mirror of
https://github.com/valitydev/signature-base.git
synced 2024-11-07 02:25:19 +00:00
47 lines
1.4 KiB
Plaintext
47 lines
1.4 KiB
Plaintext
|
|
/*
|
|
Yara Rule Set
|
|
Author: Florian Roth
|
|
Date: 2017-07-10
|
|
Identifier: Hacking Attempts
|
|
Reference: https://blogs.rsa.com/wp-content/uploads/2017/07/Fig8-netstat_dropped_more.png
|
|
*/
|
|
|
|
/* Rule Set ----------------------------------------------------------------- */
|
|
|
|
rule Recon_Commands_Windows_Gen1 {
|
|
meta:
|
|
description = "Detects a set of reconnaissance commands on Windows systems"
|
|
author = "Florian Roth"
|
|
reference = "Internal Research"
|
|
date = "2017-07-10"
|
|
score = 60
|
|
reference = "https://goo.gl/MSJCxP"
|
|
strings:
|
|
$s1 = "netstat -an" ascii
|
|
$s2 = "net view" ascii fullword
|
|
$s3 = "net user" ascii fullword
|
|
$s4 = "whoami" ascii
|
|
$s5 = "tasklist /v" ascii
|
|
$s6 = "systeminfo" ascii
|
|
$s7 = "net localgroup administrators" ascii
|
|
$s8 = "net user administrator" ascii
|
|
$s9 = "regedit -e " ascii
|
|
$s10 = "tasklist /svc" ascii
|
|
$s11 = "regsvr32 /s /u " ascii
|
|
$s12 = "CreateObject(\"WScript.Shell\").RegWrite" ascii
|
|
$s13 = "bitsadmin /rawreturn /transfer getfile" ascii
|
|
$s14 = "wmic qfe list full" ascii
|
|
$s15 = "schtasks.exe /create " ascii nocase
|
|
$s16 = "wmic share get" ascii
|
|
$s17 = "wmic nteventlog get" ascii
|
|
$s18 = "wevtutil cl " ascii
|
|
$s19 = "sc query type= service" ascii
|
|
$s20 = "arp -a " ascii
|
|
|
|
$fp1 = "avdapp.dll" fullword wide
|
|
condition:
|
|
filesize < 1000KB and 4 of them
|
|
and not 1 of ($fp*)
|
|
}
|