seamustuohy

sudo apt install python3-pip
pip3 install setuptools wheel
pip3 install pyaml
# Download the python script from this GIST

seamustuohy

Term	Description	Link(s)
Alias	Another email address that people can use to email
App Password	An app password is a password that is created within the Azure portal and that allows the user to bypass MFA and continue to use their application.
Alternate email address	Required for admins to receive important notifications, or resetting the admin password which cannot be modified by the end users
AuditAdmin
AuditDelegate
Delegate	An account with assigned permissions to a mailbox.
Display Name	Name that appears in the Address Book & on the TO and From lines on an email.
EAC	"Exchange Admin Center"

seamustuohy

Auth and copy token at https://irc.gitter.im/.

Ignore the /PASS thing, it doesn't work in weechat.

/server add gitter irc.gitter.im -ssl -ssl_verify -ssl_dhkey_size=1024 -password=<REPLACE_WITH_YOUR_TOKEN>
/connect gitter

seamustuohy

# This file is part of Viper - https://github.com/viper-framework/viper
# See the file 'LICENSE' for copying permission.
#

FROM ubuntu:rolling
# FROM debian:buster
MAINTAINER Viper-Framework (https://github.com/viper-framework)

# Set Local
ENV LANG C.UTF-8

seamustuohy

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options]
 "DontUpdateLinks"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options]
 "DontUpdateLinks"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options]
 "DontUpdateLinks"=dword:00000001

seamustuohy

Each of these commands will run an ad hoc http static server in your current (or specified) directory, available at http://localhost:8000. Use this power wisely.

Discussion on reddit.

Python 2.x

$ python -m SimpleHTTPServer 8000

seamustuohy

{
  "objects": [
    {
      "labels": [
        "source--eiq-fusion"
      ],
      "name": "EclecticIQ Fusion Center",
      "external_references": [
        {
          "source_name": "external-url",

seamustuohy

#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# Copyright © 2020 seamus tuohy, <[email protected]>
#
# This program is free software: you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the Free
# Software Foundation, either version 3 of the License, or (at your option)
# any later version.
#

seamustuohy

# ADVANCED HUNTING REFERENCES

# Kusto Queries
# - Query Language REFERENCE
#   - https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/
# - Regular Expression  in Kusto
#   - https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/re2
# - Allowed Regular Expression Syntax for Kusto Queries
#   - https://github.com/google/re2/wiki/Syntax

seamustuohy

// STRONTIUM: Detecting new patterns in credential harvesting
// https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/
// Microsoft Threat Protection (MTP) Query
// Thanks Microsoft for not providing your own plain text version! I loved writing this from an image.
IdentityLogonEvents
| where Timestamp > ago(30d)
| where ActionType == "LogonFailed"
| where IPAddress startswith "185.220.101." or IPAddress startswith "199.249.230." or IPAddress startswith "23.129.64." or  IPAddress startswith "109.70.100." or  IPAddress startswith "185.220.102."
| summarize authAttempts=dcount(Timestamp), firstAttempt=min(Timestamp), lastAttempt=max(Timestamp),uniqueIPs=dcount(IPAddress), uniqueAccounts=dcount(AccountObjectId),attemptedAccounts=make_set(AccountObjectId) by DeviceType, OSPlatform
| sort by uniqueAccounts