{"id":1377,"date":"2015-12-22T08:23:24","date_gmt":"2015-12-22T08:23:24","guid":{"rendered":"https:\/\/www.bsk-consulting.de\/?p=1377"},"modified":"2022-10-04T18:14:11","modified_gmt":"2022-10-04T16:14:11","slug":"yara-rules-to-detect-uncommon-system-file-sizes","status":"publish","type":"post","link":"https:\/\/www.nextron-systems.com\/2015\/12\/22\/yara-rules-to-detect-uncommon-system-file-sizes\/","title":{"rendered":"YARA Rules to Detect Uncommon System File Sizes"},"content":{"rendered":"<p>YARA is an awesome tool especially for incident responders and forensic investigators. In my scanners I use YARA for anomaly detection on files. 
I already created some articles on &#8220;<a href=\"\/2014\/08\/28\/scan-system-files-manipulations-yara-inverse-matching-22\/\">Detecting System File Anomalies with YARA<\/a>&#8221; which focus on the expected contents of system files, but today I would like to focus on the size of certain system files.<br \/>\nI did a statistical analysis in order to rate a suspicious &#8220;csrss.exe&#8221; file and noticed that the size of the malicious file was way beyond the typical file size. I thought that I should do this for other typically abused file names based on this <a href=\"http:\/\/www.hexacorn.com\/blog\/2015\/12\/18\/the-typographical-and-homomorphic-abuse-of-svchost-exe-and-other-popular-file-names\/\" target=\"_blank\" rel=\"noopener noreferrer\">blog post<\/a> by @hexacorn.<br \/>\nI used my VT Intelligence access and burned some searches to create this list.<br \/>\n<div id=\"attachment_1395\" style=\"width: 190px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-1395\" src=\"\/wp-content\/uploads\/2015\/12\/Screen-Shot-2015-12-23-at-16.56.51.png\" alt=\"System Files and Sizes\" width=\"180\" height=\"631\" class=\"size-full wp-image-1395\" \/><p id=\"caption-attachment-1395\" class=\"wp-caption-text\">System Files and Sizes<\/p><\/div><br \/>\nYou can find a spreadsheet of this list <a href=\"https:\/\/docs.google.com\/spreadsheets\/d\/1yrEsS2w-wPNLoKhu-VuhK9aldiWrBJutxygde-9DALM\/edit#gid=0\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>. It can be edited by everyone.<br \/>\nI created some YARA rules that require the <a href=\"https:\/\/yara.readthedocs.org\/en\/v3.4.0\/writingrules.html#external-variables\" target=\"_blank\" rel=\"noopener noreferrer\">external variable<\/a> &#8220;filename&#8221; to be defined. 
<a href=\"https:\/\/github.com\/Neo23x0\/Loki\" target=\"_blank\" rel=\"noopener noreferrer\">LOKI<\/a> and <a href=\"\/apt-scanner-thor\/\" target=\"_blank\" rel=\"noopener noreferrer\">THOR<\/a> use the &#8220;filename&#8221; and other external variables by default.<br \/>\nUPDATE 23.12.15 4:50pm:<br \/>\nI&#8217;ll update the list on the LOKI GitHub page. For a current version of the YARA signatures visit <a href=\"https:\/\/github.com\/Neo23x0\/Loki\/blob\/master\/signatures\/generic_anomalies.yar\" target=\"_blank\" rel=\"noopener noreferrer\">this page<\/a>.<\/p>\n<pre>\nrule Suspicious_Size_explorer_exe {\n    meta:\n        description = \"Detects uncommon file size of explorer.exe\"\n        author = \"Florian Roth\"\n        score = 60\n        date = \"2015-12-21\"\n    condition:\n        uint16(0) == 0x5a4d\n        and filename == \"explorer.exe\"\n        and ( filesize < 1000KB or filesize > 3000KB )\n}\nrule Suspicious_Size_chrome_exe {\n    meta:\n        description = \"Detects uncommon file size of chrome.exe\"\n        author = \"Florian Roth\"\n        score = 60\n        date = \"2015-12-21\"\n    condition:\n        uint16(0) == 0x5a4d\n        and filename == \"chrome.exe\"\n        and ( filesize < 500KB or filesize > 1300KB )\n}\nrule Suspicious_Size_csrss_exe {\n    meta:\n        description = \"Detects uncommon file size of csrss.exe\"\n        author = \"Florian Roth\"\n        score = 60\n        date = \"2015-12-21\"\n    condition:\n        uint16(0) == 0x5a4d\n        and filename == \"csrss.exe\"\n        and ( filesize > 18KB )\n}\nrule Suspicious_Size_iexplore_exe {\n    meta:\n        description = \"Detects uncommon file size of iexplore.exe\"\n        author = \"Florian Roth\"\n        score = 60\n        date = \"2015-12-21\"\n    condition:\n        uint16(0) == 0x5a4d\n        and filename == \"iexplore.exe\"\n        and ( filesize < 75KB or filesize > 910KB )\n}\nrule Suspicious_Size_firefox_exe {\n    meta:\n        
