/*
Yara Rule Set
Author: Ian.Ahl@fireeye.com @TekDefense, modified by Florian Roth
Date: 2017-06-05
Identifier: APT19
Reference: https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
*/
rule Beacon_K5om {
    // Matches the K5om.dll sample from the FireEye APT19 write-up (see reference/hash1):
    // a PE file under 600KB carrying the embedded command-line / error-message templates
    // listed under strings.
    // NOTE(review): $x1-$x3, $s1 and $s4 read like Cobalt Strike Beacon format strings
    // rather than Meterpreter; the description wording may want confirming.
    meta:
        description = "Detects Meterpreter Beacon - file K5om.dll"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html"
        date = "2017-06-07"
        // 64 hex digits - presumably the SHA-256 of the sample
        hash1 = "e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9"
        // Stable rule identifier (UUID form)
        id = "9354d20a-d798-55bf-a735-820f21d4a861"
    strings:
        // $x*: high-confidence strings - a single hit satisfies the condition.
        // PowerShell download-cradle template; port (%u) and trailing argument (%s)
        // are filled in at runtime, so only the fixed template is matched.
        $x1 = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s" fullword ascii
        // Encoded-command PowerShell launcher template with execution-policy bypass
        $x2 = "powershell -nop -exec bypass -EncodedCommand \"%s\"" fullword ascii
        // Injection error message (x86 host process vs. x64 payload)
        $x3 = "%d is an x86 process (can't inject x64 content)" fullword ascii

        // $s*: supporting strings - three of any listed strings are needed when
        // no $x string matches.
        // Token-access error message template
        $s1 = "Could not open process token: %d (%u)" fullword ascii
        // Module name embedded in the sample
        $s2 = "0fd00b.dll" fullword ascii
        // Dotted, hex-heavy format template (runs of %08x separated by '.');
        // presumably builds a label-style name from binary data - TODO confirm
        $s3 = "%s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" fullword ascii
        // Named-pipe connection error message template
        $s4 = "Could not connect to pipe (%s): %d" fullword ascii
    condition:
        // MZ header (0x5a4d read little-endian), size cap, then either one strong
        // ($x*) string or any three strings from the rule
        ( uint16(0) == 0x5a4d and filesize < 600KB and ( 1 of ($x*) or 3 of them ) )
}
/* Rule Set ----------------------------------------------------------------- */
rule FE_LEGALSTRIKE_MACRO {
    // Flags VBA macro source that assembles its payload string with a ChrW()
    // concatenation chain and launches it via WScript.Shell. Tied to sample
    // 30f149479c02b741e897cdb9ecd22da7 (see description). All strings are
    // matched in both ASCII and UTF-16LE (ascii wide).
    meta:
        version=".1"
        filetype="MACRO"
        author="Ian.Ahl@fireeye.com @TekDefense - modified by Florian Roth"
        date="2017-06-02"
        description="This rule is designed to identify macros with the specific encoding used in the sample 30f149479c02b741e897cdb9ecd22da7."
        // Stable rule identifier (UUID form)
        id = "eb15e5aa-16e5-5c07-a293-ad15c0c09d8e"
    strings:
        // OBFUSCATION: ChrW() chain; the character codes decode to "regsvr32.e"
        // (start of "regsvr32.exe"), i.e. the binary name is built at runtime
        // rather than written in clear.
        $ob1 = "ChrW(114) & ChrW(101) & ChrW(103) & ChrW(115) & ChrW(118) & ChrW(114) & ChrW(51) & ChrW(50) & ChrW(46) & ChrW(101)" ascii wide
        // wscript: WScript.Shell object creation and the Run call that executes
        // the assembled command
        $wsobj1 = "Set Obj = CreateObject(\"WScript.Shell\")" ascii wide
        $wsobj2 = "Obj.Run " ascii wide
    condition:
        // Requires the obfuscated fragment and both WScript.Shell strings together
        all of them
}
rule FE_LEGALSTRIKE_RTF {
    // RTF documents carrying an embedded OLE2Link object, the CVE-2017-0199
    // delivery vector named in the description. Embedded object data appears in
    // RTF as hex text, which is why the string literals below are hex strings
    // rather than the decoded names.
    meta:
        version=".1"
        // NOTE(review): filetype says MACRO, but the condition matches RTF
        // documents; this looks copied from FE_LEGALSTRIKE_MACRO - confirm
        // before relying on the meta value downstream
        filetype="MACRO"
        author="joshua.kim@FireEye. - modified by Florian Roth"
        date="2017-06-02"
        description="Rtf Phishing Campaign leveraging the CVE 2017-0199 exploit, to point to the domain 2bunnyDOTcom"
        // Stable rule identifier (UUID form)
        id = "b62ceffa-445f-517e-b86b-56e47876c6c0"
    strings:
        // Hex of UTF-16LE "LinkInfo"
        $lnkinfo = "4c0069006e006b0049006e0066006f"
        // Hex of ASCII "OLE2Link" - the object class name associated with
        // CVE-2017-0199 (see description)
        $encoded1 = "4f4c45324c696e6b"
        // Hex of UTF-16LE "Root Entry" (OLE compound-file root storage name)
        $encoded2 = "52006f006f007400200045006e007400720079"
        // Hex of UTF-16LE "ObjInfo"
        $encoded3 = "4f0062006a0049006e0066006f"
        // Hex of UTF-16LE "Ole"
        $encoded4 = "4f006c0065"
        // RTF control-word fragment \*\datastore (backslashes escaped for YARA)
        $datastore = "\\*\\datastore"
    condition:
        // First four bytes are "{\rt" (0x7B 0x5C 0x72 0x74), the start of the
        // "{\rtf" header, and every string above must be present
        uint32be(0) == 0x7B5C7274 and all of them
}