{"id":7043,"date":"2014-08-28T19:46:11","date_gmt":"2014-08-28T19:46:11","guid":{"rendered":"http:\/\/www.bsk-consulting.de\/?p=941"},"modified":"2023-02-02T17:22:34","modified_gmt":"2023-02-02T16:22:34","slug":"scan-system-files-manipulations-yara-inverse-matching-22","status":"publish","type":"post","link":"https:\/\/www.nextron-systems.com\/2014\/08\/28\/scan-system-files-manipulations-yara-inverse-matching-22\/","title":{"rendered":"How to Scan for System File Manipulations with Yara (Part 2\/2)"},"content":{"rendered":"<p>As a follow-up on my <a title=\"Inverse Yara Signature Matching\" href=\"\/2014\/05\/27\/inverse-yara-signature-matching\/\">first article<\/a> about inverse matching yara rules I would like to add a tutorial on how to scan for system file manipulations using Yara and 
Powershell. The idea of inverse matching is that we do not scan for something malicious that we already know but for anomalies within the system files. Chad Tilbury from Crowdstrike referred to this method in his <a title=\"article about inverse yara matching\" href=\"http:\/\/www.crowdstrike.com\/blog\/registry-analysis-crowdresponse\/index.html\" target=\"_blank\" rel=\"noopener noreferrer\">article<\/a> describing a way to scan for this type of anomaly using their incident collection tool CrowdResponse. In my first article I described how we utilize this method in our incident response tool and promised a free solution based on available system tools.<br \/>\nThe yara rules used to apply this method require the name of the observed file. Yara allows the file name to be passed via an external variable, as in the following listing.<\/p>\n<pre>yara32.exe -d filename=iexplore.exe inverse-matching.yar iexplore.exe\n<\/pre>\n<p>But we have to define and pass this &#8220;filename&#8221; variable for every file we analyse while walking the directory tree.<br \/>\nSo &#8211; what do we do?<br \/>\nFirst &#8211; we need a powershell script that walks a directory tree and feeds each file with an &#8220;.exe&#8221; extension, together with the rule set and the file name as an external variable, to yara32.exe. 
You could copy the script and paste it directly into the command line, but I would recommend the following:<br \/>\nPrepare a folder with the following content:<\/p>\n<ol>\n<li>The powershell script as listed below &#8211; name it &#8220;inverse-scan.ps1&#8221;<\/li>\n<li>The ruleset listed below as &#8220;inverse-matching.yar&#8221;<\/li>\n<li>A version of Yara for Windows<\/li>\n<li>A batch script named &#8220;runit.bat&#8221; that invokes the powershell script with the required parameters<\/li>\n<\/ol>\n<p>The final result looks like this:<\/p>\n<div id=\"attachment_943\" style=\"width: 414px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-943\" class=\"wp-image-943 size-full\" src=\"\/wp-content\/uploads\/2014\/08\/ishot-140828-212632.png\" alt=\"Yara Scan on Anomalies\" width=\"404\" height=\"110\" srcset=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2014\/08\/ishot-140828-212632.png 404w, https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2014\/08\/ishot-140828-212632-300x82.png 300w, https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2014\/08\/ishot-140828-212632-400x110.png 400w\" sizes=\"(max-width: 404px) 100vw, 404px\" \/><p id=\"caption-attachment-943\" class=\"wp-caption-text\">Inverse Yara Matching Script Set<\/p><\/div>\n<p>You can copy that folder to the target system, take it with you on a USB drive or provide a network share with its contents.<br \/>\ninverse-scan.ps1<\/p>\n<pre># Walk C:\\Windows recursively (access-denied errors are discarded) and hand every .exe\n# to yara32.exe, passing its file name in the external variable \"filename\" that the rules test\nGet-ChildItem -Recurse -filter *.exe C:\\Windows 2&gt; $null |\nForEach-Object { Write-Host -foregroundcolor \"green\" \"Scanning\"$_.FullName $_.Name; .\/yara32.exe -d filename=$_.Name inverse-matching.yar $_.FullName 2&gt; $null }\n<\/pre>\n<p>runit.bat<\/p>\n<pre>@ECHO OFF\nREM Start the scan script from this folder, bypassing the PowerShell execution policy\npowershell -ExecutionPolicy ByPass -File .\/inverse-scan.ps1\n<\/pre>\n<p>inverse-matching.yar<\/p>\n<pre>rule iexplore_ANOMALY {\n\tmeta:\n\t\tauthor = \"Florian Roth\"\n\t\tdescription = \"Abnormal iexplore.exe - 
