This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
postprocessing: | |
- type: template | |
template: |+ | |
[{{ rule.id }}] | |
search = {{ query }} | eval rule="{{ rule.id }}", title="{{ rule.title }}" | collect index=notable_events | |
description = {{ rule.description }} | |
finalizers: | |
- type: concat | |
prefix: | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Fixing the field naming mess | |
priority: 30 | |
transformations: | |
- id: image_fail_path | |
type: detection_item_failure | |
message: Image must only contain file name without any further path components. | |
field_name_conditions: | |
- type: include_fields | |
fields: | |
- Image |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Requires: curl, jq | |
# Download MITRE ATT&CK data from GitHub repository | |
curl -o enterprise-attack.json https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json | |
# List all ATT&CK object types | |
jq -r '[ .objects[].type ] | unique | .[]' enterprise-attack.json | |
# List all ATT&CK technique identifiers | |
jq -r '[ .objects[] | select(.type == "attack-pattern") | .external_references[] | select(.source_name == "mitre-attack") | .external_id ] | sort | .[]' enterprise-attack.json |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Ransomware Killer v0.1 by Thomas Patzke <thomas@patzke.org> | |
# Kill all parent processes of the command that tries to run "vssadmin Delete Shadows" | |
# IMPORTANT: This must run with Administrator privileges! | |
Register-WmiEvent -Query "select * from __instancecreationevent within 0.1 where targetinstance isa 'win32_process' and targetinstance.CommandLine like '%vssadmin%Delete%Shadows%'" -Action { | |
# Kill all parent processes from detected vssadmin process | |
$p = $EventArgs.NewEvent.TargetInstance | |
while ($p) { | |
$ppid = $p.ParentProcessID | |
$pp = Get-WmiObject -Class Win32_Process -Filter "ProcessID=$ppid" | |
Write-Host $p.ProcessID |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
from burp import (IBurpExtender, IBurpExtenderCallbacks, ISessionHandlingAction, IHttpListener) | |
import re | |
class BurpExtender(IBurpExtender, ISessionHandlingAction, IHttpListener): | |
def registerExtenderCallbacks(self, callbacks): | |
self.callbacks = callbacks | |
self.helpers = callbacks.getHelpers() | |
callbacks.setExtensionName("Handling of CSRF Tokens with Random Names") | |
self.callbacks.registerSessionHandlingAction(self) | |
self.callbacks.registerHttpListener(self) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
for (( p=0; p <= 65535; p++ )); do echo "Probing port $p"; echo -n "Port $p: " >> portscan.log; (echo CONNECT targethost:$p HTTP/1.1; echo) | nc -q 3 proxyhost proxyport | head -1 >> portscan.log; done |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
xmlstarlet sel -t -m '//port/state[@state="open"]/parent::port' -v 'ancestor::host/address/@addr' -o : -v './@portid' -n nmap-output.xml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/python3 | |
from sys import argv, exit | |
import re | |
hashline_re = re.compile('^SHA1\((.*?)\)= (.*)$') | |
dsthashes = dict() | |
if len(argv) < 4: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
case "$1" in | |
router) | |
sysctl -w net.ipv4.ip_forward=1 | |
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE | |
systemctl start dnsmasq.service | |
;; | |
router-stop) | |
sysctl -w net.ipv4.ip_forward=0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
print("\n".join([" ".join(["{:02x}".format(c) for c in bin[i:i+16]]) for i in range(0, len(bin), 16)])) |
NewerOlder