Merge pull request #320 from mgreen27/master

Update vuln_paloalto_cve_2024_3400_apr24.yar
Neo23x0 · Jan 17, 2025 · 983cff1 · 983cff1
2 parents 253a7c6 + 5d6f3ef
commit 983cff1
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/yara/vuln_paloalto_cve_2024_3400_apr24.yar b/yara/vuln_paloalto_cve_2024_3400_apr24.yar
@@ -83,6 +83,7 @@ rule SUSP_LNX_Base64_Exec_Apr24 : SCRIPT {
       description = "Detects suspicious base64 encoded shell commands (as seen in Palo Alto CVE-2024-3400 exploitation)"
       author = "Christian Burkard"
       date = "2024-04-18"
+      modified = "2025-01-17"
       reference = "Internal Research"
       score = 75
       id = "2da3d050-86b0-5903-97eb-c5f39ce4f3a3"
@@ -91,6 +92,8 @@ rule SUSP_LNX_Base64_Exec_Apr24 : SCRIPT {
       $s2 = "wget http://" base64
       $s3 = ";chmod 777 " base64
       $s4 = "/tmp/" base64
+      
+      $mirai = "country="
    condition:
-      all of them
-}
+      any of them and not $mirai
+}