more fixing, re-add thread count
This commit is contained in:
parent
625190f682
commit
2c6af7acb1
1013 changed files with 13 additions and 140759 deletions
14
main.py
14
main.py
|
@ -246,7 +246,7 @@ def kill_suspicious_processes():
|
|||
# Scan files for malware as they launch and kill if potentially malicious.
|
||||
for file_path in cmdline:
|
||||
if os.path.isfile(file_path):
|
||||
if scan_for_malware(file_path) and os.path.basename(bypassed_processes):
|
||||
if scan_for_malware(file_path):
|
||||
print(f"Terminating potentially malicious process {proc.info['name']} (PID: {proc.info['pid']} NOW...")
|
||||
proc.terminate()
|
||||
proc.wait()
|
||||
|
@ -332,12 +332,24 @@ def realtimeAV():
|
|||
kill_suspicious_processes()
|
||||
time.sleep(1) # check for malware every second
|
||||
|
||||
def threadCounter():
|
||||
previous_count = 0
|
||||
current_count = 0
|
||||
while True:
|
||||
previous_count = threading.active_count()
|
||||
print(f"Active AntiMalware Threads: {current_count}")
|
||||
if current_count < previous_count and previous_count - current_count > -1:
|
||||
print("WARNING: THREAD KILL DETECTED!")
|
||||
time.sleep(3) # check for malware every second
|
||||
current_count = threading.active_count()
|
||||
|
||||
# Start Monitoring in Threads
|
||||
threads = [
|
||||
threading.Thread(target=start_file_system_monitor),
|
||||
threading.Thread(target=monitor_cpu_gpu_usage),
|
||||
threading.Thread(target=monitor_registry_changes),
|
||||
threading.Thread(target=realtimeAV),
|
||||
threading.Thread(target=threadCounter),
|
||||
threading.Thread(target=monitor_tls_certificates),
|
||||
threading.Thread(target=monitor_browser, args=('chrome',)),
|
||||
threading.Thread(target=monitor_browser, args=('firefox',))
|
||||
|
|
|
@ -1,241 +0,0 @@
|
|||
|
||||
/*
|
||||
Rules which detect vulnerabilities in configuration files.
|
||||
External variables are used so they only work with YARA scanners, that pass them on (e.g. Thor, Loki and Spyre)
|
||||
*/
|
||||
|
||||
|
||||
rule VULN_Linux_Sudoers_Commands {
|
||||
meta:
|
||||
description = "Detects sudoers config with commands which might allow privilege escalation to root"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Arnim Rupp"
|
||||
reference = "https://gtfobins.github.io/"
|
||||
date = "2022-11-22"
|
||||
modified = "2024-04-15"
|
||||
score = 50
|
||||
id = "221d90c8-e70e-5214-a03b-57ecabcdd480"
|
||||
strings:
|
||||
$command1 = "/sh " ascii
|
||||
$command2 = "/bash " ascii
|
||||
$command3 = "/ksh " ascii
|
||||
$command4 = "/csh " ascii
|
||||
$command5 = "/tcpdump " ascii
|
||||
//$command6 = "/cat " ascii
|
||||
//$command7 = "/head " ascii
|
||||
$command8 = "/nano " ascii
|
||||
$command9 = "/pico " ascii
|
||||
$command10 = "/rview " ascii
|
||||
$command11 = "/vi " ascii
|
||||
$command12 = "/vim " ascii
|
||||
$command13 = "/rvi " ascii
|
||||
$command14 = "/rvim " ascii
|
||||
//$command15 = "/more " ascii
|
||||
$command16 = "/less " ascii
|
||||
$command17 = "/dd " ascii
|
||||
/* $command18 = "/mount " ascii prone to FPs */
|
||||
|
||||
condition:
|
||||
( filename == "sudoers" or filepath contains "/etc/sudoers.d" ) and
|
||||
any of ($command*)
|
||||
}
|
||||
|
||||
rule VULN_Linux_NFS_Exports {
|
||||
meta:
|
||||
description = "Detects insecure /etc/exports NFS config which might allow privilege escalation to root or other users. The parameter insecure allows any non-root user to mount NFS shares via e.g. an SSH-tunnel. With no_root_squash SUID root binaries are allowed."
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
reference = "https://www.errno.fr/nfs_privesc.html"
|
||||
author = "Arnim Rupp"
|
||||
date = "2022-11-22"
|
||||
score = 50
|
||||
id = "4b7d81d8-1ae1-5fcf-a91c-271477a839db"
|
||||
strings:
|
||||
// line has to start with / to avoid triggering on #-comment lines
|
||||
$conf1 = /\n\/.{2,200}?\binsecure\b/ ascii
|
||||
$conf2 = /\n\/.{2,200}?\bno_root_squash\b/ ascii
|
||||
|
||||
condition:
|
||||
filename == "exports" and
|
||||
filepath contains "/etc" and
|
||||
any of ($conf*)
|
||||
}
|
||||
|
||||
rule SUSP_AES_Key_in_MySql_History {
|
||||
meta:
|
||||
description = "Detects AES key outside of key management in .mysql_history"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Arnim Rupp"
|
||||
date = "2022-11-22"
|
||||
score = 50
|
||||
id = "28acef39-8606-5d3d-b395-0d8db13f6c9c"
|
||||
strings:
|
||||
$c1 = /\bAES_(DE|EN)CRYPT\(.{1,128}?,.??('|").{1,128}?('|")\)/ ascii
|
||||
$c2 = /\baes_(de|en)crypt\(.{1,128}?,.??('|").{1,128}?('|")\)/ ascii
|
||||
|
||||
condition:
|
||||
filename == ".mysql_history" and
|
||||
any of ($c*)
|
||||
}
|
||||
|
||||
rule VULN_Slapd_Conf_with_Default_Password {
|
||||
meta:
|
||||
description = "Detects an openldap slapd.conf with the default password test123"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Arnim Rupp"
|
||||
date = "2022-11-22"
|
||||
reference = "https://www.openldap.org/doc/admin21/slapdconfig.html"
|
||||
score = 70
|
||||
id = "1d1319da-125b-5373-88f1-27a23c85729e"
|
||||
strings:
|
||||
/* \nrootpw \{SSHA\}fsAEyxlFOtvZBwPLAF68zpUhth8lERoR */
|
||||
$c1 = { 0A 72 6f 6f 74 70 77 20 7b 53 53 48 41 7d 66 73 41 45 79 78 6c 46 4f 74 76 5a 42 77 50 4c 41 46 36 38 7a 70 55 68 74 68 38 6c 45 52 6f 52 }
|
||||
|
||||
condition:
|
||||
filename == "slapd.conf" and
|
||||
any of ($c*)
|
||||
}
|
||||
|
||||
rule VULN_Unencrypted_SSH_Private_Key : T1552_004 {
|
||||
meta:
|
||||
description = "Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Arnim Rupp"
|
||||
date = "2023-01-06"
|
||||
reference = "https://attack.mitre.org/techniques/T1552/004/"
|
||||
score = 50
|
||||
id = "84b279fc-99c8-5101-b2d8-5c7adbaf753f"
|
||||
strings:
|
||||
/*
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MII
|
||||
*/
|
||||
$openssh_rsa = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 52 53 41 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d 49 49 }
|
||||
|
||||
/*
|
||||
-----BEGIN DSA PRIVATE KEY-----
|
||||
MIIBvAIBAAKBgQ
|
||||
*/
|
||||
$openssh_dsa = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 44 53 41 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d 49 49 42 76 41 49 42 41 41 4b 42 67 51 }
|
||||
|
||||
/*
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
M
|
||||
*/
|
||||
$openssh_ecdsa = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 45 43 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d }
|
||||
|
||||
/*
|
||||
-----BEGIN OPENSSH PRIVATE KEY-----
|
||||
b3BlbnNzaC1rZXktdjEAAAAABG5vbmU
|
||||
|
||||
base64 contains: openssh-key-v1.....none
|
||||
*/
|
||||
$openssh_ed25519 = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 4f 50 45 4e 53 53 48 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 62 33 42 6c 62 6e 4e 7a 61 43 31 72 5a 58 6b 74 64 6a 45 41 41 41 41 41 42 47 35 76 62 6d 55 }
|
||||
|
||||
$putty_start = "PuTTY-User-Key-File" ascii
|
||||
$putty_noenc = "Encryption: none" ascii
|
||||
|
||||
condition:
|
||||
/*
|
||||
limit to folders and filenames which are known to contain ssh keys to avoid triggering on all those
|
||||
private keys for SSL, signing, ... which might be important but aren't usually used for lateral
|
||||
movement => bad signal noise ratio
|
||||
*/
|
||||
(
|
||||
filepath contains "ssh" or
|
||||
filepath contains "SSH" or
|
||||
filepath contains "utty" or
|
||||
filename contains "ssh" or
|
||||
filename contains "SSH" or
|
||||
filename contains "id_" or
|
||||
filename contains "id2_" or
|
||||
filename contains ".ppk" or
|
||||
filename contains ".PPK" or
|
||||
filename contains "utty"
|
||||
)
|
||||
and
|
||||
(
|
||||
$openssh_dsa at 0 or
|
||||
$openssh_rsa at 0 or
|
||||
$openssh_ecdsa at 0 or
|
||||
$openssh_ed25519 at 0 or
|
||||
(
|
||||
$putty_start at 0 and
|
||||
$putty_noenc
|
||||
)
|
||||
)
|
||||
and not filepath contains "/root/"
|
||||
and not filename contains "ssh_host_"
|
||||
}
|
||||
|
||||
|
||||
rule VULN_Unencrypted_SSH_Private_Key_Root_Folder : T1552_004 {
|
||||
meta:
|
||||
description = "Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Arnim Rupp"
|
||||
date = "2023-01-06"
|
||||
reference = "https://attack.mitre.org/techniques/T1552/004/"
|
||||
score = 65
|
||||
id = "9e6a03a1-d95f-5de7-a6c0-a2e77486007c"
|
||||
strings:
|
||||
/*
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MII
|
||||
*/
|
||||
$openssh_rsa = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 52 53 41 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d 49 49 }
|
||||
|
||||
/*
|
||||
-----BEGIN DSA PRIVATE KEY-----
|
||||
MIIBvAIBAAKBgQ
|
||||
*/
|
||||
$openssh_dsa = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 44 53 41 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d 49 49 42 76 41 49 42 41 41 4b 42 67 51 }
|
||||
|
||||
/*
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
M
|
||||
*/
|
||||
$openssh_ecdsa = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 45 43 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d }
|
||||
|
||||
/*
|
||||
-----BEGIN OPENSSH PRIVATE KEY-----
|
||||
b3BlbnNzaC1rZXktdjEAAAAABG5vbmU
|
||||
|
||||
base64 contains: openssh-key-v1.....none
|
||||
*/
|
||||
$openssh_ed25519 = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 4f 50 45 4e 53 53 48 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 62 33 42 6c 62 6e 4e 7a 61 43 31 72 5a 58 6b 74 64 6a 45 41 41 41 41 41 42 47 35 76 62 6d 55 }
|
||||
|
||||
$putty_start = "PuTTY-User-Key-File" ascii
|
||||
$putty_noenc = "Encryption: none" ascii
|
||||
|
||||
condition:
|
||||
/*
|
||||
limit to folders and filenames which are known to contain ssh keys to avoid triggering on all those
|
||||
private keys for SSL, signing, ... which might be important but aren't usually used for lateral
|
||||
movement => bad signal noise ratio
|
||||
*/
|
||||
(
|
||||
filepath contains "ssh" or
|
||||
filepath contains "SSH" or
|
||||
filepath contains "utty" or
|
||||
filename contains "ssh" or
|
||||
filename contains "SSH" or
|
||||
filename contains "id_" or
|
||||
filename contains "id2_" or
|
||||
filename contains ".ppk" or
|
||||
filename contains ".PPK" or
|
||||
filename contains "utty"
|
||||
)
|
||||
and
|
||||
(
|
||||
$openssh_dsa at 0 or
|
||||
$openssh_rsa at 0 or
|
||||
$openssh_ecdsa at 0 or
|
||||
$openssh_ed25519 at 0 or
|
||||
(
|
||||
$putty_start at 0 and
|
||||
$putty_noenc
|
||||
)
|
||||
)
|
||||
and filepath contains "/root/"
|
||||
and not filename contains "ssh_host_"
|
||||
}
|
|
@ -1,102 +0,0 @@
|
|||
|
||||
rule EXPL_Citrix_Netscaler_ADC_ForensicArtifacts_CVE_2023_3519_Jul23 {
|
||||
meta:
|
||||
description = "Detects forensic artifacts found after an exploitation of Citrix NetScaler ADC CVE-2023-3519"
|
||||
author = "Florian Roth"
|
||||
reference = "https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf"
|
||||
date = "2023-07-18"
|
||||
modified = "2023-07-21"
|
||||
score = 70
|
||||
id = "07d725cc-2cf2-55e5-8609-486500547f13"
|
||||
strings:
|
||||
$sa1 = "216.41.162.172" ascii fullword
|
||||
|
||||
$sb1 = "/flash/nsconfig/keys" ascii
|
||||
$sb2 = "ldapsearch" ascii fullword
|
||||
$sb3 = "ns_gui/vpn" ascii
|
||||
$sb4 = "LDAPTLS_REQCERT" ascii fullword
|
||||
condition:
|
||||
filesize < 10MB and $sa1
|
||||
or (
|
||||
filepath == "/var/log"
|
||||
and filename matches /^(bash|sh)\.log/
|
||||
and 1 of ($sb*)
|
||||
)
|
||||
}
|
||||
|
||||
rule EXPL_Citrix_Netscaler_ADC_ForensicArtifacts_CVE_2023_3519_Jul23_2 {
|
||||
meta:
|
||||
description = "Detects forensic artifacts found after an exploitation of Citrix NetScaler ADC CVE-2023-3519"
|
||||
author = "Florian Roth"
|
||||
reference = "https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf"
|
||||
date = "2023-07-21"
|
||||
score = 70
|
||||
id = "471ce547-0133-5836-b9d1-02c932ecfd1e"
|
||||
strings:
|
||||
$s1 = "tar -czvf - /var/tmp/all.txt" ascii fullword
|
||||
$s2 = "-out /var/tmp/test.tar.gz" ascii
|
||||
$s3 = "/test.tar.gz /netscaler/"
|
||||
condition:
|
||||
filesize < 10MB and 1 of them
|
||||
}
|
||||
|
||||
rule EXPL_Citrix_Netscaler_ADC_ForensicArtifacts_CVE_2023_3519_Jul23_3 {
|
||||
meta:
|
||||
description = "Detects forensic artifacts found after an exploitation of Citrix NetScaler ADC CVE-2023-3519"
|
||||
author = "Florian Roth"
|
||||
reference = "https://www.mandiant.com/resources/blog/citrix-zero-day-espionage"
|
||||
date = "2023-07-24"
|
||||
score = 70
|
||||
id = "2f40b423-f1da-5711-ac4f-18de77cd52d0"
|
||||
strings:
|
||||
$x1 = "cat /flash/nsconfig/ns.conf >>" ascii
|
||||
$x2 = "cat /nsconfig/.F1.key >>" ascii
|
||||
$x3 = "openssl base64 -d < /tmp/" ascii
|
||||
$x4 = "cp /usr/bin/bash /var/tmp/bash" ascii
|
||||
$x5 = "chmod 4775 /var/tmp/bash"
|
||||
$x6 = "pwd;pwd;pwd;pwd;pwd;"
|
||||
$x7 = "(&(servicePrincipalName=*)(UserAccountControl:1.2.840.113556.1.4.803:=512)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!(objectCategory=computer)))"
|
||||
condition:
|
||||
filesize < 10MB and 1 of them
|
||||
}
|
||||
|
||||
rule LOG_EXPL_Citrix_Netscaler_ADC_Exploitation_Attempt_CVE_2023_3519_Jul23_1 {
|
||||
meta:
|
||||
description = "This YARA rule detects forensic artifacts that appear following an attempted exploitation of Citrix NetScaler ADC CVE-2023-3519. The rule identifies an attempt to access the vulnerable function using an overly long URL, a potential sign of attempted exploitation. However, it does not confirm whether such an attempt was successful."
|
||||
author = "Florian Roth"
|
||||
reference = "https://blog.assetnote.io/2023/07/24/citrix-rce-part-2-cve-2023-3519/"
|
||||
date = "2023-07-27"
|
||||
score = 65
|
||||
id = "7dfe4130-d976-5d6d-a05d-ccadefe45406"
|
||||
strings:
|
||||
/* overly long URL - all URLLEN values >= 200 */
|
||||
$sr1 = /GWTEST FORMS SSO: Parse=0; URLLEN=([2-9][0-9]{2}|[0-9]{4,20}); Event: start=0x/
|
||||
$s1 = ", type=1; Target: start=0x"
|
||||
condition:
|
||||
all of them
|
||||
}
|
||||
|
||||
rule WEBSHELL_SECRETSAUCE_Jul23_1 {
|
||||
meta:
|
||||
description = "Detects SECRETSAUCE PHP webshells (found after an exploitation of Citrix NetScaler ADC CVE-2023-3519)"
|
||||
author = "Florian Roth"
|
||||
reference = "https://www.mandiant.com/resources/blog/citrix-zero-day-espionage"
|
||||
date = "2023-07-24"
|
||||
score = 85
|
||||
id = "db0542e7-648e-5f60-9838-e07498f58b51"
|
||||
strings:
|
||||
$sa1 = "for ($x=0; $x<=1; $x++) {" ascii
|
||||
$sa2 = "$_REQUEST[" ascii
|
||||
$sa3 = "@eval" ascii
|
||||
|
||||
$sb1 = "public $cmd;" ascii
|
||||
$sb2 = "return @eval($a);" ascii
|
||||
$sb3 = "$z->run($z->get('openssl_public_decrypt'));"
|
||||
condition:
|
||||
filesize < 100KB and (
|
||||
all of ($sa*) or
|
||||
2 of ($sb*)
|
||||
)
|
||||
}
|
||||
|
||||
|
|
@ -1,328 +0,0 @@
|
|||
import "pe"
|
||||
|
||||
rule ConnectWise_ScreenConnect_Authentication_Bypass_Feb_2024_Exploitation_IIS_Logs {
|
||||
meta:
|
||||
description = "Detects an http request to '/SetupWizard.aspx/' with anything following it, which when found in IIS logs is a potential indicator of compromise of the 2024 ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass"
|
||||
author = "Huntress DE&TH Team (modified by Florian Roth)"
|
||||
reference = "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"
|
||||
date = "2024-02-20"
|
||||
modified = "2024-02-21"
|
||||
id = "2886530b-e164-4c4b-b01e-950e3c40acb4"
|
||||
strings:
|
||||
$s1 = " GET /SetupWizard.aspx/" ascii
|
||||
$s2 = " POST /SetupWizard.aspx/" ascii
|
||||
$s3 = " PUT /SetupWizard.aspx/" ascii
|
||||
$s4 = " HEAD /SetupWizard.aspx/" ascii
|
||||
condition:
|
||||
1 of them
|
||||
}
|
||||
|
||||
rule SUSP_ScreenConnect_User_PoC_Com_Unused_Feb24 {
|
||||
meta:
|
||||
description = "Detects suspicious ScreenConnect user with poc.com email address, which is a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability with the POC released by WatchTower and the account wasn't actually used yet to login"
|
||||
author = "Florian Roth"
|
||||
reference = "https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc/blob/45e5b2f699a4d8f2d59ec3fc79a2e3c99db71882/watchtowr-vs-ConnectWise_2024-02-21.py#L53"
|
||||
date = "2024-02-23"
|
||||
score = 65
|
||||
id = "c57e6c6a-298f-5ff3-b76a-03127ff88699"
|
||||
strings:
|
||||
$a1 = "<Users xmlns:xsi="
|
||||
$a2 = "<CreationDate>"
|
||||
|
||||
$s1 = "@poc.com</Email>"
|
||||
$s2 = "<LastLoginDate>0001"
|
||||
condition:
|
||||
filesize < 200KB
|
||||
and all of ($a*)
|
||||
and all of ($s*)
|
||||
}
|
||||
|
||||
rule SUSP_ScreenConnect_User_PoC_Com_Used_Feb24 {
|
||||
meta:
|
||||
description = "Detects suspicious ScreenConnect user with poc.com email address, which is a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability with the POC released by WatchTower and the account was already used yet to login"
|
||||
author = "Florian Roth"
|
||||
reference = "https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc/blob/45e5b2f699a4d8f2d59ec3fc79a2e3c99db71882/watchtowr-vs-ConnectWise_2024-02-21.py#L53"
|
||||
date = "2024-02-23"
|
||||
score = 75
|
||||
id = "91990558-f145-5968-9722-b6815f6ad8d5"
|
||||
strings:
|
||||
$a1 = "<Users xmlns:xsi="
|
||||
$a2 = "<CreationDate>"
|
||||
|
||||
$s1 = "@poc.com</Email>"
|
||||
|
||||
$f1 = "<LastLoginDate>0001"
|
||||
condition:
|
||||
filesize < 200KB
|
||||
and all of ($a*)
|
||||
and $s1
|
||||
and not 1 of ($f*)
|
||||
}
|
||||
|
||||
rule SUSP_ScreenConnect_Exploitation_Artefacts_Feb24 : SCRIPT {
|
||||
meta:
|
||||
description = "Detects post exploitation indicators observed by HuntressLabs in relation to the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass"
|
||||
author = "Florian Roth"
|
||||
reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
|
||||
date = "2024-02-23"
|
||||
score = 75
|
||||
id = "079f4153-8bc7-574f-b6fa-af5536b842ab"
|
||||
strings:
|
||||
$x01 = "-c foreach ($disk in Get-WmiObject Win32_Logicaldisk){Add-MpPreference -ExclusionPath $disk.deviceid}"
|
||||
$x02 = ".msi c:\\mpyutd.msi"
|
||||
$x03 = "/MyUserName_$env:UserName"
|
||||
$x04 = " -OutFile C:\\Windows\\Help\\"
|
||||
$x05 = "/Create /TN \\\\Microsoft\\\\Windows\\\\Wininet\\\\UserCache_"
|
||||
$x06 = "$e = $r + \"ssh.exe\""
|
||||
$x07 = "Start-Process -f $e -a $args -PassThru -WindowStyle Hidden).Id"
|
||||
$x08 = "-R 9595:localhost:3389 -p 443 -N -oStrictHostKeyChecking=no "
|
||||
$x09 = "chromeremotedesktophost.msi', $env:ProgramData+"
|
||||
$x10 = "9595; iwr -UseBasicParsing "
|
||||
$x11 = "curl https://cmctt.]com/pub/media/wysiwyg/"
|
||||
$x12 = ":8080/servicetest2.dll"
|
||||
$x13 = "/msappdata.msi c:\\mpyutd.msi"
|
||||
$x14 = "/svchost.exe -OutFile "
|
||||
$x15 = "curl http://minish.wiki.gd"
|
||||
$x16 = " -Headers @{'ngrok-skip-browser-warning'='true'} -OutFile "
|
||||
$x17 = "rundll32.exe' -Headers @"
|
||||
$x18 = "/nssm.exe' -Headers @"
|
||||
$x19 = "c:\\programdata\\update.dat UpdateSystem"
|
||||
$x20 = "::size -eq 4){\\\"TVqQAA" ascii wide
|
||||
$x21 = "::size -eq 4){\"TVqQAA" ascii wide
|
||||
$x22 = "-nop -c [System.Reflection.Assembly]::Load(([WmiClass]'root\\cimv2:System_"
|
||||
|
||||
/* Persistence */
|
||||
$xp0 = "/add default test@2021! /domain"
|
||||
$xp1 = "/add default1 test@2021! /domain"
|
||||
$xp2 = "oldadmin Pass8080!!"
|
||||
$xp3 = "temp 123123qwE /add "
|
||||
$xp4 = "oldadmin \"Pass8080!!\""
|
||||
$xp5 = "nssm set xmrig AppDirectory "
|
||||
condition:
|
||||
1 of ($x*)
|
||||
}
|
||||
|
||||
rule SUSP_Command_Line_Combos_Feb24_2 : SCRIPT {
|
||||
meta:
|
||||
description = "Detects suspicious command line combinations often found in post exploitation activities"
|
||||
author = "Florian Roth"
|
||||
reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
|
||||
date = "2024-02-23"
|
||||
score = 75
|
||||
id = "d9bc6083-c3ca-5639-a9df-483fea6d0187"
|
||||
strings:
|
||||
$sa1 = " | iex"
|
||||
$sa2 = "iwr -UseBasicParsing "
|
||||
condition:
|
||||
filesize < 2MB and all of them
|
||||
}
|
||||
|
||||
rule SUSP_PS1_Combo_TransferSH_Feb24 : SCRIPT {
|
||||
meta:
|
||||
description = "Detects suspicious PowerShell command that downloads content from transfer.sh as often found in loaders"
|
||||
author = "Florian Roth"
|
||||
reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
|
||||
date = "2024-02-23"
|
||||
score = 70
|
||||
id = "fd14cca5-9cf8-540b-9d6e-39ca2c267272"
|
||||
strings:
|
||||
$x1 = ".DownloadString('https://transfer.sh"
|
||||
$x2 = ".DownloadString(\"https://transfer.sh"
|
||||
$x3 = "Invoke-WebRequest -Uri 'https://transfer.sh"
|
||||
$x4 = "Invoke-WebRequest -Uri \"https://transfer.sh"
|
||||
condition:
|
||||
1 of them
|
||||
}
|
||||
|
||||
rule MAL_SUSP_RANSOM_LockBit_RansomNote_Feb24 {
|
||||
meta:
|
||||
description = "Detects the LockBit ransom note file 'LockBit-DECRYPT.txt' which is a sign of a LockBit ransomware infection"
|
||||
author = "Florian Roth"
|
||||
reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
|
||||
date = "2024-02-23"
|
||||
score = 75
|
||||
id = "b2fcb2a7-49e8-520c-944f-6acd5ded579b"
|
||||
strings:
|
||||
$x1 = ">>>> Your personal DECRYPTION ID:"
|
||||
condition:
|
||||
1 of them
|
||||
}
|
||||
|
||||
rule MAL_SUSP_RANSOM_Lazy_RansomNote_Feb24 {
|
||||
meta:
|
||||
description = "Detects the Lazy ransom note file 'HowToRestoreYourFiles.txt' which is a sign of a Lazy ransomware infection"
|
||||
author = "Florian Roth"
|
||||
reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
|
||||
date = "2024-02-23"
|
||||
score = 75
|
||||
id = "287dfd67-8d0d-5906-b593-3af42a5a3aa4"
|
||||
strings:
|
||||
$x1 = "All Encrypted files can be reversed to original form and become usable"
|
||||
condition:
|
||||
1 of them
|
||||
}
|
||||
|
||||
|
||||
rule SUSP_MAL_SigningCert_Feb24_1 {
|
||||
meta:
|
||||
description = "Detects PE files signed with a certificate used to sign malware samples mentioned in a HuntressLabs report on the exploitation of ScreenConnect vulnerability CVE-2024-1708 and CVE-2024-1709"
|
||||
author = "Florian Roth"
|
||||
reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
|
||||
date = "2024-02-23"
|
||||
score = 75
|
||||
hash1 = "37a39fc1feb4b14354c4d4b279ba77ba51e0d413f88e6ab991aad5dd6a9c231b"
|
||||
hash2 = "e8c48250cf7293c95d9af1fb830bb8a5aaf9cfb192d8697d2da729867935c793"
|
||||
id = "f25ea77a-1b4e-5c13-9117-eedf0c20335a"
|
||||
strings:
|
||||
$s1 = "Wisdom Promise Security Technology Co." ascii
|
||||
$s2 = "Globalsign TSA for CodeSign1" ascii
|
||||
$s3 = { 5D AC 0B 6C 02 5A 4B 21 89 4B A3 C2 }
|
||||
condition:
|
||||
uint16(0) == 0x5a4d
|
||||
and filesize < 70000KB
|
||||
and all of them
|
||||
}
|
||||
|
||||
rule MAL_CS_Loader_Feb24_1 {
|
||||
meta:
|
||||
description = "Detects Cobalt Strike malware samples mentioned in a HuntressLabs report on the exploitation of ScreenConnect vulnerability CVE-2024-1708 and CVE-2024-1709"
|
||||
author = "Florian Roth"
|
||||
reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
|
||||
date = "2024-02-23"
|
||||
score = 75
|
||||
hash1 = "0a492d89ea2c05b1724a58dd05b7c4751e1ffdd2eab3a2f6a7ebe65bf3fdd6fe"
|
||||
id = "6c9914a4-b079-5a39-9d3b-7b9a2b54dc2b"
|
||||
strings:
|
||||
$s1 = "Dll_x86.dll" ascii fullword
|
||||
condition:
|
||||
uint16(0) == 0x5a4d
|
||||
and filesize < 1000KB
|
||||
and (
|
||||
pe.exports("UpdateSystem") and (
|
||||
pe.imphash() == "0dc05c4c21a86d29f1c3bf9cc5b712e0"
|
||||
or $s1
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
rule MAL_RANSOM_LockBit_Indicators_Feb24 {
|
||||
meta:
|
||||
description = "Detects Lockbit ransomware samples mentioned in a HuntressLabs report on the exploitation of ScreenConnect vulnerability CVE-2024-1708 and CVE-2024-1709"
|
||||
author = "Florian Roth"
|
||||
reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
|
||||
date = "2024-02-23"
|
||||
score = 75
|
||||
hash1 = "a50d9954c0a50e5804065a8165b18571048160200249766bfa2f75d03c8cb6d0"
|
||||
id = "108430c8-4fe5-58a1-b709-539b257c120c"
|
||||
strings:
|
||||
$op1 = { 76 c1 95 8b 18 00 93 56 bf 2b 88 71 4c 34 af b1 a5 e9 77 46 c3 13 }
|
||||
$op2 = { e0 02 10 f7 ac 75 0e 18 1b c2 c1 98 ac 46 }
|
||||
$op3 = { 8b c6 ab 53 ff 15 e4 57 42 00 ff 45 fc eb 92 ff 75 f8 ff 15 f4 57 42 00 }
|
||||
condition:
|
||||
uint16(0) == 0x5a4d
|
||||
and filesize < 500KB
|
||||
and (
|
||||
pe.imphash() == "914685b69f2ac2ff61b6b0f1883a054d"
|
||||
or 2 of them
|
||||
) or all of them
|
||||
}
|
||||
|
||||
rule MAL_MSI_Mpyutils_Feb24_1 {
|
||||
meta:
|
||||
description = "Detects malicious MSI package mentioned in a HuntressLabs report on the exploitation of ScreenConnect vulnerability CVE-2024-1708 and CVE-2024-1709"
|
||||
author = "Florian Roth"
|
||||
reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
|
||||
date = "2024-02-23"
|
||||
score = 70
|
||||
hash1 = "8e51de4774d27ad31a83d5df060ba008148665ab9caf6bc889a5e3fba4d7e600"
|
||||
id = "e7794336-a325-5b92-8c25-81ed9cb28044"
|
||||
strings:
|
||||
$s1 = "crypt64ult.exe" ascii fullword
|
||||
$s2 = "EXPAND.EXE" wide fullword
|
||||
$s6 = "ICACLS.EXE" wide fullword
|
||||
condition:
|
||||
uint16(0) == 0xcfd0
|
||||
and filesize < 20000KB
|
||||
and all of them
|
||||
}
|
||||
|
||||
rule MAL_Beacon_Unknown_Feb24_1 {
|
||||
meta:
|
||||
description = "Detects malware samples mentioned in a HuntressLabs report on the exploitation of ScreenConnect vulnerability CVE-2024-1708 and CVE-2024-1709 "
|
||||
author = "Florian Roth"
|
||||
reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
|
||||
date = "2024-02-23"
|
||||
score = 75
|
||||
hash1 = "6e8f83c88a66116e1a7eb10549542890d1910aee0000e3e70f6307aae21f9090"
|
||||
hash2 = "b0adf3d58fa354dbaac6a2047b6e30bc07a5460f71db5f5975ba7b96de986243"
|
||||
hash3 = "c0f7970bed203a5f8b2eca8929b4e80ba5c3276206da38c4e0a4445f648f3cec"
|
||||
id = "9299fd44-5327-5a73-8299-108b710cb16e"
|
||||
strings:
|
||||
$s1 = "Driver.dll" wide fullword
|
||||
$s2 = "X l.dlT" ascii fullword
|
||||
$s3 = "$928c7481-dd27-8e23-f829-4819aefc728c" ascii fullword
|
||||
condition:
|
||||
uint16(0) == 0x5a4d
|
||||
and filesize < 2000KB
|
||||
and 3 of ($s*)
|
||||
}
|
||||
|
||||
/* --------------------------------------------------------------------------------- */
|
||||
/* only usable with THOR or THOR Lite, e.g. in THOR Cloud */
|
||||
|
||||
rule SUSP_ScreenConnect_User_Gmail_2024_Feb24 {
|
||||
meta:
|
||||
description = "Detects suspicious ScreenConnect user with Gmail address created in 2024, which could be a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass"
|
||||
author = "Florian Roth"
|
||||
reference = "https://twitter.com/_johnhammond/status/1760357971127832637"
|
||||
date = "2024-02-22"
|
||||
score = 65
|
||||
id = "3c86f4ee-4e8c-566b-b54e-e94418e4ec7e"
|
||||
strings:
|
||||
$a1 = "<Users xmlns:xsi="
|
||||
|
||||
$s1 = "@gmail.com</Email>"
|
||||
$s2 = "<CreationDate>2024-"
|
||||
condition:
|
||||
filesize < 200KB
|
||||
and all of them
|
||||
and filepath contains "\\ScreenConnect\\App_Data\\"
|
||||
}
|
||||
|
||||
rule SUSP_ScreenConnect_New_User_2024_Feb24 {
|
||||
meta:
|
||||
description = "Detects suspicious new ScreenConnect user created in 2024, which could be a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass"
|
||||
author = "Florian Roth"
|
||||
reference = "https://twitter.com/_johnhammond/status/1760357971127832637"
|
||||
date = "2024-02-22"
|
||||
score = 50
|
||||
id = "f6675ded-39a4-590a-a201-fcfe3c056e60"
|
||||
strings:
|
||||
$a1 = "<Users xmlns:xsi="
|
||||
|
||||
$s1 = "<CreationDate>2024-"
|
||||
condition:
|
||||
filesize < 200KB
|
||||
and all of them
|
||||
and filepath contains "\\ScreenConnect\\App_Data\\"
|
||||
}
|
||||
|
||||
rule SUSP_ScreenConnect_User_2024_No_Logon_Feb24 {
|
||||
meta:
|
||||
description = "Detects suspicious ScreenConnect user created in 2024 but without any login, which could be a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass"
|
||||
author = "Florian Roth"
|
||||
reference = "https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc/blob/45e5b2f699a4d8f2d59ec3fc79a2e3c99db71882/watchtowr-vs-ConnectWise_2024-02-21.py#L53"
|
||||
date = "2024-02-23"
|
||||
score = 60
|
||||
id = "c0861f1c-08e2-565d-a468-2075c51b4004"
|
||||
strings:
|
||||
$a1 = "<Users xmlns:xsi="
|
||||
$a2 = "<CreationDate>"
|
||||
|
||||
$s1 = "<CreationDate>2024-"
|
||||
$s2 = "<LastLoginDate>0001-01-01T00:00:00</LastLoginDate>"
|
||||
condition:
|
||||
filesize < 200KB
|
||||
