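// The hash module is needed so the known-sample hashes below are compared
// against the digest of the scanned file rather than searched for as text.
import "hash"

// Detects GoRed samples (Linux ELF or Windows PE) by one of four evidence
// classes: (1) a system-utility usage string paired with an x86-64 code byte
// pattern (ELF only), (2) Go method-suffix strings together with three
// byte-transform loops, (3) a set of Go package/command symbol names, or
// (4) the SHA-256 of the whole file being one of the known sample hashes.
//
// Fixes relative to the previous revision of this rule:
//   - "$c1" was defined twice (a hex pattern and "embedded.GetConfig"), which
//     YARA rejects as a duplicated string identifier, so the rule did not
//     compile at all. The Go symbol strings are now the "$g*" group, so the
//     "all of ($c*)" branch no longer mixes the ss(8) pattern pair with them.
//   - The sample hashes were plain "$hash*" strings, i.e. the rule only fired
//     on files that CONTAIN the hash as ASCII text (IOC lists, reports), never
//     on the samples themselves. They are now compared with hash.sha256().
//   - "$hash42" duplicated "$hash41" and has been dropped.
rule GoRed
{
    meta:
        description = "GoRed (ELF/PE): utility usage strings + code patterns, Go symbol names, or known SHA-256 sample hashes"

    strings:
        // --- ELF-only pairs: a usage/config string from a system utility plus
        //     an x86-64 code byte pattern. Each pair is required together.
        $a0 = "For more details see ps(1)."
        $a1 = {48 8B BB A8 02 00 00 48 ?? ?? 74 0D E8 ?? ?? ?? ?? 85 ?? 0F 85 81 05 00 00 48 8B BB 28 03 00 00 48 ?? ?? 74 0D E8 ?? ?? ?? ?? 85 C0 0F 85 68 05 00 00 41 8B 54 24 50 48 89 D8 85 D2 74 13 83 7B 04 02 0F 84 52 05 00 00 83 ?? ?? 0F 84 49 05 00 00}

        $b0 = "usage: netstat [-vWeenNcCF] [<Af>] -r"
        $b1 = {48 8D 05 ?? ?? ?? ?? 4A 8B ?? ?? 0F B6 [1-2] 8D 50 ?? 80 FA ?? 76 ?? 84 C0 74 ?? 66 0F EF C0 31 F6}

        $c0 = "Usage: ss [ OPTIONS ]"
        $c1 = {48 63 FD 48 8D 05 ?? ?? ?? ?? 4C 89 EE 83 C5 ?? 48 C1 E7 ?? BA ?? ?? ?? ?? 48 01 C7 E8 ?? ?? ?? ?? 83 FB ?? 0F 9E C0 83 FD ?? 0F 9E C2 48 83 C3 ?? 20 D0 0F 85 ?? ?? ?? ??}

        $d0 = "/.htoprc"
        $d1 = {48 89 DF E8 ?? ?? ?? ?? 48 8B 7B ?? 48 85 FF 74 ?? E8 ?? ?? ?? ?? 85 C0 75 ?? 48 8B 7B ?? 48 85 FF 74 ?? E8 ?? ?? ?? ?? 85 C0 75 ??}

        // --- ELF or PE: Go receiver-method name suffixes and generic protocol
        //     tokens. Individually these are common; the rule requires ALL of
        //     them plus the three byte-transform loops ($s15-$s17), which are
        //     the discriminating part of this group.
        $s1  = ").Parse" ascii nocase
        $s2  = ").MarshalBinary" ascii nocase
        $s3  = ").UnmarshalBinary" ascii nocase
        $s4  = ").Request" ascii nocase
        $s5  = ").Connect" ascii nocase
        $s6  = ").MarshalJSON" ascii nocase
        $s7  = ").Hash" ascii nocase
        $s8  = ").Add" ascii nocase
        $s9  = ").Close" ascii nocase
        $s10 = "JWT" ascii nocase
        $s11 = "config" ascii nocase
        $s12 = "GET" ascii nocase
        $s13 = "POST" ascii nocase
        $s14 = "a5674391" ascii nocase
        // Byte-wise loops over a buffer: subtract, xor and add of two bytes
        // indexed by the same counter, then store and advance.
        $s15 = {0F B6 54 0C ?? 0F B6 74 0C ?? 29 D6 40 88 74 0C ?? 48 FF ?? 48 83 F9 ?? 7C ?? }
        $s16 = {0F B6 54 04 ?? 0F B6 74 04 ?? 31 D6 40 88 74 04 ?? 48 FF ?? 66 0F 1F 44 00 ?? 48 83 F8 ?? 7C ?? }
        $s17 = {0F B6 54 0C ?? 0F B6 74 0C ?? 01 F2 88 54 0C ?? 48 FF ?? 48 83 F9 ?? 7C ?? }

        // --- ELF or PE: Go package/function symbol names and command words.
        //     Formerly "$c1".."$c10", which collided with the ss(8) pair above.
        //     $g6/$g7 are 2-3 byte nocase strings and will make YARA warn about
        //     scan speed; they are only meaningful in the "all of" conjunction.
        $g1  = "embedded.GetConfig" ascii nocase
        $g2  = "common.runInBackground" ascii nocase
        $g3  = "common.run" ascii nocase
        $g4  = "common.RunCommand" ascii nocase
        $g5  = "revsh" ascii nocase
        $g6  = "dns" ascii nocase
        $g7  = "ws" ascii nocase
        $g8  = "dump" ascii nocase
        $g9  = "shell" ascii nocase
        $g10 = "files" ascii nocase

    condition:
        // (1) ELF only: any one utility-string + code-pattern pair.
        (
            uint32be(0) == 0x7f454c46 and
            (
                all of ($a*) or
                all of ($b*) or
                all of ($c*) or
                all of ($d*)
            )
        )
        or
        // (2)/(3) ELF or PE: the full Go method-suffix set, or the full
        //         Go symbol/command set.
        (
            (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
            (all of ($s*) or all of ($g*))
        )
        or
        // (4) Known sample: SHA-256 of the entire file. Placed last so the
        //     digest is only computed when no string branch matched, and
        //     size-gated so large non-executable files are skipped cheaply
        //     (adjust the bound if larger samples are expected).
        (
            filesize < 50MB and
            (
                hash.sha256(0, filesize) == "67b7a8fad28dcc40c0889e5c4e40aef9348441c64bba74bd6db885d88ce6d246" or
                hash.sha256(0, filesize) == "f43c99ef85166774ed47cad96c70b8273aa82c313e55bb08d9c74e2b3f59b000" or
                hash.sha256(0, filesize) == "f91c9fd27bf0e3a7e82998721946ee70735ec46ee672ca80e3062aa2d5195447" or
                hash.sha256(0, filesize) == "be246cdf932aa5b1c2ada0d74c8d1eca4028538b28fb61d7a8d930b4266fd55c" or
                hash.sha256(0, filesize) == "ec36fcd64432843292d16f601a758ba4091ada906c5c4c4e540e326676911141" or
                hash.sha256(0, filesize) == "41d35016c78f86eee8972808c7de8c200ff24625639adff5b9d0ab8773fff6b4" or
                hash.sha256(0, filesize) == "aca34d7c3832879f6f7ebe8f7c59160896909574c94d1d12d7c71b6f7918bc50" or
                hash.sha256(0, filesize) == "8d055f3ad4d01f601df24a7c20ded981005adef7e6d26750415d1f95a471c2e3" or
                hash.sha256(0, filesize) == "17e57c5e71b99a386b18728eac4a27e83415756071c9e85859940da41e94976b" or
                hash.sha256(0, filesize) == "32d76f2fe1188a131cb3219356639e83c60d47a703e40b8801a364d98e37128f" or
                hash.sha256(0, filesize) == "f3bb44d52e43477ce43c91eb8d9830e356fc105b96377edd6b190fcccda61e2f" or
                hash.sha256(0, filesize) == "ab801eaa9ad11199e1382a124d6024f9551a5a33ca1b9e5cafc0098621abb91f" or
                hash.sha256(0, filesize) == "e2b2ebe1b82d1c122dc2750f318f2484fe5361fcd964bfdcdcae631cf32f8d37" or
                hash.sha256(0, filesize) == "4561a38ff34cc71cc73d54e2adfbd378f58d54596b012ff1841fdd7fc42063c3" or
                hash.sha256(0, filesize) == "f56b7fbc5dda7e46aff1b7753a1edb1f6fad5c8953dd3dbff30b3d8675b1dbd3" or
                hash.sha256(0, filesize) == "9bad8f88be8f143e37616556b9331af69a806281019b8a336ee6e14cd04b3c0e" or
                hash.sha256(0, filesize) == "5a3a44d5482bb9b632d0a9da47e5ae7d27cd397ca08d764bdf1ed636565ef5e7" or
                hash.sha256(0, filesize) == "8c545687a21481969ea4299e997cfc527a16503d042c2116801ee08f14ec6595" or
                hash.sha256(0, filesize) == "f6e8220dbf407300fbc78d823004de5d0c4d2816218b8e2b5f8993e97f1e6a32" or
                hash.sha256(0, filesize) == "017e03f9185e24c30de6b94bd6a36d48788d0b72134235e3f3dd1322dca426c9" or
                hash.sha256(0, filesize) == "9ec7495bb6d3a7d3bfd5d5ae9e704d0f42f3136166652a5576f15d0379126d75" or
                hash.sha256(0, filesize) == "7d2ae888fd06b811f6ba880c1fec3f37d49d50e0716de1b28f978240abe7795e" or
                hash.sha256(0, filesize) == "0ac2f15f3a36e67b8e03f69685193480edf3e3b10fc69ccbec76d3d5878c708c" or
                hash.sha256(0, filesize) == "f34bd1d485de437fe18360d1e850c3fd64415e49d691e610711d8d232071a0b1" or
                hash.sha256(0, filesize) == "c287956c4eb683e1ee62bc9ddb739d3d1c9c5dad7a73be3977bc53468665c7f7" or
                hash.sha256(0, filesize) == "37affeab7fb06a052413e9cc9272ea9cb2fd160fd204b506620d4303b06298c4" or
                hash.sha256(0, filesize) == "6262558adf132ae3c67d6f241c7abd62f987ce2881d459a66332234971e49e95" or
                hash.sha256(0, filesize) == "c738d594d09c651109c4422acbecad23a461bab6cd4eafc41546f036816533a0" or
                hash.sha256(0, filesize) == "c0cd580d83f4171b34b956d0c29dbc8fcafba8889594d85d471c14d7cf33be79" or
                hash.sha256(0, filesize) == "22ab2abda59edc1b6ba733fc140ab0c6b0c503b726a377a2e2ee6e6c95644aae" or
                hash.sha256(0, filesize) == "211a73ab3fb49957277a2efb50ad3140673b65df577961a58c3c9c90791e961e" or
                hash.sha256(0, filesize) == "1b96adc3c129e7e41f7c67f0d56dc05d6cdee31f69ff85f27e6a90270cfefdcf" or
                hash.sha256(0, filesize) == "bc159721bbe192f9c5cd24d3e9356a28f5b0c6b182de9fecf0b0ac28035f566a" or
                hash.sha256(0, filesize) == "1807c7a44da958f15e4dcb77cab78e92eeb96b3ace91d6923c2022d646d5593c" or
                hash.sha256(0, filesize) == "a5e61987676b7aed2c6d6d32c657f9351c2daa7c36365db20713dd42a03b1504" or
                hash.sha256(0, filesize) == "86bd9caab7526f2cd7e468d692ee2bac571465d25eb0619a10b0b46ae9a5b8e2" or
                hash.sha256(0, filesize) == "91136b3145a52b66a3f5edd7d8a8d06698666300f24861074df1308491f50ba5" or
                hash.sha256(0, filesize) == "895988088f25c89295f1a17f222a4553eafb2137b115f2ad4a0a25d273eb6521" or
                hash.sha256(0, filesize) == "a6dfef8616959969c06b65685e39929630f2819e6d5920498cdb1e89185ab7cd" or
                hash.sha256(0, filesize) == "20927a1fc3441668264673d77c81652818a630f3b2055545b0e0938c523827c3" or
                hash.sha256(0, filesize) == "a9b1a99729860c004fbef463958871956cbb3c8e365383042978c260012055bd" or
                hash.sha256(0, filesize) == "7e8bde3e34fbf9b99b7915e12de42f6b806153e44b6aaf68b172db50e18e3b9e" or
                hash.sha256(0, filesize) == "ac0906ff674c555e102f076100d0c12ea4a4aa7d74cc15f67c4038a84100f4cf" or
                hash.sha256(0, filesize) == "8fe0ba1cb68225ab9a2cb11c1419f52adb03898c5f11d2221ba9765843443d24"
            )
        )
}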