This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
function Invoke-Mimikatz | |
{ | |
<# | |
.SYNOPSIS | |
This script leverages Mimikatz 2.1.1 and Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory. This allows you to do things such as | |
dump credentials without ever writing the mimikatz binary to disk. | |
The script has a ComputerName parameter which allows it to be executed against multiple computers. | |
This script should be able to dump credentials from any version of Windows through Windows 8.1 that has PowerShell v2 or higher installed. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
SyslogFacility AUTH | |
LogLevel INFO | |
PermitRootLogin no | |
StrictModes yes | |
MaxAuthTries 2 | |
MaxSessions 2 | |
AuthorizedKeysFile .ssh/authorized_keys | |
IgnoreRhosts yes | |
PasswordAuthentication no | |
PermitEmptyPasswords no |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Name for the feed | |
- name: 'AlienVault' | |
# Hostname/Domain - cannot be a URL | |
host: 'otx.alienvault.com' | |
port: 443 | |
# Discovery/Inbox path, usually documented on the TAXII service's site. | |
discovery_path: /taxii-discovery-service/ | |
inbox_path: /taxii-data | |
rate_limit: 2 | |
rate_limit_threshold: 2 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
# Run 'run-taxii-poll.py' to poll taxii feeds. | |
# Set start and end time for the time range of the poll | |
export START=$(date --date='8 hours ago' "+%Y-%m-%dT%H:%M:%S") | |
export END=$(date "+%Y-%m-%dT%H:%M:%S") | |
# Timestamp for the log file | |
export TS=$(date '+%Y.%m.%d_%H.%M.%S') |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#! /usr/bin/python | |
# Requirement: run python -m pip install eml_parser | |
# Syntax: python.exe .\dump_eml.py . .\dumpfile.txt | |
import os,sys,datetime | |
import eml_parser,json | |
separator = "\\" | |
def json_serial(obj): | |
if isinstance(obj, datetime.datetime): |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import requests | |
import json | |
import sys | |
import time | |
import datetime | |
from requests.auth import HTTPBasicAuth | |
import logging | |
import elasticsearch | |
import geoip | |
import traceback |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
powershell.exe -ep bypass -ec KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACIAaAB0AHQAcABzADoALwAvAGQAbwB3AG4AbABvAGEAZAAuAHMAeQBzAGkAbgB0AGUAcgBuAGEAbABzAC4AYwBvAG0ALwBmAGkAbABlAHMALwBTAHkAcwBtAG8AbgAuAHoAaQBwACIALAAiAGMAOgBcAHUAcwBlAHIAcwBcACQAZQBuAHYAOgB1AHMAZQByAG4AYQBtAGUAXABhAHAAcABkAGEAdABhAFwAbABvAGMAYQBsAFwAdABlAG0AcABcAHMAeQBzAG0AbwBuAC4AegBpAHAAIgApADsARQB4AHAAYQBuAGQALQBBAHIAYwBoAGkAdgBlACAALQBGAG8AcgBjAGUAIAAtAFAAYQB0AGgAIAAiAGMAOgBcAHUAcwBlAHIAcwBcACQAZQBuAHYAOgB1AHMAZQByAG4AYQBtAGUAXABhAHAAcABkAGEAdABhAFwAbABvAGMAYQBsAFwAdABlAG0AcABcAHMAeQBzAG0AbwBuAC4AegBpAHAAIgAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuAFAAYQB0AGgAIAAiAGMAOgBcAHUAcwBlAHIAcwBcACQAZQBuAHYAOgB1AHMAZQByAG4AYQBtAGUAXABhAHAAcABkAGEAdABhAFwAbABvAGMAYQBsAFwAdABlAG0AcABcAHMAeQBzAG0AbwBuACIAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAIgBoAHQAdABwAHMAOgAvAC8AcgBhAHcALgBnAGkAdABoAHUAYg |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#! /usr/bin/python3 | |
misp_url = '<misp url>' | |
misp_key = '<apikey>' | |
misp_verifycert = True | |
relative_path = 'events/restSearch' | |
body = { | |
"returnFormat": "json", | |
"timestamp": "90d", | |
"published": 0 | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sourcetype IN (<replace this with the sourcetype for your aad/o365 audit log data in Splunk. e.g.:"aad,o365">) | |
(Operation IN ("Set domain authentication*","Set federation settings on domain*") | |
OR Operation="Update application*" | |
OR Operation IN ("Update service principal*","Add service principal credentials*") | |
OR Operation="Add app role assignment*" | |
OR Operation IN ("Add OAuth2PermissionGrant*","Consent to application*") | |
OR (Operation IN ("UserLoggedIn*","UserLoginFailed*") ExtendedProperties{}.Value="16457" ) | |
OR (Operation="MailboxLogin*" AND *Powershell* ) | |
OR a0c73c16-a7e3-4564-9a95-2bdf47383716 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
# Find A records that resolve to CNAME where the CNAME is not resolving (NXDOMAIN) | |
export results=() | |
find_dangling(){ | |
if ! [ -z $2 ] | |
then | |
dig $2 | grep -q NXDOMAIN | |
if [ $? -eq 0 ] |