hkelley
hkelley
/ upload-file-to-Shared-Google-Drive-using-Service-Account.py
Last active
April 2, 2024 21:17
Uploads a fresh copy of a file over an existing file in a shared Google Drive using a service account
hkelley
/ MFT-Collector-to-Azure-storage.ps1
Created
September 12, 2023 23:31
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # MFT-Collector v0.3(+ Azure storage account while network-contained features) | |
| # | |
| # @author: evild3ad | |
| # @copyright: Copyright (c) 2019 Martin Willing. All rights reserved. | |
| # @contact: Any feedback or suggestions are always welcome and much appreciated - mwilling@evild3ad.com | |
| # @url: https://evild3ad.com/ | |
| # @date: 2019-11-19 | |
| # | |
| # _ _ _ _____ _ |
hkelley
/ merge-Zcc-logs.ps1
Created
May 16, 2023 14:50
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| param | |
| ( | |
| [System.IO.FileInfo] $ZccLogExportZip | |
| , [System.IO.FileInfo] $extractPoint = (Join-Path $env:TEMP -ChildPath "ZccLogSplicer") | |
| , [String] $logFilePattern = "z*.log" | |
| ) | |
| function Expand-NestedArchive ($Archive, $Subfolder) | |
| { | |
| if($Subfolder) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Assumes the following are set as configuration variables in you app | |
| # $env:SplunkHecUrl | |
| # $env:SplunkHecToken_WorkplaceInput | |
| using namespace System.Net | |
| # Input bindings are passed in via param block. | |
| param($Request, $TriggerMetadata) | |
| # Splunk settings |
hkelley
/ submit-joe-sample.ps1
Last active
January 25, 2023 22:09
Submit Sample to Joe Sandbox Cloud via CLI. Handy for direct submission via IR consoles like CrowdStrike RTR
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| param | |
| ( | |
| [Parameter(Mandatory = $false)] [string] $JoeApiBaseUrl = "https://jbxcloud.joesecurity.org/api" | |
| , [Parameter(Mandatory = $true)] [string] $JoeApiKey | |
| , [Parameter(Mandatory = $true)] [System.IO.FileInfo] $FileSample | |
| ) | |
| $contentType = "multipart/form-data" | |
| # We need a boundary (something random() will do best) |
hkelley
/ get-SandboxReport.ps1
Created
December 16, 2022 01:41
Zscaler API access example for Powershell
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| param | |
| ( | |
| [Parameter(Mandatory = $false)] [string] $CloudName = "zscalerbeta" | |
| , [Parameter(Mandatory = $true)] [string] $ApiKey | |
| , [Parameter(Mandatory = $true)] [pscredential] $ZscalerAdminCred | |
| , [Parameter(Mandatory = $false)] [string] $ApiRoot = "https://zsapi.{0}.net" -f $CloudName | |
| , [Parameter(Mandatory = $true)] [string] $MD5 | |
| ) | |
| [datetime] $UnixEpoch = '1970-01-01 00:00:00Z' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| param | |
| ( | |
| [Parameter(Mandatory = $false)] [string] $EpmLoginUrl = "https://login.epm.cyberark.com/EPM/API/Auth/EPM/Logon" | |
| , [Parameter(Mandatory = $true)] [string] $Username | |
| , [Parameter(Mandatory = $true)] [string] $Password | |
| , [Parameter(Mandatory = $false)] [int] $LogDeliveryLagMinutes = 30 # give events n minutes to by sync'd with EPM SaaS. Don't ask for the most recent events | |
| , [Parameter(Mandatory = $false)] [switch] $IncludeExceptionDetails | |
| , [Parameter(Mandatory = $false)] [int] $queryLimit = 1000 | |
hkelley
/ additional_user_data.tkape
Created
July 12, 2022 11:46
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Description: Additional user context (downloads and Outlook attachments) plus SANS Triage Collection v1.2 | |
| Author: | |
| Version: 0.1 | |
| Id: d4e84b26-47b5-4cd9-a5fd-62ffe2f41178 | |
| RecreateDirectories: true | |
| Targets: | |
| - | |
| Name: User Files - Downloads | |
| Category: LiveUserFiles | |
| Path: C:\Users\%user%\Downloads\ |
hkelley
/ log-SYNers.sh
Created
January 16, 2022 22:57
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| myip=$(hostname -I) | |
| while :; do | |
| timestamp=$(date --iso-8601=minutes --utc) | |
| echo "# Capturing incoming SYN to $myip from $timestamp" | |
| sudo tcpdump -i eth0 -n -c 100 "dst $myip && tcp[tcpflags] == tcp-syn" 2> /dev/null \ | |
| | sed -e "s/^.*\sIP\s\(.*\)\.[[:digit:]]\{4,6\}\s>\s.*\.\([[:digit:]]\{2,6\}\):.*/\1 \2 $timestamp/" \ | |
| | sort | uniq -c | sort | tail -10; | |
| echo; | |
| sleep 1 | |
| done |
hkelley
/ falcon_scheduled_search_to_splunk_hec.ps1
Last active
January 9, 2022 13:57
Azure Function (serverless) code for a webhook taking CrowdStrike scheduled search notification and sending results to Splunk HEC
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using namespace System.Net | |
| # Input bindings are passed in via param block. | |
| # https://docs.microsoft.com/en-us/azure/azure-functions/functions-reference-powershell?tabs=portal | |
| # Request object passed into the script is of the type HttpRequestContext | |
| param($Request, $TriggerMetadata) | |
| # Script will look for this field in the search results | |
| $time_field = "timestamp" |
NewerOlder