File tree Expand file tree Collapse file tree 1 file changed +41
-0
lines changed
rules/exe/executable/grum_custom_rule Expand file tree Collapse file tree 1 file changed +41
-0
lines changed Original file line number Diff line number Diff line change @@ -24,6 +24,47 @@ rule EntryPointZero
2424 pe .entry_point == 0x0
2525
2626
27+ rule missing_certificate
28+ {
29+ meta :
30+ atk_type = " missing_certificate "
31+ description = " Detects PE files that do not have a digital signature "
32+ condition :
33+ uint16 (0 ) == 0x5A4D and
34+ pe .is_pe and
35+ pe .number_of_signatures == 0
36+
37+
38+ rule SectionSizeGreaterThanImageSize
39+ {
40+ meta :
41+ atk_type = " suspicious_section "
42+ description = " Detects if any section size is greater than image size "
43+
44+ condition :
45+ uint16 (0 ) == 0x5A4D and
46+ pe .is_pe and
47+ for any i in (0 .. pe .number_of_sections - 1 ) : (
48+ pe .sections [i ].raw_data_size > pe .size_of_image
49+ )
50+
51+
52+ rule TextSectionLargerThanHalfImageSize
53+ {
54+ meta :
55+ atk_type = " suspicious_section "
56+ description = " Detects if .text section is larger than half of the image size "
57+
58+ condition :
59+ uint16 (0 ) == 0x5A4D and
60+ pe .is_pe and
61+ (pe .characteristics & 0x2000 == 0 ) and // .dll 파일이 아닌지 확인
62+ (pe .characteristics & 0x0002 != 0 ) and // .exe 파일인지 확인
63+ for any i in (0 .. pe .number_of_sections - 1 ) : (
64+ pe .sections [i ].name == " .text " and pe .sections [i ].raw_data_size > pe .size_of_image * 0.5
65+ )
66+
67+
2768rule SC_Signed_Executable_With_Custom_Elliptic_Curve_Parameters
2869{
2970
You can’t perform that action at this time.
0 commit comments