15 lines
602 B
Text
15 lines
602 B
Text
|
rule FE_APT_Tool_Linux_BLOODBANK_2
|
||
|
{
|
||
|
meta:
|
||
|
author = "Mandiant"
|
||
|
date_created = "2021-05-17"
|
||
|
sha256 = "8bd504ac5fb342d3533fbe0febe7de5c2adcf74a13942c073de6a9db810f9936"
|
||
|
reference_url = "https://www.fireeye.com/blog/threat-research/2021/05/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices.html"
|
||
|
strings:
|
||
|
$ss1 = "\x00:%4d-%02d-%02d %02d:%02d:%02d \x00"
|
||
|
$ss2 = "\x00ok!\x00"
|
||
|
$ss3 = "\x00\x0a\x0a%s:%s \x00"
|
||
|
$ss4 = "\x00PRIMARY!%s \x00"
|
||
|
condition:
|
||
|
(uint32(0) == 0x464c457f) and all of them
|
||
|
}
|