msuiche

/*
    Hunting Russian Intelligence “Snake” Malware

    The Snake implant is considered the most sophisticated cyber espionage tool designed and used by
    Center 16 of Russia’s Federal Security Service (FSB) for long-term intelligence collection on sensitive
    targets.
*/

rule Windows_Snake_Malware {
    meta:

joswr1ght

Yule Log4Jack Help

Hi, Josh Wright here. I'm the technical director for the Holiday Hack Challenge. We don't normally break the 4th wall like this, but we think this Log4j vulnerability calls for special measures to give you the information you need to assess, identify, and mitigate this vulnerability.

In this challenge, Icky McGoop asks for your help in exploiting a Java Solr server at http://solrpower.kringlecastle.com:8983. This server is vulnerable to the Log4shell vulnerability. Your goal is to exploit the server and get a

SwitHak

Security Advisories / Bulletins / vendors Responses linked to Log4Shell (CVE-2021-44228)

Errors, typos, something to say ?

• If you want to add a link, comment or send it to me
• Feel free to report any mistake directly below in the comment or in DM on Twitter @SwitHak

Other great resources

• Royce Williams list sorted by vendors responses Royce List
• Very detailed list NCSC-NL
• The list maintained by U.S. Cybersecurity and Infrastructure Security Agency: CISA List

gnremy

aaronst

# C2 FQDNs
first seen fqdn
2019-12-11 23:37:10	updatemanagir.us
2019-12-20 17:51:05	cmdupdatewin.com
2019-12-26 18:03:27	scrservallinst.info
2020-01-10 00:33:57	winsystemupdate.com
2020-01-11 23:16:41	jomamba.best
2020-01-13 05:13:43	updatewinlsass.com
2020-01-16 11:38:53	winsysteminfo.com
2020-01-20 05:58:17	livecheckpointsrs.com

forensicmatt

import os
import requests
import tempfile
import subprocess
import json


def main():
    win64_request = requests.get("https://api.github.com/repos/log2timeline/l2tbinaries/contents/win64")
    contents = json.loads(win64_request.text)

nikallass

#!/bin/bash
if [ $# -eq 0 ]
  then
    echo $'Usage:\n\tcheck-smb-v3.11.sh TARGET_IP_or_CIDR'
    exit 1
fi

echo "Checking if there's SMB v3.11 in" $1 "..."

nmap -p445 --script smb-protocols -Pn -n $1 | grep -P '\d+\.\d+\.\d+\.\d+|^\|.\s+3.11' | tr '\n' ' ' | replace 'Nmap scan report for' '@' | tr "@" "\n" | grep 3.11 | tr '|' ' ' | tr '_' ' ' | grep -oP '\d+\.\d+\.\d+\.\d+'

knavesec

#!/usr/bin/env python
# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
#
# This software is provided under under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# A similar approach to smbexec but executing commands through WMI.
# Main advantage here is it runs under the user (has to be Admin)
# account, not SYSTEM, plus, it doesn't generate noisy messages

TarlogicSecurity

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

JohnLaTwC

let valid_logons = (OfficeActivity
    | where TimeGenerated > ago(30d)
    | where Operation == 'UserLoggedIn'
    | summarize by ClientIP);
let only_invalid_logons = (OfficeActivity
    | where TimeGenerated > ago(30d)
    | where Operation == 'UserLoginFailed'
    | summarize by ClientIP) 
    | join kind=anti (valid_logons) on ClientIP;
OfficeActivity