Sneed-Reactivity/yara-mikesxrs/Pasquale Stirparo/beef_hooked.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

36 lines
1.5 KiB
Text

/*
This Yara Rule is to be considered as "experimental"
It reperesents a first attempt to detect BeEF hook function in memory
It still requires further refinement
*/
rule BeEF_browser_hooked {
meta:
description = "Yara rule related to hook.js, BeEF Browser hooking capability"
author = "Pasquale Stirparo"
date = "2015-10-07"
hash1 = "587e611f49baf63097ad2421ad0299b7b8403169ec22456fb6286abf051228db"
strings:
$s0 = "mitb.poisonAnchor" wide ascii
$s1 = "this.request(this.httpproto" wide ascii
$s2 = "beef.logger.get_dom_identifier" wide ascii
$s3 = "return (!!window.opera" wide ascii
$s4 = "history.pushState({ Be:\"EF\" }" wide ascii
$s5 = "window.navigator.userAgent.match(/Opera\\/9\\.80.*Version\\/10\\./)" wide ascii
$s6 = "window.navigator.userAgent.match(/Opera\\/9\\.80.*Version\\/11\\./)" wide ascii
$s7 = "window.navigator.userAgent.match(/Avant TriCore/)" wide ascii
$s8 = "window.navigator.userAgent.match(/Iceweasel" wide ascii
$s9 = "mitb.sniff(" wide ascii
$s10 = "Method XMLHttpRequest.open override" wide ascii
$s11 = ".browser.hasWebSocket" wide ascii
$s12 = ".mitb.poisonForm" wide ascii
$s13 = "resolved=require.resolve(file,cwd||" wide ascii
$s14 = "if (document.domain == domain.replace(/(\\r\\n|\\n|\\r)/gm" wide ascii
$s15 = "beef.net.request" wide ascii
$s16 = "uagent.search(engineOpera)" wide ascii
$s17 = "mitb.sniff" wide ascii
$s18 = "beef.logger.start" wide ascii
condition:
all of them
}