@ion-storm
ion-storm / IDN_DNS.md
Created October 27, 2025 15:00
Hash-Based IPv6 Address Derivation for Deterministic Name Resolution

Internet Engineering Task Force (IETF)                         K. Weller
Request for Comments: XXXX                              October 27, 2025
Category: Experimental
ISSN: 2070-1721

              Hash-Based IPv6 Address Derivation for
                    Deterministic Name Resolution

Abstract

import re
import argparse
from typing import Dict, List, Set


class SplunkToSigmaParser:
    def __init__(self):
        self.index_pattern = r'index=(\S+)'
        self.sourcetype_pattern = r'sourcetype=(\S+)'
        self.datamodel_pattern = r'datamodel=(\S+)'  # New: capture datamodel in base search
        self.field_value_pattern = r'(\w+(?:\.\w+)?)=(?:"([^"]+)"|(\S+))'  # Updated: allow datamodel.field syntax

Keybase proof

I hereby claim:

  • I am ion-storm on github.
  • I am ionstorm_ (https://keybase.io/ionstorm_) on keybase.
  • I have a public key ASDcmNr5gWQB17z9e3J6fs2d-EuPTVa_33DwKKjKva6KWAo

To claim this, I am signing this object:

@ion-storm
ion-storm / PS Script: SUNBURST DLL
Created December 15, 2020 13:27 — forked from stephent23/PS Script: SUNBURST DLL
PowerShell Script to identify the SolarWinds.Orion.Core.BusinessLayer.dll on host and return the location/file hash
$path_ = "C:\"
# -Name with -Recurse returns paths relative to $path_, so they are rejoined below
$list = @(Get-ChildItem -Path $path_ -Name "SolarWinds.Orion.Core.BusinessLayer.dll" -Recurse)
$list | % {
    $fullPath = $path_ + $_
    Get-FileHash $fullPath -Algorithm SHA256 | Format-List
}
@ion-storm
ion-storm / sone.conf
Last active October 9, 2020 21:39 — forked from tuckner/sone.conf
SentinelOne Cloudfunnel Logstash Input
input {
  kafka {
    bootstrap_servers => ""        # configurable
    group_id => ""                 # configurable
    auto_offset_reset => ""        # configurable
    security_protocol => "SASL_SSL"
    sasl_mechanism => "SCRAM-SHA-512"
    sasl_jaas_config => "org.apache.kafka.common.security.scram.ScramLoginModule required username='' password='';"
    ssl_endpoint_identification_algorithm => ""
    topics => [""]                 # configurable
@ion-storm
ion-storm / Get-InjectedThread.ps1
Created February 16, 2020 04:24 — forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
function Get-InjectedThread
{
    <#
    .SYNOPSIS
    Looks for threads that were created as a result of code injection.
    .DESCRIPTION
@ion-storm
ion-storm / Base64_CheatSheet.md
Created October 25, 2019 20:15 — forked from Neo23x0/Base64_CheatSheet.md
Learning Aid - Top Base64 Encodings Table

Learning Aid - Top Base64 Encodings Table

MITRE ATT&CK - T1132 - Data Encoding

Base64 Code   Mnemonic Aid            Decoded*   Description
JAB           🗣 Jabber                $.         Variable declaration (UTF-16)
TVq           📺 Television            MZ         MZ header
UEs           🏬 Upper East Side       PK         ZIP, Office documents
SUVY          🚙 SUV                   IEX        PowerShell Invoke Expression
$ScrObjBlockRule = New-CIPolicyRule -DriverFilePath $Env:windir\System32\scrobj.dll -Level FileName -Deny -AppID $Env:windir\System32\regsvr32.exe
# Merge the block rule into the allow all template rule included in the OS
Merge-CIPolicy -OutputFilePath CustomASRPolicy.xml -PolicyPaths $Env:windir\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml -Rules $ScrObjBlockRule
# This must be run elevated. Convert the policy to binary form and copy it to where WDAC will consume it.
ConvertFrom-CIPolicy -XmlFilePath .\CustomASRPolicy.xml -BinaryFilePath $Env:windir\System32\CodeIntegrity\SIPolicy.p7b
# Now reboot and the policy will take effect.
@ion-storm
ion-storm / dotnet-runtime-etw.py
Created August 23, 2019 02:15 — forked from countercept/dotnet-runtime-etw.py
A research aid for tracing security relevant events in the CLR via ETW for detecting malicious assemblies.
import time
import etw
import etw.evntrace
import sys
import argparse
import threading


class RundownDotNetETW(etw.ETW):
    def __init__(self, verbose, high_risk_only):