x_detection
CVE-2025-26465: Detect vulnerable OpenSSH
Description
🔒 Detect Vulnerable OpenSSH Configuration for CVE-2025-26465
This script examines your OpenSSH client to determine if it’s running a version vulnerable to CVE-2025-26465 and checks both global and user SSH configuration files for insecure settings (i.e. “VerifyHostKeyDNS” set to “yes” or “ask”).
🔍 How it works:
It runs ssh -V to extract the OpenSSH version and parses it into major, minor, and patch numbers.
The script compares the version against the vulnerable range (from 6.8p1 up to 9.9p1).
It scans /etc/ssh/ssh_config (and, if available, $HOME/.ssh/config) for any instance of “VerifyHostKeyDNS” set to “yes” or “ask”.
The script then outputs clear messages, indicating whether your client is at risk based on both version and configuration.
⚠️ Why it matters:
CVE-2025-26465 allows an attacker to perform a man-in-the-middle attack against the SSH client when the insecure VerifyHostKeyDNS setting is enabled. Detecting this misconfiguration is critical for preventing unauthorized interception or tampering of SSH sessions. This script helps ensure your infrastructure isn't unknowingly exposing sensitive credentials.
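The version and configuration checks described above, as an added POSIX shell example that is not the repository's own detection script; the config paths are the ones named above, the function names are mine, and a missing "pN" patch level is treated as patch 0:

```bash
#!/bin/sh
# Added example (not the repository's detection script): parse an "ssh -V"
# banner, test it against the 6.8p1 .. 9.9p1 range, and scan ssh_config files
# for VerifyHostKeyDNS set to yes or ask.

# Map "OpenSSH_9.6p1 Ubuntu-3ubuntu13.5, OpenSSL ..." to an integer that orders
# like (major, minor, patch). Prints nothing and returns 1 if not an OpenSSH banner.
openssh_version_key() {
    ver=$(printf '%s\n' "$1" | sed -n \
      's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)\(p\([0-9][0-9]*\)\)\{0,1\}.*/\1 \2 \4/p')
    [ -n "$ver" ] || return 1
    set -- $ver
    echo $(( $1 * 1000000 + $2 * 1000 + ${3:-0} ))
}

# 0 = version within 6.8p1 .. 9.9p1 inclusive, 1 = outside, 2 = unparseable.
is_vulnerable_openssh() {
    key=$(openssh_version_key "$1") || return 2
    [ "$key" -ge 6008001 ] && [ "$key" -le 9009001 ]
}

# Print each active "VerifyHostKeyDNS yes|ask" line (any case, "key value" or
# "key=value" form; commented lines ignored) as file:line:text. Returns 0 if at
# least one was found in any readable file, 1 otherwise.
find_verifyhostkeydns() {
    pat='^[[:space:]]*VerifyHostKeyDNS([[:space:]]+|[[:space:]]*=[[:space:]]*)(yes|ask)([[:space:]]|$)'
    found=1
    for f in "$@"; do
        [ -r "$f" ] || continue
        hits=$(grep -Ein "$pat" "$f") || continue
        printf '%s\n' "$hits" | sed "s|^|$f:|"
        found=0
    done
    return $found
}

# Check the local client: version first, then global and per-user config.
check_local_openssh() {
    banner=$(ssh -V 2>&1)
    is_vulnerable_openssh "$banner"; rc=$?
    case $rc in
        0) echo "WARNING: $banner is within the vulnerable range (6.8p1 to 9.9p1)" ;;
        1) echo "OK: $banner is outside the vulnerable range" ;;
        *) echo "UNKNOWN: could not parse a version from '$banner'" ;;
    esac
    if find_verifyhostkeydns /etc/ssh/ssh_config "$HOME/.ssh/config"; then
        echo "WARNING: VerifyHostKeyDNS is enabled; the client is at risk"
    else
        echo "OK: VerifyHostKeyDNS is not set to yes or ask"
    fi
}

case "${1:-}" in --run) check_local_openssh ;; esac
```

Run it with `--run` to check the local host; without arguments it only defines the functions so they can be sourced by other scripts.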
CVE-2025-21418: Detect Windows EoP
🔒 Monitor AFD.sys for Suspicious Modifications
This PowerShell script continuously monitors the integrity of the AFD.sys driver—a critical Windows networking component—by checking its last modification date, size, SHA256 hash, and version. Any recent changes (within a defined threshold) trigger a warning, log the event, and optionally send an email alert.
🔍 How it works:
- File Verification:
  The script first confirms that AFD.sys exists at its expected location. If not, it logs an error and exits, indicating a possible system integrity issue.
- File Analysis:
  It retrieves key details of the file including its last modification date, size, SHA256 hash, and version. It then compares the last modified timestamp against a specified threshold (e.g., modifications within the last 7 days).
- Alerting & Logging:
  If AFD.sys was modified recently, the script logs a warning with all the file details and displays the alert in the console. Optionally, it can also send an email notification. If no recent modifications are found, it logs a confirmation message noting the last modification date.
- Exit Codes for Automation:
  The script returns a specific exit code based on the status, allowing for integration into larger monitoring or automation frameworks.
⚠️ Why it matters:
AFD.sys is a crucial driver for Windows networking, and unexpected modifications can be a sign of malicious tampering or exploitation, potentially linked to vulnerabilities like CVE-2025-21418. By monitoring this file, administrators can quickly detect unauthorized changes, maintain system integrity, and respond to security incidents before they impact network operations.
CVE-2025-21181 - Denial of Service Vulnerability in Microsoft Message Queuing
Description
❗ CVE-2025-21181 is a Denial of Service (DoS) vulnerability affecting Microsoft Message Queuing (MSMQ). Attackers can exploit this flaw by sending specially crafted network packets to an exposed MSMQ service, causing it to crash or become unresponsive.
ℹ️ This detection script helps identify whether a system is potentially vulnerable by checking the status of the MSMQ service:
Check MSMQ Installation:
Determines whether the MSMQ service (MSMQ) is installed on the system.
If the service is missing, the system is unlikely to be affected by CVE-2025-21181.
Evaluate MSMQ Service Status:
If MSMQ is installed, checks whether the service is actively running.
If the service is running, the system could be vulnerable, especially if security patches have not been applied.
If MSMQ is installed but not running, the system is not actively exposed, though it is still recommended to apply security updates.
✅ Running this detection script will allow you to quickly assess whether your system is at risk from CVE-2025-21181.
x_remediation
CVE-2025-26465: Mitigate vulnerable OpenSSH
Description
🔒 Mitigate CVE-2025-26465 with an Automated SSH Configuration Update
This mitigation script automatically secures your OpenSSH client by backing up and modifying the SSH configuration to disable the vulnerable “VerifyHostKeyDNS” option, protecting your SSH sessions from potential man-in-the-middle attacks.
🔍 How it works:
It first retrieves and checks your OpenSSH version to confirm it falls within the vulnerable range.
The script backs up the global configuration file (typically /etc/ssh/ssh_config) to ensure you have a recovery point.
It then searches for any instance of “VerifyHostKeyDNS” set to “yes” or “ask” and modifies those lines to “no”.
The update is applied in place, so the vulnerability is mitigated without manual edits, and you can verify the result afterwards.
⚠️ Why it matters:
By automatically disabling the risky DNS-based host key verification setting, this script prevents attackers from exploiting CVE-2025-26465 to impersonate SSH servers. Keeping your SSH configuration secure is essential to safeguard sensitive data and maintain the integrity of remote management sessions.
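The backup-and-rewrite procedure described above, as an added POSIX shell example that is not the repository's own mitigation script; the function name and the backup naming scheme are mine, and the rewrite is done with awk so it works with both GNU and BSD tools:

```bash
#!/bin/sh
# Added example (not the repository's mitigation script): back up an ssh_config
# file, rewrite every active VerifyHostKeyDNS yes/ask line to "no" while leaving
# comments and all other lines untouched, then verify that none remain.

# harden_ssh_config FILE
# 0 = file changed and verified, 1 = nothing to change, 2 = error (a backup, once
# made, is left in place so the original can be restored).
harden_ssh_config() {
    cfg="$1"
    [ -f "$cfg" ] && [ -w "$cfg" ] || { echo "cannot write $cfg" >&2; return 2; }
    new=$(mktemp) || return 2
    # Match the keyword case-insensitively in "key value" and "key=value" form;
    # the value is the first yes/ask after the keyword (which contains neither).
    awk '{
        l = tolower($0) " "
        if (l ~ /^[ \t]*verifyhostkeydns([ \t]+|[ \t]*=[ \t]*)(yes|ask)[ \t]/ && match(l, /(yes|ask)[ \t]/))
            $0 = substr($0, 1, RSTART - 1) "no" substr($0, RSTART + 3)
        print
    }' "$cfg" > "$new" || { rm -f "$new"; return 2; }
    if cmp -s "$cfg" "$new"; then
        rm -f "$new"
        echo "no VerifyHostKeyDNS yes/ask lines in $cfg; nothing changed"
        return 1
    fi
    bak="$cfg.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$cfg" "$bak" || { rm -f "$new"; return 2; }
    # Overwrite in place (not mv) so the file keeps its owner, mode and inode.
    cat "$new" > "$cfg"; rm -f "$new"
    if grep -Eiq '^[[:space:]]*VerifyHostKeyDNS([[:space:]]+|[[:space:]]*=[[:space:]]*)(yes|ask)([[:space:]]|$)' "$cfg"; then
        echo "verification failed; restore from $bak" >&2
        return 2
    fi
    echo "updated $cfg (backup: $bak)"
}

case "${1:-}" in
    --run) harden_ssh_config /etc/ssh/ssh_config ;;   # needs root
esac
```

Pass `$HOME/.ssh/config` instead of the global file to fix a per-user configuration; an `Include`d file must be hardened separately since only the named file is rewritten.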
CVE-2025-21418: Mitigate Windows EoP
Description
🔒 Mitigate CVE-2025-21418 with PowerShell Hardening
This PowerShell script is designed to reduce the risk posed by CVE-2025-21418, an AFD.sys vulnerability that could allow privilege escalation, without disabling critical network functions. Instead of turning off the driver, the script enforces system-level hardening measures such as setting DEP to AlwaysOn, ensuring your system is up-to-date with the latest patches, and applying a sample firewall rule.
🔍 How it works:
Enforce DEP AlwaysOn:
The script first checks for administrative privileges and then uses the bcdedit command to set the system's DEP (Data Execution Prevention) policy to AlwaysOn. This enforces DEP for every process, with no per-process opt-out, so code placed in memory regions that are not marked executable cannot run, making it far more difficult for injected malicious code to execute.
⚠️ Why it matters:
CVE-2025-21418 is a flaw in AFD.sys that could allow attackers to escalate privileges via code injection. By enforcing DEP AlwaysOn, the script ensures that injected code placed in non-executable memory is blocked, significantly lowering the risk of exploitation. Coupled with regular updates and a tightened firewall, this layered mitigation strategy helps protect your system without the disruptive side effects of disabling essential network services.
CVE-2025-21181 - Denial of Service Vulnerability in Microsoft Message Queuing - Mitigation Script
Description
❗ CVE-2025-21181 is a Denial of Service (DoS) vulnerability affecting Microsoft Message Queuing (MSMQ). Attackers can exploit this flaw by sending specially crafted network packets to an exposed MSMQ service, causing it to crash or become unresponsive.
ℹ️ This mitigation script helps reduce exposure to CVE-2025-21181 by disabling MSMQ to prevent exploitation:
Stop the MSMQ Service:
Checks whether MSMQ is installed and running.
If MSMQ is active, stops the service to prevent immediate exposure.
Disable MSMQ to Prevent Restart:
Sets the MSMQ service startup type to "Disabled" to ensure it does not restart automatically.
Outputs a message indicating that a system reboot may be required for changes to take full effect.
Error Handling and Warnings:
If an error occurs during the process, the script alerts the user and advises ensuring administrative privileges.
Warns that disabling MSMQ may impact applications relying on the service.
✅ Running this mitigation script helps you proactively reduce your system's exposure to CVE-2025-21181 by disabling MSMQ where it is not needed.
x_ops
Rotate Log Files Based on Size
Description
This script checks the size of a specified log file and rotates it if it exceeds a defined maximum size (10 MB by default). When the log file size exceeds the limit, it renames the current log file with a timestamp and creates a new, empty log file.
Usage:
-> Set the Log File Path: Update the LOG_FILE variable to point to the log file you want to monitor.
-> Set the Maximum Size: The MAX_SIZE variable defines the maximum allowed log file size in bytes. Adjust this value as needed.
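The rotation described above, as an added POSIX shell example that is not the repository's script; LOG_FILE and MAX_SIZE mirror the variables named above, the default path is an assumption, and the copytruncate mode is an addition for writers that keep the log open:

```bash
#!/bin/sh
# Added example (not the repository's script): size-based rotation written as a
# function so the path and limit can be passed in. The default path is assumed.
LOG_FILE="${LOG_FILE:-/var/log/myapp.log}"
MAX_SIZE="${MAX_SIZE:-10485760}"   # 10 MB in bytes

# rotate_log FILE MAX_BYTES [rename|copytruncate]
# 0 = rotated, 1 = at or under the limit (nothing done), 2 = file missing.
# "rename" moves the file aside and creates an empty one. A daemon that still
# holds the old descriptor keeps writing to the renamed file until it reopens
# its log, so use "copytruncate" for such writers: the content is copied out and
# the live file is truncated in place (lines written during the copy can be
# lost, which is the usual copytruncate trade-off).
rotate_log() {
    file="$1"; max="$2"; mode="${3:-rename}"
    [ -f "$file" ] || { echo "no such log file: $file" >&2; return 2; }
    size=$(wc -c < "$file" | tr -d ' ')
    [ "$size" -gt "$max" ] || return 1
    archive="$file.$(date +%Y%m%d-%H%M%S)"
    [ -e "$archive" ] && archive="$archive.$$"   # two rotations in one second
    if [ "$mode" = copytruncate ]; then
        cp -p "$file" "$archive" && : > "$file"
    else
        mv "$file" "$archive" && : > "$file"
    fi || return 2
    echo "rotated $file ($size bytes) -> $archive"
}

case "${1:-}" in --run) rotate_log "$LOG_FILE" "$MAX_SIZE" ;; esac
```

Note that in rename mode the new empty file is created with the caller's umask, so run the script as the same user that owns the log or adjust permissions afterwards.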
Detect Linux Failed Sudo attempts
Description
**🔐 Detecting Failed Sudo Attempts on Linux Systems**
This script scans the system logs for failed sudo attempts where a user is **not** in the sudoers group, highlighting unauthorized access attempts. It uses `journalctl` to fetch logs, filters out the relevant sudo errors, and extracts essential details such as:
- 📅 **Date**
- 👤 **User**
- 💻 **Attempted Command**
The results are presented in a clean and structured format, helping administrators quickly identify potential security concerns related to improper sudo usage. Perfect for maintaining a secure environment 🔒!
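The extraction described above, as an added POSIX shell example that is not the repository's script; the log lines are constructed samples in the syslog-style format that `journalctl -o short` (and /var/log/auth.log) emit, and the function names and the per-user count are mine:

```bash
#!/bin/sh
# Added example (not the repository's script): pull date, user and command out
# of "user NOT in sudoers" entries. SAMPLE_LOG is constructed test input.
SAMPLE_LOG='Mar 03 10:15:42 web01 sudo[2314]:      bob : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar 03 10:16:01 web01 sudo[2320]:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 03 10:17:09 web01 sudo[2331]:      eve : user NOT in sudoers ; TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
Mar 03 10:17:11 web01 sudo[2335]:      bob : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers'

# Read log lines on stdin; print one "date|user|command" record per failed
# attempt. Successful sudo lines (no "user NOT in sudoers") are skipped.
parse_failed_sudo() {
    awk '/ sudo\[[0-9]+\]: / && /user NOT in sudoers/ {
        date = $1 " " $2 " " $3
        user = $0; sub(/^.*sudo\[[0-9]+\]:[ \t]*/, "", user); sub(/[ \t]*:.*/, "", user)
        cmd = $0; sub(/^.*COMMAND=/, "", cmd)
        printf "%s|%s|%s\n", date, user, cmd
    }'
}

# Records per user from parse_failed_sudo output, as "user<TAB>count", sorted.
count_failed_sudo() {
    awk -F'|' '{ n[$2]++ } END { for (u in n) printf "%s\t%d\n", u, n[u] }' | sort
}

# Human-readable table from the records.
report_failed_sudo() {
    printf '%-15s  %-10s  %s\n' DATE USER COMMAND
    awk -F'|' '{ printf "%-15s  %-10s  %s\n", $1, $2, $3 }'
}

case "${1:-}" in
    --live)   journalctl -t sudo --no-pager -o short --since "24 hours ago" \
                  | parse_failed_sudo | report_failed_sudo ;;
    --sample) printf '%s\n' "$SAMPLE_LOG" | parse_failed_sudo | report_failed_sudo ;;
esac
```

On hosts without journald the same parser works on the syslog file directly, e.g. `parse_failed_sudo < /var/log/auth.log | count_failed_sudo`.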