and all of them
|
||||
and filepath contains "\\ScreenConnect\\App_Data\\"
|
||||
}
|
|
@ -1,68 +0,0 @@
|
|||
import "pe"
|
||||
|
||||
rule SUSP_Fake_AMSI_DLL_Jun23_1 {
|
||||
meta:
|
||||
description = "Detects an amsi.dll that has the same exports as the legitimate one but very different contents or file sizes"
|
||||
author = "Florian Roth"
|
||||
reference = "https://twitter.com/eversinc33/status/1666121784192581633?s=20"
|
||||
date = "2023-06-07"
|
||||
modified = "2023-06-12"
|
||||
score = 65
|
||||
id = "b12df9de-ecfb-562b-b599-87fa786a33bc"
|
||||
strings:
|
||||
$a1 = "Microsoft.Antimalware.Scan.Interface" ascii
|
||||
$a2 = "Amsi.pdb" ascii fullword
|
||||
$a3 = "api-ms-win-core-sysinfo-" ascii
|
||||
$a4 = "Software\\Microsoft\\AMSI\\Providers" wide
|
||||
$a5 = "AmsiAntimalware@" ascii
|
||||
$a6 = "AMSI UAC Scan" ascii
|
||||
|
||||
$fp1 = "Wine builtin DLL"
|
||||
condition:
|
||||
uint16(0) == 0x5a4d
|
||||
// AMSI.DLL exports
|
||||
and (
|
||||
pe.exports("AmsiInitialize")
|
||||
and pe.exports("AmsiScanString")
|
||||
)
|
||||
// and now the anomalies
|
||||
and (
|
||||
filesize > 200KB // files bigger than 100kB
|
||||
or filesize < 35KB // files smaller than 35kB
|
||||
or not 4 of ($a*) // files that don't contain the expected strings
|
||||
)
|
||||
and not 1 of ($fp*)
|
||||
}
|
||||
|
||||
/* Uses the external variable "filename" and can thus only be used in LOKI or THOR */
|
||||
|
||||
rule SUSP_Fake_AMSI_DLL_Jun23_2 {
|
||||
meta:
|
||||
description = "Detects an amsi.dll that has very different contents or file sizes than the legitimate"
|
||||
author = "Florian Roth"
|
||||
reference = "https://twitter.com/eversinc33/status/1666121784192581633?s=20"
|
||||
date = "2023-06-07"
|
||||
modified = "2023-06-14"
|
||||
score = 65
|
||||
id = "adec9525-6299-52d5-8f4e-a83366d3dcfd"
|
||||
strings:
|
||||
$a1 = "Microsoft.Antimalware.Scan.Interface" ascii
|
||||
$a2 = "Amsi.pdb" ascii fullword
|
||||
$a3 = "api-ms-win-core-sysinfo-" ascii
|
||||
$a4 = "Software\\Microsoft\\AMSI\\Providers" wide
|
||||
$a5 = "AmsiAntimalware@" ascii
|
||||
$a6 = "AMSI UAC Scan" ascii
|
||||
|
||||
$fp1 = "Wine builtin DLL"
|
||||
condition:
|
||||
uint16(0) == 0x5a4d
|
||||
// AMSI.DLL
|
||||
and filename == "amsi.dll"
|
||||
// and now the anomalies
|
||||
and (
|
||||
filesize > 200KB // files bigger than 100kB
|
||||
or filesize < 35KB // files smaller than 35kB
|
||||
or not 4 of ($a*) // files that don't contain the expected strings
|
||||
)
|
||||
and not 1 of ($fp*)
|
||||
}
|
|
@ -1,428 +0,0 @@
|
|||
import "pe"
|
||||
|
||||
rule APT_MAL_NK_3CX_Malicious_Samples_Mar23_1 {
|
||||
meta:
|
||||
description = "Detects malicious DLLs related to 3CX compromise"
|
||||
author = "X__Junior, Florian Roth (Nextron Systems)"
|
||||
reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
|
||||
date = "2023-03-29"
|
||||
modified = "2023-04-20"
|
||||
score = 85
|
||||
hash1 = "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896"
|
||||
hash2 = "c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02"
|
||||
hash3 = "cc4eedb7b1f77f02b962f4b05278fa7f8082708b5a12cacf928118520762b5e2"
|
||||
id = "a6ea3299-fde5-5206-b5db-eb3a3f5944d9"
|
||||
strings:
|
||||
$opa1 = { 4C 89 F1 4C 89 EA 41 B8 40 00 00 00 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 4C 89 F0 FF 15 ?? ?? ?? ?? 4C 8D 4C 24 ?? 45 8B 01 4C 89 F1 4C 89 EA FF 15 } /* VirtualProtect and execute payload*/
|
||||
$opa2 = { 48 C7 44 24 ?? 00 00 00 00 4C 8D 7C 24 ?? 48 89 F9 48 89 C2 41 89 E8 4D 89 F9 FF 15 ?? ?? ?? ?? 41 83 3F 00 0F 84 ?? ?? ?? ?? 0F B7 03 3D 4D 5A 00 00} /* ReadFile and MZ compare*/
|
||||
$opa3 = { 41 80 7C 00 ?? FE 75 ?? 41 80 7C 00 ?? ED 75 ?? 41 80 7C 00 ?? FA 75 ?? 41 80 3C 00 CE} /* marker */
|
||||
$opa4 = { 44 0F B6 CD 46 8A 8C 0C ?? ?? ?? ?? 45 30 0C 0E 48 FF C1} /* xor part in RC4 decryption*/
|
||||
|
||||
$opb1 = { 41 B8 40 00 00 00 49 8B D5 49 8B CC FF 15 ?? ?? ?? ?? 85 C0 74 ?? 41 FF D4 44 8B 45 ?? 4C 8D 4D ?? 49 8B D5 49 8B CC FF 15 } /* VirtualProtect and execute payload */
|
||||
$opb2 = { 44 8B C3 48 89 44 24 ?? 48 8B 5C 24 ?? 4C 8D 4D ?? 48 8B CB 48 89 74 24 ?? 48 8B D0 4C 8B F8 FF 15 } /* ReadFile and MZ compare*/
|
||||
$opb3 = { 80 78 ?? FE 75 ?? 80 78 ?? ED 75 ?? 80 38 FA 75 ?? 80 78 ?? CE } /* marker */
|
||||
$opb4 = { 49 63 C1 44 0F B6 44 05 ?? 44 88 5C 05 ?? 44 88 02 0F B6 54 05 ?? 49 03 D0 0F B6 C2 0F B6 54 05 ?? 41 30 12} /* xor part in RC4 decryption*/
|
||||
condition:
|
||||
uint16(0) == 0x5a4d
|
||||
and filesize < 5MB
|
||||
and pe.characteristics & pe.DLL
|
||||
and ( 2 of ($opa*) or 2 of ($opb*) )
|
||||
}
|
||||
|
||||
rule APT_MAL_NK_3CX_Malicious_Samples_Mar23_2 {
|
||||
meta:
|
||||
description = "Detects malicious DLLs related to 3CX compromise (decrypted payload)"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "https://twitter.com/dan__mayer/status/1641170769194672128?s=20"
|
||||
date = "2023-03-29"
|
||||
score = 80
|
||||
hash1 = "aa4e398b3bd8645016d8090ffc77d15f926a8e69258642191deb4e68688ff973"
|
||||
id = "bf3597ff-d62b-5d21-9c9b-e46e685284cf"
|
||||
strings:
|
||||
$s1 = "raw.githubusercontent.com/IconStorages/images/main/icon%d.ico" wide fullword
|
||||
$s2 = "https://raw.githubusercontent.com/IconStorages" wide fullword
|
||||
$s3 = "icon%d.ico" wide fullword
|
||||
$s4 = "__tutmc" ascii fullword
|
||||
|
||||
$op1 = { 2d ee a1 00 00 c5 fa e6 f5 e9 40 fe ff ff 0f 1f 44 00 00 75 2e c5 fb 10 0d 46 a0 00 00 44 8b 05 7f a2 00 00 e8 0a 0e 00 00 }
|
||||
$op4 = { 4c 8d 5c 24 71 0f 57 c0 48 89 44 24 60 89 44 24 68 41 b9 15 cd 5b 07 0f 11 44 24 70 b8 b1 68 de 3a 41 ba a4 7b 93 02 }
|
||||
$op5 = { f7 f3 03 d5 69 ca e8 03 00 00 ff 15 c9 0a 02 00 48 8d 44 24 30 45 33 c0 4c 8d 4c 24 38 48 89 44 24 20 }
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and
|
||||
filesize < 900KB and 3 of them
|
||||
or 5 of them
|
||||
}
|
||||
|
||||
rule APT_MAL_NK_3CX_Malicious_Samples_Mar23_3 {
|
||||
meta:
|
||||
description = "Detects malicious DLLs related to 3CX compromise (decrypted payload)"
|
||||
author = "Florian Roth , X__Junior (Nextron Systems)"
|
||||
reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
|
||||
date = "2023-03-29"
|
||||
score = 80
|
||||
hash1 = "aa4e398b3bd8645016d8090ffc77d15f926a8e69258642191deb4e68688ff973"
|
||||
id = "d2d361b6-8485-57eb-b6eb-88785f42e93e"
|
||||
strings:
|
||||
$opa1 = { 41 81 C0 ?? ?? ?? ?? 02 C8 49 C1 E9 ?? 41 88 4B ?? 4D 03 D1 8B C8 45 8B CA C1 E1 ?? 33 C1 41 69 D0 ?? ?? ?? ?? 8B C8 C1 E9 ?? 33 C1 8B C8 C1 E1 ?? 81 C2 ?? ?? ?? ?? 33 C1 43 8D 0C 02 02 C8 49 C1 EA ?? 41 88 0B 8B C8 C1 E1 ?? 33 C1 44 69 C2 ?? ?? ?? ?? 8B C8 C1 E9 ?? 33 C1 8B C8 C1 E1 ?? 41 81 C0 } /*lcg chunk */
|
||||
$opa2 = { 8B C8 41 69 D1 ?? ?? ?? ?? C1 E1 ?? 33 C1 45 8B CA 8B C8 C1 E9 ?? 33 C1 81 C2 ?? ?? ?? ?? 8B C8 C1 E1 ?? 33 C1 41 8B C8 4C 0F AF CF 44 69 C2 ?? ?? ?? ?? 4C 03 C9 45 8B D1 4C 0F AF D7} /*lcg chunk */
|
||||
|
||||
$opb1 = { 45 33 C9 48 89 6C 24 ?? 48 8D 44 24 ?? 48 89 6C 24 ?? 8B D3 48 89 B4 24 ?? ?? ?? ?? 48 89 44 24 ?? 45 8D 41 ?? FF 15 } /* base64 decode */
|
||||
$opb2 = { 44 8B 0F 45 8B C6 48 8B 4D ?? 49 8B D7 44 89 64 24 ?? 48 89 7C 24 ?? 44 89 4C 24 ?? 4C 8D 4D ?? 48 89 44 24 ?? 44 89 64 24 ?? 4C 89 64 24 ?? FF 15} /* AES decryption */
|
||||
$opb3 = { 48 FF C2 66 44 39 2C 56 75 ?? 4C 8D 4C 24 ?? 45 33 C0 48 8B CE FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 44 0F B7 44 24 ?? 33 F6 48 8B 54 24 ?? 45 33 C9 48 8B 0B 48 89 74 24 ?? 89 74 24 ?? C7 44 24 ?? ?? ?? ?? ?? 48 89 74 24 ?? FF 15 } /* internet connection */
|
||||
$opb4 = { 33 C0 48 8D 6B ?? 4C 8D 4C 24 ?? 89 44 24 ?? BA ?? ?? ?? ?? 48 89 44 24 ?? 48 8B CD 89 44 24 ?? 44 8D 40 ?? 8B F8 FF 15} /* VirtualProtect */
|
||||
condition:
|
||||
( all of ($opa*) )
|
||||
or
|
||||
( 1 of ($opa*) and 1 of ($opb*) )
|
||||
or
|
||||
( 3 of ($opb*) )
|
||||
}
|
||||
|
||||
rule SUSP_APT_MAL_NK_3CX_Malicious_Samples_Mar23_1 {
|
||||
meta:
|
||||
description = "Detects marker found in malicious DLLs related to 3CX compromise"
|
||||
author = "X__Junior, Florian Roth (Nextron Systems)"
|
||||
reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
|
||||
date = "2023-03-29"
|
||||
modified = "2023-04-20"
|
||||
score = 75
|
||||
hash1 = "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896"
|
||||
hash2 = "c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02"
|
||||
hash3 = "cc4eedb7b1f77f02b962f4b05278fa7f8082708b5a12cacf928118520762b5e2"
|
||||
id = "9fc6eb94-d02f-5bcd-9f55-b6c6a8301b4f"
|
||||
strings:
|
||||
$opx1 = { 41 80 7C 00 FD FE 75 ?? 41 80 7C 00 FE ED 75 ?? 41 80 7C 00 FF FA 75 ?? 41 80 3C 00 CE } /* marker */
|
||||
$opx2 = { 80 78 ?? FE 75 ?? 80 78 ?? ED 75 ?? 80 38 FA 75 ?? 80 78 ?? CE } /* marker */
|
||||
condition:
|
||||
1 of them
|
||||
}
|
||||
|
||||
rule APT_SUSP_NK_3CX_RC4_Key_Mar23_1 {
|
||||
meta:
|
||||
description = "Detects RC4 key used in 3CX binaries known to be malicious"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
date = "2023-03-29"
|
||||
reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
|
||||
score = 70
|
||||
hash1 = "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896"
|
||||
hash2 = "59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983"
|
||||
hash3 = "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868"
|
||||
hash4 = "c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02"
|
||||
id = "18ea2185-11a1-51ad-a51a-df9e6357bb58"
|
||||
strings:
|
||||
$x1 = "3jB(2bsG#@c7"
|
||||
condition:
|
||||
( uint16(0) == 0xcfd0 or uint16(0) == 0x5a4d )
|
||||
and $x1
|
||||
}
|
||||
|
||||
rule SUSP_3CX_App_Signed_Binary_Mar23_1 {
|
||||
meta:
|
||||
description = "Detects 3CX application binaries signed with a certificate and created in a time frame in which other known malicious binaries have been created"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
date = "2023-03-29"
|
||||
reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
|
||||
score = 65
|
||||
hash1 = "fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405"
|
||||
hash2 = "dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc"
|
||||
id = "b6ce4c1d-1b7b-5e0c-af4c-05cb3ad0a4e0"
|
||||
strings:
|
||||
$sa1 = "3CX Ltd1"
|
||||
$sa2 = "3CX Desktop App" wide
|
||||
$sc1 = { 1B 66 11 DF 9C 9A 4D 6E CC 8E D5 0C 9B 91 78 73 } // Known compromised cert
|
||||
condition:
|
||||
uint16(0) == 0x5a4d
|
||||
and pe.timestamp > 1669680000 // 29.11.2022 earliest known malicious sample
|
||||
and pe.timestamp < 1680108505 // 29.03.2023 date of the report
|
||||
and all of ($sa*)
|
||||
and $sc1 // serial number of known compromised certificate
|
||||
}
|
||||
|
||||
rule SUSP_3CX_MSI_Signed_Binary_Mar23_1 {
|
||||
meta:
|
||||
description = "Detects 3CX MSI installers signed with a known compromised certificate and signed in a time frame in which other known malicious binaries have been signed"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
date = "2023-03-29"
|
||||
reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
|
||||
score = 60
|
||||
hash1 = "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868"
|
||||
hash2 = "59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983"
|
||||
id = "15d6d8ca-6982-5095-9879-ce97269a71c6"
|
||||
strings:
|
||||
$a1 = { 84 10 0C 00 00 00 00 00 C0 00 00 00 00 00 00 46 } // MSI marker
|
||||
|
||||
$sc1 = { 1B 66 11 DF 9C 9A 4D 6E CC 8E D5 0C 9B 91 78 73 } // Known compromised cert
|
||||
|
||||
$s1 = "3CX Ltd1"
|
||||
$s2 = "202303" // in
|
||||
condition:
|
||||
uint16(0) == 0xcfd0
|
||||
and $a1
|
||||
and $sc1
|
||||
and (
|
||||
$s1 in (filesize-20000..filesize)
|
||||
and $s2 in (filesize-20000..filesize)
|
||||
)
|
||||
}
|
||||
|
||||
rule APT_MAL_macOS_NK_3CX_Malicious_Samples_Mar23_1 {
|
||||
meta:
|
||||
description = "Detects malicious macOS application related to 3CX compromise (decrypted payload)"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
|
||||
date = "2023-03-30"
|
||||
score = 80
|
||||
hash1 = "b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb"
|
||||
hash2 = "ac99602999bf9823f221372378f95baa4fc68929bac3a10e8d9a107ec8074eca"
|
||||
hash3 = "51079c7e549cbad25429ff98b6d6ca02dc9234e466dd9b75a5e05b9d7b95af72"
|
||||
id = "ff39e577-7063-5025-bead-68394a86c87c"
|
||||
strings:
|
||||
$s1 = "20230313064152Z0"
|
||||
$s2 = "Developer ID Application: 3CX (33CF4654HL)"
|
||||
condition:
|
||||
( uint16(0) == 0xfeca or uint16(0) == 0xfacf or uint32(0) == 0xbebafeca ) and all of them
|
||||
}
|
||||
|
||||
/* 30.03.2023 */
|
||||
|
||||
rule APT_MAL_MacOS_NK_3CX_DYLIB_Mar23_1 {
|
||||
meta:
|
||||
description = "Detects malicious DYLIB files related to 3CX compromise"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/"
|
||||
date = "2023-03-30"
|
||||
score = 80
|
||||
hash1 = "a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67"
|
||||
hash2 = "fee4f9dabc094df24d83ec1a8c4e4ff573e5d9973caa676f58086c99561382d7"
|
||||
id = "a19904d3-9b2d-561f-b734-20bf09584fa7"
|
||||
strings:
|
||||
/* XORed UA 0x7a */
|
||||
$xc1 = { 37 15 00 13 16 16 1B 55 4F 54 4A 5A 52 2D 13 14
|
||||
1E 15 0D 09 5A 34 2E 5A 4B 4A 54 4A 41 5A 2D 13
|
||||
14 4C 4E 41 5A 02 4C 4E 53 5A 3B 0A 0A 16 1F 2D
|
||||
1F 18 31 13 0E 55 4F 49 4D 54 49 4C 5A 52 31 32
|
||||
2E 37 36 56 5A 16 13 11 1F 5A 3D 1F 19 11 15 53
|
||||
5A 39 12 08 15 17 1F 55 4B 4A 42 54 4A 54 4F 49
|
||||
4F 43 54 4B 48 42 5A 29 1B 1C 1B 08 13 55 4F 49
|
||||
4D 54 49 4C 7A }
|
||||
/* /;3cx_auth_token_content=%s;__tutma= */
|
||||
$xc2 = { 41 49 19 02 25 1b 0f 0e 12 25 0e 15 11 1f 14 25 19 15 14 0e 1f 14 0e 47 5f 09 41 25 25 0e 0f 0e 17 1b 47 }
|
||||
/* /System/Library/CoreServices/SystemVersion.plist */
|
||||
$xc3 = { 55 29 03 09 0e 1f 17 55 36 13 18 08 1b 08 03 55 39 15 08 1f 29 1f 08 0c 13 19 1f 09 55 29 03 09 0e 1f 17 2c 1f 08 09 13 15 14 54 0a 16 13 09 0e }
|
||||
condition:
|
||||
1 of them
|
||||
}
|
||||
|
||||
rule APT_SUSP_NK_3CX_Malicious_Samples_Mar23_1 {
|
||||
meta:
|
||||
description = "Detects indicator (event name) found in samples related to 3CX compromise"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/"
|
||||
date = "2023-03-30"
|
||||
score = 70
|
||||
hash1 = "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896"
|
||||
hash2 = "59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983"
|
||||
hash3 = "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868"
|
||||
hash4 = "c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02"
|
||||
id = "b233846a-19df-579b-a674-233d66824008"
|
||||
strings:
|
||||
$a1 = "AVMonitorRefreshEvent" wide fullword
|
||||
condition:
|
||||
1 of them
|
||||
}
|
||||
|
||||
rule APT_MAL_NK_3CX_Malicious_Samples_Mar23_4 {
|
||||
meta:
|
||||
author = "MalGamy (Nextron Systems)"
|
||||
reference = "https://twitter.com/WhichbufferArda/status/1641404343323688964?s=20"
|
||||
description = "Detects decrypted payload loaded inside 3CXDesktopApp.exe which downloads info stealer"
|
||||
date = "2023-03-29"
|
||||
hash = "851c2c99ebafd4e5e9e140cfe3f2d03533846ca16f8151ae8ee0e83c692884b7"
|
||||
score = 80
|
||||
id = "d11170df-570c-510c-80ec-39048acd0fbd"
|
||||
strings:
|
||||
$op1 = {41 69 D0 [4] 8B C8 C1 E9 ?? 33 C1 8B C8 C1 E1 ?? 81 C2 [4] 33 C1 43 8D 0C 02 02 C8 49 C1 EA ?? 41 88 0B 8B C8 C1 E1 ?? 33 C1 44 69 C2 [4] 8B C8 C1 E9 ?? 33 C1 8B C8 C1 E1 ?? 41 81 C0 [4] 33 C1 4C 0F AF CF 4D 03 CA 45 8B D1 4C 0F AF D7 41 8D 0C 11 49 C1 E9 ?? 02 C8} // // xor with mul operation
|
||||
$op2 = {4D 0F AF CC 44 69 C2 [4] 4C 03 C9 45 8B D1 4D 0F AF D4 41 8D 0C 11 41 81 C0 [4] 02 C8 49 C1 E9 ?? 41 88 4B ?? 4D 03 D1 8B C8 45 8B CA C1 E1 ?? 33 C1} // xor with mul operation
|
||||
$op3 = {33 C1 4C 0F AF C7 8B C8 C1 E1 ?? 4D 03 C2 33 C1} // shift operation
|
||||
condition:
|
||||
2 of them
|
||||
}
|
||||
|
||||
rule MAL_3CXDesktopApp_MacOS_Backdoor_Mar23 {
|
||||
meta:
|
||||
author = "X__Junior (Nextron Systems)"
|
||||
reference = "https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/"
|
||||
description = "Detects 3CXDesktopApp MacOS Backdoor component"
|
||||
date = "2023-03-30"
|
||||
hash = "a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67"
|
||||
score = 80
|
||||
id = "80046c8e-0c2a-5885-b140-a6084f48160d"
|
||||
strings:
|
||||
$sa1 = "%s/.main_storage" ascii fullword
|
||||
$sa2 = "%s/UpdateAgent" ascii fullword
|
||||
|
||||
$op1 = { 31 C0 41 80 34 06 ?? 48 FF C0 48 83 F8 ?? 75 ?? BE ?? ?? ?? ?? BA ?? ?? ?? ?? 4C 89 F7 48 89 D9 E8 ?? ?? ?? ?? 48 89 DF E8 ?? ?? ?? ?? 48 89 DF E8 ?? ?? ?? ?? 4C 89 F7 5B 41 5E 41 5F E9 ?? ?? ?? ?? 5B 41 5E 41 5F C3} /* string decryption */
|
||||
$op2 = { 0F 11 84 24 ?? ?? ?? ?? 0F 28 05 ?? ?? ?? ?? 0F 29 84 24 ?? ?? ?? ?? 0F 28 05 ?? ?? ?? ?? 0F 29 84 24 ?? ?? ?? ?? 31 C0 80 B4 04 ?? ?? ?? ?? ?? 48 FF C0} /* string decryption */
|
||||
condition:
|
||||
( ( uint16(0) == 0xfeca or uint16(0) == 0xfacf or uint32(0) == 0xbebafeca ) and filesize < 6MB
|
||||
and
|
||||
(
|
||||
( 1 of ($sa*) and 1 of ($op* ) )
|
||||
or all of ($sa*)
|
||||
)
|
||||
)
|
||||
or ( all of ($op*) )
|
||||
}
|
||||
|
||||
/* 31.03.2023 */
|
||||
|
||||
rule APT_MAL_NK_3CX_ICONIC_Stealer_Mar23_1 {
|
||||
meta:
|
||||
description = "Detects ICONIC stealer payload used in the 3CX incident"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "https://github.com/volexity/threat-intel/blob/main/2023/2023-03-30%203CX/attachments/iconicstealer.7z"
|
||||
date = "2023-03-31"
|
||||
score = 80
|
||||
hash1 = "8ab3a5eaaf8c296080fadf56b265194681d7da5da7c02562953a4cb60e147423"
|
||||
id = "e92b5b90-1146-5235-9711-a4d42689c49b"
|
||||
strings:
|
||||
|
||||
$s1 = "{\"HostName\": \"%s\", \"DomainName\": \"%s\", \"OsVersion\": \"%d.%d.%d\"}" wide fullword
|
||||
$s2 = "******************************** %s ******************************" wide fullword
|
||||
$s3 = "AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data" wide fullword
|
||||
$s4 = "AppData\\Roaming\\Mozilla\\Firefox\\Profiles" wide fullword
|
||||
$s5 = "SELECT url, title FROM urls ORDER BY id DESC LIMIT 500" wide fullword
|
||||
$s6 = "TEXT value in %s.%s" ascii fullword
|
||||
|
||||
$op1 = { 48 63 d1 48 63 ce 49 03 d1 49 03 cd 4c 63 c7 e8 87 1f 09 00 8b 45 d0 44 8d 04 37 }
|
||||
$op2 = { 48 8b c8 8b 56 f0 48 89 46 d8 e8 78 8f f8 ff e9 ec 13 00 00 c7 46 20 ff ff ff ff e9 e0 13 00 00 33 ff }
|
||||
condition:
|
||||
uint16(0) == 0x5a4d
|
||||
and filesize < 4000KB
|
||||
and 4 of them
|
||||
or 6 of them
|
||||
}
|
||||
|
||||
rule APT_MAL_NK_3CX_macOS_Elextron_App_Mar23_1 {
|
||||
meta:
|
||||
description = "Detects macOS malware used in the 3CX incident"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "Internal Research"
|
||||
date = "2023-03-31"
|
||||
score = 80
|
||||
hash1 = "51079c7e549cbad25429ff98b6d6ca02dc9234e466dd9b75a5e05b9d7b95af72"
|
||||
hash2 = "f7ba7f9bf608128894196cf7314f68b78d2a6df10718c8e0cd64dbe3b86bc730"
|
||||
id = "7a3755d4-37e5-5d3b-93aa-34edb557f2d5"
|
||||
strings:
|
||||
$a1 = "com.apple.security.cs.allow-unsigned-executable-memory" ascii
|
||||
$a2 = "com.electron.3cx-desktop-app" ascii fullword
|
||||
|
||||
$s1 = "s8T/RXMlALbXfowom9qk15FgtdI=" ascii
|
||||
$s2 = "o8NQKPJE6voVZUIGtXihq7lp0cY=" ascii
|
||||
condition:
|
||||
uint16(0) == 0xfacf and
|
||||
filesize < 400KB and (
|
||||
all of ($a*)
|
||||
and 1 of ($s*)
|
||||
)
|
||||
}
|
||||
|
||||
rule MAL_3CXDesktopApp_MacOS_UpdateAgent_Mar23 {
|
||||
meta:
|
||||
description = "Detects 3CXDesktopApp MacOS UpdateAgent backdoor component"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "https://twitter.com/patrickwardle/status/1641692164303515653?s=20"
|
||||
date = "2023-03-30"
|
||||
hash = "9e9a5f8d86356796162cee881c843cde9eaedfb3"
|
||||
score = 80
|
||||
id = "596eb6d0-f96f-5106-ae67-9372d238e4cf"
|
||||
strings:
|
||||
$a1 = "/3CX Desktop App/.main_storage" ascii
|
||||
|
||||
$x1 = ";3cx_auth_token_content=%s;__tutma=true"
|
||||
|
||||
$s1 = "\"url\": \"https://"
|
||||
$s3 = "/dev/null"
|
||||
$s4 = "\"AccountName\": \""
|
||||
condition:
|
||||
uint16(0) == 0xfeca
|
||||
and filesize < 6MB
|
||||
and (
|
||||
1 of ($x*)
|
||||
or ( $a1 and all of ($s*) )
|
||||
) or all of them
|
||||
}
|
||||
|
||||
rule SUSP_APT_3CX_Regtrans_Anomaly_Apr23 : METARULE {
|
||||
meta:
|
||||
description = "Detects suspicious .regtrans-ms files with suspicious size or contents"
|
||||
author = "Florian Roth"
|
||||
reference = "https://www.3cx.com/blog/news/mandiant-initial-results/"
|
||||
date = "2023-04-12"
|
||||
score = 60
|
||||
id = "97406b8d-68fe-5f68-a26a-205dd4694e50"
|
||||
strings:
|
||||
$fp1 = "REGISTRY" wide
|
||||
condition:
|
||||
extension == ".regtrans-ms" and (
|
||||
filesize < 100KB
|
||||
and not 1 of ($fp*)
|
||||
)
|
||||
}
|
||||
|
||||
rule APT_MAL_VEILEDSIGNAL_Backdoor_Apr23_2 {
|
||||
meta:
|
||||
description = "Detects malicious VEILEDSIGNAL backdoor"
|
||||
author = "X__Junior"
|
||||
reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/xtrader-3cx-supply-chain"
|
||||
date = "2023-04-29"
|
||||
hash = "c4887a5cd6d98e273ba6e9ea3c1d8f770ef26239819ea24a1bfebd81d6870505"
|
||||
score = 80
|
||||
id = "ff1fa0bd-19b7-553a-9506-bc5aa5d29056"
|
||||
strings:
|
||||
$sa1 = "\\.\\pipe\\gecko.nativeMessaging" ascii
|
||||
$sa2 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40" ascii
|
||||
$sa3 = "application/json, text/javascript, */*; q=0.01" ascii
|
||||
|
||||
$op1 = { 89 7? 24 ?? 44 8B CD 4C 8B C? 48 89 44 24 ?? 33 D2 33 C9 FF 15} /* MultiByteToWideChar */
|
||||
$op2 = { 4C 8B CB 4C 89 74 24 ?? 4C 8D 05 ?? ?? ?? ?? 44 89 74 24 ?? 33 D2 33 C9 FF 15} /* create thread*/
|
||||
$op3 = { 48 89 74 24 ?? 45 33 C0 89 74 24 ?? 41 B9 ?? ?? ?? ?? 89 74 24 ?? 48 8B D8 48 C7 00 ?? ?? ?? ?? 48 8B 0F 41 8D 50 ?? 48 89 44 24 ?? 89 74 24 ?? FF 15} /* CreateNamedPipeW */
|
||||
condition:
|
||||
all of ($op*) or all of ($sa*)
|
||||
}
|
||||
|
||||
rule APT_MAL_VEILEDSIGNAL_Backdoor_Apr23_3 {
|
||||
meta:
|
||||
description = "Detects malicious VEILEDSIGNAL backdoor"
|
||||
author = "X__Junior"
|
||||
reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/xtrader-3cx-supply-chain"
|
||||
date = "2023-04-29"
|
||||
hash = "595392959b609caf088d027a23443cf2fefd043607ccdec3de19ad3bb43a74b1"
|
||||
score = 80
|
||||
id = "6b6f984e-242a-5b84-baa9-6311992cde9b"
|
||||
strings:
|
||||
$op1 = { 4C 8B CB 4C 89 74 24 ?? 4C 8D 05 ?? ?? ?? ?? 44 89 74 24 ?? 33 D2 33 C9 FF 15} /* create thread*/
|
||||
$op2 = { 89 7? 24 ?? 44 8B CD 4C 8B C? 48 89 44 24 ?? 33 D2 33 C9 FF 15} /* MultiByteToWideChar */
|
||||
$op3 = { 8B 54 24 ?? 4C 8D 4C 24 ?? 45 8D 46 ?? 44 89 74 24 ?? 48 8B CB FF 15} /* virtualprotect */
|
||||
$op4 = { 48 8D 44 24 ?? 45 33 C9 41 B8 01 00 00 40 48 89 44 24 ?? 41 8B D5 48 8B CF FF 15} /* CryptBinaryToStringA */
|
||||
condition:
|
||||
all of them
|
||||
}
|
||||
|
||||
rule APT_MAL_VEILEDSIGNAL_Backdoor_Apr23_4 {
|
||||
meta:
|
||||
description = "Detects malicious VEILEDSIGNAL backdoor"
|
||||
author = "X__Junior"
|
||||
reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/xtrader-3cx-supply-chain"
|
||||
date = "2023-04-29"
|
||||
hash = "9b0761f81afb102bb784b398b16faa965594e469a7fcfdfd553ced19cc17e70b"
|
||||
score = 80
|
||||
id = "77340ec0-36bb-5c47-995f-4e6f76b68fe1"
|
||||
strings:
|
||||
$op1 = { 48 8D 15 ?? ?? ?? ?? 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 48 8D 15 ?? ?? ?? ?? 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 48 8D 15 ?? ?? ?? ?? 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 85 C0 } /* check for certian process */
|
||||
$op2 = { 48 8B C8 48 8D 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 45 33 C0 4C 8D 4D ?? B2 01 41 8D 48 ?? FF D0} /* RtlAdjustPrivilege */
|
||||
$op3 = { 33 FF C7 44 24 ?? 38 02 00 00 33 D2 8D 4F ?? FF 15 ?? ?? ?? ?? 48 8B D8 48 83 F8 FF 74 ?? 48 8D 54 24 ?? 48 8B C8 FF 15 } /* Process32FirstW */
|
||||
$op4 = { 4C 8D 05 ?? ?? ?? ?? 48 89 4C 24 ?? 4C 8B C8 33 D2 89 4C 24 ?? FF 15 } /* create thread*/
|
||||
condition:
|
||||
all of them
|
||||
}
|
|
@ -1,30 +0,0 @@
|
|||
import "pe"
|
||||
|
||||
rule SUSP_VCRuntime_Sideloading_Indicators_Aug23 {
|
||||
meta:
|
||||
description = "Detects indicators of .NET based malware sideloading as VCRUNTIME140 with .NET DLL imports"
|
||||
author = "Jonathan Peters"
|
||||
date = "2023-08-30"
|
||||
hash = "b4bc73dfe9a781e2fee4978127cb9257bc2ffd67fc2df00375acf329d191ffd6"
|
||||
score = 75
|
||||
id = "00400122-1343-5051-af31-880a3ef1745d"
|
||||
condition:
|
||||
(filename == "VCRUNTIME140.dll" or filename == "vcruntime140.dll")
|
||||
and pe.imports("mscoree.dll", "_CorDllMain")
|
||||
}
|
||||
|
||||
// rule SUSP_VCRuntime_Sideloading_Indicators_1_Aug23 {
|
||||
// meta:
|
||||
// description = "Detects indicators of .NET based malware sideloading as an unsigned VCRUNTIME140"
|
||||
// author = "Jonathan Peters"
|
||||
// date = "2023-08-30"
|
||||
// hash = "b4bc73dfe9a781e2fee4978127cb9257bc2ffd67fc2df00375acf329d191ffd6"
|
||||
// score = 75
|
||||
// strings:
|
||||
// $fp1 = "Wine builtin DLL" ascii
|
||||
// condition:
|
||||
// (filename == "VCRUNTIME140.dll" or filename == "vcruntime140.dll")
|
||||
// and not pe.number_of_signatures == 0
|
||||
// and not pe.signatures[0].issuer contains "Microsoft Corporation"
|
||||
// and not $fp1
|
||||
// }
|
|
@ -1,103 +0,0 @@
|
|||
/*
|
||||
Webshell rules that use external variables for false positive filtering
|
||||
*/
|
||||
|
||||
rule webshell_php_by_string_obfuscation : FILE {
|
||||
meta:
|
||||
description = "PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Arnim Rupp"
|
||||
date = "2021/01/09"
|
||||
modified = "2022-10-25"
|
||||
hash = "e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc"
|
||||
id = "be890bf6-de7e-588e-b5cd-72e8081d0b9c"
|
||||
strings:
|
||||
$opbs13 = "{\"_P\"./*-/*-*/\"OS\"./*-/*-*/\"T\"}" wide ascii
|
||||
$opbs14 = "/*-/*-*/\"" wide ascii
|
||||
$opbs16 = "'ev'.'al'" wide ascii
|
||||
$opbs17 = "'e'.'val'" wide ascii
|
||||
$opbs18 = "e'.'v'.'a'.'l" wide ascii
|
||||
$opbs19 = "bas'.'e6'." wide ascii
|
||||
$opbs20 = "ba'.'se6'." wide ascii
|
||||
$opbs21 = "as'.'e'.'6'" wide ascii
|
||||
$opbs22 = "gz'.'inf'." wide ascii
|
||||
$opbs23 = "gz'.'un'.'c" wide ascii
|
||||
$opbs24 = "e'.'co'.'d" wide ascii
|
||||
$opbs25 = "cr\".\"eat" wide ascii
|
||||
$opbs26 = "un\".\"ct" wide ascii
|
||||
$opbs27 = "'c'.'h'.'r'" wide ascii
|
||||
$opbs28 = "\"ht\".\"tp\".\":/\"" wide ascii
|
||||
$opbs29 = "\"ht\".\"tp\".\"s:" wide ascii
|
||||
$opbs31 = "'ev'.'al'" nocase wide ascii
|
||||
$opbs32 = "eval/*" nocase wide ascii
|
||||
$opbs33 = "eval(/*" nocase wide ascii
|
||||
$opbs34 = "eval(\"/*" nocase wide ascii
|
||||
$opbs36 = "assert/*" nocase wide ascii
|
||||
$opbs37 = "assert(/*" nocase wide ascii
|
||||
$opbs38 = "assert(\"/*" nocase wide ascii
|
||||
$opbs40 = "'ass'.'ert'" nocase wide ascii
|
||||
$opbs41 = "${'_'.$_}['_'](${'_'.$_}['__'])" wide ascii
|
||||
$opbs44 = "'s'.'s'.'e'.'r'.'t'" nocase wide ascii
|
||||
$opbs45 = "'P'.'O'.'S'.'T'" wide ascii
|
||||
$opbs46 = "'G'.'E'.'T'" wide ascii
|
||||
$opbs47 = "'R'.'E'.'Q'.'U'" wide ascii
|
||||
$opbs48 = "se'.(32*2)" nocase
|
||||
$opbs49 = "'s'.'t'.'r_'" nocase
|
||||
$opbs50 = "'ro'.'t13'" nocase
|
||||
$opbs51 = "c'.'od'.'e" nocase
|
||||
$opbs53 = "e'. 128/2 .'_' .'d"
|
||||
// move malicious code out of sight if line wrapping not enabled
|
||||
$opbs54 = "<?php " //here I end
|
||||
$opbs55 = "=chr(99).chr(104).chr(114);$_"
|
||||
$opbs56 = "\\x47LOBAL"
|
||||
$opbs57 = "pay\".\"load"
|
||||
$opbs58 = "bas'.'e64"
|
||||
$opbs59 = "dec'.'ode"
|
||||
$opbs60 = "fla'.'te"
|
||||
// rot13 of eval($_POST
|
||||
$opbs70 = "riny($_CBFG["
|
||||
$opbs71 = "riny($_TRG["
|
||||
$opbs72 = "riny($_ERDHRFG["
|
||||
$opbs73 = "eval(str_rot13("
|
||||
$opbs74 = "\"p\".\"r\".\"e\".\"g\""
|
||||
$opbs75 = "$_'.'GET"
|
||||
$opbs76 = "'ev'.'al("
|
||||
// eval( in hex
|
||||
$opbs77 = "\\x65\\x76\\x61\\x6c\\x28" wide ascii nocase
|
||||
|
||||
//strings from private rule capa_php_old_safe
|
||||
$php_short = "<?" wide ascii
|
||||
// prevent xml and asp from hitting with the short tag
|
||||
$no_xml1 = "<?xml version" nocase wide ascii
|
||||
$no_xml2 = "<?xml-stylesheet" nocase wide ascii
|
||||
$no_asp1 = "<%@LANGUAGE" nocase wide ascii
|
||||
$no_asp2 = /<script language="(vb|jscript|c#)/ nocase wide ascii
|
||||
$no_pdf = "<?xpacket"
|
||||
|
||||
// of course the new tags should also match
|
||||
// already matched by "<?"
