Yara gui

Author: g | 2025-04-24

★★★★☆ (4.5 / 2838 reviews)

Download arixcel accounts

yara-gui. Contribute to Mr-AnyThink/yara-gui development by creating an account on GitHub. yara-gui. Contribute to Mr-AnyThink/yara-gui development by creating an account on GitHub.

encrypt programs

Mr-AnyThink/yara-gui: yara-gui - GitHub

From resources, etc.).***Text/Binary Pattern Scanner** | [YARA]( | [Open Source] *Create descriptions of, and rules based on, textual or binary patterns. Excellent for creating custom rules for tasks like identifying resources in a game, game engine and version being used for a game, etc. See [YARA GUI]( for a Windows GUI front-end. Also, see [yarGen]( for a YARA rule generator.***Injector** | [Xenos]( | [Open Source] *A Windows DLL injector, based on the [Blackbone library]( | [Compiler Explorer]( | [Open Source] *Run compilers interactively from your web browser and interact with the assembly!***Memory Scanner/Tracer** | [PSR (Pointer Sequence Reverser)]( | [Open Source] *Traces instructions executed prior to reading/writing from/to the provided address of a data member or object, then highlights relevant instructions, identifies vtable pointers, and more. Relevant whitepaper [here]( Scanner/Data Structure Scanner** | [XenoScan]( | [Open Source] *Lua scriptable memory scanner written in C++. Supports complex scanning, custom structures, and automatic detection of complex structures (linked lists, binary tress, class instances, etc). Expandable with support for emulators. DEFCON Slides [here]( Libraries, Frameworks, Plugins/Add-ons/Extensions, Etc.Title/Link | Description---- | ----[Lighthouse]( | Code coverage plugin for IDA Pro. The plugin leverages IDA as a platform to map, explore, and visualize externally collected code coverage data when symbols or source may not be available for a given binary.[Kaitai Struct]( | A declarative language used to describe various binary data structures in files or memory (binary file formats, network stream packet formats, etc.). Allows for development of custom parsers for binary structures.[Frida]( | Allows you to inject snippets of JavaScript or your own library into native apps on Windows, macOS, GNU/Linux, iOS, Android, and QNX. Also provides custom, modifiable tools built on top of the Frida API. Beginner's tutorial [here]( | An open source, advanced memory forensics framework used for the extraction of digital artifacts from volatile memory (RAM) dumps. Great for exploring RAM dumps of running games![Rekall]( | A powerful memory analysis framework. Consider taking a look at [their memory analysis workshop]( which explains memory and memory analysis in great detail, as well as how to utilize their framework.[radare2]( | A portable reverse engineering framework that acts as a forensics tool, scriptable command line hex editor, binary analyzer, disassembler, debugger, and much more. An accompanying open source book on radare2 can be found [here]( | A suite of python libraries that let you load a binary and perform a whole host of tasks: Disassembly and intermediate-representation lifting, program instrumentation, symbolic execution, control-flow analysis, data-dependency analysis, value-set analysis (VSA), and more.[CeAutoAsm-x64dbg]( | An x64dbg plugin that allows users to execute Cheat Engine auto assembler scripts within x64dbg.[CEAutoAttach]( | An x64dbg add-on allowing you to automatically make Cheat Engine attach to a process.[SignatureScanner]( | A C++-based signature scanning library.[Hacklib]( | A C++ library for building applications that run as a shared library in another application. It provides general purpose functionality like pattern scanning, hooking, and laying out foreign classes. Additionally it contains some D3D and OpenGL drawing facilities and a cross-platform, high-performance, 3D-capable, transparent overlay.[Detours]( |

