- Generate the file:
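# Build a 100 MB HTML file: 10,000,000 copies of the 10-byte string "<p>LOL</p>".
$ awk 'BEGIN { for (c = 0; c < 10000000; c++) printf "<p>LOL</p>" }' > 100M.html
# Stream the file 100 times (~10 GB uncompressed) through pv (progress meter) into
# gzip -9. The input is maximally repetitive, so it compresses extremely well;
# the resulting archive is a fixture for checking that a decompressor enforces a
# limit on decompressed size rather than trusting the archive's own size.
# Brace expansion replaces the backtick `seq` call; the loop variable is unused.
$ (for _ in {1..100}; do cat 100M.html; done) | pv | gzip -9 > 10G.boomgz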
- Check that the file was generated correctly:
| union SigninLogs, AADNonInteractiveUserSignInLogs | |
| | where AutonomousSystemNumber in (33438, 25369, 62240, 9009, 60068, 40676, 8100) | |
| | summarize | |
| min(TimeGenerated), | |
| max(TimeGenerated), | |
| ResultTypes = make_set(ResultType), | |
| IPAddresses = make_set(IPAddress), | |
| ASNs = make_set(AutonomousSystemNumber), | |
| AppDisplayNames = make_set(AppDisplayName), | |
| ClientAppUsed = make_set_if(ClientAppUsed, isnotempty(ClientAppUsed)), |
| function Get-RdpLogonEvent | |
| { | |
| [CmdletBinding()] | |
| param( | |
| [Int32] $Last = 10 | |
| ) | |
| $RdpInteractiveLogons = Get-WinEvent -FilterHashtable @{ | |
| LogName='Security' | |
| ProviderName='Microsoft-Windows-Security-Auditing' |
| # Suppress non-terminating errors so that a failure on one step does not abort the rest of the script. Failures are then not reported, so verify the result afterwards. | |
| $ErrorActionPreference = "SilentlyContinue" | |
| # Set variables | |
| $DesktopPath = [Environment]::GetFolderPath("Desktop") | |
| $basic = "C:\windows\System32\winevt\Logs\Application.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx", "C:\windows\System32\winevt\Logs\System.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx", "C:\windows\System32\winevt\Logs\Security.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx" | |
| $remote_logs = "C:\windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-WinRM%4Operational.evtx" |
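# Generate a 100 MB file consisting of 10,000,000 repetitions of "<p>LOL</p>" (10 bytes each).
$ awk 'BEGIN { for (c = 0; c < 10000000; c++) printf "<p>LOL</p>" }' > 100M.html
# Concatenate it 100 times (~10 GB uncompressed), show progress with pv, and
# compress with gzip -9. Highly repetitive input compresses very well, which is
# what makes the archive useful for testing that a decompressor caps its output
# size instead of inflating whatever the archive claims.
# {1..100} replaces the backtick `seq` call; the loop variable is never read.
$ (for _ in {1..100}; do cat 100M.html; done) | pv | gzip -9 > 10G.boomgz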
For modern Windows 10 & 11 systems that do not support the legacy GPO approach, test the following for your environment.
To target the Classic (Win32) Notepad (C:\Windows\System32\notepad.exe) instead of the Microsoft Store version, you must use the Applications\notepad.exe ProgID.
File Name: SecurityAssociations.xml
<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations>
| # Log the time prior to executing the action. | |
| # This will be used as part of an event log XPath filter. | |
| $DateTimeBefore = [Xml.XmlConvert]::ToString((Get-Date).ToUniversalTime(), [System.Xml.XmlDateTimeSerializationMode]::Utc) | |
| # Now perform the action whose related events you want to surface... | |
| $null = Mount-DiskImage -ImagePath "$PWD\FeelTheBurn.iso" -StorageType ISO -Access ReadOnly | |
| # Wait a moment for the events to be written to the log | |
| Start-Sleep -Seconds 5 |
| [ | |
| [ | |
| "NtLockProductActivationKeys", | |
| [ | |
| "UInt32 *", | |
| "UInt32 *" | |
| ] | |
| ], | |
| [ | |
| "NtLockProductActivationKeys", |
| 178.62.115.135 | |
| 167.99.197.196 | |
| 138.68.131.250 | |
| 195.206.181.141 | |
| 193.29.13.201 | |
| 5.61.61.49 | |
| 139.59.172.170 | |
| 46.101.63.124 | |
| 206.189.121.65 | |
| 46.101.47.102 |
| Date,Details,Email Payload Type,Users Targeted | |
| 12/1/2020,Balance Payment; pdf -> agenttesla,Attachment,2 | |
| 12/1/2020,All subjects contain DocuSign floydnicholsonsc.com sender; link -> hancitor -> ficker,Link,8257 | |
| 12/2/2020,All subjects contain DocuSign frankstaropoli.com sender; link -> hancitor -> ficker,Link,4810 | |
| 12/2/2020,Subjects Invoice <digits>; xlsm|xls -> dridex,Attachment,117 | |
| 12/2/2020,Re:Re: New Purchase Order-030220- SMART SOURCING INC; link -> agenttesla,Link,5 | |
| 12/2/2020,Re: Re: Proforma PI-08598; gz -> remcos,Attachment,3 | |
| 12/3/2020,All subjects contain DocuSign freitasforcongress.com sender; link -> hancitor -> ficker,Link,6047 | |
| 12/3/2020,BALANCE PAYMENT; z -> agenttesla,Attachment,4 | |
| 12/3/2020,RE: Payment Advice; z -> agenttesla,Attachment,4 |