Whitney Champion shortstack
🍪
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "8.8.8.8" | |
| "8.8.4.4" | |
| "1.1.1.1" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "": { | |
| "Category": "vulnerable driver", | |
| "Commands": { | |
| "Command": "sc.exe create fiddrv64.sys binPath=C:\\windows\\temp\\fiddrv64.sys type=kernel && sc.exe start fiddrv64.sys", | |
| "Description": "", | |
| "OperatingSystem": "Windows 10", | |
| "Privileges": "kernel", | |
| "Usecase": "Elevate privileges" | |
| }, |
shortstack
/ Windows.Application.LimaCharlieInstall.yaml
Last active
October 22, 2023 20:44
Velociraptor artifact to deploy the LimaCharlie EDR sensor
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Windows.Applications.LimaCharlieInstall | |
| author: Whitney Champion (@shortxstack) | |
| description: | | |
| This artifact installs the LimaCharlie EDR sensor. | |
| tools: | |
| - name: LimaCharlieBinary | |
| url: https://downloads.limacharlie.io/sensor/windows/64 | |
| serve_locally: true |
shortstack
/ cylance_detections.py
Created
March 16, 2023 22:51
Python Flask app to log detections from Cylance API
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import requests | |
| import json | |
| import time | |
| from datetime import datetime, timedelta | |
| import jwt | |
| import uuid | |
| from flask import Flask | |
| from config import Config | |
shortstack
/ limacharlie_secrets.py
Last active
February 11, 2023 19:49
Store and retrieve secrets from LimaCharlie
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def generate_jwt(): | |
| api_key = "" | |
| base_url = "https://jwt.limacharlie.io" | |
| uid = "" | |
| url = "%s?uid=%s&secret=%s" % (base_url, uid, api_key) | |
| try: | |
| r = requests.get(url) |
shortstack
/ deploy_sysmon.yml
Created
February 9, 2023 23:24
Deploy Sysmon With A LimaCharlie D&R Rule
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| deploy_sysmon: | |
| detect: | |
| event: OS_SERVICES_REP | |
| op: and | |
| rules: | |
| - op: is platform | |
| name: windows | |
| - op: contains | |
| not: true | |
| case sensitive: false |
shortstack
/ sigma_to_limacharlie.py
Created
September 21, 2022 13:29
Convert Sigma rule to LimaCharlie rule
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import json | |
| import yaml | |
| import requests | |
| url = "https://sigma.limacharlie.io/convert/rule" | |
| files = {'rule': open('sigma_rule.yml', 'rb').read()} | |
| headers = { | |
| "Content-Type": "application/x-www-form-urlencoded" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import sys | |
| import boto3 | |
| import pytz | |
| from datetime import datetime,timedelta | |
| from os import path | |
| s3 = boto3.resource('s3') | |
| s3_client = boto3.client('s3') |
shortstack
/ cloudwatch_to_logstash.py
Created
January 13, 2021 18:08
Python lambda to ship logs from Cloudwatch to Logstash
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| import socket | |
| import sys | |
| import json | |
| import zlib | |
| import copy | |
| import base64 | |
| import re | |
| import ssl | |
| import logging |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import sys | |
| import requests | |
| import time | |
| import json | |
| from multiprocessing import Process | |
| def follow(thefile): | |
| thefile.seek(0,2) |
NewerOlder