100 Days of YARA – Day 10: WinSock

This rule finds files that reference WinSock, the Windows Sockets API. A match indicates the sample is likely able to communicate over the network. Because the rule matches plain strings, it only fires on samples whose import names or DLL name appear in the clear (packed or string-obfuscated binaries will not match), and it also matches legitimate networked software, so treat a hit as a capability indicator rather than a verdict on maliciousness.

As stated in Microsoft's documentation, the WSAStartup function is called to initiate use of WS2_32.dll, which is why both the function name and the DLL name are good indicators: https://docs.microsoft.com/en-us/windows/win32/winsock/initializing-winsock

rule winsock
{
	meta:
		description = "Utilizes Winsock"
		reference = "https://docs.microsoft.com/en-us/windows/win32/winsock/initializing-winsock"

	strings:
		$ = "WSAStartup" ascii wide
		$ = "ws2_32.dll" ascii wide nocase

	condition:
		any of them
}
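To make the effect of the `ascii`, `wide` and `nocase` modifiers concrete, here is an added example (not code from the original post) that emulates the rule's string matching in pure Python and runs it over constructed byte blobs. The sample inputs are made up for the demonstration and are not real binaries; the emulation only covers the three modifiers this rule uses and is not a substitute for running YARA itself.

```python
"""Pure-Python emulation of the string matching in the 'winsock' YARA rule.

Added example, not code from the original post. It reproduces the effect of
YARA's `ascii`, `wide` and `nocase` modifiers for the two strings in the rule
on constructed byte blobs; it illustrates the modifiers, it does not replace
running YARA.
"""

# (text, ascii, wide, nocase): the same strings and modifiers as the rule.
RULE_STRINGS = [
    ("WSAStartup", True, True, False),   # ascii wide        -> case-sensitive
    ("ws2_32.dll", True, True, True),    # ascii wide nocase -> case-insensitive
]


def encodings(text, ascii_, wide):
    """Byte forms YARA searches for: `ascii` is the raw bytes, `wide` is UTF-16LE
    (each character followed by a 0x00 byte), the way Windows stores wide strings."""
    forms = []
    if ascii_:
        forms.append(("ascii", text.encode("ascii")))
    if wide:
        forms.append(("wide", text.encode("utf-16-le")))
    return forms


def contains(data, needle, nocase):
    """Substring test; `nocase` folds ASCII letters only, like YARA's nocase."""
    if nocase:
        return needle.lower() in data.lower()
    return needle in data


def match_winsock(data):
    """Return (text, encoding) for every rule string found in `data`.

    A non-empty result is what the rule's `any of them` condition tests."""
    hits = []
    for text, ascii_, wide, nocase in RULE_STRINGS:
        for enc_name, needle in encodings(text, ascii_, wide):
            if contains(data, needle, nocase):
                hits.append((text, enc_name))
    return hits


def xor_bytes(data, key):
    """Single-byte XOR, standing in for a trivial packer or string obfuscator."""
    return bytes(b ^ key for b in data)


# Constructed sample inputs (not real binaries).
# Import-table fragment: an ASCII import name, as an unpacked PE would carry it.
SAMPLE_ASCII_IMPORT = b"\x00" * 16 + b"WSAStartup\x00" + b"closesocket\x00"
# Wide, upper-case DLL name, as a LoadLibraryW(L"WS2_32.DLL") argument would be stored.
SAMPLE_WIDE_UPPER = b"\x00\x00" + "WS2_32.DLL".encode("utf-16-le") + b"\x00\x00"
# Nothing network-related at all.
SAMPLE_BENIGN = b"This file never touches the network.\x00"
# The same import fragment behind a one-byte XOR: the plain strings are gone.
SAMPLE_XORED = xor_bytes(SAMPLE_ASCII_IMPORT, 0x41)

SAMPLES = {
    "ascii_import": SAMPLE_ASCII_IMPORT,
    "wide_upper": SAMPLE_WIDE_UPPER,
    "benign": SAMPLE_BENIGN,
    "xored": SAMPLE_XORED,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        hits = match_winsock(blob)
        print(f"{name:13s} match={str(bool(hits)):5s} {hits}")
```

The `ascii_import` and `wide_upper` blobs match (the second only because of `wide` and `nocase`), the benign blob does not, and the XOR-encoded copy of the first blob does not either, which is the blind spot described above. In real YARA the single-byte XOR case can be covered by adding the `xor` modifier to the strings, and false positives on non-executable files can be reduced by requiring an MZ header in the condition (`uint16(0) == 0x5A4D and any of them`).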

YARA Rules Index

2 thoughts on “100 Days of YARA – Day 10: WinSock”

  1. Pingback: YARA Rules Index – DMFR SECURITY

  2. Pingback: Week 01 – 2022 – This Week In 4n6
