Sneed-Reactivity/yara-Neo23x0/apt_cisco_asa_line_dancer_apr24.yar

17 lines
613 B
Text
Raw Normal View History

rule Line_Dancer {
meta:
author = "NCSC"
description = "Targets code sections of Line Dancer, a shellcode loader targeting Cisco ASA devices."
reference = "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/line/ncsc-tip-line-dancer.pdf"
date = "2024-04-24"
score = 75
id = "3b49a861-8107-577a-bae1-ae28d424cc13"
strings:
$ = { 48 8D 5E 20 48 8D 3D BB FF FF FF BA 20 00 00 00 }
$ = { 4C 89 EE 44 89 F2 48 8D 3D 9A 27 00 00 }
$ = { 41 FF D7 41 5F 41 5E 41 5D 41 5C 5B 5D 48 C7 C0 01 00 00 00 5F }
condition:
all of them
}