Volatility3 MCP Server

by Kirandawadi
MALW_Mailers.yar (1.13 kB)
/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

/*
    Description: This rule keys on email headers that may have been sent from a malicious PHP script on a compromised webserver.
    Priority: 4
    Scope: Against Email
    Tags: None
    Author: P.Burbage
    Created in PhishMe's Triage on September 1, 2015 1:43 PM
*/

rule PM_Email_Sent_By_PHP_Script
{
    strings:
        $php1="X-PHP-Script" fullword
        $php2="X-PHP-Originating-Script" fullword
        $php3="/usr/bin/php" fullword

    condition:
        any of them
}

/*
    Description: Hits on ZIP attachments that contain *.js or *.jse - usually JS Dropper malware that has downloaded Kovter & Boaxee in the past.
    Priority: 5
    Scope: Against Attachment
    Tags: FileID
    Author: P.Burbage
    Created in PhishMe's Triage on September 1, 2015 1:43 PM
*/

rule PM_Zip_with_js
{
    strings:
        $hdr="PK"
        $e1=".js" nocase
        $e2=".jse" nocase

    condition:
        $hdr at 0 and (($e1 in (filesize-100..filesize)) or ($e2 in (filesize-100..filesize)))
}
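
The PM_Zip_with_js condition above, rendered in Python next to an exact member-name check, as an added example that is not part of the original ruleset; `rule_tail_match`, `script_members`, `make_zip` and `triage` are hypothetical names, and the archives are constructed in memory. Because `$e1` has neither `fullword` nor an end-of-name anchor, the rule also fires on a member such as `config.json`, which the exact check filters out.

```python
import io
import zipfile

TAIL = 100  # the rule's window: filesize-100..filesize


def rule_tail_match(data: bytes) -> bool:
    """Python approximation of the PM_Zip_with_js condition (not YARA itself)."""
    # $e2 (".jse") is implied by $e1 (".js" nocase), so one substring test covers both.
    return data[:2] == b"PK" and b".js" in data[-TAIL:].lower()


def script_members(data: bytes) -> list[str]:
    """Exact check: central-directory member names ending in .js or .jse."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith((".js", ".jse"))]


def make_zip(name: str, body: bytes = b"constructed sample") -> bytes:
    """Build a one-member archive in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, body)
    return buf.getvalue()


def triage(data: bytes) -> dict:
    """Pair the rule's verdict with the exact member list for analyst review."""
    return {"rule_hit": rule_tail_match(data), "script_members": script_members(data)}


if __name__ == "__main__":
    for name in ("invoice.JS", "config.json", "readme.txt"):
        print(name, triage(make_zip(name)))
```

A rule hit with an empty `script_members` list is a candidate false positive to suppress before alerting.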
