Skip to content

Instantly share code, notes, and snippets.

View Neo23x0's full-sized avatar

Florian Roth Neo23x0

View GitHub Profile
@Neo23x0
Neo23x0 / Base64_CheatSheet.md
Last active February 21, 2024 21:28
Learning Aid - Top Base64 Encodings Table
View Base64_CheatSheet.md

Base64 Patterns - Learning Aid

Base64 Code Mnemonic Aid Decoded* Description
JAB 🗣 Jabber $. Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env:
TVq 📺 Television MZ MZ header
SUVY 🚙 SUV IEX PowerShell Invoke Expression
SQBFAF 🐣 Squab favorite I.E. PowerShell Invoke Expression (UTF-16)
SQBuAH 🐣 Squab uahhh I.n. PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz
PAA 💪 "Pah!" <. Often used by Emotet (UTF-16)
@Neo23x0
Neo23x0 / sigma-evtx-scan.md
Last active February 10, 2024 08:54
Guide to Use Sigma EVTX Checker
View sigma-evtx-scan.md

Guide to Use Nextron's Sigma EVTX Checker

It's a fast go-based scanner for Linux, Windows, and macOS that applies Sigma rules and outputs the matches as JSON.

Clone the Sigma Repository and cd into it

git clone https://github.com/SigmaHQ/sigma.git
cd sigma
@Neo23x0
Neo23x0 / log4j_rce_detection.md
Last active January 28, 2024 08:19
Log4j RCE CVE-2021-44228 Exploitation Detection
View log4j_rce_detection.md

log4j RCE Exploitation Detection

You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228

Grep / Zgrep

This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders

sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
@Neo23x0
Neo23x0 / iddqd.yar
Last active January 18, 2024 13:04
IDDQD - Godmode YARA Rule
View iddqd.yar
/*
WARNING:
the newest version of this rule is now hosted here:
https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
*/
/*
_____ __ __ ___ __
@Neo23x0
Neo23x0 / audit.rules
Last active January 13, 2024 14:12
Linux Auditd Best Practice Configuration
View audit.rules
# IMPORTANT!
# This gist has been transformed into a github repo
# You can find the most recent version there:
# https://github.com/Neo23x0/auditd
# ___ ___ __ __
# / | __ ______/ (_) /_____/ /
# / /| |/ / / / __ / / __/ __ /
# / ___ / /_/ / /_/ / / /_/ /_/ /
# /_/ |_\__,_/\__,_/_/\__/\__,_/
@Neo23x0
Neo23x0 / config-server.xml
Last active December 18, 2023 13:10
Sysmon Base Configuration - Windows Server
View config-server.xml
<!--
This is a Microsoft Sysmon configuation to be used on Windows server systems
v0.2.1 December 2016
Florian Roth
The focus of this configuration is
- hacking activity on servers / lateral movement (bad admin, attacker)
It is not focussed on
- malware detection (execution)
- malware detection (network connections)
@Neo23x0
Neo23x0 / nvidia_cert_leak_vt_dorks.md
Created March 5, 2022 12:49
Samples Signed with NVIDIA Certs
@Neo23x0
Neo23x0 / sigma_correlation_failed_login_success.yml
Last active December 4, 2023 10:00
Sigma - Correlation Rule
View sigma_correlation_failed_login_success.yml
title: Correlation - Multiple Failed Logins Followed by Successful Login
id: b180ead8-d58f-40b2-ae54-c8940995b9b6
status: experimental
description: Detects multiple failed logins by a single user followed by a successful login of that user
references:
- https://reference.com
author: Florian Roth (Nextron Systems)
date: 2023/06/16
correlation:
type: temporal
@Neo23x0
Neo23x0 / annotations.xml
Last active October 22, 2023 12:14
Sources for APT Groups and Operations Search Engine
View annotations.xml
<?xml version="1.0" encoding="UTF-8"?>
<Annotations start="0" num="171" total="171">
<Annotation about="www.bussink.net/*" timestamp="0x0005d7bc4022b026" href="ChF3d3cuYnVzc2luay5uZXQvKhCm4IqBxPf1Ag">
<Label name="_cse_turlh5vi4xc"/>
<AdditionalData attribute="original_url" value="https://www.bussink.net/"/>
</Annotation>
<Annotation about="*.thedfirreport.com/*" timestamp="0x0005d76dd5f8679d" href="ChUqLnRoZWRmaXJyZXBvcnQuY29tLyoQnc_hr93t9QI">
<Label name="_cse_turlh5vi4xc"/>
<AdditionalData attribute="original_url" value="https://thedfirreport.com/"/>
</Annotation>
@Neo23x0
Neo23x0 / yara_performance_guidelines.md
Last active September 18, 2023 02:28
YARA Performance Guidelines
View yara_performance_guidelines.md

This Gist has been transfered into a Github Repo. You'll find the most recent version here.

YARA Performance Guidelines

When creating your rules for YARA keep in mind the following guidelines in order to get the best performance from them. This guide is based on ideas and recommendations by Victor M. Alvarez and WXS.

  • Revision 1.4, October 2020, applies to all YARA versions higher than 3.7