// Practice Yara rule for PE module: look for short CN and DN in signing certs
// requires Yara 3.4+
/*
github.com/dfirnotes/rules
Version 0.0.0
*/
import "pe"
//import "hash"
//import "math"
// has_signature: fires on any PE whose security directory holds at least one
// signature entry. The pe module only parses the certificate table here, so a
// match means "a signature is present", not that it chains to a trusted root
// or that the file hash still verifies.
rule has_signature
{
    meta:
        author = "@adricnet"
        description = "Check for signing certificate"
        // method = "String match"

    condition:
        // Same test as ">= 1"; number_of_signatures is never negative.
        pe.number_of_signatures > 0
        // Draft per-signature length check, kept for reference (not valid syntax as-is):
        // for any s in (0..pe.number_of_signatures - 1): (
        //     pe.signatures[s].issuer !$a > 5 or
        //     pe.signatures[s].subject !$a < 10 )
}
// amazon_cert_str: case-sensitive substring match for "Amazon Services LLC"
// in the subject of any signature on the PE. Only the subject string is
// inspected; the issuer and the signature's validity are not checked, so a
// self-issued certificate with that subject would also match.
rule amazon_cert_str
{
    meta:
        author = "@adricnet"
        description = "Check for Amazon strings in signing certificate"
        method = "String match"

    // strings:
    //     $amzllc = "Amazon Services LLC"

    condition:
        // Guard first so the loop range below is never (0..-1) on an unsigned file.
        pe.number_of_signatures > 0
        and for any i in (0..pe.number_of_signatures - 1) : (
            pe.signatures[i].subject contains "Amazon Services LLC"
        )
}
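// amazon_cert_re: regex variant of amazon_cert_str. The pattern is unanchored
// and case-sensitive, so as written it matches exactly the same subjects as the
// "contains" rule; it exists as the hook for a looser pattern later. Like the
// string rule, it reads only the subject field and does not verify the signature.
rule amazon_cert_re
{
    meta:
        author = "@adricnet"
        // Description previously copied from the header comment; it now states what the rule does.
        description = "Check for Amazon regex match in signing certificate"
        method = "Regex match"

    // strings:
    //     $amzllc = "Amazon Services LLC"

    condition:
        // Guard first so the loop range below is never (0..-1) on an unsigned file.
        pe.number_of_signatures >= 1 and
        for any s in (0..pe.number_of_signatures - 1): (
            pe.signatures[s].subject matches /Amazon Services LLC/ )
}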