bump

Forensics/Volatility.md

@@ -3,6 +3,7 @@
 Search through collected volatile memory dumps, volume and VM images.
 Volatility and Volatility 3 have a different syntax. The older one has  
 higher malware hunting abilities.  
+Always check both of the versions if you are not sure about how the file was dumped.
 
 * [Cheat sheet](https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf)
 * [Hacktricks shee](https://book.hacktricks.xyz/forensics/volatility-examples)
@@ -27,6 +28,18 @@ volatility -f <file.iso> --profile <OSprofile> dlllist -p <PID>
 ```sh
 volatility -f <file.iso> --profile <OSprofile> shellbags
 ```
+* Scan network
+```sh
+volatility -f <file.iso> --profile <OSprofile> netscan
+```
+* Scan files
+```sh
+volatility -f <file.iso> --profile <OSprofile> filescan | grep <fileToLookFor>
+```
+* Dump files
+```sh
+volatility -f <file.iso> --profile <OSprofile> dumpfiles -Q <addressFromfilescan> -D .
+```
 
 ### Volatility3 
 

Miscellaneous/Exploit Mitigation.md

@@ -0,0 +1,44 @@
+# Exploit Mitigation
+
+> All User Input is Evil
+
+## Web Mitigations
+
+### Uploads
+
+* Validate the following
+    * Content-Type
+    * File Extension
+    * Magic File Number
+    * Maximum File Size
+* Rename the file randomly
+* Scan for Malware
+* Use Path objects instead of Strings
+* Save uploads outside of the web root
+
+### Database SQLi 
+
+* Typecasting of variables inserted
+* Prepared Statements
+
+### HTML5 Input & Forms
+
+* An `<input>` field can provide a pattern which checks for regex. In a free text field regex is not sufficient, therefore whitelist allowed characters.
+* Use `type` attribute of `<input>` to set the type of the values
+* Requirements on the inputs can be done in the following ways of `required <attributes>`:
+    * `minlength`
+    * `maxlength`
+    * `size`
+    * `min`
+    * `max`
+    * `pattern`
+
+### PHP Input Backend
+
+* `htmlentities()` escapes characters
+```sh
+$name = htmlentities($_GET['name'], ENT_QUOTES | ENT_HTML5, "UTF-8")
+```
+* Use HTMLPurifier
+* Use `intval()` to typecast, e.g. ids
+```

Miscellaneous/Sigma Rules.md

@@ -0,0 +1,30 @@
+# Sigma Rules
+
+An abstracted yaml configuration setup which can be converted into multiple queries like Splunk, Kibana, Yara etc. ...
+* [SigmaHQ's repo](https://github.com/SigmaHQ/sigma.git)
+
+
+## Fields
+
+A minimal configuration should contain at least the following fields
+* title
+* id
+* status
+* description
+* logsource
+* detection
+
+Additional fields may be
+* falsePostivives
+* levels
+* tags
+
+## Transform Modifiers
+
+A detection selection can be refined through setting a pipe `|` followed by the modifier `contains`, `endswith`, `startswith` and `all`.
+
+## Tools
+
+* [sigma-cli](https://github.com/SigmaHQ/sigma-cli)
+* [pySigma](https://github.com/SigmaHQ/pySigma)
+* [Uncoder.io](https://uncoder.io/)

Reverse Engineering/Firmware.md

@@ -1,6 +1,7 @@
 # Reversing Firmware
 
 ## Tools
+
 * binwalk
 * unlzma
 * tar
@@ -10,15 +11,30 @@
     ./fat.py <firmware>
     ```
 * [Jefferson](https://github.com/sviehb/jefferson) or AUR package `jefferson-git`
+* Squashfs
 
 ## Usage
+
 * Check image via `strings`
 * Check CRC via `cksum -a crc <image>`
 * Use `binwalk` to extract. There are to methods
     * `-e` extract by offset
     * `--dd=".*"` by file extension
 
+### Mount Squashfs
+
+Extract the filesystem of a firmware image
+
+* Use `squashfs-tools`
+* Extract via binwalk and
+```sh
+unsquashfs <SquashFS image>
+mksquashfs squashfs-root filesystem.squashfs
+mount filesystem.squashfs /mtn/squash
+```
+
 ### Mount JFFS2 File
+
 * Use kernel where `CONFIG_MTD_RAM` is set. Using Arch this is any kernel before `5.10`
 ```sh
 rm -rf /dev/mtdblock0
@@ -32,4 +48,5 @@ mount -t jffs2 /dev/mtdblock0 /mnt/jffs2/
 ```
 
 ## Tips & Tricks
+
 * Watch out for `HNAP` and `JNAP` as [an attack vector](https://routersecurity.org/hnap.php)