| https://twitter.com/captainGeech42 | |
| Bluesky | https://bsky.app/profile/captaingee.ch |
Zander
- 118 Followers
- 298 Following
- 39 Posts
cybercrime connoisseur and second breakfast enthusiast | hax w/ OSUSEC
#100DaysOfYARA Days 22/23: Wrote a couple of rules based on an idea I stole from @stvemillertime
on looking for RWX memory allocations with VirtualAlloc by examining the argument setups before the call instructions
#100DaysOfYara Day 21 (little behind...): Let's look for people putting things on VT they shouldn't be ;)
after running a goodware hunt i think this is a trash idea but we'll see tomorrow))
#100DaysOfYara Day 20: Had an idea to look for PE files with a resource but don't overtly import the resource APIs via the IAT, an interesting hunting rule concept.
#100DaysOfYara Days 18/19: Little behind but have a couple rules here, one is an improvement on the exploit log prefixes inspired by a convo with @stvemillertime , and another looking for PEs with hacking forums in them, nothing legit there ;)
#100DaysOfYara Day 17: Only thing better than my exploit code is other people's exploit code, so wrote another rule to start trying to do more hunting on these. This one FPs a ton, will tune it another day, too tired rn
#100DaysOfYara Day 15: Wrote a quick rule to look for LNK files that run encoded PowerShell commands. Can't retrohunt the lnk module so this almost certainly hsa a lot of FP, but should be a good starting point. Requires yara-x (lnk.cmd_line_args).
https://github.com/100DaysofYARA/2024/pull/75/commits/b253540aaeb352b8c315e38fa89444443333bb75
#100DaysOfYara Day 14: Tired from Shmoocon so made a quick rule to look for @vertexproject Synapse nodes files #nodesoritdidnthappen ;)
#100DaysOfYara Day 13: I just learned that QEMU supports dynamically loaded plugins at runtime, so I wrote a hunting rule for these to start hunting for any malicious ones that may have been created.