fix: rules

Neo23x0 · Neo23x0 · commit cc1c7b6241ac · 2025-03-21T20:09:23.000+01:00
diff --git a/yara/apt_mal_ru_snake_may23.yar b/yara/apt_mal_ru_snake_may23.yar
@@ -19,9 +19,10 @@ rule APT_MAL_RU_WIN_Snake_Malware_May23_1 {
         author = "Matt Suiche (Magnet Forensics)"
         description = "Hunting Russian Intelligence Snake Malware"
         date = "2023-05-10"
+        modified = "2025-03-21"
         threat_name = "Windows.Malware.Snake"
         reference = "https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"
-        score = 75
+        score = 70
         scan_context = "memory"
         license = "MIT"
 
diff --git a/yara/gen_doc_follina.yar b/yara/gen_doc_follina.yar
@@ -1,12 +1,12 @@
+
 rule SUSP_PS1_Msdt_Execution_May22 {
    meta:
       description = "Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation"
       author = "Nasreddine Bencherchali, Christian Burkard"
       date = "2022-05-31"
-      modified = "2022-07-08"
+      modified = "2025-03-21"
       reference = "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e"
-      score = 75
-      id = "caa8a042-ffd4-52b2-a9f0-86e6c83a0aa3"
+      score = 65
    strings:
       $a = "PCWDiagnostic" ascii wide fullword
       $sa1 = "msdt.exe" ascii wide
@@ -23,12 +23,16 @@ rule SUSP_PS1_Msdt_Execution_May22 {
                00 00 70 00 63 00 77 00 72 00 75 00 6E 00 2E 00
                65 00 78 00 65 00 }
       $fp2 = "FilesFullTrust" wide
+      $fp3 = "Cisco Spark" ascii wide
+      $fp4 = "author: " ascii
    condition:
       filesize < 10MB
       and $a
       and 1 of ($sa*)
       and 1 of ($sb*)
       and not 1 of ($fp*)
+      // not JSON
+      and not uint8(0) == 0x7B
 }
 
 rule SUSP_Doc_WordXMLRels_May22 {
diff --git a/yara/vuln_paloalto_cve_2024_3400_apr24.yar b/yara/vuln_paloalto_cve_2024_3400_apr24.yar
@@ -83,7 +83,7 @@ rule SUSP_LNX_Base64_Exec_Apr24 : SCRIPT {
       description = "Detects suspicious base64 encoded shell commands (as seen in Palo Alto CVE-2024-3400 exploitation)"
       author = "Christian Burkard"
       date = "2024-04-18"
-      modified = "2025-01-17"
+      modified = "2025-03-21"
       reference = "Internal Research"
       score = 75
       id = "2da3d050-86b0-5903-97eb-c5f39ce4f3a3"
@@ -94,7 +94,12 @@ rule SUSP_LNX_Base64_Exec_Apr24 : SCRIPT {
       // $s4 = "/tmp/" base64 // prone to FPs
       
       $mirai = "country="
+
+      $fp1 = "<html"
+      $fp2 = "<?xml"
    condition:
       filesize < 800KB
-      and 1 of ($s*) and not $mirai
+      and 1 of ($s*) 
+      and not $mirai
+      and not 1 of ($fp*)
 }
