Discover and read the best of Twitter Threads about #100DaysofYARA

Most recent (4)

#100DaysofYARA More LNK fun with GOLDBACKDOOR! Padding commands with spaces is a common technique used in LNK files to hide the actual intent inside of the Properties box (see images for examples of padded vs not padded in the Target field Properties view of the GOLDBACKDOOR sample, highlighting the full command after padding from the GOLDBACKDOOR sample).
LNK files store strings relevant to malware analysts, such as icon location and command line arguments, in Unicode.

This means we can look specifically for consecutive Unicode spaces, which likely won't find general padding.

github.com/100DaysofYARA/…
Now, if we use the lovely LNK module from @BitsOfBinary, we can get a little bit more precise by looking for padding inside of the commandline field!

note this is not in standard-issue yara yet, but check out the PR: github.com/VirusTotal/yar…

github.com/100DaysofYARA/…
Read 3 tweets
Righto. Let's talk about this data and how to use it. To start, I'm uploading a zip file of all samples as well to allow downloading in bulk. I'll also share out some more parts of this as we go. So, off we go...

🧵(1/14)
For background, #CobaltStrike is an "adversary simulation tool" (pentesting tools vs malware sometimes are only philosophically different #FightMe). It is widely used for legitimate security testing, and by pre-ransomware operations and other malicious threat actors.

🧵(2/14)
The files provided are called Beacon. It's the malware deployed and controlled by CobaltStrike. While the two names are commonly misused interchangeably (even by myself), @Mandiant did a solid write-up on names. mandiant.com/resources/defi…

🧵(3/14)
Read 14 tweets
Let's talk about shellcode for a bit, shall we?

It used to be that, back in the day, it was difficult to write YARA signatures for shellcode.

This was before the xor keyword or anything like that.
It was very common for malware authors to encode their shellcode payloads using trivial transforms.

Single-byte XOR was extremely common, and relatively effective (still is, truth be told)

Writing signatures for XOR encoded payloads sucked quite a bit.
Our friends @wxs and @plusvic helpfully added the 'xor' keyword to YARA a while back.

This is great! It makes writing "normal" signatures for shellcode a bit easier.

However, some of you may recall a little tool called Plug-X.
Read 17 tweets
Day 15 of #100DaysofYARA is all about named pipes! We'll be looking for both the \\.\pipe\ strings as well as common references to named and anonymous pipe methods and obfuscation methods. Lots of malware fams use named pipes!

github.com/g-les/100Dayso…
However, YARA is probably not the best way to keep track of these things on your network - check out Sysmon Event IDs 17 and 18!

@rpargman has some advice for using KQL to find some specific pipe names,
and Splunk has some great blogs on monitoring them across the environment:

splunk.com/en_us/blog/sec…
splunk.com/en_us/blog/sec…
Read 10 tweets