signature-base/yara/gen_mal_scripts.yar

/* Various rules - see the references */
rule PS_AMSI_Bypass {
    meta:
        description = "Detects PowerShell AMSI Bypass"
        author = "Florian Roth"
        reference = "https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1"
        date = "2017-07-19"
        score = 70
    strings:
        // Reflection lookup of the non-public static 'amsiContext' field, as shown in
        // the referenced gist. nocase tolerates casing variations of the snippet.
        $amsi_ctx = ".GetField('amsiContext',[Reflection.BindingFlags]'NonPublic,Static')." ascii nocase
    condition:
        // Single indicator; equivalent to "1 of them".
        $amsi_ctx
}
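rule JS_Suspicious_Obfuscation_Dropbox {
    meta:
        // Fixed: the description was a copy-paste of PS_AMSI_Bypass and did not
        // describe this rule. The strings below look for a character-by-character
        // concatenated "javascript" token next to a Dropbox-hosted script URL.
        description = "Detects suspicious JavaScript string obfuscation combined with a Dropbox-hosted script URL"
        author = "Florian Roth"
        reference = "https://twitter.com/ItsReallyNick/status/887705105239343104"
        date = "2017-07-19"
        score = 70
    strings:
        // "javascript" assembled from single-character string literals
        $x1 = "j\"+\"a\"+\"v\"+\"a\"+\"s\"+\"c\"+\"r\"+\"i\"+\"p\"+\"t\""
        // script: protocol handler pointing at dropbox.com
        $x2 = "script:https://www.dropbox.com" ascii
    condition:
        // Both indicators are required; the URL alone is legitimate traffic.
        2 of them
}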
rule JS_Suspicious_MSHTA_Bypass {
    meta:
        description = "Detects MSHTA Bypass"
        author = "Florian Roth"
        reference = "https://twitter.com/ItsReallyNick/status/887705105239343104"
        date = "2017-07-19"
        score = 70
    strings:
        // HTA host invocation via the mshtml RunHTMLApplication export
        $mshta_run = "mshtml,RunHTMLApplication" ascii
        // WScript.Shell instantiation followed directly by Run(
        $mshta_shell = "new ActiveXObject(\"WScript.Shell\").Run(" ascii
        // cmd-style launch of mshta with an inline script argument
        $mshta_cmd = "/c start mshta j" ascii nocase
    condition:
        // Any two of the three indicators; one alone is too generic.
        2 of ($mshta_*)
}
rule JavaScript_Run_Suspicious {
    meta:
        description = "Detects a suspicious Javascript Run command"
        author = "Florian Roth"
        reference = "https://twitter.com/craiu/status/900314063560998912"
        date = "2017-08-23"
        score = 60
    strings:
        // COM object assigned to a one-letter variable ...
        $obj = "w = new ActiveXObject(" ascii
        // ... and then used to run a value held in another one-letter variable
        $run = " w.Run(r);" fullword ascii
    condition:
        // Both fragments are required (equivalent to "all of them").
        $obj and $run
}
/* Certutil Rule Improved */
// Helper used to exclude MSI packages from the certutil rule. MSI packages are
// OLE Compound Files: the header starts with bytes D0 CF (11 E0), which read as
// a little-endian uint16 at offset 0 gives 0xCFD0. The UTF-16 stream name
// "SummaryInformation" is required as a second marker.
private rule MSI {
    strings:
        $ole_summary = "SummaryInformation" wide
    condition:
        $ole_summary and uint16(0) == 0xCFD0
}
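rule Certutil_Decode_OR_Download {
    meta:
        // Fixed: the previous description ("Certutil Decode") omitted the
        // -urlcache download variants ($a5/$a6) that this rule also covers.
        description = "Detects certutil command lines used to decode a payload or to download a file via -urlcache"
        author = "Florian Roth"
        reference = "Internal Research"
        date = "2017-08-29"
        score = 40
    strings:
        // Decode variants. NOTE(review): as rendered here $a2 and $a4 are identical
        // to $a1 and $a3; they may have differed by whitespace in the original
        // (e.g. a double space before -decode) that the rendering collapsed.
        // Kept verbatim rather than merged — confirm against the repository source.
        $a1 = "certutil -decode " ascii wide
        $a2 = "certutil -decode " ascii wide
        $a3 = "certutil.exe -decode " ascii wide
        $a4 = "certutil.exe -decode " ascii wide
        // Download-to-cache variants
        $a5 = "certutil -urlcache -split -f http" ascii wide
        $a6 = "certutil.exe -urlcache -split -f http" ascii wide
    condition:
        // MSI packages are excluded because legitimate installers can embed
        // such command lines; the size cap keeps scanning to script-sized files.
        ( not MSI and filesize < 700KB and 1 of them )
}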