Lloyd Davies LloydLabs

🍉
View GitHub Profile
import "pe"
rule Manual_Win64_System_Call
{
meta:
author = "Lloyd @LloydLabs"
date = "10/07/2021"
description = "Detects manual invocation of Windows system calls within malware."
strings:
### Keybase proof
I hereby claim:
* I am lloydlabs on github.
* I am lloydd (https://keybase.io/lloydd) on keybase.
* I have a public key ASCVBevzbmASlzgmtSQHmSU4FfKIYphNtf4Cm-jD5-evOAo
To claim this, I am signing this object:
LloydLabs / smbghost.yara
Last active April 7, 2020 20:47
This is a rule to attempt to detect the SMBGhost packet (derived from https://github.com/ollypwn/SMBGhost/blob/master/scanner.py)
rule SMBv3_Scanner {
meta:
date = "2020-03-11"
author = "@LloydLabs"
author_url = "https://blog.syscall.party"
strings:
$pkt = {00 00 00 c0 fe 53 4d 42 40 00 00 00 00 00 00 00
00 00 1f 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
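The hex string above is the NetBIOS session header plus the start of the SMB2 header of the NEGOTIATE request the SMBGhost scanner sends, so the rule keys on the scanner's probe (a 192-byte SMB2 NEGOTIATE request asking for 31 credits), not on a vulnerable host or on exploitation traffic. The following Python is an added example, not part of the gist: it decodes those header fields from a captured buffer and emulates the `$pkt` match. Only the 48 bytes of `$pkt` visible on this page are used, the rule's `condition` is not shown here and is assumed to be a plain `$pkt` (match at any offset), and every sample buffer is constructed inline with a zero-filled NEGOTIATE body.

```python
import struct

# The 48 bytes of $pkt visible on this page: NetBIOS session header (4 bytes)
# followed by the first 44 bytes of the SMB2 header. The rest of the string is
# truncated on the page and is deliberately not reconstructed here.
PKT_PREFIX = bytes.fromhex(
    "000000c0fe534d424000000000000000"
    "00001f00000000000000000000000000"
    "00000000000000000000000000000000"
)

SMB2_COMMANDS = {
    0x0000: "NEGOTIATE", 0x0001: "SESSION_SETUP", 0x0002: "LOGOFF",
    0x0003: "TREE_CONNECT", 0x0005: "CREATE", 0x0006: "CLOSE",
    0x0008: "READ", 0x0009: "WRITE",
}
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001


def parse_smb2(buf):
    """Decode the NetBIOS session header and the fixed 64-byte SMB2 header.

    Returns the fields the rule constrains, or None if buf is not an SMB2 message.
    """
    if len(buf) < 4 + 64 or buf[0] != 0x00:        # NetBIOS type 0 = session message
        return None
    netbios_len = int.from_bytes(buf[1:4], "big")   # 24-bit big-endian length
    hdr = buf[4:68]
    if hdr[:4] != b"\xfeSMB":                        # SMB2 ProtocolId
        return None
    (struct_size, credit_charge, status, command, credits, flags,
     next_cmd, msg_id, reserved, tree_id, session_id) = struct.unpack("<HHIHHIIQIIQ", hdr[4:48])
    return {
        "netbios_len": netbios_len,
        "struct_size": struct_size,                  # always 64 for SMB2
        "command": SMB2_COMMANDS.get(command, hex(command)),
        "credits": credits,                          # CreditRequest in a request
        "is_request": not (flags & SMB2_FLAGS_SERVER_TO_REDIR),
        "message_id": msg_id,
        "session_id": session_id,
        "signature": hdr[48:64],
    }


def matches_scanner_rule(buf):
    """Emulate the rule's $pkt string: YARA matches a hex string at any offset."""
    return buf.find(PKT_PREFIX) != -1


def build_negotiate(netbios_len, credits):
    """Construct a minimal SMB2 NEGOTIATE request (zero-filled body) for testing."""
    hdr = (b"\xfeSMB"
           + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, 0, credits, 0, 0, 0, 0, 0, 0)
           + b"\x00" * 16)                            # Signature
    body = b"\x00" * (netbios_len - len(hdr))
    return b"\x00" + netbios_len.to_bytes(3, "big") + hdr + body


# Constructed sample 1: the scanner probe. Only the header prefix is known from this
# page; the remaining 148 bytes of the NEGOTIATE body are zero-filled here.
SCANNER_PROBE = PKT_PREFIX + b"\x00" * (4 + 0xC0 - len(PKT_PREFIX))

# Constructed sample 2: a NEGOTIATE request with a different length and credit
# request, as an ordinary client might send; the rule must not fire on it.
OTHER_NEGOTIATE = build_negotiate(0xA6, 1)


def scan(samples):
    """Return (label, matched, decoded header) for each captured buffer."""
    return [(label, matches_scanner_rule(buf), parse_smb2(buf)) for label, buf in samples]


if __name__ == "__main__":
    for label, matched, hdr in scan([("scanner", SCANNER_PROBE), ("client", OTHER_NEGOTIATE)]):
        print(f"{label}: rule match={matched}, len={hdr['netbios_len']}, "
              f"cmd={hdr['command']}, credits={hdr['credits']}")
```

Because the signature is the scanner's fixed request bytes, a hit on the wire tells you someone ran a scanner against the host (including your own team), and a trivially altered probe, for example a different credit request, slips past it. Detecting actual CVE-2020-0796 exploitation needs inspection of the compression transform header in later packets, which this rule does not look at.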