Sneed-Reactivity/yara-Neo23x0/crime_credstealer_generic.yar


rule CredentialStealer_Generic_Backdoor {
   meta:
      description = "Detects credential stealer byed on many strings that indicate password store access"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Internal Research"
      date = "2017-06-07"
      hash1 = "edb2d039a57181acf95bd91b2a20bd9f1d66f3ece18506d4ad870ab65e568f2c"
      id = "b3124f6c-4e18-562c-84d9-d51e086da446"
   strings:
      $s1 = "GetOperaLoginData" fullword ascii
      $s2 = "GetInternetExplorerCredentialsPasswords" fullword ascii
      $s3 = "%s\\Opera Software\\Opera Stable\\Login Data" fullword ascii
      $s4 = "select *  from moz_logins" fullword ascii
      $s5 = "%s\\Google\\Chrome\\User Data\\Default\\Login Data" fullword ascii
      $s6 = "Host.dll.Windows" fullword ascii
      $s7 = "GetInternetExplorerVaultPasswords" fullword ascii
      $s8 = "GetWindowsLiveMessengerPasswords" fullword ascii
      $s9 = "%s\\Chromium\\User Data\\Default\\Login Data" fullword ascii
      $s10 = "%s\\Opera\\Opera\\profile\\wand.dat" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and 4 of them )
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00
			`rule CredentialStealer_Generic_Backdoor {`
			`meta:`
			`description = "Detects credential stealer byed on many strings that indicate password store access"`
			`license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"`
			`author = "Florian Roth (Nextron Systems)"`
			`reference = "Internal Research"`
			`date = "2017-06-07"`
			`hash1 = "edb2d039a57181acf95bd91b2a20bd9f1d66f3ece18506d4ad870ab65e568f2c"`
			`id = "b3124f6c-4e18-562c-84d9-d51e086da446"`
			`strings:`
			`$s1 = "GetOperaLoginData" fullword ascii`
			`$s2 = "GetInternetExplorerCredentialsPasswords" fullword ascii`
			`$s3 = "%s\\Opera Software\\Opera Stable\\Login Data" fullword ascii`
			`$s4 = "select * from moz_logins" fullword ascii`
			`$s5 = "%s\\Google\\Chrome\\User Data\\Default\\Login Data" fullword ascii`
			`$s6 = "Host.dll.Windows" fullword ascii`
			`$s7 = "GetInternetExplorerVaultPasswords" fullword ascii`
			`$s8 = "GetWindowsLiveMessengerPasswords" fullword ascii`
			`$s9 = "%s\\Chromium\\User Data\\Default\\Login Data" fullword ascii`
			`$s10 = "%s\\Opera\\Opera\\profile\\wand.dat" fullword ascii`
			`condition:`
			`( uint16(0) == 0x5a4d and 4 of them )`
			`}`