100 Days of YARA – Day 10: WinSock

On December 29, 2021December 24, 2021 By DanielIn 100 days of Yara

This rule will find files utilizing WinSock. A match for this rule would indicate that the sample is likely able to communicate over the network.

As stated in Microsoft’s documentation, The WSAStartup function is called to initiate use of WS2_32.dll.https://docs.microsoft.com/en-us/windows/win32/winsock/initializing-winsock

rule winsock
{
	meta:
		description = "Utilizes Winsock"
		reference = "https://docs.microsoft.com/en-us/windows/win32/winsock/initializing-winsock"

	strings:
		$ = "WSAStartup" ascii wide
		$ = "ws2_32.dll" ascii wide nocase

	condition:
		any of them
}

YARA Rules Index

2 thoughts on “100 Days of YARA – Day 10: WinSock”

Pingback: YARA Rules Index – DMFR SECURITY
Pingback: Week 01 – 2022 – This Week In 4n6

Share this:

2 thoughts on “100 Days of YARA – Day 10: WinSock”

Leave a comment Cancel reply