paulmataruso/main
1
0
Fork 0
mirror of https://github.com/socfortress/Wazuh-Rules.git synced 2025-11-03 05:13:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Create yara_decoders.xml

Browse Source
This commit is contained in:
SOCFortress
2022-08-18 10:37:32 -05:00
committed by GitHub
parent 224333a71e
commit 25fb1a9f95
1 changed files with 32 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
Yara/yara_decoders.xml Normal file
View File

@@ -0,0 +1,32 @@
<!--
- YARA decoders
- Created by SOCFortress.
- https://www.socfortress.co
- info@socfortress.co.
-->
<decoder name="yara">
<prematch>wazuh-yara: </prematch>
</decoder>
<!--
wazuh-yara: info: Hacktool_Strings_p0wnedShell [description="p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs",license="https://creativecommons.org/licenses/by-nc/4.0/",author="Florian Roth",reference="https://github.com/Cn33liz/p0wnedShell",date="2017-01-14",hash1="e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60"] /tmp/atomic-red-team/.git/objects/pack/pack-ac8e332a09d2b8b1b0793d7cafcd1faca4c9f705.pack
-->
<decoder name="yara">
<parent>yara</parent>
<regex offset="after_parent">info: (\S+) [(\.+)] (\.+)</regex>
<order>yara_info,yara_metadata,file</order>
</decoder>
<!--
ALERT:
**Phase 2: Completed decoding.
decoder: 'yara'
yara_info: 'Hacktool_Strings_p0wnedShell'
yara_metadata: 'description="p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs",license="https://creativecommons.org/licenses/by-nc/4.0/",author="Florian Roth",reference="https://github.com/Cn33liz/p0wnedShell",date="2017-01-14",hash1="e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60"'
file: '/tmp/atomic-red-team/.git/objects/pack/pack-ac8e332a09d2b8b1b0793d7cafcd1faca4c9f705.pack'
**Phase 3: Completed filtering (rules).
Rule id: '200103'
Level: '12'
Description: 'YARA detected.'
-->