Richie Cyrus richiercyrus

View GitHub Profile
@richiercyrus
richiercyrus / ESF.ipynb
Last active July 14, 2023 19:08
Jupyter Notebook demonstrating the usefulness of Apple's Endpoint Security Framework.
{"@timestamp":"2019-02-25T12:34:28.707Z","@metadata":{"beat":"filebeat","type":"doc","version":"6.5.4","topic":"filebeat"},"prospector":{"type":"log"},"input":{"type":"log"},"beat":{"hostname":"pedros-Mac.local","version":"6.5.4","name":"pedros-Mac.local"},"host":{"name":"pedros-Mac.local","architecture":"x86_64","os":{"version":"10.14.2","family":"darwin","build":"18C54","platform":"darwin"}},"offset":0,"message":"{\"Hostname\": \"pedros-Mac.local\", \"users\": [\"daemon\", \"nobody\", \"pedro\", \"root\", \"\"], \"module\": \"Users\"}","source":"/tmp/pedros-Mac.local.json"}
{"@timestamp":"2019-02-25T12:34:28.707Z","@metadata":{"beat":"filebeat","type":"doc","version":"6.5.4","topic":"filebeat"},"beat":{"name":"pedros-Mac.local","hostname":"pedros-Mac.local","version":"6.5.4"},"host":{"architecture":"x86_64","os":{"platform":"darwin","version":"10.14.2","family":"darwin","build":"18C54"},"name":"pedros-Mac.local"},"source":"/tmp/pedros-Mac.local.json","offset":104,"message":"{\"Hostname\": \"pedros-Mac.local
richiercyrus / SigCheck.py
Created February 12, 2019 14:17
Python code for checking whether there are any processes running on a macOS system that are missing the LC_CODE_SIGNATURE command. This may be indicative of a LC_LOAD_DYLIB addition attack: https://attack.mitre.org/techniques/T1161/
import os
import sys
import shlex
import argparse
import subprocess
import macholib
import json
import hashlib
#This script is designed to detect the following MITRE ATT&CK Technique:
richiercyrus / thing.ini
Created October 3, 2018 21:50
marketingconfig
[GENERAL]
# Enable / Disable logging
LOG = True
[BROWSER]
BROWSER = Chrome
#BROWSER = 'Edge'
# Chrome webdriver
WEBDRIVER = ./webdrivers/chromedriver
# MS Edge webdriver
richiercyrus / winlogbeat_hc.yml
Created September 9, 2018 17:04
Training Course Hackcon
###################### Winlogbeat Configuration Example ##########################
# This file is an example configuration file highlighting only the most common
# options. The winlogbeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/winlogbeat/index.html
#======================= Winlogbeat specific options ==========================
richiercyrus / osquery.conf
Last active September 8, 2022 12:35
Defensive Evasion - osquery config
{
"options": {
"config_plugin": "filesystem",
"logger_plugin": "filesystem",
"logger_path": "/var/log/osquery",
"disable_logging": "false",
"log_result_events": "true",
"schedule_splay_percent": "10",
"pidfile": "/var/osquery/osquery.pidfile",
"events_expiry": "3600",
richiercyrus / winlogbeat.yml
Last active February 13, 2024 15:17
Training Course Winlogbeat Config File
###################### Winlogbeat Configuration Example ##########################
# This file is an example configuration file highlighting only the most common
# options. The winlogbeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/winlogbeat/index.html
#======================= Winlogbeat specific options ==========================