/*
   Yara Rule Set

   Author:     NCSC (modified for performance reasons by Florian Roth)
   Date:       2018-04-06
   Identifier: Hostile state actors compromising UK organisations
   Reference:  https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control

   Performance modification: the short pattern {fb ff ff ff 00 00} that several of the
   original NCSC rules required has been commented out in the rules below; the affected
   conditions therefore rest on the remaining string(s) only (see the per-rule notes).
*/
rule Bytes_used_in_AES_key_generation {
   meta:
      author = "NCSC"
      description = "Detects Backdoor.goodor"
      reference = "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"
      date = "2018/04/06"
      hash = "b5278301da06450fe4442a25dda2d83d21485be63598642573f59c59e980ad46"
      id = "26a549dd-cbd2-5abc-8d9d-5ea354d0ece8"
   strings:
      // 24 printable bytes, i.e. the ASCII text "5465KJUT^IU_){h65g46df5h".
      // Per the rule name this is material the backdoor uses when deriving its AES key.
      $a1 = { 35 34 36 35 4B 4A 55 54 5E 49 55 5F 29 7B 68 36 35 67 34 36 64 66 35 68 }
      // The original rule also required $a2 = { fb ff ff ff 00 00 }. It was disabled by
      // the maintainer for performance: a pattern made of FF/00 bytes gives YARA a poor
      // search atom. With it gone, "all of ($a*)" is effectively just $a1.
   condition:
      uint16(0) == 0x5a4d          // "MZ": PE executable
      and filesize < 5000KB
      and all of ($a*)
}
rule Partial_Implant_ID {
   meta:
      author = "NCSC"
      description = "Detects implant from NCSC report"
      reference = "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"
      date = "2018/04/06"
      hash = "b5278301da06450fe4442a25dda2d83d21485be63598642573f59c59e980ad46"
      id = "15144f4a-2c96-57f0-b7e9-adbac477c38a"
   strings:
      // 8 ASCII bytes: "881456FC" (the "partial implant ID" of the rule name).
      $a1 = {38 38 31 34 35 36 46 43}
      // NOTE(review): $a2 was disabled for scan performance (a pattern of FF/00 bytes
      // makes a poor search atom), so "all of ($a*)" below reduces to $a1 alone. An
      // 8-character hex-looking token in any PE under 1 MB is a weak anchor on its own;
      // treat hits as leads and confirm against the referenced hash rather than blocking.
      /* $a2 = {fb ff ff ff 00 00} disabled due to performance issues */
   condition:
      // "MZ" header, size cap, then the remaining string.
      uint16(0) == 0x5a4d and filesize < 1000KB and all of ($a*)
}
rule Sleep_Timer_Choice {
   meta:
      author = "NCSC"
      description = "Detects malware from NCSC report"
      reference = "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"
      date = "2018/04/06"
      hash = "b5278301da06450fe4442a25dda2d83d21485be63598642573f59c59e980ad46"
      id = "c64db0dd-2858-5508-ac51-d3318113a060"
   strings:
      // 19 bytes of x86 code, same bytes as the original unspaced pattern:
      //   8B 04 24        mov  eax, [esp]
      //   B9 0F 00 00 00  mov  ecx, 0Fh
      //   83 F9 FF        cmp  ecx, -1
      //   74 34           je   short +34h
      //   99              cdq
      //   F7 F9           idiv ecx
      //   8D 42 0F        lea  eax, [edx+0Fh]
      // i.e. "remainder of (value / 15), plus 15" -- consistent with picking a sleep
      // interval, which is what the rule name refers to.
      $a1 = { 8B 04 24 B9 0F 00 00 00 83 F9 FF 74 34 99 F7 F9 8D 42 0F }
      // $a2 = { fb ff ff ff 00 00 } was disabled for performance (FF/00-only pattern,
      // poor search atom); "all of ($a*)" therefore rests on $a1 alone.
   condition:
      uint16(0) == 0x5a4d          // "MZ": PE executable
      and filesize < 1000KB
      and all of ($a*)
}
rule User_Function_String {
   meta:
      author = "NCSC"
      description = "Detects user function string from NCSC report"
      reference = "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"
      date = "2018/04/06"
      hash = "b5278301da06450fe4442a25dda2d83d21485be63598642573f59c59e980ad46"
      id = "563ac6af-6b37-53c6-ae13-d97e31edb088"
   strings:
      // The original rule also required $b1; it was disabled for scan performance
      // (FF/00-only pattern, poor search atom) and is likewise removed from the condition.
