John has officially summited Mt Yara! Congrats John on completing #100DaysofYARA, well done.
Not just providing rules but insight into how and why you wrote them is setting a great example for our little community 😄
I hope you've learned as much as you taught.
#100DaysofYARA tons of tasty info can be pulled from Mach-O headers, especially load commands! Let's get a generic count of LOAD_DYLIB commands to quantify how many external libraries are used - no idea if any # is suspicious
github.com/100DaysofYARA/…
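The load-command walk that the post above counts, as an added Python example (this is not code from the post or from the 100DaysofYARA repository): it parses a thin Mach-O header, iterates the load commands, and counts the ones that pull in a dylib (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB, LC_LOAD_UPWARD_DYLIB), returning the count and the dylib paths. The sample binary is constructed inline from a handful of hand-packed load commands, so it is not a real executable and runs offline; the bounds checks stop the walk cleanly when `ncmds`/`sizeofcmds` lie or the file is truncated.

```python
"""Count dylib load commands in a thin Mach-O (added example, constructed sample)."""
import struct

# Header magics as they read when unpacked little-endian from the file bytes.
MH_MAGIC = 0xFEEDFACE      # 32-bit, file is little-endian
MH_CIGAM = 0xCEFAEDFE      # 32-bit, file is big-endian (byte-swapped)
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit
MH_CIGAM_64 = 0xCFFAEDFE   # 64-bit, byte-swapped

# Load command types that bind an external dylib.
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x18
LC_REEXPORT_DYLIB = 0x1F
LC_LOAD_UPWARD_DYLIB = 0x23
DYLIB_COMMANDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB, LC_LOAD_UPWARD_DYLIB}
LC_SEGMENT_64 = 0x19
LC_MAIN = 0x80000028


def count_dylib_loads(data):
    """Walk the load commands and return (dylib load count, list of dylib paths)."""
    if len(data) < 28:
        raise ValueError("too short for a Mach-O header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        end = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        end = ">"
    else:
        raise ValueError("not a thin Mach-O (fat binaries need per-arch slicing first)")
    is64 = magic in (MH_MAGIC_64, MH_CIGAM_64)
    # mach_header{,_64}: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags[, reserved]
    ncmds, sizeofcmds = struct.unpack_from(end + "II", data, 16)
    off = 32 if is64 else 28
    limit = min(len(data), off + sizeofcmds)

    count, names = 0, []
    for _ in range(ncmds):
        if off + 8 > limit:
            break  # ncmds claims more commands than sizeofcmds/the file actually hold
        cmd, cmdsize = struct.unpack_from(end + "II", data, off)
        if cmdsize < 8 or off + cmdsize > limit:
            break  # malformed or truncated command: stop instead of reading out of bounds
        if cmd in DYLIB_COMMANDS:
            count += 1
            # dylib_command: cmd, cmdsize, then struct dylib { name.offset, timestamp,
            # current_version, compatibility_version }; name.offset is relative to the command
            name_off = struct.unpack_from(end + "I", data, off + 8)[0] if cmdsize >= 12 else cmdsize
            raw = data[off + name_off:off + cmdsize] if name_off < cmdsize else b""
            names.append(raw.split(b"\x00", 1)[0].decode("utf-8", "replace"))
        off += cmdsize
    return count, names


def _dylib_cmd(cmd, path):
    """Encode one little-endian dylib_command for the constructed sample."""
    name = path.encode() + b"\x00"
    size = 24 + len(name)
    size += (-size) % 8  # load commands are 8-byte aligned in 64-bit files
    hdr = struct.pack("<IIIIII", cmd, size, 24, 2, 0x10000, 0x10000)
    return hdr + name.ljust(size - 24, b"\x00")


def build_sample():
    """Constructed arm64 MH_EXECUTE header with five load commands and no code (not a real binary)."""
    cmds = (
        struct.pack("<II", LC_SEGMENT_64, 72) + b"\x00" * 64,  # segment_command_64 stub
        _dylib_cmd(LC_LOAD_DYLIB, "/usr/lib/libSystem.B.dylib"),
        _dylib_cmd(LC_LOAD_DYLIB, "/usr/lib/libobjc.A.dylib"),
        _dylib_cmd(LC_LOAD_WEAK_DYLIB, "@rpath/libPlugin.dylib"),
        struct.pack("<IIQQ", LC_MAIN, 24, 0x1000, 0),  # entry_command
    )
    body = b"".join(cmds)
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, len(cmds), len(body), 0, 0)
    return header + body


if __name__ == "__main__":
    n, paths = count_dylib_loads(build_sample())
    print(n, paths)
```

The count alone is the feature the post asks for; the paths are what you would actually pivot on. The header's `ncmds` is the total number of load commands of every type, so it overstates imports unless you walk the commands as above.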
#100DaysofYARA day 100 - roundup: bitsofbinary.github.io/yara/2023/04/1…
We made it to day 100! I'm very happy that I managed to do a post each day.
I covered the LNK module, use of modifiers, YARA performance basics, command line options, and a case study with AcidBox.
Day 20 of #100DaysofYARA : Use Case 4 for the THOR-Lite room done on Try Hack Me, only Use Case 5 remains! Custom rule for Use Case 4 - github.com/vert1c4l/100_D…
It's interesting that your analysis ended up here as well. I was looking at this for #100daysofyara and ended up getting there with my colleague's (Daniel Mayer) sentiment 'I see pdb, it goes in rule'
I love that Greg Lesnewich is going hard on MachO for #100DaysofYARA
I'm learning more every day!
Congrats to John & Daniel Stinson for completing the 💯 Days of #YARA challenge!
Started by Greg Lesnewich, the #100DaysofYARA challenge encourages participants to share one YARA rule each 📆 day for the first 100 days of the year ➡️ hubs.ly/Q01PV8D00
Thanks to Greg Lesnewich for kicking this off, along with everyone who's added to the #100DaysofYARA community over the last 2 years: John, Super Sheep (@[email protected]), Silas, Steve YARA Synapse Miller, Daniel Mayer, Wesley Shields, French, [email protected] and surely more!
Day 💯 of #100DaysofYARA : When I started on Jan 1st I had no idea I was going to do any YARA rules in 2023, let alone a 100-day streak🔥
There were lots of macOS/Mach-O rules, file fats, and more. Check out this summary post: shellcromancer.io/posts/100-days…
#100DaysOfYara rules git repo about to get a live demo on OALabs twitch stream over unpac.me data.
Day 86 of #100DaysofYARA : The MacStealer malware we wrote a signature for yesterday includes lots of .pyc python-byte code. Got more familiar with that format today, writing a rule and analyzing it. 🧵
YARA: github.com/shellcromancer…
Smoke loader seen recently with this pdb 'C:\\yeya-valuruzer rucetofalumo p.pdb'. If you've seen it too, I'd love to chat. #100daysofyara
Dropped my latest post on NPPSPY! ft. Rob Dray Agha Grzegorz Tworek SnapAttack
malwareguy.tech/Hunts/nppspy.h…
#ENVTuber #VTuber EN #VTuber #ThreatHunting #Malware #ReverseEngineering #DigitalForensics #IncidentResponse #Malware Hunting #100DaysofYARA
One of the most incredible analysts in the #ThreatIntel space - John - has just completed the #100DaysofYARA challenge with an awesome blog to go along with it. You cannot learn enough from this man, please for your benefit check it out!
bitsofbinary.github.io
The #100DaysofYARA crew slayed it this year: big hustles fm Greg Lesnewich Daniel Stinson John Wesley Shields Super Sheep (@[email protected]) French Silas Cutler Daniel Mayer Jeremy Brown Malvidin Colin Cowie👨🏼💻| @[email protected] @tlan Josh Stroschein Alex Hegyi Paul Melson vertic4l & more. Props y'all.
YARA rules.
I like #100DaysOfYARA drive-bys
Here's one
rule MurmurHash_x86
{
    // MurmurHash3 x86_32 mixing constants c1 = 0xcc9e2d51 and c2 = 0x1b873593 as they
    // appear little-endian in compiled x86 code: imul r32, r/m32, imm32 (69 /r id) with c1,
    // rol r/m32, 15 (c1 /0 0f), then imul with c2. The ?? bytes are the ModRM operands.
    strings:
        $v = {69 ?? 51 2d 9e cc c1 ?? 0f 69 ?? 93 35 87 1b}
    condition:
        any of them
}
Shoutout to Greg Lesnewich for organising #100DaysofYARA , and for everyone who has contributed this year, including Daniel Stinson, Super Sheep (@[email protected]), Daniel Mayer, Wesley Shields, French, Steve YARA Synapse Miller, and more!
Super Sheep (@[email protected]) so where did we land? well - strings, which were low effort, yielded the same results as ~20 minutes or so of analysis in disassembly. This was not an 'expected' outcome - this was just a live tweeting of my process of how and why decisions get made in my YARA journey
Playing with suspicious Windows driver usage ideas & unintentionally made a rule that found drivers in the rsrc section so I thought I'd post it. Most of the matches are boring & seemingly from ~2009 ¯\_(ツ)_/¯ gist.github.com/schrodyn/9d8eb… #100DaysOfYara