Florian Roth Neo23x0

Neo23x0 / iddqd.yar
Last active Jul 14, 2019
IDDQD - Godmode YARA Rule
/*
(ASCII-art banner reading "Godmode YARA Rule"; its spacing was lost in extraction)
Florian Roth - v0.4 May 2019
Neo23x0 / yara-ops.py
Last active May 19, 2019
YARA Rule Hash Generator
import hashlib
import re
import plyara
def calculate_rule_hash(rule):
"""
Calculates a hash over the relevant YARA rule content (string contents, sorted condition)
Requires a YARA rule object as generated by 'plyara': https://github.com/plyara/plyara
:param rule: yara rule object
:return hash: generated hash
Neo23x0 / TI-Search-Shortcuts.md
Last active May 19, 2019
Search Engine Shortcuts

Search Engine Shortcuts

Use Manage Search Engines in your browser to add these search engines. You can then use the 'keyword' in the URL bar to do a quick lookup. Find more details about managing your search engines in Chrome here.

e.g. Type

v dad8ebcbb5fa6721ccad45b81874e22c
Neo23x0 / yara_product_req.py
Last active May 19, 2019
YARA Product Requirements
# Product Requirements
PRODUCT_REQUIREMENTS = {
"FireEyeAX": {
"maximum_version": "3.4.0",
"supported_modules": [], # assumption
"with_crypto": True, # assumption
},
"FireEyeNX": {
"maximum_version": "3.4.0",
"supported_modules": [], # assumption
Neo23x0 / thor-ts-converter.py
Created Oct 31, 2018
THOR Timestamp Injector (adds the year to the old SYSLOG format and creates an RFC3339 timestamp)
#!/bin/python3
import os
import sys
import argparse
import logging
import re
import platform
MONTHS = {
View fix-sourcetree-git-secrets.sh
#!/bin/bash
#
# Fixes error:
# git: 'secrets' is not a git command. See 'git --help'.
#
# 1. Go to SourceTree preferences > Git > Use System Git
# Select the system's git e.g. /usr/local/git/bin/git
# 2. Run this script
# Adjust the path if your system's git is located in a different folder
# git-secrets must be linked in the same folder as the system's git binary
Neo23x0 / stringex.sh
Last active Jul 7, 2019
String Extraction / ASCII and Wide by @RobertHaist
Linux
(strings -a -td "$@" | sed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 A \2/' ; strings -a -td -el "$@" | sed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 W \2/') | sort -n
macOS
(gstrings -a -td "$@" | gsed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 A \2/' ; gstrings -a -td -el "$@" | gsed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 W \2/') | sort -n
Neo23x0 / fp-hashes.py
Last active May 19, 2019
Typical False Positive Hashes
# This GIST has been transformed into a Git repository and does not receive updates anymore
#
# Please visit the github repo to get a current list
# https://github.com/Neo23x0/ti-falsepositives/
# Hashes that are often included in IOC lists but are false positives
HASH_WHITELIST = [
# Empty file
'd41d8cd98f00b204e9800998ecf8427e',
'da39a3ee5e6b4b0d3255bfef95601890afd80709',
Neo23x0 / get_fs_type.go
Created Jun 14, 2018
Get File System Type
package main
import (
"fmt"
"os"
"syscall"
)
func main() {
if len(os.Args) != 2 {