
import os

from OTXv2 import OTXv2
# API key for the user api_example
# Pulses will appear at https://otx.alienvault.com/user/api_example/pulses
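# Take the key from the environment when it is set (env var name chosen here:
# OTX_API_KEY) so a real key never has to live in source; the fallback is the
# example key this snippet ships with, so the script runs unchanged without it.
otx = OTXv2(os.environ.get("OTX_API_KEY", "766ba1df3ab54db9c0fcbf62ef048c3a04c260e8ca65b6c25346084b7b4719ad"))
# Pulse title and the indicators it will carry; each entry pairs an
# indicator value with its OTX indicator type.
name = 'Test Pulse'
indicators = [
    {'indicator': '69.73.130.198', 'type': 'IPv4'},
    {'indicator': 'aoldaily.com', 'type': 'Domain'},
]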
chrisdoman / getBitly.py
Created Dec 26, 2017
Get stats on bitly urls
# Script to enumerate bit.ly data - suffers from strict rate limits
import requests, base62
#start = "1dstjX5"
# Starting point for the enumeration. NOTE(review): presumably the numeric
# (base62-decoded) form of the commented-out bit.ly hash above — confirm
# against how the loop below uses it; that code is not visible here.
start = 93340621247
def getUrl(url):
try:
r = requests.get(url)
# Script to convert openioc to csv
# Forked from PyMisp
# -*- coding: utf-8 -*-
import os
try:
from bs4 import BeautifulSoup
has_bs4 = True
except ImportError:
chrisdoman / getReports.py
Last active Aug 6, 2018
Quick example to pull reports from OTX with tagged Adversaries (i.e. probably APT)
'''
Quick example to pull reports with tagged Adversaries (i.e. probably APT)
'''
from OTXv2 import OTXv2, IndicatorTypes
# This is the API key for the user "api_example"
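import os  # only used to pick up the API key from the environment

# Take the key from the environment when it is set (env var name chosen here:
# OTX_API_KEY) so a real key never has to live in source; the fallback is the
# example key this snippet ships with, so the script runs unchanged without it.
otx = OTXv2(os.environ.get('OTX_API_KEY', '766ba1df3ab54db9c0fcbf62ef048c3a04c260e8ca65b6c25346084b7b4719ad'))
# All pulses visible to this key; filtering by adversary happens below (not shown here).
pulses = otx.getall()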
chrisdoman / malware.rules
Created Oct 1, 2018
Autogenerated Rules
/*
Yara rules to identify malware families, made by Yabin
Auto-generated - many of these rules will not work, because they rely on matching compiled code
*/
rule BackdoorAndroidOSCoca_51dc097980b46d053085ff079b153f107d866a27dc19670b79928ec55ab336d7 {
strings:
chrisdoman / cannon_samples.js
Created Sep 2, 2019
Samples from the Great Cannon
var _a="(,& vXh)C;sf<H8O1J|iRY9dj?G%m4}n_M'pQZkFyaEP=Ko2/\\x]!cquSV.57B^lW*Utr{z+N-ADg>[we0b\"I6:TL3",_b="^JL,qMP(*IjReDE<xiQYo{tp>8!-[W&hOcbv12Fn\".%4Ks=5 Z]Cl'uXfAHrdGaN/9}zg\\+U6|kSV:;wmyB7T)_03?",_c="DjOx.}S=Q's_\"I:]c[E(g/JG)k!2yY,zBV4>PFu9rp;N1i<%ZUM*?0K5^nX 8td{LAmH6hbolv&\\a7-ReCq|fw+3TW";eval(function(_,b,a,c,n,r){if(n=function(_){return(_<62?"":n(parseInt(_/62)))+((_%=62)>35?String[_a[11]+_c[40]+_b[20]+_c[66]+_b[51]+_a[6]+_b[62]+_c[40]+_b[51]+_b[20]+_c[62]+_b[12]](_+29):_[_c[61]+_c[71]+_a[56]+_c[61]+_a[68]+_a[19]+_c[57]+_b[68]](36))},0==_a[81][_a[68]+_b[12]+_b[23]+_b[52]+_b[62]+_a[53]+_c[80]](0,n)){for(;a--;)r[n(a)]=c[a];c=[function(_){return r[_]||_}],n=function(){return _c[17]+_c[27]+_b[27]+_a[22]+_a[82]+_b[33]+_c[80]+_a[73]+_a[10]+_a[55]+_c[78]+_a[70]+_a[74]+_c[78]+_a[37]+_c[15]},a=1}for(;a--;)c[a]&&(_=_[_c[40]+_a[80]+_b[23]+_b[52]+_b[62]+_a[53]+_b[12]](new RegExp(_a[49]+_a[82]+n(a)+(_b[69]+_a[82]),_a[76]),c[a]));return _}(_c[27]+_c[59]+_b[84]+_c[65]+_b[75]+_a[45]+_b[9]+_c[0]+_a[44]+_a[89]+_b[88]
rule hunt_great_cannon {
    // Hunting rule: a single hit on any of the sample strings below is enough
    // to match, so treat results as leads to triage rather than confirmations.
    strings:
        $s1 = "requesttime_list" nocase wide ascii
        $s2 = "responsetime_list" nocase wide ascii
        $s3 = "cloudflare_js_validate_url" nocase wide ascii
        $s4 = "116.255.226.154" nocase wide ascii
        $s5 = "responsetime-requesttime>TIMEGAP" nocase wide ascii
    condition:
        1 of ($s*)
}
# Short demonstration script to write OTX hostnames to a RPZ format text-file
from OTXv2 import OTXv2
import os
# This is the API key for the user "api_example"
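# Take the key from the environment when it is set (env var name chosen here:
# OTX_API_KEY) so a real key never has to live in source; the fallback is the
# example key this snippet ships with, so the script runs unchanged without it.
otx = OTXv2(os.environ.get('OTX_API_KEY', '766ba1df3ab54db9c0fcbf62ef048c3a04c260e8ca65b6c25346084b7b4719ad'))
# Every indicator from pulses authored by 'alienvault'.
events = otx.get_all_indicators(author_name='alienvault')
# Accumulates the RPZ text that the rest of the script (not shown here) writes out.
output = ''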
[default]
aws_access_key_id = AKIAXYZDQCENYTNALZP5
aws_secret_access_key = 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
output = json
region = us-east-2
* This is just a honey token to detect automated scanners looking for AWS keys - this is not a real AWS account! *
chrisdoman / TestFeed.csv
Last active Mar 27, 2020
Test Feed for MISP
indicator,indicator_type,pulse_title,pulse_author,tlp
ihracat.myq-see.com,hostname,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white
phantom101.duckdns.org,hostname,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white
goodattack.duckdns.org,hostname,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white
http://www.tempinfo.96.lt/wras/savekey.php,url,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white
http://www.tempinfo.96.lt/wras/createkeys.php,url,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white
http://www.tempinfo.96.lt/wras/RANSOM20.jpg,url,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white
www.tempinfo.96.lt,hostname,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white
2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326,file,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white