Section 4.1: Malware Discovery Flashcards
Name the four tools used to detect anomalies inside a system.
Yara, Sigcheck, Capa, and DensityScout.
Describe how to use Yara and how can I create rules.
Yara runs by running [-C] followed by the rules file and then <file> where the rules file will run on. If running multiple signature files, they must be referenced by index to the same file being run. To compile a new rule, use yara64.exe.</file>
What is DensityScout and what does it do? Is output always malicious?
It scans a filesystem for compressed, encrypted, or packed files and tracks their entropy. Density that is less than 0.1 means its high on density making it an anomaly. Output isn’t always malicious so check the hashes for each file.
Command example for searching executables with high density:
Densityscout -pe -r -p -o results.txt C:\Windows\System32.
What is Sigcheck used for?
To check if images are digitally signed.
What does capa do?
It disassembles the binary code in search for well-known patterns. It can be used to reverse-engineer and the rules are written in YAML. It can connect to ATT&CK. It can also use malfind files from memory.
A simple capa command.
Capa.exe -f pe <file></file>
