Since I'm a fan of efficient forensic analysis, I've created a YARA rule that detects downloads blocked by security solutions - uses external var (works in LOKI & THOR)
@malmoeb's tweet: tweeter.jakobs.systems/malmoeb/status/1…
@virustotal query: virustotal.com/gui/search/fi…
github.com/Neo23x0/signature…
Replying to @malmoeb
2/ But the best part was: the file was not an executable at all! The proxy prevented the download due to the "Malicious Websites" category. Within the error message from the proxy, the malicious domain was visible. Another easily gained IOC to hunt for 🤠

Jan 28, 2023 · 11:06 AM UTC
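The idea from the thread, written out as an added example rule (this is not the rule from the tweet or from the signature-base repository): a file whose name says "download" but whose content is a web-proxy block page. It assumes the scanner defines the external variable `extension` (LOKI and THOR do; the dot handling and the block-page phrases below are assumptions/constructed samples).

```yara
/* Added example, not the original author's rule. Assumes the external
   variable "extension" is defined by the scanner (LOKI/THOR do this);
   for a manual test: yara -d extension=.exe rule.yar blocked_download.exe
   Without the external variable the rule does not compile. */
rule SUSP_Blocked_Download_Is_Proxy_Blockpage_Example {
    meta:
        description = "Download saved under an executable/archive name whose content is a web-filter block page (example rule)"
        author = "example, not from the original thread"
        score = 60
    strings:
        // the 'download' is really HTML
        $html1 = "<html" ascii nocase
        $html2 = "<!DOCTYPE html" ascii nocase

        // phrases typical of proxy / web-filter block pages (constructed list;
        // extend with the wording of your own proxy's error page)
        $block1 = "Malicious Websites" ascii wide
        $block2 = "access to this site has been blocked" ascii wide nocase
        $block3 = "URL Category" ascii wide nocase
        $block4 = "blocked by your organization" ascii wide nocase
        $block5 = "Web Page Blocked" ascii wide nocase
    condition:
        filesize < 200KB
        // not a real PE or ZIP/Office container
        and uint16(0) != 0x5A4D
        and uint32(0) != 0x04034B50
        and 1 of ($html*)
        and 1 of ($block*)
        // external variable from LOKI/THOR: name looks like a binary/archive
        // (assumed to be ".exe" or "exe", so the dot is optional)
        and extension matches /^\.?(exe|msi|dll|zip|rar|7z|iso|js|vbs|ps1|bat|scr)$/i
}
```

A hit is a hunting lead rather than a verdict: open the matched block page and carry the blocked domain it names into the IOC list, as the thread describes.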