// Flags code that names a Discord webhook endpoint and also carries an
// HTTP client able to post to it. Either group on its own is too common
// to be interesting, so the condition requires one hit from each.
rule UsesDiscordWebhook {
    meta:
        description = "Detects Discord webhook usage"
        author = "Malware Researcher"
        severity = "Medium"
        date = "2023-01-01"

    strings:
        // Webhook URL prefixes on the production, legacy, PTB and canary hosts.
        $hook1 = "https://discord.com/api/webhooks/" ascii wide
        $hook2 = "https://discordapp.com/api/webhooks/" ascii wide
        $hook3 = "https://ptb.discord.com/api/webhooks/" ascii wide
        $hook4 = "https://canary.discord.com/api/webhooks/" ascii wide

        // Python HTTP client identifiers that could deliver the payload.
        $client1 = "requests.post" ascii wide
        $client2 = "httpx.post" ascii wide
        $client3 = "aiohttp" ascii wide
        $client4 = "urllib" ascii wide

    condition:
        // "any of" is the same test as "1 of": at least one match per group.
        any of ($hook*) and any of ($client*)
}
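// Flags scripts built on the discord.py library: an import or client class
// from the framework, combined with either a call that starts the client
// or a hard-coded, quoted bot-token literal.
rule DiscordPyFramework {
    meta:
        description = "Detects Discord.py bot framework usage"
        author = "Malware Researcher"
        severity = "Medium"
        date = "2023-01-01"

    strings:
        // Framework imports and client classes.
        $import1 = "import discord" ascii wide
        $import2 = "from discord.ext import commands" ascii wide
        $class1 = "discord.Client" ascii wide
        $class2 = "commands.Bot" ascii wide

        // Calls that connect the bot to the gateway.
        $func1 = "bot.run" ascii wide
        $func2 = "client.run" ascii wide

        // Quoted token literal: <base64 id>.<base64 timestamp>.<signature>.
        // The previous fixed widths ({24} for the id segment, {27} for the
        // signature) only covered the older token layout; tokens issued for
        // 19-digit account ids carry a 26-character first segment and the
        // newer signature is 38 characters. Ranges keep the old matches and
        // add the current ones.
        $token = /['"][A-Za-z\d]{24,26}\.[\w-]{6}\.[\w-]{27,38}['"]/ ascii wide

    condition:
        // Framework presence is required; then either the client is started
        // or a token literal is embedded in the file.
        (1 of ($import*) or 1 of ($class*)) and
        (1 of ($func*) or $token)
}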
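// Flags Python code that imports smtplib, creates or drives an SMTP
// session, and either authenticates or targets a well-known consumer
// mail provider.
rule PythonSMTPUsage {
    meta:
        description = "Detects Python SMTP mail sending functionality"
        author = "Malware Researcher"
        severity = "Medium"
        date = "2023-01-01"

    strings:
        // The original rule also declared a "from email" string that the
        // condition never referenced; YARA rejects rules with unreferenced
        // strings at compile time, so that string was dropped rather than
        // widening the condition to include a generic stdlib import.
        $import1 = "import smtplib" ascii wide

        // Session setup and message delivery calls.
        $func1 = "smtplib.SMTP" ascii wide
        $func2 = "smtp.send_message" ascii wide
        $func3 = "smtp.sendmail" ascii wide

        // Authentication or a hard-coded consumer provider host.
        $auth1 = "smtp.login" ascii wide
        $provider1 = "smtp.gmail.com" ascii wide
        $provider2 = "smtp-mail.outlook.com" ascii wide
        $provider3 = "smtp.mail.yahoo.com" ascii wide

    condition:
        $import1 and
        (1 of ($func*)) and
        ($auth1 or 1 of ($provider*))
}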
// Flags Python code that imports an HTTP client library, issues a request
// call, and passes a body keyword argument. Each group alone is ubiquitous,
// hence the Low severity; the rule is a weak exfiltration indicator meant
// to be combined with others.
rule HTTPRequests {
    meta:
        description = "Detects HTTP request libraries usage for data exfiltration"
        author = "Malware Researcher"
        severity = "Low"
        date = "2023-01-01"

    strings:
        // Client library imports.
        $import1 = "import requests" ascii wide
        $import2 = "import httpx" ascii wide
        $import3 = "import aiohttp" ascii wide
        $import4 = "from urllib" ascii wide

        // Request call fragments.
        $call1 = ".post(" ascii wide
        $call2 = ".get(" ascii wide
        $call3 = "urlopen(" ascii wide

        // Keyword arguments that attach a body or upload to the request.
        $kwarg1 = "json=" ascii wide
        $kwarg2 = "data=" ascii wide
        $kwarg3 = "files=" ascii wide

    condition:
        // One hit from each of the three groups.
        any of ($import*) and
        any of ($call*) and
        any of ($kwarg*)
}
// Flags Telegram Bot API use: either a bot API URL or a token-shaped
// literal paired with a send method, or an import of a Telegram bot
// library.
rule TelegramBotAPI {
    meta:
        description = "Detects Telegram Bot API usage"
        author = "Malware Researcher"
        severity = "Medium"
        date = "2023-01-01"

    strings:
        // Bot API base URL and the <bot id>:<secret> token shape.
        $url1 = "api.telegram.org/bot" ascii wide
        $token = /[0-9]{8,10}:[A-Za-z0-9_-]{35}/ ascii wide

        // Send methods typically used to deliver text, files or images.
        $api1 = "/sendMessage" ascii wide
        $api2 = "/sendDocument" ascii wide
        $api3 = "/sendPhoto" ascii wide

        // Library imports.
        $import1 = "telebot" ascii wide
        $import2 = "telegram.ext" ascii wide

    condition:
        // Same test as "(url and method) or (token and method) or import",
        // with the shared method clause factored out.
        (($url1 or $token) and any of ($api*)) or
        any of ($import*)
}