Skip to content

Instantly share code, notes, and snippets.

Avatar

darkquasar darkquasar

View GitHub Profile
@darkquasar
darkquasar / annotations.xml
Created Feb 25, 2021 — forked from Neo23x0/annotations.xml
Sources for APT Groups and Operations Search Engine
View annotations.xml
<?xml version="1.0" encoding="UTF-8" ?>
<Annotations start="0" num="138" total="138">
<Annotation about="*.401trg.pw/*" timestamp="0x00056c69af232729" href="Cg0qLjQwMXRyZy5wdy8qEKnOjPmajdsC">
<Label name="_cse_turlh5vi4xc" />
<AdditionalData attribute="original_url" value="https://401trg.pw/" />
</Annotation>
<Annotation about="decalage.info/en/security*" timestamp="0x00056c678a15c50b" href="ChpkZWNhbGFnZS5pbmZvL2VuL3NlY3VyaXR5KhCLitfQ-IzbAg">
<Label name="_cse_turlh5vi4xc" />
<AdditionalData attribute="original_url" value="https://decalage.info/en/security" />
</Annotation>
@darkquasar
darkquasar / splunk_suspicious_user_agent.md
Last active Dec 10, 2019
Splunk Search to Weed Out Low Hanging Fruit and Out-Of-The-Box Pentest
View splunk_suspicious_user_agent.md

Draft rule for a Splunk Search

Suspicious User Agents

You will not detect APTs with this but you will weed out low hanging fruit and not too savvy pentesters :)

user_agent IN ("burp" "burpcollaborator.net" "qualys" "nexpose" "OpenVAS" "Nikto" "Meterpreter" "IceWeasel" "DirB" "Comodo" "Tripwire" "Retina" "MBSA" "ImmuniWeb" "Netsparker" "Acunetix" "Intruder" "WinHttp.WinHttpRequest" "nmap" "CVE" "base64" "eval" "ftp" "/script" "javascript" "alert" ) NOT (user_agent="google") | eval detection_description=if(like(user_agent,"%WinHttpRequest%"),"CScript or VBScript Call",detection_description) | eval detection_description=if(like(user_agent,"%Iceweasel%"),"Potentially Kali",detection_description) | eval detection_description=if(like(user_agent,"%Meterpreter%"),"Meterpreter",detection_description)

@darkquasar
darkquasar / sysmon_suspicious_keyboard_layout_load.yml
Last active Oct 16, 2019 — forked from Neo23x0/sysmon_suspicious_keyboard_layout_load.yml
Sigma Rule to Detect Uncommon Keyboard Layout Loads in Your Organisation
View sysmon_suspicious_keyboard_layout_load.yml
title: Suspicious Keyboard Layout Load
description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only
references:
- https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
author: Florian Roth
date: 2019/10/12
logsource:
product: windows
service: sysmon
definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
@darkquasar
darkquasar / JEWebDav.ps1
Created Feb 15, 2018
Simple WebDav Server in Powershell
View JEWebDav.ps1
<#
Obtained from https://github.com/re4lity/subTee-gits-backups/blob/master/JEWebDav.ps1
#>
<#
.SYNOPSIS
Simple Reverse Shell over HTTP. Deliver the link to the target and wait for connectback.
Read And Write Files Over WebDAV Proof Of Concept