typical strings not found in file\"\n\t\tdate = \"23\/04\/2014\"\n\t\tscore = 55\n\tstrings:\n\t\t$upd_magic = { 44 43 }\n\t\t$win2003_win7_u1 = \"IEXPLORE.EXE\" wide nocase\n\t\t$win2003_win7_u2 = \"Internet Explorer\" wide fullword\n\t\t$win2003_win7_u3 = \"translation\" wide fullword nocase\n\t\t$win2003_win7_u4 = \"varfileinfo\" wide fullword nocase\n\tcondition:\n\t\tnot ( $upd_magic at 0 ) and not 1 of ($win*) and filename matches \/iexplore\\.exe\/is\n}\nrule svchost_ANOMALY {\n\tmeta:\n\t\tauthor = \"Florian Roth\"\n\t\tdescription = \"Abnormal svchost.exe - typical strings not found in file\"\n\t\tdate = \"23\/04\/2014\"\n\t\tscore = 55\n\tstrings:\n\t\t$upd_magic = { 44 43 }\n\t\t$win2003_win7_u1 = \"svchost.exe\" wide nocase\n\t\t$win2003_win7_u3 = \"coinitializesecurityparam\" wide fullword nocase\n\t\t$win2003_win7_u4 = \"servicedllunloadonstop\" wide fullword nocase\n\t\t$win2000 = \"Generic Host Process for Win32 Services\" wide fullword\n\t\t$win2012 = \"Host Process for Windows Services\" wide fullword\n\tcondition:\n\t\tfilename matches \/svchost\\.exe\/is and not 1 of ($win*) and not ( $upd_magic at 0 )\n}\nrule explorer_ANOMALY {\n\tmeta:\n\t\tauthor = \"Florian Roth\"\n\t\tdescription = \"Abnormal explorer.exe - typical strings not found in file\"\n\t\tdate = \"27\/05\/2014\"\n\t\tscore = 55\n\tstrings:\n\t\t$upd_magic = { 44 43 }\n\t\t$s1 = \"EXPLORER.EXE\" wide fullword\n\t\t$s2 = \"Windows Explorer\" wide fullword\n\tcondition:\n\t\tfilename matches \/explorer\\.exe\/is and not 1 of ($s*) and not ( $upd_magic at 0 )\n}\nrule sethc_ANOMALY {\n\tmeta:\n\t\tdescription = \"Sethc.exe has been replaced - Indicates Remote Access Hack RDP\"\n\t\tauthor = \"F. 
Roth\"\n\t\treference = \"http:\/\/www.emc.com\/collateral\/white-papers\/h12756-wp-shell-crew.pdf\"\n\t\tdate = \"2014\/01\/23\"\n\t\tscore = 70\n\tstrings:\n\t\t$upd_magic = { 44 43 }\n\t\t$s1 = \"stickykeys\" fullword nocase\n\t\t$s2 = \"stickykeys\" wide nocase\n\t\t$s3 = \"Control_RunDLL access.cpl\" wide fullword\n\t\t$s4 = \"SETHC.EXE\" wide fullword\n\tcondition:\n\t\tfilename matches \/sethc\\.exe\/ and not 1 of ($s*) and not ( $upd_magic at 0 )\n}\nrule Utilman_ANOMALY {\n\tmeta:\n\t\tauthor = \"Florian Roth\"\n\t\tdescription = \"Abnormal utilman.exe - typical strings not found in file\"\n\t\tdate = \"01\/06\/2014\"\n\t\tscore = 55\n\tstrings:\n\t\t$upd_magic = { 44 43 }\n\t\t$win7 = \"utilman.exe\" wide fullword\n\t\t$win2000 = \"Start with Utility Manager\" fullword wide\n\t\t$win2012 = \"utilman2.exe\" fullword wide\n\tcondition:\n\t\tfilename matches \/utilman\\.exe\/is and not 1 of ($win*) and not ( $upd_magic at 0 )\n}\nrule osk_ANOMALY {\n\tmeta:\n\t\tauthor = \"Florian Roth\"\n\t\tdescription = \"Abnormal osk.exe (On Screen Keyboard) - typical strings not found in file\"\n\t\tdate = \"01\/06\/2014\"\n\t\tscore = 55\n\tstrings:\n\t\t$upd_magic = { 44 43 }\n\t\t$s1 = \"Accessibility On-Screen Keyboard\" wide fullword\n\t\t$s2 = \"\\\\oskmenu\" wide fullword\n\t\t$s3 = \"&amp;About On-Screen Keyboard...\" wide fullword\n\t\t$s4 = \"Software\\\\Microsoft\\\\Osk\" wide\n\tcondition:\n\t\tfilename matches \/osk\\.exe\/is and not 1 of ($s*) and not ( $upd_magic at 0 )\n}\nrule magnify_ANOMALY {\n\tmeta:\n\t\tauthor = \"Florian Roth\"\n\t\tdescription = \"Abnormal magnify.exe (Magnifier) - typical strings not found in file\"\n\t\tdate = \"01\/06\/2014\"\n\t\tscore = 55\n\tstrings:\n\t\t$upd_magic = { 44 43 }\n\t\t$win7 = \"Microsoft Screen Magnifier\" wide fullword\n\t\t$win2000 = \"Microsoft Magnifier\" wide fullword\n\t\t$winxp = \"Software\\\\Microsoft\\\\Magnify\" wide\n\tcondition:\n\t\tfilename matches \/magnify\\.exe\/is and not 1 of ($win*) and 
