Florian Roth Neo23x0

## nighthawk-blog-posts.md

      
              1 file
            
          
              2 forks
            
          
              0 comments
            
          
              1 star
            
          
                Neo23x0
                / nighthawk-blog-posts.md
            
            
              Last active
              August 1, 2023 21:53
            
              
                Collection of Deleted Articles on MDSec's Nighthawk
              
          
    Removed Articles on MDSec's NightHawk

Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice

by Proofpoint
https://web.archive.org/web/20221125224850/https://www.proofpoint.com/us/blog/threat-insight/nighthawk-and-coming-pentest-tool-likely-gain-threat-actor-notice
Studying "Next Generation Malware" - NightHawk’s Attempt At Obfuscate and Sleep

by Austin Hudson

  
## help.md

      
              1 file
            
          
              6 forks
            
          
              1 comment
            
          
              14 stars
            
          
                Neo23x0
                / help.md
            
            
              Last active
              July 30, 2023 12:19
            
              
                Offensive Research Guide to Help Defense Improve Detection
              
          
    I've transformed this gist into a git repository.

Whenever you research a certain vulnerability ask yourself these questions and please answer them for us
Logging

Does the exploited service write a log? 

(check ls -lrt /var/log or lsof +D /var/log/ or lsof | grep servicename)

  
## cyber-security-blogs.txt
https://thedfirreport.com/
https://www.zerodayinitiative.com/blog/
https://codewhitesec.blogspot.com/
https://www.digitalshadows.com/blog-and-research/
https://blog.talosintelligence.com/
https://www.riskiq.com/blog/
https://www.sekoia.io/en/blog-sekoia-io/
https://www.nextron-systems.com/blog/
https://www.microsoft.com/security/blog/
https://blog.truesec.com/

## gen_godmode_rule.yml
# ################################################################################
# IMPORTANT NOTE
# The most recent version of this POC rule can now be found in the main repository
# https://github.com/Neo23x0/sigma/blob/master/other/godmode_sigma_rule.yml
# ################################################################################
#    _____        __  __  ___        __
#   / ___/__  ___/ / /  |/  /__  ___/ /__
#  / (_ / _ \/ _  / / /|_/ / _ \/ _  / -_)
#  \___/\___/\_,_/ /_/  /_/\___/\_,_/\__/_
#    / __(_)__ ___ _  ___ _  / _ \__ __/ /__

## detect-dirtycow.sh
#!/bin/bash
# - Matches on source and compiled code
# - Searches in user home directories by default
# - Detects certain strings in files smaller 300 kbyte
# - Does not print anything if nothing was found
# - Appends the file's time stamp of the files in question > good indicator to spot false positives
# - Should work on most Linux systems with bash
# Old version
# for f in $(find /home/ -type f -size -300 2> /dev/null); do if [[ $(strings -a "$f" 2> /dev/null | egrep "/proc/(self|%d)/(mem|maps)") != "" ]];then m=$(stat -c %y $f); echo "Contains DirtyCOW string: $f MOD_DATE: $m"; fi; done;
for f in $(find /home/ -type f -size -300 2> /dev/null); do if [[ $(egrep "/proc/(self|%d)/(mem|maps)" "$f") != "" ]];then m=$(stat -c %y "$f"); echo "Contains DirtyCOW string: $f MOD_DATE: $m"; fi; done;

## snippet_gen_yara_hash.py
import hashlib
import re

def calculate_rule_hash(rule):
    """
    Calculates a hash over the relevant YARA rule content (string contents, sorted condition)
    Requires a YARA rule object as generated by 'plyara': https://github.com/plyara/plyara
    :param rule: yara rule object
    :return hash: generated hash
    """

## yara-ops.py
import hashlib
import re
import plyara

# Florian Roth, Christian Burkard
# Version 3.0
# January 2023
#
# Known issues: fails in some cases in which 'private' rules are used

