Florian Roth Neo23x0

## snippet_gen_yara_hash.py
import hashlib
import re

def calculate_rule_hash(rule):
    """
    Calculates a hash over the relevant YARA rule content (string contents, sorted condition)
    Requires a YARA rule object as generated by 'plyara': https://github.com/plyara/plyara
    :param rule: yara rule object
    :return hash: generated hash
    """

## get-casing.py
import itertools
s = "cmd.exe"
list(map(''.join, itertools.product(*zip(s.upper(), s.lower()))))

## shitrix_artefacts.yar

rule SUSP_Netscaler_Forensic_Artefacts {
   meta:
      description = "Detects strings / forensic artefacts on exploited Netscaler systems"
      author = "Florian Roth"
      reference = "https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/"
      date = "2020-01-14"
      score = 70
    strings:
      $ = "shell_command=\"whoami\"" ascii

## gen_godmode_rule.yml
# ################################################################################
# IMPORTANT NOTE
# The most recent version of this POC rule can now be found in the main repository
# https://github.com/Neo23x0/sigma/blob/master/other/godmode_sigma_rule.yml
# ################################################################################
#    _____        __  __  ___        __
#   / ___/__  ___/ / /  |/  /__  ___/ /__
#  / (_ / _ \/ _  / / /|_/ / _ \/ _  / -_)
#  \___/\___/\_,_/ /_/  /_/\___/\_,_/\__/_
#    / __(_)__ ___ _  ___ _  / _ \__ __/ /__

## Base64_CheatSheet.md

      
              1 file
            
          
              43 forks
            
          
              6 comments
            
          
              263 stars
            
          
                Neo23x0
                / Base64_CheatSheet.md
            
            
              Last active
              March 10, 2024 09:15
            
              
                Learning Aid - Top Base64 Encodings Table
              
          
    Base64 Patterns - Learning Aid


Base64 Code
Mnemonic Aid
Decoded*
Description


JAB
🗣 Jabber
$.
Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env:


TVq
📺 Television
MZ
MZ header


SUVY
🚙 SUV
IEX
PowerShell Invoke Expression


SQBFAF
🐣 Squab favorite
I.E.
PowerShell Invoke Expression (UTF-16)


SQBuAH
🐣 Squab uahhh
I.n.
PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz


PAA
💪 "Pah!"
&lt;.
Often used by Emotet (UTF-16)


## sysmon_suspicious_keyboard_layout_load.yml
title: Suspicious Keyboard Layout Load
description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only
references:
    - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
author: Florian Roth
date: 2019/10/12
logsource:
    product: windows
    service: sysmon
    definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'

## iddqd.yar
/*
WARNING:

the newest version of this rule is now hosted here:
https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
*/


/*
      _____        __  __  ___        __

## yara-ops.py
import hashlib
import re
import plyara

# Florian Roth, Christian Burkard
# Version 3.0
# January 2023
#
# Known issues: fails in some cases in which 'private' rules are used

## TI-Search-Shortcuts.md

      
              1 file
            
          
              6 forks
            
          
              1 comment
            
          
              19 stars
            
          
                Neo23x0
                / TI-Search-Shortcuts.md
            
            
              Last active
              February 18, 2022 13:00
            
              
                Search Engine Shortcuts
              
          
    Search Engine Shortcuts

Use Manage Search Engines in your browser to add these search engines.
You can then use the 'keyword' in the URL bar to do a quick lookup. Find more details about managing your search engines in Chrome here.
e.g.
Type
v dad8ebcbb5fa6721ccad45b81874e22c


## yara_product_req.py
# Product Requirements
PRODUCT_REQUIREMENTS = {
    "FireEyeAX": {
        "maximum_version": "3.4.0",
        "supported_modules": [],  # assumption
        "with_crypto": True,  # assumption
    },
    "FireEyeNX": {
        "maximum_version": "3.4.0",
        "supported_modules": [],  # assumption
	import hashlib
	import re

	def calculate_rule_hash(rule):
	"""
	Calculates a hash over the relevant YARA rule content (string contents, sorted condition)
	Requires a YARA rule object as generated by 'plyara': https://github.com/plyara/plyara
	:param rule: yara rule object
	:return hash: generated hash
	"""
	import itertools
	s = "cmd.exe"
	list(map(''.join, itertools.product(*zip(s.upper(), s.lower()))))

	rule SUSP_Netscaler_Forensic_Artefacts {
	meta:
	description = "Detects strings / forensic artefacts on exploited Netscaler systems"
	author = "Florian Roth"
	reference = "https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/"
	date = "2020-01-14"
	score = 70
	strings:
	$ = "shell_command=\"whoami\"" ascii
	# ################################################################################
	# IMPORTANT NOTE
	# The most recent version of this POC rule can now be found in the main repository
	# https://github.com/Neo23x0/sigma/blob/master/other/godmode_sigma_rule.yml
	# ################################################################################
	# _____ __ __ ___ __
	# / ___/__ ___/ / / \|/ /__ ___/ /__
	# / (_ / _ \/ _ / / /\|_/ / _ \/ _ / -_)
	# \___/\___/\_,_/ /_/ /_/\___/\_,_/\__/_
	# / __(_)__ ___ _ ___ _ / _ \__ __/ /__
Base64 Code	Mnemonic Aid	Decoded*	Description
`JAB`	🗣 Jabber	`$.`	Variable declaration (UTF-16), e.g. `JABlAG4AdgA` for `$env:`
`TVq`	📺 Television	`MZ`	MZ header
`SUVY`	🚙 SUV	`IEX`	PowerShell Invoke Expression
`SQBFAF`	🐣 Squab favorite	`I.E.`	PowerShell Invoke Expression (UTF-16)
`SQBuAH`	🐣 Squab uahhh	`I.n.`	PowerShell Invoke string (UTF-16) e.g. `Invoke-Mimikatz`
`PAA`	💪 "Pah!"	`<.`	Often used by Emotet (UTF-16)
	title: Suspicious Keyboard Layout Load
	description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only
	references:
	- https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
	author: Florian Roth
	date: 2019/10/12
	logsource:
	product: windows
	service: sysmon
	definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
	/*
	WARNING:

	the newest version of this rule is now hosted here:
	https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
	*/


	/*
	_____ __ __ ___ __
	import hashlib
	import re
	import plyara

	# Florian Roth, Christian Burkard
	# Version 3.0
	# January 2023
	#
	# Known issues: fails in some cases in which 'private' rules are used
	# Product Requirements
	PRODUCT_REQUIREMENTS = {
	"FireEyeAX": {
	"maximum_version": "3.4.0",
	"supported_modules": [], # assumption
	"with_crypto": True, # assumption
	},
	"FireEyeNX": {
	"maximum_version": "3.4.0",
	"supported_modules": [], # assumption