Michael ag-michael

## thehivedump.py
import sys
import datetime
from thehive4py.api import TheHiveApi
from thehive4py.query import String

def mkstmp(ts,tfmt='%m/%d/%Y %H:%M CDT'):
        if not type(ts) is int:
                ts=int(ts)
        return datetime.datetime.fromtimestamp(ts/1000).strftime(tfmt)

## thehivefileobservable.py
def thehive_alert(alert):
    global CONFIG
    authheader={'Content-Type': 'application/json', 'Authorization': 'Bearer '+CONFIG['thehiveapikey']}
    print(requests.post("http://127.0.0.1:9000/api/alert",headers=authheader,data=json.dumps(alert),verify=False))

myfile=''
try:
    with open(fname,"rb") as f:
        myfile=fname+";text/plain;"+base64.b64encode(f.read())
except Exception:

## FalconHuntqueries.md

      
              1 file
            
          
              8 forks
            
          
              0 comments
            
          
              38 stars
            
          
                ag-michael
                / FalconHuntqueries.md
            
            
              Last active
              November 23, 2023 12:02
            
              
                Falcon hunt queries
              
          
    timestamp convert:


 convert ctime(timestamp/1000)

.top,.club,.xyz,.ru domain lookups where the amount of lookup for the domain is more than 1 and less than 4 per computer


aid=* event_simpleName=DnsRequest | regex DomainName=".*\.top$|.*\.club$|.*\.xyz$|.*\.ru$|[0-9]+.*\.\w$" | stats values(ComputerName) count by DomainName| where count &lt;4 | sort – count


## ADenrichment.html
<style>
#reportrow {
  position:relative;
  overflow-wrap:anywhere;
  border-bottom:solid 1px;
}
</style>

<div class="panel panel-info" ng-if="success">
    <div class="panel-heading">

## misp-dsv.py
#!/usr/bin/python2
import requests
import json

MISPAPI='<misp apikey>'
MISPURL='<misp url>'
BASE='/var/www/iocs/' #files under this path need to be served by a web-server
TYPES=['domain','ip-src','ip-dst','email-src','email-dst','email']
WHITELIST = "<white list file containing iocs that won't be exported>"

## thehive-alert-aging.py
#!/bin/env python2
import requests
import json
import time
import logging

logging.basicConfig(format='ThehiveAPI: %(asctime)-15s  %(message)s')
LOG = logging.getLogger('thehiveapi-alert-aging')
LOG.setLevel(logging.DEBUG)
alert_age=86400

## ldapquery.py
import ldap
import json
import datetime
import traceback

conf={
	'adurl':'ldaps://<ldapurl>',
	'domain':"corp.local",
	'computer_basedn':"",
	'person_basedn':"",

## ldapbindspray.py
import ldap
import json
import sys

def ldapbrute():
    ldap_obj = ldap.initialize("ldaps://domaincontroller.corp.local")
    ldap_obj.protocol_version = ldap.VERSION3
    ldap_obj.set_option(ldap.OPT_REFERRALS, 0)
    passwords=[]
    account=sys.argv[1]

## index_snapshot.py
#!/usr/bin/python3
"""
This script simply creats a snapshot of the configured index pattern
I use it with cron to create daily backups:
$ ln -s /usr/local/bin/index_snapshot.py /etc/cron.daily/

"""

import elasticsearch
import time

## ProcessMitigationPolicy.xml
<?xml version="1.0" encoding="UTF-8"?>
<root>
  <SystemConfig>
    <DEP Enable="true" EmulateAtlThunks="false" OverrideDEP="false"></DEP>
    <ASLR BottomUp="true" HighEntropy="true" OverrideBottomUp="false"></ASLR>
    <SEHOP Enable="true" TelemetryOnly="false" OverrideSEHOP="false" Audit="false"></SEHOP>
    <ControlFlowGuard Enable="true" SuppressExports="false" OverrideCFG="false" StrictControlFlowGuard="false" OverrideStrictCFG="false"></ControlFlowGuard>
  </SystemConfig>
  <AppConfig Executable="7z.exe">
    <DEP Enable="true" EmulateAtlThunks="false" OverrideDEP="false"></DEP>
	import sys
	import datetime
	from thehive4py.api import TheHiveApi
	from thehive4py.query import String

	def mkstmp(ts,tfmt='%m/%d/%Y %H:%M CDT'):
	if not type(ts) is int:
	ts=int(ts)
	return datetime.datetime.fromtimestamp(ts/1000).strftime(tfmt)
	def thehive_alert(alert):
	global CONFIG
	authheader={'Content-Type': 'application/json', 'Authorization': 'Bearer '+CONFIG['thehiveapikey']}
	print(requests.post("http://127.0.0.1:9000/api/alert",headers=authheader,data=json.dumps(alert),verify=False))

	myfile=''
	try:
	with open(fname,"rb") as f:
	myfile=fname+";text/plain;"+base64.b64encode(f.read())
	except Exception:
	<style>
	#reportrow {
	position:relative;
	overflow-wrap:anywhere;
	border-bottom:solid 1px;
	}
	</style>

	<div class="panel panel-info" ng-if="success">
	<div class="panel-heading">
	#!/usr/bin/python2
	import requests
	import json

	MISPAPI='<misp apikey>'
	MISPURL='<misp url>'
	BASE='/var/www/iocs/' #files under this path need to be served by a web-server
	TYPES=['domain','ip-src','ip-dst','email-src','email-dst','email']
	WHITELIST = "<white list file containing iocs that won't be exported>"
	#!/bin/env python2
	import requests
	import json
	import time
	import logging

	logging.basicConfig(format='ThehiveAPI: %(asctime)-15s %(message)s')
	LOG = logging.getLogger('thehiveapi-alert-aging')
	LOG.setLevel(logging.DEBUG)
	alert_age=86400
	import ldap
	import json
	import datetime
	import traceback

	conf={
	'adurl':'ldaps://<ldapurl>',
	'domain':"corp.local",
	'computer_basedn':"",
	'person_basedn':"",
	#!/usr/bin/python3
	"""
	This script simply creats a snapshot of the configured index pattern
	I use it with cron to create daily backups:
	$ ln -s /usr/local/bin/index_snapshot.py /etc/cron.daily/

	"""

	import elasticsearch
	import time
	<?xml version="1.0" encoding="UTF-8"?>
	<root>
	<SystemConfig>
	<DEP Enable="true" EmulateAtlThunks="false" OverrideDEP="false"></DEP>
	<ASLR BottomUp="true" HighEntropy="true" OverrideBottomUp="false"></ASLR>
	<SEHOP Enable="true" TelemetryOnly="false" OverrideSEHOP="false" Audit="false"></SEHOP>
	<ControlFlowGuard Enable="true" SuppressExports="false" OverrideCFG="false" StrictControlFlowGuard="false" OverrideStrictCFG="false"></ControlFlowGuard>
	</SystemConfig>
	<AppConfig Executable="7z.exe">
	<DEP Enable="true" EmulateAtlThunks="false" OverrideDEP="false"></DEP>