We're thrilled to announce an exciting collaboration with our esteemed partner, Mjolnir Security. Immerse yourself in their renowned “Blue Team Incident Response Training” taking place from the 23rd to the 26th of October. This four-day intensive program promises a...
On March 29, 2023 CrowdStrike detected malicious activity, originating from a legitimate, signed binary called 3CXDesktopApp. The binary is part of a softphone system developed by 3CX.The observed malicious activity consisted of beaconing to infrastructure controlled...
We've been working on a legacy version of our scanner THOR 10 for a while and started our closed BETA, which is available to all current customers on special request. The THOR legacy version does not include the following modules/features: Module: Eventlog scanning...
We are proud to announce a groundbreaking new scan mode named "Thunderstorm" that we've integrated into preview builds of the upcoming THOR version 10.6. This mode of operation turns THOR into a RESTful web service that is able to process thousands of samples per...
With this post, we would like to demonstration the YARA rule creation process for the so-called "threat hunting" rule category that we use in VALHALLA. We noticed that many interested parties thought that "threat hunting" YARA rules are just rules with lower scores...
A long time ago I've noticed that there is no single best YARA rule for a given sample, but different best solutions depending on the user's requirements and use case. I noticed that I often create 2 to 3 YARA rules for a single sample that I process, while each of...
As previously announced our YARA rule packs and feeds will be available in March/April 2019. We've put a lot of effort into a internal system named "Mjolnir" that parses, normalizes, filters, tags and automatically modifies our rule base, which contains more than 9000...
Working in incident response or malware analysis, you may have come across compromised and sometimes revoked certificates used to sign malware of different types. Often threat groups use stolen certificates to sign their malware. I'd like to show you an easy way to...
I’ve collected some interesting samples for an internal YARA rule creation training session with our interns. With this blog post, I'll also share 3 new premium feed YARA rules by pushing them to the Open Source signature-base repo. What are the the preliminary...
This is the first blog post published on our new website. If you followed my blog on www.bsk-consulting.de you should consider subscribing to the RSS feed of this blog or the "Nextron Systems Newsletter". This is one of the YARA related blog posts showcasing a special...
It has been a while since I wrote "How to Write Simple but Sound Yara Rules - Part 2". Since then I changed my rule creation method to generate more versatile rules that can also be used for in-memory detection. Furthermore new features were added to yarGen and...
YARA is an awesome tool especially for incident responders and forensic investigators. In my scanners I use YARA for anomaly detection on files. I already created some articles on "Detecting System File Anomalies with YARA" which focus on the expected contents of...