yara简介
rule silent_banker : banker{meta:description = "This is just an example"threat_level = 3in_the_wild = truestrings:$a = {6A 40 68 00 30 00 00 6A 14 8D 91}$b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}$c = "UVODFRYSIHLNWPEJXQZAKCBGMT"condition:$a or $b or $c}
yara规则
rule RuleName{meta:strings:condition:}
-
英文或字母组成的字符串
-
可以使用下划线
-
第一个字符禁止为数字
-
大小写敏感
-
不可以大于128个字符长度
yara关键词
rule RuleName{meta:author = "lengyi"strings:$hex1 = { EF 44 ?? D8 A? FB}condition:$hex1}
rule RuleName{meta:author = "lengyi"strings:$hex1 = { EF 44 [-] D8 A2 FB}$hex2 = { EF 44 [4-6] D8 A2 FB}condition:$hex1 or $hex2}
rule RuleName{meta:author = "lengyi"strings:$hex1 = "honghe"condition:$hex1}
rule RuleName{meta:author = "lengyi"strings:$hex1 = "honghe" nocasecondition:$hex1}
rule RuleName{meta:author = "lengyi"strings:$hex1 = "honghe" widecondition:$hex1}
rule RuleName{meta:author = "lengyi"strings:$hex1 = "honghe" base64condition:$hex1}
rule RuleName{meta:author = "lengyi"strings:$hex1 = "facebook" fullwordcondition:$hex1}
www.facebook.com www.xor.facebook.com https://www.facebook.com/rule RuleName{meta:author = "lengyi"strings:$hex1 = "facebook"$hex2 = "book"$hex3 = "face"condition:($hex1 and $hex2) or $hex3}
rule RuleName{meta:author = "lengyi"condition:filesize > 200KB}
int8(<offset or virtual address>)int16(<offset or virtual address>)int32(<offset or virtual address>)uint8(<offset or virtual address>)uint16(<offset or virtual address>)uint32(<offset or virtual address>)int8be(<offset or virtual address>)int16be(<offset or virtual address>)int32be(<offset or virtual address>)uint8be(<offset or virtual address>)uint16be(<offset or virtual address>)uint32be(<offset or virtual address>)
rule RuleName{meta:author = "lengyi"condition:unint16(0) and unit32(unit32(0x3c)) == 0x00004550}
rule hacktool_windows_mimikatz_copywrite{meta:description = "Mimikatz credential dump tool: Author copywrite"reference = "https://github.com/gentilkiwi/mimikatz"author = "@fusionrace"md5_1 = "0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8"md5_2 = "0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b"md5_3 = "0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143"md5_4 = "004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c"md5_5 = "09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca"md5_6 = "09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669"strings:$s1 = "Kiwi en C" fullword ascii wide$s2 = "Benjamin DELPY `gentilkiwi`" fullword ascii wide$s3 = "http://blog.gentilkiwi.com/mimikatz" fullword ascii wide$s4 = "Build with love for POC only" fullword ascii wide$s5 = "gentilkiwi (Benjamin DELPY)" fullword wide$s6 = "KiwiSSP" fullword wide$s7 = "Kiwi Security Support Provider" fullword wide$s8 = "kiwi flavor !" fullword widecondition:any of them}
yara编写
rule CobaltStrike4_1:beacon{meta:description = "This rule is used to detect CobaltStrike4.1 Trojan"author = "lengyi"condition:filesize > 10KB and filesize < 24KB}
import"pe" rule CobaltStrike4_1:beacon{meta:description ="This rule is used to detect CobaltStrike4.1 Trojan"author = "lengyi"condition:pe.entry_point ==0x8b0 and filesize >10KB and filesize < 24KB}
import "pe" rule CobaltStrike4_1:beacon{meta:description = "This rule is used to detect CobaltStrike4.1 Trojan"author = "lengyi"strings:$name = "%c%c%c%c%c%c%c%c%cMSSE-%d-server"condition:pe.entry_point ==0x8b0 and filesize > 10KB and filesize < 24KB and $name}
import "pe" rule CobaltStrike4_1:beacon{meta:description = "This rule is used to detect CobaltStrike4.1 Trojan"author = "lengyi"strings:$name = "%c%c%c%c%c%c%c%c%cMSSE-%d-server"condition:uint16(0) == 0x5A4D and pe.entry_point ==0x8b0 and filesize > 10KB and filesize < 24KB and $name}
声明: 文章初衷仅为攻防研究学习交流之用,严禁利用相关技术去从事一切未经合法授权的入侵攻击破坏活动,因此所产生的一切不良后果与本文作者及该公众号无任何关联。
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论