## link-tree.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                Neo23x0
                / link-tree.md
            
            
              Created
              December 18, 2022 18:48
            
              
                My Link List
              
          
    My LinkTree
https://linktr.ee/cyb3rops

  
## wpwatcher.py
#!/usr/bin/env python
# -*- coding: iso-8859-1 -*-
# -*- coding: utf-8 -*-
#
# Wordpress Watcher
# Automating WPscan to scan and report vulnerable Wordpress sites
# Florian Roth
# v0.1
# March 2015
#

## send-to-slack.sh
#!/bin/bash -x
hostname=$(hostname)
source=$(echo "$SSH_CONNECTION" | cut -d' ' -f 1)
geo=$(geoiplookup "$source")
curl -X POST --silent --data "payload={\"text\": \":bust_in_silhouette: SYSTEM: $hostname USER: $USER SOURCE: $source GEO: $geo\"}" https://hooks.slack.com/services/XXXXXXXX_YOURHOOK_XXXXX > /dev/null
	https://thedfirreport.com/
	https://www.zerodayinitiative.com/blog/
	https://codewhitesec.blogspot.com/
	https://www.digitalshadows.com/blog-and-research/
	https://blog.talosintelligence.com/
	https://www.riskiq.com/blog/
	https://www.sekoia.io/en/blog-sekoia-io/
	https://www.nextron-systems.com/blog/
	https://www.microsoft.com/security/blog/
	https://blog.truesec.com/
	# ################################################################################
	# IMPORTANT NOTE
	# The most recent version of this POC rule can now be found in the main repository
	# https://github.com/Neo23x0/sigma/blob/master/other/godmode_sigma_rule.yml
	# ################################################################################
	# _____ __ __ ___ __
	# / ___/__ ___/ / / \|/ /__ ___/ /__
	# / (_ / _ \/ _ / / /\|_/ / _ \/ _ / -_)
	# \___/\___/\_,_/ /_/ /_/\___/\_,_/\__/_
	# / __(_)__ ___ _ ___ _ / _ \__ __/ /__
	#!/bin/bash
	# - Matches on source and compiled code
	# - Searches in user home directories by default
	# - Detects certain strings in files smaller 300 kbyte
	# - Does not print anything if nothing was found
	# - Appends the file's time stamp of the files in question > good indicator to spot false positives
	# - Should work on most Linux systems with bash
	# Old version
	# for f in $(find /home/ -type f -size -300 2> /dev/null); do if [[ $(strings -a "$f" 2> /dev/null \| egrep "/proc/(self\|%d)/(mem\|maps)") != "" ]];then m=$(stat -c %y $f); echo "Contains DirtyCOW string: $f MOD_DATE: $m"; fi; done;
	for f in $(find /home/ -type f -size -300 2> /dev/null); do if [[ $(egrep "/proc/(self\|%d)/(mem\|maps)" "$f") != "" ]];then m=$(stat -c %y "$f"); echo "Contains DirtyCOW string: $f MOD_DATE: $m"; fi; done;
	import hashlib
	import re

	def calculate_rule_hash(rule):
	"""
	Calculates a hash over the relevant YARA rule content (string contents, sorted condition)
	Requires a YARA rule object as generated by 'plyara': https://github.com/plyara/plyara
	:param rule: yara rule object
	:return hash: generated hash
	"""
	import hashlib
	import re
	import plyara

	# Florian Roth, Christian Burkard
	# Version 3.0
	# January 2023
	#
	# Known issues: fails in some cases in which 'private' rules are used
	#!/usr/bin/env python
	# -- coding: iso-8859-1 --
	# -- coding: utf-8 --
	#
	# Wordpress Watcher
	# Automating WPscan to scan and report vulnerable Wordpress sites
	# Florian Roth
	# v0.1
	# March 2015
	#
	#!/bin/bash -x
	hostname=$(hostname)
	source=$(echo "$SSH_CONNECTION" \| cut -d' ' -f 1)
	geo=$(geoiplookup "$source")
	curl -X POST --silent --data "payload={\"text\": \":bust_in_silhouette: SYSTEM: $hostname USER: $USER SOURCE: $source GEO: $geo\"}" https://hooks.slack.com/services/XXXXXXXX_YOURHOOK_XXXXX > /dev/null