// Mandiant string-based rule for the QUIETEXIT sample family described in the
// referenced UNC3524 report. It fires only on ELF files smaller than 2 MB that
// contain every one of the seven strings below; each string alone is generic,
// the "all of them" condition is what makes the combination specific.
rule QUIETEXIT_strings
{
    meta:
        author = "Mandiant"
        reference = "https://www.mandiant.com/resources/unc3524-eye-spy-email"
        // Created and last modified on the same day: this is the first revision (rev = 1).
        date_created = "2022-01-13"
        date_modified = "2022-01-13"
        rev = 1
    strings:
        // All strings are plain ASCII with no modifiers (no "wide"/"nocase"),
        // which suits an ELF target; they are matched anywhere in the file.
        // $s1 and $s5 are standard SSH channel/global request names and $s6
        // appears to come from the Dropbear SSH code base, so the rule is
        // presumably aimed at a Dropbear-derived binary — confirm against the
        // reference before treating any single string as an indicator.
        $s1 = "auth-agent@openssh.com"
        $s2 = "auth-%.8x-%d"
        $s3 = "Child connection from %s:%s"
        $s4 = "Compiled without normal mode, can't run without -i"
        $s5 = "cancel-tcpip-forward"
        $s6 = "dropbear_prng"
        // Four bytes only; on its own "cron" would match many benign binaries,
        // so it must never be split out of the "all of them" requirement.
        $s7 = "cron"
    condition:
        // 0x7F454C46 is the big-endian ELF magic ("\x7fELF"), so non-ELF
        // files are rejected before any string scanning; the size cap then
        // keeps the rule off large legitimate binaries and archives.
        uint32be(0) == 0x7F454C46 and filesize < 2MB and all of them
}