YARA rules

18,880 rules indexed · pattern-based malware identification
YARA rules identify and classify malware families through binary patterns, strings, and metadata. Rules below come from multiple open repositories. The raw signature follows each rule's summary.
Using these YARA rules
Deploy. Load them into any YARA-capable scanner: your EDR if it supports YARA, the yara CLI against files or a memory image, VirusTotal Retrohunt, or a host scanner like Loki or THOR.
Adapt. Tighten or loosen the string and condition matches for your false-positive tolerance; a rule written for one campaign can over-match on benign files in a different environment.
Scope. These are for hunting known malware families in files and memory and for triaging samples - not for network traffic or log-based detection, which the IDS and Sigma rules cover.

Rules

CN_Honker_Pk_Pker
Sample from CN Honker Pentest Toolset - file Pker.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Pk_Pker {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file Pker.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "631787f27f27c46f79e58e1accfcc9ecfb4d3a2f"
		id = "dff0e4fb-6b2e-5fa8-910d-63a9e5030b95"
	strings:
		$s1 = "/msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe" fullword wide /* PEStudio Blacklist: strings */
		$s2 = "msadc/..\\..\\..\\..\\winnt/system32/cmd.exe" fullword wide /* PEStudio Blacklist: strings */
		$s3 = "--Made by VerKey&Only_Guest&Bincker" fullword wide /* PEStudio Blacklist: strings */
		$s4 = ";APPLET;EMBED;FRAMESET;HEAD;NOFRAMES;NOSCRIPT;OBJECT;SCRIPT;STYLE;" fullword wide /* PEStudio Blacklist: strings */
		$s5 = " --Welcome to Www.Pker.In Made by V.K" fullword wide
		$s6 = "Report.dat" fullword wide /* PEStudio Blacklist: strings */
		$s7 = ".\\Report.dat" fullword wide /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 500KB and 5 of them
}
CN_Honker_PostgreSQL
Sample from CN Honker Pentest Toolset - file PostgreSQL.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_PostgreSQL {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file PostgreSQL.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "1ecfaa91aae579cfccb8b7a8607176c82ec726f4"
		id = "ae90d03c-ef67-5ece-81ae-86947196a81c"
	strings:
		$s1 = "&http://192.168.16.186/details.php?id=1" fullword ascii
		$s2 = "PostgreSQL_inject" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 2000KB and all of them
}
CN_Honker_Pwdump7_Pwdump7
Script from disclosed CN Honker Pentest Toolset - file Pwdump7.bat
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Pwdump7_Pwdump7 {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file Pwdump7.bat"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "67d0e215c96370dcdc681bb2638703c2eeea188a"
        id = "baf6ced6-4298-5453-a020-a384c923584c"
    strings:
        $s1 = "Pwdump7.exe >pass.txt" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 1KB and all of them
}
CN_Honker_SAMInside
Sample from CN Honker Pentest Toolset - file SAMInside.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_SAMInside {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file SAMInside.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "707ba507f9a74d591f4f2e2f165ff9192557d6dd"
		id = "c5ac9f0a-d1af-59c3-9c13-91153180f3d8"
	strings:
		$s0 = "www.InsidePro.com" fullword wide
		$s1 = "SAMInside.exe" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 650KB and all of them
}
CN_Honker_SQLServer_inject_Creaked
Sample from CN Honker Pentest Toolset - file SQLServer_inject_Creaked.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_SQLServer_inject_Creaked {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file SQLServer_inject_Creaked.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "af3c41756ec8768483a4cf59b2e639994426e2c2"
		id = "9a8a77c2-9e06-5694-8055-4480ab932520"
	strings:
		$s1 = "http://localhost/index.asp?id=2" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "Email:[email protected]<br>" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 8110KB and all of them
}
CN_Honker_Safe3WVS
Sample from CN Honker Pentest Toolset - file Safe3WVS.EXE
