Matt Green
@mgreen27.bsky.social
Velociraptor@Rapid7. #DFIR, #CTI and research.
https://mgreen27.github.io
For anyone interested in Velociraptor hunting - just added a refactored Windows.Detection.Webhistory into DetectRaptor 🚀

This is useful for hunting across browser artefacts - covers Chrome, Edge and Firefox

LINK: github.com/mgreen27/Det...

#DFIR
May 2, 2025 at 6:46 AM
Just added LolRMM project to DetectRaptor for Velociraptor.

Expanded to look at installed applications, DNS and running applications (process name and original/internal name of binaries on disk).

github.com/mgreen27/Det...

#dfir
March 6, 2025 at 6:25 AM
This #100daysofyara shows that bad rules can be good when used correctly :)
I'm using it for targeted live strings extraction in Velociraptor and some cool workflows to drive things like building YARA rules.

The screenshot shows VQL to dynamically generate a YARA rule to a preferred string size.
February 21, 2025 at 12:10 AM
Today's #100daysofyara rule targets the CISA report for this Contec CMS8000 backdoor

Rule: github.com/mgreen27/100...
February 1, 2025 at 1:06 PM
#100daysofyara today's rule hits on a suspicious LNK executing mshta.exe, using yara-x format.

github.com/mgreen27/100...
January 31, 2025 at 12:40 PM
Messing with a couple of anomaly rules for #100daysofyara
1. Packer-related API strings and no import
Rule: github.com/mgreen27/100...
2. Downloader-related API strings and no import
Rule: github.com/mgreen27/100...
January 30, 2025 at 12:00 PM
Reposted by Matt Green
#100daysofyara today's rule finds Kimsuky MSC payloads by a unique Icon Index. In a previous rule I detected on a binary representation of a PDF and was interested to understand how this may be generated.
January 27, 2025 at 11:53 AM
#100daysofyara hunting inspired by a sample shared on VT
1. Microsoft Teams without an MS cert
2. Detect cert metadata
github.com/mgreen27/100...
3. Anomaly detection for PE files with a large difference between physical and virtual size of a section
github.com/mgreen27/100...
January 24, 2025 at 12:46 PM
Reposted by Matt Green
November 20, 2024 at 6:58 PM
#100daysofyara today's rule detects a patched clr.dll in memory (AmsiScanBuffer bypass). My @velocidex Windows.System.VAD artifact can be used to target clr.dll mapped sections for an easy detection.

Rule: github.com/mgreen27/100...
VQL: github.com/mgreen27/100...
January 22, 2025 at 3:50 AM
Today's #100daysofyara rule looks for a PE file with an unusual debug info type. YARA doesn't directly expose these debug structures, so I had to search for the RSDS header and find the type field by offset.

github.com/mgreen27/100...
January 21, 2025 at 2:04 AM
This #100daysofyara rule looks for a PE with a .reloc section and no relocations.
github.com/mgreen27/100...
January 20, 2025 at 1:30 AM
This #100daysofyara rule looks for a PE with an unusual NumberOfRvaAndSizes attribute.
github.com/mgreen27/100...
January 18, 2025 at 11:53 AM
#100daysofyara MSC files appear to store their icons inside a BinaryStorage field. Today's rule hits on a suspicious PDF icon.

Rule: github.com/mgreen27/100...
January 16, 2025 at 11:23 AM
#100daysofyara This rule detects PE files with SUBSYSTEM_WINDOWS_GUI and no window API function imports.

Rule: github.com/mgreen27/100...
January 15, 2025 at 10:46 AM
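Added example rules (mine, written for classic YARA with the pe module; not the rules in the linked 100daysofyara repo) sketching the four PE structural anomalies from the posts above: a large gap between a section's physical and virtual size, a .reloc section with an empty base relocation directory, an unusual NumberOfRvaAndSizes, and a GUI subsystem with no window-creating import. The 1 MiB size threshold, the user32 function list and the .NET exclusion are my assumptions and should be tuned on a clean corpus before hunting.

```yara
import "pe"

// Added example rules, not from the 100daysofyara repo. Every threshold and
// exclusion below is an assumption; baseline them against known-good binaries.

private rule pe_file
{
    condition:
        uint16(0) == 0x5A4D and pe.is_pe and pe.number_of_sections > 0
}

// Section reserves far more memory than it loads from disk.
// Uninitialised data (.bss, tail of .data) legitimately has virtual_size >
// raw_data_size, so only flag a gap large enough to hold an unpacked payload.
rule pe_section_virtual_size_far_exceeds_raw
{
    meta:
        description = "Section with near-empty raw data but a large virtual size (in-place unpacking hint)"
    condition:
        pe_file and
        for any i in (0 .. pe.number_of_sections - 1) : (
            pe.sections[i].raw_data_size < 0x1000 and
            pe.sections[i].virtual_size > pe.sections[i].raw_data_size + 0x100000  // 1 MiB gap, assumed threshold
        )
}

// A .reloc section exists but the base relocation data directory
// (index 5, IMAGE_DIRECTORY_ENTRY_BASERELOC) says there is nothing to relocate.
rule pe_reloc_section_without_relocations
{
    meta:
        description = ".reloc section present while the base relocation directory is empty"
    condition:
        pe_file and
        for any i in (0 .. pe.number_of_sections - 1) : (
            pe.sections[i].name == ".reloc"
        ) and
        pe.number_of_rva_and_sizes > 5 and
        pe.data_directories[5].size == 0
}

// Modern linkers always emit 16 data directory entries; anything else is
// hand-built or tampered with (expect some noise from old or exotic toolchains).
rule pe_unusual_number_of_rva_and_sizes
{
    meta:
        description = "Optional header NumberOfRvaAndSizes is not 16"
    condition:
        pe_file and pe.number_of_rva_and_sizes != 16
}

// GUI subsystem but no import that could create a window, dialog or message box.
// Skips DLLs and managed (.NET) executables, whose only import is _CorExeMain.
// Packed GUI programs (imports reduced to LoadLibrary/GetProcAddress) will
// fire here, which is the intended anomaly.
rule pe_gui_subsystem_without_window_api
{
    meta:
        description = "SUBSYSTEM_WINDOWS_GUI executable with no window-creating user32 import"
    condition:
        pe_file and
        (pe.characteristics & pe.DLL) == 0 and
        pe.subsystem == pe.SUBSYSTEM_WINDOWS_GUI and
        not pe.imports("mscoree.dll", "_CorExeMain") and
        pe.imports(/user32\.dll/i, /^(CreateWindowEx|CreateDialogParam|DialogBoxParam|DialogBoxIndirectParam|MessageBox)[AW]$/) == 0
}
```

Each rule is deliberately an anomaly signal rather than a malware signature: run them across a goodware set first, record what fires (installers, old Borland/Delphi builds, runtime-packed utilities), and use the hit counts to decide which ones are cheap enough to keep in a continuous hunt.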
#100daysofyara
more yara-x > dumping a RedCurl malware PE, I saw the Rich Header and thought I would give it a try.

Rule: github.com/mgreen27/100...
January 14, 2025 at 12:24 PM
#100daysofyara sometimes simple rules work really well!
In an IR last week, we discovered and stopped an in-progress exfil. This process rule detects the in-memory renamed rclone - should be cross platform.

Rule: github.com/mgreen27/100...
January 10, 2025 at 11:05 PM
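Added example (mine, not the rule from the linked repo) of the kind of simple process-memory strings rule the post above describes: it keys on strings baked into the rclone binary rather than on its file name, so a renamed copy still matches. The four strings are my assumptions about what an rclone build contains and should be confirmed against a copy of the current release before use.

```yara
// Added example rule, not from the 100daysofyara repo.
// Targets a renamed rclone by content that survives renaming: the Go module
// path and user-facing strings compiled into the binary. Intended for scanning
// process memory, where a renamed or even deleted-on-disk binary is still mapped.
rule rclone_in_process_memory
{
    meta:
        description = "rclone binary strings observed in a running process regardless of its name"
    strings:
        $mod  = "github.com/rclone/rclone" ascii fullword   // Go module path, present in every build (assumed)
        $env  = "RCLONE_CONFIG_PASS" ascii fullword         // documented config password env var (assumed)
        $site = "https://rclone.org/" ascii                 // link printed in help/usage text (assumed)
        $help = "rclone sync" ascii                         // subcommand usage text (assumed)
    condition:
        2 of them
}
```

Requiring two of the four strings keeps the rule robust to one string changing between releases while avoiding hits on a shell that merely has "rclone sync" in its command history; scoping the scan to process memory (for example with Velociraptor's Windows.Detection.Yara.Process artifact, or its Linux counterpart) is what makes this cheap enough to run fleet-wide.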
#100daysofyara continuing the LNK language theme. Today's rule hits on the ExtraData ConsoleDataBlock, targeting the less-known Face Name field.

In the example rule I'm targeting the Korean font Gulimche - I've added a few other system fonts for reference.
Rule: github.com/mgreen27/100...
January 8, 2025 at 9:24 AM
#100daysofyara today's post is generic and looks at LNK files. Finding samples with specific attributes that may not be parsed (or dumped by yara-x) can be difficult. This rule finds LNK files with the rare CodePage language setting field.

Rules: github.com/mgreen27/100...
January 7, 2025 at 10:19 AM
#100daysofyara today's post I do a simple search for the payload and QEMU local DLL files observed both in the zip and in the imports of the QEMU executable.
I initially tried to do a fancy for loop looking at zip attributes, but performance was terrible, so simple strings win the day!
github.com/mgreen27/100...
January 6, 2025 at 11:44 AM
crossposting here: #100daysofyara continuing to explore yara-x, today I tried to detect a renamed QEMU exe using PE attributes and a dynamic variable.
January 5, 2025 at 11:43 AM
Reposted by Matt Green
Roses are red, the sky is blue —
This week's #Metasploit wrap-up has Windows secrets dump improvements (and a JetBrains TeamCity login scanner, too!)

We're bad at poetry but good at shells. Check out the latest. www.rapid7.com/blog/post/20...
Metasploit Weekly Wrap-Up 11/22/2024 | Rapid7 Blog
www.rapid7.com
November 22, 2024 at 9:01 PM