more fixing, re-add thread count

This commit is contained in:
Sam Sneed 2024-07-25 13:12:20 -05:00
parent 625190f682
commit 2c6af7acb1
1013 changed files with 13 additions and 140759 deletions

14
main.py
View file

@ -246,7 +246,7 @@ def kill_suspicious_processes():
# Scan files for malware as they launch and kill if potentially malicious.
for file_path in cmdline:
if os.path.isfile(file_path):
if scan_for_malware(file_path) and os.path.basename(bypassed_processes):
if scan_for_malware(file_path):
print(f"Terminating potentially malicious process {proc.info['name']} (PID: {proc.info['pid']} NOW...")
proc.terminate()
proc.wait()
@ -332,12 +332,24 @@ def realtimeAV():
kill_suspicious_processes()
time.sleep(1) # check for malware every second
def threadCounter():
previous_count = 0
current_count = 0
while True:
previous_count = threading.active_count()
print(f"Active AntiMalware Threads: {current_count}")
if current_count < previous_count and previous_count - current_count > -1:
print("WARNING: THREAD KILL DETECTED!")
time.sleep(3) # check for malware every second
current_count = threading.active_count()
# Start Monitoring in Threads
threads = [
threading.Thread(target=start_file_system_monitor),
threading.Thread(target=monitor_cpu_gpu_usage),
threading.Thread(target=monitor_registry_changes),
threading.Thread(target=realtimeAV),
threading.Thread(target=threadCounter),
threading.Thread(target=monitor_tls_certificates),
threading.Thread(target=monitor_browser, args=('chrome',)),
threading.Thread(target=monitor_browser, args=('firefox',))

View file

@ -1,241 +0,0 @@
/*
Rules which detect vulnerabilities in configuration files.
External variables are used so they only work with YARA scanners, that pass them on (e.g. Thor, Loki and Spyre)
*/
rule VULN_Linux_Sudoers_Commands {
meta:
description = "Detects sudoers config with commands which might allow privilege escalation to root"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp"
reference = "https://gtfobins.github.io/"
date = "2022-11-22"
modified = "2024-04-15"
score = 50
id = "221d90c8-e70e-5214-a03b-57ecabcdd480"
strings:
$command1 = "/sh " ascii
$command2 = "/bash " ascii
$command3 = "/ksh " ascii
$command4 = "/csh " ascii
$command5 = "/tcpdump " ascii
//$command6 = "/cat " ascii
//$command7 = "/head " ascii
$command8 = "/nano " ascii
$command9 = "/pico " ascii
$command10 = "/rview " ascii
$command11 = "/vi " ascii
$command12 = "/vim " ascii
$command13 = "/rvi " ascii
$command14 = "/rvim " ascii
//$command15 = "/more " ascii
$command16 = "/less " ascii
$command17 = "/dd " ascii
/* $command18 = "/mount " ascii prone to FPs */
condition:
( filename == "sudoers" or filepath contains "/etc/sudoers.d" ) and
any of ($command*)
}
rule VULN_Linux_NFS_Exports {
meta:
description = "Detects insecure /etc/exports NFS config which might allow privilege escalation to root or other users. The parameter insecure allows any non-root user to mount NFS shares via e.g. an SSH-tunnel. With no_root_squash SUID root binaries are allowed."
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
reference = "https://www.errno.fr/nfs_privesc.html"
author = "Arnim Rupp"
date = "2022-11-22"
score = 50
id = "4b7d81d8-1ae1-5fcf-a91c-271477a839db"
strings:
// line has to start with / to avoid triggering on #-comment lines
$conf1 = /\n\/.{2,200}?\binsecure\b/ ascii
$conf2 = /\n\/.{2,200}?\bno_root_squash\b/ ascii
condition:
filename == "exports" and
filepath contains "/etc" and
any of ($conf*)
}
rule SUSP_AES_Key_in_MySql_History {
meta:
description = "Detects AES key outside of key management in .mysql_history"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp"
date = "2022-11-22"
score = 50
id = "28acef39-8606-5d3d-b395-0d8db13f6c9c"
strings:
$c1 = /\bAES_(DE|EN)CRYPT\(.{1,128}?,.??('|").{1,128}?('|")\)/ ascii
$c2 = /\baes_(de|en)crypt\(.{1,128}?,.??('|").{1,128}?('|")\)/ ascii
condition:
filename == ".mysql_history" and
any of ($c*)
}
rule VULN_Slapd_Conf_with_Default_Password {
meta:
description = "Detects an openldap slapd.conf with the default password test123"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp"
date = "2022-11-22"
reference = "https://www.openldap.org/doc/admin21/slapdconfig.html"
score = 70
id = "1d1319da-125b-5373-88f1-27a23c85729e"
strings:
/* \nrootpw \{SSHA\}fsAEyxlFOtvZBwPLAF68zpUhth8lERoR */
$c1 = { 0A 72 6f 6f 74 70 77 20 7b 53 53 48 41 7d 66 73 41 45 79 78 6c 46 4f 74 76 5a 42 77 50 4c 41 46 36 38 7a 70 55 68 74 68 38 6c 45 52 6f 52 }
condition:
filename == "slapd.conf" and
any of ($c*)
}
rule VULN_Unencrypted_SSH_Private_Key : T1552_004 {
meta:
description = "Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp"
date = "2023-01-06"
reference = "https://attack.mitre.org/techniques/T1552/004/"
score = 50
id = "84b279fc-99c8-5101-b2d8-5c7adbaf753f"
strings:
/*
-----BEGIN RSA PRIVATE KEY-----
MII
*/
$openssh_rsa = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 52 53 41 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d 49 49 }
/*
-----BEGIN DSA PRIVATE KEY-----
MIIBvAIBAAKBgQ
*/
$openssh_dsa = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 44 53 41 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d 49 49 42 76 41 49 42 41 41 4b 42 67 51 }
/*
-----BEGIN EC PRIVATE KEY-----
M
*/
$openssh_ecdsa = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 45 43 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d }
/*
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmU
base64 contains: openssh-key-v1.....none
*/
$openssh_ed25519 = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 4f 50 45 4e 53 53 48 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 62 33 42 6c 62 6e 4e 7a 61 43 31 72 5a 58 6b 74 64 6a 45 41 41 41 41 41 42 47 35 76 62 6d 55 }
$putty_start = "PuTTY-User-Key-File" ascii
$putty_noenc = "Encryption: none" ascii
condition:
/*
limit to folders and filenames which are known to contain ssh keys to avoid triggering on all those
private keys for SSL, signing, ... which might be important but aren't usually used for lateral
movement => bad signal noise ratio
*/
(
filepath contains "ssh" or
filepath contains "SSH" or
filepath contains "utty" or
filename contains "ssh" or
filename contains "SSH" or
filename contains "id_" or
filename contains "id2_" or
filename contains ".ppk" or
filename contains ".PPK" or
filename contains "utty"
)
and
(
$openssh_dsa at 0 or
$openssh_rsa at 0 or
$openssh_ecdsa at 0 or
$openssh_ed25519 at 0 or
(
$putty_start at 0 and
$putty_noenc
)
)
and not filepath contains "/root/"
and not filename contains "ssh_host_"
}
rule VULN_Unencrypted_SSH_Private_Key_Root_Folder : T1552_004 {
meta:
description = "Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp"
date = "2023-01-06"
reference = "https://attack.mitre.org/techniques/T1552/004/"
score = 65
id = "9e6a03a1-d95f-5de7-a6c0-a2e77486007c"
strings:
/*
-----BEGIN RSA PRIVATE KEY-----
MII
*/
$openssh_rsa = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 52 53 41 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d 49 49 }
/*
-----BEGIN DSA PRIVATE KEY-----
MIIBvAIBAAKBgQ
*/
$openssh_dsa = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 44 53 41 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d 49 49 42 76 41 49 42 41 41 4b 42 67 51 }
/*
-----BEGIN EC PRIVATE KEY-----
M
*/
$openssh_ecdsa = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 45 43 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d }
/*
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmU
base64 contains: openssh-key-v1.....none
*/
$openssh_ed25519 = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 4f 50 45 4e 53 53 48 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 62 33 42 6c 62 6e 4e 7a 61 43 31 72 5a 58 6b 74 64 6a 45 41 41 41 41 41 42 47 35 76 62 6d 55 }
$putty_start = "PuTTY-User-Key-File" ascii
$putty_noenc = "Encryption: none" ascii
condition:
/*
limit to folders and filenames which are known to contain ssh keys to avoid triggering on all those
private keys for SSL, signing, ... which might be important but aren't usually used for lateral
movement => bad signal noise ratio
*/
(
filepath contains "ssh" or
filepath contains "SSH" or
filepath contains "utty" or
filename contains "ssh" or
filename contains "SSH" or
filename contains "id_" or
filename contains "id2_" or
filename contains ".ppk" or
filename contains ".PPK" or
filename contains "utty"
)
and
(
$openssh_dsa at 0 or
$openssh_rsa at 0 or
$openssh_ecdsa at 0 or
$openssh_ed25519 at 0 or
(
$putty_start at 0 and
$putty_noenc
)
)
and filepath contains "/root/"
and not filename contains "ssh_host_"
}

