Security on Clean Techhttp://www.lineon.fr/categories/security/Recent content in Security on Clean TechHugoenWed, 01 Apr 2026 00:00:00 +0000Building a Threat Intel CLI Tool in Rusthttp://www.lineon.fr/posts/rust-cli-threat-intel/Wed, 01 Apr 2026 00:00:00 +0000http://www.lineon.fr/posts/rust-cli-threat-intel/<p>Python is the default language for security tooling, but Rust offers compelling advantages for CLI tools that need to be fast, distributable as a single binary, and safe by default. Here&rsquo;s how I built a threat intelligence lookup tool in Rust.</p> <h2 id="the-goal">The goal</h2> <p>A single binary that:</p> <ul> <li>Accepts an IP, domain, or hash as input</li> <li>Queries VirusTotal, AbuseIPDB, and Shodan in parallel</li> <li>Outputs a unified JSON report</li> </ul> <h2 id="project-setup">Project setup</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cargo init threat-lookup </span></span><span class="line"><span class="cl"><span class="nb">cd</span> threat-lookup </span></span><span class="line"><span class="cl">cargo add reqwest --features json,rustls-tls </span></span><span class="line"><span class="cl">cargo add tokio --features full </span></span><span class="line"><span class="cl">cargo add serde --features derive </span></span><span class="line"><span class="cl">cargo add serde_json </span></span><span class="line"><span class="cl">cargo add clap --features derive </span></span></code></pre></div><h2 id="cli-argument-parsing-with-clap">CLI argument parsing with Clap</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-rust" data-lang="rust"><span class="line"><span class="cl"><span class="k">use</span><span class="w"> </span><span class="n">clap</span>::<span class="n">Parser</span><span class="p">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="cp">#[derive(Parser, Debug)]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="cp">#[command(name = </span><span class="s">&#34;threat-lookup&#34;</span><span class="cp">)]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="cp">#[command(about = </span><span class="s">&#34;Query threat intel APIs for IOCs&#34;</span><span class="cp">)]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">struct</span> <span class="nc">Args</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="sd">/// The indicator to look up (IP, domain, or hash) </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">indicator</span>: <span class="nb">String</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="sd">/// Output format </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="cp">#[arg(short, long, default_value = </span><span class="s">&#34;json&#34;</span><span class="cp">)]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">format</span>: <span class="nb">String</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="sd">/// Verbose output </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="cp">#[arg(short, long)]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">verbose</span>: <span class="kt">bool</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="p">}</span><span class="w"> </span></span></span></code></pre></div><h2 id="parallel-api-queries-with-tokio">Parallel API queries with Tokio</h2> <p>The key advantage of Rust here is safe, zero-cost concurrency. All three API calls happen simultaneously:</p>Writing Effective YARA Rules for Cobalt Strike Beacon Detectionhttp://www.lineon.fr/posts/yara-rules-for-cobalt-strike/Sat, 28 Mar 2026 00:00:00 +0000http://www.lineon.fr/posts/yara-rules-for-cobalt-strike/<p>Cobalt Strike remains one of the most prevalent post-exploitation frameworks used by both red teams and threat actors. Detecting its beacons through YARA rules is a fundamental skill for any SOC analyst or threat hunter.</p> <h2 id="understanding-beacon-artifacts">Understanding beacon artifacts</h2> <p>Cobalt Strike beacons leave identifiable patterns in both their staged and stageless payloads. The key areas to target are:</p> <ol> <li><strong>Configuration blocks</strong> — the beacon stores its config in a predictable structure</li> <li><strong>Sleep mask routines</strong> — the obfuscation applied during sleep cycles</li> <li><strong>Named pipe patterns</strong> — default pipe names are a common indicator</li> </ol> <h2 id="a-basic-detection-rule">A basic detection rule</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">rule CobaltStrike_Beacon_Config </span></span><span class="line"><span class="cl">{ </span></span><span class="line"><span class="cl"> meta: </span></span><span class="line"><span class="cl"> description = &#34;Detects Cobalt Strike beacon configuration block&#34; </span></span><span class="line"><span class="cl"> author = &#34;SOC Team&#34; </span></span><span class="line"><span class="cl"> date = &#34;2026-03&#34; </span></span><span class="line"><span class="cl"> severity = &#34;high&#34; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> strings: </span></span><span class="line"><span class="cl"> $config_header = { 00 01 00 01 00 02 ?? ?? 00 02 00 01 00 02 ?? ?? } </span></span><span class="line"><span class="cl"> $default_pipe = &#34;\\\\.\\pipe\\msagent_&#34; ascii wide </span></span><span class="line"><span class="cl"> $watermark = { 00 09 00 02 00 04 } </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> condition: </span></span><span class="line"><span class="cl"> uint16(0) == 0x5A4D and </span></span><span class="line"><span class="cl"> filesize &lt; 1MB and </span></span><span class="line"><span class="cl"> ($config_header or $default_pipe) and </span></span><span class="line"><span class="cl"> $watermark </span></span><span class="line"><span class="cl">} </span></span></code></pre></div><h2 id="hunting-in-memory">Hunting in memory</h2> <p>For in-memory detection, you&rsquo;ll want rules that match against the decrypted beacon configuration. Use a tool like <code>pe-sieve</code> or <code>BeaconEye</code> to dump process memory first, then scan:</p>