SwitHak
# Host Indicator of Compromises (Comma separator used):
---
Name,MD5 Hash,SHA-1 Hash,SHA-256 Hash,Size (bytes),Type,Compilation Date
dustman.exe,8AFA8A59EEBF43EF223BE52E08FCDC67,E3AE32EBE8465C7DF1225A51234F13E8A44969CC,F07B0C79A8C88A5760847226AF277CF34AB5508394A58820DB4DB5A8D0340FC7,264704,64-bit EXE,Sun Dec 29 08:57:19 2019 (GMT+3)
elrawdsk.sys,993E9CB95301126DEBDEA7DD66B9E121,A7133C316C534D1331C801BBCD3F4C62141013A1,36A4E35ABF2217887E97041E3E0B17483AA4D2C1AEE6FEADD48EF448BF1B9E6C,24576,64-bit EXE,Sun Oct 14 10:43:19 2012 (GMT+3)
assistant.sys,EAEA9CCB40C82AF8F3867CD0F4DD5E9D,7C1B25518DEE1E30B5A6EAA1EA8E4A3780C24D0C,CF3A7D4285D65BF8688215407BCE1B51D7C6B22497F09021F0FCE31CBEB78986,68288,64-bit EXE,Sat May 31 05:18:53 2008 (GMT+3)
agent.exe,F5F8160FE8468A77B6A495155C3DACEA,20D61C337653392EA472352931820DC60C37B2BC,44100C73C6E2529C591A10CD3668691D92DC0241152EC82A72C6E63DA299D3A2,116224,64-bit EXE,Sun Dec 29 08:56:27 2019 (GMT+3)
@SwitHak
SwitHak / 20200318-TLP-WHITE-IOC-AVAST-20200318_FT_202003181642.csv
Last active March 18, 2020 22:18
.:AVAST TELEMETRY:. | Source: https://www.apklab.io/covid19 | Curated: Removed duplicates, extracted domains to CSV format to be exploited
20200318-IOC-AVAST-20200318_FT_202003181642
Separator: single comma [,]
|DOMAINS|
finland-coronavirus-map.netlify.com,coronavirus-traker.en.aptoide.com,coronavirus.marinhhs.org,www.info-coronavirus.be,coronavirus.utah.gov,coronavirus.dc.gov,coronavir.ru,covid19.min-saude.pt,getcoronavirusalert.com,coronavirus-status.s3.eu-central-1.amazonaws.com,coronavirus-daily-status.firebaseio.com,covid19japan.com,coronavirus.epidemixs.org,covid19.egreen.io,covid-19-lk-dev.firebaseio.com,coronaviruss.ir,coronavirus-d9a66.firebaseio.com,flutter-covid19.firebaseio.com,coronavirus-mask.com,coronavirus-tracker-api.herokuapp.com,coronavirus-a600f.firebaseio.com,coronavirusmap-eb48d.firebaseio.com,covid19.tfone.ir,covid-19-e9057.firebaseio.com,covid19-dd7f7.firebaseio.com,covid-19-healthlynked.firebaseio.com,coronavirus-statistics-710b6.firebaseio.com,covid-19-6538f.firebaseio.com,coronavirus-3ffb2.firebaseio.com,coronavirus-alert.firebaseio.com,micronekcovid19.blob.core.windows.net,covid-19-live-news-statistics.firebaseio.com
@SwitHak
SwitHak / 20200318-TLP-WHITE-IOC-RISKIQ-20200317-REPORT_CURATED.csv
Created March 18, 2020 22:26
.:RISKIQ REPORT:. | Source: https://cdn.riskiq.com/wp-content/uploads/2020/03/COVID-19-Daily-Update-RiskIQ-i3_17-03-2020.pdf | Curated: Removed duplicates, extracted domains and subjects to CSV format to be exploited
20200318-IOC-RISKIQ-20200317-REPORT_CURATED
Separator: single comma [,], except for subjects ["]
|URLs|
http://coronavirus-guidelines.online,http://coronavirus0012.000webhostapp.com/,http://coronavirus2020covid-19.000webhostapp.com/,http://coronaviruscovid19-information.com/en/corona.apk,http://coronaviruscovid19-information.com/it/corona.apk,http://coronavirusnepal10.000webhostapp.com:443/,http://coronavirusnepal16.000webhostapp.com/,http://coronavirusnepal7.000webhostapp.com/,http://coronavirustest.ru/,http://drunkwhitekids.com/wordpress/wp-includes/theme-compat/coronavirus/,http://nepalcoronavirus2.000webhostapp.com/,http://raymondne.buzz:443/COVID-19PRECAUTIONS/toda/office.php,http://toyswithpizzazz.com.au/service/coronavirus,http://zep0de.com/COVID-19.zip,https://advancedaesthetics.ch/fkja/coronavirusutm.sourceutm.mediumcampaigncoronaemailUniquea51c1d067cfe4e6696ca8147bb3c5d90.26sourceImagePreview.html,https://advancedaesthetics.ch/fkja/coronavirusutm.sourceutm.mediumcampaigncoronaemailuniquea51c1d067cf
@SwitHak
SwitHak / 20200318-TLP-WHITE-IOC-RECORDEDFUTURE-20200318.csv
Last active March 22, 2020 23:42
.:Recorded Future:. | Source: https://go.recordedfuture.com/hubfs/reports/cta-2020-0312-2.pdf | Curated: Removed duplicates, extracted domains and subjects to CSV format to be exploited
20200318-IOC-RECORDEDFUTURE-20200318
Separator: single comma [,]
|DOMAINS|
cdc-gov.org,Cdcgov.org,insiderppe.cloudapp.net,cloud-security.ggpht.ml,cloud-security.ggpht.ml
|EMAILS@|
Postmaster[@]mallinckrodt.xyz,brentpaul403[@]yandex.ru
@SwitHak
SwitHak / 20200329_TLP:WHITE_SANA-Video-subtitles_translation_RU->EN.md
Created March 29, 2020 19:50
Translation for the demo video of SANA, a Russian project aiming to monitor social networks like Facebook, Twitter, VK, etc.

