Matthew Green mgreen27

## XProtect.yara
import "hash"

private rule Macho
{
    meta:
        description = "private rule to match Mach-O binaries"
    condition:
        uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca

}

## yara_performance_guidelines.md

      
              1 file
            
          
              26 forks
            
          
              1 comment
            
          
              118 stars
            
          
                Neo23x0
                / yara_performance_guidelines.md
            
            
              Last active
              April 30, 2024 10:39
            
              
                YARA Performance Guidelines
              
          
    This Gist has been transfered into a Github Repo.
You'll find the most recent version here.
YARA Performance Guidelines

When creating your rules for YARA keep in mind the following guidelines in order to get the best performance from them.
This guide is based on ideas and recommendations by Victor M. Alvarez and WXS.

Revision 1.4, October 2020, applies to all YARA versions higher than 3.7


## windows_hardening.cmd
::
::#######################################################################
::
:: Change file associations to protect against common ransomware attacks
:: Note that if you legitimately use these extensions, like .bat, you will now need to execute them manually from cmd or powershell
:: Alternatively, you can right-click on them and hit 'Run as Administrator' but ensure it's a script you want to run :)
:: ---------------------
ftype htafile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
ftype WSHFile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
ftype batfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"

## Get-InjectedThread.ps1
function Get-InjectedThread
{
    <#

    .SYNOPSIS

    Looks for threads that were created as a result of code injection.

    .DESCRIPTION


## Shellcode.cs
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;

/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause

## Backdoor-Minimalist.sct
<?XML version="1.0"?>
<scriptlet>
<registration
    progid="PoC"
    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
	<!-- Proof Of Concept - Casey Smith @subTee -->
	<!--  License: BSD3-Clause -->
	<script language="JScript">
		<![CDATA[


## RMM-detection.md

      
              3 files
            
          
              3 forks
            
          
              0 comments
            
          
              21 stars
            
          
                brokensound77
                / RMM-detection.md
            
            
              Last active
              March 23, 2024 18:04
            
              
                Detection Engineering: RMM analysis 
              
          
    Detecting RMM

The most difficult challenge with RMM detection is contextual awareness around usage to determine if it is valid or malicious.

if the software is not used in the envrionment

could it be legitimate by a random empoyee?
is it an attacker BYOL
even so, all occurrences could probably be considered suspicious


if it is used in the environment

is every use of it legitimate? Probably not


this also creates significant living off the land (LOL) opportunity


## Get-EtwTraceProvider.ps1
#Requires -RunAsAdministrator
#Requires -Version 5.0
# requires Windows 10
Get-EtwTraceProvider | Select-Object SessionName, Guid | sort SessionName
# as Markdown
<#
#Requires -RunAsAdministrator
$result = Get-EtwTraceProvider | sort SessionName
$result | %{"|Name|GUID|";"|----|----|";}{"|$($_.SessionName)|$($_.Guid)|"}
#>

## config-server.xml
<!--
   This is a Microsoft Sysmon configuation to be used on Windows server systems
   v0.2.1 December 2016
   Florian Roth

   The focus of this configuration is
   - hacking activity on servers / lateral movement (bad admin, attacker)
   It is not focussed on
   - malware detection (execution)
   - malware detection (network connections)

## CrowdStrike Savedsearches.conf
[POWERSHELL-DOWNLOAD-HUNT]
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
dispatchAs = user
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
search = FileName=powershell.exe (CommandLine=*DownloadFile* OR CommandLine=*invoke-webrequest*) | stats values(CommandLine) as "commands" by ComputerName
	import "hash"

	private rule Macho
	{
	meta:
	description = "private rule to match Mach-O binaries"
	condition:
	uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca

	}
	::
	::#######################################################################
	::
	:: Change file associations to protect against common ransomware attacks
	:: Note that if you legitimately use these extensions, like .bat, you will now need to execute them manually from cmd or powershell
	:: Alternatively, you can right-click on them and hit 'Run as Administrator' but ensure it's a script you want to run :)
	:: ---------------------
	ftype htafile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
	ftype WSHFile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
	ftype batfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
	function Get-InjectedThread
	{
	<#

	.SYNOPSIS

	Looks for threads that were created as a result of code injection.

	.DESCRIPTION
	using System;
	using System.Net;
	using System.Diagnostics;
	using System.Reflection;
	using System.Configuration.Install;
	using System.Runtime.InteropServices;

	/*
	Author: Casey Smith, Twitter: @subTee
	License: BSD 3-Clause
	<?XML version="1.0"?>
	<scriptlet>
	<registration
	progid="PoC"
	classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
	<!-- Proof Of Concept - Casey Smith @subTee -->
	<!-- License: BSD3-Clause -->
	<script language="JScript">
	<![CDATA[
	#Requires -RunAsAdministrator
	#Requires -Version 5.0
	# requires Windows 10
	Get-EtwTraceProvider \| Select-Object SessionName, Guid \| sort SessionName
	# as Markdown
	<#
	#Requires -RunAsAdministrator
	$result = Get-EtwTraceProvider \| sort SessionName
	$result \| %{"\|Name\|GUID\|";"\|----\|----\|";}{"\|$($_.SessionName)\|$($_.Guid)\|"}
	#>
	<!--
	This is a Microsoft Sysmon configuation to be used on Windows server systems
	v0.2.1 December 2016
	Florian Roth

	The focus of this configuration is
	- hacking activity on servers / lateral movement (bad admin, attacker)
	It is not focussed on
	- malware detection (execution)
	- malware detection (network connections)
	[POWERSHELL-DOWNLOAD-HUNT]
	dispatch.earliest_time = -24h@h
	dispatch.latest_time = now
	dispatchAs = user
	display.general.type = statistics
	display.page.search.mode = verbose
	display.page.search.tab = statistics
	display.visualizations.charting.chart = bar
	display.visualizations.show = 0
	search = FileName=powershell.exe (CommandLine=DownloadFile OR CommandLine=invoke-webrequest) \| stats values(CommandLine) as "commands" by ComputerName