Merge pull request #345 from tstromberg/fix-yara-err
recently downloaded go-crypt: Fix YARA error
tstromberg authored Jan 9, 2024
2 parents 46defea + fa4e0d0 commit de2bdd3
Showing 1 changed file with 4 additions and 3 deletions.
7 changes: 4 additions & 3 deletions detection/exfil/yara-recently-downloaded-go-crypt-exec.sql
Expand Up @@ -37,10 +37,11 @@ WHERE
$s_aes = "crypto/aes.newCipher"
$s_run = "os/exec.(*Cmd).Run" ascii
$s_exec = "os/exec.Command" ascii
$not_analysis = "Dynamic Section"
$dynamic = "Dynamic Section"
condition:
3 of ($s*) and none of ($not*)
}'
3 of ($s*) and not $dynamic
}
'
AND yara.count > 0
AND file.path NOT LIKE '/Users/%/Downloads/chainctl%'
AND file.filename NOT IN ('grype', 'chainctl', 'elastic-agent')
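Review bot: the new condition `3 of ($s*) and not $dynamic` is only equivalent to the old `none of ($not*)` while there is a single exclusion string; the `$not_` prefix made any further exclusion strings take effect automatically, whereas `not $dynamic` names one string and will silently ignore any other exclusion added to the rule later. If the `none of` form is what the YARA build rejected (the commit message says only "Fix YARA error" and does not name the error), a prefix-based spelling that older YARA versions also accept is `3 of ($s*) and not any of ($not*)`, which keeps the original `$not_analysis` string and its self-documenting name. If `$dynamic` is kept, add a comment above `$dynamic = "Dynamic Section"` stating why the presence of that string should suppress a match, since the old name carried that intent and the new one does not. Minor: `$s_aes = "crypto/aes.newCipher"` is the only string without the `ascii` modifier; `ascii` is the default so behaviour is unchanged, but adding it would match the neighbouring `$s_run` and `$s_exec` lines. The move of the closing `'` onto its own line is purely cosmetic and fine.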
