Sneed-Reactivity/yara-Neo23x0/thor_inverse_matches.yar

582 lines
21 KiB
Text
Raw Normal View History

/*
THOR Yara Inverse Matches
> Detect system file manipulations and common APT anomalies
This is an extract from the THOR signature database
Reference:
http://www.bsk-consulting.de/2014/05/27/inverse-yara-signature-matching/
https://www.bsk-consulting.de/2014/08/28/scan-system-files-manipulations-yara-inverse-matching-22/
Notice: These rules require an external variable called "filename"
License: Detetction Rule License 1.1 (https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md)
*/
import "pe"
private rule WINDOWS_UPDATE_BDC
{
meta:
score = 0
condition:
(uint32be(0) == 0x44434d01 and // magic: DCM PA30
uint32be(4) == 0x50413330)
or
(uint32be(0) == 0x44434401 and
uint32be(12)== 0x50413330) // magic: DCD PA30
}
/* Rules -------------------------------------------------------------------- */
rule iexplore_ANOMALY {
meta:
author = "Florian Roth (Nextron Systems)"
description = "Abnormal iexplore.exe - typical strings not found in file"
date = "23/04/2014"
score = 55
nodeepdive = 1
id = "ea436608-d191-5058-b844-025e48082edc"
strings:
$win2003_win7_u1 = "IEXPLORE.EXE" wide nocase
$win2003_win7_u2 = "Internet Explorer" wide fullword
$win2003_win7_u3 = "translation" wide fullword nocase
$win2003_win7_u4 = "varfileinfo" wide fullword nocase
condition:
filename == "iexplore.exe"
and uint16(0) == 0x5a4d
and not filepath contains "teamviewer"
and not 1 of ($win*) and not WINDOWS_UPDATE_BDC
and filepath contains "C:\\"
and not filepath contains "Package_for_RollupFix"
}
rule svchost_ANOMALY {
meta:
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
description = "Abnormal svchost.exe - typical strings not found in file"
date = "23/04/2014"
score = 55
id = "5630054d-9fa4-587f-ba78-cda4478f9cc1"
strings:
$win2003_win7_u1 = "svchost.exe" wide nocase
$win2003_win7_u3 = "coinitializesecurityparam" wide fullword nocase
$win2003_win7_u4 = "servicedllunloadonstop" wide fullword nocase
$win2000 = "Generic Host Process for Win32 Services" wide fullword
$win2012 = "Host Process for Windows Services" wide fullword
condition:
filename == "svchost.exe"
and uint16(0) == 0x5a4d
and not 1 of ($win*) and not WINDOWS_UPDATE_BDC
}
/* removed 1 rule here */
rule explorer_ANOMALY {
meta:
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
description = "Abnormal explorer.exe - typical strings not found in file"
date = "27/05/2014"
score = 55
id = "ecadd78f-21a1-5a9f-8f3f-cb51e872805b"
strings:
$s1 = "EXPLORER.EXE" wide fullword
$s2 = "Windows Explorer" wide fullword
condition:
filename == "explorer.exe"
and uint16(0) == 0x5a4d
and not filepath contains "teamviewer"
and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
}
rule sethc_ANOMALY {
meta:
description = "Sethc.exe has been replaced - Indicates Remote Access Hack RDP"
author = "F. Roth"
reference = "http://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf"
date = "2014/01/23"
score = 70
id = "9dfbab4e-3dc8-5246-a051-1618f2ca5f39"
strings:
$s1 = "stickykeys" fullword nocase
$s2 = "stickykeys" wide nocase
$s3 = "Control_RunDLL access.cpl" wide fullword
$s4 = "SETHC.EXE" wide fullword
condition:
filename == "sethc.exe"
and uint16(0) == 0x5a4d
and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
}
rule Utilman_ANOMALY {
meta:
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
description = "Abnormal utilman.exe - typical strings not found in file"
date = "01/06/2014"
score = 70
id = "98daff9b-1600-56b3-87ff-637deaa6808c"
strings:
