
// Linux_Exploit_Local.yar -- Elastic Security detection rules, threat_name "Linux.Exploit.Local".
//
// Twelve rules, all following the same shape: one short hex byte sequence ($a, 15-21 bytes,
// two of them with `??` single-byte wildcards) and `condition: all of them`, which with a single
// string is equivalent to `condition: $a`. Every rule carries arch_context "x86", scan_context
// "file, memory", severity 100, license "Elastic License v2" and a reference_sample SHA-256 that
// can be used to validate the rule against the sample it was written for.
//
// Most sequences are 32-bit x86 code: `CD 80` is `int 0x80` (the i386 Linux syscall gate),
// `31 C0` is `xor eax, eax`, and `B0 xx` is `mov al, xx` loading an i386 syscall number.
// Patterns this short can hit unrelated 32-bit binaries that share a syscall stub, especially in
// memory scans, so treat a match as a triage lead rather than a conviction and compare against the
// rule's reference_sample.
//
// NOTE(review): `fingerprint` looks like a per-rule content digest assigned by Elastic -- confirm
// how it is derived before editing any rule body, and bump last_modified alongside it.

// Compiler-generated stores through a pointer held at [ebp-0xC] (`8B 45 F4` / `C6 00 xx`), not a
// hand-written syscall stub. The only rule in the file dated 2021-01-12.
rule Linux_Exploit_Local_47c64fb6 {
    meta:
        author = "Elastic Security"
        id = "47c64fb6-cfa6-4350-a41f-870b87116b32"
        fingerprint = "aa286440061fb31167f314111dde7c2f596357b41fb6a5656216892fee6bf56e"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Local"
        reference_sample = "0caa9035027ff88788e6b8e43bfc012a367a12148be809555c025942054a6360"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { F4 C6 00 FF 8B 45 F4 40 C6 00 25 8B 45 F4 83 C0 02 C7 00 08 00 }
    condition:
        all of them
}

// Shares its 13-byte tail (`31 DB 89 D8 B0 17 CD 80 31 C0 50 50 B0`) with Linux_Exploit_Local_30c21b03;
// the two differ only in the three leading bytes. `B0 17 CD 80` is syscall 0x17, setuid on i386.
rule Linux_Exploit_Local_76c24b62 {
    meta:
        author = "Elastic Security"
        id = "76c24b62-e04f-410d-b7cb-668daa9aea20"
        fingerprint = "907cb776c9200b715c5b20475c2d4b16cb55c607dfb4b57bd3bd95368ce66257"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Local"
        reference_sample = "330de2ca1add7e06389d94dfc541c367a484394c51663b26d27d89346b08ad1b"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 00 00 00 31 DB 89 D8 B0 17 CD 80 31 C0 50 50 B0 }
    condition:
        all of them
}

// Variant of Linux_Exploit_Local_76c24b62: same setuid stub, preceded by `1B CD 80`, i.e. the
// tail of a previous `int 0x80`. A sample containing both stubs back to back fires both rules.
rule Linux_Exploit_Local_30c21b03 {
    meta:
        author = "Elastic Security"
        id = "30c21b03-22fc-4ec8-8b65-084e98da8d8d"
        fingerprint = "8112c4a9bce4b4c9407e851849a5850fa36591570694950a4b53e8a09a1dd92b"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Local"
        reference_sample = "a09c81f185a4ceed134406fa7fefdfa7d8dfc10d639dd044c94fbb6d570fa029"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 1B CD 80 31 DB 89 D8 B0 17 CD 80 31 C0 50 50 B0 }
    condition:
        all of them
}

// Zeroes eax/ebx/ecx, then `B0 46 CD 80` (syscall 0x46, setreuid on i386). The trailing `68 2F`
// is a `push imm32` whose first byte is '/', consistent with a path string being built on the stack.
rule Linux_Exploit_Local_9ace9649 {
    meta:
        author = "Elastic Security"
        id = "9ace9649-c74a-4b27-a147-d14123104c0a"
        fingerprint = "2e526d7ec47a30c7683725c2d2c3db0a8267630bb0f270599325d50227f6ae29"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Local"
        reference_sample = "b38869605521531153cfd8077f05e0d6b52dca0fffbc627a4d5eaa84855a491c"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 31 C0 31 DB 31 C9 B0 46 CD 80 31 C0 50 68 2F }
    condition:
        all of them
}

// `B0 0B CD 80` is syscall 0x0B (execve on i386) followed by `B0 01 CD` -- the start of syscall 1
// (exit). The `8D 0C 24` before it is `lea ecx, [esp]`, pointing the argv register at the stack.
rule Linux_Exploit_Local_705c9589 {
    meta:
        author = "Elastic Security"
        id = "705c9589-f735-45ef-8cf0-b99a05905a9f"
        fingerprint = "d75edca622f0ab8a0b60c4ba5c1026c89d3613c0e101c5c12c03ee08cb7c576e"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Local"
        reference_sample = "845727ea46491b46a665d4e1a3a9dbbe6cd0536d070f1c1efd533b91b75cdc88"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 51 53 8D 0C 24 31 C0 B0 0B CD 80 31 C0 B0 01 CD }
    condition:
        all of them
}

// Compiler output: store a return value at [ebp-0x14], `83 7D EC FF` compares it with -1, then
// `75 1A 83 EC 0C 68` (jne / sub esp,0xC / push imm32) sets up a call on the error path.
// The same `75 1A 83 EC 0C 68` tail appears in Linux_Exploit_Local_66557224.
rule Linux_Exploit_Local_a677fb9c {
    meta:
        author = "Elastic Security"
        id = "a677fb9c-0271-4491-a7c7-48504b6ec389"
        fingerprint = "b7916eefad806131b39af5f9bef27648e2444c9a9c95216b520d73e64fa734f0"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Local"
        reference_sample = "d20b260c7485173264e3e674adc7563ea3891224a3dc98bdd342ebac4a1349e8"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 89 C0 89 45 EC 83 7D EC FF 75 1A 83 EC 0C 68 }
    condition:
        all of them
}

