
rule APT_UNC5221_Ivanti_ForensicArtifacts_Jan24_1 {
   // Artifact-hunting rule for the UNC5221 Ivanti Connect Secure campaign.
   // Any single string is enough to fire, so treat a hit as a lead to
   // triage on the appliance rather than as a per-file classifier.
   meta:
      description = "Detects forensic artifacts found in the Ivanti VPN exploitation campaign by APT UNC5221"
      author = "Florian Roth"
      reference = "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day"
      date = "2024-01-11"
      score = 75
      id = "49ba2a96-379d-5a58-979d-45e83fa546e7"
   strings:
      // Perl system() call that makes the dropped session-server helper executable
      $x1 = "system(\"chmod a+x /home/etc/sql/dsserver/sessionserver.sh\");" ascii
      // Fake SSH banner. Note the trailing period: the ZIPLINE rule in this
      // file matches the same banner without it, so this variant is the
      // stricter of the two - confirm against the sample before relying on it.
      $x2 = "SSH-2.0-OpenSSH_0.3xx." ascii
      // sed edit that deletes the installer invocation line from /pkg/do-install
      $x3 = "sed -i '/retval=$(exec $installer $@)/d' /pkg/do-install" ascii
   condition:
      // 5 MB cap: very large captures (memory dumps, log archives) are not scanned
      any of ($x*) and filesize < 5MB
}
rule M_Hunting_Backdoor_ZIPLINE_1 {
   // ZIPLINE: passive ELF backdoor. The rule is gated on the ELF magic, so the
   // generic installer/path strings below cannot match the shell scripts or
   // text files that legitimately contain them.
   meta:
      author = "Mandiant"
      description = "This rule detects unique strings in ZIPLINE, a passive ELF backdoor that waits for incoming TCP connections to receive commands from the threat actor."
      reference = "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day"
      date = "2024-01-11"
      score = 75
      id = "753884d6-d4c1-5e94-9d2c-f6ebb7bfaf85"
   strings:
      // Either of these alone is treated as sufficient evidence
      $s1 = "SSH-2.0-OpenSSH_0.3xx" ascii
      $s2 = "$(exec $installer $@)" ascii
      // Installer/path strings are weak individually; three of four are required
      $t1 = "./installer/do-install" ascii
      $t2 = "./installer/bom_files/" ascii
      $t3 = "/tmp/data/root/etc/ld.so.preload" ascii
      $t4 = "/tmp/data/root/home/etc/manifest/exclusion_list" ascii
   condition:
      // 0x464c457f read little-endian is the byte sequence 7f 45 4c 46 ("\x7fELF")
      uint32(0) == 0x464c457f
      and filesize < 5MB
      and ( any of ($s*) or 3 of ($t*) )
}
rule M_Hunting_Dropper_WIREFIRE_1 {
   // WIREFIRE: Python web shell grafted onto an existing appliance module.
   // All five strings must co-occur in a file under 10 KB. Because the shell
   // lives inside a legitimate module, the size cap is tied to that module's
   // size on the reference sample - a larger host file would be missed.
   meta:
      author = "Mandiant"
      description = "This rule detects WIREFIRE, a web shell written in Python that exists as trojanized logic to a component of the pulse secure appliance."
      md5 = "6de651357a15efd01db4e658249d4981"
      reference = "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day"
      date = "2024-01-11"
      score = 75
      id = "051244f0-00b1-5a4b-8c81-f4ce6f1aa22a"
   strings:
      // base64 -> AES -> zlib unwrapping of the tasking payload
      $s1 = "zlib.decompress(aes.decrypt(base64.b64decode(" ascii
      // "\\x00" in a YARA text string is a literal backslash followed by x00,
      // i.e. the zero-padding expression exactly as written in the Python source
      $s2 = "aes.encrypt(t+('\\x00'*(16-len(t)%16))" ascii
      // Looks like the host module's own docstring - anchors the rule to that component
      $s3 = "Handles DELETE request to delete an existing visits data." ascii
      // Request body starting with "GIF" - presumably how the shell recognises its own traffic
      $s4 = "request.data.decode().startswith('GIF'):" ascii
      $s5 = "Utils.api_log_admin" ascii
   condition:
      all of ($s*) and filesize < 10KB
}
rule M_Hunting_Webshell_LIGHTWIRE_2 {
   // LIGHTWIRE: Perl web shell. The original Mandiant regex (kept below for
   // reference) tied the fragments together in one ordered expression; this
   // version only requires that all five fragments appear somewhere in the
   // file, which is cheaper to scan and, at all-of-them under 10 KB, still
   // specific enough for the one-liner it targets.
