I hereby claim:
- I am truekonrads on github.
- I am kklints (https://keybase.io/kklints) on keybase.
- I have a public key ASArmOzyFYREufom45Vo6KMR9xWDw-tesLFl4xjUcKaj1go
To claim this, I am signing this object:
Konrads Klints truekonrads
truekonrads
/ windows_registry_hex_to_datetime.py
Created
June 3, 2024 02:17
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def decode_date_last_connected(hex_string): | |
| # Convert hex to bytes | |
| bytes_array = bytes.fromhex(hex_string) | |
| # Swap every 2-byte chunk to convert from little endian to big endian | |
| swapped_bytes = bytearray() | |
| for i in range(0, len(bytes_array), 2): | |
| swapped_bytes.extend(bytes_array[i:i+2][::-1]) | |
| # Convert each chunk from bytes to integer |
truekonrads
/ vt-bulk.py
Last active
November 17, 2022 03:30
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| try: | |
| import ujson as json | |
| except ImportError: | |
| import json | |
| import aiohttp, asyncio | |
| import logging | |
| logging.basicConfig( | |
| format="{'time':'%(asctime)s', 'name': '%(name)s', \ | |
| 'level': '%(levelname)s', 'message': '%(message)s'}" |
truekonrads
/ readaff4.py
Last active
July 3, 2022 15:24
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pyaff4 import data_store | |
| from pyaff4 import aff4_image | |
| from pyaff4 import lexicon | |
| from pyaff4 import rdfvalue | |
| from pyaff4 import zip | |
| import urllib.parse | |
| def getAff4Images(filepath): | |
| volume_path_urn = rdfvalue.URN.NewURNFromFilename(filepath) | |
| resolver = data_store.MemoryDataStore() |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| # To add a new cell, type '# %%' | |
| # To add a new markdown cell, type '# %% [markdown]' | |
| # %% | |
| from datetime import datetime | |
| from multiprocessing import Pool | |
| from lxml import etree | |
| from lxml.etree import XMLSyntaxError | |
| import logging | |
| import sys |
truekonrads
/ iistojson.py
Last active
August 13, 2020 09:25
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import urllib.parse | |
| try: | |
| import ujson as json | |
| except ImportError: | |
| import json | |
| import datetime | |
| import sys | |
| import re |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import pefile | |
| import pprint | |
| pe = pefile.PE(r"D:\Training\AdditionalDLLs\Security\MsAuditE.dll") | |
| for entry in pe.DIRECTORY_ENTRY_RESOURCE.entries: | |
| if entry.id == 11: | |
| actual_data = entry.directory.entries[0].directory.entries[0].data | |
| size = actual_data.struct.Size |
truekonrads
/ elasticsearch update fields.md
Created
July 24, 2017 13:55
Suppose you have a field which you have ingested as "text", but it is actually an IP address (sometimes). You would like to treat it as an IP address, but can't or won't re-create the index. Then do this:
$ curl -XPUT 'http://localhost:9200/myindex/logs/_mapping
{
"properties": {
"Network Information Network Address": {
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # Convert evtx to json | |
| import Evtx.Evtx as evtx | |
| import sys | |
| import json | |
| def recursive_dict(element): | |
| # https://stackoverflow.com/questions/42925074/python-lxml-etree-element-to-json-or-dict | |
| t = element.tag |
truekonrads
/ parsehttp2datastreams.py
Last active
August 22, 2020 01:02
Retrieve a particular http2 stream for packet capture
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import pyshark | |
| import sys | |
| cap=pyshark.FileCapture(sys.argv[1]) | |
| targetstream=sys.argv[2] | |
| for p in cap: | |
| if "http2" in p: | |
| i=0 | |
| for s in p.http2.stream.all_fields: |
NewerOlder