Find Turla SilentMoon implants with YARA.
100 Days of YARA – Day 38: pupy
Pupy is yet another open-source RAT/C2 framework. Pupy is a cross-platform, multi function RAT and post-exploitation tool mainly written in python. It features an all-in-memory execution guideline and leaves a very low footprint. Pupy can communicate using multiple transports, migrate into processes using reflective injection, and load remote python code, python packages and python C-extensions …
100 Days of YARA – Day 37: PRISM
Find PRISM backdoors with YARA.
100 Days of YARA – Day 36: Sliver Adversary Emulation Framework
Find Sliver implants and servers with YARA.
100 Days of YARA – Day 35: nanomet
nanomet is another meterpreter stager, similar to TinyMet, written in C: https://github.com/kost/nanomet I have encountered this malware in real-life intrusions and at attack/defend CTFs. rule nanomet { meta: description = "https://github.com/kost/nanomet" strings: $a = "github.com/kost/nanomet" $b = "nanomet.exe" $c = "Available transports are as follows:" condition: all of them } YARA Rules Index
100 Days of YARA – Day 34: TinyMet
Find TinyMet with YARA.
100 Days of YARA – Day 33: Murmur Hash
Detect samples implementing MurmurHash using YARA.
100 Days of YARA – Day 32: Base64 Alphabet
Find binaries that likely implemented base64 using YARA.
100 Days of YARA – Day 31: PDB Paths
Find PE files with PDB pathways with YARA.
100 Days of YARA – Day 30: CRC32
Find programs implementing CRC32 with YARA.
100 Days of YARA – Day 29: MysterySnail
Find RATs belonging to the MysterySnail group with YARA.
100 Days of YARA – Day 28: pyinstaller
Find executables bundled with pyinstaller using YARA.
DMFR SECURITY 