Sneed-Reactivity/yara-Neo23x0/expl_proxyshell.yar

267 lines
11 KiB
Text
Raw Normal View History

rule EXPL_Exchange_ProxyShell_Failed_Aug21_1 : SCRIPT {
meta:
description = "Detects ProxyShell exploitation attempts in log files"
author = "Florian Roth (Nextron Systems)"
score = 50
reference = "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html"
date = "2021-08-08"
modified = "2021-08-09"
id = "9b849042-8918-5322-a35a-2165d4b541d5"
strings:
$xr1 = / \/autodiscover\/autodiscover\.json[^\n]{1,300}\/(powershell|mapi\/nspi|EWS\/|X-Rps-CAT)[^\n]{1,400}401 0 0/ nocase ascii
$xr3 = /Email=autodiscover\/autodiscover\.json[^\n]{1,400}401 0 0/ nocase ascii
condition:
1 of them
}
rule EXPL_Exchange_ProxyShell_Successful_Aug21_1 : SCRIPT {
meta:
description = "Detects successful ProxyShell exploitation attempts in log files"
author = "Florian Roth (Nextron Systems)"
score = 85
reference = "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html"
date = "2021-08-08"
modified = "2021-08-09"
id = "8c11cd1a-6d3f-5f29-af61-17179b01ca8b"
strings:
$xr1a = / \/autodiscover\/autodiscover\.json[^\n]{1,300}\/(powershell|X-Rps-CAT)/ nocase ascii
$xr1b = / \/autodiscover\/autodiscover\.json[^\n]{1,300}\/(mapi\/nspi|EWS\/)[^\n]{1,400}(200|302) 0 0/
$xr2 = /autodiscover\/autodiscover\.json[^\n]{1,60}&X-Rps-CAT=/ nocase ascii
$xr3 = /Email=autodiscover\/autodiscover\.json[^\n]{1,400}200 0 0/ nocase ascii
condition:
1 of them
}
rule WEBSHELL_ASPX_ProxyShell_Aug21_2 {
meta:
description = "Detects webshells dropped by ProxyShell exploitation based on their file header (must be PST), size and content"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-servers-are-getting-hacked-via-proxyshell-exploits/"
date = "2021-08-13"
id = "a351a466-695e-570e-8c7f-9c6c0534839c"
strings:
$s1 = "Page Language=" ascii nocase
condition:
uint32(0) == 0x4e444221 /* PST header: !BDN */
and filesize < 2MB
and $s1
}
rule WEBSHELL_ASPX_ProxyShell_Aug21_3 {
meta:
description = "Detects webshells dropped by ProxyShell exploitation based on their file header (must be DER), size and content"
author = "Max Altgelt"
reference = "https://twitter.com/gossithedog/status/1429175908905127938?s=12"
date = "2021-08-23"
score = 75
id = "a7bca62b-c8f1-5a38-81df-f3d4582a590b"
strings:
$s1 = "Page Language=" ascii nocase
condition:
uint16(0) == 0x8230 /* DER start */
and filesize < 10KB
and $s1
}
rule WEBSHELL_ASPX_ProxyShell_Sep21_1 {
meta:
description = "Detects webshells dropped by ProxyShell exploitation based on their file header (must be PST) and base64 decoded request"
author = "Tobias Michalski"
date = "2021-09-17"
reference = "Internal Research"
hash = "219468c10d2b9d61a8ae70dc8b6d2824ca8fbe4e53bbd925eeca270fef0fd640"
score = 75
id = "d0d23e17-6b6a-51d1-afd9-59cc2404bcd8"
strings:
$s = ".FromBase64String(Request["
condition:
uint32(0) == 0x4e444221
and any of them
}
rule APT_IIS_Config_ProxyShell_Artifacts {
meta:
description = "Detects virtual directory configured in IIS pointing to a ProgramData folder (as found in attacks against Exchange servers in August 2021)"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit"
date = "2021-08-25"
score = 90
id = "21888fc0-82c6-555a-9320-9cbb8332a843"
strings:
$a1 = "<site name=" ascii /* marker used to select IIS configs */
$a2 = "<sectionGroup name=\"system.webServer\">" ascii
$sa1 = " physicalPath=\"C:\\ProgramData\\COM" ascii
$sa2 = " physicalPath=\"C:\\ProgramData\\WHO" ascii
$sa3 = " physicalPath=\"C:\\ProgramData\\ZING" ascii
$sa4 = " physicalPath=\"C:\\ProgramData\\ZOO" ascii
$sa5 = " physicalPath=\"C:\\ProgramData\\XYZ" ascii
$sa6 = " physicalPath=\"C:\\ProgramData\\AUX" ascii
$sa7 = " physicalPath=\"C:\\ProgramData\\CON\\" ascii
$sb1 = " physicalPath=\"C:\\Users\\All Users\\" ascii
condition:
filesize < 500KB and all of ($a*) and 1 of ($s*)
}
rule WEBSHELL_ASPX_ProxyShell_Exploitation_Aug21_1 {
meta:
description = "Detects unknown malicious loaders noticed in August 2021"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/VirITeXplorer/status/1430206853733097473"
date = "2021-08-25"
score = 90
id = "1fa563fc-c91c-5f4e-98f1-b895e1acb4f4"
strings:
$x1 = ");eval/*asf" ascii
condition:
filesize < 600KB and 1 of them
}
rule WEBSHELL_ASPX_ProxyShell_Aug15 {
meta:
description = "Webshells iisstart.aspx and Logout.aspx"
author = "Moritz Oettle"
reference = "https://github.com/hvs-consulting/ioc_signatures/tree/main/Proxyshell"
date = "2021-09-04"
score = 75
id = "b1e6c0f3-787f-59b8-8123-4045522047ca"
strings:
$g1 = "language=\"JScript\"" ascii
$g2 = "function getErrorWord" ascii
$g3 = "errorWord" ascii
$g4 = "Response.Redirect" ascii
$g5 = "function Page_Load" ascii
$g6 = "runat=\"server\"" ascii
$g7 = "Request[" ascii
$g8 = "eval/*" ascii
$s1 = "AppcacheVer" ascii /* HTTP Request Parameter */
$s2 = "clientCode" ascii /* HTTP Request Parameter */
$s3 = "LaTkWfI64XeDAXZS6pU1KrsvLAcGH7AZOQXjrFkT816RnFYJQR" ascii
condition:
filesize < 1KB and
( 1 of ($s*) or 4 of ($g*) )
}
rule WEBSHELL_Mailbox_Export_PST_ProxyShell_Aug26 {
meta:
description = "Webshells generated by an Mailbox export to PST and stored as aspx: 570221043.aspx 689193944.aspx luifdecggoqmansn.aspx"
author = "Moritz Oettle"
reference = "https://github.com/hvs-consulting/ioc_signatures/tree/main/Proxyshell"
date = "2021-09-04"
score = 85
id = "6aea414f-d27c-5202-84f8-b8620782fc90"
strings:
$x1 = "!BDN" /* PST file header */
$g1 = "Page language=" ascii
$g2 = "<%@ Page" ascii
$g3 = "Request.Item[" ascii
$g4 = "\"unsafe\");" ascii
$g5 = "<%eval(" ascii
$g6 = "script language=" ascii
$g7 = "Request[" ascii
$s1 = "gold8899" ascii /* HTTP Request Parameter */
$s2 = "exec_code" ascii /* HTTP Request Parameter */
$s3 = "orangenb" ascii /* HTTP Request Parameter */
condition:
filesize < 500KB and
$x1 at 0 and
( 1 of ($s*) or 3 of ($g*) )
}
/*
Hunting Rules
*/
rule SUSP_IIS_Config_ProxyShell_Artifacts {
meta:
description = "Detects suspicious virtual directory configured in IIS pointing to a ProgramData folder (as found in attacks against Exchange servers in August 2021)"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit"
date = "2021-08-25"
score = 70
id = "bde65d9e-b17d-5746-8d29-8419363d0511"
strings:
$a1 = "<site name=" ascii /* marker used to select IIS configs */
$a2 = "<sectionGroup name=\"system.webServer\">" ascii
$s1 = " physicalPath=\"C:\\ProgramData\\" ascii
condition:
filesize < 500KB and all of ($a*) and 1 of ($s*)
}
rule SUSP_IIS_Config_VirtualDir {
meta:
