30 lines
1.1 KiB
Text
30 lines
1.1 KiB
Text
import "pe"
|
|
|
|
rule SUSP_VCRuntime_Sideloading_Indicators_Aug23 {
|
|
meta:
|
|
description = "Detects indicators of .NET based malware sideloading as VCRUNTIME140 with .NET DLL imports"
|
|
author = "Jonathan Peters"
|
|
date = "2023-08-30"
|
|
hash = "b4bc73dfe9a781e2fee4978127cb9257bc2ffd67fc2df00375acf329d191ffd6"
|
|
score = 75
|
|
id = "00400122-1343-5051-af31-880a3ef1745d"
|
|
condition:
|
|
(filename == "VCRUNTIME140.dll" or filename == "vcruntime140.dll")
|
|
and pe.imports("mscoree.dll", "_CorDllMain")
|
|
}
|
|
|
|
// rule SUSP_VCRuntime_Sideloading_Indicators_1_Aug23 {
|
|
// meta:
|
|
// description = "Detects indicators of .NET based malware sideloading as an unsigned VCRUNTIME140"
|
|
// author = "Jonathan Peters"
|
|
// date = "2023-08-30"
|
|
// hash = "b4bc73dfe9a781e2fee4978127cb9257bc2ffd67fc2df00375acf329d191ffd6"
|
|
// score = 75
|
|
// strings:
|
|
// $fp1 = "Wine builtin DLL" ascii
|
|
// condition:
|
|
// (filename == "VCRUNTIME140.dll" or filename == "vcruntime140.dll")
|
|
// and not pe.number_of_signatures == 0
|
|
// and not pe.signatures[0].issuer contains "Microsoft Corporation"
|
|
// and not $fp1
|
|
// }
|