Skip to content

Instantly share code, notes, and snippets.

@ion-storm
ion-storm / PS Script: SUNBURST DLL
Created Dec 15, 2020 — forked from stephent23/PS Script: SUNBURST DLL
PowerShell Script to identify the SolarWinds.Orion.Core.BusinessLayer.dll on host and return the location/file hash
View PS Script: SUNBURST DLL
$path_ = "C:\"
$list = @(Get-ChildItem -Path $path_ -Name "SolarWinds.Orion.Core.BusinessLayer.dll" -Recurse)
$list | % {
$fullPath = $path_ + $_
Get-FileHash $fullPath -Algorithm SHA256 | Format-List
}
@ion-storm
ion-storm / sone.conf
Last active Oct 9, 2020 — forked from tuckner/sone.conf
SentinelOne Cloudfunnel Logstash Input
View sone.conf
input {
kafka {
bootstrap_servers => "" #configurable
group_id => "" #configurable
auto_offset_reset => "" #configurable
security_protocol => "SASL_SSL"
sasl_mechanism => "SCRAM-SHA-512"
sasl_jaas_config => "org.apache.kafka.common.security.scram.ScramLoginModule required username='' password='';"
ssl_endpoint_identification_algorithm => ""
topics => [""] #configurable
@ion-storm
ion-storm / Get-InjectedThread.ps1
Created Feb 16, 2020 — forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
View Get-InjectedThread.ps1
function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION
@ion-storm
ion-storm / Base64_CheatSheet.md
Created Oct 25, 2019 — forked from Neo23x0/Base64_CheatSheet.md
Learning Aid - Top Base64 Encodings Table
View Base64_CheatSheet.md

Learning Aid - Top Base64 Encodings Table

MITRE ATT4CK - T1132 - Data Encoding

Base64 Code Mnemonic Aid Decoded* Description
JAB 🗣 Jabber $. Variable declaration (UTF-16)
TVq 📺 Television MZ MZ header
UEs 🏬 Upper East Side PK ZIP, Office documents
SUVY 🚙 SUV IEX PowerShell Invoke Expression
View CustomASRRuleGenerator.ps1
$ScrObjBlockRule = New-CIPolicyRule -DriverFilePath $Env:windir\System32\scrobj.dll -Level FileName -Deny -AppID $Env:windir\System32\regsvr32.exe
# Merge the block rule into the allow all template rule included in the OS
Merge-CIPolicy -OutputFilePath CustomASRPolicy.xml -PolicyPaths $Env:windir\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml -Rules $ScrObjBlockRule
# This must be run elevated. Convert the policy to binary form and copy it to where WDAC will consume it.
ConvertFrom-CIPolicy -XmlFilePath .\CustomASRPolicy.xml -BinaryFilePath $Env:windir\System32\CodeIntegrity\SIPolicy.p7b
# Now reboot and the policy will take effect.
@ion-storm
ion-storm / dotnet-runtime-etw.py
Created Aug 23, 2019 — forked from countercept/dotnet-runtime-etw.py
A research aid for tracing security relevant events in the CLR via ETW for detecting malicious assemblies.
View dotnet-runtime-etw.py
import time
import etw
import etw.evntrace
import sys
import argparse
import threading
class RundownDotNetETW(etw.ETW):
def __init__(self, verbose, high_risk_only):
View sysmon-join.commands
CREATE STREAM WINLOGBEAT_STREAM (source_name VARCHAR, type VARCHAR, task VARCHAR, log_name VARCHAR, computer_name VARCHAR, event_data STRUCT< UtcTime VARCHAR, ProcessGuid VARCHAR, ProcessId INTEGER, Image VARCHAR, FileVersion VARCHAR, Description VARCHAR, Product VARCHAR, Company VARCHAR, CommandLine VARCHAR, CurrentDirectory VARCHAR, User VARCHAR, LogonGuid VARCHAR, LogonId VARCHAR, TerminalSessionId INTEGER, IntegrityLevel VARCHAR, Hashes VARCHAR, ParentProcessGuid VARCHAR, ParentProcessId INTEGER, ParentImage VARCHAR, ParentCommandLine VARCHAR, Protocol VARCHAR, Initiated VARCHAR, SourceIsIpv6 VARCHAR, SourceIp VARCHAR, SourceHostname VARCHAR, SourcePort INTEGER, SourcePortName VARCHAR, DestinationIsIpv6 VARCHAR, DestinationIp VARCHAR, DestinationHostname VARCHAR, DestinationPort INTEGER, DestinationPortName VARCHAR>, event_id INTEGER) WITH (KAFKA_TOPIC='winlogbeat', VALUE_FORMAT='JSON');
CREATE STREAM WINLOGBEAT_STREAM_REKEY WITH (VALUE_FORMAT='JSON', PARTITIONS=1, TIMESTAMP='event_date_creation') AS SEL
@ion-storm
ion-storm / CollectDotNetEvents.ps1
Created Aug 1, 2019 — forked from mattifestation/CollectDotNetEvents.ps1
A PoC script to capture relevant .NET runtime artifacts for the purposes of potential detections
View CollectDotNetEvents.ps1
logman --% start dotNetTrace -p Microsoft-Windows-DotNETRuntime (JitKeyword,NGenKeyword,InteropKeyword,LoaderKeyword) win:Informational -o dotNetTrace.etl -ets
# Do your evil .NET thing now. In this example, I executed the Microsoft.Workflow.Compiler.exe bypass
# logman stop dotNetTrace -ets
# This is the process ID of the process I want to capture. In this case, Microsoft.Workflow.Compiler.exe
# I got the process ID by running a procmon trace
$TargetProcessId = 8256
@ion-storm
ion-storm / iddqd.yar
Created May 14, 2019 — forked from Neo23x0/iddqd.yar
IDDQD - Godmode YARA Rule
View iddqd.yar
/*
_____ __ __ ___ __
/ ___/__ ___/ / / |/ /__ ___/ /__
/ (_ / _ \/ _ / / /|_/ / _ \/ _ / -_)
\___/\___/\_,_/_/_/__/_/\___/\_,_/\__/
\ \/ / _ | / _ \/ _ | / _ \__ __/ /__
\ / __ |/ , _/ __ | / , _/ // / / -_)
/_/_/ |_/_/|_/_/ |_| /_/|_|\_,_/_/\__/
Florian Roth - v0.1 May 2019
View Invoke-WMISMB.ps1
function Invoke-SMBWmi {
[CmdletBinding()]
param(
[String[]]
$ComputerName = ".",
[String]
$Pipename = "tf12lol"