Discover and read the best of Twitter Threads about #Yara
Most recents (15)
1.Zeek: zeek.org : monitorea y analiza el tráfico de red en tiempo real, captura paquetes, registra eventos y genera alertas de actividad sospechosa. Ampliamente utilizado en la industria y en la investigación académica. #Zeek #seguridad #red
2.ClamAV: clamav.net :detectar y eliminar virus, malware y otras amenazas en archivos y mensajes de correo electrónico. Se utiliza a menudo en servidores de correo y sistemas de red para proteger contra amenazas de seguridad.#ClamAV #virus #seguridad #malware
🐲 Ghidra Tips 🐲- Malware Encryption and Hashing functions often produce byte sequences that are great for #Yara rules.
Using #Ghidra and a Text Editor - You can quickly develop Yara rules to detect common malware families.
(Demonstrated with #Qakbot)
[1/20]
#Malware #RE
Using #Ghidra and a Text Editor - You can quickly develop Yara rules to detect common malware families.
(Demonstrated with #Qakbot)
[1/20]
#Malware #RE
[2/20]
Hashing and encryption functions make good targets for #detection as they are reasonably unique to each malware family and often contain lengthy and specific byte sequences due to the mathematical operations involved.
These characteristics make for good Yara rules 😁
Hashing and encryption functions make good targets for #detection as they are reasonably unique to each malware family and often contain lengthy and specific byte sequences due to the mathematical operations involved.
These characteristics make for good Yara rules 😁
[3/20] The biggest challenge is locating the functions responsible for hashing and encryption. I'll leave that for another thread, but for now...
You can typically recognize hashing/encryption through the use of bitwise operators inside a loop. (xor ^ and shift >> etc).
You can typically recognize hashing/encryption through the use of bitwise operators inside a loop. (xor ^ and shift >> etc).
1/ Windows Error Reporting (WER) can provide investigators with a wealth of data including:
• SHA1 hashes of crashed processes
• Snapshot of process trees at time of crash
• Loaded modules of crash
• Process minidumps
#DFIR #Threathunting
See 🧵 for new #Velociraptor artefact
• SHA1 hashes of crashed processes
• Snapshot of process trees at time of crash
• Loaded modules of crash
• Process minidumps
#DFIR #Threathunting
See 🧵 for new #Velociraptor artefact
2/ WER files are found in the following locations which include a range of information to typically address an application crash, however we can use it for investigation!
C:/Users/*/AppData/Local/Microsoft/Windows/WER
C:/ProgramData/Microsoft/Windows/WER
C:/Users/*/AppData/Local/Microsoft/Windows/WER
C:/ProgramData/Microsoft/Windows/WER
3/ The "Report.wer" file includes binary information and binary path. In Windows 10 and above the field "TaskAppId" contain the SHA1 hash of the process (similar to Amcache).
If you utilise API hashing in your #malware or offensive security tooling. Try rotating your API hashes. This can have a significant impact on #detection rates and improve your chances of remaining undetected by AV/EDR. See below for an example with a Bind Shell vs #Virustotal.
Since API hashing can be confusing, most attackers won't rotate their hashes with each iteration of malware. Those same hashes can be a reliable detection mechanism if you can recognize them in code.
Luckily finding these hashes isn't too difficult, just look for random hex values prior to a "call rbp".
If you're unsure whether the value is an API hash, just google it and see if you get any hits. Most of the time, identification can be a simple google search away.
If you're unsure whether the value is an API hash, just google it and see if you get any hits. Most of the time, identification can be a simple google search away.
Il 5/11 su @NetflixIT il film sul caso #Yara di Pietro Valsecchi che dice al @Corriere "Gli innocentisti? Esistono come i NoVax"
NO! I NoVax sono contro la scienza,nel caso Yara è contro scienza chi accetta una prova Dna con rapporto ribaltato tra Dna nucleare e mitocondriale!!
NO! I NoVax sono contro la scienza,nel caso Yara è contro scienza chi accetta una prova Dna con rapporto ribaltato tra Dna nucleare e mitocondriale!!
Nella traccia che ha condannato Bossetti il Dna nucleare maggioritario è di Yara ma il mitocondriale maggioritario è di Bossetti e appare anche quello di una terza persona ignota ancora oggi
Per la scienza è una prova FARLOCCA per la giustizia no!
Per la scienza è una prova FARLOCCA per la giustizia no!
Non si sa se Bossetti è colpevole ma quella che l'ha condannato senza alcuna altra prova indiziaria (ZERO!!!) è una prova FALSA
Un bel caso nel quale la giustizia non ha fatto giustizia
Un bel caso nel quale la giustizia non ha fatto giustizia
#Sidewinder #APT
It seems that #Indian APTs have been raging war on #Pakistan with the same payloads over and over again. Meanwhile, Pakistani #Government and #Military is either helpless or over occupied. Following is another new sample that goes ages back.
It seems that #Indian APTs have been raging war on #Pakistan with the same payloads over and over again. Meanwhile, Pakistani #Government and #Military is either helpless or over occupied. Following is another new sample that goes ages back.
A variant of this sample has attributed to #Sidewinder #APT by Govt. of Pak. The #malware is deployed using the shared image in a #phishing email using a similar methodology to that of
2020-12-03:🔥 And ... [Major Discovery] 🤖"Persist, Brick, Profit -#TrickBot Offers New “#TrickBoot” UEFI-Focused Functionality"
🆕*First* Time Crimeware Group Pursued UEFI Firmware Exploitation | #YARA+IOCs in MISP JSON/CSV
@eclypsium | @IntelAdvanced
advanced-intel.com/post/persist-b…
🆕*First* Time Crimeware Group Pursued UEFI Firmware Exploitation | #YARA+IOCs in MISP JSON/CSV
@eclypsium | @IntelAdvanced
advanced-intel.com/post/persist-b…
📚:
1⃣TrickBoot is only one line of code away from being able to brick any device it finds to be vulnerable.
2⃣Historically, TrickBot actors have needed to evade and persist at the OS level - now a chance at UEFI level.
3⃣Actors are going lower in the stack to avoid detection.
1⃣TrickBoot is only one line of code away from being able to brick any device it finds to be vulnerable.
2⃣Historically, TrickBot actors have needed to evade and persist at the OS level - now a chance at UEFI level.
3⃣Actors are going lower in the stack to avoid detection.
✅Evolution of criminal intent:
⚓️Deep persistence achieved via UEFI/BIOS level to survive long-term on the host
⚡️New Incident Response Paradigm Shift:
*Firmware integrity checks might be particularly important for device that is known to have been compromised by TrickBot.*
⚓️Deep persistence achieved via UEFI/BIOS level to survive long-term on the host
⚡️New Incident Response Paradigm Shift:
*Firmware integrity checks might be particularly important for device that is known to have been compromised by TrickBot.*
🔥 #AdventOfReversing 1/24 🔥
Get dirty as soon as possible. Don't fall into thinking you are not ready. Sure, you will be confused by many things at first. That's fine! I used to confuse sections and segments when I started. Keep pushing, and things will become clear naturally.
Get dirty as soon as possible. Don't fall into thinking you are not ready. Sure, you will be confused by many things at first. That's fine! I used to confuse sections and segments when I started. Keep pushing, and things will become clear naturally.
🔥 #AdventOfReversing 2/24 🔥
Get used to (re)name *everything* in your disassembler. You might be able to mentally track data across registers and memory for small crackmes w/ easy control flow, but this does not scale at all. Unclutter your mind. Make your life easier.
Get used to (re)name *everything* in your disassembler. You might be able to mentally track data across registers and memory for small crackmes w/ easy control flow, but this does not scale at all. Unclutter your mind. Make your life easier.
