Sneed-Reactivity/yara-Neo23x0/gen_anydesk_compromised_cert_feb23.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

77 lines
3.4 KiB
Text

import "pe"
rule PUA_AnyDesk_Compromised_Certificate_Revoked_Jan24 {
meta:
description = "Detects binaries signed with a compromised signing certificate of AnyDesk (philandro Software GmbH, 0DBF152DEAF0B981A8A938D53F769DB8) after it was revoked. This is not a threat detection. It detects an outdated version of AnyDesk that was signed with a certificate that has been revoked."
date = "2024-02-05"
author = "Florian Roth"
reference = "https://anydesk.com/en/public-statement"
score = 50
id = "eeefc9a5-1416-544b-b95e-c063000a4028"
condition:
uint16(0) == 0x5a4d
and for any i in (0 .. pe.number_of_signatures) : (
pe.signatures[i].issuer contains "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1" and
pe.signatures[i].serial == "0d:bf:15:2d:ea:f0:b9:81:a8:a9:38:d5:3f:76:9d:b8"
)
}
rule SUSP_AnyDesk_Compromised_Certificate_Jan24_1 {
meta:
description = "Detects binaries signed with a compromised signing certificate of AnyDesk that aren't AnyDesk itself (philandro Software GmbH, 0DBF152DEAF0B981A8A938D53F769DB8; strict version)"
date = "2024-02-02"
author = "Florian Roth"
reference = "https://anydesk.com/en/public-statement"
score = 75
id = "8d172b04-f7f7-54df-b30c-3ee17d3cca12"
strings:
$a1 = "AnyDesk Software GmbH" wide
condition:
uint16(0) == 0x5a4d
and not $a1
and for any i in (0 .. pe.number_of_signatures) : (
pe.signatures[i].issuer contains "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1" and
pe.signatures[i].serial == "0d:bf:15:2d:ea:f0:b9:81:a8:a9:38:d5:3f:76:9d:b8"
)
}
rule SUSP_AnyDesk_Compromised_Certificate_Jan24_2 {
meta:
description = "Detects binaries signed with a compromised signing certificate of AnyDesk that aren't AnyDesk itself (philandro Software GmbH, 0DBF152DEAF0B981A8A938D53F769DB8; permissive version)"
date = "2024-02-02"
author = "Florian Roth"
reference = "https://anydesk.com/en/public-statement"
score = 65
id = "a41af8d8-ebdf-5a2f-8cf5-abd4587bdfc5"
strings:
$sc1 = { 0D BF 15 2D EA F0 B9 81 A8 A9 38 D5 3F 76 9D B8 }
$s2 = "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1"
$f1 = "AnyDesk Software GmbH" wide
condition:
uint16(0) == 0x5a4d
and filesize < 20000KB
and all of ($s*)
and not 1 of ($f*)
}
rule SUSP_AnyDesk_Compromised_Certificate_Jan24_3 {
meta:
description = "Detects binaries signed with a compromised signing certificate of AnyDesk after it was revoked (philandro Software GmbH, 0DBF152DEAF0B981A8A938D53F769DB8; version that uses dates for validation)"
date = "2024-02-02"
author = "Florian Roth"
reference = "https://anydesk.com/en/public-statement"
score = 75
id = "9610e61c-25d7-53e8-ba3f-b78b3d108aa3"
condition:
uint16(0) == 0x5a4d and
for any i in (0 .. pe.number_of_signatures) : (
pe.signatures[i].issuer contains "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1" and
pe.signatures[i].serial == "0d:bf:15:2d:ea:f0:b9:81:a8:a9:38:d5:3f:76:9d:b8" and
// valid after Monday, January 29, 2024 0:00:00
(
pe.signatures[i].not_before > 1706486400 // certificate validity starts after it was revoked
or pe.timestamp > 1706486400 // PE was created after it was revoked
)
)
}