joenorton8014
joenorton8014
/ kql-sysmon-parser.kql
Created
February 24, 2025 20:24
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // KQL Sysmon Event Parser compatible with OSSEM | |
| // Original work by the Azure Sentinel team | |
| // Maintained by Edoardo Gerosa | |
| // OSSEM link > https://github.com/OTRF/OSSEM | |
| // | |
| // Notes: | |
| // 1. This is a modified version from the original noted above to parse Sysmon logs from | |
| // a machine configured with Swift on Security's sysmon config. | |
| let EventData = Event | |
| | where Source == "Microsoft-Windows-Sysmon" |
joenorton8014
/ zipcracker.py
Created
October 21, 2018 00:52
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import zipfile | |
| import random | |
| import itertools | |
| import time | |
| """ | |
| Solves a challenge on pentester academy's Labs. Inefficiently writes | |
| passwords to the screen, only be cause it was used as a debugging method to | |
| figure out how python3 was jacking up the string encoding. Might clean up | |
| into a usable program someday, so that's why I am saving it here... |
joenorton8014
/ logmonitor.py
Created
October 11, 2018 20:54
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python3 | |
| import time | |
| from datetime import datetime | |
| import smtplib | |
| from email.mime.multipart import MIMEMultipart | |
| from email.mime.text import MIMEText | |
| from pathlib import Path | |
| ''' | |
| Not very user friendly at this point.... |
joenorton8014
/ common sections dict
Last active
October 15, 2024 22:37
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Dictionary of common PE file sections and descriptions. | |
| # Taken from here: http://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/ | |
| common_sections_dict = {".00cfg":"Control Flow Guard CFG section added by newer versions of Visual Studio", \ | |
| ".apiset":"a section present inside the apisetschema.dll", \ | |
| ".arch":"Alpha-architecture section", \ | |
| ".autoload_text":"cygwin/gcc; the Cygwin DLL uses a section to avoid copying certain data on fork.", \ | |
| ".bindat":"Binary data also used by one of the downware installers based on LUA", \ | |
| ".bootdat":"section that can be found inside Visual Studio files; contains palette entries", \ | |
| ".bss":"Uninitialized Data Section", \ |
joenorton8014
/ packer dictionary
Created
September 12, 2018 02:06
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Dictionary of packer sections and descriptions. | |
| # Taken from here: http://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/ | |
| # Useful in python code :) | |
| packer_dict = {".aspack":"Aspack packer", \ | |
| ".adata":"Aspack packer/Armadillo packer", \ | |
| "ASPack":"Aspack packer", \ | |
| ".ASPack":"ASPAck Protector", \ | |
| ".boom":"The Boomerang List Builder (config+exe xored with a single byte key 0x77)", \ |
joenorton8014
/ messingwithpefile.py
Last active
September 12, 2018 03:22
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import pefile | |
| # Inspriation from here - https://malwology.com/2018/08/24/python-for-malware-analysis-getting-started/ | |
| # Dictionary of packer sections and descriptions. | |
| # Taken from here: http://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/ | |
| packer_dict = {".aspack":"Aspack packer", \ |
joenorton8014
/ kill-calc.vbs
Created
August 28, 2018 19:07
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' Kill Calculator | |
| procToKill = "Calculator.exe" | |
| strComputer = "." | |
| Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2") | |
| Set colItems = objWMIService.ExecQuery( _ | |
| "SELECT * FROM Win32_Process",,48) | |
| For Each objItem in colItems | |
| If objItem.Name = procToKill Then | |
| Set objShare = objWMIService.Get("Win32_Process.Handle=" & objItem.ProcessID) | |
| Wscript.Echo "-----------------------------------" |
joenorton8014
/ all-pids-owned-by-SYSTEM.vbs
Created
August 28, 2018 17:57
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| dim list | |
| Set list = CreateObject("System.Collections.ArrayList") | |
| strComputer = "." | |
| Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2") | |
| Set colItems = objWMIService.ExecQuery( _ | |
| "SELECT * FROM Win32_Process",,48) | |
| For Each objItem in colItems | |
| list.Add objItem.ProcessId | |
| Next |
joenorton8014
/ all-pids-and-owners.vbs
Last active
August 28, 2018 17:36
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| dim list | |
| Set list = CreateObject("System.Collections.ArrayList") | |
| strComputer = "." | |
| Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2") | |
| Set colItems = objWMIService.ExecQuery( _ | |
| "SELECT * FROM Win32_Process",,48) | |
| For Each objItem in colItems | |
| list.Add objItem.ProcessId | |
| Next |
joenorton8014
/ all-proc-to-csv.vbs
Last active
August 28, 2018 16:45
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Dim fso, objShell, objShellEnv, strComputerName, objFso, dt | |
| dt = now | |
| timestamp = ((year(dt)*100 + month(dt))*100 + day(dt))*10000 + hour(dt)*100 + minute(dt) | |
| Set objShell = WScript.CreateObject("WScript.Shell") | |
| Set objShellEnv = objShell.Environment("Process") | |
| strComputerName = objShellEnv("ComputerName") | |
| Set objFso = WScript.CreateObject("Scripting.FileSystemObject") | |
| Set outputFile = objFso.CreateTextFile("C:\tools\allproc-" & timestamp & ".csv", True) | |
| strComputer = "." |
NewerOlder