SwitHak
@SwitHak
SwitHak / 20201222-TLP-WHITE_HOW-TO-detect-SolarWinds_events.md
Last active Jan 27, 2021
BlueTeam CheatSheet * SolarWinds Events * | Last updated: 2020-12-24 1334 UTC

SolarWinds Supply-chain Compromises

Detections

General

  • This section aims to provide the detections released by security companies to detect the malware / files linked to the SolarWinds supply-chain compromise events. We kindly remind you that these detection signatures could / will evolve in the coming days; stay updated by checking the vendors' resources for the latest information.

Warning

  • SolarWinds, in a support article since removed, asked organizations to exclude SolarWinds product paths from anti-virus scans. While this is an understandable practice to avoid impacting SolarWinds product functions, the following detections will not work unless the installation path exclusions are removed first.

Security Products

@SwitHak
SwitHak / 20200730-TLP-WHITE_BootHole_CVE-2020-10713.md
Last active Sep 29, 2020
BlueTeam CheatSheet * BootHole * | Last updated: 2020-08-13 1957 UTC

CVE-2020-10713 AKA BootHole

  • Cool Name : BootHole

General

  • GRUB2 -> GRand Unified Bootloader version 2. Don't hurry with the patches: Red Hat's have some bugs within them, and test before production. It's a cool vuln, cool name, cool logo, but take your time to test the patches; boot isn't something you patch every month, so take care!
  • TBD
@SwitHak
SwitHak / 20200716_TLP-WHITE_July-Patch-Priorities.md
Last active Sep 29, 2020
BlueTeam CheatSheet * July Patch Priorities * TW2LWIML | Last updated: 2020-07-31 0013 UTC

July Patch Priorities

Patching priority:

P1

  • SHITRIX-II (Critical, Exploited)
  • F5 BigIP (Critical, Exploited)
  • SAPRecon (Critical, Exploited)
  • ASA & FTD CVE-2020-3452 (High, Exploited)
  • SIGRed CVE-2020-1350 (Critical, Exploit available (DoS))
@SwitHak
SwitHak / 20200618-TLP-WHITE_Ripple20.md
Last active Sep 29, 2020
BlueTeam CheatSheet * Ripple20 * | Last updated: 2020-06-26 2121 UTC

Ripple20, set of vulnerabilities inside Treck / KASAGO IP Stacks

General

  • Ripple20 is the codename for a set of 19 vulnerabilities discovered by the cybersecurity team JSOF.
  • These vulnerabilities are inside an IP stack sold under two different names (Treck TCP/IP for the U.S. market, Kasago TCP/IP for the Asian market). These two stacks were bought and used under private labels by several software companies; some known names are GHnetv2, Kwiknet and Quadnet.
  • But there's more: these stacks were also integrated, sometimes with modifications, inside several RTOS (real-time operating systems).
  • Last, some of the vulnerabilities, depending on the device operating system, configuration or location, can have a greater or lower CVSS score.
  • My advice is for companies to ask their suppliers if they use one of these stacks and to assess the risk following their company risk policy.
  • This will not be an easy set of vulnerabilities to patch, sadly.
@SwitHak
SwitHak / 20200504-TLP-WHITE_SaltStack_CVE-2020-11651.md
Last active Feb 4, 2021
BlueTeam CheatSheet * CVE-2020-11651 * SaltStack | Last updated: 2020-06-03 0938 UTC

CVE-2020-11651 AKA SaltStack RCE

  • Currently no cool name, what are you doing @GossiTheDog ? ;)

General

  • A critical vulnerability has been discovered by the F-Secure Labs team in the SaltStack product.
  • The vulnerability is a Remote Code Execution with the highest CVSS score possible, 10/10, and the CVE number is CVE-2020-11651.
  • There's also another vulnerability, referenced under CVE-2020-11652, discovered at the same time, also by F-Secure.
  • The vulnerability is actively exploited (some say since Saturday morning 2020-05-02) and several exploits are in the wild.
  • We currently know of at least 5 victims; even big names are affected.
  • This is not a drill or something you can patch later, act now.
@SwitHak
SwitHak / 20200329_TLP:WHITE_SANA-Video-subtitles_translation_RU->EN.md
Created Mar 29, 2020
Translation of the demo video for SANA, a Russian project aiming to monitor social networks like Facebook, Twitter, VK, etc.

General

  • This is the translation of the demo video for SANA, a Russian project aiming to monitor social networks like Facebook, Twitter, VK, etc.

Translation

00:02 Основные объекты системы находятся в меню слева
	The main system objects are in the menu on the left.
  
00:05 Инфоповоды отслеживают возникновение необходимых сообщений
	News triggers track the appearance of the required messages.
@SwitHak
SwitHak / 20200318-TLP-WHITE-IOC-RECORDEDFUTURE-20200318.csv
Last active Mar 22, 2020
.:Recorded Future:. | Source: https://go.recordedfuture.com/hubfs/reports/cta-2020-0312-2.pdf | Curated: removed duplicates, extracted domains and subjects to CSV format for use
20200318-IOC-RECORDEDFUTURE-20200318
Separator: single comma [,]
|DOMAINS|
cdc-gov.org,Cdcgov.org,insiderppe.cloudapp.net,cloud-security.ggpht.ml,cloud-security.ggpht.ml
|EMAILS@|
Postmaster[@]mallinckrodt.xyz,brentpaul403[@]yandex.ru
@SwitHak
SwitHak / 20200318-TLP-WHITE-IOC-RISKIQ-20200317-REPORT_CURATED.csv
Created Mar 18, 2020
.:RISKIQ REPORT:. | Source: https://cdn.riskiq.com/wp-content/uploads/2020/03/COVID-19-Daily-Update-RiskIQ-i3_17-03-2020.pdf | Curated: removed duplicates, extracted domains and subjects to CSV format for use
20200318-IOC-RISKIQ-20200317-REPORT_CURATED
Separator: single comma [,], except for subjects ["]
|URLs|
@SwitHak
SwitHak / 20200318-TLP-WHITE-IOC-AVAST-20200318_FT_202003181642.csv
Last active Mar 18, 2020
.:AVAST TELEMETRY:. | Source: https://www.apklab.io/covid19 | Curated: removed duplicates, extracted domains to CSV format for use
20200318-IOC-AVAST-20200318_FT_202003181642
Separator: single comma [,]
|DOMAINS|
@SwitHak
SwitHak / 20200312-TLP-WHITE_CVE-2020-0796.md
Last active Sep 29, 2020
BlueTeam CheatSheet * CVE-2020-0796 * SMBGhost | Last updated: 2020-03-18 1238 UTC

CVE-2020-0796 AKA SMBGhost

General

  • A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests.
  • An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.
  • To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.
  • The security update addresses the vulnerability by correcting how the SMBv3 protocol handles these specially crafted requests.
  • The vulnerability was discovered by the Microsoft Platform Security Assurance & Vulnerability Research team.

Affected products: