Update yara/volt_typhoon_cisa.md
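--- a/yara/volt_typhoon_cisa.md
+++ b/yara/volt_typhoon_cisa.md
@@ -141,3 +141,45 @@ rule CrowdStrike_VANGUARD_PANDA_webshell_installer : java vanguard_panda
 filesize<50KB and 4 of them
 }
 ```
+
+```
+rule Volt_Suspicious_IPs
+{
+meta:
+description = "Detects known malicious Volt Typhoon IP addresses"
+author = "Cpl Iverson"
+date = "2025-01-08"
+
+strings:
+$ip1 = "46.10.197.206"
+$ip2 = "176.102.35.175"
+$ip3 = "93.62.0.77"
+$ip4 = "194.50.159.3"
+$ip5 = "80.64.80.169"
+$ip6 = "24.212.225.54"
+$ip7 = "208.97.106.10"
+$ip8 = "70.60.30.222"
+$ip9 = "184.67.141.110"
+$ip10 = "202.22.227.179"
+$ip11 = "49.204.75.92"
+$ip12 = "61.2.141.161"
+$ip13 = "49.204.75.90"
+$ip14 = "114.143.222.242"
+$ip15 = "117.211.166.22"
+$ip16 = "49.204.65.90"
+$ip17 = "49.204.73.250"
+$ip18 = "192.149.47.110"
+$ip19 = "212.11.106.139"
+$ip20 = "89.203.140.246"
+$ip21 = "94.125.218.19"
+$ip22 = "183.82.110.178"
+$ip23 = "117.239.157.74"
+$ip24 = "210.212.224.124"
+$ip25 = "109.166.39.139"
+$ip26 = "23.227.198.247"
+$ip27 = "104.161.54.203"
+
+condition:
+any of them
+}
+```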
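Review bot: The `$ipN` strings in `rule Volt_Suspicious_IPs` are unanchored substrings, so `$ip3 = "93.62.0.77"` also fires on unrelated addresses such as 193.62.0.77 or 93.62.0.770, and with `any of them` every such collision becomes a hit; anchoring the octets as a regex, e.g. `$ip3 = /\b93\.62\.0\.77\b/`, keeps the match exact. The neighbouring rule bounds its scan with `filesize<50KB` while this one has no size limit and is evaluated against every file, which is worth either constraining the same way or stating as intentional in `meta`. The `meta` block also lacks a `reference` naming the source of the indicators (the file name suggests the CISA advisory), which readers need to judge when the list has gone stale. If the rule is meant to run over logs or configuration captured from Windows hosts, the `ascii wide` modifier would be needed to catch UTF-16 copies of the same addresses.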