Sneed-Reactivity/yara-mikesxrs/crowdstrike/CrowdStrike_CSIT_14004_02.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

19 lines
No EOL
598 B
Text

rule CrowdStrike_CSIT_14004_02 : loader backdoor bouncer {
meta:
description = "Deep Panda Compiled ASP.NET <http://ASP.NET> Webshell"
last_modified = "2014-04-25"
version = "1.0"
report = "CSIT-14004"
in_the_wild = true
copyright = "CrowdStrike, Inc"
actor = "DEEP PANDA"
strings:
$cookie = "zWiz\x00" wide
$cp = "es-DN" wide
$enum_fs1 = "File system: {0}" wide
$enum_fs2 = "Available: {0} bytes" wide
$enum_fs3 = "Total space: {0} bytes" wide
$enum_fs4 = "Total size: {0} bytes" wide
condition:
($cookie and $cp) or all of ($enum*)
}