View file

@ -1,102 +0,0 @@
rule EXPL_Citrix_Netscaler_ADC_ForensicArtifacts_CVE_2023_3519_Jul23 {
meta:
description = "Detects forensic artifacts found after an exploitation of Citrix NetScaler ADC CVE-2023-3519"
author = "Florian Roth"
reference = "https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf"
date = "2023-07-18"
modified = "2023-07-21"
score = 70
id = "07d725cc-2cf2-55e5-8609-486500547f13"
strings:
$sa1 = "216.41.162.172" ascii fullword
$sb1 = "/flash/nsconfig/keys" ascii
$sb2 = "ldapsearch" ascii fullword
$sb3 = "ns_gui/vpn" ascii
$sb4 = "LDAPTLS_REQCERT" ascii fullword
condition:
filesize < 10MB and $sa1
or (
filepath == "/var/log"
and filename matches /^(bash|sh)\.log/
and 1 of ($sb*)
)
}
rule EXPL_Citrix_Netscaler_ADC_ForensicArtifacts_CVE_2023_3519_Jul23_2 {
meta:
description = "Detects forensic artifacts found after an exploitation of Citrix NetScaler ADC CVE-2023-3519"
author = "Florian Roth"
reference = "https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf"
date = "2023-07-21"
score = 70
id = "471ce547-0133-5836-b9d1-02c932ecfd1e"
strings:
$s1 = "tar -czvf - /var/tmp/all.txt" ascii fullword
$s2 = "-out /var/tmp/test.tar.gz" ascii
$s3 = "/test.tar.gz /netscaler/"
condition:
filesize < 10MB and 1 of them
}
rule EXPL_Citrix_Netscaler_ADC_ForensicArtifacts_CVE_2023_3519_Jul23_3 {
meta:
description = "Detects forensic artifacts found after an exploitation of Citrix NetScaler ADC CVE-2023-3519"
author = "Florian Roth"
reference = "https://www.mandiant.com/resources/blog/citrix-zero-day-espionage"
date = "2023-07-24"
score = 70
id = "2f40b423-f1da-5711-ac4f-18de77cd52d0"
strings:
$x1 = "cat /flash/nsconfig/ns.conf >>" ascii
$x2 = "cat /nsconfig/.F1.key >>" ascii
$x3 = "openssl base64 -d < /tmp/" ascii
$x4 = "cp /usr/bin/bash /var/tmp/bash" ascii
$x5 = "chmod 4775 /var/tmp/bash"
$x6 = "pwd;pwd;pwd;pwd;pwd;"
$x7 = "(&(servicePrincipalName=*)(UserAccountControl:1.2.840.113556.1.4.803:=512)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!(objectCategory=computer)))"
condition:
filesize < 10MB and 1 of them
}
rule LOG_EXPL_Citrix_Netscaler_ADC_Exploitation_Attempt_CVE_2023_3519_Jul23_1 {
meta:
description = "This YARA rule detects forensic artifacts that appear following an attempted exploitation of Citrix NetScaler ADC CVE-2023-3519. The rule identifies an attempt to access the vulnerable function using an overly long URL, a potential sign of attempted exploitation. However, it does not confirm whether such an attempt was successful."
author = "Florian Roth"
reference = "https://blog.assetnote.io/2023/07/24/citrix-rce-part-2-cve-2023-3519/"
date = "2023-07-27"
score = 65
id = "7dfe4130-d976-5d6d-a05d-ccadefe45406"
strings:
/* overly long URL - all URLLEN values >= 200 */
$sr1 = /GWTEST FORMS SSO: Parse=0; URLLEN=([2-9][0-9]{2}|[0-9]{4,20}); Event: start=0x/
$s1 = ", type=1; Target: start=0x"
condition:
all of them
}
rule WEBSHELL_SECRETSAUCE_Jul23_1 {
meta:
description = "Detects SECRETSAUCE PHP webshells (found after an exploitation of Citrix NetScaler ADC CVE-2023-3519)"
author = "Florian Roth"
reference = "https://www.mandiant.com/resources/blog/citrix-zero-day-espionage"
date = "2023-07-24"
score = 85
id = "db0542e7-648e-5f60-9838-e07498f58b51"
strings:
$sa1 = "for ($x=0; $x<=1; $x++) {" ascii
$sa2 = "$_REQUEST[" ascii
$sa3 = "@eval" ascii
$sb1 = "public $cmd;" ascii
$sb2 = "return @eval($a);" ascii
$sb3 = "$z->run($z->get('openssl_public_decrypt'));"
condition:
filesize < 100KB and (
all of ($sa*) or
2 of ($sb*)
)
}