// Three-byte `90 90 90` NOP run, then setuid (`B0 17 CD 80`) followed by the start of syscall 0x2E
// (setgid on i386). The leading NOPs make this one more likely to also hit padded code.
rule Linux_Exploit_Local_78e50162 {
    meta:
        author = "Elastic Security"
        id = "78e50162-8f1e-4c78-94fe-9b793b006269"
        fingerprint = "a5771dad186d0c23d25efb7b22b11aa0a67148cf6efb9657b09ca6e160c192aa"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Local"
        reference_sample = "706c865257d5e1f5f434ae0f31e11dfc7e16423c4c639cb2763ec0f51bc73300"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 90 90 90 31 C0 31 DB B0 17 CD 80 31 C0 B0 2E CD }
    condition:
        all of them
}

// `89 E1 89 C2` (mov ecx,esp / mov edx,eax) then execve via `B0 0B CD 80`; the tail
// `89 C3 31 C0 40` moves the result into ebx and prepares eax = 1 (exit).
rule Linux_Exploit_Local_3b767a1f {
    meta:
        author = "Elastic Security"
        id = "3b767a1f-5844-4742-a5fd-ef8a3ddb6c12"
        fingerprint = "2bc0dc4de92306076cda6f2d069855b85861375c8b7eb5324f915a1ed10c39e5"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Local"
        reference_sample = "e05fed9e514cccbdb775f295327d8f8838b73ad12f25e7bb0b9d607ff3d0511c"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { E3 50 53 89 E1 89 C2 B0 0B CD 80 89 C3 31 C0 40 }
    condition:
        all of them
}

// Compiler output: a near `call` (`E8 63 F9 FF FF`), `83 7D D8 FF` comparing the result with -1,
// and `BF 47 12 40 00` loading edi with the fixed address 0x00401247.
// NOTE(review): 0x0040xxxx is the default non-PIE load region for x86-64 ELF rather than i386
// (0x0804xxxx, see Linux_Exploit_Local_6229602f); arch_context "x86" may be worth re-checking.
rule Linux_Exploit_Local_2535c9b6 {
    meta:
        author = "Elastic Security"
        id = "2535c9b6-a575-4190-8e33-88758675e5b4"
        fingerprint = "4ec419bfd0ac83da2f826ba4cbd6a4b05bbd7b6f6cc077529ec4667b7d2f761a"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Local"
        reference_sample = "d0f9cc114f6a1f788f36e359e03a9bbf89c075f41aec006229b6ad20ebbfba0b"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { E8 63 F9 FF FF 83 7D D8 FF 75 14 BF 47 12 40 00 }
    condition:
        all of them
}

// Wildcarded sibling of Linux_Exploit_Local_2535c9b6: the low byte of the call displacement and the
// low byte of the edi immediate are `??` (any single byte), and the immediate's second byte is 13
// rather than 12, so the two rules cover different builds of the same code; neither subsumes the other.
rule Linux_Exploit_Local_6a9b5d50 {
    meta:
        author = "Elastic Security"
        id = "6a9b5d50-3cd4-4b64-9a52-713e1a8f02b2"
        fingerprint = "7eea1345492359984e9be089c3e7339b79927abcff0ae4a40a713e956bb25919"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Local"
        reference_sample = "80ab71dc9ed2131b08b5b75b5a4a12719d499c6b6ee6819ad5a6626df4a1b862"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { E8 ?? F9 FF FF 83 7D D8 FF 75 14 BF ?? 13 40 00 }
    condition:
        all of them
}

// Same error-check idiom as Linux_Exploit_Local_a677fb9c but against a large stack frame:
// `83 BD E4 FB FF FF FF` is `cmp dword [ebp-0x41C], -1`, then `75 1A 83 EC 0C 68 24`
// (jne / sub esp,0xC / push imm32 whose first byte is '$').
rule Linux_Exploit_Local_66557224 {
    meta:
        author = "Elastic Security"
        id = "66557224-2c7a-4770-8333-8984d4a7b3f7"
        fingerprint = "88503c2e1e389866962704a8b19a47c22f758bb2cee9b76600e5d9bab125d4ca"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Local"
        reference_sample = "f58151a2f653972e744822cdc420ab1c2b8b642877d3dfa2e8b2b6915e8edf40"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { FF FF 83 BD E4 FB FF FF FF 75 1A 83 EC 0C 68 24 }
    condition:
        all of them
}

// Compiler output: store at [ebp-4], `83 7D FC 00 7D 17` (cmp with 0 / jge +0x17), then
// `68 ?? ?? 04 08` -- push of an address in 0x0804xxxx, the default non-PIE i386 ELF region.
// The two `??` wildcards cover the low 16 bits of that address, so this matches any string or
// function in that region; expect it to be the loosest rule in the file.
rule Linux_Exploit_Local_6229602f {
    meta:
        author = "Elastic Security"
        id = "6229602f-1c88-46fa-8fae-a6268ed6d632"
        fingerprint = "b26b21518fd436d79d6a23dbf3d7056b7c056e4df6639718e285de096476f61d"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Local"
        reference_sample = "4fdb15663a405f6fc4379aad9a5021040d7063b8bb82403bedb9578d45d428fa"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 89 C0 89 45 FC 83 7D FC 00 7D 17 68 ?? ?? 04 08 }
    condition:
        all of them
}