From 2d9541628e287021f533523c451f188db0e87b66 Mon Sep 17 00:00:00 2001
From: Kazgangap
Date: Tue, 16 Apr 2024 03:46:46 +0300
Subject: [PATCH] upstyle malware detect add
---
 file/malware/upstyle-malware.yaml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 file/malware/upstyle-malware.yaml
diff --git a/file/malware/upstyle-malware.yaml b/file/malware/upstyle-malware.yaml
new file mode 100644
index 0000000000..fab6017d8d
--- /dev/null
+++ b/file/malware/upstyle-malware.yaml
@@ -0,0 +1,31 @@
+id: upstyle-py-malware
+info:
+ name: Upstyle Malware - Detect
+ author: Kazgangap
+ severity: info
+ reference:
+ - https://unit42.paloaltonetworks.com/cve-2024-3400/
+ - https://github.com/volexity/threat-intel/blob/main/2024/2024-04-12%20Palo%20Alto%20Networks%20GlobalProtect/indicators/rules.yar
+ tags: malware,cve-2024-3400
+file:
+ - extensions:
+ - "py"
+
+ matchers:
+ - type: word
+ part: raw
+ words:
+ - "/opt/pancfg/mgmt/licenses/PA_VM"
+ - "exec(base64."
+ condition: or
+
+ - type: word
+ part: raw
+ words:
+ - "signal.signal(signal.SIGTERM,stop)"
+ - "exec(base64."
+ condition: or
+
+ - type: regex
+ regex:
+ - "write(\"/*\"+output+\"*/\")"
\ No newline at end of file
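Review bot: The final regex matcher `write("/*"+output+"*/")` is the Volexity YARA string pasted in unescaped, so `(`, `)`, `*` and `+` act as regex metacharacters and the pattern cannot match the literal text it is meant to find (after `write` it requires a `"`, but the malware line has `(`); either escape it or, simpler, make it a word matcher: `- type: word` / `words:` / `- 'write("/*"+output+"*/")'`. The two word matchers both carry `"exec(base64."` with `condition: or`, and with nuclei's default matchers-condition (`or`, as far as I recall) a lone `exec(base64.` or a plain `signal.signal(signal.SIGTERM,stop)` handler in any `.py` file will fire the template, which makes an `info`-severity "malware" hit noisy; the `/opt/pancfg/mgmt/licenses/PA_VM` path is the only indicator that is specific to the implant. Consider requiring the PA_VM path, or combining the generic strings under a single matcher with `condition: and`, and dropping the duplicated `exec(base64.` entry. The new file also lacks a trailing newline.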