Joy Dragon joydragon
joydragon
/ detect_strange_msi.yara
Last active
November 3, 2021 19:54
Yara de prueba para detectar patrones extraños de campaña de N40/Mekotio en Chile.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule detect_strange_msi { | |
| meta: | |
| author = "Ricardo Monreal (@joydragon)" | |
| description = "Yara de prueba para detectar patrones extraños de campaña de N40/Mekotio en Chile. Actualizada 2021-11-03" | |
| strings: | |
| // Hex que diga "Fichero", "TGR" o "Arquivo ... cargando" como parte del "Subject" | |
| $bytes_1 = { 03 00 00 00 0a 00 00 00 1e 00 00 00 ?? 00 00 00 46 69 63 68 65 72 6f 00 1e } | |
| $bytes_2 = { 03 00 00 00 0a 00 00 00 1e 00 00 00 ?? 00 00 00 54 47 52 00 1e } | |
| $bytes_3 = { 03 00 00 00 0a 00 00 00 1e 00 00 00 ?? 00 00 00 41 72 71 75 69 76 6f 20 2e 2e 2e 20 63 61 72 67 61 6e 64 6f 00 00 00 00 1e } |
joydragon
/ check_confidence.py
Created
March 27, 2021 17:54
This is a script to listen to the ZMQ on your MISP project and validate the confidence level. Article about it on https://wordpress.com/post/finsin.cl/582
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /usr/bin/env python3 | |
| import json | |
| import logging | |
| import zmq | |
| import time | |
| import re | |
| from pymisp import ExpandedPyMISP | |
| #################################### |
joydragon
/ check_opentip.py
Last active
February 25, 2021 19:01
This is a script to query the Kaspersky OpenTIP, dunno if the "cym9cgwjk" header is going to expire, but you can get it from a normal connection to the platform. And sorry Kaspersky if you don't intend the platform to be used like this, I can remove this content
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| # This is a script to query the Kaspersky OpenTIP | |
| # Dunno if the "cym9cgwjk" header is going to expire, but you can get it from a normal connection to the platform. | |
| # And sorry Kaspersky if you don't intend the platform to be used like this, I can remove this content | |
| import requests | |
| import sys | |
| from os import path | |
| cym9cgwjk = "G27TVJWVYdVHJW15auIG0v3ViYJJmqWi7leK4mPw/BgKEAAAAAAAAAAAAAD//y0H5/YSEB4pNeCdtYNFyD9vmrTrDIQY2azN0/su" |
joydragon
/ mailers.txt
Created
December 6, 2020 01:44
Git con IOC de Mailers PHP de correos de Phishing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| URIs: | |
| /isma.php | |
| /dug.php | |
| /rss.php | |
| /power2.php | |
| /mm.php | |
| IPs: | |
| 45.7.230.59 | |
| 45.7.230.85 |
joydragon
/ nginx_kibana.conf
Created
August 15, 2020 22:49
Archivo para configurar Kibana detrás de NGINX
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| upstream kibana { | |
| server 127.0.0.1:5601; | |
| keepalive 15; | |
| } | |
| server { | |
| listen 80 default_server; | |
| server_name _; | |
| location / { |
joydragon
/ nginx_elastic_restricted.conf
Created
August 15, 2020 22:24
Archivo para configurar Elasticsearch detrás de NGINX (puerto 19200)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| upstream elasticsearch { | |
| server 127.0.0.1:19200; | |
| keepalive 15; | |
| } | |
| server { | |
| listen 9200; | |
| location / { | |
| limit_except GET POST PUT { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # MISP WEB SERVER CONFIGURATION | |
| server { | |
| server_name {{server_name}}; | |
| listen 443 ssl; | |
| root /var/www/MISP/app/webroot; | |
| index index.php; | |
| access_log /var/log/nginx/misp.access.log; | |
| error_log /var/log/nginx/misp.error.log; |