$win7 = "utilman.exe" wide fullword
$win2000 = "Start with Utility Manager" fullword wide
$win2012 = "utilman2.exe" fullword wide
condition:
( filename == "utilman.exe" or filename == "Utilman.exe" )
and uint16(0) == 0x5a4d
and not 1 of ($win*) and not WINDOWS_UPDATE_BDC
}
rule osk_ANOMALY {
meta:
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
description = "Abnormal osk.exe (On Screen Keyboard) - typical strings not found in file"
date = "01/06/2014"
score = 55
id = "6b78b001-f863-5a24-a9d1-ee5e8305766b"
strings:
$s1 = "Accessibility On-Screen Keyboard" wide fullword
$s2 = "\\oskmenu" wide fullword
$s3 = "&About On-Screen Keyboard..." wide fullword
$s4 = "Software\\Microsoft\\Osk" wide
condition:
filename == "osk.exe"
and uint16(0) == 0x5a4d
and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
}
rule magnify_ANOMALY {
meta:
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
description = "Abnormal magnify.exe (Magnifier) - typical strings not found in file"
date = "01/06/2014"
score = 55
id = "db75201e-81a3-5f82-bf6f-ba155bfbcf81"
strings:
$win7 = "Microsoft Screen Magnifier" wide fullword
$win2000 = "Microsoft Magnifier" wide fullword
$winxp = "Software\\Microsoft\\Magnify" wide
condition:
filename =="magnify.exe"
and uint16(0) == 0x5a4d
and not 1 of ($win*) and not WINDOWS_UPDATE_BDC
}
rule narrator_ANOMALY {
meta:
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
description = "Abnormal narrator.exe - typical strings not found in file"
date = "01/06/2014"
score = 55
id = "a51f1916-f89a-58a9-b65c-91bf99575b80"
strings:
$win7 = "Microsoft-Windows-Narrator" wide fullword
$win2000 = "&About Narrator..." wide fullword
$win2012 = "Screen Reader" wide fullword
$winxp = "Software\\Microsoft\\Narrator"
$winxp_en = "SOFTWARE\\Microsoft\\Speech\\Voices" wide
condition:
filename == "narrator.exe"
and uint16(0) == 0x5a4d
and not 1 of ($win*) and not WINDOWS_UPDATE_BDC
}
rule notepad_ANOMALY {
meta:
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
description = "Abnormal notepad.exe - typical strings not found in file"
date = "01/06/2014"
score = 55
id = "16ddcd9e-ab6f-593e-80e0-a90399cbc3df"
strings:
$win7 = "HELP_ENTRY_ID_NOTEPAD_HELP" wide fullword
$win2000 = "Do you want to create a new file?" wide fullword
$win2003 = "Do you want to save the changes?" wide
$winxp = "Software\\Microsoft\\Notepad" wide
$winxp_de = "Software\\Microsoft\\Notepad" wide
condition:
filename == "notepad.exe"
and uint16(0) == 0x5a4d
and not 1 of ($win*) and not WINDOWS_UPDATE_BDC
}
/* NEW ---------------------------------------------------------------------- */
rule csrss_ANOMALY {
meta:
description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file csrss.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "not set"
date = "2015/03/16"
hash = "17542707a3d9fa13c569450fd978272ef7070a77"
id = "bbd2841a-ec72-5eb4-b34a-5ecbf9c5b517"
strings:
$s1 = "Client Server Runtime Process" fullword wide
$s4 = "name=\"Microsoft.Windows.CSRSS\"" fullword ascii
$s5 = "CSRSRV.dll" fullword ascii
$s6 = "CsrServerInitialization" fullword ascii
condition:
filename == "csrss.exe"
and uint16(0) == 0x5a4d
and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
}
rule conhost_ANOMALY {
meta:
description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file conhost.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "not set"
date = "2015/03/16"
hash = "1bd846aa22b1d63a1f900f6d08d8bfa8082ae4db"
id = "9803fa1b-bcaf-5451-831b-fc0dc9d711f2"
strings:
$s2 = "Console Window Host" fullword wide
condition:
filename == "conhost.exe"
