Skip to content

Instantly share code, notes, and snippets.

Avatar
🎯
Focusing

SwitHak SwitHak

🎯
Focusing
View GitHub Profile
View 20200109-TLP-WHITE_Destructive-Attack-DUSTMAN_Technical-Report_IOC.txt
# Host Indicator of Compromises (Comma separator used):
---
Name,MD5 Hash,SHA-1 Hash,SHA-256 Hash,Size (bytes),Type,Compilation Date
dustman.exe,8AFA8A59EEBF43EF223BE52E08FCDC67,E3AE32EBE8465C7DF1225A51234F13E8A44969CC,F07B0C79A8C88A5760847226AF277CF34AB5508394A58820DB4DB5A8D0340FC7,264704,64-bit EXE,Sun Dec 29 08:57:19 2019 (GMT+3)
elrawdsk.sys,993E9CB95301126DEBDEA7DD66B9E121,A7133C316C534D1331C801BBCD3F4C62141013A1,36A4E35ABF2217887E97041E3E0B17483AA4D2C1AEE6FEADD48EF448BF1B9E6C,24576,64-bit EXE,Sun Oct 14 10:43:19 2012(GMT+3)
assistant.sys,EAEA9CCB40C82AF8F3867CD0F4DD5E9D,7C1B25518DEE1E30B5A6EAA1EA8E4A3780C24D0C,CF3A7D4285D65BF8688215407BCE1B51D7C6B22497F09021F0FCE31CBEB78986,68288,64-bit EXE,Sat May 31 05:18:53 2008 (GMT+3)
agent.exe,F5F8160FE8468A77B6A495155C3DACEA,20D61C337653392EA472352931820DC60C37B2BC,44100C73C6E2529C591A10CD3668691D92DC0241152EC82A72C6E63DA299D3A2,116224,64-bit EXE,Sun Dec 29 08:56:27 2019 (GMT+3)
@SwitHak
SwitHak / 20200318-TLP-WHITE-IOC-AVAST-20200318_FT_202003181642.csv
Last active March 18, 2020 22:18
.:AVAST TELEMETRY:. | Source: https://www.apklab.io/covid19 | Curated:Removed duplicates, extract domains to CSV format to be exploited
View 20200318-TLP-WHITE-IOC-AVAST-20200318_FT_202003181642.csv
We can make this file beautiful and searchable if this error is corrected: It looks like row 2 should actually have 1 column, instead of 2. in line 1.
20200318-IOC-AVAST-20200318_FT_202003181642
Separator: single comma [,]
|DOMAINS|
finland-coronavirus-map.netlify.com,coronavirus-traker.en.aptoide.com,coronavirus.marinhhs.org,www.info-coronavirus.be,coronavirus.utah.gov,coronavirus.dc.gov,coronavir.ru,covid19.min-saude.pt,getcoronavirusalert.com,coronavirus-status.s3.eu-central-1.amazonaws.com,coronavirus-daily-status.firebaseio.com,covid19japan.com,coronavirus.epidemixs.org,covid19.egreen.io,covid-19-lk-dev.firebaseio.com,coronaviruss.ir,coronavirus-d9a66.firebaseio.com,flutter-covid19.firebaseio.com,coronavirus-mask.com,coronavirus-tracker-api.herokuapp.com,coronavirus-a600f.firebaseio.com,coronavirusmap-eb48d.firebaseio.com,covid19.tfone.ir,covid-19-e9057.firebaseio.com,covid19-dd7f7.firebaseio.com,covid-19-healthlynked.firebaseio.com,coronavirus-statistics-710b6.firebaseio.com,covid-19-6538f.firebaseio.com,coronavirus-3ffb2.firebaseio.com,coronavirus-alert.firebaseio.com,micronekcovid19.blob.core.windows.net,covid-19-live-news-statistics.firebaseio.com