View file

@ -1,328 +0,0 @@
import "pe"
rule ConnectWise_ScreenConnect_Authentication_Bypass_Feb_2024_Exploitation_IIS_Logs {
meta:
description = "Detects an http request to '/SetupWizard.aspx/' with anything following it, which when found in IIS logs is a potential indicator of compromise of the 2024 ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass"
author = "Huntress DE&TH Team (modified by Florian Roth)"
reference = "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"
date = "2024-02-20"
modified = "2024-02-21"
id = "2886530b-e164-4c4b-b01e-950e3c40acb4"
strings:
$s1 = " GET /SetupWizard.aspx/" ascii
$s2 = " POST /SetupWizard.aspx/" ascii
$s3 = " PUT /SetupWizard.aspx/" ascii
$s4 = " HEAD /SetupWizard.aspx/" ascii
condition:
1 of them
}
rule SUSP_ScreenConnect_User_PoC_Com_Unused_Feb24 {
meta:
description = "Detects suspicious ScreenConnect user with poc.com email address, which is a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability with the POC released by WatchTower and the account wasn't actually used yet to login"
author = "Florian Roth"
reference = "https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc/blob/45e5b2f699a4d8f2d59ec3fc79a2e3c99db71882/watchtowr-vs-ConnectWise_2024-02-21.py#L53"
date = "2024-02-23"
score = 65
id = "c57e6c6a-298f-5ff3-b76a-03127ff88699"
strings:
$a1 = "<Users xmlns:xsi="
$a2 = "<CreationDate>"
$s1 = "@poc.com</Email>"
$s2 = "<LastLoginDate>0001"
condition:
filesize < 200KB
and all of ($a*)
and all of ($s*)
}
rule SUSP_ScreenConnect_User_PoC_Com_Used_Feb24 {
meta:
description = "Detects suspicious ScreenConnect user with poc.com email address, which is a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability with the POC released by WatchTower and the account was already used yet to login"
author = "Florian Roth"
reference = "https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc/blob/45e5b2f699a4d8f2d59ec3fc79a2e3c99db71882/watchtowr-vs-ConnectWise_2024-02-21.py#L53"
date = "2024-02-23"
score = 75
id = "91990558-f145-5968-9722-b6815f6ad8d5"
strings:
$a1 = "<Users xmlns:xsi="
$a2 = "<CreationDate>"
$s1 = "@poc.com</Email>"
$f1 = "<LastLoginDate>0001"
condition:
filesize < 200KB
and all of ($a*)
and $s1
and not 1 of ($f*)
}
rule SUSP_ScreenConnect_Exploitation_Artefacts_Feb24 : SCRIPT {
meta:
description = "Detects post exploitation indicators observed by HuntressLabs in relation to the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass"
author = "Florian Roth"
reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
date = "2024-02-23"
score = 75
id = "079f4153-8bc7-574f-b6fa-af5536b842ab"
strings:
$x01 = "-c foreach ($disk in Get-WmiObject Win32_Logicaldisk){Add-MpPreference -ExclusionPath $disk.deviceid}"
$x02 = ".msi c:\\mpyutd.msi"
$x03 = "/MyUserName_$env:UserName"
$x04 = " -OutFile C:\\Windows\\Help\\"
$x05 = "/Create /TN \\\\Microsoft\\\\Windows\\\\Wininet\\\\UserCache_"
$x06 = "$e = $r + \"ssh.exe\""
$x07 = "Start-Process -f $e -a $args -PassThru -WindowStyle Hidden).Id"
$x08 = "-R 9595:localhost:3389 -p 443 -N -oStrictHostKeyChecking=no "
$x09 = "chromeremotedesktophost.msi', $env:ProgramData+"
$x10 = "9595; iwr -UseBasicParsing "
$x11 = "curl https://cmctt.]com/pub/media/wysiwyg/"
$x12 = ":8080/servicetest2.dll"
$x13 = "/msappdata.msi c:\\mpyutd.msi"
$x14 = "/svchost.exe -OutFile "
$x15 = "curl http://minish.wiki.gd"
$x16 = " -Headers @{'ngrok-skip-browser-warning'='true'} -OutFile "
$x17 = "rundll32.exe' -Headers @"
$x18 = "/nssm.exe' -Headers @"
$x19 = "c:\\programdata\\update.dat UpdateSystem"
$x20 = "::size -eq 4){\\\"TVqQAA" ascii wide
$x21 = "::size -eq 4){\"TVqQAA" ascii wide
$x22 = "-nop -c [System.Reflection.Assembly]::Load(([WmiClass]'root\\cimv2:System_"
/* Persistence */
$xp0 = "/add default test@2021! /domain"
$xp1 = "/add default1 test@2021! /domain"
$xp2 = "oldadmin Pass8080!!"
$xp3 = "temp 123123qwE /add "
$xp4 = "oldadmin \"Pass8080!!\""
$xp5 = "nssm set xmrig AppDirectory "
condition:
1 of ($x*)
}
rule SUSP_Command_Line_Combos_Feb24_2 : SCRIPT {
meta:
description = "Detects suspicious command line combinations often found in post exploitation activities"
author = "Florian Roth"
reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
date = "2024-02-23"
score = 75
id = "d9bc6083-c3ca-5639-a9df-483fea6d0187"
strings:
$sa1 = " | iex"
$sa2 = "iwr -UseBasicParsing "
condition:
filesize < 2MB and all of them
}
rule SUSP_PS1_Combo_TransferSH_Feb24 : SCRIPT {
meta:
description = "Detects suspicious PowerShell command that downloads content from transfer.sh as often found in loaders"
author = "Florian Roth"
reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
date = "2024-02-23"
score = 70
id = "fd14cca5-9cf8-540b-9d6e-39ca2c267272"
strings:
$x1 = ".DownloadString('https://transfer.sh"
$x2 = ".DownloadString(\"https://transfer.sh"
$x3 = "Invoke-WebRequest -Uri 'https://transfer.sh"
$x4 = "Invoke-WebRequest -Uri \"https://transfer.sh"
condition:
1 of them
}
rule MAL_SUSP_RANSOM_LockBit_RansomNote_Feb24 {
meta:
description = "Detects the LockBit ransom note file 'LockBit-DECRYPT.txt' which is a sign of a LockBit ransomware infection"
author = "Florian Roth"
reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
date = "2024-02-23"
score = 75
id = "b2fcb2a7-49e8-520c-944f-6acd5ded579b"
strings:
$x1 = ">>>> Your personal DECRYPTION ID:"
condition:
1 of them
}
rule MAL_SUSP_RANSOM_Lazy_RansomNote_Feb24 {
meta:
description = "Detects the Lazy ransom note file 'HowToRestoreYourFiles.txt' which is a sign of a Lazy ransomware infection"
author = "Florian Roth"
reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
date = "2024-02-23"
score = 75
id = "287dfd67-8d0d-5906-b593-3af42a5a3aa4"
strings:
$x1 = "All Encrypted files can be reversed to original form and become usable"
condition:
1 of them
}
rule SUSP_MAL_SigningCert_Feb24_1 {
meta:
description = "Detects PE files signed with a certificate used to sign malware samples mentioned in a HuntressLabs report on the exploitation of ScreenConnect vulnerability CVE-2024-1708 and CVE-2024-1709"
author = "Florian Roth"
reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
date = "2024-02-23"
score = 75
hash1 = "37a39fc1feb4b14354c4d4b279ba77ba51e0d413f88e6ab991aad5dd6a9c231b"
hash2 = "e8c48250cf7293c95d9af1fb830bb8a5aaf9cfb192d8697d2da729867935c793"
id = "f25ea77a-1b4e-5c13-9117-eedf0c20335a"
strings:
$s1 = "Wisdom Promise Security Technology Co." ascii
$s2 = "Globalsign TSA for CodeSign1" ascii
$s3 = { 5D AC 0B 6C 02 5A 4B 21 89 4B A3 C2 }
condition:
uint16(0) == 0x5a4d
and filesize < 70000KB
and all of them
}
rule MAL_CS_Loader_Feb24_1 {
meta:
description = "Detects Cobalt Strike malware samples mentioned in a HuntressLabs report on the exploitation of ScreenConnect vulnerability CVE-2024-1708 and CVE-2024-1709"
author = "Florian Roth"
reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
date = "2024-02-23"
score = 75
hash1 = "0a492d89ea2c05b1724a58dd05b7c4751e1ffdd2eab3a2f6a7ebe65bf3fdd6fe"
id = "6c9914a4-b079-5a39-9d3b-7b9a2b54dc2b"
strings:
$s1 = "Dll_x86.dll" ascii fullword
condition:
uint16(0) == 0x5a4d
and filesize < 1000KB
and (
pe.exports("UpdateSystem") and (
pe.imphash() == "0dc05c4c21a86d29f1c3bf9cc5b712e0"
or $s1
)
)
}
rule MAL_RANSOM_LockBit_Indicators_Feb24 {
meta:
description = "Detects Lockbit ransomware samples mentioned in a HuntressLabs report on the exploitation of ScreenConnect vulnerability CVE-2024-1708 and CVE-2024-1709"
author = "Florian Roth"
reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
date = "2024-02-23"
score = 75
hash1 = "a50d9954c0a50e5804065a8165b18571048160200249766bfa2f75d03c8cb6d0"
id = "108430c8-4fe5-58a1-b709-539b257c120c"
strings:
$op1 = { 76 c1 95 8b 18 00 93 56 bf 2b 88 71 4c 34 af b1 a5 e9 77 46 c3 13 }
$op2 = { e0 02 10 f7 ac 75 0e 18 1b c2 c1 98 ac 46 }
$op3 = { 8b c6 ab 53 ff 15 e4 57 42 00 ff 45 fc eb 92 ff 75 f8 ff 15 f4 57 42 00 }
condition:
uint16(0) == 0x5a4d
and filesize < 500KB
and (
pe.imphash() == "914685b69f2ac2ff61b6b0f1883a054d"
or 2 of them
) or all of them
}
rule MAL_MSI_Mpyutils_Feb24_1 {
meta:
description = "Detects malicious MSI package mentioned in a HuntressLabs report on the exploitation of ScreenConnect vulnerability CVE-2024-1708 and CVE-2024-1709"
author = "Florian Roth"
reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
date = "2024-02-23"
score = 70
hash1 = "8e51de4774d27ad31a83d5df060ba008148665ab9caf6bc889a5e3fba4d7e600"
id = "e7794336-a325-5b92-8c25-81ed9cb28044"
strings:
$s1 = "crypt64ult.exe" ascii fullword
$s2 = "EXPAND.EXE" wide fullword
$s6 = "ICACLS.EXE" wide fullword
condition:
uint16(0) == 0xcfd0
and filesize < 20000KB
and all of them
}
rule MAL_Beacon_Unknown_Feb24_1 {
meta:
description = "Detects malware samples mentioned in a HuntressLabs report on the exploitation of ScreenConnect vulnerability CVE-2024-1708 and CVE-2024-1709 "
author = "Florian Roth"
reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
date = "2024-02-23"
score = 75
hash1 = "6e8f83c88a66116e1a7eb10549542890d1910aee0000e3e70f6307aae21f9090"
hash2 = "b0adf3d58fa354dbaac6a2047b6e30bc07a5460f71db5f5975ba7b96de986243"
hash3 = "c0f7970bed203a5f8b2eca8929b4e80ba5c3276206da38c4e0a4445f648f3cec"
id = "9299fd44-5327-5a73-8299-108b710cb16e"
strings:
$s1 = "Driver.dll" wide fullword
$s2 = "X l.dlT" ascii fullword
$s3 = "$928c7481-dd27-8e23-f829-4819aefc728c" ascii fullword
condition:
uint16(0) == 0x5a4d
and filesize < 2000KB
and 3 of ($s*)
}
/* --------------------------------------------------------------------------------- */
/* only usable with THOR or THOR Lite, e.g. in THOR Cloud */
rule SUSP_ScreenConnect_User_Gmail_2024_Feb24 {
meta:
description = "Detects suspicious ScreenConnect user with Gmail address created in 2024, which could be a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass"
author = "Florian Roth"
reference = "https://twitter.com/_johnhammond/status/1760357971127832637"
date = "2024-02-22"
score = 65
id = "3c86f4ee-4e8c-566b-b54e-e94418e4ec7e"
strings:
$a1 = "<Users xmlns:xsi="
$s1 = "@gmail.com</Email>"
$s2 = "<CreationDate>2024-"
condition:
filesize < 200KB
and all of them
and filepath contains "\\ScreenConnect\\App_Data\\"
}
rule SUSP_ScreenConnect_New_User_2024_Feb24 {
meta:
description = "Detects suspicious new ScreenConnect user created in 2024, which could be a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass"
author = "Florian Roth"
reference = "https://twitter.com/_johnhammond/status/1760357971127832637"
date = "2024-02-22"
score = 50
id = "f6675ded-39a4-590a-a201-fcfe3c056e60"
strings:
$a1 = "<Users xmlns:xsi="
$s1 = "<CreationDate>2024-"
condition:
filesize < 200KB
and all of them
and filepath contains "\\ScreenConnect\\App_Data\\"
}
rule SUSP_ScreenConnect_User_2024_No_Logon_Feb24 {
meta:
description = "Detects suspicious ScreenConnect user created in 2024 but without any login, which could be a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass"
author = "Florian Roth"
reference = "https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc/blob/45e5b2f699a4d8f2d59ec3fc79a2e3c99db71882/watchtowr-vs-ConnectWise_2024-02-21.py#L53"
date = "2024-02-23"
score = 60
id = "c0861f1c-08e2-565d-a468-2075c51b4004"
strings:
$a1 = "<Users xmlns:xsi="
$a2 = "<CreationDate>"
$s1 = "<CreationDate>2024-"
$s2 = "<LastLoginDate>0001-01-01T00:00:00</LastLoginDate>"
condition:
filesize < 200KB
and all of them
and filepath contains "\\ScreenConnect\\App_Data\\"
}

View file

@ -1,68 +0,0 @@
import "pe"
rule SUSP_Fake_AMSI_DLL_Jun23_1 {
meta:
description = "Detects an amsi.dll that has the same exports as the legitimate one but very different contents or file sizes"
author = "Florian Roth"
reference = "https://twitter.com/eversinc33/status/1666121784192581633?s=20"
date = "2023-06-07"
modified = "2023-06-12"
score = 65
id = "b12df9de-ecfb-562b-b599-87fa786a33bc"
strings:
$a1 = "Microsoft.Antimalware.Scan.Interface" ascii
$a2 = "Amsi.pdb" ascii fullword
$a3 = "api-ms-win-core-sysinfo-" ascii
$a4 = "Software\\Microsoft\\AMSI\\Providers" wide
$a5 = "AmsiAntimalware@" ascii
$a6 = "AMSI UAC Scan" ascii
$fp1 = "Wine builtin DLL"
condition:
uint16(0) == 0x5a4d
// AMSI.DLL exports
and (
pe.exports("AmsiInitialize")
and pe.exports("AmsiScanString")
)
// and now the anomalies
and (
filesize > 200KB // files bigger than 100kB
or filesize < 35KB // files smaller than 35kB
or not 4 of ($a*) // files that don't contain the expected strings
)
and not 1 of ($fp*)
}
/* Uses the external variable "filename" and can thus only be used in LOKI or THOR */
rule SUSP_Fake_AMSI_DLL_Jun23_2 {
meta:
description = "Detects an amsi.dll that has very different contents or file sizes than the legitimate"
author = "Florian Roth"
reference = "https://twitter.com/eversinc33/status/1666121784192581633?s=20"
date = "2023-06-07"
modified = "2023-06-14"
score = 65
id = "adec9525-6299-52d5-8f4e-a83366d3dcfd"
strings:
$a1 = "Microsoft.Antimalware.Scan.Interface" ascii
$a2 = "Amsi.pdb" ascii fullword
$a3 = "api-ms-win-core-sysinfo-" ascii
$a4 = "Software\\Microsoft\\AMSI\\Providers" wide
$a5 = "AmsiAntimalware@" ascii
$a6 = "AMSI UAC Scan" ascii
$fp1 = "Wine builtin DLL"
condition:
uint16(0) == 0x5a4d
// AMSI.DLL
and filename == "amsi.dll"
// and now the anomalies
and (
filesize > 200KB // files bigger than 100kB
or filesize < 35KB // files smaller than 35kB
or not 4 of ($a*) // files that don't contain the expected strings
)
and not 1 of ($fp*)
}

