30 lines
815 B
Text
30 lines
815 B
Text
|
*
|
||
|
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
|
||
|
|
||
|
*/
|
||
|
|
||
|
/* Certificate Matches for Patterns seen in Duqu 2.0 infection */
|
||
|
|
||
|
/* https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf */
|
||
|
|
||
|
import "pe"
|
||
|
rule honhaicert_goodcheck {
|
||
|
strings:
|
||
|
$honhai = "HON HAI"
|
||
|
condition:
|
||
|
$honhai and pe.version_info["LegalCopyright"] contains "Microsoft"
|
||
|
}
|
||
|
|
||
|
|
||
|
|
||
|
rule sysinternals_not_signed
|
||
|
{
|
||
|
strings:
|
||
|
$sysinternals = "sysinternals" wide nocase
|
||
|
$mz = "MZ"
|
||
|
$url = "technet.microsoft.com" wide
|
||
|
$castuff = "Microsoft Code Signing PCA" wide
|
||
|
|
||
|
condition:
|
||
|
$mz at 0 and $sysinternals and ( not $castuff and not $url)
|
||
|
}
|