   meta:
      author = "Mandiant (modified by Florian Roth)"
      description = "Detects LIGHTWIRE based on the RC4 decoding and execution 1-liner."
      md5 = "3d97f55a03ceb4f71671aa2ecf5b24e9"
      reference = "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day"
      date = "2024-01-11"
      modified = "2024-01-12"
      score = 75
      id = "9451da63-c68e-51e8-b4b1-c3082d46fbf6"
   strings:
      // Original regex, replaced by the plain strings below:
      // $re1 = /eval\{my.{1,20}Crypt::RC4->new\(\".{1,50}->RC4\(decode_base64\(CGI::param\(\'.{1,30};eval\s\$.{1,30}\"Compatibility\scheck:\s\$@\";\}/
      $s1 = "eval{my" ascii
      // RC4 key setup
      $s2 = "Crypt::RC4->new(\"" ascii
      // Command arrives base64-encoded in a CGI parameter, RC4-decrypted, then eval'd
      $s3 = "->RC4(decode_base64(CGI::param('" ascii
      $s4 = ";eval $" ascii
      // Error text returned when the eval fails
      $s5 = "\"Compatibility check: $@\";}" ascii
   condition:
      all of ($s*) and filesize < 10KB
}
rule M_Hunting_Dropper_THINSPOOL_1 {
   // THINSPOOL: shell-script dropper for LIGHTWIRE. Detection rests on the
   // staging directory, the two appliance paths it echoes, and a fixed
   // token; all four must be present in a file under 10 KB.
   meta:
      author = "Mandiant"
      description = "This rule detects THINSPOOL, a dropper that installs the LIGHTWIRE web shell onto a Pulse Secure system."
      md5 = "677c1aa6e2503b56fe13e1568a814754"
      reference = "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day"
      date = "2024-01-11"
      score = 75
      id = "dd340f72-0a2c-5b66-9e31-1c0f20cd842f"
   strings:
      // Staging directory used by the dropper
      $s1 = "/tmp/qactg/" ascii
      // Appliance files the script references
      $s2 = "echo '/home/config/dscommands'" ascii
      $s3 = "echo '/home/perl/DSLogConfig.pm'" ascii
      // Fixed token present in the sample; meaning not established here
      $s4 = "ADM20447" ascii
   condition:
      all of ($s*) and filesize < 10KB
}
rule M_Hunting_CredTheft_WARPWIRE_1 {
   // WARPWIRE: JavaScript credential harvester injected into a legitimate
   // Pulse Secure login-page script. The harvesting snippet is written here
   // as plain ASCII text strings (identical bytes to hex-encoding them);
   // $s5 is text from the surrounding legitimate file and anchors the match
   // to that component. All five must co-occur in a file under 8 KB, so a
   // larger host script would not be matched.
   meta:
      author = "Mandiant"
      description = "This rule detects WARPWIRE, a credential stealer written in JavaScript that is embedded into a legitimate Pulse Secure file."
      md5 = "d0c7a334a4d9dcd3c6335ae13bee59ea"
      reference = "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day"
      date = "2024-01-11"
      score = 75
      id = "9a6a8783-b531-560d-998d-8aa7c90158a8"
   strings:
      // Reads username and password straight out of the login form
      $s1 = "var wdata = document.frmLogin.username.value;" ascii
      $s2 = "var sdata = document.frmLogin.password.value;" ascii
      // Concatenates them as "<user>&<pass>" for exfiltration
      $s3 = "+wdata+'&'+sdata;" ascii
      // Sends via XMLHttpRequest
      $s4 = "var xhr = new XMLHttpRequest" ascii
      // Legitimate surrounding-file text
      $s5 = "Remember the last selected auth realm for 30 days" ascii
   condition:
      all of ($s*) and filesize < 8KB
}