YARA rules for ZIPLINE

1 rule, scoped to this tool
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.

YARA rules

direct
M_Hunting_Backdoor_ZIPLINE_1
This rule detects unique strings in ZIPLINE, a passive ELF backdoor that waits for incoming TCP connections to receive commands from the threat actor.
Author: Mandiant. License: see source repo.
rule M_Hunting_Backdoor_ZIPLINE_1 {
  meta:
    author = "Mandiant"
    description = "This rule detects unique strings in ZIPLINE, a passive ELF backdoor that waits for incoming TCP connections to receive commands from the threat actor."
    reference = "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day"
    date = "2024-01-11"
    score = 75
    id = "753884d6-d4c1-5e94-9d2c-f6ebb7bfaf85"
  strings:
    $s1 = "SSH-2.0-OpenSSH_0.3xx" ascii
    $s2 = "$(exec $installer $@)" ascii
    $t1 = "./installer/do-install" ascii
    $t2 = "./installer/bom_files/" ascii
    $t3 = "/tmp/data/root/etc/ld.so.preload" ascii
    $t4 = "/tmp/data/root/home/etc/manifest/exclusion_list" ascii
  condition:
    uint32(0) == 0x464c457f and
    filesize < 5MB and
    ((1 of ($s*)) or
    (3 of ($t*)))
}
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin