Matt Green

@mgreen27

Velociraptor@Rapid7. #DFIR, #CTI and research. https://mgreen27.github.io

199 Followers · 323 Following · 26 Posts · Joined 18.11.2024

Latest posts by Matt Green @mgreen27

For anyone interested in Velociraptor hunting - just added a refactored Windows.Detection.Webhistory into DetectRaptor 🚀

This is useful for hunting across browser artefacts - covers Chrome, Edge and Firefox

LINK: github.com/mgreen27/Det...

#DFIR

02.05.2025 06:46 👍 2 🔁 0 💬 0 📌 0

Just added the LolRMM project to DetectRaptor for Velociraptor.

Expanded to look at installed applications, DNS and running applications (process name and original/internal name of binaries on disk).

github.com/mgreen27/Det...

#dfir

06.03.2025 06:25 👍 5 🔁 0 💬 0 📌 0

github.com/Velocidex/ve...

21.02.2025 00:11 👍 0 🔁 0 💬 0 📌 0

This #100daysofyara shows that bad rules can be good when used correctly :)
I'm using it for targeted live strings extraction in Velociraptor and some cool workflow to drive things like building yara rules.

The screenshot shows VQL to dynamically generate a yara rule to preferred string size.

21.02.2025 00:10 👍 1 🔁 0 💬 1 📌 0

Today's #100daysofyara rule targets the CISA report for this Contec CMS8000 backdoor

Rule: github.com/mgreen27/100...

01.02.2025 13:06 👍 2 🔁 1 💬 0 📌 0

#100daysofyara today's rule hits on a suspicious LNK executing mshta.exe, using yara-x format.

github.com/mgreen27/100...

31.01.2025 12:40 👍 4 🔁 1 💬 0 📌 0

Messing with a couple of anomaly rules for #100daysofyara
1. Packer related API strings and no import
Rule: github.com/mgreen27/100...
2. Downloader related API strings and no import
Rule: github.com/mgreen27/100...

30.01.2025 12:00 👍 5 🔁 2 💬 0 📌 0
Process Hollowing on Windows 11 24H2 Process Hollowing (a.k.a. RunPE) is probably the oldest, and the most popular process impersonation technique (it allows to run a malicious executable under the cover of a benign process). It is us…

In case you wonder what broke #ProcessHollowing on Windows 11 24H2, I have something for you: hshrzd.wordpress.com/2025/01/27/p...

26.01.2025 23:55 👍 58 🔁 38 💬 0 📌 1

#100daysofyara today's rule finds Kimsuky MSC payloads by unique Icon Index. In a previous rule I detected on a binary representation of a PDF and was interested to understand how this may be generated.

27.01.2025 11:53 👍 4 🔁 1 💬 0 📌 0

Can you see this list?: www.virustotal.com/gui/collecti...

26.01.2025 13:21 👍 2 🔁 0 💬 1 📌 0

very cool!

25.01.2025 01:57 👍 2 🔁 0 💬 0 📌 0

#100daysofyara hunting inspired by a sample share from VT
1. Microsoft Teams without an MS cert
2. Detect cert metadata
github.com/mgreen27/100...
3. Anomaly detection for PE files with large difference between physical and virtual size of a section
github.com/mgreen27/100...

24.01.2025 12:46 👍 8 🔁 3 💬 1 📌 0

💡 Interested in #memoryforensics? Follow

✅ @volexity.com
✅ @volatilityfoundation.org
✅ @attrc.bsky.social
✅ @rmettig.bsky.social
✅ @nolaforensix.bsky.social

➡️ more to come!

20.11.2024 18:49 👍 53 🔁 23 💬 1 📌 0

#100daysofyara today's rule detects a patched clr.dll in memory (AmsiScanBuffer bypass). My @velocidex Windows.System.VAD artifact can be used to target clr.dll mapped sections for an easy detection.

Rule: github.com/mgreen27/100...
VQL: github.com/mgreen27/100...

22.01.2025 03:50 👍 6 🔁 5 💬 0 📌 0

Today's #100daysofyara rule looks for a PE file with an unusual debug info type. Yara doesn't directly expose these debug structures, so I had to search for the RSDS header and find the type field by offset.

github.com/mgreen27/100...

21.01.2025 02:04 👍 4 🔁 2 💬 0 📌 0

This #100daysofyara rule looks for a PE with a .reloc section and no relocations.
github.com/mgreen27/100...

20.01.2025 01:30 👍 3 🔁 1 💬 0 📌 0

This #100daysofyara rule looks for a PE with an unusual NumberOfRvaAndSizes attribute
github.com/mgreen27/100...

18.01.2025 11:53 👍 2 🔁 2 💬 0 📌 0

#100daysofyara MSC files appear to store their icons inside a BinaryStorage field. Today's rule hits on a suspicious PDF icon.

Rule: github.com/mgreen27/100...

16.01.2025 11:22 👍 3 🔁 2 💬 0 📌 0

#100daysofyara This rule detects PE files with SUBSYSTEM_WINDOWS_GUI and no Window API function import.

Rule: github.com/mgreen27/100...

15.01.2025 10:46 👍 3 🔁 2 💬 0 📌 0
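The three PE header anomalies described in the posts above (a .reloc section with no relocation data, an unusual NumberOfRvaAndSizes, and a GUI subsystem with no window API imports) can each be expressed against the YARA pe module. The rules below are an added illustration written for this page; they are not the rules published in the mgreen27/100daysofyara repository. They assume the YARA 4.x pe module field names (data_directories, number_of_rva_and_sizes, subsystem, imports), and the user32.dll function list in the third rule is an assumed approximation of "window API functions", not a definitive set.

```yara
import "pe"

// Added example rules (not the author's published 100daysofyara rules).
// Field names assume the YARA 4.x "pe" module.

rule SUS_PE_Reloc_Section_No_Relocations
{
    meta:
        description = "PE has a .reloc section but the base relocation data directory is empty"
    condition:
        uint16(0) == 0x5A4D and
        pe.is_pe and
        // a section literally named .reloc is present ...
        for any section in pe.sections : ( section.name == ".reloc" ) and
        // ... yet the loader is told there is nothing to relocate
        pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_BASERELOC].size == 0
}

rule SUS_PE_Unusual_NumberOfRvaAndSizes
{
    meta:
        description = "Optional header NumberOfRvaAndSizes differs from the usual 16"
    condition:
        uint16(0) == 0x5A4D and
        pe.is_pe and
        // mainstream linkers emit exactly 16 data directory entries
        pe.number_of_rva_and_sizes != 16
}

rule SUS_PE_GUI_Subsystem_No_Window_Imports
{
    meta:
        description = "GUI subsystem declared but no window-creation API imported from user32.dll"
    condition:
        uint16(0) == 0x5A4D and
        pe.is_pe and
        pe.subsystem == pe.SUBSYSTEM_WINDOWS_GUI and
        // only judge binaries that have an import table at all;
        // a GUI binary with zero imports is a separate (packer) anomaly
        pe.number_of_imports > 0 and
        // assumed approximation of "window API functions" (see lead-in)
        not pe.imports(/user32\.dll/i, /^(CreateWindowEx|RegisterClassEx|DialogBoxParam|MessageBox)[AW]$/)
}
```

Each rule keeps the cheap `uint16(0) == 0x5A4D` MZ check in front of the pe module conditions so that non-PE files are discarded before the module parses headers, which matters when the rules are run across a large corpus or a live file system from Velociraptor.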

#100daysofyara
More yara-x: dumping a RedCurl malware PE, I saw the Rich Header and thought I would give it a try.

Rule: github.com/mgreen27/100...

14.01.2025 12:24 👍 3 🔁 2 💬 0 📌 0

Sorry - I think I was wrong.
I just asked a friend who went through 482 - he said this part takes 2 weeks and was great. PR is another story though.

13.01.2025 06:29 👍 1 🔁 0 💬 1 📌 0

I think you will find timeframe will be in months and not weeks.

13.01.2025 00:05 👍 0 🔁 0 💬 1 📌 0

#100daysofyara sometimes simple rules work really well!
In an IR last week, we discovered and stopped an in-progress exfil. This process rule detects the in-memory renamed rclone - should be cross platform.

Rule: github.com/mgreen27/100...

10.01.2025 23:05 👍 2 🔁 1 💬 0 📌 0

#100daysofyara continuing the LNK language theme. Today's rule hits on the ExtraData ConsoleDataBlock, targeting the less-known Face Name field.

In the example rule I'm targeting the Korean font gulimche - I've added a few other system fonts for reference.
Rule: github.com/mgreen27/100...

08.01.2025 09:24 👍 4 🔁 0 💬 0 📌 0

#100daysofyara today's post is generic, looking at LNK files. Finding samples with specific attributes that may not be parsed (or dumped by yara-x) can be difficult. This rule finds LNK files with the rare in-field CodePage language setting.

Rules: github.com/mgreen27/100...

07.01.2025 10:19 👍 10 🔁 3 💬 1 📌 0

#100daysofyara today's post: I do a simple search for payload and QEMU local DLL files observed both in the zip and in the imports of the QEMU executable.
I initially tried to do a fancy for loop looking at zip attributes, but performance was terrible, so simple strings win the day!
github.com/mgreen27/100...

06.01.2025 11:44 👍 2 🔁 2 💬 0 📌 0

100daysofyara/2025/SUS_Renamed_QEMU_Jan25.yar at main · mgreen27/100daysofyara A scratchpad for 100daysofyara. Contribute to mgreen27/100daysofyara development by creating an account on GitHub.

Rule: github.com/mgreen27/100...

05.01.2025 11:45 👍 3 🔁 1 💬 0 📌 0

Crossposting here: #100daysofyara continuing to explore yara-x, today I tried to detect a renamed QEMU exe using PE attributes and a dynamic variable.

05.01.2025 11:43 👍 7 🔁 3 💬 1 📌 0

Metasploit Weekly Wrap-Up 11/22/2024 | Rapid7 Blog

Roses are red, the sky is blue —
This week's #Metasploit wrap-up has Windows secrets dump improvements (and a JetBrains TeamCity login scanner, too!)

We're bad at poetry but good at shells. Check out the latest. www.rapid7.com/blog/post/20...

22.11.2024 21:01 👍 11 🔁 7 💬 0 📌 0