Base64 Code | Mnemonic Aid | Decoded* | Description |
---|---|---|---|
JAB |
🗣 Jabber | $. |
Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env: |
TVq |
📺 Television | MZ |
MZ header |
SUVY |
🚙 SUV | IEX |
PowerShell Invoke Expression |
SQBFAF |
🐣 Squab favorite | I.E. |
PowerShell Invoke Expression (UTF-16) |
SQBuAH |
🐣 Squab uahhh | I.n. |
PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz |
PAA |
💪 "Pah!" | <. |
Often used by Emotet (UTF-16) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
https://thedfirreport.com/ | |
https://www.zerodayinitiative.com/blog/ | |
https://codewhitesec.blogspot.com/ | |
https://www.digitalshadows.com/blog-and-research/ | |
https://blog.talosintelligence.com/ | |
https://www.riskiq.com/blog/ | |
https://www.sekoia.io/en/blog-sekoia-io/ | |
https://www.nextron-systems.com/blog/ | |
https://www.microsoft.com/security/blog/ | |
https://blog.truesec.com/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# IMPORTANT! | |
# This gist has been transformed into a github repo | |
# You can find the most recent version there: | |
# https://github.com/Neo23x0/auditd | |
# ___ ___ __ __ | |
# / | __ ______/ (_) /_____/ / | |
# / /| |/ / / / __ / / __/ __ / | |
# / ___ / /_/ / /_/ / / /_/ /_/ / | |
# /_/ |_\__,_/\__,_/_/\__/\__,_/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?xml version="1.0" encoding="UTF-8"?> | |
<Annotations start="0" num="171" total="171"> | |
<Annotation about="www.bussink.net/*" timestamp="0x0005d7bc4022b026" href="ChF3d3cuYnVzc2luay5uZXQvKhCm4IqBxPf1Ag"> | |
<Label name="_cse_turlh5vi4xc"/> | |
<AdditionalData attribute="original_url" value="https://www.bussink.net/"/> | |
</Annotation> | |
<Annotation about="*.thedfirreport.com/*" timestamp="0x0005d76dd5f8679d" href="ChUqLnRoZWRmaXJyZXBvcnQuY29tLyoQnc_hr93t9QI"> | |
<Label name="_cse_turlh5vi4xc"/> | |
<AdditionalData attribute="original_url" value="https://thedfirreport.com/"/> | |
</Annotation> |
You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228
This command searches for exploitation attempts in uncompressed files in folder /var/log
and all sub folders
sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
This Gist has been transfered into a Github Repo. You'll find the most recent version here.
When creating your rules for YARA keep in mind the following guidelines in order to get the best performance from them. This guide is based on ideas and recommendations by Victor M. Alvarez and WXS.
- Revision 1.4, October 2020, applies to all YARA versions higher than 3.7
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* | |
WARNING: | |
the newest version of this rule is now hosted here: | |
https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar | |
*/ | |
/* | |
_____ __ __ ___ __ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<!-- | |
This is a Microsoft Sysmon configuation to be used on Windows server systems | |
v0.2.1 December 2016 | |
Florian Roth | |
The focus of this configuration is | |
- hacking activity on servers / lateral movement (bad admin, attacker) | |
It is not focussed on | |
- malware detection (execution) | |
- malware detection (network connections) |
NewerOlder