General

  • This is the translation for the demo video of SANA, a Russian project aiming to monitor social networks like Facebook, Twitter, VK, etc.

Translation

00:02 Основные объекты системы находятся в меню слева
	The main system objects are in the menu on the left.

00:05 Инфоповоды отслеживают возникновение необходимых сообщений
	Newsbreaks (info triggers) track the appearance of the messages of interest.
@SwitHak
SwitHak / 20190730-TLP-WHITE_URGENT11_VxWorks.MD
Last active June 5, 2020 08:12
Tracking vendors responses to URGENT/11 VxWorks vulnerabilities (Last updated: 2020-02-21 1019 UTC)

Advisory (URGENT/11)

UPDATE (2019-10-02 1241 UTC)

General

Armis released new information about the scope of the vulnerabilities. The vulnerabilities impact more RTOSes than expected.

IP Stacks backstory

  • Some of the vulnerabilities discovered by Armis do not reside in the VxWorks RTOS itself but in one part of it, the IP stack. This IP stack, named IPNET, comes from Interpeak AB, a company acquired by Wind River, the editor of VxWorks RTOS, on 20 March 2006.
  • Before being acquired by Wind River, Interpeak AB sold its IP stacks to several customers. Interpeak AB sold two major IP stacks, named IPNET and IPLITE; IPLITE is a light version of IPNET.
@SwitHak
SwitHak / 20200716_TLP-WHITE_July-Patch-Priorities.md
Last active September 29, 2020 02:48
BlueTeam CheatSheet * July Patch Priorities * TW2LWIML | Last updated: 2020-07-31 0013 UTC

July Patch Priorities

Patching priority:

P1

  • SHITRIX-II (Critical, Exploited)
  • F5 BigIP (Critical, Exploited)
  • SAPRecon (Critical, Exploited)
  • ASA & FTD CVE-2020-3452 (High, Exploited)
  • SIGRed CVE-2020-1350 (Critical, Exploit available (DoS))
@SwitHak
SwitHak / 20200504-TLP-WHITE_SaltStack_CVE-2020-11651.md
Last active February 4, 2021 10:57
BlueTeam CheatSheet * CVE-2020-11651 * SaltStack | Last updated: 2020-06-03 0938 UTC

CVE-2020-11651 AKA SaltStack RCE

  • Currently no cool name, what are you doing @GossiTheDog? ;)

General

  • A critical vulnerability has been discovered by the F-Secure Labs team in the SaltStack product.
  • The vulnerability is a Remote Code Execution with the highest CVSS score possible, 10/10, and the CVE number is CVE-2020-11651.
  • There is also another vulnerability, referenced as CVE-2020-11652, discovered at the same time, also by F-Secure.
  • The vulnerability is actively exploited (some say since Saturday morning, 2020-05-02) and several exploits are in the wild.
  • We currently know of at least 5 victims; even big names are concerned.
  • This is not a drill or something you can patch later; act now.
@SwitHak
SwitHak / 20200312-TLP-WHITE_CVE-2020-0796.md
Last active February 21, 2023 11:19
BlueTeam CheatSheet * CVE-2020-0796 * SMBGhost | Last updated: 2020-03-18 1238 UTC

CVE-2020-0796 AKA SMBGhost

General

  • A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests.
  • An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.
  • To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.
  • The security update addresses the vulnerability by correcting how the SMBv3 protocol handles these specially crafted requests.
  • Vulnerability was discovered by Microsoft Platform Security Assurance & Vulnerability Research team.

Affected products:

@SwitHak
SwitHak / 20220909-TLP-WHITE_Albania-July-2022.md
Last active March 18, 2023 20:53
GEOPOLITICS * Albania July 2022 * | Last updated: 2022-09-19 11535 UTC

Offensive Cyber Operation against Albania networks by Iran

General

  • An offensive cyber operation against Albanian government and media networks occurred over the weekend of 15 July.
  • Quickly, the AKSHI announced they were forced to disconnect public services and government websites from the Internet.
  • Mandiant, a cyber security company, attributed the activity in a blog post to LIKELY an Iranian threat actor.
  • Albania's Prime Minister officially attributed the offensive cyber operation against the country to Iran.
  • The Albanian government severed diplomatic relations with Iran on 7 September with immediate effect.
  • Iranian embassy personnel must leave the country.
  • Nota: The response to this event varies; some say they're supportive of the Iran attribution, some not.