Skip to content

Instantly share code, notes, and snippets.

View truekonrads's full-sized avatar

Konrads Klints truekonrads

33 followers · 2 following
View GitHub Profile
@truekonrads
truekonrads / windows_registry_hex_to_datetime.py
Created June 3, 2024 02:17
def decode_date_last_connected(hex_string):
# Convert hex to bytes
bytes_array = bytes.fromhex(hex_string)
# Swap every 2-byte chunk to convert from little endian to big endian
swapped_bytes = bytearray()
for i in range(0, len(bytes_array), 2):
swapped_bytes.extend(bytes_array[i:i+2][::-1])
# Convert each chunk from bytes to integer
@truekonrads
truekonrads / vt-bulk.py
Last active November 17, 2022 03:30
try:
import ujson as json
except ImportError:
import json
import aiohttp, asyncio
import logging
logging.basicConfig(
format="{'time':'%(asctime)s', 'name': '%(name)s', \
'level': '%(levelname)s', 'message': '%(message)s'}"
@truekonrads
truekonrads / readaff4.py
Last active July 3, 2022 15:24
from pyaff4 import data_store
from pyaff4 import aff4_image
from pyaff4 import lexicon
from pyaff4 import rdfvalue
from pyaff4 import zip
import urllib.parse
def getAff4Images(filepath):
volume_path_urn = rdfvalue.URN.NewURNFromFilename(filepath)
resolver = data_store.MemoryDataStore()
@truekonrads
truekonrads / lr_parser.py
Last active August 22, 2020 00:58
Parse logrhythm unarchived log files
#!/usr/bin/env python3
# To add a new cell, type '# %%'
# To add a new markdown cell, type '# %% [markdown]'
# %%
from datetime import datetime
from multiprocessing import Pool
from lxml import etree
from lxml.etree import XMLSyntaxError
import logging
import sys
@truekonrads
truekonrads / iistojson.py
Last active August 13, 2020 09:25
#!/usr/bin/env python
import urllib.parse
try:
import ujson as json
except ImportError:
import json
import datetime
import sys
import re
@truekonrads
truekonrads / gist:2b370f16bfdd407234a9fd9d10cd037b
Created August 31, 2017 22:46
messagebandit.py
import pefile
import pprint
pe = pefile.PE(r"D:\Training\AdditionalDLLs\Security\MsAuditE.dll")
for entry in pe.DIRECTORY_ENTRY_RESOURCE.entries:
if entry.id == 11:
actual_data = entry.directory.entries[0].directory.entries[0].data
size = actual_data.struct.Size
@truekonrads
truekonrads / elasticsearch update fields.md
Created July 24, 2017 13:55

How to update ElasticSearch fields

Suppose you have a field which you have ingested as "text", but it is actually an IP address (sometimes). You would like to treat it as an IP address, but can't or won't re-create the index. Then do this:

$ curl -XPUT 'http://localhost:9200/myindex/logs/_mapping
{
  
        "properties": {
 "Network Information Network Address": {
@truekonrads
truekonrads / evtx_to_json.py
Created July 20, 2017 19:59
Convert evtx to json
#!/usr/bin/env python
# Convert evtx to json
import Evtx.Evtx as evtx
import sys
import json
def recursive_dict(element):
# https://stackoverflow.com/questions/42925074/python-lxml-etree-element-to-json-or-dict
t = element.tag
@truekonrads
truekonrads / parsehttp2datastreams.py
Last active August 22, 2020 01:02
Retrieve a particular http2 stream for packet capture
#!/usr/bin/env python
import pyshark
import sys
cap=pyshark.FileCapture(sys.argv[1])
targetstream=sys.argv[2]
for p in cap:
if "http2" in p:
i=0
for s in p.http2.stream.all_fields:
@truekonrads
truekonrads / manage-osqueryd.ps1
Created June 11, 2017 13:43
bugfixes for manage-osqueryd.ps1
# Copyright (c) 2014-present, Facebook, Inc.
# All rights reserved.
#
# This source code is licensed under the BSD-style license found in the
# LICENSE file in the root directory of this source tree. An additional grant
# of patent rights can be found in the PATENTS file in the same directory.
param(
[string] $args = "",
[switch] $install = $false,