// Heuristic: a file that carries a second PE (two DOS stubs) together with
// PsExec-style command-line switches and a Sysinternals marker.
// NOTE(review): this is a heuristic, not a signature for a specific sample —
// any binary that wraps a PsExec copy (droppers, lateral-movement tooling,
// but also legitimate deployment packages) may match; triage hits accordingly.
rule embedded_psexec
{
    meta:
        description = "Look for indications of embedded psexec"
        author = "Dragos Inc"
        reference = "https://troopers.de/downloads/troopers18/TR18_DM_Mind-The-Gap.pdf"

    strings:
        // DOS stub message present in essentially every PE header.
        // Counted (not just matched) in the condition: one occurrence is the
        // carrier's own stub, a second one suggests an embedded PE.
        $dos_stub = "!This program cannot be run in DOS mode." ascii wide

        // PsExec switches: EULA auto-accept plus run-as-SYSTEM.
        // YARA strings are case-sensitive unless `nocase` is given, so a
        // differently-cased or `/`-prefixed variant will not match this rule.
        $accepteula = "-accepteula -s" ascii wide

        // Sysinternals marker; presumably from the embedded tool's version
        // resource / banner text — confirm against a PsExec sample.
        $sysinternals = ",Sysinternals" ascii wide

    condition:
        // At least two DOS stubs (#... counts occurrences), and both PsExec
        // indicators present in either ASCII or UTF-16LE encoding.
        #dos_stub > 1 and $accepteula and $sysinternals
}