Fred Frey fryguy04

@fryguy04
fryguy04 / Sysmon-AllVersions_Parser_SnapAttack.txt
Created May 6, 2022 15:08
Improved Sysmon Sentinel Kusto parser - Extracts ProcessName, ParentProcessName, MD5, SHA256, IMPHASH for easier searching.
// KQL Sysmon Event Parser - Customized for SnapAttack use
//
// Heavily based on: https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/Sysmon/Sysmon-AllVersions_Parser.txt
// Usage Instructions:
// Paste the query below into Log Analytics, click Save, and choose "Function" from the drop-down, giving it a function name and alias (e.g. Sysmon_Normalized).
// The function usually takes 10-15 minutes to become active. After that, the alias can be used from any other query (e.g. Sysmon_Normalized | take 10).
// References:
// Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
// Tech Community Blog on KQL Functions : https://techcommunity.microsoft.com/t5/Azure-Sentinel/Using-KQL-functions-to-speed-up-analysis-in-Azure-Sentinel/ba-p/712381
//
@fryguy04
fryguy04 / dhcp_pfsense.py
Created June 23, 2019 15:15
Scrape pfSense DHCP List into Python Struct
#!/usr/bin/env python
# Scrapes pfSense DHCP Leases into List of (IP, MAC, Hostname) format.
# Change URL/Username/Password below ... pip install lxml ... then you are all set.
#
# Modified 6/23/2019 (FryGuy)
# Edits: Aligned IP/MAC/Hostname into struct accounting for blank lines
# Minor: Cleaned up spacing, created global url/user/password vars, removed write to file
# Original Code/Inspiration: https://gist.github.com/pletch/037a4a01c95688fff65752379534455f
import sys
@fryguy04
fryguy04 / vti_summarize.py
Last active March 11, 2019 14:11
Given a VirusTotal API Key and a malware hash, summarize the key words that AntiVirus companies used to describe it. Example output for the PWdump hash: d1337b9e8bac0ee285492b89f895cadb pwdump trojan pswtool hacktool malicious riskware virus malware pwdump7 pwcrack 001b9ce61 hktl orsam unsafe genericpmf
#!/usr/bin/python
# File: vti_summarize.py
# Description: Given VirusTotal API Key & Malware Hash, summarize key words that AntiVirus companies used to describe it
# Author: Fred Frey
# Date: 3/10/2019
import requests
import json
import re