# IP addresses and domains that have been observed in Log4j (CVE-2021-44228) exploit attempts. Indicators are defanged with `[.]` — restore the dots before loading them into a blocklist or detection. Triage each entry before acting on it: a hostname such as kryptoslogic-cve-2021-44228[.]com (a vendor name plus the CVE id) looks like a researcher scanning/callback domain rather than attacker infrastructure, and these are point-in-time observations that may no longer be live.
134[.]209[.]26[.]39
199[.]217[.]117[.]92
pwn[.]af
188[.]120[.]246[.]215
kryptoslogic-cve-2021-44228[.]com
nijat[.]space
45[.]33[.]47[.]240
31[.]6[.]19[.]41
from dissect.cstruct import cstruct | |
defender_def= """ | |
struct QuarantineEntryFileHeader { | |
CHAR MagicHeader[4]; | |
CHAR Unknown[4]; | |
CHAR _Padding[32]; | |
DWORD Section1Size; | |
DWORD Section2Size; | |
DWORD Section1CRC; |
// Section 1 of a Defender quarantine entry: the entry/scan identifiers and the
// detection metadata. Only the layout is established by this definition; the
// meaning of each field beyond its name should be verified against real samples.
struct QuarantineEntrySection1 { | |
// 16-byte identifier of the quarantine entry (per the field name)
CHAR Id[16]; | |
// 16-byte identifier of the scan that produced the entry (per the field name)
CHAR ScanId[16]; | |
// 64-bit timestamp; NOTE(review): presumably a Windows FILETIME — confirm
QWORD Timestamp; | |
// 64-bit threat identifier (per the field name)
QWORD ThreatId; | |
// NOTE(review): the name suggests this is always 1 — confirm before relying on it
DWORD One; | |
// Unsized CHAR array: cstruct reads this as a NUL-terminated string, so it is
// the variable-length tail of the section
CHAR DetectionName[]; | |
}; |
# Detection for Hook/ERMAC mobile malware | |
# Rule 1 - HTTP check-in: a POST whose normalized URI is exactly
# "/php/<1-21 lowercase alphanumerics>.php/". The isdataat:!1,relative after
# ".php/" asserts nothing follows it, and the /U pcre anchors both ends, so
# longer or differently-shaped paths do not match. Scoped to
# $HOME_NET -> $EXTERNAL_NET and limited to one alert per source host per hour.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"FOX-SRT - Mobile Malware - Possible Hook/ERMAC HTTP POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/php/"; depth:5; content:".php/"; isdataat:!1,relative; fast_pattern; pcre:"/^\/php\/[a-z0-9]{1,21}\.php\/$/U"; classtype:trojan-activity; priority:1; threshold:type limit,track by_src,count 1,seconds 3600; metadata:ids suricata; metadata:created_at 2023-06-02; metadata:updated_at 2023-06-07; sid:21004440; rev:2;) | |
# Rule 2 - websocket frame: first payload byte 0x81 (FIN + text opcode) and the
# MASK bit (0x80) set in the second byte, i.e. a masked client-to-server frame.
# Those two checks are generic for any websocket client; the Hook-specific
# matching is delegated to hook.lua, so that script must be on Suricata's rule
# path with Lua support enabled or the rule fails to load.
# NOTE(review): unlike rule 1 there is no flow keyword, so this is evaluated on
# every packet of every outbound TCP stream; adding
# flow:established,to_server; would reduce load without changing what it finds.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FOX-SRT - Mobile Malware - Possible Hook Websocket Packet Observed (login)"; content:"|81|"; depth:1; byte_test:1,&,0x80,1; luajit:hook.lua; classtype:trojan-activity; priority:1; threshold:type limit,track by_src,count 1,seconds 3600; metadata:ids suricata; metadata:created_at 2023-06-02; metadata:updated_at 2023-06-07; sid:21004441; rev:2;) |
--[[ | |
Author: FOX-SRT | |
created_at: 2023-06-02 | |
updated_at: 2023-06-07 | |
revision: 2 | |
Script to check for Hook-like websocket packets. | |
For a websocket packet, the first two bytes of the TCP payload form the base websocket frame header (FIN/opcode byte, then the MASK bit plus a 7-bit payload length).
