// Rule to catch intelligence-related files via the metadata of uploaded samples. The current rule looks for NSA and Mossad references in the metadata of samples.
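rule catch_intelligence_files
{
    meta:
        author = "@abhinavbom"
        maltype = "NA"
        version = "0.1"
        date = "21/09/2015"
        description = "catch files"
    strings:
        // Agency names as plain, case-sensitive ASCII; a sample must contain one of these.
        $meta1 = "National Security Agency"
        $meta3 = "Israeli Secret Intelligence"
        // Document / archive format keywords. These are matched against the file
        // CONTENT (exactly like $meta*), not against the VT file type. Short tokens
        // such as "doc", "xls", "pdf" and "zip" occur in a great many files, and
        // "doc"/"xls" are substrings of "docx"/"xlsx"/"xlsb", so in practice
        // `any of ($tag*)` adds little selectivity; $meta* carries the rule.
        $tag1 = "docx"
        $tag2 = "doc"
        $tag3 = "xls"
        $tag4 = "xlsx"  // was "xlxs": typo for the Office Open XML spreadsheet extension
        $tag5 = "pdf"
        $tag6 = "zip"
        $tag7 = "rar"
        $tag8 = "xlsb"
    condition:
        any of ($meta*) and any of ($tag*)
}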
// Rule to pick up all pcaps uploaded to VirusTotal. This rule can be very noisy.
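rule FE_PCAPs
{
    meta:
        author = "@abhinavbom"
        maltype = "NA"
        version = "0.1"
        description = "All pcaps uploaded to VT"
        date = "29/07/2015"
    strings:
        // libpcap global-header magic 0xA1B2C3D4 as written by little- and big-endian
        // hosts. The original rule carried only the little-endian form and so missed
        // big-endian captures, nanosecond-resolution captures and pcapng files.
        $magic_le    = { D4 C3 B2 A1 }
        $magic_be    = { A1 B2 C3 D4 }
        // Nanosecond-resolution libpcap variant, magic 0xA1B23C4D.
        $magic_ns_le = { 4D 3C B2 A1 }
        $magic_ns_be = { A1 B2 3C 4D }
        // pcapng Section Header Block type 0x0A0D0D0A; identical in either byte order.
        $magic_ng    = { 0A 0D 0D 0A }
    condition:
        // Anchored at offset 0: the magic must be the file header, not embedded data.
        $magic_le at 0 or $magic_be at 0 or
        $magic_ns_le at 0 or $magic_ns_be at 0 or
        $magic_ng at 0
}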
// Rule to detect all pcap uploads to VirusTotal with more than 3 detections.
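rule pcap_positives
{
    meta:
        author = "@abhinavbom"
        maltype = "NA"
        version = "0.1"
        description = "All pcaps uploaded to VT with +3 detection rate"
        date = "21/06/2015"
    strings:
        // libpcap global-header magic 0xA1B2C3D4 in both byte orders; the original
        // rule only recognised the little-endian form.
        $magic_le    = { D4 C3 B2 A1 }
        $magic_be    = { A1 B2 C3 D4 }
        // Nanosecond-resolution libpcap variant, magic 0xA1B23C4D.
        $magic_ns_le = { 4D 3C B2 A1 }
        $magic_ns_be = { A1 B2 3C 4D }
        // pcapng Section Header Block type 0x0A0D0D0A.
        $magic_ng    = { 0A 0D 0D 0A }
    condition:
        // `positives` is a VT hunting external: number of engines flagging the file.
        // `> 3` means at least four detections, which is how "+3" is read here.
        (
            $magic_le at 0 or $magic_be at 0 or
            $magic_ns_le at 0 or $magic_ns_be at 0 or
            $magic_ng at 0
        )
        and positives > 3
}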
// Rule to detect all pcaps submitted to VT and tagged as exploit kits.
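rule ek_submissions
{
    meta:
        author = "@abhinavbom"
        maltype = "NA"
        version = "0.1"
        description = "Detects pcaps uploaded to VT and matches IDS detections for Exploit kits"
        date = "23/06/2015"
    strings:
        // libpcap global-header magic 0xA1B2C3D4 in both byte orders; the original
        // rule only recognised the little-endian form.
        $magic_le    = { D4 C3 B2 A1 }
        $magic_be    = { A1 B2 C3 D4 }
        // Nanosecond-resolution libpcap variant, magic 0xA1B23C4D.
        $magic_ns_le = { 4D 3C B2 A1 }
        $magic_ns_be = { A1 B2 3C 4D }
        // pcapng Section Header Block type 0x0A0D0D0A.
        $magic_ng    = { 0A 0D 0D 0A }
    condition:
        // `tags` is a VT hunting external (space-separated tag string); `contains`
        // is a substring test, so "exploit-kit" is matched wherever it appears in it.
        (
            $magic_le at 0 or $magic_be at 0 or
            $magic_ns_le at 0 or $magic_ns_be at 0 or
            $magic_ng at 0
        )
        and tags contains "exploit-kit"
}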
// Exploit-kit-tagged pcaps in VT with more than 3 positive engine detections.
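rule ek_submissions_2
{
    meta:
        author = "@abhinavbom"
        maltype = "NA"
        version = "0.1"
        // Description previously duplicated ek_submissions and omitted the positives
        // threshold that distinguishes this rule.
        description = "Detects pcaps uploaded to VT tagged exploit-kit by IDS detections and with more than 3 positives"
        date = "23/06/2015"
    strings:
        // libpcap global-header magic 0xA1B2C3D4 in both byte orders; the original
        // rule only recognised the little-endian form.
        $magic_le    = { D4 C3 B2 A1 }
        $magic_be    = { A1 B2 C3 D4 }
        // Nanosecond-resolution libpcap variant, magic 0xA1B23C4D.
        $magic_ns_le = { 4D 3C B2 A1 }
        $magic_ns_be = { A1 B2 3C 4D }
        // pcapng Section Header Block type 0x0A0D0D0A.
        $magic_ng    = { 0A 0D 0D 0A }
    condition:
        // Both VT hunting externals must agree: tagged as exploit-kit AND at least
        // four engines flagging the sample (`> 3`).
        (
            $magic_le at 0 or $magic_be at 0 or
            $magic_ns_le at 0 or $magic_ns_be at 0 or
            $magic_ng at 0
        )
        and tags contains "exploit-kit"
        and positives > 3
}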