Skip to content

Instantly share code, notes, and snippets.

@Neo23x0
Last active July 30, 2023 12:19
Show Gist options
  • Save Neo23x0/684c8807d3872b6c7045e0498b28f2fe to your computer and use it in GitHub Desktop.
Save Neo23x0/684c8807d3872b6c7045e0498b28f2fe to your computer and use it in GitHub Desktop.
Offensive Research Guide to Help Defense Improve Detection

I've transformed this gist into a git repository.


Whenever you research a certain vulnerability ask yourself these questions and please answer them for us

Logging

Does the exploited service write a log?
(check ls -lrt /var/log or lsof +D /var/log/ or lsof | grep servicename)

Does a system service write a log?
(e.g. check with tail -f /var/log/messages)

Does it write an event in that log for an exploitation attempt?

Does additional logging/configuration requires enabling? (e.g. access logs need to be configured to include uri_query)

Does it write an event in case of successful exploitation?

Does that log line contain specific values that shouldn't normally appear in similar log lines?
(e.g. empty source address, uncommon characters)

Please include an example log line

Other Traces

Does exploitation generate other events that are directly caused by my actions? (e.g. user login)

Does exploitation create temporary files? (e.g. an XML in a temp folder)

Provide Help

Could you provide simple shell commands to check if someone has previously expolited that vulnerability?
(e.g. egrep "specific-url" /var/log/service.log, zgrep "specific-url" /var/log/service/*.gz)

Could you provide a quick fix that can block explots until the vendor provides a solution?
(e.g. add line in server-side script to drop all requests that contain ":;" in their User-Agent field)

@ruppde
Copy link

ruppde commented Jan 20, 2023

sounds like the specification sheet for a future tool ;)

run tool
run exploit
run tool
upload zip

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment