mirror of
https://github.com/valitydev/signature-base.git
synced 2024-11-06 10:05:18 +00:00
44 lines
1.5 KiB
Plaintext
44 lines
1.5 KiB
Plaintext
/*
|
|
Yara Rule Set
|
|
Author: Florian Roth
|
|
Date: 2017-10-02
|
|
Identifier: Red Sails
|
|
Reference: https://github.com/BeetleChunks/redsails
|
|
*/
|
|
|
|
/* Rule Set ----------------------------------------------------------------- */
|
|
|
|
rule redSails_EXE {
|
|
meta:
|
|
description = "Detects Red Sails Hacktool by WinDivert references"
|
|
license = "https://creativecommons.org/licenses/by-nc/4.0/"
|
|
author = "Florian Roth"
|
|
reference = "https://github.com/BeetleChunks/redsails"
|
|
date = "2017-10-02"
|
|
hash1 = "7a7861d25b0c038d77838ecbd5ea5674650ad4f5faf7432a6f3cfeb427433fac"
|
|
strings:
|
|
$s1 = "bWinDivert64.dll" fullword ascii
|
|
$s2 = "bWinDivert32.dll" fullword ascii
|
|
condition:
|
|
( uint16(0) == 0x5a4d and filesize < 6000KB and all of them )
|
|
}
|
|
|
|
rule redSails_PY {
|
|
meta:
|
|
description = "Detects Red Sails Hacktool - Python"
|
|
license = "https://creativecommons.org/licenses/by-nc/4.0/"
|
|
author = "Florian Roth"
|
|
reference = "https://github.com/BeetleChunks/redsails"
|
|
date = "2017-10-02"
|
|
hash1 = "6ebedff41992b9536fe9b1b704a29c8c1d1550b00e14055e3c6376f75e462661"
|
|
hash2 = "5ec20cb99030f48ba512cbc7998b943bebe49396b20cf578c26debbf14176e5e"
|
|
strings:
|
|
$x1 = "Gained command shell on host" fullword ascii
|
|
$x2 = "[!] Received an ERROR in shell()" fullword ascii
|
|
$x3 = "Target IP address with backdoor installed" fullword ascii
|
|
$x4 = "Open backdoor port on target machine" fullword ascii
|
|
$x5 = "Backdoor port to open on victim machine" fullword ascii
|
|
condition:
|
|
1 of them
|
|
}
|