Skip to content

Instantly share code, notes, and snippets.

View ion-storm's full-sized avatar

ionstorm ion-storm

225 followers · 172 following
View GitHub Profile
@ion-storm
ion-storm / sysmon-join.commands
Created August 8, 2019 01:54 — forked from Cyb3rWard0g/sysmon-join.commands
CREATE STREAM WINLOGBEAT_STREAM (source_name VARCHAR, type VARCHAR, task VARCHAR, log_name VARCHAR, computer_name VARCHAR, event_data STRUCT< UtcTime VARCHAR, ProcessGuid VARCHAR, ProcessId INTEGER, Image VARCHAR, FileVersion VARCHAR, Description VARCHAR, Product VARCHAR, Company VARCHAR, CommandLine VARCHAR, CurrentDirectory VARCHAR, User VARCHAR, LogonGuid VARCHAR, LogonId VARCHAR, TerminalSessionId INTEGER, IntegrityLevel VARCHAR, Hashes VARCHAR, ParentProcessGuid VARCHAR, ParentProcessId INTEGER, ParentImage VARCHAR, ParentCommandLine VARCHAR, Protocol VARCHAR, Initiated VARCHAR, SourceIsIpv6 VARCHAR, SourceIp VARCHAR, SourceHostname VARCHAR, SourcePort INTEGER, SourcePortName VARCHAR, DestinationIsIpv6 VARCHAR, DestinationIp VARCHAR, DestinationHostname VARCHAR, DestinationPort INTEGER, DestinationPortName VARCHAR>, event_id INTEGER) WITH (KAFKA_TOPIC='winlogbeat', VALUE_FORMAT='JSON');
CREATE STREAM WINLOGBEAT_STREAM_REKEY WITH (VALUE_FORMAT='JSON', PARTITIONS=1, TIMESTAMP='event_date_creation') AS SEL
@ion-storm
ion-storm / CollectDotNetEvents.ps1
Created August 1, 2019 01:32 — forked from mattifestation/CollectDotNetEvents.ps1
A PoC script to capture relevant .NET runtime artifacts for the purposes of potential detections
logman --% start dotNetTrace -p Microsoft-Windows-DotNETRuntime (JitKeyword,NGenKeyword,InteropKeyword,LoaderKeyword) win:Informational -o dotNetTrace.etl -ets
# Do your evil .NET thing now. In this example, I executed the Microsoft.Workflow.Compiler.exe bypass
# logman stop dotNetTrace -ets
# This is the process ID of the process I want to capture. In this case, Microsoft.Workflow.Compiler.exe
# I got the process ID by running a procmon trace
$TargetProcessId = 8256
@ion-storm
ion-storm / iddqd.yar
Created May 14, 2019 12:26 — forked from Neo23x0/iddqd.yar
IDDQD - Godmode YARA Rule
/*
_____ __ __ ___ __
/ ___/__ ___/ / / |/ /__ ___/ /__
/ (_ / _ \/ _ / / /|_/ / _ \/ _ / -_)
\___/\___/\_,_/_/_/__/_/\___/\_,_/\__/
\ \/ / _ | / _ \/ _ | / _ \__ __/ /__
\ / __ |/ , _/ __ | / , _/ // / / -_)
/_/_/ |_/_/|_/_/ |_| /_/|_|\_,_/_/\__/
Florian Roth - v0.1 May 2019
@ion-storm
ion-storm / Invoke-WMISMB.ps1
Created April 17, 2019 00:10 — forked from rvrsh3ll/Invoke-WMISMB.ps1
function Invoke-SMBWmi {
[CmdletBinding()]
param(
[String[]]
$ComputerName = ".",
[String]
$Pipename = "tf12lol"
@ion-storm
ion-storm / openvas-automate.sh
Created February 14, 2019 15:45 — forked from mgeeky/openvas-automate.sh
OpenVAS automation script.
#!/bin/bash
#
# OpenVAS automation script.
# Mariusz B. / mgeeky, '17
# v0.2
#
trap ctrl_c INT
# --- CONFIGURATION ---
@ion-storm
ion-storm / Get-InjectedThread.ps1
Created February 19, 2019 13:44 — forked from olafhartong/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION
@ion-storm
ion-storm / EDR_Killer.ps1
Created December 17, 2018 16:29 — forked from mgreen27/EDR_Killer.ps1
WMI EventConsumer to disable EDR (or other tools) tools when installed
# PowerShell 2.0
# Name: EDR_Killer.ps1
# Version: 1.0
# Author: @mgreen27
# Description: Powershell WMI Event Consumer Proof of Concept to disable EDR tools when installed.
# Original Template (Eventlog Consumer) attributed to @mattifestation: https://gist.github.com/mattifestation/aff0cb8bf66c7f6ef44a
# Set Variables
$Name = 'EDR_Killer'
$Query = 'SELECT * FROM __InstanceCreationEvent WITHIN 30 WHERE TargetInstance ISA "Win32_Service" AND (TargetInstance.Name = "Sysmon" OR TargetInstance.Name = "Service name 2" OR TargetInstance.Name = "Service Name ..." OR TargetInstance.Name = "Service name N")'
@ion-storm
ion-storm / windows_hardening.cmd
Created November 4, 2018 02:26 — forked from mackwage/windows_hardening.cmd
Script to perform some hardening of Windows OS
::
::#######################################################################
::
:: Change file associations to protect against common ransomware attacks
:: Note that if you legitimately use these extensions, like .bat, you will now need to execute them manually from cmd or powershell
:: Alternatively, you can right-click on them and hit 'Run as Administrator' but ensure it's a script you want to run :)
:: ---------------------
ftype htafile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
ftype WSHFile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
ftype batfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
@ion-storm
ion-storm / RuleLangAceMod.js
Created December 6, 2018 03:16 — forked from thomasdarimont/RuleLangAceMod.js
PoC for custom Highlighting for the RuleLang of the Graylog Pipeline Plugin
define(function(require, exports, module) {
"use strict";
var oop = require("../lib/oop");
var TextHighlightRules = require("./text_highlight_rules").TextHighlightRules;
var DocCommentHighlightRules = require("./doc_comment_highlight_rules").DocCommentHighlightRules;
var identifierRe = "[a-zA-Z\\$_\u00a1-\uffff][a-zA-Z\\d\\$_\u00a1-\uffff]*";
var GraylogRuleLangHighlightRules = function() {
@ion-storm
ion-storm / kafka installation and systemd
Created November 27, 2018 22:22 — forked from vipmax/kafka install systemd.md
cd /opt
wget http://apache-mirror.rbc.ru/pub/apache/kafka/0.10.1.0/kafka_2.11-0.10.1.0.tgz
tar xvzf kafka_2.11-0.10.1.0.tgz
ln -s kafka_2.11-0.10.1.0/ kafka
vi /etc/systemd/system/kafka-zookeeper.service
[Unit]
Description=Apache Zookeeper server (Kafka)
Documentation=http://zookeeper.apache.org