Skip to content

Instantly share code, notes, and snippets.

View joswr1ght's full-sized avatar

Joshua Wright joswr1ght

461 followers · 23 following
View GitHub Profile
@joswr1ght
joswr1ght / sigma.md
Created January 24, 2026 14:40
Claude Code Skill for Building Sigma Rules (copy to .claude/commands, invoke with /sigma)
description
Generate Sigma detection rules from attack descriptions or observed artifacts

Generate Sigma detection rules from analyst input: behavior descriptions, observed artifacts, or MITRE ATT&CK technique references.

Process

  1. Parse input to identify log source, detection fields, and attack context
  2. Map to log source using the table below
@joswr1ght
joswr1ght / twine-ttx-prompt.md
Last active January 17, 2026 18:10
Twine Interactive Tabletop Generator Prompt

You are an incident response tabletop exercise designer. Your job is to create immersive, branching scenarios in Twee format (SugarCube 2) that can be imported into Twine.

Before generating the scenario, ask the user the following questions one at a time. Wait for their response before asking the next question.

GATHER SCENARIO PARAMETERS

Ask these questions to understand what scenario to build:

  1. "What type of security incident should this exercise cover? For example: ransomware, data breach, supply chain compromise, insider threat, BEC/wire fraud, DDoS, or something else?"
@joswr1ght
joswr1ght / irplaybook-example.md
Created January 16, 2026 14:37
IR Playbook Example for Infostealer and Cloud Exfiltration EOI

IR Playbook - Windows Infostealer With Cloud Storage Exfiltration

Overview

The purpose of this playbook is to guide incident responders through detection, verification, triage, scoping, containment, eradication, and recovery for a suspected Windows infostealer infection where stolen data is being staged and exfiltrated via a cloud storage service (e.g., OneDrive/SharePoint, Dropbox, Google Drive, Box). This playbook prioritizes rapid containment of credential theft and exfiltration while preserving evidence to support root cause analysis and accurate scoping. It assumes an attacker goal of stealing browser credentials/session tokens, crypto wallet data, and sensitive files, then uploading them through legitimate-looking cloud channels (ATT&CK T1567.002). oai_citation:0‡MITRE ATT&CK

Description

This event involves one or more Windows endpoints exhibiting infostealer behavior (suspicious process execution, unusual browser data

@joswr1ght
joswr1ght / apple_notes_to_markdown.py
Created December 9, 2025 16:56
Convert Apple Notes Data on MacOS to Markdown
#!/usr/bin/env python3
# /// script
# requires-python = '>=3.10'
# dependencies = []
# ///
"""
Convert Apple Notes from NoteStore.sqlite to Markdown files.
Written with Claude Code, 2025-12-09 Joshua Wright
@joswr1ght
joswr1ght / irplaybook.txt
Created November 10, 2025 19:16
AI Prompt to Generate Incident Response Playbooks
# Role and Objective/Task
You are an expert-level cybersecurity incident response analyst. Your task is to leverage best practice guidance to assist users in developing incident response playbooks that guide users through complex analysis tasks following an observed Event of Interest (EOI).
# Instructions
Assist the user in developing an incident response playbook for the supplied EOI.
Ask questions when the answer is needed to create a high-quality playbook. These questions could include information about IT infrastructure and systems, existing defense mechanisms, existing organizational policies, and organizational information. If the user provides insufficient detail, ask targeted, technical follow-up questions to clarify the EOI, affected platforms, and org environment before proceeding.
@joswr1ght
joswr1ght / network_activity.py
Created October 17, 2025 17:34
Generate a visual of network activity using Matplotlib
#!/usr/bin/env python3
# /// script
# dependencies = [
# "matplotlib",
# "numpy",
# ]
# ///
"""
===============================================
Network Activity Timeline from CSV Data
@joswr1ght
joswr1ght / index.php
Created September 11, 2025 23:28
Simple PHP Script to Log Request Data (aka "Cookie Catcher")
<html>
<?php
file_put_contents("cookies.log", json_encode(array(
"GET"=>$_GET,
"POST"=>$_POST,
"headers"=>getallheaders()))."\n",
FILE_APPEND);
?>
</html>
@joswr1ght
joswr1ght / webauthn-assertion-relay.js
Created August 25, 2025 17:59
Relay WebAuthn/Passkey Helper Code
/*
* WebAuthn Assertion Relay Helper
*
* Usage:
* 1. From your attacker session at https://target-rp.tgt/login,
* capture the "publicKey" JSON challenge the RP sends.
* 2. Send that JSON blob (as text) to the victim browser console as publicKeyJSON.
* 3. Paste this helper, then call: getAssertion(publicKeyJSON).
* 4. Copy the printed output (JSON with base64url fields) back
* to your attacker machine.
@joswr1ght
joswr1ght / gist:cf8283844e644faee1f53d33a220e842
Last active August 4, 2025 18:09
ClickHouse Analysis of Repeated Usernames with Password Disclosure from COMB List
```
### Create a table to store breach credentials with support for statistical sampling
Mac.localdomain :) CREATE TABLE credentials (
username String,
password String
) ENGINE = MergeTree()
ORDER BY (username, cityHash64(username))
SAMPLE BY cityHash64(username);
@joswr1ght
joswr1ght / gist:728e271956ca7e0084fc1270e6374dbd
Created May 4, 2025 12:42
Callie Sparkes
I'm sorry to say that Callie Sparkes is not a real person.
Also, she has a terrible password.
Headshot by thispersondoesnotexist.com.
For getting to this page though, I will impart some wisdom that may be useful for the CTF.
A common persistence mechanism on Windows is to deploy a service that runs a process automatically.
You can use `Get-Service` from PowerShell to get a list of services.
Alternatively, you can run `sc query` to list services from a Command Prompt.