ag-michael

import os,sys
import requests
import hmac
import hashlib
import datetime
import base64,time
import subprocess

BHE_TOKEN_ID = "<replace me>"
BHE_TOKEN_KEY = "<replace me>"

ag-michael

// To compile:x86_64-w64-mingw32-g++ -shared  -fno-stack-protector  -o bacon.cpl bacon.c
// To run: rundll32.exe shell32.dll,Control_RunDLL beacon.cpl
// To run: control.exe beacon.cpl
#include <windows.h>
#include <tlhelp32.h>
#include <winternl.h>

typedef NTSTATUS (NTAPI * NtCreateThreadEx_t)(
	OUT PHANDLE hThread,
	IN ACCESS_MASK DesiredAccess,

ag-michael

.*jndi:(ldap|ldaps|rmi|dns).*/
.*j\}.*n\}.*d\}.*i\}.*:\/\/.*/
.*lower:jndi.*:\/\/.*/
.*\$\{::.*:\w{3,6}:\/\/.*

ag-michael

<#
.SYNOPSIS
    Reset push-notification exceptions and remove non-exempt extensions.
	With just the -User, it lists the changes that will be made.
.PARAMETER User
The User profile name name in C:\Users\
.PARAMETER Clean
Commit changes by removing notification exemptions and extensions directories
.PARAMETER KillBrowsers
Kill running browser processes

ag-michael

#!/bin/bash
# Find A records that resolve to CNAME where the CNAME is not resolving (NXDOMAIN)

export results=()

find_dangling(){
if ! [ -z $2 ]
then
	dig $2 | grep -q NXDOMAIN
	if [ $? -eq 0 ]

ag-michael

sourcetype IN (<replace this with the sourcetype for your aad/o365 audit log data in Splunk. e.g.:"aad,o365">) 
(Operation IN ("Set domain authentication*","Set federation settings on domain*")
OR Operation="Update application*"
OR Operation IN ("Update service principal*","Add service principal credentials*")
OR Operation="Add app role assignment*"
OR Operation IN ("Add OAuth2PermissionGrant*","Consent to application*")

OR (Operation IN ("UserLoggedIn*","UserLoginFailed*") ExtendedProperties{}.Value="16457" )
OR (Operation="MailboxLogin*" AND *Powershell* )
OR a0c73c16-a7e3-4564-9a95-2bdf47383716

ag-michael

#! /usr/bin/python3
misp_url = '<misp url>'
misp_key = '<apikey>'
misp_verifycert = True
relative_path = 'events/restSearch'
body = {
    "returnFormat": "json",
    "timestamp": "90d",
    "published": 0
}

ag-michael

powershell.exe -ep bypass -ec KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACIAaAB0AHQAcABzADoALwAvAGQAbwB3AG4AbABvAGEAZAAuAHMAeQBzAGkAbgB0AGUAcgBuAGEAbABzAC4AYwBvAG0ALwBmAGkAbABlAHMALwBTAHkAcwBtAG8AbgAuAHoAaQBwACIALAAiAGMAOgBcAHUAcwBlAHIAcwBcACQAZQBuAHYAOgB1AHMAZQByAG4AYQBtAGUAXABhAHAAcABkAGEAdABhAFwAbABvAGMAYQBsAFwAdABlAG0AcABcAHMAeQBzAG0AbwBuAC4AegBpAHAAIgApADsARQB4AHAAYQBuAGQALQBBAHIAYwBoAGkAdgBlACAALQBGAG8AcgBjAGUAIAAtAFAAYQB0AGgAIAAiAGMAOgBcAHUAcwBlAHIAcwBcACQAZQBuAHYAOgB1AHMAZQByAG4AYQBtAGUAXABhAHAAcABkAGEAdABhAFwAbABvAGMAYQBsAFwAdABlAG0AcABcAHMAeQBzAG0AbwBuAC4AegBpAHAAIgAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuAFAAYQB0AGgAIAAiAGMAOgBcAHUAcwBlAHIAcwBcACQAZQBuAHYAOgB1AHMAZQByAG4AYQBtAGUAXABhAHAAcABkAGEAdABhAFwAbABvAGMAYQBsAFwAdABlAG0AcABcAHMAeQBzAG0AbwBuACIAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAIgBoAHQAdABwAHMAOgAvAC8AcgBhAHcALgBnAGkAdABoAHUAYg

ag-michael

import requests
import json
import sys
import time
import datetime
from requests.auth import HTTPBasicAuth
import logging 
import elasticsearch
import geoip
import traceback

ag-michael

#! /usr/bin/python
# Requirement: run python -m pip install eml_parser
# Syntax: python.exe .\dump_eml.py . .\dumpfile.txt

import os,sys,datetime
import eml_parser,json

separator = "\\"
def json_serial(obj):
  if isinstance(obj, datetime.datetime):