Skip to content

Instantly share code, notes, and snippets.

View thomaspatzke's full-sized avatar

Thomas Patzke thomaspatzke

View GitHub Profile
@thomaspatzke
thomaspatzke / splunk-savedsearches-concat.yml
Last active September 3, 2023 21:27
Processing pipeline using the query postprocessing and output finalization transformations to create a custom Splunk savedsearches.conf output with Sigma CLI
postprocessing:
- type: template
template: |+
[{{ rule.id }}]
search = {{ query }} | eval rule="{{ rule.id }}", title="{{ rule.title }}" | collect index=notable_events
description = {{ rule.description }}
finalizers:
- type: concat
prefix: |
@thomaspatzke
thomaspatzke / pipeline.yml
Last active September 1, 2023 22:11
Full example processing pipeline from Medium blog post about processing pipelines: https://medium.com/sigma-hq/connecting-sigma-rule-sets-to-your-environment-with-processing-pipelines-4ee1bd577070
name: Fixing the field naming mess
priority: 30
transformations:
- id: image_fail_path
type: detection_item_failure
message: Image must only contain file name without any further path components.
field_name_conditions:
- type: include_fields
fields:
- Image
@thomaspatzke
thomaspatzke / mitre_attack_oneliners.sh
Created December 17, 2019 00:10
MITRE ATT&CK oneliners
# Requires: curl, jq
# Download MITRE ATT&CK data from GitHub repository
curl -o enterprise-attack.json https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json
# List all ATT&CK object types
jq -r '[ .objects[].type ] | unique | .[]' enterprise-attack.json
# List all ATT&CK technique identifiers
jq -r '[ .objects[] | select(.type == "attack-pattern") | .external_references[] | select(.source_name == "mitre-attack") | .external_id ] | sort | .[]' enterprise-attack.json
@thomaspatzke
thomaspatzke / Kill-Ransomware.ps1
Created November 5, 2019 12:29
Ransomware Killer
# Ransomware Killer v0.1 by Thomas Patzke <thomas@patzke.org>
# Kill all parent processes of the command that tries to run "vssadmin Delete Shadows"
# IMPORTANT: This must run with Administrator privileges!
Register-WmiEvent -Query "select * from __instancecreationevent within 0.1 where targetinstance isa 'win32_process' and targetinstance.CommandLine like '%vssadmin%Delete%Shadows%'" -Action {
# Kill all parent processes from detected vssadmin process
$p = $EventArgs.NewEvent.TargetInstance
while ($p) {
$ppid = $p.ParentProcessID
$pp = Get-WmiObject -Class Win32_Process -Filter "ProcessID=$ppid"
Write-Host $p.ProcessID
@thomaspatzke
thomaspatzke / Burp-CSRFRandomName.py
Created February 15, 2017 09:09
Burp Session Handling Extension: CSRF tokens with random parameter names
from burp import (IBurpExtender, IBurpExtenderCallbacks, ISessionHandlingAction, IHttpListener)
import re
class BurpExtender(IBurpExtender, ISessionHandlingAction, IHttpListener):
def registerExtenderCallbacks(self, callbacks):
self.callbacks = callbacks
self.helpers = callbacks.getHelpers()
callbacks.setExtensionName("Handling of CSRF Tokens with Random Names")
self.callbacks.registerSessionHandlingAction(self)
self.callbacks.registerHttpListener(self)
@thomaspatzke
thomaspatzke / proxy_http_connect-portscanner.sh
Created September 1, 2016 13:28
Simple HTTP CONNECT Proxy Portscanner
for (( p=0; p <= 65535; p++ )); do echo "Probing port $p"; echo -n "Port $p: " >> portscan.log; (echo CONNECT targethost:$p HTTP/1.1; echo) | nc -q 3 proxyhost proxyport | head -1 >> portscan.log; done
@thomaspatzke
thomaspatzke / nmap-open-ports.sh
Last active December 12, 2023 13:33
Extract all open ports in Host:Port format from nmap XML output
xmlstarlet sel -t -m '//port/state[@state="open"]/parent::port' -v 'ancestor::host/address/@addr' -o : -v './@portid' -n nmap-output.xml
@thomaspatzke
thomaspatzke / create_deleter.py
Created January 30, 2016 22:29
Create file deletion script from two 'openssl sha1' outputs. Deletions are done in files referenced in source hash file.
#!/usr/bin/python3
from sys import argv, exit
import re
hashline_re = re.compile('^SHA1\((.*?)\)= (.*)$')
dsthashes = dict()
if len(argv) < 4:
@thomaspatzke
thomaspatzke / net-config.sh
Created January 19, 2016 22:46
Shell script to quickly switch between real Internet connection (NAT) and simulated (INetSim)
#!/bin/bash
case "$1" in
router)
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
systemctl start dnsmasq.service
;;
router-stop)
sysctl -w net.ipv4.ip_forward=0
@thomaspatzke
thomaspatzke / hexdump.py
Last active August 29, 2015 14:20
Hex-only dump in Python in one line
print("\n".join([" ".join(["{:02x}".format(c) for c in bin[i:i+16]]) for i in range(0, len(bin), 16)]))