Maverick mavjs

## Sysmon_Lab.ps1
<#
Meta
    Date: 2022 March 28th
    Authors: Dray Agha (Twitter @purp1ew0lf)
    Company: Huntress Labs
    Purpose: Automate setting up Sysmon and pulling Ippsec's sysmon IoC streamliner. Great for malware lab.
#>

function admin_check{
    if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(`

## PowerShell Script Block Merge in Kusto
Event
| where EventID == "4104"
| extend ParsedEvent = parse_xml(strcat("<root>", ParameterXml, "</root>"))
| extend MessageNumber = tolong(ParsedEvent.root.Param[0])
| extend MessageTotal = tolong(ParsedEvent.root.Param[1])
| extend ScriptBlockElement = iff(
    strlen(tostring(ParsedEvent.root.Param[2]["#text"])) > 0,
        ParsedEvent.root.Param[2]["#text"],
        ParsedEvent.root.Param[2])
| extend ScriptBlockId = tostring(ParsedEvent.root.Param[3])

## AWS API calls that return credentials.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                mavjs
                / AWS API calls that return credentials.md
            
            
              Created
              February 20, 2021 12:05
                — forked from kmcquade/AWS API calls that return credentials.md
            
              
                AWS API calls that return credentials
              
          
chime:CreateApiKey
codepipeline:PollForJobs
cognito-identity:GetOpenIdToken
cognito-identity:GetOpenIdTokenForDeveloperIdentity
cognito-identity:GetCredentialsForIdentity
connect:GetFederationToken
connect:GetFederationTokens
ecr:GetAuthorizationToken
[gamelift:RequestUploadCredentials](ht


## gzip_str.py
import gzip
import io

def gzip_str(string_):
    out = io.BytesIO()

    with gzip.GzipFile(fileobj=out, mode='w') as fo:
        fo.write(string_.encode())

    bytes_obj = out.getvalue()
	<#
	Meta
	Date: 2022 March 28th
	Authors: Dray Agha (Twitter @purp1ew0lf)
	Company: Huntress Labs
	Purpose: Automate setting up Sysmon and pulling Ippsec's sysmon IoC streamliner. Great for malware lab.
	#>

	function admin_check{
	if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(`
	Event
	\| where EventID == "4104"
	\| extend ParsedEvent = parse_xml(strcat("<root>", ParameterXml, "</root>"))
	\| extend MessageNumber = tolong(ParsedEvent.root.Param[0])
	\| extend MessageTotal = tolong(ParsedEvent.root.Param[1])
	\| extend ScriptBlockElement = iff(
	strlen(tostring(ParsedEvent.root.Param[2]["#text"])) > 0,
	ParsedEvent.root.Param[2]["#text"],
	ParsedEvent.root.Param[2])
	\| extend ScriptBlockId = tostring(ParsedEvent.root.Param[3])
	import gzip
	import io

	def gzip_str(string_):
	out = io.BytesIO()

	with gzip.GzipFile(fileobj=out, mode='w') as fo:
	fo.write(string_.encode())

	bytes_obj = out.getvalue()