Ever think "how do I find this FUD #golang #malware the #redteam use if EDR can't?"

find / -size +5M -type f -executable -exec grep -Erl '\.go$' {} \; 2>/dev/null

Finds docker, minio, a lot of benign, but important binaries. Also finds all those slivers and gscripts.

8:39 PM · Aug 21, 2021

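The heuristic in the tweet above (large executable files that carry Go source-path strings ending in ".go"), wrapped as a script so it can be pointed at a root directory and exercised on constructed sample files. This is an added example, not code from the thread: the function names `find_go_binaries`, `make_samples` and `count_go_binaries`, the sample file contents and the `--demo` flag are all assumptions made here. It keeps the thread's `grep -E '\.go$'` test but quotes `'{}'` and drops `-r` (grep gets one regular file per `-exec`), and uses `-perm -100` (owner execute bit), which both GNU and BSD find accept, in place of the `-executable` / `-perm +111` split.

```shell
#!/bin/sh
# Added example (not from the thread): hunt for large executables that carry
# Go-style source-path strings, the heuristic proposed in the tweet, wrapped
# so it can be run against a chosen root and size threshold.

# find_go_binaries ROOT [SIZE]
# Prints each regular, owner-executable file under ROOT matching the find
# -size expression SIZE (default +5M) that contains a "line" ending in ".go".
# '{}' is quoted and grep runs on one file at a time, so -r is not needed.
# GNU grep may treat NUL as a line terminator in binary input, which is why
# NUL-terminated paths like "main.go\0" inside a binary also satisfy '\.go$'.
find_go_binaries() {
    root=$1
    min_size=${2:-+5M}
    find "$root" -type f -size "$min_size" -perm -100 \
        -exec grep -lE '\.go$' '{}' \; 2>/dev/null
}

# make_samples DIR
# Writes constructed sample files (not real binaries, assumed for illustration)
# so the scan can be exercised offline:
#   bin/implant   executable, Go-style source paths mixed with NUL bytes -> hit
#   bin/hello.sh  executable, no .go strings                           -> miss
#   lib/notes.txt not executable, has .go strings                      -> miss
make_samples() {
    dir=$1
    mkdir -p "$dir/bin" "$dir/lib"
    printf '\000\001\002/home/dev/tool/main.go\000runtime.main\000/usr/lib/go/src/os/file.go\n' \
        > "$dir/bin/implant"
    chmod 755 "$dir/bin/implant"
    printf '#!/bin/sh\necho hello\n' > "$dir/bin/hello.sh"
    chmod 755 "$dir/bin/hello.sh"
    printf 'pkg/mod/github.com/x/y/z.go\n' > "$dir/lib/notes.txt"
    chmod 644 "$dir/lib/notes.txt"
}

# count_go_binaries ROOT [SIZE]
# Number of files find_go_binaries reports; convenient for a quick triage count.
count_go_binaries() {
    find_go_binaries "$1" "${2:-+5M}" | wc -l | tr -d ' '
}

# Demo: build the samples in a temp dir and scan with no size floor (+0 matches
# any non-empty file), since the constructed samples are far smaller than 5M.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_samples "$tmp"
    find_go_binaries "$tmp" +0
    rm -rf "$tmp"
fi
```

Run `sh scan.sh --demo` to see only the executable sample with Go paths reported; on a real host, `find_go_binaries /` with the default `+5M` floor reproduces the tweet's sweep, and the size floor plus the owner-execute bit are what keep the hit list short enough to eyeball. The match is a string heuristic, so as the tweet notes it will also list legitimate Go software (docker, minio and the like); it is a triage filter, not a verdict.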
For BSD: find / -size +5M -type f -perm +111 -exec grep -Erl '\.go$' {} \; 2>/dev/null
I'll throw in windows native, or PS native commands if someone really wants. I don't care as much about that domain.
Replying to @0xpookie @notdan
This isn't my area at all, so honest question (and a comment) - why the '-r' to grep in this case? Also, you may want to quote your {} substitution to prevent issues. And now I'm off to read about EDR...
Good catch - it's not needed! This sort of detection can be clumsily assembled while doing other things on a weekend. This is a tweet, and not a commit after all.