LloydLabs
/ smbghost.yara
Last active
April 7, 2020 20:47
This is a rule to attempt to detect the SMBGhost packet (derived from https://github.com/ollypwn/SMBGhost/blob/master/scanner.py)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule SMBv3_Scanner { | |
| meta: | |
| date = "2020-03-11" | |
| author = "@LloydLabs" | |
| author_url = "https://blog.syscall.party" | |
| strings: | |
| $pkt = {00 00 00 c0 fe 53 4d 42 40 00 00 00 00 00 00 00 | |
| 00 00 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
LloydLabs
/ gist:cad3fc30b26fa06e9525508c99b367ab
Created
May 20, 2021 14:48
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### Keybase proof | |
| I hereby claim: | |
| * I am lloydlabs on github. | |
| * I am lloydd (https://keybase.io/lloydd) on keybase. | |
| * I have a public key ASCVBevzbmASlzgmtSQHmSU4FfKIYphNtf4Cm-jD5-evOAo | |
| To claim this, I am signing this object: |
LloydLabs
/ Manual_Win64_System_Call.yar
Created
July 10, 2021 21:57
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "pe" | |
| rule Manual_Win64_System_Call | |
| { | |
| meta: | |
| author = "Lloyd @LloydLabs" | |
| date = "10/07/2021" | |
| description = "Allows to detect within malware when Windows system calls are manually invoked." | |
| strings: |