|
||||
$php_new1 = /<\?=[^?]/ wide ascii
|
||||
$php_new2 = "<?php" nocase wide ascii
|
||||
$php_new3 = "<script language=\"php" nocase wide ascii
|
||||
|
||||
$fp1 = "NanoSpell TinyMCE Spellchecker for PHP" ascii fullword
|
||||
condition:
|
||||
filesize < 500KB and (
|
||||
(
|
||||
(
|
||||
$php_short in (0..100) or
|
||||
$php_short in (filesize-1000..filesize)
|
||||
)
|
||||
and not any of ( $no_* )
|
||||
)
|
||||
or any of ( $php_new* )
|
||||
)
|
||||
and any of ( $opbs* )
|
||||
and not 1 of ($fp*)
|
||||
and not filepath contains "\\Cache\\" /* generic cache e.g. for Chrome: \User Data\Default\Cache\ */
|
||||
and not filepath contains "\\User Data\\Default\\Extensions\\" // chrome extensions
|
||||
and not filepath contains "\\cache2\\" // FF cache
|
||||
and not filepath contains "\\Microsoft\\Windows\\INetCache\\IE\\" // old IE
|
||||
and not filepath contains "/com.apple.Safari/WebKitCache/"
|
||||
and not filepath contains "\\Edge\\User Data\\" // some uncommon Edge path
|
||||
}
|
|
@ -1,153 +0,0 @@
|
|||
/*
|
||||
|
||||
Generic Cloaking
|
||||
|
||||
Florian Roth
|
||||
Nextron Systems GmbH
|
||||
|
||||
License: Detetction Rule License 1.1 (https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md)
|
||||
|
||||
*/
|
||||
|
||||
rule EXE_cloaked_as_TXT {
|
||||
meta:
|
||||
description = "Executable with TXT extension"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
id = "2188c0fe-71b0-5dee-bde9-f310c66e39c6"
|
||||
condition:
|
||||
uint16(0) == 0x5a4d // Executable
|
||||
and filename matches /\.txt$/is // TXT extension (case insensitive)
|
||||
}
|
||||
|
||||
rule EXE_extension_cloaking {
|
||||
meta:
|
||||
description = "Executable showing different extension (Windows default 'hide known extension')"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
id = "78da6129-a11d-5e9e-8eaf-2a18178b7278"
|
||||
condition:
|
||||
filename matches /\.txt\.exe$/is or // Special file extensions
|
||||
filename matches /\.pdf\.exe$/is // Special file extensions
|
||||
}
|
||||
|
||||
rule Cloaked_RAR_File {
|
||||
meta:
|
||||
description = "RAR file cloaked by a different extension"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
id = "a3a9ad40-8a39-513d-be95-73f5a909265e"
|
||||
condition:
|
||||
uint32be(0) == 0x52617221 // RAR File Magic Header
|
||||
and not filename matches /(rarnew.dat|\.rar)$/is // not the .RAR extension
|
||||
and not filename matches /\.[rR][\d]{2}$/ // split RAR file
|
||||
and not filepath contains "Recycle" // not a deleted RAR file in recycler
|
||||
}
|
||||
|
||||
rule Base64_encoded_Executable : FILE {
|
||||
meta:
|
||||
description = "Detects an base64 encoded executable (often embedded)"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
date = "2015-05-28"
|
||||
score = 40
|
||||
id = "0bfc5916-3e63-5601-9f14-65f848c9322b"
|
||||
strings:
|
||||
$s1 = "TVpTAQEAAAAEAAAA//8AALgAAAA" // 14 samples in goodware archive
|
||||
$s2 = "TVoAAAAAAAAAAAAAAAAAAAAAAAA" // 26 samples in goodware archive
|
||||
$s3 = "TVqAAAEAAAAEABAAAAAAAAAAAAA" // 75 samples in goodware archive
|
||||
$s4 = "TVpQAAIAAAAEAA8A//8AALgAAAA" // 168 samples in goodware archive
|
||||
$s5 = "TVqQAAMAAAAEAAAA//8AALgAAAA" // 28,529 samples in goodware archive
|
||||
condition:
|
||||
1 of them
|
||||
and not filepath contains "Thunderbird"
|
||||
and not filepath contains "Internet Explorer"
|
||||
and not filepath contains "Chrome"
|
||||
and not filepath contains "Opera"
|
||||
and not filepath contains "Outlook"
|
||||
and not filepath contains "Temporary Internet Files"
|
||||
}
|
||||
|
||||
rule Gen_Base64_EXE: HIGHVOL {
|
||||
meta:
|
||||
description = "Detects Base64 encoded Executable in Executable"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "Internal Research"
|
||||
date = "2017-04-21"
|
||||
id = "ef919a63-9a29-5624-a084-b92e3578e3a6"
|
||||
strings:
|
||||
$s1 = "TVpTAQEAAAAEAAAA//8AALgAAAA" wide ascii // 14 samples
|
||||
$s2 = "TVoAAAAAAAAAAAAAAAAAAAAAAAA" wide ascii // 26 samples
|
||||
$s3 = "TVqAAAEAAAAEABAAAAAAAAAAAAA" wide ascii // 75 samples
|
||||
$s4 = "TVpQAAIAAAAEAA8A//8AALgAAAA" wide ascii // 168 samples
|
||||
$s5 = "TVqQAAMAAAAEAAAA//8AALgAAAA" wide ascii // 28,529 samples
|
||||
|
||||
$fp1 = "BAM Management class library"
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and filesize < 5000KB and 1 of ($s*)
|
||||
and not 1 of ($fp*)
|
||||
}
|
||||
|
||||
rule Binary_Drop_Certutil {
|
||||
meta:
|
||||
description = "Drop binary as base64 encoded cert trick"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "https://goo.gl/9DNn8q"
|
||||
date = "2015-07-15"
|
||||
score = 70
|
||||
id = "19791e51-d041-524d-80fa-9f3ec54eb084"
|
||||
strings:
|
||||
$s0 = "echo -----BEGIN CERTIFICATE----- >" ascii
|
||||
$s1 = "echo -----END CERTIFICATE----- >>" ascii
|
||||
$s2 = "certutil -decode " ascii
|
||||
condition:
|
||||
filesize < 10KB and all of them
|
||||
}
|
||||
|
||||
rule StegoKatz {
|
||||
meta:
|
||||
description = "Encoded Mimikatz in other file types"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "https://goo.gl/jWPBBY"
|
||||
date = "2015-09-11"
|
||||
score = 70
|
||||
id = "78868bb0-af69-573d-afd2-350a46f69137"
|
||||
strings:
|
||||
$s1 = "VC92Ny9TSXZMNk5jLy8vOUlqUTFVRlFNQTZMLysvdjlJaTh2L0ZUNXJBUUJJaTFRa1NFaUx6K2hWSS8vL1NJME44bklCQU9pZC92Ny9USTJjSkpBQUFBQXp3RW1MV3hCSmkyc1lTWXR6S0VtTDQxL0R6TXhNaTl4SmlWc0lUWWxMSUUySlF4aFZWbGRCVkVGVlFWWkJWMGlCN1BBQUFBQklnMlFrYUFDNE1BQUFBRW1MNkVTTmNPQ0pSQ1JnaVVRa1pFbU5RN0JKaTlsTWpRWFBGQU1BU0ls" ascii
|
||||
$s2 = "Rpd3ovN3FlalVtNklLQ0xNNGtOV1BiY0VOVHROT0Zud25CWGN0WS9BcEdMR28rK01OWm85Nm9xMlNnY1U5aTgrSTBvNkFob1FOTzRHQWdtUElEVmlqald0Tk90b2FmN01ESWJUQkF5T0pYbTB4bFVHRTBZWEFWOXVoNHBkQnRrS0VFWWVBSEE2TDFzU0c5a2ZFTEc3QWd4WTBYY1l3ZzB6QUFXS09JZE9wQVhEK3lnS3lsR3B5Q1ljR1NJdFNseGZKWUlVVkNFdEZPVjRJUldERUl1QXpKZ2pCQWdsd0Va" ascii
|
||||
condition:
|
||||
filesize < 1000KB and 1 of them
|
||||
}
|
||||
|
||||
rule Obfuscated_VBS_April17 {
|
||||
meta:
|
||||
description = "Detects cloaked Mimikatz in VBS obfuscation"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "Internal Research"
|
||||
date = "2017-04-21"
|
||||
id = "ca60b885-bb56-55ee-a2b3-dea6958883c2"
|
||||
strings:
|
||||
$s1 = "::::::ExecuteGlobal unescape(unescape(" ascii
|
||||
condition:
|
||||
filesize < 500KB and all of them
|
||||
}
|
||||
|
||||
rule Obfuscated_JS_April17 {
|
||||
meta:
|
||||
description = "Detects cloaked Mimikatz in JS obfuscation"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "Internal Research"
|
||||
date = "2017-04-21"
|
||||
id = "44abd2c0-5f8d-5a8c-b282-a09853e12054"
|
||||
strings:
|
||||
$s1 = "\";function Main(){for(var " ascii
|
||||
$s2 = "=String.fromCharCode(parseInt(" ascii
|
||||
$s3 = "));(new Function(" ascii
|
||||
condition:
|
||||
filesize < 500KB and all of them
|
||||
}
|
|
@ -1,518 +0,0 @@
|
|||
/*
|
||||
|
||||
Generic Anomalies
|
||||
|
||||
Florian Roth
|
||||
Nextron Systems GmbH
|
||||
|
||||
License: Detetction Rule License 1.1 (https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md)
|
||||
|
||||
*/
|
||||
|
||||
/* Performance killer - value isn't big enough
|
||||
rule Embedded_EXE_Cloaking {
|
||||
meta:
|
||||
description = "Detects an embedded executable in a non-executable file"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
date = "2015/02/27"
|
||||
score = 65
|
||||
strings:
|
||||
$noex_png = { 89 50 4E 47 }
|
||||
$noex_pdf = { 25 50 44 46 }
|
||||
$noex_rtf = { 7B 5C 72 74 66 31 }
|
||||
$noex_jpg = { FF D8 FF E0 }
|
||||
$noex_gif = { 47 49 46 38 }
|
||||
$mz = { 4D 5A }
|
||||
$a1 = "This program cannot be run in DOS mode"
|
||||
$a2 = "This program must be run under Win32"
|
||||
condition:
|
||||
(
|
||||
( $noex_png at 0 ) or
|
||||
( $noex_pdf at 0 ) or
|
||||
( $noex_rtf at 0 ) or
|
||||
( $noex_jpg at 0 ) or
|
||||
( $noex_gif at 0 )
|
||||
)
|
||||
and
|
||||
for any i in (1..#mz): ( @a1 < ( @mz[i] + 200 ) or @a2 < ( @mz[i] + 200 ) )
|
||||
}
|
||||
*/
|
||||
|
||||
// whitelist-approach failed : reworked in SUSP_Known_Type_Cloaked_as_JPG
|
||||
|
||||
// rule Cloaked_as_JPG {
|
||||
// meta:
|
||||
// description = "Detects a non-JPEG file cloaked as JPG"
|
||||
// author = "Florian Roth (Nextron Systems)"
|
||||
// date = "2015/03/02"
|
||||
// modified = "2022-09-16"
|
||||
// score = 40
|
||||
// strings:
|
||||
// $fp1 = "<!DOCTYPE" ascii
|
||||
// $fp2 = "Sophos Encrypted File Format" ascii
|
||||
// $fp3 = "This is a critical resource file used by WatchGuard/TDR" ascii
|
||||
// condition:
|
||||
// uint16be(0) != 0xFFD8 and extension == ".jpg"
|
||||
// and filetype != "GIF"
|
||||
// and filetype != "PDF"
|
||||
// and not $fp1 in (0..30)
|
||||
// and not $fp2 at 0
|
||||
// and not $fp3
|
||||
// and not uint16(0) == 0x8b1f /* GZIP */
|
||||
// and not uint16(0) == 0x4d42 /* BMP */
|
||||
// and not uint32(0) == 0x474E5089 /* PNG Header */
|
||||
// and not uint32(0) == 0x002A4949 /* TIFF Header */
|
||||
// and not uint32be(0) == 0x3c737667 /* <svg */
|
||||
// and not uint32be(0) == 0x52494646 /* RIFF (WebP) */
|
||||
// and not uint32be(0x4) == 0x66747970 /* HEIF Header https://github.com/strukturag/libheif/commit/6ca8e2548dbfe21200bae3a7c2c315a1796e3852 */
|
||||
// and not uint32be(0xe) == 0x4a464946 /* JFIF distributed by Matlab */
|
||||
// and not filename matches /\$[Ii][A-Z0-9]{6}/
|
||||
// and not filepath contains "WinSxS"
|
||||
// and not filepath contains "Package_for_RollupFix"
|
||||
// and not filename matches /^\._/
|
||||
// and not filepath contains "$Recycle.Bin"
|
||||
// and not filepath contains "\\Cache\\" /* generic cache e.g. for Chrome: \User Data\Default\Cache\ */
|
||||
// and not filepath contains "\\User Data\\Default\\Extensions\\" // chrome extensions
|
||||
// and not filepath contains "\\cache2\\" // FF cache
|
||||
// and not filepath contains "\\Microsoft\\Windows\\INetCache\\IE\\" // old IE
|
||||
// and not filepath contains "/com.apple.Safari/WebKitCache/"
|
||||
// and not filepath contains "\\Edge\\User Data\\" // some uncommon Edge path
|
||||
// and not filepath contains "/Code/"
|
||||
// and not filepath contains "\\Code\\"
|
||||
// }
|
||||
|
||||
rule SUSP_Known_Type_Cloaked_as_JPG {
|
||||
meta:
|
||||
description = "Detects a non-JPEG file type cloaked as .jpg"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "Internal Research - replacement for Cloaked_as_JPG rule"
|
||||
date = "2022-09-16"
|
||||
score = 60
|
||||
id = "728908a6-74cf-5bab-a23f-cd03ed209430"
|
||||
condition:
|
||||
( extension == ".jpg" or extension == ".jpeg" ) and (
|
||||
filetype == "EXE" or
|
||||
filetype == "ELF" or
|
||||
filetype == "MACH-O" or
|
||||
filetype == "VBS" or
|
||||
filetype == "PHP" or
|
||||
filetype == "JSP" or
|
||||
filetype == "Python" or
|
||||
filetype == "LSASS Dump File" or
|
||||
filetype == "ASP" or
|
||||
filetype == "BATCH" or
|
||||
filetype == "RTF" or
|
||||
filetype == "MDMP" or
|
||||
|
||||
filetype contains "PowerShell" or
|
||||
filetype contains "Base64"
|
||||
)
|
||||
}
|
||||
|
||||
/*
|
||||
Yara Rule Set
|
||||
Author: Florian Roth
|
||||
Date: 2015-12-21
|
||||
Identifier: Uncommon File Sizes
|
||||
*/
|
||||
|
||||
rule Suspicious_Size_explorer_exe {
|
||||
meta:
|
||||
description = "Detects uncommon file size of explorer.exe"
|
||||
license = "https://creativecommons.org/licenses/by-nc/4.0/"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
score = 60
|
||||
nodeepdive = 1
|
||||
date = "2015-12-21"
|
||||
modified = "2022-04-27"
|
||||
noarchivescan = 1
|
||||
id = "408bdb95-3b15-5f4e-a948-949ea4ce0477"
|
||||
strings:
|
||||
$fp = "Wine placeholder DLL"
|
||||
condition:
|
||||
uint16(0) == 0x5a4d
|
||||
and filename == "explorer.exe"
|
||||
and not filepath contains "teamviewer"
|
||||
and not filepath contains "/lib/wine/fakedlls"
|
||||
and ( filesize < 800KB or filesize > 6500KB )
|
||||
and not $fp
|
||||
}
|
||||
|
||||
rule Suspicious_Size_chrome_exe {
|
||||
meta:
|
||||
description = "Detects uncommon file size of chrome.exe"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
score = 60
|
||||
nodeepdive = 1
|
||||
date = "2015-12-21"
|
||||
modified = "2022-09-15"
|
||||
noarchivescan = 1
|
||||
id = "f164394a-5c02-5056-aceb-044ee118578d"
|
||||
strings:
|
||||
$fp1 = "HP Sure Click Chromium Launcher" wide
|
||||
$fp2 = "BrChromiumLauncher.exe" wide fullword
|
||||
condition:
|
||||
uint16(0) == 0x5a4d
|
||||
and filename == "chrome.exe"
|
||||
and ( filesize < 500KB or filesize > 5000KB )
|
||||
and not 1 of ($fp*)
|
||||
}
|
||||
|
||||
rule Suspicious_Size_csrss_exe {
|
||||
meta:
|
||||
description = "Detects uncommon file size of csrss.exe"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
score = 60
|
||||
date = "2015-12-21"
|
||||
modified = "2022-01-28"
|
||||
noarchivescan = 1
|
||||
id = "5a247b51-6c91-5753-95b3-4a4c2b2286eb"
|
||||
condition:
|
||||
uint16(0) == 0x5a4d
|
||||
and filename == "csrss.exe"
|
||||
and ( filesize > 50KB )
|
||||
}
|
||||
|
||||
rule Suspicious_Size_iexplore_exe {
|
||||
meta:
|
||||
description = "Detects uncommon file size of iexplore.exe"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
score = 60
|
||||
date = "2015-12-21"
|
||||
noarchivescan = 1
|
||||
id = "d097a599-0fad-574f-8281-46c910e8e54d"
|
||||
condition:
|
||||
uint16(0) == 0x5a4d
|
||||
and filename == "iexplore.exe"
|
||||
and not filepath contains "teamviewer"
|
||||
and ( filesize < 75KB or filesize > 910KB )
|
||||
}
|
||||
|
||||
rule Suspicious_Size_firefox_exe {
|
||||
meta:
|
||||
description = "Detects uncommon file size of firefox.exe"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
score = 60
|
||||
date = "2015-12-21"
|
||||
noarchivescan = 1
|
||||
id = "73c4b838-9277-5756-a35d-4a644be5ad5d"
|
||||
condition:
|
||||
uint16(0) == 0x5a4d
|
||||
and filename == "firefox.exe"
|
||||
and ( filesize < 265KB or filesize > 910KB )
|
||||
}
|
||||
|
||||
rule Suspicious_Size_java_exe {
|
||||
meta:
|
||||
description = "Detects uncommon file size of java.exe"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
score = 60
|
||||
date = "2015-12-21"
|
||||
noarchivescan = 1
|
||||
id = "b6dc297b-8388-5e39-ba77-c027cdea7afa"
|
||||
condition:
|
||||
uint16(0) == 0x5a4d
|
||||
and filename == "java.exe"
|
||||
and ( filesize < 30KB or filesize > 900KB )
|
||||
}
|
||||
|
||||
rule Suspicious_Size_lsass_exe {
|
||||
meta:
|
||||
description = "Detects uncommon file size of lsass.exe"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
score = 60
|
||||
date = "2015-12-21"
|
||||
noarchivescan = 1
|
||||
id = "005661c7-7576-5c13-9534-b49c12b2faad"
|
||||
condition:
|
||||
uint16(0) == 0x5a4d
|
||||
and filename == "lsass.exe"
|
||||
and ( filesize < 10KB or filesize > 100KB )
|
||||
}
|
||||
|
||||
rule Suspicious_Size_svchost_exe {
|
||||
meta:
|
||||
description = "Detects uncommon file size of svchost.exe"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
score = 60
|
||||
date = "2015-12-21"
|
||||
noarchivescan = 1
|
||||
id = "31a8d00e-ebfc-5001-9c58-d3a2580f16b3"
|
||||
condition:
|
||||
uint16(0) == 0x5a4d
|
||||
and filename == "svchost.exe"
|
||||
and ( filesize < 14KB or filesize > 100KB )
|
||||
}
|
||||
|
||||
rule Suspicious_Size_winlogon_exe {
|
||||
meta:
|
||||
description = "Detects uncommon file size of winlogon.exe"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
score = 60
|
||||
date = "2015-12-21"
|
||||
noarchivescan = 1
|
||||
id = "8665e8d0-3b5f-5227-8879-cdd614123439"
|
||||
condition:
|
||||
uint16(0) == 0x5a4d
|
||||
and filename == "winlogon.exe"
|
||||
and ( filesize < 279KB or filesize > 970KB )
|
||||
}
|
||||
|
||||
rule Suspicious_Size_igfxhk_exe {
|
||||
meta:
|
||||
description = "Detects uncommon file size of igfxhk.exe"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
score = 60
|
||||
date = "2015-12-21"
|
||||
modified = "2022-03-08"
|
||||
noarchivescan = 1
|
||||
id = "18cc167a-3e65-567f-adcf-d2d311520c1d"
|
||||
condition:
|
||||
uint16(0) == 0x5a4d
|
||||
and filename == "igfxhk.exe"
|
||||
and ( filesize < 200KB or filesize > 300KB )
|
||||
}
|
||||
|
||||
rule Suspicious_Size_servicehost_dll {
|
||||
meta:
|
||||
description = "Detects uncommon file size of servicehost.dll"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
score = 60
|
||||
date = "2015-12-23"
|
||||
noarchivescan = 1
|
||||
id = "ac71393c-a475-59e0-b22a-d5ee3d25084b"
|
||||
condition:
|
||||
uint16(0) == 0x5a4d
|
||||
and filename == "servicehost.dll"
|
||||
and filesize > 150KB
|
||||
}
|
||||
|
||||
rule Suspicious_Size_rundll32_exe {
|
||||
meta:
|
||||
description = "Detects uncommon file size of rundll32.exe"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
score = 60
|
||||
date = "2015-12-23"
|
||||
noarchivescan = 1
|
||||
id = "5b9feae7-17d8-56e4-870a-ef865f2d09bf"
|
||||
condition:
|
||||
uint16(0) == 0x5a4d
|
||||
and filename == "rundll32.exe"
|
||||
and ( filesize < 30KB or filesize > 120KB )
|
||||
}
|
||||
|
||||
rule Suspicious_Size_taskhost_exe {
|
||||
meta:
|
||||
description = "Detects uncommon file size of taskhost.exe"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
score = 60
|
||||
date = "2015-12-23"
|
||||
noarchivescan = 1
|
||||
id = "71b6c853-f490-5d5a-b481-909f6f3a8798"
|
||||
condition:
|
||||
uint16(0) == 0x5a4d
|
||||
and filename == "taskhost.exe"
|
||||
and ( filesize < 45KB or filesize > 120KB )
|
||||
}
|
||||
|
||||
rule Suspicious_Size_spoolsv_exe {
|
||||
meta:
|
||||
description = "Detects uncommon file size of spoolsv.exe"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
score = 60
|
||||
date = "2015-12-23"
|
||||
noarchivescan = 1
|
||||
id = "14bb3463-b99f-57e1-8cff-fe9a34771093"
|
||||
condition:
|
||||
uint16(0) == 0x5a4d
|
||||
and filename == "spoolsv.exe"
|
||||
and ( filesize < 50KB or filesize > 1000KB )
|
||||
}
|
||||
|
||||
rule Suspicious_Size_smss_exe {
|
||||
meta:
|
||||
description = "Detects uncommon file size of smss.exe"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
score = 60
|
||||
date = "2015-12-23"
|
||||
noarchivescan = 1
|
||||
id = "7bdc8953-9240-5d22-b2a6-fe95fbc101c2"
|
||||
condition:
|
||||
uint16(0) == 0x5a4d
|
||||
and filename == "smss.exe"
|
||||
and ( filesize < 40KB or filesize > 5000KB )
|
||||
}
|
||||
|
||||
rule Suspicious_Size_wininit_exe {
|
||||
meta:
|
||||
description = "Detects uncommon file size of wininit.exe"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
score = 60
|
||||
date = "2015-12-23"
|
||||
noarchivescan = 1
|
||||
id = "7b58f497-f214-5bf3-8a5c-8edb52749d09"
|
||||
condition:
|
||||
uint16(0) == 0x5a4d
|
||||
and filename == "wininit.exe"
|
||||
and ( filesize < 90KB or filesize > 800KB )
|
||||
}
|
||||
|
||||
rule Suspicious_AutoIt_by_Microsoft {
|
||||
meta:
|
||||
description = "Detects a AutoIt script with Microsoft identification"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "Internal Research - VT"
|
||||
date = "2017-12-14"
|
||||
score = 60
|
||||
hash1 = "c0cbcc598d4e8b501aa0bd92115b4c68ccda0993ca0c6ce19edd2e04416b6213"
|
||||
id = "69b1c93d-ab12-5fdc-b6eb-fb135796d3a9"
|
||||
strings:
|
||||
$s1 = "Microsoft Corporation. All rights reserved" fullword wide
|
||||
$s2 = "AutoIt" fullword ascii
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and filesize < 2000KB and all of them
|
||||
}
|
||||
|
||||
rule SUSP_Size_of_ASUS_TuningTool {
|
||||
meta:
|
||||
description = "Detects an ASUS tuning tool with a suspicious size"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/"
|
||||
date = "2018-10-17"
|
||||
modified = "2022-12-21"
|
||||
score = 60
|
||||
noarchivescan = 1
|
||||
hash1 = "d4e97a18be820a1a3af639c9bca21c5f85a3f49a37275b37fd012faeffcb7c4a"
|
||||
id = "d22a1bf9-55d6-5cb4-9537-ad13b23af4d1"
|
||||
strings:
|
||||
$s1 = "\\Release\\ASGT.pdb" ascii
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and filesize < 300KB and filesize > 70KB and all of them
|
||||
}
|
||||
|
||||
rule SUSP_PiratedOffice_2007 {
|
||||
meta:
|
||||
description = "Detects an Office document that was created with a pirated version of MS Office 2007"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "https://twitter.com/pwnallthethings/status/743230570440826886?lang=en"
|
||||
date = "2018-12-04"
|
||||
score = 40
|
||||
hash1 = "210448e58a50da22c0031f016ed1554856ed8abe79ea07193dc8f5599343f633"
|
||||
id = "b36e9a59-7617-503b-968d-5b6b72b227ea"
|
||||
strings:
|
||||
$s7 = "<Company>Grizli777</Company>" ascii
|
||||
condition:
|
||||
uint16(0) == 0xcfd0 and filesize < 300KB and all of them
|
||||
}
|
||||
|
||||
rule SUSP_Scheduled_Task_BigSize {
|
||||
meta:
|
||||
description = "Detects suspiciously big scheduled task XML file as seen in combination with embedded base64 encoded PowerShell code"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "Internal Research"
|
||||
date = "2018-12-06"
|
||||
id = "61b07b30-1058-5a53-99e7-2c48ec9d23b5"
|
||||
strings:
|
||||
$a0 = "<Task version=" ascii wide
|
||||
$a1 = "xmlns=\"http://schemas.microsoft.com/windows/" ascii wide
|
||||
|
||||
$fp1 = "</Counter><Counter>" wide
|
||||
$fp2 = "Office Feature Updates Logon" wide
|
||||
$fp3 = "Microsoft Shared" fullword wide
|
||||
condition:
|
||||
uint16(0) == 0xfeff and filesize > 20KB and all of ($a*) and not 1 of ($fp*)
|
||||
}
|
||||
|
||||
rule SUSP_Putty_Unnormal_Size {
|
||||
meta:
|
||||
description = "Detects a putty version with a size different than the one provided by Simon Tatham (could be caused by an additional signature or malware)"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "Internal Research"
|
||||
date = "2019-01-07"
|
||||
modified = "2022-06-30"
|
||||
score = 50
|
||||
hash1 = "e5e89bdff733d6db1cffe8b3527e823c32a78076f8eadc2f9fd486b74a0e9d88"
|
||||
hash2 = "ce4c1b718b54973291aefdd63d1cca4e4d8d4f5353a2be7f139a290206d0c170"
|
||||
hash3 = "adb72ea4eab7b2efc2da6e72256b5a3bb388e9cdd4da4d3ff42a9fec080aa96f"
|
||||
hash4 = "1c0bd6660fa43fa90bd88b56cdd4a4c2ffb4ef9d04e8893109407aa7039277db"
|
||||
id = "576b118c-d4be-5ce2-994a-ce3f943dda88"
|
||||
strings:
|
||||
$s1 = "SSH, Telnet and Rlogin client" fullword wide
|
||||
|
||||
$v1 = "Release 0.6" wide
|
||||
$v2 = "Release 0.70" wide
|
||||
|
||||
$fp1 = "KiTTY fork" fullword wide
|
||||
condition:
|
||||
uint16(0) == 0x5a4d
|
||||
and $s1 and 1 of ($v*)
|
||||
and not 1 of ($fp*)
|
||||
// has offset
|
||||
and filesize != 524288
|
||||
and filesize != 495616
|
||||
and filesize != 483328
|
||||
and filesize != 524288
|
||||
and filesize != 712176
|
||||
and filesize != 828400
|
||||
and filesize != 569328
|
||||
and filesize != 454656
|
||||
and filesize != 531368
|
||||
and filesize != 524288
|
||||
and filesize != 483328
|
||||
and filesize != 713592
|
||||
and filesize != 829304
|
||||
and filesize != 571256
|
||||
and filesize != 774200
|
||||
and filesize != 854072
|
||||
and filesize != 665144
|
||||
and filesize != 774200
|
||||
and filesize != 854072
|
||||
and filesize != 665144
|
||||
and filesize != 640000 /* putty provided by Safenet https://thalesdocs.com/gphsm/luna/7.1/docs/network/Content/install/sa_hw_install/hardware_installation_lunasa.htm */
|
||||
and filesize != 650720 /* Citrix XenCenter */
|
||||
and filesize != 662808 /* Citrix XenCenter */
|
||||
and filesize != 651256 /* Citrix XenCenter */
|
||||
and filesize != 664432 /* Citrix XenCenter */
|
||||
}
|
||||
|
||||
rule SUSP_RTF_Header_Anomaly {
|
||||
meta:
|
||||
description = "Detects malformed RTF header often used to trick mechanisms that check for a full RTF header"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "https://twitter.com/ItsReallyNick/status/975705759618158593"
|
||||
date = "2019-01-20"
|
||||
modified = "2022-09-15"
|
||||
score = 50
|
||||
id = "fb362640-9a45-5ee5-8749-3980e0549932"
|
||||
condition:
|
||||
uint32(0) == 0x74725c7b and /* {\rt */
|
||||
not uint8(4) == 0x66 /* not f */
|
||||
}
|
||||
|
||||
rule WEBSHELL_ASPX_ProxyShell_Aug21_1 {
|
||||
meta:
|
||||
description = "Detects webshells dropped by ProxyShell exploitation based on their file header (must be PST) and extension"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-servers-are-getting-hacked-via-proxyshell-exploits/"
|
||||
date = "2021-08-13"
|
||||
id = "8f01cbda-b1cf-5556-9f6a-e709df6dadb2"
|
||||
condition:
|
||||
uint32(0) == 0x4e444221 /* PST header: !BDN */
|
||||
and extension == ".aspx"
|
||||
}
|
|
@ -1,581 +0,0 @@
|
|||
/*
|
||||
THOR Yara Inverse Matches
|
||||
> Detect system file manipulations and common APT anomalies
|
||||
|
||||
This is an extract from the THOR signature database
|
||||
|
||||
Reference:
|
||||
http://www.bsk-consulting.de/2014/05/27/inverse-yara-signature-matching/
|
||||
https://www.bsk-consulting.de/2014/08/28/scan-system-files-manipulations-yara-inverse-matching-22/
|
||||
|
||||
Notice: These rules require an external variable called "filename"
|
||||
|
||||
License: Detetction Rule License 1.1 (https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md)
|
||||
|
||||
*/
|
||||
|
||||
import "pe"
|
||||
|
||||
private rule WINDOWS_UPDATE_BDC
|
||||
{
|
||||
meta:
|
||||
score = 0
|
||||
condition:
|
||||
(uint32be(0) == 0x44434d01 and // magic: DCM PA30
|
||||
uint32be(4) == 0x50413330)
|
||||
or
|
||||
(uint32be(0) == 0x44434401 and
|
||||
uint32be(12)== 0x50413330) // magic: DCD PA30
|
||||
}
|
||||
|
||||
/* Rules -------------------------------------------------------------------- */
|
||||
|
||||
rule iexplore_ANOMALY {
|
||||
meta:
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
description = "Abnormal iexplore.exe - typical strings not found in file"
|
||||
date = "23/04/2014"
|
||||
score = 55
|
||||
nodeepdive = 1
|
||||
id = "ea436608-d191-5058-b844-025e48082edc"
|
||||
strings:
|
||||
$win2003_win7_u1 = "IEXPLORE.EXE" wide nocase
|
||||
$win2003_win7_u2 = "Internet Explorer" wide fullword
|
||||
$win2003_win7_u3 = "translation" wide fullword nocase
|
||||
$win2003_win7_u4 = "varfileinfo" wide fullword nocase
|
||||
condition:
|
||||
filename == "iexplore.exe"
|
||||
and uint16(0) == 0x5a4d
|
||||
and not filepath contains "teamviewer"
|
||||
and not 1 of ($win*) and not WINDOWS_UPDATE_BDC
|
||||
and filepath contains "C:\\"
|
||||
and not filepath contains "Package_for_RollupFix"
|
||||
}
|
||||
|
||||
rule svchost_ANOMALY {
|
||||
meta:
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
description = "Abnormal svchost.exe - typical strings not found in file"
|
||||
date = "23/04/2014"
|
||||
score = 55
|
||||
id = "5630054d-9fa4-587f-ba78-cda4478f9cc1"
|
||||
strings:
|
||||
$win2003_win7_u1 = "svchost.exe" wide nocase
|
||||
$win2003_win7_u3 = "coinitializesecurityparam" wide fullword nocase
|
||||
$win2003_win7_u4 = "servicedllunloadonstop" wide fullword nocase
|
||||
$win2000 = "Generic Host Process for Win32 Services" wide fullword
|
||||
$win2012 = "Host Process for Windows Services" wide fullword
|
||||
condition:
|
||||
filename == "svchost.exe"
|
||||
and uint16(0) == 0x5a4d
|
||||
and not 1 of ($win*) and not WINDOWS_UPDATE_BDC
|
||||
}
|
||||
|
||||
/* removed 1 rule here */
|
||||
|
||||
rule explorer_ANOMALY {
|
||||
meta:
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
description = "Abnormal explorer.exe - typical strings not found in file"
|
||||
date = "27/05/2014"
|
||||
score = 55
|
||||
id = "ecadd78f-21a1-5a9f-8f3f-cb51e872805b"
|
||||
strings:
|
||||
$s1 = "EXPLORER.EXE" wide fullword
|
||||
$s2 = "Windows Explorer" wide fullword
|
||||
condition:
|
||||
filename == "explorer.exe"
|
||||
and uint16(0) == 0x5a4d
|
||||
and not filepath contains "teamviewer"
|
||||
and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
|
||||
}
|
||||
|
||||
rule sethc_ANOMALY {
|
||||
meta:
|
||||
description = "Sethc.exe has been replaced - Indicates Remote Access Hack RDP"
|
||||
author = "F. Roth"
|
||||
reference = "http://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf"
|
||||
date = "2014/01/23"
|
||||
score = 70
|
||||
id = "9dfbab4e-3dc8-5246-a051-1618f2ca5f39"
|
||||
strings:
|
||||
$s1 = "stickykeys" fullword nocase
|
||||
$s2 = "stickykeys" wide nocase
|
||||
$s3 = "Control_RunDLL access.cpl" wide fullword
|
||||
$s4 = "SETHC.EXE" wide fullword
|
||||
condition:
|
||||
filename == "sethc.exe"
|
||||
and uint16(0) == 0x5a4d
|
||||
and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
|
||||
}
|
||||
|
||||
rule Utilman_ANOMALY {
|
||||
meta:
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
description = "Abnormal utilman.exe - typical strings not found in file"
|
||||
date = "01/06/2014"
|
||||
score = 70
|
||||
id = "98daff9b-1600-56b3-87ff-637deaa6808c"
|
||||
strings:
|
||||
$win7 = "utilman.exe" wide fullword
|
||||
$win2000 = "Start with Utility Manager" fullword wide
|
||||
$win2012 = "utilman2.exe" fullword wide
|
||||
condition:
|
||||
( filename == "utilman.exe" or filename == "Utilman.exe" )
|
||||
and uint16(0) == 0x5a4d
|
||||
and not 1 of ($win*) and not WINDOWS_UPDATE_BDC
|
||||
}
|
||||
|
||||
rule osk_ANOMALY {
|
||||
meta:
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
description = "Abnormal osk.exe (On Screen Keyboard) - typical strings not found in file"
|
||||
date = "01/06/2014"
|
||||
score = 55
|
||||
id = "6b78b001-f863-5a24-a9d1-ee5e8305766b"
|
||||
strings:
|
||||
$s1 = "Accessibility On-Screen Keyboard" wide fullword
|
||||
$s2 = "\\oskmenu" wide fullword
|
||||
$s3 = "&About On-Screen Keyboard..." wide fullword
|
||||
$s4 = "Software\\Microsoft\\Osk" wide
|
||||
condition:
|
||||
filename == "osk.exe"
|
||||
and uint16(0) == 0x5a4d
|
||||
and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
|
||||
}
|
||||
|
||||
rule magnify_ANOMALY {
|
||||
meta:
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
description = "Abnormal magnify.exe (Magnifier) - typical strings not found in file"
|
||||
date = "01/06/2014"
|
||||
score = 55
|
||||
id = "db75201e-81a3-5f82-bf6f-ba155bfbcf81"
|
||||
strings:
|
||||
$win7 = "Microsoft Screen Magnifier" wide fullword
|
||||
$win2000 = "Microsoft Magnifier" wide fullword
|
||||
$winxp = "Software\\Microsoft\\Magnify" wide
|
||||
condition:
|
||||
filename =="magnify.exe"
|
||||
and uint16(0) == 0x5a4d
|
||||
and not 1 of ($win*) and not WINDOWS_UPDATE_BDC
|
||||
}
|
||||
|
||||
rule narrator_ANOMALY {
|
||||
meta:
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
description = "Abnormal narrator.exe - typical strings not found in file"
|
||||
date = "01/06/2014"
|
||||
score = 55
|
||||
id = "a51f1916-f89a-58a9-b65c-91bf99575b80"
|
||||
strings:
|
||||
$win7 = "Microsoft-Windows-Narrator" wide fullword
|
||||
$win2000 = "&About Narrator..." wide fullword
|
||||
$win2012 = "Screen Reader" wide fullword
|
||||
$winxp = "Software\\Microsoft\\Narrator"
|
||||
$winxp_en = "SOFTWARE\\Microsoft\\Speech\\Voices" wide
|
||||
condition:
|
||||
filename == "narrator.exe"
|
||||
and uint16(0) == 0x5a4d
|
||||
and not 1 of ($win*) and not WINDOWS_UPDATE_BDC
|
||||
}
|
||||
|
||||
rule notepad_ANOMALY {
|
||||
meta:
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
description = "Abnormal notepad.exe - typical strings not found in file"
|
||||
date = "01/06/2014"
|
||||
score = 55
|
||||
id = "16ddcd9e-ab6f-593e-80e0-a90399cbc3df"
|
||||
strings:
|
||||
$win7 = "HELP_ENTRY_ID_NOTEPAD_HELP" wide fullword
|
||||
$win2000 = "Do you want to create a new file?" wide fullword
|
||||
$win2003 = "Do you want to save the changes?" wide
|
||||
$winxp = "Software\\Microsoft\\Notepad" wide
|
||||
$winxp_de = "Software\\Microsoft\\Notepad" wide
|
||||
condition:
|
||||
filename == "notepad.exe"
|
||||
and uint16(0) == 0x5a4d
|
||||
and not 1 of ($win*) and not WINDOWS_UPDATE_BDC
|
||||
}
|
||||
|
||||
/* NEW ---------------------------------------------------------------------- */
|
||||
|
||||
rule csrss_ANOMALY {
|
||||
meta:
|
||||
description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file csrss.exe"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "not set"
|
||||
date = "2015/03/16"
|
||||
hash = "17542707a3d9fa13c569450fd978272ef7070a77"
|
||||
id = "bbd2841a-ec72-5eb4-b34a-5ecbf9c5b517"
|
||||
strings:
|
||||
$s1 = "Client Server Runtime Process" fullword wide
|
||||
$s4 = "name=\"Microsoft.Windows.CSRSS\"" fullword ascii
|
||||
$s5 = "CSRSRV.dll" fullword ascii
|
||||
$s6 = "CsrServerInitialization" fullword ascii
|
||||
condition:
|
||||
filename == "csrss.exe"
|
||||
and uint16(0) == 0x5a4d
|
||||
and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
|
||||
}
|
||||
|
||||
rule conhost_ANOMALY {
|
||||
meta:
|
||||
description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file conhost.exe"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "not set"
|
||||
date = "2015/03/16"
|
||||
hash = "1bd846aa22b1d63a1f900f6d08d8bfa8082ae4db"
|
||||
id = "9803fa1b-bcaf-5451-831b-fc0dc9d711f2"
|
||||
strings:
|
||||
$s2 = "Console Window Host" fullword wide
|
||||
condition:
|
||||
filename == "conhost.exe"
|
||||
and uint16(0) == 0x5a4d
|
||||
and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
|
||||
}
|
||||
|
||||
rule wininit_ANOMALY {
|
||||
meta:
|
||||
description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file wininit.exe"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "not set"
|
||||
date = "2015/03/16"
|
||||
hash = "2de5c051c0d7d8bcc14b1ca46be8ab9756f29320"
|
||||
id = "a251984f-c667-55ec-8cc3-3888e80ddf1e"
|
||||
strings:
|
||||
$s1 = "Windows Start-Up Application" fullword wide
|
||||
condition:
|
||||
filename == "wininit.exe"
|
||||
and uint16(0) == 0x5a4d
|
||||
and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
|
||||
}
|
||||
|
||||
rule winlogon_ANOMALY {
|
||||
meta:
|
||||
description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file winlogon.exe"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "not set"
|
||||
date = "2015/03/16"
|
||||
hash = "af210c8748d77c2ff93966299d4cd49a8c722ef6"
|
||||
id = "ee424459-8048-52b8-ba97-4d09265a881f"
|
||||
strings:
|
||||
$s1 = "AuthzAccessCheck failed" fullword
|
||||
$s2 = "Windows Logon Application" fullword wide
|
||||
condition:
|
||||
filename == "winlogon.exe"
|
||||
and not 1 of ($s*)
|
||||
and uint16(0) == 0x5a4d
|
||||
and not WINDOWS_UPDATE_BDC
|
||||
and not filepath contains "Malwarebytes"
|
||||
}
|
||||
|
||||
rule SndVol_ANOMALY {
|
||||
meta:
|
||||
description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file SndVol.exe"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "not set"
|
||||
date = "2015/03/16"
|
||||
hash = "e057c90b675a6da19596b0ac458c25d7440b7869"
|
||||
id = "0c4d705f-4b24-55f9-bcf4-3f65eea0b7af"
|
||||
strings:
|
||||
$s1 = "Volume Control Applet" fullword wide
|
||||
condition:
|
||||
filename == "sndvol.exe"
|
||||
and uint16(0) == 0x5a4d
|
||||
and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
|
||||
}
|
||||
|
||||
rule doskey_ANOMALY {
|
||||
meta:
|
||||
description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file doskey.exe"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "not set"
|
||||
date = "2015/03/16"
|
||||
hash = "f2d1995325df0f3ca6e7b11648aa368b7e8f1c7f"
|
||||
id = "be9c239a-2918-5330-bbd0-33cc17067f70"
|
||||
strings:
|
||||
$s3 = "Keyboard History Utility" fullword wide
|
||||
condition:
|
||||
filename == "doskey.exe"
|
||||
and uint16(0) == 0x5a4d
|
||||
and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
|
||||
}
|
||||
|
||||
rule lsass_ANOMALY {
|
||||
meta:
|
||||
description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file lsass.exe"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "not set"
|
||||
date = "2015/03/16"
|
||||
hash = "04abf92ac7571a25606edfd49dca1041c41bef21"
|
||||
id = "0c0f6129-3e01-56d3-b297-cee231567759"
|
||||
strings:
|
||||
$s1 = "LSA Shell" fullword wide
|
||||
$s2 = "<description>Local Security Authority Process</description>" fullword ascii
|
||||
$s3 = "Local Security Authority Process" fullword wide
|
||||
$s4 = "LsapInitLsa" fullword
|
||||
condition:
|
||||
filename == "lsass.exe"
|
||||
and uint16(0) == 0x5a4d
|
||||
and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
|
||||
}
|
||||
|
||||
rule taskmgr_ANOMALY {
|
||||
meta:
|
||||
description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file taskmgr.exe"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "not set"
|
||||
date = "2015/03/16"
|
||||
nodeepdive = 1
|
||||
hash = "e8b4d84a28e5ea17272416ec45726964fdf25883"
|
||||
id = "e1c3a150-6e7e-5ead-a338-0bac6f43185d"
|
||||
strings:
|
||||
$s0 = "Windows Task Manager" fullword wide
|
||||
$s1 = "taskmgr.chm" fullword
|
||||
$s2 = "TmEndTaskHandler::" ascii
|
||||
$s3 = "CM_Request_Eject_PC" /* Win XP */
|
||||
$s4 = "NTShell Taskman Startup Mutex" fullword wide
|
||||
condition:
|
||||
( filename == "taskmgr.exe" or filename == "Taskmgr.exe" ) and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
|
||||
and uint16(0) == 0x5a4d
|
||||
and filepath contains "C:\\"
|
||||
and not filepath contains "Package_for_RollupFix"
|
||||
}
|
||||
|
||||
/* removed 22 rules here */
|
||||
|
||||
/* APT ---------------------------------------------------------------------- */
|
||||
|
||||
rule APT_Cloaked_PsExec
|
||||
{
|
||||
meta:
|
||||
description = "Looks like a cloaked PsExec. This may be APT group activity."
|
||||
date = "2014-07-18"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
score = 60
|
||||
id = "e389bb76-0d1d-5e0e-9f79-a3117c919da3"
|
||||
strings:
|
||||
$s0 = "psexesvc.exe" wide fullword
|
||||
$s1 = "Sysinternals PsExec" wide fullword
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and $s0 and $s1
|
||||
and not filename matches /(psexec.exe|PSEXESVC.EXE|PsExec64.exe)$/is
|
||||
and not filepath matches /RECYCLE.BIN\\S-1/
|
||||
}
|
||||
|
||||
/* removed 6 rules here */
|
||||
|
||||
rule APT_Cloaked_SuperScan
|
||||
{
|
||||
meta:
|
||||
description = "Looks like a cloaked SuperScan Port Scanner. This may be APT group activity."
|
||||
date = "2014-07-18"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
score = 50
|
||||
id = "96027f7d-822c-5c5e-acd9-cde8289c6b50"
|
||||
strings:
|
||||
$s0 = "SuperScan4.exe" wide fullword
|
||||
$s1 = "Foundstone Inc." wide fullword
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and $s0 and $s1 and not filename contains "superscan"
|
||||
}
|
||||
|
||||
rule APT_Cloaked_ScanLine
|
||||
{
|
||||
meta:
|
||||
description = "Looks like a cloaked ScanLine Port Scanner. This may be APT group activity."
