From 0a28b3e0cbfa87788ef9e0d929dc4d5387071a5a Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 28 Jan 2021 12:34:53 +0100
Subject: [PATCH] SYS Driver negative matches

---
 yara/thor_inverse_matches.yar | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/yara/thor_inverse_matches.yar b/yara/thor_inverse_matches.yar
index 4962a47..af893df 100644
--- a/yara/thor_inverse_matches.yar
+++ b/yara/thor_inverse_matches.yar
@@ -14,6 +14,8 @@ Copyright and related rights waived via https://creativecommons.org/licenses/by-nc-sa/4.0/ */
+import "pe"
+
 private rule WINDOWS_UPDATE_BDC {
    condition:
@@ -463,3 +465,19 @@ rule APT_SUSP_Solarwinds_Orion_Config_Anomaly_Dec20 {
       and $s1
       and not $fp1
 }
+
+rule SUSP_System32_SYS_Driver_Jan21_1 {
+   meta:
+      description = "Detects a suspicious *.sys files in System32 folder apart from Microsoft's own drivers"
+      author = "Florian Roth"
+      reference = "https://twitter.com/richinseattle/status/1353983520973090816"
+      date = "2021-01-26"
+      score = 60
+      type = "file"
+      nodeepdive = 1
+   condition:
+      extension == ".sys" and
+      filepath matches /^C:\\Windows\\System32$/i and
+      not filename matches /^win32/ and
+      pe.number_of_signatures < 1
+}
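Review bot: The `not filename matches /^win32/` exclusion in the condition of `SUSP_System32_SYS_Driver_Jan21_1` is a bare prefix allowlist, so an unsigned driver that an attacker simply names `win32<anything>.sys` and drops into System32 is exempted from the rule, and because it lacks the `/i` flag that the `filepath` regex carries, a file stored as `Win32k.sys` on the case-insensitive volume is not exempted at all. Pin the exclusion to the specific Microsoft names it is meant to cover and make it case-insensitive, e.g. `not filename matches /^win32k(base|full)?\.sys$/i`, confirming the exact set against a clean install. Note also that `pe.number_of_signatures < 1` only tests for an embedded Authenticode signature and says nothing about catalog signing, which is how most in-box Microsoft drivers are signed, so further legitimate matches beyond win32k.sys should be expected and the score of 60 should not be raised without a stronger signal. The `filepath` anchor `/^C:\\Windows\\System32$/i` also deliberately excludes `System32\drivers` and any non-C: system drive; if that is intended, the description should say so, and it would read better as `"Detects a suspicious *.sys file directly in the System32 folder that is not one of Microsoft's own drivers"`.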