mrz-secops-offsec jonz-secops

Base64 Patterns - Learning Aid

Base64 Code	Mnemonic Aid	Decoded*	Description
`JAB`	🗣 Jabber	`$.`	Variable declaration (UTF-16)
`TVq`	📺 Television	`MZ`	MZ header
`SUVY`	🚙 SUV	`IEX`	PowerShell Invoke Expression
`SQBFAF`	🐣 Squab favorite	`I.E.`	PowerShell Invoke Expression (UTF-16)
`SQBuAH`	🐣 Squab uahhh	`I.n.`	PowerShell Invoke string (UTF-16) e.g. `Invoke-Mimikatz`
`PAA`	💪 "Pah!"	`<.`	Often used by Emotet (UTF-16)

This section aims to provide the detections released by security companies to detect the malwares / files linked to SolarWinds supply-chain compromise events. We kindly remind you that this detections signatures could / will evolve in the next days, stays updated by checking the vendors resources to have the last information.

SolarWinds in a support article now removed, asked the organizations to exclude SolarWinds products paths of the anti-virus scans. If it is an understandable practice to not impact SolarWinds products functions, the following detections will not work if the installation paths exclusions are not removed first.

	# Run cvemap with our desired flags and output to json
	# I needed to run this with cvemap version 0.0.2 as 0.0.3 broke the ability to pipe to a file for whatever reason
	.\cvemap.exe -severity=critical -severity=high -es '> 0.01' -poc=true -l 1000 -json > new_vulns.json

	# Paths to the JSON files
	$newJsonFilePath = "new_vulns.json"
	$databaseJsonFilePath = "cve_database.json"

	# Read the newly fetched JSON file
	$newJsonContent = Get-Content -Path $newJsonFilePath \| ConvertFrom-Json

	# Here are some domains I block to interfere with DNS-over-HTTPS, so that my own DNS-based security schemes work.
	# If you're going to be doing this, you should probably block all outbound 53, 853, and 5353 on your network,
	# except from your own internal DNS resolver (eg. pihole)
	#
	# Data from https://github.com/curl/curl/wiki/DNS-over-HTTPS

	one.one.one.one
	canadianshield.cira.ca
	doh.dns.sb
	dnsforge.de

	From self[at]sungpae.com Mon Nov 8 16:59:48 2021
	Date: Mon, 8 Nov 2021 16:59:48 -0600
	From: Sung Pae <self[at]sungpae.com>
	To: [email protected]
	Subject: Permissive forwarding rule leads to unintentional exposure of
	containers to external hosts
	Message-ID: <YYmr4l1isfH9VQCn@SHANGRILA>
	MIME-Version: 1.0
	Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="QR1yLfEBO/zgxYVA"

	/*
	* Clean all the detected metadata properties from Word, Excel,
	* PowerPoint, PDF, and other documents using C#
	*/
	using (Metadata metadata = new Metadata("filePath/document.pdf"))
	{
	var affected = metadata.Sanitize();
	metadata.Save("filePath/output.pdf");
	}

	# Add these contents to ~/.config/fish/config.fish
	# If using Brew, config.fish is located in /usr/local/Cellar/fish/[version]/etc/fish/
	# Generally recommend using the installer from https://fishshell.com instead of brew
	# to avoid version updates overwriting the config file

	# Start or re-use a gpg-agent.
	gpgconf --launch gpg-agent

	# Ensure that GPG Agent is used as the SSH agent
	set -e SSH_AUTH_SOCK

	<!DOCTYPE NETSCAPE-Bookmark-file-1>
	<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8">
	<TITLE>Bookmarks</TITLE>
	<H1>Bookmarks</H1>
	<DL><p>
	<dt><a href="https://splunkbase.splunk.com/">Splunkbase</a>
	<dt><a href="https://git.io/splhighlighter">Splunk Highlighter</a>
	<dt><a href="http://regex101.com/">regex101.com</a>
	<dt><a href="http://strftime.net/">strftime.net</a>
	<DT><H3 ADD_DATE="1551742873" LAST_MODIFIED="1553513798">.Conf Files</H3>