#100daysofYARA - day 12
VirusTotal uses CAPE sandbox to identify many malware families and determine if they can extract the malware's configuration. Since they use CAPE, we can often see their logic. Today, we'll suggest edits to a rule for AgentTesla.
Rule at end.
1/10
#100DaysofYARA - Day 11
In looking at automatic YARA generation, yarGen-Go is a must. Just released by @cyb3rops, it is a rewrite and advancement from the original yarGen.
We'll look at the same malware from day 10; a targeted HavocC2 loader with decoy.
rule at bottom
1/5
#100DaysofYara - day 10
There are a few lines of thinking around automatic YARA generation. I'm exploring these as part of this challenge. Today's we'll look at MCRIT.
MCRIT asks what do we learn by comparing samples? Can we find functions unique to the family?
rule at end
1/5
#100DaysofYARA - Day 9
YARA looks for the header used in a .SCPT file used by BlueNoroff (DPRK) to target MacOS systems.
Script is delivered to victims disguised as a Zoom meeting launcher.
e.g. a7c7d75c33aa809c231f1b22521ae680248986c980b45aa0881e19c19b7b1892
Rule at end
1/3
#100DaysofYARA - Day 8
For many years, many attackers tried to keep their binaries small. However, the others found the opposite works too: extremely large binaries can cause problems with analysis.
What can be done about these large executables?
Rule at end
1/6
#100DaysofYARA - Day 7
@malwrhunterteam identified a suspicious file signed by "Xiamen Jialan Guang Information Technology Service Co., Ltd."
While we have a pretty good idea it'll be abused, it hasn't been yet.
So, lets watch for it to be abused.
Rule at end
1/5
#100DaysofYARA - Day 6
In December and again in January, an unknown actor replaced the download on EmEditor's website with a malicious installer. Each time, the download was a trojan installer with a valid code-signing signature.
How can we detect this?
Rule at end
1/6
#100DaysofYARA - day 5
The Cert Graveyard project reports and documents abuse code-signing including Apple issued certificates.
When reporting a certificate, we want to ensure Apple has all the identifiers they need to investigate and act.
Rule at end
1/7
#100DaysofYARA - Day 4
One heavy user of code-signing certificates is Rhysida Ransomware.
In June, I created a YARA rule focusing on their malware to help me find and report their certificates. To do so, I had to create a YARA rule on the Rich PE Header.
Rule at end
1/7
#100DaysofYARA - Day 3
This relates to obfusheader discussed by @RussianPanda95 and @c0ner0ne.
If the dev is going to use hard-coded strings, lets use them to our advantage.
This thread will demo Malcat's YARA features.
Rule at end of thread
1/5
#100DaysofYARA - Day 2
YARA rule to detect the default Delphi darkmode dib icon.
I've seen this icon excessively over the years. Using @unpacme 's YARA hunting tools, I saw 0 known goodware and 800 packed junk.
Rule at end
1/4
@squiblydoo nice to see #100DaysofYARA on this site ๐
First day of #100daysOfYara
This YARA rule detects a technique used in #TrashAgent malware. The malware has a hard-coded list of apps to check for on the system. This YARA looks for the way they parse the list.
In the image, the list is demarcated with "nepo"
rule at end
1/7
I wrote how to use knowledge about .NET structures and streams for writing .NET Yara signatures.
E.g. IL code patterns, method signature definitions, GUIDs, compressed length
#GDATATechblog #100DaysOfYara
https://www.gdatasoftware.com/blog/2025/04/38145-yara-signatures-net-malware
๐ค Since the #100daysofYARA challenge started, I decided to release my YARA cheat sheet version 2, extracted from my book Visual Threat Intelligence!
I hope you will find it useful! Have fun ๐
And if you like this one you might like the full book: https://store.securitybreak.io/threatintel
๐คฉ 2024 My Personal Rewind: What a Year!!
My rewind couldnโt fit into the post, so I wrote a blog!
Here are some highlights, but I recommend checking out the blog for more details and personal insights! ๐
๐ January:
I started strong with #100DaysofYARA, released YaraToolkit, a tool for all things YARA, and DocYara, a RAG agent for YARA projects. I traveled to DC to present on Threat Intelligence + GenAI at the CTI Summit SANS Instituteโone of the top talks of the year!
๐ป February:
I presented at Jupyterthon, launched the Juniverse (catalog for InfoSec Jupyter notebooks), and released the ISOON Leak Investigation with GenAI capabilities for exploring leaked data.
๐ฌ March:
I created the MSTICpy GPT to assist with MSTICpy tasks. I spent a weekend analyzing the XZ Backdoor, creating 2 graphics to explain the threat during chaos, with over 1M views ๐โ it was featured by media, podcasts, and YouTube channels.
๐ฅ April:
We released the Unprotect Coin to reward top contributors with Jean-Pierre Lesueur and Loรฏs Marcinkowski ๐ดโโ ๏ธ
๐๏ธ May:
I discussed the XZ Backdoor analysis on the Microsoft Threat Intelligence Podcast hosted by Sherrod DeGrippo and appeared on Andre Camillo's youtube channel to talk GenAI + Threat Intelligence.