View file

@ -1,428 +0,0 @@
import "pe"
rule APT_MAL_NK_3CX_Malicious_Samples_Mar23_1 {
meta:
description = "Detects malicious DLLs related to 3CX compromise"
author = "X__Junior, Florian Roth (Nextron Systems)"
reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
date = "2023-03-29"
modified = "2023-04-20"
score = 85
hash1 = "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896"
hash2 = "c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02"
hash3 = "cc4eedb7b1f77f02b962f4b05278fa7f8082708b5a12cacf928118520762b5e2"
id = "a6ea3299-fde5-5206-b5db-eb3a3f5944d9"
strings:
$opa1 = { 4C 89 F1 4C 89 EA 41 B8 40 00 00 00 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 4C 89 F0 FF 15 ?? ?? ?? ?? 4C 8D 4C 24 ?? 45 8B 01 4C 89 F1 4C 89 EA FF 15 } /* VirtualProtect and execute payload*/
$opa2 = { 48 C7 44 24 ?? 00 00 00 00 4C 8D 7C 24 ?? 48 89 F9 48 89 C2 41 89 E8 4D 89 F9 FF 15 ?? ?? ?? ?? 41 83 3F 00 0F 84 ?? ?? ?? ?? 0F B7 03 3D 4D 5A 00 00} /* ReadFile and MZ compare*/
$opa3 = { 41 80 7C 00 ?? FE 75 ?? 41 80 7C 00 ?? ED 75 ?? 41 80 7C 00 ?? FA 75 ?? 41 80 3C 00 CE} /* marker */
$opa4 = { 44 0F B6 CD 46 8A 8C 0C ?? ?? ?? ?? 45 30 0C 0E 48 FF C1} /* xor part in RC4 decryption*/
$opb1 = { 41 B8 40 00 00 00 49 8B D5 49 8B CC FF 15 ?? ?? ?? ?? 85 C0 74 ?? 41 FF D4 44 8B 45 ?? 4C 8D 4D ?? 49 8B D5 49 8B CC FF 15 } /* VirtualProtect and execute payload */
$opb2 = { 44 8B C3 48 89 44 24 ?? 48 8B 5C 24 ?? 4C 8D 4D ?? 48 8B CB 48 89 74 24 ?? 48 8B D0 4C 8B F8 FF 15 } /* ReadFile and MZ compare*/
$opb3 = { 80 78 ?? FE 75 ?? 80 78 ?? ED 75 ?? 80 38 FA 75 ?? 80 78 ?? CE } /* marker */
$opb4 = { 49 63 C1 44 0F B6 44 05 ?? 44 88 5C 05 ?? 44 88 02 0F B6 54 05 ?? 49 03 D0 0F B6 C2 0F B6 54 05 ?? 41 30 12} /* xor part in RC4 decryption*/
condition:
uint16(0) == 0x5a4d
and filesize < 5MB
and pe.characteristics & pe.DLL
and ( 2 of ($opa*) or 2 of ($opb*) )
}
rule APT_MAL_NK_3CX_Malicious_Samples_Mar23_2 {
meta:
description = "Detects malicious DLLs related to 3CX compromise (decrypted payload)"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/dan__mayer/status/1641170769194672128?s=20"
date = "2023-03-29"
score = 80
hash1 = "aa4e398b3bd8645016d8090ffc77d15f926a8e69258642191deb4e68688ff973"
id = "bf3597ff-d62b-5d21-9c9b-e46e685284cf"
strings:
$s1 = "raw.githubusercontent.com/IconStorages/images/main/icon%d.ico" wide fullword
$s2 = "https://raw.githubusercontent.com/IconStorages" wide fullword
$s3 = "icon%d.ico" wide fullword
$s4 = "__tutmc" ascii fullword
$op1 = { 2d ee a1 00 00 c5 fa e6 f5 e9 40 fe ff ff 0f 1f 44 00 00 75 2e c5 fb 10 0d 46 a0 00 00 44 8b 05 7f a2 00 00 e8 0a 0e 00 00 }
$op4 = { 4c 8d 5c 24 71 0f 57 c0 48 89 44 24 60 89 44 24 68 41 b9 15 cd 5b 07 0f 11 44 24 70 b8 b1 68 de 3a 41 ba a4 7b 93 02 }
$op5 = { f7 f3 03 d5 69 ca e8 03 00 00 ff 15 c9 0a 02 00 48 8d 44 24 30 45 33 c0 4c 8d 4c 24 38 48 89 44 24 20 }
condition:
uint16(0) == 0x5a4d and
filesize < 900KB and 3 of them
or 5 of them
}
rule APT_MAL_NK_3CX_Malicious_Samples_Mar23_3 {
meta:
description = "Detects malicious DLLs related to 3CX compromise (decrypted payload)"
author = "Florian Roth , X__Junior (Nextron Systems)"
reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
date = "2023-03-29"
score = 80
hash1 = "aa4e398b3bd8645016d8090ffc77d15f926a8e69258642191deb4e68688ff973"
id = "d2d361b6-8485-57eb-b6eb-88785f42e93e"
strings:
$opa1 = { 41 81 C0 ?? ?? ?? ?? 02 C8 49 C1 E9 ?? 41 88 4B ?? 4D 03 D1 8B C8 45 8B CA C1 E1 ?? 33 C1 41 69 D0 ?? ?? ?? ?? 8B C8 C1 E9 ?? 33 C1 8B C8 C1 E1 ?? 81 C2 ?? ?? ?? ?? 33 C1 43 8D 0C 02 02 C8 49 C1 EA ?? 41 88 0B 8B C8 C1 E1 ?? 33 C1 44 69 C2 ?? ?? ?? ?? 8B C8 C1 E9 ?? 33 C1 8B C8 C1 E1 ?? 41 81 C0 } /*lcg chunk */
$opa2 = { 8B C8 41 69 D1 ?? ?? ?? ?? C1 E1 ?? 33 C1 45 8B CA 8B C8 C1 E9 ?? 33 C1 81 C2 ?? ?? ?? ?? 8B C8 C1 E1 ?? 33 C1 41 8B C8 4C 0F AF CF 44 69 C2 ?? ?? ?? ?? 4C 03 C9 45 8B D1 4C 0F AF D7} /*lcg chunk */
$opb1 = { 45 33 C9 48 89 6C 24 ?? 48 8D 44 24 ?? 48 89 6C 24 ?? 8B D3 48 89 B4 24 ?? ?? ?? ?? 48 89 44 24 ?? 45 8D 41 ?? FF 15 } /* base64 decode */
$opb2 = { 44 8B 0F 45 8B C6 48 8B 4D ?? 49 8B D7 44 89 64 24 ?? 48 89 7C 24 ?? 44 89 4C 24 ?? 4C 8D 4D ?? 48 89 44 24 ?? 44 89 64 24 ?? 4C 89 64 24 ?? FF 15} /* AES decryption */
$opb3 = { 48 FF C2 66 44 39 2C 56 75 ?? 4C 8D 4C 24 ?? 45 33 C0 48 8B CE FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 44 0F B7 44 24 ?? 33 F6 48 8B 54 24 ?? 45 33 C9 48 8B 0B 48 89 74 24 ?? 89 74 24 ?? C7 44 24 ?? ?? ?? ?? ?? 48 89 74 24 ?? FF 15 } /* internet connection */
$opb4 = { 33 C0 48 8D 6B ?? 4C 8D 4C 24 ?? 89 44 24 ?? BA ?? ?? ?? ?? 48 89 44 24 ?? 48 8B CD 89 44 24 ?? 44 8D 40 ?? 8B F8 FF 15} /* VirtualProtect */
condition:
( all of ($opa*) )
or
( 1 of ($opa*) and 1 of ($opb*) )
or
( 3 of ($opb*) )
}
rule SUSP_APT_MAL_NK_3CX_Malicious_Samples_Mar23_1 {
meta:
description = "Detects marker found in malicious DLLs related to 3CX compromise"
author = "X__Junior, Florian Roth (Nextron Systems)"
reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
date = "2023-03-29"
modified = "2023-04-20"
score = 75
hash1 = "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896"
hash2 = "c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02"
hash3 = "cc4eedb7b1f77f02b962f4b05278fa7f8082708b5a12cacf928118520762b5e2"
id = "9fc6eb94-d02f-5bcd-9f55-b6c6a8301b4f"
strings:
$opx1 = { 41 80 7C 00 FD FE 75 ?? 41 80 7C 00 FE ED 75 ?? 41 80 7C 00 FF FA 75 ?? 41 80 3C 00 CE } /* marker */
$opx2 = { 80 78 ?? FE 75 ?? 80 78 ?? ED 75 ?? 80 38 FA 75 ?? 80 78 ?? CE } /* marker */
condition:
1 of them
}
rule APT_SUSP_NK_3CX_RC4_Key_Mar23_1 {
meta:
description = "Detects RC4 key used in 3CX binaries known to be malicious"
author = "Florian Roth (Nextron Systems)"
date = "2023-03-29"
reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
score = 70
hash1 = "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896"
hash2 = "59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983"
hash3 = "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868"
hash4 = "c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02"
id = "18ea2185-11a1-51ad-a51a-df9e6357bb58"
strings:
$x1 = "3jB(2bsG#@c7"
condition:
( uint16(0) == 0xcfd0 or uint16(0) == 0x5a4d )
and $x1
}
rule SUSP_3CX_App_Signed_Binary_Mar23_1 {
meta:
description = "Detects 3CX application binaries signed with a certificate and created in a time frame in which other known malicious binaries have been created"
author = "Florian Roth (Nextron Systems)"
date = "2023-03-29"
reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
score = 65
hash1 = "fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405"
hash2 = "dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc"
id = "b6ce4c1d-1b7b-5e0c-af4c-05cb3ad0a4e0"
strings:
$sa1 = "3CX Ltd1"
$sa2 = "3CX Desktop App" wide
$sc1 = { 1B 66 11 DF 9C 9A 4D 6E CC 8E D5 0C 9B 91 78 73 } // Known compromised cert
condition:
uint16(0) == 0x5a4d
and pe.timestamp > 1669680000 // 29.11.2022 earliest known malicious sample
and pe.timestamp < 1680108505 // 29.03.2023 date of the report
and all of ($sa*)
and $sc1 // serial number of known compromised certificate
}
rule SUSP_3CX_MSI_Signed_Binary_Mar23_1 {
meta:
description = "Detects 3CX MSI installers signed with a known compromised certificate and signed in a time frame in which other known malicious binaries have been signed"
author = "Florian Roth (Nextron Systems)"
date = "2023-03-29"
reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
score = 60
hash1 = "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868"
hash2 = "59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983"
id = "15d6d8ca-6982-5095-9879-ce97269a71c6"
strings:
$a1 = { 84 10 0C 00 00 00 00 00 C0 00 00 00 00 00 00 46 } // MSI marker
$sc1 = { 1B 66 11 DF 9C 9A 4D 6E CC 8E D5 0C 9B 91 78 73 } // Known compromised cert
$s1 = "3CX Ltd1"
$s2 = "202303" // in
condition:
uint16(0) == 0xcfd0
and $a1
and $sc1
and (
$s1 in (filesize-20000..filesize)
and $s2 in (filesize-20000..filesize)
)
}
rule APT_MAL_macOS_NK_3CX_Malicious_Samples_Mar23_1 {
meta:
description = "Detects malicious macOS application related to 3CX compromise (decrypted payload)"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
date = "2023-03-30"
score = 80
hash1 = "b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb"
hash2 = "ac99602999bf9823f221372378f95baa4fc68929bac3a10e8d9a107ec8074eca"
hash3 = "51079c7e549cbad25429ff98b6d6ca02dc9234e466dd9b75a5e05b9d7b95af72"
id = "ff39e577-7063-5025-bead-68394a86c87c"
strings:
$s1 = "20230313064152Z0"
$s2 = "Developer ID Application: 3CX (33CF4654HL)"
condition:
( uint16(0) == 0xfeca or uint16(0) == 0xfacf or uint32(0) == 0xbebafeca ) and all of them
}
/* 30.03.2023 */
rule APT_MAL_MacOS_NK_3CX_DYLIB_Mar23_1 {
meta:
description = "Detects malicious DYLIB files related to 3CX compromise"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/"
date = "2023-03-30"
score = 80
hash1 = "a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67"
hash2 = "fee4f9dabc094df24d83ec1a8c4e4ff573e5d9973caa676f58086c99561382d7"
id = "a19904d3-9b2d-561f-b734-20bf09584fa7"
strings:
/* XORed UA 0x7a */
$xc1 = { 37 15 00 13 16 16 1B 55 4F 54 4A 5A 52 2D 13 14
1E 15 0D 09 5A 34 2E 5A 4B 4A 54 4A 41 5A 2D 13
