
YARA rules for netsh

2 rules, scoped to this tool.
YARA rules whose family, name, or description matches netsh or tooling built around it. Use these for binary-pattern hunts over files, memory dumps and process dumps. Note what each rule actually keys on: the first matches the literal portproxy command line wherever it appears as text (scripts, dropped batch files, dumped process memory), so it complements rather than replaces process-creation telemetry; the second requires a PE header, so it fires on compiled .NET binaries, not on source trees that merely contain the same GUID.

SUSP_Netsh_PortProxy_Command (family: Netsh, direct match)
Detects a suspicious command line with netsh and the portproxy command
author: Florian Roth (Nextron Systems) · license: see source repo
rule SUSP_Netsh_PortProxy_Command {
   meta:
      description = "Detects a suspicious command line with netsh and the portproxy command"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy"
      date = "2019-04-20"
      score = 65
      hash1 = "9b33a03e336d0d02750a75efa1b9b6b2ab78b00174582a9b2cb09cd828baea09"
      id = "cbbd2042-572c-5283-bd45-e745b36733ad"
   strings:
      $x1 = "netsh interface portproxy add v4tov4 listenport=" ascii
   condition:
      1 of them
}
Loader_MSIL_NetshShellCodeRunner_1 (family: Loader, direct match)
The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'NetshShellCodeRunner' project.
author: FireEye · license: see source repo
rule Loader_MSIL_NetshShellCodeRunner_1
{
    meta:
        description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'NetshShellCodeRunner' project."
        md5 = "dd8805d0e470e59b829d98397507d8c2"
        reference = "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html"
        author = "FireEye"
        id = "b3521812-7ea3-5f80-89bd-3bdd71b687f2"
    strings:
        $typelibguid0 = "49c045bc-59bb-4a00-85c3-4beb59b2ee12" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
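To make the two conditions above concrete, the following is an added example (written for this page, not code from Nextron Systems, FireEye or threatengine.sh) that re-implements both rules' logic in plain Python and runs them over constructed sample buffers. It shows what `ascii nocase wide` expands to (the GUID in ASCII or UTF-16LE, any letter case), what `uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550` actually reads (the MZ signature and the e_lfanew pointer to the PE signature), and why a `.csproj` file containing the same GUID does not match the loader rule. The samples, the `fake_pe` helper and the regex-based case folding are assumptions of this example, not part of YARA or the original rules.

```python
"""Plain-Python re-implementation of the two YARA rules on this page.
Added example; not from the rule authors. All sample data is constructed
inline and is not real malware."""
import re
import struct
from typing import Dict, List

# Strings exactly as they appear in the two rules above.
PORTPROXY_STR = b"netsh interface portproxy add v4tov4 listenport="
TYPELIB_GUID = "49c045bc-59bb-4a00-85c3-4beb59b2ee12"


def is_pe(data: bytes) -> bool:
    """Mirror of: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550.
    'MZ' at offset 0; e_lfanew (uint32 at 0x3C) must point at 'PE\\0\\0'."""
    if len(data) < 0x40:
        return False
    if struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return struct.unpack_from("<I", data, e_lfanew)[0] == 0x00004550


def guid_regex(guid: str) -> "re.Pattern[bytes]":
    """Approximate 'ascii nocase wide': the GUID either as raw ASCII or as
    UTF-16LE (each character followed by a NUL), with ASCII letters folded
    case-insensitively. Assumption: re.IGNORECASE stands in for YARA's
    per-byte nocase handling."""
    ascii_part = re.escape(guid.encode("ascii"))
    wide_part = b"".join(re.escape(c.encode("ascii")) + b"\x00" for c in guid)
    return re.compile(b"(?:" + ascii_part + b")|(?:" + wide_part + b")", re.IGNORECASE)


def match_netsh_portproxy(data: bytes) -> bool:
    """SUSP_Netsh_PortProxy_Command: one plain, case-sensitive ASCII string."""
    return PORTPROXY_STR in data


def match_netsh_shellcoderunner(data: bytes) -> bool:
    """Loader_MSIL_NetshShellCodeRunner_1: PE header AND the ProjectGuid
    in ASCII or UTF-16LE, any case."""
    return is_pe(data) and guid_regex(TYPELIB_GUID).search(data) is not None


def fake_pe(payload: bytes) -> bytes:
    """Minimal buffer that satisfies the header check (constructed; not a
    loadable PE): 0x40-byte DOS stub with e_lfanew = 0x40, then 'PE\\0\\0'."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + payload


def scan(data: bytes) -> List[str]:
    """Return the names of the rules that would match this buffer."""
    hits = []
    if match_netsh_portproxy(data):
        hits.append("SUSP_Netsh_PortProxy_Command")
    if match_netsh_shellcoderunner(data):
        hits.append("Loader_MSIL_NetshShellCodeRunner_1")
    return hits


# Constructed samples (assumed inputs, not captured artefacts).
SAMPLES: Dict[str, bytes] = {
    # A dropped batch file that forwards inbound 3389 to an internal host.
    "bat_script": (
        b"@echo off\r\n"
        b"netsh interface portproxy add v4tov4 listenport=3389 "
        b"listenaddress=0.0.0.0 connectport=445 connectaddress=10.0.0.5\r\n"
    ),
    # A compiled .NET file: the TypeLib GUID is stored upper-case, UTF-16LE.
    "dotnet_pe_wide_guid": fake_pe(
        b"\x00" * 16 + TYPELIB_GUID.upper().encode("utf-16-le") + b"\x00" * 16
    ),
    # The project file: same GUID, but no PE header, so the loader rule stays quiet.
    "guid_in_csproj_text": b"<ProjectGuid>{" + TYPELIB_GUID.encode() + b"}</ProjectGuid>",
    # A PE without the GUID or the command line: no rule matches.
    "unrelated_pe": fake_pe(b"Hello, world"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:24s} -> {scan(blob)}")
```

For a real hunt you would compile the rules as published and run them with the yara CLI, for example `yara -r -s rules.yar <path>` to recurse a directory and print the matched strings, or feed them to your EDR's YARA engine; the Python above only exists to make the rule semantics visible.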
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin