Common Information
Type | Value |
---|---|
Value |
```yara
rule wellmess_certificate_base64_snippets {
    meta:
        description = "Rule for detection of WellMess based on base64 snippets of certificates used"
        author = "NCSC"
        hash = "8749c1495af4fd73ccfc84b32f56f5e78549d81feefb0c1d1c3475a74345f6a8"
    strings:
        $a1 = "BgNVHQ4EBwQFAQIDBA"
        $a2 = "YDVR0OBAcEBQECAwQG"
        $a3 = "GA1UdDgQHBAUBAgMEB"
        $b1 = "BgNVBAYTBVR1bmlzMQswCQYDVQQKEwJJVD"
        $b2 = "YDVQQGEwVUdW5pczELMAkGA1UEChMCSVQx"
        $b3 = "GA1UEBhMFVHVuaXMxCzAJBgNVBAoTAklUM"
    condition:
        ((uint16(0) == 0x5a4d and uint16(uint16(0x3c)) == 0x4550) or uint32(0) == 0x464c457f)
        and any of ($a*) and any of ($b*)
}
```
Category | |
Type | Yara Rule |
Misp Type | |
Description |