🔥 #AdventOfReversing 3/24 🔥
You really want to have some programming foundations, but which languages? I mostly agree with this post by @MalwareTechBlog:
🐍 Python
🏗️ C
⚙️ ASM (different flavors: x86(-64) desktop, ARM mobile...)
Give it a read! 📰
malwaretech.com/2018/03/best-p…
You really want to have some programming foundations, but which languages? I mostly agree with this post by @MalwareTechBlog:
🐍 Python
🏗️ C
⚙️ ASM (different flavors: x86(-64) desktop, ARM mobile...)
Give it a read! 📰
malwaretech.com/2018/03/best-p…
Good morning from Labans farm in #Naivasha.
A hardworking farmer doing over 5 acres of bulb #onions. Investing in the resilience of such producers can make a long-lasting difference in our economy.
Get optimal yields with #YaraFertilizer
#MboleaNiYara #AgribusinessTalk254
1/3
A hardworking farmer doing over 5 acres of bulb #onions. Investing in the resilience of such producers can make a long-lasting difference in our economy.
Get optimal yields with #YaraFertilizer
#MboleaNiYara #AgribusinessTalk254
1/3
#Onions have low nutrient uptake efficiency due to their very shallow root system. This makes #fertilizer application a key component in their germination cycle. Try out the #Yara Onion nutrition program for optimal yields in your farm.
#AgribusinessTalk254 #MboleaNiYara
2/3
#AgribusinessTalk254 #MboleaNiYara
2/3
Transplanting: 100 kg/Acre of Yara Power + crop Boost 2L/Acre
4-5th leaf: YaraBella Sulfan 100kg /Acre + crop Boost .
5-7th leaf: YaraLiva Nitrabor 50kg/Acre + 50kg/Acre of Yara Winner + crop Boost 2L/Acre.
Bulb expansion: Yara Nitrabor + YaraMila Winner
#MboleaNiYara
3/3
4-5th leaf: YaraBella Sulfan 100kg /Acre + crop Boost .
5-7th leaf: YaraLiva Nitrabor 50kg/Acre + 50kg/Acre of Yara Winner + crop Boost 2L/Acre.
Bulb expansion: Yara Nitrabor + YaraMila Winner
#MboleaNiYara
3/3
Some very interesting XLLs in the wild (#blueteam take note!). Will link to some research in this thread. This one loads a payload from an embedded resource and displays a decoy message.
📎virustotal.com/gui/file/1994a…
🎁🎇joesandbox.com/analysis/21041…
📎virustotal.com/gui/file/1994a…
🎁🎇joesandbox.com/analysis/21041…
This XLL decodes a Base64 string using CryptStringToBinary and uses the Nt APIs to jump to it.
📎virustotal.com/gui/file/5644a…
📎virustotal.com/gui/file/5644a…
Some links for research:
👋🌍github.com/edparcell/Hell…
🔙🚪labs.f-secure.com/archive/add-in…
📄gist.github.com/ryhanson/22722…
📎
🎁github.com/moohax/xllpoc
cc/ @buffaloverflow @moo_hax @ryHanson @FSecureLabs
👋🌍github.com/edparcell/Hell…
🔙🚪labs.f-secure.com/archive/add-in…
📄gist.github.com/ryhanson/22722…
📎
🎁github.com/moohax/xllpoc
cc/ @buffaloverflow @moo_hax @ryHanson @FSecureLabs
This change @DidierStevens talks about starts with a file discussed on twitter:
This started with a pentest Excel4 macro file by @spamv noticed by @malwrhunterteam:
🔗virustotal.com/gui/file/ccef6…
🧐
🔗virustotal.com/gui/file/ccef6…
🧐
I analyzed the file and submitted a #Yara rule to @cyb3rops signature repo:
github.com/Neo23x0/signat…
github.com/Neo23x0/signat…
N°1 mondial des engrais synthétiques, la firme norvégienne #Yara reste inconnue du grand public. Toujours +onéreux pour les paysans, ses engrais sont une source massive de #gazaeffetdeserre. L’entreprise est nominée au #PrixPinocchio «spécial agriculture». bastamag.net/multinationale…
Yara incarne:
➡️La domination de grandes firmes sur le monde agricole
➡️Les liens étroits entre #agriculture intensive et crise climatique
Ces engrais libèrent un puissant #gazaeffetdeserre qui représente presque la moitié des émissions de l'agriculture🇫🇷 selon @RACFrance
➡️La domination de grandes firmes sur le monde agricole
➡️Les liens étroits entre #agriculture intensive et crise climatique
Ces engrais libèrent un puissant #gazaeffetdeserre qui représente presque la moitié des émissions de l'agriculture🇫🇷 selon @RACFrance
Selon @corporateeurope, Yara a dépensé près de 12M d’€ en #lobbying à Bruxelles depuis 2010 pour éviter toute régulation contraignante de son impact climatique. En parallèle, elle a poussé sa propre «solution»: l’«agriculture climatiquement intelligente» bastamag.net/Comment-les-mu…
#InstallUtil payloads are still very popular for code execution and app whitelisting bypass.
