I hereby claim:
- I am klingerko on github.
- I am kk_konstantin (https://keybase.io/kk_konstantin) on keybase.
- I have a public key ASD-v8A3DHdOwuNtWDVgtONLyxtSfHhjRDBmo-pATCtVIQo
To claim this, I am signing this object:
```
Info.ReverseHttpHtml;Engine:81-255,Target:3;(0|1);2f2f3a7370747468::i;2f2f3a70747468::i
Info.ReverseHttpAscii;Engine:81-255,Target:7;(0|1);2f2f3a7370747468::i;2f2f3a70747468::i
```
```python
import requests
import json
import sys
import time

# create your api token with: curl -d "username=<USER>&password=<PASSWD>" https://capesandbox.com/apiv2/api-token-auth/
headers = {"Authorization": "Token <token>"}
DETECTION = "Azorult"

# quick check for status api endpoint to see if api token works and we can reach the api
```
```python
import requests
import json
import sys
import time

# create your api token with: curl -d "username=<USER>&password=<PASSWD>" https://capesandbox.com/apiv2/api-token-auth/
headers = {"Authorization": "Token <INSERT_TOKEN>"}

# quick check for status api endpoint to see if api token works and we can reach the api
response = requests.get("https://www.capesandbox.com/apiv2/cuckoo/status/", headers=headers)
```
```python
# ...
response = requests.get(api_url, headers=headers)
if not response or response.status_code != 200:
    return None
# we have the file as gzip in response.content
# we decompress it and store it on disk
with open(f"{hash_}.bin", 'wb') as tmp_file:
    tmp_file.write(zlib.decompress(response.content, 16+zlib.MAX_WBITS))
# ...
```