function Invoke-SMBWmi {
[CmdletBinding()]
param(
[String[]]
$ComputerName = ".",
[String]
$Pipename = "tf12lol"
@ion-storm
ion-storm / Get-InjectedThread.ps1
Created February 19, 2019 13:44 — forked from olafhartong/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION
@ion-storm
ion-storm / openvas-automate.sh
Created February 14, 2019 15:45 — forked from mgeeky/openvas-automate.sh
OpenVAS automation script.
#!/bin/bash
#
# OpenVAS automation script.
# Mariusz B. / mgeeky, '17
# v0.2
#
trap ctrl_c INT
# --- CONFIGURATION ---
@ion-storm
ion-storm / SetupCustomGraylogMappings.md
Created January 5, 2019 01:20 — forked from thomasdarimont/SetupCustomGraylogMappings.md
Add custom mappings to graylog (elasticsearch) for additional parameters (_MessageParam0...N) added by GELF Logger

Create custom mappings

cat << EOF > graylog-custom-mapping.json
{
  "template": "graylog_*",
  "mappings" : {
    "message" : {
      "properties" : {
        "MessageParam0" : {
          "type" : "string",
@ion-storm
ion-storm / EDR_Killer.ps1
Created December 17, 2018 16:29 — forked from mgreen27/EDR_Killer.ps1
WMI EventConsumer to disable EDR (or other) tools when installed
# PowerShell 2.0
# Name: EDR_Killer.ps1
# Version: 1.0
# Author: @mgreen27
# Description: Powershell WMI Event Consumer Proof of Concept to disable EDR tools when installed.
# Original Template (Eventlog Consumer) attributed to @mattifestation: https://gist.github.com/mattifestation/aff0cb8bf66c7f6ef44a
# Set Variables
$Name = 'EDR_Killer'
$Query = 'SELECT * FROM __InstanceCreationEvent WITHIN 30 WHERE TargetInstance ISA "Win32_Service" AND (TargetInstance.Name = "Sysmon" OR TargetInstance.Name = "Service name 2" OR TargetInstance.Name = "Service Name ..." OR TargetInstance.Name = "Service name N")'
@ion-storm
ion-storm / RuleLangAceMod.js
Created December 6, 2018 03:16 — forked from thomasdarimont/RuleLangAceMod.js
PoC for custom Highlighting for the RuleLang of the Graylog Pipeline Plugin
define(function(require, exports, module) {
"use strict";
var oop = require("../lib/oop");
var TextHighlightRules = require("./text_highlight_rules").TextHighlightRules;
var DocCommentHighlightRules = require("./doc_comment_highlight_rules").DocCommentHighlightRules;
var identifierRe = "[a-zA-Z\\$_\u00a1-\uffff][a-zA-Z\\d\\$_\u00a1-\uffff]*";
var GraylogRuleLangHighlightRules = function() {
cd /opt
wget http://apache-mirror.rbc.ru/pub/apache/kafka/0.10.1.0/kafka_2.11-0.10.1.0.tgz
tar xvzf kafka_2.11-0.10.1.0.tgz
ln -s kafka_2.11-0.10.1.0/ kafka
vi /etc/systemd/system/kafka-zookeeper.service
[Unit]
Description=Apache Zookeeper server (Kafka)
Documentation=http://zookeeper.apache.org
@ion-storm
ion-storm / windows_hardening.cmd
Created November 4, 2018 02:26 — forked from mackwage/windows_hardening.cmd
Script to perform some hardening of Windows OS
::
::#######################################################################
::
:: Change file associations to protect against common ransomware attacks
:: Note that if you legitimately use these extensions, like .bat, you will now need to execute them manually from cmd or powershell
:: Alternatively, you can right-click on them and hit 'Run as Administrator' but ensure it's a script you want to run :)
:: ---------------------
ftype htafile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
ftype WSHFile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
ftype batfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
@ion-storm
ion-storm / FreeNAS.md
Created October 7, 2018 02:52 — forked from MikeRatcliffe/FreeNAS.md
Ultimate FreeNAS Setup
[POWERSHELL-DOWNLOAD-HUNT]
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
dispatchAs = user
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
search = FileName=powershell.exe (CommandLine=*DownloadFile* OR CommandLine=*invoke-webrequest*) | stats values(CommandLine) as "commands" by ComputerName