Download nimo codec pack

GitHub - cyberfilth/YARA-Llama: A GUI for YARA

Decoders, rules, and the Active Response module on the Wazuh server.1. Edit the file /var/ossec/etc/decoders/local_decoder.xml and include the following decoders: wazuh-yara: yara_decoder wazuh-yara: (\S+) - Scan result: (\S+) (\S+) log_type, yara_rule, yara_scanned_file yara_decoder wazuh-yara: (\S+) - Successfully deleted: (\S+) (\S+) log_type, yara_rule, yara_scanned_file yara_decoder wazuh-yara: (\S+) - Error removing threat: (\S+) (\S+) log_type, yara_rule, yara_scanned_file2. Edit the file /var/ossec/etc/rules/local_rules.xml on the Wazuh server and include the following rules: 550 (?i)C:\\Users.+Downloads File modified in the Downloads folder. 554 (?i)C:\\Users.+Downloads File added to the Downloads folder. yara_decoder Yara grouping rule 100100 wazuh-yara: INFO - Scan result: Yara scan result: File "$(yara_scanned_file)" is a positive match. Yara rule: $(yara_rule) 100100 wazuh-yara: INFO - Successfully deleted: Active Response: Successfully removed "$(yara_scanned_file)". YARA rule: $(yara_rule) 100100 wazuh-yara: INFO - Error removing threat: Active Response: Error removing "$(yara_scanned_file)". YARA rule: $(yara_rule) Where:Rule ID 100010 is triggered when a file is modified in the Downloads directory.Rule ID 100011 is triggered when a file is added to the Downloads directory.Rule ID 100100 is the base rule for detecting YARA events.Rule ID 100110 is triggered when YARA scans and detects a malicious file.Rule ID 100120 is triggered when the detected file has been successfully removed by the Wazuh active response module.Rule ID 100130 is triggered when the detected file is not removed successfully by Wazuh active response.3. Append the following configuration to the Wazuh server configuration file /var/ossec/etc/ossec.conf: yara yara.bat no yara local 100010,100011 4. Restart the Wazuh manager for the changes to take effect:# systemctl restart wazuh-managerVisualizing alerts on the Wazuh dashboardThe image below shows the alerts generated by the Wazuh dashboard when BLX stealer is dropped to the Downloads folder of the victim endpoint and executed. Perform the following steps to view the alerts on the Wazuh dashboard.1. Navigate to Threat intelligence > Threat Hunting.2. Click + Add filter. Then, filter for rule.id in the Field field.3. Filter for is one of in the Operator field.4. Filter for 553, 100010, 100011, 100110, 100120, and 100130 in the Values field.5. Click Save.ConclusionBLX Stealer, with its ability to steal valuable data, presents a serious threat to both organizations and individuals. Wazuh comes in as a solution to detect and respond to this malware.In this blog post, we showed how Wazuh combines real-time monitoring, and customizable rules to help security teams quickly spot BLX Stealer activity. By using these tools, organizations can take proactive measures to protect their systems and prevent sensitive information from being compromised.To learn more about Wazuh, please check out our documentation and blog posts.ReferencesCYFIRMA research – BLX Stealer.BLX Trojan Stealer – What It Is and How To Remove It.Wazuh documentation – Active response.

yara-gui/README.md at main Mr-AnyThink/yara-gui - GitHub

Craft more Semi-Auto Rifle ammo is a huge boon. Earning more parts ensures those weapons will only get better as the run progresses as well. However, being unable to craft Health Kits, an ability that every other character starts each run with, is a huge liability on higher difficulties. Inventory Hunting Pistol Semi-Auto Rifle Traits 50% More Parts 150% Max Health No Health Kit Recipe Semi-Auto Rifle Ammo Recipe Munitions Upgrade Branch 3 Abby – Close Combat Starting Weapons: Military Pistol, Hammer Abby tends to be a very strong pick for No Return almost solely because of a Trait that grants extra health when enemies are killed with melee attacks. The game mode's close quarters frequently devolve encounters into brawls, and being able to recoup the health lost in any failed dodges is incredibly helpful. Stealth killing an enemy grants health too, so wherever possible, getting through encounters as Abby quietly helps her stock up on supplies for the later rounds and boss fight. Inventory Military Pistol Hammer Traits Heal on Melee Kill Melee Upgrade Recipe Brawler Upgrade Branch 2 Yara – Teamwork Starting Weapon: Semi-Auto Pistol Yara's kit revolves entirely around her being paired with her younger brother, Lev. Normally, allies may be assigned at random for an encounter, but Yara always has Lev by her side. Her abilities are otherwise barebones, but the Ally Upgrade Branch eventually brings great results. It may take a little luck in Trading Post pulls for Yara to hold her own in deep runs on high difficulties, but leaning on Lev's help is an easy way to stay alive in No Return. Encounters that provide an ally to characters other than Yara will have a picture of said ally on the Encounter Board. Inventory Semi-Auto Pistol Traits Yara & Lev Pair Ally Upgrade Branch 1 Jesse – Resourceful Starting Weapons: Military Pistol (w/ Silencer), Pipe Bomb Jesse is the best character to use in No Return, and it's surprising he can be unlocked so quickly. His starting Military Pistol and single Pipe Bomb aren't necessarily incredible, but starting with a Silencer and the. yara-gui. Contribute to Mr-AnyThink/yara-gui development by creating an account on GitHub.