@SwitHak
SwitHak / 20200318-TLP-WHITE-IOC-RISKIQ-20200317-REPORT_CURATED.csv
Created March 18, 2020 22:26
.:RISKIQ REPORT:. | Source: https://cdn.riskiq.com/wp-content/uploads/2020/03/COVID-19-Daily-Update-RiskIQ-i3_17-03-2020.pdf |Curated: Removed duplicates, extract domains and subject to CSV format to be exploited
View 20200318-TLP-WHITE-IOC-RISKIQ-20200317-REPORT_CURATED.csv
We can make this file beautiful and searchable if this error is corrected: Illegal quoting in line 2.
20200318-IOC-RISKIQ-20200317-REPORT_CURATED
Separator: single comma [,], except for subjects ["]
|URLs|
http://coronavirus-guidelines.online,http://coronavirus0012.000webhostapp.com/,http://coronavirus2020covid-19.000webhostapp.com/,http://coronaviruscovid19-information.com/en/corona.apk,http://coronaviruscovid19-information.com/it/corona.apk,http://coronavirusnepal10.000webhostapp.com:443/,http://coronavirusnepal16.000webhostapp.com/,http://coronavirusnepal7.000webhostapp.com/,http://coronavirustest.ru/,http://drunkwhitekids.com/wordpress/wp-includes/theme-compat/coronavirus/,http://nepalcoronavirus2.000webhostapp.com/,http://raymondne.buzz:443/COVID-19PRECAUTIONS/toda/office.php,http://toyswithpizzazz.com.au/service/coronavirus,http://zep0de.com/COVID-19.zip,https://advancedaesthetics.ch/fkja/coronavirusutm.sourceutm.mediumcampaigncoronaemailUniquea51c1d067cfe4e6696ca8147bb3c5d90.26sourceImagePreview.html,https://advancedaesthetics.ch/fkja/coronavirusutm.sourceutm.mediumcampaigncoronaemailuniquea51c1d067cf
@SwitHak
SwitHak / 20200318-TLP-WHITE-IOC-RECORDEDFUTURE-20200318.csv
Last active March 22, 2020 23:42
.:Recorded Future:. | Source: https://go.recordedfuture.com/hubfs/reports/cta-2020-0312-2.pdf | Curated: Removed duplicates, extract domains and subject to CSV format to be exploited
View 20200318-TLP-WHITE-IOC-RECORDEDFUTURE-20200318.csv
We can make this file beautiful and searchable if this error is corrected: It looks like row 2 should actually have 1 column, instead of 2. in line 1.
20200318-IOC-RECORDEDFUTURE-20200318
Separator: single comma [,]
|DOMAINS|
cdc-gov.org,Cdcgov.org,insiderppe.cloudapp.net,cloud-security.ggpht.ml,cloud-security.ggpht.ml
|EMAILS@|
Postmaster[@]mallinckrodt.xyz,brentpaul403[@]yandex.ru
@SwitHak
SwitHak / 20200329_TLP:WHITE_SANA-Video-subtitles_translation_RU->EN.md
Created March 29, 2020 19:50
Translation for the demo video of SANA, Russian project aiming to monitor Social Networks like Facebook, Twitter, VK, etc...
View 20200329_TLP:WHITE_SANA-Video-subtitles_translation_RU->EN.md

