schrodyn/RareEquities_Pcap.yar

## RareEquities_Pcap.yar
rule ELF_Methodology_RareEquities_Pcap
{
 meta:
 author = "@stvemillertime"
 description = "This is a wide catchall rule looking for executables with pcap equities. Matches on this rule may have built-in pcap collection, sniffing capability such as in MESSAGETAP, RATSNIF, etc."
 ref_md5 = "8d3b3d5b68a1d08485773d70c186d877"
 strings:
 $a1 = "pcap_"
 condition:
 (uint32(0) == 0x464c457f) and int8(0x10) == 0x02 and $a1
}
rule PE_Methodology_RareEquities_Pcap
{
 meta:
 author = "@stvemillertime"
 description = "This is a wide catchall rule looking for executables with pcap equities. Matches on this rule may have built-in pcap collection, sniffing capability such as in MESSAGETAP, RATSNIF, etc."
 ref_md5 = "8d3b3d5b68a1d08485773d70c186d877"
 strings:
 $a1 = "pcap_"
 condition:
 (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $a1
}
	rule ELF_Methodology_RareEquities_Pcap
	{
	meta:
	author = "@stvemillertime"
	description = "This is a wide catchall rule looking for executables with pcap equities. Matches on this rule may have built-in pcap collection, sniffing capability such as in MESSAGETAP, RATSNIF, etc."
	ref_md5 = "8d3b3d5b68a1d08485773d70c186d877"
	strings:
	$a1 = "pcap_"
	condition:
	(uint32(0) == 0x464c457f) and int8(0x10) == 0x02 and $a1
	}
	rule PE_Methodology_RareEquities_Pcap
	{
	meta:
	author = "@stvemillertime"
	description = "This is a wide catchall rule looking for executables with pcap equities. Matches on this rule may have built-in pcap collection, sniffing capability such as in MESSAGETAP, RATSNIF, etc."
	ref_md5 = "8d3b3d5b68a1d08485773d70c186d877"
	strings:
	$a1 = "pcap_"
	condition:
	(uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $a1
	}