100 Days of YARA – Day 48: gscript

This rule finds binaries compiled with gscript, a scriptable dropper framework, by matching the Go import path of the gscript runtime that its compiled binaries carry.

I first encountered this playing CTFs. It is a very nice tool for offensive operations, allowing an attacker to bundle several payloads into one file. This lets attackers move quickly and deploy a multitude of C2 channels on victim hosts.

Defending against this in a CTF setting was painful because the attackers re-deployed all of their persistence a few minutes after defenders removed it. This led to many situations where we observed attackers using persistence mechanisms that we thought had already been removed.

Encountering this malware led me to some really fun research.

The next time I ran into gscript, I was able to intercept the payload, reverse engineer it enough to figure out what was being done and deal with it much more effectively.

rule gscript
{
	meta:
		description = "https://github.com/gen0cide/gscript"

	strings:
		// Go import path of the gscript runtime, present in binaries built with it
		$ = "github.com/gen0cide/gscript"

	condition:
		any of them
}
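As an added example (not code from the original post or from the gscript project), the following Python script applies the same check as the rule above to files on disk and, going one step beyond the rule, lists the other github.com import paths the binary carries, since a Go binary keeps the import path of every package it links. yara-python is used only if it is installed; the byte strings at the bottom are constructed stand-ins for real binaries.

```python
import re
import sys
from pathlib import Path
from typing import Iterable, Optional

# The YARA rule from this post, embedded so it can be compiled with yara-python if present.
GSCRIPT_RULE = r'''
rule gscript
{
    meta:
        description = "https://github.com/gen0cide/gscript"
    strings:
        $ = "github.com/gen0cide/gscript"
    condition:
        any of them
}
'''

GSCRIPT_PATH = b"github.com/gen0cide/gscript"

# Go binaries embed the import path of every linked package (function names in the
# pclntab are "<import path>.<func>"), so a regex over the raw bytes recovers a rough
# dependency inventory.  Simplification: repo names containing '.' are truncated.
GO_IMPORT_RE = re.compile(rb"github\.com/[A-Za-z0-9_\-]+/[A-Za-z0-9_\-]+")


def matches_gscript(data: bytes) -> bool:
    """Same logic as the YARA rule: any occurrence of the literal import path."""
    return GSCRIPT_PATH in data


def go_import_paths(data: bytes) -> set:
    """Return the github.com/<owner>/<repo> paths found anywhere in the bytes."""
    return {m.decode() for m in GO_IMPORT_RE.findall(data)}


def yara_match(data: bytes) -> Optional[list]:
    """Compile the rule with yara-python and scan the buffer.

    Returns the list of matching rule names, or None when yara-python is absent.
    """
    try:
        import yara
    except ImportError:
        return None
    rules = yara.compile(source=GSCRIPT_RULE)
    return [m.rule for m in rules.match(data=data)]


def triage(paths: Iterable[Path]) -> list:
    """Report every file that matches, with the other Go paths it links."""
    hits = []
    for p in paths:
        data = p.read_bytes()
        if matches_gscript(data):
            deps = sorted(go_import_paths(data) - {GSCRIPT_PATH.decode()})
            hits.append((str(p), deps))
            print(f"{p}: gscript  other deps={deps}")
    return hits


# Constructed samples (not real binaries): one carries the gscript path plus the path of a
# second Go package, the other is a benign Go program with no gscript reference.
SAMPLE_GSCRIPT = (
    b"\x7fELF" + b"\x00" * 16
    + b"github.com/gen0cide/gscript/engine.(*Engine).Run\x00"
    + b"github.com/robertkrimen/otto.(*Otto).Run\x00"
)
SAMPLE_BENIGN = b"MZ" + b"\x00" * 32 + b"github.com/spf13/cobra.(*Command).Execute\x00"

if __name__ == "__main__":
    # Usage: python gscript_triage.py <file> [<file> ...]
    triage(Path(a) for a in sys.argv[1:])
```

A single literal string is a brittle signature; treat a hit as a lead to confirm by pulling the surrounding import paths and function names, not as proof on its own.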


One thought on “100 Days of YARA – Day 48: gscript”

  1. Pingback: Week 06 – 2022 – This Week In 4n6
