This list is no longer updated, thus the information is no longer reliable.
You can see the latest version (from october 2022) here
theevilbit
/ get_apple_oss.sh
Last active
April 25, 2022 04:32
Download All Apple OSS Tarballs from Github
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/zsh | |
| : ' | |
| You need a personal access token for GitHub to avoid hitting the rate limit. Refer to the docs: | |
| https://docs.github.com/en/rest/guides/getting-started-with-the-rest-api | |
| https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token | |
| ' | |
| APPLE_OSS_DIR="all_apple_oss_archives" | |
| APPLE_OSS_REPO_FILE="all_apple_oss_repo_names.txt" |
blotus
/ log4j_exploitation_attempts_crowdsec.md
Last active
December 29, 2023 12:24
IPs exploiting the log4j2 CVE-2021-44228 detected by the crowdsec community
vikas891
/ ExtractAllScripts.ps1
Last active
March 27, 2024 09:12
A PowerShell script to re-construct a suspicious .PS1 from script-blocks recorded in Event ID 4104
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Usage: | |
| # | |
| #NOTE: The script expects an argument which is the full File Path of the EVTX file. | |
| # | |
| #C:\>ExtractAllScripts.ps1 | |
| #The default behavior of the script is to assimilate and extract every script/command to disk. | |
| # | |
| #C:\ExtractAllScripts -List | |
| #This will only list Script Block IDs with associated Script Names(if logged.) | |
| # |
SwitHak
/ 20211210-TLP-WHITE_LOG4J.md
Last active
April 18, 2024 11:20
BlueTeam CheatSheet * Log4Shell* | Last updated: 2021-12-20 2238 UTC
Security Advisories / Bulletins / vendors Responses linked to Log4Shell (CVE-2021-44228)
- If you want to add a link, comment or send it to me
- Feel free to report any mistake directly below in the comment or in DM on Twitter @SwitHak
- Royce Williams list sorted by vendors responses Royce List
- Very detailed list NCSC-NL
- The list maintained by U.S. Cybersecurity and Infrastructure Security Agency: CISA List
Neo23x0
/ log4j_rce_detection.md
Last active
January 28, 2024 08:19
Log4j RCE CVE-2021-44228 Exploitation Detection
You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228
This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders
sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
wdormann
/ noappinstaller.reg
Last active
December 14, 2021 00:30
Prevent the ability to click on a ms-appinstaller: URI for the current user
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Windows Registry Editor Version 5.00 | |
| [HKEY_CURRENT_USER\Software\Classes\ms-appinstaller] | |
| "URL Protocol"=- |
Samirbous
/ EQL hunt for Potential Macro on close
Created
November 16, 2021 14:21
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence by host.id with maxspan=1s | |
| [process where event.action : "creation_event" and | |
| process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe") and | |
| not (process.executable : ("?:\\Windows\\System32\\WerFault.exe", "?:\\WINDOWS\\splwow64.exe") and | |
| process.args_count >= 2) | |
| ] by process.parent.entity_id | |
| [process where event.action : "termination_event" and | |
| process.name : ("winword.exe", "excel.exe", "powerpnt.exe") and | |
| process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "explorer.exe", "outlook.exe", "thunderbird.exe") | |
| ] by process.entity_id |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| use std::net::ToSocketAddrs; | |
| use std::sync::mpsc::channel; | |
| fn main() { | |
| std::env::set_var("LOCALDOMAIN", "1"); | |
| let mut threads = vec![]; | |
| let (tx, rx) = channel(); |
unrealwill
/ collisionLSH.py
Created
August 8, 2021 10:20
Proof of Concept : generating collisions on a neural perceptual hash
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import tensorflow as tf #We need tensorflow 2.x | |
| import numpy as np | |
| #The hashlength in bits | |
| hashLength = 256 | |
| def buildModel(): | |
| #we can set the seed to simulate the fact that this network is known and doesn't change between runs | |
| #tf.random.set_seed(42) | |
| model = tf.keras.Sequential() |
0xmachos
/ macOS-IR-Forensics.md
Last active
February 28, 2024 13:11
If someone wants to learn MacOS IR/forensics what’s the best resource for that?