I hereby claim:
- I am keithmccammon on github.
- I am kwm (https://keybase.io/kwm) on keybase.
- I have a public key whose fingerprint is 142F DB63 ACB2 E176 484B 184E 0ACD C417 A011 DD72
To claim this, I am signing this object:
Keith McCammon keithmccammon
keithmccammon
/ netconns-by-domain.py
Created
July 20, 2015 13:32
Extracting historical network events (netconns) given a list of domains
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """Dump a comma-separated list of domain,ipaddr pairings where the domain | |
| includes at least one element from the list (domains). | |
| Useful for dumping historical name resolution data, compiling lists of | |
| endpoints that have talked to a domain, etc. | |
| Depends on https://github.com/redcanaryco/cbapi2. | |
| """ |
keithmccammon
/ decode-posh-base64string.py
Last active
March 30, 2016 16:48
Decode input passed to PowerShell's FromBase64String function
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import gzip | |
| import base64 | |
| import StringIO | |
| import sys | |
| def gunzip(raw_data): | |
| decoded_data_obj = StringIO.StringIO(raw_data) |
keithmccammon
/ cb-response-delete-file.py
Created
June 16, 2016 18:40
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| """ | |
| Given a sensor ID and a file path, delete the file. This performs no logging | |
| and returns no status. It is generally unhelpful and not a template upon which | |
| you want to build. But if the file is present and not locked it will be | |
| destroyed :) | |
| """ | |
| import argparse |
keithmccammon
/ cblr-batch.py
Last active
July 27, 2016 19:06
Cb Enterprise Response Live Response batch harness
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import argparse | |
| import sys | |
| from cbapi.response import CbEnterpriseResponseAPI | |
| from cbapi.response.models import Process, Sensor | |
| from cbapi.response.live_response_api import LiveResponseSession | |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| """ | |
| Given a sensor ID and a file path, delete the file. This performs no logging | |
| and returns no status. It is generally unhelpful and not a template upon which | |
| you want to build. But if the file is present and not locked it will be | |
| destroyed :) | |
| """ | |
| import argparse |
keithmccammon
/ MakeMyMacBookProCameraFunctionalAgain.sh
Last active
January 12, 2017 20:09
Make my MacBook Pro camera functional again
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| ### Why? | |
| # Because it's apparently too much to ask that my $3K laptop be able to | |
| # broker access to my camera without letting it die. But I totally get that | |
| # this is a low priority in comparison to the Touch Bar. You can live without a | |
| # camera, but you can't live without emoji. | |
| ### | |
| sudo killall coreaudiod |
keithmccammon
/ snake.json
Last active
May 4, 2017 17:11
A cb-response-surveyor (https://github.com/redcanaryco/cb-response-surveyor) definition file to look for Snake malware as seen in https://blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Snake Files": { | |
| "filemod": [".gdm-selinux", | |
| ".gdm-socket", | |
| ".ur-*", | |
| "/Library/Scripts/queue", | |
| "/Library/Scripts/installd.sh", | |
| "/Library/LaunchDaemons/com.adobe.update.plist"] | |
| }, | |
| "Snake Network": { |
keithmccammon
/ get-attack-techniques.py
Created
November 22, 2017 06:55
Download MITRE ATT&CK techniques via Python
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import json | |
| import pprint | |
| import requests | |
| if __name__ == '__main__': | |
| request_all = requests.get('https://attack.mitre.org/api.php?action=ask&format=json&query=%5B%5BCategory%3ATechnique%5D%5D%7C%3FHas%20tactic%7C%3FHas%20ID%7C%3FHas%20display%20name%7Climit%3D9999') |
keithmccammon
/ get-preattack-techniques.py
Created
January 4, 2018 05:10
Download MITRE PRE-ATT&CK techniques via Python
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import json | |
| import pprint | |
| import requests | |
| if __name__ == '__main__': | |
| request_all = requests.get('https://attack.mitre.org/pre-attack/api.php?action=ask&format=json&query=%5B%5BCategory%3ATechnique%5D%5D%7C%3FHas%20tactic%7C%3FHas%20ID%7C%3FHas%20display%20name%7Climit%3D9999') |
OlderNewer