yara-gui/setup.sh at main Mr-AnyThink/yara-gui - GitHub

--pcap The md5/sha1/sha256 hash of the file whose network traffic dump you want to retrieve. Will save as hash.pcap --clusters A specific day for which we want to access the clustering details, example: 2013-09-10 --distribution-files Timestamps are just integer numbers where higher values mean more recent files. Both before and after parameters are optional, if they are not provided the oldest files in the queue are returned in timestamp ascending order. --distribution-urls Timestamps are just integer numbers where higher values mean more recent urls. Both before and after parameters are optional, if they are not provided the oldest urls in the queue are returned in timestamp ascending order.Distribution options: --before BEFORE File/Url option. Retrieve files/urls received before the given timestamp, in timestamp descending order. --after AFTER File/Url option. Retrieve files/urls received after the given timestamp, in timestamp ascending order. --reports Include the files' antivirus results in the response. Possible values are 'true' or 'false' (default value is 'false'). --limit LIMIT File/Url option. Retrieve limit file items at most (default: 1000). --allinfo will include the results for each particular URL scan (in exactly the same format as the URL scan retrieving API). If the parameter is not specified, each item returned will only contain the scanned URL and its detection ratio.Rules management options: --rules Manage VTI hunting rules, REQUIRED for rules management --list List names/ids of Yara rules stored on VT --create FILE Add a Yara rule to VT (File Name used as RuleName --update FILE Update a Yara rule on VT (File Name used as RuleName and must include RuleName --retro FILE Submit Yara rule to VT RetroHunt (File Name used as RuleName and must include RuleName --delete_rule DELETE_RULE Delete a Yara rule from VT (By Name) --share Shares rule with user --update_ruleset UPDATE_RULESET Ruleset name to update --disable DISABLE Disable a Yara rule from VT (By Name) --enable ENABLE Enable a Yara rule from VT (By Name)

yara-gui/indexWriter.py at main Mr-AnyThink/yara-gui - GitHub

Eventchannel7. Restart the Wazuh agent to apply the configuration changes by running the following PowerShell command as an administrator:> Restart-Service -Name wazuhWazuh serverPerform the following steps to configure detection rules on the Wazuh server.1. Create a new file /var/ossec/etc/rules/blx_stealer.xml:# touch /var/ossec/etc/rules/blx_stealer.xml2. Edit the file /var/ossec/etc/rules/blx_stealer.xml and include the following detection rules for BLX stealer: 92200 (?i)\\\\.+(exe|dll|bat|msi) (?i)\\\\temp.ps1 Possible BLX stealer activity detected: A rogue powershell script was dropped to system. T1105 92052 (?i)\\\\.+(exe|dll|bat|msi) (?i)\\\\Windows\\\\System32\\\\cmd.exe powershell.exe -ExecutionPolicy Bypass -File Possible BLX stealer activity detected: Rogue powershell script execution. T1059.003 92213 (?i)\\\\.+(exe|dll|bat|msi) (?i)\\\\Users\\\\[^\\\\]+\\\\AppData\\\\Local\\\\Temp\\\\decrypted_executable.exe Possible BLX stealer activity detected: Rogue executable was dropped to system. T1105 61613 (?i)\\\\Users\\\\[^\\\\]+\\\\AppData\\\\Local\\\\Temp\\\\decrypted_executable.exe (?i)\\\\Users\\\\[^\\\\]+\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\decrypted_executable.exe Possible BLX stealer persistence activity detected: Rogue executable was copied to users' startup folder to establish persistence. T1547.001 Where:Rule 100300 is triggered when BLX drops a rogue PowerShell script, temp.ps1 to the infected system.Rule 100310 is triggered when BLX executes the temp.ps1 PowerShell script.Rule 100320 is triggered when BLX drops an executable, decrypted_executable.exe in the Temp folder.Rule 100330 is triggered when BLX copies the rogue executable to the user %Startup% folder for persistence.3. Restart the Wazuh manager service to apply the changes.# systemctl restart wazuh-managerVisualizing alerts on the Wazuh dashboardThe screenshot below shows the alerts generated on the Wazuh dashboard when we execute the BLX sample on the victim endpoints. Perform the following steps to view the alerts on the Wazuh dashboard.1. Navigate to Threat intelligence > Threat Hunting.2. Click + Add filter. Then, filter for rule.id in the Field field.3. Filter for is one of in the Operator field.4. Filter for 100300, 100310, 100320, and 100330 in the Values field.5. Click Save.YARA integrationYARA is an open source and multi-platform tool that identifies and classifies malware samples based on their textual or binary patterns. In this blog post, we use the Wazuh Active Response capability to automatically execute a YARA scan on files added or modified in the Downloads folder.Windows endpointTo download and install YARA, we require the following packages installed on the victim endpoint:Python v 3.13.0.Microsoft Visual C++ 2015 Redistributable.Note: Make sure to select the following checkboxes on the installer dialog box during Python installation: Use admin privileges when installing py.exe.Add Python.exe to PATH.After installing the above packages, perform the steps below to download the YARA executable:1. Launch PowerShell with administrative privilege and download YARA:> Invoke-WebRequest -Uri -OutFile v4.5.2-2326-win64.zip2. Extract the YARA executable:> Expand-Archive v4.5.2-2326-win64.zip3. Create a folder called C:\Program Files (x86)\ossec-agent\active-response\bin\yara\ and copy the YARA binary into it:> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara'> cp .\v4.5.2-2326-win64\yara64.exe 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara'Perform the steps below to download YARA rules:4. Using the same PowerShell terminal launched earlier, install valhallaAPI using the pip utility. This allows you to query thousands of handcrafted YARA and Sigma rules in different

GitHub - cyberfilth/YARA-Llama: A GUI for YARA malware

Mimikatz execution. We can collect the required data with the following command.SilkETW.exe -t kernel -kk ImageLoad -ot file -p C:\Users\b33f\Desktop\mimikatz.jsonWith data in hand it is easy to sort, grep and filter for the properties we are interested in.YaraSilkETW includes Yara functionality to filter or tag event data. Again, this has obvious defensive capabilities but it can just as easily be used to augment your ETW research.In this example we will use the following Yara rule to detect Seatbelt execution in memory through Cobalt Strike's execute-assembly.rule Seatbelt_GetTokenInformation{ strings: $s1 = "ManagedInteropMethodName=GetTokenInformation" ascii wide nocase $s2 = "TOKEN_INFORMATION_CLASS" ascii wide nocase $s3 = /bool\(native int,valuetype \w+\.\w+\/\w+,native int,int32,int32&/ $s4 = "locals (int32,int64,int64,int64,int64,int32& pinned,bool,int32)" ascii wide nocase condition: all of ($s*)}We can start collecting .Net ETW data with the following command. The "-yo" option here indicates that we should only write Yara matches to disk!SilkETW.exe -t user -pn Microsoft-Windows-DotNETRuntime -uk 0x2038 -l verbose -y C:\Users\b33f\Desktop\yara -yo matches -ot file -p C:\Users\b33f\Desktop\yara.jsonWe can see at runtime that our Yara rule was hit.Note also that we are only capturing a subset of the "Microsoft-Windows-DotNETRuntime" events (0x2038), specifically: JitKeyword, InteropKeyword, LoaderKeyword and NGenKeyword.How to get SilkETW & SilkService?You can either download the source and compile it in Visual Studio. Please note that you can get the community edition of Visual Studio free of charge. Or you can grab the latest pre-built version from releases.Future WorkChangelogFor details on version specific changes, please refer to the Changelog.RoadMapOffer users the option to write trace data to disk as *.etl files.Offer users the option to write trace data to the Windows event log. (v0.5+)Offer users pre-compiled releases. (v0.6+)Create a separate instance (SilkService) which can be deployed as a service with a configuration file. (v0.7+)Suggestions welcome!

Release - YARA GUI by Dila

Hi. Today I installed the same Yara iso on a laptop I have:yara-osx-4.0.iso.Bluetooth doesn't work, when I go to close the system it doesn't close and a series of other errors.I have observed that when I installed Yara on the desktop computer it recognized the main disk as sda5, if I made a symbolic link to home of any file it did not recognize this disk as home, I had to make the symbolic link to /mnt/sda5.Even so, on the desktop computer everything worked perfectly with Yara.But when I installed Yara on the laptop it recognized the main disk as /mnt/sda1.And from here on all the problems come.I think the problem may be how Yara was compiled.Because it is very rare that with the same ISO on one computer it works perfectly and on another it has problems.I think that regardless of the hard drives that the computer has, the distribution should recognize the main disk as: /mnt/home . Because if it does not, that is where the problems will begin.This is not the first Puppy distribution where I have had the experience of shutting down the system and the screen goes black with the typical message like in this case: "fossapuppy64 shutdown" but it never ends up shutting down.Please "fmiguel" don't take this as criticism, it's just for you to keep in mind in case you can solve it.I think your Yara distribution is very good and I will continue using it.Greetings and thanks.. yara-gui. Contribute to Mr-AnyThink/yara-gui development by creating an account on GitHub. yara-gui. Contribute to Mr-AnyThink/yara-gui development by creating an account on GitHub.

