Skip to content

Instantly share code, notes, and snippets.

Florian Roth Neo23x0

Block or report user

Report or block Neo23x0

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
@Neo23x0
Neo23x0 / Base64_CheatSheet.md
Last active Nov 12, 2019
Learning Aid - Top Base64 Encodings Table
View Base64_CheatSheet.md

Learning Aid - Top Base64 Encodings Table

MITRE ATT4CK - T1132 - Data Encoding

Base64 Code Mnemonic Aid Decoded* Description
JAB 🗣 Jabber $. Variable declaration (UTF-16)
TVq 📺 Television MZ MZ header
UEs 🏬 Upper East Side PK ZIP, Office documents
SUVY 🚙 SUV IEX PowerShell Invoke Expression
@Neo23x0
Neo23x0 / yara_performance_guidelines.md
Last active Nov 10, 2019
YARA Performance Guidelines
View yara_performance_guidelines.md

YARA Performance Guidelines

When creating your rules for YARA keep in mind the following guidelines in order to get the best performance from them. This guide is based on ideas and recommendations by Victor M. Alvarez and WXS.

  • Revision 1.3, October 2019, applies to all YARA versions higher than 3.7

Faster / Resource Friendly Statements

  • Bad: Regular Expressions
@Neo23x0
Neo23x0 / audit.rules
Last active Nov 9, 2019
Linux Auditd Best Practice Configuration
View audit.rules
# IMPORTANT!
# This gist has been transformed into a github repo
# You can find the most recent version there:
# https://github.com/Neo23x0/auditd
# ___ ___ __ __
# / | __ ______/ (_) /_____/ /
# / /| |/ / / / __ / / __/ __ /
# / ___ / /_/ / /_/ / / /_/ /_/ /
# /_/ |_\__,_/\__,_/_/\__/\__,_/
@Neo23x0
Neo23x0 / sysmon_suspicious_keyboard_layout_load.yml
Last active Nov 9, 2019
Sigma Rule to Detect Uncommon Keyboard Layout Loads in Your Organisation
View sysmon_suspicious_keyboard_layout_load.yml
title: Suspicious Keyboard Layout Load
description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only
references:
- https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
author: Florian Roth
date: 2019/10/12
logsource:
product: windows
service: sysmon
definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
@Neo23x0
Neo23x0 / iddqd.yar
Last active Nov 8, 2019
IDDQD - Godmode YARA Rule
View iddqd.yar
/*
_____ __ __ ___ __
/ ___/__ ___/ / / |/ /__ ___/ /__
/ (_ / _ \/ _ / / /|_/ / _ \/ _ / -_)
\___/\___/\_,_/_/_/__/_/\___/\_,_/\__/
\ \/ / _ | / _ \/ _ | / _ \__ __/ /__
\ / __ |/ , _/ __ | / , _/ // / / -_)
/_/_/ |_/_/|_/_/ |_| /_/|_|\_,_/_/\__/
Florian Roth - v0.5.0 October 2019
@Neo23x0
Neo23x0 / stringex.sh
Last active Nov 7, 2019
String Extraction / ASCII and Wide by @RobertHaist
View stringex.sh
Linux
(strings -a -td "$@" | sed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 A \2/' ; strings -a -td -el "$@" | sed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 W \2/') | sort -n
macOS
(gstrings -a -td "$@" | gsed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 A \2/' ; gstrings -a -td -el "$@" | gsed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 W \2/') | sort -n
@Neo23x0
Neo23x0 / yara-ops.py
Last active Nov 7, 2019
YARA Rule Hash Generator
View yara-ops.py
import hashlib
import re
import plyara
def calculate_rule_hash(rule):
"""
Calculates a hash over the relevant YARA rule content (string contents, sorted condition)
Requires a YARA rule object as generated by 'plyara': https://github.com/plyara/plyara
:param rule: yara rule object
:return hash: generated hash
@Neo23x0
Neo23x0 / annotations.xml
Last active Nov 7, 2019
Sources for APT Groups and Operations Search Engine
View annotations.xml
<?xml version="1.0" encoding="UTF-8" ?>
<Annotations start="0" num="138" total="138">
<Annotation about="*.401trg.pw/*" timestamp="0x00056c69af232729" href="Cg0qLjQwMXRyZy5wdy8qEKnOjPmajdsC">
<Label name="_cse_turlh5vi4xc" />
<AdditionalData attribute="original_url" value="https://401trg.pw/" />
</Annotation>
<Annotation about="decalage.info/en/security*" timestamp="0x00056c678a15c50b" href="ChpkZWNhbGFnZS5pbmZvL2VuL3NlY3VyaXR5KhCLitfQ-IzbAg">
<Label name="_cse_turlh5vi4xc" />
<AdditionalData attribute="original_url" value="https://decalage.info/en/security" />
</Annotation>
@Neo23x0
Neo23x0 / config-server.xml
Last active Nov 7, 2019
Sysmon Base Configuration - Windows Server
View config-server.xml
<!--
This is a Microsoft Sysmon configuation to be used on Windows server systems
v0.2.1 December 2016
Florian Roth
The focus of this configuration is
- hacking activity on servers / lateral movement (bad admin, attacker)
It is not focussed on
- malware detection (execution)
- malware detection (network connections)
@Neo23x0
Neo23x0 / config-client.xml
Last active Oct 22, 2019
Sysmon Base Configuration - Workstations
View config-client.xml
<!--
This is a Microsoft Sysmon configuration to be used on Windows workstations
v0.2.1 December 2016
Florian Roth (with the help and ideas of others)
The focus of this configuration is
- malware detection (execution)
- malware detection (network connections)
- exploit detection
It is not focussed on
You can’t perform that action at this time.