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Safe3WVS {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file Safe3WVS.EXE"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "fee3acacc763dc55df1373709a666d94c9364a7f"
		id = "035ecb73-3dbc-55d2-8d0c-b71308094d18"
	strings:
		$s0 = "2TerminateProcess" fullword ascii /* PEStudio Blacklist: strings */
		$s1 = "mscoreei.dll" fullword ascii /* reversed goodware string 'lld.ieerocsm' */
		$s7 = "SafeVS.exe" fullword wide
		$s8 = "www.safe3.com.cn" fullword wide
		$s20 = "SOFTWARE\\Classes\\Interface\\" ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 3000KB and all of them
}
CN_Honker_ScanHistory
Sample from CN Honker Pentest Toolset - file ScanHistory.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_ScanHistory {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file ScanHistory.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "14c31e238924ba3abc007dc5a3168b64d7b7de8d"
		id = "85585cd2-c5ed-5465-bcac-b61211570055"
	strings:
		$s1 = "ScanHistory.exe" fullword wide /* PEStudio Blacklist: strings */
		$s2 = ".\\Report.dat" fullword wide /* PEStudio Blacklist: strings */
		$s3 = "select  * from  Results order by scandate desc" fullword wide /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 200KB and all of them
}
CN_Honker_SegmentWeapon
Sample from CN Honker Pentest Toolset - file SegmentWeapon.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_SegmentWeapon {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file SegmentWeapon.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "494ef20067a7ce2cc95260e4abc16fcfa7177fdf"
		id = "e1b6f721-4c4d-50f2-9ed6-f38e8e7ea4ab"
	strings:
		$s0 = "C:\\WINDOWS\\system32\\msvbvm60.dll\\3" fullword ascii /* PEStudio Blacklist: strings */
		$s1 = "http://www.nforange.com/inc/1.asp?" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
CN_Honker_ShiftBackdoor_Server
Sample from CN Honker Pentest Toolset - file Server.dat
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_ShiftBackdoor_Server {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file Server.dat"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "b24d761c6bbf216792c4833890460e8b37d86b37"
		id = "c53f4015-ad2b-5898-88b5-34b3bc2c65b6"
	strings:
		$s0 = "del /q /f %systemroot%system32sethc.exe" fullword ascii /* PEStudio Blacklist: strings */
		$s1 = "cacls %s /t /c /e /r administrators" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "\\dllcache\\sethc.exe" ascii
		$s3 = "\\ntvdm.exe" ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 200KB and 2 of them
}
CN_Honker_SkinHRootkit_SkinH
Sample from CN Honker Pentest Toolset - file SkinH.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_SkinHRootkit_SkinH {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file SkinH.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "d593f03ae06e54b653c7850c872c0eed459b301f"
		id = "8aedd01c-9dc8-537d-97ea-bc8de81edd3d"
	strings:
		$s0 = "(C)360.cn Inc.All Rights Reserved." fullword wide
		$s1 = "SDVersion.dll" fullword wide
		$s2 = "skinh.dll" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 2000KB and all of them
}
CN_Honker_SqlMap_Python_Run
Sample from CN Honker Pentest Toolset - file Run.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_SqlMap_Python_Run {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file Run.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "a51479a1c589f17c77d22f6cf90b97011c33145f"
		id = "308d929a-0f38-5db4-92c2-2a7bf25bb64f"
	strings:
		$s1 = ".\\Run.log" fullword ascii
		$s2 = "[root@Hacker~]# Sqlmap " fullword ascii
		$s3 = "%sSqlmap %s" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 30KB and all of them
}
CN_Honker_Sword1_5
Sample from CN Honker Pentest Toolset - file Sword1.5.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Sword1_5 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file Sword1.5.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "96ee5c98e982aa8ed92cb4cedb85c7fda873740f"
		id = "832e4998-64fc-5f34-a46d-aeefde0ee763"
	strings:
		$s1 = "http://www.md5.com.cn" fullword wide
		$s2 = "ListBox_Command" fullword wide /* PEStudio Blacklist: strings */
		$s3 = "\\Set.ini" wide