When the MASK bit is set (as it must be for client-to-server frames), the next 4 bytes are the XOR masking key applied to the remainder of the payload. Note this offset only holds when the 7-bit length is below 126; for larger frames 2 or 8 extended-length bytes sit between the header and the key.
# Detection for the exploitation of CVE-2022-36537 (ZK Java Framework) | |
# Stage 1 (flowbit setter): a POST to /zkau/upload whose normalized URI carries
# the uuid=, sid= and dtid= parameters. It sets fox.cve.2022-36537, which the
# companion response rule checks to decide whether the attempt looked
# successful. Priority 3 because the request alone only shows an attempt.
# Limited to one alert per source host per hour.
# NOTE(review): content:"nextURI=" has no http_uri modifier, so it is matched
# against the raw payload rather than the URI buffer. It still matches (the
# request line is in the payload) but would also match the string anywhere in
# the body; if the parameter is expected in the query string, add http_uri for
# consistency with the preceding contents.
alert tcp any any -> any any (msg:"FOX-SRT - Flowbit - CVE-2022-36537 Exploitation Attempt Observed"; flow:established, to_server; content:"POST"; http_method; content:"/zkau/upload"; http_uri; fast_pattern; content:"uuid="; http_uri; content:"sid="; http_uri; content:"dtid="; http_uri; content:"nextURI="; flowbits:set, fox.cve.2022-36537; threshold:type limit, track by_src, count 1, seconds 3600; classtype:web-application-attack; metadata:CVE 2022-36537; metadata:created_at 2023-01-13; priority:3; sid:21004354; rev:1;) | |
alert tcp any any -> any any (msg:"FOX-SRT - Exploit - CVE-2022-36537 Possible Successful Exploitation Observed"; flow:established, from_server; flowbits:isset, fox.cve.2022-36537; content:"200"; http_stat_code; content:!"<title>Upload Result</title>"; threshold:type limit, track by_dst, count 1, seconds 3600; classtype:web-application-attack; metadata:CVE 2022-36537; metadata:created_at 2023-01-13; priority:1; sid:21004355 |
# Detection for Godzilla webshell variant and SimpleHTTPServerWithUpload | |
# Server -> client responses whose Server header announces the
# SimpleHTTPWithUpload Python script (an upload-capable ad-hoc HTTP server).
# Classified bad-unknown/priority 2: its presence is suspicious, not proof of
# compromise. One alert per destination host per 10 minutes.
alert tcp any any -> any any (msg:"FOX-SRT - Suspicious - Python SimpleHTTPServerWithUpload Observed"; flow:established, from_server; content:"Server: SimpleHTTPWithUpload/"; http_header; threshold: type limit, track by_dst, count 1, seconds 600; classtype:bad-unknown; metadata:created_at 2023-01-06; priority:2; sid:21004337; rev:1;) | |
