This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rule Microsoft_PE_Timestamp_Copyright_Anomaly { | |
meta: | |
description = "Detects a portable executable with an old copyrigth statement but a new compilation timestamp" | |
author = "Florian Roth" | |
reference = "Internal Research" | |
date = "2017-06-02" | |
score = 30 | |
strings: | |
$a1 = "Copyright (C) Microsoft Corp. 19" wide |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rule SUSP_Netscaler_Forensic_Artefacts { | |
meta: | |
description = "Detects strings / forensic artefacts on exploited Netscaler systems" | |
author = "Florian Roth" | |
reference = "https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/" | |
date = "2020-01-14" | |
score = 70 | |
strings: | |
$ = "shell_command=\"whoami\"" ascii |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This GIST has been transformed into a Git repository and does not receive updates anymore | |
# | |
# Please visit the github repo to get a current list | |
# https://github.com/Neo23x0/ti-falsepositives/ | |
# Hashes that are often included in IOC lists but are false positives | |
HASH_WHITELIST = [ | |
# Empty file | |
'd41d8cd98f00b204e9800998ecf8427e', | |
'da39a3ee5e6b4b0d3255bfef95601890afd80709', |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Scan for CVE-2017-0143 MS17-010 | |
# The vulnerability used by WannaCry Ransomware | |
# | |
# 1. Use @calderpwn's script | |
# http://seclists.org/nmap-dev/2017/q2/79 | |
# | |
# 2. Save it to Nmap NSE script directory | |
# Linux - /usr/share/nmap/scripts/ or /usr/local/share/nmap/scripts/ | |
# OSX - /opt/local/share/nmap/scripts/ | |
# |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import itertools | |
s = "cmd.exe" | |
list(map(''.join, itertools.product(*zip(s.upper(), s.lower())))) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
title: Suspicious Keyboard Layout Load | |
description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only | |
references: | |
- https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index | |
author: Florian Roth | |
date: 2019/10/12 | |
logsource: | |
product: windows | |
service: sysmon | |
definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
# | |
# Fixes error: | |
# git: 'secrets' is not a git command. See 'git --help'. | |
# | |
# 1. Go to SourceTree preferences > Git > Use System Git | |
# Select the system's git e.g. /usr/local/git/bin/git | |
# 2. Run this script | |
# Adust the path if your system's git is located in a different folder | |
# git-secrets must be linked in the same folder as the system's git binary |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Windows Registry Editor Version 5.00 | |
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskdl.exe] | |
"Debugger"="taskkill /F /IM " | |
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskse.exe] | |
"Debugger"="taskkill /F /IM " | |
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wannacry.exe] | |
"Debugger"="taskkill /F /IM " |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<!-- | |
This is a Microsoft Sysmon configuration to be used on Windows workstations | |
v0.2.1 December 2016 | |
Florian Roth (with the help and ideas of others) | |
The focus of this configuration is | |
- malware detection (execution) | |
- malware detection (network connections) | |
- exploit detection | |
It is not focussed on |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Linux | |
(strings -a -td "$@" | sed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 A \2/' ; strings -a -td -el "$@" | sed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 W \2/') | sort -n | |
macOS | |
(gstrings -a -td "$@" | gsed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 A \2/' ; gstrings -a -td -el "$@" | gsed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 W \2/') | sort -n |