Since the yara64.exe that we use also supports scanning of files and process memory, I'd like to add scans of the image files and process memory of every parent that we can find in the process tree ( I know that process trees can be broken and unreliable - still, I'd like to add it)
The invocation for the image files in the process tree would be:
yara.exe -r [ruleset] [ImageFilePath]
The invocation to scan a certain process memory is:
We could use the rules from our signature-base repository. They are mostly battle tested and should produce false positives on process memory.
Notes:
when using more than a handful of rules it would be necessary to concatenate all rules before applying them to avoid a loop over hundreds of rules AND to make use of the advantages of the Aho–Corasick algorithm used internally by YARA
Since the yara64.exe that we use also supports scanning of files and process memory, I'd like to add scans of the image files and process memory of every parent that we can find in the process tree ( I know that process trees can be broken and unreliable - still, I'd like to add it)
The invocation for the image files in the process tree would be:
The invocation to scan a certain process memory is:
https://yara.readthedocs.io/en/latest/commandline.html
We could use the rules from our signature-base repository. They are mostly battle tested and should produce false positives on process memory.
Notes: