Sneed-Reactivity/yara-Neo23x0/gen_susp_indicators.yar


import "pe"
rule SUSP_ENV_Folder_Root_File_Jan23_1 : SCRIPT {
   meta:
      description = "Detects suspicious file path pointing to the root of a folder easily accessible via environment variables"
      author = "Florian Roth (Nextron Systems)"
      reference = "Internal Research"
      date = "2023-01-11"
      score = 70
      id = "6067d822-5c1b-5b86-863c-fdcfa37da665"
   strings:
      // Each $xr* pattern is a path of the form %VAR%\<name>.<ext> followed by one
      // character that is not a backslash, i.e. a file placed directly in the folder
      // root rather than in a subfolder. <name> is 1-20 chars of [A-Za-z0-9_-], the
      // extension 1-4 alphanumerics. Case handling is explicit: the mixed-case forms
      // allowed by the bracket classes (e.g. AppData, appdata) plus the all-caps form.
      // Both UTF-16LE ("wide") and ASCII encodings are searched.
      $xr1 = /%([Aa]pp[Dd]ata|APPDATA)%\\[A-Za-z0-9_\-]{1,20}\.[a-zA-Z0-9]{1,4}[^\\]/ wide ascii
      $xr2 = /%([Pp]ublic|PUBLIC)%\\[A-Za-z0-9_\-]{1,20}\.[a-zA-Z0-9]{1,4}[^\\]/ wide ascii
      // No $xr3 in this revision; the $x* wildcard in the condition is unaffected.
      $xr4 = /%([Pp]rogram[Dd]ata|PROGRAMDATA)%\\[A-Za-z0-9_\-]{1,20}\.[a-zA-Z0-9]{1,4}[^\\]/ wide ascii

      // False-positive guards. These are plain ASCII substrings matched anywhere in
      // the scanned file; a single hit on either one suppresses the whole rule.
      $fp1 = "perl -MCPAN " ascii
      $fp2 = "CCleaner" ascii
   condition:
      // Size cap first, then at least one path indicator, minus the FP guards.
      filesize < 20MB
      and any of ($x*)
      and not any of ($fp*)
      // Signed PE files are excluded. NOTE(review): pe.number_of_signatures is
      // undefined for non-PE input; confirm with the YARA version in use that the
      // negated comparison evaluates as intended on scripts and other non-PE files.
      and not (pe.number_of_signatures > 0)
}