Florian Roth Neo23x0

@Neo23x0
Neo23x0 / snippet_gen_yara_hash.py
Created Oct 10, 2020
YARA Rule Hash Used by Nextron Systems
import hashlib
import re

def calculate_rule_hash(rule):
    """
    Calculates a hash over the relevant YARA rule content (string contents, sorted condition)
    Requires a YARA rule object as generated by 'plyara': https://github.com/plyara/plyara
    :param rule: yara rule object
    :return hash: generated hash
    """
@Neo23x0
Neo23x0 / get-casing.py
Created Jul 2, 2020
Get All Possible Variations of Casings for a String
import itertools
s = "cmd.exe"
# One spelling per upper/lower choice for every character. Characters without case ('.')
# give identical pairs, so the product repeats them; set() keeps only the distinct spellings.
sorted(set(map(''.join, itertools.product(*zip(s.upper(), s.lower())))))
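Added example, not part of the gist: the casing list above is what you need when a matching engine has no case-insensitive mode. YARA hex strings are one such case (the `nocase` modifier applies to text strings only), so the code below turns a word into a hex string with an `( upper | lower )` alternative per letter and then checks, via an equivalent regex, that every casing from the enumeration is matched. Function names and the regex back-check are this example's own choices.

```python
import itertools
import re


def all_casings(s: str) -> list:
    """Every distinct upper/lower-case spelling of s (2**n for n cased letters)."""
    variants = map("".join, itertools.product(*zip(s.upper(), s.lower())))
    return sorted(set(variants))


def yara_hex_alternation(s: str) -> str:
    """YARA hex string matching every casing of s: each cased letter becomes an
    ( upper | lower ) alternative, everything else a plain byte. ASCII input assumed."""
    parts = []
    for ch in s:
        up, lo = ch.upper(), ch.lower()
        if up != lo:
            parts.append("( %02X | %02X )" % (ord(up), ord(lo)))
        else:
            parts.append("%02X" % ord(ch))
    return "{ " + " ".join(parts) + " }"


def hex_alternation_matches(hexstr: str, data: bytes) -> bool:
    """Reference check without a YARA binary: translate the hex alternation into a
    byte regex (character class per alternative) and search data with it."""
    body = hexstr.strip("{} ")
    tokens = re.findall(r"\(\s*[0-9A-F]{2}\s*\|\s*[0-9A-F]{2}\s*\)|[0-9A-F]{2}", body)
    pattern = b""
    for tok in tokens:
        if tok.startswith("("):
            a, b = re.findall(r"[0-9A-F]{2}", tok)
            pattern += b"[" + re.escape(bytes([int(a, 16)])) + re.escape(bytes([int(b, 16)])) + b"]"
        else:
            pattern += re.escape(bytes([int(tok, 16)]))
    return re.search(pattern, data) is not None


if __name__ == "__main__":
    word = "cmd.exe"
    print(len(all_casings(word)), "distinct casings")
    print(yara_hex_alternation(word))
```

With 6 cased letters, "cmd.exe" has 64 distinct spellings; the hex form covers all of them in one 7-token pattern, which is far cheaper than 64 separate text strings and can be combined with wildcards or jumps around the word.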
@Neo23x0
Neo23x0 / shitrix_artefacts.yar
Last active Jan 14, 2020
Netscaler Forensic Artefacts
rule SUSP_Netscaler_Forensic_Artefacts {
   meta:
      description = "Detects strings / forensic artefacts on exploited Netscaler systems"
      author = "Florian Roth"
      reference = "https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/"
      date = "2020-01-14"
      score = 70
   strings:
      $ = "shell_command=\"whoami\"" ascii
   condition:
      1 of them   // the preview cuts off after the first string; "1 of them" is assumed here
}
@Neo23x0
Neo23x0 / gen_godmode_rule.yml
Last active Oct 17, 2020
God Mode Sigma Rule
# ################################################################################
# IMPORTANT NOTE
# The most recent version of this POC rule can now be found in the main repository
# https://github.com/Neo23x0/sigma/blob/master/other/godmode_sigma_rule.yml
# ################################################################################
# _____ __ __ ___ __
# / ___/__ ___/ / / |/ /__ ___/ /__
# / (_ / _ \/ _ / / /|_/ / _ \/ _ / -_)
# \___/\___/\_,_/ /_/ /_/\___/\_,_/\__/_
# / __(_)__ ___ _ ___ _ / _ \__ __/ /__
@Neo23x0
Neo23x0 / Base64_CheatSheet.md
Last active Oct 26, 2020
Learning Aid - Top Base64 Encodings Table

Learning Aid - Top Base64 Encodings Table

| Base64 Code | Mnemonic Aid | Decoded* | Description |
|---|---|---|---|
| JAB | 🗣 Jabber | `$.` | Variable declaration (UTF-16) |
| TVq | 📺 Television | `MZ` | MZ header |
| SUVY | 🚙 SUV | `IEX` | PowerShell Invoke Expression |
| SQBFAF | 🐣 Squab favorite | `I.E.` | PowerShell Invoke Expression (UTF-16) |
| SQBuAH | 🐣 Squab uahhh | `I.n.` | PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz |
| PAA | 💪 "Pah!" | `<.` | Often used by Emotet (UTF-16) |

\* Non-printable bytes (the null bytes of UTF-16LE text) are shown as `.`
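Added example (not from the gist) showing where these prefixes come from. Base64 maps every 3 input bytes to 4 characters, so a fixed plaintext prefix fixes the leading characters, except that the last character straddles into the next byte: for `MZ` the third character can only be one of `opqr`, and it is `q` because the byte after `MZ` in a PE header is 0x90; for a UTF-16LE `$` the third character is `B` for any ASCII letter because letters all start with bits `01`. The functions below compute the stable prefix, the candidate set for the straddling character, and the decoded view used in the table; the "typical next byte" per row is this example's assumption.

```python
import base64

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def stable_prefix(data: bytes) -> str:
    """Base64 characters fully determined by data, whatever follows it (6 bits per char)."""
    full_chars = len(data) * 8 // 6
    return base64.b64encode(data + b"\x00\x00").decode("ascii")[:full_chars]


def next_char_candidates(data: bytes) -> str:
    """Possible values of the first character that also depends on the byte after data.
    Empty when len(data) is a multiple of 3 (no straddling character)."""
    rem = len(data) * 8 % 6                      # leftover bits of data feeding that char
    if rem == 0:
        return ""
    partial = int.from_bytes(data, "big") & ((1 << rem) - 1)
    start = partial << (6 - rem)                 # high bits fixed, low bits come from the next byte
    return B64[start:start + (1 << (6 - rem))]


def prefix_given_next(data: bytes, next_byte: int) -> str:
    """Stable prefix plus the straddling character, assuming next_byte follows data."""
    full_chars = len(data) * 8 // 6
    return stable_prefix(data + bytes([next_byte]))[:full_chars + 1]


def decoded_view(prefix: str) -> str:
    """Decode a prefix to the whole bytes it fixes; non-printables become '.' as in the table."""
    val = 0
    for c in prefix:
        val = (val << 6) | B64.index(c)
    nbits = len(prefix) * 6
    nbytes = nbits // 8
    raw = (val >> (nbits - nbytes * 8)).to_bytes(nbytes, "big")
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)


def build_sheet():
    """Rebuild the table rows: (plaintext, encoding, typical next byte or None)."""
    rows = [
        ("$", "utf-16le", ord("a")),   # variable name: any ASCII letter follows (bits 01xxxxxx)
        ("MZ", "latin-1", 0x90),       # PE header: e_cblp = 0x0090 follows 'MZ'
        ("IEX", "latin-1", None),      # 3 bytes -> 4 chars, nothing straddles
        ("IE", "utf-16le", ord("X")),
        ("In", "utf-16le", ord("v")),  # Invoke-...
        ("<", "utf-16le", ord("#")),   # any next byte below 0x40 gives 'PAA'
    ]
    out = []
    for text, enc, nxt in rows:
        data = text.encode(enc)
        b64 = stable_prefix(data) if nxt is None else prefix_given_next(data, nxt)
        out.append((b64, decoded_view(b64), next_char_candidates(data)))
    return out


if __name__ == "__main__":
    for b64, decoded, cands in build_sheet():
        print(f"{b64:8} {decoded:6} straddling char in: {cands or '(none)'}")
```

The practical consequence: a detection on `JAB` is safe for any variable name, `SUVY` only covers the upper-case spelling `IEX` (lower-case `iex` encodes differently), and `TVq` is reliable for real PE files but `TVo`/`TVp`/`TVr` are equally valid encodings of `MZ` followed by another byte.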
@Neo23x0
Neo23x0 / sysmon_suspicious_keyboard_layout_load.yml
Last active Sep 4, 2020
Sigma Rule to Detect Uncommon Keyboard Layout Loads in Your Organisation
title: Suspicious Keyboard Layout Load
description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only
references:
    - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
author: Florian Roth
date: 2019/10/12
logsource:
    product: windows
    service: sysmon
    definition: 'Requirements: Sysmon config that monitors the \Keyboard Layout\Preload subkey of the user hives (HKU\<SID>\Keyboard Layout\Preload, i.e. HKCU) - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
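Added example, not the rule's own detection block (the preview stops before it): the logic the description calls for, run over a few constructed Sysmon EventID 13 (registry value set) records. A preload value is an 8-hex-digit keyboard layout identifier whose low word is the language ID, so the check extracts that word and flags anything outside the organisation's allow-list (here en-US only, matching the "US staff only" premise; the allow-list and the sample SIDs are assumptions of this example). Variants such as `00050429` (Persian Standard) or `00020409` (US-International) are handled by the low-word extraction rather than by listing every KLID.

```python
import re
from typing import Dict, List, Optional

# Language identifiers (low word of a KLID) for the example's lookups.
LANG_IDS = {
    0x0409: "en-US", 0x0407: "de-DE", 0x0419: "ru-RU",
    0x0804: "zh-CN", 0x0404: "zh-TW", 0x0429: "fa-IR", 0x042A: "vi-VN",
}

# Assumption for this example: the organisation only expects US English layouts.
ORG_ALLOWED_LANG_IDS = {0x0409}

# Constructed Sysmon registry events (EventID 13 = value set), not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Keyboard Layout\Preload\1", "Details": "00000409"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Keyboard Layout\Preload\2", "Details": "00000804"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1002\Keyboard Layout\Preload\2", "Details": "00050429"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1003\Keyboard Layout\Preload\1", "Details": "00020409"},
    {"EventID": 12, "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1004\Keyboard Layout\Preload", "Details": ""},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1004\Keyboard Layout\Substitutes\00000804", "Details": "00000409"},
]


def keyboard_layout_lang_id(klid: str) -> Optional[int]:
    """Low word of an 8-hex-digit keyboard layout ID; None if the value is not a KLID."""
    if not re.fullmatch(r"[0-9a-fA-F]{8}", klid or ""):
        return None
    return int(klid, 16) & 0xFFFF


def is_preload_event(event: Dict) -> bool:
    """Sysmon value-set event under ...\\Keyboard Layout\\Preload\\<n>."""
    return event.get("EventID") == 13 and "\\Keyboard Layout\\Preload\\" in event.get("TargetObject", "")


def detect_uncommon_layouts(events: List[Dict], allowed=None) -> List[Dict]:
    """Return one hit per preload event whose language ID is not on the allow-list
    (or whose value cannot be parsed as a KLID, which is itself worth a look)."""
    allowed = ORG_ALLOWED_LANG_IDS if allowed is None else allowed
    hits = []
    for ev in events:
        if not is_preload_event(ev):
            continue
        lang = keyboard_layout_lang_id(ev.get("Details", ""))
        if lang is None or lang not in allowed:
            hits.append({
                "TargetObject": ev["TargetObject"],
                "klid": ev.get("Details", ""),
                "language": LANG_IDS.get(lang, "unknown") if lang is not None else "unparseable",
            })
    return hits


if __name__ == "__main__":
    for hit in detect_uncommon_layouts(SAMPLE_EVENTS):
        print(f"{hit['language']:12} {hit['klid']}  {hit['TargetObject']}")
```

Only the Preload subkey is in scope here; the Substitutes key (last sample) is ignored, and a key-creation event (EventID 12) carries no value and is skipped. Tune the allow-list per site: in a multinational environment the same logic works with a larger set, which is why the example keys on the language ID rather than a fixed list of suspicious KLIDs.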
@Neo23x0
Neo23x0 / iddqd.yar
Last active Oct 13, 2020
IDDQD - Godmode YARA Rule
/*
_____ __ __ ___ __
/ ___/__ ___/ / / |/ /__ ___/ /__
/ (_ / _ \/ _ / / /|_/ / _ \/ _ / -_)
\___/\___/\_,_/_/_/__/_/\___/\_,_/\__/
\ \/ / _ | / _ \/ _ | / _ \__ __/ /__
\ / __ |/ , _/ __ | / , _/ // / / -_)
/_/_/ |_/_/|_/_/ |_| /_/|_|\_,_/_/\__/
Florian Roth - v0.5.0 October 2019
@Neo23x0
Neo23x0 / yara-ops.py
Last active Jan 10, 2020
YARA Rule Hash Generator
import hashlib
import re
import plyara

def calculate_rule_hash(rule):
    """
    Calculates a hash over the relevant YARA rule content (string contents, sorted condition)
    Requires a YARA rule object as generated by 'plyara': https://github.com/plyara/plyara
    :param rule: yara rule object
    :return hash: generated hash
    """
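Both snippet_gen_yara_hash.py and yara-ops.py show only the docstring of calculate_rule_hash. The block below is an added implementation of what that docstring describes, written for this page and not the Nextron Systems code: it hashes the string contents and the sorted condition, and additionally replaces string identifiers in the condition with the content they refer to, so a rule copy with renamed or reordered strings and re-spaced hex gets the same hash (the property such a "logic hash" is used for in rule de-duplication). The rule dicts are hand-built to follow plyara's output layout (`strings` entries with `name`/`value`/`type`, `condition_terms` as a token list); that layout and the sample rules are assumptions of this example, and MD5 is used purely as an identifier, not for any security property.

```python
import hashlib
import re


def _normalise_string(entry: dict) -> str:
    """Canonical text for one string entry: hex strings lose spacing and case,
    text and regex strings keep their literal value."""
    if entry["type"] == "byte":
        return "{" + re.sub(r"[^a-fA-F0-9?]", "", entry["value"]).lower() + "}"
    return entry["value"]


def calculate_rule_hash(rule: dict) -> str:
    """MD5 over the sorted string contents plus the sorted condition tokens, with
    $x / #x / @x / !x identifiers in the condition replaced by the content of $x."""
    strings = rule.get("strings", [])
    values = [_normalise_string(s) for s in strings]
    # anonymous strings are all named "$" and cannot be referenced, so they stay out of the map
    by_name = {s["name"]: v for s, v in zip(strings, values) if s["name"] != "$"}
    parts = sorted(values)
    condition = []
    for term in rule["condition_terms"]:
        m = re.fullmatch(r"([$#@!])(\w+)", term)
        if m and "$" + m.group(2) in by_name:
            condition.append(m.group(1) + by_name["$" + m.group(2)])
        else:
            condition.append(term)
    parts.append(" ".join(sorted(condition)))
    return hashlib.md5("".join(parts).encode("utf-8")).hexdigest()


# Constructed plyara-style rule objects (not parser output).
RULE_A = {
    "rule_name": "demo_a",
    "strings": [
        {"name": "$mz", "value": "{ 4D 5A 90 00 }", "type": "byte"},
        {"name": "$cmd", "value": "cmd.exe /c", "type": "text"},
    ],
    "condition_terms": ["$mz", "at", "0", "and", "$cmd"],
}
RULE_B = {  # same logic as RULE_A: strings renamed, reordered, hex re-spaced
    "rule_name": "demo_b",
    "strings": [
        {"name": "$s1", "value": "cmd.exe /c", "type": "text"},
        {"name": "$s2", "value": "{4d5a9000}", "type": "byte"},
    ],
    "condition_terms": ["$s2", "at", "0", "and", "$s1"],
}
RULE_C = {  # different string content, so a different hash
    "rule_name": "demo_c",
    "strings": [
        {"name": "$mz", "value": "{ 4D 5A 90 00 }", "type": "byte"},
        {"name": "$cmd", "value": "cmd.exe /k", "type": "text"},
    ],
    "condition_terms": ["$mz", "at", "0", "and", "$cmd"],
}
RULE_ANON = {  # anonymous strings with "1 of them", as in the Netscaler rule above
    "rule_name": "demo_anon",
    "strings": [{"name": "$", "value": "shell_command=\"whoami\"", "type": "text"}],
    "condition_terms": ["1", "of", "them"],
}

if __name__ == "__main__":
    for r in (RULE_A, RULE_B, RULE_C, RULE_ANON):
        print(r["rule_name"], calculate_rule_hash(r))
```

Sorting the condition tokens means `$a and not $b` and `$b and not $a` collide, which is the trade-off the docstring's "sorted condition" accepts in exchange for order-independence; if that matters for your corpus, hash the token list unsorted after the identifier substitution.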
@Neo23x0
Neo23x0 / TI-Search-Shortcuts.md
Last active May 28, 2020
Search Engine Shortcuts

Search Engine Shortcuts

Use "Manage Search Engines" in your browser to add these search engines. You can then type the keyword followed by the search term in the URL bar to do a quick lookup. Find more details about managing your search engines in Chrome here.

e.g. type

v dad8ebcbb5fa6721ccad45b81874e22c
@Neo23x0
Neo23x0 / yara_product_req.py
Last active May 19, 2019
YARA Product Requirements
# Product Requirements
PRODUCT_REQUIREMENTS = {
    "FireEyeAX": {
        "maximum_version": "3.4.0",
        "supported_modules": [],  # assumption
        "with_crypto": True,  # assumption
    },
    "FireEyeNX": {
        "maximum_version": "3.4.0",
        "supported_modules": [],  # assumption
    },
}
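Added example of how a requirements table like the one above gets used: a checker that derives what a rule needs (modules imported, string modifiers that imply a minimum YARA version, whether a crypto-enabled build is required for the `hash` module or `pe.imphash()`) and compares that against a product entry. The product entries, sample rules and helper names here are constructed for this example and are not from the gist; the feature-to-version mapping (`xor` modifier from 3.8.0, `base64`/`base64wide` from 4.0.0) follows the YARA release notes and should be checked against the changelog of the build you target.

```python
import re
from typing import Dict, List

# Same shape as PRODUCT_REQUIREMENTS above; values are constructed for this example.
PRODUCTS = {
    "LegacyAppliance": {"maximum_version": "3.4.0", "supported_modules": [], "with_crypto": False},
    "ModernScanner": {"maximum_version": "4.0.2", "supported_modules": ["pe", "hash", "math"], "with_crypto": True},
}

# String modifier -> first YARA version that supports it (verify against the changelog of your build).
FEATURE_MIN_VERSION = {"xor": "3.8.0", "base64": "4.0.0", "base64wide": "4.0.0"}
BASELINE_VERSION = "3.0.0"  # assumed floor for rules using no versioned feature

IMPORT_LINE = re.compile(r'^\s*import\s+"(\w+)"', re.M)
# a string definition: "$name = "..." <modifiers>"; the greedy quote match leaves only the modifiers
STRING_LINE = re.compile(r'^\s*\$\w*\s*=\s*".*"(.*)$', re.M)


def _version(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


def rule_requirements(rule_text: str) -> Dict:
    """What a rule source needs from the engine: modules, minimum version, crypto support."""
    modules = sorted(set(IMPORT_LINE.findall(rule_text)))
    modifiers = set()
    for tail in STRING_LINE.findall(rule_text):
        modifiers.update(re.findall(r"[a-z0-9]+", tail))
    min_version = BASELINE_VERSION
    for feature, version in FEATURE_MIN_VERSION.items():
        if feature in modifiers and _version(version) > _version(min_version):
            min_version = version
    needs_crypto = "hash" in modules or "imphash" in rule_text
    return {"modules": modules, "min_version": min_version, "needs_crypto": needs_crypto}


def check_compatibility(rule_text: str, product: Dict) -> List[str]:
    """Empty list when the rule can be deployed on the product, otherwise one line per problem."""
    req = rule_requirements(rule_text)
    problems = []
    if _version(req["min_version"]) > _version(product["maximum_version"]):
        problems.append(f"needs YARA >= {req['min_version']}, product supports <= {product['maximum_version']}")
    for module in req["modules"]:
        if module not in product["supported_modules"]:
            problems.append(f"module '{module}' not supported")
    if req["needs_crypto"] and not product["with_crypto"]:
        problems.append("needs a YARA build with OpenSSL (hash module / pe.imphash())")
    return problems


# Constructed sample rules (the imphash value is a placeholder, not a real sample).
RULE_OLD = r'''
rule demo_old {
    strings:
        $s1 = "shell_command=\"whoami\"" ascii
    condition:
        1 of them
}
'''
RULE_NEW = r'''
import "pe"
import "hash"

rule demo_new {
    strings:
        $s1 = "cmd.exe" xor(0x01-0xff) wide
        $s2 = "powershell" base64wide
    condition:
        pe.imphash() == "00000000000000000000000000000000" or any of them
}
'''

if __name__ == "__main__":
    for name, product in PRODUCTS.items():
        for rule_name, text in (("demo_old", RULE_OLD), ("demo_new", RULE_NEW)):
            print(name, rule_name, check_compatibility(text, product) or "ok")
```

The modifier scan is deliberately line-based and regex-driven so it runs without a YARA parser; for production use, feed plyara's parsed `strings` entries (each carries a `modifiers` list) into the same version lookup instead of the regex.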