Module 5: File and Memory Hunting
Hunt at the file and memory level. Build YARA rules for hunting, stack file metadata for anomalies, decode encoded payloads, and analyze memory artifacts.
Lessons & Labs
Lesson 5.1 — YARA for Hunters
Building hunt-specific YARA rules versus detection rules. The three-lens indicator model, corpus testing, and the _hunt vs _alert rule-naming conventions.
Lab 5.1 — YARA Hunting Sweep
Build hunt-focused YARA rules targeting file characteristics from the lab scenarios. Test against malicious and benign corpora.
Lesson 5.2 — Stacking File Metadata
File frequency analysis, naming convention anomalies, path depth analysis, and creation time clustering. Finding the one suspicious file among thousands.
Lab 5.2 — File Metadata Stacking
Use Velociraptor to stack file metadata across the endpoint. Identify outliers by creation time, naming pattern, and file location.
Lesson 5.3 — Encoded Payload Identification
Detecting Base64, XOR, PowerShell -Enc, and certutil patterns in log data and on disk. Decoding techniques and evasion-aware hunting.
Lab 5.3 — Encoded Payload Analysis
Find and decode encoded payloads in shared Wazuh data. Trace the encoding chain from delivery to execution.
Lesson 5.4 — Memory Artifact Indicators
Process hollowing telemetry, injected thread signals, handle analysis, and RWX memory region detection. Hunting for fileless threats.