https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/
You should use this: https://github.com/dpaper-splunk/public/blob/master/dashboards/extended_search_reporting.xml
#TODO: Create exclude args for platforms
download-splunk() {
    # Where to store the platform and forwarder packages
    local SPLUNK_BIN_DIR=/srv/splunk-platform
    local SPLUNK_UF_DIR=/srv/splunk-uf
    [[ -d "${SPLUNK_BIN_DIR}" ]] || mkdir -p "${SPLUNK_BIN_DIR}"
    [[ -d "${SPLUNK_UF_DIR}" ]] || mkdir -p "${SPLUNK_UF_DIR}"
    # (the download steps that follow in the gist are not reproduced on this page)
}
# Author: Matthew Graeber (@mattifestation)
$Epoch = Get-Date '01/01/1970'
# Conversion trick taken from https://blogs.technet.microsoft.com/heyscriptingguy/2017/02/01/powertip-convert-from-utc-to-my-local-time-zone/
$StrCurrentTimeZone = (Get-WmiObject Win32_timezone).StandardName
$TZ = [TimeZoneInfo]::FindSystemTimeZoneById($StrCurrentTimeZone)
# Parse out all the LogonGUID fields for sysmon ProcessCreate events
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } | ForEach-Object {
    # Sysmon writes the field as <Data Name="LogonGuid"> inside EventData of the event XML
    $EventXml = [xml]$_.ToXml()
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq 'LogonGuid' }).'#text'
    # (the remainder of the script, which uses $Epoch and $TZ, is not reproduced on this page)
}
[WinEventLog:Security]
# Returns most of the space savings XML would provide
# clean0 chains three substitutions: drop "-" placeholder values, "NULL SID" security IDs and a 0x0 Logon ID
SEDCMD-clean0-null_sids = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(\:)(\s+NULL SID)$/\1/g s/(?m)(ID\:)(\s+0x0)$/\1/g
# Drop the boilerplate explanation Windows appends to the event description
SEDCMD-clean1-summary = s/This event is generated[\S\s\r\n]+$//g
SEDCMD-clean2-cert_summary = s/Certificate information is only[\S\s\r\n]+$//g
# Strip the IPv4-mapped prefix so ::ffff:10.0.0.5 is indexed as 10.0.0.5
SEDCMD-clean3-blank_ipv6 = s/::ffff://g
SEDCMD-clean4-token_elevation_summary = s/Token Elevation Type indicates[\S\s\r\n]+$//g
SEDCMD-clean5-network_share_summary = s/(?ms)(A network share object was checked to see whether.*$)//g
SEDCMD-clean6-authentication_summary = s/(?ms)(The computer attempted to validate the credentials.*$)//g
# Removes the loopback address, but as written it deletes the substring "::1" wherever it occurs
# (fe80::1a2b becomes fe80a2b); anchor it to the address field if real IPv6 traffic is logged
SEDCMD-clean7-local_ipv6 = s/(?ms)(::1)//g
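To see what these substitutions actually do to an event, here is an added Python example (written for this page, not part of the gist) that applies the same s/// expressions to a constructed 4624 logon event through a minimal parser for Splunk's `s/pattern/replacement/flags` syntax. It assumes Splunk applies SEDCMD classes in sorted class-name order, which is what the clean0..clean7 numbering is written for, and it counts the repeated first expression of clean0 once. It also shows the side effect of clean7, which deletes every "::1" substring, next to an anchored alternative that is my suggestion rather than the author's.

```python
import re

# The SEDCMD values from the [WinEventLog:Security] stanza above, keyed by class.
# Assumption of this example: Splunk applies them in sorted class order, which is
# what the clean0..clean7 naming relies on. clean0's duplicated first expression
# is listed once; running it twice is a no-op anyway.
SEDCMDS = {
    "clean0-null_sids": r"s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(\:)(\s+NULL SID)$/\1/g s/(?m)(ID\:)(\s+0x0)$/\1/g",
    "clean1-summary": r"s/This event is generated[\S\s\r\n]+$//g",
    "clean2-cert_summary": r"s/Certificate information is only[\S\s\r\n]+$//g",
    "clean3-blank_ipv6": r"s/::ffff://g",
    "clean4-token_elevation_summary": r"s/Token Elevation Type indicates[\S\s\r\n]+$//g",
    "clean5-network_share_summary": r"s/(?ms)(A network share object was checked to see whether.*$)//g",
    "clean6-authentication_summary": r"s/(?ms)(The computer attempted to validate the credentials.*$)//g",
    "clean7-local_ipv6": r"s/(?ms)(::1)//g",
}

# Narrower replacement for clean7 (a suggestion added here, not from the page):
# only blank a bare "::1" value in an address field, not every "::1" substring.
SAFER_CLEAN7 = r"s/(?m)(Address:)\s+::1$/\1/g"

# One s/pattern/replacement/flags expression. A literal '/' inside pattern or
# replacement must be written '\/' (none of the rules above need that).
_SED_EXPR = re.compile(r"s/((?:\\/|[^/])*)/((?:\\/|[^/])*)/([a-z]*)")


def parse_sedcmd(value):
    """Split one SEDCMD value into (pattern, replacement, count) tuples.

    count=0 replaces every match (sed's 'g' flag); count=1 replaces the first only.
    """
    exprs = []
    for pat, rep, flags in _SED_EXPR.findall(value):
        count = 0 if "g" in flags else 1
        exprs.append((pat.replace(r"\/", "/"), rep.replace(r"\/", "/"), count))
    return exprs


def apply_sedcmds(text, sedcmds=SEDCMDS):
    """Run every SEDCMD class over the event text, lowest class name first."""
    for name in sorted(sedcmds):
        for pat, rep, count in parse_sedcmd(sedcmds[name]):
            text = re.sub(pat, rep, text, count=count)
    return text


def with_safer_clean7(sedcmds=SEDCMDS):
    """The same rule set with clean7 swapped for the anchored version."""
    return {**sedcmds, "clean7-local_ipv6": SAFER_CLEAN7}


# Constructed sample (not a real capture): a 4624 logon event in the multi-line
# text form the Windows TA forwards. Tabs follow the Event Viewer layout.
SAMPLE_4624 = (
    "An account was successfully logged on.\n"
    "\n"
    "Subject:\n"
    "\tSecurity ID:\t\tNULL SID\n"
    "\tAccount Name:\t\t-\n"
    "\tAccount Domain:\t\t-\n"
    "\tLogon ID:\t\t0x0\n"
    "\n"
    "Logon Type:\t\t\t3\n"
    "\n"
    "New Logon:\n"
    "\tSecurity ID:\t\tS-1-5-21-1004336348-1177238915-682003330-1001\n"
    "\tAccount Name:\t\talice\n"
    "\tAccount Domain:\t\tCORP\n"
    "\tLogon ID:\t\t0x3E7A1\n"
    "\n"
    "Network Information:\n"
    "\tWorkstation Name:\tWS01\n"
    "\tSource Network Address:\t::ffff:10.0.0.5\n"
    "\tSource Port:\t\t49152\n"
    "\n"
    "This event is generated when a logon session is created. It is generated on "
    "the computer that was accessed.\n"
)


if __name__ == "__main__":
    cleaned = apply_sedcmds(SAMPLE_4624)
    print(cleaned)
    print(f"{len(SAMPLE_4624)} -> {len(cleaned)} characters")
    # The clean7 side effect on a link-local address, and the anchored fix:
    line = "\tSource Network Address:\tfe80::1a2b\n"
    print(repr(apply_sedcmds(line)), repr(apply_sedcmds(line, with_safer_clean7())))
```

Run it and compare the two sizes; the fe80::1a2b line at the end is the case that argues for anchoring clean7 to the address field before the rule meets real IPv6 traffic.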
'''
IDAPython script that generates a YARA rule to match against the
basic blocks of the current function. It masks out relocation bytes
and ignores jump instructions (given that we're already trying to
match compiler-specific bytes, this is of arguable benefit).
If python-yara is installed, the IDAPython script also validates that
the generated rule matches at least one segment in the current file.
author: Willi Ballenthin <william.ballenthin@fireeye.com>
'''
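As an added illustration of the masking the docstring describes (example code written for this page, not Willi Ballenthin's script, and it needs no IDA), the block below builds the same kind of rule from a hand-constructed pair of basic blocks: relocated bytes become `??` wildcards, jumps are dropped, and the result is checked against a "linked" copy of the bytes both with an offline matcher and, when yara-python is installed, with yara itself. The instruction bytes, relocation offsets and block layout are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class Insn:
    """One disassembled instruction: its bytes, whether it is a jump, and which
    byte offsets carry a relocation (absolute or RIP-relative address)."""
    raw: bytes
    is_jump: bool = False
    reloc_offsets: tuple = ()


def insn_tokens(insn):
    """Hex tokens for one instruction; relocated bytes become '??' wildcards.
    Jumps contribute nothing, mirroring the IDAPython script's behaviour."""
    if insn.is_jump:
        return []
    return ["??" if i in insn.reloc_offsets else f"{b:02X}" for i, b in enumerate(insn.raw)]


def block_pattern(block):
    """YARA hex pattern for one basic block. Leading and trailing wildcards are
    trimmed: they carry no information and a wildcard-only string is useless."""
    toks = [t for insn in block for t in insn_tokens(insn)]
    while toks and toks[0] == "??":
        toks.pop(0)
    while toks and toks[-1] == "??":
        toks.pop()
    return " ".join(toks)


def generate_rule(name, blocks, min_bytes=4):
    """Emit a rule with one $bbN string per block that keeps at least min_bytes
    literal bytes; 'all of them' requires every block, i.e. the whole function."""
    strings = []
    for i, block in enumerate(blocks):
        pat = block_pattern(block)
        if pat and sum(t != "??" for t in pat.split()) >= min_bytes:
            strings.append(f"        $bb{i} = {{ {pat} }}")
    if not strings:
        raise ValueError("no block yields a usable pattern")
    return "\n".join([f"rule {name} {{", "    strings:", *strings, "    condition:", "        all of them", "}"])


def hex_pattern_matches(pattern, data):
    """Offline check of one hex pattern against bytes ('??' matches any byte).
    Stands in for yara-python when it is not installed."""
    regex = b"".join(b"." if t == "??" else re.escape(bytes.fromhex(t)) for t in pattern.split())
    return re.search(regex, data, re.DOTALL) is not None


def validate_with_yara(rule_text, data):
    """Compile and run the rule with yara-python if available; None if it is not."""
    try:
        import yara
    except ImportError:
        return None
    return bool(yara.compile(source=rule_text).match(data=data))


def naive_pattern(block):
    """What you get without masking: every byte, jumps included, taken literally."""
    return " ".join(f"{b:02X}" for insn in block for b in insn.raw)


# Constructed sample (not from the page): two basic blocks of a small x86-64
# function as they sit in an unlinked object, where the RIP-relative lea and the
# call rel32 still hold zeroed displacements that the linker will patch.
BLOCKS = [
    [
        Insn(bytes.fromhex("55")),                                          # push rbp
        Insn(bytes.fromhex("4889e5")),                                      # mov rbp, rsp
        Insn(bytes.fromhex("488d0500000000"), reloc_offsets=(3, 4, 5, 6)),  # lea rax, [rip+disp32]
        Insn(bytes.fromhex("e800000000"), reloc_offsets=(1, 2, 3, 4)),      # call rel32
        Insn(bytes.fromhex("85c0")),                                        # test eax, eax
        Insn(bytes.fromhex("7405"), is_jump=True),                          # je short +5
    ],
    [
        Insn(bytes.fromhex("b801000000")),                                  # mov eax, 1
        Insn(bytes.fromhex("5d")),                                          # pop rbp
        Insn(bytes.fromhex("c3")),                                          # ret
    ],
]

# The same function after linking, with real displacements, padded with int3 bytes.
LINKED_IMAGE = bytes.fromhex("cccc" "55" "4889e5" "488d05" "10200000" "e8" "abcdefff" "85c0" "7405" "b801000000" "5d" "c3" "cc")


if __name__ == "__main__":
    rule = generate_rule("fn_example", BLOCKS)
    print(rule)
    for i, block in enumerate(BLOCKS):
        print(f"bb{i} masked pattern matches linked image: {hex_pattern_matches(block_pattern(block), LINKED_IMAGE)}")
        print(f"bb{i} naive pattern matches linked image:  {hex_pattern_matches(naive_pattern(block), LINKED_IMAGE)}")
    print("yara-python result:", validate_with_yara(rule, LINKED_IMAGE))
```

The naive pattern for the first block fails against the linked bytes because the lea and call displacements changed at link time, which is exactly the case the relocation mask exists for; the second block has no relocations, so both forms match it.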
- Anonymous - Script kiddies. Also see: Slacktivism
- Advanced - More advanced than the products the presenter sells
- APT - "Fancy name for shit you have in your network and didn't notice for a while"
- China - Because why not? Also see: Attribution Dice
This is a collection of snippets, not a comprehensive guide. I suggest you start with Operational PGP.
Here is an incomplete list of things that are different from other approaches:
- I don't use keyservers. Ever.
- Yes, I use Gmail instead of some bespoke hipster freedom service
#!/usr/bin/env python3
"""
Description
"""
from argparse import ArgumentParser
import logging
import os
import sys
# from somewhere import main  # template placeholder: the stub main() below stands in for it

def main(argv=None):
    parser = ArgumentParser(description=__doc__)
    parser.add_argument('-v', '--verbose', action='store_true', help='enable debug logging')
    args = parser.parse_args(argv)
    logging.basicConfig(level=logging.DEBUG if args.verbose else logging.INFO)
    return 0

if __name__ == '__main__':
    sys.exit(main())