Matt Green
@mgreen27.bsky.social
Velociraptor@Rapid7. #DFIR, #CTI and research. https://mgreen27.github.io
For anyone interested in Velociraptor hunting - just added a refactored Windows.Detection.Webhistory into DetectRaptor. This is useful for hunting across browser artefacts - covers Chrome, Edge and Firefox. LINK:
github.com/mgreen27/Det...
#DFIR
7 months ago
Just added the LolRMM project to DetectRaptor for Velociraptor. Expanded to look at installed applications, DNS and running applications (process name and original/internal name of binaries on disk).
github.com/mgreen27/Det...
#dfir
9 months ago
This #100daysofyara shows that bad rules can be good when used correctly :) I'm using it for targeted live strings extraction in Velociraptor and some cool workflow to drive things like building yara rules. The screenshot shows VQL to dynamically generate a yara rule to a preferred string size.
9 months ago
Today's #100daysofyara rule targets the CISA report for this Contec CMS8000 backdoor. Rule:
github.com/mgreen27/100...
10 months ago
#100daysofyara today's rule hits on a suspicious LNK executing mshta.exe, using yara-x format.
github.com/mgreen27/100...
10 months ago
Messing with a couple of anomaly rules for #100daysofyara
1. Packer related API strings and no import. Rule:
github.com/mgreen27/100...
2. Downloader related API strings and no import. Rule:
github.com/mgreen27/100...
10 months ago
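The two anomaly rules above share one idea: an API name that appears as a plain string in the file body, but is missing from the import table, usually means the binary resolves it at runtime (a packer stub or a downloader hiding its network calls). The rules below are an added example of that pattern written against the YARA/yara-x `pe` module; they are not the author's 100daysofyara rules, and the rule names, the string sets and the `2 of` / `1 of` thresholds are this example's own choices.

```yara
import "pe"

// Added example (not from the author's repo): API names present as strings
// but absent from the import table. The string sets and thresholds below are
// assumptions chosen for illustration, not tuned against a corpus.

rule pe_unpacking_api_strings_without_imports
{
    meta:
        description = "Memory/loader APIs named in the file body but not imported"
    strings:
        $api1 = "VirtualAlloc" ascii
        $api2 = "VirtualProtect" ascii
        $api3 = "LoadLibraryA" ascii
        $api4 = "GetProcAddress" ascii
    condition:
        pe.is_pe and
        2 of ($api*) and
        // an imported function leaves its name in the hint/name table, so the
        // string alone proves nothing; require that none of them is imported
        pe.imports("kernel32.dll", "VirtualAlloc") == 0 and
        pe.imports("kernel32.dll", "VirtualProtect") == 0 and
        pe.imports("kernel32.dll", "LoadLibraryA") == 0
}

rule pe_downloader_api_strings_without_imports
{
    meta:
        description = "Network/download APIs named in the file body but not imported"
    strings:
        $api1 = "URLDownloadToFileA" ascii
        $api2 = "InternetOpenUrlA" ascii
        $api3 = "InternetReadFile" ascii
        $api4 = "WinHttpOpenRequest" ascii
    condition:
        pe.is_pe and
        1 of ($api*) and
        pe.imports("urlmon.dll", "URLDownloadToFileA") == 0 and
        pe.imports("wininet.dll", "InternetOpenUrlA") == 0 and
        pe.imports("wininet.dll", "InternetReadFile") == 0 and
        pe.imports("winhttp.dll", "WinHttpOpenRequest") == 0
}
```

Delay-loaded imports are the usual false-positive source for this pattern, because a delay-loaded function's name is in the file but `pe.imports(dll, func)` only inspects the regular import table; on YARA 4.2 or later the three-argument form `pe.imports(pe.IMPORT_ANY, dll, func)` covers both tables.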
reposted by Matt Green
10 months ago
In case you wonder what broke #ProcessHollowing on Windows 11 24H2, I have something for you:
hshrzd.wordpress.com/2025/01/27/p...
Process Hollowing on Windows 11 24H2
Process Hollowing (a.k.a. RunPE) is probably the oldest, and the most popular process impersonation technique (it allows to run a malicious executable under the cover of a benign process). It is us…
https://hshrzd.wordpress.com/2025/01/27/process-hollowing-on-windows-11-24h2/
#100daysofyara today's rule finds Kimsuky MSC payloads by unique Icon Index. In a previous rule I detected on a binary representation of PDF and was interested to understand how this may be generated.
10 months ago
#100daysofyara hunting inspired by a sample share from VT.
1. Microsoft Teams without a MS cert
2. Detect cert metadata
github.com/mgreen27/100...
3. Anomaly detection for PE files with large difference between physical and virtual size of a section
github.com/mgreen27/100...
10 months ago
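Two of the hunts above (a Teams-branded binary with no Microsoft signer, and a section whose virtual size dwarfs its on-disk size) can be expressed directly with the `pe` module's `version_info`, `signatures` and `sections` fields. The rules below are an added example, not the author's rules from the linked repo; the version-resource keys, the subject substring and the size thresholds are assumptions for illustration.

```yara
import "pe"

// Added example (not from the author's repo). Assumptions: the sample carries
// a version resource naming Teams, and a genuine build carries an embedded
// Authenticode signature whose subject names Microsoft Corporation.

rule teams_branded_pe_not_signed_by_microsoft
{
    meta:
        description = "Version resource claims Microsoft Teams but no embedded signer names Microsoft"
    condition:
        pe.is_pe and
        (pe.version_info["ProductName"] contains "Teams" or
         pe.version_info["OriginalFilename"] contains "Teams.exe") and
        // pe.signatures is empty for unsigned files, so this is also true
        // when there is no signature at all
        not (for any sig in pe.signatures : (
            sig.subject contains "Microsoft Corporation"
        ))
}

rule pe_section_virtual_size_dwarfs_raw_size
{
    meta:
        description = "Executable section that is tiny on disk but reserves a large in-memory footprint"
    condition:
        pe.is_pe and
        for any section in pe.sections : (
            section.raw_data_size < 0x1000 and
            section.virtual_size > 0x20000 and
            section.virtual_size > section.raw_data_size * 16 and
            // .bss-style data sections legitimately look like this; only an
            // executable section with this shape suggests unpacking into it
            (section.characteristics & pe.SECTION_MEM_EXECUTE) != 0
        )
}
```

Two caveats a hunter should keep in mind: YARA parses the PKCS#7 blob but does not validate the chain, so a self-signed certificate with a forged subject string still satisfies the `contains` test, and files signed only through a Windows catalog have no embedded signature and would match the first rule regardless of who really signed them.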
reposted by Matt Green
Jamie Levy
about 1 year ago
Interested in #memoryforensics? Follow @volexity.com, @volatilityfoundation.org, @attrc.bsky.social, @rmettig.bsky.social, @nolaforensix.bsky.social - more to come!
#100daysofyara today's rule detects a patched clr.dll in memory (AmsiScanBuffer bypass). My @velocidex Windows.System.VAD artifact can be used to target clr.dll mapped sections for an easy detection. Rule:
github.com/mgreen27/100...
VQL:
github.com/mgreen27/100...
10 months ago
Today's #100daysofyara rule looks for a PE file with an unusual debug info type. Yara doesn't directly expose these debug structures so I had to search for the RSDS header and find the type field by offset.
github.com/mgreen27/100...
10 months ago
This #100daysofyara rule looks for a PE with a .reloc section and no relocation.
github.com/mgreen27/100...
10 months ago
This #100daysofyara rule looks for a PE with an unusual NumberOfRvaAndSizes attribute.
github.com/mgreen27/100...
11 months ago
#100daysofyara MSC files appear to store their icons inside a BinaryStorage field. Today's rule hits on a suspicious PDF icon. Rule:
github.com/mgreen27/100...
11 months ago
#100daysofyara This rule detects PE files with SUBSYSTEM_WINDOWS_GUI and no Window API function import. Rule:
github.com/mgreen27/100...
11 months ago
#100daysofyara more yara-x > Dumping a RedCurl malware PE I saw the Rich Header and thought I would give it a try. Rule:
github.com/mgreen27/100...
11 months ago
#100daysofyara sometimes simple rules work really well! In an IR last week, we discovered and stopped an in-progress exfil. This process rule detects the in-memory renamed rclone - should be cross platform. Rule:
github.com/mgreen27/100...
11 months ago
#100daysofyara continuing the LNK language theme. Today's rule hits the ExtraData ConsoleDataBlock, targeting the less known Face Name field. In the example rule I'm targeting the Korean font Gulimche - I've added a few other system fonts for reference. Rule:
github.com/mgreen27/100...
11 months ago
#100daysofyara today's post is generic and looking at LNK files. Finding samples with specific attributes that may not be parsed (or dumped by yara-x) can be difficult. This rule finds LNK files with the rare in field CodePage language setting. Rules:
github.com/mgreen27/100...
11 months ago
#100daysofyara today's post I do a simple search for payload and QEMU local DLL files observed both in the zip and in the imports of the QEMU executable. I initially tried to do a fancy for loop looking at zip attributes but performance was terrible, so simple strings wins the day!
github.com/mgreen27/100...
11 months ago
crossposting here #100daysofyara continuing to explore yara-x, today I tried to detect a renamed QEMU exe using PE attributes and a dynamic variable.
11 months ago
reposted by Matt Green
Metasploit
about 1 year ago
Roses are red, the sky is blue - This week's #Metasploit wrap-up has Windows secrets dump improvements (and a JetBrains TeamCity login scanner, too!) We're bad at poetry but good at shells. Check out the latest.
www.rapid7.com/blog/post/20...
Metasploit Weekly Wrap-Up 11/22/2024 | Rapid7 Blog
https://www.rapid7.com/blog/post/2024/11/22/metasploit-weekly-wrap-up-11-22-2024/