Download comodo backup 4.2.2.15

Yara X Gui Profiles - Facebook

6f 6e 65 5f 73 74 72 69 6e 67 } $str11 = { 49 63 4f 70 } $str12 = { 54 24 48 48 } $str13 = { 5c 24 30 48 } $str14 = { 5c 24 58 48 } $str15 = { 64 24 40 48 } $str16 = { 67 65 74 73 6f 63 6b 6f 70 74 } $str17 = { 73 74 72 65 73 73 20 74 68 65 20 47 43 20 63 6f 6d 70 61 63 74 6f 72 20 74 6f 20 66 6c 75 73 68 20 6f 75 74 20 62 75 67 73 20 28 69 6d 70 6c 69 65 73 20 2d 2d 66 6f 72 63 65 5f 6d 61 72 6b 69 6e 67 5f 64 65 71 75 65 5f 6f 76 65 72 66 6c 6f 77 73 29 } $str18 = { 74 24 38 48 } $str19 = { 74 24 60 48 } $blx_stealer_network = " ascii wide nocase $blx_stealer_network1 = " ascii wide nocase $blx_stealer_network2 = " ascii wide nocase $blx_stealer_hash1 = "8c4daf5e4ced10c3b7fd7c17c7c75a158f08867aeb6bccab6da116affa424a89" $blx_stealer_hash2 = "e74dac040ec85d4812b479647e11c3382ca22d6512541e8b42cf8f9fbc7b4af6" $blx_stealer_hash3 = "32abb4c0a362618d783c2e6ee2efb4ffe59a2a1000dadc1a6c6da95146c52881" $blx_stealer_hash4 = "5b46be0364d317ccd66df41bea068962d3aae032ec0c8547613ae2301efa75d6" condition: (all of ($str*) or any of ($blx_stealer_network*) or any of ($blx_stealer_hash*))}8. Edit the Wazuh agent file C:\Program Files (x86)\ossec-agent\ossec.conf and add the below configuration within the block to monitor the Downloads folders of all users in real-time:C:\Users\*\DownloadsNote: In this blog post, we monitor the Downloads folders of all users. However, you can configure other folders you intend to monitor.9. Create a batch file yara.bat in the C:\Program Files (x86)\ossec-agent\active-response\bin\ folder. The Wazuh active response module uses this file to perform YARA scans for malware detection and removal::: This script is meant to delete BLX Stealer and other malicious files matched by the YARA rules@echo offsetlocal enableDelayedExpansion:: Determine OS architecturereg Query "HKLM\Hardware\Description\System\CentralProcessor\0" | find /i "x86" > NUL && SET OS=32BIT || SET OS=64BITif %OS%==32BIT ( SET log_file_path="%programfiles%\ossec-agent\active-response\active-responses.log")if %OS%==64BIT ( SET log_file_path="%programfiles(x86)%\ossec-agent\active-response\active-responses.log"):: Read input from OSSEC agentset input=for /f "delims=" %%a in ('PowerShell -command "$logInput = Read-Host; Write-Output $logInput"') do ( set input=%%a):: File paths for operationsset json_file_path="C:\Program Files (x86)\ossec-agent\active-response\stdin.txt"set yara_exe_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\yara64.exe"set yara_rules_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar"set syscheck_file_path=echo %input% > %json_file_path%FOR /F "tokens=* USEBACKQ" %%F IN (`Powershell -Nop -C "(Get-Content 'C:\Program Files (x86)\ossec-agent\active-response\stdin.txt'|ConvertFrom-Json).parameters.alert.syscheck.path"`) DO (SET syscheck_file_path=%%F)echo %syscheck_file_path% >> %log_file_path%:: Perform YARA scan on the detected filefor /f "delims=" %%a in ('powershell -command "& "%yara_exe_path%" "%yara_rules_path%" "%syscheck_file_path%""') do ( echo wazuh-yara: INFO - Scan result: %%a >> %log_file_path% :: Deleting the scanned file. del /f "%syscheck_file_path%" echo wazuh-yara: INFO - Successfully deleted: %%a >> %log_file_path%)exit /b10. Restart the Wazuh agent to apply the changes:> Restart-Service -Name wazuhWazuh serverPerform the following steps to configure custom

Actions oPensyLar/yara-gui - GitHub

And searching them quickly. We can use AppAnyRun to further analyze the heterogenous networks and execution behaviors of these acquired samples.We have identified another similar sample, which is an XLS document named “MONITIORING REPORT.xls” with the MD5 hash 5d7d2371668ad4a6484f76b0b6511961 (Figure 16). Let’s attempt to triage this newly discovered sample and qualify the relationship back to FIN11.Figure 16: VirusTotal execution report of 5d7d2371668ad4a6484f76b0b6511961Extracting interesting strings and indicators from this sample allows us to compare these artifacts against our own dynamic analysis. If we can’t access the original malware sample, but we have other indicators to hunt with, we could also pivot on various unique characteristics and attributes (e.g., imphash, vthash, pdb string, etc...) to discover related samples.Even without access to the sample, we can also use YARA to mine for similar malware samples. One such source to mine is using the mquery tool and their datasets offered via CERT.PL. To fast track the creation of a YARA rule, we leverage the FIN11 YARA rule provided within the FIN11 Mandiant Advantage report. Simply copy and paste the YARA rule into mquery page and select “Query” to perform the search (Figure 17). It may take some time, so be sure to check back later.Figure 17: mquery YARA rule hunting search for FIN11 malwareWithin our mquery search, we find a generic signature hit on Win32_Spoonbeard_1_beta for the MD5 hash 3c43d080b5badfdde7aff732c066d1b2. We associate this MD5 hash with another sandbox, app.any.run, at the following URL: seen in Figure 18, this sample was first uploaded on May 2, 2019, with an associated infection chain intact.Figure 18: AppAnyRun Execution Report on 3c43d080b5badfdde7aff732c066d1b2We now have a confident signature hit, but with different named detections on the malware family. This is a common challenge for threat analysts and researchers. However we have gained interesting information about the malware itself such as its execution behavior, encryption methods, dropped files, timelines and command and control server and beacon information. This is more than enough for us to pivot across our own datasets to hunt for previously seen activities and prepare to finalize our report.Once we are confident in our analysis, we can. yara-gui. Contribute to Mr-AnyThink/yara-gui development by creating an account on GitHub.

