This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/opt/research/venv/bin/python | |
""" | |
IQ Auto DIFF leverages InQuest Labs API to collate a list of post DFI string features from both malicious (bad) and | |
seemingly benign (non) files. While ignoring gibberish, we'll next identify the string features exclusive to each set. | |
The idea is that the top 25 strings found from the malicious (mal) corpus can be inclusive for a YARA rule where the | |
top 25 strings from the seemingly benign (non) corpus can be exclusive for a YARA rule. | |
This script will take upwards of 20 minutes to run. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/env python | |
""" | |
This script is intended to be run via a daily cron job and will retrieve up to MAX_DAILY interesting samples with | |
relevant JSON metadata containing extruded layers, IOCs, etc. | |
This script requires the installation of: | |
https://github.com/inquest/python-inquestlabs |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
00077dbdfe4e79c38048d2060cb90ea2bdd50cc346a45bae87ea6093ddb02321 vt=25 iq=9 | |
0039413ea9580579720c262bf207d64bacac7b1c93056c8b5fa2f2347714b096 vt=27 iq=9 | |
005307ad7426c4c1b014c27f51ba5c0ad2ca752195099a7378e3d622cdf7a2d6 vt=29 iq=9 | |
007fc402dd61e8222bb4fd1214544b0a620f622aaa186b1bd5a2207613fdd558 vt=28 iq=9 | |
00812e8bf247cc4740941ed973f367678110761be944eef39e69217fc78412cb vt=25 iq=9 | |
00884a49002e25be473b8704fa9935f7cfcbb2d4bf75dc4fa054f16019eac82d vt=24 iq=9 | |
00dd0eb0c5acbcc376a26eb4f974187be2bac8a4e9c00876faa23d656953fa53 vt=28 iq=9 | |
014e0bfbd01c796a79ea0324177bf7bb89e6e1d7dccd58008d62024f1bbcfe5d vt=27 iq=9 | |
01663b94d847370d937c017344092fb204b3fef3bca2c0d26c9f49ebac946525 vt=29 iq=9 | |
0195eda6f0dbf03b6fa7c2689f538bb998ce4cc533fd7117c956c7c5c2f62437 vt=27 iq=9 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
' Our comments are prefixed with the string "[InQuest]". Other comments are preserved originals from the macro. | |
' The sample is available for download from InQuest Labs: | |
' | |
' https://labs.inquest.net/dfi/sha256/12d21da9bd0f7d877e04e59ad347b0e8787124c9f0ec170a913451acfb14a3b6 | |
' | |
' Examining the OLE directory structure with oledump: | |
' | |
' $ oledump.py 12d21da9bd0f7d877e04e59ad347b0e8787124c9f0ec170a913451acfb14a3b6 | |
' 1: 146 '\x01CompObj' | |
' 2: 6 '\x03ObjInfo' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import sys | |
if len(sys.argv) != 2: | |
sys.stderr.write("usage: %s <input path>\n" % sys.argv[0]) | |
sys.exit(1) | |
path = sys.argv.pop() | |
data1 = [] | |
data2 = [] | |
data3 = [] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python | |
# source: https://gist.github.com/pedramamini/54df2648a1b73adf9a0d6d0b1a75ca0a | |
import os | |
import re | |
import sys | |
import errno | |
import string | |
# debug output. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Windows Registry Editor Version 5.00 | |
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options] | |
"DontUpdateLinks"=dword:00000001 | |
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options] | |
"DontUpdateLinks"=dword:00000001 | |
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options] | |
"DontUpdateLinks"=dword:00000001 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import "hash" | |
private rule Macho | |
{ | |
meta: | |
description = "private rule to match Mach-O binaries" | |
condition: | |
uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
''' | |
IDAPython script that generates a YARA rule to match against the | |
basic blocks of the current function. It masks out relocation bytes | |
and ignores jump instructions (given that we're already trying to | |
match compiler-specific bytes, this is of arguable benefit). | |
If python-yara is installed, the IDAPython script also validates that | |
the generated rule matches at least one segment in the current file. | |
author: Willi Ballenthin <[email protected]> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import sys | |
import thax | |
import datetime | |
y = thax.misc.finance.yahoo() | |
my_adds = ["ALU", "AMZN", "CMG", "COMS", "DCA", "PLA", "PZZA", "RICK", "UA", "VMW"] | |
sp_500 = ["BBT", "BDX", "BBBY", "BMS", "BBY", "BIG", "BIIB", "BJS", "BDK", "HRB", "BMC", "BA", "BXP", "BSX", "BMY", "BRCM", "BF.B", "BNI", "CHRW", "CA", "COG", "CAM", "CPB", "COF", "CAH", "CCL", "CAT", "CBG", "CBS", "CELG", "CNP", "CTX", "CTL", "CF", "SCHW", "CHK", "CVX", "CB", "CIEN", "CI", "CINF", "CTAS", "CSCO", "CIT", "C", "CTXS", "CLX", "CME", "CMS", "COH", "KO", "CCE", "CTSH", "CL", "CMCSA", "CMA", "CSC", "CPWR", "CAG", "COP", "CNX", "ED", "STZ", "CEG", "CVG", "CBE", "GLW", "COST", "CVH", "COV", "CSX", "CMI", "CVS", "DHI", "DHR", "DRI", "DVA", "DF", "DE", "DELL", "DDR", "DVN", "DTV", "DFS", "D", "RRD", "DOV", "DOW", "DPS", "DTE", "DD", "DUK", "DYN", "ETFC", "EMN", "EK", "ETN", "EBAY", "ECL", "EIX", "EP", "ERTS", "EQ", "EMC", "EMR", "ESV", "ETR", "EOG", "EFX", "EQR", "EL", "EXC", "EXPE", "EXPD", "ESRX", "XOM", "FDO", "FAST", "FII", "FDX", "FIS", "FITB |