not ( $upd_magic at 0 )\n}\nrule narrator_ANOMALY {\n\tmeta:\n\t\tauthor = \"Florian Roth\"\n\t\tdescription = \"Abnormal narrator.exe - typical strings not found in file\"\n\t\tdate = \"01\/06\/2014\"\n\t\tscore = 55\n\tstrings:\n\t\t$upd_magic = { 44 43 }\n\t\t$win7 = \"Microsoft-Windows-Narrator\" wide fullword\n\t\t$win2000 = \"&amp;About Narrator...\" wide fullword\n\t\t$win2012 = \"Screen Reader\" wide fullword\n\t\t$winxp = \"Software\\\\Microsoft\\\\Narrator\"\n\t\t$winxp_en = \"SOFTWARE\\\\Microsoft\\\\Speech\\\\Voices\" wide\n\tcondition:\n\t\tfilename matches \/narrator\\.exe\/is and not 1 of ($win*) and not ( $upd_magic at 0 )\n}\nrule notepad_ANOMALY {\n\tmeta:\n\t\tauthor = \"Florian Roth\"\n\t\tdescription = \"Abnormal notepad.exe - typical strings not found in file\"\n\t\tdate = \"01\/06\/2014\"\n\t\tscore = 55\n\tstrings:\n\t\t$upd_magic = { 44 43 }\n\t\t$win7 = \"HELP_ENTRY_ID_NOTEPAD_HELP\" wide fullword\n\t\t$win2000 = \"Do you want to create a new file?\" wide fullword\n\t\t$win2003 = \"Do you want to save the changes?\" wide\n\t\t$winxp = \"Software\\\\Microsoft\\\\Notepad\" wide\n\tcondition:\n\t\tfilename matches \/notepad\\.exe\/is and not 1 of ($win*) and not ( $upd_magic at 0 )\n}\n<\/pre>\n<p>Although the string identifiers name only some of the Windows versions, we&#8217;ve tested it against the following versions:<br \/>\nWindows 2000<br \/>\nWindows 2003 Server<br \/>\nWindows 7 (x64)<br \/>\nWindows 2008 R2<br \/>\nWindows 2012<br \/>\nWhat you get as a result is a small anomaly scanner built entirely from Windows tools and Yara. An administrator would just have to click the batch file and run the script with admin rights. 
The following screenshot shows a scan on the Windows folder with a prepared malicious &#8220;iexplore.exe&#8221; in the subfolder &#8220;C:\\Windows\\AA_Testing&#8221;.<\/p>\n<div id=\"attachment_944\" style=\"width: 630px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-944\" class=\"size-large wp-image-944\" src=\"\/wp-content\/uploads\/2014\/08\/ishot-140828-213401.png\" alt=\"Yara Anomaly Scanner \" width=\"620\" height=\"302\" srcset=\"\/wp-content\/uploads\/2014\/08\/ishot-140828-213401.png 620w, \/wp-content\/uploads\/2014\/08\/ishot-140828-213401-480x234.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 620px, 100vw\" \/><p id=\"caption-attachment-944\" class=\"wp-caption-text\">Yara Inverse Matching Anomaly Scanner in Action<\/p><\/div>\n<p>You could remove the section &#8220;Write-Host -foregroundcolor &#8220;green&#8221; &#8220;Scanning&#8221;$_.FullName $_.Name;&#8221; to show only the alerts, or modify the script so that it writes a log file.<br \/>\nWe use all of these rules in our <a title=\"APT Scanner THOR (EN)\" href=\"\/apt-scanner-thor\/\">APT Scanner THOR<\/a> and added further rules matching third-party tools attackers tend to replace or rename.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As a follow up on my first article about inverse matching yara rules I would like to add a tutorial on how to scan for system file manipulations using Yara and Powershell. The idea of inverse matching is that we do not scan for something malicious that we already know but for anomalies within the system files. Chad Tilbury from Crowdstrike related to this method in his article describing a way to scan for this type of anomaly using their incident collection tool CrowdResponse. 