and uint16(0) == 0x5a4d
and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
}
rule wininit_ANOMALY {
meta:
description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file wininit.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "not set"
date = "2015/03/16"
hash = "2de5c051c0d7d8bcc14b1ca46be8ab9756f29320"
id = "a251984f-c667-55ec-8cc3-3888e80ddf1e"
strings:
$s1 = "Windows Start-Up Application" fullword wide
condition:
filename == "wininit.exe"
and uint16(0) == 0x5a4d
and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
}
rule winlogon_ANOMALY {
meta:
description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file winlogon.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "not set"
date = "2015/03/16"
hash = "af210c8748d77c2ff93966299d4cd49a8c722ef6"
id = "ee424459-8048-52b8-ba97-4d09265a881f"
strings:
$s1 = "AuthzAccessCheck failed" fullword
$s2 = "Windows Logon Application" fullword wide
condition:
filename == "winlogon.exe"
and not 1 of ($s*)
and uint16(0) == 0x5a4d
and not WINDOWS_UPDATE_BDC
and not filepath contains "Malwarebytes"
}
rule SndVol_ANOMALY {
meta:
description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file SndVol.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "not set"
date = "2015/03/16"
hash = "e057c90b675a6da19596b0ac458c25d7440b7869"
id = "0c4d705f-4b24-55f9-bcf4-3f65eea0b7af"
strings:
$s1 = "Volume Control Applet" fullword wide
condition:
filename == "sndvol.exe"
and uint16(0) == 0x5a4d
and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
}
rule doskey_ANOMALY {
meta:
description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file doskey.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "not set"
date = "2015/03/16"
hash = "f2d1995325df0f3ca6e7b11648aa368b7e8f1c7f"
id = "be9c239a-2918-5330-bbd0-33cc17067f70"
strings:
$s3 = "Keyboard History Utility" fullword wide
condition:
filename == "doskey.exe"
and uint16(0) == 0x5a4d
and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
}
rule lsass_ANOMALY {
meta:
description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file lsass.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "not set"
date = "2015/03/16"
hash = "04abf92ac7571a25606edfd49dca1041c41bef21"
id = "0c0f6129-3e01-56d3-b297-cee231567759"
strings:
$s1 = "LSA Shell" fullword wide
$s2 = "<description>Local Security Authority Process</description>" fullword ascii
$s3 = "Local Security Authority Process" fullword wide
$s4 = "LsapInitLsa" fullword
condition:
filename == "lsass.exe"
and uint16(0) == 0x5a4d
and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
}
rule taskmgr_ANOMALY {
meta:
description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file taskmgr.exe"
author = "Florian Roth (Nextron Systems)"
reference = "not set"
date = "2015/03/16"
nodeepdive = 1
hash = "e8b4d84a28e5ea17272416ec45726964fdf25883"
id = "e1c3a150-6e7e-5ead-a338-0bac6f43185d"
strings:
$s0 = "Windows Task Manager" fullword wide
$s1 = "taskmgr.chm" fullword
$s2 = "TmEndTaskHandler::" ascii
$s3 = "CM_Request_Eject_PC" /* Win XP */
$s4 = "NTShell Taskman Startup Mutex" fullword wide
condition:
( filename == "taskmgr.exe" or filename == "Taskmgr.exe" ) and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
and uint16(0) == 0x5a4d
and filepath contains "C:\\"
and not filepath contains "Package_for_RollupFix"
}
/* removed 22 rules here */
/* APT ---------------------------------------------------------------------- */
rule APT_Cloaked_PsExec
{
meta:
description = "Looks like a cloaked PsExec. This may be APT group activity."
