zbalkan
/ list_cases.sh
Created
April 16, 2025 17:09
Lists all user-defined views in the shared DuckDB database.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| cd "$(dirname "$0")" | |
| db_file="investigations.db" |
zbalkan
/ create_view.sh
Last active
April 17, 2025 08:33
Creates a case-specific DuckDB view over compressed .json.gz log files matching a given date pattern.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| if [[ "${TRACE-0}" == "1" ]]; then | |
| set -o xtrace | |
| fi |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Twitter (or what’s left of it — X) someimes gives headaches. | |
| // I used the script of Isaac King at https://outsidetheasylum.blog/twitter-blocker/ at the beginning. | |
| // But the HTTP 428 is a headache. At first I added some random latency one each and every 10th action. | |
| // Then I blocked the queries to the bottlenecks like avatar loading API. | |
| // Now, it is harder to get blocked by Twitter's rate limiting. | |
| // Usage | |
| // Pick the tweet you want to block th RTers. | |
| // On the menu at the righthand side, click "View post engagements" | |
| // Navigate to "Reposts" tab |
zbalkan
/ csv-viewer.html
Last active
March 24, 2025 15:56
Single-page CSV viewer with search and sort options. It can be used for basic report generation over scripts.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!DOCTYPE html> | |
| <html lang="en"> | |
| <head> | |
| <meta charset="UTF-8"> | |
| <title>CSV Table Viewer</title> | |
| <style> | |
| body { | |
| background-color: #3e94ec; | |
| font: 18px/28px -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen, Ubuntu, Cantarell, sans-serif; | |
| font-size: 16px; |
zbalkan
/ sysmonconfig.xml
Created
February 25, 2025 09:38
Sysmon configuration by @Neo23x0, fine-tuned for Wazuh usage.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!-- | |
| Since Wazuh File Integrity Monitoring (FIM) overlaps with some sysmon capabilities, it is better to fine-tune Sysmon configuration. | |
| Another aspect would be to diable Wazuh FIM and rely on Sysmon. That is not covered here. | |
| --> | |
| <!-- | |
| sysmon-config | A Sysmon configuration focused on default high-quality event tracing and easy customization by the community | |
| Source version: 74 | Date: 2021-07-08 | |
| Source project: https://github.com/SwiftOnSecurity/sysmon-config | |
| Source license: Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text. |
zbalkan
/ sysmonconfig.xml
Last active
February 23, 2025 17:43
Sysmon configuration by @olafhartong, fine-tuned for Wazuh usage.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!-- | |
| Since Wazuh File Integrity Monitoring (FIM) overlaps with some sysmon capabilities, it is better to fine-tune Sysmon configuration. | |
| Another aspect would be to diable Wazuh FIM and rely on Sysmon. That is not covered here. | |
| --> | |
| <!-- NOTICE : This is a balanced generated output of Sysmon-modular with medium verbosity --> | |
| <!-- due to the balanced nature of this configuration there will be potential blind spots --> | |
| <!-- for more information go to https://github.com/olafhartong/sysmon-modular/wiki --> | |
| <!-- --> | |
| <!-- //** ***// --> |
zbalkan
/ sysmonconfig.xml
Last active
February 23, 2025 17:40
Sysmon configuration by @SwiftOnSecurity, fine-tuned for Wazuh usage.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!-- | |
| Since Wazuh File Integrity Monitoring (FIM) overlaps with some sysmon capabilities, it is better to fine-tune Sysmon configuration. | |
| Another aspect would be to diable Wazuh FIM and rely on Sysmon. That is not covered here. | |
| --> | |
| <!-- | |
| sysmon-config | A Sysmon configuration focused on default high-quality event tracing and easy customization by the community | |
| Source version: 74 | Date: 2021-07-08 | |
| Source project: https://github.com/SwiftOnSecurity/sysmon-config | |
| Source license: Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Set-Content -Path (Join-Path -Path $env:TEMP -ChildPath 'PsReadlineTest.txt') -Value 'Hello, world!' |
zbalkan
/ PATH_Cleanup.ps1
Created
May 19, 2024 13:40
This script checks the Machine and User level environment variable PATH, and remove entries if the path does not exist. Requires Administrator Privileges.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $environments = @([EnvironmentVariableTarget]::Machine, [EnvironmentVariableTarget]::User) | |
| foreach ($e in $environments) | |
| { | |
| $path = ([Environment]::GetEnvironmentVariable('Path', $e)).Split(';', [StringSplitOptions]::RemoveEmptyEntries) | |
| $pathList = [System.Collections.Generic.List[string]]::new() | |
| foreach ($p in $path) | |
| { | |
| if(Test-Path -Path $p) | |
| { |
zbalkan
/ New-SysmonArchiveQuota.ps1
Last active
November 8, 2024 13:13
If you use Sysmon and enabled FileDelete events started with Sysmon 11, you probably came up with the issue of instantly growing hidden archive. For those who have not solved the problem yet, I came up with a PowerShell cmdlet (run as SYSTEM) based on the article https://blog.nviso.eu/2022/06/30/enforcing-a-sysmon-archive-quota/
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Requires -RunAsAdministrator | |
| <# | |
| .Synopsis | |
| Generates Sysmon Archive file quota for `File Delete` events to help managing the size. | |
| .DESCRIPTION | |
| Based on: https://blog.nviso.eu/2022/06/30/enforcing-a-sysmon-archive-quota/ | |
| .INPUTS | |
| None. Cmdlet does not accept pipe values. | |
| .OUTPUTS |
NewerOlder