description = \"Detects uncommon file size of firefox.exe\"\n        author = \"Florian Roth\"\n        score = 60\n        date = \"2015-12-21\"\n    condition:\n        uint16(0) == 0x5a4d\n        and filename == \"firefox.exe\"\n        and ( filesize < 265KB or filesize > 910KB )\n}\nrule Suspicious_Size_java_exe {\n    meta:\n        description = \"Detects uncommon file size of java.exe\"\n        author = \"Florian Roth\"\n        score = 60\n        date = \"2015-12-21\"\n    condition:\n        uint16(0) == 0x5a4d\n        and filename == \"java.exe\"\n        and ( filesize < 140KB or filesize > 900KB )\n}\nrule Suspicious_Size_lsass_exe {\n    meta:\n        description = \"Detects uncommon file size of lsass.exe\"\n        author = \"Florian Roth\"\n        score = 60\n        date = \"2015-12-21\"\n    condition:\n        uint16(0) == 0x5a4d\n        and filename == \"lsass.exe\"\n        and ( filesize < 13KB or filesize > 45KB )\n}\nrule Suspicious_Size_svchost_exe {\n    meta:\n        description = \"Detects uncommon file size of svchost.exe\"\n        author = \"Florian Roth\"\n        score = 60\n        date = \"2015-12-21\"\n    condition:\n        uint16(0) == 0x5a4d\n        and filename == \"svchost.exe\"\n        and ( filesize < 14KB or filesize > 40KB )\n}\nrule Suspicious_Size_winlogon_exe {\n    meta:\n        description = \"Detects uncommon file size of winlogon.exe\"\n        author = \"Florian Roth\"\n        score = 60\n        date = \"2015-12-21\"\n    condition:\n        uint16(0) == 0x5a4d\n        and filename == \"winlogon.exe\"\n        and ( filesize < 279KB or filesize > 510KB )\n}\nrule Suspicious_Size_igfxhk_exe {\n    meta:\n        description = \"Detects uncommon file size of igfxhk.exe\"\n        author = \"Florian Roth\"\n        score = 60\n        date = \"2015-12-21\"\n    condition:\n        uint16(0) == 0x5a4d\n        and filename == \"igfxhk.exe\"\n        and ( filesize < 200KB or filesize > 265KB 
)\n}\nrule Suspicious_Size_servicehost_dll {\n    meta:\n        description = \"Detects uncommon file size of servicehost.dll\"\n        author = \"Florian Roth\"\n        score = 60\n        date = \"2015-12-23\"\n    condition:\n        uint16(0) == 0x5a4d\n        and filename == \"servicehost.dll\"\n        and filesize > 150KB\n}\nrule Suspicious_Size_rundll32_exe {\n    meta:\n        description = \"Detects uncommon file size of rundll32.exe\"\n        author = \"Florian Roth\"\n        score = 60\n        date = \"2015-12-23\"\n    condition:\n        uint16(0) == 0x5a4d\n        and filename == \"rundll32.exe\"\n        and ( filesize < 30KB or filesize > 60KB )\n}\nrule Suspicious_Size_taskhost_exe {\n    meta:\n        description = \"Detects uncommon file size of taskhost.exe\"\n        author = \"Florian Roth\"\n        score = 60\n        date = \"2015-12-23\"\n    condition:\n        uint16(0) == 0x5a4d\n        and filename == \"taskhost.exe\"\n        and ( filesize < 45KB or filesize > 85KB )\n}\nrule Suspicious_Size_spoolsv_exe {\n    meta:\n        description = \"Detects uncommon file size of spoolsv.exe\"\n        author = \"Florian Roth\"\n        score = 60\n        date = \"2015-12-23\"\n    condition:\n        uint16(0) == 0x5a4d\n        and filename == \"spoolsv.exe\"\n        and ( filesize < 50KB or filesize > 800KB )\n}\nrule Suspicious_Size_smss_exe {\n    meta:\n        description = \"Detects uncommon file size of smss.exe\"\n        author = \"Florian Roth\"\n        score = 60\n        date = \"2015-12-23\"\n    condition:\n        uint16(0) == 0x5a4d\n        and filename == \"smss.exe\"\n        and ( filesize < 40KB or filesize > 140KB )\n}\nrule Suspicious_Size_wininit_exe {\n    meta:\n        description = \"Detects uncommon file size of wininit.exe\"\n        author = \"Florian Roth\"\n        score = 60\n        date = \"2015-12-23\"\n    condition:\n        uint16(0) == 0x5a4d\n        and filename == \"wininit.exe\"\n  
