Austin Songer, CISSP austinsonger
@oz9un
oz9un / only_ping.xml
Created October 18, 2021 08:46
SysmonForLinux - Log only pings [Disable other mess]
<Sysmon schemaversion="4.70">
<EventFiltering>
<!-- Event ID 1 == ProcessCreate. Include only ping processes.
     groupRelation="or": the event is logged if EITHER rule below matches.
     Note that "contains" is a substring test, so any command line that
     merely carries "ping" (for example a path such as shipping.log) is logged too. -->
<RuleGroup name="pingDetected" groupRelation="or">
<ProcessCreate onmatch="include">
<Image condition="is">/usr/bin/ping</Image>
<CommandLine condition="contains">ping</CommandLine>
</ProcessCreate>
</RuleGroup>
https://raw.githubusercontent.com/FortyNorthSecurity/C2concealer/3630a87e56a1e36ea0d907903fc9b7460419e71f/C2concealer/components/postex.py
https://raw.githubusercontent.com/MythicAgents/Apollo/49a8f4b8486a4cfd7cab5bf4ac0d457158f99606/Payload_Type/apollo/agent_code/Apollo/CommandModules/SpawnTo.cs
https://raw.githubusercontent.com/kphongagsorn/c2-profiles/29fe50eaad655ddd0028fca06a9c7785e3ffaf41/amazon.profile
https://raw.githubusercontent.com/MythicAgents/Apollo/49a8f4b8486a4cfd7cab5bf4ac0d457158f99606/documentation-payload/apollo/commands/spawnto_x64.md
https://raw.githubusercontent.com/TheRipperJhon/CAPE/2bc977577a8fcc81a46046fe5bf9248ed3ac0c28/modules/processing/parsers/malwareconfig/CobaltStrike.py
https://raw.githubusercontent.com/Tylous/SourcePoint/7bebe641d9c0d2dbc41c27ef621333f257cbd3e6/Struct/Struct.go
https://raw.githubusercontent.com/MythicAgents/Apollo/92958fc2c9511d738bc1cd2dd44405c650991014/documentation-payload/apollo/opsec.md
https://raw.githubusercontent.com/nsquar3/malware_analysis/e7f3070f4
@MHaggis
MHaggis / allthesysmon.xml
Last active January 28, 2025 01:08
Hunt Naked
<Sysmon schemaversion="4.90">
<HashAlgorithms>md5,sha256</HashAlgorithms>
<!--Skip reverse-DNS lookups of remote IPs on network events (faster, less noise)-->
<DnsLookup>False</DnsLookup>
<!--Do not check certificate revocation when validating image signatures-->
<CheckRevocation>False</CheckRevocation>
<!--Directory where deleted files are archived (Event ID 23, FileDelete)-->
<ArchiveDirectory>sysmon</ArchiveDirectory>
<EventFiltering>
<!--Event ID 1: Process creation. An empty onmatch="exclude" block excludes nothing, so every event of this type is logged-->
<ProcessCreate onmatch="exclude"></ProcessCreate>
<!--Event ID 2: A process changed a file creation time (same empty-exclude pattern: log everything)-->
<FileCreateTime onmatch="exclude"></FileCreateTime>
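The two Sysmon previews above take opposite approaches: oz9un's config uses an `include` block so only matching process creations are logged, while MHaggis's config uses empty `exclude` blocks so everything is logged. The following is an added example (not code from either gist) that implements the subset of Sysmon filter semantics both configs rely on, namely `onmatch` include versus exclude, `RuleGroup` `groupRelation` "or"/"and", and the string conditions, then evaluates constructed sample events against trimmed, well-formed versions of the two configs. The sample events and the `compare` helper are assumptions for illustration.

```python
"""Evaluate Sysmon EventFiltering rules against sample ProcessCreate events.

Added example, not code from either gist. The two configs below are trimmed,
well-formed versions of the gist previews; the events are constructed.
"""
import xml.etree.ElementTree as ET

ONLY_PING = """<Sysmon schemaversion="4.70">
  <EventFiltering>
    <RuleGroup name="pingDetected" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Image condition="is">/usr/bin/ping</Image>
        <CommandLine condition="contains">ping</CommandLine>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

HUNT_NAKED = """<Sysmon schemaversion="4.90">
  <EventFiltering>
    <ProcessCreate onmatch="exclude"></ProcessCreate>
    <FileCreateTime onmatch="exclude"></FileCreateTime>
  </EventFiltering>
</Sysmon>"""


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]


# Sysmon string conditions are case-insensitive; "image" compares file names only.
CONDITIONS = {
    "is": lambda v, p: v.lower() == p.lower(),
    "is not": lambda v, p: v.lower() != p.lower(),
    "contains": lambda v, p: p.lower() in v.lower(),
    "begin with": lambda v, p: v.lower().startswith(p.lower()),
    "end with": lambda v, p: v.lower().endswith(p.lower()),
    "image": lambda v, p: _basename(v).lower() == _basename(p).lower(),
}


def _iter_blocks(filtering, event_type):
    """Yield (groupRelation, block) for each block of event_type.

    Blocks placed directly under EventFiltering get the default "or" relation.
    """
    for child in filtering:
        if child.tag == "RuleGroup":
            relation = child.get("groupRelation", "or").lower()
            for block in child.findall(event_type):
                yield relation, block
        elif child.tag == event_type:
            yield "or", child


def _block_matches(block, relation, event):
    results = [
        CONDITIONS[rule.get("condition", "is").lower()](
            event.get(rule.tag, ""), (rule.text or "").strip())
        for rule in block
    ]
    if not results:
        return False  # an empty block matches nothing
    return all(results) if relation == "and" else any(results)


def is_logged(config_xml, event_type, event):
    """True/False when the config decides the event; None when it has no
    block for that event type (Sysmon's per-event default then applies)."""
    filtering = ET.fromstring(config_xml).find("EventFiltering")
    has_block = has_include = include_hit = exclude_hit = False
    for relation, block in _iter_blocks(filtering, event_type):
        has_block = True
        hit = _block_matches(block, relation, event)
        if block.get("onmatch", "").lower() == "include":
            has_include = True
            include_hit = include_hit or hit
        else:
            exclude_hit = exclude_hit or hit
    if not has_block:
        return None
    # A matching exclude rule always wins. With no include block, everything
    # not excluded is logged, which is why an empty exclude block logs all.
    if exclude_hit:
        return False
    return include_hit if has_include else True


# Constructed sample events using SysmonForLinux field names.
EVENTS = {
    "ping": {"Image": "/usr/bin/ping", "CommandLine": "ping -c 4 10.0.0.1"},
    "sleep": {"Image": "/usr/bin/sleep", "CommandLine": "sleep 30"},
    "shipping": {"Image": "/usr/bin/cat", "CommandLine": "cat /var/log/shipping.log"},
}


def compare(configs=None, events=EVENTS):
    """Map config name -> event name -> decision for the two gist configs."""
    configs = configs or {"only_ping": ONLY_PING, "hunt_naked": HUNT_NAKED}
    return {name: {ev: is_logged(cfg, "ProcessCreate", e) for ev, e in events.items()}
            for name, cfg in configs.items()}


if __name__ == "__main__":
    for name, decisions in compare().items():
        print(name, decisions)
```

Running it shows the practical difference: under `only_ping` the `cat /var/log/shipping.log` event is logged because `contains ping` is a substring match, which is the false positive to expect from that rule; under `hunt_naked` every process creation is logged, and an event type with no block at all (such as NetworkConnect here) returns `None`, meaning Sysmon's own default for that type decides.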
@dmattera
dmattera / launchctl_man_pages.md
Last active December 13, 2024 20:39
macOS man page entries for launchctl services

This list was auto-generated on macOS 10.15 (Catalina) using a script that did the following:

  1. grabbed the name of all the .plist files located in the 5 folders used by launchctl:
  • ~/Library/LaunchAgents Per-user agents provided by the user.
  • /Library/LaunchAgents Per-user agents provided by the administrator.
  • /Library/LaunchDaemons System wide daemons provided by the administrator.
  • /System/Library/LaunchAgents OS X Per-user agents.
  • /System/Library/LaunchDaemons OS X System wide daemons.
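As an added example (not the gist author's script), the following enumerates the five launchd directories listed above and summarizes what each property list launches, which is the first pass of a macOS persistence triage. The directory list can be overridden so it runs against a constructed sample directory offline; `build_sample_dir` and its two sample plists are assumptions for illustration.

```python
"""Enumerate launchd plists and summarize what each one launches.

Added example, not the gist author's script. Walks the five launchd
directories above (overridable), parses each .plist with plistlib and
reports Label, program, and whether it starts at load.
"""
import os
import plistlib
import tempfile
from pathlib import Path

LAUNCHD_DIRS = [
    "~/Library/LaunchAgents",         # per-user agents, user-installed
    "/Library/LaunchAgents",          # per-user agents, admin-installed
    "/Library/LaunchDaemons",         # system daemons, admin-installed
    "/System/Library/LaunchAgents",   # macOS per-user agents
    "/System/Library/LaunchDaemons",  # macOS system daemons
]


def summarize_plist(path):
    with open(path, "rb") as fh:
        data = plistlib.load(fh)
    args = data.get("ProgramArguments") or []
    # launchd runs Program if set, otherwise ProgramArguments[0].
    program = data.get("Program") or (args[0] if args else None)
    return {
        "file": str(path),
        "label": data.get("Label"),
        "program": program,
        "arguments": args,
        "run_at_load": bool(data.get("RunAtLoad", False)),
        "keep_alive": bool(data.get("KeepAlive", False)),  # may be a dict
        "disabled": bool(data.get("Disabled", False)),
    }


def enumerate_launchd(dirs=LAUNCHD_DIRS):
    """One summary dict per .plist; unreadable files are reported, not skipped."""
    entries = []
    for d in dirs:
        root = Path(os.path.expanduser(d))
        if not root.is_dir():
            continue
        for plist in sorted(root.glob("*.plist")):
            try:
                entries.append(summarize_plist(plist))
            except Exception as exc:  # malformed XML/binary plist, permissions
                entries.append({"file": str(plist), "error": repr(exc)})
    return entries


def build_sample_dir():
    """Create a temp directory holding constructed plists for offline runs."""
    d = tempfile.mkdtemp(prefix="launchd-sample-")
    agent = {
        "Label": "com.example.updater",
        "ProgramArguments": ["/usr/bin/python3", "-c", "pass"],
        "RunAtLoad": True,
        "KeepAlive": {"SuccessfulExit": False},
    }
    with open(os.path.join(d, "com.example.updater.plist"), "wb") as fh:
        plistlib.dump(agent, fh)
    with open(os.path.join(d, "broken.plist"), "wb") as fh:
        fh.write(b"this is not a plist")
    return d


if __name__ == "__main__":
    for entry in enumerate_launchd():
        print(entry)
```

On a real host, run it as the user whose `~/Library/LaunchAgents` you care about and again with elevated rights for the `/Library` and `/System/Library` paths; a label that does not match the file name, a program under a user-writable path, or `RunAtLoad` plus `KeepAlive` on an unfamiliar entry are the items to look at first.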
@Yapcheekian
Yapcheekian / guide.md
Created July 22, 2021 12:29
Integrate Elastic Cloud with Okta

Okta

  1. Create an application in Okta
  2. Choose SAML 2.0
  3. Give the app a name
  4. Single sign-on URL: KIBANA_ENDPOINT_URL/api/security/saml/callback
  5. Audience URI (SP Entity ID): KIBANA_ENDPOINT_URL/

elasticsearch.yml

xpack:
@alexverboon
alexverboon / lolbinsnetworkpublic.kql
Created May 16, 2021 14:39
Hunt for LOLBins connecting to public IP addresses
// Inspiration from https://github.com/jangeisbauer/AdvancedHunting/blob/master/hunt_for_lolbins - just changed Processes to NetworkEvents
// T1218 Living off the land binaries connecting to the internet
// Network activity with LOLBins; "contains" is a case-insensitive substring match on the initiating image name
DeviceNetworkEvents
| where RemoteIPType == 'Public'
| where InitiatingProcessFileName contains "Atbroker.exe" or
InitiatingProcessFileName contains "Bash.exe" or
InitiatingProcessFileName contains "Bitsadmin.exe" or
InitiatingProcessFileName contains "Certutil.exe" or
InitiatingProcessFileName contains "Cmdkey.exe" or
@svch0stz
svch0stz / scanning_cobaltstrike_config.csv
Created May 6, 2021 10:55
scanning_cobaltstrike_config.csv
ip,port,time_scanned,arch,Beacon Type,Port,Polling,Jitter,Max DNS,C2 Server,User Agent,HTTP Method Path 2,Header 1,Header 2,Injection Process,Pipe Name,Year,Month,Day,DNS Idle,DNS Sleep,Method 1,Method 2,Spawn To,Proxy Hostname,Proxy Username,Proxy Password,Proxy Access Type,CreateRemoteThread,Watermark
185.20.186.108,443,1.62002E+12,x86,8 (HTTPS),443,5000,0,,"185.20.186.108,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",,/N4215/adj/amzn.us.sr.aps,,,,,,,,,,GET,POST,%windir%\syswow64\rundll32.exe,,,,,,1359593325
185.20.186.108,443,1.62002E+12,x64,8 (HTTPS),443,5000,0,,"185.20.186.108,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",,/N4215/adj/amzn.us.sr.aps,,,,,,,,,,GET,POST,%windir%\sysnative\rundll32.exe,,,,,,1359593325
213.202.211.246,80,1.62002E+12,x86,0 (HTTP),80,10000,5,,"213.202.211.246,/metro91/admin/1/ppptp.jpg",,/metro91/admin/1/secure.php,,,,,,,,,,GET,POST,%windir%\syswow64\rundll32.exe,,,,,,0
213.202.211.246,80,1.62002E+12,x64,0 (HTTP),80,10000,5,,"213.202.211.246,/metr
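Rows like these are most useful once they are turned into hunt indicators. The following is an added example (not part of the gist) that parses the header and the three complete rows from the preview above, collapses the x86/x64 rows for each C2 into one indicator set, and flags the `rundll32.exe` spawnto path, which is the Cobalt Strike default. The grouping and the `suspicious_spawnto` check are mine, not the gist author's.

```python
"""Turn scanned Cobalt Strike beacon configs into hunt indicators.

Added example, not part of the gist. SAMPLE_CSV is the header and the three
complete rows from the gist preview; the grouping logic is an assumption.
Note that time_scanned was saved through a spreadsheet and collapsed to
1.62002E+12, so the original millisecond timestamp is no longer recoverable.
"""
import csv
import io

SAMPLE_CSV = r"""ip,port,time_scanned,arch,Beacon Type,Port,Polling,Jitter,Max DNS,C2 Server,User Agent,HTTP Method Path 2,Header 1,Header 2,Injection Process,Pipe Name,Year,Month,Day,DNS Idle,DNS Sleep,Method 1,Method 2,Spawn To,Proxy Hostname,Proxy Username,Proxy Password,Proxy Access Type,CreateRemoteThread,Watermark
185.20.186.108,443,1.62002E+12,x86,8 (HTTPS),443,5000,0,,"185.20.186.108,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",,/N4215/adj/amzn.us.sr.aps,,,,,,,,,,GET,POST,%windir%\syswow64\rundll32.exe,,,,,,1359593325
185.20.186.108,443,1.62002E+12,x64,8 (HTTPS),443,5000,0,,"185.20.186.108,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",,/N4215/adj/amzn.us.sr.aps,,,,,,,,,,GET,POST,%windir%\sysnative\rundll32.exe,,,,,,1359593325
213.202.211.246,80,1.62002E+12,x86,0 (HTTP),80,10000,5,,"213.202.211.246,/metro91/admin/1/ppptp.jpg",,/metro91/admin/1/secure.php,,,,,,,,,,GET,POST,%windir%\syswow64\rundll32.exe,,,,,,0
"""


def parse_beacon_configs(text):
    """One dict per row; the quoted C2 Server field survives the embedded comma."""
    return list(csv.DictReader(io.StringIO(text)))


def beacon_indicators(rows):
    """Collapse the per-architecture rows for one C2 address into one indicator set."""
    out = {}
    for r in rows:
        # The scanner packs "host,uri" into the single C2 Server field.
        host, _, get_uri = r["C2 Server"].partition(",")
        ind = out.setdefault(r["ip"], {
            "ip": r["ip"],
            "port": int(r["port"]),
            "beacon_type": r["Beacon Type"],
            "sleep_ms": int(r["Polling"]),
            "jitter_pct": int(r["Jitter"]),
            "watermark": r["Watermark"],
            "c2_uris": set(),
            "spawnto": set(),
            "arches": set(),
        })
        ind["c2_uris"].add(host + get_uri)                  # Method 1 (GET) path
        ind["c2_uris"].add(host + r["HTTP Method Path 2"])  # Method 2 (POST) path
        ind["spawnto"].add(r["Spawn To"])
        ind["arches"].add(r["arch"])
    return out


def suspicious_spawnto(ind):
    """rundll32.exe is Cobalt Strike's default spawnto for post-exploitation jobs."""
    return any(p.lower().endswith("rundll32.exe") for p in ind["spawnto"])


if __name__ == "__main__":
    for ip, ind in beacon_indicators(parse_beacon_configs(SAMPLE_CSV)).items():
        print(ip, sorted(ind["c2_uris"]), sorted(ind["spawnto"]),
              "watermark", ind["watermark"], "default spawnto" if suspicious_spawnto(ind) else "")
```

The host-plus-URI strings are the values to push into proxy or DNS hunts, and the spawnto paths are what to expect as the parent-child pair (beacon host process spawning `rundll32.exe` with no arguments) in endpoint telemetry; the watermark groups servers that share one licensed build.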
#!/usr/bin/env bash
#
# Set up automatic sync from a GitHub upstream repository to a fork
# - a branch "actions" will be created (or re-used) to hold the GitHub Action to run
# - sync runs every hour
# - the branch "actions" needs to be the default branch of your fork (=> settings)
# - the script both creates and updates the sync workflow, and rewrites it if you modify this script file
#
# Author: Mathiue Carbou