PowerShell Inside a Certificate? – Part 3

In the first part of this series, we explained the internal structure of certificates and how this knowledge can help us detect fake certificates. In this part, we will provide different rules that you can use in your organization to detect these certificates. YARA This is the YARA rule that started this research: This YARA … Continue reading PowerShell Inside a Certificate? – Part 3

PowerShell Inside a Certificate? – Part 2

In our previous blogpost, we developed a method to detect certificate files that do not contain a real certificate. Trojanized certificates like these are often not detected by AV and IDS. Although we found all kinds of payloads, fake certificates containing a Windows executable appear to be the most common. In this post we will … Continue reading PowerShell Inside a Certificate? – Part 2

PowerShell Inside a Certificate? – Part 1

With the help of a specifically crafted YARA rule developed by NVISO analysts, we found multiple certificate files (.crt) that do not contain a certificate, but instead a malicious PowerShell script. In this blog post, we explain how we crafted this YARA rule. Certificates Certificate files in Windows can have different extensions, like .cer and … Continue reading PowerShell Inside a Certificate? – Part 1

Using binsnitch.py to detect files touched by malware

Yesterday, we released binsnitch.py - a tool you can use to detect unwanted changes to the file sytem. The tool and documentation is available here: https://github.com/NVISO-BE/binsnitch. Binsnitch can be used to detect silent (unwanted) changes to files on your system. It will scan a given directory recursively for files and keep track of any changes it detects, based … Continue reading Using binsnitch.py to detect files touched by malware

Developing complex Suricata rules with Lua – part 2

In part 1 we showed a Lua program to have Suricata detect PDF documents with obfuscated /JavaScript names. In this second part we provide some tips to streamline the development of such programs. When it comes to developing Lua programs, Suricata is not the best development environment. The "write code & test"-cycle with Suricata can … Continue reading Developing complex Suricata rules with Lua – part 2

Developing complex Suricata rules with Lua – part 1

The Suricata detection engine supports rules written in the embeddable scripting language Lua. In this post we give a PoC Lua script to detect PDF documents with name obfuscation. One of the elements that make up a PDF, is a name. A name is a reserved word that starts with character / followed by alphanumerical characters. Example: /JavaScript. … Continue reading Developing complex Suricata rules with Lua – part 1