signature-base/yara/gen_suspicious_strings.yar
2016-11-05 10:32:30 +01:00


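// Flags PE executables that embed a "cmd /c ping 127.0.0.1 -n" command line.
// Pinging localhost with a repeat count is a crude way for a program to pause
// for N seconds before acting (e.g. waiting for its own deletion or for a
// dropped file to be written); benign software rarely shells out for this, so
// the meta score is medium (60), not a standalone malicious verdict.
rule Ping_Command_in_EXE {
    meta:
        // fixed grammar: "an suspicious" -> "a suspicious"
        description = "Detects a suspicious ping command execution in an executable"
        author = "Florian Roth"
        reference = "Internal Research"
        date = "2016-11-03"
        score = 60
    strings:
        // ASCII only: a UTF-16LE copy of this command line (as found in some
        // .NET / Unicode-built binaries) is NOT matched; add `wide` alongside
        // `ascii` if that coverage is wanted, at the cost of a broader match.
        // Trailing space is intentional so the count argument must follow "-n".
        $x1 = "cmd /c ping 127.0.0.1 -n " ascii
    condition:
        // uint16(0) reads the first two bytes little-endian: 0x5a4d == "MZ",
        // the DOS header magic that every PE file starts with. This gate keeps
        // the rule from firing on scripts, logs or documents that merely quote
        // the command. With a single string, `all of them` is equivalent to $x1.
        uint16(0) == 0x5a4d and all of them
}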