Thomas Patzke thomaspatzke

## splunk-savedsearches-concat.yml
postprocessing:
- type: template
  template: |+
    [{{ rule.id }}]
    search = {{ query }} | eval rule="{{ rule.id }}", title="{{ rule.title }}" | collect index=notable_events
    description = {{ rule.description }}

finalizers:
- type: concat
  prefix: |

## pipeline.yml
name: Fixing the field naming mess
priority: 30
transformations:
- id: image_fail_path
  type: detection_item_failure
  message: Image must only contain file name without any further path components.
  field_name_conditions:
  - type: include_fields
    fields:
    - Image

## mitre_attack_oneliners.sh
# Requires: curl, jq

# Download MITRE ATT&CK data from GitHub repository
curl -o enterprise-attack.json https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json

# List all ATT&CK object types
jq -r '[ .objects[].type ] | unique | .[]' enterprise-attack.json

# List all ATT&CK technique identifiers
jq -r '[ .objects[] | select(.type == "attack-pattern") | .external_references[] | select(.source_name == "mitre-attack") | .external_id ] | sort | .[]' enterprise-attack.json

## Kill-Ransomware.ps1
# Ransomware Killer v0.1 by Thomas Patzke <thomas@patzke.org>
# Kill all parent processes of the command that tries to run "vssadmin Delete Shadows"
# IMPORTANT: This must run with Administrator privileges!
Register-WmiEvent -Query "select * from __instancecreationevent within 0.1 where targetinstance isa 'win32_process' and targetinstance.CommandLine like '%vssadmin%Delete%Shadows%'" -Action {
    # Kill all parent processes from detected vssadmin process
    $p = $EventArgs.NewEvent.TargetInstance
    while ($p) {
       $ppid = $p.ParentProcessID
        $pp = Get-WmiObject -Class Win32_Process -Filter "ProcessID=$ppid"
        Write-Host $p.ProcessID

## Burp-CSRFRandomName.py
from burp import (IBurpExtender, IBurpExtenderCallbacks, ISessionHandlingAction, IHttpListener)
import re

class BurpExtender(IBurpExtender, ISessionHandlingAction, IHttpListener):
    def registerExtenderCallbacks(self, callbacks):
        self.callbacks = callbacks
        self.helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Handling of CSRF Tokens with Random Names")
        self.callbacks.registerSessionHandlingAction(self)
        self.callbacks.registerHttpListener(self)

## proxy_http_connect-portscanner.sh
for (( p=0; p <= 65535; p++ )); do echo "Probing port $p"; echo -n "Port $p: " >> portscan.log; (echo CONNECT targethost:$p HTTP/1.1; echo) | nc -q 3 proxyhost proxyport | head -1 >> portscan.log; done

## nmap-open-ports.sh
xmlstarlet sel -t -m '//port/state[@state="open"]/parent::port' -v 'ancestor::host/address/@addr' -o : -v './@portid' -n nmap-output.xml

## create_deleter.py
#!/usr/bin/python3

from sys import argv, exit
import re

hashline_re = re.compile('^SHA1\((.*?)\)= (.*)$')

dsthashes = dict()

if len(argv) < 4:

## net-config.sh
#!/bin/bash

case "$1" in
router)
	sysctl -w net.ipv4.ip_forward=1
	iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
	systemctl start dnsmasq.service
	;;
router-stop)
	sysctl -w net.ipv4.ip_forward=0

## hexdump.py
print("\n".join([" ".join(["{:02x}".format(c) for c in bin[i:i+16]]) for i in range(0, len(bin), 16)]))
	postprocessing:
	- type: template
	template: \|+
	[{{ rule.id }}]
	search = {{ query }} \| eval rule="{{ rule.id }}", title="{{ rule.title }}" \| collect index=notable_events
	description = {{ rule.description }}

	finalizers:
	- type: concat
	prefix: \|
	name: Fixing the field naming mess
	priority: 30
	transformations:
	- id: image_fail_path
	type: detection_item_failure
	message: Image must only contain file name without any further path components.
	field_name_conditions:
	- type: include_fields
	fields:
	- Image
	# Requires: curl, jq

	# Download MITRE ATT&CK data from GitHub repository
	curl -o enterprise-attack.json https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json

	# List all ATT&CK object types
	jq -r '[ .objects[].type ] \| unique \| .[]' enterprise-attack.json

	# List all ATT&CK technique identifiers
	jq -r '[ .objects[] \| select(.type == "attack-pattern") \| .external_references[] \| select(.source_name == "mitre-attack") \| .external_id ] \| sort \| .[]' enterprise-attack.json
	# Ransomware Killer v0.1 by Thomas Patzke <thomas@patzke.org>
	# Kill all parent processes of the command that tries to run "vssadmin Delete Shadows"
	# IMPORTANT: This must run with Administrator privileges!
	Register-WmiEvent -Query "select * from __instancecreationevent within 0.1 where targetinstance isa 'win32_process' and targetinstance.CommandLine like '%vssadmin%Delete%Shadows%'" -Action {
	# Kill all parent processes from detected vssadmin process
	$p = $EventArgs.NewEvent.TargetInstance
	while ($p) {
	$ppid = $p.ParentProcessID
	$pp = Get-WmiObject -Class Win32_Process -Filter "ProcessID=$ppid"
	Write-Host $p.ProcessID
	from burp import (IBurpExtender, IBurpExtenderCallbacks, ISessionHandlingAction, IHttpListener)
	import re

	class BurpExtender(IBurpExtender, ISessionHandlingAction, IHttpListener):
	def registerExtenderCallbacks(self, callbacks):
	self.callbacks = callbacks
	self.helpers = callbacks.getHelpers()
	callbacks.setExtensionName("Handling of CSRF Tokens with Random Names")
	self.callbacks.registerSessionHandlingAction(self)
	self.callbacks.registerHttpListener(self)
	#!/usr/bin/python3

	from sys import argv, exit
	import re

	hashline_re = re.compile('^SHA1\((.?)\)= (.)$')

	dsthashes = dict()

	if len(argv) < 4:
	#!/bin/bash

	case "$1" in
	router)
	sysctl -w net.ipv4.ip_forward=1
	iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
	systemctl start dnsmasq.service
	;;
	router-stop)
	sysctl -w net.ipv4.ip_forward=0