```yaml
name: Server.Enrichment.JsonLookup
description: Allows pulling in JSON lists from an external URL to perform lookups against
author: Whitney Champion (@shortstack)
type: SERVER
parameters:
  - name: LookupUrl
    type: string
    default:
```
```yaml
name: Server.Monitor.Flows.Windows.EventLogs.Hayabusa
author: Whitney Champion - bluesky @whit.zip, Eric Capuano - bluesky @eric.zip
description: |
  This server monitoring artifact will automatically collect any KAPE triage artifacts, and send them for processing with Hayabusa.
type: SERVER_EVENT
parameters:
  - name: ArtifactNameRegex
    default: "Windows.KapeFiles.Targets"
```
```yaml
name: Server.Process.Windows.EventLogs.Hayabusa
author: Whitney Champion - bluesky @whit.zip, Eric Capuano - bluesky @eric.zip
description: |
  Process evtx files server side with Hayabusa
type: SERVER
tools:
  - name: Hayabusa-Linux-3.3.0
    url: https://github.com/Yamato-Security/hayabusa/releases/download/v3.3.0/hayabusa-3.3.0-lin-x64-musl.zip
```
| 1 | foo |
|---|---|
| 2 | bar |
```json
{
  "list": [
    { "name": "dinesh" },
    { "name": "richard" },
    { "name": "gilfoyle" },
    { "name": "erlich" },
    { "name": "jared" },
    { "name": "jian-yang" },
    { "name": "monica" }
  ]
}
```
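The enrichment the JsonLookup artifact performs, written out as an added Python example (this is not the artifact's own VQL, and not code from the gist author). The fixture document below is constructed in the same shape as the list above and stands in for whatever LookupUrl would return; the row field names (`user`, `host`) and the `in_list` flag are assumptions. It shows the two things a practitioner wants from a lookup enrichment: a parser that refuses a malformed document but tolerates individual bad entries, and a comparison that is case- and whitespace-insensitive so "GILFOYLE" still hits "gilfoyle".

```python
import json
from typing import Iterable

# Constructed fixture in the same shape as the list above; it stands in
# for the document the artifact would fetch from LookupUrl.
LOOKUP_JSON = """
{
  "list": [
    { "name": "dinesh" },
    { "name": "richard" },
    { "name": "Gilfoyle" },
    { "nickname": "entry-without-a-name-key" }
  ]
}
"""


def build_lookup(raw: str, key: str = "name", list_key: str = "list") -> frozenset:
    """Parse a lookup document into a case-folded set of values.

    Rejects anything that is not an object holding a list under list_key,
    and skips entries without a string under key instead of failing the
    whole enrichment because of one bad element.
    """
    doc = json.loads(raw)
    if not isinstance(doc, dict) or not isinstance(doc.get(list_key), list):
        raise ValueError("expected an object with a %r array" % list_key)
    values = set()
    for entry in doc[list_key]:
        if isinstance(entry, dict) and isinstance(entry.get(key), str):
            values.add(entry[key].strip().casefold())
    return frozenset(values)


def lookup_is_wellformed(raw: str, key: str = "name", list_key: str = "list") -> bool:
    """True if build_lookup would accept the document."""
    try:
        build_lookup(raw, key, list_key)
    except (ValueError, TypeError):
        return False
    return True


def enrich(rows: Iterable[dict], lookup: frozenset, field: str, flag: str = "in_list") -> list:
    """Return copies of rows with a boolean flag: is row[field] in the list?

    The comparison is case-insensitive and ignores surrounding whitespace;
    a missing or non-string field never matches.
    """
    out = []
    for row in rows:
        value = row.get(field)
        hit = isinstance(value, str) and value.strip().casefold() in lookup
        out.append({**row, flag: hit})
    return out


# Constructed rows to enrich (field names are assumptions for this example).
SAMPLE_ROWS = [
    {"user": "Dinesh", "host": "ws01"},
    {"user": "bob", "host": "ws02"},
    {"user": " GILFOYLE ", "host": "ws03"},
    {"user": None, "host": "ws04"},
]

if __name__ == "__main__":
    for row in enrich(SAMPLE_ROWS, build_lookup(LOOKUP_JSON), "user"):
        print(row)
```

Treat the list as untrusted input even when you control the URL: a changed or hijacked endpoint can serve a document of the wrong shape, and failing closed on that (rather than enriching every row as "not found") is what makes the error visible.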
```python
import json
import grpc
import app.libraries.pyvelociraptor
from app.libraries.pyvelociraptor import api_pb2
from app.libraries.pyvelociraptor import api_pb2_grpc


def query_endpoint_status(endpoint_id):
    # endpoint_id is spliced into the VQL text as a string literal here
    status = query_vr(
        'SELECT last_seen_at as last_seen FROM clients() WHERE client_id="%s"'
```
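The query above builds VQL with `%s`, so whatever arrives in `endpoint_id` becomes part of the query text. The added Python example below (mine, not the gist author's code) puts that pattern next to a hardened version: validate the identifier against an allow-list shape, then pass it to VQL as a scope variable instead of as text. Two assumptions are labelled in the code: that Velociraptor client IDs look like `C.` followed by 16 lowercase hex digits, and that the returned `VQL`/`env` mapping is what you would place into the API's `VQLCollectorArgs` (query in `Query[].VQL`, variables in `env[]` as key/value pairs). The gRPC call itself is deliberately left out so the example runs without a server; the hostile input is constructed.

```python
import re

# Assumption for this example: Velociraptor client IDs are "C." followed
# by 16 lowercase hex digits. Tighten or loosen to match your deployment.
CLIENT_ID_RE = re.compile(r"C\.[0-9a-f]{16}")

# The ID is referenced as a VQL variable, never as text inside the query.
STATUS_VQL = "SELECT last_seen_at AS last_seen FROM clients() WHERE client_id = ClientId"


def build_status_query_unsafe(endpoint_id: str) -> str:
    """The pattern in the snippet above: the caller-supplied ID is spliced
    into the query text, so quotes and operators in it become VQL."""
    return 'SELECT last_seen_at AS last_seen FROM clients() WHERE client_id="%s"' % endpoint_id


def is_valid_client_id(endpoint_id) -> bool:
    """Allow-list check on the shape of the identifier."""
    return isinstance(endpoint_id, str) and CLIENT_ID_RE.fullmatch(endpoint_id) is not None


def build_status_query(endpoint_id: str) -> dict:
    """Validate first, then hand the ID to VQL as a scope variable.

    The returned mapping is what you would put into VQLCollectorArgs
    (VQL into Query[].VQL, env into env[] as key/value pairs); that wiring
    is an assumption stated in the lead-in and is not exercised here.
    """
    if not is_valid_client_id(endpoint_id):
        raise ValueError("invalid Velociraptor client id: %r" % (endpoint_id,))
    return {"VQL": STATUS_VQL, "env": {"ClientId": endpoint_id}}


def rejects(endpoint_id) -> bool:
    """True if the hardened builder refuses the identifier."""
    try:
        build_status_query(endpoint_id)
    except ValueError:
        return True
    return False


# Constructed hostile input: closes the quoted literal and appends a
# condition that matches every client, so the unsafe query returns all
# last_seen values instead of one.
HOSTILE_ID = '" OR client_id =~ "." OR client_id="'
GOOD_ID = "C.4a6f8b2c9d1e3f50"

if __name__ == "__main__":
    print("unsafe :", build_status_query_unsafe(HOSTILE_ID))
    print("safe   :", build_status_query(GOOD_ID))
    print("hostile rejected:", rejects(HOSTILE_ID))
```

The validation is the part that matters even if you keep string formatting: the API credential this script holds is typically far more powerful than "read one client's last_seen", so anything that lets a caller reshape the query is a privilege boundary, not a cosmetic bug.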
```yaml
name: Windows.Applications.LimaCharlieInstall
author: Whitney Champion (@shortxstack)
description: |
  This artifact installs the LimaCharlie EDR sensor.
tools:
  - name: LimaCharlieBinary
    url: https://downloads.limacharlie.io/sensor/windows/64
    serve_locally: true
```
```python
import requests
import json
import time
from datetime import datetime, timedelta
import jwt
import uuid
from flask import Flask
from config import Config
```
```yaml
deploy_sysmon:
  detect:
    event: OS_SERVICES_REP
    op: and
    rules:
      - op: is platform
        name: windows
      - op: contains
        not: true
        case sensitive: false
```
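The rule above fires on a Windows service inventory when a `contains` check does not match (the listing is cut off before the `path` and `value`). The added Python example below (my code, not LimaCharlie's engine or the gist author's rule) evaluates a rule of that shape over constructed service-report messages so the negated, case-insensitive `contains` can be checked against concrete input. Assumptions, also marked in the code: the path `event/SVCS/?/NAME` and value `sysmon`, a message layout with `routing.plat` as a platform name and `routing.event_type` as the event name, and `?` as a single-level wildcard; real OS_SERVICES_REP events and platform encoding differ in detail.

```python
from typing import Any

# Constructed rule set in the shape of the D&R rule above. The "contains"
# path and value are assumptions (the listing stops before them), and the
# message layout used here is a simplification of LimaCharlie's schema.
RULES = {
    "deploy_sysmon": {
        "detect": {
            "event": "OS_SERVICES_REP",
            "op": "and",
            "rules": [
                {"op": "is platform", "name": "windows"},
                {"op": "contains", "path": "event/SVCS/?/NAME",
                 "value": "sysmon", "not": True, "case sensitive": False},
            ],
        }
    }
}


def _resolve(obj: Any, parts: list) -> list:
    """Collect every value reachable along a '/'-separated path.

    '?' matches any dict key or list element at that level (single level).
    """
    if not parts:
        return [obj]
    head, rest = parts[0], parts[1:]
    found = []
    if head == "?":
        if isinstance(obj, dict):
            children = list(obj.values())
        elif isinstance(obj, list):
            children = obj
        else:
            children = []
        for child in children:
            found.extend(_resolve(child, rest))
    elif isinstance(obj, dict) and head in obj:
        found.extend(_resolve(obj[head], rest))
    return found


def evaluate(rule: dict, msg: dict) -> bool:
    """Evaluate one rule node against a message ({"routing": ..., "event": ...})."""
    op = rule["op"]
    if op in ("and", "or"):
        combine = all if op == "and" else any
        return combine(evaluate(r, msg) for r in rule["rules"])
    if op == "is platform":
        result = msg["routing"].get("plat") == rule["name"]
    elif op == "contains":
        needle = rule["value"]
        hay = [v for v in _resolve(msg, rule["path"].split("/")) if isinstance(v, str)]
        if not rule.get("case sensitive", True):
            needle = needle.casefold()
            hay = [h.casefold() for h in hay]
        # With "not", this becomes "no matched value contains the needle".
        result = any(needle in h for h in hay)
    else:
        raise ValueError("unsupported op: %s" % op)
    return (not result) if rule.get("not", False) else result


def fired_rules(rules: dict, msg: dict) -> list:
    """Names of rules whose detect block applies to this event type and matches."""
    fired = []
    for name, body in rules.items():
        detect = body["detect"]
        if detect.get("event") == msg["routing"].get("event_type") and evaluate(detect, msg):
            fired.append(name)
    return fired


# Constructed sample messages.
HOST_WITHOUT_SYSMON = {
    "routing": {"plat": "windows", "event_type": "OS_SERVICES_REP", "hostname": "ws01"},
    "event": {"SVCS": [{"NAME": "Dhcp"}, {"NAME": "WinDefend"}]},
}
HOST_WITH_SYSMON = {
    "routing": {"plat": "windows", "event_type": "OS_SERVICES_REP", "hostname": "ws02"},
    "event": {"SVCS": [{"NAME": "Dhcp"}, {"NAME": "Sysmon64"}]},
}
LINUX_HOST = {
    "routing": {"plat": "linux", "event_type": "OS_SERVICES_REP", "hostname": "srv01"},
    "event": {"SVCS": [{"NAME": "sshd"}]},
}

if __name__ == "__main__":
    for m in (HOST_WITHOUT_SYSMON, HOST_WITH_SYSMON, LINUX_HOST):
        print(m["routing"]["hostname"], fired_rules(RULES, m))
```

The case-insensitive match is what makes the negation safe: a host running `Sysmon64` must not be treated as missing Sysmon, or the respond side would reinstall on every service report.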
```python
import json
import yaml
import requests

url = "https://sigma.limacharlie.io/convert/rule"
files = {'rule': open('sigma_rule.yml', 'rb').read()}
headers = {
    "Content-Type": "application/x-www-form-urlencoded"
```