Thomas Patzke thomaspatzke
thomaspatzke
/ splunk-savedsearches-concat.yml
Last active
September 3, 2023 21:27
Processing pipeline using the query postprocessing and output finalization transformations to create a custom Splunk savedsearches.conf output with Sigma CLI
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| postprocessing: | |
| - type: template | |
| template: |+ | |
| [{{ rule.id }}] | |
| search = {{ query }} | eval rule="{{ rule.id }}", title="{{ rule.title }}" | collect index=notable_events | |
| description = {{ rule.description }} | |
| finalizers: | |
| - type: concat | |
| prefix: | |
thomaspatzke
/ pipeline.yml
Last active
September 1, 2023 22:11
Full example processing pipeline from Medium blog post about processing pipelines: https://medium.com/sigma-hq/connecting-sigma-rule-sets-to-your-environment-with-processing-pipelines-4ee1bd577070
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Fixing the field naming mess | |
| priority: 30 | |
| transformations: | |
| - id: image_fail_path | |
| type: detection_item_failure | |
| message: Image must only contain file name without any further path components. | |
| field_name_conditions: | |
| - type: include_fields | |
| fields: | |
| - Image |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Requires: curl, jq | |
| # Download MITRE ATT&CK data from GitHub repository | |
| curl -o enterprise-attack.json https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json | |
| # List all ATT&CK object types | |
| jq -r '[ .objects[].type ] | unique | .[]' enterprise-attack.json | |
| # List all ATT&CK technique identifiers | |
| jq -r '[ .objects[] | select(.type == "attack-pattern") | .external_references[] | select(.source_name == "mitre-attack") | .external_id ] | sort | .[]' enterprise-attack.json |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Ransomware Killer v0.1 by Thomas Patzke <[email protected]> | |
| # Kill all parent processes of the command that tries to run "vssadmin Delete Shadows" | |
| # IMPORTANT: This must run with Administrator privileges! | |
| Register-WmiEvent -Query "select * from __instancecreationevent within 0.1 where targetinstance isa 'win32_process' and targetinstance.CommandLine like '%vssadmin%Delete%Shadows%'" -Action { | |
| # Kill all parent processes from detected vssadmin process | |
| $p = $EventArgs.NewEvent.TargetInstance | |
| while ($p) { | |
| $ppid = $p.ParentProcessID | |
| $pp = Get-WmiObject -Class Win32_Process -Filter "ProcessID=$ppid" | |
| Write-Host $p.ProcessID |
thomaspatzke
/ Burp-CSRFRandomName.py
Created
February 15, 2017 09:09
Burp Session Handling Extension: CSRF tokens with random parameter names
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from burp import (IBurpExtender, IBurpExtenderCallbacks, ISessionHandlingAction, IHttpListener) | |
| import re | |
| class BurpExtender(IBurpExtender, ISessionHandlingAction, IHttpListener): | |
| def registerExtenderCallbacks(self, callbacks): | |
| self.callbacks = callbacks | |
| self.helpers = callbacks.getHelpers() | |
| callbacks.setExtensionName("Handling of CSRF Tokens with Random Names") | |
| self.callbacks.registerSessionHandlingAction(self) | |
| self.callbacks.registerHttpListener(self) |
thomaspatzke
/ proxy_http_connect-portscanner.sh
Created
September 1, 2016 13:28
Simple HTTP CONNECT Proxy Portscanner
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| for (( p=0; p <= 65535; p++ )); do echo "Probing port $p"; echo -n "Port $p: " >> portscan.log; (echo CONNECT targethost:$p HTTP/1.1; echo) | nc -q 3 proxyhost proxyport | head -1 >> portscan.log; done |
thomaspatzke
/ nmap-open-ports.sh
Last active
December 12, 2023 13:33
Extract all open ports in Host:Port format from nmap XML output
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| xmlstarlet sel -t -m '//port/state[@state="open"]/parent::port' -v 'ancestor::host/address/@addr' -o : -v './@portid' -n nmap-output.xml |
thomaspatzke
/ create_deleter.py
Created
January 30, 2016 22:29
Create file deletion script from two 'openssl sha1' outputs. Deletions are done in files referenced in source hash file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python3 | |
| from sys import argv, exit | |
| import re | |
| hashline_re = re.compile('^SHA1\((.*?)\)= (.*)$') | |
| dsthashes = dict() | |
| if len(argv) < 4: |
thomaspatzke
/ net-config.sh
Created
January 19, 2016 22:46
Shell script to quickly switch between real Internet connection (NAT) and simulated (INetSim)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| case "$1" in | |
| router) | |
| sysctl -w net.ipv4.ip_forward=1 | |
| iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE | |
| systemctl start dnsmasq.service | |
| ;; | |
| router-stop) | |
| sysctl -w net.ipv4.ip_forward=0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| print("\n".join([" ".join(["{:02x}".format(c) for c in bin[i:i+16]]) for i in range(0, len(bin), 16)])) |
NewerOlder