date = "2014-07-18"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 60
id = "e389bb76-0d1d-5e0e-9f79-a3117c919da3"
strings:
$s0 = "psexesvc.exe" wide fullword
$s1 = "Sysinternals PsExec" wide fullword
condition:
uint16(0) == 0x5a4d and $s0 and $s1
and not filename matches /(psexec.exe|PSEXESVC.EXE|PsExec64.exe)$/is
and not filepath matches /RECYCLE.BIN\\S-1/
}
/* removed 6 rules here */
rule APT_Cloaked_SuperScan
{
meta:
description = "Looks like a cloaked SuperScan Port Scanner. This may be APT group activity."
date = "2014-07-18"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 50
id = "96027f7d-822c-5c5e-acd9-cde8289c6b50"
strings:
$s0 = "SuperScan4.exe" wide fullword
$s1 = "Foundstone Inc." wide fullword
condition:
uint16(0) == 0x5a4d and $s0 and $s1 and not filename contains "superscan"
}
rule APT_Cloaked_ScanLine
{
meta:
description = "Looks like a cloaked ScanLine Port Scanner. This may be APT group activity."
date = "2014-07-18"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 50
id = "78041dc0-491b-5a44-a125-3ad72b266cf8"
strings:
$s0 = "ScanLine" wide fullword
$s1 = "Command line port scanner" wide fullword
$s2 = "sl.exe" wide fullword
condition:
uint16(0) == 0x5a4d and $s0 and $s1 and $s2 and not filename == "sl.exe"
}
rule SUSP_Renamed_Dot1Xtray {
meta:
description = "Detects a legitimate renamed dot1ctray.exe, which is often used by PlugX for DLL side-loading"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2018-11-15"
hash1 = "f9ebf6aeb3f0fb0c29bd8f3d652476cd1fe8bd9a0c11cb15c43de33bbce0bf68"
id = "3685a79e-7dd6-5221-b58a-6ec1c61030cc"
strings:
$a1 = "\\Symantec_Network_Access_Control\\" ascii
$a2 = "\\dot1xtray.pdb" ascii
$a3 = "DOT1X_NAMED_PIPE_CONNECT" fullword wide /* Goodware String - occured 2 times */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them
and not filename matches /dot1xtray.exe/i
and not filepath matches /Recycle.Bin/i
}
rule APT_Cloaked_CERTUTIL {
meta:
description = "Detects a renamed certutil.exe utility that is often used to decode encoded payloads"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2018-09-14"
modified = "2022-06-27"
id = "13943cda-6bb1-5c6c-8e55-e8d4bba1ffef"
strings:
$s1 = "-------- CERT_CHAIN_CONTEXT --------" fullword ascii
$s5 = "certutil.pdb" fullword ascii
$s3 = "Password Token" fullword ascii
condition:
uint16(0) == 0x5a4d and all of them
and not filename contains "certutil"
and not filename contains "CertUtil"
and not filename contains "Certutil"
and not filepath contains "\\Bromium\\"
}
rule APT_SUSP_Solarwinds_Orion_Config_Anomaly_Dec20 {
meta:
description = "Detects a suspicious renamed Afind.exe as used by different attackers"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/iisresetme/status/1339546337390587905?s=12"
date = "2020-12-15"
score = 70
nodeepdive = 1
id = "440a3eb9-b573-53ea-ab26-c44d9cf62401"
strings:
$s1 = "ReportWatcher" fullword wide ascii
$fp1 = "ReportStatus" fullword wide ascii
condition:
filename == "SolarWindows.Orion.Core.BusinessLayer.dll.config"
and $s1
and not $fp1
}
rule PAExec_Cloaked {
meta:
description = "Detects a renamed remote access tool PAEXec (like PsExec)"
author = "Florian Roth (Nextron Systems)"
reference = "http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/"
date = "2017-03-27"
score = 70
hash1 = "01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc"
id = "fad8417b-bbdb-5a4e-8324-660e27cb39f8"
strings:
$x1 = "Ex: -rlo C:\\Temp\\PAExec.log" fullword ascii
