20 lines
508 B
Text
20 lines
508 B
Text
|
rule hikit
|
||
|
{
|
||
|
meta:
|
||
|
Author = "Novetta"
|
||
|
Reference = "https://www.novetta.com/wp-content/uploads/2014/11/HiKit.pdf"
|
||
|
|
||
|
strings:
|
||
|
$hikit_pdb1 = /(H|h)ikit_/
|
||
|
$hikit_pdb2 = "hikit\\"
|
||
|
$hikit_str3 = "hikit>" wide
|
||
|
|
||
|
$driver = "w7fw.sys" wide
|
||
|
$device = "\\Device\\w7fw" wide
|
||
|
$global = "Global\\%s__HIDE__" wide nocase
|
||
|
$backdr = "backdoor closed" wide
|
||
|
$hidden = "*****Hidden:" wide
|
||
|
|
||
|
condition:
|
||
|
(1 of ($hikit_pdb1,$hikit_pdb2,$hikit_str3)) and ($driver or $device or $global or $backdr or $hidden)
|
||
|
}
|