Detecting a Meterpreter Reverse TCP Session with YARA Rule
Tags
attack-pattern: Data Malware - T1587.001 Malware - T1588.001 Network Devices - T1584.008 Python - T1059.006 Tool - T1588.002
Show in Graph
Common Information
Type Value
UUID 441afbf8-c668-449c-93a1-a6468ee940ff
Fingerprint 4c036981edb4e4fd
Analysis status DONE
Considered CTI value 0
Text language
Published June 27, 2023, 5:31 p.m.
Added to db June 28, 2023, 1 a.m.
Last updated Nov. 17, 2024, 11:40 p.m.
Headline Detecting a Meterpreter Reverse TCP Session with YARA Rule
Title Detecting a Meterpreter Reverse TCP Session with YARA Rule
Detected Hints/Tags/Attributes 25/1/7
Source URLs
Redirection Url
Details Source https://medium.com/@onur_osturk/detecting-a-meterpreter-reverse-tcp-session-with-yara-rule-fab1b0992ce7?source=rss------malware-5
URL Provider
Details Provider Source level domain
Details medium.com medium.com
RSS Feed
Details Id Enabled Feed title Url Added to db
Details 171 Malware on Medium https://medium.com/feed/tag/malware 2024-08-30 22:08
Attributes
Details Type #Events CTI Value
Details Domain 4 
yargen.py
Details Domain 4128 
github.com
Details File 4 
yargen.py
Details Github username 35 
neo23x0
Details sha256 1 
f9b0d98e29556216aebdf568ba7779d5575735ba576b8b82659e54236190b88c
Details Url 2 
https://github.com/neo23x0/yargen
Details Yara rule 1 
rule meterpreter_reverse_tcp {
	meta:
		description = "meterpreter reverse tcp session may be open"
		author = "yarGen Rule Generator"
		reference = "https://github.com/Neo23x0/yarGen"
		date = "2023-06-25"
		hash1 = "f9b0d98e29556216aebdf568ba7779d5575735ba576b8b82659e54236190b88c"
	strings:
		$s1 = "Error reading private key %s - mbedTLS: (-0xX) %s" ascii fullword
		$s2 = "processing command: %u id: '%s'" ascii fullword
		$s3 = "Failed reading the chunked-encoded stream" ascii fullword
		$s4 = "0 0 0 0 PC Service User:" ascii fullword
		$s5 = "Dumping cert info:" ascii fullword
		$s6 = "Error reading client cert file %s - mbedTLS: (-0xX) %s" ascii fullword
		$s7 = "[fqdn] gethostbyaddr(%s) failed: %s" ascii fullword
		$s8 = "NTLM handshake failure (bad type-2 message). Target Info Offset Len is set incorrect by the peer" ascii fullword
		$s9 = "process_new: got %zd byte executable to run in memory" ascii fullword
		$s10 = "[fqdn] gethostbyname(%s) failed: %s" ascii fullword
		$s11 = "thread vulnerable" ascii fullword
		$s12 = /\/(\d+\.)(\d+\.)(\d+\.)(\d+)/
	condition:
		uint16(0) == 0x457f and 8 of them
}