/*
   Khepri C2 beacon detection (Windows PE or Linux ELF implants).

   Detection strategy (see condition for the exact gating):
     - $x*  : high-confidence indicators, one hit is enough on a small PE/ELF
     - $xe* : base64-encoded form of the "c2.CMDPARAM.cmd" marker, searched in
              any file up to 10MB with no header check (e.g. an encoded payload
              carried by a loader or script - presumably; not verified here)
     - $sx* : medium-confidence protocol/message field names, two required
     - $sa* : generic supporting strings, individually weak, so all four required
     - $op* : code/data byte patterns from one specific build, three required

   Naming caveat: the YARA wildcard $x* also matches $xe1..$xe3, so the
   "1 of ($x*)" term already covers the base64 strings for files < 2000KB;
   the separate $xe* branch only widens the filesize limit and drops the
   PE/ELF magic check.
*/
rule HKTL_Khepri_Beacon_Sep21_1 {
   meta:
      description = "Detects Khepri C2 framework beacons"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/geemion/Khepri/"
      date = "2021-09-08"
      // Nextron/THOR rule score; 90 is treated as a high-confidence hit
      score = 90
      hash1 = "86c48679db5f4c085fd741ebec5235bc6cf0cdf8ef2d98fd8a689ceb5088f431"
      id = "b2c8aaf7-7953-55a3-8499-565800fa01f1"
   strings:
      // printf-style OS version banner; presumably what the beacon reports
      // about the host (format string taken from the sample, not verified
      // against the source tree here)
      $x1 = "NT %d.%d Build %d ProductType:%s" ascii fullword

      /* c2.CMDPARAM.cmd */
      // The three base64 alignments of "c2.CMDPARAM.cmd" (string starting at
      // byte offset 0, 1 and 2 of a base64 triplet). Newer YARA versions can
      // derive these with the `base64` string modifier; they are spelled out
      // here so the rule also compiles on older engines.
      $xe1 = "YzIuQ01EUEFSQU0uY21k" ascii
      $xe2 = "MyLkNNRFBBUkFNLmNtZ" ascii
      $xe3 = "jMi5DTURQQVJBTS5jbW" ascii

      // Fully qualified "package.Message.field" names; look like protobuf
      // descriptor strings of the beacon's C2 message schema (assumption,
      // based on the naming shape only)
      $sx1 = "c2.ProcessItem.user" ascii fullword
      $sx2 = "c2.CMDPARAM.cmd" ascii fullword
      $sx3 = "c2.DownLoadFile.file_path" ascii fullword

      // Generic strings that appear in many unrelated binaries; only
      // meaningful in combination, hence "all of ($sa*)" in the condition.
      // No modifier given, so YARA defaults to ascii-only matching - a
      // UTF-16 (wide) copy of e.g. "cmd.exe /c " would not be matched.
      $sa1 = "file size zero"
      $sa2 = "cmd.exe /c "
      $sa3 = "error parse param"
      $sa4 = "innet_ip"

      // Byte patterns from the sample's code/data. $op1, $op2 and $op4 embed
      // absolute little-endian addresses in the 0x0049xxxx range and $op3 is
      // a table of 0x0043xxxx pointers, so these are tied to one compiled
      // layout (non-relocated, fixed image base) and will not survive a
      // rebuild, different compiler options or ASLR-relocated memory images.
      // Treat this branch as near-hash-grade coverage, not generic detection.
      $op1 = { c3 b9 b4 98 49 00 87 01 5d c3 b8 b8 98 49 00 c3 8b ff }
      $op2 = { 8b f1 80 3d 58 97 49 00 00 0f 85 96 00 00 00 33 c0 40 b9 50 97 49 00 87 01 33 db }
      $op3 = { 90 d5 0c 43 00 34 0d 43 00 ea 0c 43 00 7e 0d 43 00 b6 0d 43 00 cc }
      $op4 = { 69 c0 ff 00 00 00 8b 4d c0 23 88 40 7c 49 00 89 4d c0 8b 45 cc 0b 45 c0 89 45 cc 8b 45 d0 }
   condition:
      // Branch 1: PE ("MZ") or ELF ("\x7fELF") header, small file, and at
      // least one of the indicator groups at its required threshold.
      ( uint16(0) == 0x5a4d or uint32be(0) == 0x7f454c46 ) and
      filesize < 2000KB and (
         1 of ($x*) or   // note: $x* also matches $xe1..$xe3
         2 of ($sx*) or
         all of ($sa*) or
         3 of ($op*)
      ) or (
         // Branch 2: base64-encoded marker in any file type up to 10MB;
         // deliberately no PE/ELF magic check.
         filesize < 10MB
         and 1 of ($xe*)
      )
      // Branch 3: 5 of the 15 defined strings, with no size or header
      // gating at all - the broadest catch-all. `and` binds tighter than
      // `or` in YARA, so this is a third top-level alternative.
      or 5 of them
}