Tag Archives: detect
Endpoint Attacker Detection

Synergetic Effects of Network and Host Based APT Detection

People often ask me if they still need our host-based scanner THOR now that they have bought a network appliance that already checks all content entering and leaving their network. I normally answer that it is not a question of one solution versus another, but of a combination of solutions to achieve the […]


APT Detection is About Metadata

People often ask me why we changed the name of our scanner from "IOC" to "APT" scanner, and whether we did that only for marketing reasons. But don't worry, this blog post is just as little a sales pitch as it is an attempt to create a new product class. I'll show you why APT […]

Signature Matching sethc.exe

Inverse Yara Signature Matching (Part 1/2)

During our investigations we encountered situations in which attackers replaced valid system files with other system files to achieve persistence and establish a backdoor on the systems. The most frequently used method was the replacement of "sethc.exe" with the valid command-line interpreter "cmd.exe" to establish a backdoor right in the logon screen by pressing shift […]


Howto detect Ebury SSH Backdoor

The following Yara signature can be used to detect the Ebury SSH backdoor.

rule Ebury_SSHD_Malware_Linux {
    meta:
        description = "Ebury Malware"
        author = "Florian Roth"
        hash = "4a332ea231df95ba813a5914660979a2"
    strings:
        $s0 = "keyctl_set_reqkey_keyring" fullword
        $s1 = "recursive_session_key_scan" fullword
        $s2 = "keyctl_session_to_parent" fullword
        $s3 = "keyctl_assume_authority" fullword
        $s4 = "keyctl_get_security_alloc" fullword
        $s5 = "keyctl_instantiate_iov" fullword
        $s6 […]