|
||||
date = "2014-07-18"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
score = 50
|
||||
id = "78041dc0-491b-5a44-a125-3ad72b266cf8"
|
||||
strings:
|
||||
$s0 = "ScanLine" wide fullword
|
||||
$s1 = "Command line port scanner" wide fullword
|
||||
$s2 = "sl.exe" wide fullword
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and $s0 and $s1 and $s2 and not filename == "sl.exe"
|
||||
}
|
||||
|
||||
rule SUSP_Renamed_Dot1Xtray {
|
||||
meta:
|
||||
description = "Detects a legitimate renamed dot1ctray.exe, which is often used by PlugX for DLL side-loading"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "Internal Research"
|
||||
date = "2018-11-15"
|
||||
hash1 = "f9ebf6aeb3f0fb0c29bd8f3d652476cd1fe8bd9a0c11cb15c43de33bbce0bf68"
|
||||
id = "3685a79e-7dd6-5221-b58a-6ec1c61030cc"
|
||||
strings:
|
||||
$a1 = "\\Symantec_Network_Access_Control\\" ascii
|
||||
$a2 = "\\dot1xtray.pdb" ascii
|
||||
$a3 = "DOT1X_NAMED_PIPE_CONNECT" fullword wide /* Goodware String - occured 2 times */
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||||
and not filename matches /dot1xtray.exe/i
|
||||
and not filepath matches /Recycle.Bin/i
|
||||
}
|
||||
|
||||
rule APT_Cloaked_CERTUTIL {
|
||||
meta:
|
||||
description = "Detects a renamed certutil.exe utility that is often used to decode encoded payloads"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "Internal Research"
|
||||
date = "2018-09-14"
|
||||
modified = "2022-06-27"
|
||||
id = "13943cda-6bb1-5c6c-8e55-e8d4bba1ffef"
|
||||
strings:
|
||||
$s1 = "-------- CERT_CHAIN_CONTEXT --------" fullword ascii
|
||||
$s5 = "certutil.pdb" fullword ascii
|
||||
$s3 = "Password Token" fullword ascii
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and all of them
|
||||
and not filename contains "certutil"
|
||||
and not filename contains "CertUtil"
|
||||
and not filename contains "Certutil"
|
||||
and not filepath contains "\\Bromium\\"
|
||||
}
|
||||
|
||||
rule APT_SUSP_Solarwinds_Orion_Config_Anomaly_Dec20 {
|
||||
meta:
|
||||
description = "Detects a suspicious renamed Afind.exe as used by different attackers"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "https://twitter.com/iisresetme/status/1339546337390587905?s=12"
|
||||
date = "2020-12-15"
|
||||
score = 70
|
||||
nodeepdive = 1
|
||||
id = "440a3eb9-b573-53ea-ab26-c44d9cf62401"
|
||||
strings:
|
||||
$s1 = "ReportWatcher" fullword wide ascii
|
||||
|
||||
$fp1 = "ReportStatus" fullword wide ascii
|
||||
condition:
|
||||
filename == "SolarWindows.Orion.Core.BusinessLayer.dll.config"
|
||||
and $s1
|
||||
and not $fp1
|
||||
}
|
||||
|
||||
rule PAExec_Cloaked {
|
||||
meta:
|
||||
description = "Detects a renamed remote access tool PAEXec (like PsExec)"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/"
|
||||
date = "2017-03-27"
|
||||
score = 70
|
||||
hash1 = "01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc"
|
||||
id = "fad8417b-bbdb-5a4e-8324-660e27cb39f8"
|
||||
strings:
|
||||
$x1 = "Ex: -rlo C:\\Temp\\PAExec.log" fullword ascii
|
||||
$x2 = "Can't enumProcesses - Failed to get token for Local System." fullword wide
|
||||
$x3 = "PAExec %s - Execute Programs Remotely" fullword wide
|
||||
$x4 = "\\\\%s\\pipe\\PAExecIn%s%u" fullword wide
|
||||
$x5 = "\\\\.\\pipe\\PAExecIn%s%u" fullword wide
|
||||
$x6 = "%%SystemRoot%%\\%s.exe" fullword wide
|
||||
$x7 = "in replacement for PsExec, so the command-line usage is identical, with " fullword ascii
|
||||
$x8 = "\\\\%s\\ADMIN$\\PAExec_Move%u.dat" fullword wide
|
||||
condition:
|
||||
( uint16(0) == 0x5a4d and filesize < 600KB and 1 of ($x*) )
|
||||
and not filename == "paexec.exe"
|
||||
and not filename == "PAExec.exe"
|
||||
and not filename == "PAEXEC.EXE"
|
||||
and not filename matches /Install/
|
||||
and not filename matches /uninstall/
|
||||
}
|
||||
|
||||
rule SUSP_VULN_DRV_PROCEXP152_May23 {
|
||||
meta:
|
||||
description = "Detects vulnerable process explorer driver (original file name: PROCEXP152.SYS), often used by attackers to elevate privileges (false positives are possible in cases in which old versions of process explorer are still present on the system)"
|
||||
author = "Florian Roth"
|
||||
reference = "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/"
|
||||
date = "2023-05-05"
|
||||
modified = "2023-07-28"
|
||||
score = 50
|
||||
hash1 = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc"
|
||||
id = "748eb390-f320-5045-bed2-24ae70471f43"
|
||||
strings:
|
||||
$a1 = "\\ProcExpDriver.pdb" ascii
|
||||
$a2 = "\\Device\\PROCEXP152" wide fullword
|
||||
$a3 = "procexp.Sys" wide fullword
|
||||
condition:
|
||||
uint16(0) == 0x5a4d
|
||||
and filesize < 200KB
|
||||
and all of them
|
||||
}
|
||||
|
||||
rule SUSP_VULN_DRV_PROCEXP152_Renamed_May23 {
|
||||
meta:
|
||||
description = "Detects vulnerable process explorer driver (original file name: PROCEXP152.SYS) that has been renamed (often used by attackers to elevate privileges)"
|
||||
author = "Florian Roth"
|
||||
reference = "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/"
|
||||
date = "2023-05-05"
|
||||
score = 70
|
||||
hash1 = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc"
|
||||
id = "af2ec5d5-3453-5d35-8d19-4f37c61fabce"
|
||||
strings:
|
||||
$a1 = "\\ProcExpDriver.pdb" ascii
|
||||
$a2 = "\\Device\\PROCEXP152" wide fullword
|
||||
$a3 = "procexp.Sys" wide fullword
|
||||
condition:
|
||||
uint16(0) == 0x5a4d
|
||||
and filesize < 200KB
|
||||
and all of them
|
||||
and not filename matches /PROCEXP152\.SYS/i
|
||||
}
|
||||
|
||||
rule SUSP_ANOMALY_Teams_Binary_Nov23 : SCRIPT {
|
||||
meta:
|
||||
description = "Detects a suspicious binary with the name teams.exe, update.exe or squirrel.exe in the AppData folder of Microsoft Teams that is unsigned or signed by a different CA"
|
||||
author = "Florian Roth"
|
||||
score = 60
|
||||
reference = "https://twitter.com/steve_noel/status/1722698479636476325/photo/1"
|
||||
date = "2023-11-11"
|
||||
id = "60557ed1-ac16-5e3b-b105-157dc34f6ad7"
|
||||
strings:
|
||||
$a1 = "Microsoft Code Signing PCA" ascii
|
||||
condition:
|
||||
(
|
||||
filename iequals "teams.exe" or
|
||||
filename iequals "update.exe" or
|
||||
filename iequals "squirrel.exe"
|
||||
)
|
||||
and filepath icontains "\\AppData\\Local\\Microsoft\\Teams"
|
||||
and pe.number_of_signatures == 0
|
||||
and not $a1
|
||||
}
|
||||
|
||||
rule SAM_Hive_Backup {
|
||||
meta:
|
||||
description = "Detects a SAM hive backup file - SAM is the Security Account Manager - contains password hashes"
|
||||
author = "Florian Roth"
|
||||
reference = "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-hashes-from-sam-registry"
|
||||
score = 60
|
||||
nodeepdive = 1
|
||||
date = "2015-03-31"
|
||||
modified = "2023-12-12"
|
||||
id = "31fb6c0c-966d-5002-bf8c-4129964c81ff"
|
||||
strings:
|
||||
$s1 = "\\SystemRoot\\System32\\Config\\SAM" wide
|
||||
condition:
|
||||
uint32(0) == 0x66676572 and $s1 in (0..200)
|
||||
and not filepath contains "\\System32\\Config"
|
||||
and not filepath contains "\\System32\\config"
|
||||
and not filepath contains "System Volume Information"
|
||||
and not filepath contains "\\config\\RegBack"
|
||||
}
|
File diff suppressed because it is too large
Load diff
|
@ -1,556 +0,0 @@
|
|||
/*
|
||||
This is a collection of rules that use external variables
|
||||
They work with scanners that support the use of external variables, like
|
||||
THOR, LOKI or SPARK
|
||||
https://www.nextron-systems.com/compare-our-scanners/
|
||||
*/
|
||||
|
||||
import "pe"
|
||||
import "math"
|
||||
|
||||
rule Acrotray_Anomaly {
|
||||
meta:
|
||||
description = "Detects an acrotray.exe that does not contain the usual strings"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
score = 75
|
||||
id = "e3fef644-e535-5137-ac98-2fd1b7ca4361"
|
||||
strings:
|
||||
$s1 = "PDF/X-3:2002" fullword wide
|
||||
$s2 = "AcroTray - Adobe Acrobat Distiller helper application" fullword wide
|
||||
$s3 = "MS Sans Serif" fullword wide
|
||||
$s4 = "COOLTYPE.DLL" fullword ascii
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and filesize < 3000KB
|
||||
and ( filename == "acrotray.exe" or filename == "AcroTray.exe" )
|
||||
and not all of ($s*)
|
||||
}
|
||||
|
||||
rule COZY_FANCY_BEAR_modified_VmUpgradeHelper {
|
||||
meta:
|
||||
description = "Detects a malicious VmUpgradeHelper.exe as mentioned in the CrowdStrike report"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
|
||||
date = "2016-06-14"
|
||||
id = "97b844a4-0fa4-5850-8803-2212a69e3d16"
|
||||
strings:
|
||||
$s1 = "VMware, Inc." wide fullword
|
||||
$s2 = "Virtual hardware upgrade helper service" fullword wide
|
||||
$s3 = "vmUpgradeHelper\\vmUpgradeHelper.pdb" ascii
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and
|
||||
filename == "VmUpgradeHelper.exe" and
|
||||
not all of ($s*)
|
||||
}
|
||||
|
||||
rule IronTiger_Gh0stRAT_variant
|
||||
{
|
||||
meta:
|
||||
author = "Cyber Safety Solutions, Trend Micro"
|
||||
description = "This is a detection for a s.exe variant seen in Op. Iron Tiger"
|
||||
reference = "http://goo.gl/T5fSJC"
|
||||
id = "e7eeee0f-d7a1-5359-bc1f-5a2a883c7227"
|
||||
strings:
|
||||
$str1 = "Game Over Good Luck By Wind" nocase wide ascii
|
||||
$str2 = "ReleiceName" nocase wide ascii
|
||||
$str3 = "jingtisanmenxiachuanxiao.vbs" nocase wide ascii
|
||||
$str4 = "Winds Update" nocase wide ascii fullword
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and (any of ($str*))
|
||||
and not filename == "UpdateSystemMib.exe"
|
||||
}
|
||||
|
||||
rule OpCloudHopper_Cloaked_PSCP {
|
||||
meta:
|
||||
description = "Tool used in Operation Cloud Hopper - pscp.exe cloaked as rundll32.exe"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf"
|
||||
date = "2017-04-07"
|
||||
score = 90
|
||||
id = "c1e2e456-dbdd-54cf-b0e0-b356f291cfcd"
|
||||
strings:
|
||||
$s1 = "AES-256 SDCTR" ascii
|
||||
$s2 = "direct-tcpip" ascii
|
||||
condition:
|
||||
all of them and filename == "rundll32.exe"
|
||||
}
|
||||
|
||||
rule msi_dll_Anomaly {
|
||||
meta:
|
||||
description = "Detetcs very small and supicious msi.dll"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar"
|
||||
date = "2017-02-10"
|
||||
hash1 = "8c9048e2f5ea2ef9516cac06dc0fba8a7e97754468c0d9dc1e5f7bce6dbda2cc"
|
||||
id = "92cd5c51-ed84-5428-9105-50139f9289c8"
|
||||
strings:
|
||||
$x1 = "msi.dll.eng" fullword wide
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and filesize < 15KB and filename == "msi.dll" and $x1
|
||||
}
|
||||
|
||||
rule PoS_Malware_MalumPOS_Config
|
||||
{
|
||||
meta:
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
date = "2015-06-25"
|
||||
description = "MalumPOS Config File"
|
||||
reference = "http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-malumpos-targets-hotels-and-other-us-industries/"
|
||||
id = "0fd2b9c2-d016-5db2-8fcc-618df6c815de"
|
||||
strings:
|
||||
$s1 = "[PARAMS]"
|
||||
$s2 = "Name="
|
||||
$s3 = "InterfacesIP="
|
||||
$s4 = "Port="
|
||||
condition:
|
||||
all of ($s*) and filename == "log.ini" and filesize < 20KB
|
||||
}
|
||||
|
||||
rule Malware_QA_update_test {
|
||||
meta:
|
||||
description = "VT Research QA uploaded malware - file update_.exe"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "VT Research QA"
|
||||
date = "2016-08-29"
|
||||
score = 80
|
||||
hash1 = "3b3392bc730ded1f97c51e23611740ff8b218abf0a1100903de07819eeb449aa"
|
||||
id = "8f319277-1eaf-559e-87ad-f4ab89b04ca5"
|
||||
strings:
|
||||
$s1 = "test.exe" fullword ascii
|
||||
$s2 = "PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGP" fullword ascii
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and filesize < 1000KB and all of them and filename == "update.exe"
|
||||
}
|
||||
|
||||
|
||||
/* These only work with external variable "filename" ------------------------ */
|
||||
/* as used in LOKI, THOR, SPARK --------------------------------------------- */
|
||||
|
||||
rule SysInterals_PipeList_NameChanged {
|
||||
meta:
|
||||
description = "Detects NirSoft PipeList"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "https://goo.gl/Mr6M2J"
|
||||
date = "2016-06-04"
|
||||
score = 90
|
||||
hash1 = "83f0352c14fa62ae159ab532d85a2b481900fed50d32cc757aa3f4ccf6a13bee"
|
||||
id = "01afcf29-a74c-5be2-8b24-694a2802ef34"
|
||||
strings:
|
||||
$s1 = "PipeList" ascii fullword
|
||||
$s2 = "Sysinternals License" ascii fullword
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and filesize < 170KB and all of them
|
||||
and not filename contains "pipelist.exe"
|
||||
and not filename contains "PipeList.exe"
|
||||
}
|
||||
|
||||
/*
|
||||
Yara Rule Set
|
||||
Author: Florian Roth
|
||||
Date: 2016-04-26
|
||||
Identifier: regsvr32 issue
|
||||
*/
|
||||
|
||||
/* Rule Set ----------------------------------------------------------------- */
|
||||
|
||||
rule SCT_Scriptlet_in_Temp_Inet_Files {
|
||||
meta:
|
||||
description = "Detects a scriptlet file in the temporary Internet files (see regsvr32 AppLocker bypass)"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "http://goo.gl/KAB8Jw"
|
||||
date = "2016-04-26"
|
||||
id = "8b729257-3676-59b2-961c-dae1085cbbf6"
|
||||
strings:
|
||||
$s1 = "<scriptlet>" fullword ascii nocase
|
||||
$s2 = "ActiveXObject(\"WScript.Shell\")" ascii
|
||||
condition:
|
||||
( uint32(0) == 0x4D583F3C or uint32(0) == 0x6D78F3C ) /* <?XM or <?xm */
|
||||
and $s1 and $s2
|
||||
and filepath contains "Temporary Internet Files"
|
||||
}
|
||||
|
||||
|
||||
rule GIFCloaked_Webshell_A {
|
||||
meta:
|
||||
description = "Looks like a webshell cloaked as GIF"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
hash = "f1c95b13a71ca3629a0bb79601fcacf57cdfcf768806a71b26f2448f8c1d5d24"
|
||||
score = 60
|
||||
id = "4fdef65c-204a-5019-9b4f-c5877c3e39d4"
|
||||
strings:
|
||||
$s0 = "input type"
|
||||
$s1 = "<%eval request"
|
||||
$s2 = "<%eval(Request.Item["
|
||||
$s3 = "LANGUAGE='VBScript'"
|
||||
$s4 = "$_REQUEST" fullword
|
||||
$s5 = ";eval("
|
||||
$s6 = "base64_decode"
|
||||
|
||||
$fp1 = "<form name=\"social_form\""
|
||||
condition:
|
||||
uint32(0) == 0x38464947 and ( 1 of ($s*) )
|
||||
and not 1 of ($fp*)
|
||||
}
|
||||
|
||||
/* causes FPs and relevancy is limited
|
||||
rule exploit_ole_stdolelink {
|
||||
meta:
|
||||
author = "David Cannings"
|
||||
description = "StdOleLink, potential 0day in April 2017"
|
||||
score = 55
|
||||
strings:
|
||||
// Parsers will open files without the full 'rtf'
|
||||
$header_rtf = "{\\rt" nocase
|
||||
$header_office = { D0 CF 11 E0 }
|
||||
$header_xml = "<?xml version=" nocase wide ascii
|
||||
|
||||
// Marks of embedded data (reduce FPs)
|
||||
// RTF format
|
||||
$embedded_object = "\\object" nocase
|
||||
$embedded_objdata = "\\objdata" nocase
|
||||
$embedded_ocx = "\\objocx" nocase
|
||||
$embedded_objclass = "\\objclass" nocase
|
||||
$embedded_oleclass = "\\oleclsid" nocase
|
||||
|
||||
// XML Office documents
|
||||
$embedded_axocx = "<ax:ocx" nocase wide ascii
|
||||
$embedded_axclassid = "ax:classid" nocase wide ascii
|
||||
|
||||
// OLE format
|
||||
$embedded_root_entry = "Root Entry" wide
|
||||
$embedded_comp_obj = "Comp Obj" wide
|
||||
$embedded_obj_info = "Obj Info" wide
|
||||
$embedded_ole10 = "Ole10Native" wide
|
||||
|
||||
$data0 = "00000300-0000-0000-C000-000000000046" nocase wide ascii
|
||||
$data2 = "OLE2Link" nocase wide ascii
|
||||
$data3 = "4f4c45324c696e6b" nocase wide ascii
|
||||
$data4 = "StdOleLink" nocase wide ascii
|
||||
$data5 = "5374644f6c654c696e6b" nocase wide ascii
|
||||
|
||||
condition:
|
||||
// Mandatory header plus sign of embedding, then any of the others
|
||||
for any of ($header*) : ( @ == 0 ) and 1 of ($embedded*)
|
||||
and (1 of ($data*))
|
||||
and extension != ".msi"
|
||||
}
|
||||
*/
|
||||
|
||||
rule HackTool_Producers {
|
||||
meta:
|
||||
description = "Hacktool Producers String"
|
||||
threat_level = 5
|
||||
score = 50
|
||||
nodeepdive = 1
|
||||
id = "75cb2c86-0eaa-5cf5-96d8-85b91054de36"
|
||||
strings:
|
||||
$a1 = "www.oxid.it"
|
||||
$a2 = "www.analogx.com"
|
||||
$a3 = "ntsecurity.nu"
|
||||
$a4 = "gentilkiwi.com"
|
||||
$a6 = "Marcus Murray"
|
||||
$a7 = "Nsasoft US LLC0"
|
||||
$a8 = " Nir Sofer"
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and 1 of ($a*) and
|
||||
not extension contains ".ini" and
|
||||
not extension contains ".xml" and
|
||||
not extension contains ".sqlite"
|
||||
}
|
||||
|
||||
rule Exe_Cloaked_as_ThumbsDb
|
||||
{
|
||||
meta:
|
||||
description = "Detects an executable cloaked as thumbs.db - Malware"
|
||||
date = "2014-07-18"
|
||||
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
score = 50
|
||||
id = "ff09f8cf-de5a-50fc-aa0b-c54f7667e246"
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and filename matches /[Tt]humbs\.db/
|
||||
}
|
||||
|
||||
rule Fake_AdobeReader_EXE
|
||||
{
|
||||
meta:
|
||||
description = "Detects an fake AdobeReader executable based on filesize OR missing strings in file"
|
||||
date = "2014-09-11"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
score = 50
|
||||
nodeepdive = 1
|
||||
nodeepdive = 1
|
||||
id = "e3dd9d94-9f4b-5ff9-bfec-29abfb3555bb"
|
||||
strings:
|
||||
$s1 = "Adobe Systems" ascii
|
||||
|
||||
$fp1 = "Adobe Reader" ascii wide
|
||||
$fp2 = "Xenocode Virtual Appliance Runtime" ascii wide
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and
|
||||
filename matches /AcroRd32.exe/i and
|
||||
not $s1 in (filesize-2500..filesize)
|
||||
and not 1 of ($fp*)
|
||||
}
|
||||
|
||||
rule mimikatz_lsass_mdmp
|
||||
{
|
||||
meta:
|
||||
description = "LSASS minidump file for mimikatz"
|
||||
author = "Benjamin DELPY (gentilkiwi)"
|
||||
id = "3d850dbe-1342-55ac-b0f7-91343d88f147"
|
||||
strings:
|
||||
$lsass = "System32\\lsass.exe" wide nocase
|
||||
condition:
|
||||
(uint32(0) == 0x504d444d) and $lsass and filesize > 50000KB and not filename matches /WER/
|
||||
}
|
||||
|
||||
rule lsadump {
|
||||
meta:
|
||||
description = "LSA dump programe (bootkey/syskey) - pwdump and others"
|
||||
author = "Benjamin DELPY (gentilkiwi)"
|
||||
score = 80
|
||||
nodeepdive = 1
|
||||
id = "3bfa8dd8-720d-5326-ac92-0fb96cf21219"
|
||||
strings:
|
||||
$str_sam_inc = "\\Domains\\Account" ascii nocase
|
||||
$str_sam_exc = "\\Domains\\Account\\Users\\Names\\" ascii nocase
|
||||
$hex_api_call = {(41 b8 | 68) 00 00 00 02 [0-64] (68 | ba) ff 07 0f 00 }
|
||||
$str_msv_lsa = { 4c 53 41 53 52 56 2e 44 4c 4c 00 [0-32] 6d 73 76 31 5f 30 2e 64 6c 6c 00 }
|
||||
$hex_bkey = { 4b 53 53 4d [20-70] 05 00 01 00}
|
||||
|
||||
$fp1 = "Sysinternals" ascii
|
||||
$fp2 = "Apple Inc." ascii wide
|
||||
$fp3 = "Kaspersky Lab" ascii fullword
|
||||
$fp4 = "ESET Security" ascii
|
||||
$fp5 = "Disaster Recovery Module" wide
|
||||
$fp6 = "Bitdefender" wide fullword
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and
|
||||
(($str_sam_inc and not $str_sam_exc) or $hex_api_call or $str_msv_lsa or $hex_bkey )
|
||||
and not 1 of ($fp*)
|
||||
and not filename contains "Regdat"
|
||||
and not filetype == "EXE"
|
||||
and not filepath contains "Dr Watson"
|
||||
and not extension == "vbs"
|
||||
}
|
||||
|
||||
rule SUSP_ServU_SSH_Error_Pattern_Jul21_1 {
|
||||
meta:
|
||||
description = "Detects suspicious SSH component exceptions that could be an indicator of exploitation attempts as described in advisory addressing CVE-2021-35211 in ServU services"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211#FAQ"
|
||||
date = "2021-07-12"
|
||||
score = 60
|
||||
id = "1a89f0b0-445c-5867-94cd-f07ba1becad6"
|
||||
strings:
|
||||
$s1 = "EXCEPTION: C0000005;" ascii
|
||||
$s2 = "CSUSSHSocket::ProcessReceive();" ascii
|
||||
condition:
|
||||
filename == "DebugSocketlog.txt"
|
||||
and all of ($s*)
|
||||
}
|
||||
|
||||
rule SUSP_ServU_Known_Mal_IP_Jul21_1 {
|
||||
meta:
|
||||
description = "Detects suspicious IP addresses used in exploitation of ServU services CVE-2021-35211 and reported by Solarwinds"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211#FAQ"
|
||||
date = "2021-07-12"
|
||||
score = 60
|
||||
id = "118272a7-7ec9-568b-99e0-8cfe97f3f64e"
|
||||
strings:
|
||||
$xip1 = "98.176.196.89" ascii fullword
|
||||
$xip2 = "68.235.178.32" ascii fullword
|
||||
$xip3 = "208.113.35.58" ascii fullword
|
||||
$xip4 = "144.34.179.162" ascii fullword
|
||||
$xip5 = "97.77.97.58" ascii fullword
|
||||
condition:
|
||||
filename == "DebugSocketlog.txt"
|
||||
and 1 of them
|
||||
}
|
||||
|
||||
rule SUSP_EXPL_Confluence_RCE_CVE_2021_26084_Indicators_Sep21 {
|
||||
meta:
|
||||
description = "Detects ELF binaries owner by the confluence user but outside usual confluence directories"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis"
|
||||
date = "2021-09-01"
|
||||
score = 55
|
||||
id = "395d37ea-1986-5fdd-b58c-562ae0d8be35"
|
||||
condition:
|
||||
uint32be(0) == 0x7f454c46 /* ELF binary */
|
||||
and owner == "confluence"
|
||||
and not filepath contains "/confluence/"
|
||||
}
|
||||
|
||||
rule SUSP_Blocked_Download_Proxy_Replacement_Jan23_1 {
|
||||
meta:
|
||||
description = "Detects a file that has been replaced with a note by a security solution like an Antivirus or a filtering proxy server"
|
||||
author = "Florian Roth (Nextron Systems)"
|
||||
reference = "https://www.virustotal.com/gui/search/filename%253A*.exe%2520tag%253Ahtml%2520size%253A10kb-%2520size%253A2kb%252B/files"
|
||||
date = "2023-01-28"
|
||||
score = 60
|
||||
id = "58bc8288-6bdb-57d5-9de5-a54a39584838"
|
||||
strings:
|
||||
$x01 = "Web Filter Violation"
|
||||
$x02 = "Google Drive can't scan this file for viruses."
|
||||
$x03 = " target=\"_blank\">Cloudflare <img "
|
||||
$x04 = "Sorry, this file is infected with a virus.</p>"
|
||||
$x05 = "-- Sophos Warn FileType Page -->"
|
||||
$x06 = "<p>Certain Sophos products may not be exported for use by government end-users" // accept EULA
|
||||
$x07 = "<p class=\"content-list\">Bitly displays this warning when a link has been flagged as suspect. There are many"
|
||||
$x08 = "Something went wrong. Don't worry, your files are still safe and the Dropbox team has been notified."
|
||||
$x09 = "<p>sinkhole</p>"
|
||||
$x10 = "The requested short link is blocked by website administration due to violation of the website policy terms."
|
||||
$x11 = "<img src=\"https://www.malwarebytes.com/images/"
|
||||
$x12 = "<title>Malwarebytes</title>"
|
||||
$x13 = "<title>Blocked by VIPRE</title>"
|
||||
$x14 = "<title>Your request appears to be from an automated process</title>"
|
||||
$x15 = "<p>Advanced Security blocked access to"
|
||||
$x16 = "<title>Suspected phishing site | Cloudflare</title>"
|
||||
$x17 = ">This link has been flagged "
|
||||
$x18 = "<h1>Trend Micro Apex One</h1>"
|
||||
$x19 = "Hitachi ID Identity and Access Management Suite"
|
||||
$x20 = ">http://www.fortinet.com/ve?vn="
|
||||
$x21 = "access to URL with fixed IP not allowed" // FritzBox
|
||||
$x23 = "<title>Web Page Blocked</title>"
|
||||
$x24 = "<title>Malicious Website Blocked</title>"
|
||||
$x25 = "<h2>STOPzilla has detected"
|
||||
$x26 = ">Seqrite Endpoint Security</span>"
|
||||
$x27 = "<TITLE>K7 Safe Surf</TITLE>"
|
||||
$x28 = "<title>Blocked by VIPRE</title>"
|
||||
|
||||
$g01 = "blocked access" fullword
|
||||
$g02 = "policy violation" fullword
|
||||
$g03 = "violation of "
|
||||
$g04 = "blocked by" fullword
|
||||
$g05 = "Blocked by" fullword
|
||||
$g07 = "Suspected Phishing"
|
||||
$g08 = "ile quarantined"
|
||||
$g09 = " is infected "
|
||||
$g10 = "Blocked</title>"
|
||||
$g11 = "site blocked" fullword
|
||||
$g12 = "Site Blocked" fullword
|
||||
$g13 = "blocked for" fullword
|
||||
$g14 = "is blocked" fullword
|
||||
$g15 = "potentially harmful"
|
||||
$g16 = "Page Blocked" fullword
|
||||
$g17 = "page blocked" fullword
|
||||
condition:
|
||||
extension == ".exe" and not uint16(0) == 0x5a4d and 1 of them
|
||||
or (
|
||||
extension == ".rar" or
|
||||
extension == ".ps1" or
|
||||
extension == ".vbs" or
|
||||
extension == ".bat"
|
||||
)
|
||||
and 1 of ($x*)
|
||||
}
|
||||
|
||||
/* too many FPs
|
||||
rule APT_MAL_RU_WIN_Snake_Malware_PeIconSizes_May23_1 {
|
||||
meta:
|
||||
description = "Detects Comadmin file that houses Snake's kernel driver and the driver's loader"
|
||||
author = "CSA"
|
||||
reference = "https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"
|
||||
date = "2023-05-10"
|
||||
score = 75
|
||||
condition:
|
||||
uint16(0) == 0x5a4d
|
||||
and (
|
||||
filename == "WerFault.exe"
|
||||
or filename == "werfault.exe"
|
||||
)
|
||||
and filepath contains "\\WinSxS\\"
|
||||
and for any rsrc in pe.resources: (
|
||||
rsrc.type == pe.RESOURCE_TYPE_ICON and rsrc.length == 3240
|
||||
)
|
||||
and for any rsrc in pe.resources: (
|
||||
rsrc.type == pe.RESOURCE_TYPE_ICON and rsrc.length == 1384
|
||||
)
|
||||
and for any rsrc in pe.resources: (
|
||||
rsrc.type == pe.RESOURCE_TYPE_ICON and rsrc.length == 7336
|
||||
)
|
||||
}
|
||||
*/
|
||||
|
||||
rule APT_MAL_RU_Snake_Malware_Queue_File_May23_1 {
|
||||
meta:
|
||||
description = "Detects Queue files used by Snake malware"
|
||||
author = "Florian Roth"
|
||||
reference = "https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"
|
||||
date = "2023-05-10"
|
||||
score = 80
|
||||
id = "c7ed554e-b55e-5c3f-aa8b-231cb1073f34"
|
||||
condition:
|
||||
filename matches /(\{[0-9A-Fa-f]{8}\-([0-9A-Fa-f]{4}\-){3}[0-9A-Fa-f]{12}\}\.){2}crmlog/
|
||||
/* and filepath contains "\\Registration\\" // not needed - already specific enough */
|
||||
// we reduce the range for the entropy calculation to the first 1024 for performance
|
||||
// reasons. In a fully encrypted file - as used by Snake - this should already be specific enough
|
||||
//and math.entropy(0, filesize) >= 7.0
|
||||
and math.entropy(0, 1024) >= 7.0
|
||||
}
|
||||
|
||||
|
||||
rule SUSP_Password_XLS_Unencrypted {
|
||||
meta:
|
||||
description = "Detects files named e.g. password.xls, which might contain unportected clear text passwords"
|
||||
author = "Arnim Rupp (https://github.com/ruppde)"
|
||||
reference = "Internal Research"
|
||||
date = "2023-10-04"
|
||||
score = 60
|
||||
id = "41096ef1-dd02-5956-9053-3d7fb1a5092c"
|
||||
condition:
|
||||
// match password and the german passwort:
|
||||
(
|
||||
filename istartswith "passwor" or /* EN / DE */
|
||||
filename istartswith "contrase" or /* ES */
|
||||
filename istartswith "mot de pass" or /* FR */
|
||||
filename istartswith "mot_de_pass" or /* FR */
|
||||
filename istartswith "motdepass" or /* FR */
|
||||
filename istartswith "wachtwoord" /* NL */
|
||||
)
|
||||
and (
|
||||
// no need to check if an xls is password protected, because it's trivial to break
|
||||
(
|
||||
filename iendswith ".xls"
|
||||
and uint32be(0) == 0xd0cf11e0 // xls
|
||||
)
|
||||
or
|
||||
(
|
||||
filename iendswith ".xlsx"
|
||||
and uint32be(0) == 0x504b0304 // unencrypted xlsx = pkzip
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
rule SUSP_Password_XLS_Encrypted {
|
||||
meta:
|
||||
description = "Detects files named e.g. password.xlsx, which might contain clear text passwords, but are password protected from MS Office"
|
||||
author = "Arnim Rupp (https://github.com/ruppde)"
|
||||
reference = "Internal Research"
|
||||
date = "2023-10-04"
|
||||
score = 50
|
||||
id = "d3334923-3396-524d-9111-8ccb754ab99e"
|
||||
condition:
|
||||
// match password and the german passwort:
|
||||
(
|
||||
filename istartswith "passwor" or /* EN / DE */
|
||||
filename istartswith "contrase" or /* ES */
|
||||
filename istartswith "mot de pass" or /* FR */
|
||||
filename istartswith "mot_de_pass" or /* FR */
|
||||
filename istartswith "motdepass" or /* FR */
|
||||
filename istartswith "wachtwoord" /* NL */
|
||||
)
|
||||
and filename iendswith ".xlsx"
|
||||
and uint32be(0) == 0xd0cf11e0 // encrypted xlsx = CDFV2
|
||||
}
|
|
@ -1,28 +0,0 @@
|
|||
rule AnomaliLABS_Lazarus_wipe_file_routine {
|
||||
meta:
|
||||
author = "aaron shelmire"
|
||||
date = "2015 May 26"
|
||||
desc = “Yara sig to detect File Wiping routine of the Lazarus group”
|
||||
reference = "https://blog.anomali.com/evidence-of-stronger-ties-between-north-korea-and-swift-banking-attacks"
|
||||
strings:
|
||||
$rand_name_routine = { 99 B9 1A 00 00 00 F7 F9 80 C2 61 88 16 8A 46 01 46 84 C0 }
|
||||
/* imports for overwrite function */
|
||||
$imp_getTick = "GetTickCount"
|
||||
$imp_srand = "srand"
|
||||
$imp_CreateFile = "CreateFileA"
|
||||
$imp_SetFilePointer = "SetFilePointer"
|
||||
$imp_WriteFile = "WriteFile"
|
||||
$imp_FlushFileBuffers = "FlushFileBuffers"
|
||||
$imp_GetFileSizeEx = "GetFileSizeEx"
|
||||
$imp_CloseHandle = "CloseHandle"
|
||||
/* imports for rename function */
|
||||
$imp_strrchr = "strrchr"
|
||||
$imp_rand = "rand"
|
||||
$Move_File = "MoveFileA"
|
||||
$Move_FileEx = "MoveFileEx"
|
||||
$imp_RemoveDir = "RemoveDirectoryA"
|
||||
$imp_DeleteFile = "DeleteFileA"
|
||||
$imp_GetLastError = "GetLastError"
|
||||
condition:
|
||||
$rand_name_routine and (11 of ($imp_*)) and ( 1 of ($Move_*))
|
||||
}
|
|
@ -1,16 +0,0 @@
|
|||
rule PyInstaller_Binary
|
||||
{
|
||||
meta:
|
||||
author = "Nicholas Albright, ThreatStream"
|
||||
desc = "Generic rule to identify PyInstaller Compiled Binaries"
|
||||
reference = "https://blog.anomali.com/crushing-python-malware"
|
||||
strings:
|
||||
$string0 = "zout00-PYZ.pyz"
|
||||
$string1 = "python"
|
||||
$string2 = "Python DLL"
|
||||
$string3 = "Py_OptimizeFlag"
|
||||
$string4 = "pyi_carchive"
|
||||
$string5 = ".manifest"
|
||||
condition:
|
||||
all of them // and new_file
|
||||
}
|
|
@ -1,18 +0,0 @@
|
|||
rule chinapic_zip
|
||||
|
||||
{
|
||||
|
||||
meta:
|
||||
description = "Find zip archives of pony panels that have china.jpg"
|
||||
author = "Brian Carter"
|
||||
last_modified = "March 31, 2017"
|
||||
|
||||
strings:
|
||||
$txt1 = "china.jpg"
|
||||
$txt2 = "config.php"
|
||||
$magic = { 50 4b 03 04 }
|
||||
|
||||
condition:
|
||||
$magic at 0 and all of ($txt*)
|
||||
|
||||
}
|
|
@ -1,20 +0,0 @@
|
|||
rule PotentiallyCompromisedCert
|
||||
|
||||
{
|
||||
meta:
|
||||
description = "Search for PE files using cert issued to DEMUZA "
|
||||
author = "Brian Carter"
|
||||
last_modified = "July 21, 2017"
|
||||
sample = "7ef8f5e0ca92a0f3a5bd8cdc52236564"
|
||||
TLP = "WHITE"
|
||||
|
||||
strings:
|
||||
$magic = { 50 4b 03 04 (14 | 0a) 00 }
|
||||
|
||||
$txt1 = "demuza@yandex.ru" nocase
|
||||
$txt2 = "https://secure.comodo.net/CPS0C" nocase
|
||||
$txt3 = "COMODO CA Limited1"
|
||||
|
||||
condition:
|
||||
$magic at 0 and all of ($txt*)
|
||||
}
|
|
@ -1,21 +0,0 @@
|
|||
rule INJECTOR_PANEL_SQLITE
|
||||
|
||||
{
|
||||
meta:
|
||||
description = "Find sqlite dbs used with tables inject panel"
|
||||
author = "Brian Carter"
|
||||
last_modified = "August 14, 2017"
|
||||
|
||||
strings:
|
||||
$magic = { 53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20 33 00 }
|
||||
$txt1 = "CREATE TABLE Settings"
|
||||
$txt2 = "CREATE TABLE Jabber"
|
||||
$txt3 = "CREATE TABLE Users"
|
||||
$txt4 = "CREATE TABLE Log"
|
||||
$txt5 = "CREATE TABLE Fakes"
|
||||
$txt6 = "CREATE TABLE ATS_links"
|
||||
|
||||
condition:
|
||||
$magic at 0 and all of ($txt*)
|
||||
|
||||
}
|
|
@ -1,19 +0,0 @@
|
|||
rule PDF_EMBEDDED_DOCM
|
||||
|
||||
{
|
||||
meta:
|
||||
description = "Find pdf files that have an embedded docm with openaction"
|
||||
author = "Brian Carter"
|
||||
last_modified = "May 11, 2017"
|
||||
|
||||
strings:
|
||||
$magic = { 25 50 44 46 2d }
|
||||
|
||||
$txt1 = "EmbeddedFile"
|
||||
$txt2 = "docm)"
|
||||
$txt3 = "JavaScript" nocase
|
||||
|
||||
condition:
|
||||
$magic at 0 and all of ($txt*)
|
||||
|
||||
}
|
|
@ -1,128 +0,0 @@
|
|||
rule chinapic_zip
|
||||
|
||||
{
|
||||
|
||||
meta:
|
||||
description = "Find zip archives of pony panels that have china.jpg"
|
||||
author = "Brian Carter"
|
||||
last_modified = "March 31, 2017"
|
||||
|
||||
strings:
|
||||
$txt1 = "china.jpg"
|
||||
$txt2 = "config.php"
|
||||
$txt3 = "setup.php"
|
||||
$magic = { 50 4b 03 04 }
|
||||
|
||||
condition:
|
||||
$magic at 0 and all of ($txt*)
|
||||
|
||||
}
|
||||
|
||||
rule diamondfox_zip
|
||||
|
||||
{
|
||||
|
||||
meta:
|
||||
description = "Find zip archives of panels"
|
||||
author = "Brian Carter"
|
||||
last_modified = "March 31, 2017"
|
||||
|
||||
strings:
|
||||
$txt1 = "gate.php"
|
||||
$txt2 = "install.php"
|
||||
$txt3 = "post.php"
|
||||
$txt4 = "plugins"
|
||||
$txt5 = "statistics.php"
|
||||
$magic = { 50 4b 03 04 }
|
||||
$not1 = "joomla" nocase
|
||||
|
||||
condition:
|
||||
$magic at 0 and all of ($txt*) and not any of ($not*)
|
||||
|
||||
}
|
||||
|
||||
rule keybase_zip
|
||||
|
||||
{
|
||||
|
||||
meta:
|
||||
description = "Find zip archives of panels"
|
||||
author = "Brian Carter"
|
||||
last_modified = "March 31, 2017"
|
||||
|
||||
strings:
|
||||
$txt1 = "clipboard.php"
|
||||
$txt2 = "config.php"
|
||||
$txt3 = "create.php"
|
||||
$txt4 = "login.php"
|
||||
$txt5 = "screenshots.php"
|
||||
$magic = { 50 4b 03 04 }
|
||||
|
||||
condition:
|
||||
$magic at 0 and all of ($txt*)
|
||||
|
||||
}
|
||||
|
||||
rule zeus_zip
|
||||
|
||||
{
|
||||
|
||||
meta:
|
||||
description = "Find zip archives of panels"
|
||||
author = "Brian Carter"
|
||||
last_modified = "April 19, 2017"
|
||||
|
||||
strings:
|
||||
$txt1 = "cp.php"
|
||||
$txt2 = "gate.php"
|
||||
$txt3 = "botnet_bots.php"
|
||||
$txt4 = "botnet_scripts.php"
|
||||
$magic = { 50 4b 03 04 }
|
||||
|
||||
condition:
|
