import "pe"
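// Generic msfpayload-built Windows callback payload. The rule keys on a
// cluster of CRT/Winsock import names ($l*) together with five short tokens
// ($a*) that look like fragments of a build path and PDB file name left in
// the binary. NOTE(review): the "build path" reading of "asf"/"release"/
// "build"/"support"/"ab.pdb" is inferred from the values only - confirm
// against a known sample before relying on it in triage notes.
rule metasploit_payload_msfpayload
{
    meta:
        description = "This rule detects generic metasploit callback payloads generated with msfpayload"
        // Lower-case "author" to match metasploit_service_starter; meta keys are
        // case-sensitive to tooling that aggregates them across a rule set.
        author = "Adam Burt (adam_burt@symantec.com)"
    strings:
        // $a*: individually very common substrings (e.g. "build", "support").
        // They only carry signal because the condition requires all of them
        // to be present alongside every $l* import name.
        $a1 = "asf"
        $a2 = "release"
        $a3 = "build"
        $a4 = "support"
        $a5 = "ab.pdb"
        // $l*: ASCII import/library names as they appear in the import table.
        // These are case-sensitive matches (no "nocase"), so a sample whose
        // import table carries "ws2_32.dll" / "kernel32.dll" in lower case will
        // not hit - keep that in mind when tuning or porting this rule.
        $l1 = "WS2_32.dll"
        $l2 = "mswsock"
        $l3 = "ntdll.dll"
        $l4 = "KERNEL32.dll"
        $l5 = "shell32"
        $l6 = "malloc"
        $l7 = "fopen"
        $l8 = "fclose"
        $l9 = "fprintf"
        $l10 = "strncpy"
    condition:
        // No PE anchor (e.g. uint16(0) == 0x5A4D) is applied, so the rule also
        // evaluates on non-PE buffers such as memory regions. If it produces
        // false positives when scanning files at rest, narrowing on the PE
        // header is the first thing to try.
        all of ($l*)
        and all of ($a*)
}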
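// Metasploit-related Windows service starter stubs. Two parts: a fixed
// section geometry (virtual sizes of sections 2-4 and a ".bss" at index 3)
// that pins one specific build layout, and service-control API names plus
// "rundll32.exe" / "msvcrt.dll" that describe what the stub does.
// NOTE(review): the hard-coded section sizes tie this rule to one toolchain
// output; a relink or a different compiler will change them and evade the
// rule. Confirm the geometry still holds against current samples.
rule metasploit_service_starter
{
    meta:
        description = "This rule detects related metasploit service starters"
        author = "Adam Burt (adam_burt@symantec.com)"
    strings:
        $a1 = "StartServiceCtrlDispatcher"
        // Deliberately truncated: a substring of RegisterServiceCtrlHandler and
        // RegisterServiceCtrlHandlerEx, so the A and W import names all hit.
        $a2 = "RegisterServiceCtrlHandle"
        $a3 = "CloseHandle"
        $a4 = "memset"
        $a5 = "rundll32.exe"
        $a6 = "msvcrt.dll"
    condition:
        // Guard the fixed section indices before using them. YARA evaluates an
        // out-of-range pe.sections[] access as undefined, which the original
        // condition already treated as a non-match, so the explicit bound check
        // does not change what the rule hits - it makes the requirement visible
        // and fails fast on non-PE input or binaries with fewer sections.
        pe.number_of_sections > 4
        and pe.sections[3].name == ".bss"
        and pe.sections[3].virtual_size == 0x00000030
        and pe.sections[2].virtual_size == 0x0000001c
        and pe.sections[4].virtual_size == 0x00000224
        and all of them
}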