scusi
/ ConvertBinaryBpjmData.sh
Last active
August 29, 2015 14:07
convert binary bpjm data from FritzBox routers into text files
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # | |
| # USAGE: | |
| # $> ./ConvertBinaryBpjmData.sh bpjm.data | |
| # | |
| RAWFILE=$1 | |
| OUTFILE=`strings $RAWFILE | head -n 1` | |
| od -t x1 -An -j 64 $RAWFILE | tr -d '\n ' > $OUTFILE |
scusi
/ dns_xor.go
Last active
August 29, 2015 14:08
encode/decode FrameworkPOS Malware DNS exfiltrated data
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // domain data encoding/decoding algo for FrameworkPOS Malware DNS-Tunneling Variant, | |
| // as described on: | |
| // https://blog.gdata.de/artikel/neue-variante-von-frameworkpos-schoepft-daten-ueber-dns-anfragen-ab/ | |
| // | |
| package main | |
| import( | |
| "fmt" | |
| "os" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // parse a FritzBox Bpjm File | |
| package main | |
| import ( | |
| "os" | |
| "fmt" | |
| "bytes" | |
| "io" | |
| "io/ioutil" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // go library to scope with the BPjM Censorship list | |
| package Bpjm | |
| import ( | |
| "net/url" | |
| "regexp" | |
| "crypto/md5" | |
| "strings" | |
| "bytes" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // tool that uses my bpjm library to load and parse a BPJM File from a FritzBox | |
| package main | |
| import( | |
| "github.com/scusi/bpjm" | |
| "fmt" | |
| "os" | |
| ) | |
| func main(){ |
scusi
/ gifExeExtract.go
Created
March 30, 2017 13:49
extract payload exe from downloaded gif as Trojan-Ransom.Win32.Foreign does
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "bufio" | |
| "bytes" | |
| "container/ring" | |
| "encoding/hex" | |
| "flag" | |
| "fmt" | |
| "io/ioutil" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "container/ring" | |
| "flag" | |
| "io/ioutil" | |
| "log" | |
| ) | |
| var keyFile string |
scusi
/ disableTelemetry.ps1
Last active
November 9, 2019 10:07
disable telemetry call home in windows10
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # powershell script to disable telemetry in win10 | |
| # | |
| # Source: | |
| # https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/SiSyPHus/Analyse_Telemetriekomponente.pdf?__blob=publicationFile&v=3 | |
| # run as admin | |
| if (!([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) { Start-Process powershell.exe "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" -Verb RunAs; exit } | |
| # Step 1: deactivate DiagTrack service | |
| Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\DiagTrack\ -name Start -Value 4 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # powershell script to (re-)enable telemetry in win10 | |
| # | |
| # flw@posteo.de | |
| # | |
| # run as admin | |
| if (!([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) { Start-Process powershell.exe "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" -Verb RunAs; exit } | |
| # Step 1: deactivate DiagTrack service | |
| Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\DiagTrack\ -name Start -Value 2 |
scusi
/ log-forwarding-with-etw.ps1
Created
November 20, 2021 08:50
— forked from ajpc500/log-forwarding-with-etw.ps1
Quick-and-dirty PowerShell script to install Sysmon (SwiftOnSecurity config), SilkService and Winlogbeat, and forward logs to HELK based on IP set in environment variable "HELK_IP" (see Line 224).
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 | |
| $wc = New-Object System.Net.WebClient | |
| if (!(Test-Path "C:\Tools")) { | |
| New-Item -Path "C:\" -Name "Tools" -ItemType "directory" | |
| } | |
| # SYSMON | |
| # Download Sysmon | |
| $SysmonDirectory = "C:\Tools\Sysmon\" |
OlderNewer