100 Days of YARA – Day 43: EfsPotato

On January 31, 2022December 31, 2021 By DanielIn 100 days of Yara1 Comment

EfsPotato has been observed in the wild in computer intrusions: https://pinboard.in/u:droberson/t:efspotato/ rule efspotato { meta: description = "EfsPotato privilege escalation exploit" reference = "https://github.com/zcgonvh/EfsPotato" strings: $efspotato = "EfsPotato" condition: uint16(0) == 0x5a4d and $efspotato } YARA Rules Index

100 Days of YARA – Day 42: ptrace

On January 30, 2022December 31, 2021 By DanielIn 100 days of Yara1 Comment

Find ELFs using ptrace with YARA.

100 Days of YARA – Day 41: nmap

On January 29, 2022December 31, 2021 By DanielIn 100 days of Yara1 Comment

For reasons similar to masscan, it is worth investigating if Nmap is discovered on an unexpected host. rule nmap { meta: description = "Nmap network scanner" reference = "https://nmap.org" strings: $ = "Usage: nmap [Scan Type(s)] [Options] {target specification}" condition: all of them } YARA Rules Index

100 Days of YARA – Day 40: masscan

On January 28, 2022December 31, 2021 By DanielIn 100 days of Yara1 Comment

Find masscan with YARA.

100 Days of YARA – Day 39: SilentMoon

On January 27, 2022December 31, 2021 By DanielIn 100 days of Yara1 Comment

Find Turla SilentMoon implants with YARA.

100 Days of YARA – Day 38: pupy

On January 26, 2022December 31, 2021 By DanielIn 100 days of Yara1 Comment

Pupy is yet another open-source RAT/C2 framework. Pupy is a cross-platform, multi function RAT and post-exploitation tool mainly written in python. It features an all-in-memory execution guideline and leaves a very low footprint. Pupy can communicate using multiple transports, migrate into processes using reflective injection, and load remote python code, python packages and python C-extensions …

Continue reading 100 Days of YARA – Day 38: pupy

100 Days of YARA – Day 37: PRISM

On January 25, 2022December 31, 2021 By DanielIn 100 days of Yara1 Comment

Find PRISM backdoors with YARA.

100 Days of YARA – Day 36: Sliver Adversary Emulation Framework

On January 24, 2022December 31, 2021 By DanielIn 100 days of Yara1 Comment

Find Sliver implants and servers with YARA.

100 Days of YARA – Day 35: nanomet

On January 23, 2022December 31, 2021 By DanielIn 100 days of Yara1 Comment

nanomet is another meterpreter stager, similar to TinyMet, written in C: https://github.com/kost/nanomet I have encountered this malware in real-life intrusions and at attack/defend CTFs. rule nanomet { meta: description = "https://github.com/kost/nanomet" strings: $a = "github.com/kost/nanomet" $b = "nanomet.exe" $c = "Available transports are as follows:" condition: all of them } YARA Rules Index

100 Days of YARA – Day 34: TinyMet

On January 22, 2022December 31, 2021 By DanielIn 100 days of Yara1 Comment

Find TinyMet with YARA.

100 Days of YARA – Day 33: Murmur Hash

On January 21, 2022December 31, 2021 By DanielIn 100 days of Yara1 Comment

Detect samples implementing MurmurHash using YARA.

100 Days of YARA – Day 32: Base64 Alphabet

On January 20, 2022December 31, 2021 By DanielIn 100 days of Yara1 Comment

Find binaries that likely implemented base64 using YARA.

DMFR SECURITY

Category: 100 days of Yara