100 Days of YARA – Day 5: Shell Scripts Two Ways!

This rule will find files that are shell scripts. This is not a complete list of valid shells and will not match on scripts lacking a shebang.

rule shell_script
{
	meta:
		description = "Shell scripts"

	strings:
		$s1 = "#!/bin/sh"
		$s2 = "#!/bin/bash"
		$s3 = "#!/bin/zsh"
		$s4 = "#!/bin/csh"
		$s5 = "#!/bin/tcsh"

	condition:
		$s1 at 0 or
		$s2 at 0 or
		$s3 at 0 or
		$s4 at 0 or
		$s5 at 0
}

Matching on scripts that do not start with a shebang is significantly harder to do. I came up with this rule, which has false positives for Perl, Python, and JavaScript files:

rule shell_script_linguist
{
	meta:
		description = "Match *nix shell scripts"

	strings:
		$s1 = "echo" fullword
		$s2 = "read" fullword
		$s3 = "set" fullword
		$s4 = "unset" fullword
		$s5 = "shift" fullword
		$s6 = "export" fullword
		$if1 = "if" fullword
		$if2 = "fi" fullword
		$if3 = "then" fullword
		$if4 = "else" fullword
		$loop1 = "while" fullword
		$loop2 = "do" fullword
		$loop3 = "done" fullword
		$loop4 = "for" fullword
		$case1 = "case" fullword
		$case2 = "esac" fullword
		$case3 = "in" fullword
		$s7 = "ulimit" fullword
		$s8 = "umask" fullword
		$s9 = "eval" fullword
		$s10 = "exec" fullword
		$elf = "\x7fELF"
		$pe = "MZ"

	condition:
		3 of ($s*) and (3 of ($if*) or 3 of ($case*) or 3 of ($loop*)) and (not $elf at 0 and not $pe at 0)
}

YARA Rules Index

One thought on “100 Days of YARA – Day 5: Shell Scripts Two Ways!

  1. Pingback: YARA Rules Index – DMFR SECURITY

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s