Yara Rule - Detects indicators of obfuscation in Windows Batch files
Yara definition.
Author: Florian Roth
https://x.com/0xToxin/status/1811656147943752045
The three rule fragments on this page, rebuilt as complete YARA rules. The rule names are placeholders (the original names are not on this page) and the leading term of each condition is reconstructed so that the declared strings are actually referenced; the `meta` values, strings and byte checks are the page's own.

```yara
rule SUSP_BAT_Obfuscation_Indicator_1 // placeholder name
{
   meta:
      description = "Detects indicators of obfuscation in Windows Batch files"
      author = "Florian Roth"
      reference = "https://x.com/0xToxin/status/1811656147943752045"
      date = "2024-07-12"
      score = 70
   strings:
      $s1 = "&&set "
   condition:
      $s1 // reconstructed: the page only shows the "and ..." part of the condition
      and uint32(0) == 0x20746573 // "set " at the beginning of the file
}

rule SUSP_BAT_Obfuscation_Indicator_2 // placeholder name
{
   meta:
      description = "Detects indicators of obfuscation in Windows Batch files"
      author = "Florian Roth"
      reference = "https://x.com/0xToxin/status/1811656147943752045"
      date = "2024-07-12"
      score = 70
   strings:
      $s1 = "&&set "
   condition:
      $s1 // reconstructed: the page only shows the "and ..." part of the condition
      and uint16(filesize-2) == 0x0a0d // file ends with CR LF
      and uint8(filesize-3) == 0x25    // preceded by "%"
}

rule SUSP_BAT_Obfuscation_Indicator_3 // placeholder name
{
   meta:
      description = "Detects indicators of obfuscation in Windows Batch files"
      author = "Florian Roth"
      reference = "https://x.com/0xToxin/status/1811656147943752045"
      date = "2024-07-12"
      score = 70
   strings:
      $s1 = "% \\\\%" // part of the UNC path for the SMB connection
      // =?&&set
      $s2 = { 3D ?? 26 26 73 65 74 20 }
   condition:
      all of them // reconstructed: the page does not show this rule's condition
}
```
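As an added example (not part of the signature-base rules or of this page), the three conditions re-implemented in plain Python so the byte-level checks can be traced by hand: `uint32(0)` is a little-endian read, the `filesize-` offsets inspect the file's tail, and the `??` wildcard becomes a single-byte regex wildcard. The sample inputs are constructed and the rule labels are my own.

```python
import re
import struct

# Byte patterns taken from the three rules above.
AND_SET = b"&&set "
UNC_FRAGMENT = b"% \\\\%"            # YARA "% \\\\%" unescapes to the bytes: % \\%
# YARA hex string { 3D ?? 26 26 73 65 74 20 }: "=", any one byte, "&&set "
EQ_WILDCARD_AND_SET = re.compile(rb"=.&&set ", re.DOTALL)

def u32le(data, offset):
    """YARA uint32(offset): little-endian unsigned read; None if it runs past EOF."""
    if offset < 0 or offset + 4 > len(data):
        return None
    return struct.unpack_from("<I", data, offset)[0]

def u16le(data, offset):
    """YARA uint16(offset), same bounds behaviour."""
    if offset < 0 or offset + 2 > len(data):
        return None
    return struct.unpack_from("<H", data, offset)[0]

def u8(data, offset):
    """YARA uint8(offset), same bounds behaviour."""
    return data[offset] if 0 <= offset < len(data) else None

def match_bat_obfuscation(data):
    """Return the labels of the rules whose conditions hold for the given file bytes."""
    hits = set()
    n = len(data)
    # Rule 1: "&&set " anywhere and the file starts with "set " (0x20746573 little-endian)
    if AND_SET in data and u32le(data, 0) == 0x20746573:
        hits.add("starts_with_set")
    # Rule 2: "&&set " anywhere and the file ends with "%\r\n" (0x25, then 0x0a0d LE)
    if AND_SET in data and u16le(data, n - 2) == 0x0A0D and u8(data, n - 3) == 0x25:
        hits.add("ends_with_percent_crlf")
    # Rule 3: the UNC fragment plus "=<any byte>&&set "
    if UNC_FRAGMENT in data and EQ_WILDCARD_AND_SET.search(data):
        hits.add("unc_and_wildcard_set")
    return hits

# Constructed samples (not real malware): variable-splitting obfuscation vs. a plain script.
OBFUSCATED_SAMPLE = (b"set a=c&&set b=m&&set c=d\r\n"
                     b"%a%%b%%c% /c echo % \\\\%srv\\share\r\n%\r\n")
BENIGN_SAMPLE = b"@echo off\r\nset PATH=%PATH%;C:\\tools\r\necho done\r\n"

if __name__ == "__main__":
    for name, blob in (("obfuscated", OBFUSCATED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, sorted(match_bat_obfuscation(blob)))
```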
[https://github.com/Neo23x0/signature-base/commit/4979d907e8ef27034df70b2a54052c1e6b48a339](https://github.com/Neo23x0/signature-base/commit/4979d907e8ef27034df70b2a54052c1e6b48a339)