Skip to content

Instantly share code, notes, and snippets.

Avatar

Florian Roth Neo23x0

View GitHub Profile
@Neo23x0
Neo23x0 / nvidia_cert_leak_vt_dorks.md
Created Mar 5, 2022
Samples Signed with NVIDIA Certs
@Neo23x0
Neo23x0 / log4j_rce_detection.md
Last active Jul 14, 2022
Log4j RCE CVE-2021-44228 Exploitation Detection
View log4j_rce_detection.md

log4j RCE Exploitation Detection

You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228

Grep / Zgrep

This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders

sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
@Neo23x0
Neo23x0 / minecraft-seus-shader.md
Last active Dec 11, 2021
Minecraft with SEUS Shader - Guide
View minecraft-seus-shader.md
@Neo23x0
Neo23x0 / help.md
Last active Dec 11, 2021
Offensive Research Guide to Help Defense Improve Detection
View help.md

Whenever you research a certain vulnerability ask yourself these questions and please answer them for us

Logging

Does the exploited service write a log?
(check ls -lrt /var/log or lsof +D /var/log/ or lsof | grep servicename)

Does a system service write a log?
(e.g. check with tail -f /var/log/messages)

@Neo23x0
Neo23x0 / snippet_gen_yara_hash.py
Created Oct 10, 2020
YARA Rule Hash Used by Nextron Systems
View snippet_gen_yara_hash.py
import hashlib
import re
def calculate_rule_hash(rule):
"""
Calculates a hash over the relevant YARA rule content (string contents, sorted condition)
Requires a YARA rule object as generated by 'plyara': https://github.com/plyara/plyara
:param rule: yara rule object
:return hash: generated hash
"""
@Neo23x0
Neo23x0 / get-casing.py
Created Jul 2, 2020
Get All Possible Variations of Casings for a String
View get-casing.py
import itertools
s = "cmd.exe"
list(map(''.join, itertools.product(*zip(s.upper(), s.lower()))))
@Neo23x0
Neo23x0 / shitrix_artefacts.yar
Last active Jan 14, 2020
Netscaler Forensic Artefacts
View shitrix_artefacts.yar
rule SUSP_Netscaler_Forensic_Artefacts {
meta:
description = "Detects strings / forensic artefacts on exploited Netscaler systems"
author = "Florian Roth"
reference = "https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/"
date = "2020-01-14"
score = 70
strings:
$ = "shell_command=\"whoami\"" ascii
@Neo23x0
Neo23x0 / gen_godmode_rule.yml
Last active Mar 8, 2022
God Mode Sigma Rule
View gen_godmode_rule.yml
# ################################################################################
# IMPORTANT NOTE
# The most recent version of this POC rule can now be found in the main repository
# https://github.com/Neo23x0/sigma/blob/master/other/godmode_sigma_rule.yml
# ################################################################################
# _____ __ __ ___ __
# / ___/__ ___/ / / |/ /__ ___/ /__
# / (_ / _ \/ _ / / /|_/ / _ \/ _ / -_)
# \___/\___/\_,_/ /_/ /_/\___/\_,_/\__/_
# / __(_)__ ___ _ ___ _ / _ \__ __/ /__
@Neo23x0
Neo23x0 / Base64_CheatSheet.md
Last active Aug 4, 2022
Learning Aid - Top Base64 Encodings Table
View Base64_CheatSheet.md

Learning Aid - Top Base64 Encodings Table

Base64 Code Mnemonic Aid Decoded* Description
JAB 🗣 Jabber $. Variable declaration (UTF-16)
TVq 📺 Television MZ MZ header
SUVY 🚙 SUV IEX PowerShell Invoke Expression
SQBFAF 🐣 Squab favorite I.E. PowerShell Invoke Expression (UTF-16)
SQBuAH 🐣 Squab uahhh I.n. PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz
PAA 💪 "Pah!" <. Often used by Emotet (UTF-16)
@Neo23x0
Neo23x0 / sysmon_suspicious_keyboard_layout_load.yml
Last active Sep 4, 2020
Sigma Rule to Detect Uncommon Keyboard Layout Loads in Your Organisation
View sysmon_suspicious_keyboard_layout_load.yml
title: Suspicious Keyboard Layout Load
description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only
references:
- https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
author: Florian Roth
date: 2019/10/12
logsource:
product: windows
service: sysmon
definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'