Recording Notebook Roberto Rodriguez @Cyb3rWard0g, Threat Researcher, Microsoft MSTIC
Roberto Rodriguez Cyb3rWard0g
🍻
Cyb3rWard0g
/ yaml_to_notebook.py
Created
December 18, 2019 05:48
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import nbformat as nbf | |
| import yaml | |
| # *** Read YAML file *** | |
| analytic = yaml.safe_load(open("WIN-190815181010.yaml").read()) | |
| # *** Create Notebook object *** | |
| nb = nbf.v4.new_notebook() | |
| nb['cells'] = [] |
Cyb3rWard0g
/ es_notebook_nbformat.py
Last active
January 11, 2020 05:56
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| # Author: Roberto Rodriguez (@Cyb3rWard0g) | |
| # License: GPL-3.0 | |
| import nbformat as nbf | |
| # Initializing Notebooks Cells | |
| nb = nbf.v4.new_notebook() | |
| nb['cells'] = [] |
Cyb3rWard0g
/ sigmac_nbformat_notebook.py
Created
January 11, 2020 06:38
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| # Author: Roberto Rodriguez (@Cyb3rWard0g) | |
| # License: GPL-3.0 | |
| import nbformat as nbf | |
| import yaml | |
| import subprocess | |
| import argparse | |
| from os import path |
Cyb3rWard0g
/ ala-workspace.json
Last active
May 30, 2024 05:08
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", | |
| "contentVersion": "1.0.0.0", | |
| "parameters": { | |
| "utcValue": { | |
| "type": "string", | |
| "defaultValue": "[utcNow()]", | |
| "metadata": { | |
| "description": "Returns the current (UTC) datetime value in the specified format. If no format is provided, the ISO 8601 (yyyyMMddTHHmmssZ) format is used" | |
| } |
Cyb3rWard0g
/ ala-workspace-sentinel.json
Last active
October 1, 2021 20:54
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", | |
| "contentVersion": "1.0.0.0", | |
| "parameters": { | |
| "utcValue": { | |
| "type": "string", | |
| "defaultValue": "[utcNow()]", | |
| "metadata": { | |
| "description": "Returns the current (UTC) datetime value in the specified format. If no format is provided, the ISO 8601 (yyyyMMddTHHmmssZ) format is used" | |
| } |
Cyb3rWard0g
/ azure-la-windows-event-providers.json
Created
March 20, 2020 00:36
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", | |
| "contentVersion": "1.0.0.0", | |
| "parameters": { | |
| "workspaceName": { | |
| "type": "string", | |
| "metadata": { | |
| "description": "Name for the Log Analytics workspace used to aggregate data" | |
| } | |
| }, |
Cyb3rWard0g
/ azure-la-agent-windows.json
Created
March 20, 2020 00:49
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "condition": "[parameters('enableMonitoringAgent')]", | |
| "type": "Microsoft.Compute/virtualMachines/extensions", | |
| "apiVersion": "2019-03-01", | |
| "name": "[concat(variables('VMName'), '/OMSExtension')]", | |
| "location": "[parameters('location')]", | |
| "dependsOn": [ | |
| "[concat('Microsoft.Compute/virtualMachines/', variables('VMName'))]" | |
| ], | |
| "properties": { |
Cyb3rWard0g
/ kafkacat-eventhub.conf
Created
March 22, 2020 21:12
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| metadata.broker.list=<EVENTHUB-NAMESPACE>.servicebus.windows.net:9093 | |
| security.protocol=SASL_SSL | |
| sasl.mechanisms=PLAIN | |
| sasl.username=$ConnectionString | |
| sasl.password=Endpoint=<ROOTMANAGERSHAREDACCESSKEY-CONNECTION-STRING-PRIMARY-KEY> | |
| enable.ssl.certificate.verification=false | |
| message.max.bytes=1000000 |
Cyb3rWard0g
/ talk-stream-time.md
Created
May 13, 2020 18:16
Cyb3rWard0g
/ seatbelt_registry_basic_exploration.txt
Last active
November 2, 2020 20:03
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe", "" | |
| SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLs" | |
| SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLsTime" | |
| Software\\Policies\\Microsoft Services\\AdmPwd", "AdmPwdEnabled" | |
| Software\\Policies\\Microsoft Services\\AdmPwd", "AdminAccountName" | |
| Software\\Policies\\Microsoft Services\\AdmPwd", "PasswordComplexity" | |
| Software\\Policies\\Microsoft Services\\AdmPwd", "PasswordLength" | |
| Software\\Policies\\Microsoft Services\\AdmPwd", "PwdExpirationProtectionEnabled" | |
| SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "UseWUServer" | |
| SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "WUServer" |