description = "Detects suspicious virtual directory configured in IIS pointing to a User folder"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit"
date = "2021-08-25"
modified = "2022-09-17"
score = 60
id = "cfe5ca5e-a0cc-5f60-84d2-1b0538e999c7"
strings:
$a1 = "<site name=" ascii /* marker used to select IIS configs */
$a2 = "<sectionGroup name=\"system.webServer\">" ascii
$s2 = " physicalPath=\"C:\\Users\\" ascii
$fp1 = "Microsoft.Web.Administration" wide
$fp2 = "<virtualDirectory path=\"/\" physicalPath=\"C:\\Users\\admin\\"
condition:
filesize < 500KB and all of ($a*) and 1 of ($s*)
and not 1 of ($fp*)
}
rule SUSP_ASPX_PossibleDropperArtifact_Aug21 {
meta:
description = "Detects an ASPX file with a non-ASCII header, often a result of MS Exchange drop techniques"
reference = "Internal Research"
author = "Max Altgelt"
date = "2021-08-23"
score = 60
id = "52016598-74a1-53d6-812a-40b078ba0bb9"
strings:
$s1 = "Page Language=" ascii nocase
$fp1 = "Page Language=\"java\"" ascii nocase
condition:
filesize < 500KB
and not uint16(0) == 0x4B50 and not uint16(0) == 0x6152 and not uint16(0) == 0x8b1f // Exclude ZIP / RAR / GZIP files (can cause FPs when uncompressed)
and not uint16(0) == 0x5A4D // PE
and not uint16(0) == 0xCFD0 // OLE
and not uint16(0) == 0xC3D4 // PCAP
and not uint16(0) == 0x534D // CAB
and all of ($s*) and not 1 of ($fp*) and
(
((uint8(0) < 0x20 or uint8(0) > 0x7E /*non-ASCII*/ ) and uint8(0) != 0x9 /* tab */ and uint8(0) != 0x0D /* carriage return */ and uint8(0) != 0x0A /* new line */ and uint8(0) != 0xEF /* BOM UTF-8 */)
or ((uint8(1) < 0x20 or uint8(1) > 0x7E /*non-ASCII*/ ) and uint8(1) != 0x9 /* tab */ and uint8(1) != 0x0D /* carriage return */ and uint8(1) != 0x0A /* new line */ and uint8(1) != 0xBB /* BOM UTF-8 */)
or ((uint8(2) < 0x20 or uint8(2) > 0x7E /*non-ASCII*/ ) and uint8(2) != 0x9 /* tab */ and uint8(2) != 0x0D /* carriage return */ and uint8(2) != 0x0A /* new line */ and uint8(2) != 0xBF /* BOM UTF-8 */)
or ((uint8(3) < 0x20 or uint8(3) > 0x7E /*non-ASCII*/ ) and uint8(3) != 0x9 /* tab */ and uint8(3) != 0x0D /* carriage return */ and uint8(3) != 0x0A /* new line */)
or ((uint8(4) < 0x20 or uint8(4) > 0x7E /*non-ASCII*/ ) and uint8(4) != 0x9 /* tab */ and uint8(4) != 0x0D /* carriage return */ and uint8(4) != 0x0A /* new line */)
or ((uint8(5) < 0x20 or uint8(5) > 0x7E /*non-ASCII*/ ) and uint8(5) != 0x9 /* tab */ and uint8(5) != 0x0D /* carriage return */ and uint8(5) != 0x0A /* new line */)
or ((uint8(6) < 0x20 or uint8(6) > 0x7E /*non-ASCII*/ ) and uint8(6) != 0x9 /* tab */ and uint8(6) != 0x0D /* carriage return */ and uint8(6) != 0x0A /* new line */)
or ((uint8(7) < 0x20 or uint8(7) > 0x7E /*non-ASCII*/ ) and uint8(7) != 0x9 /* tab */ and uint8(7) != 0x0D /* carriage return */ and uint8(7) != 0x0A /* new line */)
)
}
rule WEBSHELL_ProxyShell_Exploitation_Nov21_1 {
meta:
description = "Detects webshells dropped by DropHell malware"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.deepinstinct.com/blog/do-not-exchange-it-has-a-shell-inside"
date = "2021-11-01"
score = 85
id = "300eaadf-db0c-5591-84fc-abdf7cdd90c1"
strings:
$s01 = ".LoadXml(System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(Request[" ascii wide
$s02 = "new System.IO.MemoryStream()" ascii wide
$s03 = "Transform(" ascii wide
condition:
all of ($s*)
}