Yara Rule - Detects suspicious one-liner to spawn a shell using Python

Yara definition.

Author: Florian Roth

https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally

```yara
// Extract of six YARA rules. Only the meta fields, the strings and a few
// condition fragments survived extraction; rule headers (names, descriptions)
// and the remaining conditions are not preserved here.

// ---- rule 1 of 6: exploitation artefacts (meta and strings) ----
date = "2023-06-15"
modified = "2023-06-16"
score = 75
$x01 = "=;ee=ba;G=s;_ech_o $abcdefg_${ee}se64" ascii
$x02 = ";echo $abcdefg | base64 -d | sh" ascii
$x03 = "setsid sh -c \"mkfifo /tmp/p" ascii
$x04 = "sh -i </tmp/p 2>&1" ascii
$x05 = "if string.match(hdr:body(), \"^[%w%+/=" ascii
$x06 = "setsid sh -c \"/sbin/BarracudaMailService eth0\""
$x07 = "echo \"set the bvp ok\""
$x08 = "find ${path} -type f ! -name $excludeFileNameKeyword | while read line ;"
$x09 = " /mail/mstore | xargs -i cp {} /usr/share/.uc/"
$x10 = "tar -T /mail/mstore/tmplist -czvf "
$sa1 = "sh -c wget --no-check-certificate http"
$sa2 = ".tar;chmod +x "

// ---- rule 2 of 6: ELF sample named BarracudaMailService (meta, strings, opcode patterns) ----
date = "2023-06-16"
score = 85
hash1 = "3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115"
$sx1 = "usage: ./BarracudaMailService <Network-Interface>. e.g.: ./BarracudaMailService eth0" ascii fullword
$s1 = "fcntl.tmp.amd64." ascii
$s2 = "Child process id:%d" ascii fullword
$s3 = "[*]Success!" ascii fullword
$s4 = "NO port code" ascii
$s5 = "enter open tty shell" ascii
$op1 = { 48 89 c6 f3 a6 0f 84 f7 01 00 00 bf 6c 84 5f 00 b9 05 00 00 00 48 89 c6 f3 a6 0f 84 6a 01 00 00 }
$op2 = { f3 a6 0f 84 d2 00 00 00 48 89 de bf 51 5e 61 00 b9 05 00 00 00 f3 a6 74 21 48 89 de }
$op3 = { 72 de 45 89 f4 e9 b8 f4 ff ff 48 8b 73 08 45 85 e4 ba 49 3d 62 00 b8 44 81 62 00 48 0f 45 d0 }
// condition fragment: ELF magic (bytes 7f 45 read as little-endian uint16)
uint16(0) == 0x457f

// ---- rule 3 of 6: Lua snippet, plain and in every base64 alignment (meta and strings) ----
date = "2023-06-16"
score = 90
hash1 = "56e8066bf83ff6fe0cec92aede90f6722260e0a3f169fc163ed88589bffd7451"
$x1 = "os.execute('rverify'..' /tmp/'..attachment:filename())" ascii fullword
$x2 = "log.debug(\"--- opening archive [%s], mimetype [%s]\", tmpfile" ascii fullword
$xe1 = "os.execute('rverify'..' /tmp/'..attachment:filename())" ascii base64
$xe2 = "log.debug(\"--- opening archive [%s], mimetype [%s]\", tmpfile" ascii base64

// ---- rule 4 of 6: Go binary with main.* symbols (meta, strings, file-magic condition fragment) ----
date = "2023-06-16"
score = 75
hash1 = "ca72fa64ed0a9c22d341a557c6e7c1b6a7264b0c4de0b6f717dd44bddf550bca"
hash2 = "57e4b180fd559f15b59c43fb3335bd59435d4d76c4676e51a06c6b257ce67fb2"
//$a1 = "Go build" // not available in all samples
$a2 = "/src/runtime/panic.go"
$s1 = "main.handleClientRequest" ascii fullword
$s2 = "main.sockIP.toAddr" ascii fullword
// $s3 = "main.slave" ascii fullword
uint16(0) == 0x5a4d // Windows PE
or uint32be(0) == 0x7f454c46 // ELF
or uint16(0) == 0xfeca or uint16(0) == 0xfacf or uint32(0) == 0xbebafeca or uint32(0) == 0xbebafeca // MacOS (last two terms are identical in this extract)

// ---- rule 5 of 6: scanner output strings (meta and strings) ----
date = "2023-06-15"
score = 70
$s1 = "[*] NetInfo:" ascii
$s2 = ":443 open" ascii
$s3 = "   [->]"

// ---- rule 6 of 6: Python one-liner spawning a shell (meta and string) ----
date = "2023-06-15"
score = 70
$x1 = "python -c import pty;pty.spawn(\"/bin/" ascii
```
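The `$xe1`/`$xe2` strings carry YARA's `base64` modifier, which makes the rule match the Lua line wherever it lands inside a base64-encoded blob, not only when the line happens to start on a 3-byte boundary. As an added illustration (not code from the page or from the signature-base project), this Python reimplements that expansion and scans a constructed, base64-encoded Lua module at all three alignments; `base64_variants`, `find_base64_marker` and the sample module are assumptions made for the example.

```python
import base64

# Lua line from the page's $xe1 string (declared "..." ascii base64 in YARA)
LUA_MARKER = b"os.execute('rverify'..' /tmp/'..attachment:filename())"


def base64_variants(needle: bytes) -> list:
    """Return the three base64 forms of `needle`, one per 3-byte alignment.

    Reimplements the idea behind YARA's `base64` modifier (illustration, not
    yara's code): shift the needle by 0, 1 and 2 bytes, encode, then trim the
    characters whose bits also depend on the unknown neighbouring bytes.
    """
    variants = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + needle).rstrip(b"=")
        head = (0, 2, 3)[shift]  # leading chars tainted by the shift bytes
        tail = 1 if (shift + len(needle)) % 3 else 0  # char shared with next byte
        variants.append(enc[head:len(enc) - tail])
    return variants


def find_base64_marker(blob: bytes, needle: bytes = LUA_MARKER):
    """Return (offset, variant) of the first alignment found in blob, else None."""
    for variant in base64_variants(needle):
        offset = blob.find(variant)
        if offset != -1:
            return offset, variant
    return None


def demo() -> dict:
    """Scan a constructed base64-encoded Lua module at all three alignments.

    The leading '-' bytes only move the marker relative to the 3-byte groups;
    the plain base64 of the marker alone can match at most one of them.
    """
    hits = {}
    for lead in (b"", b"-", b"--"):
        module = lead + b"-- constructed sample\nif ok then " + LUA_MARKER + b" end\n"
        hits[len(lead)] = find_base64_marker(base64.b64encode(module)) is not None
    return hits
```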


[https://github.com/Neo23x0/signature-base/commit/dbf2221743534f48926cfe8ceb9c71c3daa313a3](https://github.com/Neo23x0/signature-base/commit/dbf2221743534f48926cfe8ceb9c71c3daa313a3)