Skip to content

Instantly share code, notes, and snippets.

View Neo23x0's full-sized avatar

Florian Roth Neo23x0

5.1k followers · 22 following
View GitHub Profile
@Neo23x0
Neo23x0 / sigma_correlation_failed_login_success.yml
Created October 4, 2023 07:35
Sigma - Correlation Rule
View sigma_correlation_failed_login_success.yml
title: Correlation - Multiple Failed Logins Followed by Successful Login
id: b180ead8-d58f-40b2-ae54-c8940995b9b6
status: experimental
description: Detects multiple failed logins by a single user followed by a successful login of that user
references:
- https://reference.com
author: Florian Roth (Nextron Systems)
date: 2023/06/16
correlation:
type: temporal
@Neo23x0
Neo23x0 / sigma-evtx-scan.md
Last active March 27, 2023 21:11
Guide to Use Sigma EVTX Checker
View sigma-evtx-scan.md

Guide to Use Nextron's Sigma EVTX Checker

It's a fast go-based scanner for Linux, Windows, and macOS that applies Sigma rules and outputs the matches as JSON.

Clone the Sigma Repository and cd into it

git clone https://github.com/SigmaHQ/sigma.git
cd sigma
@Neo23x0
Neo23x0 / link-tree.md
Created December 18, 2022 18:48
My Link List
View link-tree.md
@Neo23x0
Neo23x0 / nighthawk-blog-posts.md
Last active August 1, 2023 21:53
Collection of Deleted Articles on MDSec's Nighthawk
View nighthawk-blog-posts.md
@Neo23x0
Neo23x0 / send-to-slack.sh
Created September 11, 2022 21:22
Slack Hook - System Logon
View send-to-slack.sh
#!/bin/bash -x
hostname=$(hostname)
source=$(echo "$SSH_CONNECTION" | cut -d' ' -f 1)
geo=$(geoiplookup "$source")
curl -X POST --silent --data "payload={\"text\": \":bust_in_silhouette: SYSTEM: $hostname USER: $USER SOURCE: $source GEO: $geo\"}" https://hooks.slack.com/services/XXXXXXXX_YOURHOOK_XXXXX > /dev/null
@Neo23x0
Neo23x0 / cyber-security-blogs.txt
Created September 10, 2022 13:49
Cyber Security Blogs
View cyber-security-blogs.txt
https://thedfirreport.com/
https://www.zerodayinitiative.com/blog/
https://codewhitesec.blogspot.com/
https://www.digitalshadows.com/blog-and-research/
https://blog.talosintelligence.com/
https://www.riskiq.com/blog/
https://www.sekoia.io/en/blog-sekoia-io/
https://www.nextron-systems.com/blog/
https://www.microsoft.com/security/blog/
https://blog.truesec.com/
@Neo23x0
Neo23x0 / nvidia_cert_leak_vt_dorks.md
Created March 5, 2022 12:49
Samples Signed with NVIDIA Certs
View nvidia_cert_leak_vt_dorks.md
@Neo23x0
Neo23x0 / log4j_rce_detection.md
Last active November 3, 2023 18:07
Log4j RCE CVE-2021-44228 Exploitation Detection
View log4j_rce_detection.md

log4j RCE Exploitation Detection

You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228

Grep / Zgrep

This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders

sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
@Neo23x0
Neo23x0 / minecraft-seus-shader.md
Last active December 11, 2021 11:15
Minecraft with SEUS Shader - Guide
View minecraft-seus-shader.md
@Neo23x0
Neo23x0 / help.md
Last active July 30, 2023 12:19
Offensive Research Guide to Help Defense Improve Detection
View help.md

I've transformed this gist into a git repository.

Whenever you research a certain vulnerability ask yourself these questions and please answer them for us

Logging

Does the exploited service write a log?
(check ls -lrt /var/log or lsof +D /var/log/ or lsof | grep servicename)