It has been a while since I wrote „How to Write Simple but Sound Yara Rules – Part 2„. Since then I changed my rule creation method to generate more versatile rules that can also be used for in-memory detection. Furthermore new features were added to yarGen and yarAnalyzer. Binarly The most important feature of […]
Tag Archives: yara
YARA Rules to Detect Uncommon System File Sizes
YARA is an awesome tool especially for incident responders and forensic investigators. In my scanners I use YARA for anomaly detection on files. I already created some articles on „Detecting System File Anomalies with YARA“ which focus on the expected contents of system files but today I would like to focus on the size of […]
How to Write Simple but Sound Yara Rules – Part 2
Months ago I wrote a blog article on „How to write simple but sound Yara rules„. Since then the mentioned techniques and tools have improved. I’d like to give you a brief update on certain Yara features that I frequently use and tools that I use to generate and test my rules. (mehr …)
How to Write Simple but Sound Yara Rules
During the last 2 years I wrote approximately 2000 Yara rules based on samples found during our incident response investigations. A lot of security professionals noticed that Yara provides an easy and effective way to write custom rules based on strings or byte sequences found in their samples and allows them as end user to […]
How to Scan for System File Manipulations with Yara (Part 2/2)
As a follow up on my first article about inverse matching yara rules I would like to add a tutorial on how to scan for system file manipulations using Yara and Powershell. The idea of inverse matching is that we do not scan for something malicious that we already know but for anomalies within the […]
Inverse Yara Signature Matching (Part 1/2)
During our investigations we encountered situations in which attackers replaced valid system files with other system files to achieve persistence and establish a backdoor on the systems. The most frequently used method was the replacement of the „sethc.exe“ with the valid command line „cmd.exe“ to establish a backdoor right in logon screen by pressing shift […]
Signatur für Windows 0-day EPATHOBJ Exploit
Am gestrigen Tage wurde eine 0-day Schwachstelle am Microsoft Windows Betriebssystem bekannt, die für sich allein betrachtet bereits als schwerwiegend betrachtet wird, in Zusammenhang mit den uns bekannten Angreifer-Werkzeugen wie dem Windows Credential Editor allerdings als kritisch für jede größere Microsoft Windows Domänen-Infrastruktur angesehen werden muss. Die im heise Artikel „Google-Forscher veröffentlicht Zero-Day-Exploit für Windows“ […]
Request a THOR Trial
White Papers
 |
APT Scanner THOR White Paper (DE) (PDF 1 MB) |
|
APT Scanner THOR White Paper (EN) (PDF 1 MB) |
|
APT Scanner THOR Slides (EN) (PDF 1.3 MB) |
|
THOR Cheat Sheet (PDF 0.07 MB) |
|
Splunk Übersicht (PDF 0.4 MB) |
|
Flyer der Hackerabwehr Schulung (PDF 0,5 MB) |