$x2 = "Can't enumProcesses - Failed to get token for Local System." fullword wide
$x3 = "PAExec %s - Execute Programs Remotely" fullword wide
$x4 = "\\\\%s\\pipe\\PAExecIn%s%u" fullword wide
$x5 = "\\\\.\\pipe\\PAExecIn%s%u" fullword wide
$x6 = "%%SystemRoot%%\\%s.exe" fullword wide
$x7 = "in replacement for PsExec, so the command-line usage is identical, with " fullword ascii
$x8 = "\\\\%s\\ADMIN$\\PAExec_Move%u.dat" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 600KB and 1 of ($x*) )
and not filename == "paexec.exe"
and not filename == "PAExec.exe"
and not filename == "PAEXEC.EXE"
and not filename matches /Install/
and not filename matches /uninstall/
}
rule SUSP_VULN_DRV_PROCEXP152_May23 {
meta:
description = "Detects vulnerable process explorer driver (original file name: PROCEXP152.SYS), often used by attackers to elevate privileges (false positives are possible in cases in which old versions of process explorer are still present on the system)"
author = "Florian Roth"
reference = "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/"
date = "2023-05-05"
modified = "2023-07-28"
score = 50
hash1 = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc"
id = "748eb390-f320-5045-bed2-24ae70471f43"
strings:
$a1 = "\\ProcExpDriver.pdb" ascii
$a2 = "\\Device\\PROCEXP152" wide fullword
$a3 = "procexp.Sys" wide fullword
condition:
uint16(0) == 0x5a4d
and filesize < 200KB
and all of them
}
rule SUSP_VULN_DRV_PROCEXP152_Renamed_May23 {
meta:
description = "Detects vulnerable process explorer driver (original file name: PROCEXP152.SYS) that has been renamed (often used by attackers to elevate privileges)"
author = "Florian Roth"
reference = "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/"
date = "2023-05-05"
score = 70
hash1 = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc"
id = "af2ec5d5-3453-5d35-8d19-4f37c61fabce"
strings:
$a1 = "\\ProcExpDriver.pdb" ascii
$a2 = "\\Device\\PROCEXP152" wide fullword
$a3 = "procexp.Sys" wide fullword
condition:
uint16(0) == 0x5a4d
and filesize < 200KB
and all of them
and not filename matches /PROCEXP152\.SYS/i
}
rule SUSP_ANOMALY_Teams_Binary_Nov23 : SCRIPT {
meta:
description = "Detects a suspicious binary with the name teams.exe, update.exe or squirrel.exe in the AppData folder of Microsoft Teams that is unsigned or signed by a different CA"
author = "Florian Roth"
score = 60
reference = "https://twitter.com/steve_noel/status/1722698479636476325/photo/1"
date = "2023-11-11"
id = "60557ed1-ac16-5e3b-b105-157dc34f6ad7"
strings:
$a1 = "Microsoft Code Signing PCA" ascii
condition:
(
filename iequals "teams.exe" or
filename iequals "update.exe" or
filename iequals "squirrel.exe"
)
and filepath icontains "\\AppData\\Local\\Microsoft\\Teams"
and pe.number_of_signatures == 0
and not $a1
}
rule SAM_Hive_Backup {
meta:
description = "Detects a SAM hive backup file - SAM is the Security Account Manager - contains password hashes"
author = "Florian Roth"
reference = "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-hashes-from-sam-registry"
score = 60
nodeepdive = 1
date = "2015-03-31"
modified = "2023-12-12"
id = "31fb6c0c-966d-5002-bf8c-4129964c81ff"
strings:
$s1 = "\\SystemRoot\\System32\\Config\\SAM" wide
condition:
uint32(0) == 0x66676572 and $s1 in (0..200)
and not filepath contains "\\System32\\Config"
and not filepath contains "\\System32\\config"
and not filepath contains "System Volume Information"
and not filepath contains "\\config\\RegBack"
}