14 4C 4E 41 5A 02 4C 4E 53 5A 3B 0A 0A 16 1F 2D
1F 18 31 13 0E 55 4F 49 4D 54 49 4C 5A 52 31 32
2E 37 36 56 5A 16 13 11 1F 5A 3D 1F 19 11 15 53
5A 39 12 08 15 17 1F 55 4B 4A 42 54 4A 54 4F 49
4F 43 54 4B 48 42 5A 29 1B 1C 1B 08 13 55 4F 49
4D 54 49 4C 7A }
/* /;3cx_auth_token_content=%s;__tutma= */
$xc2 = { 41 49 19 02 25 1b 0f 0e 12 25 0e 15 11 1f 14 25 19 15 14 0e 1f 14 0e 47 5f 09 41 25 25 0e 0f 0e 17 1b 47 }
/* /System/Library/CoreServices/SystemVersion.plist */
$xc3 = { 55 29 03 09 0e 1f 17 55 36 13 18 08 1b 08 03 55 39 15 08 1f 29 1f 08 0c 13 19 1f 09 55 29 03 09 0e 1f 17 2c 1f 08 09 13 15 14 54 0a 16 13 09 0e }
condition:
1 of them
}
rule APT_SUSP_NK_3CX_Malicious_Samples_Mar23_1 {
meta:
description = "Detects indicator (event name) found in samples related to 3CX compromise"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/"
date = "2023-03-30"
score = 70
hash1 = "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896"
hash2 = "59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983"
hash3 = "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868"
hash4 = "c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02"
id = "b233846a-19df-579b-a674-233d66824008"
strings:
$a1 = "AVMonitorRefreshEvent" wide fullword
condition:
1 of them
}
rule APT_MAL_NK_3CX_Malicious_Samples_Mar23_4 {
meta:
author = "MalGamy (Nextron Systems)"
reference = "https://twitter.com/WhichbufferArda/status/1641404343323688964?s=20"
description = "Detects decrypted payload loaded inside 3CXDesktopApp.exe which downloads info stealer"
date = "2023-03-29"
hash = "851c2c99ebafd4e5e9e140cfe3f2d03533846ca16f8151ae8ee0e83c692884b7"
score = 80
id = "d11170df-570c-510c-80ec-39048acd0fbd"
strings:
$op1 = {41 69 D0 [4] 8B C8 C1 E9 ?? 33 C1 8B C8 C1 E1 ?? 81 C2 [4] 33 C1 43 8D 0C 02 02 C8 49 C1 EA ?? 41 88 0B 8B C8 C1 E1 ?? 33 C1 44 69 C2 [4] 8B C8 C1 E9 ?? 33 C1 8B C8 C1 E1 ?? 41 81 C0 [4] 33 C1 4C 0F AF CF 4D 03 CA 45 8B D1 4C 0F AF D7 41 8D 0C 11 49 C1 E9 ?? 02 C8} // // xor with mul operation
$op2 = {4D 0F AF CC 44 69 C2 [4] 4C 03 C9 45 8B D1 4D 0F AF D4 41 8D 0C 11 41 81 C0 [4] 02 C8 49 C1 E9 ?? 41 88 4B ?? 4D 03 D1 8B C8 45 8B CA C1 E1 ?? 33 C1} // xor with mul operation
$op3 = {33 C1 4C 0F AF C7 8B C8 C1 E1 ?? 4D 03 C2 33 C1} // shift operation
condition:
2 of them
}
rule MAL_3CXDesktopApp_MacOS_Backdoor_Mar23 {
meta:
author = "X__Junior (Nextron Systems)"
reference = "https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/"
description = "Detects 3CXDesktopApp MacOS Backdoor component"
date = "2023-03-30"
hash = "a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67"
score = 80
id = "80046c8e-0c2a-5885-b140-a6084f48160d"
strings:
$sa1 = "%s/.main_storage" ascii fullword
$sa2 = "%s/UpdateAgent" ascii fullword
$op1 = { 31 C0 41 80 34 06 ?? 48 FF C0 48 83 F8 ?? 75 ?? BE ?? ?? ?? ?? BA ?? ?? ?? ?? 4C 89 F7 48 89 D9 E8 ?? ?? ?? ?? 48 89 DF E8 ?? ?? ?? ?? 48 89 DF E8 ?? ?? ?? ?? 4C 89 F7 5B 41 5E 41 5F E9 ?? ?? ?? ?? 5B 41 5E 41 5F C3} /* string decryption */
$op2 = { 0F 11 84 24 ?? ?? ?? ?? 0F 28 05 ?? ?? ?? ?? 0F 29 84 24 ?? ?? ?? ?? 0F 28 05 ?? ?? ?? ?? 0F 29 84 24 ?? ?? ?? ?? 31 C0 80 B4 04 ?? ?? ?? ?? ?? 48 FF C0} /* string decryption */
condition:
( ( uint16(0) == 0xfeca or uint16(0) == 0xfacf or uint32(0) == 0xbebafeca ) and filesize < 6MB
and
(
( 1 of ($sa*) and 1 of ($op* ) )
or all of ($sa*)
)
)
or ( all of ($op*) )
}
/* 31.03.2023 */
rule APT_MAL_NK_3CX_ICONIC_Stealer_Mar23_1 {
meta:
description = "Detects ICONIC stealer payload used in the 3CX incident"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/volexity/threat-intel/blob/main/2023/2023-03-30%203CX/attachments/iconicstealer.7z"
date = "2023-03-31"
score = 80
hash1 = "8ab3a5eaaf8c296080fadf56b265194681d7da5da7c02562953a4cb60e147423"
id = "e92b5b90-1146-5235-9711-a4d42689c49b"
strings:
$s1 = "{\"HostName\": \"%s\", \"DomainName\": \"%s\", \"OsVersion\": \"%d.%d.%d\"}" wide fullword
$s2 = "******************************** %s ******************************" wide fullword
$s3 = "AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data" wide fullword
$s4 = "AppData\\Roaming\\Mozilla\\Firefox\\Profiles" wide fullword
$s5 = "SELECT url, title FROM urls ORDER BY id DESC LIMIT 500" wide fullword
$s6 = "TEXT value in %s.%s" ascii fullword
$op1 = { 48 63 d1 48 63 ce 49 03 d1 49 03 cd 4c 63 c7 e8 87 1f 09 00 8b 45 d0 44 8d 04 37 }
$op2 = { 48 8b c8 8b 56 f0 48 89 46 d8 e8 78 8f f8 ff e9 ec 13 00 00 c7 46 20 ff ff ff ff e9 e0 13 00 00 33 ff }
condition:
uint16(0) == 0x5a4d
and filesize < 4000KB
and 4 of them
or 6 of them
}
rule APT_MAL_NK_3CX_macOS_Elextron_App_Mar23_1 {
meta:
description = "Detects macOS malware used in the 3CX incident"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2023-03-31"
score = 80
hash1 = "51079c7e549cbad25429ff98b6d6ca02dc9234e466dd9b75a5e05b9d7b95af72"
hash2 = "f7ba7f9bf608128894196cf7314f68b78d2a6df10718c8e0cd64dbe3b86bc730"
id = "7a3755d4-37e5-5d3b-93aa-34edb557f2d5"
strings:
$a1 = "com.apple.security.cs.allow-unsigned-executable-memory" ascii
$a2 = "com.electron.3cx-desktop-app" ascii fullword
$s1 = "s8T/RXMlALbXfowom9qk15FgtdI=" ascii
$s2 = "o8NQKPJE6voVZUIGtXihq7lp0cY=" ascii
condition:
uint16(0) == 0xfacf and
filesize < 400KB and (
all of ($a*)
and 1 of ($s*)
)
}
rule MAL_3CXDesktopApp_MacOS_UpdateAgent_Mar23 {
meta:
description = "Detects 3CXDesktopApp MacOS UpdateAgent backdoor component"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/patrickwardle/status/1641692164303515653?s=20"
date = "2023-03-30"
hash = "9e9a5f8d86356796162cee881c843cde9eaedfb3"
score = 80
id = "596eb6d0-f96f-5106-ae67-9372d238e4cf"
strings:
$a1 = "/3CX Desktop App/.main_storage" ascii
$x1 = ";3cx_auth_token_content=%s;__tutma=true"
$s1 = "\"url\": \"https://"
$s3 = "/dev/null"
$s4 = "\"AccountName\": \""
condition:
uint16(0) == 0xfeca
and filesize < 6MB
and (
1 of ($x*)
or ( $a1 and all of ($s*) )
) or all of them
}
rule SUSP_APT_3CX_Regtrans_Anomaly_Apr23 : METARULE {
meta:
description = "Detects suspicious .regtrans-ms files with suspicious size or contents"
author = "Florian Roth"
reference = "https://www.3cx.com/blog/news/mandiant-initial-results/"
date = "2023-04-12"
score = 60
id = "97406b8d-68fe-5f68-a26a-205dd4694e50"
strings:
$fp1 = "REGISTRY" wide
condition:
extension == ".regtrans-ms" and (
filesize < 100KB
and not 1 of ($fp*)
)
}
rule APT_MAL_VEILEDSIGNAL_Backdoor_Apr23_2 {
meta:
description = "Detects malicious VEILEDSIGNAL backdoor"
author = "X__Junior"
reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/xtrader-3cx-supply-chain"
date = "2023-04-29"
hash = "c4887a5cd6d98e273ba6e9ea3c1d8f770ef26239819ea24a1bfebd81d6870505"
score = 80
id = "ff1fa0bd-19b7-553a-9506-bc5aa5d29056"
strings:
$sa1 = "\\.\\pipe\\gecko.nativeMessaging" ascii
$sa2 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40" ascii
$sa3 = "application/json, text/javascript, */*; q=0.01" ascii
$op1 = { 89 7? 24 ?? 44 8B CD 4C 8B C? 48 89 44 24 ?? 33 D2 33 C9 FF 15} /* MultiByteToWideChar */
$op2 = { 4C 8B CB 4C 89 74 24 ?? 4C 8D 05 ?? ?? ?? ?? 44 89 74 24 ?? 33 D2 33 C9 FF 15} /* create thread*/
$op3 = { 48 89 74 24 ?? 45 33 C0 89 74 24 ?? 41 B9 ?? ?? ?? ?? 89 74 24 ?? 48 8B D8 48 C7 00 ?? ?? ?? ?? 48 8B 0F 41 8D 50 ?? 48 89 44 24 ?? 89 74 24 ?? FF 15} /* CreateNamedPipeW */
condition:
all of ($op*) or all of ($sa*)
}
rule APT_MAL_VEILEDSIGNAL_Backdoor_Apr23_3 {
meta:
description = "Detects malicious VEILEDSIGNAL backdoor"
author = "X__Junior"
reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/xtrader-3cx-supply-chain"
date = "2023-04-29"
hash = "595392959b609caf088d027a23443cf2fefd043607ccdec3de19ad3bb43a74b1"
score = 80
id = "6b6f984e-242a-5b84-baa9-6311992cde9b"
strings:
$op1 = { 4C 8B CB 4C 89 74 24 ?? 4C 8D 05 ?? ?? ?? ?? 44 89 74 24 ?? 33 D2 33 C9 FF 15} /* create thread*/
$op2 = { 89 7? 24 ?? 44 8B CD 4C 8B C? 48 89 44 24 ?? 33 D2 33 C9 FF 15} /* MultiByteToWideChar */
$op3 = { 8B 54 24 ?? 4C 8D 4C 24 ?? 45 8D 46 ?? 44 89 74 24 ?? 48 8B CB FF 15} /* virtualprotect */
$op4 = { 48 8D 44 24 ?? 45 33 C9 41 B8 01 00 00 40 48 89 44 24 ?? 41 8B D5 48 8B CF FF 15} /* CryptBinaryToStringA */
condition:
all of them
}
rule APT_MAL_VEILEDSIGNAL_Backdoor_Apr23_4 {
meta:
description = "Detects malicious VEILEDSIGNAL backdoor"
author = "X__Junior"
reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/xtrader-3cx-supply-chain"
date = "2023-04-29"
hash = "9b0761f81afb102bb784b398b16faa965594e469a7fcfdfd553ced19cc17e70b"
score = 80
id = "77340ec0-36bb-5c47-995f-4e6f76b68fe1"
strings:
$op1 = { 48 8D 15 ?? ?? ?? ?? 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 48 8D 15 ?? ?? ?? ?? 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 48 8D 15 ?? ?? ?? ?? 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 85 C0 } /* check for certian process */
$op2 = { 48 8B C8 48 8D 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 45 33 C0 4C 8D 4D ?? B2 01 41 8D 48 ?? FF D0} /* RtlAdjustPrivilege */
$op3 = { 33 FF C7 44 24 ?? 38 02 00 00 33 D2 8D 4F ?? FF 15 ?? ?? ?? ?? 48 8B D8 48 83 F8 FF 74 ?? 48 8D 54 24 ?? 48 8B C8 FF 15 } /* Process32FirstW */
$op4 = { 4C 8D 05 ?? ?? ?? ?? 48 89 4C 24 ?? 4C 8B C8 33 D2 89 4C 24 ?? FF 15 } /* create thread*/
condition:
all of them
}

View file

@ -1,30 +0,0 @@
import "pe"
rule SUSP_VCRuntime_Sideloading_Indicators_Aug23 {
meta:
description = "Detects indicators of .NET based malware sideloading as VCRUNTIME140 with .NET DLL imports"
author = "Jonathan Peters"
date = "2023-08-30"
hash = "b4bc73dfe9a781e2fee4978127cb9257bc2ffd67fc2df00375acf329d191ffd6"
score = 75
id = "00400122-1343-5051-af31-880a3ef1745d"
condition:
(filename == "VCRUNTIME140.dll" or filename == "vcruntime140.dll")
and pe.imports("mscoree.dll", "_CorDllMain")
}
// rule SUSP_VCRuntime_Sideloading_Indicators_1_Aug23 {
// meta:
// description = "Detects indicators of .NET based malware sideloading as an unsigned VCRUNTIME140"
// author = "Jonathan Peters"
// date = "2023-08-30"
// hash = "b4bc73dfe9a781e2fee4978127cb9257bc2ffd67fc2df00375acf329d191ffd6"
// score = 75
// strings:
// $fp1 = "Wine builtin DLL" ascii
// condition:
// (filename == "VCRUNTIME140.dll" or filename == "vcruntime140.dll")
// and not pe.number_of_signatures == 0
// and not pe.signatures[0].issuer contains "Microsoft Corporation"
// and not $fp1
// }

View file

@ -1,103 +0,0 @@
/*
Webshell rules that use external variables for false positive filtering
*/
rule webshell_php_by_string_obfuscation : FILE {
meta:
description = "PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp"
date = "2021/01/09"
modified = "2022-10-25"
hash = "e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc"
id = "be890bf6-de7e-588e-b5cd-72e8081d0b9c"
strings:
$opbs13 = "{\"_P\"./*-/*-*/\"OS\"./*-/*-*/\"T\"}" wide ascii
$opbs14 = "/*-/*-*/\"" wide ascii
$opbs16 = "'ev'.'al'" wide ascii
$opbs17 = "'e'.'val'" wide ascii
$opbs18 = "e'.'v'.'a'.'l" wide ascii
$opbs19 = "bas'.'e6'." wide ascii
$opbs20 = "ba'.'se6'." wide ascii
$opbs21 = "as'.'e'.'6'" wide ascii
$opbs22 = "gz'.'inf'." wide ascii
$opbs23 = "gz'.'un'.'c" wide ascii
$opbs24 = "e'.'co'.'d" wide ascii
$opbs25 = "cr\".\"eat" wide ascii
$opbs26 = "un\".\"ct" wide ascii
$opbs27 = "'c'.'h'.'r'" wide ascii
$opbs28 = "\"ht\".\"tp\".\":/\"" wide ascii
$opbs29 = "\"ht\".\"tp\".\"s:" wide ascii
$opbs31 = "'ev'.'al'" nocase wide ascii
$opbs32 = "eval/*" nocase wide ascii
$opbs33 = "eval(/*" nocase wide ascii
$opbs34 = "eval(\"/*" nocase wide ascii
$opbs36 = "assert/*" nocase wide ascii
$opbs37 = "assert(/*" nocase wide ascii
$opbs38 = "assert(\"/*" nocase wide ascii
$opbs40 = "'ass'.'ert'" nocase wide ascii
$opbs41 = "${'_'.$_}['_'](${'_'.$_}['__'])" wide ascii
$opbs44 = "'s'.'s'.'e'.'r'.'t'" nocase wide ascii
$opbs45 = "'P'.'O'.'S'.'T'" wide ascii
$opbs46 = "'G'.'E'.'T'" wide ascii
$opbs47 = "'R'.'E'.'Q'.'U'" wide ascii
$opbs48 = "se'.(32*2)" nocase
$opbs49 = "'s'.'t'.'r_'" nocase
$opbs50 = "'ro'.'t13'" nocase
$opbs51 = "c'.'od'.'e" nocase
$opbs53 = "e'. 128/2 .'_' .'d"
// move malicious code out of sight if line wrapping not enabled
$opbs54 = "<?php " //here I end
$opbs55 = "=chr(99).chr(104).chr(114);$_"
$opbs56 = "\\x47LOBAL"
$opbs57 = "pay\".\"load"
$opbs58 = "bas'.'e64"
$opbs59 = "dec'.'ode"
$opbs60 = "fla'.'te"
// rot13 of eval($_POST
$opbs70 = "riny($_CBFG["
$opbs71 = "riny($_TRG["
$opbs72 = "riny($_ERDHRFG["
$opbs73 = "eval(str_rot13("
$opbs74 = "\"p\".\"r\".\"e\".\"g\""
$opbs75 = "$_'.'GET"
$opbs76 = "'ev'.'al("
// eval( in hex
$opbs77 = "\\x65\\x76\\x61\\x6c\\x28" wide ascii nocase
//strings from private rule capa_php_old_safe
$php_short = "<?" wide ascii
// prevent xml and asp from hitting with the short tag
$no_xml1 = "<?xml version" nocase wide ascii
$no_xml2 = "<?xml-stylesheet" nocase wide ascii
$no_asp1 = "<%@LANGUAGE" nocase wide ascii
$no_asp2 = /<script language="(vb|jscript|c#)/ nocase wide ascii
$no_pdf = "<?xpacket"
// of course the new tags should also match
// already matched by "<?"
$php_new1 = /<\?=[^?]/ wide ascii
$php_new2 = "<?php" nocase wide ascii
$php_new3 = "<script language=\"php" nocase wide ascii
$fp1 = "NanoSpell TinyMCE Spellchecker for PHP" ascii fullword
condition:
filesize < 500KB and (
(
(
$php_short in (0..100) or
$php_short in (filesize-1000..filesize)
)
and not any of ( $no_* )
)
or any of ( $php_new* )
)
and any of ( $opbs* )
and not 1 of ($fp*)
and not filepath contains "\\Cache\\" /* generic cache e.g. for Chrome: \User Data\Default\Cache\ */
and not filepath contains "\\User Data\\Default\\Extensions\\" // chrome extensions
and not filepath contains "\\cache2\\" // FF cache
and not filepath contains "\\Microsoft\\Windows\\INetCache\\IE\\" // old IE
and not filepath contains "/com.apple.Safari/WebKitCache/"
and not filepath contains "\\Edge\\User Data\\" // some uncommon Edge path
}

