I hereby claim:
- I am tlansec on github.
- I am tlansec (https://keybase.io/tlansec) on keybase.
- I have a public key ASBn6NaQHKRGN-ymHfWx1epyZK7Q07E9UQlOXmsoZKuG-wo
To claim this, I am signing this object:
Tom Lancaster tlansec
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import requests | |
| r = { | |
| 'url':'https://pypi.python.org', | |
| 'method' : "GET", | |
| "headers" : { | |
| "Host" : "totally-python.org", | |
| "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36" | |
| }, | |
| "verify" : True | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Add as an alias like: | |
| // alias entropy=yara /path/to/entropy.yar $* | |
| // Usage: | |
| // entropy file.bin | |
| import "console" | |
| import "math" | |
| rule entropy |
tlansec
/ entropy_functions.yar
Created
March 14, 2022 14:01
Generic rule for suspicious function names
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "math" | |
| rule general_vba_high_entropy_function_names : General | |
| { | |
| meta: | |
| author = "threatintel@volexity.com" | |
| description = "Looks for VBA files containing function names that have been randomized based on their entropy." | |
| date = "2022-03-14" | |
| hash1 = "c2badcdfa9b7ece00f245990bb85fb6645c05b155b77deaf2bb7a2a0aacbe49" | |
| memory_suitable = 0 |
tlansec
/ externals_example.py
Created
February 21, 2022 10:08
Simple script to demo use of yara-python + externals
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Simple script to demo use of yara-python + externals | |
| # think of all the externals you could define! | |
| import os | |
| import sys | |
| import yara | |
| example_rule = ''' | |
| rule demo_externals | |
| { |
tlansec
/ pe_check.yar
Created
January 6, 2022 10:33
Use with -D flag to dump PE metadata about a file, I have an alias of "pe_yara=yara -D $*" so I can just run "pe_yara -D foo.bin"
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "pe" | |
| rule always_false | |
| { | |
| condition: | |
| false | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule general_win_runkey_casing_anomaly : General | |
| { | |
| meta: | |
| author = "threatintel@volexity.com" | |
| description = "Looks for files containing to a reference to the HKCU run key where the reference uses unusual casing." | |
| date = "2021-08-03" | |
| hash1 = "c20997c72508bc7340f4ec99fe9eb4f1ccde518e81bda66e7c86632f0748bffa" | |
| memory_suitable = 0 | |
| strings: |