I’ve collected some interesting samples for an internal YARA rule creation training session with our interns. With this blog post, I'll also share 3 new premium feed YARA rules by pushing them to the Open Source signature-base repo. What are the preliminary...
SPARK Core – Free IOC and YARA Scanning
It is done! Our new free scanner SPARK Core has been released. After weeks of planning, development and testing, we're proud to provide the community with a new and powerful multi-platform scanner. SPARK Core is a reduced version of our successful scanner SPARK. The...
THOR 8.44 features TLS Syslog Transmission & ZIP YARA Scanning
The new THOR version 8.44 comes with some interesting new features. TLS/SSL Syslog Transmission THOR version 8.44.0 supports Syslog log transmission in SSL/TLS-encrypted form. Just set the value "TCPTLS" as the protocol in the 4th position of the target definition....
Write YARA Rules to Detect Embedded EXE Files in OLE Objects
This is the first blog post published on our new website. If you followed my blog on www.bsk-consulting.de you should consider subscribing to the RSS feed of this blog or the "Nextron Systems Newsletter". This is one of the YARA related blog posts showcasing a special...
How to Write Simple but Sound Yara Rules – Part 3
It has been a while since I wrote "How to Write Simple but Sound Yara Rules - Part 2". Since then I have changed my rule creation method to generate more versatile rules that can also be used for in-memory detection. Furthermore, new features were added to yarGen and...
YARA Rules to Detect Uncommon System File Sizes
YARA is an awesome tool, especially for incident responders and forensic investigators. In my scanners I use YARA for anomaly detection on files. I have already written some articles on "Detecting System File Anomalies with YARA" which focus on the expected contents of...
How to Write Simple but Sound Yara Rules – Part 2
Months ago I wrote a blog article on "How to write simple but sound Yara rules". Since then the mentioned techniques and tools have improved. I'd like to give you a brief update on certain Yara features that I frequently use and tools that I use to generate and test...
How to Write Simple but Sound Yara Rules
During the last 2 years I wrote approximately 2000 Yara rules based on samples found during our incident response investigations. A lot of security professionals noticed that Yara provides an easy and effective way to write custom rules based on strings or byte...
How to Scan for System File Manipulations with Yara (Part 2/2)
As a follow-up to my first article about inverse matching Yara rules, I would like to add a tutorial on how to scan for system file manipulations using Yara and PowerShell. The idea of inverse matching is that we do not scan for something malicious that we already know...
Inverse Yara Signature Matching (Part 1/2)
During our investigations we encountered situations in which attackers replaced valid system files with other system files to achieve persistence and establish a backdoor on the systems. The most frequently used method was the replacement of the "sethc.exe" with the...
Signature for Windows 0-day EPATHOBJ Exploit
Yesterday, a 0-day vulnerability in the Microsoft Windows operating system became known which, considered on its own, is already regarded as serious; in connection with the attacker tools known to us, such as the Windows Credential Editor...