Yara signature definition

How to Write Simple but Sound Yara Rules

During the last 2 years I wrote approximately 2000 Yara rules based on samples found during our incident response investigations. A lot of security professionals noticed that Yara provides an easy and effective way to write custom rules based on strings or byte sequences found in their samples and allows them as end user to […]

5 Comments Continue Reading →

Sysmon Example Config XML

Sysmon is a powerful monitoring tool for Windows systems. Is is not possible to unleash all its power without using the configuration XML, which allows you to include or exclude certain event types or events generated by a certain process. Use the configuration to exclude high volume sources or event types of less interest (e.g. […]

1 Comment Continue Reading →

Critical Zero Day Vulnerability – Kerberos Service – CVE-2014-6324

(please find below the English version of the blog post) Wir informieren Sie hiermit über eine kritische Zero-Day-Lücke im Kerberos Dienst aller Microsoft Windows Server Versionen. Schwachstelle Die als CVE-2014-6324 bekannt gewordene Schwachstelle im Kerberos Dienst aller Windows Versionen ermöglicht es einem Angreifer mit einem umprivilegierten Domänen-Konto seine Rechte auf ein beliebiges anderes Konto in der […]

Leave a comment Continue Reading →
DLL in Sandbox

Smart DLL execution for Malware Analysis in Sandbox Systems

While analysing several suspicious DLL files I noticed that some of these files (which were obviously malicious) didn’t perform their malicious activity unless a certain function was triggered. The malware used a registry entry to execute a certain function that is exported by the DLL called „InstallM“. I had to run „rundll32.exe malware.dll,InstallM“ to trigger […]

3 Comments Continue Reading →

Bash Schwachstelle CVE-2014-6271 Shell Shock erkennen

Dieser Artikel enthält Information dazu, wie Sie die bash Schwachstelle CVE-2014-6271 Shell Shock erkennen und behandeln können. Betroffene Systeme Grundsätzlich sind alle Systeme betroffen, die eine “bash” einsetzen, also Linux Unix AIX Solaris HPUX D.h. auch viele Embedded Systems, Network Devices, Appliances Die Remote Ausnutzung der Schwachstelle bedarf aber eines remote erreichbaren Dienstes, der in […]

Leave a comment Continue Reading →

Check Point Remote Access Client Auto Deployment

Setting up a client-to-site VPN using the Check Point (CP) Remote Access Client is a common scenario in CP infrastructures. As the central gateway is set up the Remote Access Client is started, connected to the gateway using valid user credentials, the gateway fingerprint needs to be verified and accepted on the first connection attempt […]

Leave a comment Continue Reading →
Yara Anomaly Scanner

How to Scan for System File Manipulations with Yara (Part 2/2)

As a follow up on my first article about inverse matching yara rules I would like to add a tutorial on how to scan for system file manipulations using Yara and Powershell. The idea of inverse matching is that we do not scan for something malicious that we already know but for anomalies within the […]

10 Comments Continue Reading →
Signature Matching sethc.exe

Inverse Yara Signature Matching (Part 1/2)

During our investigations we encountered situations in which attackers replaced valid system files with other system files to achieve persistence and establish a backdoor on the systems. The most frequently used method was the replacement of the „sethc.exe“ with the valid command line „cmd.exe“ to establish a backdoor right in logon screen by pressing shift […]

1 Comment Continue Reading →
Telekom E-Mail mit dem Betreff: RechnungOnline Monat Mai 2014

Trojaner Warnung: Telekom E-Mail Betreff: RechnungOnline Monat Mai 2014, Buchungskonto: 2962325641

Es tobt derzeit wieder eine neue Phishing Welle. Zahlreiche Mails mit Telekom Rechnungen oder Vodafone Rechnung (EXE in ZIP) werden derzeit in hauptsächliche deutsche Postfächer geliefert. Betreff ist „Telekom E-Mail mit dem Betreff: RechnungOnline Monat Mai 2014, Buchungskonto: 2962325641“ oder „Ihre Rechnung vom 14.05.2014 steht als PDF bereit“. Erkennungsrate liegt wieder einmal unter 5%. Die […]

Leave a comment Continue Reading →

Howto detect Ebury SSH Backdoor

Die folgende Yara Signatur kann für die Erkennung der Ebury SSH Backdoor verwendet werden. rule Ebury_SSHD_Malware_Linux { meta: description = "Ebury Malware" author = "Florian Roth" hash = "4a332ea231df95ba813a5914660979a2" strings: $s0 = "keyctl_set_reqkey_keyring" fullword $s1 = "recursive_session_key_scan" fullword $s2 = "keyctl_session_to_parent" fullword $s3 = "keyctl_assume_authority" fullword $s4 = "keyctl_get_security_alloc" fullword $s5 = "keyctl_instantiate_iov" fullword $s6 […]

Leave a comment Continue Reading →