Josh Rickard MSAdministrator

@MSAdministrator
MSAdministrator / EXT Signature Required!.eml
Created October 2, 2025 16:09
EXT Signature Required!
Received: from VE1P191MB0909.EURP191.PROD.OUTLOOK.COM (2603:10a6:800:148::14)
by AM9P191MB1523.EURP191.PROD.OUTLOOK.COM with HTTPS; Tue, 5 Aug 2025
19:33:44 +0000
Authentication-Results: spf=pass (sender IP is 52.101.69.94)
smtp.mailfrom=suspiciousdomain.com; dkim=pass (signature was verified)
header.d=randomcompany.onmicrosoft.com;dmarc=bestguesspass action=none
header.from=suspiciousdomain.com;compauth=pass reason=109
Received-SPF: Pass (protection.outlook.com: domain of suspiciousdomain.com designates
52.101.69.94 as permitted sender) receiver=protection.outlook.com;
client-ip=52.101.69.94; helo=AM0PR83CU005.outbound.protection.outlook.com;
@MSAdministrator
MSAdministrator / Corporate HR Q4 Vacation Lists Out.eml
Created October 2, 2025 16:08
Corporate HR Q4 Vacation Lists Out
From: "TechCorp Organization Human Resource Management" <globalhrdesk@techcorp.com>
To: john.doe <john.doe@techcorp.com>
Subject: Corporate HR Q4 Vacation Lists Out
MIME-Version: 1.0
Date: Tue, 12 Aug 2025 09:15:29 +0000
Content-Type: multipart/mixed;
boundary="gLE6ijStjjMh7F1gS1b4PXDhzv7UCZFff6x05TZT"
--gLE6ijStjjMh7F1gS1b4PXDhzv7UCZFff6x05TZT
Content-Type: text/html; charset=utf-8
@MSAdministrator
MSAdministrator / EXT Reminder Calendar.eml
Created October 2, 2025 16:06
EXT Reminder Calendar.eml
X-MS-Exchange-Organization-InternalOrgSender: True
ARC-Seal: i=2; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass;
b=GC0HfsWK6+gS/xFRDJFxhqWqH3nhk7iuT4u/vpkjvtFqCwuUg05Bb/0pQ+zogAwWZtfZnypR26G5eDO6q4xUlYQfmBkUkMJo68Y1DxdNYnuPg/EFF8nVV3l+ATil6AY9Nv4PKsBB2rP9WBEttBMAwKXaHvNo5sTnGx6wElWoAyvn/uS2iTHQWA/h/U6o4djIdXOuNF92kVCHtkU1zFotTnFnede6UolWid7xYGjHM5iQ+Z1q8z11B8wSih0Rh591eJw93oKMQCMneXS3wguocjqQUB8vBStGEnxxtikoZU5AIw9q4AG5z9K0nC90l58x63ZW1HhdCRfR50BL+GnXGg==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector10001;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=XoqdpFLLo6R1pUIAPjD9JPeh+M659/FDtct90ON+/J0=;
b=FYgdkg+15tqWUO4AO/cbPanJFoWHRAj+vIbzOrar8lbw50b2To+klCQNzY5lUABYT2xGPj3P89030fgHPXSZgouKtFSvz2HGgldEG7BjElQ8LGHiIYK8I4oj1p17MclpBv8zBEgNvvke4svvPXnJO503Bjq5a5FvBCbzxtH72bSfuUDdXgX+lBFcar5WQucy1qarLgU0UCPrm7w+985XhmT1tMU
$methods = @('Get-AttckTool', 'Get-AttckTechnique', 'Get-AttckTactic', 'Get-AttckMitigation', 'Get-AttckMalware', 'Get-AttckActor')
foreach ($method in $methods){
$properties = @('Name', 'Id')
foreach ($prop in $properties){
${"($method)NameScriptBlock"} = {
param($commandName, $parameterName, $wordToComplete, $commandAst, $fakeBoundParameters)
(& $method)."$prop".ForEach({
@MSAdministrator
MSAdministrator / download_malware_samples.py
Created January 7, 2022 02:33
Download Malicious Files from malware-traffic-analysis.net
import os
import requests
from bs4 import BeautifulSoup
import time
import re
import io
from zipfile import ZipFile
EXTENSION_LIST = [
@MSAdministrator
MSAdministrator / mitre_att&ck_json_data_format_explanation.md
Created March 1, 2020 03:53
Explanation of the MITRE ATT&CK Data Format

MITRE ATT&CK Data Format

The MITRE ATT&CK JSON file is a flat JSON structure which is difficult to parse. To parse this JSON file, there are several different approaches but the type key is the, well, key!

The types within this JSON are the following (as well as the common wording used for this type):

  • attack-pattern (Techniques)
  • relationship (This is a unique type that contains relationships between types)
  • course-of-action (Mitigations)
  • identity (unused)
@MSAdministrator
MSAdministrator / iranian_apit_groups_possible_commands.md
Last active December 5, 2025 00:25
Iranian APT Groups & Possible Commands Used By These Groups

Overview

The following content is generated using a preview release of Swimlane's pyattck.

This snippet of data is scoped to the following actor groups:

  • APT33
  • APT34
  • APT39
  • Charming Kitten
@MSAdministrator
MSAdministrator / Confirm-DateTimeFormatPattern.ps1
Created February 11, 2018 20:12
Confirm if a date time format pattern is valid or not
<#
.Synopsis
Confirm if a date time format pattern is valid or not
.DESCRIPTION
Confirm if a date time format pattern is valid or not
based on the current culture of the machine that this function
is being run on
.EXAMPLE 1
@MSAdministrator
MSAdministrator / Get-TargetedWinEvent.ps1
Created January 10, 2018 18:00 — forked from jasonadsit/Get-TargetedWinEvent.ps1
Get-TargetedWinEvent.ps1
function Get-TargetedWinEvent {
<#
.SYNOPSIS
Searches Windows logs for events related to specific Event IDs or EventData.Data values
.DESCRIPTION
Searches Windows logs for events related to specific Event IDs or EventData.Data values
Supports searching offline/exported evt/evtx files as well as online machines
.PARAMETER SearchTerm
EventData.Data property value to search for
@MSAdministrator
MSAdministrator / Setup-NewComputer.ps1
Last active November 27, 2025 20:34
Setup-NewComputer.ps1
# Set your PowerShell execution policy
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force
function Invoke-ComputerSetup {
[CmdletBinding(DefaultParameterSetName='Parameter Set 1',
SupportsShouldProcess=$true,
PositionalBinding=$false,