signature-base
yara-python
| | signature-base | yara-python |
|---|---|---|
| Mentions | 12 | 1 |
| Stars | 2,329 | 623 |
| Growth | - | 2.1% |
| Activity | 9.2 | 6.7 |
| Latest commit | 7 days ago | about 1 month ago |
| Language | YARA | C |
| License | GNU General Public License v3.0 or later | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
signature-base
- Xzbot: Notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094)

  > It doesn't matter.

  To understand the exact behavior and extent of the backdoor, this does matter. An end-to-end proof of how it works is exactly what was needed.

  > A way to check if servers are vulnerable is probably by querying the package manager

  Yes, this has been known since the initial report, plus later discovering what exact strings are present in the payload.

  https://github.com/Neo23x0/signature-base/blob/master/yara/b...

  > Not very sophisticated, but it'll work.

  Unfortunately, we live in a world with closed servers and appliances; being able, as a customer or pen tester, to rule out a certain class of security issues without having the source or insights available is usually desirable.
- Exploit Outlook CVE-2023-23397 Yara - to detect .msg files exploiting CVE-2023-23397 in Microsoft Outlook
- OneNote Yara rule
- New Exchange Zero Day rumours [29th September]
  * Run the following YARA rules over your logs and aspx files in INSTALL_DIRECTORY/Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\ https://github.com/Neo23x0/signature-base/blob/master/yara/expl_proxyshell.yar
- Nvidia Breach
  If you have a Yara detection platform, Florian Roth’s rules should detect executables signed with this. https://github.com/Neo23x0/signature-base/blob/master/yara/gen_nvidia_leaked_cert.yar
- Evidence of a log4j attack found - Now what?
  Uses these YARA rules to read JAR, LOG, and TXT files on the system, throwing warnings if any log4shell-looking payloads are found based on those various rules.
- Yara rule to detect ProxyToken exploitation
- APT29 / NOBELIUM VirusTotal retro hunt results using 12 newly released Yara rules
  Rules: https://github.com/Neo23x0/signature-base/blob/master/yara/apt_apt29_nobelium_may21.yar
- What are the best FOSS YARA rules you would recommend to deploy?
yara-python
- Pros and Cons of Rust for Cybersecurity
  But, due to the young ecosystem, Rust isn't often the best choice for the 2nd category. There are exceptions: while working on a ROP exploitation CLI tool, I was surprised to find the top 3 fastest x86-64 disassemblers are all written in Rust. But other languages just have more mature security ecosystems. Python in particular has some amazing libraries like scapy and bindings for yara.
What are some alternatives?
- malware-ioc - Indicators of Compromise (IOC) of our various investigations
- awesome-yara - A curated list of awesome YARA rules, tools, and people.
- Loki - Loki - Simple IOC and YARA Scanner
- a-ray-grass - a-ray-grass is a yara module that provides support for DCSO-format bloom filters in yara. In the context of hashlookup, it allows quickly discarding known files "to separate the wheat from the chaff".
- scapy - Scapy: the Python-based interactive packet manipulation program & library. Supports Python 2 & Python 3.
- ThreatHunting - Tools for hunting for threats.
- xgadget - Fast, parallel, cross-variant ROP/JOP gadget search for x86/x64 binaries.
- reversinglabs-yara-rules - ReversingLabs YARA Rules
- yara - The pattern matching swiss knife
- audit-node-modules-with-yara - Audit Node Module folder with YARA rules to identify possible malicious packages hiding in node_modules
- disas-bench - x86 disassembler benchmark