valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-06 18:15:20 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

False Positive 'Tools_termsrv'

Browse Source
This commit is contained in:
Florian Roth 2017-08-31 22:19:14 +02:00
parent c7dc0ceae4
commit d2f0457c9a
1 changed files with 0 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
yara/gen_cn_hacktools.yar
View File

@ -463,24 +463,6 @@ rule MarathonTool_2 {
uint16(0) == 0x5a4d and filesize < 1000KB and all of them
}
rule Tools_termsrv {
meta:
description = "Chinese Hacktool Set - file termsrv.dll"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "294a693d252f8f4c85ad92ee8c618cebd94ef247"
strings:
$s1 = "Iv\\SmSsWinStationApiPort" fullword ascii
$s2 = " TSInternetUser " fullword wide
$s3 = "KvInterlockedCompareExchange" fullword ascii
$s4 = " WINS/DNS " fullword wide
$s5 = "winerror=%1" fullword wide
$s6 = "TermService " fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 1150KB and all of them
}
rule scanms_scanms {
meta:
description = "Chinese Hacktool Set - file scanms.exe"