		$s4 = "OpenFileDialog1" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 740KB and all of them
}
CN_Honker_SwordCollEdition
Sample from CN Honker Pentest Toolset - file SwordCollEdition.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_SwordCollEdition {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file SwordCollEdition.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "6e14f21cac6e2aa7535e45d81e8d1f6913fd6e8b"
		id = "4e8d4d48-c053-5579-be9c-af73ec0fe614"
	strings:
		$s0 = "YuJianScan.exe" fullword wide /* PEStudio Blacklist: strings */
		$s1 = "YuJianScan" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 225KB and all of them
}
CN_Honker_SwordHonkerEdition
Sample from CN Honker Pentest Toolset - file SwordHonkerEdition.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_SwordHonkerEdition {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file SwordHonkerEdition.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "3f9479151c2cada04febea45c2edcf5cece1df6c"
		id = "5688fa03-bcb0-545d-9fdf-7ab48a389424"
	strings:
		$s0 = "\\bin\\systemini\\MyPort.ini" wide /* PEStudio Blacklist: strings */
		$s1 = "PortThread=200 //" fullword wide /* PEStudio Blacklist: strings */
		$s2 = " Port Open -> " fullword wide /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 375KB and all of them
}
CN_Honker_T00ls_Lpk_Sethc_v2
Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v2.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_T00ls_Lpk_Sethc_v2 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v2.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "a995451d9108687b8892ad630a79660a021d670a"
		id = "499b251a-e0e1-5550-825d-acab112be74b"
	strings:
		$s1 = "LOADER ERROR" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "The procedure entry point %s could not be located in the dynamic link library %s" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "2011-2012 T00LS&RICES" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 800KB and all of them
}
CN_Honker_T00ls_Lpk_Sethc_v3_0
Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v3.0.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_T00ls_Lpk_Sethc_v3_0 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v3.0.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "fa47c4affbac01ba5606c4862fdb77233c1ef656"
		id = "7513a513-e8a3-58a8-8dd5-512ba33ff013"
	strings:
		$s1 = "http://127.0.0.1/1.exe" fullword wide /* PEStudio Blacklist: strings */
		$s2 = ":Rices  Forum:T00Ls.Net  [4 Fucker Te@m]" fullword wide
		$s3 = "SkinH_EL.dll" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 1000KB and 2 of them
}
CN_Honker_T00ls_Lpk_Sethc_v3_LPK
Sample from CN Honker Pentest Toolset - file LPK.DAT
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_T00ls_Lpk_Sethc_v3_LPK {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file LPK.DAT"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "cf2549bbbbdb7aaf232d9783873667e35c8d96c1"
		id = "c5b806d9-74dc-5244-b1e0-9837abeaeaac"
	strings:
		$s1 = "FreeHostKillexe.exe" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "\\sethc.exe /G everyone:F" ascii /* PEStudio Blacklist: strings */
		$s3 = "c:\\1.exe" fullword ascii /* PEStudio Blacklist: strings */
		$s4 = "Set user Group Error! Username:" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 400KB and all of them
}
CN_Honker_T00ls_Lpk_Sethc_v4_0
Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v4.0.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_T00ls_Lpk_Sethc_v4_0 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v4.0.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "98f21f72c761e504814f0a7db835a24a2413a6c2"
		id = "d41cbed5-a6e3-5165-a8c3-e0375c1ed75d"
	strings:
		$s0 = "LOADER ERROR" fullword ascii /* PEStudio Blacklist: strings */
		$s15 = "2011-2012 T00LS&RICES" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 2077KB and all of them
}
CN_Honker_T00ls_Lpk_Sethc_v4_LPK
Sample from CN Honker Pentest Toolset - file LPK.DAT
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_T00ls_Lpk_Sethc_v4_LPK {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file LPK.DAT"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "2b2ab50753006f62965bba83460e3960ca7e1926"
