Quis custodiet ipsos custodes?

Thomas V. Fischer tvfischer
@invictus-ir
invictus-ir / CloudTrail.csv
Last active May 2, 2024 12:56
An overview of CloudTrail events that are interesting from an Incident Response perspective
"Initial Access","Execution","Persistence","Privilege Escalation","Defense Evasion","Credential Access","Discovery","Lateral Movement","Exfiltration","Impact"
ConsoleLogin,StartInstance,CreateAccessKey,CreateGroup,StopLogging,GetSecretValue,ListUsers,AssumeRole,CreateSnapShot,PutBucketVersioning
PasswordRecoveryRequested,StartInstances,CreateUser,CreateRole,DeleteTrail,GetPasswordData,ListRoles,SwitchRole,ModifySnapshotAttributes,RunInstances
,Invoke,CreateNetworkAclEntry,UpdateAccessKey,UpdateTrail,RequestCertificate,ListIdentities,,ModifyImageAttribute,DeleteAccountPublicAccessBlock
,SendCommand,CreateRoute,PutGroupPolicy,PutEventSelectors,UpdateAssumeRolePolicy,ListAccessKeys,,SharedSnapshotCopyInitiated,
,,CreateLoginProfile,PutRolePolicy,DeleteFlowLogs,,ListServiceQuotas,,SharedSnapshotVolumeCreated,
,,AuthorizeSecurityGroupEgress,PutUserPolicy,DeleteDetector,,ListInstanceProfiles,,ModifyDBSnapshotAttribute,
,,AuthorizeSecurityGroupIngress,AddRoleToInstanceProfile,DeleteMembers,,ListBuckets,,PutBucketP
@tvfischer
tvfischer / AddingBOTSv1DatatoHELK.md
Last active July 26, 2023 04:11
The goal is to document the steps taken to pull the Splunk BOTS endpoint hunting data into a HELK instance. The idea was to be able to add this data for simulation and training purposes.

Adding BOTSv1 Data to HELK

HELK is an interesting platform for carrying out endpoint threat hunting and is useful both in production and for research and training. For research and training purposes, a key part is adding sample data so that hunting queries can be practised.

Yes, this could probably be done in a better way, but the goal here was K.I.S.S., quick and dirty.

Goal

Splunk provides sample data from its BOSS of the SOC CTF. Both v1 and v2 have been published as open source; more info here. The v1 data is available on GitHub here; unfortunately it is formatted for ingestion into Splunk.

The goal is to import into the HELK platform which is based on an ELK stack (elasticsearch, logstash and kibana). Thankfully, Sébastien Lehuédé has converted the data and done th

@Neo23x0
Neo23x0 / Base64_CheatSheet.md
Last active March 10, 2024 09:15
Learning Aid - Top Base64 Encodings Table

Base64 Patterns - Learning Aid

Base64 Code Mnemonic Aid Decoded* Description
JAB 🗣 Jabber $. Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env:
TVq 📺 Television MZ MZ header
SUVY 🚙 SUV IEX PowerShell Invoke Expression
SQBFAF 🐣 Squab favorite I.E. PowerShell Invoke Expression (UTF-16)
SQBuAH 🐣 Squab uahhh I.n. PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz
PAA 💪 "Pah!" <. Often used by Emotet (UTF-16)
@doegox
doegox / troopers2019_img2badge.py
Last active April 16, 2019 04:18
Image to badge shitty script, with script helper for uploading it directly on the badge via USB
#!/usr/bin/env python3
# TROOPERS2019
# @doegox
# The script will resize the image and convert it to a BW image if needed, but
# I would advise doing it yourself first with e.g. Gimp for better control
# of the aspect ratio and the BW threshold.
# Target: 296x128, black & white (no grey)
# Shall we display the result locally?
@msuiche
msuiche / GetPowerShellInfo.ps1
Last active May 23, 2020 19:20
Memory Forensics and PowerShell
##
## A good excuse to learn LINQ in WinDbg.
## Author: Matt Suiche (@msuiche) - 18-Jan-2019
##
## References:
## Extracting Forensic Script Content from PowerShell Process Dumps (Lee Holmes) - 17 Jan 2019
## http://www.leeholmes.com/blog/2019/01/17/extracting-forensic-script-content-from-powershell-process-dumps/
## Extracting Activity History from PowerShell Process Dumps (Lee Holmes) - 4 Jan 2019
## https://www.leeholmes.com/blog/2019/01/04/extracting-activity-history-from-powershell-process-dumps/
##

Approach

  1. Inventory Management
  2. Access Management
  3. Configuration Management
  4. Patch Management
  5. Logging and Monitoring
  6. Alerts
  7. Automated Remediation
  • Keep it simple
function Get-Doppelgangers
{
<#
.SYNOPSIS
Detects use of NTFS transactions for stealth/evasion, aka 'Process Doppelganging'
Author: Joe Desimone (@dez_)
License: BSD 3-Clause
@picheljitsu
picheljitsu / Get-RecentFiles.ps1
Last active October 10, 2021 23:29
Parsing Forensic Recent Files
function Get-RecentFiles{
<#
.SYNOPSIS
Lists files in a user's Recent directory sorted by lastwritetime property.
.DESCRIPTION
The files returned in the specified user's Recent directory are .lnk files. Analyzing the
contents of the files will show what documents were accessed, as Windows maintains a history
library(xml2)
library(purrr)
# Source XML document; each <book> element is written out to its own file
fil <- "https://gist.githubusercontent.com/hrbrmstr/f9c3bbc561e824219954ab5eecc12f2b/raw/65dad652d575b9c475559cbed86fceb5f0ff4d1b/books.xml"
doc <- read_xml(fil)
i <- 1
walk(xml_find_all(doc, "//book"), function(x) {
  writeLines(as.character(x), sprintf("out-%03d.xml", i))
  i <<- i + 1
})
function Export-MFT {
<#
.SYNOPSIS
Extracts master file table from volume.
Version: 0.1
Author : Jesse Davis (@secabstraction)
License: BSD 3-Clause
.DESCRIPTION