@cyb3rops @bh4b3sh @SecurePeacock You can monitor named pipes via file events.
Just monitor file create, delete and change events for \\.\pipe\ and you are good to go. I hope this helps.
@wxs @cyb3rops I'm currently testing on a list of a few hundred Go executables we already had, cross-checking the results of the Go and C implementations. That's helpful so far, but we'll need more work on tests as we move out of the draft stage.
First peek at our imphash equivalent, called gimphash, for Go binaries.
You can see that
- we're able to group related samples
- the hashes are specific enough
I'm looking forward to sharing the specification (draft) as well as my colleague's C and Go implementations ASAP.
@invisig0th @cyb3rops Currently we sort the imports. I'll need to run some tests to check whether the order in which the packages appear in the pclntab is deterministic. If it is, not sorting sounds like a good idea.
@cyb3rops Do the Go imports retain an ordering that is a function of their order in the source/build, similar to PEs, or do they get normalized? Source/build-oriented ordering was a critical characteristic in making sure imphash sufficiently differentiated binaries with similar functionality :)
@gero_aka_red @cyb3rops Try running thor-lite-util upgrade --force; that should update thor-lite to the latest version (where that bug is fixed) and download the newest signatures.
@thor_scanner Is there a problem with updating THOR Lite? I get the error "Received version 21.8.21-102047 is older than installed version 21.8.9-155823".