Share this page!

Greg Lesnewich Profile picture
Twitter logo
Jan 5 3 tweets 3 min read
#100DaysofYARA More LNK fun with GOLDBACKDOOR! Padding commands with spaces is a common technique used in LNK files to hide the actual intent inside of the Properties box (see images for examples of padded vs not padded in the Target field Properties view of the GOLDBACKDOOR sample, highlighting thefull command after padding from the GOLDBACKDOOR sample
LNK files store strings relevant to malware analysts, such as icon location and command line arguments, in unicode

This means we can look specifically for consecutive unicode spaces, which likely won't find general padding

github.com/100DaysofYARA/…
Now, if we use the lovely LNK module from @BitsOfBinary, we can get a little bit more precise by looking for padding inside of the commandline field!

note this is not in standard-issue yara yet, but check out the PR: github.com/VirusTotal/yar…

github.com/100DaysofYARA/…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Greg Lesnewich

Greg Lesnewich Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @greglesnewich

Greg Lesnewich Profile picture
Jan 15, 2022
Day 15 of #100DaysofYARA is all about named pipes! We'll be looking for both the \\.\pipe\ strings as well as common references to named and anonymous pipe methods and obfuscation methods. Lots malware fams use named pipes!

github.com/g-les/100Dayso…
However, YARA is probably not the best way to keep track of these things on your network - check out Sysmon Event IDs 17 and 18!

@rpargman has some advice for using KQL to find some specific pipe names
and Splunk has some great blogs on monitoring them across the environment:

splunk.com/en_us/blog/sec…
splunk.com/en_us/blog/sec…
Read 10 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Send Email!

:(