Skip to content

Instantly share code, notes, and snippets.

@Neo23x0
Neo23x0 / yara_performance_guidelines.md
Last active September 4, 2024 09:14
YARA Performance Guidelines

This Gist has been transfered into a Github Repo. You'll find the most recent version here.

YARA Performance Guidelines

When creating your rules for YARA keep in mind the following guidelines in order to get the best performance from them. This guide is based on ideas and recommendations by Victor M. Alvarez and WXS.

  • Revision 1.4, October 2020, applies to all YARA versions higher than 3.7
@gfoss
gfoss / PowerShell Command Line Logging
Last active August 4, 2023 18:02
Detect and alert on nefarious PowerShell command line activity
# PowerShell Audit Logging for LogRhythm SIEM - 2015
# For detecting dangerous PowerShell Commands/Functions
Log Source Type:
MS Event Log for Win7/Win8/2008/2012 - PowerShell
Add this file to your PowerShell directory to enable verbose command line audit logging
profile.ps1
$LogCommandHealthEvent = $true
$LogCommandLifeCycleEvent = $true
@guitarrapc
guitarrapc / Get-EtwTraceProvider.ps1
Last active October 23, 2024 18:49
ETW (Event Tracing for Windows) Providers and their GUIDs for Windows 10 x64
#Requires -RunAsAdministrator
#Requires -Version 5.0
# requires Windows 10
Get-EtwTraceProvider | Select-Object SessionName, Guid | sort SessionName
# as Markdown
<#
#Requires -RunAsAdministrator
$result = Get-EtwTraceProvider | sort SessionName
$result | %{"|Name|GUID|";"|----|----|";}{"|$($_.SessionName)|$($_.Guid)|"}
#>
@Neo23x0
Neo23x0 / config-client.xml
Last active May 17, 2021 04:14
Sysmon Base Configuration - Workstations
<!--
This is a Microsoft Sysmon configuration to be used on Windows workstations
v0.2.1 December 2016
Florian Roth (with the help and ideas of others)
The focus of this configuration is
- malware detection (execution)
- malware detection (network connections)
- exploit detection
It is not focussed on
@Neo23x0
Neo23x0 / config-server.xml
Last active March 11, 2024 14:34
Sysmon Base Configuration - Windows Server
<!--
This is a Microsoft Sysmon configuation to be used on Windows server systems
v0.2.1 December 2016
Florian Roth
The focus of this configuration is
- hacking activity on servers / lateral movement (bad admin, attacker)
It is not focussed on
- malware detection (execution)
- malware detection (network connections)
@enigma0x3
enigma0x3 / Backdoor-Minimalist.sct
Last active May 4, 2024 18:03
Execute Remote Scripts Via regsvr32.exe - Referred to As "squiblydoo" Please use this reference...
<?XML version="1.0"?>
<scriptlet>
<registration
progid="PoC"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Proof Of Concept - Casey Smith @subTee -->
<!-- License: BSD3-Clause -->
<script language="JScript">
<![CDATA[
@andrewkroh
andrewkroh / Microsoft-Windows-FileInfoMinifilter.txt
Last active January 7, 2022 11:08
Microsoft-Windows-FileInfoMinifilter Messages from Windows 2012 Server
Id : 1
Version : 0
LogLink : System.Diagnostics.Eventing.Reader.EventLogLink
Level : System.Diagnostics.Eventing.Reader.EventLevel
Opcode : System.Diagnostics.Eventing.Reader.EventOpcode
Task : System.Diagnostics.Eventing.Reader.EventTask
Keywords : {, fi:FileNameCreate}
Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">
@jaredcatkinson
jaredcatkinson / Get-InjectedThread.ps1
Last active October 1, 2024 18:37
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION
@netbiosX
netbiosX / Shellcode.cs
Created June 6, 2017 00:22
C# file that contains shellcode and bypasses AppLocker via Assembly Load
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
 
/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
@williballenthin
williballenthin / auto_shellcode_hashes.py
Last active November 5, 2023 22:12
automatically resolve shellcode hashes into symbolic names using emulation, example: https://asciinema.org/a/EaHLv3yy7nGnh7mfHQ5DVy1LJ
import os
import sys
import logging
import pefile
import ucutils
import unicorn
import capstone
import argparse