Skip to content

Instantly share code, notes, and snippets.

@ion-storm
ion-storm / PS Script: SUNBURST DLL
Created December 15, 2020 13:27 — forked from stephent23/PS Script: SUNBURST DLL
PowerShell Script to identify the SolarWinds.Orion.Core.BusinessLayer.dll on host and return the location/file hash
$path_ = "C:\"
$list = @(Get-ChildItem -Path $path_ -Name "SolarWinds.Orion.Core.BusinessLayer.dll" -Recurse)
$list | % {
$fullPath = $path_ + $_
Get-FileHash $fullPath -Algorithm SHA256 | Format-List
}
@ion-storm
ion-storm / sone.conf
Last active October 9, 2020 21:39 — forked from tuckner/sone.conf
SentinelOne Cloudfunnel Logstash Input
input {
kafka {
bootstrap_servers => "" #configurable
group_id => "" #configurable
auto_offset_reset => "" #configurable
security_protocol => "SASL_SSL"
sasl_mechanism => "SCRAM-SHA-512"
sasl_jaas_config => "org.apache.kafka.common.security.scram.ScramLoginModule required username='' password='';"
ssl_endpoint_identification_algorithm => ""
topics => [""] #configurable
@ion-storm
ion-storm / Get-InjectedThread.ps1
Created February 16, 2020 04:24 — forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION
@ion-storm
ion-storm / Base64_CheatSheet.md
Created October 25, 2019 20:15 — forked from Neo23x0/Base64_CheatSheet.md
Learning Aid - Top Base64 Encodings Table

Learning Aid - Top Base64 Encodings Table

MITRE ATT4CK - T1132 - Data Encoding

Base64 Code Mnemonic Aid Decoded* Description
JAB 🗣 Jabber $. Variable declaration (UTF-16)
TVq 📺 Television MZ MZ header
UEs 🏬 Upper East Side PK ZIP, Office documents
SUVY 🚙 SUV IEX PowerShell Invoke Expression
$ScrObjBlockRule = New-CIPolicyRule -DriverFilePath $Env:windir\System32\scrobj.dll -Level FileName -Deny -AppID $Env:windir\System32\regsvr32.exe
# Merge the block rule into the allow all template rule included in the OS
Merge-CIPolicy -OutputFilePath CustomASRPolicy.xml -PolicyPaths $Env:windir\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml -Rules $ScrObjBlockRule
# This must be run elevated. Convert the policy to binary form and copy it to where WDAC will consume it.
ConvertFrom-CIPolicy -XmlFilePath .\CustomASRPolicy.xml -BinaryFilePath $Env:windir\System32\CodeIntegrity\SIPolicy.p7b
# Now reboot and the policy will take effect.
@ion-storm
ion-storm / dotnet-runtime-etw.py
Created August 23, 2019 02:15 — forked from countercept/dotnet-runtime-etw.py
A research aid for tracing security relevant events in the CLR via ETW for detecting malicious assemblies.
import time
import etw
import etw.evntrace
import sys
import argparse
import threading
class RundownDotNetETW(etw.ETW):
def __init__(self, verbose, high_risk_only):
CREATE STREAM WINLOGBEAT_STREAM (source_name VARCHAR, type VARCHAR, task VARCHAR, log_name VARCHAR, computer_name VARCHAR, event_data STRUCT< UtcTime VARCHAR, ProcessGuid VARCHAR, ProcessId INTEGER, Image VARCHAR, FileVersion VARCHAR, Description VARCHAR, Product VARCHAR, Company VARCHAR, CommandLine VARCHAR, CurrentDirectory VARCHAR, User VARCHAR, LogonGuid VARCHAR, LogonId VARCHAR, TerminalSessionId INTEGER, IntegrityLevel VARCHAR, Hashes VARCHAR, ParentProcessGuid VARCHAR, ParentProcessId INTEGER, ParentImage VARCHAR, ParentCommandLine VARCHAR, Protocol VARCHAR, Initiated VARCHAR, SourceIsIpv6 VARCHAR, SourceIp VARCHAR, SourceHostname VARCHAR, SourcePort INTEGER, SourcePortName VARCHAR, DestinationIsIpv6 VARCHAR, DestinationIp VARCHAR, DestinationHostname VARCHAR, DestinationPort INTEGER, DestinationPortName VARCHAR>, event_id INTEGER) WITH (KAFKA_TOPIC='winlogbeat', VALUE_FORMAT='JSON');
CREATE STREAM WINLOGBEAT_STREAM_REKEY WITH (VALUE_FORMAT='JSON', PARTITIONS=1, TIMESTAMP='event_date_creation') AS SEL
@ion-storm
ion-storm / CollectDotNetEvents.ps1
Created August 1, 2019 01:32 — forked from mattifestation/CollectDotNetEvents.ps1
A PoC script to capture relevant .NET runtime artifacts for the purposes of potential detections
logman --% start dotNetTrace -p Microsoft-Windows-DotNETRuntime (JitKeyword,NGenKeyword,InteropKeyword,LoaderKeyword) win:Informational -o dotNetTrace.etl -ets
# Do your evil .NET thing now. In this example, I executed the Microsoft.Workflow.Compiler.exe bypass
# logman stop dotNetTrace -ets
# This is the process ID of the process I want to capture. In this case, Microsoft.Workflow.Compiler.exe
# I got the process ID by running a procmon trace
$TargetProcessId = 8256
@ion-storm
ion-storm / iddqd.yar
Created May 14, 2019 12:26 — forked from Neo23x0/iddqd.yar
IDDQD - Godmode YARA Rule
/*
_____ __ __ ___ __
/ ___/__ ___/ / / |/ /__ ___/ /__
/ (_ / _ \/ _ / / /|_/ / _ \/ _ / -_)
\___/\___/\_,_/_/_/__/_/\___/\_,_/\__/
\ \/ / _ | / _ \/ _ | / _ \__ __/ /__
\ / __ |/ , _/ __ | / , _/ // / / -_)
/_/_/ |_/_/|_/_/ |_| /_/|_|\_,_/_/\__/
Florian Roth - v0.1 May 2019
function Invoke-SMBWmi {
[CmdletBinding()]
param(
[String[]]
$ComputerName = ".",
[String]
$Pipename = "tf12lol"