TheHermit kevthehermit

## CVE-2023-49103-tags.csv

          
            Docker Tag
            Version
            PHP Info Response

            
              owncloud/server:10.13.3
              10.13.3
              False

            
              owncloud/server:10
              10
              False

            
              owncloud/server:10.13
              10.13
              False

            
              owncloud/server:10.12.2
              10.12.2
              False

            
              owncloud/server:10.12
              10.12
              False

            
              owncloud/server:10.13.3-rc.2
              10.13.3-rc.2
              False

            
              owncloud/server:10.13.2
              10.13.2
              False

            
              owncloud/server:10.13.3-rc.2-amd64
              10.13.3-rc.2-amd64
              False

            
              owncloud/server:10.13.2-amd64
              10.13.2-amd64
              False

## detection.yml
title: Sysmon Office MSDT
id: c95ed569-5da4-48b3-9698-5e429964556c
description: Detects MSDT Exploit Attempts
status: experimental
author: kevthehermit
date: 2022/05/30
references:
    - https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
    - https://gist.github.com/kevthehermit/5c8d52af388989cfa0ea38feace977f2
logsource:

## uhppote.nse
-- The Head
local match = require "match"
local nmap = require "nmap"
local stdnse = require "stdnse"
local shortport = require "shortport"

description = [[
    This script will scan for UHPPOTE Controllers and dump details
]]

## 31017.xml
 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="Microsoft-Windows-SMBClient" Guid="{988c59c5-0a1c-45b6-a555-0c62276e327d}" />
  <EventID>31017</EventID>
  <Version>0</Version>
  <Level>2</Level>
  <Task>0</Task>
  <Opcode>0</Opcode>
  <Keywords>0x200000000000080</Keywords>
  <TimeCreated SystemTime="2021-06-30T11:01:31.025306200Z" />

## netgear_analytics.json
"routerHardware": {
        "productFamily": "router",
        "modelName": "xr500",
        "stage": "prod",
        "deviceInfo": {
            "macAddress": "REDACTED BY ME",
            "serialNumber": "REDACTED BY ME"
        },
        "eventType": 1,
        "timeStamp": {

## omg_extract.py
import re
import argparse
import esptool
from esptool import ESPLoader
from io import StringIO
import sys


MODE_PATTERN = b'MODE ([1-2])\x00'
SSID_PATTERN = b'SSID (.*)\x00PASS'

## keybase.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                kevthehermit
                / keybase.md
            
            
              Created
              October 7, 2014 19:40
            
          
    Keybase proof

I hereby claim:

I am kevthehermit on github.
I am thehermit (https://keybase.io/thehermit) on keybase.
I have a public key whose fingerprint is 86C1 F5F7 B484 91D1 0397  7635 850A 2E18 861A 9E54

To claim this, I am signing this object:

  
## gist:d521193f593a487ee472
This is the pipal output of the Fake Origin Dump.
Read about it here - http://www.slashgear.com/origin-not-hacked-ea-confirms-false-alarm-13333575/
Get pipal here -https://github.com/digininja/pipal

Dates

Months
january = 47 (0.0%)
february = 16 (0.0%)
march = 118 (0.01%)
Docker Tag	Version	PHP Info Response
owncloud/server:10.13.3	10.13.3	False
owncloud/server:10	10	False
owncloud/server:10.13	10.13	False
owncloud/server:10.12.2	10.12.2	False
owncloud/server:10.12	10.12	False
owncloud/server:10.13.3-rc.2	10.13.3-rc.2	False
owncloud/server:10.13.2	10.13.2	False
owncloud/server:10.13.3-rc.2-amd64	10.13.3-rc.2-amd64	False
owncloud/server:10.13.2-amd64	10.13.2-amd64	False
	title: Sysmon Office MSDT
	id: c95ed569-5da4-48b3-9698-5e429964556c
	description: Detects MSDT Exploit Attempts
	status: experimental
	author: kevthehermit
	date: 2022/05/30
	references:
	- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
	- https://gist.github.com/kevthehermit/5c8d52af388989cfa0ea38feace977f2
	logsource:
	-- The Head
	local match = require "match"
	local nmap = require "nmap"
	local stdnse = require "stdnse"
	local shortport = require "shortport"

	description = [[
	This script will scan for UHPPOTE Controllers and dump details
	]]
	<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
	- <System>
	<Provider Name="Microsoft-Windows-SMBClient" Guid="{988c59c5-0a1c-45b6-a555-0c62276e327d}" />
	<EventID>31017</EventID>
	<Version>0</Version>
	<Level>2</Level>
	<Task>0</Task>
	<Opcode>0</Opcode>
	<Keywords>0x200000000000080</Keywords>
	<TimeCreated SystemTime="2021-06-30T11:01:31.025306200Z" />
	"routerHardware": {
	"productFamily": "router",
	"modelName": "xr500",
	"stage": "prod",
	"deviceInfo": {
	"macAddress": "REDACTED BY ME",
	"serialNumber": "REDACTED BY ME"
	},
	"eventType": 1,
	"timeStamp": {
	import re
	import argparse
	import esptool
	from esptool import ESPLoader
	from io import StringIO
	import sys


	MODE_PATTERN = b'MODE ([1-2])\x00'
	SSID_PATTERN = b'SSID (.*)\x00PASS'
	This is the pipal output of the Fake Origin Dump.
	Read about it here - http://www.slashgear.com/origin-not-hacked-ea-confirms-false-alarm-13333575/
	Get pipal here -https://github.com/digininja/pipal

	Dates

	Months
	january = 47 (0.0%)
	february = 16 (0.0%)
	march = 118 (0.01%)