		id = "808f5de2-1360-521e-8939-b759e361507c"
	strings:
		$s1 = "http://127.0.0.1/1.exe" fullword wide /* PEStudio Blacklist: strings */
		$s2 = "FreeHostKillexe.exe" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "\\sethc.exe /G everyone:F" ascii /* PEStudio Blacklist: strings */
		$s4 = "c:\\1.exe" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 300KB and 1 of them
}
CN_Honker_T00ls_scanner
Sample from CN Honker Pentest Toolset - file T00ls_scanner.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_T00ls_scanner {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file T00ls_scanner.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "70b04b910d82b32b90cd7f355a0e3e17dd260cb3"
		id = "80d4a950-24cb-55c7-903f-8788a71be7ac"
	strings:
		$s0 = "http://cn.bing.com/search?first=1&count=50&q=ip:" fullword wide
		$s17 = "Team:www.t00ls.net" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 330KB and all of them
}
CN_Honker_Tuoku_script_MSSQL_
Script from disclosed CN Honker Pentest Toolset - file MSSQL_.asp
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Tuoku_script_MSSQL_ {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file MSSQL_.asp"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "7097c21f92306983add3b5b29a517204cd6cd819"
        id = "35c4f119-6a57-580a-b5ee-c36af0ccc94a"
    strings:
        $s1 = "GetLoginCookie = Request.Cookies(Cookie_Login)" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "if ShellPath=\"\" Then ShellPath = \"c:\\\\windows\\\\system32\\\\cmd.exe\"" fullword ascii /* PEStudio Blacklist: strings */
        $s8 = "Set DD=CM.exec(ShellPath&\" /c \"&DefCmd)" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 100KB and all of them
}
CN_Honker_Tuoku_script_oracle_2
Sample from CN Honker Pentest Toolset - file oracle.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Tuoku_script_oracle_2 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file oracle.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "865dd591b552787eda18ee0ab604509bae18c197"
		id = "b88a0faa-1616-5f1b-80dc-6e6a2f0cb671"
	strings:
		$s0 = "webshell" fullword ascii /* PEStudio Blacklist: strings */
		$s1 = "Silic Group Hacker Army " fullword ascii
	condition:
		filesize < 3KB and all of them
}
CN_Honker_WebCruiserWVS
Sample from CN Honker Pentest Toolset - file WebCruiserWVS.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_WebCruiserWVS {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file WebCruiserWVS.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "6c90a9ed4c8a141a343dab1b115cc840a7190304"
		id = "16bed1e8-a1f0-5fcf-9c03-83625a388547"
	strings:
		$s0 = "id:uid:user:username:password:access:account:accounts:admin_id:admin_name:admin_" ascii /* PEStudio Blacklist: strings */
		$s1 = "Created By WebCruiser - Web Vulnerability Scanner http://sec4app.com" fullword wide /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 700KB and all of them
}
CN_Honker_WebRobot
Sample from CN Honker Pentest Toolset - file WebRobot.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_WebRobot {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file WebRobot.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "af054994c911b4301490344fca4bb19a9f394a8f"
		id = "8b6350b6-17ea-5f44-a42a-875d55bb2de8"
	strings:
		$s1 = "%d-%02d-%02d %02d^%02d^%02d ScanReprot.htm" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "\\log\\ProgramDataFile.dat" ascii /* PEStudio Blacklist: strings */
		$s3 = "\\data\\FilterKeyword.txt" ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 2000KB and all of them
}
CN_Honker_WebScan_WebScan
Sample from CN Honker Pentest Toolset - file WebScan.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_WebScan_WebScan {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file WebScan.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "a0b0e2422e0e9edb1aed6abb5d2e3d156b7c8204"
		id = "1545494b-9a74-5b2e-921c-e54dd5ac4b51"
	strings:
		$s1 = "wwwscan.exe" fullword wide /* PEStudio Blacklist: strings */
		$s2 = "WWWScan Gui" fullword wide /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 700KB and all of them
}
CN_Honker_WebScan_wwwscan