||||
$magic at 0 and all of ($txt*)
|
||||
|
||||
}
|
||||
|
||||
rule atmos_zip
|
||||
|
||||
{
|
||||
|
||||
meta:
|
||||
description = "Find zip archives of panels"
|
||||
author = "Brian Carter"
|
||||
last_modified = "April 27, 2017"
|
||||
|
||||
strings:
|
||||
$txt1 = "cp.php"
|
||||
$txt2 = "gate.php"
|
||||
$txt3 = "api.php"
|
||||
$txt4 = "file.php"
|
||||
$txt5 = "ts.php"
|
||||
$txt6 = "index.php"
|
||||
$magic = { 50 4b 03 04 }
|
||||
|
||||
condition:
|
||||
$magic at 0 and all of ($txt*)
|
||||
|
||||
}
|
||||
|
||||
rule new_pony_panel
|
||||
|
||||
{
|
||||
|
||||
meta:
|
||||
description = "New Pony Zips"
|
||||
|
||||
strings:
|
||||
$txt1 = "includes/design/images/"
|
||||
$txt2 = "includes/design/style.css"
|
||||
$txt3 = "admin.php"
|
||||
$txt4 = "includes/design/images/user.png"
|
||||
$txt5 = "includes/design/images/main_bg.gif"
|
||||
$magic = { 50 4b 03 04 }
|
||||
|
||||
condition:
|
||||
$magic at 0 and all of ($txt*)
|
||||
|
||||
}
|
|
@ -1,21 +0,0 @@
|
|||
rule config_php
|
||||
|
||||
{
|
||||
meta:
|
||||
description = "Find config.php files that have details for the db"
|
||||
author = "Brian Carter"
|
||||
last_modified = "March 31, 2017"
|
||||
|
||||
strings:
|
||||
$txt1 = "$mysql_host ="
|
||||
$txt2 = "$mysql_user ="
|
||||
$txt3 = "mysql_pass ="
|
||||
$txt4 = "mysql_database ="
|
||||
$txt5 = "global_filter_list"
|
||||
$txt6 = "white-list"
|
||||
$php1 = "<?php"
|
||||
|
||||
condition:
|
||||
$php1 at 0 and all of ($txt*)
|
||||
|
||||
}
|
|
@ -1,21 +0,0 @@
|
|||
rule tables_inject
|
||||
|
||||
{
|
||||
|
||||
meta:
|
||||
description = "Find zip archives of tables inject panel"
|
||||
author = "Brian Carter"
|
||||
last_modified = "August 14, 2017"
|
||||
|
||||
strings:
|
||||
$txt1 = "tinymce"
|
||||
$txt2 = "cunion.js"
|
||||
$txt3 = "tables.php"
|
||||
$txt4 = "sounds/1.mp3"
|
||||
$txt5 = "storage/db.sqlite"
|
||||
$magic = { 50 4b 03 04 }
|
||||
|
||||
condition:
|
||||
$magic at 0 and all of ($txt*)
|
||||
|
||||
}
|
|
@ -1,14 +0,0 @@
|
|||
rule Pony_gate_php_POST
|
||||
{
|
||||
meta:
|
||||
description = "Possible Pony Sample POST to gate php"
|
||||
author = "Brian Carter"
|
||||
last_modified = "June 14, 2016"
|
||||
|
||||
condition:
|
||||
cuckoo.network.http_post(/gate\.php/)
|
||||
and file_type contains "pe"
|
||||
and positives > 5
|
||||
and new_file
|
||||
|
||||
}
|
|
@ -1,27 +0,0 @@
|
|||
rule CISA_10376640_04 : trojan wiper CADDYWIPER
|
||||
{
|
||||
meta:
|
||||
Author = "CISA Code & Media Analysis"
|
||||
Incident = "10376640"
|
||||
Date = "2022-03-23"
|
||||
Last_Modified = "20220324_1700"
|
||||
Actor = "n/a"
|
||||
Category = "Trojan Wiper"
|
||||
Family = "CADDYWIPER"
|
||||
Description = "Detects Caddy wiper samples"
|
||||
Reference = "https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-115c"
|
||||
MD5_1 = "42e52b8daf63e6e26c3aa91e7e971492"
|
||||
SHA256_1 = "a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea"
|
||||
strings:
|
||||
$s0 = { 44 73 52 6F 6C 65 47 65 74 50 72 69 6D 61 72 79 44 6F 6D 61 69 6E }
|
||||
$s1 = { 50 C6 45 A1 00 C6 45 A2 48 C6 45 A3 00 C6 45 A4 59 C6 }
|
||||
$s2 = { C6 45 A6 53 C6 45 A7 00 C6 45 A8 49 C6 }
|
||||
$s3 = { C6 45 B0 44 C6 45 B1 00 C6 45 B2 52 }
|
||||
$s4 = { C6 45 B8 45 C6 45 B9 00 C6 45 BA 39 }
|
||||
$s5 = { C6 45 AC 43 C6 45 AD 3A C6 45 AE 5C C6 45 AF }
|
||||
$s6 = { 55 C6 45 B0 73 C6 45 B1 65 C6 45 B2 72 C6 45 B3 }
|
||||
$s7 = { C6 45 E0 44 C6 45 E1 3A C6 45 E2 5C C6 45 E3 }
|
||||
$s8 = { 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F }
|
||||
condition:
|
||||
all of them
|
||||
}
|
|
@ -1,23 +0,0 @@
|
|||
rule CISA_10328929_01 : trojan webshell exploit CVE_2021_27065
|
||||
{
|
||||
meta:
|
||||
Author = "CISA Code & Media Analysis"
|
||||
Incident = "10328929"
|
||||
Date = "2021-03-17"
|
||||
Last_Modified = "20210317_2200"
|
||||
Actor = "n/a"
|
||||
Category = "Trojan WebShell Exploit CVE-2021-27065"
|
||||
Family = "HAFNIUM"
|
||||
Description = "Detects CVE-2021-27065 Webshellz"
|
||||
Reference = "https://www.cisa.gov/uscert/ncas/analysis-reports/ar21-084b"
|
||||
MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"
|
||||
SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"
|
||||
strings:
|
||||
$s0 = { 65 76 61 6C 28 52 65 71 75 65 73 74 5B 22 [1-32] 5D 2C 22 75 6E 73 61 66 65 22 29 }
|
||||
$s1 = { 65 76 61 6C 28 }
|
||||
$s2 = { 28 52 65 71 75 65 73 74 2E 49 74 65 6D 5B [1-36] 5D 29 29 2C 22 75 6E 73 61 66 65 22 29 }
|
||||
$s3 = { 49 4F 2E 53 74 72 65 61 6D 57 72 69 74 65 72 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }
|
||||
$s4 = { 57 72 69 74 65 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }
|
||||
condition:
|
||||
$s0 or ($s1 and $s2) or ($s3 and $s4)
|
||||
}
|
|
@ -1,21 +0,0 @@
|
|||
rule CISA_10328929_02 : trojan webshell exploit CVE_2021_27065
|
||||
{
|
||||
meta:
|
||||
Author = "CISA Code & Media Analysis"
|
||||
Incident = "10328929"
|
||||
Date = "2021-03-17"
|
||||
Last_Modified = "20210317_2200"
|
||||
Actor = "n/a"
|
||||
Category = "Trojan WebShell Exploit CVE-2021-27065"
|
||||
Family = "HAFNIUM"
|
||||
Description = "Detects CVE-2021-27065 Exchange OAB VD MOD"
|
||||
Reference = "https://www.cisa.gov/uscert/ncas/analysis-reports/ar21-084b"
|
||||
MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"
|
||||
SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"
|
||||
strings:
|
||||
$s0 = { 4F 66 66 6C 69 6E 65 41 64 64 72 65 73 73 42 6F 6F 6B 73 }
|
||||
$s1 = { 3A 20 68 74 74 70 3A 2F 2F [1] 2F }
|
||||
$s2 = { 45 78 74 65 72 6E 61 6C 55 72 6C 20 20 20 20 }
|
||||
condition:
|
||||
$s0 and $s1 and $s2
|
||||
}
|
|
@ -1,34 +0,0 @@
|
|||
rule CISA_10376640_02 : trojan wiper worm HERMETICWIZARD
|
||||
{
|
||||
meta:
|
||||
Author = "CISA Code & Media Analysis"
|
||||
Incident = "10376640"
|
||||
Date = "2022-03-12"
|
||||
Last_Modified = "20220413_1300"
|
||||
Actor = "n/a"
|
||||
Category = "Trojan Wiper Worm"
|
||||
Family = "HERMETICWIZARD"
|
||||
Description = "Detects Hermetic Wizard samples"
|
||||
Reference = "https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-115b"
|
||||
MD5_1 = "0959bf541d52b6e2915420442bf44ce8"
|
||||
SHA256_1 = "5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48"
|
||||
strings:
|
||||
$s0 = { 70 00 69 00 70 00 65 00 5C 00 25 00 73 }
|
||||
$s1 = { 6E 00 6D 00 61 00 6E 00 73 00 65 00 72 00 76 }
|
||||
$s2 = { 73 61 6D 72 }
|
||||
$s3 = { 62 72 6F 77 73 65 72 }
|
||||
$s4 = { 6E 65 74 6C 6F 67 6F 6E }
|
||||
$s5 = { 6C 73 61 72 70 63 }
|
||||
$s6 = { 6E 74 73 76 63 73 }
|
||||
$s7 = { 73 76 63 63 74 6C }
|
||||
$s8 = { 73 74 61 72 74 20 63 6D 64 20 2F 63 20 22 70 69 6E 67 20 6C 6F 63 61 6C 68 6F 73 74 }
|
||||
$s9 = { 67 00 75 00 65 00 73 00 74 }
|
||||
$s10 = { 74 00 65 00 73 00 74 }
|
||||
$s11 = { 75 00 73 00 65 00 72 }
|
||||
$s12 = { 61 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F }
|
||||
$s13 = { 51 00 61 00 7A 00 31 00 32 00 33 }
|
||||
$s14 = { 51 00 77 00 65 00 72 00 74 00 79 00 31 00 32 }
|
||||
$s15 = { 63 6D 64 20 2F 63 20 73 74 61 72 74 20 72 65 67 }
|
||||
condition:
|
||||
all of them
|
||||
}
|
|
@ -1,24 +0,0 @@
|
|||
rule CISA_10376640_03 : trojan wiper worm HERMETICWIZARD
|
||||
{
|
||||
meta:
|
||||
Author = "CISA Code & Media Analysis"
|
||||
Incident = "10376640"
|
||||
Date = "2022-03-13"
|
||||
Last_Modified = "20220413_1300"
|
||||
Actor = "n/a"
|
||||
Category = "Trojan Wiper Worm"
|
||||
Family = "HERMETICWIZARD"
|
||||
Description = "Detects Hermetic Wizard samples"
|
||||
Reference = "https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-115b"
|
||||
MD5_1 = "58d71fff346017cf8311120c69c9946a"
|
||||
SHA256_1 = "2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b"
|
||||
strings:
|
||||
$s0 = { 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F }
|
||||
$s1 = { 5C 00 5C 00 25 00 73 00 5C 00 70 00 69 00 70 00 65 00 5C 00 25 00 73 }
|
||||
$s2 = { 64 00 6C 00 6C 00 00 00 2D 00 69 }
|
||||
$s3 = { 2D 00 68 00 00 00 00 00 2D 00 73 }
|
||||
$s4 = { 2D 00 63 00 00 00 00 00 2D 00 61 }
|
||||
$s5 = { 43 6F 6D 6D 61 6E 64 4C 69 6E 65 54 6F 41 72 67 76 57 }
|
||||
condition:
|
||||
all of them
|
||||
}
|
|
@ -1,21 +0,0 @@
|
|||
rule CISA_10376640_05 : trojan wiper worm HERMETICWIZARD
|
||||
{
|
||||
meta:
|
||||
Author = "CISA Code & Media Analysis"
|
||||
Incident = "10376640"
|
||||
Date = "2022-04-14"
|
||||
Last_Modified = "20220414_1037"
|
||||
Actor = "n/a"
|
||||
Category = "Trojan Wiper Worm"
|
||||
Family = "HERMETICWIZARD"
|
||||
Description = "Detects Hermetic Wizard samples"
|
||||
Reference = "https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-115b"
|
||||
MD5_1 = "517d2b385b846d6ea13b75b8adceb061"
|
||||
SHA256 = "a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec"
|
||||
strings:
|
||||
$s0 = { 57 69 7A 61 72 64 2E 64 6C 6C }
|
||||
$s1 = { 69 6E 66 6C 61 74 65 }
|
||||
$s2 = { 4D 61 72 6B 20 41 64 6C 65 72 }
|
||||
condition:
|
||||
all of them and filesize < 2000KB
|
||||
}
|
|
@ -1,29 +0,0 @@
|
|||
ule CISA_10376640_01 : trojan wiper ISAACWIPER
|
||||
{
|
||||
meta:
|
||||
Author = "CISA Code & Media Analysis"
|
||||
Incident = "10376640"
|
||||
Date = "2022-03-14"
|
||||
Last_Modified = "20220418_1900"
|
||||
Actor = "n/a"
|
||||
Category = "Trojan Wiper"
|
||||
Family = "ISAACWIPER"
|
||||
Description = "Detects ISACC Wiper samples"
|
||||
MD5_1 = "aa98b92e3320af7a1639de1bac6c17cc"
|
||||
SHA256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f"
|
||||
MD5_2 = "8061889aaebd955ba6fb493abe7a4de1"
|
||||
SHA256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a"
|
||||
MD5_3 = "ecce8845921a91854ab34bff2623151e"
|
||||
SHA256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033"
|
||||
strings:
|
||||
$s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6E 00 67 }
|
||||
$s1 = { 6C 00 6F 00 67 00 69 00 63 00 61 00 6C }
|
||||
$s2 = { 46 00 41 00 49 00 4C 00 45 00 44 }
|
||||
$s3 = { 5C 00 6C 00 6F 00 67 00 2E 00 74 00 78 00 74 }
|
||||
$s4 = { 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F }
|
||||
$s5 = {53 74 61 72 74 40 34}
|
||||
$s6 = {3B 57 34 74 2D 6A}
|
||||
$s7 = {43 6C 65 61 6E 65 72 2E}
|
||||
condition:
|
||||
all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7)
|
||||
}
|
|
@ -1,30 +0,0 @@
|
|||
rule CISA_10376640_01 : trojan wiper ISAACWIPER
|
||||
{
|
||||
meta:
|
||||
Author = "CISA Code & Media Analysis"
|
||||
Incident = "10376640"
|
||||
Date = "2022-03-14"
|
||||
Last_Modified = "20220418_1900"
|
||||
Actor = "n/a"
|
||||
Category = "Trojan Wiper"
|
||||
Family = "ISAACWIPER"
|
||||
Description = "Detects ISACC Wiper samples"
|
||||
Reference = "https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-115b"
|
||||
MD5_1 = "aa98b92e3320af7a1639de1bac6c17cc"
|
||||
SHA256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f"
|
||||
MD5_2 = "8061889aaebd955ba6fb493abe7a4de1"
|
||||
SHA256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a"
|
||||
MD5_3 = "ecce8845921a91854ab34bff2623151e"
|
||||
SHA256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033"
|
||||
strings:
|
||||
$s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6E 00 67 }
|
||||
$s1 = { 6C 00 6F 00 67 00 69 00 63 00 61 00 6C }
|
||||
$s2 = { 46 00 41 00 49 00 4C 00 45 00 44 }
|
||||
$s3 = { 5C 00 6C 00 6F 00 67 00 2E 00 74 00 78 00 74 }
|
||||
$s4 = { 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F }
|
||||
$s5 = {53 74 61 72 74 40 34}
|
||||
$s6 = {3B 57 34 74 2D 6A}
|
||||
$s7 = {43 6C 65 61 6E 65 72 2E}
|
||||
condition:
|
||||
all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7)
|
||||
}
|
|
@ -1,14 +0,0 @@
|
|||
rule ElMachete_doc
|
||||
{
|
||||
meta:
|
||||
author = "CPR"
|
||||
reference = "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/"
|
||||
hash1 = "8E1360CC27E95FC47924D9BA3EF84CB8FA9E142CFD16E1503C5277D0C16AE241"
|
||||
strings:
|
||||
$s1 = "You want to continue with the Document" ascii
|
||||
$s2 = "certutil -decode" ascii
|
||||
$s3 = /C:\\ProgramData\\.{1,20}\.txt/
|
||||
$s4 = /C:\\ProgramData\\.{1,20}\.vbe/
|
||||
condition:
|
||||
uint16be(0) == 0xD0CF and 2 of ($s*)
|
||||
}
|
|
@ -1,17 +0,0 @@
|
|||
rule ElMachete_msi
|
||||
{
|
||||
meta:
|
||||
author = "CPR"
|
||||
reference = "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/"
|
||||
hash1 = "ED09DA9D48AFE918F9C7F72FE4466167E2F127A28A7641BA80D6165E82F48431"
|
||||
strings:
|
||||
$s1 = "MSI Wrapper (8.0.26.0)"
|
||||
$s2 = "Windows Installer XML Toolset (3.11.0.1701)"
|
||||
$s3 = "\\Lib\\site-packages\\PIL\\"
|
||||
$s4 = "\\Lib\\site-packages\\pyHook\\"
|
||||
$s5 = "\\Lib\\site-packages\\requests\\"
|
||||
$s6 = "\\Lib\\site-packages\\win32com\\"
|
||||
$s7 = "\\Lib\\site-packages\\Crypto\\"
|
||||
condition:
|
||||
4 of them
|
||||
}
|
|
@ -1,11 +0,0 @@
|
|||
rule Gozi_JJ_struct: trojan {
|
||||
meta:
|
||||
module = "Gozi_JJ_struct"
|
||||
reference = "https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/"
|
||||
strings:
|
||||
$jj = "JJ" ascii
|
||||
$pe_file = "This program cannot be run in DOS mode" ascii
|
||||
$bss = ".bss" ascii
|
||||
condition:
|
||||
#jj >= 2 and (for all i in (1,2) : (@jj[i] < 0x400 and @jj[i] > 0x200)) and (@jj[2] - @jj[1] == 0x14) and ($pe_file in (0..1000)) and ($bss in (0..1000))
|
||||
}
|
File diff suppressed because one or more lines are too long
|
@ -1,16 +0,0 @@
|
|||
rule TeamViwer_backdoor
|
||||
{
|
||||
|
||||
meta:
|
||||
date = "2019-04-14"
|
||||
description = "Detects malicious TeamViewer DLLs"
|
||||
reference = "https://research.checkpoint.com/2019/finteam-trojanized-teamviewer-against-government-targets/"
|
||||
|
||||
strings:
|
||||
|
||||
// PostMessageW hook function
|
||||
$x1 = {55 8b ec 8b 45 0c 3d 12 01 00 00 75 05 83 c8 ff eb 12 8b 55 14 52 8b 55 10 52 50 8b 45 08 50 e8}
|
||||
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and $x1
|
||||
}
|
|
@ -1,14 +0,0 @@
|
|||
rule ZZ_breakwin_config {
|
||||
meta:
|
||||
description = "Detects the header of the encrypted config files, assuming known encryption key."
|
||||
reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
|
||||
author = "Check Point Research"
|
||||
date = "22-07-2021"
|
||||
hash = "948febaab71727217303e0aabb9126f242aa51f89caa7f070a3da76c4f5699ed"
|
||||
hash = "2d35bb7c02062ff2fba4424a267c5c83351405281a1870f52d02f3712a547a22"
|
||||
hash = "68e95a3ccde3ea22b8eb8adcf0ad53c7993b2ea5316948e31d9eadd11b5151d7"
|
||||
strings:
|
||||
$conf_header = {1A 69 45 47 5E 46 4A 06 03 E4 34 0B 06 1D ED 2F 02 15 02 E5 57 4D 59 59 D1 40 20 22}
|
||||
condition:
|
||||
$conf_header at 0
|
||||
}
|
|
@ -1,23 +0,0 @@
|
|||
rule ZZ_breakwin_meteor_batch_files {
|
||||
meta:
|
||||
description = "Detect the batch files used in the attacks"
|
||||
reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
|
||||
author = "Check Point Research"
|
||||
date = "22-07-2021"
|
||||
strings:
|
||||
$filename_0 = "mscap.bmp"
|
||||
$filename_1 = "mscap.jpg"
|
||||
$filename_2 = "msconf.conf"
|
||||
$filename_3 = "msmachine.reg"
|
||||
$filename_4 = "mssetup.exe"
|
||||
$filename_5 = "msuser.reg"
|
||||
$filename_6 = "msapp.exe"
|
||||
$filename_7 = "bcd.rar"
|
||||
$filename_8 = "bcd.bat"
|
||||
$filename_9 = "msrun.bat"
|
||||
$command_line_0 = "powershell -Command \"%exclude_command% '%defender_exclusion_folder%"
|
||||
$command_line_1 = "start /b \"\" update.bat hackemall"
|
||||
condition:
|
||||
4 of ($filename_*) or
|
||||
any of ($command_line_*)
|
||||
}
|
|
@ -1,20 +0,0 @@
|
|||
rule ZZ_breakwin_stardust_vbs {
|
||||
meta:
|
||||
description = "Detect the VBS files that where found in the attacks on targets in Syria"
|
||||
reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
|
||||
author = "Check Point Research"
|
||||
date = "22-07-2021"
|
||||
hash = "38a419cd9456e40961c781e16ceee99d970be4e9235ccce0b316efe68aba3933"
|
||||
hash = "62a984981d14b562939294df9e479ac0d65dfc412d0449114ccb2a0bc93769b0"
|
||||
hash = "4d994b864d785abccef829d84f91d949562d0af934114b65056315bf59c1ef58"
|
||||
hash = "eb5237d56c0467b5def9a92e445e34eeed9af2fee28f3a2d2600363724d6f8b0"
|
||||
hash = "5553ba3dc141cd63878a7f9f0a0e67fb7e887010c0614efd97bbc6c0be9ec2ad"
|
||||
strings:
|
||||
$url_template = "progress.php?hn=\" & CN & \"&dt=\" & DT & \"&st="
|
||||
$compression_password_1 = "YWhZMFU1VlZGdGNFNWlhMVlVMnhTMWtOVlJVWWNGTk9iVTQxVW10V0ZFeFJUMD0r"
|
||||
$compression_password_2 = "YWlvcyBqQCNAciNxIGpmc2FkKnIoOUZURjlVSjBSRjJRSlJGODlKSDIzRmloIG8"
|
||||
$uninstall_kaspersky = "Shell.Run \"msiexec.exe /x \" & productcode & \" KLLOGIN="
|
||||
$is_avp_running = "isProcessRunning(\".\", \"avp.exe\") Then"
|
||||
condition:
|
||||
any of them
|
||||
}
|
|
@ -1,120 +0,0 @@
|
|||
rule ZZ_breakwin_wiper {
|
||||
meta:
|
||||
description = "Detects the BreakWin wiper that was used in attacks in Syria"
|
||||
reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
|
||||
author = "Check Point Research"
|
||||
date = "22-07-2021"
|
||||
hash = "2aa6e42cb33ec3c132ffce425a92dfdb5e29d8ac112631aec068c8a78314d49b"
|
||||
hash = "6709d332fbd5cde1d8e5b0373b6ff70c85fee73bd911ab3f1232bb5db9242dd4"
|
||||
hash = "d71cc6337efb5cbbb400d57c8fdeb48d7af12a292fa87a55e8705d18b09f516e"
|
||||
strings:
|
||||
$debug_str_meteor_1 = "the program received an invalid number of arguments" wide
|
||||
$debug_str_meteor_2 = "End interval logger. Resuming writing every log" wide
|
||||
$debug_str_meteor_0 = "failed to initialize configuration from file" wide
|
||||
$debug_str_meteor_3 = "Meteor is still alive." wide
|
||||
$debug_str_meteor_4 = "Exiting main function because of some error" wide
|
||||
$debug_str_meteor_5 = "Meteor has finished. This shouldn't be possible because of the is-alive loop." wide
|
||||
$debug_str_meteor_6 = "Meteor has started." wide
|
||||
$debug_str_meteor_7 = "Could not hide current console." wide
|
||||
$debug_str_meteor_8 = "Could not get the window handle used by the console." wide
|
||||
$debug_str_meteor_9 = "Failed to find base-64 data size" wide
|
||||
$debug_str_meteor_10 = "Running locker thread" wide
|
||||
$debug_str_meteor_11 = "Failed to encode wide-character string as Base64" wide
|
||||
$debug_str_meteor_12 = "Wiper operation failed." wide
|
||||
$debug_str_meteor_13 = "Screen saver disable failed." wide
|
||||
$debug_str_meteor_14 = "Failed to generate password of length %s. Generating a default one." wide
|
||||
$debug_str_meteor_15 = "Failed to delete boot configuration" wide
|
||||
$debug_str_meteor_16 = "Could not delete all BCD entries." wide
|
||||
$debug_str_meteor_17 = "Finished deleting BCD entries." wide
|
||||
$debug_str_meteor_18 = "Failed to change lock screen" wide
|
||||
$debug_str_meteor_19 = "Boot configuration deleted successfully" wide
|
||||
$debug_str_meteor_20 = "Failed to kill all winlogon processes" wide
|
||||
$debug_str_meteor_21 = "Changing passwords of all users to" wide
|
||||
$debug_str_meteor_22 = "Failed to change the passwords of all users" wide
|
||||
$debug_str_meteor_23 = "Failed to run the locker thread" wide
|
||||
$debug_str_meteor_24 = "Screen saver disabled successfully." wide
|
||||
$debug_str_meteor_25 = "Generating random password failed" wide
|
||||
$debug_str_meteor_26 = "Locker installation failed" wide
|
||||
$debug_str_meteor_27 = "Failed to set auto logon." wide
|
||||
$debug_str_meteor_28 = "Failed to initialize interval logger. Using a dummy logger instead." wide
|
||||
$debug_str_meteor_29 = "Succeeded setting auto logon for" wide
|
||||
$debug_str_meteor_30 = "Failed disabling the first logon privacy settings user approval." wide
|
||||
$debug_str_meteor_31 = "Failed disabling the first logon animation." wide
|
||||
$debug_str_meteor_32 = "Waiting for new winlogon process" wide
|
||||
$debug_str_meteor_33 = "Failed to isolate from domain" wide
|
||||
$debug_str_meteor_34 = "Failed creating scheduled task for system with name %s." wide
|
||||
$debug_str_meteor_35 = "Failed to get the new token of winlogon." wide
|
||||
$debug_str_meteor_36 = "Failed adding new admin user." wide
|
||||
$debug_str_meteor_37 = "Failed changing settings for the created new user." wide
|
||||
$debug_str_meteor_38 = "Failed disabling recovery mode." wide
|
||||
$debug_str_meteor_39 = "Logging off users on Windows version 8 or above" wide
|
||||
$debug_str_meteor_40 = "Succeeded setting boot policy to ignore all errors." wide
|
||||
$debug_str_meteor_41 = "Succeeded creating scheduled task for system with name" wide
|
||||
$debug_str_meteor_42 = "Succeeded disabling recovery mode" wide
|
||||
$debug_str_meteor_43 = "Failed to log off all sessions" wide
|
||||
$debug_str_meteor_44 = "Failed to delete shadowcopies." wide
|
||||
$debug_str_meteor_45 = "Failed logging off session: " wide
|
||||
$debug_str_meteor_46 = "Failed setting boot policy to ignore all errors." wide
|
||||
$debug_str_meteor_47 = "Successfully logged off all local sessions, except winlogon." wide
|
||||
$debug_str_meteor_48 = "Succeeded creating scheduled task with name %s for user %s." wide
|
||||
$debug_str_meteor_49 = "Killing all winlogon processes" wide
|
||||
$debug_str_meteor_50 = "Logging off users in Windows 7" wide
|
||||
$debug_str_meteor_51 = "Failed logging off all local sessions, except winlogon." wide
|
||||
$debug_str_meteor_52 = "Failed creating scheduled task with name %s for user %s." wide
|
||||
$debug_str_meteor_53 = "Succeeded deleting shadowcopies." wide
|
||||
$debug_str_meteor_54 = "Logging off users in Windows XP" wide
|
||||
$debug_str_meteor_55 = "Failed changing settings for the created new user." wide
|
||||
$debug_str_meteor_56 = "Could not open file %s. error message: %s" wide
|
||||
$debug_str_meteor_57 = "Could not write to file %s. error message: %s" wide
|
||||
$debug_str_meteor_58 = "tCould not tell file pointer location on file %s." wide
|
||||
$debug_str_meteor_59 = "Could not set file pointer location on file %s to offset %s." wide
|
||||
$debug_str_meteor_60 = "Could not read from file %s. error message: %s" wide
|
||||
$debug_str_meteor_61 = "Failed to wipe file %s" wide
|
||||
$debug_str_meteor_62 = "attempted to access encrypted file in offset %s, but it only supports offset 0" wide
|
||||
$debug_str_meteor_63 = "Failed to create thread. Error message: %s" wide
|
||||
$debug_str_meteor_64 = "Failed to wipe file %s" wide
|
||||
$debug_str_meteor_65 = "failed to get configuration value with key %s" wide
|
||||
$debug_str_meteor_66 = "failed to parse the configuration from file %s" wide
|
||||
$debug_str_meteor_67 = "Failed posting to server, received unknown exception" wide
|
||||
$debug_str_meteor_68 = "Failed posting to server, received std::exception" wide
|
||||
$debug_str_meteor_69 = "Skipping %s logs. Writing log number %s:" wide
|
||||
$debug_str_meteor_70 = "Start interval logger. Writing logs with an interval of %s logs." wide
|
||||
$debug_str_meteor_71 = "failed to write message to log file %s" wide
|
||||
$debug_str_meteor_72 = "The log message is too big: %s/%s characters." wide
|
||||
$debug_str_stardust_0 = "Stardust has started." wide
|
||||
$debug_str_stardust_1 = "0Vy0qMGO" ascii wide
|
||||
$debug_str_comet_0 = "Comet has started." wide
|
||||
$debug_str_comet_1 = "Comet has finished." wide
|
||||
$str_lock_my_pc = "Lock My PC 4" ascii wide
|
||||
$config_entry_0 = "state_path" ascii
|
||||
$config_entry_1 = "state_encryption_key" ascii
|
||||
$config_entry_2 = "log_server_port" ascii
|
||||
$config_entry_3 = "log_file_path" ascii
|
||||
$config_entry_4 = "log_encryption_key" ascii
|
||||
$config_entry_5 = "log_server_ip" ascii
|
||||
$config_entry_6 = "processes_to_kill" ascii
|
||||
$config_entry_7 = "process_termination_timeout" ascii
|
||||
$config_entry_8 = "paths_to_wipe" ascii
|
||||
$config_entry_9 = "wiping_stage_logger_interval" ascii
|
||||
$config_entry_10 = "locker_exe_path" ascii
|
||||
$config_entry_11 = "locker_background_image_jpg_path" ascii
|
||||
$config_entry_12 = "auto_logon_path" ascii
|
||||
$config_entry_13 = "locker_installer_path" ascii
|
||||
$config_entry_14 = "locker_password_hash" ascii
|
||||
$config_entry_15 = "users_password" ascii
|
||||
$config_entry_16 = "locker_background_image_bmp_path" ascii
|
||||
$config_entry_17 = "locker_registry_settings_files" ascii
|
||||
$config_entry_18 = "cleanup_script_path" ascii
|
||||
$config_entry_19 = "is_alive_loop_interval" ascii
|
||||
$config_entry_20 = "cleanup_scheduled_task_name" ascii
|
||||
$config_entry_21 = "self_scheduled_task_name" ascii
|
||||
$encryption_asm = {33 D2 8B C3 F7 75 E8 8B 41 04 8B 4E 04 8A 04 02 02 C3 32 04 1F 88 45 F3 39 4E 08}
|
||||
$random_string_generation = {33 D2 59 F7 F1 83 ?? ?? 08 66 0F BE 82 ?? ?? ?? 00 0F B7 C8 8B C7}
|
||||
condition:
|
||||
uint16(0) == 0x5A4D and
|
||||
(
|
||||
6 of them or
|
||||
$encryption_asm or
|
||||
$random_string_generation
|
||||
)
|
||||
}
|
|
@ -1,39 +0,0 @@
|
|||
rule apt3_bemstour_implant_byte_patch
|
||||
{
|
||||
meta:
|
||||
|
||||
description = "Detects an implant used by Bemstour exploitation tool (APT3)"
|
||||
reference = "https://research.checkpoint.com/2019/upsynergy/"
|
||||
author = "Mark Lechtik"
|
||||
company = "Check Point Software Technologies LTD."
|
||||
date = "2019-06-25"
|
||||
sha256 = "0b28433a2b7993da65e95a45c2adf7bc37edbd2a8db717b85666d6c88140698a"
|
||||
|
||||
/*
|
||||
|
||||
0x41b7e1L C745B8558BEC83 mov dword ptr [ebp - 0x48], 0x83ec8b55
|
||||
0x41b7e8L C745BCEC745356 mov dword ptr [ebp - 0x44], 0x565374ec
|
||||
0x41b7efL C745C08B750833 mov dword ptr [ebp - 0x40], 0x3308758b
|
||||
0x41b7f6L C745C4C957C745 mov dword ptr [ebp - 0x3c], 0x45c757c9
|
||||
0x41b7fdL C745C88C4C6F61 mov dword ptr [ebp - 0x38], 0x616f4c8c
|
||||
|
||||
*/
|
||||
|
||||
strings:
|
||||
|
||||
$chunk_1 = {
|
||||
|
||||
C7 45 ?? 55 8B EC 83
|
||||
C7 45 ?? EC 74 53 56
|
||||
C7 45 ?? 8B 75 08 33
|
||||
C7 45 ?? C9 57 C7 45
|
||||
C7 45 ?? 8C 4C 6F 61
|
||||
|
||||
}
|
||||
|
||||
condition:
|
||||
any of them
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -1,169 +0,0 @@
|
|||
rule apt3_bemstour_implant_command_stack_variable
|
||||
{
|
||||
meta:
|
||||
|
||||
description = "Detecs an implant used by Bemstour exploitation tool (APT3)"
|
||||
reference = "https://research.checkpoint.com/2019/upsynergy/"
|
||||
author = "Mark Lechtik"
|
||||
company = "Check Point Software Technologies LTD."
|
||||
date = "2019-06-25"
|
||||
sha256 = "0b28433a2b7993da65e95a45c2adf7bc37edbd2a8db717b85666d6c88140698a"
|
||||
|
||||
|
||||
strings:
|
||||
|
||||
|
||||
/*
|
||||
|
||||
0x41ba18L C78534FFFFFF636D642E mov dword ptr [ebp - 0xcc], 0x2e646d63
|
||||
0x41ba22L C78538FFFFFF65786520 mov dword ptr [ebp - 0xc8], 0x20657865
|
||||
0x41ba2cL C7853CFFFFFF2F632063 mov dword ptr [ebp - 0xc4], 0x6320632f
|
||||
0x41ba36L C78540FFFFFF6F707920 mov dword ptr [ebp - 0xc0], 0x2079706f
|
||||
0x41ba40L C78544FFFFFF2577696E mov dword ptr [ebp - 0xbc], 0x6e697725
|
||||
0x41ba4aL C78548FFFFFF64697225 mov dword ptr [ebp - 0xb8], 0x25726964
|
||||
0x41ba54L C7854CFFFFFF5C737973 mov dword ptr [ebp - 0xb4], 0x7379735c
|
||||
0x41ba5eL C78550FFFFFF74656D33 mov dword ptr [ebp - 0xb0], 0x336d6574
|
||||
0x41ba68L C78554FFFFFF325C636D mov dword ptr [ebp - 0xac], 0x6d635c32
|
||||
0x41ba72L C78558FFFFFF642E6578 mov dword ptr [ebp - 0xa8], 0x78652e64
|
||||
0x41ba7cL C7855CFFFFFF65202577 mov dword ptr [ebp - 0xa4], 0x77252065
|
||||
0x41ba86L C78560FFFFFF696E6469 mov dword ptr [ebp - 0xa0], 0x69646e69
|
||||
0x41ba90L C78564FFFFFF72255C73 mov dword ptr [ebp - 0x9c], 0x735c2572
|
||||
0x41ba9aL C78568FFFFFF79737465 mov dword ptr [ebp - 0x98], 0x65747379
|
||||
0x41baa4L C7856CFFFFFF6D33325C mov dword ptr [ebp - 0x94], 0x5c32336d
|
||||
0x41baaeL C78570FFFFFF73657468 mov dword ptr [ebp - 0x90], 0x68746573
|
||||
0x41bab8L C78574FFFFFF632E6578 mov dword ptr [ebp - 0x8c], 0x78652e63
|
||||
0x41bac2L C78578FFFFFF65202F79 mov dword ptr [ebp - 0x88], 0x792f2065
|
||||
0x41baccL 83A57CFFFFFF00 and dword ptr [ebp - 0x84], 0
|
||||
|
||||
*/
|
||||
|
||||
$chunk_1 = {
|
||||
|
||||
C7 85 ?? ?? ?? ?? 63 6D 64 2E
|
||||
C7 85 ?? ?? ?? ?? 65 78 65 20
|
||||
C7 85 ?? ?? ?? ?? 2F 63 20 63
|
||||
C7 85 ?? ?? ?? ?? 6F 70 79 20
|
||||
C7 85 ?? ?? ?? ?? 25 77 69 6E
|
||||
C7 85 ?? ?? ?? ?? 64 69 72 25
|
||||
C7 85 ?? ?? ?? ?? 5C 73 79 73
|
||||
C7 85 ?? ?? ?? ?? 74 65 6D 33
|
||||
C7 85 ?? ?? ?? ?? 32 5C 63 6D
|
||||
C7 85 ?? ?? ?? ?? 64 2E 65 78
|
||||
C7 85 ?? ?? ?? ?? 65 20 25 77
|
||||
C7 85 ?? ?? ?? ?? 69 6E 64 69
|
||||
C7 85 ?? ?? ?? ?? 72 25 5C 73
|
||||
C7 85 ?? ?? ?? ?? 79 73 74 65
|
||||
C7 85 ?? ?? ?? ?? 6D 33 32 5C
|
||||
C7 85 ?? ?? ?? ?? 73 65 74 68
|
||||
C7 85 ?? ?? ?? ?? 63 2E 65 78
|
||||
C7 85 ?? ?? ?? ?? 65 20 2F 79
|
||||
83 A5 ?? ?? ?? ?? 00
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
/*
|
||||
|
||||
0x41baeeL C785D8FEFFFF636D6420 mov dword ptr [ebp - 0x128], 0x20646d63
|
||||
0x41baf8L C785DCFEFFFF2F632022 mov dword ptr [ebp - 0x124], 0x2220632f
|
||||
0x41bb02L C785E0FEFFFF6E657420 mov dword ptr [ebp - 0x120], 0x2074656e
|
||||
0x41bb0cL C785E4FEFFFF75736572 mov dword ptr [ebp - 0x11c], 0x72657375
|
||||
0x41bb16L C785E8FEFFFF20636573 mov dword ptr [ebp - 0x118], 0x73656320
|
||||
0x41bb20L C785ECFEFFFF73757070 mov dword ptr [ebp - 0x114], 0x70707573
|
||||
0x41bb2aL C785F0FEFFFF6F727420 mov dword ptr [ebp - 0x110], 0x2074726f
|
||||
0x41bb34L C785F4FEFFFF3171617A mov dword ptr [ebp - 0x10c], 0x7a617131
|
||||
0x41bb3eL C785F8FEFFFF23454443 mov dword ptr [ebp - 0x108], 0x43444523
|
||||
0x41bb48L C785FCFEFFFF202F6164 mov dword ptr [ebp - 0x104], 0x64612f20
|
||||
0x41bb52L C78500FFFFFF64202626 mov dword ptr [ebp - 0x100], 0x26262064
|
||||
0x41bb5cL C78504FFFFFF206E6574 mov dword ptr [ebp - 0xfc], 0x74656e20
|
||||
0x41bb66L C78508FFFFFF206C6F63 mov dword ptr [ebp - 0xf8], 0x636f6c20
|
||||
0x41bb70L C7850CFFFFFF616C6772 mov dword ptr [ebp - 0xf4], 0x72676c61
|
||||
0x41bb7aL C78510FFFFFF6F757020 mov dword ptr [ebp - 0xf0], 0x2070756f
|
||||
0x41bb84L C78514FFFFFF61646D69 mov dword ptr [ebp - 0xec], 0x696d6461
|
||||
0x41bb8eL C78518FFFFFF6E697374 mov dword ptr [ebp - 0xe8], 0x7473696e
|
||||
0x41bb98L C7851CFFFFFF7261746F mov dword ptr [ebp - 0xe4], 0x6f746172
|
||||
0x41bba2L C78520FFFFFF72732063 mov dword ptr [ebp - 0xe0], 0x63207372
|
||||
0x41bbacL C78524FFFFFF65737375 mov dword ptr [ebp - 0xdc], 0x75737365
|
||||
0x41bbb6L C78528FFFFFF70706F72 mov dword ptr [ebp - 0xd8], 0x726f7070
|
||||
0x41bbc0L C7852CFFFFFF74202F61 mov dword ptr [ebp - 0xd4], 0x612f2074
|
||||
0x41bbcaL C78530FFFFFF64642200 mov dword ptr [ebp - 0xd0], 0x226464
|
||||
0x41bbd4L 6A5C push 0x5c
|
||||
|
||||
*/
|
||||
|
||||
$chunk_2 = {
|
||||
|
||||
C7 85 ?? ?? ?? ?? 63 6D 64 20
|
||||
C7 85 ?? ?? ?? ?? 2F 63 20 22
|
||||
C7 85 ?? ?? ?? ?? 6E 65 74 20
|
||||
C7 85 ?? ?? ?? ?? 75 73 65 72
|
||||
C7 85 ?? ?? ?? ?? 20 63 65 73
|
||||
C7 85 ?? ?? ?? ?? 73 75 70 70
|
||||
C7 85 ?? ?? ?? ?? 6F 72 74 20
|
||||
C7 85 ?? ?? ?? ?? 31 71 61 7A
|
||||
C7 85 ?? ?? ?? ?? 23 45 44 43
|
||||
C7 85 ?? ?? ?? ?? 20 2F 61 64
|
||||
C7 85 ?? ?? ?? ?? 64 20 26 26
|
||||
C7 85 ?? ?? ?? ?? 20 6E 65 74
|
||||
C7 85 ?? ?? ?? ?? 20 6C 6F 63
|
||||
C7 85 ?? ?? ?? ?? 61 6C 67 72
|
||||
C7 85 ?? ?? ?? ?? 6F 75 70 20
|
||||
C7 85 ?? ?? ?? ?? 61 64 6D 69
|
||||
C7 85 ?? ?? ?? ?? 6E 69 73 74
|
||||
C7 85 ?? ?? ?? ?? 72 61 74 6F
|
||||
C7 85 ?? ?? ?? ?? 72 73 20 63
|
||||
C7 85 ?? ?? ?? ?? 65 73 73 75
|
||||
C7 85 ?? ?? ?? ?? 70 70 6F 72
|
||||
C7 85 ?? ?? ?? ?? 74 20 2F 61
|
||||
C7 85 ?? ?? ?? ?? 64 64 22 00
|
||||
6A 5C
|
||||
|
||||
}
|
||||
|
||||
/*
|
||||
|
||||
0x41be22L C745D057696E45 mov dword ptr [ebp - 0x30], 0x456e6957
|
||||
0x41be29L C745D478656300 mov dword ptr [ebp - 0x2c], 0x636578
|
||||
0x41be30L C7459C47657450 mov dword ptr [ebp - 0x64], 0x50746547
|
||||
0x41be37L C745A0726F6341 mov dword ptr [ebp - 0x60], 0x41636f72
|
||||
0x41be3eL C745A464647265 mov dword ptr [ebp - 0x5c], 0x65726464
|
||||
0x41be45L C745A873730000 mov dword ptr [ebp - 0x58], 0x7373
|
||||
0x41be4cL C745C443726561 mov dword ptr [ebp - 0x3c], 0x61657243
|
||||
0x41be53L C745C874654669 mov dword ptr [ebp - 0x38], 0x69466574
|
||||
0x41be5aL C745CC6C654100 mov dword ptr [ebp - 0x34], 0x41656c
|
||||
0x41be61L C745B857726974 mov dword ptr [ebp - 0x48], 0x74697257
|
||||
0x41be68L C745BC6546696C mov dword ptr [ebp - 0x44], 0x6c694665
|
||||
0x41be6fL C745C065000000 mov dword ptr [ebp - 0x40], 0x65
|
||||
0x41be76L C745AC436C6F73 mov dword ptr [ebp - 0x54], 0x736f6c43
|
||||
0x41be7dL C745B06548616E mov dword ptr [ebp - 0x50], 0x6e614865
|
||||
0x41be84L C745B4646C6500 mov dword ptr [ebp - 0x4c], 0x656c64
|
||||
0x41be8bL 894DE8 mov dword ptr [ebp - 0x18], ecx
|
||||
|
||||
*/
|
||||
|
||||
$chunk_3 = {
|
||||
|
||||
C7 45 ?? 57 69 6E 45
|
||||
C7 45 ?? 78 65 63 00
|
||||
C7 45 ?? 47 65 74 50
|
||||
C7 45 ?? 72 6F 63 41
|
||||
C7 45 ?? 64 64 72 65
|
||||
C7 45 ?? 73 73 00 00
|
||||
C7 45 ?? 43 72 65 61
|
||||
C7 45 ?? 74 65 46 69
|
||||
C7 45 ?? 6C 65 41 00
|
||||
C7 45 ?? 57 72 69 74
|
||||
C7 45 ?? 65 46 69 6C
|
||||
C7 45 ?? 65 00 00 00
|
||||
C7 45 ?? 43 6C 6F 73
|
||||
C7 45 ?? 65 48 61 6E
|
||||
C7 45 ?? 64 6C 65 00
|
||||
89 4D ??
|
||||
|
||||
}
|
||||
|
||||
|
||||
condition:
|
||||
any of them
|
||||
}
|
|
@ -1,68 +0,0 @@
|
|||
rule apt3_bemstour_strings
|
||||
{
|
||||
meta:
|
||||
|
||||
description = "Detects strings used by the Bemstour exploitation tool"
|
||||
reference = "https://research.checkpoint.com/2019/upsynergy/"
|
||||
author = "Mark Lechtik"
|
||||
company = "Check Point Software Technologies LTD."
