Source: https://www.sandflysecurity.com/blog/compromised-linux-cheat-sheet/
Large amounts of RAM:
top
# C2 FQDNs
import hashlib
import re


def calculate_rule_hash(rule):
    """
    Calculates a hash over the relevant YARA rule content (string contents, sorted condition)
    Requires a YARA rule object as generated by 'plyara': https://github.com/plyara/plyara
    :param rule: yara rule object
    :return: generated hash
    """
#!/bin/bash
# Reads one IP address per line on stdin, appends "/hostname" to each, and sends them
# to the ipinfo.io batch API in chunks of 1000 with 12 parallel jobs. TOKEN must hold
# your ipinfo.io API token. Output is one "<ip><TAB><hostname>" line per address.
sed 's/$/\/hostname/' | parallel --jobs=12 --pipe -N1000 \
    "curl -s -XPOST -H 'Content-Type: text/plain' --data-binary @- 'ipinfo.io/batch?token=$TOKEN&filter=1'" | \
    grep '"' | sed 's|/hostname||' | cut -d'"' -f2,4 | tr '"' '\t'
function Prompt
{
    # Build the prompt emoji (U+1F525, fire) from its code point
    $FullUnicode = 'U+1F525'
    $StrippedUnicode = $FullUnicode -replace 'U\+',''
    $UnicodeInt = [System.Convert]::ToInt32($StrippedUnicode,16)
    $promptEmoji = [System.Char]::ConvertFromUtf32($UnicodeInt)
    # Timestamp followed by the emoji, then the current user name in red
    (Write-Host -NoNewline (Get-Date -Format "[HH:mm:ss]$promptEmoji"))
    (Write-Host -NoNewline $env:USERNAME -ForegroundColor Red)
    # Return a non-empty string so PowerShell does not append its default "PS>"
    # (the fragment ends before the closing of the function; this is assumed)
    return ' '
}
#!/usr/bin/env python3
import re
import sys
import subprocess
import glob
import base64
import yaml


def dumpYaml(data):
    # Body assumed from the function name; the source fragment ends at the signature
    return yaml.safe_dump(data, default_flow_style=False)
package main

/*
Example Go program with multiple .NET binaries embedded.
This requires packr (https://github.com/gobuffalo/packr) and its command-line utility. Install with:
    $ go get -u github.com/gobuffalo/packr/packr
Place all your EXEs in a "binaries" folder.
*/
[
  {"op": "Conditional Jump", "args": ["bxor", false, "Decode_Shellcode", 10]},
  {"op": "Label", "args": ["Decode_beacon"]},
  {"op": "From Base64", "args": ["A-Za-z0-9+/=", true]},
  {"op": "Decode text", "args": ["UTF-16LE (1200)"]},
  {"op": "Regular expression", "args": ["User defined", "[a-zA-Z0-9+/=]{30,}", true, true, false, false, false, false, "List matches"]},
  {"op": "From Base64", "args": ["A-Za-z0-9+/=", true]},
  {"op": "Gunzip", "args": []},
  {"op": "Label", "args": ["Decode_Shellcode"]},
  {"op": "Regular expression", "args": ["User defined", "[a-zA-Z0-9+/=]{30,}", true, true, false, false, false, false, "List matches"]},
  {"op": "Conditional Jump", "args": ["", false, "", 10]},
  {"op": "From Base64", "args": ["A-Za-z0-9+/=", true]},
  {"op": "XOR", "args": [{"option": "Decimal", "string": "35"}, "Standard", false]}
]
# https://twitter.com/brsn76945860/status/1171233054951501824
pip install mmh3
-----------------------------
# python 2
import mmh3
import requests

# Fetch the favicon and base64-encode it. Python 2's str.encode('base64') inserts a
# newline every 76 characters, which is the exact form Shodan hashes.
response = requests.get('https://cybersecurity.wtf/favicon.ico')
favicon = response.content.encode('base64')
# MurmurHash3 of the encoded favicon, the value Shodan exposes as http.favicon.hash
# (final step assumed; the fragment ends before it)
print mmh3.hash(favicon)
rule XOREngine_HTTP
{
    meta:
        author = "smiller"
        description = "This looks for brute XOR of http:// in a PE."
        ref = "578cb44b784125ebd58ecb458d51b23d"
    strings:
        // "http://" XOR 0x01
        $key_01 = { 69 75 75 71 3b 2e 2e }
        // "http://" XOR 0x02
        $key_02 = { 6a 76 76 72 38 2d 2d }
        // "http://" XOR 0x03
        $key_03 = { 6b 77 77 73 39 2c 2c }
        // further single-byte keys are not present in the source fragment
    condition:
        // condition assumed (not in the fragment): PE "MZ" header and any key hit
        uint16(0) == 0x5A4D and any of ($key_*)
}