      /* $b1 = {fb ff ff ff 00 00} disabled due to performance issues */
      // Symbol names in the "<receiver>.<Method>" form; no modifier given, so these are
      // matched as plain ASCII only (YARA's default).
      $a2 = "e.RandomHashString"
      $a3 = "e.Decode"
      $a4 = "e.Decrypt"
      $a5 = "e.HashStr"
      $a6 = "e.FromB64"
   condition:
      // NOTE(review): no file-type or filesize gate remains, so this applies to every
      // scanned file. Four of the five names must co-occur, which limits noise, but the
      // names are short and generic enough that text that quotes them (reports, this
      // rule file) will also hit -- review matches rather than acting on them blindly.
      /* $b1 and */ 4 of ($a*)
}
rule generic_shellcode_downloader_specific {
   meta:
      author = "NCSC"
      description = "Detects Doorshell from NCSC report"
      reference = "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"
      date = "2018/04/06"
      hash = "b8bc0611a7fd321d2483a0a9a505251e15c22402e0cfdc62c0258af53ed3658a"
      id = "ddd25add-ff84-5106-ac3c-5d5b4c1ef2a9"
   strings:
      // x86 "push imm32" (68 xx xx xx xx) with the immediates "lloc", "ualA" and "Virt".
      // Pushed in that order they leave "VirtualAlloc" on the stack -- consistent with
      // shellcode spelling out an API name without a data section.
      $push1 = {68 6C 6C 6F 63}
      $push2 = {68 75 61 6C 41}
      $push3 = {68 56 69 72 74}
      // Two code fragments taken from the sample; either one is accepted.
      // $a decodes as: mov edx,290h / inc esi / rol esi,19h / add ebx,ebp / sub esi,esp / xor ebx,esi
      $a = {BA 90 02 00 00 46 C1 C6 19 03 DD 2B F4 33 DE}
      // $b decodes as: xchg eax,eax / xor edx,148919D1h / ror eax,1Fh / jmp eax
      $b = {87 C0 81 F2 D1 19 89 14 C1 C8 1F FF E0}
   condition:
      // "MZ" at 0 and "PE" at e_lfanew (the dword at 0x3C); one of the code fragments;
      // and the three pushes in emission order. @x is the offset of the FIRST match of
      // $x, and a string with no match leaves @x undefined, which makes the rule false.
      (uint16(0) == 0x5A4D and uint16(uint32(0x3C)) == 0x4550) and ($a or $b) and @push1 < @push2 and @push2 < @push3
}
rule Batch_Script_To_Run_PsExec {
   meta:
      author = "NCSC"
      description = "Detects malicious batch file from NCSC report"
      reference = "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"
      date = "2018/04/06"
      hash = "b7d7c4bc8f9fd0e461425747122a431f93062358ed36ce281147998575ee1a18"
      id = "1fbeeec8-a5bd-569e-b435-c7d82d32e47b"
   strings:
      // Fragments of the batch script from the report. Named instead of anonymous for
      // readability; "3 of them" counts them exactly as before.
      $for_tokens = "Tokens=1 delims=" ascii        // FOR /F parsing options -- common in benign scripts on its own
      $set_target = "SET ws=%1" ascii               // first argument becomes the %ws% target
      $echo_check = "Checking %ws%" ascii
      $temp_out   = "%TEMP%\\%ws%ns.txt" ascii      // YARA "\\" is one backslash: %TEMP%\<ws>ns.txt
      $psexec     = "ps.exe -accepteula" ascii      // PsExec renamed to ps.exe; -accepteula suppresses the EULA prompt
   condition:
      // Any three fragments; the threshold keeps the generic FOR-loop text from firing alone.
      3 of them
}
rule Batch_Powershell_Invoke_Inveigh {
   meta:
      author = "NCSC"
      description = "Detects malicious batch file from NCSC report"
      reference = "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"
      date = "2018/04/06"
      hash = "0a6b1b29496d4514f6485e78680ec4cd0296ef4d21862d8bf363900a4f8e3fd2"
      id = "c5dab029-6515-5d58-9ccd-bf438ba692d5"
   strings:
      // Batch wrapper that launches the Inveigh PowerShell tool with the exact switches
      // seen in the report. Named strings; "all of them" behaves as with anonymous ones.