Sample from CN Honker Pentest Toolset - file wwwscan.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_WebScan_wwwscan {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file wwwscan.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "6dbffa916d0f0be2d34c8415592b9aba690634c7"
		id = "defe0024-f94a-560a-a9f6-b3849b41f9bb"
	strings:
		$s1 = "%s www.target.com -p 8080 -m 10 -t 16" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "GET /nothisexistpage.html HTTP/1.1" fullword ascii
		$s3 = "<Usage>:  %s <HostName|Ip> [Options]" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 60KB and all of them
}
CN_Honker_Webshell
Sample from CN Honker Pentest Toolset - file Webshell.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file Webshell.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "c85bd09d241c2a75b4e4301091aa11ddd5ad6d59"
		id = "12870766-2b85-522d-9ad8-abba2786caaf"
	strings:
		$s1 = "Windows NT users: Please note that having the WinIce/SoftIce" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "Do you want to cancel the file download?" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "Downloading: %s" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 381KB and all of them
}
CN_Honker_Webshell_ASPX_aspx
Webshell from CN Honker Pentest Toolset - file aspx.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_ASPX_aspx {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file aspx.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "8378619b2a7d446477946eabaa1e6744dec651c1"
		id = "4a13c809-48f7-54f7-9ce3-10d6d48104fb"
	strings:
		$s0 = "string iVDT=\"-SETUSERSETUP\\r\\n-IP=0.0.0.0\\r\\n-PortNo=52521\\r\\n-User=bin" ascii /* PEStudio Blacklist: strings */
		$s1 = "SQLExec : <asp:DropDownList runat=\"server\" ID=\"FGEy\" AutoPostBack=\"True\" O" ascii /* PEStudio Blacklist: strings */
		$s2 = "td.Text=\"<a href=\\\"javascript:Bin_PostBack('urJG','\"+dt.Rows[j][\"ProcessID" ascii /* PEStudio Blacklist: strings */
		$s3 = "vyX.Text+=\"<a href=\\\"javascript:Bin_PostBack('Bin_Regread','\"+MVVJ(rootkey)+" ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 353KB and 2 of them
}
CN_Honker_Webshell_ASPX_aspx2
Webshell from CN Honker Pentest Toolset - file aspx2.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_ASPX_aspx2 {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file aspx2.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "95db7a60f4a9245ffd04c4d9724c2745da55e9fd"
		id = "0da59fde-2214-5677-943f-05b8da4fd9d4"
	strings:
		$s0 = "if (password.Equals(this.txtPass.Text))" fullword ascii /* PEStudio Blacklist: strings */
		$s1 = "<head runat=\"server\">" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = ":<asp:TextBox runat=\"server\" ID=\"txtPass\" Width=\"400px\"></asp:TextBox>" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "this.lblthispath.Text = Server.MapPath(Request.ServerVariables[\"PATH_INFO\"]);" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x253c and filesize < 9KB and all of them
}
CN_Honker_Webshell_ASPX_aspx3
Webshell from CN Honker Pentest Toolset - file aspx3.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_ASPX_aspx3 {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file aspx3.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "dd61481771f67d9593214e605e63b62d5400c72f"
		id = "4f835136-744a-5324-a1f4-02d1cfa2cab6"
	strings:
		$s0 = "Process p1 = Process.Start(\"\\\"\" + txtRarPath.Value + \"\\\"\", \" a -y -k -m" ascii /* PEStudio Blacklist: strings */
		$s12 = "if (_Debug) System.Console.WriteLine(\"\\ninserting filename into CDS:" ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 100KB and all of them
}
CN_Honker_Webshell_ASPX_aspx4
Webshell from CN Honker Pentest Toolset - file aspx4.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_ASPX_aspx4 {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file aspx4.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "200a8f15ffb6e3af31d28c55588003b5025497eb"
		id = "4a13c809-48f7-54f7-9ce3-10d6d48104fb"
	strings:
		$s4 = "File.Delete(cdir.FullName + \"\\\\test\");" fullword ascii /* PEStudio Blacklist: strings */
		$s5 = "start<asp:TextBox ID=\"Fport_TextBox\" runat=\"server\" Text=\"c:\\\" Width=\"60" ascii /* PEStudio Blacklist: strings */
