YARA rules for Ping
YARA rules whose family, name, or description matches this tool or its tooling. Use them for binary-pattern hunts across file collections, memory images, or samples.
// Matches PE files that embed a literal "cmd /c ping 127.0.0.1 -n " invocation.
// Only the DOS/PE header check and the single ASCII string are required, so
// treat a hit as an indicator to triage (score 60), not as a conviction.
rule Ping_Command_in_EXE {
    meta:
        description = "Detects an suspicious ping command execution in an executable"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Internal Research"
        date = "2016-11-03"
        score = 60
        id = "937ab622-fbcf-5a31-a3ff-af2584484140"
    strings:
        // Trailing space after "-n" is part of the pattern: the count
        // argument follows it. ASCII only; no wide (UTF-16) variant.
        $x1 = "cmd /c ping 127.0.0.1 -n " ascii
    condition:
        // uint16(0) == 0x5a4d reads "MZ" little-endian at offset 0,
        // restricting the rule to DOS/PE executables.
        uint16(0) == 0x5a4d and all of them
}
// Matches the three help-text strings attributed to the Project Sauron arping
// module in Kaspersky's report. The condition has no header or size
// constraint, so any file type containing all three strings will match.
rule APT_Project_Sauron_arping_module {
    meta:
        description = "Detects strings from arping module - Project Sauron report by Kaspersky"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-08"
        id = "42389511-de92-57cb-9dee-9f829fd5e55a"
    strings:
        // No modifier given, so each string is matched as ASCII only.
        $s1 = "Resolve hosts that answer"
        $s2 = "Print only replying Ips"
        $s3 = "Do not display MAC addresses"
    condition:
        // Every declared string must be present.
        $s1 and $s2 and $s3
}