๐ June:
I taught the Blue Team Arsenal with Roberto Rodriguez (GenAI + Python for CTI) at x33fcon, amazing feedback! My book, Visual Threat Intelligence, won the Bronze Award ๐ฅ Foreword Reviews for Technology & Science.
๐ July:
My XZ Backdoor work was featured in PagedOut Zine from Gynvael Coldwindโan honor as a longtime fan of the zine.
๐ฆพ August:
We taught our training at BlackHat and I presented at Defcon about my XZ Backdoor analysis on the War Stories main stageโover 500 attendees (maybe more) in the room! ๐คฏ
๐ September:
I released FabricUI and I was a finalist for the SANS Difference Maker Award. I also appeared on Yaniv Hoffman YouTube channel to discuss Defcon and Blackhat.
๐ October:
I received my signed copy of Evasive Malware by Kyle Cucci, which I reviewed and was featured in.
๐จ November:
I presented at BSides Gold Coast, Hack.Sydney, and BSides Melbourne, where we introduced a 3D-printing village. I launched the Unprotect Project Scanner with Jean-Pierre Lesueur and joined Ricki Burke for a career cybersecurity webinar. I also published a blog on building a GenAI CTI assistant with MCP, ORKL and Claude.
๐ December:
I launched the GenAI x SEC Calendar, to share daily, code, experiments and tools for practical GenAI applications in cybersecurity. The feedback was overwhelming!
Thank you all for your continuous feedback and engagement, please have a look to the blog for all the links! I am also sharing the screenshot of my personal reflexion which couldn't fit in! ๐
โก๏ธ Blog: https://blog.securitybreak.io/2024-personal-rewind-what-a-year-8f2850e2fa0e
๐ GenAI x Sec Advent #17
We already covered RAG and Agents. Let's talk today about blending both of them! ๐
Earlier this year, for the #100DaysOfYARA I built YaraToolkit, a website for all things YARA and I also created DocYara. ๐ค
DocYara is a GenAI agent powered by a RAG packed with the YARA documentation and selected blogposts. DocYara can help you in the process of crafting YARA rules, refining it or optimizing it.
๐ It's free! You can check it out here on my website: https://yaratoolkit.securitybreak.io
I'm also dropping the slides from my presentations at
@HCKSYD
and Bsides Gold Coast where I presented these tools!
And hereโs a friendly reminder: #100DaysOfYARA kicks off in January. Maybe itโs time for me to update DocYara with automatic rule deployments as we already discussed! ๐
In search for some inspiration, I scrolled through https://www.garykessler.net/library/file_sigs.html and font files piqued my interest. I'll start with a generic rule for the OpenType font format. It is, as one might expect starting with "Open" and all, a registered trademark of Microsoft. This signature matches on the file magic and then puts some sensible boundaries in place that I've observed in font files on my local installation.
```
rule OpenTypeFontFile {
meta:
description = "Generic signature for the OpenType font format, excludes some unexpected but valid files to reduce false-positive rate"
author = "@larsborn"
date = "2024-03-10"
reference = "https://en.wikipedia.org/wiki/OpenType"
example_hash = "09bcc57b0f2b1518758831018922eadb2b3f279b56d13e1ba9aae04c1927a763"
DaysofYARA = "26/100"
condition:
uint32be(0) == 0x4f54544f // OTTO
and 4 < uint16be(4) and uint16be(4) < 100 // sensible range for table count
and uint16be(6) & 0xf == 0 // search range is often divisible by 16
}
```
#100DaysofYARA might have gotten missed but Lab52 had a cool report on a new loader for Turla's (TA420 ๐) Kazuar family
lets look for it by honing in on code in the export functions used for thread suspension, loading into mem, and DLL name style
https://lab52.io/blog/pelmeni-wrapper-new-wrapper-of-kazuar-turla-backdoor/
Kotlin is a programming language designed to completely interoperate with JAVA and the JVM. It is often used within Android applications and this rule matches on the file name `DebugProbesKt.bin` within an Android application which seems to be characteristic for Kotlin.
```
rule AndroidKotlinDebugProbesKt {
meta:
description = "Kotlin artifact needed to enable the builtin support for coroutines debugger in IDEA (DebugProbesKt.bin)"
author = "@larsborn"
date = "2024-02-18"
reference = "TODO"
example_hash = "158a19eb94aa2f3e2f459db69ee10276c73b945dd6c5f8fc223cf2d85e2b5e33"
DaysofYARA = "25/100"
strings:
$constant = "kotlin/coroutines/jvm/internal/DebugProbesKt"
condition:
uint32be(0) == 0xcafebabe
and uint16be(6) & 0xff >= 43 // major version
and 3 < uint16be(8) and uint16be(8) <= 3000 // sane constant pool count bounds
and uint16be(11) == 44 // length of first constant
and for all i in ( 1 .. uint16be(11) ) : ( // first constant printable
0x20 <= (uint16be(11 + i) & 0xff) and (uint16be(11 + i) & 0xff) < 127
)
and $constant at 13
}
```
