| # This is a Python script that let you arrange | |
| # files into a folder for each extension. Actually | |
| # I lied, this script is not about file extension | |
| # but about a file's mime type. So, in case there | |
| # are files that has no extension this script can | |
| # predict what the file's extension could be. | |
| # However, the only requirement is that file need | |
| # to be able to be read by the computer's OS. For | |
| # example image files usually has no problem with | |
| # this script also with other media files. But, |
| ########## | |
| # Tweaked Win10 Initial Setup Script | |
| # Primary Author: Disassembler <disassembler@dasm.cz> | |
| # Primary Author Source: https://github.com/Disassembler0/Win10-Initial-Setup-Script | |
| # Tweaked Source: https://gist.github.com/alirobe/7f3b34ad89a159e6daa1/ | |
| # | |
| # If you're a power user looking to tweak your machinea, or doing larger roll-out.. | |
| # Use the @Disassembler0 script instead. It'll probably be more up-to-date than mine: | |
| # https://github.com/Disassembler0/Win10-Initial-Setup-Script | |
| # |
You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228
This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders
sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log| /* | |
| WARNING: | |
| the newest version of this rule is now hosted here: | |
| https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar | |
| */ | |
| /* | |
| _____ __ __ ___ __ |
| # IMPORTANT! | |
| # This gist has been transformed into a github repo | |
| # You can find the most recent version there: | |
| # https://github.com/Neo23x0/auditd | |
| # ___ ___ __ __ | |
| # / | __ ______/ (_) /_____/ / | |
| # / /| |/ / / / __ / / __/ __ / | |
| # / ___ / /_/ / /_/ / / /_/ /_/ / | |
| # /_/ |_\__,_/\__,_/_/\__/\__,_/ |
| Environment Variable | Path |
|---|---|
%ALLUSERSPROFILE% |
C:\Documents and Settings\All Users |
%APPDATA% |
C:\Documents and Settings{username}\Application Data |
%COMMONPROGRAMFILES% |
C:\Program Files\Common Files |
%COMMONPROGRAMFILES(x86)% |
C:\Program Files (x86)\Common Files |
| name: Custom.Winlogbeat.Deploy | |
| description: | | |
| Quick and dirty way to deploy Winlogbeat via Velociraptor | |
| # Can be CLIENT, CLIENT_EVENT, SERVER, SERVER_EVENT | |
| type: CLIENT | |
| parameters: | |
| - name: binaryURL | |
| default: http://url.to/winlogbeat.exe | |
| - name: installPath | |
| default: C:\Program Files\winlogbeat |
| <?xml version="1.0" encoding="UTF-8"?> | |
| <Annotations start="0" num="171" total="171"> | |
| <Annotation about="www.bussink.net/*" timestamp="0x0005d7bc4022b026" href="ChF3d3cuYnVzc2luay5uZXQvKhCm4IqBxPf1Ag"> | |
| <Label name="_cse_turlh5vi4xc"/> | |
| <AdditionalData attribute="original_url" value="https://www.bussink.net/"/> | |
| </Annotation> | |
| <Annotation about="*.thedfirreport.com/*" timestamp="0x0005d76dd5f8679d" href="ChUqLnRoZWRmaXJyZXBvcnQuY29tLyoQnc_hr93t9QI"> | |
| <Label name="_cse_turlh5vi4xc"/> | |
| <AdditionalData attribute="original_url" value="https://thedfirreport.com/"/> | |
| </Annotation> |
| Regex | Source | |
|---|---|---|
| MSSE-[0-9a-f]{3}-server | Default Cobalt Strike Artifact Kit binaries | |
| status_[0-9a-f]{2} | Default psexec_psh | |
| postex_ssh_[0-9a-f]{4} | Default SSH beacon | |
| msagent_[0-9a-f]{2} | Default SMB beacon | |
| postex_[0-9a-f]{4} | Default Post Exploitation job (v4.2+) | |
| mojo.5688.8052.183894939787088877[0-9a-f]{2} | jquery-c2.4.2.profile | |
| mojo.5688.8052.35780273329370473[0-9a-f]{2} | jquery-c2.4.2.profile | |
| wkssvc[0-9a-f]{2} | jquery-c2.4.2.profile | |
| ntsvcs[0-9a-f]{2} | trick_ryuk.profile |