valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-07 02:25:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Minor changes

Browse Source
This commit is contained in:
Florian Roth 2017-01-31 18:47:29 +01:00
parent df58486639
commit 896b6eeb99
2 changed files with 17 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
yara/apt_derusbi.yar
View File

@ -6,6 +6,13 @@
Identifier: Derusbi Dez 2015
*/
private rule PEFILE {
meta:
description = "Detects portable executable files in a fuzzy way only by detecting the MZ header and not checking for a PE header"
condition:
uint16(0) == 0x5A4D
}
rule derusbi_kernel
{
meta:
@ -17,9 +24,8 @@ rule derusbi_kernel
$token2 = "Wrod--$$$"
$cfg = "XXXXXXXXXXXXXXX"
$class = ".?AVPCC_BASEMOD@@"
$MZ = "MZ"
condition:
$MZ at 0 and $token1 and $token2 and $cfg and $class
PEFILE and $token1 and $token2 and $cfg and $class
}
rule derusbi_linux

13
yara/thor-hacktools.yar
View File

@ -17,6 +17,13 @@
*/
private rule PEFILE {
meta:
description = "Detects portable executable files in a fuzzy way only by detecting the MZ header and not checking for a PE header"
condition:
uint16(0) == 0x5A4D
}
/* WCE */
rule WindowsCredentialEditor
@ -2712,10 +2719,9 @@ rule CN_Portscan : APT
confidential = false
score = 70
strings:
$s1 = "MZ"
$s2 = "TCP 12.12.12.12"
condition:
($s1 at 0) and $s2
PEFILE and $s2
}
rule WMI_vbs : APT
@ -2822,11 +2828,10 @@ rule DarkComet_Keylogger_File
date = "25.07.14"
score = 50
strings:
$magic = "::"
$entry = /\n:: [A-Z]/
$timestamp = /\([0-9]?[0-9]:[0-9][0-9]:[0-9][0-9] [AP]M\)/
condition:
($magic at 0) and #entry > 10 and #timestamp > 10
uint16(0) == 0x3A3A and #entry > 10 and #timestamp > 10
}
/* Mimikatz */