Maverick mavjs
🎯 Hunting!!!111oneoneone
<#
Meta
Date: 2022 March 28th
Authors: Dray Agha (Twitter @purp1ew0lf)
Company: Huntress Labs
Purpose: Automate setting up Sysmon and pulling Ippsec's sysmon IoC streamliner. Great for malware lab.
#>
function admin_check {
    # Stop unless the current session runs as a local Administrator.
    # The listing shows only the start of this script; the role check is
    # completed with the standard WindowsBuiltInRole::Administrator idiom.
    if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(`
            [Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Write-Warning "Run this script from an elevated (Administrator) PowerShell session."
        exit 1
    }
}

// Reassemble PowerShell script block logging records (Event ID 4104) from the Event table:
// each record carries its message number, the total count, the script text and the script block id.
Event
| where EventID == "4104"
| extend ParsedEvent = parse_xml(strcat("<root>", ParameterXml, "</root>"))
| extend MessageNumber = tolong(ParsedEvent.root.Param[0])
| extend MessageTotal = tolong(ParsedEvent.root.Param[1])
| extend ScriptBlockElement = iff(
    strlen(tostring(ParsedEvent.root.Param[2]["#text"])) > 0,
    ParsedEvent.root.Param[2]["#text"],
    ParsedEvent.root.Param[2])
| extend ScriptBlockId = tostring(ParsedEvent.root.Param[3])
@mavjs
mavjs / unpacking go.md
Last active May 31, 2022 18:30
Golang related cli command notes

About

If your $GOROOT is in ~/goroot and your $GOPATH is in ~/go, make sure a new Go version is unpacked into the right folder. By default the Go tarball unpacks with go/ as a prefix directory, so that prefix has to be dropped when extracting; that is what --strip-components=1 does.

tar -C ~/goroot -xzvf go$VERSION.linux-amd64.tar.gz --strip-components=1

Script to update

@mavjs
mavjs / gzip_str.py
Created April 25, 2020 21:31 — forked from Garrett-R/gzip_str.py
Demo of how to gzip and gunzip a string in Python 3
import gzip
import io


def gzip_str(string_):
    # Compress a str into gzip bytes using an in-memory buffer
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode='w') as fo:
        fo.write(string_.encode())
    bytes_obj = out.getvalue()
    return bytes_obj

Keybase proof

I hereby claim:

  • I am mavjs on github.
  • I am mavjs (https://keybase.io/mavjs) on keybase.
  • I have a public key ASDiTsnsLVeolOAND9VB-1xXIrQN2ZEIm4IPafZizc2Ftgo

To claim this, I am signing this object: