23 lines
748 B
Text
23 lines
748 B
Text
|
rule SUSP_certificate_payload {
|
||
|
meta:
|
||
|
description = "Detects payloads that pretend to be certificates"
|
||
|
date = "2018/08/02"
|
||
|
author = "Didier Stevens, Florian Roth"
|
||
|
reference = "https://blog.nviso.be/2018/08/02/powershell-inside-a-certificate-part-3/"
|
||
|
score = 50
|
||
|
id = "6f1fe410-591a-5a59-a683-67cad9777dfe"
|
||
|
strings:
|
||
|
$re1 = "-----BEGIN CERTIFICATE-----"
|
||
|
|
||
|
$fp1 = "replace it with the PEM-encoded root certificate"
|
||
|
condition:
|
||
|
uint32(0) == 0x2D2D2D2D
|
||
|
and $re1 at 0
|
||
|
/* not 'M' at position 29, which is after the BEGIN CERTIFICATE header plus line break */
|
||
|
/* \r\n */
|
||
|
and not uint8(29) == 0x4D
|
||
|
/* \n */
|
||
|
and not uint8(28) == 0x4D
|
||
|
and not 1 of ($fp*)
|
||
|
}
|