Discover and read the best of Twitter Threads about #YARA

Most recent (15)

17 FREE #hacking #cybersecurity tools #free:
Thread 🧵
1. Zeek: zeek.org : monitors and analyzes network traffic in real time, captures packets, logs events and generates alerts on suspicious activity. Widely used in industry and in academic research. #Zeek #security #network
2. ClamAV: clamav.net : detects and removes viruses, malware and other threats in files and e-mail messages. It is often used on mail servers and network systems to protect against security threats. #ClamAV #virus #security #malware
Read 25 tweets
🐲 Ghidra Tips 🐲- Malware Encryption and Hashing functions often produce byte sequences that are great for #Yara rules.

Using #Ghidra and a Text Editor - You can quickly develop Yara rules to detect common malware families.
(Demonstrated with #Qakbot)

[1/20]
#Malware #RE
[2/20]
Hashing and encryption functions make good targets for #detection as they are reasonably unique to each malware family and often contain lengthy and specific byte sequences due to the mathematical operations involved.

These characteristics make for good Yara rules 😁
[3/20] The biggest challenge is locating the functions responsible for hashing and encryption. I'll leave that for another thread, but for now...

You can typically recognize hashing/encryption through the use of bitwise operators inside a loop. (xor ^ and shift >> etc).
Read 22 tweets
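The thread stops at "find the loop, take its bytes". As an added example (not the thread author's code, and not Qakbot bytes), the Python below turns the same loop as it appears in two samples of one family into a YARA hex string: bytes that agree are kept, bytes that differ (here, the compare immediate at the end of a ror-13 hash loop) become `??` wildcards, a small matcher checks the pattern the way YARA would, and a rule is emitted only if enough fixed bytes survive. The two byte sequences are constructed stand-ins; the rule name and the minimum-fixed-bytes threshold are arbitrary choices.

```python
"""Derive a wildcarded YARA hex string from one code sequence seen in
several samples of a family (added example; constructed bytes, not Qakbot)."""

# Constructed stand-ins for a ror-13 hash loop lifted from two samples:
#   movzx eax, byte [esi]; ror edx, 13; add edx, eax; inc esi;
#   test al, al; jne loop; cmp edx, imm32
# Only the final compare immediate differs between the two samples.
SAMPLE_A = bytes.fromhex("0FB606 C1CA0D 01C2 46 84C0 75F3 81FA 4C772607")
SAMPLE_B = bytes.fromhex("0FB606 C1CA0D 01C2 46 84C0 75F3 81FA 318B6F87")


def wildcard_tokens(variants):
    """Column-wise compare of equally long byte strings: 'XX' where every
    variant agrees, '??' where any differs."""
    if len({len(v) for v in variants}) != 1:
        raise ValueError("variants must be equally long; align them first")
    return [f"{col[0]:02X}" if len(set(col)) == 1 else "??"
            for col in zip(*variants)]


def to_hex_string(tokens):
    """Render tokens as a YARA hex string: { 0F B6 ... ?? ?? }"""
    return "{ " + " ".join(tokens) + " }"


def matches(tokens, data):
    """Sliding-window check of a wildcarded pattern against a byte buffer
    (what YARA does for this one hex string)."""
    n = len(tokens)
    for i in range(len(data) - n + 1):
        if all(t == "??" or int(t, 16) == data[i + j] for j, t in enumerate(tokens)):
            return True
    return False


def build_rule(name, variants, min_fixed=8):
    """Emit a rule; refuse patterns with too few fixed bytes, which would
    fire on unrelated code. The threshold is an arbitrary choice."""
    tokens = wildcard_tokens(variants)
    fixed = sum(t != "??" for t in tokens)
    if fixed < min_fixed:
        raise ValueError(f"only {fixed} fixed bytes; pattern too weak")
    return (
        f"rule {name}\n"
        "{\n"
        "    strings:\n"
        f"        $hash_loop = {to_hex_string(tokens)}\n"
        "    condition:\n"
        "        uint16(0) == 0x5A4D and $hash_loop\n"
        "}\n"
    )


if __name__ == "__main__":
    print(build_rule("constructed_hash_loop", [SAMPLE_A, SAMPLE_B]))
```

The wildcarded immediate is what makes the rule survive a rebuild that changes the target hash; the opcode bytes of the rotate/add loop are what make it specific. Feed more variants to `wildcard_tokens` and any byte that varies (a relocated address, a register choice) drops out automatically.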
1/ Windows Error Reporting (WER) can provide investigators with a wealth of data including:
• SHA1 hashes of crashed processes
• Snapshot of process trees at time of crash
• Loaded modules of crash
• Process minidumps
#DFIR #Threathunting
See 🧵 for new #Velociraptor artefact
2/ WER files are found in the following locations. They include a range of information intended to address an application crash; however, we can use it for investigation!

C:/Users/*/AppData/Local/Microsoft/Windows/WER
C:/ProgramData/Microsoft/Windows/WER
3/ The "Report.wer" file includes binary information and the binary path. In Windows 10 and above the field "TaskAppId" contains the SHA1 hash of the process (similar to Amcache).
Read 9 tweets
If you utilise API hashing in your #malware or offensive security tooling, try rotating your API hashes. This can have a significant impact on #detection rates and improve your chances of remaining undetected by AV/EDR. See below for an example with a Bind Shell vs #Virustotal.
Since API hashing can be confusing, most attackers won't rotate their hashes with each iteration of malware. Those same hashes can be a reliable detection mechanism if you can recognize them in code.
Luckily finding these hashes isn't too difficult, just look for random hex values prior to a "call rbp".
If you're unsure whether the value is an API hash, just google it and see if you get any hits. Most of the time, identification can be a simple google search away.
Read 6 tweets
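As an added example (not the thread author's code) of both points above, rotating hashes and recognising the un-rotated ones, the Python below implements the block_api-style hash that Metasploit shellcode uses (ror by 13 over the upper-cased UTF-16LE module name plus the ASCII function name), a scanner for the two stub shapes `push imm32; call ebp` and `mov r10d, imm32; call rbp` (both end in the `FF D5` the tweet mentions), and a lookup table built from a short candidate API list. The shellcode buffers are constructed; `KNOWN_APIS` is an illustrative list, not a complete export table. Changing the rotation count stands in for "rotating your hashes" and defeats the table.

```python
"""Metasploit block_api-style API hashing: compute, rotate, and recognise
(added example; constructed shellcode stubs, not a real sample)."""
import struct

# Illustrative candidate list for the lookup table (assumption: a real
# resolver would enumerate every export of every module of interest).
KNOWN_APIS = [
    ("kernel32.dll", "LoadLibraryA"),
    ("kernel32.dll", "WinExec"),
    ("kernel32.dll", "ExitProcess"),
    ("ws2_32.dll", "WSAStartup"),
    ("ws2_32.dll", "connect"),
]


def ror32(value, bits):
    """32-bit rotate right, matching `ror r32, imm8`."""
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def hash_api(module, function, bits=13):
    """ror-by-`bits` accumulate over the upper-cased UTF-16LE module name
    (terminating null word included) plus the same over the ASCII function
    name (terminating null byte included), summed mod 2**32. bits=13 is the
    stock Metasploit scheme; any other value is a 'rotated' variant."""
    h_mod = 0
    for b in (module.upper() + "\x00").encode("utf-16-le"):
        h_mod = ror32(h_mod, bits) + b
    h_fn = 0
    for b in (function + "\x00").encode("ascii"):
        h_fn = ror32(h_fn, bits) + b
    return (h_mod + h_fn) & 0xFFFFFFFF


def find_hash_immediates(code):
    """Return (offset, imm32) for the two block_api call shapes:
    x64 `mov r10d, imm32; call rbp` (41 BA .. FF D5) and
    x86 `push imm32; call ebp`     (68 .. FF D5)."""
    found = []
    idx = code.find(b"\xff\xd5")
    while idx != -1:
        if idx >= 6 and code[idx - 6:idx - 4] == b"\x41\xba":
            found.append((idx - 6, struct.unpack_from("<I", code, idx - 4)[0]))
        elif idx >= 5 and code[idx - 5] == 0x68:
            found.append((idx - 5, struct.unpack_from("<I", code, idx - 4)[0]))
        idx = code.find(b"\xff\xd5", idx + 1)
    return found


def resolve_hashes(code, bits=13):
    """Name every hash immediate found in `code`, 'unknown' otherwise."""
    table = {hash_api(m, f, bits): f"{m}!{f}" for m, f in KNOWN_APIS}
    return [(off, imm, table.get(imm, "unknown"))
            for off, imm in find_hash_immediates(code)]


def stub(imm, x64=True):
    """Constructed call stub around one hash immediate."""
    load = b"\x41\xba" if x64 else b"\x68"
    return load + struct.pack("<I", imm) + b"\xff\xd5"


def constructed_shellcode(bits):
    """Two API calls, one per stub shape, hashed with the given rotation."""
    return (stub(hash_api("kernel32.dll", "WinExec", bits), x64=True)
            + b"\x90\x90"
            + stub(hash_api("kernel32.dll", "ExitProcess", bits), x64=False))


if __name__ == "__main__":
    print(f"LoadLibraryA = {hash_api('kernel32.dll', 'LoadLibraryA'):#010x}")
    print(resolve_hashes(constructed_shellcode(13)))           # names both calls
    print(resolve_hashes(constructed_shellcode(11)))           # unknown, unknown
    print(resolve_hashes(constructed_shellcode(11), bits=11))  # names both again
```

The detection side only works because the table is precomputed for one fixed scheme; a defender who suspects a rotated variant has to brute-force the rotation count (or the whole hash function) against the immediates they recovered, which is exactly the cost the first tweet is imposing.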
On 5/11 @NetflixIT releases the film about the #Yara case by Pietro Valsecchi, who tells the @Corriere "Those who believe he is innocent? They exist, just like anti-vaxxers"
NO! Anti-vaxxers are against science; in the Yara case, whoever accepts a DNA test with an inverted ratio between nuclear and mitochondrial DNA is the one against science!!
In the trace that convicted Bossetti, the majority nuclear DNA is Yara's, but the majority mitochondrial DNA is Bossetti's, and that of a third person, still unidentified today, also appears
For science this is BOGUS evidence; for the justice system it is not!
We don't know whether Bossetti is guilty, but the evidence that convicted him, without any other circumstantial evidence (ZERO!!!), is FALSE evidence
A fine case in which justice did not do justice
Read 4 tweets
#Sidewinder #APT

It seems that #Indian APTs have been waging war on #Pakistan with the same payloads over and over again. Meanwhile, the Pakistani #Government and #Military are either helpless or overoccupied. Following is another new sample that goes ages back.
A variant of this sample has been attributed to #Sidewinder #APT by the Govt. of Pak. The #malware is deployed using the shared image in a #phishing email, using a similar methodology to that of [image]
DOCX MD5: 2a6249bc69463921ada1e960e3eea589 Mech 8 ZIRC0N-TSIRK0N.doc
#Exploit: hashcheck[.]xyz/PY8997/yrql/plqs
RTF MD5: 7c11d5125c3fb167cca82ff8b539e3c7 plqs
#C2: sportfunk[.]xyz/topaz/foti
CVE-2017-11882
Read 12 tweets
2020-12-03:🔥 And ... [Major Discovery] 🤖"Persist, Brick, Profit -#TrickBot Offers New “#TrickBoot” UEFI-Focused Functionality"

🆕*First* Time Crimeware Group Pursued UEFI Firmware Exploitation | #YARA+IOCs in MISP JSON/CSV

@eclypsium | @IntelAdvanced
advanced-intel.com/post/persist-b…
📚:

1⃣TrickBoot is only one line of code away from being able to brick any device it finds to be vulnerable.
2⃣Historically, TrickBot actors have needed to evade and persist at the OS level - now a chance at UEFI level.
3⃣Actors are going lower in the stack to avoid detection.
✅Evolution of criminal intent:

⚓️Deep persistence achieved via UEFI/BIOS level to survive long-term on the host

⚡️New Incident Response Paradigm Shift:

*Firmware integrity checks might be particularly important for a device that is known to have been compromised by TrickBot.*
Read 4 tweets
🔥 #AdventOfReversing 1/24 🔥
Get dirty as soon as possible. Don't fall into thinking you are not ready. Sure, you will be confused by many things at first. That's fine! I used to confuse sections and segments when I started. Keep pushing, and things will become clear naturally.
🔥 #AdventOfReversing 2/24 🔥
Get used to (re)naming *everything* in your disassembler. You might be able to mentally track data across registers and memory for small crackmes w/ easy control flow, but this does not scale at all. Unclutter your mind. Make your life easier.
🔥 #AdventOfReversing 3/24 🔥
You really want to have some programming foundations, but which languages? I mostly agree with this post by @MalwareTechBlog:

🐍 Python
🏗️ C
⚙️ ASM (different flavors: x86(-64) desktop, ARM mobile...)

Give it a read! 📰
malwaretech.com/2018/03/best-p…
Read 19 tweets
Good morning from Laban's farm in #Naivasha.

A hardworking farmer doing over 5 acres of bulb #onions. Investing in the resilience of such producers can make a long-lasting difference in our economy.

Get optimal yields with #YaraFertilizer

#MboleaNiYara #AgribusinessTalk254
1/3
#Onions have low nutrient uptake efficiency due to their very shallow root system. This makes #fertilizer application a key component in their germination cycle. Try out the #Yara Onion nutrition program for optimal yields in your farm.

#AgribusinessTalk254 #MboleaNiYara

2/3
Transplanting: 100 kg/Acre of Yara Power + crop Boost 2L/Acre

4-5th leaf: YaraBella Sulfan 100 kg/Acre + Crop Boost.

5-7th leaf: YaraLiva Nitrabor 50kg/Acre + 50kg/Acre of Yara Winner + crop Boost 2L/Acre.

Bulb expansion: Yara Nitrabor + YaraMila Winner

#MboleaNiYara
3/3
Read 3 tweets
Some very interesting XLLs in the wild (#blueteam take note!). Will link to some research in this thread. This one loads a payload from an embedded resource and displays a decoy message.
📎virustotal.com/gui/file/1994a…
🎁🎇joesandbox.com/analysis/21041…
This XLL decodes a Base64 string using CryptStringToBinary and uses the Nt APIs to jump to it.
📎virustotal.com/gui/file/5644a…
Read 13 tweets
This change @DidierStevens talks about starts with a file discussed on twitter:
I analyzed the file and submitted a #Yara rule to @cyb3rops signature repo:
github.com/Neo23x0/signat…
Read 8 tweets
World No. 1 in synthetic fertilizers, the Norwegian firm #Yara remains unknown to the general public. Ever more expensive for farmers, its fertilizers are a massive source of #greenhousegases. The company has been nominated for the #PinocchioPrize "agriculture special". bastamag.net/multinationale…
Yara embodies:
➡️ The domination of large firms over the agricultural world
➡️ The close links between intensive #agriculture and the climate crisis

These fertilizers release a powerful #greenhousegas that accounts for almost half of the emissions of French 🇫🇷 agriculture, according to @RACFrance
According to @corporateeurope, Yara has spent nearly €12M on #lobbying in Brussels since 2010 to avoid any binding regulation of its climate impact. In parallel, it has pushed its own "solution": "climate-smart agriculture" bastamag.net/Comment-les-mu…
Read 4 tweets
#InstallUtil payloads are still very popular for code execution and app whitelisting bypass.

Here's a fresh sample with a #GRUNT payload: "compliancesignature.cs"
MD5: f55c0c165f30df6d92fbb50bf7688dc5
virustotal.com/gui/file/1db94…
0/59 static detections.
So I'll share some rules!
👇👇
Identify suspicious #InstallUtil code execution payloads with a syntax-based #Yara rule (gist.github.com/itsreallynick/…) from this thread on a *pretty damn similar* sample 🧐

Also look closely at both samples' embedded PE information (Original/InternalName) 😉
👋 hello @rapid7 red team btw

Or as I know you, #UNC1769.
You all do some really cool stuff. Keep it up! See you on the field!

Please try not to get as mad at me for putting some VT payloads on Twitter (like, no need to upload a bunch of aggressively-named files this time 😅)
Read 4 tweets
Someone's trying to backdoor "hexcalc.exe" from GitHub and not doing a great job. Here's a quick exploration of the VT tester's 6 files, the corresponding PDB anomalies, PS1 & Cobalt Strike shellcode, and Yara #hunting rules.

Thread 1/n
The first file tested by the VT account is hexcalc.exe
0433aeff0ed2cdf5776856f2c37be975
PDB: D:\codes\WinHexCalc\Release\hexcalc.pdb

This led me to search for the original (shady) project on GitHub: github.com/azlan/WinHexCa…
and this indeed contains this initial hexcalc.exe

2/n
They attempt to backdoor the file 4 different times with PS1 shellcode, uploading all to VT:
ae73fe66415edbfd5669ab567793536b
d7c7c9ef1c1725f497ef5feaa654fc2e
7feaa6255459dcba370252e8905a9a4a
ddc442bd5e5d157011ae79c48ee2189a
PDB: F:\Devel\WinHexCalc-master\Release\hexcalc.pdb
3/n
Read 9 tweets