      and ( filesize < 90KB or filesize > 250KB )\n}\n<\/pre>\n<p>I ran this rule set over my goodware database and got only a few false positives. Feel free to use these rules wherever you like but please share new rules or statistical analyses on other system files.<br \/>\n<div id=\"attachment_1379\" style=\"width: 605px\" class=\"wp-caption alignleft\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-1379\" class=\"size-full wp-image-1379\" src=\"\/wp-content\/uploads\/2015\/12\/Screen-Shot-2015-12-22-at-08.48.19.png\" alt=\"Yara System File Checks - False Positives\" width=\"595\" height=\"243\" \/><p id=\"caption-attachment-1379\" class=\"wp-caption-text\">False Positives<\/p><\/div><\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[34,87,32,264,269,47],"tags":[524,6,525,13,451,526,124,62,527,173,48],"class_list":["post-1377","post","type-post","status-publish","format-standard","hentry","category-loki","category-security-monitoring","category-thor","category-tool","category-tutorial","category-yara","tag-anomaly-anomalies","tag-apt","tag-common","tag-detection","tag-files","tag-filesize","tag-malware","tag-rules","tag-statistics","tag-system","tag-yara"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>YARA 
Rules to Detect Uncommon System File Sizes - Nextron Systems<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.nextron-systems.com\/2015\/12\/22\/yara-rules-to-detect-uncommon-system-file-sizes\/\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.nextron-systems.com\/2015\/12\/22\/yara-rules-to-detect-uncommon-system-file-sizes\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2015\/12\/22\/yara-rules-to-detect-uncommon-system-file-sizes\/\"},\"author\":{\"name\":\"Florian Roth\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\"},\"headline\":\"YARA Rules to Detect Uncommon System File Sizes\",\"datePublished\":\"2015-12-22T08:23:24+00:00\",\"dateModified\":\"2022-10-04T16:14:11+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2015\/12\/22\/yara-rules-to-detect-uncommon-system-file-sizes\/\"},\"wordCount\":378,\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"keywords\":[\"anomaly. 
anomalies\",\"apt\",\"common\",\"detection\",\"files\",\"filesize\",\"malware\",\"Rules\",\"statistics\",\"system\",\"YARA\"],\"articleSection\":[\"LOKI\",\"Security Monitoring\",\"THOR\",\"Tool\",\"Tutorial\",\"YARA\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.nextron-systems.com\/2015\/12\/22\/yara-rules-to-detect-uncommon-system-file-sizes\/\",\"url\":\"https:\/\/www.nextron-systems.com\/2015\/12\/22\/yara-rules-to-detect-uncommon-system-file-sizes\/\",\"name\":\"YARA Rules to Detect Uncommon System File Sizes - Nextron Systems\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#website\"},\"datePublished\":\"2015-12-22T08:23:24+00:00\",\"dateModified\":\"2022-10-04T16:14:11+00:00\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.nextron-systems.com\/2015\/12\/22\/yara-rules-to-detect-uncommon-system-file-sizes\/\"]}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.nextron-systems.com\/#website\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"name\":\"Nextron Systems\",\"description\":\"We Detect Hackers\",\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.nextron-systems.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\",\"name\":\"Nextron Systems 
GmbH\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"contentUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"width\":260,\"height\":260,\"caption\":\"Nextron Systems GmbH\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\",\"name\":\"Florian Roth\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"caption\":\"Florian Roth\"},\"description\":\"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.\",\"url\":\"https:\/\/www.nextron-systems.com\/author\/florian\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->"}