
shortstack / velociraptor.py
Created October 9, 2024 16:12
Velociraptor API example
import json
import grpc
import app.libraries.pyvelociraptor
from app.libraries.pyvelociraptor import api_pb2
from app.libraries.pyvelociraptor import api_pb2_grpc
def query_endpoint_status(endpoint_id):
status = query_vr(
'SELECT last_seen_at as last_seen FROM clients() WHERE client_id="%s"'
shortstack / docker.sh
Created September 23, 2024 17:00
Install Docker
# Add Docker's official apt repository (dedicated keyring + source list) and
# refresh the package index so docker packages become installable.
# NOTE(review): consider `set -euo pipefail` at the top of the file so a failed
# key download aborts before the repository entry is written.
KEYRING_DIR=/etc/apt/keyrings
KEYRING="$KEYRING_DIR/docker.gpg"
REPO_LIST=/etc/apt/sources.list.d/docker.list

sudo apt-get update
sudo apt-get install ca-certificates curl gnupg -y

# Docker's signing key is stored in its own keyring; the `signed-by=` option in
# the repository line below scopes that key to this repository only, so it can
# never vouch for packages from any other source.
sudo install -m 0755 -d "$KEYRING_DIR"
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o "$KEYRING"
sudo chmod a+r "$KEYRING"

# Architecture and release codename are read from the host so the same script
# works across Ubuntu releases; tee writes the entry as root.
ARCH="$(dpkg --print-architecture)"
CODENAME="$(. /etc/os-release && echo "$VERSION_CODENAME")"
echo "deb [arch=$ARCH signed-by=$KEYRING] https://download.docker.com/linux/ubuntu $CODENAME stable" | \
  sudo tee "$REPO_LIST" > /dev/null
sudo apt-get update
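# Reset the Velociraptor datastore and seed it with the stacking-hunts bundle.
# With -e and pipefail a failed download, checksum or unzip stops the script
# instead of leaving the server with a half-populated datastore.
set -euo pipefail

VR_DATA=/opt/vr_data
BUNDLE_URL=https://storage.googleapis.com/thvr-cdn/stacking_hunts.zip
BUNDLE=/opt/stacking_hunts.zip
# Optional integrity pin: export the bundle's published SHA-256 to refuse a
# download that does not match it. Left empty, the check is skipped.
EXPECTED_SHA256="${EXPECTED_SHA256:-}"

# Stop the server first so it is not writing to the directories being replaced.
systemctl stop velociraptor_server

# -f keeps an already-empty directory from aborting the run: `rm -r dir/*`
# errors on an unmatched glob, which under set -e would end the script here.
rm -rf "$VR_DATA"/hunts/*
rm -rf "$VR_DATA"/hunt_index/*
rm -rf "$VR_DATA"/clients/*
rm -rf "$VR_DATA"/client_info/snapshot.json*

# -f makes curl exit non-zero on an HTTP error instead of saving the error page
# as the "zip"; -L follows CDN redirects; -sS stays quiet except for errors.
curl -fsSL "$BUNDLE_URL" --output "$BUNDLE"
if [ -n "$EXPECTED_SHA256" ]; then
    echo "$EXPECTED_SHA256  $BUNDLE" | sha256sum -c -
fi

unzip "$BUNDLE" -d "$VR_DATA"
# The extracted hunts must be owned by the service account. Only hunts is
# re-owned here, as in the original; whether the bundle also writes into
# hunt_index or clients is not visible from this script — verify against the
# bundle contents.
chown velociraptor:velociraptor -R "$VR_DATA"/hunts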
shortstack / Windows.Application.LimaCharlieInstall.yaml
Last active October 22, 2023 20:44
Velociraptor artifact to deploy the LimaCharlie EDR sensor
name: Windows.Applications.LimaCharlieInstall
author: Whitney Champion (@shortxstack)
description: |
This artifact installs the LimaCharlie EDR sensor.
tools:
# The sensor installer is fetched from the vendor URL below; serve_locally
# presumably has the Velociraptor server host the download for clients rather
# than each endpoint fetching it directly — confirm against the artifact docs.
# NOTE(review): nothing pins this download. Velociraptor tool definitions
# accept an expected_hash field — confirm and pin the published installer hash
# so a swapped binary is rejected before it is pushed to endpoints.
- name: LimaCharlieBinary
url: https://downloads.limacharlie.io/sensor/windows/64
serve_locally: true
shortstack / cylance_detections.py
Created March 16, 2023 22:51
Python Flask app to log detections from the Cylance API
import requests
import json
import time
from datetime import datetime, timedelta
import jwt
import uuid
from flask import Flask
from config import Config
shortstack / limacharlie_secrets.py
Last active February 11, 2023 19:49
Store and retrieve secrets from LimaCharlie
def generate_jwt():
api_key = ""
base_url = "https://jwt.limacharlie.io"
uid = ""
url = "%s?uid=%s&secret=%s" % (base_url, uid, api_key)
try:
r = requests.get(url)
shortstack / deploy_sysmon.yml
Created February 9, 2023 23:24
Deploy Sysmon With A LimaCharlie D&R Rule
# LimaCharlie D&R rule. The detect block matches OS_SERVICES_REP events
# (presumably the periodic Windows service listing — confirm) only when every
# rule under `op: and` holds: the platform is Windows, and a case-insensitive
# `contains` test is negated by `not: true`. The operands of that test and the
# response actions fall outside this excerpt.
deploy_sysmon:
detect:
event: OS_SERVICES_REP
op: and
rules:
- op: is platform
name: windows
- op: contains
not: true
case sensitive: false
shortstack / sigma_to_limacharlie.py
Created September 21, 2022 13:29
Convert Sigma rule to LimaCharlie rule
import json
import yaml
import requests
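# Endpoint of the Sigma -> LimaCharlie conversion service and the rule to send.
url = "https://sigma.limacharlie.io/convert/rule"
# Read the rule inside a `with` block so the file handle is closed
# deterministically; the original `open(...).read()` left it open until
# garbage collection.
with open('sigma_rule.yml', 'rb') as rule_file:
    files = {'rule': rule_file.read()}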
headers = {
"Content-Type": "application/x-www-form-urlencoded"
shortstack / watch_s3.py
Created March 16, 2021 13:01
watch_s3.py
import os
import sys
import boto3
import pytz
from datetime import datetime,timedelta
from os import path
# Module-level S3 handles created at import time. No session, region or
# credentials are passed, so boto3's default lookup (environment, config
# files, instance role) applies. The resource API and the low-level client
# are both kept; presumably the client covers calls the resource layer does
# not wrap — confirm against the callers below.
s3 = boto3.resource('s3')
s3_client = boto3.client('s3')
shortstack / cloudwatch_to_logstash.py
Created January 13, 2021 18:08
Python lambda to ship logs from Cloudwatch to Logstash
#!/usr/bin/env python3
import socket
import sys
import json
import zlib
import copy
import base64
import re
import ssl
import logging