Skip to content

Instantly share code, notes, and snippets.

View Habib0x0's full-sized avatar
🎯
Focusing

Habib0x Habib0x0

🎯
Focusing
View GitHub Profile
@Habib0x0
Habib0x0 / centos8-9.sh
Last active July 27, 2023 14:29 — forked from yodermk/centos8-9.sh
Commands to live-upgrade CentOS Streams 8 -> 9
#
yum upgrade
reboot
dnf install epel-release
dnf install rpmconf
dnf install yum-utils
rpmconf -a # answer "n" to both things
package-cleanup --leaves
package-cleanup --orphans
dnf install https://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/Packages/centos-stream-release-9.0-12.el9.noarch.rpm https://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/Packages/centos-stream-repos-9.0-12.el9.noarch.rpm https://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/Packages/centos-gpg-keys-9.0-12.el9.noarch.rpm
title: Suspicious msdt.exe execution - Office Exploit
id: 97a80ed7-1f3f-4d05-9ef4-65760e634f6b
status: experimental
description: This rule will monitor suspicious arguments passed to the msdt.exe process. These arguments are an indicator of recent Office/Msdt exploitation.
references:
- https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
- https://twitter.com/MalwareJake/status/1531019243411623939
author: 'Matthew Brennan'
tags:
- attack.execution
@Habib0x0
Habib0x0 / zenbot_strategy.md
Created November 16, 2019 18:56 — forked from abelardojarab/zenbot_strategy.md
zenbot strategy

Current strategy

$  ./zenbot.sh trade gdax.eth-USD --trend_ema 20 -period 7m --max_slippage_pct 0.48 --poll_trades 6000 --order_poll_time 6000 --order_adjust_time 6000 --oversold_rsi_periods=1000 --oversold_rsi=1000 --rsi_periods=1100 --neutral_rate=0.1 --max_sell_loss_pct=0.85 --max_buy_loss_pct=5 --buy_pct=100 --sell_pct=100 --selector gdax.eth-usd  --markup_sell_pct 0.25  --markdown_buy_pct 0.00  --reset-profit

The role of buy & sell percentages (PCT)

@Habib0x0
Habib0x0 / setuid-root-backdoor.md
Created July 3, 2019 21:39 — forked from dergachev/setuid-root-backdoor.md
How to use setuid to install a root backdoor.

Why You Can't Un-Root a Compromised Machine

Let's say somebody temporarily got root access to your system, whether because you "temporarily" gave them sudo rights, they guessed your password, or any other way. Even if you can disable their original method of accessing root, there's an infinite number of dirty tricks they can use to easily get it back in the future.

While the obvious tricks are easy to spot, like adding an entry to /root/.ssh/authorized_keys, or creating a new user, potentially via running malware, or via a cron job. I recently came across a rather subtle one that doesn't require changing any code, but instead exploits a standard feature of Linux user permissions system called setuid to subtly allow them to execute a root shell from any user account from the system (including www-data, which you might not even know if compromised).

If the "setuid bit" (or flag, or permission mode) is set for executable, the operating system will run not as the cur

@Habib0x0
Habib0x0 / README.md
Created March 24, 2018 05:06 — forked from hofmannsven/README.md
My simply MySQL Command Line Cheatsheet