RED PILL 🔴 💊
import "pe"
import "dotnet"
/*
"dbgsview.exe"
Agent.exe
"adflctlmon.exe"
d3429016-d029-45b8-b260-85221265838e
76b7b11a-4124-448b-9903-15524e321f3f
2cde886e-ee24-496a-bb31-1ced6b766ced
imphash
f34d5f2d4577ed6d9ceec516c1f5a744
*/
rule apt_RU_Turla_Kazuar_DebugView_peFeatures
{
    // Kazuar sample posing as Sysinternals DebugView: an MZ file whose version
    // resource carries a placeholder copyright string together with one of four
    // DebugView / Agent name-or-version pairs.
    meta:
        desc = "Turla mimicking SysInternals Tools- peFeatures"
        version = "2.0"
        author = "JAG-S"
        hash = "1749c96cc1a4beb9ad4d6e037e40902fac31042fa40152f1d3794f49ed1a2b5c"
        hash = "44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac"

    condition:
        // MZ signature at offset 0
        uint16(0) == 0x5a4d
        // placeholder copyright left in the mimicked VERSIONINFO block
        and pe.version_info["LegalCopyright"] == "Test Copyright"
        and
        (
            // product name / description pair
            (
                pe.version_info["ProductName"] == "Sysinternals DebugView"
                and pe.version_info["Description"] == "Sysinternals DebugView"
            )
            // file version / comments pair
            or
            (
                pe.version_info["FileVersion"] == "4.80.0.0"
                and pe.version_info["Comments"] == "Sysinternals DebugView"
            )
            // NOTE(review): "OriginalName" and "Description" are not the usual
            // StringFileInfo key names ("OriginalFilename" / "FileDescription");
            // confirm against the referenced samples that these keys are literally
            // present, otherwise the branches that use them cannot match.
            or
            (
                pe.version_info["OriginalName"] contains "DebugView.exe"
                and pe.version_info["InternalName"] contains "DebugView.exe"
            )
            or
            (
                pe.version_info["OriginalName"] == "Agent.exe"
                and pe.version_info["InternalName"] == "Agent.exe"
            )
        )
}
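rule apt_RU_Turla_Kazuar_DebugView_dotnet
{
    // .NET-metadata companion to the peFeatures rule: matches an MZ file whose
    // .NET metadata holds one of three known GUIDs, or whose module name is
    // "DebugView.exe".
    meta:
        // was "peFeatures" (copied from the sibling rule); this rule keys on
        // .NET metadata, not PE version features
        desc = "Turla mimicking SysInternals Tools- dotnet"
        version = "1.0"
        author = "JAG-S"
        hash = "1749c96cc1a4beb9ad4d6e037e40902fac31042fa40152f1d3794f49ed1a2b5c"
        hash = "44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac"

    condition:
        // MZ signature at offset 0
        uint16(0) == 0x5a4d
        and
        (
            // any of the known .NET metadata GUIDs; if the dotnet module cannot
            // parse the file, number_of_guids is undefined and this clause is false
            for any i in (0..dotnet.number_of_guids-1):
            (
                dotnet.guids[i] == "d3429016-d029-45b8-b260-85221265838e"
                or dotnet.guids[i] == "76b7b11a-4124-448b-9903-15524e321f3f"
                or dotnet.guids[i] == "2cde886e-ee24-496a-bb31-1ced6b766ced"
            )
            // or the mimicked module name
            or dotnet.module_name == "DebugView.exe"
        )
}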