cbresponse’s gists

cbresponse / Regex_For_All_KQL.csv

Created August 11, 2021 03:55

One stop regex

We can make this file beautiful and searchable if this error is corrected: Illegal quoting in line 2.

	Name Regex plural_name Description Rarity URL Tags
	PGP Public Key ^(?:-----BEGIN PGP PUBLIC KEY BLOCK-----\n?(?:(?:(?:Version\|Comment\|MessageID\|Hash\|Charset):.)\n?)[a-zA-Z0-9\/\.\n\:\+\=]+-----END PGP PUBLIC KEY BLOCK-----)$ False 1 ["PGP"]
	PGP Private Key ^(?:-----BEGIN PGP PRIVATE KEY BLOCK-----\n?(?:(?:(?:Version\|Comment\|MessageID\|Hash\|Charset):.)\n?)[a-zA-Z0-9\/\.\n\:\+\=]+-----END PGP PRIVATE KEY BLOCK-----)$ False 1 ["PGP"]
	SSH RSA Public Key ^(ssh-rsa [A-Za-z0-9+/=]+ [^ \n]+)$ False 1 ["Credentials","SSH Public Key"]
	SSH ECDSA Public Key ^(ecdsa-sha2-nistp[0-9]{3} [A-Za-z0-9+/=]+ [^ \n]+)$ False 1 ["Credentials","SSH Public Key"]
	SSH ED25519 Public Key ^(ssh-ed25519 [A-Za-z0-9+/=]+ [^ \n]+)$ False 1 ["Credentials","SSH Public Key"]
	Access-Control-Allow-Header (?i)^(Access-Control-Allow: [a-z0-9\-*])$ False Used for [#CAE4F1][link=https://en.wikipedia.org/wiki/Cross-origin_resource_sharing]Cross-Origin Resource Sharing (CORS)[/link][/#CAE4F1] 1 ["Networking","Website"]
	TryHackMe Flag Form

cbresponse / CobaltStrike_IPs.txt

Last active September 6, 2021 07:25

CobaltStrike_IPs

cbresponse / Cobalt Strike Named Pipe Regex.csv

Created September 16, 2021 17:20 — forked from svch0stz/Cobalt Strike Named Pipe Regex.csv

Cobalt Strike Named Pipe Regex

	Regex	Source
	MSSE-[0-9a-f]{3}-server	Default Cobalt Strike Artifact Kit binaries
	status_[0-9a-f]{2}	Default psexec_psh
	postex_ssh_[0-9a-f]{4}	Default SSH beacon
	msagent_[0-9a-f]{2}	Default SMB beacon
	postex_[0-9a-f]{4}	Default Post Exploitation job (v4.2+)
	mojo.5688.8052.183894939787088877[0-9a-f]{2}	jquery-c2.4.2.profile
	mojo.5688.8052.35780273329370473[0-9a-f]{2}	jquery-c2.4.2.profile
	wkssvc[0-9a-f]{2}	jquery-c2.4.2.profile
	ntsvcs[0-9a-f]{2}	trick_ryuk.profile

cbresponse / scanning_cobaltstrike_config.csv

Created September 16, 2021 17:20 — forked from svch0stz/scanning_cobaltstrike_config.csv

scanning_cobaltstrike_config.csv

We can make this file beautiful and searchable if this error is corrected: Unclosed quoted field in line 5.

	ip,port,time_scanned,arch,Beacon Type,Port,Polling,Jitter,Max DNS,C2 Server,User Agent,HTTP Method Path 2,Header 1,Header 2,Injection Process,Pipe Name,Year,Month,Day,DNS Idle,DNS Sleep,Method 1,Method 2,Spawn To,Proxy Hostname,Proxy Username,Proxy Password,Proxy Access Type,CreateRemoteThread,Watermark
	185.20.186.108,443,1.62002E+12,x86,8 (HTTPS),443,5000,0,,"185.20.186.108,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",,/N4215/adj/amzn.us.sr.aps,,,,,,,,,,GET,POST,%windir%\syswow64\rundll32.exe,,,,,,1359593325
	185.20.186.108,443,1.62002E+12,x64,8 (HTTPS),443,5000,0,,"185.20.186.108,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",,/N4215/adj/amzn.us.sr.aps,,,,,,,,,,GET,POST,%windir%\sysnative\rundll32.exe,,,,,,1359593325
	213.202.211.246,80,1.62002E+12,x86,0 (HTTP),80,10000,5,,"213.202.211.246,/metro91/admin/1/ppptp.jpg",,/metro91/admin/1/secure.php,,,,,,,,,,GET,POST,%windir%\syswow64\rundll32.exe,,,,,,0
	213.202.211.246,80,1.62002E+12,x64,0 (HTTP),80,10000,5,,"213.202.211.246,/metr

cbresponse / Cobalt Strike - C2

Created September 19, 2021 07:17 — forked from MichaelKoczwara/Cobalt Strike - C2

Cobalt Strike/C2

cbresponse / omigod2.json

Created September 24, 2021 09:54

This file has been truncated, but you can view the full file.

	{
	"notice": {
	"program": "/usr/local/sbin/laurel",
	"action": "start",
	"euid": 996,
	"version": "0.1.2",
	"config": {
	"user": "_laurel",
	"directory": "/var/log/laurel",
	"auditlog": {

cbresponse / CyberChefOutput.txt

Created October 6, 2021 07:00