#
# MFT-Collector v0.3 (+ Azure storage account while network-contained features)
#
# @author: evild3ad
# @copyright: Copyright (c) 2019 Martin Willing. All rights reserved.
# @contact: Any feedback or suggestions are always welcome and much appreciated - mwilling@evild3ad.com
# @url: https://evild3ad.com/
# @date: 2019-11-19
#
# _ _ _ _____ _
param
(
    [System.IO.FileInfo] $ZccLogExportZip
    , [System.IO.FileInfo] $extractPoint = (Join-Path $env:TEMP -ChildPath "ZccLogSplicer")
    , [String] $logFilePattern = "z*.log"
)
function Expand-NestedArchive ($Archive, $Subfolder)
{
    if($Subfolder)
# Assumes the following are set as configuration variables in your app
# $env:SplunkHecUrl
# $env:SplunkHecToken_WorkplaceInput
using namespace System.Net
# Input bindings are passed in via param block.
param($Request, $TriggerMetadata)
# Splunk settings
param
(
    [Parameter(Mandatory = $false)] [string] $JoeApiBaseUrl = "https://jbxcloud.joesecurity.org/api"
    , [Parameter(Mandatory = $true)] [string] $JoeApiKey
    , [Parameter(Mandatory = $true)] [System.IO.FileInfo] $FileSample
)
$contentType = "multipart/form-data"
# We need a boundary (something random() will do best)
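The comment above is right that the boundary should be random, but the property that actually matters is that the boundary string must not occur anywhere inside the parts it delimits, or the receiver will split the sample in the wrong place. The following is an added example written for this page, not the gist's own code: it builds a multipart/form-data body by hand in POSIX shell, checks the boundary against the file first, and uses the field names `apikey` and `sample` purely as assumptions (the real API's field names are not shown on the page).

```shell
#!/bin/sh
# Added example: hand-built multipart/form-data body with a random boundary
# and a collision check. Field names "apikey" and "sample" are illustrative
# assumptions, not taken from the page.

# 32 hex characters from the kernel RNG. The value only has to be unlikely
# to appear in the payload; it is not a secret.
make_boundary() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# boundary_is_safe FILE BOUNDARY: succeeds only if BOUNDARY occurs nowhere in FILE.
boundary_is_safe() {
    if grep -qF -e "$2" "$1"; then return 1; else return 0; fi
}

# build_multipart BOUNDARY KEY FILE > body
# Emits one text part ("apikey") and one file part ("sample"), CRLF-delimited
# as RFC 7578 requires, terminated by the closing "--BOUNDARY--" line.
build_multipart() {
    b="$1"; key="$2"; file="$3"
    printf '%s%s\r\nContent-Disposition: form-data; name="apikey"\r\n\r\n%s\r\n' "--" "$b" "$key"
    printf '%s%s\r\nContent-Disposition: form-data; name="sample"; filename="%s"\r\nContent-Type: application/octet-stream\r\n\r\n' "--" "$b" "$(basename "$file")"
    cat "$file"
    printf '\r\n%s%s--\r\n' "--" "$b"
}

# count_delimiters BOUNDARY KEY FILE: number of lines starting with "--BOUNDARY"
# in the generated body (two part openers plus the closer, i.e. 3).
count_delimiters() {
    build_multipart "$1" "$2" "$3" | grep -c -e "^--$1"
}

# Constructed sample file (not real malware): a few bytes in a temp file.
SAMPLE_FILE=$(mktemp)
printf 'MZ constructed-sample-bytes\n' > "$SAMPLE_FILE"

BOUNDARY=$(make_boundary)
if ! boundary_is_safe "$SAMPLE_FILE" "$BOUNDARY"; then
    echo "boundary occurs inside the sample; generate a new one" >&2
    exit 1
fi

build_multipart "$BOUNDARY" "example-api-key" "$SAMPLE_FILE"
```

To send the body, pipe it to `curl -H "Content-Type: multipart/form-data; boundary=$BOUNDARY" --data-binary @- <url>`; the boundary in the header must be the same string used in the body, which is the usual mistake when the two are generated in different places.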
param
(
    [Parameter(Mandatory = $false)] [string] $CloudName = "zscalerbeta"
    , [Parameter(Mandatory = $true)] [string] $ApiKey
    , [Parameter(Mandatory = $true)] [pscredential] $ZscalerAdminCred
    , [Parameter(Mandatory = $false)] [string] $ApiRoot = "https://zsapi.{0}.net" -f $CloudName
    , [Parameter(Mandatory = $true)] [string] $MD5
)
[datetime] $UnixEpoch = '1970-01-01 00:00:00Z'
param
(
    [Parameter(Mandatory = $false)] [string] $EpmLoginUrl = "https://login.epm.cyberark.com/EPM/API/Auth/EPM/Logon"
    , [Parameter(Mandatory = $true)] [string] $Username
    , [Parameter(Mandatory = $true)] [string] $Password # plain-text string; a [pscredential] would keep it out of command history and transcripts
    , [Parameter(Mandatory = $false)] [int] $LogDeliveryLagMinutes = 30 # give events n minutes to be synced to EPM SaaS; don't ask for the most recent events
    , [Parameter(Mandatory = $false)] [switch] $IncludeExceptionDetails
    , [Parameter(Mandatory = $false)] [int] $queryLimit = 1000
Description: Additional user context (downloads and Outlook attachments) plus SANS Triage Collection v1.2
Author:
Version: 0.1
Id: d4e84b26-47b5-4cd9-a5fd-62ffe2f41178
RecreateDirectories: true
Targets:
    -
        Name: User Files - Downloads
        Category: LiveUserFiles
        Path: C:\Users\%user%\Downloads\
# Count incoming TCP SYNs (connection attempts, SYN without ACK) per source IP
# and destination port in batches of 100 packets, printing the ten busiest
# pairs per batch. Linux-specific: hostname -I and GNU sed/date.
myip=$(hostname -I | awk '{print $1}')   # hostname -I may list several addresses; use the first
while :; do
    timestamp=$(date --iso-8601=minutes --utc)
    echo "# Capturing incoming SYN to $myip from $timestamp"
    sudo tcpdump -i eth0 -n -c 100 "dst $myip && tcp[tcpflags] == tcp-syn" 2> /dev/null \
    | sed -e "s/^.*\sIP\s\(.*\)\.[[:digit:]]\{4,6\}\s>\s.*\.\([[:digit:]]\{2,6\}\):.*/\1 \2 $timestamp/" \
    | sort | uniq -c | sort -n | tail -10;   # numeric sort so tail really returns the largest counts
    echo;
    sleep 1
done
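The parsing step of that loop is a single sed expression that is hard to verify by eye. As an added example, not part of the gist, here is the same aggregation written as a small POSIX awk pipeline that can be exercised offline against constructed `tcpdump -n` lines; it handles the IPv4 case the sed handles and, like the original, ignores `IP6` lines.

```shell
#!/bin/sh
# Added example: aggregate incoming-SYN lines from `tcpdump -n` into
# "count src_ip dst_port" rows, most frequent first.
# Expected input shape (one packet per line):
#   HH:MM:SS.usec IP <src>.<sport> > <dst>.<dport>: Flags [S], ...
# Only IPv4 ("IP") lines are counted; "IP6" lines are skipped, as in the
# original sed expression.

# summarize_syns [N]: read tcpdump lines on stdin, print the top N pairs.
summarize_syns() {
    awk '$2 == "IP" {
            src = $3; sub(/\.[0-9]+$/, "", src)     # strip the source port
            dst = $5; sub(/:$/, "", dst)           # drop the trailing colon
            n = split(dst, p, "."); dport = p[n]   # last dotted field is the port
            print src, dport
        }' | sort | uniq -c | sort -rn | head -n "${1:-10}"
}

# Constructed sample capture (not real traffic): one host probing SSH three
# times, another hitting HTTPS twice and SSH once, plus an IPv6 line to skip.
SAMPLE_SYNS='12:00:00.000001 IP 203.0.113.9.51000 > 10.0.0.5.22: Flags [S], seq 1, win 64240, length 0
12:00:00.100002 IP 203.0.113.9.51001 > 10.0.0.5.22: Flags [S], seq 2, win 64240, length 0
12:00:00.200003 IP 198.51.100.7.40000 > 10.0.0.5.443: Flags [S], seq 3, win 64240, length 0
12:00:00.300004 IP 203.0.113.9.51002 > 10.0.0.5.22: Flags [S], seq 4, win 64240, length 0
12:00:00.400005 IP 198.51.100.7.40001 > 10.0.0.5.443: Flags [S], seq 5, win 64240, length 0
12:00:00.500006 IP 198.51.100.7.40002 > 10.0.0.5.22: Flags [S], seq 6, win 64240, length 0
12:00:00.600007 IP6 2001:db8::1.40003 > 2001:db8::5.22: Flags [S], seq 7, win 64240, length 0'

# top_syn_row: the busiest "count src dport" row of the sample, whitespace-normalised.
top_syn_row() {
    printf '%s\n' "$SAMPLE_SYNS" | summarize_syns 1 | awk '{print $1, $2, $3}'
}

# Run over the sample; in the live loop replace the printf with the tcpdump command.
printf '%s\n' "$SAMPLE_SYNS" | summarize_syns 10
```

Against the sample this prints `203.0.113.9 22` with count 3 first, then `198.51.100.7 443` with count 2 and `198.51.100.7 22` with count 1. Sorting with `-rn` keys on the numeric count rather than on the padded text `uniq -c` emits, which is the safer choice once counts pass nine.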
using namespace System.Net
# Input bindings are passed in via param block.
# https://docs.microsoft.com/en-us/azure/azure-functions/functions-reference-powershell?tabs=portal
# Request object passed into the script is of the type HttpRequestContext
param($Request, $TriggerMetadata)
# Script will look for this field in the search results
$time_field = "timestamp"