Last active January 11, 2022 02:19
Yara rule that detects string.replace() being used for possible script obfuscation
```yara
rule Methodology_ScriptObf_ReplaceEmpty {
    meta:
        author = "Zander Work (@captainGeech42)"
        descr = "Detects the use of string.Replace() or similar, where the replacement string is an empty string. This is a common technique for basic script obfuscation."
    strings:
        // does not fire when the search string is passed in as a variable, FYSA
        $re1 = /replace\(["'].*["'], ["']["']\)/ nocase // catches basic usage in at least Python and PowerShell
        $re2 = /replace\(["'].*["'], ["']["'], \d+\)/ // Python str.replace has an optional third argument (a count); this only catches a decimal number, FYSA
        $re3 = /replace\(\/.*\/\w*, ["']["']\)/ // JavaScript String.prototype.replace can take a regex pattern as the first argument
        $re4 = /replace\(\w+, ["'].*["'], ["']["']/ nocase // VBScript Replace takes at least 3 arguments: the string to replace in, the search string, and the replacement string; there are three more optional args
    condition:
        any of them
}
```
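To see exactly what the rule above does and does not catch, here is an added example (not part of the gist) that copies its four regexes into Python's `re` module and runs them over constructed one-line script samples: one per language the rule's comments mention, plus the variable-search-string case the first comment calls out, a no-space-after-comma variant, and a benign replace with a non-empty replacement. Sample names and contents are hypothetical.

```python
import re

# The rule's four regexes, copied verbatim into Python's re module. Everything
# they use (character classes, \d, \w, greedy .*) means the same in YARA's
# regex dialect, so these port without change; `nocase` becomes IGNORECASE.
PATTERNS = {
    "re1": re.compile(r"""replace\(["'].*["'], ["']["']\)""", re.IGNORECASE),
    "re2": re.compile(r"""replace\(["'].*["'], ["']["'], \d+\)"""),
    "re3": re.compile(r"""replace\(\/.*\/\w*, ["']["']\)"""),
    "re4": re.compile(r"""replace\(\w+, ["'].*["'], ["']["']""", re.IGNORECASE),
}


def matching_patterns(script: str) -> list[str]:
    """Names of the rule's strings that fire on `script`."""
    return [name for name, rx in PATTERNS.items() if rx.search(script)]


def rule_hits(script: str) -> bool:
    """Mirror the rule's condition, `any of them`."""
    return bool(matching_patterns(script))


# Constructed samples (hypothetical, not from the gist): one per language the
# rule's comments mention, plus three it does not catch. The "#" characters
# stand in for filler the script strips out of a hidden string at runtime.
SAMPLES = {
    "python":        'cmd = "c#a#l#c".replace("#", "")',
    "python_count":  'cmd = "c#a#l#c".replace("#", "", 3)',
    "powershell":    '$c = "c#a#l#c".Replace("#", "")',
    "javascript":    'var c = "c#a#l#c".replace(/#/g, "")',
    "vbscript":      'c = Replace(s, "#", "")',
    # search string held in a variable: the gap the rule's first comment notes
    "miss_variable": 'junk = "#"\ncmd = "c#a#l#c".replace(junk, "")',
    # every pattern requires exactly ", " between arguments, so this is missed
    "miss_nospace":  'cmd = "c#a#l#c".replace("#","")',
    # non-empty replacement string: not the technique the rule targets
    "benign":        'name = raw.replace(" ", "_")',
}


def scan_samples() -> dict[str, list[str]]:
    """Run every sample through the rule and report which strings matched."""
    return {name: matching_patterns(src) for name, src in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:14} {'HIT ' if hits else 'miss'} {hits}")
```

The two `miss_*` samples show where a defender would want to extend the rule (a variable as the search argument, and whitespace variations around the comma) before relying on it as more than a methodology hint.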