| rule malware_karama_0 { | |
| meta: | |
| descrption = "Karma Ransomware" | |
| strings: | |
| $name = "KARMA" ascii wide nocase | |
| $trait_0 = {33 f6 0f b7 41 ?? 83 c1 02 8b d0 66 85 c0 75 da} | |
| $trait_1 = {0f b7 d0 66 83 fa 5c 74 10} | |
| condition: | |
| uint16(0) == 0x5a4d and | |
| uint32(uint32(0x3c)) == 0x00004550 and |
| from oletools.olevba import VBA_Parser, TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML, TYPE_MHTML | |
| import sys | |
| import re | |
| vbaparser = VBA_Parser(sys.argv[1]) | |
| replace_regex = r"\s*([^=]+)\s*=\s*Replace\(\s*([^,]+)\s*,\s*\"([^,]*)\"\s*,\s*\"([^,]*)\"\s*\)" | |
| replace = re.compile(replace_regex, re.MULTILINE) | |
| regex_url = "http(s)?://[^,\"]+" |
| lookup = [ 90,132,6,69,174,203,232,243,87,254,166,61,94,65,8,208,51, | |
| 34,33,129,32,221,0,160,35,175,113,4,139,245,24,29,225,15, | |
| 101,9,206,66,120,62,195,55,202,143,100,50,224,172,222,145, | |
| 124,42,192,7,244,149,159,64,83,229,103,182,122,82,78,63,131, | |
| 75,201,130,114,46,118,28,241,30,204,183,215,199,138,16,121,26, | |
| 77,25,53,22,125,67,43,205,134,171,68,146,212,14,152,20,185, | |
| 155,167,36,27,60,226,58,211,240,253,79,119,209,163,12,72,128, | |
| 106,218,189,216,71,91,250,150,11,236,207,73,217,17,127,177,39, | |
| 231,197,178,99,230,40,54,179,93,251,220,168,112,37,246,176,156, | |
| 165,95,184,57,228,133,169,252,19,2,81,48,242,105,255,116,191,89, |
| import pandas as pd | |
| from datetime import datetime | |
| def get_availabilities(start, end, freq, weekmask=None, bhours=None, bstop=None, holidays=None): | |
| """ | |
| :param start: datetime | |
| :param end: datetime | |
| :param freq: int |
| // Substitution BOX, a lookup table to optimyze the substitution step | |
| pub type Sbox = [u8; 256]; | |
| // shift 8 bits left | |
| fn rot_l8(x: u8,shift: isize) -> u8 { | |
| // check that input is in bounds | |
| assert!(shift < 8); | |
| assert!(shift > -8); | |
| // actualy do it | |
| ((x) << (shift)) | ((x) >> (8 - (shift))) |
| #!/usr/bin/python | |
| import requests | |
| from socket import * | |
| from requests.packages.urllib3.contrib import pyopenssl as reqs | |
| from requests.packages.urllib3.exceptions import InsecureRequestWarning | |
| requests.packages.urllib3.disable_warnings(InsecureRequestWarning) | |
| import argparse | |
| import ipaddress | |
| #import asyncio |
Cloud Security Orienteering: Checklist
by Rami McCarthy
via TL;DR sec
How to orienteer in a cloud environment, dig in to identify the risks that matter, and put together actionable plans that address short, medium, and long term goals.
Based on the Cloud Security Orienteering methodology.
| #!/bin/bash | |
| # by d4rk3r | |
| # A smart way to search for a code | |
| # inside your git history whatever the branch you're | |
| # -- Setup : | |
| # -- After getting the bash script | |
| # chmod +x /path/to/gf.sh |
| IcedID Dropper: | |
| IcedID Dropper Analysis: | |
| IcedID Dropper URL: | |
| IcedID Loader Analysis: https://tria.ge/210726-trdt8nd4te | |
| IcedID Staging Server: feedbackfileweb.club | |
| IcedID Loader Project ID: 1394912167 | |
| IcedID Core Analysis: https://tria.ge/210726-a4jls9zgbs | |
| IcedID Core C2s: gsterangsic.buzz oscanonamik.club riderskop.top iserunifish.club |
In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;
The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
