Skip to content

Instantly share code, notes, and snippets.

@Neo23x0
Neo23x0 / log4j_rce_detection.md
Last active September 11, 2024 21:41
Log4j RCE CVE-2021-44228 Exploitation Detection

log4j RCE Exploitation Detection

You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228

Grep / Zgrep

This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders

sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
139.60.161.62
{"x64": {"md5": "76ea371a846882c14e1203da09dc6e11", "sha1": "208e53753c6435dcb02001d8a8c8f62fbb4ce79c", "time": 1618902720340.7, "config": {"DNS Sleep": 0, "Spawn To x64": "%windir%\\sysnative\\rundll32.exe", "Spawn To x86": "%windir%\\syswow64\\rundll32.exe", "C2 Server": "a.officecalendar.biz,\/owa\/", "Port": 443, "Beacon Type": "8 (HTTPS)", "Method 2": "GET", "Jitter": 20, "Header 2": "", "DNS Idle": "8.8.8.8", "HTTP Method Path 2": "\/OWA\/", "Max DNS": 235, "Header 1": "", "Method 1": "GET", "User Agent": "Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko)", "Polling": 30000, "Pipe Name": ""}, "sha256": "2f256a1b4af0453ae3b7468528e9a21bd767d1b4c8fd86f655e29b5f177215bb"}, "x86": {"md5": "8082ddcf750b84602c0ad0eeff6625c3", "sha1": "f9b4bb659d6c348d1fe8f6c5155831d4b91b8bce", "time": 1618902717665.6, "config": {"DNS Sleep": 0, "Spawn To x64": "%windir%\\sysnative\\rundll32.exe", "Spawn To x86": "%windir%\\syswow64\\rundll32.exe", "C2 Server": "a.officecalendar.biz,\/owa\/"
@MSAdministrator
MSAdministrator / mitre_att&ck_json_data_format_explanation.md
Created March 1, 2020 03:53
Explanation of the MITRE ATT&CK Data Format

MITRE ATT&CK Data Format

The MITRE ATT&CK JSON file is a flat JSON structure which is difficult to parse. To parse this JSON file, there are several different approaches but the type key is the, well, key!

The types within this JSON are the following (as well as the common wording used for this type):

  • attack-pattern (Techniques)
  • relationship (This is a unique type that contains relationships between types)
  • course-of-action (Mitigations)
  • identity (unused)
@Neo23x0
Neo23x0 / gen_godmode_rule.yml
Last active March 6, 2023 19:07
God Mode Sigma Rule
# ################################################################################
# IMPORTANT NOTE
# The most recent version of this POC rule can now be found in the main repository
# https://github.com/Neo23x0/sigma/blob/master/other/godmode_sigma_rule.yml
# ################################################################################
# _____ __ __ ___ __
# / ___/__ ___/ / / |/ /__ ___/ /__
# / (_ / _ \/ _ / / /|_/ / _ \/ _ / -_)
# \___/\___/\_,_/ /_/ /_/\___/\_,_/\__/_
# / __(_)__ ___ _ ___ _ / _ \__ __/ /__
@Neo23x0
Neo23x0 / iddqd.yar
Last active August 1, 2024 09:08
IDDQD - Godmode YARA Rule
/*
WARNING:
the newest version of this rule is now hosted here:
https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
*/
/*
_____ __ __ ___ __
@zbetcheckin
zbetcheckin / Google_dorks
Created August 25, 2016 22:24
Some google dorks useful in footprinting
Replace 'X' with the domain name of your choice
# Back link
link:X -site:X
# Sub domain
site:X -site:www.X
# Url
inurl:X -site:X
@atcuno
atcuno / gist:3425484ac5cce5298932
Last active November 8, 2024 00:20
HowTo: Privacy & Security Conscious Browsing

The purpose of this document is to make recommendations on how to browse in a privacy and security conscious manner. This information is compiled from a number of sources, which are referenced throughout the document, as well as my own experiences with the described technologies.

I welcome contributions and comments on the information contained. Please see the How to Contribute section for information on contributing your own knowledge.

Table of Contents