16 lines
446 B
Text
16 lines
446 B
Text
|
rule Mozi_Obfuscation_Technique
|
||
|
{
|
||
|
meta:
|
||
|
author = "Elastic Security, Lars Wallenborn (@larsborn)"
|
||
|
description = "Detects obfuscation technique used by Mozi botnet."
|
||
|
reference = "https://www.elastic.co/security-labs/collecting-and-operationalizing-threat-data-from-the-mozi-botnet"
|
||
|
strings:
|
||
|
$a = { 55 50 58 21
|
||
|
[4]
|
||
|
00 00 00 00
|
||
|
00 00 00 00
|
||
|
00 00 00 00 }
|
||
|
condition:
|
||
|
all of them
|
||
|
}
|