lucam luca-m
luca-m
/ sam-template.yaml
Last active
June 26, 2023 09:13
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| AWSTemplateFormatVersion: '2010-09-09' | |
| Transform: 'AWS::Serverless-2016-10-31' | |
| Description: "This is an AWS Lambda function that collects CloudWatch logs and sends them to Logz.io in bulk, over HTTP." | |
| Parameters: | |
| logzioListener: | |
| Type: "String" | |
| Description: "The Logz.io listener URL for your region. You can find explanations here: https://docs.logz.io/user-guide/accounts/account-region.html" | |
| Default: "" | |
| logzioToken: |
luca-m
/ generateYara.sh
Last active
March 27, 2023 13:32
generateYara.sh A script to automatically generate Yara rule using Binlex (https://github.com/c3rb3ru5d3d53c/binlex)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| ## | |
| ## Script to automatically generate Yara rule using Binlex (https://github.com/c3rb3ru5d3d53c/binlex). | |
| ## It will output a .yar file suitable to be loaded on yaraify. | |
| ## | |
| ## Usage: | |
| ## | |
| ## ./generateYara.sh "RUNELANE" "FILEPATH" "TYPE" "NTRAITS" | |
| ## Parameters: | |
| ## RULENAME the name of the rule |
luca-m
/ makop_rdp_guessing_pwd.list
Created
March 14, 2023 13:16
Password list in use by Makop ransomware Gang
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| %domain% | |
| %Domain% | |
| %username% | |
| %null% | |
| %username%1 | |
| %username%12 | |
| %username%123 | |
| %username%1234 | |
| %username%12345 | |
| %username%123456 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Query for Outbound SMTP, SMTPS, STARTLS and SSH communications | |
| dst.port.number in (587,465,25,2525,22) | |
| | let rfc1918 = not ($dst.ip.address matches "((127\\..*)|(192\\.168\..*)|(10\\..*)|(172\\.1[6-9]\\..*)|(172\\.2[0-9]\\..*)|(172\\.3[0-1]\\..*)).*") | |
| | filter rfc1918 = true | |
| | group hits = count(src.process.name), endpoints = hacklist(endpoint.name) by dst.ip.address, dst.port.number | |
| | sort -endpoints |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * ESPIO payload decryption utility | |
| * Author: @luc4m | |
| * | |
| * Compile with g++ ./espiod espiod.cpp | |
| * Usage: | |
| * ./espiod KEYFILE ENCRYPTEDPAYLOADFILE | |
| * it outputs the decrypted file on "plaintext.bin" | |
| * | |
| * References: |
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| {"8":6,"15":"oORv7\/ATbKyQyfXwMEjUq6PuAaIx\/Dsatp+yrExUEfreI0PCPIjH203QqddJnWtTGYyK6BvyZEH3xn01GbN5okINgI5dmiok31+QLyKax3TH3DomHnElG5vIo+Us8uBKFsNXNrWvbo++sEfYR1Ag6XiYWwawLZnX32SGTxxnoUJM37fAGB4MdqN16GkjIQ+XCPnw7\/XaBZQYXXFJ3bkkZMIK3Nofps4tOk6mNmQJ55Q3YTlEettVIDAsLb\/q0KMQQ3dJQdvvo3Af4r2c9PLT8Sxhw9T7UnoDHCgOJjj2KYj9mbLeoFZ7rq\/IN0FY96gVE6iP6rPoGl1+NAJgDG00WA==","16":1562511178,"18":1,"19":19,"20":["TVqQAAMAAAAEAAAA\/\/8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABZwncQHaMZQx2jGUMdoxlDFNuMQxKjGUMU251DBaMZQxTbmkNLoxlDFNuKQwyjGUMdoxhDbKMZQx2jGUMcoxlDEPHCQxyjGUMQ8cdDHKMZQ1JpY2gdoxlDAAAAAAAAAABQRQAATAEHAG2pIF4AAAAAAAAAAOAAAwELAQcAAFACAABYAAAAAAAAIzkBAAAQAAAAUAIAAABAAAAQAAAAEAAABQAAAAUAAAAFAAAAAAAAAAAgDgAAEAAAAAAAAAIAAIEAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAKRhBADmAAAAABAOAJgMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAEgAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYAIA5AEAAAAAAAAAAAAAAAAAAAAAAAAA |
luca-m
/ pwsh_tips_for_malware_analysis.ps1
Created
June 12, 2019 09:58
Powershell Tips for Malware Analysits
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## | |
| ## Powershell Tips for Malware Analysits | |
| ## | |
| # In-Memory base64 payload decoding | |
| $BASE64='AAA'; | |
| sal a New-Object; | |
| (a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($BASE64),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd() |
luca-m
/ extract.ui3
Last active
December 14, 2018 16:32
autoit dropper payloa extractor (rif. https://app.any.run/tasks/9227e21a-9747-4e9b-8b67-a43f2bbb77a3)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ; CONFIG HERE | |
| $INIFILE="C:\\TEMP\uaf.ui3" | |
| $OUTFILE="C:\\TEMP\extracted.exe" | |
| ; -> | |
| Global Const $4063A0C69862A72A9 = 0x1 | |
| Global Const $53675A741B726EAC88522D14B9F334E1 = 24 | |
| Global Const $368080A29D90F5BA0B1D1E0DEAF11686 = 0xF0000000 | |
| Global Const $2BADE2A6917E4FD3141FF478399B9C29 = 0x0004 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ; CONFIG HERE | |
| $INIFILE="C:\\TEMP\uaf.ui3" | |
| $OUTFILE="C:\\TEMP\extracted.exe" | |
| ; -> | |
| Global Const $4063A0C69862A72A9 = 0x1 | |
| Global Const $53675A741B726EAC88522D14B9F334E1 = 24 | |
| Global Const $368080A29D90F5BA0B1D1E0DEAF11686 = 0xF0000000 | |
| Global Const $2BADE2A6917E4FD3141FF478399B9C29 = 0x0004 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # A shortcut function that simplifies usage of xclip. | |
| # - Accepts input from either stdin (pipe), or params. | |
| # ------------------------------------------------ | |
| cb() { | |
| local _scs_col="\e[0;32m"; local _wrn_col='\e[1;31m'; local _trn_col='\e[0;33m' | |
| # Check that xclip is installed. | |
| if ! type xclip > /dev/null 2>&1; then | |
| echo -e "$_wrn_col""You must have the 'xclip' program installed.\e[0m" | |
| # Check user is not root (root doesn't have access to user xorg server) | |
| elif [[ "$USER" == "root" ]]; then |
NewerOlder