colindix

# Converter.sh by @xdavidhu
# This is a script inspired by the Bug Hunter's Methodology 3 by @Jhaddix
# With this script, you can convert domain lists to resolved IP lists without duplicates.
# Usage: ./converter.sh [domain-list-file] [output-file]

echo -e "[+] Converter.sh by @xdavidhu\n"
if [ -z "$1" ] || [ -z "$2" ]; then
  echo "[!] Usage: ./converter.sh [domain-list-file] [output-file]"
  exit 1
fi

colindix

# Get login credentials 
$UserCredential = Get-Credential 
$psOption = New-PSSessionOption -ProxyAccessType IEConfig -ProxyAuthentication Negotiate
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid -Credential $UserCredential -Authentication Basic -AllowRedirection -SessionOption $psOption

Import-PSSession $Session -AllowClobber -DisableNameChecking 
$searchQry = '(Subject:<YOUR SUBJECT HERE) AND (Received:today)' #KQL https://msdn.microsoft.com/library/ee558911(v=office.15).aspx
$compName = "20180514-01-MalwareEmails"

colindix

{
	"name": "Priority_Threat_Groups_Scoring",
	"version": "2.1",
	"domain": "mitre-enterprise",
	"description": "",
	"filters": {
		"stages": [
			"act"
		],
		"platforms": [

colindix

pd.set_option('display.max_columns', 500)
pd.set_option('display.width', 2000)
pd.set_option('max_colwidth', 500)

colindix

# ### This one works in the dataframe syntax
dfuserrgx1 = r"\\users\\[^\\]+\\"
dfuserrgx2 = r"\\userdata\\[^\\]+\\"
#userrgx3 = r'\bS-1-5-21-\d{8,10}-\d{8,10}-\d{8,10}-\d{5,10}\b'
dfuserrgx3 = r'S-1-5-21-\d{8,10}-\d{8,10}-\d{8,10}-\d{5,10}'
dfusermatch = f"(?i)(?:{dfuserrgx1})|(?:{dfuserrgx2})|(?:{dfuserrgx3})"

################################################################

# ### Works in SQL - can reduce these to 4 x backslashes if raw strings are used

colindix

client = Client(n_workers=3, threads_per_worker=1, processes=True, # processes=True for computationally intensive work
                memory_limit='16GB', scheduler_port=0, 
                diagnostics_port=0, silence_logs=False)
# diagnostics_port and scheduler_port with 0 as the param will cause random selection for the client.

colindix

abb
abbott
abc
abogado
abudhabi
ac
academy
accountant
accountants
aco

colindix

# Logparser 


###############
# Security Log
###############

# Find Event id
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '5038'"

colindix

def graceful_cleanup(signum, frame):
    """
    signal handler function should perform all clean up tasks and optionall exit.
    I here it is just shutting down an executor which will exit the main loop, 
    i have also used it to set a flag so that processing in other threads will exit on the next test of that flag.
    The code below is unlikely to work as i was just using it in a test harness, but the signal module does work well for this 
    use case.
    """
    try:
        futurelist_lock.release()

colindix

$cdate = (get-date).ToUniversalTime() ; $bup = ((gcim Win32_OperatingSystem).LastBootupTime).ToUniversalTime(); $ut = (($cdate) - $bup); Write-Output "`nUptime: $($ut.Days)d $($ut.Hours)h $($ut.Minutes)m $($ut.Seconds)s | TotalSeconds: $($ut.TotalSeconds) || Booted: $($bup.ToString('u')) | $(get-date -date $bup -UFormat '%s')`n"