/*
   This YARA rule is to be considered "experimental".

   It represents a first attempt to detect the BeEF hook.js (the
   browser-hooking payload) in memory.

   It still requires further refinement: in particular, the condition
   requires every listed fragment to be present, so a hook.js build that
   lacks even one of them will not match.
*/
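rule BeEF_browser_hooked {
    // Detects the BeEF (Browser Exploitation Framework) hook.js payload, i.e.
    // a browser that has been "hooked" by a BeEF server. Meant for scanning
    // browser process memory as well as files; `wide ascii` covers both the
    // plain and the two-byte-per-character (UTF-16LE) copies of the script.
    //
    // Status: experimental. The condition is `all of them`, so the rule is
    // tuned for a very low false-positive rate at the cost of false negatives:
    // a hook.js build that renames, drops or minifies away a single one of the
    // fragments below will not match.
    meta:
        description = "Yara rule related to hook.js, BeEF Browser hooking capability"
        author = "Pasquale Stirparo"
        date = "2015-10-07"
        status = "experimental"
        // 64-hex (SHA-256-length) digest of the hook.js sample the strings
        // were extracted from; not independently verified here.
        hash1 = "587e611f49baf63097ad2421ad0299b7b8403169ec22456fb6286abf051228db"

    strings:
        // Man-in-the-browser module: anchor/form poisoning and traffic sniffing.
        $s0  = "mitb.poisonAnchor" wide ascii
        $s12 = ".mitb.poisonForm" wide ascii
        $s9  = "mitb.sniff(" wide ascii
        // The former $s17 ("mitb.sniff") was a strict substring of $s9 and so
        // matched whenever $s9 did; under `all of them` it added nothing and
        // has been dropped. The rule's verdict is unchanged.

        // beef.* helpers and hook networking / feature-detection code.
        $s15 = "beef.net.request" wide ascii
        $s2  = "beef.logger.get_dom_identifier" wide ascii
        $s18 = "beef.logger.start" wide ascii
        $s1  = "this.request(this.httpproto" wide ascii
        $s10 = "Method XMLHttpRequest.open override" wide ascii
        $s11 = ".browser.hasWebSocket" wide ascii

        // Browser fingerprinting: user-agent / engine checks. $s5 and $s6 pin
        // literal Opera 9.80 / Version 10.x and 11.x regexes and are arguably
        // the fragments most likely to vanish from later hook.js builds.
        $s3  = "return (!!window.opera" wide ascii
        $s5  = "window.navigator.userAgent.match(/Opera\\/9\\.80.*Version\\/10\\./)" wide ascii
        $s6  = "window.navigator.userAgent.match(/Opera\\/9\\.80.*Version\\/11\\./)" wide ascii
        $s7  = "window.navigator.userAgent.match(/Avant TriCore/)" wide ascii
        $s8  = "window.navigator.userAgent.match(/Iceweasel" wide ascii
        $s16 = "uagent.search(engineOpera)" wide ascii

        // Miscellaneous hook.js fragments.
        $s4  = "history.pushState({ Be:\"EF\" }" wide ascii
        $s14 = "if (document.domain == domain.replace(/(\\r\\n|\\n|\\r)/gm" wide ascii
        // NOTE(review): $s13 reads like a generic module-bundler `require`
        // shim rather than BeEF-specific code -- confirm against the sample.
        // If so it adds no specificity and, under `all of them`, is purely a
        // false-negative source when the bundler output changes.
        $s13 = "resolved=require.resolve(file,cwd||" wide ascii

    condition:
        // Deliberately strict. Once the per-string false-positive rate has been
        // measured, a threshold (e.g. `8 of them`) or an anchor on the BeEF
        // names alone (`all of ($s0, $s2, $s9, $s12, $s15, $s18)`) would be
        // far more robust against refactored or minified hook.js builds.
        all of them
}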