// Shell-style droppers that collect a user's .ssh directory, bundle it and
// move it with a network client. Medium severity: every individual string is
// common in benign tooling, so the rule requires one from each group.
rule tar_ssh_net: medium {
  meta:
    description = "possible tar-based SSH stealer"
    hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b"
    // the next two entries carry the same digest — presumably one sample
    // recorded under two corpus paths; verify
    hash_2023_Qubitstrike_branch_raw_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd"
    hash_2023_Qubitstrike_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd"
  strings:
    // what is being collected (must be present)
    $dir_ssh = ".ssh" fullword
    // network client — any one suffices
    $s_curl = "curl" fullword
    $s_wget = "wget" fullword
    $s_socket = "socket" fullword
    // archiving / bulk-read step — any one suffices
    $z_zip = "zip" fullword
    $z_tar = "tar" fullword
    $z_xargs = "xargs cat"
    // exclusion; looks intended to skip authorized_keys management scripts — confirm
    $not_auth_keys = ".ssh/authorized_keys"
  condition:
    filesize < 10MB
      and $dir_ssh
      and ($s_curl or $s_wget or $s_socket)
      and ($z_zip or $z_tar or $z_xargs)
      and not $not_auth_keys
}
// Small scripts that use curl, mention the .ssh directory and a private-key
// file name, and carry a URL. The tight filesize bound limits this to
// dropper-sized files; the rule does not check the direction of the transfer.
rule curl_https_ssh: high {
  meta:
    description = "possible curl-based SSH stealer"
  strings:
    $client = "curl" fullword
    $dir = ".ssh" fullword
    $key = "id_rsa"
    // either scheme satisfies the URL requirement
    $url_http = "http://"
    $url_https = "https://"
  condition:
    filesize < 15KB and $client and $dir and $key and any of ($url*)
}
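// Any file that names the .ssh directory together with a "stealssh"-style
// routine name. The original listed "stealssh" and "stealSSH" as separate
// strings; nocase is the YARA idiom for that and also covers other
// capitalisations such as "StealSSH" or "Steal_SSH".
rule stealssh: critical {
  meta:
    description = "SSH stealer"
  strings:
    $folder = ".ssh" fullword
    // both spellings keep the $steal prefix so the wildcard below sees them
    $steal = "stealssh" nocase
    $steal_ssh = "steal_ssh" nocase
  condition:
    filesize < 10MB and $folder and any of ($steal*)
}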
// Matches the SELinux file context for sshd's temp files spelled out
// verbatim (user:role:type:level form). Per the description this is
// treated as a sign of the policy being adjusted, not of normal use.
rule sshd_tmp_policy: high {
  meta:
    description = "adjusts sshd tmp policy, possibly to dump credentials"
  strings:
    $selinux_ctx = "unconfined_u:object_r:sshd_tmp_t:s0"
  condition:
    $selinux_ctx
}
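// Files that reference an sshpass-style password dump by file name.
// The string identifier was "$unconfined", copied from the sshd_tmp_policy
// rule above and unrelated to this pattern; renamed for clarity.
rule ssh_pass_file: high {
  meta:
    description = "may store SSH passwords"
  strings:
    // \w matches exactly one word character, so "sshpass1.txt" hits but
    // "sshpass.txt" and "sshpass_12.txt" do not — NOTE(review): confirm this
    // is intended rather than a missing quantifier
    $pass_file = /sshpass\w\.txt/
  condition:
    $pass_file
}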