Base64 Code | Mnemonic Aid | Decoded* | Description |
---|---|---|---|
JAB | 🗣 Jabber | $. | Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env: |
TVq | 📺 Television | MZ | MZ header (DOS stub at the start of every PE file) |
SUVY | 🚙 SUV | IEX | PowerShell Invoke-Expression |
SQBFAF | 🐣 Squab favorite | I.E. | PowerShell Invoke-Expression (UTF-16) |
SQBuAH | 🐣 Squab uahhh | I.n. | PowerShell Invoke-* cmdlet name (UTF-16), e.g. Invoke-Mimikatz |
PAA | 💪 "Pah!" | <. | `<` followed by a null byte, often used by Emotet (UTF-16) |

\* `.` stands for the 0x00 byte that UTF-16LE places after each ASCII character.
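The mnemonics above are the leading Base64 characters of a known plaintext, so they only match when that plaintext starts on a 3-byte boundary of the encoded data; shifted by one or two bytes the same "IEX" encodes to entirely different characters. The following example is added here and is not part of the gist: it derives, for each plaintext, the Base64 substring for all three alignments, drops the characters that also depend on a neighbouring byte, and runs the resulting signatures over a few constructed command lines. The plaintexts behind the mnemonics, the `<?` chosen for the Emotet row and the sample lines are all assumptions made for the example.

```python
import base64
import re

# Constructed plaintexts behind the mnemonics in the table. The byte that follows
# the keyword (0x90 after "MZ", a space after "IEX", a letter after "$") is the one
# that practically always follows in real samples; it pins the last character of
# each mnemonic. "<?" for the Emotet row is an assumption: any byte below 0x40
# after "<" yields the "PAA" prefix.
KNOWN_PLAINTEXT = {
    "MZ header":                 b"MZ\x90",
    "IEX":                       b"IEX ",
    "IEX (UTF-16)":              "IEX ".encode("utf-16le"),
    "Invoke-* cmdlet (UTF-16)":  "Invoke-".encode("utf-16le"),
    "$ variable (UTF-16)":       "$e".encode("utf-16le"),
    "<? (UTF-16)":               "<?".encode("utf-16le"),
}


def stable_base64(data: bytes) -> list:
    """Base64 text that encodes `data` at each of the three byte alignments.
    Characters that also encode bits of a neighbouring byte are dropped, so each
    returned string matches regardless of what precedes or follows the plaintext
    (the same trick YARA's `base64` string modifier uses)."""
    variants = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + data).decode().rstrip("=")
        head = -(-8 * shift // 6)                   # chars tainted by the leading pad bytes
        tail = 1 if (shift + len(data)) % 3 else 0  # last char shares bits with the next byte
        variants.append(enc[head:len(enc) - tail])
    return variants


def compile_signatures(known=KNOWN_PLAINTEXT) -> dict:
    """One regex per label that matches any of its three alignment variants."""
    sigs = {}
    for label, plain in known.items():
        variants = [v for v in stable_base64(plain) if v]
        if variants:
            sigs[label] = re.compile("|".join(re.escape(v) for v in variants))
    return sigs


SIGNATURES = compile_signatures()


def scan(line: str) -> list:
    """Labels of every known plaintext whose Base64 form occurs somewhere in `line`."""
    return sorted(label for label, rx in SIGNATURES.items() if rx.search(line))


# Constructed command lines as they would appear in process-creation logs.
SAMPLE_LINES = [
    # "$env:TEMP" as UTF-16LE, the form -EncodedCommand expects
    "powershell.exe -nop -w hidden -e JABlAG4AdgA6AFQARQBNAFAA",
    # the first bytes of a PE header written out through certutil
    "certutil -decode "
    + base64.b64encode(b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00").decode()
    + " payload.exe",
    # IEX that does not start on a 3-byte boundary, so "SUVY" never appears
    "echo " + base64.b64encode(b"xIEX (gc x)").decode() + " | base64 -d | pwsh",
    # benign
    "svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    for label, plain in KNOWN_PLAINTEXT.items():
        print(f"{label:28s} {stable_base64(plain)}")
    for line in SAMPLE_LINES:
        print(scan(line) or "-", "<-", line)
```

The shifted variants of a 3-byte plaintext are only three characters long (for `MZ\x90` they are `1ak` and `NWp`) and will occasionally hit random Base64; extend the plaintext with bytes that reliably follow the keyword, or prefer the longer UTF-16 forms, before using such signatures for alerting.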
```python
import hashlib
import re

def calculate_rule_hash(rule):
    """
    Calculates a hash over the relevant YARA rule content (string contents, sorted condition)
    Requires a YARA rule object as generated by 'plyara': https://github.com/plyara/plyara
    :param rule: yara rule object
    :return hash: generated hash
    """
```
```python
import itertools
s = "cmd.exe"
list(map(''.join, itertools.product(*zip(s.upper(), s.lower()))))
```
```yara
rule SUSP_Netscaler_Forensic_Artefacts {
    meta:
        description = "Detects strings / forensic artefacts on exploited Netscaler systems"
        author = "Florian Roth"
        reference = "https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/"
        date = "2020-01-14"
        score = 70
    strings:
        $ = "shell_command=\"whoami\"" ascii
```
```yaml
# ################################################################################
# IMPORTANT NOTE
# The most recent version of this POC rule can now be found in the main repository
# https://github.com/Neo23x0/sigma/blob/master/other/godmode_sigma_rule.yml
# ################################################################################
# _____ __ __ ___ __
# / ___/__ ___/ / / |/ /__ ___/ /__
# / (_ / _ \/ _ / / /|_/ / _ \/ _ / -_)
# \___/\___/\_,_/ /_/ /_/\___/\_,_/\__/_
# / __(_)__ ___ _ ___ _ / _ \__ __/ /__
```
```yaml
title: Suspicious Keyboard Layout Load
description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only
references:
    - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
author: Florian Roth
date: 2019/10/12
logsource:
    product: windows
    service: sysmon
    definition: 'Requirements: Sysmon config that monitors the \Keyboard Layout\Preload subkey of the per-user (HKU) hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
```
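The rule relies on Sysmon event 13 (registry value set) for the `Preload` values, whose data is an 8-hex-digit keyboard layout ID whose low 16 bits are the Windows language identifier. The following detection logic is an added example, not the Sigma rule or anything from the gist: it runs over constructed Sysmon records, extracts the language identifier from the layout ID and reports any load outside an allow-list. The allow-list (en-US only), the small table of language names and the sample events are assumptions made for the example.

```python
import re

# Windows language identifiers (the low 16 bits of a keyboard layout ID). Which
# ones count as "expected" is an assumption for this example: a fleet administered
# by US staff only, so everything but en-US is reported.
LANGUAGE_NAMES = {
    0x0409: "English (United States)",
    0x0404: "Chinese (Taiwan)",
    0x0804: "Chinese (PRC)",
    0x0429: "Persian",
    0x042A: "Vietnamese",
}
EXPECTED_LANGUAGES = {0x0409}

# Sysmon logs per-user keys as HKU\<SID>\...; Preload values are named 1, 2, 3, ...
PRELOAD_RX = re.compile(r"\\Keyboard Layout\\Preload\\\d+$", re.IGNORECASE)


def layout_language(details):
    """Language ID from an 8-hex-digit layout ID such as '00000804' or '00050429';
    None for anything that is not a layout ID (e.g. Sysmon's '(Empty)')."""
    if not isinstance(details, str) or not re.fullmatch(r"[0-9A-Fa-f]{8}", details):
        return None
    return int(details[-4:], 16)


def suspicious_layout_loads(events, expected=EXPECTED_LANGUAGES):
    """Sysmon event 13 records that set a Keyboard Layout\\Preload value to a
    layout whose language is not in `expected`."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        if not PRELOAD_RX.search(ev.get("TargetObject", "")):
            continue
        lang = layout_language(ev.get("Details"))
        if lang is None or lang in expected:
            continue
        findings.append({
            "user": ev.get("User"),
            "image": ev.get("Image"),
            "layout": ev["Details"],
            "language": LANGUAGE_NAMES.get(lang, "unknown (0x%04x)" % lang),
        })
    return findings


# Constructed Sysmon records, reduced to the fields a SIEM would extract.
USER_HIVE = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {"EventID": 12, "EventType": "CreateKey", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": USER_HIVE + r"\Keyboard Layout\Preload"},
    {"EventID": 13, "EventType": "SetValue", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": USER_HIVE + r"\Keyboard Layout\Preload\1", "Details": "00000409"},
    {"EventID": 13, "EventType": "SetValue", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\ctfmon.exe",
     "TargetObject": USER_HIVE + r"\Keyboard Layout\Preload\2", "Details": "00000804"},
    {"EventID": 13, "EventType": "SetValue", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": USER_HIVE + r"\Keyboard Layout\Preload\1", "Details": "00050429"},
    {"EventID": 13, "EventType": "SetValue", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": USER_HIVE + r"\Control Panel\Desktop\Wallpaper",
     "Details": r"C:\Users\jdoe\wall.jpg"},
]

if __name__ == "__main__":
    for f in suspicious_layout_loads(SAMPLE_EVENTS):
        print(f)
```

Comparing only the low 16 bits is what lets `00050429` (a Persian layout variant) match alongside `00000429`; matching the full 8-digit string, as a hand-written list of layout IDs tends to do, misses the variants.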
```yara
/*
   WARNING:
   the newest version of this rule is now hosted here:
   https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
*/
/*
   _____ __ __ ___ __
```
```python
import hashlib
import re
import plyara

# Florian Roth, Christian Burkard
# Version 3.0
# January 2023
#
# Known issues: fails in some cases in which 'private' rules are used
```
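Both the earlier `calculate_rule_hash` docstring and this version 3 header describe the same idea: hash what makes a rule detect things (string contents and condition) and ignore what does not (rule name, tags, meta, the identifiers chosen for strings), so that duplicate rules in large collections can be found. The following is an added example of that idea, not the gist's code: it uses a small regular-expression parser instead of plyara, so it runs without extra dependencies, and it assumes the common layout of one rule per text with each string definition on its own line and no `strings:`/`condition:` inside meta values. The three sample rules are constructed.

```python
import hashlib
import re

# Assumption: one rule per text, laid out as
#   rule NAME [: tags] { [meta: ...] [strings: ...] condition: ... }
# with every string definition on its own line. plyara handles the full grammar.
_RULE_RX = re.compile(r"\brule\s+(?P<name>\w+)[^{]*\{(?P<body>.*)\}\s*$", re.S)
_STRING_RX = re.compile(
    r'^[ \t]*(?P<id>\$\w*)[ \t]*=[ \t]*'
    r'(?P<value>"(?:\\.|[^"\\])*"|\{[^}]*\}|/(?:\\.|[^/\\])+/)'
    r'[ \t]*(?P<mods>[^\n]*)$', re.M)


def _normalise(value: str, mods: str) -> str:
    """Canonical form of one string definition: hex strings get single spacing,
    modifiers are space-separated, trailing comments are dropped."""
    mods = re.sub(r"//.*", "", mods)
    if value.startswith("{"):
        value = "{ " + " ".join(value[1:-1].split()) + " }"
    return " ".join((value + " " + mods).split())


def parse_rule(text: str):
    """Return (name, [(identifier, normalised content), ...], condition)."""
    m = _RULE_RX.search(text)
    if not m:
        raise ValueError("no YARA rule found")
    body = m.group("body")
    cond_at = body.rfind("condition:")
    if cond_at == -1:
        raise ValueError("rule has no condition")
    condition = " ".join(body[cond_at + len("condition:"):].split())
    strings = []
    str_at = body.find("strings:")
    if str_at != -1 and str_at < cond_at:
        block = body[str_at + len("strings:"):cond_at]
        for sm in _STRING_RX.finditer(block):
            strings.append((sm.group("id"), _normalise(sm.group("value"), sm.group("mods"))))
    return m.group("name"), strings, condition


def rule_hash(text: str) -> str:
    """SHA-256 over the sorted string contents plus the condition with every
    string reference ($x, #x, @x, !x) replaced by a digest of that string's
    content. Rule name, tags, meta and identifier names do not affect it."""
    _, strings, condition = parse_rule(text)
    content = dict(strings)  # "$a" -> normalised content

    def anonymise(m):
        prefix, ident, wildcard = m.group(1), m.group(2), m.group(3)
        value = content.get("$" + ident)
        if wildcard or value is None:  # $s* wildcards and unknown names stay as written
            return m.group(0)
        return prefix + hashlib.sha1(value.encode()).hexdigest()[:12]

    condition = re.sub(r"([$#@!])(\w+)(\*?)", anonymise, condition)
    payload = "\n".join(sorted(v for _, v in strings)) + "\n" + condition
    return hashlib.sha256(payload.encode()).hexdigest()


# Constructed rules: A and B differ only in name, tags, meta, string identifiers,
# ordering and hex spacing; C has a different condition.
RULE_A = r'''
rule Dropper_A : dropper {
    meta:
        author = "analyst one"
    strings:
        $a = "cmd.exe /c" ascii wide   // launcher
        $b = { 4D 5A 90 00 }
        $c = /https?:\/\/[a-z]+\.example\.invalid/
    condition:
        uint16(0) == 0x5a4d and $b and ($a or $c)
}
'''
RULE_B = r'''
rule Dropper_B {
    strings:
        $y = {4D 5A  90 00}
        $z = /https?:\/\/[a-z]+\.example\.invalid/
        $x = "cmd.exe /c" ascii wide
    condition:
        uint16(0) == 0x5a4d and $y and ($x or $z)
}
'''
RULE_C = RULE_A.replace("$b and ($a or $c)", "$b and $a and $c")

if __name__ == "__main__":
    for r in (RULE_A, RULE_B, RULE_C):
        print(parse_rule(r)[0], rule_hash(r))
```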
Use Manage Search Engines in your browser to add these search engines. You can then use the 'keyword' in the URL bar to do a quick lookup, e.g. type `v dad8ebcbb5fa6721ccad45b81874e22c`. Find more details about managing your search engines in Chrome here.
```python
# Product Requirements
PRODUCT_REQUIREMENTS = {
    "FireEyeAX": {
        "maximum_version": "3.4.0",
        "supported_modules": [],  # assumption
        "with_crypto": True,  # assumption
    },
    "FireEyeNX": {
        "maximum_version": "3.4.0",
        "supported_modules": [],  # assumption
```