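rule derusbi_kernel
{
    // Detects the Derusbi driver component: the file must start with the DOS "MZ"
    // header and contain every one of the four string artefacts below.
    meta:
        description = "Derusbi Driver version"
        date = "2015-12-09"
        author = "Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud"
    strings:
        // Two fixed marker strings; both must be present but are matched
        // independently (no adjacency is required by the condition).
        // NOTE(review): presumably two halves of one marker - confirm against the sample.
        $token1 = "$$$--Hello"
        $token2 = "Wrod--$$$"
        // Run of 15 'X' bytes. Far too generic to be meaningful alone, so it is only
        // ever ANDed with the other strings. NOTE(review): looks like an unfilled
        // configuration placeholder in the binary - confirm.
        $cfg = "XXXXXXXXXXXXXXX"
        // MSVC-decorated C++ type name (".?AV<class>@@" RTTI form) for class PCC_BASEMOD.
        $class = ".?AVPCC_BASEMOD@@"
    condition:
        // uint16(0) == 0x5A4D is the little-endian read of the bytes "MZ" at offset 0.
        // It replaces the original `$MZ = "MZ"` / `$MZ at 0`: identical match set, but
        // avoids a 2-byte search atom that YARA would otherwise have to test at every
        // offset of every scanned file (the compiler warns about such short atoms).
        uint16(0) == 0x5A4D and $token1 and $token2 and $cfg and $class
}
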
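rule derusbi_linux
{
    // Detects the Derusbi server-side Linux component: the file must start with the
    // ELF magic and contain every one of the four string artefacts below.
    meta:
        description = "Derusbi Server Linux version"
        date = "2015-12-09"
        author = "Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud"
    strings:
        // Embedded shell-prompt assignment. "\\" is YARA's escape for one literal
        // backslash, so the bytes matched are:  PS1=RK# \u@\h:\w \$
        $PS1 = "PS1=RK# \\u@\\h:\\w \\$"
        // Embedded shell command string (unsets LS_OPTIONS, then runs uname -a).
        $cmd = "unset LS_OPTIONS;uname -a"
        // Bracketed process name. NOTE(review): presumably chosen to resemble a
        // kernel thread in process listings - confirm against the sample.
        $pname = "[diskio]"
        // Dot-file path under /tmp; the variable name marks it as a rootkit artefact.
        $rkfile = "/tmp/.secure"
    condition:
        // uint32(0) == 0x464C457F is the little-endian read of "\x7fELF" at offset 0.
        // It replaces the original `$ELF = "\x7fELF"` / `$ELF at 0`: identical match
        // set, but a fixed-offset header read instead of a whole-file string scan,
        // which is the conventional YARA idiom for file-type gating.
        uint32(0) == 0x464C457F and $PS1 and $cmd and $pname and $rkfile
}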