Find PE files with PDB pathways with YARA.
100 Days of YARA – Day 30: CRC32
Find programs implementing CRC32 with YARA.
100 Days of YARA – Day 29: MysterySnail
Find RATs belonging to the MysterySnail group with YARA.
100 Days of YARA – Day 28: pyinstaller
Find executables bundled with pyinstaller using YARA.
100 Days of YARA – Day 27: LOKI2
LOKI2 is an old backdoor released in Phrack Magazine in 1997. This tool is still somewhat novel even in 2021, providing a shell over the ICMP protocol. http://phrack.org/issues/49/6.htmlhttp://phrack.org/issues/51/6.html A few years ago, I read an article that highlighted this tool's use by the Turla group that piqued my interest. Due to this tool running over …
100 Days of YARA – Day 26: Merlin C2
Merlin is a cross-platform post-exploitation Command & Control server and agent written in Go. This C2 software offers some unique features such as operating over the QUIC protocol and compatibility with the Mythic Framework.https://github.com/Ne0nd0g/merlin I encountered this C2 while playing Pros versus Joes CTF. rule merlin { meta: description = "https://github.com/Ne0nd0g/merlin" strings: $a = "github.com/Ne0nd0g/merlin" …
100 Days of YARA – Day 25: Hive Ransomware Obfuscated Strings
Detect the golang-based string obfuscation library implemented by Hive Ransomware with YARA.
100 Days of YARA – Day 24: Run Keys
Find samples containing registry run key pathways with YARA.
100 Days of YARA – Day 23: socat
Detect socat with YARA.
100 Days of YARA – Day 22: Parent Process ID Spoofing
Find samples that may have implemented parent process id spoofing with YARA.
100 Days of YARA – Day 21: DCRat
Detect DCRat with YARA.
100 Days of YARA – Day 20: xmrig
Find xmrig with YARA.