

Keybase proof

I hereby claim:

  • I am pe3zx on github.
  • I am pe3z (https://keybase.io/pe3z) on keybase.
  • I have a public key ASAU2yKbpXrwC7sNTh3-BoTC9V9qgbdHXH_LIVbhIf_rcQo

To claim this, I am signing this object:

@pe3zx
pe3zx / misp.conf
Last active Jan 20, 2019
Apache2 configuration to enable SSL/TLS support on MISP
<VirtualHost *:443>
ServerName misp.local
DocumentRoot /var/www/MISP/app/webroot
<Directory /var/www/MISP/app/webroot>
Options -Indexes
AllowOverride all
Order allow,deny
allow from all
</Directory>
@pe3zx
pe3zx / unpacking.py
Created Apr 20, 2019
Unpacking sudoers_timestamp struct
import sys
import binascii
import struct
from ctypes import Union, Structure, c_int, c_long, c_ushort, c_uint, c_short
from collections import namedtuple
from pprint import pprint
# struct timestamp_entry {
# unsigned short version; /* version number */
# unsigned short size; /* entry size */
@pe3zx
pe3zx / malware_carriers_hunting.yar
Last active Oct 13, 2019
Extracted YARA rules from BlackHat USA 2019 talk "Worm Charming - Harvesting Malware Lures for Fun and Profit"
// any Office document with macros.
rule macro_hunter
{
strings:
$ole_marker = {D0 CF 11 E0 A1 B1 1A E1}
$macro_sheet_h1 = {85 00 ?? ?? ?? ?? ?? ?? 01 01}
$macro_sheet_h2 = {85 00 ?? ?? ?? ?? ?? ?? 02 01}
condition:
new_file and (
tags contains "macros" or (
@pe3zx
pe3zx / cmpv.ps1
Created Sep 7, 2020
cmpv function for PowerShell code analysis
$AutomaticVariables = Get-Variable
function cmpv {
Compare-Object (Get-Variable) $AutomaticVariables -Property Name -PassThru | Where -Property Name -ne "AutomaticVariables"
}
@pe3zx
pe3zx / MAZE_Group_1.json
Last active Oct 9, 2020
MAZE Tactics and Techniques for ATT&CK Navigator
{
"name": "MAZE Group 1",
"version": "2.2",
"domain": "mitre-enterprise",
"description": "",
"filters": {
"stages": [
"act"
],
"platforms": [
@pe3zx
pe3zx / disable_windows_defender.bat
Last active Oct 9, 2020
Disable Windows Defender on Windows 10 1903
rem USE AT OWN RISK AS IS WITHOUT WARRANTY OF ANY KIND !!!!!
rem https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference
rem To also disable Windows Defender Security Center include this
rem reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
rem 1 - Disable Real-time protection
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f