Tag Archives: detection

How to Write Simple but Sound Yara Rules – Part 3

It has been a while since I wrote „How to Write Simple but Sound Yara Rules – Part 2„. Since then I changed my rule creation method to generate more versatile rules that can also be used for in-memory detection. Furthermore new features were added to yarGen and yarAnalyzer. Binarly The most important feature of […]

Leave a comment Continue Reading →
System Files Typical File Size Detection with YARA

YARA Rules to Detect Uncommon System File Sizes

YARA is an awesome tool especially for incident responders and forensic investigators. In my scanners I use YARA for anomaly detection on files. I already created some articles on „Detecting System File Anomalies with YARA“ which focus on the expected contents of system files but today I would like to focus on the size of […]

Leave a comment Continue Reading →
Endpoint Attacker Detection

Synergetic Effects of Network and Host Based APT Detection

People often ask me if they still need our host based scanner THOR now that they have bought a network appliance that already checks all content that goes into and leaves their network. I normally answer that it is not a question of one solution versus another, but a combination of solutions to achieve the […]

2 Comments Continue Reading →
Yara Signatures

How to Write Simple but Sound Yara Rules – Part 2

Months ago I wrote a blog article on „How to write simple but sound Yara rules„. Since then the mentioned techniques and tools have improved. I’d like to give you a brief update on certain Yara features that I frequently use and tools that I use to generate and test my rules. (mehr …)

6 Comments Continue Reading →

Detect System File Manipulations with SysInternals Sysmon

SysInternals Sysmon is a powerful tool especially when it comes to anomaly detection. I recently developed a method to detect system file manipulations, which I would like to share with you. We know how to track processes with the standard Windows audit policy option „Audit process tracking“, but Sysmon messages contain much more information to […]

3 Comments Continue Reading →

APT Detection is About Metadata

People often ask me, why we changed the name of our scanner from „IOC“ to „APT“ scanner and if we did that only for marketing reasons. But don’t worry, this blog post is just as little a sales pitch as it is an attempt to create a new product class. I’ll show you why APT […]

1 Comment Continue Reading →
Yara Anomaly Scanner

How to Scan for System File Manipulations with Yara (Part 2/2)

As a follow up on my first article about inverse matching yara rules I would like to add a tutorial on how to scan for system file manipulations using Yara and Powershell. The idea of inverse matching is that we do not scan for something malicious that we already know but for anomalies within the […]

9 Comments Continue Reading →
IMG_4804_mod

Linux Sicherheit – Rootkits automatisch erkennen

Ein wichtiger Teil unserer Arbeit ist es, Risiken in IT-Systeme zu identifizieren, diese auszuschließen oder auf ein hinreichendes Niveau zu minimieren. Bei der Planung von Sicherheitsarchitekturen nimmt die Verwendung von automatisierten Malwarescannern schon lange einen elementaren Platz ein. Clientsysteme ohne Anti-Viren-Programm sind nahezu undenkbar. Ein anderes Bild zeigt sich jedoch, trotz eines erhöhen Schutzbedarfs, bei […]

Leave a comment Continue Reading →