#ThreatIntel
dce41d9d1da0084e7e44847b1b2b9fe0
Tied to @elastic reporting
https://t.co/m9hbgX4lkF
Mimicking @CrowdStrike Installer
Repo peakyblinders-team
This could be attributed to a cluster related to #APT34
#100DaysofYARA day 2 - one cluster in my portfolio, TA427 really likes to use password-protected ZIP files with an MSC file as the only embedded file (used to use .VBS files)
lets look for ZIPs that match those features!
https://t.co/QB7BIY0qzR
@stvemillertime Would make IPv6 start from 256.x.x.x ๐ where IPv4 ended
More secure application layer protocols implementation (BGP is still broken)
ICAP newer alternative for content inspection (we now got QUIC for god's sake)
#100DaysOfYARA#dailyyara
Always wanted to keep writing regex for perfect detections but would sacrifice performance
3 recommended things to enhance performance
- file header
- file size
- regex position
https://t.co/GJvHKWFFPe
I Hope @cyb3rops won't come after me for this.
@malmoeb#100DaysOfYARA#dailyyara
Interesting take on Cloudflared, this will get downloaded and bypass most ICAP configs, never seen APT3[3459] using it but gotta get ready for them kittens who are still hiding in MENA gov Exchange servers!
https://t.co/55tLqllabR
#dailyyara#100DaysofYARA
Back to Yara greatness, totally appreciate all the contributions
the following shows number of occurrences per matching string from a rule file
yara -ws rule.yar sample.exe | tail -n +2 | cut -d : -f 3- | sort | uniq -c | sort -rn
@ali_alwashali Hi Ali, always wanted to say thanks for the videos you posted on your YT channel
As for the terminal history, add this to /etc/bash.bashrc
export HISTCONTROL=ignoredups:ignorespace
source /etc/bash.bashrc
RonnieColemanYARAParser is a bulk analysis script that helps you use YARA/modules to build on-demand, customized views of file features from dozens or hundreds of files at once.
Updates to show match path, output to CSV etc
https://t.co/V1ZZSVuby9
#dailyyara#100DaysOfYARA2
#100DaysofYARA#dailyyara
Ransom path
$ = /[A-Za-z]:[\x2F\x5C][\x00-\x7F]{0,300}[Rr][Aa][Nn][Ss][Oo][Mm][\x00-\x7F]{0,300}\.(pdb|go)/ ascii
6bc2a7555122ccaddd5ae0497f3a3419
@stvemillertime it would be awesome if you'll create new Go paths ruleset just like the pdb ones!
Thanks @cyb3rops
I would suggest editing APT_HKTL_Wiper_WhisperGate_Stage3_Jan22
keepc $xc1 but remove $s1 and change filesize limit to at least 5MB to detect
b6563e61cdc02b6379efc51eb8792a43
#100DaysOfYARA#dailyyara
taking obfuscation detection to next level with yara
Ex: Ap0pD0at0a
{ 41 70 3? 70 44 3? 61 74 3? 61 }
Always use 3? for 0-9 range for numbers in ascii form
#100DaysOfYARA
I'm late to the party here,
I haven't seen good performing rules for ISO file detection, created the following to be the first match in condition:
condition: filesize > 60000 and uint32(0x8001) == 0x30304443 and uint8(0x8005) == 0x31