YARA rules for SLOWPULSE
2 rules · scoped to tool · back to SLOWPULSE
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.
rule FE_APT_Backdoor_Linux32_SLOWPULSE_1
{
meta:
author = "Mandiant"
date = "2021-04-16"
sha256 = "cd09ec795a8f4b6ced003500a44d810f49943514e2f92c81ab96c33e1c0fbd68"
description = "Detects samples mentioned in PulseSecure report"
reference = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
id = "dd35257f-5b6f-55a6-a709-873ded1f4b72"
strings:
$sb1 = {FC b9 [4] e8 00 00 00 00 5? 8d b? [4] 8b}
$sb2 = {f3 a6 0f 85 [4] b8 03 00 00 00 5? 5? 5?}
$sb3 = {9c 60 e8 00 00 00 00 5? 8d [5] 85 ?? 0f 8?}
$sb4 = {89 13 8b 51 04 89 53 04 8b 51 08 89 53 08}
$sb5 = {8d [5] b9 [4] f3 a6 0f 8?}
condition:
((uint32(0) == 0x464c457f) and (uint8(4) == 1)) and all of them
}
rule FE_APT_Backdoor_Linux32_SLOWPULSE_2
{
meta:
author = "Strozfriedberg"
date = "2021-04-16"
sha256 = "cd09ec795a8f4b6ced003500a44d810f49943514e2f92c81ab96c33e1c0fbd68"
description = "Detects samples mentioned in PulseSecure report"
reference = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
strings:
$sig = /[\x20-\x7F]{16}([\x20-\x7F\x00]+)\x00.{1,32}\xE9.{3}\xFF\x00+[\x20-\x7F][\x20-\x7F\x00]{16}/
// TOI_MAGIC_STRING
$exc1 = /\xED\xC3\x02\xE9\x98\x56\xE5\x0C/
condition:
uint32(0) == 0x464C457F and (1 of ($sig*)) and (not (1 of ($exc*)))
}