Sneed-Reactivity/yara-mikesxrs/M4r14ch1/Havex_NetScan.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00


/*
 * Havex_NetScan_Malware
 *
 * Matches a file that contains the scan module's trace-file name ($s0)
 * together with at least one of two byte pairs ($s1, $s2) that the rule
 * author associates with ICS products. Per the description, these stand
 * for ports the module probes.
 *
 * NOTE(review): $s1 and $s2 each fix only two bytes. Two-byte sequences
 * are likely to occur by chance in any file of moderate size, so in
 * practice the rule's specificity rests on $s0. Treat a hit as a lead to
 * triage, not as a confirmed infection.
 */
rule Havex_NetScan_Malware {
    meta:
        description = "This rule will search for known indicators of a Havex Network Scan module infection. This module looks for hosts listening on known ICS-related ports to identify OPC or ICS systems and the file created when the scanning data is written."
        author = "M4r14ch1"
        reference = "https://github.com/M4r14ch1/Havex-Network-Scanner-Modules"
        date = "2015/12/21"

    strings:
        // Trace-file name, matched as a UTF-16 (wide) string in any letter case.
        // Per the rule author this is a .yls file created in the temp directory.
        // There is no `ascii` modifier, so a single-byte copy of the name
        // does not match.
        $s0 = "~tracedscn.yls" wide nocase

        // 2B E2 followed by any one byte. 0x2BE2 = 11234 decimal, which the
        // author labels Measuresoft ScadaPro.
        $s1 = { 2B E2 ?? }

        // 30 71 followed by any one byte. 0x3071 = 12401 decimal, which the
        // author labels 7-Technologies IGSS SCADA.
        $s2 = { 30 71 ?? }

        // NOTE(review): both pairs are written high byte first. Confirm against
        // a known sample whether the values appear in that order or low byte
        // first before relying on them.

        // Disabled by the author: $s3 = { 0A F1 2? }   (Rslinx)
        // NOTE(review): if this was meant as port 44818 (0xAF12), the bytes
        // would be AF 12; the nibbles above look shifted by one position.
        // Verify against the reference before re-enabling.

    condition:
        // Trace-file name plus at least one of the two enabled byte pairs;
        // $s3 stays out of the condition while it is disabled.
        $s0 and any of ($s1, $s2)
}