Last week we conducted the second episode of our “Threat Hunting with VirusTotal” open training session, where we covered YARA services at VirusTotal. We focused on practical aspects of YARA rules providing real life examples of infamous malware and historical APT attacks. You can find the video recording on Brighttalk and Youtube, as well PDF version of the slides, where you can quickly copy-paste interesting rule patterns and explore attached documentation links.
As in our previous session we received lots of inquiries that we decided to cover separately in this blog post.
As in our previous session we received lots of inquiries that we decided to cover separately in this blog post.
1. Can you explain a bit more on the water mark usage in docs. How can we hunt using this? Also, how can we create a watermark as well?
As a quick example, here is the article describing the process of adding an invisible watermark in a PDF document. You can deploy a Livehunt YARA rule detecting this watermark and be notified every time your document is uploaded to VirusTotal.
As a quick example, here is the article describing the process of adding an invisible watermark in a PDF document. You can deploy a Livehunt YARA rule detecting this watermark and be notified every time your document is uploaded to VirusTotal.
2. Do you have tools helping you write YARA rules to find more easily nested item properties and syntax linting?
Recently we introduced a new YARA editor with pop-up suggestions, rule templates and new syntax highlighting, it’s live on both Retrohunt and Livehunt, check it out!
Also you can leverage VT Diff to help you find the most relevant entities to detect.
This article has been indexed from VirusTotal BlogRead the original article: