rule Microsoft_PE_Timestamp_Copyright_Anomaly {
   meta:
      description = "Detects a portable executable with an old copyright statement but a new compilation timestamp"
      author = "Florian Roth"
      reference = "Internal Research"
      date = "2017-06-02"
      score = 30
   strings:
      $a1 = "Copyright (C) Microsoft Corp. 19" wide
I just pushed the rule to "signature-base"
https://github.com/Neo23x0/signature-base/blob/master/yara/crime_nopetya_jun17.yar
Some of the other rules are running in QS right now.
I'll update the 'crime_nopetya_jun17.yar' file frequently.
# IMPORTANT!
# This gist has been transformed into a github repo
# You can find the most recent version there:
# https://github.com/Neo23x0/auditd
#     ___             ___ __      __
#    /   |__  ______/ (_) /_____/ /
#   / /| |/ / / / __  / / __/ __  /
#  / ___ / /_/ / /_/ / / /_/ /_/ /
# /_/  |_\__,_/\__,_/_/\__/\__,_/
open /Applications/Google\ Chrome.app --args --cipher-suite-blacklist=0x000a,0xc013,0xc014,0xc02b,0xc02c,0xc02f,0xc030,0xcca8,0xcca9
#!/bin/bash
#
# Uses Slack web hooks to report logons on SSH servers
# Webhooks: https://yourslack.slack.com/apps/A0F7XDUAZ-incoming-webhooks
# Add this script to /etc/profile or create a ~/.profile for a certain user
WEB_HOOK=your_slack_web_hook
hostname=$(hostname)
# $SSH_CONNECTION is "client_ip client_port server_ip server_port"; take the client IP
source=$(echo "$SSH_CONNECTION" | cut -d' ' -f 1)
geo=$(geoiplookup "$source")
alert http any any -> any any (msg:"VPNFilter malware User-Agent"; content:"Mozilla/6.1 (compatible|3B| MSIE 9.0|3B| Windows NT 5.3|3B| Trident/5.0)"; http_user_agent; sid:2; rev:1;)
package main

import (
	"fmt"
	"os"
	"syscall"
)

func main() {
	if len(os.Args) != 2 {
[^\x00-\x7E]
# This GIST has been transformed into a Git repository and does not receive updates anymore
#
# Please visit the github repo to get a current list
# https://github.com/Neo23x0/ti-falsepositives/

# Hashes that are often included in IOC lists but are false positives
HASH_WHITELIST = [
    # Empty file (MD5 and SHA1 of zero bytes)
    'd41d8cd98f00b204e9800998ecf8427e',
    'da39a3ee5e6b4b0d3255bfef95601890afd80709',
Linux
(strings -a -td "$@" | sed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 A \2/' ; strings -a -td -el "$@" | sed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 W \2/') | sort -n

macOS
(gstrings -a -td "$@" | gsed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 A \2/' ; gstrings -a -td -el "$@" | gsed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 W \2/') | sort -n