mirror of
https://github.com/pe3zx/my-infosec-awesome.git
synced 2024-06-28 06:32:11 +00:00
14 KiB
14 KiB
My Awesome
My curated list of awesome links, resources and tools
Articles
Malware Analysis
- CCleaner's backdoor analysis
- List of interesting Windows APIs used by malware
| WNetAddConnection | The WNetAddConnection function enables the calling application to connect a local device to a network resource. A successful connection is persistent, meaning that the system automatically restores the connection during subsequent logon operations. An example of malware that implement this function can be found below: |
Tools
AWS Security
Open source projects related to AWS security.
| airbnb/BinaryAlert | BinaryAlert: Serverless, Real-time & Retroactive Malware Detection |
| cloudsploit/scans | AWS security scanning checks |
| nccgroup/Scout2 | Security auditing tool for AWS environments |
| Netflix/security_monkey | Security Monkey monitors your AWS and GCP accounts for policy changes and alerts on insecure configurations. |
| Alfresco/prowler | Tool for AWS security assessment, auditing and hardening. It follows guidelines of the CIS Amazon Web Services Foundations Benchmark. |
Binary Analysis
Binary analysis tools, including decompilers, deobfuscators, disassemblers, etc.
| fireeye/flare-floss | FireEye Labs Obfuscated String Solver - Automatically extract obfuscated strings from malware. |
| katjahahn/PortEx | Java library to analyse Portable Executable files with a special focus on malware analysis and PE malformation robustness |
| williballenthin/python-idb | Pure Python parser and analyzer for IDA Pro database files (.idb). |
Digital Forensics and Incident Response
Open source projects related to DFIR topic.
| Invoke-IR/PowerForensics | PowerForensics provides an all in one platform for live disk forensic analysis |
| nannib/Imm2Virtual | This is a GUI (for Windows 64 bit) for a procedure to virtualize your EWF(E01), DD(Raw), AFF disk image file without converting it, directly with VirtualBox, forensically proof. |
| nshalabi/SysmonTools | Utilities for Sysmon (Sysmon View and Sysmon Shell) |
| THIBER-ORG/userline | Query and report user logons relations from MS Windows Security Events |
| TryCatchHCF/DumpsterFire | "Security Incidents In A Box!" A modular, menu-driven, cross-platform tool for building customized, time-delayed, distributed security events. Easily create custom event chains for Blue Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations. Build event sequence… |
Exploits
Interesting exploits. For research purpose only
>| CVE-2016-7255 | The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability." |
| CVE-2017-5123 | The `waitid` implementation in upstream kernels did not restrict the target destination to copy information results. This can allow local users to write to otherwise protected kernel memory, which can lead to privilege escalation. |
| CVE-2017-7089 | A logic issue existed in the handling of the parent-tab. This issue was addressed with improved state management. Processing maliciously crafted web content may lead to universal cross site scripting. |
| CVE-2017-7115 | The exploit achieves R/W access to the host's physical memory. The password for the archive is "one_ring". This exploit has been tested on the iPhone 7, iOS 10.2 (14C92). To run the exploit against different devices or versions, the symbols must be adjusted. |
| CVE-2017-86464 | Windows Shell in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows local users or remote attackers to execute arbitrary code via a crafted .LNK file, which is not properly handled during icon display in Windows Explorer or any other application that parses the icon of the shortcut. aka "LNK Remote Code Execution Vulnerability." |
| CVE-2017-8759 | Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow an attacker to execute code remotely via a malicious document or application, aka ".NET Framework Remote Code Execution Vulnerability." |
| CVE-2017-13082 | Access Points (APs) might contain a vulnerable implementation of the Fast BSS Transition (FT) handshake. More precisely, a retransmitted or replayed FT Reassociation Request may trick the AP into reinstalling the pairwise key. If the AP does not process retransmitted FT reassociation requests, or if it does not reinstall the pairwise key, it is not vulnerable. If it does reinstall the pairwise key, the effect is similar to the attack against the 4-way handshake, except that the AP instead of the client is now reinstalling a key. More precisely, the AP will subsequently reuse packet numbers when sending frames protected using TKIP, CCMP, or GCMP. This causes nonce reuse, voiding any security these encryption schemes are supposed to provide. Since the packet number is also used as a replay counter for received frames, frames sent *towards* the AP can also be replayed.
In contrast to the 4-way handshake and group key handshake, this is not an attack against the specification. That is, if the state machine as shown in Figure 13-15 of the 802.11-2016 standard is faithfully implemented, the AP will not reinstall the pairwise keys when receiving a retransmitted FT Reassociation Request. However, we found that many APs do process this frame and reinstall the pairwise key. > |
| FriendsOfPHP/security-advisories | The PHP Security Advisories Database references known security vulnerabilities in various PHP projects and libraries. This database must not serve as the primary source of information for security issues, it is not authoritative for any referenced software, but it allows to centralize information for convenience and easy consumption. |
| ScottyBauer/Android_Kernel_CVE_POCs | A list of my CVE's with POCs |
| spencerdodd/kernelpop | Kernel privilege escalation enumeration and exploitation framework |
| victims/victims-cve-db | This database contains information regarding CVE(s) that affect various language modules. We currently store version information corresponding to respective modules as understood by select sources. |
| xairy/kernel-exploits | A bunch of proof-of-concept exploits for the Linux kernel |
Malware Analysis
Tools related to malware analysis, malware development (for research purpose) and malware sample finding
| adamkramer/rapid_env | Rapid deployment of Windows environment (files, registry keys, mutex etc) to facilitate malware analysis |
| Cryptam Document Scanner | Encrypted/obfuscated malicious document analyzer |
| quasar/QuasarRAT | Quasar is a fast and light-weight remote administration tool coded in C#. Providing high stability and an easy-to-use user interface, Quasar is the perfect remote administration solution for you. |
Social Engineering
Tools related to social engineering attack and human hacking
| Undeadsec/EvilURL | An unicode domain phishing generator for IDN Homograph Attack |