Thomas Patzke thomaspatzke

Loves to build InfoSec-related tools.

526 followers · 26 following

Code published here is private and not affiliated with my employer.
Germany
http://patzke.org
@[email protected]

View GitHub Profile

Recently created

Least recently created

Recently updated

Least recently updated

thomaspatzke / Burp-CSRFRandomName.py

Created February 15, 2017 09:09

Burp Session Handling Extension: CSRF tokens with random parameter names

	from burp import (IBurpExtender, IBurpExtenderCallbacks, ISessionHandlingAction, IHttpListener)
	import re

	class BurpExtender(IBurpExtender, ISessionHandlingAction, IHttpListener):
	def registerExtenderCallbacks(self, callbacks):
	self.callbacks = callbacks
	self.helpers = callbacks.getHelpers()
	callbacks.setExtensionName("Handling of CSRF Tokens with Random Names")
	self.callbacks.registerSessionHandlingAction(self)
	self.callbacks.registerHttpListener(self)

thomaspatzke / Kill-Ransomware.ps1

Created November 5, 2019 12:29

Ransomware Killer

	# Ransomware Killer v0.1 by Thomas Patzke <[email protected]>
	# Kill all parent processes of the command that tries to run "vssadmin Delete Shadows"
	# IMPORTANT: This must run with Administrator privileges!
	Register-WmiEvent -Query "select * from __instancecreationevent within 0.1 where targetinstance isa 'win32_process' and targetinstance.CommandLine like '%vssadmin%Delete%Shadows%'" -Action {
	# Kill all parent processes from detected vssadmin process
	$p = $EventArgs.NewEvent.TargetInstance
	while ($p) {
	$ppid = $p.ParentProcessID
	$pp = Get-WmiObject -Class Win32_Process -Filter "ProcessID=$ppid"
	Write-Host $p.ProcessID

thomaspatzke / mitre_attack_oneliners.sh

Created December 17, 2019 00:10

MITRE ATT&CK oneliners

	# Requires: curl, jq

	# Download MITRE ATT&CK data from GitHub repository
	curl -o enterprise-attack.json https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json

	# List all ATT&CK object types
	jq -r '[ .objects[].type ] \| unique \| .[]' enterprise-attack.json

	# List all ATT&CK technique identifiers
	jq -r '[ .objects[] \| select(.type == "attack-pattern") \| .external_references[] \| select(.source_name == "mitre-attack") \| .external_id ] \| sort \| .[]' enterprise-attack.json

thomaspatzke / pipeline.yml

Last active September 1, 2023 22:11

Full example processing pipeline from Medium blog post about processing pipelines: https://medium.com/sigma-hq/connecting-sigma-rule-sets-to-your-environment-with-processing-pipelines-4ee1bd577070

	name: Fixing the field naming mess
	priority: 30
	transformations:
	- id: image_fail_path
	type: detection_item_failure
	message: Image must only contain file name without any further path components.
	field_name_conditions:
	- type: include_fields
	fields:
	- Image

thomaspatzke / splunk-savedsearches-concat.yml

Last active September 3, 2023 21:27

Processing pipeline using the query postprocessing and output finalization transformations to create a custom Splunk savedsearches.conf output with Sigma CLI

	postprocessing:
	- type: template
	template: \|+
	[{{ rule.id }}]
	search = {{ query }} \| eval rule="{{ rule.id }}", title="{{ rule.title }}" \| collect index=notable_events
	description = {{ rule.description }}

	finalizers:
	- type: concat
	prefix: \|

OlderNewer