
00000000 FC CLD
00000001 E882000000 CALL -FFFFFF78
00000006 60 PUSHA
00000007 89E5 MOV EBP,ESP
00000009 31C0 XOR EAX,EAX
0000000B 648B5030 MOV EDX,DWORD PTR FS:[EAX+30]
0000000F 8B520C MOV EDX,DWORD PTR [EDX+0C]
00000012 8B5214 MOV EDX,DWORD PTR [EDX+14]
00000015 8B7228 MOV ESI,DWORD PTR [EDX+28]
00000018 0FB74A26 MOVZX ECX,WORD PTR [EDX+26]
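The listing above is the start of the classic x86 PEB-walk stub (cld; call; pusha; mov ebp,esp; xor eax,eax; mov edx,fs:[eax+0x30] → PEB; [edx+0x0C] → Ldr; [edx+0x14] → InMemoryOrderModuleList; then the BaseDllName buffer and length of each module) that Metasploit's block_api and most shellcode derived from it use to resolve APIs by hash. The odd `CALL -FFFFFF78` at 0x01 is the disassembler's display of a rel32 of +0x82: from the next instruction at 0x06 the target is 0x88 (0x100000000 - 0xFFFFFF78), so the call skips over the API-resolver body and leaves the resolver's address (0x06) on the stack. As an added example that is not part of this gist, the following Python scanner finds that stub in an arbitrary byte blob by matching the fixed opcode bytes from the listing and wildcarding only the rel32, then reports where the call lands. The identification as a block_api-style stub is mine, not the page's.

```python
import re

# Opcode bytes copied from the listing above (offsets 0x00-0x1B). The rel32 of
# the CALL is captured rather than matched literally because it depends on the
# size of the API-resolver that follows it.
STUB_PATTERN = re.compile(
    rb"\xFC"                    # cld
    rb"\xE8(.{4})"              # call rel32              (captured)
    rb"\x60"                    # pusha
    rb"\x89\xE5"                # mov ebp, esp
    rb"\x31\xC0"                # xor eax, eax
    rb"\x64\x8B\x50\x30"        # mov edx, fs:[eax+0x30]   PEB
    rb"\x8B\x52\x0C"            # mov edx, [edx+0x0C]      PEB->Ldr
    rb"\x8B\x52\x14"            # mov edx, [edx+0x14]      Ldr->InMemoryOrderModuleList
    rb"\x8B\x72\x28"            # mov esi, [edx+0x28]      BaseDllName.Buffer
    rb"\x0F\xB7\x4A\x26",       # movzx ecx, word [edx+0x26]  BaseDllName.Length
    re.DOTALL,                  # the rel32 bytes may include 0x0A
)

# The 28 bytes shown in the disassembly above, as a hex string.
LISTING_BYTES = bytes.fromhex(
    "FC E8 82 00 00 00 60 89 E5 31 C0 64 8B 50 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26"
)


def find_peb_walk_stubs(blob: bytes):
    """Return (stub_offset, call_target_offset) for every PEB-walk stub in blob.

    The CALL sits at stub_offset + 1 and is 5 bytes long, so its target is
    (stub_offset + 6) + rel32, i.e. the "start:" label the resolver's caller
    jumps to; the pushed return address is the resolver itself.
    """
    hits = []
    for m in STUB_PATTERN.finditer(blob):
        rel32 = int.from_bytes(m.group(1), "little", signed=True)
        call_target = m.start() + 1 + 5 + rel32
        hits.append((m.start(), call_target))
    return hits


if __name__ == "__main__":
    # Constructed sample: the listing's bytes embedded in padding at offset 3.
    sample = b"\x00" * 3 + LISTING_BYTES + b"\x90" * 8
    for offset, target in find_peb_walk_stubs(sample):
        print(f"PEB-walk stub at 0x{offset:x}, CALL lands at 0x{target:x}")
```

The fixed bytes are enough to catch unmodified stagers; hand-rolled shellcode that reorders the PEB walk or uses `gs:` (x64) needs its own pattern.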
{
"notice": {
"program": "/usr/local/sbin/laurel",
"action": "start",
"euid": 996,
"version": "0.1.2",
"config": {
"user": "_laurel",
"directory": "/var/log/laurel",
"auditlog": {
@cbresponse
cbresponse / Cobalt Strike - C2
Created September 19, 2021 07:17 — forked from MichaelKoczwara/Cobalt Strike - C2
Cobalt Strike/C2
{
"Ip": "42.193.225.116",
"Ports": ["42.193.225.116:22", "42.193.225.116:8888"],
"DefaultBeaconResponses": {
"http://42.193.225.116:8888/": "302/219"
},
"Jarm": "",
"Certificate": "",
"Beacons": null
}
@cbresponse
cbresponse / scanning_cobaltstrike_config.csv
Created September 16, 2021 17:20 — forked from svch0stz/scanning_cobaltstrike_config.csv
scanning_cobaltstrike_config.csv
ip,port,time_scanned,arch,Beacon Type,Port,Polling,Jitter,Max DNS,C2 Server,User Agent,HTTP Method Path 2,Header 1,Header 2,Injection Process,Pipe Name,Year,Month,Day,DNS Idle,DNS Sleep,Method 1,Method 2,Spawn To,Proxy Hostname,Proxy Username,Proxy Password,Proxy Access Type,CreateRemoteThread,Watermark
185.20.186.108,443,1.62002E+12,x86,8 (HTTPS),443,5000,0,,"185.20.186.108,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",,/N4215/adj/amzn.us.sr.aps,,,,,,,,,,GET,POST,%windir%\syswow64\rundll32.exe,,,,,,1359593325
185.20.186.108,443,1.62002E+12,x64,8 (HTTPS),443,5000,0,,"185.20.186.108,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",,/N4215/adj/amzn.us.sr.aps,,,,,,,,,,GET,POST,%windir%\sysnative\rundll32.exe,,,,,,1359593325
213.202.211.246,80,1.62002E+12,x86,0 (HTTP),80,10000,5,,"213.202.211.246,/metro91/admin/1/ppptp.jpg",,/metro91/admin/1/secure.php,,,,,,,,,,GET,POST,%windir%\syswow64\rundll32.exe,,,,,,0
213.202.211.246,80,1.62002E+12,x64,0 (HTTP),80,10000,5,,"213.202.211.246,/metr
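Each row above is one parsed beacon configuration, with the C2 server and its GET URI packed into one quoted field ("host,/uri") and the scan time exported as an Excel-rounded epoch-millisecond value. The last row shows the failure mode a consumer of this file hits: a truncated line whose quoted field never closes. As an added example that is not part of the gist, the following Python parses the rows line by line so one unclosed quote cannot swallow the records behind it, pulls out the fields a hunter cares about, and groups servers by watermark. The sample rows are copied from the CSV above; the field names and the record layout are my choices.

```python
import csv
from datetime import datetime, timezone

# Header plus three complete rows copied from the scan CSV above, followed by
# the truncated row: its quoted "C2 Server" field never closes.
SAMPLE_CSV = "\n".join([
    "ip,port,time_scanned,arch,Beacon Type,Port,Polling,Jitter,Max DNS,C2 Server,"
    "User Agent,HTTP Method Path 2,Header 1,Header 2,Injection Process,Pipe Name,"
    "Year,Month,Day,DNS Idle,DNS Sleep,Method 1,Method 2,Spawn To,Proxy Hostname,"
    "Proxy Username,Proxy Password,Proxy Access Type,CreateRemoteThread,Watermark",
    r'185.20.186.108,443,1.62002E+12,x86,8 (HTTPS),443,5000,0,,"185.20.186.108,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",,/N4215/adj/amzn.us.sr.aps,,,,,,,,,,GET,POST,%windir%\syswow64\rundll32.exe,,,,,,1359593325',
    r'185.20.186.108,443,1.62002E+12,x64,8 (HTTPS),443,5000,0,,"185.20.186.108,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",,/N4215/adj/amzn.us.sr.aps,,,,,,,,,,GET,POST,%windir%\sysnative\rundll32.exe,,,,,,1359593325',
    r'213.202.211.246,80,1.62002E+12,x86,0 (HTTP),80,10000,5,,"213.202.211.246,/metro91/admin/1/ppptp.jpg",,/metro91/admin/1/secure.php,,,,,,,,,,GET,POST,%windir%\syswow64\rundll32.exe,,,,,,0',
    r'213.202.211.246,80,1.62002E+12,x64,0 (HTTP),80,10000,5,,"213.202.211.246,/metr',
])


def _epoch_ms_to_iso(value: str) -> str:
    """time_scanned is epoch milliseconds. The spreadsheet export rounded it to
    six significant digits ("1.62002E+12"), so the result is only good to a
    few hours; keep it for ordering, not as a precise first-seen time."""
    seconds = float(value) / 1000
    return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()


def parse_beacon_configs(text: str):
    """Return (records, malformed) from scanner CSV text.

    Every physical line is fed to csv on its own: a quoted field with an
    embedded comma still parses, but an unclosed quote fails only its own line
    instead of merging the following records into one giant field.
    """
    lines = text.splitlines()
    header = next(csv.reader([lines[0]]))
    records, malformed = [], []
    for lineno, line in enumerate(lines[1:], start=2):
        try:
            row = next(csv.reader([line], strict=True))   # strict: unclosed quote raises
        except csv.Error as exc:
            malformed.append((lineno, str(exc)))
            continue
        if len(row) != len(header):
            malformed.append((lineno, f"expected {len(header)} fields, got {len(row)}"))
            continue
        raw = dict(zip(header, row))
        c2_host, _, c2_uri = raw["C2 Server"].partition(",")
        records.append({
            "ip": raw["ip"],
            "port": int(raw["port"]),
            "arch": raw["arch"],
            "beacon_type": raw["Beacon Type"],
            "scanned_at": _epoch_ms_to_iso(raw["time_scanned"]),
            "c2_host": c2_host,
            "c2_uri": c2_uri,                       # GET path
            "post_uri": raw["HTTP Method Path 2"],  # POST path
            "polling_ms": int(raw["Polling"]),
            "jitter": int(raw["Jitter"]),
            "spawn_to": raw["Spawn To"],
            "watermark": raw["Watermark"],
        })
    return records, malformed


def group_by_watermark(records):
    """Map watermark -> sorted list of 'ip:port' servers sharing that licence."""
    groups = {}
    for rec in records:
        groups.setdefault(rec["watermark"], set()).add(f"{rec['ip']}:{rec['port']}")
    return {wm: sorted(servers) for wm, servers in groups.items()}


if __name__ == "__main__":
    recs, bad = parse_beacon_configs(SAMPLE_CSV)
    for rec in recs:
        print(f"{rec['ip']}:{rec['port']} {rec['arch']} GET {rec['c2_uri']} spawnto={rec['spawn_to']} wm={rec['watermark']}")
    print("malformed lines:", bad)
    print("by watermark:", group_by_watermark(recs))
```

Grouping by watermark is the useful pivot: two servers with the same non-zero watermark were set up with the same licence, which is a stronger link between infrastructure than a shared profile alone. A watermark of 0 usually means a cracked or trial build, so it groups unrelated operators together.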
| Regex | Source |
| --- | --- |
| `MSSE-[0-9a-f]{3}-server` | Default Cobalt Strike Artifact Kit binaries |
| `status_[0-9a-f]{2}` | Default psexec_psh |
| `postex_ssh_[0-9a-f]{4}` | Default SSH beacon |
| `msagent_[0-9a-f]{2}` | Default SMB beacon |
| `postex_[0-9a-f]{4}` | Default Post Exploitation job (v4.2+) |
| `mojo.5688.8052.183894939787088877[0-9a-f]{2}` | jquery-c2.4.2.profile |
| `mojo.5688.8052.35780273329370473[0-9a-f]{2}` | jquery-c2.4.2.profile |
| `wkssvc[0-9a-f]{2}` | jquery-c2.4.2.profile |
| `ntsvcs[0-9a-f]{2}` | trick_ryuk.profile |
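The table lists the default named-pipe patterns Cobalt Strike and two public Malleable profiles use; on an endpoint they show up as Sysmon Event ID 17 (Pipe Created) and 18 (Pipe Connected) records. As an added example that is not part of the gist, the following Python turns the table into a classifier: it strips the `\\.\pipe\` prefix the logs carry, matches the pattern against the whole pipe name (the regexes above are unanchored, so `status_[0-9a-f]{2}` would otherwise fire on any pipe that merely contains `status_ab`), and labels each hit with its source. The sample events are constructed, and the event field names follow Sysmon's PipeEvent schema.

```python
import re

# Regex -> source, copied from the table above, compiled once. Order matters
# only for the two postex_ entries: the ssh variant is tried first.
PIPE_SIGNATURES = [
    (re.compile(r"MSSE-[0-9a-f]{3}-server"), "Default Cobalt Strike Artifact Kit binaries"),
    (re.compile(r"status_[0-9a-f]{2}"), "Default psexec_psh"),
    (re.compile(r"postex_ssh_[0-9a-f]{4}"), "Default SSH beacon"),
    (re.compile(r"msagent_[0-9a-f]{2}"), "Default SMB beacon"),
    (re.compile(r"postex_[0-9a-f]{4}"), "Default Post Exploitation job (v4.2+)"),
    (re.compile(r"mojo\.5688\.8052\.183894939787088877[0-9a-f]{2}"), "jquery-c2.4.2.profile"),
    (re.compile(r"mojo\.5688\.8052\.35780273329370473[0-9a-f]{2}"), "jquery-c2.4.2.profile"),
    (re.compile(r"wkssvc[0-9a-f]{2}"), "jquery-c2.4.2.profile"),
    (re.compile(r"ntsvcs[0-9a-f]{2}"), "trick_ryuk.profile"),
]

PIPE_PREFIX = "\\\\.\\pipe\\"   # the literal \\.\pipe\ prefix


def normalise_pipe_name(name: str) -> str:
    """Reduce '\\\\.\\pipe\\msagent_4f' or '\\msagent_4f' to 'msagent_4f'."""
    name = name.strip()
    if name.lower().startswith(PIPE_PREFIX):
        name = name[len(PIPE_PREFIX):]
    return name.lstrip("\\")


def classify_pipe(name: str):
    """Return the source label for a default Cobalt Strike pipe name, else None.

    fullmatch() anchors the table's regexes at both ends so a legitimate pipe
    that only contains one of the patterns as a substring is not flagged.
    """
    base = normalise_pipe_name(name)
    for pattern, source in PIPE_SIGNATURES:
        if pattern.fullmatch(base):
            return source
    return None


# Constructed Sysmon-style pipe events (EventID 17 = Pipe Created, 18 = Pipe Connected).
SAMPLE_EVENTS = [
    {"EventID": 17, "Image": r"C:\Windows\System32\rundll32.exe", "PipeName": r"\msagent_4f"},
    {"EventID": 18, "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\\.\pipe\postex_ssh_0f1e"},
    {"EventID": 17, "Image": r"C:\Windows\Temp\beacon.exe", "PipeName": r"\MSSE-3a7-server"},
    {"EventID": 17, "Image": r"C:\Windows\System32\lsass.exe", "PipeName": r"\lsass"},
    {"EventID": 18, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "PipeName": r"\mojo.5688.8052.183894939787088877ab"},
    {"EventID": 17, "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\some_status_ab"},
]


def scan_pipe_events(events):
    """Return one hit dict per event whose pipe name matches a signature."""
    hits = []
    for ev in events:
        source = classify_pipe(ev["PipeName"])
        if source is not None:
            hits.append({"event_id": ev["EventID"], "image": ev["Image"],
                         "pipe": ev["PipeName"], "source": source})
    return hits


if __name__ == "__main__":
    for hit in scan_pipe_events(SAMPLE_EVENTS):
        print(f"EID {hit['event_id']} {hit['image']} -> {hit['pipe']} [{hit['source']}]")
```

The two `mojo.5688.8052.*` entries deliberately imitate Chrome's IPC pipe naming, so a hit there is only interesting when the creating Image is not Chrome; treat the `source` label as a pivot for that check rather than as an alert on its own.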
@cbresponse
cbresponse / CobaltStrike_IPs.txt
Last active September 6, 2021 07:25
CobaltStrike_IPs
49.235.108.154
155.138.223.122
155.138.164.216
160.72.78.12
160.72.78.13
158.247.225.41
49.234.81.168
45.10.20.166
157.56.164.242
49.4.79.214
@cbresponse
cbresponse / Regex_For_All_KQL.csv
Created August 11, 2021 03:55
One stop regex
Name Regex plural_name Description Rarity URL Tags
PGP Public Key ^(?:-----BEGIN PGP PUBLIC KEY BLOCK-----\n?(?:(?:(?:Version|Comment|MessageID|Hash|Charset):.*)\n?)*[a-zA-Z0-9\/\.\n\:\+\=]+-----END PGP PUBLIC KEY BLOCK-----)$ False 1 ["PGP"]
PGP Private Key ^(?:-----BEGIN PGP PRIVATE KEY BLOCK-----\n?(?:(?:(?:Version|Comment|MessageID|Hash|Charset):.*)\n?)*[a-zA-Z0-9\/\.\n\:\+\=]+-----END PGP PRIVATE KEY BLOCK-----)$ False 1 ["PGP"]
SSH RSA Public Key ^(ssh-rsa [A-Za-z0-9+/=]+ [^ \n]+)$ False 1 ["Credentials","SSH Public Key"]
SSH ECDSA Public Key ^(ecdsa-sha2-nistp[0-9]{3} [A-Za-z0-9+/=]+ [^ \n]+)$ False 1 ["Credentials","SSH Public Key"]
SSH ED25519 Public Key ^(ssh-ed25519 [A-Za-z0-9+/=]+ [^ \n]+)$ False 1 ["Credentials","SSH Public Key"]
Access-Control-Allow-Header (?i)^(Access-Control-Allow: [a-z0-9\-*])$ False Used for [#CAE4F1][link=https://en.wikipedia.org/wiki/Cross-origin_resource_sharing]Cross-Origin Resource Sharing (CORS)[/link][/#CAE4F1] 1 ["Networking","Website"]
TryHackMe Flag Form
IP
94.244.56.190
72.221.232.141
46.173.117.50
72.210.252.142
46.100.54.77
93.85.82.148
72.166.243.197
45.227.194.14
45.224.105.212
93.116.122.209
@cbresponse
cbresponse / FalconHuntqueries.md
Created January 5, 2021 10:13 — forked from ag-michael/FalconHuntqueries.md
Falcon hunt queries

timestamp convert:

```
convert ctime(timestamp/1000)
```

.top, .club, .xyz and .ru domain lookups where the domain was requested more than once but fewer than four times across the fleet (the `values(ComputerName)` column lists which hosts made the requests):

```
aid=* event_simpleName=DnsRequest | regex DomainName=".*\.top$|.*\.club$|.*\.xyz$|.*\.ru$|[0-9]+.*\.\w$" | stats values(ComputerName) count by DomainName | where count > 1 AND count < 4 | sort - count
```
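The hunt above is a frequency-threshold query: keep DnsRequest events for a few abused TLDs, count them per domain, list the hosts involved, and keep only domains looked up a small number of times (too rare to be a CDN, too repeated to be a typo). As an added example that is not part of the gist, the following Python runs the same logic over constructed DnsRequest events, including the `ctime(timestamp/1000)` conversion of the epoch-millisecond timestamp. The TLD regex is a tightened equivalent of the alternation in the query, and the event field names mirror the ones the query filters on.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Anchored form of ".*\.top$|.*\.club$|.*\.xyz$|.*\.ru$" from the query above.
SUSPICIOUS_TLD = re.compile(r"\.(top|club|xyz|ru)$", re.IGNORECASE)


def to_ctime(timestamp_ms: int) -> str:
    """Equivalent of `convert ctime(timestamp/1000)`: epoch ms -> UTC string."""
    return datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


# Constructed DnsRequest events: one domain looked up three times from one host,
# one looked up twice from two hosts, one seen once, one popular domain seen
# five times, and a .com domain that the TLD filter must ignore.
EVENTS = [
    {"timestamp": 1620020000000, "aid": "a1", "ComputerName": "HOST-A", "DomainName": "evil.top"},
    {"timestamp": 1620020060000, "aid": "a1", "ComputerName": "HOST-A", "DomainName": "evil.top"},
    {"timestamp": 1620020120000, "aid": "a1", "ComputerName": "HOST-A", "DomainName": "evil.top"},
    {"timestamp": 1620020180000, "aid": "a2", "ComputerName": "HOST-B", "DomainName": "update.ru"},
    {"timestamp": 1620020240000, "aid": "a3", "ComputerName": "HOST-C", "DomainName": "update.ru"},
    {"timestamp": 1620020300000, "aid": "a2", "ComputerName": "HOST-B", "DomainName": "cdn.xyz"},
    {"timestamp": 1620020360000, "aid": "a2", "ComputerName": "HOST-B", "DomainName": "example.com"},
    {"timestamp": 1620020420000, "aid": "a3", "ComputerName": "HOST-C", "DomainName": "example.com"},
] + [
    {"timestamp": 1620020480000 + i * 1000, "aid": "a1", "ComputerName": "HOST-A", "DomainName": "popular.club"}
    for i in range(5)
]


def hunt_rare_tld_lookups(events, min_count=2, max_count=3):
    """stats values(ComputerName) count by DomainName | where 1 < count < 4 | sort - count.

    Events lacking an aid or not of type DnsRequest are skipped, matching the
    `aid=* event_simpleName=DnsRequest` search prefix.
    """
    by_domain = defaultdict(lambda: {"count": 0, "hosts": set(), "first_seen": None})
    for ev in events:
        if ev.get("event_simpleName", "DnsRequest") != "DnsRequest" or not ev.get("aid"):
            continue
        domain = ev["DomainName"]
        if not SUSPICIOUS_TLD.search(domain):
            continue
        agg = by_domain[domain]
        agg["count"] += 1
        agg["hosts"].add(ev["ComputerName"])
        ts = ev["timestamp"]
        agg["first_seen"] = ts if agg["first_seen"] is None else min(agg["first_seen"], ts)

    results = [
        {"domain": d, "count": a["count"], "hosts": sorted(a["hosts"]),
         "first_seen": to_ctime(a["first_seen"])}
        for d, a in by_domain.items()
        if min_count <= a["count"] <= max_count
    ]
    # `sort - count`: highest count first; domain name breaks ties deterministically.
    return sorted(results, key=lambda r: (-r["count"], r["domain"]))


if __name__ == "__main__":
    for row in hunt_rare_tld_lookups(EVENTS):
        print(f"{row['domain']:<14} count={row['count']} hosts={','.join(row['hosts'])} first={row['first_seen']}")
```

The thresholds are the query's `count > 1 AND count < 4`; tune `max_count` upward on a large fleet, where a real beacon's DNS traffic will easily exceed three lookups in the search window.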