In my first article I described how we utilize this method in our incident response tool and promised a free solution based on available system tools. The yara rules used to apply this method require the name of the observed file. Yara allows the file name to be passed via an external variable like in the following listing. yara32.exe -d filename=iexplore.exe inverse-matching.yar iexplore.exe But we have to define and pass this &#8220;filename&#8221; variable for every file we analyse while walking the directory tree. So &#8211; what do we do? First &#8211; we need a powershell script that walks a directory tree and feeds\u00a0each file with an &#8220;.exe&#8221; extension together with the rule set and the file [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":944,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_gb_content_width":"","footnotes":""},"categories":[316,255,264,269,47],"tags":[448,6,449,450,13,451,257,300,452,9,117,7,453,173,137,100,48],"class_list":["post-7043","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-apt","category-command-line","category-tool","category-tutorial","category-yara","tag-anomaly","tag-apt","tag-attack","tag-batch","tag-detection","tag-files","tag-hacker","tag-intrusion-detection","tag-powershell","tag-response","tag-scan","tag-scanner","tag-script","tag-system","tag-tool","tag-windows","tag-yara"],"yoast_head_json":{"title":"Scan for System File Manipulations with Yara and Powershell","description":"How to Scan for System File Manipulations with Yara using Windows Powershell","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.nextron-systems.com\/2014\/08\/28\/scan-system-files-manipulations-yara-inverse-matching-22\/","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.nextron-systems.com\/2014\/08\/28\/scan-system-files-manipulations-yara-inverse-matching-22\/#article","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/2014\/08\/28\/scan-system-files-manipulations-yara-inverse-matching-22\/"},"author":{"name":"Florian Roth","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919"},"headline":"How to Scan for System File Manipulations with Yara (Part 
2\/2)","datePublished":"2014-08-28T19:46:11+00:00","dateModified":"2023-02-02T16:22:34+00:00","mainEntityOfPage":{"@id":"https:\/\/www.nextron-systems.com\/2014\/08\/28\/scan-system-files-manipulations-yara-inverse-matching-22\/"},"wordCount":603,"publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"image":{"@id":"https:\/\/www.nextron-systems.com\/2014\/08\/28\/scan-system-files-manipulations-yara-inverse-matching-22\/#primaryimage"},"thumbnailUrl":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2014\/08\/ishot-140828-213401.png","keywords":["anomaly","apt","attack","batch","detection","files","Hacker","intrusion detection","powershell","response","scan","scanner","script","system","tool","windows","YARA"],"articleSection":["APT","Command Line","Tool","Tutorial","YARA"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.nextron-systems.com\/2014\/08\/28\/scan-system-files-manipulations-yara-inverse-matching-22\/","url":"https:\/\/www.nextron-systems.com\/2014\/08\/28\/scan-system-files-manipulations-yara-inverse-matching-22\/","name":"Scan for System File Manipulations with Yara and Powershell","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.nextron-systems.com\/2014\/08\/28\/scan-system-files-manipulations-yara-inverse-matching-22\/#primaryimage"},"image":{"@id":"https:\/\/www.nextron-systems.com\/2014\/08\/28\/scan-system-files-manipulations-yara-inverse-matching-22\/#primaryimage"},"thumbnailUrl":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2014\/08\/ishot-140828-213401.png","datePublished":"2014-08-28T19:46:11+00:00","dateModified":"2023-02-02T16:22:34+00:00","description":"How to Scan for System File Manipulations with Yara using Windows 
Powershell","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.nextron-systems.com\/2014\/08\/28\/scan-system-files-manipulations-yara-inverse-matching-22\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/2014\/08\/28\/scan-system-files-manipulations-yara-inverse-matching-22\/#primaryimage","url":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2014\/08\/ishot-140828-213401.png","contentUrl":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2014\/08\/ishot-140828-213401.png","width":673,"height":328,"caption":"Yara Inverse Matching Anomaly Scanner in Action"},{"@type":"WebSite","@id":"https:\/\/www.nextron-systems.com\/#website","url":"https:\/\/www.nextron-systems.com\/","name":"Nextron Systems","description":"We Detect Hackers","publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.nextron-systems.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.nextron-systems.com\/#organization","name":"Nextron Systems GmbH","url":"https:\/\/www.nextron-systems.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","contentUrl":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","width":260,"height":260,"caption":"Nextron Systems GmbH"},"image":{"@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919","name":"Florian 
Roth","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","caption":"Florian Roth"},"description":"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.","url":"https:\/\/www.nextron-systems.com\/author\/florian\/"}]}},"_links":{"self":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/7043","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/comments?post=7043"}],"version-history":[{"count":5,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/7043\/revisions"}],"predecessor-version":[{"id":15937,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/7043\/revisions\/15937"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/media\/944"}],"wp:attachment":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/media?parent=7043"}],"wp:term":[{"taxonomy":"category","embedda
ble":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/categories?post=7043"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/tags?post=7043"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}