It's a fast go-based scanner for Linux, Windows, and macOS that applies Sigma rules and outputs the matches as JSON.
git clone https://github.com/SigmaHQ/sigma.git
cd sigma
Florian Roth Neo23x0
Neo23x0
/ sigma_correlation_failed_login_success.yml
Last active
December 4, 2023 10:00
Sigma - Correlation Rule
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| title: Correlation - Multiple Failed Logins Followed by Successful Login | |
| id: b180ead8-d58f-40b2-ae54-c8940995b9b6 | |
| status: experimental | |
| description: Detects multiple failed logins by a single user followed by a successful login of that user | |
| references: | |
| - https://reference.com | |
| author: Florian Roth (Nextron Systems) | |
| date: 2023/06/16 | |
| correlation: | |
| type: temporal |
My LinkTree
Neo23x0
/ nighthawk-blog-posts.md
Last active
August 1, 2023 21:53
Collection of Deleted Articles on MDSec's Nighthawk
by Proofpoint
by Austin Hudson
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash -x | |
| hostname=$(hostname) | |
| source=$(echo "$SSH_CONNECTION" | cut -d' ' -f 1) | |
| geo=$(geoiplookup "$source") | |
| curl -X POST --silent --data "payload={\"text\": \":bust_in_silhouette: SYSTEM: $hostname USER: $USER SOURCE: $source GEO: $geo\"}" https://hooks.slack.com/services/XXXXXXXX_YOURHOOK_XXXXX > /dev/null |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| https://thedfirreport.com/ | |
| https://www.zerodayinitiative.com/blog/ | |
| https://codewhitesec.blogspot.com/ | |
| https://www.digitalshadows.com/blog-and-research/ | |
| https://blog.talosintelligence.com/ | |
| https://www.riskiq.com/blog/ | |
| https://www.sekoia.io/en/blog-sekoia-io/ | |
| https://www.nextron-systems.com/blog/ | |
| https://www.microsoft.com/security/blog/ | |
| https://blog.truesec.com/ |
Neo23x0
/ log4j_rce_detection.md
Last active
September 11, 2024 21:41
Log4j RCE CVE-2021-44228 Exploitation Detection
You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228
This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders
sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
Neo23x0
/ minecraft-seus-shader.md
Last active
December 11, 2021 11:15
Minecraft with SEUS Shader - Guide
Guide by Florian Roth
https://www.minecraft.net/en-us/store/minecraft-java-edition/
I've transformed this gist into a git repository.
Whenever you research a certain vulnerability ask yourself these questions and please answer them for us
Does the exploited service write a log?
(check ls -lrt /var/log or lsof +D /var/log/ or lsof | grep servicename)
NewerOlder