Yara Rule - TypelibGuid를 통해 .NET Red/Black-Team 도구를 감지
Yara 정의.
Yara Rule - Detects .NET red/black-team tools via typelibguid
Yara definition.
Author: Arnim Rupp (https://github.com/ruppde)
Internal Research
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
date = "2023-11-30"
$typelibguid0 = "d16fd95f-23ce-4f8d-8763-b9f5a9cdd0c3" ascii nocase wide
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
date = "2023-11-30"
$typelibguid0 = "344ee55a-4e32-46f2-a003-69ad52b55945" ascii nocase wide
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
date = "2023-12-06"
$typelibguid0 = "572804d3-dbd6-450a-be64-2e3cb54fd173" ascii nocase wide
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
date = "2023-12-06"
$typelibguid0 = "d305f8a3-019a-4cdf-909c-069d5b483613" ascii nocase wide
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
date = "2023-12-06"
$typelibguid0 = "c8112750-972d-4efa-a75b-da9b8a4533c7" ascii nocase wide
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
date = "2023-12-19"
$typelibguid0 = "64bfeb18-b65c-4a83-bde0-b54363b09b71" ascii nocase wide
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
date = "2023-12-19"
$typelibguid0 = "e54195f0-060c-4b24-98f2-ad9fb5351045" ascii nocase wide
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
date = "2021/02/07"
modified = "2024-02-23"
score = 50
hash = "6559bfc4be43a55c6bb2bd867b4c9b929713d3f7f6de8111a3c330f87a9b302c"
hash = "9e82c9c2fa64e26fd55aa18f74759454d89f968068d46b255bd4f41eb556112e"```
[https://github.com/Neo23x0/signature-base/commit/b6a07188e0081de8774d3f9c76bd7062615d1750](https://github.com/Neo23x0/signature-base/commit/b6a07188e0081de8774d3f9c76bd7062615d1750)