Last active
April 20, 2022 21:34
-
-
Save captainGeech42/30a709143ad8881c1682d4c769678eba to your computer and use it in GitHub Desktop.
Yara rule for PEs with only LoadLibrary* and GetProcAddress imports
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "pe" | |
| rule Methodology_PE_LoadLibraryGetProcAddrOnly { | |
| meta: | |
| date = "2022-04-18" | |
| author = "Zander Work (@captainGeech42)" | |
| ref = "80ecb9e09772f5c54b2c02519ed68883" | |
| desc = "Look for binaries with only LoadLibrary* and GetProcAddress imports. Not necessarily a sign of maliciousness, but worth looking into probably." | |
| condition: | |
| pe.is_pe and pe.number_of_imported_functions == 2 and | |
| pe.imports("kernel32.dll", "GetProcAddress") and | |
| ( | |
| pe.imports("kernel32.dll", "LoadLibraryA") or | |
| pe.imports("kernel32.dll", "LoadLibraryW") or | |
| pe.imports("kernel32.dll", "LoadLibraryExA") or | |
| pe.imports("kernel32.dll", "LoadLibraryExW") | |
| ) | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment