Sneed-Reactivity/yara-Neo23x0/gen_susp_wer_files.yar

55 lines
2 KiB
Text
Raw Normal View History

rule SUSP_WER_Critical_HeapCorruption {
meta:
description = "Detects a crashed application that crashed due to a heap corruption error (could be a sign of exploitation)"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/cyb3rops/status/1185459425710092288"
date = "2019-10-18"
score = 45
id = "2b1dad5f-cc2c-5d8c-8275-ebb56d079895"
strings:
$a1 = "ReportIdentifier=" wide
$a2 = ".Name=Fault Module Name" wide
$s1 = "c0000374" wide /* Heap Corruption */
condition:
( uint32be(0) == 0x56006500 or uint32be(0) == 0xfffe5600 )
and all of them
}
rule SUSP_WER_Suspicious_Crash_Directory {
meta:
description = "Detects a crashed application executed in a suspicious directory"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/cyb3rops/status/1185585050059976705"
date = "2019-10-18"
score = 45
id = "bf91e20c-aa35-5b13-86ed-a63e6fb4d1a2"
strings:
$a1 = "ReportIdentifier=" wide
$a2 = ".Name=Fault Module Name" wide
$a3 = "AppPath=" wide nocase
/* Whitelist */
$l1 = "AppPath=C:\\Windows\\" wide nocase
$l2 = "AppPath=C:\\Program" wide nocase
$l3 = "AppPath=C:\\Python" wide nocase
$l4 = "AppPath=C:\\Users\\" wide nocase
/* Blacklist */
/* covered via Whitelist
$s1 = "AppPath=C:\\$Recycle.Bin\\" wide
$s2 = "AppPath=C:\\Perflogs\\" wide
$s3 = "AppPath=C:\\Temp\\" wide
$s4 = "AppPath=\\\\" wide // network share, or \\tsclient\c etc.
$s5 = /AppPath=[C-Z]:\\\\[^\\]{1,64}\.exe/ wide nocase // in the root of a partition - no sub folder
*/
$s6 = "AppPath=C:\\Users\\Public\\" nocase wide
$s7 = "AppPath=C:\\Users\\Default\\" nocase wide
/* Root of AppData */
$s8 = /AppPath=C:\\Users\\[^\\]{1,64}\\AppData\\(Local|Roaming)\\[^\\]{1,64}\.exe/ wide nocase
condition:
( uint32be(0) == 0x56006500 or uint32be(0) == 0xfffe5600 )
and all of ($a*) and ( not 1 of ($l*) or 1 of ($s*) )
}