Florian Roth Neo23x0

## ms_ts_anomaly.yar

rule Microsoft_PE_Timestamp_Copyright_Anomaly {
   meta:
      description = "Detects a portable executable with an old copyrigth statement but a new compilation timestamp"
      author = "Florian Roth"
      reference = "Internal Research"
      date = "2017-06-02"
      score = 30
   strings:
      $a1 = "Copyright (C) Microsoft Corp. 19" wide

## shitrix_artefacts.yar

rule SUSP_Netscaler_Forensic_Artefacts {
   meta:
      description = "Detects strings / forensic artefacts on exploited Netscaler systems"
      author = "Florian Roth"
      reference = "https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/"
      date = "2020-01-14"
      score = 70
    strings:
      $ = "shell_command=\"whoami\"" ascii

## fp-hashes.py
# This GIST has been transformed into a Git repository and does not receive updates anymore
#
# Please visit the github repo to get a current list
# https://github.com/Neo23x0/ti-falsepositives/

# Hashes that are often included in IOC lists but are false positives
HASH_WHITELIST = [
    # Empty file
    'd41d8cd98f00b204e9800998ecf8427e',
    'da39a3ee5e6b4b0d3255bfef95601890afd80709',

## nmap-cmdline
# Scan for CVE-2017-0143 MS17-010
# The vulnerability used by WannaCry Ransomware
#
# 1. Use @calderpwn's script
#    http://seclists.org/nmap-dev/2017/q2/79
#
# 2. Save it to Nmap NSE script directory
#    Linux - /usr/share/nmap/scripts/ or /usr/local/share/nmap/scripts/
#    OSX - /opt/local/share/nmap/scripts/
#

## get-casing.py
import itertools
s = "cmd.exe"
list(map(''.join, itertools.product(*zip(s.upper(), s.lower()))))

## sysmon_suspicious_keyboard_layout_load.yml
title: Suspicious Keyboard Layout Load
description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only
references:
    - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
author: Florian Roth
date: 2019/10/12
logsource:
    product: windows
    service: sysmon
    definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'

## fix-sourcetree-git-secrets.sh
#!/bin/bash
#
# Fixes error:
# git: 'secrets' is not a git command. See 'git --help'.
#
# 1. Go to SourceTree preferences > Git > Use System Git
#    Select the system's git e.g. /usr/local/git/bin/git
# 2. Run this script
#    Adust the path if your system's git is located in a different folder
#    git-secrets must be linked in the same folder as the system's git binary

## wannacry-vaccine.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskdl.exe]
"Debugger"="taskkill /F /IM "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskse.exe]
"Debugger"="taskkill /F /IM "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wannacry.exe]
"Debugger"="taskkill /F /IM "

## config-client.xml
<!--
   This is a Microsoft Sysmon configuration to be used on Windows workstations
   v0.2.1 December 2016
   Florian Roth (with the help and ideas of others)

   The focus of this configuration is
   - malware detection (execution)
   - malware detection (network connections)
   - exploit detection
   It is not focussed on

## stringex.sh
Linux
(strings -a -td "$@" | sed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 A \2/' ; strings -a -td -el "$@" | sed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 W \2/') | sort -n

macOS
(gstrings -a -td "$@" | gsed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 A \2/' ; gstrings -a -td -el "$@" | gsed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 W \2/') | sort -n

	rule Microsoft_PE_Timestamp_Copyright_Anomaly {
	meta:
	description = "Detects a portable executable with an old copyrigth statement but a new compilation timestamp"
	author = "Florian Roth"
	reference = "Internal Research"
	date = "2017-06-02"
	score = 30
	strings:
	$a1 = "Copyright (C) Microsoft Corp. 19" wide

	rule SUSP_Netscaler_Forensic_Artefacts {
	meta:
	description = "Detects strings / forensic artefacts on exploited Netscaler systems"
	author = "Florian Roth"
	reference = "https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/"
	date = "2020-01-14"
	score = 70
	strings:
	$ = "shell_command=\"whoami\"" ascii
	# This GIST has been transformed into a Git repository and does not receive updates anymore
	#
	# Please visit the github repo to get a current list
	# https://github.com/Neo23x0/ti-falsepositives/

	# Hashes that are often included in IOC lists but are false positives
	HASH_WHITELIST = [
	# Empty file
	'd41d8cd98f00b204e9800998ecf8427e',
	'da39a3ee5e6b4b0d3255bfef95601890afd80709',
	# Scan for CVE-2017-0143 MS17-010
	# The vulnerability used by WannaCry Ransomware
	#
	# 1. Use @calderpwn's script
	# http://seclists.org/nmap-dev/2017/q2/79
	#
	# 2. Save it to Nmap NSE script directory
	# Linux - /usr/share/nmap/scripts/ or /usr/local/share/nmap/scripts/
	# OSX - /opt/local/share/nmap/scripts/
	#
	import itertools
	s = "cmd.exe"
	list(map(''.join, itertools.product(*zip(s.upper(), s.lower()))))
	title: Suspicious Keyboard Layout Load
	description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only
	references:
	- https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
	author: Florian Roth
	date: 2019/10/12
	logsource:
	product: windows
	service: sysmon
	definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
	#!/bin/bash
	#
	# Fixes error:
	# git: 'secrets' is not a git command. See 'git --help'.
	#
	# 1. Go to SourceTree preferences > Git > Use System Git
	# Select the system's git e.g. /usr/local/git/bin/git
	# 2. Run this script
	# Adust the path if your system's git is located in a different folder
	# git-secrets must be linked in the same folder as the system's git binary
	Windows Registry Editor Version 5.00

	[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskdl.exe]
	"Debugger"="taskkill /F /IM "

	[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskse.exe]
	"Debugger"="taskkill /F /IM "

	[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wannacry.exe]
	"Debugger"="taskkill /F /IM "
	<!--
	This is a Microsoft Sysmon configuration to be used on Windows workstations
	v0.2.1 December 2016
	Florian Roth (with the help and ideas of others)

	The focus of this configuration is
	- malware detection (execution)
	- malware detection (network connections)
	- exploit detection
	It is not focussed on
	Linux
	(strings -a -td "$@" \| sed 's/^\(\s[0-9][0-9]\) \(.\)$/\1 A \2/' ; strings -a -td -el "$@" \| sed 's/^\(\s[0-9][0-9]\) \(.\)$/\1 W \2/') \| sort -n

	macOS
	(gstrings -a -td "$@" \| gsed 's/^\(\s[0-9][0-9]\) \(.\)$/\1 A \2/' ; gstrings -a -td -el "$@" \| gsed 's/^\(\s[0-9][0-9]\) \(.\)$/\1 W \2/') \| sort -n