Create Costura_Protobuf.yar

bartblaze · Mar 20, 2024 · 879468c · 879468c
1 parent 8156c63
commit 879468c
Showing 1 changed file with 24 additions and 0 deletions.
diff --git a/rules/generic/Costura_Protobuf.yar b/rules/generic/Costura_Protobuf.yar
@@ -0,0 +1,24 @@
+import "dotnet"
+rule Costura_Protobuf
+{
+    meta:
+        id = "2XP6PwlYvHaaVOgoVbFcQC"
+        fingerprint = "da84b0a5628231b790fa802d404dcebd30c39805360e619ea78c6d56cf5d3c52"
+        version = "1.0"
+        date = "2024-03-20"
+        modified = "2024-03-20"
+        status = "RELEASED"
+        sharing = "TLP:WHITE"
+        source = "BARTBLAZE"
+        author = "@bartblaze"
+        description = "Identifies Costura and Protobuf in .NET assemblies, respectively for storing resources and (de)serialization. Seen together might indicate a suspect binary."
+        category = "INFO"
+        reference_a = "https://github.com/Fody/Costura"
+        reference_b = "https://github.com/protobuf-net/protobuf-net"
+
+strings:
+    $comp = "costura.protobuf-net.dll.compressed" ascii wide fullword
+    
+condition:
+    dotnet.is_dotnet and $comp
+}