View file

@ -1,153 +0,0 @@
/*
Generic Cloaking
Florian Roth
Nextron Systems GmbH
License: Detetction Rule License 1.1 (https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md)
*/
rule EXE_cloaked_as_TXT {
meta:
description = "Executable with TXT extension"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
id = "2188c0fe-71b0-5dee-bde9-f310c66e39c6"
condition:
uint16(0) == 0x5a4d // Executable
and filename matches /\.txt$/is // TXT extension (case insensitive)
}
rule EXE_extension_cloaking {
meta:
description = "Executable showing different extension (Windows default 'hide known extension')"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
id = "78da6129-a11d-5e9e-8eaf-2a18178b7278"
condition:
filename matches /\.txt\.exe$/is or // Special file extensions
filename matches /\.pdf\.exe$/is // Special file extensions
}
rule Cloaked_RAR_File {
meta:
description = "RAR file cloaked by a different extension"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
id = "a3a9ad40-8a39-513d-be95-73f5a909265e"
condition:
uint32be(0) == 0x52617221 // RAR File Magic Header
and not filename matches /(rarnew.dat|\.rar)$/is // not the .RAR extension
and not filename matches /\.[rR][\d]{2}$/ // split RAR file
and not filepath contains "Recycle" // not a deleted RAR file in recycler
}
rule Base64_encoded_Executable : FILE {
meta:
description = "Detects an base64 encoded executable (often embedded)"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
date = "2015-05-28"
score = 40
id = "0bfc5916-3e63-5601-9f14-65f848c9322b"
strings:
$s1 = "TVpTAQEAAAAEAAAA//8AALgAAAA" // 14 samples in goodware archive
$s2 = "TVoAAAAAAAAAAAAAAAAAAAAAAAA" // 26 samples in goodware archive
$s3 = "TVqAAAEAAAAEABAAAAAAAAAAAAA" // 75 samples in goodware archive
$s4 = "TVpQAAIAAAAEAA8A//8AALgAAAA" // 168 samples in goodware archive
$s5 = "TVqQAAMAAAAEAAAA//8AALgAAAA" // 28,529 samples in goodware archive
condition:
1 of them
and not filepath contains "Thunderbird"
and not filepath contains "Internet Explorer"
and not filepath contains "Chrome"
and not filepath contains "Opera"
and not filepath contains "Outlook"
and not filepath contains "Temporary Internet Files"
}
rule Gen_Base64_EXE: HIGHVOL {
meta:
description = "Detects Base64 encoded Executable in Executable"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-04-21"
id = "ef919a63-9a29-5624-a084-b92e3578e3a6"
strings:
$s1 = "TVpTAQEAAAAEAAAA//8AALgAAAA" wide ascii // 14 samples
$s2 = "TVoAAAAAAAAAAAAAAAAAAAAAAAA" wide ascii // 26 samples
$s3 = "TVqAAAEAAAAEABAAAAAAAAAAAAA" wide ascii // 75 samples
$s4 = "TVpQAAIAAAAEAA8A//8AALgAAAA" wide ascii // 168 samples
$s5 = "TVqQAAMAAAAEAAAA//8AALgAAAA" wide ascii // 28,529 samples
$fp1 = "BAM Management class library"
condition:
uint16(0) == 0x5a4d and filesize < 5000KB and 1 of ($s*)
and not 1 of ($fp*)
}
rule Binary_Drop_Certutil {
meta:
description = "Drop binary as base64 encoded cert trick"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/9DNn8q"
date = "2015-07-15"
score = 70
id = "19791e51-d041-524d-80fa-9f3ec54eb084"
strings:
$s0 = "echo -----BEGIN CERTIFICATE----- >" ascii
$s1 = "echo -----END CERTIFICATE----- >>" ascii
$s2 = "certutil -decode " ascii
condition:
filesize < 10KB and all of them
}
rule StegoKatz {
meta:
description = "Encoded Mimikatz in other file types"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/jWPBBY"
date = "2015-09-11"
score = 70
id = "78868bb0-af69-573d-afd2-350a46f69137"
strings:
$s1 = "VC92Ny9TSXZMNk5jLy8vOUlqUTFVRlFNQTZMLysvdjlJaTh2L0ZUNXJBUUJJaTFRa1NFaUx6K2hWSS8vL1NJME44bklCQU9pZC92Ny9USTJjSkpBQUFBQXp3RW1MV3hCSmkyc1lTWXR6S0VtTDQxL0R6TXhNaTl4SmlWc0lUWWxMSUUySlF4aFZWbGRCVkVGVlFWWkJWMGlCN1BBQUFBQklnMlFrYUFDNE1BQUFBRW1MNkVTTmNPQ0pSQ1JnaVVRa1pFbU5RN0JKaTlsTWpRWFBGQU1BU0ls" ascii
$s2 = "Rpd3ovN3FlalVtNklLQ0xNNGtOV1BiY0VOVHROT0Zud25CWGN0WS9BcEdMR28rK01OWm85Nm9xMlNnY1U5aTgrSTBvNkFob1FOTzRHQWdtUElEVmlqald0Tk90b2FmN01ESWJUQkF5T0pYbTB4bFVHRTBZWEFWOXVoNHBkQnRrS0VFWWVBSEE2TDFzU0c5a2ZFTEc3QWd4WTBYY1l3ZzB6QUFXS09JZE9wQVhEK3lnS3lsR3B5Q1ljR1NJdFNseGZKWUlVVkNFdEZPVjRJUldERUl1QXpKZ2pCQWdsd0Va" ascii
condition:
filesize < 1000KB and 1 of them
}
rule Obfuscated_VBS_April17 {
meta:
description = "Detects cloaked Mimikatz in VBS obfuscation"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-04-21"
id = "ca60b885-bb56-55ee-a2b3-dea6958883c2"
strings:
$s1 = "::::::ExecuteGlobal unescape(unescape(" ascii
condition:
filesize < 500KB and all of them
}
rule Obfuscated_JS_April17 {
meta:
description = "Detects cloaked Mimikatz in JS obfuscation"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-04-21"
id = "44abd2c0-5f8d-5a8c-b282-a09853e12054"
strings:
$s1 = "\";function Main(){for(var " ascii
$s2 = "=String.fromCharCode(parseInt(" ascii
$s3 = "));(new Function(" ascii
condition:
filesize < 500KB and all of them
}

