Intitial release

rules/network.yar

@@ -0,0 +1,102 @@
+rule UsesDiscordWebhook {
+    meta:
+        description = "Detects Discord webhook usage"
+        author = "Malware Researcher"
+        severity = "Medium"
+        date = "2023-01-01"
+    strings:
+        $webhook1 = "https://discord.com/api/webhooks/" ascii wide
+        $webhook2 = "https://discordapp.com/api/webhooks/" ascii wide
+        $webhook3 = "https://ptb.discord.com/api/webhooks/" ascii wide
+        $webhook4 = "https://canary.discord.com/api/webhooks/" ascii wide
+        $func1 = "requests.post" ascii wide
+        $func2 = "httpx.post" ascii wide
+        $func3 = "aiohttp" ascii wide
+        $func4 = "urllib" ascii wide
+    condition:
+        1 of ($webhook*) and 1 of ($func*)
+}
+
+rule DiscordPyFramework {
+    meta:
+        description = "Detects Discord.py bot framework usage"
+        author = "Malware Researcher"
+        severity = "Medium"
+        date = "2023-01-01"
+    strings:
+        $import1 = "import discord" ascii wide
+        $import2 = "from discord.ext import commands" ascii wide
+        $class1 = "discord.Client" ascii wide
+        $class2 = "commands.Bot" ascii wide
+        $func1 = "bot.run" ascii wide
+        $func2 = "client.run" ascii wide
+        $token = /['"][A-Za-z\d]{24}\.[\w-]{6}\.[\w-]{27}['"]/ ascii wide
+    condition:
+        (1 of ($import*) or 1 of ($class*)) and 
+        (1 of ($func*) or $token)
+}
+
+rule PythonSMTPUsage {
+    meta:
+        description = "Detects Python SMTP mail sending functionality"
+        author = "Malware Researcher"
+        severity = "Medium"
+        date = "2023-01-01"
+    strings:
+        $import1 = "import smtplib" ascii wide
+        $import2 = "from email" ascii wide
+        $func1 = "smtplib.SMTP" ascii wide
+        $func2 = "smtp.send_message" ascii wide
+        $func3 = "smtp.sendmail" ascii wide
+        $auth1 = "smtp.login" ascii wide
+        $provider1 = "smtp.gmail.com" ascii wide
+        $provider2 = "smtp-mail.outlook.com" ascii wide
+        $provider3 = "smtp.mail.yahoo.com" ascii wide
+    condition:
+        $import1 and 
+        (1 of ($func*)) and 
+        ($auth1 or 1 of ($provider*))
+}
+
+rule HTTPRequests {
+    meta:
+        description = "Detects HTTP request libraries usage for data exfiltration"
+        author = "Malware Researcher"
+        severity = "Low"
+        date = "2023-01-01"
+    strings:
+        $import1 = "import requests" ascii wide
+        $import2 = "import httpx" ascii wide
+        $import3 = "import aiohttp" ascii wide
+        $import4 = "from urllib" ascii wide
+        $func1 = ".post(" ascii wide
+        $func2 = ".get(" ascii wide
+        $func3 = "urlopen(" ascii wide
+        $data1 = "json=" ascii wide
+        $data2 = "data=" ascii wide
+        $data3 = "files=" ascii wide
+    condition:
+        1 of ($import*) and 
+        1 of ($func*) and 
+        1 of ($data*)
+}
+
+rule TelegramBotAPI {
+    meta:
+        description = "Detects Telegram Bot API usage"
+        author = "Malware Researcher"
+        severity = "Medium"
+        date = "2023-01-01"
+    strings:
+        $url1 = "api.telegram.org/bot" ascii wide
+        $token = /[0-9]{8,10}:[A-Za-z0-9_-]{35}/ ascii wide
+        $method1 = "/sendMessage" ascii wide
+        $method2 = "/sendDocument" ascii wide
+        $method3 = "/sendPhoto" ascii wide
+        $import1 = "telebot" ascii wide
+        $import2 = "telegram.ext" ascii wide
+    condition:
+        ($url1 and 1 of ($method*)) or 
+        ($token and 1 of ($method*)) or
+        1 of ($import*)
+}