silence-is-best
silence-is-best
/ gist:60994e87c9c19afe71dfbd84da07666a
Created
September 1, 2021 17:23
Dridex opendir
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| https://ajwinledlights.com/images/product/ballast/ | |
| https://decorasales.com/data1/images/ | |
| https://ivanjezler.com/scripts/fontawesome-free-5.14.0-web/svgs/brands/ | |
| https://offersloot.com/wp-content/themes/couponhut/demo-content/demo-1/ | |
| https://shreejitextiles.co.in/img/p1/ | |
| https://supreemsurgicals.com/vendors/revolution/fonts/revicons/ |
silence-is-best
/ gist:ea0efbdefcf3eba8e3537ffa8bc375cf
Created
September 1, 2021 15:38
August 2021 Malspam Campaigns
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Date,Details,Email Payload Type,Users Targeted | |
| 8/1/2021,DHL Express Courier Pickup Confirmation PRG210802065655; rar -> xloader,Attachment,4 | |
| 8/2/2021,Re: Purchase Order from Flow Solution Sdn Bhd; doc -> avemaria,Attachment,4 | |
| 8/2/2021,Re: Follett: Nugget Ice Machines - Ice Dispensers for Coffee Applications - Ice Bagging Systems; zip -> doc -> bazaloader,Attachment,16 | |
| 8/2/2021,Subject starts with COVID-19; xlsm -> rustybuer continued to 8/4,Attachment,7 | |
| 8/3/2021,DHL Shipment Notification; zip -> xloader,Attachment,2 | |
| 8/3/2021,Subjects contain DocuSign, DEAPA.COM .com sender; link -> hancitor,Link,5812 | |
| 8/3/2021,Attachment name is p.o contract #007676.r01; r01 -> xloader continued to 08/06,Attachment,4 | |
| 8/4/2021,OOCL Arrival Notice At Final Destination: OOLU2032308386 | COSCO IT- 047E; zip -> agenttesla,Attachment,3 | |
| 8/4/2021,Attachment names start with scan_|details-|document_; docx -> dridex,Attachment,4 |
silence-is-best
/ gist:e20eef5fcbca7d24974c31154f8fffac
Created
August 12, 2021 20:44
StealBit suricata snort
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| alert tcp any any -> any $HTTP_PORTS (msg:"Stealbit Data Exfil"; flow:to_server,established; content:"POST"; http_method; content:"&filesize="; content:"&framesize="; content:"&framenum="; content:"&filecrc="; content:"&filename="; content:"&pcname="; classtype:trojan-activity; sid:20166338; rev:3; metadata:created_at 2021_08_12;) |
silence-is-best
/ gist:71b21301e13d564cd467e3977af64ed1
Created
August 10, 2021 20:07
More dridex open directories
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| https://bentoecompanhia.seusite.jp/res/emailtemplates/ | |
| https://crm.saleseos.com/assets_rectangular/js/plugins/editors/ace/ | |
| https://elearning.thegurukulonline.com/class_8/Computer/ | |
| https://essennvalves.in/essennvalves.in/plugins/material-design-iconic-font/css/ | |
| https://glasstryon.com/webcamjs/flash/com/adobe/images/ | |
| https://impelzone.com/img/intro-carousel/ | |
| https://ishaninfocom.com/images/Newimage/ | |
| https://multiangle.prodesigners.uk/v2/js/main/ | |
| https://nyshajewels.in/images/Jewels/ | |
| https://pikton.in/Explore/dds/css/ |
silence-is-best
/ gist:5ad67a155c221d95a1aa19c272c73478
Created
August 9, 2021 14:08
More dridex opendir
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| http://investigacion.seguridadypc.com.mx/wp-includes/sodium_compat/namespaced/Core/ChaCha20/ | |
| http://assettagger.saleseos.com/Classes/PHPExcel/Shared/JAMA/examples/ | |
| http://maasaifarms.com/wp-content/plugins/all-in-one-wp-migration/lib/controller/ | |
| http://pompeevfx.in/scripts/ | |
| http://rupinis.club/amcerp/public/integration/select2/css/ | |
| http://za.schoolplus.pk/availability/condition/completion/lang/en/ | |
| botnet 22201 | |
| 103.75.201.2:443 |
silence-is-best
/ gist:3dc296449c19dea695fb1a2de663218d
Last active
October 25, 2021 11:10
An Open Letter to CorySecurity regarding CobaltStrike
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Team, | |
| In light of recent understanding in the use of your product, Cobaltstrike, in ransomware engagements I've felt compelled to write this. I'm not going to flower this up, so I'll jump right to it. | |
| What I'm asking for: | |
| For CoreSecurity to evaluate the human cost versus the company profits of CobaltStrike. | |
| For CoreSecurity to at least internally acknowledge that CobaltStrike is now an integral part of the ransomware ecosystem. | |
| For CoreSecurity to provide assistance to incident responders. | |
| For CoreSecurity to implement additional controls and mitigations (suggestions below) on CobaltStirke. | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.supportxmr.com:3333 --user=8BVAmx5gUCZENoA6QM26MS7rtdvkKQGjz3KdzP3RM1vrAoWycnk7cSMZBUBXUFgJCxWES1myqaHvUYqnwjJnf2Au2crY2Vm --pass=FckISRAIL --cpu-max-threads-hint=60 --cinit-idle-wait=5 --cinit-idle-cpu=100 | |
| https://sanctam.net:58899/assets/txt/resource_url.php?type=xmrig |
silence-is-best
/ gist:a3845bb05b3f9a5e2f357f414b39e23a
Created
August 6, 2021 11:12
Raw zip snort suricata sig
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| alert tcp any any -> any !$HTTP_PORTS (msg:"Zip header over non-http port"; flow:established,to_server; content:"|50 4b 03 04|"; fast_pattern; within:4; reference:url,twitter.com/3xp0rtblog/status/1423531282676559875; classtype:trojan-activity; sid:20166337; rev:1; metadata:created_at 2021_08_06;) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @ECHO OFF | |
| SETLOCAL EnableDelayedExpansion | |
| :ETHERNET | |
| SET adapterName= | |
| FOR /F "tokens=* delims=:" %%a IN ('IPCONFIG ^| FIND /I "ETHERNET ADAPTER"') DO ( | |
| SET adapterName=%%a |
silence-is-best
/ gist:a4e12583614cde614a72154c1ac6ca79
Created
August 4, 2021 17:07
RustyBuer docm cchef
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| https://gchq.github.io/CyberChef/#recipe=Find_/_Replace(%7B'option':'Simple%20string','string':'),'%7D,',',true,false,true,false)Find_/_Replace(%7B'option':'Simple%20string','string':')'%7D,',',true,false,true,false)Remove_whitespace(true,true,true,true,true,false)From_Decimal('Comma',false)From_Base64('A-Za-z0-9%2B/%3D',true)Decode_text('UTF-16LE%20(1200)')From_Base64('A-Za-z0-9%2B/%3D',true)Decode_text('UTF-16LE%20(1200)') |