@dlee35
dlee35 / AO4-185.245.62.231.md
Last active March 6, 2022 17:59
Attack Observation Four - Notes (185.245.62.231)

IP info:

ip: "185.245.62.231",
city: "Frankfurt am Main",
org: "AS200303 Jan Philipp Waldecker trading as LUMASERV Systems",
postal: "60306",
timezone: "Europe/Berlin"

test.sh (f0869b01daa7d4ca611de720e87a8423c5ab03b194d4dfe92b54302a7ee74ceb):

@dlee35
dlee35 / app_rule
Created May 14, 2020 16:56
Qbot App Rule
service = 80 && filename regex '[0-9]{4,8}\.png' && filetype = 'windows executable'
@dlee35
dlee35 / esa_rule
Last active May 14, 2020 16:56
Qbot ESA Rule
/*
Version: 2
*/
@Name('Module_QbotCampaign_Alert')
@Description('Current Qbot campaigns attempt to download a supposed PNG file with a filename consisting of between 4-8 numeric characters that is actually an EXE. This is a good post infection IoC.')
@RSAAlert(oneInSeconds=0)
SELECT * FROM
Event
# Author: Wes Lambert
#
# Last Update: 09/24/2018
#
# This conf file is based on accepting Sysmon logs from winlogbeat
filter {
if "beat" in [tags] and [source_name] =~ "Microsoft-Windows-Sysmon" {
mutate {
replace => { "type" => "sysmon" }
filter {
if "autorunstowin" in [tags] {
kv {
prefix => "[event_data]"
remove_char_key => "\ "
transform_key => "lowercase"
field_split => "\n"
value_split => ":"
}
mutate {
filter {
if "autorunstowin" in [tags] {
kv {
prefix => "[event_data]"
remove_char_key => "\ "
transform_key => "lowercase"
field_split => "\n"
value_split => ":"
}
mutate {
[
{
"_id": "4b4e1580-80e7-11e9-8875-bf8cb5a12e3d",
"_type": "visualization",
"_source": {
"title": "ATT&CK - Technique ID (Heat Map By Host)",
"visState": "{\"title\":\"ATT&CK - Technique ID (Heat Map By Host)\",\"type\":\"heatmap\",\"params\":{\"type\":\"heatmap\",\"addTooltip\":true,\"addLegend\":true,\"enableHover\":false,\"legendPosition\":\"bottom\",\"times\":[],\"colorsNumber\":10,\"colorSchema\":\"Reds\",\"setColorRange\":false,\"colorsRange\":[],\"invertColors\":false,\"percentageMode\":false,\"valueAxes\":[{\"show\":false,\"id\":\"ValueAxis-1\",\"type\":\"value\",\"scale\":{\"type\":\"linear\",\"defaultYExtents\":false},\"labels\":{\"show\":false,\"rotate\":0,\"overwriteColor\":false,\"color\":\"#555\"}}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event_data.Technique_id\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"o
@dlee35
dlee35 / giacflask.py
Last active November 6, 2019 13:48
Flask App for querying GIAC cert info
from flask import Flask, make_response
from flask_restful import Api, Resource, reqparse
from io import StringIO
import requests, re, csv
import lxml.html as lh
app = Flask(__name__)
api = Api(app)
proxyDict = {}
@dlee35
dlee35 / pptxsanity.py
Last active September 18, 2019 23:11
Parse URLs from PPTX. Creates tab-delimited links.txt output with page numbers and HTTP status codes
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# Originally authored by Josh Wright (https://github.com/joswr1ght/pptxsanity)
# With code by Eric Jang ericjang2004@gmail.com
# Updated by Dustin Lee
# https://gist.github.com/992db55dfa9c9dc6a7738f9c3006045b
TIMEOUT=6 # URL request timeout in seconds
MAXRETRY=4
#!/bin/bash
FLEETDIR="$PWD/fleet"
WORKDIR="$PWD/fleetbuild"
FLEETGIT="kolide"
FLEETVER="HH1.1.0"
APKPACKS="git make yarn nodejs npm make g++ dep"
CONTAINERNAME="soshybridhunter_fleet_dev"
if [ ! -d $PWD/fleet ]; then
git clone https://github.com/$FLEETGIT/fleet