by Proofpoint
by Austin Hudson
I've transformed this gist into a git repository.
Whenever you research a certain vulnerability, ask yourself these questions and please answer them for us:
Does the exploited service write a log?
(check: ls -lrt /var/log, lsof +D /var/log/, or lsof | grep servicename)
https://thedfirreport.com/
https://www.zerodayinitiative.com/blog/
https://codewhitesec.blogspot.com/
https://www.digitalshadows.com/blog-and-research/
https://blog.talosintelligence.com/
https://www.riskiq.com/blog/
https://www.sekoia.io/en/blog-sekoia-io/
https://www.nextron-systems.com/blog/
https://www.microsoft.com/security/blog/
https://blog.truesec.com/
# ################################################################################
# IMPORTANT NOTE
# The most recent version of this POC rule can now be found in the main repository
# https://github.com/Neo23x0/sigma/blob/master/other/godmode_sigma_rule.yml
# ################################################################################
# _____ __ __ ___ __
# / ___/__ ___/ / / |/ /__ ___/ /__
# / (_ / _ \/ _ / / /|_/ / _ \/ _ / -_)
# \___/\___/\_,_/ /_/ /_/\___/\_,_/\__/_
# / __(_)__ ___ _ ___ _ / _ \__ __/ /__
#!/bin/bash
# - Matches on source and compiled code
# - Searches in user home directories by default
# - Detects certain strings in files smaller than 300 kbyte
# - Does not print anything if nothing was found
# - Appends the file's time stamp of the files in question > good indicator to spot false positives
# - Should work on most Linux systems with bash
# Old version (needs 'strings'; word-splits on file names containing whitespace)
# for f in $(find /home/ -type f -size -300 2> /dev/null); do if [[ $(strings -a "$f" 2> /dev/null | egrep "/proc/(self|%d)/(mem|maps)") != "" ]];then m=$(stat -c %y $f); echo "Contains DirtyCOW string: $f MOD_DATE: $m"; fi; done;
# Current version:
# - -size -300k is the 300 kbyte limit described above (a bare -300 means 512-byte blocks, i.e. ~150 kbyte)
# - -print0 / read -d '' handle file names with spaces or newlines
# - grep -a searches binaries directly, so 'strings' is no longer needed; -q keeps output silent on a hit
find /home/ -type f -size -300k -print0 2> /dev/null | while IFS= read -r -d '' f; do
    if grep -aqE "/proc/(self|%d)/(mem|maps)" "$f" 2> /dev/null; then
        m=$(stat -c %y "$f")
        echo "Contains DirtyCOW string: $f MOD_DATE: $m"
    fi
done
import hashlib
import re
def calculate_rule_hash(rule):
    """
    Calculates a hash over the relevant YARA rule content (string contents, sorted condition)
    Requires a YARA rule object as generated by 'plyara': https://github.com/plyara/plyara
    :param rule: yara rule object
    :return hash: generated hash
    """
import hashlib
import re
import plyara
# Florian Roth, Christian Burkard
# Version 3.0
# January 2023
#
# Known issues: fails in some cases in which 'private' rules are used
#!/usr/bin/env python
# -*- coding: iso-8859-1 -*-
# -*- coding: utf-8 -*-
#
# Wordpress Watcher
# Automating WPscan to scan and report vulnerable Wordpress sites
# Florian Roth
# v0.1
# March 2015
#
#!/bin/bash -x
# Posts a Slack notification for an interactive SSH login: host, user, source IP and GeoIP lookup.
# SSH_CONNECTION is set by sshd as "client_ip client_port server_ip server_port";
# the first field is the client address (parameter expansion avoids an extra echo/cut pipeline).
hostname=$(hostname)
source=${SSH_CONNECTION%% *}
geo=$(geoiplookup "$source")
# Replace the placeholder URL with your own incoming webhook before use.
curl -X POST --silent --data "payload={\"text\": \":bust_in_silhouette: SYSTEM: $hostname USER: $USER SOURCE: $source GEO: $geo\"}" https://hooks.slack.com/services/XXXXXXXX_YOURHOOK_XXXXX > /dev/null