Florian Roth Neo23x0
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule Microsoft_PE_Timestamp_Copyright_Anomaly { | |
| meta: | |
| description = "Detects a portable executable with an old copyrigth statement but a new compilation timestamp" | |
| author = "Florian Roth" | |
| reference = "Internal Research" | |
| date = "2017-06-02" | |
| score = 30 | |
| strings: | |
| $a1 = "Copyright (C) Microsoft Corp. 19" wide |
Neo23x0
/ crime_petya_jun17.yar
Last active
July 1, 2017 00:53
YARA Rule for Petya Ransomware - June 2017
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| I just pushed the rule to "signature-base" | |
| https://github.com/Neo23x0/signature-base/blob/master/yara/crime_nopetya_jun17.yar | |
| Some of the other rules are running in QS right now. | |
| I'll update the 'crime_nopetya_jun17.yar' file frequently. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # IMPORTANT! | |
| # This gist has been transformed into a github repo | |
| # You can find the most recent version there: | |
| # https://github.com/Neo23x0/auditd | |
| # ___ ___ __ __ | |
| # / | __ ______/ (_) /_____/ / | |
| # / /| |/ / / / __ / / __/ __ / | |
| # / ___ / /_/ / /_/ / / /_/ /_/ / | |
| # /_/ |_\__,_/\__,_/_/\__/\__,_/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| open /Applications/Google\ Chrome.app --args --cipher-suite-blacklist=0x000a,0xc013,0xc014,0xc02b,0xc02c,0xc02f,0xc030,0xcca8,0xcca9 |
Neo23x0
/ send-logon-to-slack.sh
Last active
January 9, 2018 14:47
Report user logons to a slack channel
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| # Uses slack web hooks to report logons on SSH servers | |
| # Webhooks: https://yourslack.slack.com/apps/A0F7XDUAZ-incoming-webhooks | |
| # Add this script to /etc/profile or create a ~/.profile for a certain user | |
| WEB_HOOK=your_slack_web_hook | |
| hostname=$(hostname) | |
| source=$(echo "$SSH_CONNECTION" | cut -d' ' -f 1) | |
| geo=$(geoiplookup "$source") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| alert http any any -> any any (msg:"VPNFilter malware User-Agent"; content:"Mozilla/6.1 (compatible|3B| MSIE 9.0|3B| Windows NT 5.3|3B| Trident/5.0)"; http_user_agent; sid:2; rev:1;) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "fmt" | |
| "os" | |
| "syscall" | |
| ) | |
| func main() { | |
| if len(os.Args) != 2 { |
Neo23x0
/ gist:4dffdbbc08595436f95a2d9dd06af6b2
Created
June 19, 2018 14:36
Regex - Non-ASCII Characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [^\x00-\x7E] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This GIST has been transformed into a Git repository and does not receive updates anymore | |
| # | |
| # Please visit the github repo to get a current list | |
| # https://github.com/Neo23x0/ti-falsepositives/ | |
| # Hashes that are often included in IOC lists but are false positives | |
| HASH_WHITELIST = [ | |
| # Empty file | |
| 'd41d8cd98f00b204e9800998ecf8427e', | |
| 'da39a3ee5e6b4b0d3255bfef95601890afd80709', |
Neo23x0
/ stringex.sh
Last active
August 13, 2021 13:56
String Extraction / ASCII and Wide by @RobertHaist
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Linux | |
| (strings -a -td "$@" | sed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 A \2/' ; strings -a -td -el "$@" | sed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 W \2/') | sort -n | |
| macOS | |
| (gstrings -a -td "$@" | gsed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 A \2/' ; gstrings -a -td -el "$@" | gsed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 W \2/') | sort -n |