curi0usJack / parseagentlog.py
Created February 14, 2017 23:12
Parse AD Info from Empire agent.log
#!/usr/bin/env python
# Run this script on the agent.log file after you've run the situational_awareness/network/powerview/get_user module.
# The userdata.log file is pipe delimited.
import sys
import os
class User:
UserName = ""
{
"template": "graylog_*",
"mappings" : {
"message" : {
"properties" : {
"CommandLine" : {
"type" : "string",
"index" : "analyzed"
},
"ScriptBlockText" : {
curi0usJack / aai_bash_aliases
Created August 17, 2018 22:45
Advanced Attack Infrastructure Training Aliases
# Shell shortcuts for editing files and driving the Apache service on a
# training redirector host.
#
# NOTE(review): the editor aliases below run vim/nano/vi under sudo on every
# invocation, so any file opened through them -- including files under $HOME --
# is edited as root, and new files created this way are root-owned. Prefer
# `sudoedit` (or plain `vim`) for non-root files if least privilege matters.
alias vim='sudo vim'
alias nano='sudo nano'
alias vi='sudo vi'
# Replace CHANGEME with the site's actual log and vhost file names before use.
alias aplog='sudo tail -f /var/log/apache2/CHANGEME.log'
alias apedit='sudo nano /etc/apache2/sites-available/CHANGEME.conf'
# Service control; apload reloads config without dropping active connections.
alias apstart='sudo service apache2 start'
alias apstop='sudo service apache2 stop'
alias apload='sudo service apache2 reload'
# Carbon Black Evil PowerShell LSASS Query
#
# Prints out malicious Powershell events that have a crossproc event for c:\windows\system32\lsass.exe
#
# Author: Jason Lang (@curi0usJack)
#
# Prereqs (Windows 10)
# Install bash on Win10
# sudo apt-get install python-pip
# sudo pip install --upgrade requests
# msfconsole resource script: coloured prompt, plugins, and short aliases.
# Prompt format tokens are msfconsole's own; presumably %L = local IP,
# %J = job count, %S = session count, %D = current directory -- verify against
# the `set PROMPT` help text for the installed version.
set PROMPT %red%L %yel%J %grn%S %blu%D
load nessus
# The alias plugin must be loaded before any of the alias commands below.
load alias
alias j "jobs -v"
alias s "sessions -v"
# -f presumably forces the alias even when it shadows an existing command (verify).
alias -f w "workspace"
alias so "show options"
alias sa "show advanced"
# e: run the current module as a background job without interacting with the session.
alias -f e "exploit -j -z"
alias um "use multi/handler"
curi0usJack / sources.list
Created April 25, 2019 21:11 — forked from h0bbel/sources.list
/etc/apt/sources.list for Ubuntu 18.04.1 LTS Bionic Beaver
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://us.archive.ubuntu.com/ubuntu/ bionic main restricted
# deb-src http://us.archive.ubuntu.com/ubuntu/ bionic main restricted
## Major bug fix updates produced after the final release of the
## distribution.
deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates main restricted
# deb-src http://us.archive.ubuntu.com/ubuntu/ bionic-updates main restricted
#!/bin/bash
# Converts AD pwdlastset field to readable date
# Kudos: https://www.adminsys.ch/2013/07/31/convert-active-directory-pwdlastset-attribute-readable-time/
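function convert {
    # Convert an AD pwdLastSet value (100-nanosecond ticks since 1601-01-01 UTC)
    # into a human-readable date, printed in the local timezone by /bin/date.
    #
    # $1 - the raw pwdLastSet integer as shown in LDAP / PowerView output.
    # Prints the converted date on stdout. Returns 1 (with a message on stderr)
    # when the argument is missing or not a non-negative integer; without this
    # check bash arithmetic silently treats non-numeric input as 0 and the
    # function would print 1601-01-01 as if it were a real timestamp.
    local filetime="$1"
    local unixepoc adlastset
    if [[ ! "${filetime}" =~ ^[0-9]+$ ]]; then
        echo "convert: expected a numeric pwdLastSet value, got '${filetime}'" >&2
        return 1
    fi
    # 10,000,000 ticks per second; 11644473600 s separate the 1601 and 1970 epochs.
    unixepoc=$(( (filetime / 10000000) - 11644473600 ))
    # NOTE(review): a pwdLastSet of 0 usually means "must change password at next
    # logon" rather than a real timestamp; callers may want to special-case it.
    adlastset=$(/bin/date -d "1970-01-01 ${unixepoc} sec GMT") || return 1
    printf '%s\n' "${adlastset}"
}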
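# Add to your .bashrc. May need to tweak the ifconfig output for your distro.
# Pick ONE of the three assignments below: each overwrites PROMPT_COMMAND, so if
# all three are sourced only the last (AWS EC2) one takes effect.
#
# The prompt shows [user.host <ip>: <cwd>]$ and abbreviates the working
# directory to its basename once the path gets long. The length test uses -gt:
# inside [[ ]] a bare ">" is a lexical string comparison, so "9" > "18" was
# true and short paths were being abbreviated while paths of 100+ characters
# were not. (wc -c counts the trailing newline, so the threshold is 17 chars.)
# Ubuntu
PROMPT_COMMAND='PS1="\[\033[01;34m\][\u.\h \[\033[0;33m\]`ifconfig eth0 2>/dev/null | sed -n 2,2p | cut -d":" -f 2| cut -d" " -f 1`: \[\033[32m\]\`if [[ `pwd|wc -c|tr -d " "` -gt 18 ]]; then echo "\\W"; else echo "\\w"; fi\`]\$\[\033[0m\] "'
# Kali
PROMPT_COMMAND='PS1="\[\033[01;34m\][\u.\h \[\033[0;33m\]`ifconfig eth1 2>/dev/null | sed -n 2,2p | awk {'"'"'print $2'"'"'}`: \[\033[32m\]\`if [[ `pwd|wc -c|tr -d " "` -gt 18 ]]; then echo "\\W"; else echo "\\w"; fi\`]\$\[\033[0m\] "'
# AWS EC2
# The public IP is read from the instance metadata service on every prompt.
# --max-time keeps the shell from hanging when 169.254.169.254 is unreachable
# (e.g. the same .bashrc copied to a non-EC2 host). This is the unauthenticated
# IMDSv1 request; on instances that enforce IMDSv2 (token required) the field
# will simply be empty.
PROMPT_COMMAND='PS1="\[\033[01;34m\][\u.\h \D{%F %T} \[\033[0;33m\]`curl --max-time 1 http://169.254.169.254/latest/meta-data/public-ipv4 2>/dev/null`: \[\033[32m\]\`if [[ `pwd|wc -c|tr -d " "` -gt 18 ]]; then echo "\\W"; else echo "\\w"; fi\`]\n\$\[\033[0m\] "'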
# This is not my work. All credit goes to https://github.com/Neo23x0/sigma. I just used the tool to convert to graylog format,
# skipped over the errors, and added some carriage returns for ease of reading. If you see a blank rule, it means there was a conversion error.
rules/application/appframework_django_exceptions.yml
("SuspiciousOperation" OR "DisallowedHost" OR "DisallowedModelAdminLookup" OR "DisallowedModelAdminToField" OR "DisallowedRedirect" OR "InvalidSessionKey" OR "RequestDataTooBig" OR "SuspiciousFileOperation" OR "SuspiciousMultipartForm" OR "SuspiciousSession" OR "TooManyFieldsSent" OR "PermissionDenied")
# tmux convenience aliases.
alias tmconf='vim ~/.tmux.conf'
alias tmls='tmux ls'
# tmsess <name>: attach to an existing session.
alias tmsess='tmux attach -t'
# Print a swatch of all 256 terminal colours, eight per line, to pick prompt colours.
alias tmcolors='for i in {0..255}; do printf "\x1b[38;5;${i}mcolor%-5i\x1b[0m" $i ; if ! (( ($i + 1 ) % 8 )); then echo ; fi ; done'
# tmnew <name>: start a new named session.
alias tmnew='tmux new -s'
alias tmload='tmux source-file ~/.tmux.conf'
# Extract just the layout string of each window (the "[layout ...]" field of list-windows)
# so it can be pasted into a tmuxinator / select-layout config.
alias tmlayout='tmux list-windows | sed -n "s/.*layout \(.*\)] @.*/\1/p"'
alias mux='tmuxinator'