Updated docs with new tools and bumped version to 8.5.2
dcode committed Nov 29, 2022
1 parent f378503 commit 1d4bcd3
Showing 2 changed files with 16 additions and 1 deletion.
15 changes: 15 additions & 0 deletions README.md
@@ -18,6 +18,9 @@ The current list of tools are:
- `url-encode`, a tool to encode common character or all special characters to urlencoded strings
- `zlib-compress`, a tool to perform zlib compression/deflation on the command line
- `zlib-decompress`, a tool to perform zlib decompression/inflation on the command line
- `zlib-deflate`, an alias for zlib-compress
- `zlib-decompress`, an alias for zlib-decompress
- `unmap-pe`, processes a PE binary, removing the memory mapping. Useful for analyzing process memory dumps

## Installation

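Review bot: the last alias entry in this hunk, `zlib-decompress`, an alias for zlib-decompress, names the same command on both sides, so it documents nothing. The entry just above pairs `zlib-deflate` with zlib-compress, and the two descriptions before it use "deflation"/"inflation", so this line should carry the inflate-side alias name that the package actually registers for zlib-decompress. Minor, on the unchanged context line: `The current list of tools are:` should read `The current list of tools is:`.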
@@ -152,3 +155,15 @@ $ lucene-query --since 'now-12M' 'dns.question.name: puerto2547.duckdns.org' -c
| jq '._source.agent.id' -r | sort -u
ec82f608-3d1b-4651-900e-b970c68bbeef
```

Extract a single binary using Elastic Defend integration with
[optional sample collection](https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack) enabled.
Note that additional shell scripting would be needed to loop over a set of results.

```shell
eql-query 'process where ?process.Ext.memory_region.bytes_compressed_present == true' \
--size 1 \
--fields 'process.Ext.memory_region.bytes_compressed' | \
jq -r '.process.Ext.memory_region.bytes_compressed' | \
base64 -d | zlib-decompress > captured_sample.bin
```
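Review bot: the `eql-query ... | base64 -d | zlib-decompress > captured_sample.bin` pipeline has no failure handling, so a query with zero hits, or a hit where the field is absent, silently leaves an empty or corrupt `captured_sample.bin`: `jq -r` prints the literal string `null` for a missing field, which `base64 -d` decodes to three junk bytes rather than rejecting. Suggest `jq -er` (non-zero exit when the output is null or false) and running the pipeline under `set -o pipefail`, and mentioning this alongside the sentence that already notes extra shell scripting is needed for multiple results. Minor wording: "using Elastic Defend integration" reads better as "using the Elastic Defend integration".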
2 changes: 1 addition & 1 deletion pyproject.toml
@@ -1,6 +1,6 @@
[tool.poetry]
name = "thrunting-tools"
version = "8.5.1"
version = "8.5.2"
description = "A collection of utilities to help with threat hunting on the command line."
authors = ["Derek Ditch <dcode@users.noreply.github.com>"]
license = "Apache-2.0"
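Review bot: the version bump `8.5.1` to `8.5.2` is the only change in this file, while the README hunk in the same commit advertises new commands (`unmap-pe`, `zlib-deflate` and the inflate alias); confirm the matching console-script entries exist in this pyproject.toml below the visible lines, since a README entry without a registered script leaves the documented command missing after install. A changelog line or tag for 8.5.2 matching the commit message would also help.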

0 comments on commit 1d4bcd3