Common Information
| Type | Value |
|---|---|
| Value |
rule M_Code_LIGHTSHIFT {
meta:
author = "Mandiant"
description = "Hunting rule for LIGHTSHIFT"
sha256 = "ce501fd5c96223fb17d3fed0da310ea121ad83c463849059418639d211933aa4"
strings:
$p00_0 = { 48 8B 7C 24 ?? 44 8D 40 ?? 48 03 7C 24 ?? 48 8B CF FF 15 [4] 81 7C 24 [5] 74 ?? 48 8B 4B ?? 33 D2 }
$p00_1 = { 49 8D 7C 01 ?? 8B 47 ?? 85 C0 75 ?? 49 63 45 ?? 85 C0 7E ?? 8B 0F 41 B9 }
condition:
uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (($p00_0 in (750 .. 11000) and $p00_1 in (0 .. 8200)))
}
|
| Category | |
| Type | Yara Rule |
| Misp Type | |
| Description |