# Request leg of a two-stage pair: any request whose normalized URI contains
# /zkau/jquery sets fox.zkau.webshell for the companion response rule. The
# threshold tracks by destination, i.e. one alert per targeted server per
# 10 minutes, regardless of how many sources hit it.
# NOTE(review): the match is a bare path substring; confirm against baseline
# traffic from legitimate ZK deployments before raising its priority.
alert tcp any any -> any any (msg:"FOX-SRT - IOC - Godzilla Variant ZK Web Shell Request Observed"; flow:established, to_server; content:"/zkau/jquery"; http_uri; threshold:type limit, track by_dst, count 1, seconds 600; flowbits:set, fox.zkau.webshell; classtype:trojan-activity; metadata:created_at 2023-01-09; priority:3; sid:21004344; rev:1;) | |
alert tcp any any -> any any (msg:"FOX-SRT - Webshell - Godzilla Variant ZK Web Shell Response Observed"; flow:established, from_server; flowbits:isset, fox.zkau.webshell; content:"200"; http_stat_code; threshold:type limit, track by_src, count 1, seconds 600; classty |
// | |
// Decompiled by Procyon v0.6.0 | |
// | |
package org.gjt.mm.mysql; | |
import java.sql.DriverPropertyInfo; | |
import java.sql.Connection; | |
import java.util.Properties; | |
import java.util.logging.Logger; |
rdx_en_date | rdx_en_stamp | vhash | version
---|---|---|---
2018-08-25 03:29:12 | 1535167752 | | 12.1-49.23
2018-10-16 17:54:20 | 1539712460 | | 12.1-49.37
2018-11-28 08:56:26 | 1543395386 | 26df0e65fba681faaeb333058a8b28bf | 12.1-50.28
2019-01-18 17:41:34 | 1547833294 | d3b5c691a4cfcc6769da8dc4e40f511d | 12.1-50.31
2019-02-13 06:11:52 | 1550038312 | 1ffe249eccc42133689c145dc37d6372 |
2019-02-27 09:30:02 | 1551259802 | 995a76005c128f4e89474af12ac0de66 | 12.1-51.16
2019-03-25 22:37:08 | 1553553428 | d2bd166fed66cdf035a0778a09fd688c | 12.1-51.19
2019-04-19 11:04:22 | 1555671862 | 489cadbd8055b1198c9c7fa9d34921b9 |
2019-05-13 17:41:47 | 1557769307 | 86b4b2567b05dff896aae46d6e0765bc | 13.0-36.27
# Detects possible successful exploitation of Log4j | |
# JNDI LDAP/RMI Request to External | |
# Outbound anonymous LDAP simple bind. A 14-byte BindRequest whose last 7 bytes
# are INTEGER 3 (|02 01 03|, LDAPv3), an empty name (|04 00|) and an empty
# simple-auth choice (|80 00|); dsize:14, offset:7 and isdataat:!1,relative pin
# exactly that packet while leaving the leading SEQUENCE/messageID bytes free
# to vary. A Java JNDI lookup against an attacker-controlled LDAP server opens
# with this bind, so an internal host ($HOME_NET) sending it to $EXTERNAL_NET
# is the signal. No port is given because rogue LDAP servers listen anywhere.
# One alert per source host per hour.
# NOTE(review): hosts that legitimately bind anonymously to external LDAP
# directories will trip this; tune with a pass rule or a per-host threshold.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FOX-SRT - Exploit - Possible Rogue JNDI LDAP Bind to External Observed (CVE-2021-44228)"; flow:established, to_server; dsize:14; content:"|02 01 03 04 00 80 00|"; offset:7; isdataat:!1, relative; threshold:type limit, track by_src, count 1, seconds 3600; classtype:bad-unknown; priority:1; metadata:created_at 2021-12-11; sid:21003738; rev:2;) | |
# Outbound Java RMI: the RMI wire protocol stream opens with the magic "JRMI"
# (see the referenced Oracle protocol spec), matched within the first 4 bytes
# of the client's payload. Same direction and one-per-source-per-hour limit
# as the LDAP rule; any internal host starting an RMI session with the
# outside is unusual enough to alert on at priority 1.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FOX-SRT - Exploit - Possible Rogue JRMI Request to External Observed (CVE-2021-44228)"; flow:established, to_server; content:"JRMI"; depth:4; threshold:type limit, track by_src, count 1, seconds 3600; classtype:bad-unknown; priority:1; reference:url, https://docs.oracle.com/javase/9/docs/specs/rmi/protocol.html; metadata:created_at 2021-12-11; sid:21003739; rev:1;) | |
# Detecting inbound java shortly after exploitation attempt | |
alert tcp any any -> $HOME_NET any (msg: "FOX-SRT - Expl |