      $script   = "Inveigh.ps1" ascii
      $cmdlet   = "Invoke-Inveigh" ascii
      $switches = "-LLMNR N -HTTP N -FileOutput Y" ascii   // operator's exact argument string
      $host     = "powershell.exe" ascii
   condition:
      // All four must be present, so any change to the argument string is a miss.
      // Inveigh is a publicly available tool, so a hit may also be an authorised test --
      // confirm the source before treating it as hostile.
      all of them
}
rule lnk_detect {
   meta:
      author = "NCSC"
      description = "Detects malicious LNK file from NCSC report"
      reference = "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"
      date = "2018/04/06"
      id = "76d382f3-b2f2-5ede-94b2-5ae8b766c194"
   strings:
      // First 20 bytes of a Shell Link header: HeaderSize 0x4C (little-endian) followed
      // by the link CLSID {00021401-0000-0000-C000-000000000046}.
      $lnk_magic = { 4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46 }
      // UTF-16LE "AUTOEXEC.BAT" without the final null byte of the 'T' (kept exactly as
      // the original pattern, so it is not written as a "wide" text string).
      $lnk_target = { 41 00 55 00 54 00 4F 00 45 00 58 00 45 00 43 00 2E 00 42 00 41 00 54 }
      // UTF-16LE "\\" followed by a digit 1-9: a UNC path whose host name starts with a
      // digit (e.g. an IP address). One alternation in place of the original nine
      // single-digit strings $s1..$s9; it matches exactly when any of them would.
      $unc_digit_host = { 5C 00 5C 00 ( 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 ) 00 }
   condition:
      // Cheap header reads first (big-endian so the constants read like the raw bytes),
      // then the full magic anchored at offset 0, the target name and the UNC prefix.
      uint32be(0) == 0x4c000000 and
      uint32be(4) == 0x01140200 and
      $lnk_magic at 0 and
      $lnk_target and
      $unc_digit_host
}
rule RDP_Brute_Strings {
   meta:
      author = "NCSC"
      description = "Detects RDP brute forcer from NCSC report"
      reference = "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"
      date = "2018/04/06"
      hash = "8234bf8a1b53efd2a452780a69666d1aedcec9eb1bb714769283ccc2c2bdcc65"
      id = "d6f0cdbc-a910-5826-b25a-61c2924f8e2a"
   strings:
      // Class/field/UI names from the brute-forcer; "ascii" only unless marked otherwise.
      $ = "RDP Brute" ascii wide
      $ = "RdpChecker" ascii
      $ = "RdpBrute" ascii
      $ = "Brute_Count_Password" ascii
      $ = "BruteIPList" ascii
      $ = "Chilkat_Socket_Key" ascii       // Chilkat is a commercial .NET socket library; the key name alone is not malicious
      $ = "Brute_Sync_Stat" ascii
      // NOTE(review): this is the text Microsoft Word substitutes for a broken hyperlink
      // field. It most likely replaced a real string when the report was authored and is
      // unlikely to appear in the binary; verify against the sample before relying on it.
      $ = "(Error! Hyperlink reference not valid.)" wide
      $ = "BadRDP" wide
      $ = "GoodRDP" wide
      // .NET composite-format template ({0} = newline, {1}/{2} = paths) for a self-deleting
      // batch file: loop deleting the first file until it is gone, then delete the second.
      $ = "@echo off{0}:loop{0}del {1}{0}if exist {1} goto loop{0}del {2}{0}del \"{2}\"" wide
      $ = "Coded by z668" wide
   condition:
      // Any four of the twelve strings.
      4 of them
}
rule WEBSHELL_Z_WebShell_1 {
   meta:
      author = "NCSC"
      description = "Detects Z Webshell from NCSC report"
      reference = "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"
      date = "2018/04/06"
      old_rule_name = "Z_WebShell"
      hash = "ace12552f3a980f1eed4cadb02afe1bfb851cafc8e58fb130e1329719a07dbf0"
      id = "f4b50760-bd3a-5e1f-bf32-50f16a42c381"
   strings:
      // Identifiers from the webshell source; both ASCII and UTF-16LE so that compiled
      // .NET assemblies as well as the .aspx text are covered. Named strings; "3 of them"
      // counts them exactly as the original anonymous ones.
      $postback = "Z_PostBackJS" ascii wide
      $download = "z_file_download" ascii wide
      $shell    = "z_WebShell" ascii wide
      // 32 hex characters; presumably a hard-coded access token or password hash -- TODO confirm against the sample.
      $token    = "1367948c7859d6533226042549228228" ascii wide
   condition:
      3 of them
}