aarontp
commented
1 month ago Was talking with @wajihyassine about some possibilities for this task. Not sure yet how we would want to run this as running it on every binary would create a lot of noise, so we probably want to filter this down to some interesting subset of binaries. Here are some options:
- Any binary flagged by YARA rules
- Any binary in /tmp, /home or other paths commonly used by malware or not commonly used by system binaries.
- Any binary flagged by LLM analyzer? (not sure if any of the current artifacts analyzed by the LLM analyzer cover binaries, but we could update that)
This might also be another interesting tool to run on the same subset of binaries: https://github.com/mandiant/capa
And just for reference, here is the tool some of these others are based on: https://github.com/mandiant/flare-floss
A Job based on https://www.fireeye.com/blog/threat-research/2019/09/open-sourcing-stringsifter.html would be nice (and easy).