java2yara
A minimal library to generate YARA rules from JAVA with maven support.
Vendors are notorious for including and/or leaving behind Registry artifacts that could potentially be abused by attackers for lateral movement, evasion, bypass, and persistence. CLSIDs subkeys (LocalServer32 and InprocServer32) can be enumerated to discover abandoned binary references. Interestingly, CLSIDs can be called (‘invoked’) with this command: rundll32.exe -sta {CLSID} Defensive recommendations – clean up artifacts after removal (e.g. unregister), monitor for suspicious events (e.g. rundll32.exe usage), and implement strong Application Whitelisting (AWL) policies/rules. Background Previously, I blogged about a DCOM lateral movement technique that took advantage of a missing file that was referenced in a registry Class Identifier (CLSID) subkey-value on Windows 2008/2012 hosts. After seeing the impact of that technique, the entire notion of COM (Component Object Model) & key-value path hijacking became even more fascinating to me. As such, I decided to revisit CSLIDs, LocalServer32, and InprocServer32 to (hopefully) uncover even more interesting findings. In this post, we will discuss: The purpose of CLSIDs, LocalServer32, and InprocServer32 A slight
A minimal library to generate YARA rules from JAVA with maven support.
YARA is a tool for identifying and classifying malware samples based on textual or binary patterns.
Java decompiler GUI tool for Procyon under Apache License.
Parse YARA rules into a dictionary representation.
A Python script that converts shellcode into a PE32 or PE32+ file.
A .NET wrapper for libyara that provides a simplified API for developing tools in C# and PowerShell.