Florian Roth Neo23x0

## config-server.xml
<!--
   This is a Microsoft Sysmon configuation to be used on Windows server systems
   v0.2.1 December 2016
   Florian Roth

   The focus of this configuration is
   - hacking activity on servers / lateral movement (bad admin, attacker)
   It is not focussed on
   - malware detection (execution)
   - malware detection (network connections)

## Base64_CheatSheet.md

      
              1 file
            
          
              43 forks
            
          
              6 comments
            
          
              263 stars
            
          
                Neo23x0
                / Base64_CheatSheet.md
            
            
              Last active
              March 10, 2024 09:15
            
              
                Learning Aid - Top Base64 Encodings Table
              
          
    Base64 Patterns - Learning Aid


Base64 Code
Mnemonic Aid
Decoded*
Description


JAB
🗣 Jabber
$.
Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env:


TVq
📺 Television
MZ
MZ header


SUVY
🚙 SUV
IEX
PowerShell Invoke Expression


SQBFAF
🐣 Squab favorite
I.E.
PowerShell Invoke Expression (UTF-16)


SQBuAH
🐣 Squab uahhh
I.n.
PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz


PAA
💪 "Pah!"
&lt;.
Often used by Emotet (UTF-16)


## sigma-evtx-scan.md

      
              1 file
            
          
              1 fork
            
          
              0 comments
            
          
              12 stars
            
          
                Neo23x0
                / sigma-evtx-scan.md
            
            
              Last active
              February 10, 2024 08:54
            
              
                Guide to Use Sigma EVTX Checker
              
          
    Guide to Use Nextron's Sigma EVTX Checker

It's a fast go-based scanner for Linux, Windows, and macOS that applies Sigma rules and outputs the matches as JSON.
Clone the Sigma Repository and cd into it

git clone https://github.com/SigmaHQ/sigma.git
cd sigma

  
## log4j_rce_detection.md

      
              1 file
            
          
              72 forks
            
          
              70 comments
            
          
              512 stars
            
          
                Neo23x0
                / log4j_rce_detection.md
            
            
              Last active
              January 28, 2024 08:19
            
              
                Log4j RCE CVE-2021-44228 Exploitation Detection
              
          
    log4j RCE Exploitation Detection

You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228
Grep / Zgrep

This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders
sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log

  
## iddqd.yar
/*
WARNING:

the newest version of this rule is now hosted here:
https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
*/


/*
      _____        __  __  ___        __

## audit.rules
# IMPORTANT!
# This gist has been transformed into a github repo
# You can find the most recent version there:
# https://github.com/Neo23x0/auditd

#      ___             ___ __      __
#     /   | __  ______/ (_) /_____/ /
#    / /| |/ / / / __  / / __/ __  /
#   / ___ / /_/ / /_/ / / /_/ /_/ /
#  /_/  |_\__,_/\__,_/_/\__/\__,_/

## nvidia_cert_leak_vt_dorks.md

      
              1 file
            
          
              1 fork
            
          
              0 comments
            
          
              6 stars
            
          
                Neo23x0
                / nvidia_cert_leak_vt_dorks.md
            
            
              Created
              March 5, 2022 12:49
            
              
                Samples Signed with NVIDIA Certs
              
          
    VT Dorks to Find Samples Signed with Leaked NVIDIA Certificates

References:
https://twitter.com/cyb3rops/status/1499514240008437762
https://twitter.com/GossiTheDog/status/1499781976835993600
More background:
https://twitter.com/FuzzySec/status/1499462430275084307
All files signed with the certificates


## sigma_correlation_failed_login_success.yml
title: Correlation - Multiple Failed Logins Followed by Successful Login
id: b180ead8-d58f-40b2-ae54-c8940995b9b6
status: experimental
description: Detects multiple failed logins by a single user followed by a successful login of that user
references:
    - https://reference.com
author: Florian Roth (Nextron Systems)
date: 2023/06/16
correlation:
    type: temporal

