#!/bin/bash
# Print a fixed greeting to stdout (printf avoids echo's option/escape quirks).
printf '%s\n' "hello i'm michael"
-- Known hashes of the backdoored SolarWinds.Orion.Core.BusinessLayer.dll; Ref: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
| Sha256 in ( "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77, dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b, eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed, c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77, ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6, a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc, d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af" ) | |
-- Known SUNBURST domains produced by the subdomain generation algorithm; Ref: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
| URL In Contains AnyC |
# Check this folder for .asp files: C:\inetpub\wwwroot\aspnet_client\system_web
| # Using SHA256 for file hash checking | |
# Uncomment the following line to watch this script's progress step by step. Not required for automation.
| # $VerbosePreference = "Continue" | |
# "-RunAsAdministrator" is required: admin privileges are needed to read the log paths.
| $KnownBadSHA256 = "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0","097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e","2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1","65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5","511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1","4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea","811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d","1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944" | |
| write-verbose "Checking C:\inetpub\wwwroot\aspnet_client for extra files" |
| $KnownBadIPs = "103.77.192.219", "104.140.114.110", "104.250.191.110", "108.61.246.56", "149.28.14.163", "157.230.221.198", "167.99.168.251", "185.250.151.72", "192.81.208.169", "203.160.69.66", "211.56.98.146", "5.254.43.18", "80.92.205.81", "165.232.154.116", "89.34.111.11", "86.105.18.116", "112.68.212.214", "124.46.192.149", "37.147.230.142", "61.78.141.128", "212.69.1.194", "88.157.2.183", "121.153.83.248", "60.246.26.200", "210.223.169.77", "183.173.113.166", "23.240.201.239", "118.218.186.184", "77.122.10.183", "46.101.232.43", "45.157.53.13", "110.39.192.162" | |
| $files = Get-ChildItem -Recurse "C:\inetpub\logs\LogFiles\*.log" | |
| foreach($file in $files) | |
| { | |
| Write-Host "Reading files" | |
| Write-Host $file.Name | |
| $ReadFile = Get-Content -Path $file | |
| foreach($BadIP in $KnownBadIPs) { |