I hereby claim:
- I am ion-storm on github.
- I am ionstorm_ (https://keybase.io/ionstorm_) on keybase.
- I have a public key ASDcmNr5gWQB17z9e3J6fs2d-EuPTVa_33DwKKjKva6KWAo
To claim this, I am signing this object:
ionstorm ion-storm
ion-storm
/ keybase.md
Created
February 19, 2022 17:33
ion-storm
/ PS Script: SUNBURST DLL
Created
December 15, 2020 13:27
— forked from stephent23/PS Script: SUNBURST DLL
PowerShell Script to identify the SolarWinds.Orion.Core.BusinessLayer.dll on host and return the location/file hash
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $path_ = "C:\" | |
| $list = @(Get-ChildItem -Path $path_ -Name "SolarWinds.Orion.Core.BusinessLayer.dll" -Recurse) | |
| $list | % { | |
| $fullPath = $path_ + $_ | |
| Get-FileHash $fullPath -Algorithm SHA256 | Format-List | |
| } |
ion-storm
/ sone.conf
Last active
October 9, 2020 21:39
— forked from tuckner/sone.conf
SentinelOne Cloudfunnel Logstash Input
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| input { | |
| kafka { | |
| bootstrap_servers => "" #configurable | |
| group_id => "" #configurable | |
| auto_offset_reset => "" #configurable | |
| security_protocol => "SASL_SSL" | |
| sasl_mechanism => "SCRAM-SHA-512" | |
| sasl_jaas_config => "org.apache.kafka.common.security.scram.ScramLoginModule required username='' password='';" | |
| ssl_endpoint_identification_algorithm => "" | |
| topics => [""] #configurable |
ion-storm
/ Get-InjectedThread.ps1
Created
February 16, 2020 04:24
— forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-InjectedThread | |
| { | |
| <# | |
| .SYNOPSIS | |
| Looks for threads that were created as a result of code injection. | |
| .DESCRIPTION | |
ion-storm
/ Base64_CheatSheet.md
Created
October 25, 2019 20:15
— forked from Neo23x0/Base64_CheatSheet.md
Learning Aid - Top Base64 Encodings Table
MITRE ATT4CK - T1132 - Data Encoding
| Base64 Code | Mnemonic Aid | Decoded* | Description |
|---|---|---|---|
JAB |
🗣 Jabber | $. |
Variable declaration (UTF-16) |
TVq |
📺 Television | MZ |
MZ header |
UEs |
🏬 Upper East Side | PK |
ZIP, Office documents |
SUVY |
🚙 SUV | IEX |
PowerShell Invoke Expression |
ion-storm
/ CustomASRRuleGenerator.ps1
Created
September 10, 2019 02:38
— forked from mattifestation/CustomASRRuleGenerator.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ScrObjBlockRule = New-CIPolicyRule -DriverFilePath $Env:windir\System32\scrobj.dll -Level FileName -Deny -AppID $Env:windir\System32\regsvr32.exe | |
| # Merge the block rule into the allow all template rule included in the OS | |
| Merge-CIPolicy -OutputFilePath CustomASRPolicy.xml -PolicyPaths $Env:windir\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml -Rules $ScrObjBlockRule | |
| # This must be run elevated. Convert the policy to binary form and copy it to where WDAC will consume it. | |
| ConvertFrom-CIPolicy -XmlFilePath .\CustomASRPolicy.xml -BinaryFilePath $Env:windir\System32\CodeIntegrity\SIPolicy.p7b | |
| # Now reboot and the policy will take effect. |
ion-storm
/ dotnet-runtime-etw.py
Created
August 23, 2019 02:15
— forked from countercept/dotnet-runtime-etw.py
A research aid for tracing security relevant events in the CLR via ETW for detecting malicious assemblies.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import time | |
| import etw | |
| import etw.evntrace | |
| import sys | |
| import argparse | |
| import threading | |
| class RundownDotNetETW(etw.ETW): | |
| def __init__(self, verbose, high_risk_only): |
ion-storm
/ sysmon-join.commands
Created
August 8, 2019 01:54
— forked from Cyb3rWard0g/sysmon-join.commands
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| CREATE STREAM WINLOGBEAT_STREAM (source_name VARCHAR, type VARCHAR, task VARCHAR, log_name VARCHAR, computer_name VARCHAR, event_data STRUCT< UtcTime VARCHAR, ProcessGuid VARCHAR, ProcessId INTEGER, Image VARCHAR, FileVersion VARCHAR, Description VARCHAR, Product VARCHAR, Company VARCHAR, CommandLine VARCHAR, CurrentDirectory VARCHAR, User VARCHAR, LogonGuid VARCHAR, LogonId VARCHAR, TerminalSessionId INTEGER, IntegrityLevel VARCHAR, Hashes VARCHAR, ParentProcessGuid VARCHAR, ParentProcessId INTEGER, ParentImage VARCHAR, ParentCommandLine VARCHAR, Protocol VARCHAR, Initiated VARCHAR, SourceIsIpv6 VARCHAR, SourceIp VARCHAR, SourceHostname VARCHAR, SourcePort INTEGER, SourcePortName VARCHAR, DestinationIsIpv6 VARCHAR, DestinationIp VARCHAR, DestinationHostname VARCHAR, DestinationPort INTEGER, DestinationPortName VARCHAR>, event_id INTEGER) WITH (KAFKA_TOPIC='winlogbeat', VALUE_FORMAT='JSON'); | |
| CREATE STREAM WINLOGBEAT_STREAM_REKEY WITH (VALUE_FORMAT='JSON', PARTITIONS=1, TIMESTAMP='event_date_creation') AS SEL |
ion-storm
/ CollectDotNetEvents.ps1
Created
August 1, 2019 01:32
— forked from mattifestation/CollectDotNetEvents.ps1
A PoC script to capture relevant .NET runtime artifacts for the purposes of potential detections
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| logman --% start dotNetTrace -p Microsoft-Windows-DotNETRuntime (JitKeyword,NGenKeyword,InteropKeyword,LoaderKeyword) win:Informational -o dotNetTrace.etl -ets | |
| # Do your evil .NET thing now. In this example, I executed the Microsoft.Workflow.Compiler.exe bypass | |
| # logman stop dotNetTrace -ets | |
| # This is the process ID of the process I want to capture. In this case, Microsoft.Workflow.Compiler.exe | |
| # I got the process ID by running a procmon trace | |
| $TargetProcessId = 8256 |
ion-storm
/ iddqd.yar
Created
May 14, 2019 12:26
— forked from Neo23x0/iddqd.yar
IDDQD - Godmode YARA Rule
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| _____ __ __ ___ __ | |
| / ___/__ ___/ / / |/ /__ ___/ /__ | |
| / (_ / _ \/ _ / / /|_/ / _ \/ _ / -_) | |
| \___/\___/\_,_/_/_/__/_/\___/\_,_/\__/ | |
| \ \/ / _ | / _ \/ _ | / _ \__ __/ /__ | |
| \ / __ |/ , _/ __ | / , _/ // / / -_) | |
| /_/_/ |_/_/|_/_/ |_| /_/|_|\_,_/_/\__/ | |
| Florian Roth - v0.1 May 2019 |
NewerOlder