Sneed-Reactivity/yara-Neo23x0/apt_mal_ilo_board_elf.yar


rule APT_MAL_HP_iLO_Firmware_Dec21_1 {
   meta:
      description = "Detects suspicios ELF files with sections as described in malicious iLO Board analysis by AmnPardaz in December 2021"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://threats.amnpardaz.com/en/2021/12/28/implant-arm-ilobleed-a/"
      date = "2021-12-28"
      score = 80
      id = "7f5fa905-07a3-55da-b644-c5ab882b4a9d"
   strings:
      $s1 = ".newelf.elf.text" ascii
      $s2 = ".newelf.elf.libc.so.data" ascii
      $s3 = ".newelf.elf.Initial.stack" ascii
      $s4 = ".newelf.elf.libevlog.so.data" ascii
   condition:
      filesize < 5MB and 2 of them or 
      all of them
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00
			`rule APT_MAL_HP_iLO_Firmware_Dec21_1 {`
			`meta:`
			`description = "Detects suspicios ELF files with sections as described in malicious iLO Board analysis by AmnPardaz in December 2021"`
			`author = "Florian Roth (Nextron Systems)"`
			`reference = "https://threats.amnpardaz.com/en/2021/12/28/implant-arm-ilobleed-a/"`
			`date = "2021-12-28"`
			`score = 80`
			`id = "7f5fa905-07a3-55da-b644-c5ab882b4a9d"`
			`strings:`
			`$s1 = ".newelf.elf.text" ascii`
			`$s2 = ".newelf.elf.libc.so.data" ascii`
			`$s3 = ".newelf.elf.Initial.stack" ascii`
			`$s4 = ".newelf.elf.libevlog.so.data" ascii`
			`condition:`
			`filesize < 5MB and 2 of them or`
			`all of them`
			`}`