Skip to content

Instantly share code, notes, and snippets.

View ruppde's full-sized avatar

Arnim Rupp ruppde

102 followers · 156 following
View GitHub Profile
@smx-smx
smx-smx / XZ Backdoor Analysis
Last active February 26, 2025 01:17
[WIP] XZ Backdoor Analysis and symbol mapping
XZ Backdoor symbol deobfuscation. Updated as i make progress
@nasbench
nasbench / pwsh_dirty_words.yml
Last active March 19, 2025 19:57
List of suspicious strings used by PowerShell `SuspiciousContentChecker` function
# Source: System.Management.Automation.dll
# This list is used to determin if a ScriptBlock contains potential suspicious content
# If a match is found an automatic 4104 with a "warning" level is generated.
# https://github.com/PowerShell/PowerShell/blob/master/src/System.Management.Automation/engine/runtime/CompiledScriptBlock.cs
- "Add-Type"
- "AddSecurityPackage"
- "AdjustTokenPrivileges"
- "AllocHGlobal"
- "BindingFlags"
- "Bypass"
@SwitHak
SwitHak / 20211210-TLP-WHITE_LOG4J.md
Last active February 7, 2025 23:49
BlueTeam CheatSheet * Log4Shell* | Last updated: 2021-12-20 2238 UTC

Security Advisories / Bulletins / vendors Responses linked to Log4Shell (CVE-2021-44228)

Errors, typos, something to say ?

  • If you want to add a link, comment or send it to me
  • Feel free to report any mistake directly below in the comment or in DM on Twitter @SwitHak

Other great resources

  • Royce Williams list sorted by vendors responses Royce List
  • Very detailed list NCSC-NL
  • The list maintained by U.S. Cybersecurity and Infrastructure Security Agency: CISA List
@Neo23x0
Neo23x0 / log4j_rce_detection.md
Last active April 11, 2025 22:49
Log4j RCE CVE-2021-44228 Exploitation Detection

log4j RCE Exploitation Detection

You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228

Grep / Zgrep

This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders

sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
@EvanMcBroom
EvanMcBroom / arnold.md
Last active March 24, 2025 12:49
IllBeBack - An Undocumented Function

IllBeBack - An Undocumented Function

Microsoft purchased the software Softricity SoftGrid in 2006 and renamed it to Microsoft Application Virtualization, or App-V for short. Windows shipped with several libraries in System32 and SysWOW64 to support App-V.

AppVTerminator.dll

One App-V library stands out from all the rest because it only has one exported function named IllBeBack... That's right! A library signed by Microsoft, with Terminator in the name, that only has a single callable function named IllBeBack.

@Neo23x0
Neo23x0 / help.md
Last active July 30, 2023 12:19
Offensive Research Guide to Help Defense Improve Detection

I've transformed this gist into a git repository.

Whenever you research a certain vulnerability ask yourself these questions and please answer them for us

Logging

Does the exploited service write a log?
(check ls -lrt /var/log or lsof +D /var/log/ or lsof | grep servicename)