156 lines
5.7 KiB
Text
156 lines
5.7 KiB
Text
|
|
||
|
/* Various rules - see the references */
|
||
|
|
||
|
rule PS_AMSI_Bypass : FILE {
|
||
|
meta:
|
||
|
description = "Detects PowerShell AMSI Bypass"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1"
|
||
|
date = "2017-07-19"
|
||
|
score = 65
|
||
|
id = "31ab8932-4c74-5251-a044-3fcc0aa159f4"
|
||
|
strings:
|
||
|
$s1 = ".GetField('amsiContext',[Reflection.BindingFlags]'NonPublic,Static')." ascii nocase
|
||
|
condition:
|
||
|
1 of them
|
||
|
}
|
||
|
|
||
|
rule JS_Suspicious_Obfuscation_Dropbox {
|
||
|
meta:
|
||
|
description = "Detects PowerShell AMSI Bypass"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "https://twitter.com/ItsReallyNick/status/887705105239343104"
|
||
|
date = "2017-07-19"
|
||
|
score = 70
|
||
|
id = "9b6b288d-3a15-5267-bbb1-885febf4df78"
|
||
|
strings:
|
||
|
$x1 = "j\"+\"a\"+\"v\"+\"a\"+\"s\"+\"c\"+\"r\"+\"i\"+\"p\"+\"t\""
|
||
|
$x2 = "script:https://www.dropbox.com" ascii
|
||
|
condition:
|
||
|
2 of them
|
||
|
}
|
||
|
|
||
|
rule JS_Suspicious_MSHTA_Bypass {
|
||
|
meta:
|
||
|
description = "Detects MSHTA Bypass"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "https://twitter.com/ItsReallyNick/status/887705105239343104"
|
||
|
date = "2017-07-19"
|
||
|
score = 70
|
||
|
id = "b2ddca78-c19a-5bb6-a1c9-4413e637ab1d"
|
||
|
strings:
|
||
|
$s1 = "mshtml,RunHTMLApplication" ascii
|
||
|
$s2 = "new ActiveXObject(\"WScript.Shell\").Run(" ascii
|
||
|
$s3 = "/c start mshta j" ascii nocase
|
||
|
condition:
|
||
|
2 of them
|
||
|
}
|
||
|
|
||
|
rule JavaScript_Run_Suspicious {
|
||
|
meta:
|
||
|
description = "Detects a suspicious Javascript Run command"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "https://twitter.com/craiu/status/900314063560998912"
|
||
|
score = 60
|
||
|
date = "2017-08-23"
|
||
|
id = "87f98ead-3052-5777-8877-574619173aaa"
|
||
|
strings:
|
||
|
$s1 = "w = new ActiveXObject(" ascii
|
||
|
$s2 = " w.Run(r);" fullword ascii
|
||
|
condition:
|
||
|
all of them
|
||
|
}
|
||
|
|
||
|
/* Certutil Rule Improved */
|
||
|
|
||
|
rule Certutil_Decode_OR_Download {
|
||
|
meta:
|
||
|
description = "Certutil Decode"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "Internal Research"
|
||
|
score = 40
|
||
|
date = "2017-08-29"
|
||
|
modified = "2023-10-19"
|
||
|
id = "63bdefd2-225a-56d5-b615-5e236c97f050"
|
||
|
strings:
|
||
|
$a1 = "certutil -decode " ascii wide
|
||
|
$a2 = "certutil -decode " ascii wide
|
||
|
$a3 = "certutil.exe -decode " ascii wide
|
||
|
$a4 = "certutil.exe -decode " ascii wide
|
||
|
$a5 = "certutil -urlcache -split -f http" ascii wide
|
||
|
$a6 = "certutil.exe -urlcache -split -f http" ascii wide
|
||
|
|
||
|
$fp_msi = { 52 00 6F 00 6F 00 74 00 20 00 45 00 6E 00 74 00 72 00 79 }
|
||
|
condition:
|
||
|
filesize < 700KB
|
||
|
and 1 of ($a*)
|
||
|
and not 1 of ($fp*)
|
||
|
}
|
||
|
|
||
|
rule Suspicious_JS_script_content {
|
||
|
meta:
|
||
|
description = "Detects suspicious statements in JavaScript files"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "Research on Leviathan https://goo.gl/MZ7dRg"
|
||
|
date = "2017-12-02"
|
||
|
score = 70
|
||
|
hash1 = "fc0fad39b461eb1cfc6be57932993fcea94fca650564271d1b74dd850c81602f"
|
||
|
id = "6a547aa5-c58c-5559-9d3f-3f0d541eafd4"
|
||
|
strings:
|
||
|
$x1 = "new ActiveXObject('WScript.Shell')).Run('cmd /c " ascii
|
||
|
$x2 = ".Run('regsvr32 /s /u /i:" ascii
|
||
|
$x3 = "new ActiveXObject('WScript.Shell')).Run('regsvr32 /s" fullword ascii
|
||
|
$x4 = "args='/s /u /i:" ascii
|
||
|
condition:
|
||
|
( filesize < 10KB and 1 of them )
|
||
|
}
|
||
|
|
||
|
rule Universal_Exploit_Strings {
|
||
|
meta:
|
||
|
description = "Detects a group of strings often used in exploit codes"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "not set"
|
||
|
date = "2017-12-02"
|
||
|
score = 50
|
||
|
hash1 = "9b07dacf8a45218ede6d64327c38478640ff17d0f1e525bd392c002e49fe3629"
|
||
|
id = "4b3a9eec-5f7c-579c-9719-fe23cc291aee"
|
||
|
strings:
|
||
|
$s1 = "Exploit" fullword ascii
|
||
|
$s2 = "Payload" fullword ascii
|
||
|
$s3 = "CVE-201" ascii
|
||
|
$s4 = "bindshell"
|
||
|
condition:
|
||
|
( filesize < 2KB and 3 of them )
|
||
|
}
|
||
|
|
||
|
rule VBS_Obfuscated_Mal_Feb18_1 {
|
||
|
meta:
|
||
|
description = "Detects malicious obfuscated VBS observed in February 2018"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "https://goo.gl/zPsn83"
|
||
|
date = "2018-02-12"
|
||
|
hash1 = "06960cb721609fe5a857fe9ca3696a84baba88d06c20920370ddba1b0952a8ab"
|
||
|
hash2 = "c5c0e28093e133d03c3806da0061a35776eed47d351e817709d2235b95d3a036"
|
||
|
hash3 = "e1765a2b10e2ff10235762b9c65e9f5a4b3b47d292933f1a710e241fe0417a74"
|
||
|
id = "39ea10e5-9dea-5cc8-8388-15378fcbab60"
|
||
|
strings:
|
||
|
$x1 = "A( Array( (1* 2^1 )+" ascii
|
||
|
$x2 = ".addcode(A( Array(" ascii
|
||
|
$x3 = "false:AA.send:Execute(AA.responsetext):end" ascii
|
||
|
$x4 = "& A( Array( (1* 2^1 )+" ascii
|
||
|
|
||
|
$s1 = ".SYSTEMTYPE:NEXT:IF (UCASE(" ascii
|
||
|
$s2 = "A = STR:next:end function" ascii
|
||
|
$s3 = "&WSCRIPT.SCRIPTFULLNAME&CHR" fullword ascii
|
||
|
condition:
|
||
|
filesize < 600KB and ( 1 of ($x*) or 3 of them )
|
||
|
}
|