Yara Gui Tilde Profiles - Facebook

Formats, filter them, and write them to disk.> pip install valhallaAPI5. Create the file download_yara_rules.py and copy the following script into it:from valhallaAPI.valhalla import ValhallaAPIv = ValhallaAPI(api_key="1111111111111111111111111111111111111111111111111111111111111111")response = v.get_rules_text()with open('yara_rules.yar', 'w') as fh: fh.write(response)6. Download YARA rules and copy them to the C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\ folder:> python download_yara_rules.py > mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules'>cp yara_rules.yar 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules'7. Edit the file C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar and add the following YARA rule to detect BLX stealer:rule BLX_Stealer_rule { meta: description = "Detects BLX Stealer malware" author = "Wazuh" date = "2024-11-01" reference = " strings: $str0 = { 20 20 20 20 70 6f 6c 69 63 79 2e 6d 61 6e 69 66 65 73 74 2e 61 73 73 65 72 74 49 6e 74 65 67 72 69 74 79 28 6d 6f 64 75 6c 65 55 52 4c 2c 20 63 6f 6e 74 65 6e 74 29 3b } $str1 = { 20 20 41 72 72 61 79 50 72 6f 74 6f 74 79 70 65 53 68 69 66 74 2c } $str2 = { 20 20 69 66 20 28 21 73 74 61 74 65 2e 6b 65 65 70 41 6c 69 76 65 54 69 6d 65 6f 75 74 53 65 74 29 } $str3 = { 20 20 72 65 74 75 72 6e 20 72 65 71 75 69 72 65 28 27 74 6c 73 27 29 2e 44 45 46 41 55 4c 54 5f 43 49 50 48 45 52 53 3b } $str4 = { 21 47 7e 79 5f 3b } $str5 = { 3f 52 65 64 75 63 65 53 74 61 72 74 40 42 72 61 6e 63 68 45 6c 69 6d 69 6e 61 74 69 6f 6e 40 63 6f 6d 70 69 6c 65 72 40 69 6e 74 65 72 6e 61 6c 40 76 38 40 40 41 45 41 41 3f 41 56 52 65 64 75 63 74 69 6f 6e 40 32 33 34 40 50 45 41 56 4e 6f 64 65 40 32 33 34 40 40 5a } $str6 = { 40 55 56 57 48 } $str7 = { 41 49 5f 41 44 44 52 43 4f 4e 46 49 47 } $str8 = { 44 24 70 48 } $str9 = { 45 56 50 5f 4d 44 5f 43 54 58 5f 73 65 74 5f 75 70 64 61 74 65 5f 66 6e } $str10 = { 46 61 69 6c 65 64 20 74 6f 20 64 65 73 65 72 69 61 6c 69 7a 65 20 64

Comments

User2914

From resources, etc.).***Text/Binary Pattern Scanner** | [YARA]( | [Open Source] *Create descriptions of, and rules based on, textual or binary patterns. Excellent for creating custom rules for tasks like identifying resources in a game, game engine and version being used for a game, etc. See [YARA GUI]( for a Windows GUI front-end. Also, see [yarGen]( for a YARA rule generator.***Injector** | [Xenos]( | [Open Source] *A Windows DLL injector, based on the [Blackbone library]( | [Compiler Explorer]( | [Open Source] *Run compilers interactively from your web browser and interact with the assembly!***Memory Scanner/Tracer** | [PSR (Pointer Sequence Reverser)]( | [Open Source] *Traces instructions executed prior to reading/writing from/to the provided address of a data member or object, then highlights relevant instructions, identifies vtable pointers, and more. Relevant whitepaper [here]( Scanner/Data Structure Scanner** | [XenoScan]( | [Open Source] *Lua scriptable memory scanner written in C++. Supports complex scanning, custom structures, and automatic detection of complex structures (linked lists, binary tress, class instances, etc). Expandable with support for emulators. DEFCON Slides [here]( Libraries, Frameworks, Plugins/Add-ons/Extensions, Etc.Title/Link | Description---- | ----[Lighthouse]( | Code coverage plugin for IDA Pro. The plugin leverages IDA as a platform to map, explore, and visualize externally collected code coverage data when symbols or source may not be available for a given binary.[Kaitai Struct]( | A declarative language used to describe various binary data structures in files or memory (binary file formats, network stream packet formats, etc.). Allows for development of custom parsers for binary structures.[Frida]( | Allows you to inject snippets of JavaScript or your own library into native apps on Windows, macOS, GNU/Linux, iOS, Android, and QNX. Also provides custom, modifiable tools built on top of the Frida API. Beginner's tutorial [here]( | An open source, advanced memory forensics framework used for the extraction of digital artifacts from volatile memory (RAM) dumps. Great for exploring RAM dumps of running games![Rekall]( | A powerful memory analysis framework. Consider taking a look at [their memory analysis workshop]( which explains memory and memory analysis in great detail, as well as how to utilize their framework.[radare2]( | A portable reverse engineering framework that acts as a forensics tool, scriptable command line hex editor, binary analyzer, disassembler, debugger, and much more. An accompanying open source book on radare2 can be found [here]( | A suite of python libraries that let you load a binary and perform a whole host of tasks: Disassembly and intermediate-representation lifting, program instrumentation, symbolic execution, control-flow analysis, data-dependency analysis, value-set analysis (VSA), and more.[CeAutoAsm-x64dbg]( | An x64dbg plugin that allows users to execute Cheat Engine auto assembler scripts within x64dbg.[CEAutoAttach]( | An x64dbg add-on allowing you to automatically make Cheat Engine attach to a process.[SignatureScanner]( | A C++-based signature scanning library.[Hacklib]( | A C++ library for building applications that run as a shared library in another application. It provides general purpose functionality like pattern scanning, hooking, and laying out foreign classes. Additionally it contains some D3D and OpenGL drawing facilities and a cross-platform, high-performance, 3D-capable, transparent overlay.[Detours]( |

