-
-
Save andreyglauzer/6e6f8ec2c0532480aa3e1f972696cb2c to your computer and use it in GitHub Desktop.
IDDQD - Godmode YARA Rule
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule IDDQD_Godmode_Rule { | |
| meta: | |
| description = "This is the most powerful YARA rule. It detects literally everything." | |
| author = "Florian Roth" | |
| reference = "Internal Research - find a Godmode rule set in Valhalla by Nextron Systems" | |
| date = "2019-05-13" | |
| score = 60 | |
| strings: | |
| $ = "sekurlsa::logonpasswords" ascii wide nocase | |
| $ = "ERROR kuhl" wide | |
| $ = "@subtee" fullword ascii | |
| $ = " -w hidden " ascii wide | |
| $ = " -decode " ascii wide | |
| $ = "Koadic." ascii | |
| $ = "ReflectiveLoader" fullword ascii wide | |
| $ = "InjectDLL" fullword ascii wide | |
| $ = "[System.Convert]::FromBase64String(" ascii wide | |
| $ = /\\(Release|Debug)\\ms1[2-9]/ ascii | |
| $ = "windows/meterpreter" ascii | |
| $ = / (-e |-enc |'|")(JAB|SUVYI|aWV4I|SQBFAFgA|aQBlAHgA)/ ascii wide | |
| $ = / (sEt|SEt|SeT|sET|seT) / ascii wide | |
| $ = ");iex " nocase ascii wide | |
| $ = / (cMd\.|cmD\.|CmD\.|cMD\.)/ ascii wide | |
| $ = /(TW96aWxsYS|1vemlsbGEv|Nb3ppbGxhL|TQBvAHoAaQBsAGwAYQAv|0AbwB6AGkAbABsAGEAL|BNAG8AegBpAGwAbABhAC)/ ascii wide | |
| $ = "Nir Sofer" fullword wide | |
| $ = "Web Shell By " nocase ascii | |
| $ = "impacket." ascii | |
| $ = /\[[\+\-!E]\] (exploit|target|vulnerab|shell|inject)/ nocase | |
| $ = "ecalper" fullword ascii wide | |
| condition: | |
| 1 of them | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment