rule SUSP_XORed_Mozilla { meta: description = "Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key." author = "Florian Roth" reference = "https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()" date = "2019-10-28" modified = "2023-11-25" score = 65 id = "af7fc551-0d4e-589e-9152-95d9c4ab03bf" strings: $xo1 = "Mozilla/5.0" xor(0x01-0xff) ascii wide $fp1 = "Sentinel Labs" wide $fp2 = "