2025-04-05
User4988

Decoders, rules, and the Active Response module on the Wazuh server.1. Edit the file /var/ossec/etc/decoders/local_decoder.xml and include the following decoders: wazuh-yara: yara_decoder wazuh-yara: (\S+) - Scan result: (\S+) (\S+) log_type, yara_rule, yara_scanned_file yara_decoder wazuh-yara: (\S+) - Successfully deleted: (\S+) (\S+) log_type, yara_rule, yara_scanned_file yara_decoder wazuh-yara: (\S+) - Error removing threat: (\S+) (\S+) log_type, yara_rule, yara_scanned_file2. Edit the file /var/ossec/etc/rules/local_rules.xml on the Wazuh server and include the following rules: 550 (?i)C:\\Users.+Downloads File modified in the Downloads folder. 554 (?i)C:\\Users.+Downloads File added to the Downloads folder. yara_decoder Yara grouping rule 100100 wazuh-yara: INFO - Scan result: Yara scan result: File "$(yara_scanned_file)" is a positive match. Yara rule: $(yara_rule) 100100 wazuh-yara: INFO - Successfully deleted: Active Response: Successfully removed "$(yara_scanned_file)". YARA rule: $(yara_rule) 100100 wazuh-yara: INFO - Error removing threat: Active Response: Error removing "$(yara_scanned_file)". YARA rule: $(yara_rule) Where:Rule ID 100010 is triggered when a file is modified in the Downloads directory.Rule ID 100011 is triggered when a file is added to the Downloads directory.Rule ID 100100 is the base rule for detecting YARA events.Rule ID 100110 is triggered when YARA scans and detects a malicious file.Rule ID 100120 is triggered when the detected file has been successfully removed by the Wazuh active response module.Rule ID 100130 is triggered when the detected file is not removed successfully by Wazuh active response.3. Append the following configuration to the Wazuh server configuration file /var/ossec/etc/ossec.conf: yara yara.bat no yara local 100010,100011 4. Restart the Wazuh manager for the changes to take effect:# systemctl restart wazuh-managerVisualizing alerts on the Wazuh dashboardThe image below shows the alerts generated by the Wazuh dashboard when BLX stealer is dropped to the Downloads folder of the victim endpoint and executed. Perform the following steps to view the alerts on the Wazuh dashboard.1. Navigate to Threat intelligence > Threat Hunting.2. Click + Add filter. Then, filter for rule.id in the Field field.3. Filter for is one of in the Operator field.4. Filter for 553, 100010, 100011, 100110, 100120, and 100130 in the Values field.5. Click Save.ConclusionBLX Stealer, with its ability to steal valuable data, presents a serious threat to both organizations and individuals. Wazuh comes in as a solution to detect and respond to this malware.In this blog post, we showed how Wazuh combines real-time monitoring, and customizable rules to help security teams quickly spot BLX Stealer activity. By using these tools, organizations can take proactive measures to protect their systems and prevent sensitive information from being compromised.To learn more about Wazuh, please check out our documentation and blog posts.ReferencesCYFIRMA research – BLX Stealer.BLX Trojan Stealer – What It Is and How To Remove It.Wazuh documentation – Active response.

