Comments for Nextron Systems
https://www.nextron-systems.com/
We Detect Hackers
Fri, 03 Feb 2023 14:35:15 +0000

Comment on How to Write Simple but Sound Yara Rules – Part 3 by Florian Roth
https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/#comment-44
Tue, 31 Oct 2017 09:21:53 +0000
https://www.bsk-consulting.de/?p=1402#comment-44
In reply to Murad.

The default maximum file size is 10MB. Use the parameter “-fs 15” to process your file. (see the help)

Comment on How to Write Simple but Sound Yara Rules – Part 3 by Murad
https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/#comment-43
Tue, 31 Oct 2017 08:07:39 +0000
https://www.bsk-consulting.de/?p=1402#comment-43
Hi Florian,
I have tried yarGen, but I have a case where it does not produce any rule for some malware. I tried many combinations of parameters, however to no avail. The sample is Artemis: InstallBC201401.exe
MD5: caff801a280d42dbd1ad6b1266d3c43a
SHA1: 08b9f5874ad1dc3ee1093c9cd08737645f33f13f
SHA256: 834d1dbfab8330ea5f1844f6e905ed0ac19d1033ee9a9f1122ad2051c56783dc

Comment on How to Scan for System File Manipulations with Yara (Part 2/2) by Joe
https://www.nextron-systems.com/2014/08/28/scan-system-files-manipulations-yara-inverse-matching-22/#comment-19
Mon, 08 May 2017 18:05:57 +0000
http://www.bsk-consulting.de/?p=941#comment-19
Thank you for this tutorial, it has been very helpful, especially to those of us who do not script regularly. I do have one question though, and I assume it is fairly simple…
I modified your script as follows:
# Walk every file below the first host's admin share; errors (e.g. access denied) are discarded
Get-ChildItem -Recurse -Filter *.* \\1.2.3.4\c$\ 2> $null |
ForEach-Object { Write-Host -ForegroundColor "green" "Scanning" $_.FullName $_.Name; ./yara64.exe -d "filename=$($_.Name)" ioc.yar $_.FullName 2> $null }
# Same scan against the second host
Get-ChildItem -Recurse -Filter *.* \\1.2.3.5\c$\ 2> $null |
ForEach-Object { Write-Host -ForegroundColor "green" "Scanning" $_.FullName $_.Name; ./yara64.exe -d "filename=$($_.Name)" ioc.yar $_.FullName 2> $null }
My question is, how can I modify it so that it writes a log file for every host it scans, with the file only noting instances where the string(s) from ioc.yar are found?

Comment on Synergetic Effects of Network and Host Based APT Detection by Mitch Impey
https://www.nextron-systems.com/2015/10/27/synergetic-effects-of-network-and-host-based-apt-detection/#comment-42
Fri, 17 Feb 2017 10:36:02 +0000
https://www.bsk-consulting.de/?p=1372#comment-42
If endpoints were always static and never left the network, then we could have a discussion. However, we know this is not the case, so the dual approach is required and assuming even greater importance day by day.

Comment on How to Fall Victim to Advanced Persistent Threats by Mitch Impey
https://www.nextron-systems.com/2016/05/04/how-to-fall-victim-to-apt/#comment-45
Fri, 17 Feb 2017 10:32:37 +0000
https://www.bsk-consulting.de/?p=1405#comment-45
Excellent article. Thank you all 🙂

Comment on How to Write Simple but Sound Yara Rules – Part 2 by Florian Roth
https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/#comment-40
Sun, 12 Jun 2016 12:31:21 +0000
https://www.bsk-consulting.de/?p=1343#comment-40
In reply to Udit Gupta.

The hash is meant as a reference to an actual sample on which the rule is based. It means that you can get this sample and test the rule against it.

Comment on How to Write Simple but Sound Yara Rules – Part 2 by Udit Gupta
https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/#comment-39
Thu, 09 Jun 2016 19:41:02 +0000
https://www.bsk-consulting.de/?p=1343#comment-39
Thanks a lot for this wonderful writeup… I had a query: the ‘hash’ value inside the rule under the heading ‘meta’, is it the hash of the file we are running our rule against? What is the significance of including a hash in a Yara rule?

Comment on How to Write Simple but Sound Yara Rules by Florian Roth
https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/#comment-28
Thu, 28 Apr 2016 18:53:26 +0000
https://www.bsk-consulting.de/?p=1130#comment-28
In reply to Ryan.

Try using 7zip
http://www.7-zip.org/download.html

Comment on How to Write Simple but Sound Yara Rules by Ryan
https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/#comment-27
Thu, 28 Apr 2016 17:54:42 +0000
https://www.bsk-consulting.de/?p=1130#comment-27
Hi Florian,
How do I unzip the db.zip.001 files on Windows? I’ve tried removing the numbers from the file names and unzipping, but the file is not recognized as a zipped archive.
Thanks!

Comment on How to Write Simple but Sound Yara Rules – Part 2 by How to Write Simple but Sound Yara Rules – Part 3 - BSK Consulting GmbH
https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/#comment-38
Fri, 15 Apr 2016 11:04:21 +0000
https://www.bsk-consulting.de/?p=1343#comment-38
[…] has been a while since I wrote “How to Write Simple but Sound Yara Rules – Part 2”. Since then I changed my rule creation method to generate more versatile rules that can also […]
