// Flags files that embed an https:// URL, excluding Apple's CA URL.
rule https_url {
  meta:
    description = "contains embedded HTTPS URLs"
  strings:
    // scheme, one leading word character, then 8-64 URL-body characters
    $url = /https:\/\/[\w][\w\.\/\-_\?=\@]{8,64}/
    // known-benign literal that must not trigger the rule on its own
    $not_apple = "https://www.apple.com/appleca/"
  condition:
    $url and not $not_apple
}
// Flags files that embed a plain http:// URL, excluding Apple's CRL URL.
rule http_url {
  meta:
    description = "contains embedded HTTP URLs"
  strings:
    // scheme, one leading word character, then 8-64 URL-body characters
    $url = /http:\/\/[\w][\w\.\/\-_\?=\@]{8,64}/
    // known-benign literal that must not trigger the rule on its own
    $not_apple = "http://crl.apple.com/"
  condition:
    $url and not $not_apple
}
// Flags files that embed an ftp:// URL.
rule ftp_url {
  meta:
    description = "contains embedded FTP URLs"
  strings:
    // scheme, one leading word character, then 8-64 URL-body characters
    // (no query-string characters, unlike the http/https rules)
    $url = /ftp:\/\/[\w][\w\.\/\-_]{8,64}/
  condition:
    $url
}
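// Flags files that embed an ssh:// URL.
// The description now names the scheme, matching the sibling ftp/http/https rules;
// the generic "contains embedded URLs" made this hit indistinguishable in reports.
rule ssh_url {
  meta:
    description = "contains embedded SSH URLs"
  strings:
    // scheme, one leading word character, then 8-64 URL-body characters
    $ref = /ssh:\/\/[\w][\w\.\/\-_]{8,64}/
  condition:
    any of them
}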
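// Flags files that embed a hardcoded PHP endpoint: a full URL, a path with a
// query string, or a printf-style URL template whose host is filled in at runtime.
rule http_url_with_php: medium {
  meta:
    description = "contains hardcoded PHP endpoint"
    hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad"
    hash_2022_laysound_4_5_2_setup = "4465bbf91efedb996c80c773494295ae3bff27c0fff139c6aefdb9efbdf7d078"
    hash_2023_libcurl_setup = "5deef153a6095cd263d5abb2739a7b18aa9acb7fb0d542a2b7ff75b3506877ac"
  strings:
    // http:// or https:// (https* accepts both), host, then a path ending in .php
    $php_url = /https*:\/\/[\w\.]{0,160}\/[\/\w\_\-\?\@=]{0,160}\.php/
    // any path or URL fragment followed by a .php query string (e.g. index.php?id=...)
    $php_question = /[\.\w\-\_\/:]{0,160}\.php\?[\w\-@\=]{0,32}/
    // format-string template with a %s host placeholder.
    // The dot before "php" is escaped so it matches the literal ".php" like the
    // two patterns above; unescaped it matched any single character before "php".
    $php_c = /https*:\/\/%s\/[\w\/\-\_]{0,160}\.php/
  condition:
    any of ($php*)
}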
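// Flags files that embed a hardcoded ASP endpoint: a full URL, a path with a
// query string, or a printf-style URL template whose host is filled in at runtime.
rule http_url_with_asp: medium {
  meta:
    description = "contains hardcoded ASP endpoint"
    hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad"
    hash_2022_laysound_4_5_2_setup = "4465bbf91efedb996c80c773494295ae3bff27c0fff139c6aefdb9efbdf7d078"
    hash_2023_libcurl_setup = "5deef153a6095cd263d5abb2739a7b18aa9acb7fb0d542a2b7ff75b3506877ac"
  strings:
    // http:// or https:// (https* accepts both), host, then a path ending in .asp
    $asp_url = /https*:\/\/[\w\.]{0,160}\/[\/\w\_\-\?\@=]{0,160}\.asp/
    // any path or URL fragment followed by a .asp query string (e.g. default.asp?id=...)
    $asp_question = /[\.\w\-\_\/:]{0,160}\.asp\?[\w\-@\=]{0,32}/
    // format-string template with a %s host placeholder.
    // The dot before "asp" is escaped so it matches the literal ".asp" like the
    // two patterns above; unescaped it matched any single character before "asp".
    $asp_c = /https*:\/\/%s\/[\w\/\-\_]{0,160}\.asp/
  condition:
    any of ($asp*)
}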