Comments on: How to Scan for System File Manipulations with Yara (Part 2/2)
https://www.nextron-systems.com/2014/08/28/scan-system-files-manipulations-yara-inverse-matching-22/
We Detect Hackers
Thu, 02 Feb 2023 16:22:34 +0000

By: Joe https://www.nextron-systems.com/2014/08/28/scan-system-files-manipulations-yara-inverse-matching-22/#comment-19 Mon, 08 May 2017 18:05:57 +0000 http://www.bsk-consulting.de/?p=941#comment-19
Thank you for this tutorial, it has been very helpful, especially to those of us who do not script regularly. I do have one question though, and I assume it is fairly simple…
I modified your script as follows:
Get-ChildItem -Recurse -filter *.* \\1.2.3.4\c$\ 2> $null |
ForEach-Object { Write-Host -foregroundcolor "green" "Scanning"$_.FullName $_.Name; ./yara64.exe -d filename=$_.Name ioc.yar $_.FullName 2> $null }
Get-ChildItem -Recurse -filter *.* \\1.2.3.5\c$\ 2> $null |
ForEach-Object { Write-Host -foregroundcolor "green" "Scanning"$_.FullName $_.Name; ./yara64.exe -d filename=$_.Name ioc.yar $_.FullName 2> $null }
My question is, how can I modify it so that it writes a log file for every host it scans, with the file only noting instances where the string(s) from ioc.yar are found?
By: YARA Rules to Detect Uncommon System File Sizes - BSK Consulting GmbH https://www.nextron-systems.com/2014/08/28/scan-system-files-manipulations-yara-inverse-matching-22/#comment-18 Tue, 22 Dec 2015 08:23:28 +0000 http://www.bsk-consulting.de/?p=941#comment-18
[…] In my scanners I use YARA for anomaly detection on files. I already created some articles on „Detecting System File Anomalies with YARA“ which focus on the expected contents of system files but today I would like to focus on the […]
By: APT Detection is About Metadata - BSK Consulting GmbH https://www.nextron-systems.com/2014/08/28/scan-system-files-manipulations-yara-inverse-matching-22/#comment-17 Tue, 10 Mar 2015 14:39:23 +0000 http://www.bsk-consulting.de/?p=941#comment-17
[…] content for a certain file name with the actual content of the file. I described this method in a blog article and Chad Tilbury from Crowdstrike described how to apply this method using their CrowdResponse […]
By: chrisg https://www.nextron-systems.com/2014/08/28/scan-system-files-manipulations-yara-inverse-matching-22/#comment-16 Fri, 29 Aug 2014 15:51:16 +0000 http://www.bsk-consulting.de/?p=941#comment-16
Yes, that did the trick! Thank you so much for your help.
By: Florian Roth https://www.nextron-systems.com/2014/08/28/scan-system-files-manipulations-yara-inverse-matching-22/#comment-15 Fri, 29 Aug 2014 15:46:30 +0000 http://www.bsk-consulting.de/?p=941#comment-15 In reply to chrisg.

Just copy the code again.
It should be:
… $_.FullName 2> $null } …
By: chrisg https://www.nextron-systems.com/2014/08/28/scan-system-files-manipulations-yara-inverse-matching-22/#comment-14 Fri, 29 Aug 2014 15:44:11 +0000 http://www.bsk-consulting.de/?p=941#comment-14
Sorry Florian, excuse my lack of knowledge, I am new to this. What exactly do you mean? Are you saying to switch the “&” with “>”?
Thanks for your help.
By: Florian Roth https://www.nextron-systems.com/2014/08/28/scan-system-files-manipulations-yara-inverse-matching-22/#comment-13 Fri, 29 Aug 2014 15:33:46 +0000 http://www.bsk-consulting.de/?p=941#comment-13 In reply to chrisg.

There was an encoding problem with the “code colorer” plugin. It used the HTML representation of “>” instead of the actual symbol.
I fixed that bug.
By: chrisg https://www.nextron-systems.com/2014/08/28/scan-system-files-manipulations-yara-inverse-matching-22/#comment-12 Fri, 29 Aug 2014 15:23:11 +0000 http://www.bsk-consulting.de/?p=941#comment-12
I am trying to test this out on a Win7 VM and for some reason I am getting an error when I run the batch file.
“Ampersand not allowed. The & operator is reserved for future use;..”
If I remove the & from the PS script it seems to run, but it looks like it says “Error scanning 2gt file”.
Any idea how to correct this?
$_.FullName 2> $null }
Thanks in advance.
By: chris g https://www.nextron-systems.com/2014/08/28/scan-system-files-manipulations-yara-inverse-matching-22/#comment-11 Fri, 29 Aug 2014 12:26:37 +0000 http://www.bsk-consulting.de/?p=941#comment-11
Awesome article. Thank you for sharing.
By: Inverse Yara Signature Matching - BSK Consulting GmbH https://www.nextron-systems.com/2014/08/28/scan-system-files-manipulations-yara-inverse-matching-22/#comment-10 Fri, 29 Aug 2014 06:47:18 +0000 http://www.bsk-consulting.de/?p=941#comment-10
[…] Thanks to Chad for the back reference to our blog. I even created more rules that match on valid Windows system files and described a way to scan a system with Windows PowerShell. You can find the second part of my article here. […]