Nicolas Bareil nbareil
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env ruby | |
| # gem install active_support | |
| require 'active_support/inflector' | |
| require 'active_support/core_ext/string' | |
| # gem install webrick (only ruby3) | |
| require 'webrick' | |
| # gem install mechanize |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## hacked together by @JohnLaTwC, Nov 2016, v 0.5 | |
| ## This script attempts to decode common PowerShell encoded scripts. This version handles: | |
| ## * base64 data which encode unicode, gzip, or deflate encoded strings | |
| ## * it can operate on a file or stdin | |
| ## * it can run recursively in the event of multiple layers | |
| ## With apologies to @Lee_Holmes for using Python instead of PowerShell | |
| ## | |
| import sys | |
| import zlib | |
| import re |
williballenthin
/ yara_fn.py
Last active
December 4, 2020 05:25
generate a yara rule that matches the basic blocks of the current function in IDA Pro
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ''' | |
| IDAPython script that generates a YARA rule to match against the | |
| basic blocks of the current function. It masks out relocation bytes | |
| and ignores jump instructions (given that we're already trying to | |
| match compiler-specific bytes, this is of arguable benefit). | |
| If python-yara is installed, the IDAPython script also validates that | |
| the generated rule matches at least one segment in the current file. | |
| author: Willi Ballenthin <[email protected]> |
williballenthin
/ strings.py
Last active
July 14, 2022 21:10
Extract ASCII and Unicode strings using Python.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import re | |
| from collections import namedtuple | |
| ASCII_BYTE = " !\"#\$%&\'\(\)\*\+,-\./0123456789:;<=>\?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\]\^_`abcdefghijklmnopqrstuvwxyz\{\|\}\\\~\t" | |
| String = namedtuple("String", ["s", "offset"]) | |
mattifestation
/ Example_WMI_Detection_EventLogAlert.ps1
Created
January 14, 2016 21:53
An example of how to use permanent WMI event subscriptions to log a malicious action to the event log
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Define the signature - i.e. __EventFilter | |
| $EventFilterArgs = @{ | |
| EventNamespace = 'root/cimv2' | |
| Name = 'LateralMovementEvent' | |
| Query = 'SELECT * FROM MSFT_WmiProvider_ExecMethodAsyncEvent_Pre WHERE ObjectPath="Win32_Process" AND MethodName="Create"' | |
| QueryLanguage = 'WQL' | |
| } | |
| $InstanceArgs = @{ | |
| Namespace = 'root/subscription' |