Skip to content

Instantly share code, notes, and snippets.

View roycewilliams's full-sized avatar
💭
:cheeeeeese:

Royce Williams roycewilliams

💭
:cheeeeeese:
View GitHub Profile
ossec-win32 used by Storm-0501
https://www.ossec.net/about/
OSQuery used by Storm-0501
https://www.osquery.io/
GitGuardian used by Scattered Spider*
https://www.gitguardian.com/
MAGNET RAM Capture used by Scattered Spider*
@adtac
adtac / README.md
Last active September 26, 2024 17:45
Using your Kindle as an e-ink monitor

3.5 fps, Paperwhite 3
@adtac_

step 1: jailbreak your Kindle

mobileread.com is your best resource here, follow the instructions from the LanguageBreak thread

I didn't really follow the LanguageBreak instructions because I didn't care about most of the features + I was curious to do it myself, but the LanguageBreak github repo was invaluable for debugging

@velzie
velzie / manifest-v2-chrome.md
Last active October 8, 2024 07:39
How to keep using adblockers on chrome and chromium

How to keep using adblockers on chrome and chromium

  1. google's manifest v3 has no analouge to the webRequestBlocking API, which is neccesary for (effective) adblockers to work
  2. starting in chrome version 127, the transition to mv3 will start cutting off the use of mv2 extensions alltogether
  3. this will inevitably piss of enterprises when their extensions don't work, so the ExtensionManifestV2Availability key was added and will presumably stay forever after enterprises complain enough

You can use this as a regular user, which will let you keep your mv2 extensions even after they're supposed to stop working

Linux

In a terminal, run:

@smx-smx
smx-smx / XZ Backdoor Analysis
Last active October 3, 2024 20:36
[WIP] XZ Backdoor Analysis and symbol mapping
XZ Backdoor symbol deobfuscation. Updated as i make progress
@q3k
q3k / hashes.txt
Last active October 3, 2024 05:12
liblzma backdoor strings extracted from 5.6.1 (from a built-in trie)
0810 b' from '
0678 b' ssh2'
00d8 b'%.48s:%.48s():%d (pid=%ld)\x00'
0708 b'%s'
0108 b'/usr/sbin/sshd\x00'
0870 b'Accepted password for '
01a0 b'Accepted publickey for '
0c40 b'BN_bin2bn\x00'
06d0 b'BN_bn2bin\x00'
0958 b'BN_dup\x00'
@thesamesam
thesamesam / xz-backdoor.md
Last active October 11, 2024 03:27
xz-utils backdoor situation (CVE-2024-3094)

FAQ on the xz-utils backdoor (CVE-2024-3094)

This is a living document. Everything in this document is made in good faith of being accurate, but like I just said; we don't yet know everything about what's going on.

Background

On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that

const NEW_CHARMAP = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20!\"#$%&'{([])}*+-.\\/0123456789:;,<=>?@EeAaUuOoIiFfGgHhJjLl|WwMmNnBbDdTtPpQqRrKkCcSsZzVvXxYy^_`~";
function get_new_char_code(old_char_code){
return NEW_CHARMAP.indexOf(String.fromCharCode(old_char_code));
}
function get_old_char_code(new_char_code){
return NEW_CHARMAP.charCodeAt(new_char_code);
}
RSA Private-Key: (6969 bit, 69 primes)
modulus:
01:01:a2:9e:47:bc:24:44:b8:5a:6d:ee:28:5a:e0:
66:13:46:f1:b6:33:54:91:86:c2:91:1c:5e:b9:4a:
7b:0f:b8:24:86:a1:66:5a:fd:0e:59:a1:bf:e8:8f:
7a:50:29:47:d5:6e:03:c4:50:1d:ac:38:7d:c3:30:
9a:5e:07:b8:1c:21:d8:c7:d1:91:b2:59:da:0d:66:
9d:99:12:51:9d:e4:04:f4:3b:30:b4:b9:96:91:4b:
4c:6f:73:e5:09:86:ee:d2:fa:5f:a1:98:0b:ba:05:
6e:ab:4d:c9:29:a8:b7:eb:06:84:f2:c4:46:a9:cd:
@malexmave
malexmave / ntstatus.csv
Last active November 16, 2023 15:04
There are a bunch of versions of the list of NTSTATUS codes online, but many of them are invalid CSVs. This one is cleaned so that it is accepted by Azure Sentinel for import as a Watchlist.
We can make this file beautiful and searchable if this error is corrected: No commas found in this CSV file in line 0.
Return value;Return code;Description
0x00000000;STATUS_SUCCESS;The operation completed successfully.
0x00000000;STATUS_WAIT_0;The caller specified WaitAny for WaitType and one of the dispatcher objects in the Object array has been set to the signaled state.
0x00000001;STATUS_WAIT_1;The caller specified WaitAny for WaitType and one of the dispatcher objects in the Object array has been set to the signaled state.
0x00000002;STATUS_WAIT_2;The caller specified WaitAny for WaitType and one of the dispatcher objects in the Object array has been set to the signaled state.
0x00000003;STATUS_WAIT_3;The caller specified WaitAny for WaitType and one of the dispatcher objects in the Object array has been set to the signaled state.
0x0000003F;STATUS_WAIT_63;The caller specified WaitAny for WaitType and one of the dispatcher objects in the Object array has been set to the signaled state.
0x00000080;STATUS_ABANDONED;The caller attempted to wait for a mutex that has been abandoned.
0x00000080;STATUS_ABANDONED_WAIT_0;The call
Date,Details,Email Payload Type,Users Targeted
10/1/2023,FW: damaged Goods; xlam -> agenttesla continued to 10/9,Attachment,
10/2/2023,RE: SHIPPING DOCUMENT & PACKING LIST; r15 -> agenttesla,Attachment,2
10/2/2023,RE: CONFIRM REVISED PIURCHASE ORDER; zip -> formbook,Attachment,2
10/2/2023,Signed Purchase Order: PO/US/4509622207; zip -> formbook,Attachment,2
10/2/2023,Attachment name is Document.zip; zip -> agenttesla,Attachment,2
10/3/2023,RE: New Order; r15 -> agenttesla,Attachment,2
10/3/2023,Wrong Payment Information; zip -> agenttesla,Attachment,2
10/4/2023,RE: Status For September SOA; xls -> agenttesla continued to 10/5,Attachment,4
10/5/2023,Purchase Order - HOM-OS-20-23-813; r15 -> agenttesla,Attachment,2