|
||||
date = "2019-06-25"
|
||||
sha256 = "0b28433a2b7993da65e95a45c2adf7bc37edbd2a8db717b85666d6c88140698a"
|
||||
strings:
|
||||
|
||||
$dbg_print_1 = "leaked address is 0x%llx" ascii wide
|
||||
$dbg_print_2 = "========== %s ==========" ascii wide
|
||||
$dbg_print_3 = "detailVersion:%d" ascii wide
|
||||
$dbg_print_4 = "create pipe twice failed" ascii wide
|
||||
$dbg_print_5 = "WSAStartup function failed with error: %d" ascii wide
|
||||
$dbg_print_6 = "can't open input file." ascii wide
|
||||
$dbg_print_7 = "Allocate Buffer Failed." ascii wide
|
||||
$dbg_print_8 = "Connect to target failed." ascii wide
|
||||
$dbg_print_9 = "connect successful." ascii wide
|
||||
$dbg_print_10 = "not supported Platform" ascii wide
|
||||
$dbg_print_11 = "Wait several seconds." ascii wide
|
||||
$dbg_print_12 = "not set where to write ListEntry ." ascii wide
|
||||
$dbg_print_13 = "backdoor not installed." ascii wide
|
||||
$dbg_print_14 = "REConnect to target failed." ascii wide
|
||||
$dbg_print_15 = "Construct TreeConnectAndX Request Failed." ascii wide
|
||||
$dbg_print_16 = "Construct NTCreateAndXRequest Failed." ascii wide
|
||||
$dbg_print_17 = "Construct Trans2 Failed." ascii wide
|
||||
$dbg_print_18 = "Construct ConsWXR Failed." ascii wide
|
||||
$dbg_print_19 = "Construct ConsTransSecondary Failed." ascii wide
|
||||
$dbg_print_20 = "if you don't want to input password , use server2003 version.." ascii wide
|
||||
|
||||
$cmdline_1 = "Command format %s TargetIp domainname username password 2" ascii wide
|
||||
$cmdline_2 = "Command format %s TargetIp domainname username password 1" ascii wide
|
||||
$cmdline_3 = "cmd.exe /c net user test test /add && cmd.exe /c net localgroup administrators test /add" ascii wide
|
||||
$cmdline_4 = "hello.exe \"C:\\WINDOWS\\DEBUG\\test.exe\"" ascii wide
|
||||
$cmdline_5 = "parameter not right" ascii wide
|
||||
|
||||
$smb_param_1 = "browser" ascii wide
|
||||
$smb_param_2 = "spoolss" ascii wide
|
||||
$smb_param_3 = "srvsvc" ascii wide
|
||||
$smb_param_4 = "\\PIPE\\LANMAN" ascii wide
|
||||
$smb_param_5 = "Werttys for Workgroups 3.1a" ascii wide
|
||||
$smb_param_6 = "PC NETWORK PROGRAM 1.0" ascii wide
|
||||
$smb_param_7 = "LANMAN1.0" ascii wide
|
||||
$smb_param_8 = "LM1.2X002" ascii wide
|
||||
$smb_param_9 = "LANMAN2.1" ascii wide
|
||||
$smb_param_10 = "NT LM 0.12" ascii wide
|
||||
$smb_param_12 = "WORKGROUP" ascii wide
|
||||
$smb_param_13 = "Windows Server 2003 3790 Service Pack 2" ascii wide
|
||||
$smb_param_14 = "Windows Server 2003 5.2" ascii wide
|
||||
$smb_param_15 = "Windows 2002 Service Pack 2 2600" ascii wide
|
||||
$smb_param_16 = "Windows 2002 5.1" ascii wide
|
||||
$smb_param_17 = "PC NETWORK PROGRAM 1.0" ascii wide
|
||||
$smb_param_18 = "Windows 2002 5.1" ascii wide
|
||||
$smb_param_19 = "Windows for Workgroups 3.1a" ascii wide
|
||||
|
||||
$unique_str_1 = "WIN-NGJ7GKNROVS"
|
||||
$unique_str_2 = "XD-A31C2E0087B2"
|
||||
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and (5 of ($dbg_print*) or 2 of ($cmdline*) or 1 of ($unique_str*)) and 3 of ($smb_param*)
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
|
@ -1,34 +0,0 @@
|
|||
rule apt_CN_TwistedPanda_64bit_Loader {
|
||||
meta:
|
||||
author = "Check Point Research"
|
||||
description = "Detect the 64bit Loader DLL used by TwistedPanda"
|
||||
reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
|
||||
date = "2022-04-14"
|
||||
hash = "e0d4ef7190ff50e6ad2a2403c87cc37254498e8cc5a3b2b8798983b1b3cdc94f"
|
||||
|
||||
strings:
|
||||
// 48 8D ?? ?? ?? ?? ?? ?? ?? lea rdx, ds:2[rdx*2]
|
||||
// 48 8B C1 mov rax, rcx
|
||||
// 48 81 ?? ?? ?? ?? ?? cmp rdx, 1000h
|
||||
// 72 ?? jb short loc_7FFDF0BA1B48
|
||||
$path_check = { 48 8D [6] 48 8B ?? 48 81 [5] 72 }
|
||||
// 48 8B D0 mov rdx, rax ; lpBuffer
|
||||
// 41 B8 F0 16 00 00 mov r8d, 16F0h ; nNumberOfBytesToRead
|
||||
// 48 8B CF mov rcx, rdi ; hFile
|
||||
// 48 8B D8 mov rbx, rax
|
||||
// FF ?? ?? ?? ?? call cs:ReadFile
|
||||
$shellcode_read = { 48 8B D0 41 B8 F0 16 00 00 48 8B CF 48 8B D8 FF}
|
||||
// BA F0 16 00 00 mov edx, 16F0h ; dwSize
|
||||
// 44 8D 4E 40 lea r9d, [rsi+40h] ; flProtect
|
||||
// 33 C9 xor ecx, ecx ; lpAddress
|
||||
// 41 B8 00 30 00 00 mov r8d, 3000h ; flAllocationType
|
||||
// FF ?? ?? ?? ?? ?? call cs:VirtualAlloc
|
||||
$shellcode_allocate = { BA F0 16 00 00 44 8D 4E 40 33 C9 41 B8 00 30 00 00 FF }
|
||||
condition:
|
||||
// MZ signature at offset 0 and ...
|
||||
uint16(0) == 0x5A4D and
|
||||
|
||||
// ... PE signature at offset stored in MZ header at 0x3C
|
||||
uint32(uint32(0x3C)) == 0x00004550 and
|
||||
filesize < 3000KB and $path_check and $shellcode_allocate and $shellcode_read
|
||||
}
|
|
@ -1,33 +0,0 @@
|
|||
rule apt_CN_TwistedPanda_SPINNER_1 {
|
||||
meta:
|
||||
author = "Check Point Research"
|
||||
description = "Detect the obfuscated variant of SPINNER payload used by TwistedPanda"
|
||||
reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
|
||||
date = "2022-04-14"
|
||||
hash = "a9fb7bb40de8508606a318866e0e5ff79b98f314e782f26c7044622939dfde81"
|
||||
|
||||
strings:
|
||||
// C7 ?? ?? ?? 00 00 00 mov dword ptr [eax+??], ??
|
||||
// C7 ?? ?? ?? 00 00 00 mov dword ptr [eax+??], ??
|
||||
// C6 mov byte ptr [eax], 0
|
||||
$config_init = { C7 ?? ?? ?? 00 00 00 C7 ?? ?? ?? 00 00 00 C6 }
|
||||
$c2_cmd_1 = { 01 00 03 10}
|
||||
$c2_cmd_2 = { 02 00 01 10}
|
||||
$c2_cmd_3 = { 01 00 01 10}
|
||||
// 8D 83 ?? ?? ?? ?? lea eax, xor_key[ebx]
|
||||
// 80 B3 ?? ?? ?? ?? ?? xor xor_key[ebx], 50h
|
||||
// 89 F1 mov ecx, esi ; this
|
||||
// 6A 01 push 1 ; Size
|
||||
// 50 push eax ; Src
|
||||
// E8 ?? ?? ?? ?? call str_append
|
||||
// 80 B3 ?? ?? ?? ?? ?? xor xor_key[ebx], 50h
|
||||
$decryption = { 8D 83 [4] 80 B3 [5] 89 F1 6A 01 50 E8 [4] 80 B3 }
|
||||
|
||||
condition:
|
||||
// MZ signature at offset 0 and ...
|
||||
uint16(0) == 0x5A4D and
|
||||
|
||||
// ... PE signature at offset stored in MZ header at 0x3C
|
||||
uint32(uint32(0x3C)) == 0x00004550 and
|
||||
filesize < 3000KB and #config_init > 10 and 2 of ($c2_cmd_*) and $decryption
|
||||
}
|
|
@ -1,35 +0,0 @@
|
|||
rule apt_CN_TwistedPanda_SPINNER_2 {
|
||||
meta:
|
||||
author = "Check Point Research"
|
||||
description = "Detect an older variant of SPINNER payload used by TwistedPanda"
|
||||
reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
|
||||
date = "2022-04-14"
|
||||
hash = "28ecd1127bac08759d018787484b1bd16213809a2cc414514dc1ea87eb4c5ab8"
|
||||
|
||||
strings:
|
||||
// C7 ?? ?? ?? 00 00 00 mov dword ptr [eax+??], ??
|
||||
// C7 ?? ?? ?? 00 00 00 mov dword ptr [eax+??], ??
|
||||
// C6 mov byte ptr [eax], 0
|
||||
$config_init = { C7 [3] 00 00 00 C7 [3] 00 00 00 C6 }
|
||||
$c2_cmd_1 = { 01 00 03 10 }
|
||||
$c2_cmd_2 = { 02 00 01 10 }
|
||||
$c2_cmd_3 = { 01 00 01 10 }
|
||||
$c2_cmd_4 = { 01 00 00 10 }
|
||||
$c2_cmd_5 = { 02 00 00 10 }
|
||||
// 80 B3 ?? ?? ?? ?? ?? xor ds:dd_encrypted_url[ebx], 50h
|
||||
// 8D BB ?? ?? ?? ?? lea edi, dd_encrypted_url[ebx]
|
||||
// 8B 56 14 mov edx, [esi+14h]
|
||||
// 8B C2 mov eax, edx
|
||||
// 8B 4E 10 mov ecx, [esi+10h]
|
||||
// 2B C1 sub eax, ecx
|
||||
// 83 F8 01 cmp eax, 1
|
||||
$decryption = { 80 B3 [5] 8D BB [4] 8B 56 14 8B C2 8B 4E 10 2B C1 83 F8 01 }
|
||||
|
||||
condition:
|
||||
// MZ signature at offset 0 and ...
|
||||
uint16(0) == 0x5A4D and
|
||||
|
||||
// ... PE signature at offset stored in MZ header at 0x3C
|
||||
uint32(uint32(0x3C)) == 0x00004550 and
|
||||
filesize < 3000KB and #config_init > 10 and 2 of ($c2_cmd_*) and $decryption
|
||||
}
|
|
@ -1,36 +0,0 @@
|
|||
rule apt_CN_TwistedPanda_droppers {
|
||||
meta:
|
||||
author = "Check Point Research"
|
||||
description = "Detect droppers used by TwistedPanda"
|
||||
reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
|
||||
date = "2022-04-14"
|
||||
hash = "59dea38da6e515af45d6df68f8959601e2bbf0302e35b7989e741e9aba2f0291"
|
||||
hash = "8b04479fdf22892cdfebd6e6fbed180701e036806ed0ddbe79f0b29f73449248"
|
||||
hash = "f29a0cda6e56fc0e26efa3b6628c6bcaa0819a3275a10e9da2a8517778152d66"
|
||||
|
||||
strings:
|
||||
// 81 FA ?? ?? ?? ?? cmp edx, 4BED1896h
|
||||
// 75 ?? jnz short loc_140001829
|
||||
// E8 ?? ?? ?? ?? call sub_1400019D0
|
||||
// 48 89 05 ?? ?? ?? ?? mov cs:qword_14001ED38, rax
|
||||
// E? ?? ?? ?? ?? jmp loc_1400018DD
|
||||
$switch_control = { 81 FA [4] 75 ?? E8 [4] 48 89 05 [4] E? }
|
||||
// 41 0F ?? ?? movsx edx, byte ptr [r9]
|
||||
// 44 ?? ?? or r8d, edx
|
||||
// 41 ?? ?? 03 rol r8d, 3
|
||||
// 41 81 ?? ?? ?? ?? ?? xor r8d, 0EF112233h
|
||||
// 41 ?? ?? mov eax, r10d
|
||||
$byte_manipulation = { 41 0F [2] 44 [2] 41 [2] 03 41 81 [5] 41 }
|
||||
// %public%
|
||||
$stack_strings_1 = { 25 00 70 00 }
|
||||
$stack_strings_2 = { 75 00 62 00 }
|
||||
$stack_strings_3 = { 6C 00 69 00 }
|
||||
$stack_strings_4 = { 63 00 25 00 }
|
||||
condition:
|
||||
// MZ signature at offset 0 and ...
|
||||
uint16(0) == 0x5A4D and
|
||||
|
||||
// ... PE signature at offset stored in MZ header at 0x3C
|
||||
uint32(uint32(0x3C)) == 0x00004550 and
|
||||
filesize < 3000KB and #switch_control > 8 and all of ($stack_strings_*) and $byte_manipulation
|
||||
}
|
|
@ -1,42 +0,0 @@
|
|||
rule apt_CN_TwistedPanda_loader {
|
||||
meta:
|
||||
author = "Check Point Research"
|
||||
reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
|
||||
description = "Detect loader used by TwistedPanda"
|
||||
date = "2022-04-14"
|
||||
hash = "5b558c5fcbed8544cb100bd3db3c04a70dca02eec6fedffd5e3dcecb0b04fba0"
|
||||
hash = "efa754450f199caae204ca387976e197d95cdc7e83641444c1a5a91b58ba6198"
|
||||
|
||||
strings:
|
||||
|
||||
// 6A 40 push 40h ; '@'
|
||||
// 68 00 30 00 00 push 3000h
|
||||
$seq1 = { 6A 40 68 00 30 00 00 }
|
||||
|
||||
// 6A 00 push 0 ; lpOverlapped
|
||||
// 50 push eax ; lpNumberOfBytesRead
|
||||
// 6A 14 push 14h ; nNumberOfBytesToRead
|
||||
// 8D ?? ?? ?? ?? ?? lea eax, [ebp+Buffer]
|
||||
// 50 push eax ; lpBuffer
|
||||
// 53 push ebx ; hFile
|
||||
// FF 15 04 D0 4C 70 call ds:ReadFile
|
||||
$seq2 = { 6A 00 50 6A 14 8D ?? ?? ?? ?? ?? 50 53 FF }
|
||||
// 6A 00 push 0
|
||||
// 6A 00 push 0
|
||||
// 6A 03 push 3
|
||||
// 6A 00 push 0
|
||||
// 6A 03 push 3
|
||||
// 68 00 00 00 80 push 80000000h
|
||||
$seq3 = { 6A 00 6A 00 6A 03 6A 00 6A 03 68 00 00 00 80 }
|
||||
|
||||
// Decryption sequence
|
||||
$decryption = { 8B C? [2-3] F6 D? 1A C? [2-3] [2-3] 30 0? ?? 4? }
|
||||
|
||||
condition:
|
||||
// MZ signature at offset 0 and ...
|
||||
uint16(0) == 0x5A4D and
|
||||
|
||||
// ... PE signature at offset stored in MZ header at 0x3C
|
||||
uint32(uint32(0x3C)) == 0x00004550 and
|
||||
filesize < 3000KB and all of ($seq*) and $decryption
|
||||
}
|
|
@ -1,17 +0,0 @@
|
|||
rule apt_WebAssistant_TcahfUpdate {
|
||||
meta:
|
||||
description = "Rule for detecting the fake WebAssistant and TcahfUpdate applications used to target the Uyghur minority"
|
||||
reference = "https://research.checkpoint.com/2021/uyghurs-a-turkic-ethnic-minority-in-china-targeted-via-fake-foundations/"
|
||||
version = "1.0"
|
||||
last_modified = "2021-05-06"
|
||||
hash = "2f7492423586a3061e5641b5b271ca54"
|
||||
hash = "1b5dbd351bb7159eb08868c46a3fe3a6"
|
||||
hash = "90fcbd5c904326466c3b6af1ca34aae1"
|
||||
strings:
|
||||
$url = {2f 00 63 00 67 00 69 00 2d 00 62 00 69 00 6e 00 2f [0-50] 2e 00 70 00 79 00 3f 00}
|
||||
$lib = "Newtonsoft.Json"
|
||||
$mac = "MACAddress Is Not NULL" wide
|
||||
condition:
|
||||
uint16(0)==0x5A4D and $url and $lib and $mac
|
||||
and filesize < 1MB
|
||||
}
|
|
@ -1,32 +0,0 @@
|
|||
rule apt_nazar_component_guids
|
||||
{
|
||||
meta:
|
||||
description = "Detect Nazar Components by COM Objects' GUID"
|
||||
author = "Itay Cohen"
|
||||
date = "2020-04-27"
|
||||
reference = "<https://www.epicturla.com/blog/the-lost-nazar>"
|
||||
reference2 = "https://research.checkpoint.com/2020/nazar-spirits-of-the-past/"
|
||||
hash = "1110c3e34b6bbaadc5082fabbdd69f492f3b1480724b879a3df0035ff487fd6f"
|
||||
hash = "1afe00b54856628d760b711534779da16c69f542ddc1bb835816aa92ed556390"
|
||||
hash = "2caedd0b2ea45761332a530327f74ca5b1a71301270d1e2e670b7fa34b6f338e"
|
||||
hash = "2fe9b76496a9480273357b6d35c012809bfa3ae8976813a7f5f4959402e3fbb6"
|
||||
hash = "460eba344823766fe7c8f13b647b4d5d979ce4041dd5cb4a6d538783d96b2ef8"
|
||||
hash = "4d0ab3951df93589a874192569cac88f7107f595600e274f52e2b75f68593bca"
|
||||
hash = "75e4d73252c753cd8e177820eb261cd72fecd7360cc8ec3feeab7bd129c01ff6"
|
||||
hash = "8fb9a22b20a338d90c7ceb9424d079a61ca7ccb7f78ffb7d74d2f403ae9fbeec"
|
||||
hash = "967ac245e8429e3b725463a5c4c42fbdf98385ee6f25254e48b9492df21f2d0b"
|
||||
hash = "be624acab7dfe6282bbb32b41b10a98b6189ab3a8d9520e7447214a7e5c27728"
|
||||
hash = "d34a996826ea5a028f5b4713c797247913f036ca0063cc4c18d8b04736fa0b65"
|
||||
hash = "d9801b4da1dbc5264e83029abb93e800d3c9971c650ecc2df5f85bcc10c7bd61"
|
||||
hash = "eb705459c2b37fba5747c73ce4870497aa1d4de22c97aaea4af38cdc899b51d3"
|
||||
strings:
|
||||
$guid1_godown = { 98 B3 E5 F6 DF E3 6B 49 A2 AD C2 0F EA 30 DB FE } // Godown.dll IID
|
||||
$guid2_godown = { 31 4B CB DB B8 21 0F 4A BC 69 0C 3C E3 B6 6D 00 } // Godown.dll CLSID
|
||||
$guid3_godown = { AF 94 4E B6 6B D5 B4 48 B1 78 AF 07 23 E7 2A B5 } // probably Godown
|
||||
$guid4_filesystem = { 79 27 AB 37 34 F2 9D 4D B3 FB 59 A3 FA CB 8D 60 } // Filesystem.dll CLSID
|
||||
$guid6_filesystem = { 2D A1 2B 77 62 8A D3 4D B3 E8 92 DA 70 2E 6F 3D } // Filesystem.dll TypeLib IID
|
||||
$guid5_filesystem = { AB D3 13 CF 1C 6A E8 4A A3 74 DE D5 15 5D 6A 88 } // Filesystem.dll
|
||||
|
||||
condition:
|
||||
any of them
|
||||
}
|
|
@ -1,19 +0,0 @@
|
|||
rule apt_nazar_svchost_commands
|
||||
{
|
||||
meta:
|
||||
description = "Detect Nazar's svchost based on supported commands"
|
||||
author = "Itay Cohen"
|
||||
date = "2020-04-26"
|
||||
reference = "<https://www.epicturla.com/blog/the-lost-nazar>"
|
||||
reference2 = "https://research.checkpoint.com/2020/nazar-spirits-of-the-past/"
|
||||
hash = "2fe9b76496a9480273357b6d35c012809bfa3ae8976813a7f5f4959402e3fbb6"
|
||||
hash = "be624acab7dfe6282bbb32b41b10a98b6189ab3a8d9520e7447214a7e5c27728"
|
||||
strings:
|
||||
$str1 = { 33 31 34 00 36 36 36 00 33 31 33 00 }
|
||||
$str2 = { 33 31 32 00 33 31 35 00 35 35 35 00 }
|
||||
$str3 = { 39 39 39 00 35 39 39 00 34 39 39 00 }
|
||||
$str4 = { 32 30 39 00 32 30 31 00 32 30 30 00 }
|
||||
$str5 = { 31 39 39 00 31 31 39 00 31 38 39 00 31 33 39 00 33 31 31 00 }
|
||||
condition:
|
||||
4 of them
|
||||
}
|
|
@ -1,206 +0,0 @@
|
|||
rule explosive_exe
|
||||
{
|
||||
meta:
|
||||
author = "Check Point Software Technologies Inc."
|
||||
info = "Explosive EXE"
|
||||
strings:
|
||||
$MZ = "MZ"
|
||||
$DLD_S = "DLD-S:"
|
||||
$DLD_E = "DLD-E:"
|
||||
condition:
|
||||
$MZ at 0 and all of them
|
||||
}
|
||||
|
||||
import "pe"
|
||||
rule explosive_dll
|
||||
|
||||
{
|
||||
meta:
|
||||
author = "Check Point Software Technologies Inc."
|
||||
info = "Explosive DLL"
|
||||
reference = "https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf"
|
||||
|
||||
|
||||
condition:
|
||||
pe.DLL
|
||||
and ( pe.exports("PathProcess") or pe.exports("_PathProcess@4") ) and
|
||||
pe.exports("CON")
|
||||
}
|
||||
|
||||
rule ZZ_breakwin_config {
|
||||
meta:
|
||||
description = "Detects the header of the encrypted config files, assuming known encryption key."
|
||||
reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
|
||||
author = "Check Point Research"
|
||||
date = "22-07-2021"
|
||||
hash = "948febaab71727217303e0aabb9126f242aa51f89caa7f070a3da76c4f5699ed"
|
||||
hash = "2d35bb7c02062ff2fba4424a267c5c83351405281a1870f52d02f3712a547a22"
|
||||
hash = "68e95a3ccde3ea22b8eb8adcf0ad53c7993b2ea5316948e31d9eadd11b5151d7"
|
||||
strings:
|
||||
$conf_header = {1A 69 45 47 5E 46 4A 06 03 E4 34 0B 06 1D ED 2F 02 15 02 E5 57 4D 59 59 D1 40 20 22}
|
||||
condition:
|
||||
$conf_header at 0
|
||||
}
|
||||
rule ZZ_breakwin_wiper {
|
||||
meta:
|
||||
description = "Detects the BreakWin wiper that was used in attacks in Syria"
|
||||
reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
|
||||
author = "Check Point Research"
|
||||
date = "22-07-2021"
|
||||
hash = "2aa6e42cb33ec3c132ffce425a92dfdb5e29d8ac112631aec068c8a78314d49b"
|
||||
hash = "6709d332fbd5cde1d8e5b0373b6ff70c85fee73bd911ab3f1232bb5db9242dd4"
|
||||
hash = "d71cc6337efb5cbbb400d57c8fdeb48d7af12a292fa87a55e8705d18b09f516e"
|
||||
strings:
|
||||
$debug_str_meteor_1 = "the program received an invalid number of arguments" wide
|
||||
$debug_str_meteor_2 = "End interval logger. Resuming writing every log" wide
|
||||
$debug_str_meteor_0 = "failed to initialize configuration from file" wide
|
||||
$debug_str_meteor_3 = "Meteor is still alive." wide
|
||||
$debug_str_meteor_4 = "Exiting main function because of some error" wide
|
||||
$debug_str_meteor_5 = "Meteor has finished. This shouldn't be possible because of the is-alive loop." wide
|
||||
$debug_str_meteor_6 = "Meteor has started." wide
|
||||
$debug_str_meteor_7 = "Could not hide current console." wide
|
||||
$debug_str_meteor_8 = "Could not get the window handle used by the console." wide
|
||||
$debug_str_meteor_9 = "Failed to find base-64 data size" wide
|
||||
$debug_str_meteor_10 = "Running locker thread" wide
|
||||
$debug_str_meteor_11 = "Failed to encode wide-character string as Base64" wide
|
||||
$debug_str_meteor_12 = "Wiper operation failed." wide
|
||||
$debug_str_meteor_13 = "Screen saver disable failed." wide
|
||||
$debug_str_meteor_14 = "Failed to generate password of length %s. Generating a default one." wide
|
||||
$debug_str_meteor_15 = "Failed to delete boot configuration" wide
|
||||
$debug_str_meteor_16 = "Could not delete all BCD entries." wide
|
||||
$debug_str_meteor_17 = "Finished deleting BCD entries." wide
|
||||
$debug_str_meteor_18 = "Failed to change lock screen" wide
|
||||
$debug_str_meteor_19 = "Boot configuration deleted successfully" wide
|
||||
$debug_str_meteor_20 = "Failed to kill all winlogon processes" wide
|
||||
$debug_str_meteor_21 = "Changing passwords of all users to" wide
|
||||
$debug_str_meteor_22 = "Failed to change the passwords of all users" wide
|
||||
$debug_str_meteor_23 = "Failed to run the locker thread" wide
|
||||
$debug_str_meteor_24 = "Screen saver disabled successfully." wide
|
||||
$debug_str_meteor_25 = "Generating random password failed" wide
|
||||
$debug_str_meteor_26 = "Locker installation failed" wide
|
||||
$debug_str_meteor_27 = "Failed to set auto logon." wide
|
||||
$debug_str_meteor_28 = "Failed to initialize interval logger. Using a dummy logger instead." wide
|
||||
$debug_str_meteor_29 = "Succeeded setting auto logon for" wide
|
||||
$debug_str_meteor_30 = "Failed disabling the first logon privacy settings user approval." wide
|
||||
$debug_str_meteor_31 = "Failed disabling the first logon animation." wide
|
||||
$debug_str_meteor_32 = "Waiting for new winlogon process" wide
|
||||
$debug_str_meteor_33 = "Failed to isolate from domain" wide
|
||||
$debug_str_meteor_34 = "Failed creating scheduled task for system with name %s." wide
|
||||
$debug_str_meteor_35 = "Failed to get the new token of winlogon." wide
|
||||
$debug_str_meteor_36 = "Failed adding new admin user." wide
|
||||
$debug_str_meteor_37 = "Failed changing settings for the created new user." wide
|
||||
$debug_str_meteor_38 = "Failed disabling recovery mode." wide
|
||||
$debug_str_meteor_39 = "Logging off users on Windows version 8 or above" wide
|
||||
$debug_str_meteor_40 = "Succeeded setting boot policy to ignore all errors." wide
|
||||
$debug_str_meteor_41 = "Succeeded creating scheduled task for system with name" wide
|
||||
$debug_str_meteor_42 = "Succeeded disabling recovery mode" wide
|
||||
$debug_str_meteor_43 = "Failed to log off all sessions" wide
|
||||
$debug_str_meteor_44 = "Failed to delete shadowcopies." wide
|
||||
$debug_str_meteor_45 = "Failed logging off session: " wide
|
||||
$debug_str_meteor_46 = "Failed setting boot policy to ignore all errors." wide
|
||||
$debug_str_meteor_47 = "Successfully logged off all local sessions, except winlogon." wide
|
||||
$debug_str_meteor_48 = "Succeeded creating scheduled task with name %s for user %s." wide
|
||||
$debug_str_meteor_49 = "Killing all winlogon processes" wide
|
||||
$debug_str_meteor_50 = "Logging off users in Windows 7" wide
|
||||
$debug_str_meteor_51 = "Failed logging off all local sessions, except winlogon." wide
|
||||
$debug_str_meteor_52 = "Failed creating scheduled task with name %s for user %s." wide
|
||||
$debug_str_meteor_53 = "Succeeded deleting shadowcopies." wide
|
||||
$debug_str_meteor_54 = "Logging off users in Windows XP" wide
|
||||
$debug_str_meteor_55 = "Failed changing settings for the created new user." wide
|
||||
$debug_str_meteor_56 = "Could not open file %s. error message: %s" wide
|
||||
$debug_str_meteor_57 = "Could not write to file %s. error message: %s" wide
|
||||
$debug_str_meteor_58 = "tCould not tell file pointer location on file %s." wide
|
||||
$debug_str_meteor_59 = "Could not set file pointer location on file %s to offset %s." wide
|
||||
$debug_str_meteor_60 = "Could not read from file %s. error message: %s" wide
|
||||
$debug_str_meteor_61 = "Failed to wipe file %s" wide
|
||||
$debug_str_meteor_62 = "attempted to access encrypted file in offset %s, but it only supports offset 0" wide
|
||||
$debug_str_meteor_63 = "Failed to create thread. Error message: %s" wide
|
||||
$debug_str_meteor_64 = "Failed to wipe file %s" wide
|
||||
$debug_str_meteor_65 = "failed to get configuration value with key %s" wide
|
||||
$debug_str_meteor_66 = "failed to parse the configuration from file %s" wide
|
||||
$debug_str_meteor_67 = "Failed posting to server, received unknown exception" wide
|
||||
$debug_str_meteor_68 = "Failed posting to server, received std::exception" wide
|
||||
$debug_str_meteor_69 = "Skipping %s logs. Writing log number %s:" wide
|
||||
$debug_str_meteor_70 = "Start interval logger. Writing logs with an interval of %s logs." wide
|
||||
$debug_str_meteor_71 = "failed to write message to log file %s" wide
|
||||
$debug_str_meteor_72 = "The log message is too big: %s/%s characters." wide
|
||||
$debug_str_stardust_0 = "Stardust has started." wide
|
||||
$debug_str_stardust_1 = "0Vy0qMGO" ascii wide
|
||||
$debug_str_comet_0 = "Comet has started." wide
|
||||
$debug_str_comet_1 = "Comet has finished." wide
|
||||
$str_lock_my_pc = "Lock My PC 4" ascii wide
|
||||
$config_entry_0 = "state_path" ascii
|
||||
$config_entry_1 = "state_encryption_key" ascii
|
||||
$config_entry_2 = "log_server_port" ascii
|
||||
$config_entry_3 = "log_file_path" ascii
|
||||
$config_entry_4 = "log_encryption_key" ascii
|
||||
$config_entry_5 = "log_server_ip" ascii
|
||||
$config_entry_6 = "processes_to_kill" ascii
|
||||
$config_entry_7 = "process_termination_timeout" ascii
|
||||
$config_entry_8 = "paths_to_wipe" ascii
|
||||
$config_entry_9 = "wiping_stage_logger_interval" ascii
|
||||
$config_entry_10 = "locker_exe_path" ascii
|
||||
$config_entry_11 = "locker_background_image_jpg_path" ascii
|
||||
$config_entry_12 = "auto_logon_path" ascii
|
||||
$config_entry_13 = "locker_installer_path" ascii
|
||||
$config_entry_14 = "locker_password_hash" ascii
|
||||
$config_entry_15 = "users_password" ascii
|
||||
$config_entry_16 = "locker_background_image_bmp_path" ascii
|
||||
$config_entry_17 = "locker_registry_settings_files" ascii
|
||||
$config_entry_18 = "cleanup_script_path" ascii
|
||||
$config_entry_19 = "is_alive_loop_interval" ascii
|
||||
$config_entry_20 = "cleanup_scheduled_task_name" ascii
|
||||
$config_entry_21 = "self_scheduled_task_name" ascii
|
||||
$encryption_asm = {33 D2 8B C3 F7 75 E8 8B 41 04 8B 4E 04 8A 04 02 02 C3 32 04 1F 88 45 F3 39 4E 08}
|
||||
$random_string_generation = {33 D2 59 F7 F1 83 ?? ?? 08 66 0F BE 82 ?? ?? ?? 00 0F B7 C8 8B C7}
|
||||
condition:
|
||||
uint16(0) == 0x5A4D and
|
||||
(
|
||||
6 of them or
|
||||
$encryption_asm or
|
||||
$random_string_generation
|
||||
)
|
||||
}
|
||||
rule ZZ_breakwin_stardust_vbs {
|
||||
meta:
|
||||
description = "Detect the VBS files that where found in the attacks on targets in Syria"
|
||||
reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
|
||||
author = "Check Point Research"
|
||||
date = "22-07-2021"
|
||||
hash = "38a419cd9456e40961c781e16ceee99d970be4e9235ccce0b316efe68aba3933"
|
||||
hash = "62a984981d14b562939294df9e479ac0d65dfc412d0449114ccb2a0bc93769b0"
|
||||
hash = "4d994b864d785abccef829d84f91d949562d0af934114b65056315bf59c1ef58"
|
||||
hash = "eb5237d56c0467b5def9a92e445e34eeed9af2fee28f3a2d2600363724d6f8b0"
|
||||
hash = "5553ba3dc141cd63878a7f9f0a0e67fb7e887010c0614efd97bbc6c0be9ec2ad"
|
||||
strings:
|
||||
$url_template = "progress.php?hn=\" & CN & \"&dt=\" & DT & \"&st="
|
||||
$compression_password_1 = "YWhZMFU1VlZGdGNFNWlhMVlVMnhTMWtOVlJVWWNGTk9iVTQxVW10V0ZFeFJUMD0r"
|
||||
$compression_password_2 = "YWlvcyBqQCNAciNxIGpmc2FkKnIoOUZURjlVSjBSRjJRSlJGODlKSDIzRmloIG8"
|
||||
$uninstall_kaspersky = "Shell.Run \"msiexec.exe /x \" & productcode & \" KLLOGIN="
|
||||
$is_avp_running = "isProcessRunning(\".\", \"avp.exe\") Then"
|
||||
condition:
|
||||
any of them
|
||||
}
|
||||
rule ZZ_breakwin_meteor_batch_files {
|
||||
meta:
|
||||
description = "Detect the batch files used in the attacks"
|
||||
reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
|
||||
author = "Check Point Research"
|
||||
date = "22-07-2021"
|
||||
strings:
|
||||
$filename_0 = "mscap.bmp"
|
||||
$filename_1 = "mscap.jpg"
|
||||
$filename_2 = "msconf.conf"
|
||||
$filename_3 = "msmachine.reg"
|
||||
$filename_4 = "mssetup.exe"
|
||||
$filename_5 = "msuser.reg"
|
||||
$filename_6 = "msapp.exe"
|
||||
$filename_7 = "bcd.rar"
|
||||
$filename_8 = "bcd.bat"
|
||||
$filename_9 = "msrun.bat"
|
||||
$command_line_0 = "powershell -Command \"%exclude_command% '%defender_exclusion_folder%"
|
||||
$command_line_1 = "start /b \"\" update.bat hackemall"
|
||||
condition:
|
||||
4 of ($filename_*) or
|
||||
any of ($command_line_*)
|
||||
}
|
|
@ -1,15 +0,0 @@
|
|||
import "pe"
|
||||
rule explosive_dll
|
||||
|
||||
{
|
||||
meta:
|
||||
author = "Check Point Software Technologies Inc."
|
||||
info = "Explosive DLL"
|
||||
reference = "https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf"
|
||||
|
||||
|
||||
condition:
|
||||
pe.DLL
|
||||
and ( pe.exports("PathProcess") or pe.exports("_PathProcess@4") ) and
|
||||
pe.exports("CON")
|
||||
}
|
|
@ -1,15 +0,0 @@
|
|||
rule explosive_exe
|
||||
{
|
||||
meta:
|
||||
author = "Check Point Software Technologies Inc."
|
||||
info = "Explosive EXE"
|
||||
reference = "https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf"
|
||||
|
||||
strings:
|
||||
$MZ = "MZ"
|
||||
$DLD_S = "DLD-S:"
|
||||
$DLD_E = "DLD-E:"
|
||||
|
||||
condition:
|
||||
$MZ at 0 and all of them
|
||||
}
|
|
@ -1,11 +0,0 @@
|
|||
rule goziv3: trojan {
|
||||
meta:
|
||||
module = "goziv3"
|
||||
reference = "https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/"
|
||||
strings:
|
||||
$dec_bss = {D3 C0 83 F3 01 89 02 83 C2 04 FF 4C 24 0C}
|
||||
$gen_serpent = {33 44 24 04 33 44 24 08 C2 08 00}
|
||||
condition:
|
||||
($dec_bss and $gen_serpent) and (uint16(0) == 0x5A4D or uint16(0) == 0x5850 )
|
||||
}
|
||||
|
|
@ -1,58 +0,0 @@
|
|||
rule injector_ZZ_dotRunpeX {
|
||||
meta:
|
||||
description = "Detects new version of dotRunpeX - configurable .NET injector"
|
||||
author = "Jiri Vinopal (jiriv)"
|
||||
date = "2022-10-30"
|
||||
hash1 = "373a86e36f7e808a1db263b4b49d2428df4a13686da7d77edba7a6dd63790232" // injects Formbook
|
||||
hash2 = "41ea8f9a9f2a7aeb086dedf8e5855b0409f31e7793cbba615ca0498e47a72636" // injects Formbook
|
||||
hash3 = "5e3588e8ddebd61c2bd6dab4b87f601bd6a4857b33eb281cb5059c29cfe62b80" // injects AsyncRat
|
||||
hash4 = "8c451b84d9579b625a7821ad7ddcb87bdd665a9e6619eaecf6ab93cd190cf504" // injects Remcos
|
||||
hash5 = "8fa81f6341b342afa40b7dc76dd6e0a1874583d12ea04acf839251cb5ca61591" // injects Formbook
|
||||
hash6 = "cd4c821e329ec1f7bfe7ecd39a6020867348b722e8c84a05c7eb32f8d5a2f4db" // injects AgentTesla
|
||||
hash7 = "fa8a67642514b69731c2ce6d9e980e2a9c9e409b3947f2c9909d81f6eac81452" // injects AsyncRat
|
||||
hash8 = "eb2e2ac0f5f51d90fe90b63c3c385af155b2fee30bc3dc6309776b90c21320f5" // injects SnakeKeylogger
|
||||
report = "https://research.checkpoint.com/2023/dotrunpex-demystifying-new-virtualized-net-injector-used-in-the-wild/"
|
||||
strings:
|
||||
// Used ImplMap imports (PInvoke)
|
||||
$implmap1 = "VirtualAllocEx"
|
||||
$implmap2 = "CreateProcess"
|
||||
$implmap3 = "CreateRemoteThread"
|
||||
$implmap4 = "Wow64SetThreadContext"
|
||||
$implmap5 = "Wow64GetThreadContext"
|
||||
$implmap6 = "NtResumeThread"
|
||||
$implmap7 = "ZwUnmapViewOfSection"
|
||||
$implmap8 = "NtWriteVirtualMemory"
|
||||
$implmap9 = "MessageBox" // ImplMap not presented in all samples - maybe different versions?
