08e8d462fe
RED PILL 🔴 💊
49 lines
1 KiB
Text
49 lines
1 KiB
Text
import "pe"
|
|
|
|
rule metasploit_payload_msfpayload
|
|
{
|
|
meta:
|
|
description = "This rule detects generic metasploit callback payloads generated with msfpayload"
|
|
Author = "Adam Burt (adam_burt@symantec.com)"
|
|
strings:
|
|
$a1 = "asf"
|
|
$a2 = "release"
|
|
$a3 = "build"
|
|
$a4 = "support"
|
|
$a5 = "ab.pdb"
|
|
$l1 = "WS2_32.dll"
|
|
$l2 = "mswsock"
|
|
$l3 = "ntdll.dll"
|
|
$l4 = "KERNEL32.dll"
|
|
$l5 = "shell32"
|
|
$l6 = "malloc"
|
|
$l7 = "fopen"
|
|
$l8 = "fclose"
|
|
$l9 = "fprintf"
|
|
$l10 = "strncpy"
|
|
condition:
|
|
all of ($l*)
|
|
and all of ($a*)
|
|
|
|
}
|
|
|
|
|
|
rule metasploit_service_starter
|
|
{
|
|
meta:
|
|
description = "This rule detects related metasploit service starters"
|
|
author = "Adam Burt (adam_burt@symantec.com)"
|
|
strings:
|
|
$a1 = "StartServiceCtrlDispatcher"
|
|
$a2 = "RegisterServiceCtrlHandle"
|
|
$a3 = "CloseHandle"
|
|
$a4 = "memset"
|
|
$a5 = "rundll32.exe"
|
|
$a6 = "msvcrt.dll"
|
|
condition:
|
|
pe.sections[3].name == ".bss"
|
|
and pe.sections[3].virtual_size == 0x00000030
|
|
and pe.sections[2].virtual_size == 0x0000001c
|
|
and pe.sections[4].virtual_size == 0x00000224
|
|
and all of them
|
|
}
|