| Base64 Code | Mnemonic Aid | Decoded* | Description |
|---|---|---|---|
| JAB | 🗣 Jabber | $. | Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env: |
| TVq | 📺 Television | MZ | MZ header |
| SUVY | 🚙 SUV | IEX | PowerShell Invoke Expression |
| SQBFAF | 🐣 Squab favorite | I.E. | PowerShell Invoke Expression (UTF-16) |
| SQBuAH | 🐣 Squab uahhh | I.n. | PowerShell Invoke string (UTF-16), e.g. Invoke-Mimikatz |
| PAA | 💪 "Pah!" | <. | Often used by Emotet (UTF-16) |
```text
# IMPORTANT!
# This gist has been transformed into a github repo
# You can find the most recent version there:
# https://github.com/Neo23x0/auditd
#     ___             ___ __      __
#    /   | __  ______/ (_) /_____/ /
#   / /| |/ / / / __  / / __/ __  /
#  / ___ / /_/ / /_/ / / /_/ /_/ /
# /_/  |_\__,_/\__,_/_/\__/\__,_/
```
You can use these commands and rules to search for exploitation attempts against the log4j RCE vulnerability CVE-2021-44228.

This command searches for exploitation attempts in uncompressed files in the folder /var/log and all of its subfolders:

```shell
sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
```
```xml
<?xml version="1.0" encoding="UTF-8"?>
<Annotations start="0" num="171" total="171">
  <Annotation about="www.bussink.net/*" timestamp="0x0005d7bc4022b026" href="ChF3d3cuYnVzc2luay5uZXQvKhCm4IqBxPf1Ag">
    <Label name="_cse_turlh5vi4xc"/>
    <AdditionalData attribute="original_url" value="https://www.bussink.net/"/>
  </Annotation>
  <Annotation about="*.thedfirreport.com/*" timestamp="0x0005d76dd5f8679d" href="ChUqLnRoZWRmaXJyZXBvcnQuY29tLyoQnc_hr93t9QI">
    <Label name="_cse_turlh5vi4xc"/>
    <AdditionalData attribute="original_url" value="https://thedfirreport.com/"/>
  </Annotation>
```
This Gist has been transferred into a GitHub repo. You'll find the most recent version there.

When creating your YARA rules, keep the following guidelines in mind in order to get the best performance from them. This guide is based on ideas and recommendations by Victor M. Alvarez and WXS.
- Revision 1.4, October 2020, applies to all YARA versions higher than 3.7
```text
https://thedfirreport.com/
https://www.zerodayinitiative.com/blog/
https://codewhitesec.blogspot.com/
https://www.digitalshadows.com/blog-and-research/
https://blog.talosintelligence.com/
https://www.riskiq.com/blog/
https://www.sekoia.io/en/blog-sekoia-io/
https://www.nextron-systems.com/blog/
https://www.microsoft.com/security/blog/
https://blog.truesec.com/
```
```python
# This GIST has been transformed into a Git repository and does not receive updates anymore
#
# Please visit the github repo to get a current list
# https://github.com/Neo23x0/ti-falsepositives/

# Hashes that are often included in IOC lists but are false positives
HASH_WHITELIST = [
    # Empty file
    'd41d8cd98f00b204e9800998ecf8427e',          # MD5 of a zero-byte file
    'da39a3ee5e6b4b0d3255bfef95601890afd80709',  # SHA-1 of a zero-byte file
    # ... further entries omitted in this preview
]
```
```text
This is a list of the domains used in the contact email addresses found in the Fortinet dump file as published by Belsen Group and analysed by Kevin Beaumont on Mastodon: https://cyberplace.social/@GossiTheDog/113834848200229959
Some of these domains may just be the domains of free email services or of service providers working for the actual victims.

AE
----------------------------------------------------------------------
acsllc.ae
aisdubai.ae
alhamra.ae
alrayan.ae
alshirawi.ae
```
```yara
rule MAL_BACKORDER_LOADER_WIN_Go_Jan23 {
   meta:
      description = "Detects the BACKORDER loader compiled in GO which downloads and executes a second stage payload from a remote server."
      author = "Arda Buyukkaya (modified by Florian Roth)"
      date = "2025-01-23"
      reference = "EclecticIQ"
      score = 80
      tags = "loader, golang, BACKORDER, malware, windows"
      hash = "70c91ffdc866920a634b31bf4a070fb3c3f947fc9de22b783d6f47a097fec2d8"
   strings:
```
```shell
# Basic Shell Escapes
rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
rsync -e 'bash -c "bash 0<&2 1>&2"' 127.0.0.1:/dev/null
rsync -e '/bin/bash -i' 127.0.0.1:/dev/null
rsync -e 'dash -c "dash 0<&2 1>&2"' 127.0.0.1:/dev/null
rsync -e '/bin/dash -i' 127.0.0.1:/dev/null
rsync -e 'zsh -c "zsh 0<&2 1>&2"' 127.0.0.1:/dev/null
rsync -e '/bin/zsh -i' 127.0.0.1:/dev/null
rsync -e 'ksh -c "ksh 0<&2 1>&2"' 127.0.0.1:/dev/null
rsync -e '/bin/ksh -i' 127.0.0.1:/dev/null
```