCESS_MASK DesiredAccess, |
ag-michael
/ gist:bb97d6b4253e016de1c787cd5282c4cc
Created
December 13, 2021 19:20
Log4j exploit regex
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| .*jndi:(ldap|ldaps|rmi|dns).*/ | |
| .*j\}.*n\}.*d\}.*i\}.*:\/\/.*/ | |
| .*lower:jndi.*:\/\/.*/ | |
| .*\$\{::.*:\w{3,6}:\/\/.* |
ag-michael
/ Browser-Cleanup.ps1
Last active
August 31, 2021 17:27
Browser-Cleanup: Remove push notificaiton exemptions and non-exempt extensions
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .SYNOPSIS | |
| Reset push-notification exceptions and remove non-exempt extensions. | |
| With just the -User, it lists the changes that will be made. | |
| .PARAMETER User | |
| The User profile name name in C:\Users\ | |
| .PARAMETER Clean | |
| Commit changes by removing notification exemptions and extensions directories | |
| .PARAMETER KillBrowsers | |
| Kill running browser processes |
ag-michael
/ find_dangling_cname.sh
Last active
June 29, 2022 19:30
Dangling CNAME DNS records: Find A records that resolve to CNAME where the CNAME is not resolving (NXDOMAIN)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Find A records that resolve to CNAME where the CNAME is not resolving (NXDOMAIN) | |
| export results=() | |
| find_dangling(){ | |
| if ! [ -z $2 ] | |
| then | |
| dig $2 | grep -q NXDOMAIN | |
| if [ $? -eq 0 ] |
ag-michael
/ Sparrow.spl
Created
December 29, 2020 16:14
A Splunk query to replicate CISA's Sparrow script's queries: https://raw.githubusercontent.com/NoMoreFood/Sparrow/develop/Sparrow.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sourcetype IN (<replace this with the sourcetype for your aad/o365 audit log data in Splunk. e.g.:"aad,o365">) | |
| (Operation IN ("Set domain authentication*","Set federation settings on domain*") | |
| OR Operation="Update application*" | |
| OR Operation IN ("Update service principal*","Add service principal credentials*") | |
| OR Operation="Add app role assignment*" | |
| OR Operation IN ("Add OAuth2PermissionGrant*","Consent to application*") | |
| OR (Operation IN ("UserLoggedIn*","UserLoginFailed*") ExtendedProperties{}.Value="16457" ) | |
| OR (Operation="MailboxLogin*" AND *Powershell* ) | |
| OR a0c73c16-a7e3-4564-9a95-2bdf47383716 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /usr/bin/python3 | |
| misp_url = '<misp url>' | |
| misp_key = '<apikey>' | |
| misp_verifycert = True | |
| relative_path = 'events/restSearch' | |
| body = { | |
| "returnFormat": "json", | |
| "timestamp": "90d", | |
| "published": 0 | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| powershell.exe -ep bypass -ec KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACIAaAB0AHQAcABzADoALwAvAGQAbwB3AG4AbABvAGEAZAAuAHMAeQBzAGkAbgB0AGUAcgBuAGEAbABzAC4AYwBvAG0ALwBmAGkAbABlAHMALwBTAHkAcwBtAG8AbgAuAHoAaQBwACIALAAiAGMAOgBcAHUAcwBlAHIAcwBcACQAZQBuAHYAOgB1AHMAZQByAG4AYQBtAGUAXABhAHAAcABkAGEAdABhAFwAbABvAGMAYQBsAFwAdABlAG0AcABcAHMAeQBzAG0AbwBuAC4AegBpAHAAIgApADsARQB4AHAAYQBuAGQALQBBAHIAYwBoAGkAdgBlACAALQBGAG8AcgBjAGUAIAAtAFAAYQB0AGgAIAAiAGMAOgBcAHUAcwBlAHIAcwBcACQAZQBuAHYAOgB1AHMAZQByAG4AYQBtAGUAXABhAHAAcABkAGEAdABhAFwAbABvAGMAYQBsAFwAdABlAG0AcABcAHMAeQBzAG0AbwBuAC4AegBpAHAAIgAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuAFAAYQB0AGgAIAAiAGMAOgBcAHUAcwBlAHIAcwBcACQAZQBuAHYAOgB1AHMAZQByAG4AYQBtAGUAXABhAHAAcABkAGEAdABhAFwAbABvAGMAYQBsAFwAdABlAG0AcABcAHMAeQBzAG0AbwBuACIAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAIgBoAHQAdABwAHMAOgAvAC8AcgBhAHcALgBnAGkAdABoAHUAYg |
ag-michael
/ falcondump.py
Created
October 10, 2020 15:19
Dump Crowdstrike Falcon host data into elasticsearch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import requests | |
| import json | |
| import sys | |
| import time | |
| import datetime | |
| from requests.auth import HTTPBasicAuth | |
| import logging | |
| import elasticsearch | |
| import geoip | |
| import traceback |
ag-michael
/ dump_eml.py
Last active
October 4, 2020 20:20
Recursively dump parsed eml file information into a single text file for analysis
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /usr/bin/python | |
| # Requirement: run python -m pip install eml_parser | |
| # Syntax: python.exe .\dump_eml.py . .\dumpfile.txt | |
| import os,sys,datetime | |
| import eml_parser,json | |
| separator = "\\" | |
| def json_serial(obj): | |
| if isinstance(obj, datetime.datetime): |
NewerOlder