		$s6 = "<div>Code By <a href =\"http://www.hkmjj.com\">Www.hkmjj.Com</a></div>" fullword ascii
	condition:
		filesize < 11KB and all of them
}
CN_Honker_Webshell_ASPX_shell_shell
Webshell from CN Honker Pentest Toolset - file shell.aspx
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_ASPX_shell_shell {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file shell.aspx"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "1816006827d16ed73cefdd2f11bd4c47c8af43e4"
		id = "8fbcae22-07b7-5afe-9f15-06e2f426b5ca"
	strings:
		$s0 = "<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cook" ascii /* PEStudio Blacklist: strings */
		$s1 = "<%@ Page Language=\"C#\" ValidateRequest=\"false\" %>" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 1KB and all of them
}
CN_Honker_Webshell_ASPX_sniff
Webshell from CN Honker Pentest Toolset - file sniff.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_ASPX_sniff {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file sniff.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "e246256696be90189e6d50a4ebc880e6d9e28dfd"
		id = "8cf47d71-1b97-5967-ad70-2ea6fad7cc29"
	strings:
		$s1 = "IPHostEntry HosyEntry = Dns.GetHostEntry((Dns.GetHostName()));" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "if (!logIt && my_s_smtp && (dport == 25 || sport == 25))" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 91KB and all of them
}
CN_Honker_Webshell_ASP_asp1
Webshell from CN Honker Pentest Toolset - file asp1.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_ASP_asp1 {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file asp1.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "78b5889b363043ed8a60bed939744b4b19503552"
		id = "bf0b1f1e-cf7b-5afb-8e0a-bcfd70fc8887"
	strings:
		$s1 = "SItEuRl=" ascii
		$s2 = "<%@ LANGUAGE = VBScript.Encode %><%" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "Server.ScriptTimeout=" ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 200KB and all of them
}
CN_Honker_Webshell_ASP_asp2
Webshell from CN Honker Pentest Toolset - file asp2.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_ASP_asp2 {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file asp2.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "b3ac478e72a0457798a3532f6799adeaf4a7fc87"
		id = "e5296405-c345-55dc-acd9-be6aca86c60b"
	strings:
		$s1 = "<%=server.mappath(request.servervariables(\"script_name\"))%>" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "webshell</font> <font color=#00FF00>" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "Userpwd = \"admin\"   'User Password" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 10KB and all of them
}
CN_Honker_Webshell_ASP_asp3
Webshell from CN Honker Pentest Toolset - file asp3.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_ASP_asp3 {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file asp3.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "87c5a76989bf08da5562e0b75c196dcb3087a27b"
		id = "0cb01c07-b424-532d-8aef-5ec25dfe3f19"
	strings:
		$s1 = "if shellpath=\"\" then shellpath = \"cmd.exe\"" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "c.open \"GET\", \"http://127.0.0.1:\" & port & \"/M_Schumacher/upadmin/s3\", Tru" ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 444KB and all of them
}
CN_Honker_Webshell_ASP_asp4
Webshell from CN Honker Pentest Toolset - file asp4.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_ASP_asp4 {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file asp4.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "4005b83ced1c032dc657283341617c410bc007b8"
		id = "4125bb40-3f5c-53f5-b906-54fa77b119f5"
	strings:
		$s2 = "if ShellPath=\"\" Then ShellPath = \"cmd.exe\"" fullword ascii /* PEStudio Blacklist: strings */
		$s6 = "Response.Cookies(Cookie_Login) = sPwd" fullword ascii /* PEStudio Blacklist: strings */
		$s8 = "Set DD=CM.exec(ShellPath&\" /c \"&DefCmd)" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 150KB and all of them
}
CN_Honker_Webshell_ASP_asp404
