// Reference to the `_fork` symbol name (fork(2) with a leading underscore).
// A match anywhere in the scanned data is enough.
rule _fork {
    meta:
        pledge = "exec"
        syscall = "fork"
        description = "create child process"
        ref = "https://man7.org/linux/man-pages/man2/fork.2.html"
    strings:
        // fullword: the text must be bordered by non-alphanumeric bytes
        $sym = "_fork" fullword
    condition:
        $sym
}
// Reference to the bare `fork` symbol name (fork(2)).
// Unlike the `_fork` rule, a hit only counts when the match offset lies
// inside the 1000..3000 byte window.
rule fork {
    meta:
        pledge = "exec"
        syscall = "fork"
        description = "create child process"
        ref = "https://man7.org/linux/man-pages/man2/fork.2.html"
    strings:
        // fullword: the text must be bordered by non-alphanumeric bytes
        $sym = "fork" fullword
    condition:
        // NOTE(review): the offset window is presumably a false-positive
        // filter for such a common word - confirm against the intended
        // file layout before widening or removing it
        $sym in (1000..3000)
}
// Reference to the `vfork` symbol name (vfork(2)).
// A match anywhere in the scanned data is enough.
rule syscall_vfork {
    meta:
        pledge = "exec"
        syscall = "vfork"
        description = "create child process"
        ref = "https://man7.org/linux/man-pages/man2/vfork.2.html"
    strings:
        // fullword: the text must be bordered by non-alphanumeric bytes
        $sym = "vfork" fullword
    condition:
        $sym
}
// JavaScript loading Node's child_process module via CommonJS require().
// Only the require('child_process') / require("child_process") spelling is
// matched; other import forms are not covered by this pattern.
rule js_child_process: medium {
    meta:
        description = "create child process"
    strings:
        $req = /require\(['"]child_process['"]\)/
    condition:
        // only inputs smaller than 1 MB are considered
        filesize < 1MB and $req
}
// References to the clone family of symbol names (clone(2), clone2, clone3).
// Tagged `harmless`; NOTE(review): presumably because the bare word `clone`
// is common outside syscall references - confirm.
rule syscall_clone: harmless {
    meta:
        pledge = "exec"
        syscall = "clone"
        description = "create child process"
        ref = "https://man7.org/linux/man-pages/man2/clone.2.html"
    strings:
        // fullword: each name must be bordered by non-alphanumeric bytes
        $c1 = "clone" fullword
        $c2 = "clone2" fullword
        $c3 = "clone3" fullword
    condition:
        $c1 or $c2 or $c3
}
// Reference to the Windows CreateProcess API name, with room for up to
// eight trailing word characters so suffixed variants (e.g. the A/W forms)
// hit the same pattern. No fullword qualifier: any occurrence counts.
rule CreateProcess: low {
    meta:
        description = "create a new process"
    strings:
        $api = /CreateProcess\w{0,8}/
    condition:
        $api
}