Karib0u
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
coolaj86
/ ChatGPT-Dan-Jailbreak.md
Last active
April 25, 2024 15:17
notareverser
/ yara-rules-for-libraries.txt
Created
February 25, 2022 14:13
Brief treatise on the tradeoffs between YARA rules made from strings, code, and data
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Today for #100DaysOfYARA I want to further explore one of my favorite topics | |
| "How to reliably detect libraries", or how to identify that a particular program has linked or otherwise included a particular library. | |
| Detecting libraries (especially ones written in C) pose unique challenges compared to malware, to include: | |
| - libraries tend to be platform/architecture nonspecific | |
| - compilerisms overwhelm otherwise decent signal | |
| - copy/pasta and groupthink across libraries |
notareverser
/ code-signatures.treatise.txt
Created
February 15, 2022 16:22
A brief treatise on code-based YARA signatures
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Today for #100DaysOfYARA I want to dive in to some of the dirty secrets of creating/maintaining code-based YARA signatures | |
| Let's use SQLite3 as an example. Go get the source here (I prefer the amalgamation): | |
| https://sqlite.org/download.html | |
| I would like to reliably detect when a file is using SQLite. I often look at Windows executables, so I'm going to first concentrate on x86 programs that use this library. The easiest way to find them is to first concentrate on cleartext strings. In this case, I'm gonna pop over to VirusTotal and search for an easily-identifiable string: | |
| content: "failed to allocate %u bytes of memory" type:pe |
notareverser
/ generate-stackstrings-yara.py
Last active
May 14, 2022 17:15
Script to generate stackstrings YARA signatures for common implementation patterns
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| import sys, string, struct | |
| def strByByte(_strval): | |
| strval = bytearray(_strval.encode()) | |
| for s in strval: yield s | |
| def strByDword(_strval): | |
| strval = bytearray(_strval.encode()) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule general_win_runkey_casing_anomaly : General | |
| { | |
| meta: | |
| author = "threatintel@volexity.com" | |
| description = "Looks for files containing to a reference to the HKCU run key where the reference uses unusual casing." | |
| date = "2021-08-03" | |
| hash1 = "c20997c72508bc7340f4ec99fe9eb4f1ccde518e81bda66e7c86632f0748bffa" | |
| memory_suitable = 0 | |
| strings: |
Neo23x0
/ log4j_rce_detection.md
Last active
January 28, 2024 08:19
Log4j RCE CVE-2021-44228 Exploitation Detection
You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228
This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders
sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
g-les
/ 100_days_of_yara.yar
Last active
September 26, 2022 01:01
100 Days of YARA to be updated with rules & ideas as the year progresses
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Goals for #100DaysofYARA: | |
| better understanding of bitwise operators | |
| use math module beyond general entropy of a section / resource | |
| position specific things beyond what PE module tells us | |
| do some funky stuff with hashing | |
| */ |
ander94lakx
/ yara_linux_install.sh
Last active
May 3, 2023 00:39
YARA install script for linux systems (with crypto support
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Download YARA (Modify if a different version is needed) | |
| wget https://github.com/VirusTotal/yara/archive/refs/tags/v4.1.2.tar.gz | |
| tar -zxf yara-4.1.2.tar.gz | |
| cd yara-4.1.2 | |
| ./bootstrap.sh | |
| # Prerequisites | |
| sudo apt install automake libtool make gcc pkg-config libssl-dev | |
| # Build with make |
tothi
/ usbgadget_razer.sh
Created
August 22, 2021 09:52
Razer USB gadget on Android for Local Privilege Escalation on Windows
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # MINIMAL USB gadget setup using CONFIGFS for simulating Razer Gaming HID | |
| # devices for triggering the vulnerable Windows Driver installer | |
| # credits for the Windows Driver install vuln: @j0nh4t | |
| # | |
| # https://twitter.com/j0nh4t/status/1429049506021138437 | |
| # https://twitter.com/an0n_r0/status/1429263450748895236 | |
| # | |
| # the script was developed & tested on Android LineageOS 18.1 |
NewerOlder