Sneed-Reactivity/yara-mikesxrs/Novetta/hikit.yar

20 lines
508 B
Text
Raw Normal View History

rule hikit
{
meta:
Author = "Novetta"
Reference = "https://www.novetta.com/wp-content/uploads/2014/11/HiKit.pdf"
strings:
$hikit_pdb1 = /(H|h)ikit_/
$hikit_pdb2 = "hikit\\"
$hikit_str3 = "hikit>" wide
$driver = "w7fw.sys" wide
$device = "\\Device\\w7fw" wide
$global = "Global\\%s__HIDE__" wide nocase
$backdr = "backdoor closed" wide
$hidden = "*****Hidden:" wide
condition:
(1 of ($hikit_pdb1,$hikit_pdb2,$hikit_str3)) and ($driver or $device or $global or $backdr or $hidden)
}