ionstorm ion-storm

## sophos removal v1
@echo off
:: Sophos Removal Tool
setlocal
cd /d %~dp0
start /wait net stop "Sophos AutoUpdate Service"
start /wait sc stop "Sophos Agent"
start /wait sc stop "SAVService"
start /wait sc stop "SAVAdminService"
start /wait sc stop "Sophos AutoUpdate Service"
start /wait sc stop "Sophos Client Firewall"

## keybase.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                ion-storm
                / keybase.md
            
            
              Created
              February 19, 2022 17:33
            
          
    Keybase proof

I hereby claim:

I am ion-storm on github.
I am ionstorm_ (https://keybase.io/ionstorm_) on keybase.
I have a public key ASDcmNr5gWQB17z9e3J6fs2d-EuPTVa_33DwKKjKva6KWAo

To claim this, I am signing this object:

  
## SetupCustomGraylogMappings.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                ion-storm
                / SetupCustomGraylogMappings.md
            
            
              Created
              January 5, 2019 01:20
                — forked from thomasdarimont/SetupCustomGraylogMappings.md
            
              
                Add custom mappings to graylog (elasticsearch) for additional parameters (_MessageParam0...N) added by GELF Logger
              
          
    Create custom mappings

cat << EOF > graylog-custom-mapping.json
{
  "template": "graylog_*",
  "mappings" : {
    "message" : {
      "properties" : {
        "MessageParam0" : {
          "type" : "string",


## PS Script: SUNBURST DLL
$path_ = "C:\"
$list = @(Get-ChildItem -Path $path_ -Name "SolarWinds.Orion.Core.BusinessLayer.dll" -Recurse)
$list | % {
    $fullPath = $path_ + $_
    Get-FileHash $fullPath -Algorithm SHA256 | Format-List
}

## sone.conf
input {
  kafka {
    bootstrap_servers => "" #configurable
    group_id => "" #configurable
    auto_offset_reset => "" #configurable
    security_protocol => "SASL_SSL"
    sasl_mechanism => "SCRAM-SHA-512"
    sasl_jaas_config => "org.apache.kafka.common.security.scram.ScramLoginModule required username='' password='';"
    ssl_endpoint_identification_algorithm => ""
    topics => [""] #configurable

## Get-InjectedThread.ps1
function Get-InjectedThread
{
    <#

    .SYNOPSIS

    Looks for threads that were created as a result of code injection.

    .DESCRIPTION


## Base64_CheatSheet.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                ion-storm
                / Base64_CheatSheet.md
            
            
              Created
              October 25, 2019 20:15
                — forked from Neo23x0/Base64_CheatSheet.md
            
              
                Learning Aid - Top Base64 Encodings Table
              
          
    Learning Aid - Top Base64 Encodings Table

MITRE ATT4CK - T1132 - Data Encoding


Base64 Code
Mnemonic Aid
Decoded*
Description


JAB
🗣 Jabber
$.
Variable declaration (UTF-16)


TVq
📺 Television
MZ
MZ header


UEs
🏬 Upper East Side
PK
ZIP, Office documents


SUVY
🚙 SUV
IEX
PowerShell Invoke Expression


## CustomASRRuleGenerator.ps1
$ScrObjBlockRule = New-CIPolicyRule -DriverFilePath $Env:windir\System32\scrobj.dll -Level FileName -Deny -AppID $Env:windir\System32\regsvr32.exe

# Merge the block rule into the allow all template rule included in the OS
Merge-CIPolicy -OutputFilePath CustomASRPolicy.xml -PolicyPaths $Env:windir\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml -Rules $ScrObjBlockRule

# This must be run elevated. Convert the policy to binary form and copy it to where WDAC will consume it.
ConvertFrom-CIPolicy -XmlFilePath .\CustomASRPolicy.xml -BinaryFilePath $Env:windir\System32\CodeIntegrity\SIPolicy.p7b
# Now reboot and the policy will take effect.

## dotnet-runtime-etw.py
import time
import etw
import etw.evntrace
import sys
import argparse
import threading


class RundownDotNetETW(etw.ETW):
    def __init__(self, verbose, high_risk_only):

## sophosremoval.bat
@ECHO OFF
ECHO ====================================================================
ECHO Sophos Removal v2.0 - Ed Cooper/Kyle Weller
ECHO Removes Sophos v7 - v10
ECHO ====================================================================
ECHO.
ECHO.
IF NOT EXIST "%~dp0\msizap.exe" GOTO MSIZAPNOTFOUND
ECHO Administrative permissions required. Detecting permissions...
ECHO.
	@echo off
	:: Sophos Removal Tool
	setlocal
	cd /d %~dp0
	start /wait net stop "Sophos AutoUpdate Service"
	start /wait sc stop "Sophos Agent"
	start /wait sc stop "SAVService"
	start /wait sc stop "SAVAdminService"
	start /wait sc stop "Sophos AutoUpdate Service"
	start /wait sc stop "Sophos Client Firewall"
	$path_ = "C:\"
	$list = @(Get-ChildItem -Path $path_ -Name "SolarWinds.Orion.Core.BusinessLayer.dll" -Recurse)
	$list \| % {
	$fullPath = $path_ + $_
	Get-FileHash $fullPath -Algorithm SHA256 \| Format-List
	}
	input {
	kafka {
	bootstrap_servers => "" #configurable
	group_id => "" #configurable
	auto_offset_reset => "" #configurable
	security_protocol => "SASL_SSL"
	sasl_mechanism => "SCRAM-SHA-512"
	sasl_jaas_config => "org.apache.kafka.common.security.scram.ScramLoginModule required username='' password='';"
	ssl_endpoint_identification_algorithm => ""
	topics => [""] #configurable
	function Get-InjectedThread
	{
	<#

	.SYNOPSIS

	Looks for threads that were created as a result of code injection.

	.DESCRIPTION
Base64 Code	Mnemonic Aid	Decoded*	Description
`JAB`	🗣 Jabber	`$.`	Variable declaration (UTF-16)
`TVq`	📺 Television	`MZ`	MZ header
`UEs`	🏬 Upper East Side	`PK`	ZIP, Office documents
`SUVY`	🚙 SUV	`IEX`	PowerShell Invoke Expression
	$ScrObjBlockRule = New-CIPolicyRule -DriverFilePath $Env:windir\System32\scrobj.dll -Level FileName -Deny -AppID $Env:windir\System32\regsvr32.exe

	# Merge the block rule into the allow all template rule included in the OS
	Merge-CIPolicy -OutputFilePath CustomASRPolicy.xml -PolicyPaths $Env:windir\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml -Rules $ScrObjBlockRule

	# This must be run elevated. Convert the policy to binary form and copy it to where WDAC will consume it.
	ConvertFrom-CIPolicy -XmlFilePath .\CustomASRPolicy.xml -BinaryFilePath $Env:windir\System32\CodeIntegrity\SIPolicy.p7b
	# Now reboot and the policy will take effect.
	import time
	import etw
	import etw.evntrace
	import sys
	import argparse
	import threading


	class RundownDotNetETW(etw.ETW):
	def __init__(self, verbose, high_risk_only):
	@ECHO OFF
	ECHO ====================================================================
	ECHO Sophos Removal v2.0 - Ed Cooper/Kyle Weller
	ECHO Removes Sophos v7 - v10
	ECHO ====================================================================
	ECHO.
	ECHO.
	IF NOT EXIST "%~dp0\msizap.exe" GOTO MSIZAPNOTFOUND
	ECHO Administrative permissions required. Detecting permissions...
	ECHO.