Discover and read the best of Twitter Threads about #100daysofyara
Most recents (4)
#100DaysofYARA More LNK fun with GOLDBACKDOOR! Padding commands with spaces is a common technique used in LNK files to hide the actual intent inside of the Properties box (see images for examples of padded vs not padded in the Target field 
LNK files store strings relevant to malware analysts, such as icon location and command line arguments, in unicode
This means we can look specifically for consecutive unicode spaces, which likely won't find general padding
github.com/100DaysofYARA/…
This means we can look specifically for consecutive unicode spaces, which likely won't find general padding
github.com/100DaysofYARA/…
Now, if we use the lovely LNK module from @BitsOfBinary, we can get a little bit more precise by looking for padding inside of the commandline field!
note this is not in standard-issue yara yet, but check out the PR: github.com/VirusTotal/yar…
github.com/100DaysofYARA/…
note this is not in standard-issue yara yet, but check out the PR: github.com/VirusTotal/yar…
github.com/100DaysofYARA/…
Righto. Lets talk about this data and how to use it. To start, I'm uploading a zip file of all samples as well to allow downloading in bulk. I'll also share out some more parts of this as we go. So, off we go...
🧵(1/14)
🧵(1/14)
For background, #CobaltStrike is an "adversary simulation tool" (pentesting tools vs malware sometimes are only philosophically different #FightMe). It is widely used for legitimate security testing, pre-ransomware operations and other malicious threat actors.
🧵(2/14)
🧵(2/14)
The files provide are called Beacon. It's the malware deployed and controlled by CobaltStrike. While the two names are commonly misused interchangeably (even by myself). @Mandiant did a solid write-up on names. mandiant.com/resources/defi…
🧵(3/14)
🧵(3/14)
Let's talk about shellcode for a bit, shall we?
It used to be that back in the day, it was difficult to write YARA signatures for shellcode
This was before the xor keyword or anything like that
It used to be that back in the day, it was difficult to write YARA signatures for shellcode
This was before the xor keyword or anything like that
It was very common for malware authors to encode their shellcode payloads using trivial transforms
Single-byte XOR was extremely common, and relatively effective (still is, truth be told)
Writing signatures for XOR encoded payloads sucked quite a bit
Single-byte XOR was extremely common, and relatively effective (still is, truth be told)
Writing signatures for XOR encoded payloads sucked quite a bit
Day 15 of #100DaysofYARA is all about named pipes! We'll be looking for both the \\.\pipe\ strings as well as common references to named and anonymous pipe methods and obfuscation methods. Lots malware fams use named pipes!
github.com/g-les/100Dayso…
github.com/g-les/100Dayso…
However, YARA is probably not the best way to keep track of these things on your network - check out Sysmon Event IDs 17 and 18!
@rpargman has some advice for using KQL to find some specific pipe names
@rpargman has some advice for using KQL to find some specific pipe names
and Splunk has some great blogs on monitoring them across the environment:
splunk.com/en_us/blog/sec…
splunk.com/en_us/blog/sec…
splunk.com/en_us/blog/sec…
splunk.com/en_us/blog/sec…
