Arnim Rupp ruppde

## XZ Backdoor Analysis
XZ Backdoor symbol deobfuscation. Updated as i make progress

## pwsh_dirty_words.yml
# Source: System.Management.Automation.dll
# This list is used to determin if a ScriptBlock contains potential suspicious content
# If a match is found an automatic 4104 with a "warning" level is generated.
# https://github.com/PowerShell/PowerShell/blob/master/src/System.Management.Automation/engine/runtime/CompiledScriptBlock.cs
- "Add-Type"
- "AddSecurityPackage"
- "AdjustTokenPrivileges"
- "AllocHGlobal"
- "BindingFlags"
- "Bypass"

## 20211210-TLP-WHITE_LOG4J.md

      
              1 file
            
          
              94 forks
            
          
              765 comments
            
          
              1091 stars
            
          
                SwitHak
                / 20211210-TLP-WHITE_LOG4J.md
            
            
              Last active
              May 4, 2024 18:20
            
              
                BlueTeam CheatSheet * Log4Shell* | Last updated: 2021-12-20 2238 UTC
              
          
    Security Advisories / Bulletins / vendors Responses linked to Log4Shell (CVE-2021-44228)
Errors, typos, something to say ?


If you want to add a link, comment or send it to me
Feel free to report any mistake directly below in the comment or in DM on Twitter @SwitHak

Other great resources


Royce Williams list sorted by vendors responses Royce List
Very detailed list NCSC-NL
The list maintained by U.S. Cybersecurity and Infrastructure Security Agency: CISA List


## log4j_rce_detection.md

      
              1 file
            
          
              72 forks
            
          
              70 comments
            
          
              512 stars
            
          
                Neo23x0
                / log4j_rce_detection.md
            
            
              Last active
              January 28, 2024 08:19
            
              
                Log4j RCE CVE-2021-44228 Exploitation Detection
              
          
    log4j RCE Exploitation Detection

You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228
Grep / Zgrep

This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders
sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log

  
## help.md

      
              1 file
            
          
              6 forks
            
          
              1 comment
            
          
              14 stars
            
          
                Neo23x0
                / help.md
            
            
              Last active
              July 30, 2023 12:19
            
              
                Offensive Research Guide to Help Defense Improve Detection
              
          
    I've transformed this gist into a git repository.

Whenever you research a certain vulnerability ask yourself these questions and please answer them for us
Logging

Does the exploited service write a log? 

(check ls -lrt /var/log or lsof +D /var/log/ or lsof | grep servicename)
	# Source: System.Management.Automation.dll
	# This list is used to determin if a ScriptBlock contains potential suspicious content
	# If a match is found an automatic 4104 with a "warning" level is generated.
	# https://github.com/PowerShell/PowerShell/blob/master/src/System.Management.Automation/engine/runtime/CompiledScriptBlock.cs
	- "Add-Type"
	- "AddSecurityPackage"
	- "AdjustTokenPrivileges"
	- "AllocHGlobal"
	- "BindingFlags"
	- "Bypass"