Sneed-Reactivity/yara-Neo23x0/susp_bat_obfusc_jul24.yar


rule SUSP_BAT_OBFUSC_Jul24_1 {
   meta:
      description = "Detects indicators of obfuscation in Windows Batch files"
      author = "Florian Roth"
      reference = "https://x.com/0xToxin/status/1811656147943752045"
      date = "2024-07-12"
      score = 70
   strings:
      $s1 = "&&set "
   condition:
      filesize < 300KB  
      and uint32(0) == 0x20746573 // "set " at the beginning of the file
      and $s1 in (0..32) // "&&set " in the first 32 bytes
}

rule SUSP_BAT_OBFUSC_Jul24_2 {
   meta:
      description = "Detects indicators of obfuscation in Windows Batch files"
      author = "Florian Roth"
      reference = "https://x.com/0xToxin/status/1811656147943752045"
      date = "2024-07-12"
      score = 70
   strings:
      $s1 = "&&set "
   condition:
      filesize < 300KB
      // number of occurrences of the string "&&set " in the file
      and #s1 > 30
      // it's the "%\n" at the very end of the file
      and uint16(filesize-2) == 0x0a0d
      and uint8(filesize-3) == 0x25
}

rule SUSP_BAT_OBFUSC_Jul24_3 {
   meta:
      description = "Detects indicators of obfuscation in Windows Batch files"
      author = "Florian Roth"
      reference = "https://x.com/0xToxin/status/1811656147943752045"
      date = "2024-07-12"
      score = 70
   strings:
      $s1 = "% \\\\%" // part of the UNC path for the SMB connection
      // It detects the set pattern with a single character value in front of the %%
      // we use ?? to wildcard the character
      // =?&&set 
      $s2 = { 3D ?? 26 26 73 65 74 20 } 
   condition:
      filesize < 300KB
      and all of them
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00
			`rule SUSP_BAT_OBFUSC_Jul24_1 {`
			`meta:`
			`description = "Detects indicators of obfuscation in Windows Batch files"`
			`author = "Florian Roth"`
			`reference = "https://x.com/0xToxin/status/1811656147943752045"`
			`date = "2024-07-12"`
			`score = 70`
			`strings:`
			`$s1 = "&&set "`
			`condition:`
			`filesize < 300KB`
			`and uint32(0) == 0x20746573 // "set " at the beginning of the file`
			`and $s1 in (0..32) // "&&set " in the first 32 bytes`
			`}`

			`rule SUSP_BAT_OBFUSC_Jul24_2 {`
			`meta:`
			`description = "Detects indicators of obfuscation in Windows Batch files"`
			`author = "Florian Roth"`
			`reference = "https://x.com/0xToxin/status/1811656147943752045"`
			`date = "2024-07-12"`
			`score = 70`
			`strings:`
			`$s1 = "&&set "`
			`condition:`
			`filesize < 300KB`
			`// number of occurrences of the string "&&set " in the file`
			`and #s1 > 30`
			`// it's the "%\n" at the very end of the file`
			`and uint16(filesize-2) == 0x0a0d`
			`and uint8(filesize-3) == 0x25`
			`}`

			`rule SUSP_BAT_OBFUSC_Jul24_3 {`
			`meta:`
			`description = "Detects indicators of obfuscation in Windows Batch files"`
			`author = "Florian Roth"`
			`reference = "https://x.com/0xToxin/status/1811656147943752045"`
			`date = "2024-07-12"`
			`score = 70`
			`strings:`
			`$s1 = "% \\\\%" // part of the UNC path for the SMB connection`
			`// It detects the set pattern with a single character value in front of the %%`
			`// we use ?? to wildcard the character`
			`// =?&&set`
			`$s2 = { 3D ?? 26 26 73 65 74 20 }`
			`condition:`
			`filesize < 300KB`
			`and all of them`
			`}`