|
||||
$implmap10 = "Wow64DisableWow64FsRedirection"
|
||||
$implmap11 = "Wow64RevertWow64FsRedirection"
|
||||
$implmap12 = "CreateFile"
|
||||
$implmap13 = "RtlInitUnicodeString"
|
||||
$implmap14 = "NtLoadDriver"
|
||||
$implmap15 = "NtUnloadDriver"
|
||||
$implmap16 = "OpenProcessToken"
|
||||
$implmap17 = "LookupPrivilegeValue"
|
||||
$implmap18 = "AdjustTokenPrivileges"
|
||||
$implmap19 = "CloseHandle"
|
||||
$implmap20 = "NtQuerySystemInformation"
|
||||
$implmap21 = "DeviceIoControl"
|
||||
$implmap22 = "GetProcessHeap"
|
||||
$implmap23 = "HeapFree"
|
||||
$implmap24 = "HeapAlloc"
|
||||
$implmap25 = "GetProcAddress"
|
||||
$implmap26 = "CopyMemory" // ImplMap added by KoiVM Protector used by this injector
|
||||
$modulerefKernel1 = "Kernel32"
|
||||
$modulerefKernel2 = "kernel32"
|
||||
$modulerefNtdll1 = "Ntdll"
|
||||
$modulerefNtdll2 = "ntdll"
|
||||
$modulerefAdvapi1 = "Advapi32"
|
||||
$modulerefAdvapi2 = "advapi32"
|
||||
|
||||
$regPath = "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\TaskKill" wide // Registry path for installing Sysinternals Procexp driver
|
||||
$rsrcName = "BIDEN_HARRIS_PERFECT_ASSHOLE" wide
|
||||
$koiVM1 = "KoiVM"
|
||||
$koiVM2 = "#Koi"
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550 and ($regPath or $rsrcName or 1 of ($koiVM*)) and
|
||||
24 of ($implmap*) and 1 of ($modulerefKernel*) and 1 of ($modulerefNtdll*) and 1 of ($modulerefAdvapi*)
|
||||
|
||||
}
|
|
@ -1,45 +0,0 @@
|
|||
rule injector_ZZ_dotRunpeX_oldnew {
|
||||
meta:
|
||||
description = "Detects new and old version of dotRunpeX - configurable .NET injector"
|
||||
author = "Jiri Vinopal (jiriv)"
|
||||
date = "2022-10-30"
|
||||
hash1_New = "373a86e36f7e808a1db263b4b49d2428df4a13686da7d77edba7a6dd63790232" // injects Formbook
|
||||
hash2_New = "41ea8f9a9f2a7aeb086dedf8e5855b0409f31e7793cbba615ca0498e47a72636" // injects Formbook
|
||||
hash3_New = "5e3588e8ddebd61c2bd6dab4b87f601bd6a4857b33eb281cb5059c29cfe62b80" // injects AsyncRat
|
||||
hash4_New = "8c451b84d9579b625a7821ad7ddcb87bdd665a9e6619eaecf6ab93cd190cf504" // injects Remcos
|
||||
hash5_New = "8fa81f6341b342afa40b7dc76dd6e0a1874583d12ea04acf839251cb5ca61591" // injects Formbook
|
||||
hash6_New = "cd4c821e329ec1f7bfe7ecd39a6020867348b722e8c84a05c7eb32f8d5a2f4db" // injects AgentTesla
|
||||
hash7_New = "fa8a67642514b69731c2ce6d9e980e2a9c9e409b3947f2c9909d81f6eac81452" // injects AsyncRat
|
||||
hash8_New = "eb2e2ac0f5f51d90fe90b63c3c385af155b2fee30bc3dc6309776b90c21320f5" // injects SnakeKeylogger
|
||||
hash1_Old = "1e7614f757d40a2f5e2f4bd5597d04878768a9c01aa5f9f23d6c87660f7f0fbc" // injects Lokibot
|
||||
hash2_Old = "317e6817bba0f54e1547dd9acf24ee17a4cda1b97328cc69dc1ec16e11c258fc" // injects Redline
|
||||
hash3_Old = "65cac67ed2a084beff373d6aba6f914b8cba0caceda254a857def1df12f5154b" // injects SnakeKeylogger
|
||||
hash4_Old = "68ae2ee5ed7e793c1a49cbf1b0dd7f5a3de9cb783b51b0953880994a79037326" // injects Lokibot
|
||||
hash5_Old = "81763d8e3b42d07d76b0a74eda4e759981971635d62072c8da91251fc849b91e" // injects SnakeKeylogger
|
||||
report = "https://research.checkpoint.com/2023/dotrunpex-demystifying-new-virtualized-net-injector-used-in-the-wild/"
|
||||
strings:
|
||||
// Used ImplMap imports (PInvoke)
|
||||
$implmap1 = "VirtualAllocEx"
|
||||
$implmap2 = "CreateProcess"
|
||||
$implmap3 = "CreateRemoteThread"
|
||||
$implmap4 = "Wow64SetThreadContext"
|
||||
$implmap5 = "Wow64GetThreadContext"
|
||||
$implmap6 = "RtlInitUnicodeString"
|
||||
$implmap7 = "NtLoadDriver"
|
||||
$implmap8 = "LoadLibrary"
|
||||
$implmap9 = "VirtualProtect"
|
||||
$implmap10 = "AdjustTokenPrivileges"
|
||||
$implmap11 = "GetProcAddress"
|
||||
$modulerefKernel1 = "Kernel32"
|
||||
$modulerefKernel2 = "kernel32"
|
||||
$modulerefNtdll1 = "Ntdll"
|
||||
$modulerefNtdll2 = "ntdll"
|
||||
|
||||
$regPath = "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\TaskKill" wide // Registry path for installing Sysinternals Procexp driver
|
||||
$rsrcName = "BIDEN_HARRIS_PERFECT_ASSHOLE" wide
|
||||
$koiVM1 = "KoiVM"
|
||||
$koiVM2 = "#Koi"
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550 and ($regPath or $rsrcName or 1 of ($koiVM*)) and
|
||||
9 of ($implmap*) and 1 of ($modulerefKernel*) and 1 of ($modulerefNtdll*)
|
||||
}
|
|
@ -1,29 +0,0 @@
|
|||
rule lyceum_dotnet_dns_backdoor
|
||||
{
|
||||
meta:
|
||||
author = "CPR"
|
||||
reference = "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/"
|
||||
hash1 = "8199f14502e80581000bd5b3bda250ee"
|
||||
hash2 = "d79687676d2d152aec4143c852bdbc4a"
|
||||
hash3 = "bcb465cc2257e5777bab431690ca5039"
|
||||
hash4 = "2bc2abefc1a721908bc805894b62227d"
|
||||
hash5 = "37a1514a7a5f9b2c6786096129a30721"
|
||||
strings:
|
||||
$log1 = "MSG SIZE rcvd" wide
|
||||
$log2 = "Empty output" wide
|
||||
$log3 = "Big Output. lines: " wide
|
||||
$com1 = "Enddd" wide
|
||||
$com2 = "uploaddd" wide
|
||||
$com3 = "downloaddd" wide
|
||||
$dga = "trailers.apple.com" wide
|
||||
$replace1 = "BackSlashh" wide
|
||||
$replace2 = "QuotationMarkk" wide
|
||||
$re_pattern = "60\\s+IN\\s+TXT" wide
|
||||
$func1 = "comRun"
|
||||
$func2 = "PlaceDot"
|
||||
$func3 = "sendAns"
|
||||
$heijden1 = "Heijden.DNS"
|
||||
$heijden2 = "DnsHeijden"
|
||||
condition:
|
||||
uint16(0)==0x5a4d and (all of ($log*) or all of ($com*) or all of ($replace*) or all of ($func*) or (any of ($heijden*) and $re_pattern and $dga))
|
||||
}
|
|
@ -1,52 +0,0 @@
|
|||
rule lyceum_dotnet_http_backdoor
|
||||
{
|
||||
meta:
|
||||
author = "CPR"
|
||||
reference = "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/"
|
||||
hash1 = "1c444ebeba24dcba8628b7dfe5fec7c6"
|
||||
hash2 = "85ca334f87667bd7fa0c47ae6149353e"
|
||||
hash3 = "73bddd5f1a0847ae5f5d55e7d9c177f6"
|
||||
hash4 = "9fb86915db1b7c00f1a4587de4e052de"
|
||||
hash5 = "37fe608983d4b06a5549247f0e16bc11"
|
||||
hash6 = "5916e5189ef0050dfcc3cc19382d08d5"
|
||||
strings:
|
||||
$class1 = "Funcss"
|
||||
$class2 = "Constantss"
|
||||
$class3 = "Reqss"
|
||||
$class4 = "Screenss"
|
||||
$class5 = "Shll"
|
||||
$class6 = "test_A1"
|
||||
$class7 = "Uploadss"
|
||||
$class8 = "WebDL"
|
||||
$cnc_uri1 = "/upload" wide
|
||||
$cnc_uri2 = "/screenshot" wide
|
||||
$cnc_pattern_hex1 = {43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 7b 30 7d 22 0d 0a 0d 0a}
|
||||
$cnc_pattern_hex2 = {6d 75 6c 74 69 70 61 72 74 2f 66 6f 72 6d 2d 64 61 74 61 3b 20 62 6f 75 6e 64 61 72 79 3d 7b 30 7d}
|
||||
$cnc_pattern_hex3 = {43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 7b 30 7d 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 7b 31 7d 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 7b 32 7d 0d 0a 0d 0a}
|
||||
$constant1 = "FILE_DIR_SEPARATOR"
|
||||
$constant2 = "APPS_PARAMS_SEPARATOR"
|
||||
$constant3 = "TYPE_SENDTOKEN"
|
||||
$constant4 = "TYPE_DATA1"
|
||||
$constant5 = "TYPE_SEND_RESPONSE_IN_SOCKET"
|
||||
$constant6 = "TYPE_FILES_LIST"
|
||||
$constant7 = "TYPE_FILES_DELETE"
|
||||
$constant8 = "TYPE_FILES_RUN"
|
||||
$constant9 = "TYPE_FILES_UPLOAD_TO_SERVER"
|
||||
$constant10 = "TYPE_FILES_DELETE_FOLDER"
|
||||
$constant11 = "TYPE_FILES_CREATE_FOLDER"
|
||||
$constant12 = "TYPE_FILES_DOWNLOAD_URL"
|
||||
$constant13 = "TYPE_OPEN_CMD"
|
||||
$constant14 = "TYPE_CMD_RES"
|
||||
$constant15 = "TYPE_CLOSE_CMD"
|
||||
$constant16 = "TYPE_CMD_REQ"
|
||||
$constant17 = "TYPE_INSTALLED_APPS"
|
||||
$constant18 = "TYPE_SCREENSHOT"
|
||||
$constant19 = "_RG_APP_NAME_"
|
||||
$constant20 = "_RG_APP_VERSION_"
|
||||
$constant21 = "_RG_APP_DATE_"
|
||||
$constant22 = "_RG_APP_PUB_"
|
||||
$constant23 = "_RG_APP_SEP_"
|
||||
$constant24 = "_SC_EXT_"
|
||||
condition:
|
||||
uint16(0)==0x5a4d and (4 of ($class*) or 4 of ($cnc_*) or 4 of ($constant*))
|
||||
}
|
|
@ -1,37 +0,0 @@
|
|||
rule lyceum_golang_backdoor
|
||||
{
|
||||
meta:
|
||||
author = "CPR"
|
||||
reference = "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/"
|
||||
hash1 = "a437f997d45bc14e76d0f2482f572a34"
|
||||
hash2 = "23d174e6a0905fd59b2613d5ac106261"
|
||||
hash3 = "bcb465cc2257e5777bab431690ca5039"
|
||||
strings:
|
||||
$func1 = "main.Ase256"
|
||||
$func2 = "main.DecryptAse256"
|
||||
$func3 = "main.IsServerUp"
|
||||
$func4 = "main.register"
|
||||
$func5 = "main.commandforrun"
|
||||
$func6 = "main.UPLOAD"
|
||||
$func7 = "main.commandforanswer"
|
||||
$func8 = "main.GetMD5Hash"
|
||||
$func9 = "main.get_uid"
|
||||
$func10 = "main.commandrun"
|
||||
$func11 = "main.download"
|
||||
$func12 = "main.postFile"
|
||||
$func13 = "main.sendAns"
|
||||
$func14 = "main.comRun"
|
||||
$cnc_uri1 = "/GO/1.php"
|
||||
$cnc_uri2 = "/GO/2.php"
|
||||
$cnc_uri3 = "/GO/3.php"
|
||||
$auth_token = "auth_token=\"XXXXXXX\""
|
||||
$log1 = "client registred"
|
||||
$log2 = "no command"
|
||||
$log3 = "can not create file"
|
||||
$log4 = "errorGettingUserName"
|
||||
$log5 = "New record created successfully"
|
||||
$log6 = "SERVER_IS_DOWN"
|
||||
$dga = "trailers.apple.com."
|
||||
condition:
|
||||
uint16(0)==0x5a4d and ((10 of ($func*) or any of ($cnc_uri*) or $auth_token or 3 of ($log*)) or ($dga and 4 of them))
|
||||
}
|
|
@ -1,31 +0,0 @@
|
|||
rule malware_bumblebee_packed {
|
||||
meta:
|
||||
author = "Marc Salinas @ CheckPoint Research"
|
||||
malware_family = "BumbleBee"
|
||||
date = "13/07/2022"
|
||||
description = "Detects the packer used by bumblebee, the rule is based on the code responsible for allocating memory for a critical structure in its logic."
|
||||
dll_jul = "6bc2ab410376c1587717b2293f2f3ce47cb341f4c527a729da28ce00adaaa8db"
|
||||
dll_jun = "82aab01a3776e83695437f63dacda88a7e382af65af4af1306b5dbddbf34f9eb"
|
||||
dll_may = "a5bcb48c0d29fbe956236107b074e66ffc61900bc5abfb127087bb1f4928615c"
|
||||
iso_jul = "ca9da17b4b24bb5b24cc4274cc7040525092dffdaa5922f4a381e5e21ebf33aa"
|
||||
iso_jun = "13c573cad2740d61e676440657b09033a5bec1e96aa1f404eed62ba819858d78"
|
||||
iso_may = "b2c28cdc4468f65e6fe2f5ef3691fa682057ed51c4347ad6b9672a9e19b5565e"
|
||||
zip_jun = "7024ec02c9670d02462764dcf99b9a66b29907eae5462edb7ae974fe2efeebad"
|
||||
zip_may = "68ac44d1a9d77c25a97d2c443435459d757136f0d447bfe79027f7ef23a89fce"
|
||||
report = "https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/"
|
||||
strings:
|
||||
$heapalloc = {
|
||||
48 8? EC [1-6] // sub rsp, 80h
|
||||
FF 15 ?? ?? 0? 00 [0-5] // call cs:GetProcessHeap
|
||||
33 D2 // xor edx, edx ; dwFlags
|
||||
4? [2-5] // mov rcx, rax ; hHeap
|
||||
4? ?? ?? // mov r8d, ebx ; dwBytes
|
||||
FF 15 ?? ?? 0? 00 // call cs:HeapAlloc
|
||||
[8 - 11] // (load params)
|
||||
48 89 05 ?? ?? ?? 00 // mov cs:HeapBufferPtr, rax
|
||||
E8 ?? ?? ?? ?? // call memset
|
||||
4? 8B ?? ?? ?? ?? 00 // mov r14, cs:HeapBufferPtr
|
||||
}
|
||||
condition:
|
||||
$heapalloc
|
||||
}
|
|
@ -1,32 +0,0 @@
|
|||
rule apt_nazar_component_guids
|
||||
{
|
||||
meta:
|
||||
description = "Detect Nazar Components by COM Objects' GUID"
|
||||
author = "Itay Cohen"
|
||||
date = "2020-04-27"
|
||||
reference = "<https://www.epicturla.com/blog/the-lost-nazar>"
|
||||
reference2 = "https://research.checkpoint.com/2020/nazar-spirits-of-the-past/"
|
||||
hash = "1110c3e34b6bbaadc5082fabbdd69f492f3b1480724b879a3df0035ff487fd6f"
|
||||
hash = "1afe00b54856628d760b711534779da16c69f542ddc1bb835816aa92ed556390"
|
||||
hash = "2caedd0b2ea45761332a530327f74ca5b1a71301270d1e2e670b7fa34b6f338e"
|
||||
hash = "2fe9b76496a9480273357b6d35c012809bfa3ae8976813a7f5f4959402e3fbb6"
|
||||
hash = "460eba344823766fe7c8f13b647b4d5d979ce4041dd5cb4a6d538783d96b2ef8"
|
||||
hash = "4d0ab3951df93589a874192569cac88f7107f595600e274f52e2b75f68593bca"
|
||||
hash = "75e4d73252c753cd8e177820eb261cd72fecd7360cc8ec3feeab7bd129c01ff6"
|
||||
hash = "8fb9a22b20a338d90c7ceb9424d079a61ca7ccb7f78ffb7d74d2f403ae9fbeec"
|
||||
hash = "967ac245e8429e3b725463a5c4c42fbdf98385ee6f25254e48b9492df21f2d0b"
|
||||
hash = "be624acab7dfe6282bbb32b41b10a98b6189ab3a8d9520e7447214a7e5c27728"
|
||||
hash = "d34a996826ea5a028f5b4713c797247913f036ca0063cc4c18d8b04736fa0b65"
|
||||
hash = "d9801b4da1dbc5264e83029abb93e800d3c9971c650ecc2df5f85bcc10c7bd61"
|
||||
hash = "eb705459c2b37fba5747c73ce4870497aa1d4de22c97aaea4af38cdc899b51d3"
|
||||
strings:
|
||||
$guid1_godown = { 98 B3 E5 F6 DF E3 6B 49 A2 AD C2 0F EA 30 DB FE } // Godown.dll IID
|
||||
$guid2_godown = { 31 4B CB DB B8 21 0F 4A BC 69 0C 3C E3 B6 6D 00 } // Godown.dll CLSID
|
||||
$guid3_godown = { AF 94 4E B6 6B D5 B4 48 B1 78 AF 07 23 E7 2A B5 } // probably Godown
|
||||
$guid4_filesystem = { 79 27 AB 37 34 F2 9D 4D B3 FB 59 A3 FA CB 8D 60 } // Filesystem.dll CLSID
|
||||
$guid6_filesystem = { 2D A1 2B 77 62 8A D3 4D B3 E8 92 DA 70 2E 6F 3D } // Filesystem.dll TypeLib IID
|
||||
$guid5_filesystem = { AB D3 13 CF 1C 6A E8 4A A3 74 DE D5 15 5D 6A 88 } // Filesystem.dll
|
||||
|
||||
condition:
|
||||
any of them
|
||||
}
|
|
@ -1,16 +0,0 @@
|
|||
rule qbot_vbs
|
||||
{
|
||||
meta:
|
||||
description = "Catches QBot VBS files"
|
||||
reference = "https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/"
|
||||
author = "Alex Ilgayev"
|
||||
date = "2020-06-07"
|
||||
strings:
|
||||
$s3 = "ms.Send"
|
||||
$s4 = "for i=1 to 6"
|
||||
$s5 = "if ms.readyState = 4 Then"
|
||||
$s6 = "if len(ms.responseBody) <> 0 then"
|
||||
$s7 = /if left\(ms.responseText, \w*?\) = \"MZ\" then/
|
||||
condition:
|
||||
filesize > 20MB and $s3 and $s4 and $s5 and $s6 and $s7
|
||||
}
|
|
@ -1,18 +0,0 @@
|
|||
import "pe"
|
||||
|
||||
rule ransomware_ZZ_azov_wiper {
|
||||
meta:
|
||||
description = "Detects original and backdoored files with new and old versions of azov ransomware - polymorphic wiper"
|
||||
author = "Jiri Vinopal (jiriv)"
|
||||
date = "2022-11-14"
|
||||
hash_azov_new = "650f0d694c0928d88aeeed649cf629fc8a7bec604563bca716b1688227e0cc7e"
|
||||
hash_azov_old = "b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801"
|
||||
report = "https://research.checkpoint.com/2022/pulling-the-curtains-on-azov-ransomware-not-a-skidsware-but-polymorphic-wiper/"
|
||||
strings:
|
||||
// Opcodes of allocating and decrypting shellcode routine
|
||||
$unpacking_azov_new = { 48 83 ec ?? 58 48 01 c8 48 81 ec ?? ?? ?? ?? 48 83 ec ?? 40 80 e4 ?? c6 45 ?? 56 c6 45 ?? 69 c6 45 ?? 72 c6 45 ?? 74 c6 45 ?? 75 c6 45 ?? 61 c6 45 ?? 6c c6 45 ?? 41 c6 45 ?? 6c c6 45 ?? 6c c6 45 ?? 6f c6 45 ?? 63 c6 45 ?? 00 48 89 74 24 ?? 48 83 ec ?? 48 83 c4 ?? 48 8b 4c 24 ?? 48 8d 55 ?? ff d0 48 83 ec ?? 48 c7 04 24 ?? ?? ?? ?? 48 83 c4 ?? 48 8b 4c 24 ?? 48 c7 c2 ?? ?? ?? ?? 49 c7 c0 ?? ?? ?? ?? 49 c7 c1 ?? ?? ?? ?? ff d0 48 c7 c1 ?? ?? ?? ?? 4c 8d 0d ?? ?? ?? ?? 48 ff c9 41 8a 14 09 88 14 08 48 85 c9 75 ?? 48 c7 c1 ?? ?? ?? ?? 41 b9 ?? ?? ?? ?? 41 ba ?? ?? ?? ?? 48 ff c9 8a 14 08 44 30 ca 88 14 08 41 81 ea ?? ?? ?? ?? 45 01 d1 41 81 c1 ?? ?? ?? ?? 41 81 c2 ?? ?? ?? ?? 41 d1 c1 48 85 c9 }
|
||||
$unpacking_azov_old = { 48 01 c8 48 05 ?? ?? ?? ?? 48 81 c1 ?? ?? ?? ?? 48 81 ec ?? ?? ?? ?? 48 83 ec ?? 40 80 e4 ?? c6 45 ?? 56 c6 45 ?? 69 c6 45 ?? 72 c6 45 ?? 74 c6 45 ?? 75 c6 45 ?? 61 c6 45 ?? 6c c6 45 ?? 41 c6 45 ?? 6c c6 45 ?? 6c c6 45 ?? 6f c6 45 ?? 63 c6 45 ?? 00 48 83 e1 ?? 48 01 f1 48 8d 55 ?? ff d0 48 83 ec ?? 48 c7 04 24 ?? ?? ?? ?? 48 83 c4 ?? 48 8b 4c 24 ?? 48 c7 c2 ?? ?? ?? ?? 49 c7 c0 ?? ?? ?? ?? 49 c7 c1 ?? ?? ?? ?? ff d0 48 c7 c1 ?? ?? ?? ?? 4c 8d 0d ?? ?? ?? ?? 48 ff c9 41 8a 14 09 88 14 08 48 85 c9 }
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and pe.is_64bit() and
|
||||
any of ($unpacking_azov_*)
|
||||
}
|
|
@ -1,22 +0,0 @@
|
|||
rule installmonstr {
|
||||
meta:
|
||||
description = "adware, trojan, riskware"
|
||||
author = "Monty St John"
|
||||
company = "Cyberdefenses, inc."
|
||||
date = "2017/01/25"
|
||||
hash1 = "000be3b9991eaf28b3794d96ce08e883"
|
||||
hash2 = "1c21a4b1151921398b2c2fe9ea9892f8"
|
||||
hash3 = "be6eb42ea9e789d2a4425f61155f4664"
|
||||
hash4 = "001dd4fdd6973f4e6cb9d11bd9ba7eb3"
|
||||
|
||||
strings:
|
||||
$a = "<META HTTP-EQUIV=\"Refresh\" CONTENT=\"0; URL=%0:s\">"
|
||||
$b = "%s<input type=\"hidden\" name=\"%s\" value=\"%s\">%s"
|
||||
$c = "GoIdHTTPWork"
|
||||
$d = "sslvSSLv2sslvSSLv23sslvSSLv3sslvTLSv1"
|
||||
$e = "sslvSSLv23 sslvSSLv3 sslvTLSv1"
|
||||
$f = "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH"
|
||||
|
||||
condition:
|
||||
5 of them
|
||||
}
|
|
@ -1,15 +0,0 @@
|
|||
rule php_shell_U34 {
|
||||
meta:
|
||||
description = "Web Shell - file ans.php"
|
||||
author = "Monty St John"
|
||||
company = "Cyberdefenses, inc."
|
||||
date = "2017/01/25"
|
||||
hash = "5be3b1bc76677a70553a66575f289a0a"
|
||||
strings:
|
||||
$a = "'\".((strpos(@$_POST['"
|
||||
$b = "'],\"\\n\")!==false)?'':htmlspecialchars(@$_POST['"
|
||||
$c = "'],ENT_QUOTES)).\"';"
|
||||
$d = "posix_getpwuid"
|
||||
condition:
|
||||
all of them
|
||||
}
|
|
@ -1,16 +0,0 @@
|
|||
rule wirenet_dropper
|
||||
{
|
||||
meta:
|
||||
description = "Wirenet backdoor dropper Invoice_SKMBT_20170601.doc"
|
||||
author = "Chris Rogers"
|
||||
company = "Cyberdefenses, inc."
|
||||
date = "2017/07/11"
|
||||
hash = "954d7c15577f118171cc8adcc9f9ac94"
|
||||
strings:
|
||||
$a = "C:\Users\user\Desktop\JAVA\docinvoice.exe"
|
||||
$b = "C:\Users\user\AppData\Local\Temp\docinvoice.exe"
|
||||
$c = "ZTUWVSPRTj"
|
||||
$d = "IE(AL("%s",4),"AL(\"%0:s\",3)""
|
||||
condition:
|
||||
all of them
|
||||
}
|
|
@ -1,34 +0,0 @@
|
|||
rule AlienSpy {
|
||||
meta:
|
||||
description = "AlienSpy"
|
||||
author = "Fidelis Cybersecurity"
|
||||
reference = "Fidelis Threat Advisory #1015 - Ratting on AlienSpy - Apr 08, 2015"
|
||||
|
||||
strings:
|
||||
$sa_1 = "META-INF/MANIFEST.MF"
|
||||
$sa_2 = "Main.classPK"
|
||||
$sa_3 = "plugins/Server.classPK"
|
||||
$sa_4 = "IDPK"
|
||||
|
||||
$sb_1 = "config.iniPK"
|
||||
$sb_2 = "password.iniPK"
|
||||
$sb_3 = "plugins/Server.classPK"
|
||||
$sb_4 = "LoadStub.classPK"
|
||||
$sb_5 = "LoadStubDecrypted.classPK"
|
||||
$sb_7 = "LoadPassword.classPK"
|
||||
$sb_8 = "DecryptStub.classPK"
|
||||
$sb_9 = "ClassLoaders.classPK"
|
||||
|
||||
$sc_1 = "config.xml"
|
||||
$sc_2 = "options"
|
||||
$sc_3 = "plugins"
|
||||
$sc_4 = "util"
|
||||
$sc_5 = "util/OSHelper"
|
||||
$sc_6 = "Start.class"
|
||||
$sc_7 = "AlienSpy"
|
||||
$sc_8 = "PK"
|
||||
|
||||
condition:
|
||||
(all of ($sa_*)) or (all of ($sb_*)) or (all of ($sc_*))
|
||||
|
||||
}
|
|
@ -1,18 +0,0 @@
|
|||
rule DarkComet
|
||||
{
|
||||
meta:
|
||||
description = "DarkComet RAT"
|
||||
author = "Fidelis Cybersecurity"
|
||||
reference = "Fidelis Threat Advisory #1018 - Looking at the Sky for a DarkComet - August 4, 2015"
|
||||
date = "2015-07-22"
|
||||
|
||||
strings:
|
||||
$s1 = "#KCMDDC"
|
||||
$s2 = "DCDATA"
|
||||
$s3 = "#BOT#CloseServer"
|
||||
$s4 = "#BOT#SvrUninstall"
|
||||
$s5 = "#BOT#URLDownload"
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and filesize < 50MB and all of ($s*)
|
||||
}
|
||||
|
|
@ -1,12 +0,0 @@
|
|||
rule DarkCometDownloader {
|
||||
meta:
|
||||
description = "DarkComet RAT Downloader"
|
||||
author = "Fidelis Cybersecurity"
|
||||
reference = "Fidelis Threat Advisory #1018 - Looking at the Sky for a DarkComet - August 4, 2015"
|
||||
date = "2015-07-22"
|
||||
|
||||
strings:
|
||||
$s1 = {6A00FF15F0304000A30D1040006A0A68261040006A00FF15F4304000A311104000FF 35111040006A00FF15F8304000A315104000FF35111040006A00FF15FC304000A3191 04000FF3515104000FF1500314000A31D104000FF3519104000FF351D104000682C11 4000FF1508314000FF3515104000FF150C31400031C0682C104000682C104000FF151 43140006805104000682C104000FF1510314000682C104000FF15183140006A006A00 682C104000682C1140006A00FF15803040006A056A006A00682C10400068001040006 A00FF15A83040006A00FF1504314000}
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and filesize < 10KB and all of them
|
||||
}
|
|
@ -1,44 +0,0 @@
|
|||
rule apt_all_JavaScript_ScanboxFramework_obfuscated
|
||||
|
||||
{
|
||||
meta:
|
||||
author = "Fidelis Security"
|
||||
reference = "https://www.fidelissecurity.com/TradeSecret"
|
||||
|
||||
strings:
|
||||
|
||||
$sa1 = /(var|new|return)\s[_\$]+\s?/
|
||||
|
||||
$sa2 = "function"
|
||||
|
||||
$sa3 = "toString"
|
||||
|
||||
$sa4 = "toUpperCase"
|
||||
|
||||
$sa5 = "arguments.length"
|
||||
|
||||
$sa6 = "return"
|
||||
|
||||
$sa7 = "while"
|
||||
|
||||
$sa8 = "unescape("
|
||||
|
||||
$sa9 = "365*10*24*60*60*1000"
|
||||
|
||||
$sa10 = ">> 2"
|
||||
|
||||
$sa11 = "& 3) << 4"
|
||||
|
||||
$sa12 = "& 15) << 2"
|
||||
|
||||
$sa13 = ">> 6) | 192"
|
||||
|
||||
$sa14 = "& 63) | 128"
|
||||
|
||||
$sa15 = ">> 12) | 224"
|
||||
|
||||
condition:
|
||||
|
||||
all of them
|
||||
|
||||
}
|
|
@ -1,20 +0,0 @@
|
|||
rule Ursnif_report_variant_memory
|
||||
{
|
||||
meta:
|
||||
description = "Ursnif"
|
||||
author = "Fidelis Cybersecurity"
|
||||
reference = "New Ursnif Variant Targeting Italy and U.S - June 7, 2016"
|
||||
|
||||
strings:
|
||||
$isfb1 = "/data.php?version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s"
|
||||
$isfb2 = "client.dll"
|
||||
$ursnif1 = "soft=1&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x"
|
||||
$a1 = "grabs="
|
||||
$a2 = "HIDDEN"
|
||||
$ursnif2 = "/images/"
|
||||
$randvar = "%s=%s&"
|
||||
$specialchar = "%c%02X" nocase
|
||||
$serpent_setkey = {8b 70 ec 33 70 f8 33 70 08 33 30 33 f1 81 f6 b9 79 37 9e c1 c6 0b 89 70 08 41 81 f9 84 [0-3] 72 db}
|
||||
condition:
|
||||
7 of them
|
||||
}
|
|
@ -1,12 +0,0 @@
|
|||
rule XenonCrypter
|
||||
{
|
||||
meta:
|
||||
author = "jason reaves"
|
||||
author2 = "Fidelis Cybersecurity"
|
||||
description = "Xenon Crypter"
|
||||
strings:
|
||||
$b1 = "Xenon2FF\\Bin\\StubNew.pdb” nocase
|
||||
$b2 = “XenonNew\\Bin\\StubNew.pdb” nocase
|
||||
condition:
|
||||
any of ($b*)
|
||||
}
|
|
@ -1,13 +0,0 @@
|
|||
rule apt_nix_elf_Derusbi_Linux_SharedMemCreation
|
||||
{
|
||||
meta:
|
||||
author = "Fidelis Cybersecurity"
|
||||
reference = "https://www.fidelissecurity.com/resources/turbo-campaign-featuring-derusbi-64-bit-linux"
|
||||
strings:
|
||||
$byte1 = { B6 03 00 00 ?? 40 00 00 00 ?? 0D 5F 01 82 }
|
||||
condition:
|
||||
(uint32(0) == 0x464C457F) and (any of them)
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -1,28 +0,0 @@
|
|||
rule apt_nix_elf_Derusbi_Linux_Strings
|
||||
{
|
||||
meta:
|
||||
author = "Fidelis Cybersecurity"
|
||||
reference = "https://www.fidelissecurity.com/resources/turbo-campaign-featuring-derusbi-64-bit-linux"
|
||||
strings:
|
||||
$a1 = "loadso" wide ascii fullword
|
||||
$a2 = "\nuname -a\n\n" wide ascii
|
||||
$a3 = "/dev/shm/.x11.id" wide ascii
|
||||
$a4 = "LxMain64" wide ascii nocase
|
||||
$a5 = "# \\u@\\h:\\w \\$ " wide ascii
|
||||
$b1 = "0123456789abcdefghijklmnopqrstuvwxyz" wide
|
||||
$b2 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ" wide
|
||||
$b3 = "ret %d" wide fullword
|
||||
$b4 = "uname -a\n\n" wide ascii
|
||||
$b5 = "/proc/%u/cmdline" wide ascii
|
||||
$b6 = "/proc/self/exe" wide ascii
|
||||
$b7 = "cp -a %s %s" wide ascii
|
||||
$c1 = "/dev/pts/4" wide ascii fullword
|
||||
$c2 = "/tmp/1408.log" wide ascii fullword
|
||||
condition:
|
||||
uint32(0) == 0x464C457F and
|
||||
((1 of ($a*) and 4 of ($b*)) or
|
||||
(1 of ($a*) and 1 of ($c*)) or
|
||||
2 of ($a*) or
|
||||
all of ($b*))
|
||||
}
|
||||
|
|
@ -1,48 +0,0 @@
|
|||
rule apt_nix_elf_derusbi
|
||||
{
|
||||
meta:
|
||||
author = "Fidelis Cybersecurity"
|
||||
reference = "https://www.fidelissecurity.com/resources/turbo-campaign-featuring-derusbi-64-bit-linux"
|
||||
strings:
|
||||
$ = "LxMain"
|
||||
$ = "execve"
|
||||
$ = "kill"
|
||||
$ = "cp -a %s %s"
|
||||
$ = "%s &"
|
||||
$ = "dbus-daemon"
|
||||
$ = "--noprofile"
|
||||
$ = "--norc"
|
||||
$ = "TERM=vt100"
|
||||
$ = "/proc/%u/cmdline"
|
||||
$ = "loadso"
|
||||
$ = "/proc/self/exe"
|
||||
$ = "Proxy-Connection: Keep-Alive"
|
||||
$ = "Connection: Keep-Alive"
|
||||
$ = "CONNECT %s"
|
||||
$ = "HOST: %s:%d"
|
||||
$ = "User-Agent: Mozilla/4.0"
|
||||
$ = "Proxy-Authorization: Basic %s"
|
||||
$ = "Server: Apache"
|
||||
$ = "Proxy-Authenticate"
|
||||
$ = "gettimeofday"
|
||||
$ = "pthread_create"
|
||||
$ = "pthread_join"
|
||||
$ = "pthread_mutex_init"
|
||||
$ = "pthread_mutex_destroy"
|
||||
$ = "pthread_mutex_lock"
|
||||
$ = "getsockopt"
|
||||
$ = "socket"
|
||||
$ = "setsockopt"
|
||||
$ = "select"
|
||||
$ = "bind"
|
||||
$ = "shutdown"
|
||||
$ = "listen"
|
||||
$ = "opendir"
|
||||
$ = "readdir"
|
||||
$ = "closedir"
|
||||
$ = "rename"
|
||||
|
||||
condition:
|
||||
(uint32(0) == 0x4464c457f) and (all of them)
|
||||
}
|
||||
|
|
@ -1,30 +0,0 @@
|
|||
rule apt_nix_elf_derusbi_kernelModule
|
||||
{
|
||||
meta:
|
||||
author = "Fidelis Cybersecurity"
|
||||
reference = "https://www.fidelissecurity.com/resources/turbo-campaign-featuring-derusbi-64-bit-linux"
|
||||
strings:
|
||||
$ = "__this_module"
|
||||
$ = "init_module"
|
||||
$ = "unhide_pid"
|
||||
$ = "is_hidden_pid"
|
||||
$ = "clear_hidden_pid"
|
||||
$ = "hide_pid"
|
||||
$ = "license"
|
||||
$ = "description"
|
||||
$ = "srcversion="
|
||||
$ = "depends="
|
||||
$ = "vermagic="
|
||||
$ = "current_task"
|
||||
$ = "sock_release"
|
||||
$ = "module_layout"
|
||||
$ = "init_uts_ns"
|
||||
$ = "init_net"
|
||||
$ = "init_task"
|
||||
$ = "filp_open"
|
||||
$ = "__netlink_kernel_create"
|
||||
$ = "kfree_skb"
|
||||
|
||||
condition:
|
||||
(uint32(0) == 0x4464c457f) and (all of them)
|
||||
}
|
|
@ -1,40 +0,0 @@
|
|||
rule apt_win32_dll_bergard_pgv_pvid_variant
|
||||
|
||||
{
|
||||
|
||||
meta:
|
||||
|
||||
copyright = “Fidelis Cybersecurity”
|
||||
reference = "http://www.threatgeek.com/2016/05/"
|
||||
|
||||
strings:
|
||||
|
||||
$ = "Accept:"
|
||||
|
||||
$ = "User-Agent: %s"
|
||||
|
||||
$ = "Host: %s:%d"
|
||||
|
||||
$ = "Cache-Control: no-cache"
|
||||
|
||||
$ = "Connection: Keep-Alive"
|
||||
|
||||
$ = "Cookie: pgv_pvid="
|
||||
|
||||
$ = "Content-Type: application/x-octet-stream"
|
||||
|
||||
$ = "User-Agent: %s"
|
||||
|
||||
$ = "Host: %s:%d"
|
||||
|
||||
$ = "Pragma: no-cache"
|
||||
|
||||
$ = "Connection: Keep-Alive"
|
||||
|
||||
$ = "HTTP/1.0"
|
||||
|
||||
condition:
|
||||
|
||||
(uint16(0) == 0x5A4D) and (all of them)
|
||||
|
||||
}
|
|
@ -1,30 +0,0 @@
|
|||
rule apt_win32_dll_rat_hiZorRAT
|
||||
{
|
||||
meta:
|
||||
hash1 = "75d3d1f23628122a64a2f1b7ef33f5cf"
|
||||
hash2 = "d9821468315ccd3b9ea03161566ef18e"
|
||||
hash3 = "b9af5f5fd434a65d7aa1b55f5441c90a"
|
||||
ref1 = "http://www.threatgeek.com/2016/01/introducing-hi-zor-rat.html"
|
||||
ref2 = "https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf"
|
||||
|
||||
strings:
|
||||
|
||||
// Part of the encoded User-Agent = Mozilla
|
||||
$ = { c7 [5] 40 00 62 00 c7 [5] 77 00 64 00 c7 [5] 61 00 61 00 c7 [5] 6c 00 }
|
||||
|
||||
// XOR to decode User-Agent after string stacking 0x10001630
|
||||
$ = { 66 [7] 0d 40 83 ?? ?? 7c ?? }
|
||||
|
||||
// XOR with 0x2E - 0x10002EF6
|
||||
|
||||
$ = { 80 [2] 2e 40 3b ?? 72 ?? }
|
||||
|
||||
$ = "CmdProcessExited" wide ascii
|
||||
$ = "rootDir" wide ascii
|
||||
$ = "DllRegisterServer" wide ascii
|
||||
$ = "GetNativeSystemInfo" wide ascii
|
||||
$ = "%08x%08x%08x%08x" wide ascii
|
||||
|
||||
condition:
|
||||
(uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f) and (all of them)
|
||||
}
|
|
@ -1,61 +0,0 @@
|
|||
rule apt_win_exe_trojan_derusbi
|
||||
{
|
||||
meta:
|
||||
author = "Fidelis Cybersecurity"
|
||||
reference = "https://www.fidelissecurity.com/resources/turbo-campaign-featuring-derusbi-64-bit-linux"
|
||||
strings:
|
||||
$sa_1 = "USB" wide ascii
|
||||
$sa_2 = "RAM" wide ascii
|
||||
$sa_3 = "SHARE" wide ascii
|
||||
$sa_4 = "HOST: %s:%d"
|
||||
$sa_5 = "POST"
|
||||
$sa_6 = "User-Agent: Mozilla"
|
||||
$sa_7 = "Proxy-Connection: Keep-Alive"
|
||||
$sa_8 = "Connection: Keep-Alive"
|
||||
$sa_9 = "Server: Apache"
|
||||
$sa_10 = "HTTP/1.1"
|
||||
$sa_11 = "ImagePath"
|
||||
$sa_12 = "ZwUnloadDriver"
|
||||
$sa_13 = "ZwLoadDriver"
|
||||
$sa_14 = "ServiceMain"
|
||||
$sa_15 = "regsvr32.exe"
|
||||
$sa_16 = "/s /u" wide ascii
|
||||
$sa_17 = "rand"
|
||||
$sa_18 = "_time64"
|
||||
$sa_19 = "DllRegisterServer"
|
||||
$sa_20 = "DllUnregisterServer"
|
||||
$sa_21 = { 8b [5] 8b ?? d3 ?? 83 ?? 08 30 [5] 40 3b [5] 72 } // Decode Driver
|
||||
|
||||
$sb_1 = "PCC_CMD_PACKET"
|
||||
$sb_2 = "PCC_CMD"
|
||||
$sb_3 = "PCC_BASEMOD"
|
||||
$sb_4 = "PCC_PROXY"
|
||||
$sb_5 = "PCC_SYS"
|
||||
$sb_6 = "PCC_PROCESS"
|
||||
$sb_7 = "PCC_FILE"
|
||||
$sb_8 = "PCC_SOCK"
|
||||
|
||||
$sc_1 = "bcdedit -set testsigning" wide ascii
|
||||
$sc_2 = "update.microsoft.com" wide ascii
|
||||
$sc_3 = "_crt_debugger_hook" wide ascii
|
||||
$sc_4 = "ue8G5" wide ascii
|
||||
|
||||
$sd_1 = "NET" wide ascii
|
||||
$sd_2 = "\\\\.\\pipe\\%s" wide ascii
|
||||
$sd_3 = ".dat" wide ascii
|
||||
$sd_4 = "CONNECT %s:%d" wide ascii
|
||||
$sd_5 = "\\Device\\" wide ascii
|
||||
|
||||
$se_1 = "-%s-%04d" wide ascii
|
||||
$se_2 = "-%04d" wide ascii
|
||||
$se_3 = "FAL" wide ascii
|
||||
$se_4 = "OK" wide ascii
|
||||
$se_5 = "2.03" wide ascii
|
||||
$se_6 = "XXXXXXXXXXXXXXX" wide ascii
|
||||
|
||||
condition:
|
||||
(uint16(0) == 0x5A4D) and ( (all of ($sa_*)) or (
|
||||
(13 of ($sa_*)) and
|
||||
( (5 of ($sb_*)) or (3 of ($sc_*)) or (all of ($sd_*)) or
|
||||
( (1 of ($sc_*)) and (all of ($se_*)) ) ) ) )
|
||||
}
|
|
@ -1,51 +0,0 @@
|
|||
rule crime_win32_exe_rat_netwire{
|
||||
meta:
|
||||
description = "AlienSpy"
|
||||
author = "Fidelis Cybersecurity"
|
||||
reference = "Fidelis Threat Advisory #1017 - Phishing in Plain Sight - June 9, 2015"
|
||||
hash = "fd5a753347416484ab01712786c407c4"
|
||||
|
||||
strings:
|
||||
$sa = "StubPath"
|
||||
$sa = "CONNECT"
|
||||
$sa = "200 OK"
|
||||
$sa = "GET"
|
||||
$sa = "Host"
|
||||
$sa = "Connection"
|
||||
$sa = "Firefox"
|
||||
$sa = "Chrome"
|
||||
$sa = "Opera"
|
||||
$sa = "Outlook"
|
||||
$sa = "NSS_Shutdown"
|
||||
$sa = "NSSBase64_DecodeBuffer"
|
||||
$sa = "NSS_Init"
|
||||
$sa = "NSS_Shutdown"
|
||||
$sa = "name" nocase
|
||||
$sa = "password"
|
||||
$sa = "Server"
|
||||
$sa = "LANMANNT"
|
||||
$sa = "SERVERNT"
|
||||
$sa = "[Backspace]"
|
||||
$sa = "[Enter]"
|
||||
$sa = "[Tab]"
|
||||
$sa = "[Print Screen]"
|
||||
$sa = "mozsqlite"
|
||||
$sa = "nssutil"
|
||||
$sa = "sqlite"
|
||||
$sa = "Email"
|
||||
$sa = "POP3 User"
|
||||
$sa = "POP3 Server"
|
||||
$sa = "POP3 Password"
|
||||
$sa = "IMAP User"
|
||||
$sa = "IMAP Server"
|
||||
$sa = "IMAP Password"
|
||||
$sa = "HTTP User"
|
||||
$sa = "HTTP Server"
|
||||
$sa = "HTTP Password"
|
||||
$sa = "SMTP User"
|
||||
$sa = "SMTP Server"
|
||||
$sa = "SMTP Password"
|
||||
|
||||
condition:
|
||||
(uint16(0) == 0x5A4D) and (all of them)
|
||||
}
|
|
@ -1,28 +0,0 @@
|
|||
rule crime_win_PWS_Fareit
|
||||
{
|
||||
meta:
|
||||
description = "Fareit password stealer"
|
||||
author = "General Dynamics Fidelis Cybersecurity Solutions - Threat Research Team"
|
||||
reference = "https://www.fidelissecurity.com/sites/default/files/FTA_1016_Pushdo.pdf"
|
||||
date = "20150414"
|
||||
filetype = "exe"
|
||||
hash_1 = "e93799591429756b7a5ad6e44197c020"
|
||||
hash_2 = "891823de9b05e17def459e04fb574f94"
|
||||
hash_3 = "6e54267c787fc017a2b2cc5dc5273a0a"
|
||||
hash_4 = "40165ee6b1d69c58d3c0d2f4701230fa"
|
||||
hash_5 = "de3b206a8066db48e9d7b0a42d50c5cd"
|
||||
hash_6 = "b988944f831c478f5a6d71f9e06fbc22"
|
||||
hash_7 = "7b7584d86efa2df42fe504213a3d1d2c"
|
||||
hash_8 = "f088b291af1a3710f99c33fa37f68602"
|
||||
strings:
|
||||
$mz = {4d5a}
|
||||
$s1 = "SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins"
|
||||
$s2 = "gate.php"
|
||||
$s3 = "STATUS-IMPORT-OK"
|
||||
$s4 = "Client Hash"
|
||||
$s5 = "YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0"
|
||||
$c1 = "wiseftpsrvs.bin"
|
||||
$c2 = "out.bin"
|
||||
condition:
|
||||
$mz at 0 and filesize < 105KB and all of ($s*) and ($c1 or $c2)
|
||||
}
|
|
@ -1,47 +0,0 @@
|
|||
rule network_traffic_njRAT
|
||||
{
|
||||
meta:
|
||||
author = "info@fidelissecurity.com"
|
||||
descripion = "njRAT - Remote Access Trojan"
|
||||
comment = "Rule to alert on network traffic indicators"
|
||||
filetype = "PCAP - Network Traffic"
|
||||
date = "2013-07-15"
|
||||
version = "1.0"
|
||||
hash1 = "92ee1fb5df21d8cfafa2b02b6a25bd3b"
|
||||
hash2 ="3576d40ce18bb0349f9dfa42b8911c3a"
|
||||
hash3 ="24cc5b811a7f9591e7f2cb9a818be104"
|
||||
hash4 = "3ad5fded9d7fdf1c2f6102f4874b2d52"
|
||||
hash5 = "a98b4c99f64315aac9dd992593830f35"
|
||||
hash6 = "5fcb5282da1a2a0f053051c8da1686ef"
|
||||
hash7 = "a669c0da6309a930af16381b18ba2f9d"
|
||||
hash8 = "79dce17498e1997264346b162b09bde8"
|
||||
hash9 = "fc96a7e27b1d3dab715b2732d5c86f80"
|
||||
ref1 = "http://bit.ly/19tlf4s"
|
||||
ref2 = "http://www.fidelissecurity.com/threatadvisory"
|
||||
ref3 = "http://www.threatgeek.com/2013/06/fidelis-threat-advisory-1009-njrat-uncovered.html"
|
||||
ref4 = "http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered.pdf"
|
||||
|
||||
strings:
|
||||
$string1 = "FM|'|'|" // File Manager
|
||||
$string2 = "nd|'|'|" // File Manager
|
||||
$string3 = "rn|'|'|" // Run File
|
||||
$string4 = "sc~|'|'|" // Remote Desktop
|
||||
$string5 = "scPK|'|'|" // Remote Desktop
|
||||
$string6 = "CAM|'|'|" // Remote Cam
|
||||
$string7 = "USB Video Device[endof]" // Remote Cam
|
||||
$string8 = "rs|'|'|" // Reverse Shell
|
||||
$string9 = "proc|'|'|" // Process Manager
|
||||
$string10 = "k|'|'|" // Process Manager
|
||||
$string11 = "RG|'|'|~|'|'|" // Registry Manipulation
|
||||
$string12 = "kl|'|'|" // Keylogger file
|
||||
$string13 = "ret|'|'|" // Get Browser Passwords
|
||||
$string14 = "pl|'|'|" // Get Browser Passwords
|
||||
$string15 = "lv|'|'|" // General
|
||||
$string16 = "prof|'|'|~|'|'|" // Server rename
|
||||
$string17 = "un|'|'|~[endof]" // Uninstall
|
||||
$idle_string = "P[endof]" // Idle Connection
|
||||
|
||||
condition:
|
||||
any of ($string*) or #idle_string > 4
|
||||
|
||||
}
|
|
@ -1,45 +0,0 @@
|
|||
rule win_exe_njRAT
|
||||
{
|
||||
meta:
|
||||
author = "info@fidelissecurity.com"
|
||||
descripion = "njRAT - Remote Access Trojan"
|
||||
comment = "Variants have also been observed obfuscated with .NET Reactor"
|
||||
filetype = "pe"
|
||||
date = "2013-07-15"
|
||||
version = "1.0"
|
||||
hash1 = "92ee1fb5df21d8cfafa2b02b6a25bd3b"
|
||||
hash2 = "3576d40ce18bb0349f9dfa42b8911c3a"
|
||||
hash3 = "24cc5b811a7f9591e7f2cb9a818be104"
|
||||
hash4 = "3ad5fded9d7fdf1c2f6102f4874b2d52"
|
||||
hash5 = "a98b4c99f64315aac9dd992593830f35"
|
||||
hash6 ="5fcb5282da1a2a0f053051c8da1686ef"
|
||||
hash7 = "a669c0da6309a930af16381b18ba2f9d"
|
||||
hash8 = "79dce17498e1997264346b162b09bde8"
|
||||
hash9 = "fc96a7e27b1d3dab715b2732d5c86f80"
|
||||
ref1 = "http://bit.ly/19tlf4s"
|
||||
ref2 = "http://www.fidelissecurity.com/threatadvisory"
|
||||
ref3 = "http://www.threatgeek.com/2013/06/fidelis-threat-advisory-1009-njratuncovered.html"
|
||||
ref4 = "http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered.pdf"
|
||||
|
||||
strings:
|
||||
$magic = "MZ"
|
||||
$string_setA_1 = "FromBase64String"
|
||||
$string_setA_2 = "Base64String"
|
||||
$string_setA_3 = "Connected" wide ascii
|
||||
$string_setA_4 = "Receive"
|
||||
$string_setA_5 = "DeleteSubKey" wide ascii
|
||||
$string_setA_6 = "get_MachineName"
|
||||
$string_setA_7 = "get_UserName"
|
||||
$string_setA_8 = "get_LastWriteTime"
|
||||
$string_setA_9 = "GetVolumeInformation"
|
||||
|
||||
$string_setB_1 = "OSFullName" wide ascii
|
||||
$string_setB_2 = "Send" wide ascii
|
||||
$string_setB_3 = "Connected" wide ascii
|
||||
$string_setB_4 = "DownloadData" wide ascii
|
||||
$string_setB_5 = "netsh firewall" wide
|
||||
$string_setB_6 = "cmd.exe /k ping 0 & del" wide
|
||||
|
||||
condition:
|
||||
($magic at 0) and ( all of ($string_setA*) or all of ($string_setB*) )
|
||||
}
|
|
@ -1,128 +0,0 @@
|
|||
rule win_vbs_rat_hworm
|
||||
|
||||
{
|
||||
meta:
|
||||
author = "Fidelis Cybersecurity"
|
||||
reference = "http://www.threatgeek.com/2016/11/down-the-h-w0rm-hole-with-houdinis-rat.html"
|
||||
strings:
|
||||
|
||||
$sa1 = "CONFIG"
|
||||
|
||||
$sa2 = "MYCODE"
|
||||
|
||||
$sa3 = "SHELLOBJ.EXPANDENVIRONMENTSTRINGS"
|
||||
|
||||
$sa4 = "BASE64TOHEX"
|
||||
|
||||
$sa5 = "DCOM.VIRTUALALLOC"
|
||||
|
||||
$sa6 = "LOADER_"
|
||||
|
||||
$sa7 = "PE_PTR"
|
||||
|
||||
$sa8 = "OBJWMISERVICE.EXECQUERY"
|
||||
|
||||
$sa9 = "WSCRIPT.EXE" nocase
|
||||
|
||||
$sa10 = "FUNCTION"
|
||||
|
||||
$sa11 = "DIM"
|
||||
|
||||
$sa12 = "END SUB"
|
||||
|
||||
$sb1 = "HOST_FILE"
|
||||
|
||||
$sb2 = "FILE_NAME"
|
||||
|
||||
$sb3 = "INSTALL_DIR"
|
||||
|
||||
$sb4 = "START_UP_REG"
|
||||
|
||||
$sb5 = "START_UP_TASK"
|
||||
|
||||
$sb6 = "START_UP_FOLDER"
|
||||
|
||||
$sc1 = "DCOM_DATA"
|
||||
|
||||
$sc2 = "LOADER_DATA"
|
||||
|
||||
$sc3 = "FILE_DATA"
|
||||
|
||||
$sc4 = "(1)"
|
||||
|
||||
$sc5 = "(2)"
|
||||
|
||||
$sc6 = "(3)"
|
||||
|
||||
$sc7 = "FILE_SIZE"
|
||||
|
||||
condition:
|
||||
|
||||
(all of ($sa*)) and ( (all of ($sb*)) or (all of ($sc*)) )
|
||||
|
||||
}
|
||||
|
||||
rule win_exe_rat_hworm
|
||||
|
||||
{
|
||||
meta:
|
||||
author = "Fidelis Cybersecurity"
|
||||
reference = "http://www.threatgeek.com/2016/11/down-the-h-w0rm-hole-with-houdinis-rat.html"
|
||||
strings:
|
||||
|
||||
$sa1 = "connection_host" wide ascii
|
||||
|
||||
$sa2 = "connection_port" wide ascii
|
||||
|
||||
$sa3 = "install_folder" wide ascii
|
||||
|
||||
$sa4 = "install_name" wide ascii
|
||||
|
||||
$sa5 = "nickname_id" wide ascii
|
||||
|
||||
$sa6 = "password" wide ascii
|
||||
|
||||
$sa7 = "injection" wide ascii
|
||||
|
||||
$sa8 = "startup_registry" wide ascii
|
||||
|
||||
$sa9 = "startup_folder" wide ascii
|
||||
|
||||
$sa10 = "startup_task" wide ascii
|
||||
|
||||
$sa11 = "process_name" wide ascii
|
||||
|
||||
$sa12 = "fkeylogger_host" wide ascii
|
||||
|
||||
$sa13 = "fkeylogger_port" wide ascii
|
||||
|
||||
$sa14 = "keylogger_init" wide ascii
|
||||
|
||||
$sa15 = "keylogger_offline" wide ascii
|
||||
|
||||
$sa16 = "file_manager" wide ascii
|
||||
|
||||
$sa17 = "usb" wide ascii
|
||||
|
||||
$sa18 = "password" wide ascii
|
||||
|
||||
$sa19 = "filemanager" wide ascii
|
||||
|
||||
$sa20 = "keylogger" wide ascii
|
||||
|
||||
$sa21 = "screenshot" wide ascii
|
||||
|
||||
$sa22 = "show" nocase wide ascii
|
||||
|
||||
$sa23 = "open" wide ascii
|
||||
|
||||
$sa25 = "create" wide ascii
|
||||
|
||||
$sa26 = "Self" wide ascii
|
||||
|
||||
$sa27 = "createsuspended" wide ascii
|
||||
|
||||
condition:
|
||||
|
||||
(uint16(0) == 0x5A4D) and (all of them)
|
||||
|
|
@ -1,113 +0,0 @@
|
|||
rule FE_LEGALSTRIKE_MACRO {
|
||||
meta:version=".1"
|
||||
filetype="MACRO"
|
||||
author="Ian.Ahl@fireeye.com @TekDefense"
|
||||
date="2017-06-02"
|
||||
description="This rule is designed to identify macros with the specific encoding used in the sample 30f149479c02b741e897cdb9ecd22da7."
