@SwitHak
SwitHak / 20200329_TLP:WHITE_SANA-Video-subtitles_translation_RU->EN.md
Created Mar 29, 2020
Translation for the demo video of SANA, a Russian project aiming to monitor social networks such as Facebook, Twitter, VK, etc.

General

  • This is the translation for the demo video of SANA, a Russian project aiming to monitor social networks such as Facebook, Twitter, VK, etc.

Translation

00:02 Основные объекты системы находятся в меню слева
	The main system objects are in the menu on the left.

00:05 Инфоповоды отслеживают возникновение необходимых сообщений
	News triggers ("infopovody") track the appearance of the required messages.
@SwitHak
SwitHak / 20200318-TLP-WHITE-IOC-RECORDEDFUTURE-20200318.csv
Last active Mar 22, 2020
.:Recorded Future:. | Source: https://go.recordedfuture.com/hubfs/reports/cta-2020-0312-2.pdf | Curated: removed duplicates, extracted domains and subjects into CSV format for use
20200318-IOC-RECORDEDFUTURE-20200318
Separator: single comma [,]
|DOMAINS|
cdc-gov.org,Cdcgov.org,insiderppe.cloudapp.net,cloud-security.ggpht.ml,cloud-security.ggpht.ml
|EMAILS@|
Postmaster[@]mallinckrodt.xyz,brentpaul403[@]yandex.ru
@SwitHak
SwitHak / 20200318-TLP-WHITE-IOC-RISKIQ-20200317-REPORT_CURATED.csv
Created Mar 18, 2020
.:RISKIQ REPORT:. | Source: https://cdn.riskiq.com/wp-content/uploads/2020/03/COVID-19-Daily-Update-RiskIQ-i3_17-03-2020.pdf | Curated: removed duplicates, extracted domains and subjects into CSV format for use
20200318-IOC-RISKIQ-20200317-REPORT_CURATED
Separator: single comma [,], except for subjects ["]
@SwitHak
SwitHak / 20200318-TLP-WHITE-IOC-AVAST-20200318_FT_202003181642.csv
Last active Mar 18, 2020
.:AVAST TELEMETRY:. | Source: https://www.apklab.io/covid19 | Curated: removed duplicates, extracted domains into CSV format for use
20200318-IOC-AVAST-20200318_FT_202003181642
Separator: single comma [,]
@SwitHak
SwitHak / 20200312-TLP-WHITE_CVE-2020-0796.md
Last active Mar 19, 2020
BlueTeam CheatSheet * CVE-2020-0796 * SMBGhost | Last updated: 2020-03-18 1238 UTC

CVE-2020-0796 AKA SMBGhost

General

  • A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests.
  • An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.
  • To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.
  • The security update addresses the vulnerability by correcting how the SMBv3 protocol handles these specially crafted requests.
  • The vulnerability was discovered by the Microsoft Platform Security Assurance & Vulnerability Research team.

Affected products:

@SwitHak
SwitHak / 20200114-TLP-WHITE_CVE-2020-0601.md
Last active Mar 19, 2020
BlueTeam CheatSheet * CVE-2020-0601 * crypt32.dll | Last updated: 2020-01-21 1817 UTC

CVE-2020-0601 AKA ChainOfFools OR CurveBall

General

  • Microsoft disclosed a vulnerability, referenced as CVE-2020-0601, in its monthly Patch Tuesday release.
  • The vulnerability was discovered by the U.S. National Security Agency and announced today (2020-01-14) in its press conference, followed by a blog post and an official security advisory.
  • The flaw is located in the "CRYPT32.DLL" file under the C:\Windows\System32\ directory.

Vulnerability explanation

  • NSA description:
  • NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows® cryptographic functionality.
View 20200109-TLP-WHITE_Destructive-Attack-DUSTMAN_Technical-Report_IOC.txt
# Host Indicators of Compromise (comma separator used):
---
Name,MD5 Hash,SHA-1 Hash,SHA-256 Hash,Size (bytes),Type,Compilation Date
dustman.exe,8AFA8A59EEBF43EF223BE52E08FCDC67,E3AE32EBE8465C7DF1225A51234F13E8A44969CC,F07B0C79A8C88A5760847226AF277CF34AB5508394A58820DB4DB5A8D0340FC7,264704,64-bit EXE,Sun Dec 29 08:57:19 2019 (GMT+3)
elrawdsk.sys,993E9CB95301126DEBDEA7DD66B9E121,A7133C316C534D1331C801BBCD3F4C62141013A1,36A4E35ABF2217887E97041E3E0B17483AA4D2C1AEE6FEADD48EF448BF1B9E6C,24576,64-bit EXE,Sun Oct 14 10:43:19 2012 (GMT+3)
assistant.sys,EAEA9CCB40C82AF8F3867CD0F4DD5E9D,7C1B25518DEE1E30B5A6EAA1EA8E4A3780C24D0C,CF3A7D4285D65BF8688215407BCE1B51D7C6B22497F09021F0FCE31CBEB78986,68288,64-bit EXE,Sat May 31 05:18:53 2008 (GMT+3)
agent.exe,F5F8160FE8468A77B6A495155C3DACEA,20D61C337653392EA472352931820DC60C37B2BC,44100C73C6E2529C591A10CD3668691D92DC0241152EC82A72C6E63DA299D3A2,116224,64-bit EXE,Sun Dec 29 08:56:27 2019 (GMT+3)
@SwitHak
SwitHak / 20190730-TLP-WHITE_URGENT11_VxWorks.MD
Last active Feb 21, 2020
Tracking vendors responses to URGENT/11 VxWorks vulnerabilities (Last updated: 2020-02-21 1019 UTC)

Advisory (URGENT/11)

UPDATE (2019-10-02 1241 UTC)

General

Armis released new information about the scope of the vulnerabilities: they impact more RTOSes than initially expected.

IP Stacks backstory

  • Some of the vulnerabilities discovered by Armis do not reside in the VxWorks RTOS itself but in one component of it, the IP stack. This IP stack, named IPNET, comes from Interpeak AB, a company acquired on 20 March 2006 by Wind River, the vendor of the VxWorks RTOS.
  • Before being acquired by Wind River, Interpeak AB sold its IP stacks to several other customers. Interpeak AB sold two major IP stacks, named IPNET and IPLITE; IPLITE is a lightweight version of IPNET.
@SwitHak
SwitHak / 20190618-TLP-WHITE-TCPSACK.MD
Last active Nov 7, 2019
Tracking vendors responses to TCP SACK vulnerabilities