
Tom Lancaster tlansec

  • Volexity
  • UK
@tlansec
tlansec / domain_fronting.py
Created March 13, 2023 13:58
Domain fronting example
import requests
r = {
'url':'https://pypi.python.org',
'method' : "GET",
"headers" : {
"Host" : "totally-python.org",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36"
},
"verify" : True
}
@tlansec
tlansec / keybase.md
Created November 11, 2022 09:26
Keybase verification

Keybase proof

I hereby claim:

  • I am tlansec on github.
  • I am tlansec (https://keybase.io/tlansec) on keybase.
  • I have a public key ASBn6NaQHKRGN-ymHfWx1epyZK7Q07E9UQlOXmsoZKuG-wo

To claim this, I am signing this object:

@tlansec
tlansec / entropy.yar
Created July 21, 2022 09:27
Print out information about a file's entropy
// Add as an alias like:
// alias entropy=yara /path/to/entropy.yar $*
// Usage:
// entropy file.bin
import "console"
import "math"
rule entropy
@tlansec
tlansec / things.md
Created March 29, 2022 08:21
DFRWS things

Things you might want to install if you have not already

[required]

  • YARA -> https://github.com/virustotal/yara
  • Strings -> https://docs.microsoft.com/en-us/sysinternals/downloads/strings (or UNIX equivalent)

[nice_to_have]

  • PEStudio -> https://www.winitor.com/
@tlansec
tlansec / entropy_functions.yar
Created March 14, 2022 14:01
Generic rule for suspicious function names
import "math"
rule general_vba_high_entropy_function_names : General
{
meta:
author = "threatintel@volexity.com"
description = "Looks for VBA files containing function names that have been randomized based on their entropy."
date = "2022-03-14"
hash1 = "c2badcdfa9b7ece00f245990bb85fb6645c05b155b77deaf2bb7a2a0aacbe49"
memory_suitable = 0
@tlansec
tlansec / externals_example.py
Created February 21, 2022 10:08
Simple script to demo use of yara-python + externals
# Simple script to demo use of yara-python + externals
# think of all the externals you could define!
import os
import sys
import yara
example_rule = '''
rule demo_externals
{
@tlansec
tlansec / pe_check.yar
Created January 6, 2022 10:33
Use with the -D flag to dump PE metadata about a file. I have an alias of "pe_yara=yara -D $*" so I can just run "pe_yara -D foo.bin"
import "pe"
rule always_false
{
condition:
false
}
@tlansec
tlansec / casing_anomaly.yar
Created January 5, 2022 10:21
Casing anomaly YARA rule
rule general_win_runkey_casing_anomaly : General
{
meta:
author = "threatintel@volexity.com"
description = "Looks for files containing a reference to the HKCU run key where the reference uses unusual casing."
date = "2021-08-03"
hash1 = "c20997c72508bc7340f4ec99fe9eb4f1ccde518e81bda66e7c86632f0748bffa"
memory_suitable = 0
strings: