Sneed-Reactivity/yara-mikesxrs/Elastic/APT_APT40_Implant_June2020.yar


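// APT40 second-stage implant: matches on a set of URI path strings, a set of
// "... Failed ..." format strings and a "\cmd.exe" suffix, all of which must be
// present (`all of them`). That makes the rule precise but brittle: a variant
// that changes any single path or message no longer matches. If recall matters
// more than precision, measure false positives before relaxing the threshold.
rule APT_APT40_Implant_June2020 {
    meta:
        version = "1.0"
        author = "Elastic Security"
        date_added = "2020-06-19"
        description = "APT40 second stage implant"
        reference = "https://www.elastic.co/security-labs/advanced-techniques-used-in-malaysian-focused-apt-campaign"
    strings:
        // URI paths stored as UTF-16LE (`wide`); presumably the implant's
        // server-side endpoints, but the rule only asserts their presence.
        $a = "/list_direction" fullword wide
        $b = "/post_document" fullword wide
        $c = "/postlogin" fullword wide
        // printf-style format strings (ASCII); the "%s" placeholders are
        // matched literally, not expanded.
        $d = "Download Read Path Failed %s" fullword ascii
        $e = "Open Pipe Failed %s" fullword ascii
        $f = "Open Remote File %s Failed For: %s" fullword ascii
        // Upstream defined $g as a byte-for-byte duplicate of $d. Under
        // `all of them` a duplicate can never change the verdict, so it was
        // dropped; the remaining identifiers are kept unchanged on purpose.
        $h = "\\cmd.exe" fullword wide
    condition:
        all of them
}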