General

  • This is the translation for the demo video of SANA, Russian project aiming to monitor Social Networks like Facebook, Twitter, VK, etc...

Translation

00:02 Основные объекты системы находятся в меню слева
	The main system objects are in the menu on the left.
  
00:05 Инфоповоды отслеживают возникновение необходимых сообщений
@SwitHak
SwitHak / 20190730-TLP-WHITE_URGENT11_VxWorks.MD
Last active June 5, 2020 08:12
Tracking vendors responses to URGENT/11 VxWorks vulnerabilities (Last updated: 2020-02-21 1019 UTC)
View 20190730-TLP-WHITE_URGENT11_VxWorks.MD

Advisory (URGENT/11)

UPDATE (2019-10-02 1241 UTC)

General

Armis released new information about the vulnerabilities scope. The vulnerabilities impact more RTOS than expected.

IP Stacks backstory

  • Some of the vulnerabilities discovered by Armis doesn't resides in VxWorks RTOS but in one part of it, the IP stack. This IP stack named IPNET stack comes from Interpeak AB, a company acquired by Wind River the editor of VxWorks RTOS, the 20th March 2006.
  • Before been acquired by Wind River, the Interpeak AB company sold IP stacks to several customers of them. Interpeak AB sold 2 major IP stacks named IPNET & IPLITE, IPLITE is a light version of IPNET.
@SwitHak
SwitHak / 20200716_TLP-WHITE_July-Patch-Priorities.md
Last active September 29, 2020 02:48
BlueTeam CheatSheet * July Patch Priorities * TW2LWIML | Last updated: 2020-07-31 0013 UTC
View 20200716_TLP-WHITE_July-Patch-Priorities.md

July Patch Priorities

Patching priority:

P1

  • SHITRIX-II (Critical, Exploited)
  • F5 BigIP (Critical, Exploited)
  • SAPRecon (Critical, Exploited)
  • ASA & FTD CVE-2020-3452 (High, Exploited)
  • SIGRed CVE-2020-1350 (Critical, Exploit available (DoS))
@SwitHak
SwitHak / 20200504-TLP-WHITE_SaltStack_CVE-2020-11651.md
Last active February 4, 2021 10:57
BlueTeam CheatSheet * CVE-2020-11651 * SaltStack | Last updated: 2020-06-03 0938 UTC
View 20200504-TLP-WHITE_SaltStack_CVE-2020-11651.md

CVE-2020-11651 AKA SaltStack RCE

  • Currently no cool name, what are you doing @GossiTheDog ? ;)

General

  • A critical vulnerability have been discovered by FSECURE Labs team in the SaltStack product.
  • The vulnerability is a Remote Code Execution with the higher CVSS number possible 10/10 and the CVE number is CVE-2020-11651.
  • there's also another vulnerability referenced under the CVE-2020-11652, discovered in the same time also per FSECURE.
  • The vulnerability is actively exploited (Some says since Saturday morning 2020-05-02) and several exploits are in the wild.
  • We currently knows at least 5 victims, even big names are concerned.
  • This is not a drill or something you can patch later, act now.
@SwitHak
SwitHak / 20201222-TLP-WHITE_HOW-TO-detect-SolarWinds_events.md
Last active March 15, 2021 17:50
BlueTeam CheatSheet * SolarWinds Events* | Last updated: 2020-12-24 1334 UTC
View 20201222-TLP-WHITE_HOW-TO-detect-SolarWinds_events.md

SolarWinds Supply-chain Compromises

Detections

General

  • This section aims to provide the detections released by security companies to detect the malwares / files linked to SolarWinds supply-chain compromise events. We kindly remind you that this detections signatures could / will evolve in the next days, stays updated by checking the vendors resources to have the last information.

Warning

  • SolarWinds in a support article now removed, asked the organizations to exclude SolarWinds products paths of the anti-virus scans. If it is an understandable practice to not impact SolarWinds products functions, the following detections will not work if the installation paths exclusions are not removed first.

Security Products

@SwitHak
SwitHak / 20200730-TLP-WHITE_BootHole_CVE-2020-10713.md
Last active March 15, 2021 17:50
BlueTeam CheatSheet * BootHole * | Last updated: 2020-08-13 1957 UTC
View 20200730-TLP-WHITE_BootHole_CVE-2020-10713.md

CVE-2020-10713 AKA BootHole

  • Logo
  • Cool Name : BootHole

General

  • GRUB2 -> GRand Unified Bootloader version 2 -Don't hurry up on the patches, RedHat have some bug within and also test before production. -It's a cool vuln, cool name, cool logo, but take your time to test the patches, boot isn't something you patching every month, take care !
  • TBD