
1. Is there any way in Yara to count the no. of any characters repeated in the command line?

Below is the scenario I am trying to solve:

https://redcanary.com/threat-detection-report/techniques/obfuscated-files-information/

How about using re.regex? For example, let's say the field that contains the command line is "target.process.command_line" and we will condition it with $process.

re.regex($process.target.process.command_line, /.*%.*%.*%.*%.*%.*/)

The above will match 5 or more uses of %, with anything before or after them; further exclusions should be applied based on your environment.

Optimized approach 😁

target.process.command_line = /(.*(\\^|\\$|\\%|\\+).*){5,}/
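To see what the two patterns in this thread actually match, here is a small Python emulation (an added example, not code from the thread or from Google SecOps). It assumes Python's re behaves like RE2 for these simple patterns and runs them over constructed command lines.

```python
import re

# Marker characters used by the second reply's pattern: caret (cmd escape),
# dollar (PowerShell variables), percent (env-var expansion), plus (concatenation).
MARKERS = "^$%+"

# First reply's pattern: five or more '%' characters with anything between them.
PERCENT_X5 = re.compile(r".*%.*%.*%.*%.*%.*")

# Second reply's pattern in Python re syntax. Every repetition of the group must
# consume at least one marker, so {5,} means five or more markers of any mix.
# Note: YARA-L uses RE2 (linear time); Python's re backtracks, so keep inputs short.
MIXED_X5 = re.compile(r"(.*[\^$%+].*){5,}")


def count_markers(cmd: str) -> int:
    """Explicit count of marker characters; this is what both regexes approximate."""
    return sum(1 for ch in cmd if ch in MARKERS)


def percent_rule(cmd: str) -> bool:
    """Emulates re.regex(..., /.*%.*%.*%.*%.*%.*/): unanchored search."""
    return PERCENT_X5.search(cmd) is not None


def mixed_rule(cmd: str) -> bool:
    """Emulates command_line = /(.*(\^|\$|\%|\+).*){5,}/: unanchored search."""
    return MIXED_X5.search(cmd) is not None


def evaluate(cmd: str) -> dict:
    """Returns the marker count and the verdict of each rule for one command line."""
    return {"markers": count_markers(cmd),
            "percent_rule": percent_rule(cmd),
            "mixed_rule": mixed_rule(cmd)}


# Constructed samples (not real telemetry): a caret-obfuscated echo, a benign
# command that only looks noisy because of env-var expansion, and a plain one.
SAMPLES = {
    "caret_obfuscated": r"cmd.exe /c e^c^h^o h^e^l^l^o",
    "env_var_benign": r'cmd.exe /c copy "%USERPROFILE%\a.txt" "%TEMP%\b.txt" "%APPDATA%\c.txt"',
    "plain": r"notepad.exe C:\Users\alice\notes.txt",
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(name, evaluate(cmd))
```

The env-var sample shows why the replies mention exclusions: six legitimate `%` characters trip both rules, while the caret-only sample is caught by the mixed pattern but not by the `%`-only one.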