Webshell from CN Honker Pentest Toolset - file asp404.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_ASP_asp404 {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file asp404.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "bed51971288aeabba6dabbfb80d2843ec0c4ebf6"
		id = "4125bb40-3f5c-53f5-b906-54fa77b119f5"
	strings:
		$s0 = "temp1 = Len(folderspec) - Len(server.MapPath(\"./\")) -1" fullword ascii /* PEStudio Blacklist: strings */
		$s1 = "<form name=\"form1\" method=\"post\" action=\"<%= url%>?action=chklogin\">" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "<td>&nbsp;<a href=\"<%=tempurl+f1.name%>\" target=\"_blank\"><%=f1.name%></a></t" ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 113KB and all of them
}
CN_Honker_Webshell_ASP_hy2006a
Webshell from CN Honker Pentest Toolset - file hy2006a.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_ASP_hy2006a {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file hy2006a.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "20da92b2075e6d96636f883dcdd3db4a38c01090"
		id = "115651d3-63e1-58e3-b27c-42271111bb91"
	strings:
		$s15 = "Const myCmdDotExeFile = \"command.com\"" fullword ascii /* PEStudio Blacklist: strings */
		$s16 = "If LCase(appName) = \"cmd.exe\" And appArgs <> \"\" Then" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 406KB and all of them
}
CN_Honker_Webshell_ASP_rootkit
Webshell from CN Honker Pentest Toolset - file rootkit.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_ASP_rootkit {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file rootkit.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "3bfc1c95782e702cf56184e7d438edcf5802eab3"
		id = "ab51abca-0790-541c-9f18-1568809ef113"
	strings:
		$s0 = "set ss=zsckm.get(\"Win32_ProcessSta\"&uyy&\"rtup\")" fullword ascii /* PEStudio Blacklist: strings */
		$s1 = "If jzgm=\"\"Then jzgm=\"cmd.exe /c net user\"" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 80KB and all of them
}
CN_Honker_Webshell_ASP_shell
Webshell from CN Honker Pentest Toolset - file shell.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_ASP_shell {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file shell.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "b7b34215c2293ace70fc06cbb9ce73743e867289"
		id = "fdfc3fc1-9400-533b-978b-1a1fac112e1f"
	strings:
		$s1 = "xPost.Open \"GET\",\"http://www.i0day.com/1.txt\",False //" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "sGet.SaveToFile Server.MapPath(\"test.asp\"),2 //" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "http://hi.baidu.com/xahacker/fuck.txt" fullword ascii
	condition:
		filesize < 1KB and all of them
}
CN_Honker_Webshell_ASP_web_asp
Webshell from CN Honker Pentest Toolset - file web.asp.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_ASP_web_asp {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file web.asp.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "aebf6530e89af2ad332062c6aae4a8ca91517c76"
		id = "67e03591-770a-5b32-9579-c899894740fc"
	strings:
		$s0 = "<FORM method=post target=_blank>ShellUrl: <INPUT " fullword ascii /* PEStudio Blacklist: strings */
		$s1 = "\" >[Copy code]</a> 4ngr7&nbsp; &nbsp;</td>" fullword ascii
	condition:
		filesize < 13KB and all of them
}
CN_Honker_Webshell_FTP_MYSQL_MSSQL_SSH
Webshell from CN Honker Pentest Toolset - file FTP MYSQL MSSQL SSH.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_FTP_MYSQL_MSSQL_SSH {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file FTP MYSQL MSSQL SSH.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "fe63b215473584564ef2e08651c77f764999e8ac"
		id = "dd619901-6f0e-527e-9926-808176641c09"
	strings:
		$s1 = "$_SESSION['hostlist'] = $hostlist = $_POST['hostlist'];" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "Codz by <a href=\"http://www.sablog.net/blog\">4ngel</a><br />" fullword ascii
		$s3 = "if ($conn_id = @ftp_connect($host, $ftpport)) {" fullword ascii /* PEStudio Blacklist: strings */
		$s4 = "$_SESSION['sshport'] = $mssqlport = $_POST['sshport'];" fullword ascii /* PEStudio Blacklist: strings */
		$s5 = "<title>ScanPass(FTP/MYSQL/MSSQL/SSH) by 4ngel</title>" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 20KB and 3 of them
}
CN_Honker_Webshell_Injection_Transit_jmPost
