
// Detection rule for the Merlin post-exploitation agent (Go-based, see `reference`).
// Matches on the agent's own console/log format strings, which survive in the
// compiled binary; the `filetype` meta is informational only -- the condition
// does not check any file header.
rule merlinAgent {
    meta:
        description = "Detects Merlin agent"
        filetype = "pe, elf, mach"
        author = "Hilko Bengen"
        reference = "https://github.com/Ne0nd0g/merlin"
        date = "2017-12-26"
        id = "92346a3f-dce4-58db-893b-b7797fa20029"
    strings:
        // High-confidence set ($x*): agent status and error messages carrying the
        // "[-]" / "[!]" prefixes and printf-style placeholders. A single hit from
        // this set is enough for a match (see condition).
        $x1 = "Command output:\x0d\x0a\x0d\x0a%s" ascii
        $x2 = "[-]Connecting to web server at %s to update agent configuration information." ascii
        $x3 = "[-]%d out of %d total failed checkins" ascii
        // NOTE(review): "[!}" (closing brace, not bracket) is reproduced exactly as
        // written; presumably it mirrors the agent's own output string -- confirm
        // against the referenced source before "correcting" it, as a fix here would
        // silently break the match.
        $x4 = "[!}Unknown AgentControl message type received %s" ascii
        $x5 = "[-]Received Agent Kill Message" ascii
        $x6 = "[-]Received Server OK, doing nothing" ascii
        $x7 = "[!]There was an error with the HTTP client while performing a POST:" ascii
        $x8 = "[-]Sleeping for %s at %s" ascii

        // Supporting set ($s*): more generic command-execution and host-information
        // strings. These only count towards the four-of-any fallback below, since
        // on their own they could plausibly appear in benign tooling.
        $s1 = "Executing command %s %s %s" ascii
        $s2 = "[+]Host Information:" ascii
        $s3 = "\tHostname: %s" ascii
        $s4 = "\tPlatform: %s" ascii
        $s5 = "\tUser GUID: %s" ascii
    condition:
        // Either one high-confidence marker, or any four strings drawn from both sets.
        any of ($x*) or 4 of them
}