Sneed-Reactivity/yara-Neo23x0/apt_aus_parl_compromise.yar

173 lines
7.4 KiB
Text
Raw Permalink Normal View History

/*
YARA Rule Set
Author: Florian Roth
Date: 2019-02-18
Identifier: Compromise of the Australian Parliament House network
Reference: https://cyber.gov.au/government/news/parliament-house-network-compromise/
https://twitter.com/cyb3rops/status/1097423665472376832
*/
/* Rule Set ----------------------------------------------------------------- */
rule APT_WebShell_Tiny_1 {
meta:
description = "Detetcs a tiny webshell involved in the Australian Parliament House network compromise"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
date = "2019-02-18"
id = "e65a8920-0684-5aae-a2b8-079c2beae08a"
strings:
$x1 = "eval(" ascii wide
condition:
( uint16(0) == 0x3f3c or uint16(0) == 0x253c ) and filesize < 40 and $x1
}
rule APT_WebShell_AUS_Tiny_2 {
meta:
description = "Detetcs a tiny webshell involved in the Australian Parliament House network compromise"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
date = "2019-02-18"
hash1 = "0d6209d86f77a0a69451b0f27b476580c14e0cda15fa6a5003aab57a93e7e5a5"
id = "4746d4ce-628a-59b0-9032-7e0759d96ad3"
strings:
$x1 = "Request.Item[System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(\"[password]\"))];" ascii
$x2 = "eval(arguments,System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(\"" ascii
condition:
( uint16(0) == 0x3f3c or uint16(0) == 0x253c ) and filesize < 1KB and 1 of them
}
rule APT_WebShell_AUS_JScript_3 {
meta:
description = "Detetcs a webshell involved in the Australian Parliament House network compromise"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
date = "2019-02-18"
hash1 = "7ac6f973f7fccf8c3d58d766dec4ab7eb6867a487aa71bc11d5f05da9322582d"
id = "ff7e780b-ccf9-53b6-b741-f04a8cbaf580"
strings:
$s1 = "<%@ Page Language=\"Jscript\" validateRequest=\"false\"%><%try{eval(System.Text.Encoding.UTF8.GetString(Convert.FromBase64String" ascii
$s2 = ".Item[\"[password]\"])),\"unsafe\");}" ascii
condition:
uint16(0) == 0x6568 and filesize < 1KB and all of them
}
rule APT_WebShell_AUS_4 {
meta:
description = "Detetcs a webshell involved in the Australian Parliament House network compromise"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
date = "2019-02-18"
hash1 = "83321c02339bb51735fbcd9a80c056bd3b89655f3dc41e5fef07ca46af09bb71"
id = "bb5b10d1-3528-5361-92fc-8440c65dcda4"
strings:
$s1 = "wProxy.Credentials = new System.Net.NetworkCredential(pusr, ppwd);" fullword ascii
$s2 = "{return System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(" ascii
$s3 = ".Equals('User-Agent', StringComparison.OrdinalIgnoreCase))" ascii
$s4 = "gen.Emit(System.Reflection.Emit.OpCodes.Ret);" fullword ascii
condition:
uint16(0) == 0x7566 and filesize < 10KB and 3 of them
}
rule APT_Script_AUS_4 {
meta:
description = "Detetcs a script involved in the Australian Parliament House network compromise"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
date = "2019-02-18"
hash1 = "fdf15f388a511a63fbad223e6edb259abdd4009ec81fcc87ce84f0f2024c8057"
id = "5cbf2476-5ce8-540d-b87b-e400daf49b43"
strings:
$x1 = "myMutex = CreateMutex(0, 1, \"teX23stNew\")" fullword ascii
$x2 = "mmpath = Environ(appdataPath) & \"\\\" & \"Microsoft\" & \"\\\" & \"mm.accdb\"" fullword ascii
$x3 = "Dim mmpath As String, newmmpath As String, appdataPath As String" fullword ascii
$x4 = "'MsgBox \"myMutex Created\" Do noting" fullword ascii
$x5 = "appdataPath = \"app\" & \"DatA\"" fullword ascii
$x6 = ".DoCmd.Close , , acSaveYes" fullword ascii
condition:
filesize < 7KB and 1 of them
}
rule APT_WebShell_AUS_5 {
meta:
description = "Detetcs a webshell involved in the Australian Parliament House network compromise"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
date = "2019-02-18"
hash1 = "54a17fb257db2d09d61af510753fd5aa00537638a81d0a8762a5645b4ef977e4"
id = "59b3f6aa-2d3b-54b4-b543-57bd9d981e87"
strings:
$a1 = "function DEC(d){return System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(d));}" fullword ascii
$a2 = "function ENC(d){return Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(d));}" fullword ascii
$s1 = "var hash=DEC(Request.Item['" ascii
$s2 = "Response.Write(ENC(SET_ASS_SUCCESS));" fullword ascii
$s3 = "hashtable[hash] = assCode;" fullword ascii
$s4 = "Response.Write(ss);" fullword ascii
$s5 = "var hashtable = Application[CachePtr];" fullword ascii
condition:
uint16(0) == 0x7566 and filesize < 2KB and 4 of them
}
rule HKTL_LazyCat_LogEraser {
meta:
description = "Detetcs a tool used in the Australian Parliament House network compromise"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
date = "2019-02-18"
hash1 = "1c113dce265e4d744245a7c55dadc80199ae972a9e0ecbd0c5ced57067cf755b"
hash2 = "510375f8142b3651df67d42c3eff8d2d880987c0e057fc75a5583f36de34bf0e"
id = "a3d74657-a389-5482-ab26-966e790afd50"
strings:
$x1 = "LazyCat.dll" ascii wide fullword
$x2 = ".local_privilege_escalation.rotten_potato" ascii wide
$x3 = "LazyCat.Extension" ascii wide
$x4 = " MEOWof" ascii wide
$x5 = "VirtualSite: {0}, Address: {1:X16}, Name: {2}, Handle: {3:X16}, LogPath: {4}" fullword wide
$s1 = "LazyCat" fullword ascii wide
$s2 = "$e3ff37f2-85d7-4b24-a385-7eeb1f5a9562"
$s3 = "local -> remote {0} bytes"
$s4 = "remote -> local {0} bytes"
condition:
3 of them
}
rule HKTL_PowerKatz_Feb19_1 {
meta:
description = "Detetcs a tool used in the Australian Parliament House network compromise"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
date = "2019-02-18"
id = "294d6f6c-dbc8-5431-87a0-64abe582c4ea"
strings:
$x1 = "Powerkatz32" ascii wide fullword
$x2 = "Powerkatz64" ascii wide
$s1 = "GetData: not found taskName" fullword ascii wide
$s2 = "GetRes Ex:" fullword ascii wide
condition:
1 of ($x*) and 1 of ($s*)
}
rule HKTL_Unknown_Feb19_1 {
meta:
description = "Detetcs a tool used in the Australian Parliament House network compromise"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/cyb3rops/status/1097423665472376832"
date = "2019-02-18"
id = "bdcadc4b-8881-5dc7-b203-4e79cbc850ed"
strings:
$x1 = "not a valid timeout format!" ascii wide fullword
$x2 = "host can not be empty!" ascii wide fullword
$x3 = "not a valid port format!" ascii wide fullword
$x4 = "{0} - {1} TTL={2} time={3}" ascii wide fullword
$x5 = "ping count is not a correct format!" ascii wide fullword
$s1 = "The result is too large,program store to '{0}'.Please download it manully." fullword ascii wide
$s2 = "C:\\Windows\\temp\\" ascii wide
condition:
1 of ($x*) or 2 of them
}