Florian Roth Neo23x0
Neo23x0 / get_fs_type.go
Created Jun 14, 2018
Get File System Type
package main

import (
	"fmt"
	"os"
	"syscall"
)

func main() {
	if len(os.Args) != 2 {
Neo23x0 / vpnfilter-ua.rule
Last active May 19, 2019
Suricata rule - VPNFilter User Agent
alert http any any -> any any (msg:"VPNFilter malware User-Agent"; content:"Mozilla/6.1 (compatible|3B| MSIE 9.0|3B| Windows NT 5.3|3B| Trident/5.0)"; http_user_agent; sid:2; rev:1;)
Neo23x0 / send-logon-to-slack.sh
Last active Jan 9, 2018
Report user logons to a slack channel
#!/bin/bash
#
# Uses slack web hooks to report logons on SSH servers
# Webhooks: https://yourslack.slack.com/apps/A0F7XDUAZ-incoming-webhooks
# Add this script to /etc/profile or create a ~/.profile for a certain user
WEB_HOOK=your_slack_web_hook
hostname=$(hostname)
source=$(echo "$SSH_CONNECTION" | cut -d' ' -f 1)
geo=$(geoiplookup "$source")
Neo23x0 / OSX
Created Dec 12, 2017
Start Browsers Without Elliptic Curve Cipher Suites
open /Applications/Google\ Chrome.app --args --cipher-suite-blacklist=0x000a,0xc013,0xc014,0xc02b,0xc02c,0xc02f,0xc030,0xcca8,0xcca9
Neo23x0 / audit.rules
Last active Nov 22, 2019
Linux Auditd Best Practice Configuration
# IMPORTANT!
# This gist has been transformed into a github repo
# You can find the most recent version there:
# https://github.com/Neo23x0/auditd
# ___ ___ __ __
# / | __ ______/ (_) /_____/ /
# / /| |/ / / / __ / / __/ __ /
# / ___ / /_/ / /_/ / / /_/ /_/ /
# /_/ |_\__,_/\__,_/_/\__/\__,_/
Neo23x0 / crime_petya_jun17.yar
Last active Jul 1, 2017
YARA Rule for Petya Ransomware - June 2017
I just pushed the rule to "signature-base"
https://github.com/Neo23x0/signature-base/blob/master/yara/crime_nopetya_jun17.yar
Some of the other rules are running in QS right now.
I'll update the 'crime_nopetya_jun17.yar' file frequently.
Neo23x0 / ms_ts_anomaly.yar
Created Jun 4, 2017
Microsoft Timestamp / Copyright Anomaly
rule Microsoft_PE_Timestamp_Copyright_Anomaly {
meta:
description = "Detects a portable executable with an old copyright statement but a new compilation timestamp"
author = "Florian Roth"
reference = "Internal Research"
date = "2017-06-02"
score = 30
strings:
$a1 = "Copyright (C) Microsoft Corp. 19" wide
Neo23x0 / nmap-cmdline
Last active Apr 23, 2019
Nmap Scan Params for CVE-2017-0143 MS17-010 Scanning
# Scan for CVE-2017-0143 MS17-010
# The vulnerability used by WannaCry Ransomware
#
# 1. Use @calderpwn's script
# http://seclists.org/nmap-dev/2017/q2/79
#
# 2. Save it to Nmap NSE script directory
# Linux - /usr/share/nmap/scripts/ or /usr/local/share/nmap/scripts/
# OSX - /opt/local/share/nmap/scripts/
#
Neo23x0 / wannacry-vaccine.reg
Last active Oct 3, 2019
WannaCrypt Ransomware Immunisation
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskdl.exe]
"Debugger"="taskkill /F /IM "
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskse.exe]
"Debugger"="taskkill /F /IM "
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wannacry.exe]
"Debugger"="taskkill /F /IM "