# Strict mode: abort on the first failing command (-e), also inside functions
# and subshells so the ERR trap below still fires there (-E), and treat any
# unset variable as an error (-u).
set -eEu | |
# A pipeline fails if any stage fails, not only the last one.
set -o pipefail | |
# On any error: print the failing line, run the O70 cleanup (it removes the
# file named by O57 if one was created — see the function below), then exit.
# `exit -1` is reported to the caller as status 255.
trap 'echo "L$LINENO"; O70; exit -1' ERR | |
# O54: constant used later in the script (its meaning is not visible here).
O54=4 | |
function O70() | |
{ | |
if [[ ! -z "${O57+x}" ]]; then | |
if [[ -f "${O57}" ]]; then | |
rm -f "${O57}" | |
fi |
#include "stdafx.h" | |
#include <Windows.h> | |
// User-mode Filter Manager API (fltuser.h): declares FilterUnload, which this
// program calls per the description below. Unloading a filter requires
// SeLoadDriverPrivilege, so the caller must already be elevated — a failure
// here normally means the process lacks that privilege, not that the filter
// name is wrong.
#include <fltuser.h> | |
// Import library for the fltuser.h functions.
#pragma comment(lib,"FltLib.lib") | |
/* | |
Author: Osanda Malith Jayathissa (@OsandaMalith) | |
Website: https://osandamalith.com | |
Description: Unloads a minifilter driver by calling FilterUnload, the user-mode (Win32) equivalent of the kernel-mode FltUnloadFilter.
rule vba_hidden_from_editor { | |
strings: | |
$header_office = { D0 CF 11 E0 } | |
$has_macros = "\x0aDocument=" | |
$s1 = /\x0aDocument=.{3,1000}\x0d?\x0a\w{4,30}=(\{|"|[a-zA-Z])/ | |
$s2 = /\x0aDocument=This(Docume|Displa)[a-zA-Z](\x00.){10,}/ | |
condition: |
/* | |
WARNING: | |
the newest version of this rule is now hosted here: | |
https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar | |
*/ | |
/* | |
_____ __ __ ___ __ |
from datetime import datetime | |
import json, os, twitter, io, time | |
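# Script inputs.
string_input_with_date = "01/01/2018"  # date used by the script below (format not fixed here)
file_name = 'tweet.js'  # tweet export file to read (presumably a Twitter archive's tweet.js)

# Twitter API credentials. They are read from the environment instead of being
# hard-coded in source, where they would end up committed, shared and leaked.
# The empty-string fallback keeps the original defaults, so behaviour is
# unchanged when the variables are not set.
TWITTER_CONSUMER_KEY = os.environ.get("TWITTER_CONSUMER_KEY", "")
TWITTER_CONSUMER_SECRET = os.environ.get("TWITTER_CONSUMER_SECRET", "")
TWITTER_ACCESS_TOKEN = os.environ.get("TWITTER_ACCESS_TOKEN", "")
TWITTER_ACCESS_TOKEN_SECRET = os.environ.get("TWITTER_ACCESS_TOKEN_SECRET", "")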
# sshd hardening: every login must pass BOTH a public-key check AND a
# keyboard-interactive (PAM) step — the methods in a comma-separated
# AuthenticationMethods entry all have to succeed, in order.
default['sshd']['sshd_config']['AuthenticationMethods'] = 'publickey,keyboard-interactive:pam' | |
# Required so sshd offers keyboard-interactive at all (this is the older name
# of KbdInteractiveAuthentication); PAM supplies the second step.
default['sshd']['sshd_config']['ChallengeResponseAuthentication'] = 'yes' | |
# Disables only the plain "password" method. PAM can still ask for a password
# via keyboard-interactive, so the PAM stack (not visible here) decides whether
# the second step is an OTP or just the account password.
default['sshd']['sshd_config']['PasswordAuthentication'] = 'no'
rule lnkfileoverRFC | |
{ | |
strings: | |
$header = {4c00 0000 0114 0200 0000} //lnk file header | |
$command = "C:\\Windows\\System32\\cmd.exe" fullword ascii //cmd is precursor to findstr | |
$command2 = {2F 00 63 00 20 00 66 00 69 00 6E 00 64 00 73 00 74 00 72} //findstr in hex | |
$base64 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD" ascii //some base64 filler, needed to work with routine | |
$cert = "l -decode" ascii //base64 decoder | |
condition: | |
filesize > 15KB and ($header at 0) and $command and $command2 and $cert and $base64 |