2025-04-24
User1130

--pcap The md5/sha1/sha256 hash of the file whose network traffic dump you want to retrieve. Will save as hash.pcap --clusters A specific day for which we want to access the clustering details, example: 2013-09-10 --distribution-files Timestamps are just integer numbers where higher values mean more recent files. Both before and after parameters are optional, if they are not provided the oldest files in the queue are returned in timestamp ascending order. --distribution-urls Timestamps are just integer numbers where higher values mean more recent urls. Both before and after parameters are optional, if they are not provided the oldest urls in the queue are returned in timestamp ascending order.Distribution options: --before BEFORE File/Url option. Retrieve files/urls received before the given timestamp, in timestamp descending order. --after AFTER File/Url option. Retrieve files/urls received after the given timestamp, in timestamp ascending order. --reports Include the files' antivirus results in the response. Possible values are 'true' or 'false' (default value is 'false'). --limit LIMIT File/Url option. Retrieve limit file items at most (default: 1000). --allinfo will include the results for each particular URL scan (in exactly the same format as the URL scan retrieving API). If the parameter is not specified, each item returned will only contain the scanned URL and its detection ratio.Rules management options: --rules Manage VTI hunting rules, REQUIRED for rules management --list List names/ids of Yara rules stored on VT --create FILE Add a Yara rule to VT (File Name used as RuleName --update FILE Update a Yara rule on VT (File Name used as RuleName and must include RuleName --retro FILE Submit Yara rule to VT RetroHunt (File Name used as RuleName and must include RuleName --delete_rule DELETE_RULE Delete a Yara rule from VT (By Name) --share Shares rule with user --update_ruleset UPDATE_RULESET Ruleset name to update --disable DISABLE Disable a Yara rule from VT (By Name) --enable ENABLE Enable a Yara rule from VT (By Name)

2025-04-19
User8211

Eventchannel7. Restart the Wazuh agent to apply the configuration changes by running the following PowerShell command as an administrator:> Restart-Service -Name wazuhWazuh serverPerform the following steps to configure detection rules on the Wazuh server.1. Create a new file /var/ossec/etc/rules/blx_stealer.xml:# touch /var/ossec/etc/rules/blx_stealer.xml2. Edit the file /var/ossec/etc/rules/blx_stealer.xml and include the following detection rules for BLX stealer: 92200 (?i)\\\\.+(exe|dll|bat|msi) (?i)\\\\temp.ps1 Possible BLX stealer activity detected: A rogue powershell script was dropped to system. T1105 92052 (?i)\\\\.+(exe|dll|bat|msi) (?i)\\\\Windows\\\\System32\\\\cmd.exe powershell.exe -ExecutionPolicy Bypass -File Possible BLX stealer activity detected: Rogue powershell script execution. T1059.003 92213 (?i)\\\\.+(exe|dll|bat|msi) (?i)\\\\Users\\\\[^\\\\]+\\\\AppData\\\\Local\\\\Temp\\\\decrypted_executable.exe Possible BLX stealer activity detected: Rogue executable was dropped to system. T1105 61613 (?i)\\\\Users\\\\[^\\\\]+\\\\AppData\\\\Local\\\\Temp\\\\decrypted_executable.exe (?i)\\\\Users\\\\[^\\\\]+\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\decrypted_executable.exe Possible BLX stealer persistence activity detected: Rogue executable was copied to users' startup folder to establish persistence. T1547.001 Where:Rule 100300 is triggered when BLX drops a rogue PowerShell script, temp.ps1 to the infected system.Rule 100310 is triggered when BLX executes the temp.ps1 PowerShell script.Rule 100320 is triggered when BLX drops an executable, decrypted_executable.exe in the Temp folder.Rule 100330 is triggered when BLX copies the rogue executable to the user %Startup% folder for persistence.3. Restart the Wazuh manager service to apply the changes.# systemctl restart wazuh-managerVisualizing alerts on the Wazuh dashboardThe screenshot below shows the alerts generated on the Wazuh dashboard when we execute the BLX sample on the victim endpoints. Perform the following steps to view the alerts on the Wazuh dashboard.1. Navigate to Threat intelligence > Threat Hunting.2. Click + Add filter. Then, filter for rule.id in the Field field.3. Filter for is one of in the Operator field.4. Filter for 100300, 100310, 100320, and 100330 in the Values field.5. Click Save.YARA integrationYARA is an open source and multi-platform tool that identifies and classifies malware samples based on their textual or binary patterns. In this blog post, we use the Wazuh Active Response capability to automatically execute a YARA scan on files added or modified in the Downloads folder.Windows endpointTo download and install YARA, we require the following packages installed on the victim endpoint:Python v 3.13.0.Microsoft Visual C++ 2015 Redistributable.Note: Make sure to select the following checkboxes on the installer dialog box during Python installation: Use admin privileges when installing py.exe.Add Python.exe to PATH.After installing the above packages, perform the steps below to download the YARA executable:1. Launch PowerShell with administrative privilege and download YARA:> Invoke-WebRequest -Uri -OutFile v4.5.2-2326-win64.zip2. Extract the YARA executable:> Expand-Archive v4.5.2-2326-win64.zip3. Create a folder called C:\Program Files (x86)\ossec-agent\active-response\bin\yara\ and copy the YARA binary into it:> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara'> cp .\v4.5.2-2326-win64\yara64.exe 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara'Perform the steps below to download YARA rules:4. Using the same PowerShell terminal launched earlier, install valhallaAPI using the pip utility. This allows you to query thousands of handcrafted YARA and Sigma rules in different

2025-04-21

Add Comment