|
||||
reference: https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
|
||||
strings:
|
||||
// OBSFUCATION
|
||||
$ob1 = "ChrW(114) & ChrW(101) & ChrW(103) & ChrW(115) & ChrW(118) & ChrW(114) & ChrW(51) & ChrW(50) & ChrW(46) & ChrW(101)" ascii wide
|
||||
$ob2 = "ChrW(120) & ChrW(101) & ChrW(32) & ChrW(47) & ChrW(115) & ChrW(32) & ChrW(47) & ChrW(110) & ChrW(32) & ChrW(47)" ascii wide
|
||||
$ob3 = "ChrW(117) & ChrW(32) & ChrW(47) & ChrW(105) & ChrW(58) & ChrW(104) & ChrW(116) & ChrW(116) & ChrW(112) & ChrW(115)" ascii wide
|
||||
$ob4 = "ChrW(58) & ChrW(47) & ChrW(47) & ChrW(108) & ChrW(121) & ChrW(110) & ChrW(99) & ChrW(100) & ChrW(105) & ChrW(115)" ascii wide
|
||||
$ob5 = "ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(46) & ChrW(50) & ChrW(98) & ChrW(117) & ChrW(110)" ascii wide
|
||||
$ob6 = "ChrW(110) & ChrW(121) & ChrW(46) & ChrW(99) & ChrW(111) & ChrW(109) & ChrW(47) & ChrW(65) & ChrW(117) & ChrW(116)" ascii wide
|
||||
$ob7 = "ChrW(111) & ChrW(100) & ChrW(105) & ChrW(115) & ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(32)" ascii wide
|
||||
$ob8 = "ChrW(115) & ChrW(99) & ChrW(114) & ChrW(111) & ChrW(98) & ChrW(106) & ChrW(46) & ChrW(100) & ChrW(108) & ChrW(108)" ascii wide
|
||||
$obreg1 = /(\w{5}\s&\s){7}\w{5}/
|
||||
$obreg2 = /(Chrw\(\d{1,3}\)\s&\s){7}/
|
||||
// wscript
|
||||
$wsobj1 = "Set Obj = CreateObject(\"WScript.Shell\")" ascii wide
|
||||
$wsobj2 = "Obj.Run " ascii wide
|
||||
|
||||
condition:
|
||||
(
|
||||
(
|
||||
(uint16(0) != 0x5A4D)
|
||||
)
|
||||
and
|
||||
(
|
||||
all of ($wsobj*) and 3 of ($ob*)
|
||||
or
|
||||
all of ($wsobj*) and all of ($obreg*)
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
rule FE_LEGALSTRIKE_MACRO_2 {
|
||||
meta:version=".1"
|
||||
filetype="MACRO"
|
||||
author="Ian.Ahl@fireeye.com @TekDefense"
|
||||
date="2017-06-02"
|
||||
description="This rule was written to hit on specific variables and powershell command fragments as seen in the macro found in the XLSX file3a1dca21bfe72368f2dd46eb4d9b48c4."
|
||||
reference: https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
|
||||
strings:
|
||||
// Setting the environment
|
||||
$env1 = "Arch = Environ(\"PROCESSOR_ARCHITECTURE\")" ascii wide
|
||||
$env2 = "windir = Environ(\"windir\")" ascii wide
|
||||
$env3 = "windir + \"\\syswow64\\windowspowershell\\v1.0\\powershell.exe\"" ascii wide
|
||||
// powershell command fragments
|
||||
$ps1 = "-NoP" ascii wide
|
||||
$ps2 = "-NonI" ascii wide
|
||||
$ps3 = "-W Hidden" ascii wide
|
||||
$ps4 = "-Command" ascii wide
|
||||
$ps5 = "New-Object IO.StreamReader" ascii wide
|
||||
$ps6 = "IO.Compression.DeflateStream" ascii wide
|
||||
$ps7 = "IO.MemoryStream" ascii wide
|
||||
$ps8 = ",$([Convert]::FromBase64String" ascii wide
|
||||
$ps9 = "ReadToEnd();" ascii wide
|
||||
$psregex1 = /\W\w+\s+\s\".+\"/
|
||||
condition:
|
||||
(
|
||||
(
|
||||
(uint16(0) != 0x5A4D)
|
||||
)
|
||||
and
|
||||
(
|
||||
all of ($env*) and 6 of ($ps*)
|
||||
or
|
||||
all of ($env*) and 4 of ($ps*) and all of ($psregex*)
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
rule FE_LEGALSTRIKE_RTF {
|
||||
meta:
|
||||
version=".1"
|
||||
filetype="MACRO"
|
||||
author="joshua.kim@FireEye.com"
|
||||
date="2017-06-02"
|
||||
description="Rtf Phishing Campaign leveraging the CVE 2017-0199 exploit, to point to the domain 2bunnyDOTcom"
|
||||
reference: https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
|
||||
|
||||
strings:
|
||||
$header = "{\\rt"
|
||||
|
||||
$lnkinfo = "4c0069006e006b0049006e0066006f"
|
||||
|
||||
$encoded1 = "4f4c45324c696e6b"
|
||||
$encoded2 = "52006f006f007400200045006e007400720079"
|
||||
$encoded3 = "4f0062006a0049006e0066006f"
|
||||
$encoded4 = "4f006c0065"
|
||||
|
||||
$http1 = "68{"
|
||||
$http2 = "74{"
|
||||
$http3 = "07{"
|
||||
|
||||
// 2bunny.com
|
||||
$domain1 = "32{\\"
|
||||
$domain2 = "62{\\"
|
||||
$domain3 = "75{\\"
|
||||
$domain4 = "6e{\\"
|
||||
$domain5 = "79{\\"
|
||||
$domain6 = "2e{\\"
|
||||
$domain7 = "63{\\"
|
||||
$domain8 = "6f{\\"
|
||||
$domain9 = "6d{\\"
|
||||
|
||||
$datastore = "\\*\\datastore"
|
||||
|
||||
condition:
|
||||
$header at 0 and all of them
|
||||
}
|
|
@ -1,18 +0,0 @@
|
|||
rule APT32_ActiveMime_Lure{
|
||||
meta:
|
||||
filetype = "MIME entity"
|
||||
author = "Ian Ahl (@TekDefense) and Nick Carr (@ItsReallyNick)"
|
||||
date = "2017-03-02"
|
||||
description = "Developed to detect APT32 (OceanLotus Group phishing lures used to target Fireeye Customers in 2016 and 2017"
|
||||
reference = "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
|
||||
strings:
|
||||
$a1 = "office_text" wide ascii
|
||||
$a2 = "schtasks /create /tn" wide ascii
|
||||
$a3 = "scrobj.dll" wide ascii
|
||||
$a4 = "new-object net.webclient" wide ascii
|
||||
$a5 = "GetUserName" wide ascii
|
||||
$a6 = "WSHnet.UserDomain" wide ascii
|
||||
$a7 = "WSHnet.UserName" wide ascii
|
||||
condition:
|
||||
4 of them
|
||||
}
|
|
@ -1,20 +0,0 @@
|
|||
rule APT_DeputyDog_Strings
|
||||
{
|
||||
|
||||
meta:
|
||||
|
||||
author = "FireEye Labs"
|
||||
version = "1.0"
|
||||
description = "detects string seen in samples used in 2013-3893 0day attacks"
|
||||
reference = "8aba4b5184072f2a50cbc5ecfe326701"
|
||||
|
||||
strings:
|
||||
|
||||
$mz = {4d 5a}
|
||||
$a = "DGGYDSYRL"
|
||||
|
||||
condition:
|
||||
|
||||
($mz at 0) and $a
|
||||
|
||||
}
|
|
@ -1,120 +0,0 @@
|
|||
rule FE_Hunting_BADRABBIT {
|
||||
meta:version=".2"
|
||||
filetype="PE"
|
||||
author="ian.ahl @TekDefense & nicholas.carr @itsreallynick"
|
||||
reference = "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html"
|
||||
date="2017-10-24"
|
||||
md5 = "b14d8faf7f0cbcfad051cefe5f39645f"
|
||||
strings:
|
||||
// Messages
|
||||
$msg1 = "Incorrect password" nocase ascii wide
|
||||
$msg2 = "Oops! Your files have been encrypted." ascii wide
|
||||
$msg3 = "If you see this text, your files are no longer accessible." ascii wide
|
||||
$msg4 = "You might have been looking for a way to recover your files." ascii wide
|
||||
$msg5 = "Don't waste your time. No one will be able to recover them without our" ascii wide
|
||||
$msg6 = "Visit our web service at" ascii wide
|
||||
$msg7 = "Your personal installation key#1:" ascii wide
|
||||
$msg8 = "Run DECRYPT app at your desktop after system boot" ascii wide
|
||||
$msg9 = "Password#1" nocase ascii wide
|
||||
$msg10 = "caforssztxqzf2nm.onion" nocase ascii wide
|
||||
$msg11 = /partition (unbootable|not (found|mounted))/ nocase ascii wide
|
||||
|
||||
// File references
|
||||
$fref1 = "C:\\Windows\\cscc.dat" nocase ascii wide
|
||||
$fref2 = "\\\\.\\dcrypt" nocase ascii wide
|
||||
$fref3 = "Readme.txt" ascii wide
|
||||
$fref4 = "\\Desktop\\DECRYPT.lnk" nocase ascii wide
|
||||
$fref5 = "dispci.exe" nocase ascii wide
|
||||
$fref6 = "C:\\Windows\\infpub.dat" nocase ascii wide
|
||||
// META
|
||||
$meta1 = "http://diskcryptor.net/" nocase ascii wide
|
||||
$meta2 = "dispci.exe" nocase ascii wide
|
||||
$meta3 = "GrayWorm" ascii wide
|
||||
$meta4 = "viserion" nocase ascii wide
|
||||
//commands
|
||||
$com1 = "ComSpec" ascii wide
|
||||
$com2 = "\\cmd.exe" nocase ascii wide
|
||||
$com3 = "schtasks /Create" nocase ascii wide
|
||||
$com4 = "schtasks /Delete /F /TN %ws" nocase ascii wide
|
||||
condition:
|
||||
(uint16(0) == 0x5A4D)
|
||||
and
|
||||
(8 of ($msg*) and 3 of ($fref*) and 2 of ($com*))
|
||||
or
|
||||
(all of ($meta*) and 8 of ($msg*))
|
||||
}
|
||||
|
||||
rule FE_Trojan_BADRABBIT_DROPPER
|
||||
{
|
||||
meta:
|
||||
author = "muhammad.umair"
|
||||
md5 = "fbbdc39af1139aebba4da004475e8839"
|
||||
reference = "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html"
|
||||
rev = 1
|
||||
strings:
|
||||
$api1 = "GetSystemDirectoryW" fullword
|
||||
$api2 = "GetModuleFileNameW" fullword
|
||||
$dropped_dll = "infpub.dat" ascii fullword wide
|
||||
$exec_fmt_str = "%ws C:\\Windows\\%ws,#1 %ws" ascii fullword wide
|
||||
$extract_seq = { 68 ?? ?? ?? ?? 8D 95 E4 F9 FF FF 52 FF 15 ?? ?? ?? ?? 85 C0 0F 84 C4 00 00 00 8D 85 A8 ED FF FF 50 8D 8D AC ED FF FF E8 ?? ?? ?? ?? 85 C0 0F 84 AA 00 00 00 }
|
||||
condition:
|
||||
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 500KB and all of them
|
||||
}
|
||||
|
||||
rule FE_Worm_BADRABBIT
|
||||
{
|
||||
meta:
|
||||
author = "muhammad.umair"
|
||||
md5 = "1d724f95c61f1055f0d02c2154bbccd3"
|
||||
reference = "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html"
|
||||
rev = 1
|
||||
strings:
|
||||
$api1 = "WNetAddConnection2W" fullword
|
||||
$api2 = "CredEnumerateW" fullword
|
||||
$api3 = "DuplicateTokenEx" fullword
|
||||
$api4 = "GetIpNetTable"
|
||||
$del_tasks = "schtasks /Delete /F /TN drogon" ascii fullword wide
|
||||
$dropped_driver = "cscc.dat" ascii fullword wide
|
||||
$exec_fmt_str = "%ws C:\\Windows\\%ws,#1 %ws" ascii fullword wide
|
||||
$iter_encrypt = { 8D 44 24 3C 50 FF 15 ?? ?? ?? ?? 8D 4C 24 3C 8D 51 02 66 8B 31 83 C1 02 66 3B F7 75 F5 2B CA D1 F9 8D 4C 4C 3C 3B C1 74 07 E8 ?? ?? ?? ?? }
|
||||
$share_fmt_str = "\\\\%ws\\admin$\\%ws" ascii fullword wide
|
||||
condition:
|
||||
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 500KB and all of them
|
||||
}
|
||||
|
||||
rule FE_Trojan_BADRABBIT_MIMIKATZ
|
||||
{
|
||||
meta:
|
||||
author = "muhammad.umair"
|
||||
md5 = "37945c44a897aa42a66adcab68f560e0"
|
||||
reference = "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html"
|
||||
rev = 1
|
||||
strings:
|
||||
$api1 = "WriteProcessMemory" fullword
|
||||
$api2 = "SetSecurityDescriptorDacl" fullword
|
||||
$api_str1 = "BCryptDecrypt" ascii fullword wide
|
||||
$mimi_str = "CredentialKeys" ascii fullword wide
|
||||
$wait_pipe_seq = { FF 15 ?? ?? ?? ?? 85 C0 74 63 55 BD B8 0B 00 00 57 57 6A 03 8D 44 24 1C 50 57 68 00 00 00 C0 FF 74 24 38 4B FF 15 ?? ?? ?? ?? 8B F0 83 FE FF 75 3B }
|
||||
condition:
|
||||
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 500KB and all of them
|
||||
}
|
||||
|
||||
rule FE_Trojan_BADRABBIT_DISKENCRYPTOR
|
||||
{
|
||||
meta:
|
||||
author = "muhammad.umair"
|
||||
md5 = "b14d8faf7f0cbcfad051cefe5f39645f"
|
||||
reference = "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html"
|
||||
rev = 1
|
||||
strings:
|
||||
$api1 = "CryptAcquireContextW" fullword
|
||||
$api2 = "CryptEncrypt" fullword
|
||||
$api3 = "NetWkstaGetInfo" fullword
|
||||
$decrypt_seq = { 89 5D EC 78 10 7F 07 3D 00 00 00 01 76 07 B8 00 00 00 01 EB 07 C7 45 EC 01 00 00 00 53 50 53 6A 04 53 8B F8 56 89 45 FC 89 7D E8 FF 15 ?? ?? ?? ?? 8B D8 85 DB 74 5F }
|
||||
$msg1 = "Disk decryption progress..." ascii fullword wide
|
||||
$task_fmt_str = "schtasks /Create /SC ONCE /TN viserion_%u /RU SYSTEM /TR \"%ws\" /ST %02d:%02d:00" ascii fullword wide
|
||||
$tok1 = "\\\\.\\dcrypt" ascii fullword wide
|
||||
$tok2 = "C:\\Windows\\cscc.dat" ascii fullword wide
|
||||
condition:
|
||||
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 150KB and all of them
|
||||
}
|
|
@ -1,19 +0,0 @@
|
|||
rule FE_APT_9002_rat
|
||||
|
||||
{
|
||||
|
||||
meta:
|
||||
author = "FireEye Labs"
|
||||
reference = "https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html"
|
||||
|
||||
strings:
|
||||
|
||||
$mz = {4d 5a}
|
||||
|
||||
$a = "rat_UnInstall" wide ascii
|
||||
|
||||
condition:
|
||||
|
||||
($mz at 0) and $a
|
||||
|
||||
}
|
|
@ -1,75 +0,0 @@
|
|||
rule FE_CPE_MS17_010_RANSOMWARE {
|
||||
meta:version="1.1"
|
||||
//filetype="PE"
|
||||
author="Ian.Ahl@fireeye.com @TekDefense, Nicholas.Carr@mandiant.com @ItsReallyNick"
|
||||
date="2017-06-27"
|
||||
description="Probable PETYA ransomware using ETERNALBLUE, WMIC, PsExec"
|
||||
reference = "https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html"
|
||||
strings:
|
||||
// DRIVE USAGE
|
||||
$dmap01 = "\\\\.\\PhysicalDrive" nocase ascii wide
|
||||
$dmap02 = "\\\\.\\PhysicalDrive0" nocase ascii wide
|
||||
$dmap03 = "\\\\.\\C:" nocase ascii wide
|
||||
$dmap04 = "TERMSRV" nocase ascii wide
|
||||
$dmap05 = "\\admin$" nocase ascii wide
|
||||
$dmap06 = "GetLogicalDrives" nocase ascii wide
|
||||
$dmap07 = "GetDriveTypeW" nocase ascii wide
|
||||
|
||||
// RANSOMNOTE
|
||||
$msg01 = "WARNING: DO NOT TURN OFF YOUR PC!" nocase ascii wide
|
||||
$msg02 = "IF YOU ABORT THIS PROCESS" nocase ascii wide
|
||||
$msg03 = "DESTROY ALL OF YOUR DATA!" nocase ascii wide
|
||||
$msg04 = "PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED" nocase ascii wide
|
||||
$msg05 = "your important files are encrypted" ascii wide
|
||||
$msg06 = "Your personal installation key" nocase ascii wide
|
||||
$msg07 = "worth of Bitcoin to following address" nocase ascii wide
|
||||
$msg08 = "CHKDSK is repairing sector" nocase ascii wide
|
||||
$msg09 = "Repairing file system on " nocase ascii wide
|
||||
$msg10 = "Bitcoin wallet ID" nocase ascii wide
|
||||
$msg11 = "wowsmith123456@posteo.net" nocase ascii wide
|
||||
$msg12 = "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX" nocase ascii wide
|
||||
$msg_pcre = /(en|de)crypt(ion|ed\.)/
|
||||
|
||||
// FUNCTIONALITY, APIS
|
||||
$functions01 = "need dictionary" nocase ascii wide
|
||||
$functions02 = "comspec" nocase ascii wide
|
||||
$functions03 = "OpenProcessToken" nocase ascii wide
|
||||
$functions04 = "CloseHandle" nocase ascii wide
|
||||
$functions05 = "EnterCriticalSection" nocase ascii wide
|
||||
$functions06 = "ExitProcess" nocase ascii wide
|
||||
$functions07 = "GetCurrentProcess" nocase ascii wide
|
||||
$functions08 = "GetProcAddress" nocase ascii wide
|
||||
$functions09 = "LeaveCriticalSection" nocase ascii wide
|
||||
$functions10 = "MultiByteToWideChar" nocase ascii wide
|
||||
$functions11 = "WideCharToMultiByte" nocase ascii wide
|
||||
$functions12 = "WriteFile" nocase ascii wide
|
||||
$functions13 = "CoTaskMemFree" nocase ascii wide
|
||||
$functions14 = "NamedPipe" nocase ascii wide
|
||||
$functions15 = "Sleep" nocase ascii wide // imported, not in strings
|
||||
|
||||
// COMMANDS
|
||||
// -- Clearing event logs & USNJrnl
|
||||
$cmd01 = "wevtutil cl Setup" ascii wide nocase
|
||||
$cmd02 = "wevtutil cl System" ascii wide nocase
|
||||
$cmd03 = "wevtutil cl Security" ascii wide nocase
|
||||
$cmd04 = "wevtutil cl Application" ascii wide nocase
|
||||
$cmd05 = "fsutil usn deletejournal" ascii wide nocase
|
||||
// -- Scheduled task
|
||||
$cmd06 = "schtasks " nocase ascii wide
|
||||
$cmd07 = "/Create /SC " nocase ascii wide
|
||||
$cmd08 = " /TN " nocase ascii wide
|
||||
$cmd09 = "at %02d:%02d %ws" nocase ascii wide
|
||||
$cmd10 = "shutdown.exe /r /f" nocase ascii wide
|
||||
// -- Sysinternals/PsExec and WMIC
|
||||
$cmd11 = "-accepteula -s" nocase ascii wide
|
||||
$cmd12 = "wmic"
|
||||
$cmd13 = "/node:" nocase ascii wide
|
||||
$cmd14 = "process call create" nocase ascii wide
|
||||
|
||||
condition:
|
||||
// (uint16(0) == 0x5A4D)
|
||||
3 of ($dmap*)
|
||||
and 2 of ($msg*)
|
||||
and 9 of ($functions*)
|
||||
and 7 of ($cmd*)
|
||||
}
|
File diff suppressed because it is too large
Load diff
|
@ -1,141 +0,0 @@
|
|||
rule APT_DeputyDog_Strings
|
||||
{
|
||||
|
||||
meta:
|
||||
|
||||
author = "FireEye Labs"
|
||||
version = "1.0"
|
||||
description = "detects string seen in samples used in 2013-3893 0day attacks"
|
||||
reference = "8aba4b5184072f2a50cbc5ecfe326701"
|
||||
|
||||
strings:
|
||||
|
||||
$mz = {4d 5a}
|
||||
$a = "DGGYDSYRL"
|
||||
|
||||
condition:
|
||||
|
||||
($mz at 0) and $a
|
||||
|
||||
}
|
||||
|
||||
rule callTogether_certificate
|
||||
{
|
||||
|
||||
meta:
|
||||
|
||||
author = "Fireeye Labs"
|
||||
|
||||
version = "1.0"
|
||||
|
||||
reference_hash = "d08e038d318b94764d199d7a85047637"
|
||||
|
||||
reference = "https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html"
|
||||
|
||||
description = "detects binaries signed with the CallTogether certificate"
|
||||
|
||||
strings:
|
||||
|
||||
$serial = {452156C3B3FB0176365BDB5B7715BC4C}
|
||||
|
||||
$o = "CallTogether, Inc."
|
||||
|
||||
condition:
|
||||
|
||||
$serial and $o
|
||||
|
||||
}
|
||||
|
||||
rule FE_APT_9002_rat
|
||||
|
||||
{
|
||||
|
||||
meta:
|
||||
author = "FireEye Labs"
|
||||
reference = "https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html"
|
||||
|
||||
strings:
|
||||
|
||||
$mz = {4d 5a}
|
||||
|
||||
$a = "rat_UnInstall" wide ascii
|
||||
|
||||
condition:
|
||||
|
||||
($mz at 0) and $a
|
||||
|
||||
}
|
||||
|
||||
rule MACROCHECK
|
||||
{
|
||||
meta:
|
||||
description = "Identify office documents with the MACROCHECK credential stealer in them. It can be run against .doc files or VBA macros extraced from .docx files (vbaProject.bin files)."
|
||||
author = "Fireeye Labs"
|
||||
version = "1.0"
|
||||
|
||||
strings:
|
||||
$PARAMpword = "pword=" ascii wide
|
||||
$PARAMmsg = "msg=" ascii wide
|
||||
$PARAMuname = "uname=" ascii
|
||||
$userform = "UserForm" ascii wide
|
||||
$userloginform = "UserLoginForm" ascii wide
|
||||
$invalid = "Invalid username or password" ascii wide
|
||||
$up1 = "uploadPOST" ascii wide
|
||||
$up2 = "postUpload" ascii wide
|
||||
|
||||
condition:
|
||||
all of ($PARAM*) or (($invalid or $userloginform or $userform) and ($up1 or $up2))
|
||||
}
|
||||
|
||||
|
||||
rule Molerats_certs
|
||||
|
||||
{
|
||||
|
||||
meta:
|
||||
|
||||
author = "FireEye Labs"
|
||||
|
||||
description = "this rule detections code signed with certificates used by the Molerats actor"
|
||||
|
||||
reference = "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html"
|
||||
|
||||
strings:
|
||||
|
||||
$cert1 = {06 50 11 A5 BC BF 83 C0 93 28 16 5E 7E 85 27 75}
|
||||
$cert2 = {03 e1 e1 aa a5 bc a1 9f ba 8c 42 05 8b 4a bf 28}
|
||||
$cert3 = {0c c0 35 9c 9c 3c da 00 d7 e9 da 2d c6 ba 7b 6d}
|
||||
|
||||
|
||||
|
||||
condition:
|
||||
|
||||
1 of ($cert*)
|
||||
|
||||
}
|
||||
|
||||
rule qti_certificate
|
||||
|
||||
{
|
||||
|
||||
meta:
|
||||
|
||||
author = "Fireeye Labs"
|
||||
|
||||
reference_hash = "cfa3e3471430a0096a4e7ea2e3da6195"
|
||||
|
||||
reference = "https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html"
|
||||
|
||||
description = "detects binaries signed with the QTI International Inc certificate"
|
||||
|
||||
strings:
|
||||
|
||||
$cn = "QTI International Inc"
|
||||
|
||||
$serial = { 2e df b9 fd cf a0 0c cb 5a b0 09 ee 3a db 97 b9 }
|
||||
|
||||
condition:
|
||||
|
||||
$cn and $serial
|
||||
|
||||
}
|
|
@ -1,20 +0,0 @@
|
|||
rule MACROCHECK
|
||||
{
|
||||
meta:
|
||||
description = "Identify office documents with the MACROCHECK credential stealer in them. It can be run against .doc files or VBA macros extraced from .docx files (vbaProject.bin files)."
|
||||
author = "Fireeye Labs"
|
||||
version = "1.0"
|
||||
|
||||
strings:
|
||||
$PARAMpword = "pword=" ascii wide
|
||||
$PARAMmsg = "msg=" ascii wide
|
||||
$PARAMuname = "uname=" ascii
|
||||
$userform = "UserForm" ascii wide
|
||||
$userloginform = "UserLoginForm" ascii wide
|
||||
$invalid = "Invalid username or password" ascii wide
|
||||
$up1 = "uploadPOST" ascii wide
|
||||
$up2 = "postUpload" ascii wide
|
||||
|
||||
condition:
|
||||
all of ($PARAM*) or (($invalid or $userloginform or $userform) and ($up1 or $up2))
|
||||
}
|
|
@ -1,25 +0,0 @@
|
|||
rule Molerats_certs
|
||||
|
||||
{
|
||||
|
||||
meta:
|
||||
|
||||
author = "FireEye Labs"
|
||||
|
||||
description = "this rule detections code signed with certificates used by the Molerats actor"
|
||||
|
||||
reference = "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html"
|
||||
|
||||
strings:
|
||||
|
||||
$cert1 = {06 50 11 A5 BC BF 83 C0 93 28 16 5E 7E 85 27 75}
|
||||
$cert2 = {03 e1 e1 aa a5 bc a1 9f ba 8c 42 05 8b 4a bf 28}
|
||||
$cert3 = {0c c0 35 9c 9c 3c da 00 d7 e9 da 2d c6 ba 7b 6d}
|
||||
|
||||
|
||||
|
||||
condition:
|
||||
|
||||
1 of ($cert*)
|
||||
|
||||
}
|
|
@ -1,63 +0,0 @@
|
|||
rule TRITON_ICS_FRAMEWORK
|
||||
{
|
||||
meta:
|
||||
author = "nicholas.carr @itsreallynick"
|
||||
md5 = "0face841f7b2953e7c29c064d6886523"
|
||||
description = "TRITON framework recovered during Mandiant ICS incident response"
|
||||
reference = "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"
|
||||
|
||||
strings:
|
||||
$python_compiled = ".pyc" nocase ascii wide
|
||||
$python_module_01 = "__module__" nocase ascii wide
|
||||
$python_module_02 = "<module>" nocase ascii wide
|
||||
$python_script_01 = "import Ts" nocase ascii wide
|
||||
$python_script_02 = "def ts_" nocase ascii wide
|
||||
|
||||
$py_cnames_01 = "TS_cnames.py" nocase ascii wide
|
||||
$py_cnames_02 = "TRICON" nocase ascii wide
|
||||
$py_cnames_03 = "TriStation " nocase ascii wide
|
||||
$py_cnames_04 = " chassis " nocase ascii wide
|
||||
|
||||
$py_tslibs_01 = "GetCpStatus" nocase ascii wide
|
||||
$py_tslibs_02 = "ts_" ascii wide
|
||||
$py_tslibs_03 = " sequence" nocase ascii wide
|
||||
$py_tslibs_04 = /import Ts(Hi|Low|Base)[^:alpha:]/ nocase ascii wide
|
||||
$py_tslibs_05 = /module\s?version/ nocase ascii wide
|
||||
$py_tslibs_06 = "bad " nocase ascii wide
|
||||
$py_tslibs_07 = "prog_cnt" nocase ascii wide
|
||||
|
||||
$py_tsbase_01 = "TsBase.py" nocase ascii wide
|
||||
$py_tsbase_02 = ".TsBase(" nocase ascii wide
|
||||
|
||||
$py_tshi_01 = "TsHi.py" nocase ascii wide
|
||||
$py_tshi_02 = "keystate" nocase ascii wide
|
||||
$py_tshi_03 = "GetProjectInfo" nocase ascii wide
|
||||
$py_tshi_04 = "GetProgramTable" nocase ascii wide
|
||||
$py_tshi_05 = "SafeAppendProgramMod" nocase ascii wide
|
||||
$py_tshi_06 = ".TsHi(" ascii nocase wide
|
||||
|
||||
$py_tslow_01 = "TsLow.py" nocase ascii wide
|
||||
$py_tslow_02 = "print_last_error" ascii nocase wide
|
||||
$py_tslow_03 = ".TsLow(" ascii nocase wide
|
||||
$py_tslow_04 = "tcm_" ascii wide
|
||||
$py_tslow_05 = " TCM found" nocase ascii wide
|
||||
|
||||
$py_crc_01 = "crc.pyc" nocase ascii wide
|
||||
$py_crc_02 = "CRC16_MODBUS" ascii wide
|
||||
$py_crc_03 = "Kotov Alaxander" nocase ascii wide
|
||||
$py_crc_04 = "CRC_CCITT_XMODEM" ascii wide
|
||||
$py_crc_05 = "crc16ret" ascii wide
|
||||
$py_crc_06 = "CRC16_CCITT_x1D0F" ascii wide
|
||||
$py_crc_07 = /CRC16_CCITT[^_]/ ascii wide
|
||||
|
||||
$py_sh_01 = "sh.pyc" nocase ascii wide
|
||||
|
||||
$py_keyword_01 = " FAILURE" ascii wide
|
||||
$py_keyword_02 = "symbol table" nocase ascii wide
|
||||
|
||||
$py_TRIDENT_01 = "inject.bin" ascii nocase wide
|
||||
$py_TRIDENT_02 = "imain.bin" ascii nocase wide
|
||||
|
||||
condition:
|
||||
2 of ($python_*) and 7 of ($py_*) and filesize < 3MB
|
||||
}
|
|
@ -1,26 +0,0 @@
|
|||
rule callTogether_certificate
|
||||
{
|
||||
|
||||
meta:
|
||||
|
||||
author = "Fireeye Labs"
|
||||
|
||||
version = "1.0"
|
||||
|
||||
reference_hash = "d08e038d318b94764d199d7a85047637"
|
||||
|
||||
reference = "https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html"
|
||||
|
||||
description = "detects binaries signed with the CallTogether certificate"
|
||||
|
||||
strings:
|
||||
|
||||
$serial = {452156C3B3FB0176365BDB5B7715BC4C}
|
||||
|
||||
$o = "CallTogether, Inc."
|
||||
|
||||
condition:
|
||||
|
||||
$serial and $o
|
||||
|
||||
}
|
|
@ -1,25 +0,0 @@
|
|||
rule Trojan_Hastati
|
||||
{
|
||||
|
||||
meta:
|
||||
|
||||
author = "Fireeye"
|
||||
|
||||
description = "Korean campaign"
|
||||
|
||||
reference = "https://www.fireeye.com/blog/technical/botnet-activities-research/2013/03/more-insights-on-the-recent-korean-cyber-attacks-trojan-hastati.html"
|
||||
|
||||
|
||||
strings:
|
||||
|
||||
$str11 = "taskkill /F /IM clisvc.exe" nocase ascii wide
|
||||
|
||||
$str2 = "taskkill /F /IM pasvc.exe" nocase ascii wide
|
||||
|
||||
$str3 = "shutdown -r -t 0″ nocase ascii wide
|
||||
|
||||
condition:
|
||||
|
||||
all of them
|
||||
|
||||
}
|
|
@ -1,25 +0,0 @@
|
|||
rule qti_certificate
|
||||
|
||||
{
|
||||
|
||||
meta:
|
||||
|
||||
author = "Fireeye Labs"
|
||||
|
||||
reference_hash = "cfa3e3471430a0096a4e7ea2e3da6195"
|
||||
|
||||
reference = "https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html"
|
||||
|
||||
description = "detects binaries signed with the QTI International Inc certificate"
|
||||
|
||||
strings:
|
||||
|
||||
$cn = "QTI International Inc"
|
||||
|
||||
$serial = { 2e df b9 fd cf a0 0c cb 5a b0 09 ee 3a db 97 b9 }
|
||||
|
||||
condition:
|
||||
|
||||
$cn and $serial
|
||||
|
||||
}
|
File diff suppressed because it is too large
Load diff
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue