Skip to content

Instantly share code, notes, and snippets.


SwitHak SwitHak

View GitHub Profile
SwitHak /
Last active Apr 23, 2022
BlueTeam CheatSheet * Spring4Shell* | Last updated: 2022-04-16 1722 UTC
SwitHak /
Last active Jun 28, 2022
BlueTeam CheatSheet * Log4Shell* | Last updated: 2021-12-20 2238 UTC

Security Advisories / Bulletins / vendors Responses linked to Log4Shell (CVE-2021-44228)

Errors, typos, something to say ?

  • If you want to add a link, comment or send it to me
  • Feel free to report any mistake directly below in the comment or in DM on Twitter @SwitHak

Other great resources

  • Royce Williams list sorted by vendors responses Royce List
  • Very detailed list NCSC-NL
  • The list maintained by U.S. Cybersecurity and Infrastructure Security Agency: CISA List
SwitHak /
Last active Mar 15, 2021
BlueTeam CheatSheet * SolarWinds Events* | Last updated: 2020-12-24 1334 UTC

SolarWinds Supply-chain Compromises



  • This section aims to provide the detections released by security companies to detect the malwares / files linked to SolarWinds supply-chain compromise events. We kindly remind you that this detections signatures could / will evolve in the next days, stays updated by checking the vendors resources to have the last information.


  • SolarWinds in a support article now removed, asked the organizations to exclude SolarWinds products paths of the anti-virus scans. If it is an understandable practice to not impact SolarWinds products functions, the following detections will not work if the installation paths exclusions are not removed first.

Security Products

SwitHak /
Last active Mar 15, 2021
BlueTeam CheatSheet * BootHole * | Last updated: 2020-08-13 1957 UTC

CVE-2020-10713 AKA BootHole

  • Logo
  • Cool Name : BootHole


  • GRUB2 -> GRand Unified Bootloader version 2 -Don't hurry up on the patches, RedHat have some bug within and also test before production. -It's a cool vuln, cool name, cool logo, but take your time to test the patches, boot isn't something you patching every month, take care !
  • TBD
SwitHak /
Last active Sep 29, 2020
BlueTeam CheatSheet * July Patch Priorities * TW2LWIML | Last updated: 2020-07-31 0013 UTC

July Patch Priorities

Patching priority:


  • SHITRIX-II (Critical, Exploited)
  • F5 BigIP (Critical, Exploited)
  • SAPRecon (Critical, Exploited)
  • ASA & FTD CVE-2020-3452 (High, Exploited)
  • SIGRed CVE-2020-1350 (Critical, Exploit available (DoS))
SwitHak /
Last active Apr 28, 2022
BlueTeam CheatSheet * Ripple20 * | Last updated: 2020-06-26 2121 UTC

Ripple20, set of vulnerabilities inside Treck / KASAGO IP Stacks


  • Ripple20 is the codename to a set of 19 vulnerabilities discovered by the cybersecurity team JSOF.
  • These vulnerabilities are inside an IP stack, selled under two different names (Treck TCP/IP for U.S market Kasago TCP/IP, for Asia market. -These two stacks were bought and used under privated-labeled by several softwares companies, some known names are: GHnetv2, Kwiknet, Quadnet.
  • But there's more, these stacks were also integrated, sometimes with modifications, inside several RTOS (real-time operating system).
  • Last, some of the vulnerabilities, depending the device operating system, configuration or location can have greater or lower CVSS score.
  • My advice is for companies to ask their suppliers if they use one of this stack and assess the risk following their company risk policy.
  • This will not be an easy set of vulnerabilities to patch, sadly.
SwitHak /
Last active Feb 4, 2021
BlueTeam CheatSheet * CVE-2020-11651 * SaltStack | Last updated: 2020-06-03 0938 UTC

CVE-2020-11651 AKA SaltStack RCE

  • Currently no cool name, what are you doing @GossiTheDog ? ;)


  • A critical vulnerability have been discovered by FSECURE Labs team in the SaltStack product.
  • The vulnerability is a Remote Code Execution with the higher CVSS number possible 10/10 and the CVE number is CVE-2020-11651.
  • there's also another vulnerability referenced under the CVE-2020-11652, discovered in the same time also per FSECURE.
  • The vulnerability is actively exploited (Some says since Saturday morning 2020-05-02) and several exploits are in the wild.
  • We currently knows at least 5 victims, even big names are concerned.
  • This is not a drill or something you can patch later, act now.
SwitHak / 20200329_TLP:WHITE_SANA-Video-subtitles_translation_RU->
Created Mar 29, 2020
Translation for the demo video of SANA, Russian project aiming to monitor Social Networks like Facebook, Twitter, VK, etc...
View 20200329_TLP:WHITE_SANA-Video-subtitles_translation_RU->


  • This is the translation for the demo video of SANA, Russian project aiming to monitor Social Networks like Facebook, Twitter, VK, etc...


00:02 Основные объекты системы находятся в меню слева
	The main system objects are in the menu on the left.
00:05 Инфоповоды отслеживают возникновение необходимых сообщений
SwitHak / 20200318-TLP-WHITE-IOC-RECORDEDFUTURE-20200318.csv
Last active Mar 22, 2020
.:Recorded Future:. | Source: | Curated: Removed duplicates, extract domains and subject to CSV format to be exploited
View 20200318-TLP-WHITE-IOC-RECORDEDFUTURE-20200318.csv
We can make this file beautiful and searchable if this error is corrected: It looks like row 2 should actually have 1 column, instead of 2. in line 1.
Separator: single comma [,]
SwitHak / 20200318-TLP-WHITE-IOC-RISKIQ-20200317-REPORT_CURATED.csv
Created Mar 18, 2020
.:RISKIQ REPORT:. | Source: |Curated: Removed duplicates, extract domains and subject to CSV format to be exploited
View 20200318-TLP-WHITE-IOC-RISKIQ-20200317-REPORT_CURATED.csv
We can make this file beautiful and searchable if this error is corrected: Illegal quoting in line 2.
Separator: single comma [,], except for subjects ["]