🤖
Stuck in groundhog day

Cyber Marmot georgethemarmot
@jwmcgettigan
jwmcgettigan / bitwarden_duplicate_cleaner.py
Last active April 10, 2024 03:45
Identifies and removes duplicate 'items' and 'folders' from your Bitwarden vault. 🎃
#!/usr/bin/env python3
# Copyright © 2023 Justin McGettigan
# Permission is hereby granted, free of charge, to any person obtaining a copy of this software
# and associated documentation files (the “Software”), to deal in the Software without
# restriction, including without limitation the rights to use, copy, modify, merge, publish,
# distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the
# Software is furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all copies or
@SwitHak
SwitHak / 20211210-TLP-WHITE_LOG4J.md
Last active May 14, 2024 11:08
BlueTeam CheatSheet *Log4Shell* | Last updated: 2021-12-20 2238 UTC

Security Advisories / Bulletins / vendors Responses linked to Log4Shell (CVE-2021-44228)

Errors, typos, something to say?

  • If you want to add a link, comment or send it to me
  • Feel free to report any mistake directly below in the comment or in DM on Twitter @SwitHak

Other great resources

  • Royce Williams' list, sorted by vendor responses: Royce List
  • Very detailed list: NCSC-NL
  • The list maintained by the U.S. Cybersecurity and Infrastructure Security Agency: CISA List
@gnremy
gnremy / CVE-2021-44228_IPs.csv
Last active April 26, 2023 07:01
CVE-2021-44228 Apache Log4j RCE Attempts Dec 20th 9:27PM ET
@Neo23x0
Neo23x0 / log4j_rce_detection.md
Last active January 28, 2024 08:19
Log4j RCE CVE-2021-44228 Exploitation Detection

log4j RCE Exploitation Detection

You can use these commands and rules to search for exploitation attempts against the log4j RCE vulnerability CVE-2021-44228.

Grep / Zgrep

This command searches for exploitation attempts in uncompressed files in the folder /var/log and all of its subfolders.

sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
@michelep
michelep / Wazuh 4.x index management
Last active April 1, 2022 15:55
Wazuh 4.x index management
You can achieve this by setting the policy id in the /etc/filebeat/wazuh-template.json file (on the Wazuh nodes) and then reloading the template. For example, let's say that you have created your ISM policy on Elasticsearch with id wazuh-index-state-policy,
Edit the wazuh-template.json file.
Add the line "opendistro.index_state_management.policy_id": "wazuh-index-state-policy" inside the settings object:
"opendistro" : {
  "index_state_management" : {
    "policy_id" : "hot_warm_delete_workflow"
  }
}
@Chaz6
Chaz6 / readme.md
Last active February 14, 2024 15:19
How to replace UEFI Secure Boot certificates in VMware

Custom Secure Boot configuration while deploying a new Virtual Machine

The Secure Boot configuration is stored in NVRAM. If the NVRAM contains no Secure Boot configuration (a freshly deployed VM, or a VM for which the .nvram file has been deleted from the datastore), the Secure Boot configuration will be reset to the defaults described in the UEFI Specification (the variables named PKDefault, KEKDefault, dbDefault and dbxDefault). You can use advanced VM config options to control those defaults, through which you can pre-populate the Secure Boot configuration before the VM is first powered on.

If you want to deploy the certificates as part of the VM's configuration, copy the DER-encoded certificate into the VM's directory and add the following advanced VM config options:

uefi.secureBoot.dbDefault.file0 = "custom-cert.der"

where "custom-cert.der" is the name of the DER-encoded certificate file within the VM's directory. You can repeat that for file1, file2, file3, etc., to add multiple certificate

$log_file = 'sysmon-checks.log'
$items = @(
"C:\Windows\Sysmon64.exe",
"C:\Windows\SysmonDrv.sys",
"HKLM:\SYSTEM\CurrentControlSet\Services\Sysmon64",
"HKLM:\SYSTEM\CurrentControlSet\Services\SysmonDrv",
"HKLM:\SYSTEM\ControlSet001\Services\Sysmon64",
"HKLM:\SYSTEM\ControlSet001\Services\SysmonDrv",
"HKLM:\SYSTEM\ControlSet002\Services\Sysmon64",
Function DelegatedAuthN {
<#
.SYNOPSIS
Authenticate to Azure AD (using Delegated Auth) and receive Access and Refresh Tokens.
.DESCRIPTION
Authenticate to Azure AD (using Delegated Auth) and receive Access and Refresh Tokens.
.PARAMETER tenantID
@jdhitsolutions
jdhitsolutions / Get-GPLink.ps1
Created January 18, 2021 16:47
A PowerShell function to list Group Policy links