## annotations.xml
<?xml version="1.0" encoding="UTF-8"?>
<Annotations start="0" num="171" total="171">
  <Annotation about="www.bussink.net/*" timestamp="0x0005d7bc4022b026" href="ChF3d3cuYnVzc2luay5uZXQvKhCm4IqBxPf1Ag">
    <Label name="_cse_turlh5vi4xc"/>
    <AdditionalData attribute="original_url" value="https://www.bussink.net/"/>
  </Annotation>
  <Annotation about="*.thedfirreport.com/*" timestamp="0x0005d76dd5f8679d" href="ChUqLnRoZWRmaXJyZXBvcnQuY29tLyoQnc_hr93t9QI">
    <Label name="_cse_turlh5vi4xc"/>
    <AdditionalData attribute="original_url" value="https://thedfirreport.com/"/>
  </Annotation>

## yara_performance_guidelines.md

      
              1 file
            
          
              26 forks
            
          
              1 comment
            
          
              117 stars
            
          
                Neo23x0
                / yara_performance_guidelines.md
            
            
              Last active
              September 18, 2023 02:28
            
              
                YARA Performance Guidelines
              
          
    This Gist has been transfered into a Github Repo.
You'll find the most recent version here.
YARA Performance Guidelines

When creating your rules for YARA keep in mind the following guidelines in order to get the best performance from them.
This guide is based on ideas and recommendations by Victor M. Alvarez and WXS.

Revision 1.4, October 2020, applies to all YARA versions higher than 3.7
	<!--
	This is a Microsoft Sysmon configuation to be used on Windows server systems
	v0.2.1 December 2016
	Florian Roth

	The focus of this configuration is
	- hacking activity on servers / lateral movement (bad admin, attacker)
	It is not focussed on
	- malware detection (execution)
	- malware detection (network connections)
Base64 Code	Mnemonic Aid	Decoded*	Description
`JAB`	🗣 Jabber	`$.`	Variable declaration (UTF-16), e.g. `JABlAG4AdgA` for `$env:`
`TVq`	📺 Television	`MZ`	MZ header
`SUVY`	🚙 SUV	`IEX`	PowerShell Invoke Expression
`SQBFAF`	🐣 Squab favorite	`I.E.`	PowerShell Invoke Expression (UTF-16)
`SQBuAH`	🐣 Squab uahhh	`I.n.`	PowerShell Invoke string (UTF-16) e.g. `Invoke-Mimikatz`
`PAA`	💪 "Pah!"	`<.`	Often used by Emotet (UTF-16)
	/*
	WARNING:

	the newest version of this rule is now hosted here:
	https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
	*/


	/*
	_____ __ __ ___ __
	# IMPORTANT!
	# This gist has been transformed into a github repo
	# You can find the most recent version there:
	# https://github.com/Neo23x0/auditd

	# ___ ___ __ __
	# / \| __ ______/ (_) /_____/ /
	# / /\| \|/ / / / __ / / __/ __ /
	# / ___ / /_/ / /_/ / / /_/ /_/ /
	# /_/ \|_\__,_/\__,_/_/\__/\__,_/
	title: Correlation - Multiple Failed Logins Followed by Successful Login
	id: b180ead8-d58f-40b2-ae54-c8940995b9b6
	status: experimental
	description: Detects multiple failed logins by a single user followed by a successful login of that user
	references:
	- https://reference.com
	author: Florian Roth (Nextron Systems)
	date: 2023/06/16
	correlation:
	type: temporal
	<?xml version="1.0" encoding="UTF-8"?>
	<Annotations start="0" num="171" total="171">
	<Annotation about="www.bussink.net/*" timestamp="0x0005d7bc4022b026" href="ChF3d3cuYnVzc2luay5uZXQvKhCm4IqBxPf1Ag">
	<Label name="_cse_turlh5vi4xc"/>
	<AdditionalData attribute="original_url" value="https://www.bussink.net/"/>
	</Annotation>
	<Annotation about=".thedfirreport.com/" timestamp="0x0005d76dd5f8679d" href="ChUqLnRoZWRmaXJyZXBvcnQuY29tLyoQnc_hr93t9QI">
	<Label name="_cse_turlh5vi4xc"/>
	<AdditionalData attribute="original_url" value="https://thedfirreport.com/"/>
	</Annotation>