keyboardcrunch

rule phishing_eviltokens_phishing_page {
    meta:
        malware = "EvilTokens"
        description = "Find EvilTokens device code phishing pages based on characteristic strings"
        source = "Sekoia.io"
        creation_date = "2026-03-05"
        modification_date = "2026-03-05"
        classification = "TLP:CLEAR"
        reference = "https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/"

keyboardcrunch

SentinelOne Resources

This is just a list of unofficial SentinelOne resources, anything that helps with administration, deployment, automation, or queries.

Custom Rules and Queries

Frameworks

• @fragtastic - Python S1 Framework
• @mdejongh - SentinelOne ELK data importer

keyboardcrunch

<#
.SYNOPSIS
    Generates a malicious Inno setup script for executing a commandline.

.DESCRIPTION
    This script generates an installer using the Inno Setup Compiler.
    It requires certain parameters to be provided for creating the setup package.

.PARAMETER Name
    The name of the application being installed (optional).

keyboardcrunch

# Get the task info
$TaskName = $(get-scheduledtask -TaskName AutoRepair* -TaskPath \Sentinel\).TaskName
$settings = $(get-scheduledtask -TaskName $TaskName -TaskPath \Sentinel\).Settings
$action = $(get-scheduledtask -TaskName AutoRepair* -TaskPath \Sentinel\).Actions

# Tweak settings objects
$new_action = New-ScheduledTaskAction -Execute "C:\Windows\System32\cmd.exe" -Argument "/c whoami > C:\Windows\Temp\IAM.txt"
$settings.AllowDemandStart=$true

# Apply changes

keyboardcrunch

# https://support.mozilla.org/en-US/questions/1393427

||id.google.com^

||accounts.google.com/gsi/$3p

||smartlock.google.com^

! Block "Sign in with Google" iframe in top right corner of websites
||accounts.google.com/gsi/iframe

keyboardcrunch

Headless Applications with xvfb and x11vnc

In the code block below we're going to launch two graphical applications on a headless server (no desktop environment) within their own virtual display, then launch an instance of x11vnc server connected to each virtual display. Generally if you have more than one application you might as well run a full desktop environment and vnc server, but this is more fun.

Requirements

• x11vnc
• the desktop apps you want (handbrake and firefox used in example)
• (optional) fluxbox or other minimal DE

keyboardcrunch

# Setup an "upstream" to allow preferences between local or tailscale endpoints for an Ollama service
# Note: I'm running a similar config on my laptop so I can access services while local or remote but
#       use upstream to pick the endpoint to use.
upstream chat {
    ip_hash;
    server 192.168.1.3:11434;
    server 100.44.39.165:11434;
}

# Setup a map to associate our proxy endpoint with the subdomain

keyboardcrunch

# Listen on 11434 and proxy requests to a local Ollama server, either by local network or tailscale.
# ip_hash should maintain sessions while upstream handles one being offline.
# upstream 'load balancing' is used to maintain connectivity while working remote.


upstream ollama {
    ip_hash;
    server 192.168.1.166:11434;
    server 100.94.79.62:11434;
}

keyboardcrunch

# Device configuration
esphome:
  name: "remoteOne"
  friendly_name: RemoteOne

esp32:
  board: esp32-s3-devkitc-1
  framework:
    type: arduino

keyboardcrunch

$ChocoFile = Join-Path -Path $(Get-Location) -ChildPath "choco_config.txt"
$ChocoFileSettings = @'
# Software
choco install adobereader
choco install googlechrome
choco install firefox
choco install 7zip.install

# runtimes
choco install adoptopenjdk12