Improved certutil rule

2024-11-06 18:15:20 +00:00 · 2017-08-30 20:19:09 +02:00 · 2017-08-30 20:19:09 +02:00 · d3a90dfd17
commit d3a90dfd17
parent 76ebe6c67b
1 changed files with 26 additions and 0 deletions
--- a/yara/gen_mal_scripts.yar
+++ b/yara/gen_mal_scripts.yar
@ -57,3 +57,29 @@ rule JavaScript_Run_Suspicious {
      all of them
 }

+/* Certutil Rule Improved */
+
+private rule MSI {
+   strings:
+      $r1 = "SummaryInformation" wide
+   condition:
+      uint16(0) == 0xCFD0 and $r1
+}
+
+rule Certutil_Decode_OR_Download {
+   meta:
+      description = "Certutil Decode"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      score = 40
+      date = "2017-08-29"
+   strings:
+      $a1 = "certutil -decode " ascii wide
+      $a2 = "certutil  -decode " ascii wide
+      $a3 = "certutil.exe -decode " ascii wide
+      $a4 = "certutil.exe  -decode " ascii wide
+      $a5 = "certutil -urlcache -split -f http" ascii wide
+      $a6 = "certutil.exe -urlcache -split -f http" ascii wide
+   condition:
+      ( not MSI and filesize < 700KB and 1 of them )
+}