Webshell from CN Honker Pentest Toolset - file jmPost.asp
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_Injection_Transit_jmPost {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file jmPost.asp"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "f80ec26bbdc803786925e8e0450ad7146b2478ff"
		id = "892f747e-6065-5baf-b928-8d69d8792483"
	strings:
		$s1 = "response.write  PostData(JMUrl,JmStr,JmCok,JmRef)" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "JmdcwName=request(\"jmdcw\")" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 9KB and all of them
}
CN_Honker_Webshell_Interception3389_get
Webshell from CN Honker Pentest Toolset - file get.asp
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_Interception3389_get {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file get.asp"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "ceb6306f6379c2c1634b5058e1894b43abcf0296"
		id = "b17a793f-ffb7-5cdc-ba21-b0e2f0d14490"
	strings:
		$s0 = "userip = Request.ServerVariables(\"HTTP_X_FORWARDED_FOR\")" fullword ascii /* PEStudio Blacklist: strings */
		$s1 = "file.writeline  szTime + \" HostName:\" + szhostname + \" IP:\" + userip+\":\"+n" ascii /* PEStudio Blacklist: strings */
		$s3 = "set file=fs.OpenTextFile(server.MapPath(\"WinlogonHack.txt\"),8,True)" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 3KB and all of them
}
CN_Honker_Webshell_JSPMSSQL
Webshell from CN Honker Pentest Toolset - file JSPMSSQL.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_JSPMSSQL {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file JSPMSSQL.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "c6b4faecd743d151fe0a4634e37c9a5f6533655f"
		id = "061c1e53-edd0-5838-8d0f-6fb8f4fa078a"
	strings:
		$s1 = "<form action=\"?action=operator&cmd=execute\"" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "String sql = request.getParameter(\"sqlcmd\");" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 35KB and all of them
}
CN_Honker_Webshell_JSP_jsp
Webshell from CN Honker Pentest Toolset - file jsp.html
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_JSP_jsp {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file jsp.html"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "c58fed3d3d1e82e5591509b04ed09cb3675dc33a"
		id = "46f2fb10-2c0c-5bc2-b3bb-eba4c74bcad7"
	strings:
		$s1 = "<input name=f size=30 value=shell.jsp>" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "<font color=red>www.i0day.com  By:" fullword ascii
	condition:
		filesize < 3KB and all of them
}
CN_Honker_Webshell_Linux_2_6_Exploit
Webshell from CN Honker Pentest Toolset - file 2.6.9
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_Linux_2_6_Exploit {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file 2.6.9"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "ec22fac0510d0dc2c29d56c55ff7135239b0aeee"
		id = "22e2aca7-418f-598f-af0c-99942aaf3278"
	strings:
		$s0 = "[+] Failed to get root :( Something's wrong.  Maybe the kernel isn't vulnerable?" fullword ascii
	condition:
		filesize < 56KB and all of them
}
CN_Honker_Webshell_PHP_BlackSky
Webshell from CN Honker Pentest Toolset - file php6.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_PHP_BlackSky {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file php6.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "a60a599c6c8b6a6c0d9da93201d116af257636d7"
		id = "741bb4db-6296-5222-8480-1169a6f44fd8"
	strings:
		$s0 = "eval(gzinflate(base64_decode('" ascii /* PEStudio Blacklist: strings */
		$s1 = "B1ac7Sky-->" fullword ascii
	condition:
		filesize < 641KB and all of them
}
CN_Honker_Webshell_PHP_linux
Webshell from CN Honker Pentest Toolset - file linux.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_PHP_linux {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file linux.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "78339abb4e2bb00fe8a012a0a5b7ffce305f4e06"
		id = "8d94f1c5-2139-5d0d-8af9-9c30a0359910"
	strings:
		$s0 = "<form name=form1 action=exploit.php method=post>" fullword ascii /* PEStudio Blacklist: strings */
		$s1 = "<title>Changing CHMOD Permissions Exploit " fullword ascii
	condition:
		uint16(0) == 0x696c and filesize < 6KB and all of them
}