Here's a fresh sample with a #GRUNT payload: "compliancesignature.cs"
MD5: f55c0c165f30df6d92fbb50bf7688dc5
virustotal.com/gui/file/1db94…
0/59 static detections.
So I'll share some rules!
👇👇
Here's a fresh sample with a #GRUNT payload: "compliancesignature.cs"
MD5: f55c0c165f30df6d92fbb50bf7688dc5
virustotal.com/gui/file/1db94…
0/59 static detections.
So I'll share some rules!
👇👇
Identify suspicious #InstallUtil code execution payloads with a syntax-based #Yara rule (gist.github.com/itsreallynick/…) from this thread () on a *pretty damn similar* sample 🧐
Also look closely at both samples' embedded PE information (Original/InternalName) 😉
Also look closely at both samples' embedded PE information (Original/InternalName) 😉
Someone's trying to backdoor "hexcalc.exe" from GitHub and not doing a great job. Here's a quick exploration of the VT tester's 6 files, the corresponding PDB anomalies, PS1 & Cobalt Strike shellcode, and Yara #hunting rules.
Thread 1/n
Thread 1/n
The first file tested by the VT account is hexcalc.exe
0433aeff0ed2cdf5776856f2c37be975
PDB: D:\codes\WinHexCalc\Release\hexcalc.pdb
This led me to search for the original (shady) project from Github: github.com/azlan/WinHexCa…
and this indeed contains this initial hexcalc.exe
2/n
0433aeff0ed2cdf5776856f2c37be975
PDB: D:\codes\WinHexCalc\Release\hexcalc.pdb
This led me to search for the original (shady) project from Github: github.com/azlan/WinHexCa…
and this indeed contains this initial hexcalc.exe
2/n
They attempt to backdoor the file 4 different times with PS1 shellcode, uploading all to VT:
ae73fe66415edbfd5669ab567793536b
d7c7c9ef1c1725f497ef5feaa654fc2e
7feaa6255459dcba370252e8905a9a4a
ddc442bd5e5d157011ae79c48ee2189a
PDB: F:\Devel\WinHexCalc-master\Release\hexcalc.pdb
3/n
ae73fe66415edbfd5669ab567793536b
d7c7c9ef1c1725f497ef5feaa654fc2e
7feaa6255459dcba370252e8905a9a4a
ddc442bd5e5d157011ae79c48ee2189a
PDB: F:\Devel\WinHexCalc-master\Release\hexcalc.pdb
3/n
Malware techniques that started with Microsoft Office are finding their way to OpenOffice/LibreOffice StarBasic. Happy Hunting!🎯
Macro source: gist.github.com/JohnLaTwC/0d03…
#Yara rule: github.com/Neo23x0/signat…
Hashes: 👇👇👇
Macro source: gist.github.com/JohnLaTwC/0d03…
#Yara rule: github.com/Neo23x0/signat…
Hashes: 👇👇👇
