Florian Roth Neo23x0

@Neo23x0
Neo23x0 / keybase.md
Created Oct 8, 2014
Keybase declaration

Keybase proof

I hereby claim:

  • I am neo23x0 on github.
  • I am johngalt (https://keybase.io/johngalt) on keybase.
  • I have a public key whose fingerprint is 55CB FD26 19E9 BF9E 78C1 D582 FE04 247D 50D1 ACC8

To claim this, I am signing this object:

@Neo23x0
Neo23x0 / wpwatcher.py
Last active May 27, 2019
WordPress Watcher - WPScan Vulnerability Scan on WordPress Sites and Reporting
#!/usr/bin/env python
# -*- coding: iso-8859-1 -*-
# -*- coding: utf-8 -*-
#
# WordPress Watcher
# Automating WPScan to scan and report vulnerable WordPress sites
# Florian Roth
# v0.1
# March 2015
#
@Neo23x0
Neo23x0 / yara_performance_guidelines.md
Last active Nov 10, 2019
YARA Performance Guidelines

YARA Performance Guidelines

When creating your rules for YARA, keep in mind the following guidelines to get the best performance from them. This guide is based on ideas and recommendations by Victor M. Alvarez and WXS.

  • Revision 1.3, October 2019, applies to all YARA versions higher than 3.7

Faster / Resource Friendly Statements

  • Bad: Regular Expressions
@Neo23x0
Neo23x0 / config-client.xml
Last active Oct 22, 2019
Sysmon Base Configuration - Workstations
<!--
This is a Microsoft Sysmon configuration to be used on Windows workstations
v0.2.1 December 2016
Florian Roth (with the help and ideas of others)
The focus of this configuration is
- malware detection (execution)
- malware detection (network connections)
- exploit detection
It is not focussed on
@Neo23x0
Neo23x0 / config-server.xml
Last active Nov 7, 2019
Sysmon Base Configuration - Windows Server
<!--
This is a Microsoft Sysmon configuration to be used on Windows server systems
v0.2.1 December 2016
Florian Roth
The focus of this configuration is
- hacking activity on servers / lateral movement (bad admin, attacker)
It is not focussed on
- malware detection (execution)
- malware detection (network connections)
@Neo23x0
Neo23x0 / detect-dirtycow.sh
Last active Mar 29, 2017
One-Liner to Detect DirtyCOW Code
#!/bin/bash
# - Matches on source and compiled code (grep -a scans binaries as text; without it,
#   newer GNU grep versions report binary matches on stderr and the check would miss them)
# - Searches in user home directories by default
# - Detects certain strings in files smaller than 300 kbyte (-size -300k; a bare -300 means
#   300 512-byte blocks, i.e. roughly 150 kbyte)
# - Does not print anything if nothing was found
# - Appends each file's modification time stamp, a good indicator for spotting false positives
# - Should work on most Linux systems with bash (stat -c is GNU coreutils)
# - Reads file names NUL-terminated, so names containing spaces are not split
# Old version
# for f in $(find /home/ -type f -size -300 2> /dev/null); do if [[ $(strings -a "$f" 2> /dev/null | egrep "/proc/(self|%d)/(mem|maps)") != "" ]];then m=$(stat -c %y $f); echo "Contains DirtyCOW string: $f MOD_DATE: $m"; fi; done;
find /home/ -type f -size -300k -print0 2> /dev/null | while IFS= read -r -d '' f; do if grep -aqE "/proc/(self|%d)/(mem|maps)" "$f" 2> /dev/null; then m=$(stat -c %y "$f"); echo "Contains DirtyCOW string: $f MOD_DATE: $m"; fi; done
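As an added example (not code from the gist above), the same string check packaged as a shell function that is safe on file names with spaces, keeps the 300 kbyte cut-off, scans binaries as text, and is run against constructed sample files, including an oversized file that the size filter must drop and a benign file that mentions /proc without the exploit paths. The sample contents, the `scan_dir`, `make_samples` and `count_hits` helpers and the directory names are assumptions made for the demonstration; GNU find, grep and stat (Linux) are assumed.

```shell
#!/bin/bash
# Added example, not part of the gist: DirtyCOW string check as a function,
# exercised against constructed sample files. Nothing here is real malware.
# Assumes GNU find/grep/stat (Linux).

# scan_dir DIR [MAX_KB]
# Prints "PATH<TAB>MOD_DATE" for every regular file below DIR smaller than
# MAX_KB kilobytes (default 300) that references /proc/self|%d/mem|maps.
# Prints nothing when nothing matches.
scan_dir() {
    local dir="$1" max_kb="${2:-300}"
    # -exec ... {} + hands find's results to grep without word splitting;
    # -a scans binaries as text so compiled exploits match as well;
    # -l prints only the names of matching files.
    find "$dir" -type f -size "-${max_kb}k" \
        -exec grep -alE '/proc/(self|%d)/(mem|maps)' {} + 2>/dev/null |
    while IFS= read -r f; do
        printf '%s\t%s\n' "$f" "$(stat -c %y "$f")"
    done
}

# count_hits DIR [MAX_KB]: number of files scan_dir reports (0 when none).
count_hits() {
    scan_dir "$@" | grep -c . || true
}

# make_samples DIR: constructed inputs covering the cases that matter.
make_samples() {
    local d="$1/user one"            # directory name containing a space
    mkdir -p "$d/.cache"
    # 1) exploit-like source: must match
    printf 'int fd = open("/proc/self/mem", O_RDWR);\n' > "$d/cow.c"
    # 2) fake compiled binary: ELF magic, NUL bytes, the %d variant of the string
    printf '\177ELF\0\0\0/proc/%%d/maps\0\0\0' > "$d/.cache/a.out"
    # 3) benign text mentioning /proc but not the exploit paths: no match
    printf 'see /proc/cpuinfo for details\n' > "$d/notes.txt"
    # 4) 400 kbyte file carrying the string: excluded by the size limit
    { head -c 409600 /dev/zero | tr '\0' A; printf '/proc/self/mem\n'; } > "$1/big.log"
}

# Demo run against the constructed samples; reports cow.c and a.out only.
demo=$(mktemp -d)
make_samples "$demo"
scan_dir "$demo"
rm -rf "$demo"
```

The size limit is applied by find before grep ever opens a file, so the 400 kbyte sample is never read; the fake ELF is caught only because of `grep -a`, which is the case the gist's "matches on compiled code" claim depends on.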
@Neo23x0
Neo23x0 / annotations.xml
Last active Nov 7, 2019
Sources for APT Groups and Operations Search Engine
<?xml version="1.0" encoding="UTF-8" ?>
<Annotations start="0" num="138" total="138">
<Annotation about="*.401trg.pw/*" timestamp="0x00056c69af232729" href="Cg0qLjQwMXRyZy5wdy8qEKnOjPmajdsC">
<Label name="_cse_turlh5vi4xc" />
<AdditionalData attribute="original_url" value="https://401trg.pw/" />
</Annotation>
<Annotation about="decalage.info/en/security*" timestamp="0x00056c678a15c50b" href="ChpkZWNhbGFnZS5pbmZvL2VuL3NlY3VyaXR5KhCLitfQ-IzbAg">
<Label name="_cse_turlh5vi4xc" />
<AdditionalData attribute="original_url" value="https://decalage.info/en/security" />
</Annotation>
@Neo23x0
Neo23x0 / pulggable.patch
Last active Jul 11, 2017
Wordpress CVE-2017-8295 WordPress Core <= 4.7.4 Potential Unauthorized Password Reset (0day) Patch
--- pluggable.php 2017-05-04 09:37:27.000000000 +0200
+++ pluggable_patched.php 2017-05-04 09:40:39.000000000 +0200
@@ -323,10 +323,7 @@
if ( !isset( $from_email ) ) {
// Get the site domain and get rid of www.
- $sitename = strtolower( $_SERVER['SERVER_NAME'] );
- if ( substr( $sitename, 0, 4 ) == 'www.' ) {
- $sitename = substr( $sitename, 4 );
- }
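Review bot: the four removed lines build `$sitename` from `$_SERVER['SERVER_NAME']`, a value that on common web server configurations is filled from the client's Host header, but the replacement side of this hunk is not shown here; the header `-323,10 +323,7` implies at least one added line after the four removals. That added line has to derive the sender domain from something the client cannot set (the site's configured URL rather than anything taken from the request), otherwise the From: address of the password-reset mail remains request-influenced and the patch does not close the issue named in the title. The `www.` stripping disappears together with the SERVER_NAME lookup; if the new code no longer normalises the domain, state that in the description, since it changes the sender address for sites that previously had the prefix removed.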
@Neo23x0
Neo23x0 / wannacry-vaccine.reg
Last active Oct 3, 2019
WannaCrypt Ransomware Immunisation
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskdl.exe]
"Debugger"="taskkill /F /IM "
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskse.exe]
"Debugger"="taskkill /F /IM "
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wannacry.exe]
"Debugger"="taskkill /F /IM "
@Neo23x0
Neo23x0 / nmap-cmdline
Last active Apr 23, 2019
Nmap Scan Params for CVE-2017-0143 MS17-010 Scanning
# Scan for CVE-2017-0143 MS17-010
# The vulnerability used by WannaCry Ransomware
#
# 1. Use @calderpwn's script
# http://seclists.org/nmap-dev/2017/q2/79
#
# 2. Save it to Nmap NSE script directory
# Linux - /usr/share/nmap/scripts/ or /usr/local/share/nmap/scripts/
# OSX - /opt/local/share/nmap/scripts/
#