darkquasar
darkquasar / annotations.xml
Created Feb 25, 2021 — forked from Neo23x0/annotations.xml
Sources for APT Groups and Operations Search Engine
<?xml version="1.0" encoding="UTF-8" ?>
<Annotations start="0" num="138" total="138">
  <Annotation about="**" timestamp="0x00056c69af232729" href="Cg0qLjQwMXRyZy5wdy8qEKnOjPmajdsC">
    <Label name="_cse_turlh5vi4xc" />
    <AdditionalData attribute="original_url" value="" />
  </Annotation>
  <Annotation about="*" timestamp="0x00056c678a15c50b" href="ChpkZWNhbGFnZS5pbmZvL2VuL3NlY3VyaXR5KhCLitfQ-IzbAg">
    <Label name="_cse_turlh5vi4xc" />
    <AdditionalData attribute="original_url" value="" />
  </Annotation>
  <!-- preview truncated: the remaining Annotation elements of this Google Custom Search Engine annotations file are not shown here -->
</Annotations>
darkquasar /
Last active Dec 10, 2019
Splunk Search to Weed Out Low Hanging Fruit and Out-Of-The-Box Pentest

Draft rule for a Splunk Search

Suspicious User Agents

You will not detect APTs with this, but it will weed out low-hanging fruit and not-too-savvy pentesters :)

(user_agent IN ("*burp*", "*qualys*", "*nexpose*", "*OpenVAS*", "*Nikto*", "*Meterpreter*", "*Iceweasel*", "*DirB*", "*Comodo*", "*Tripwire*", "*Retina*", "*MBSA*", "*ImmuniWeb*", "*Netsparker*", "*Acunetix*", "*Intruder*", "*WinHttp.WinHttpRequest*", "*nmap*", "*CVE*", "*base64*", "*eval*", "*ftp*", "*/script*", "*javascript*", "*alert*") OR NOT user_agent=*) NOT user_agent="*google*"
| eval detection_description=case(
      match(user_agent, "(?i)WinHttp.WinHttpRequest"), "CScript or VBScript Call",
      match(user_agent, "(?i)Iceweasel"), "Potentially Kali",
      match(user_agent, "(?i)Meterpreter"), "Meterpreter",
      isnull(user_agent), "Empty user agent",
      true(), "Suspicious user agent")

The IN values carry wildcards because user_agent holds the whole UA string: a bare "Nikto" would only match a field that is exactly "Nikto", and the Nikto scanner sends "Mozilla/5.00 (Nikto/2.1.6) ...". The empty-string entry of the original list is expressed as NOT user_agent=*, since a blank UA usually means the field is not extracted at all. The labels use match() with (?i) because like() is case-sensitive and the scanner spells itself "Iceweasel", not "IceWeasel". Expect noise from the short tokens ("eval", "ftp", "cve", "alert"): they match inside ordinary words, so tune them against your own traffic before alerting on them.
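The same user-agent triage logic, as an added Python example that is not part of the gist: it parses constructed combined-format access-log lines (the sample traffic is made up) and applies the indicator list, the Google exclusion, the per-tool labels and the empty-UA case the search above expresses in SPL. The log format, the `-` convention for a missing user agent and the generic label text are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Indicator substrings from the Splunk search, compared case-insensitively.
UA_INDICATORS = (
    "burp", "qualys", "nexpose", "openvas", "nikto", "meterpreter", "iceweasel",
    "dirb", "comodo", "tripwire", "retina", "mbsa", "immuniweb", "netsparker",
    "acunetix", "intruder", "winhttp.winhttprequest", "nmap", "cve", "base64",
    "eval", "ftp", "/script", "javascript", "alert",
)

# Specific labels, first match wins; anything else that hits an indicator gets a generic label.
UA_LABELS = (
    (re.compile(r"winhttp\.winhttprequest", re.I), "CScript or VBScript Call"),
    (re.compile(r"iceweasel", re.I), "Potentially Kali"),
    (re.compile(r"meterpreter", re.I), "Meterpreter"),
)

# Apache/nginx "combined" log format (assumed); a missing user agent is logged as "-".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def classify_user_agent(ua: str) -> Optional[str]:
    """Return a detection label for a user-agent string, or None if it looks benign."""
    if ua in ("", "-"):
        return "Empty user agent"
    lowered = ua.lower()
    if "google" in lowered:  # mirrors the NOT user_agent="google" exclusion
        return None
    for pattern, label in UA_LABELS:
        if pattern.search(ua):
            return label
    if any(indicator in lowered for indicator in UA_INDICATORS):
        return "Suspicious user agent"
    return None


def scan_access_log(lines) -> List[Tuple[str, str, str, str]]:
    """Return (client_ip, request, user_agent, label) for every suspicious line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:  # unparsable line: skip it rather than abort the whole run
            continue
        label = classify_user_agent(m["ua"])
        if label:
            hits.append((m["ip"], m["req"], m["ua"], label))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2019:10:00:01 +0000] "GET /login HTTP/1.1" 200 1043 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/78.0 Safari/537.36"',
    '10.0.0.9 - - [10/Dec/2019:10:00:02 +0000] "GET /admin/ HTTP/1.1" 404 512 "-" '
    '"Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"',
    '10.0.0.9 - - [10/Dec/2019:10:00:03 +0000] "GET /backup.zip HTTP/1.1" 404 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Iceweasel/60.0"',
    '10.0.0.12 - - [10/Dec/2019:10:00:04 +0000] "POST /upload HTTP/1.1" 200 88 "-" '
    '"Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"',
    '10.0.0.13 - - [10/Dec/2019:10:00:05 +0000] "GET / HTTP/1.1" 200 2048 "-" "-"',
    '66.249.66.1 - - [10/Dec/2019:10:00:06 +0000] "GET /robots.txt HTTP/1.1" 200 40 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
]

if __name__ == "__main__":
    for ip, req, ua, label in scan_access_log(SAMPLE_LOG):
        print(f"{ip:12} {label:26} {req}  UA={ua}")
```

Running it over the sample yields four hits (Nikto, Iceweasel, WinHttpRequest and the blank UA) and leaves the Chrome and Googlebot lines alone. A UA such as "Retrieval-Client/1.0" is also flagged, because "eval" sits inside "Retrieval": that is the false-positive profile of the short tokens in the list.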

darkquasar / sysmon_suspicious_keyboard_layout_load.yml
Last active Oct 16, 2019 — forked from Neo23x0/sysmon_suspicious_keyboard_layout_load.yml
Sigma Rule to Detect Uncommon Keyboard Layout Loads in Your Organisation
title: Suspicious Keyboard Layout Load
description: Detects the installation of a keyboard layout preload entry for a suspicious layout, e.g. a Chinese, Iranian or Vietnamese layout loaded in a user session on systems maintained by US staff only
author: Florian Roth
date: 2019/10/12
logsource:
    product: windows
    service: sysmon
    definition: 'Requirements: Sysmon config that monitors the \Keyboard Layout\Preload subkey of the user (HKCU) hives - see'
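The detection the rule describes, as an added Python example that is neither the Sigma rule nor the gist's own code: it takes Sysmon Event ID 13 (registry value set) records as dictionaries, keeps only writes under a user's Keyboard Layout\Preload key, decodes the 8-hex-digit keyboard layout identifier (KLID) written there, and flags any language that is not on an allow-list. The allow-list (US English only) follows the rule's "US staff only" premise; the sample events, the SID and the field names as dictionary keys are constructed.

```python
import re
from typing import List, Optional

# Sysmon Event ID 13 (RegistryEvent, value set) reports per-user keys under HKU\<SID>\...
PRELOAD_RE = re.compile(
    r"^HKU\\(?P<sid>S-1-5-21-[0-9-]+)\\Keyboard Layout\\Preload\\(?P<slot>\d+)$", re.I
)

# Windows language identifiers (low 16 bits of a KLID). Only a handful are listed here.
LANGID_NAMES = {
    0x0409: "en-US", 0x0804: "zh-CN", 0x0404: "zh-TW", 0x0411: "ja-JP",
    0x0412: "ko-KR", 0x0419: "ru-RU", 0x0429: "fa-IR", 0x042A: "vi-VN",
}

# Assumption taken from the rule description: staff only use a US layout.
ALLOWED_LANGIDS = {0x0409}


def klid_language_id(klid: str) -> Optional[int]:
    """Language ID of an 8-hex-digit KLID such as '00000804' or the IME form 'd0010804'."""
    if not re.fullmatch(r"[0-9A-Fa-f]{8}", klid):
        return None
    return int(klid, 16) & 0xFFFF


def check_preload_event(event: dict) -> Optional[dict]:
    """Return a finding for a suspicious Preload write, or None for anything else."""
    if event.get("EventID") != 13:
        return None
    m = PRELOAD_RE.match(event.get("TargetObject", ""))
    if not m:
        return None
    klid = event.get("Details", "")
    langid = klid_language_id(klid)
    if langid is None:
        language = "unparsable"  # a non-KLID value in Preload is itself worth a look
    elif langid in ALLOWED_LANGIDS:
        return None
    else:
        language = LANGID_NAMES.get(langid, f"unknown-0x{langid:04X}")
    return {"sid": m["sid"], "slot": m["slot"], "klid": klid,
            "language": language, "image": event.get("Image")}


def scan_events(events) -> List[dict]:
    return [f for f in map(check_preload_event, events) if f]


# Constructed sample events (not from a real host).
SID = "S-1-5-21-1111-2222-3333-1001"
KL = "HKU\\" + SID + "\\Keyboard Layout\\"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": KL + "Preload\\1", "Details": "00000409"},   # en-US: expected
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": KL + "Preload\\2", "Details": "00000804"},   # zh-CN
    {"EventID": 13, "Image": "C:\\Windows\\System32\\ctfmon.exe",
     "TargetObject": KL + "Preload\\3", "Details": "00000429"},   # fa-IR
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": KL + "Preload\\2", "Details": "d0010804"},   # IME KLID, still zh-CN
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": KL + "Substitutes\\00000409", "Details": "00020409"},  # not Preload
    {"EventID": 12, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": KL + "Preload"},                             # key created, no value
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

Only the low 16 bits of the KLID are compared, so IME variants of a layout (the "d001...." form) are attributed to the same language as the plain layout. The Substitutes key and key-creation events are deliberately ignored; a Sysmon configuration that only captures the Preload subkey, as the rule's requirement states, will not produce them in the first place.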
darkquasar / JEWebDav.ps1
Created Feb 15, 2018
Simple WebDav Server in Powershell
Obtained from
Simple Reverse Shell over HTTP. Deliver the link to the target and wait for connectback.
Read And Write Files Over WebDAV Proof Of Concept