John's content is really inspiring and his prowess in the field is something to behold. Quick question: how do I identify a malicious thread located in a memory dump file using memory forensics tools like Volatility?
I think YARA is a good tool to build your own antivirus client if you absolutely don't trust any existing AV solution or want a lightweight, dumbed-down, and customized AV.
@newwindserver YARA can effectively detect certain types of variable obfuscation based on pattern occurrences or certain strings/operations/data surrounding certain functions. But in general, we leverage different tools for this. YARA can and does support a large portion of antivirus solutions, but they're combined with other tools to perform the task.
Nice video, John! Quick question: how do you do a YARA rule scan for multiple hosts? For example, if we are looking for a signature on all the users' endpoints, what would be the easier way to run it and pull that report? Thank you.
You can do this in a few ways: if you want to scan hosts directly, something like Ansible is really going to prop up your SOC to distribute and establish any sort of scanning. We locally host our ruleset in a single location, and then pull that ruleset every time we perform a scan so we're operating on the most recent version. Ultimately, it's typically a matter of simply pulling a ruleset from a single consolidated location to ensure you're operating on an updated ruleset, and then invoking it across each machine.
I ran into a problem when importing all rules recursively and detecting using Python with rules downloaded from the same repo, but I solved it by removing certain .yar files that listed, and acted like an index to, every other actual rule file.
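The index-file problem described in the comment above, as an added example (not the commenter's code and not part of the video): walk a rule repository recursively, skip files that only `include` other rule files, and hand the rest to yara-python keyed by path. The sample repository layout and rule names are constructed for the demo; the only real library call is `yara.compile(filepaths=...)`.

```python
import re
import tempfile
from pathlib import Path

# An "index" file in a YARA rule repo only `include`s other rule files. Passing it to the
# compiler together with the files it includes loads every rule twice, which fails with a
# duplicated-identifier error (or, with per-file namespaces, makes each rule fire twice).
INCLUDE_RE = re.compile(r'^\s*include\s+"[^"]+"', re.MULTILINE)
RULE_RE = re.compile(r'^\s*(?:(?:private|global)\s+)*rule\s+\w+', re.MULTILINE)
RULE_SUFFIXES = {".yar", ".yara"}

def collect_rule_files(rules_dir):
    """Walk rules_dir recursively; return {relative_path: absolute_path} for every
    file that defines at least one rule itself, skipping include-only index files."""
    root = Path(rules_dir)
    selected = {}
    for path in sorted(root.rglob("*")):
        if path.suffix not in RULE_SUFFIXES or not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        if INCLUDE_RE.search(text) and not RULE_RE.search(text):
            continue  # index-style file: includes others, defines nothing itself
        selected[path.relative_to(root).as_posix()] = str(path)
    return selected

def compile_if_available(filepaths):
    """Feed the selection to yara-python; the dict keys become namespaces, so each
    file's rule identifiers are isolated. Returns None if yara is not installed."""
    try:
        import yara  # provided by the yara-python package
    except ImportError:
        return None
    return yara.compile(filepaths=filepaths)

def build_demo_repo():
    """Constructed sample repo: two real rule files plus an index that includes both."""
    root = Path(tempfile.mkdtemp(prefix="yara-demo-"))
    (root / "malware").mkdir()
    (root / "malware" / "dropper.yar").write_text(
        'rule Dropper { strings: $s = "constructed-sample" condition: $s }\n')
    (root / "malware" / "loader.yar").write_text(
        'private rule LoaderHelper { condition: filesize > 0 }\n'
        'rule Loader { condition: LoaderHelper }\n')
    (root / "index.yar").write_text(
        'include "malware/dropper.yar"\ninclude "malware/loader.yar"\n')
    return root

if __name__ == "__main__":
    files = collect_rule_files(build_demo_repo())
    print(f"compiling {len(files)} rule files: {sorted(files)}")  # index.yar is skipped
    print("yara-python not installed" if compile_if_available(files) is None else "compiled")
```

Point `collect_rule_files` at a checkout of the repo you pull before each scan and the index files no longer need to be deleted by hand.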
How much info do you have with Linux for people who absolutely hate "wind blows" Windows? I know a lot of beta tests are run on Linux, but most people with desktops dual-boot their computers. Anything other than doing what I just did (posting disparaging remarks, sorry) would help. Thanks 👍
Even if all of your machines are Linux machines, Windows still has the biggest market share, so you still need to know how it works. You would be severely limiting yourself, otherwise.