This gist is not updated anymore.
Updated data: https://github.com/jipegit/IncidentsMindMaps/tree/main/SOLORIGATE_SUNBURST
Jean-Philippe jipegit
jipegit
/ SOLORIGATE_SUNBURST_TEARDROP.md
Last active
December 22, 2020 16:30
SOLORIGATE SUNBURST TEARDROP
| Type | Location | Documentation |
|---|---|---|
| Kernel/Sytem Extensions | /System/Library/Extensions/ /Library/Extensions/ /Extra/Extensions/ |
https://developer.apple.com/fr/support/kernel-extensions/ /Extra/Extensions/ is deprecated |
| Launch Daemons | /System/Library/LaunchDaemons/ /Library/LaunchDaemons/ /Users/*/Library/LaunchDaemons/ |
https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/Introduction.html |
| Launch Agents | /System/Library/LaunchAgents/ /Library/LaunchAgents/ /Users/*/Library/LaunchAgents/ |
https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/Introduction.html |
| Startup Items | /System/Library/StartupItems//Library/ |
jipegit
/ NtfsLastAccessUpdate_rules.md
Last active
April 3, 2024 20:08
Ntfs Last Access Update rules by Windows version
The table below contains the default/most probable observed behaviour depending on Windows version. Be sure to read the notes regarding Windows 7 and Windows 10.
Always verify the value of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate during triage.
| NTFS Last Access Update | |
|---|---|
| XP | ✔️ |
| M | A | C | B | D* | A* | Type | |
|---|---|---|---|---|---|---|---|
| FAT | X | X | X | wFatDate (16bits) wFatTime (16bits) | |||
| NTFS | X | X | X | X | FILETIME structure Contains a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 | ||
| EXT2/3 | X | X | X | X | Unix EPOCH, a 32-bit value representing the number of seconds that have elapsed since January 1, 1970 | ||
| Ext4 | X | X | X | X | X | Unix EPOCH, a 64-bit value representing the number of nanoseconds that have elapsed since January 1, 1970 | |
| XFS | X | X | X | X | Unix EPOCH, a 64-bit value representing the numb |
jipegit
/ gist:3da9fa7e47eeee44450a9bb0958d377e
Created
September 10, 2019 14:29
IoC extracted from volexity.com blog post Digital Crackdown: Large-Scale Surveillance and Exploitation of Uyghurs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Date | |
| 2019-09-02 | |
| References | |
| https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/ | |
| Artifacts | |
| Filesystem | |
| /data/data/com.android.browser/loader | |
| /data/data/com.android.browser/loader.log |
jipegit
/ Quick and Dirty iOS IoC from Google P0 blog posts
Last active
August 30, 2019 15:21
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Quick and Dirty iOS Exploits/Implant IoC from Google Project Zero blog posts | |
| Date | |
| 2019-08-30 | |
| References | |
| https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html | |
| https://googleprojectzero.blogspot.com/2019/08/in-wild-ios-exploit-chain-1.html | |
| https://googleprojectzero.blogspot.com/2019/08/in-wild-ios-exploit-chain-2.html | |
| https://googleprojectzero.blogspot.com/2019/08/in-wild-ios-exploit-chain-3.html |
jipegit
/ gist:be02145756f78f08342dc220f6a707db
Last active
July 5, 2017 19:57
Petya / Petrwrap / NotPetya / Nyetya / EternalPetya Technical blog posts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 2017-03-14 https://securelist.com/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/77762/ | |
| 2017-05-23 https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare/ (likey related to the same campaign) | |
| 2017-06-27 https://securelist.com/schroedingers-petya/78870/ | |
| 2017-06-27 https://securingtomorrow.mcafee.com/mcafee-labs/new-variant-petya-ransomware-spreading-like-wildfire/ | |
| 2017-06-27 http://blog.trendmicro.com/trendlabs-security-intelligence/large-scale-ransomware-attack-progress-hits-europe-hard/ | |
| 2017-06-27 https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ | |
| 2017-06-27 http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html | |
| 2017-06-27 https://blog.comae.io/byata-enhanced-wannacry-a3ddd6c8dabb | |
| 2017-06-28 https://www.govcert.admin.ch/blog/32/notes-about-the-notpetya-ransomware | |
| 2017-06-28 https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/ |