| #! /bin/bash | |
| sudo su | |
| apt-get update && apt-get upgrade -y && apt-get install -y build-essential golang git jq auditd | |
| cd /root | |
| # Update Golang from 1.2 to 1.7 or compilation of go-audit will fail | |
| wget https://storage.googleapis.com/golang/go1.7.linux-amd64.tar.gz | |
| tar -xvf go1.7.linux-amd64.tar.gz | |
| mv go /usr/local |
| ''' | |
| IDAPython script that generates a YARA rule to match against the | |
| basic blocks of the current function. It masks out relocation bytes | |
| and ignores jump instructions (given that we're already trying to | |
| match compiler-specific bytes, this is of arguable benefit). | |
| If python-yara is installed, the IDAPython script also validates that | |
| the generated rule matches at least one segment in the current file. | |
| author: Willi Ballenthin <william.ballenthin@fireeye.com> |
Python parser class for CloudTrail event archives, previously dumped to an S3 bucket. Class provides an iterator which will:
Parser contained in cloudtrailparser.py, with timezone.py used as a simple datetime.tzinfo concrete class implement to provide UTC timezone.
| # Define the signature - i.e. __EventFilter | |
| $EventFilterArgs = @{ | |
| EventNamespace = 'root/cimv2' | |
| Name = 'LateralMovementEvent' | |
| Query = 'SELECT * FROM MSFT_WmiProvider_ExecMethodAsyncEvent_Pre WHERE ObjectPath="Win32_Process" AND MethodName="Create"' | |
| QueryLanguage = 'WQL' | |
| } | |
| $InstanceArgs = @{ | |
| Namespace = 'root/subscription' |
| #region Scriptblocks that will execute upon alert trigger | |
| $LateralMovementDetected = { | |
| $Event = $EventArgs.NewEvent | |
| $EventTime = [DateTime]::FromFileTime($Event.TIME_CREATED) | |
| $MethodName = $Event.MethodName | |
| $Namespace = $Event.Namespace | |
| $Object = $Event.ObjectPath | |
| $User = $Event.User |
| { | |
| "options": { | |
| "config_plugin": "filesystem", | |
| "logger_plugin": "filesystem", | |
| "host_identifier": "hostname", | |
| "event_pubsub_expiry": "86000", | |
| "debug": "false", | |
| "verbose_debug": "false", | |
| "worker_threads": "4", | |
| "schedule_splay_percent": 10 |
| #!/usr/bin/env python | |
| ####################################################################### | |
| ## | |
| ## Extract the disk serial number from the SOFTWARE hive | |
| ## | |
| ####################################################################### | |
| __AUTHOR__ = '@herrcore' | |
| import datetime |
The purpose of this document is to make recommendations on how to browse in a privacy and security conscious manner. This information is compiled from a number of sources, which are referenced throughout the document, as well as my own experiences with the described technologies.
I welcome contributions and comments on the information contained. Please see the How to Contribute section for information on contributing your own knowledge.
| #!/usr/bin/python | |
| # -*- coding: utf-8 -*- | |
| # | |
| # Copyright 2015, Francesco "dfirfpi" Picasso <francesco.picasso@gmail.com> | |
| # | |
| # Licensed under the Apache License, Version 2.0 (the "License"); | |
| # you may not use this file except in compliance with the License. | |
| # You may obtain a copy of the License at | |
| # | |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| [CmdletBinding()] | |
| Param( | |
| [Parameter(Mandatory=$True,Position=0)] | |
| [String]$GUID | |
| ) | |
| function Resolve-KnownFolderGuid { | |
| Param( | |
| [Parameter(Mandatory=$True,Position=0)] | |
| [String]$GUID |