I intentionally added an extra 'and' to the condition in the following rule:

rule HackTool_MSIL_Rubeus_1_Wibble
{
    meta:
        description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public Rubeus project."
        md5 = "66e0681a500c726ed52e5ea9423d2654"
        reference = "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html"
        author = "FireEye"
    strings:
        $typelibguid = "658C8B7F-3664-4A95-9572-A3E5871DFC06" ascii nocase wide
    condition:
        uint16(0) == 0x5A4D and $typelibguid and
}

Yara won't accept this rule as it's invalid.

But plyara parses the rule without any errors:

$ plyara /tmp/test.yar
[
{
"condition_terms": [
"uint16",
"(",
"0",
")",
"==",
"0x5A4D",
"and",
"$typelibguid",
"and"
],
"metadata": [
{
"description": "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public Rubeus project."
},
{
"md5": "66e0681a500c726ed52e5ea9423d2654"
},
{
"reference": "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html"
},
{
"author": "FireEye"
}
],
"raw_condition": "condition:\n uint16(0) == 0x5A4D and $typelibguid and\n",
"raw_meta": "meta:\n description = \"The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public Rubeus project.\"\n md5 = \"66e0681a500c726ed52e5ea9423d2654\"\n reference = \"https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html\"\n author = \"FireEye\"\n ",
"raw_strings": "strings:\n $typelibguid = \"658C8B7F-3664-4A95-9572-A3E5871DFC06\" ascii nocase wide\n ",
"rule_name": "HackTool_MSIL_Rubeus_1_Wibble",
"start_line": 1,
"stop_line": 12,
"strings": [
{
"modifiers": [
"ascii",
"nocase",
"wide"
],
"name": "$typelibguid",
"type": "text",
"value": "658C8B7F-3664-4A95-9572-A3E5871DFC06"
}
]
}
]
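The plyara output above shows the root of the problem: the condition is tokenised into a flat `condition_terms` list and the trailing `and` is simply appended as another term, so nothing in the parse step notices that a binary operator has no right operand. The following is an added example written for this issue, not plyara's own code and not a patch to its grammar: a post-parse check that walks a `condition_terms` list and reports dangling or doubled binary operators and unbalanced parentheses, so a pipeline that stores rules through plyara can reject this rule before handing it to yara. The operator sets and the function names (`check_condition_terms`, `check_parsed_rules`) are assumptions chosen for the example; the term list is copied from the plyara output in this issue so the script runs without plyara installed.

```python
"""Flag dangling binary operators in a plyara condition_terms list.

Added example for this issue; it is not part of plyara. plyara accepts the
rule above even though yara rejects it, so a consumer of plyara's output can
run this check on the parsed condition before trusting it.
"""
import json
import sys

# Operators that need an operand on both sides. This set is an assumption
# for the example: it covers the logical, comparison and string operators
# seen in typical conditions, not yara's complete expression grammar.
BINARY_OPS = {"and", "or", "==", "!=", "<", ">", "<=", ">=",
              "contains", "matches", "+", "*", "%", "&", "|", "^",
              "<<", ">>"}
# Operators that may legally appear with nothing to their left ("and not $a",
# "( - 1 )"), so they are allowed directly after a binary operator.
UNARY_OPS = {"not", "-", "~"}


def check_condition_terms(terms):
    """Return a list of problems found in a plyara condition_terms list.

    An empty list means operator placement looks sane. This is a necessary
    check, not a sufficient one: only compiling the rule with yara proves
    it valid.
    """
    if not terms:
        return ["condition is empty"]

    problems = []
    depth = 0
    prev = None  # previous term, or None at the start of the condition
    for idx, tok in enumerate(terms):
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth -= 1
            if depth < 0:
                problems.append(f"unbalanced ')' at term {idx}")
                depth = 0
            if prev in BINARY_OPS or prev in UNARY_OPS:
                problems.append(
                    f"operator '{prev}' has no right operand before ')' at term {idx}")
        if tok in BINARY_OPS:
            if prev is None or prev == "(":
                problems.append(
                    f"binary operator '{tok}' at term {idx} has no left operand")
            elif prev in BINARY_OPS or prev in UNARY_OPS:
                problems.append(
                    f"consecutive operators '{prev}' '{tok}' at terms {idx - 1}-{idx}")
        prev = tok

    # This is the case from the issue: the condition ends on an operator.
    last = terms[-1]
    if last in BINARY_OPS or last in UNARY_OPS:
        problems.append(f"condition ends with dangling operator '{last}'")
    if depth > 0:
        problems.append(f"{depth} unclosed '('")
    return problems


def check_parsed_rules(rules):
    """Run the check over a list of plyara rule dicts.

    Returns {rule_name: problems} for rules that failed; an empty dict
    means every rule in the file passed.
    """
    result = {}
    for rule in rules:
        problems = check_condition_terms(rule.get("condition_terms", []))
        if problems:
            result[rule["rule_name"]] = problems
    return result


# condition_terms exactly as plyara printed them for the rule in this issue
# (constructed inline so the example runs without plyara installed).
ISSUE_CONDITION_TERMS = ["uint16", "(", "0", ")", "==", "0x5A4D",
                         "and", "$typelibguid", "and"]
# The same condition with the stray trailing 'and' removed.
FIXED_CONDITION_TERMS = ISSUE_CONDITION_TERMS[:-1]


if __name__ == "__main__":
    # Usage: python check_condition.py parsed.json   (parsed.json = plyara output)
    # With no argument it checks the rule from this issue.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            parsed = json.load(fh)
    else:
        parsed = [{"rule_name": "HackTool_MSIL_Rubeus_1_Wibble",
                   "condition_terms": ISSUE_CONDITION_TERMS}]
    for name, problems in check_parsed_rules(parsed).items():
        print(f"{name}: " + "; ".join(problems))
```

Run on the issue's rule it reports "condition ends with dangling operator 'and'" and on the corrected condition it reports nothing. It deliberately does not flag "()" because yara module functions such as pe.is_32bit() take no arguments. The authoritative check remains compiling the rule with yara itself (for instance yara.compile from yara-python, which raises yara.SyntaxError on this rule); this script only lets a plyara-based pipeline fail early with a pointer to the offending term.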