Sneed-Reactivity/yara-Neo23x0/general_cloaking.yar

154 lines
6.1 KiB
Text
Raw Normal View History

/*
Generic Cloaking
Florian Roth
Nextron Systems GmbH
License: Detetction Rule License 1.1 (https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md)
*/
rule EXE_cloaked_as_TXT {
meta:
description = "Executable with TXT extension"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
id = "2188c0fe-71b0-5dee-bde9-f310c66e39c6"
condition:
uint16(0) == 0x5a4d // Executable
and filename matches /\.txt$/is // TXT extension (case insensitive)
}
rule EXE_extension_cloaking {
meta:
description = "Executable showing different extension (Windows default 'hide known extension')"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
id = "78da6129-a11d-5e9e-8eaf-2a18178b7278"
condition:
filename matches /\.txt\.exe$/is or // Special file extensions
filename matches /\.pdf\.exe$/is // Special file extensions
}
rule Cloaked_RAR_File {
meta:
description = "RAR file cloaked by a different extension"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
id = "a3a9ad40-8a39-513d-be95-73f5a909265e"
condition:
uint32be(0) == 0x52617221 // RAR File Magic Header
and not filename matches /(rarnew.dat|\.rar)$/is // not the .RAR extension
and not filename matches /\.[rR][\d]{2}$/ // split RAR file
and not filepath contains "Recycle" // not a deleted RAR file in recycler
}
rule Base64_encoded_Executable : FILE {
meta:
description = "Detects an base64 encoded executable (often embedded)"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
date = "2015-05-28"
score = 40
id = "0bfc5916-3e63-5601-9f14-65f848c9322b"
strings:
$s1 = "TVpTAQEAAAAEAAAA//8AALgAAAA" // 14 samples in goodware archive
$s2 = "TVoAAAAAAAAAAAAAAAAAAAAAAAA" // 26 samples in goodware archive
$s3 = "TVqAAAEAAAAEABAAAAAAAAAAAAA" // 75 samples in goodware archive
$s4 = "TVpQAAIAAAAEAA8A//8AALgAAAA" // 168 samples in goodware archive
$s5 = "TVqQAAMAAAAEAAAA//8AALgAAAA" // 28,529 samples in goodware archive
condition:
1 of them
and not filepath contains "Thunderbird"
and not filepath contains "Internet Explorer"
and not filepath contains "Chrome"
and not filepath contains "Opera"
and not filepath contains "Outlook"
and not filepath contains "Temporary Internet Files"
}
rule Gen_Base64_EXE: HIGHVOL {
meta:
description = "Detects Base64 encoded Executable in Executable"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-04-21"
id = "ef919a63-9a29-5624-a084-b92e3578e3a6"
strings:
$s1 = "TVpTAQEAAAAEAAAA//8AALgAAAA" wide ascii // 14 samples
$s2 = "TVoAAAAAAAAAAAAAAAAAAAAAAAA" wide ascii // 26 samples
$s3 = "TVqAAAEAAAAEABAAAAAAAAAAAAA" wide ascii // 75 samples
$s4 = "TVpQAAIAAAAEAA8A//8AALgAAAA" wide ascii // 168 samples
$s5 = "TVqQAAMAAAAEAAAA//8AALgAAAA" wide ascii // 28,529 samples
$fp1 = "BAM Management class library"
condition:
uint16(0) == 0x5a4d and filesize < 5000KB and 1 of ($s*)
and not 1 of ($fp*)
}
rule Binary_Drop_Certutil {
meta:
description = "Drop binary as base64 encoded cert trick"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/9DNn8q"
date = "2015-07-15"
score = 70
id = "19791e51-d041-524d-80fa-9f3ec54eb084"
strings:
$s0 = "echo -----BEGIN CERTIFICATE----- >" ascii
$s1 = "echo -----END CERTIFICATE----- >>" ascii
$s2 = "certutil -decode " ascii
condition:
filesize < 10KB and all of them
}
rule StegoKatz {
meta:
description = "Encoded Mimikatz in other file types"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/jWPBBY"
date = "2015-09-11"
score = 70
id = "78868bb0-af69-573d-afd2-350a46f69137"
strings:
$s1 = "VC92Ny9TSXZMNk5jLy8vOUlqUTFVRlFNQTZMLysvdjlJaTh2L0ZUNXJBUUJJaTFRa1NFaUx6K2hWSS8vL1NJME44bklCQU9pZC92Ny9USTJjSkpBQUFBQXp3RW1MV3hCSmkyc1lTWXR6S0VtTDQxL0R6TXhNaTl4SmlWc0lUWWxMSUUySlF4aFZWbGRCVkVGVlFWWkJWMGlCN1BBQUFBQklnMlFrYUFDNE1BQUFBRW1MNkVTTmNPQ0pSQ1JnaVVRa1pFbU5RN0JKaTlsTWpRWFBGQU1BU0ls" ascii
$s2 = "Rpd3ovN3FlalVtNklLQ0xNNGtOV1BiY0VOVHROT0Zud25CWGN0WS9BcEdMR28rK01OWm85Nm9xMlNnY1U5aTgrSTBvNkFob1FOTzRHQWdtUElEVmlqald0Tk90b2FmN01ESWJUQkF5T0pYbTB4bFVHRTBZWEFWOXVoNHBkQnRrS0VFWWVBSEE2TDFzU0c5a2ZFTEc3QWd4WTBYY1l3ZzB6QUFXS09JZE9wQVhEK3lnS3lsR3B5Q1ljR1NJdFNseGZKWUlVVkNFdEZPVjRJUldERUl1QXpKZ2pCQWdsd0Va" ascii
condition:
filesize < 1000KB and 1 of them
}
rule Obfuscated_VBS_April17 {
meta:
description = "Detects cloaked Mimikatz in VBS obfuscation"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-04-21"
id = "ca60b885-bb56-55ee-a2b3-dea6958883c2"
strings:
$s1 = "::::::ExecuteGlobal unescape(unescape(" ascii
condition:
filesize < 500KB and all of them
}
rule Obfuscated_JS_April17 {
meta:
description = "Detects cloaked Mimikatz in JS obfuscation"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-04-21"
id = "44abd2c0-5f8d-5a8c-b282-a09853e12054"
strings:
$s1 = "\";function Main(){for(var " ascii
$s2 = "=String.fromCharCode(parseInt(" ascii
$s3 = "));(new Function(" ascii
condition:
filesize < 500KB and all of them
}