ag-michael
/ runpoll-<feedname>.sh
Created
July 30, 2020 07:49
Cron job script to run run-taxii-poll.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Run 'run-taxii-poll.py' to poll taxii feeds. | |
| # Set start and end time for the time range of the poll | |
| export START=$(date --date='8 hours ago' "+%Y-%m-%dT%H:%M:%S") | |
| export END=$(date "+%Y-%m-%dT%H:%M:%S") | |
| # Timestamp for the log file | |
| export TS=$(date '+%Y.%m.%d_%H.%M.%S') |
ag-michael
/ remote-servers.yml
Last active
July 29, 2020 04:00
AlienVault config for MISP TAXII feed
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Name for the feed | |
| - name: 'AlienVault' | |
| # Hostname/Domain - cannot be a URL | |
| host: 'otx.alienvault.com' | |
| port: 443 | |
| # Discovery/Inbox path, usually documented on the TAXII service's site. | |
| discovery_path: /taxii-discovery-service/ | |
| inbox_path: /taxii-data | |
| rate_limit: 2 | |
| rate_limit_threshold: 2 |
ag-michael
/ gist:738c69e131e9468cfcef0b94cb96e151
Created
May 3, 2020 23:18
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SyslogFacility AUTH | |
| LogLevel INFO | |
| PermitRootLogin no | |
| StrictModes yes | |
| MaxAuthTries 2 | |
| MaxSessions 2 | |
| AuthorizedKeysFile .ssh/authorized_keys | |
| IgnoreRhosts yes | |
| PasswordAuthentication no | |
| PermitEmptyPasswords no |
ag-michael
/ Invoke-mimikatz.ps1
Created
October 25, 2019 20:16
Invoke-mimikatz - fix processor architecture check
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-Mimikatz | |
| { | |
| <# | |
| .SYNOPSIS | |
| This script leverages Mimikatz 2.1.1 and Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory. This allows you to do things such as | |
| dump credentials without ever writing the mimikatz binary to disk. | |
| The script has a ComputerName parameter which allows it to be executed against multiple computers. | |
| This script should be able to dump credentials from any version of Windows through Windows 8.1 that has PowerShell v2 or higher installed. |
ag-michael
/ ProcessMitigationPolicy.xml
Created
July 31, 2019 22:02
Process Mitigation policy for Windows hardening
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <root> | |
| <SystemConfig> | |
| <DEP Enable="true" EmulateAtlThunks="false" OverrideDEP="false"></DEP> | |
| <ASLR BottomUp="true" HighEntropy="true" OverrideBottomUp="false"></ASLR> | |
| <SEHOP Enable="true" TelemetryOnly="false" OverrideSEHOP="false" Audit="false"></SEHOP> | |
| <ControlFlowGuard Enable="true" SuppressExports="false" OverrideCFG="false" StrictControlFlowGuard="false" OverrideStrictCFG="false"></ControlFlowGuard> | |
| </SystemConfig> | |
| <AppConfig Executable="7z.exe"> | |
| <DEP Enable="true" EmulateAtlThunks="false" OverrideDEP="false"></DEP> |
ag-michael
/ index_snapshot.py
Created
July 23, 2019 20:13
Create snapshots of elasticsearch indexes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python3 | |
| """ | |
| This script simply creats a snapshot of the configured index pattern | |
| I use it with cron to create daily backups: | |
| $ ln -s /usr/local/bin/index_snapshot.py /etc/cron.daily/ | |
| """ | |
| import elasticsearch | |
| import time |
ag-michael
/ ldapbindspray.py
Created
July 16, 2019 20:01
A very simply LDAP password spray script that validates passwords based on succesful ldap bind()
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import ldap | |
| import json | |
| import sys | |
| def ldapbrute(): | |
| ldap_obj = ldap.initialize("ldaps://domaincontroller.corp.local") | |
| ldap_obj.protocol_version = ldap.VERSION3 | |
| ldap_obj.set_option(ldap.OPT_REFERRALS, 0) | |
| passwords=[] | |
| account=sys.argv[1] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import ldap | |
| import json | |
| import datetime | |
| import traceback | |
| conf={ | |
| 'adurl':'ldaps://<ldapurl>', | |
| 'domain':"corp.local", | |
| 'computer_basedn':"", | |
| 'person_basedn':"", |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/env python2 | |
| import requests | |
| import json | |
| import time | |
| import logging | |
| logging.basicConfig(format='ThehiveAPI: %(asctime)-15s %(message)s') | |
| LOG = logging.getLogger('thehiveapi-alert-aging') | |
| LOG.setLevel(logging.DEBUG) | |
| alert_age=86400 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python2 | |
| import requests | |
| import json | |
| MISPAPI='<misp apikey>' | |
| MISPURL='<misp url>' | |
| BASE='/var/www/iocs/' #files under this path need to be served by a web-server | |
| TYPES=['domain','ip-src','ip-dst','email-src','email-dst','email'] | |
| WHITELIST = "<white list file containing iocs that won't be exported>" |