Yara Rule - PE 헤더에서 versioninfo 값을 사용하여 loldrivers 프로젝트에서 언급 된 악성 드라이버 감지 -Ndislan.sys
Yara 정의.
Yara Rule - Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ndislan.sys
Yara definition.
Author: Florian Roth
https://github.com/magicsword-io/LOLDrivers
hash = "e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d"
hash = "e6f764c3b5580cd1675cbf184938ad5a201a8c096607857869bd7c3399df0d12"
hash = "bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df"
date = "2023-06-13"
score = 70
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e0064006f007700730020004700550049002000730079006d0062006f006c00690063002000640065006200750067006700650072 } /* FileDescription WindowsGUIsymbolicdebugger */
hash = "42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25"
date = "2023-06-13"
score = 70
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006e0073006500350020004400720069007600650072 } /* FileDescription SenseDriver */
hash = "fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8"
date = "2023-06-13"
score = 70
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005000430049006500200056006900640065006f00200043006100700074007500720065 } /* FileDescription PCIeVideoCapture */
hash = "c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c"
hash = "96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc"
date = "2023-06-13"
score = 70
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006e007400620069006f00730020006400720069007600650072 } /* FileDescription ntbiosdriver */
hash = "200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a"
date = "2023-06-13"
score = 70
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */
hash = "b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3"
hash = "8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce"
hash = "06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4"
date = "2023-06-13"
score = 70
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */
hash = "18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7"
date = "2023-06-13"
score = 70
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004d00450052002000440072006900760065007200200068007400740070003a002f002f007700770077002e0067006d00650072002e006e00650074 } /* FileDescription GMERDriverhttpwwwgmernet */
hash = "6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f"
date = "2023-06-13"
score = 70
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */
hash = "81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1"
date = "2023-06-13"
score = 70
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */
hash = "7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6"
date = "2023-06-13"
score = 70
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006e0073006500350020004400720069007600650072 } /* FileDescription SenseDriver */
hash = "b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427"
date = "2023-06-13"
score = 70
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d00530020004c0041004e0020004400720069007600650072 } /* FileDescription MSLANDriver */```
[https://github.com/Neo23x0/signature-base/commit/da3de64fc3c7d3cc3beaeb33d9e3c84fd956b385](https://github.com/Neo23x0/signature-base/commit/da3de64fc3c7d3cc3beaeb33d9e3c84fd956b385)