View file

@ -1,518 +0,0 @@
/*
Generic Anomalies
Florian Roth
Nextron Systems GmbH
License: Detetction Rule License 1.1 (https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md)
*/
/* Performance killer - value isn't big enough
rule Embedded_EXE_Cloaking {
meta:
description = "Detects an embedded executable in a non-executable file"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
date = "2015/02/27"
score = 65
strings:
$noex_png = { 89 50 4E 47 }
$noex_pdf = { 25 50 44 46 }
$noex_rtf = { 7B 5C 72 74 66 31 }
$noex_jpg = { FF D8 FF E0 }
$noex_gif = { 47 49 46 38 }
$mz = { 4D 5A }
$a1 = "This program cannot be run in DOS mode"
$a2 = "This program must be run under Win32"
condition:
(
( $noex_png at 0 ) or
( $noex_pdf at 0 ) or
( $noex_rtf at 0 ) or
( $noex_jpg at 0 ) or
( $noex_gif at 0 )
)
and
for any i in (1..#mz): ( @a1 < ( @mz[i] + 200 ) or @a2 < ( @mz[i] + 200 ) )
}
*/
// whitelist-approach failed : reworked in SUSP_Known_Type_Cloaked_as_JPG
// rule Cloaked_as_JPG {
// meta:
// description = "Detects a non-JPEG file cloaked as JPG"
// author = "Florian Roth (Nextron Systems)"
// date = "2015/03/02"
// modified = "2022-09-16"
// score = 40
// strings:
// $fp1 = "<!DOCTYPE" ascii
// $fp2 = "Sophos Encrypted File Format" ascii
// $fp3 = "This is a critical resource file used by WatchGuard/TDR" ascii
// condition:
// uint16be(0) != 0xFFD8 and extension == ".jpg"
// and filetype != "GIF"
// and filetype != "PDF"
// and not $fp1 in (0..30)
// and not $fp2 at 0
// and not $fp3
// and not uint16(0) == 0x8b1f /* GZIP */
// and not uint16(0) == 0x4d42 /* BMP */
// and not uint32(0) == 0x474E5089 /* PNG Header */
// and not uint32(0) == 0x002A4949 /* TIFF Header */
// and not uint32be(0) == 0x3c737667 /* <svg */
// and not uint32be(0) == 0x52494646 /* RIFF (WebP) */
// and not uint32be(0x4) == 0x66747970 /* HEIF Header https://github.com/strukturag/libheif/commit/6ca8e2548dbfe21200bae3a7c2c315a1796e3852 */
// and not uint32be(0xe) == 0x4a464946 /* JFIF distributed by Matlab */
// and not filename matches /\$[Ii][A-Z0-9]{6}/
// and not filepath contains "WinSxS"
// and not filepath contains "Package_for_RollupFix"
// and not filename matches /^\._/
// and not filepath contains "$Recycle.Bin"
// and not filepath contains "\\Cache\\" /* generic cache e.g. for Chrome: \User Data\Default\Cache\ */
// and not filepath contains "\\User Data\\Default\\Extensions\\" // chrome extensions
// and not filepath contains "\\cache2\\" // FF cache
// and not filepath contains "\\Microsoft\\Windows\\INetCache\\IE\\" // old IE
// and not filepath contains "/com.apple.Safari/WebKitCache/"
// and not filepath contains "\\Edge\\User Data\\" // some uncommon Edge path
// and not filepath contains "/Code/"
// and not filepath contains "\\Code\\"
// }
rule SUSP_Known_Type_Cloaked_as_JPG {
meta:
description = "Detects a non-JPEG file type cloaked as .jpg"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research - replacement for Cloaked_as_JPG rule"
date = "2022-09-16"
score = 60
id = "728908a6-74cf-5bab-a23f-cd03ed209430"
condition:
( extension == ".jpg" or extension == ".jpeg" ) and (
filetype == "EXE" or
filetype == "ELF" or
filetype == "MACH-O" or
filetype == "VBS" or
filetype == "PHP" or
filetype == "JSP" or
filetype == "Python" or
filetype == "LSASS Dump File" or
filetype == "ASP" or
filetype == "BATCH" or
filetype == "RTF" or
filetype == "MDMP" or
filetype contains "PowerShell" or
filetype contains "Base64"
)
}
/*
Yara Rule Set
Author: Florian Roth
Date: 2015-12-21
Identifier: Uncommon File Sizes
*/
rule Suspicious_Size_explorer_exe {
meta:
description = "Detects uncommon file size of explorer.exe"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth (Nextron Systems)"
score = 60
nodeepdive = 1
date = "2015-12-21"
modified = "2022-04-27"
noarchivescan = 1
id = "408bdb95-3b15-5f4e-a948-949ea4ce0477"
strings:
$fp = "Wine placeholder DLL"
condition:
uint16(0) == 0x5a4d
and filename == "explorer.exe"
and not filepath contains "teamviewer"
and not filepath contains "/lib/wine/fakedlls"
and ( filesize < 800KB or filesize > 6500KB )
and not $fp
}
rule Suspicious_Size_chrome_exe {
meta:
description = "Detects uncommon file size of chrome.exe"
author = "Florian Roth (Nextron Systems)"
score = 60
nodeepdive = 1
date = "2015-12-21"
modified = "2022-09-15"
noarchivescan = 1
id = "f164394a-5c02-5056-aceb-044ee118578d"
strings:
$fp1 = "HP Sure Click Chromium Launcher" wide
$fp2 = "BrChromiumLauncher.exe" wide fullword
condition:
uint16(0) == 0x5a4d
and filename == "chrome.exe"
and ( filesize < 500KB or filesize > 5000KB )
and not 1 of ($fp*)
}
rule Suspicious_Size_csrss_exe {
meta:
description = "Detects uncommon file size of csrss.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 60
date = "2015-12-21"
modified = "2022-01-28"
noarchivescan = 1
id = "5a247b51-6c91-5753-95b3-4a4c2b2286eb"
condition:
uint16(0) == 0x5a4d
and filename == "csrss.exe"
and ( filesize > 50KB )
}
rule Suspicious_Size_iexplore_exe {
meta:
description = "Detects uncommon file size of iexplore.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 60
date = "2015-12-21"
noarchivescan = 1
id = "d097a599-0fad-574f-8281-46c910e8e54d"
condition:
uint16(0) == 0x5a4d
and filename == "iexplore.exe"
and not filepath contains "teamviewer"
and ( filesize < 75KB or filesize > 910KB )
}
rule Suspicious_Size_firefox_exe {
meta:
description = "Detects uncommon file size of firefox.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 60
date = "2015-12-21"
noarchivescan = 1
id = "73c4b838-9277-5756-a35d-4a644be5ad5d"
condition:
uint16(0) == 0x5a4d
and filename == "firefox.exe"
and ( filesize < 265KB or filesize > 910KB )
}
rule Suspicious_Size_java_exe {
meta:
description = "Detects uncommon file size of java.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 60
date = "2015-12-21"
noarchivescan = 1
id = "b6dc297b-8388-5e39-ba77-c027cdea7afa"
condition:
uint16(0) == 0x5a4d
and filename == "java.exe"
and ( filesize < 30KB or filesize > 900KB )
}
rule Suspicious_Size_lsass_exe {
meta:
description = "Detects uncommon file size of lsass.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 60
date = "2015-12-21"
noarchivescan = 1
id = "005661c7-7576-5c13-9534-b49c12b2faad"
condition:
uint16(0) == 0x5a4d
and filename == "lsass.exe"
and ( filesize < 10KB or filesize > 100KB )
}
rule Suspicious_Size_svchost_exe {
meta:
description = "Detects uncommon file size of svchost.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 60
date = "2015-12-21"
noarchivescan = 1
id = "31a8d00e-ebfc-5001-9c58-d3a2580f16b3"
condition:
uint16(0) == 0x5a4d
and filename == "svchost.exe"
and ( filesize < 14KB or filesize > 100KB )
}
rule Suspicious_Size_winlogon_exe {
meta:
description = "Detects uncommon file size of winlogon.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 60
date = "2015-12-21"
noarchivescan = 1
id = "8665e8d0-3b5f-5227-8879-cdd614123439"
condition:
uint16(0) == 0x5a4d
and filename == "winlogon.exe"
and ( filesize < 279KB or filesize > 970KB )
}
rule Suspicious_Size_igfxhk_exe {
meta:
description = "Detects uncommon file size of igfxhk.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 60
date = "2015-12-21"
modified = "2022-03-08"
noarchivescan = 1
id = "18cc167a-3e65-567f-adcf-d2d311520c1d"
condition:
uint16(0) == 0x5a4d
and filename == "igfxhk.exe"
and ( filesize < 200KB or filesize > 300KB )
}
rule Suspicious_Size_servicehost_dll {
meta:
description = "Detects uncommon file size of servicehost.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 60
date = "2015-12-23"
noarchivescan = 1
id = "ac71393c-a475-59e0-b22a-d5ee3d25084b"
condition:
uint16(0) == 0x5a4d
and filename == "servicehost.dll"
and filesize > 150KB
}
rule Suspicious_Size_rundll32_exe {
meta:
description = "Detects uncommon file size of rundll32.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 60
date = "2015-12-23"
noarchivescan = 1
id = "5b9feae7-17d8-56e4-870a-ef865f2d09bf"
condition:
uint16(0) == 0x5a4d
and filename == "rundll32.exe"
and ( filesize < 30KB or filesize > 120KB )
}
rule Suspicious_Size_taskhost_exe {
meta:
description = "Detects uncommon file size of taskhost.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 60
date = "2015-12-23"
noarchivescan = 1
id = "71b6c853-f490-5d5a-b481-909f6f3a8798"
condition:
uint16(0) == 0x5a4d
and filename == "taskhost.exe"
and ( filesize < 45KB or filesize > 120KB )
}
rule Suspicious_Size_spoolsv_exe {
meta:
description = "Detects uncommon file size of spoolsv.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 60
date = "2015-12-23"
noarchivescan = 1
id = "14bb3463-b99f-57e1-8cff-fe9a34771093"
condition:
uint16(0) == 0x5a4d
and filename == "spoolsv.exe"
and ( filesize < 50KB or filesize > 1000KB )
}
rule Suspicious_Size_smss_exe {
meta:
description = "Detects uncommon file size of smss.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 60
date = "2015-12-23"
noarchivescan = 1
id = "7bdc8953-9240-5d22-b2a6-fe95fbc101c2"
condition:
uint16(0) == 0x5a4d
and filename == "smss.exe"
and ( filesize < 40KB or filesize > 5000KB )
}
rule Suspicious_Size_wininit_exe {
meta:
description = "Detects uncommon file size of wininit.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 60
date = "2015-12-23"
noarchivescan = 1
id = "7b58f497-f214-5bf3-8a5c-8edb52749d09"
condition:
uint16(0) == 0x5a4d
and filename == "wininit.exe"
and ( filesize < 90KB or filesize > 800KB )
}
rule Suspicious_AutoIt_by_Microsoft {
meta:
description = "Detects a AutoIt script with Microsoft identification"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research - VT"
date = "2017-12-14"
score = 60
hash1 = "c0cbcc598d4e8b501aa0bd92115b4c68ccda0993ca0c6ce19edd2e04416b6213"
id = "69b1c93d-ab12-5fdc-b6eb-fb135796d3a9"
strings:
$s1 = "Microsoft Corporation. All rights reserved" fullword wide
$s2 = "AutoIt" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 2000KB and all of them
}
rule SUSP_Size_of_ASUS_TuningTool {
meta:
description = "Detects an ASUS tuning tool with a suspicious size"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/"
date = "2018-10-17"
modified = "2022-12-21"
score = 60
noarchivescan = 1
hash1 = "d4e97a18be820a1a3af639c9bca21c5f85a3f49a37275b37fd012faeffcb7c4a"
id = "d22a1bf9-55d6-5cb4-9537-ad13b23af4d1"
strings:
$s1 = "\\Release\\ASGT.pdb" ascii
condition:
uint16(0) == 0x5a4d and filesize < 300KB and filesize > 70KB and all of them
}
rule SUSP_PiratedOffice_2007 {
meta:
description = "Detects an Office document that was created with a pirated version of MS Office 2007"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/pwnallthethings/status/743230570440826886?lang=en"
date = "2018-12-04"
score = 40
hash1 = "210448e58a50da22c0031f016ed1554856ed8abe79ea07193dc8f5599343f633"
id = "b36e9a59-7617-503b-968d-5b6b72b227ea"
strings:
$s7 = "<Company>Grizli777</Company>" ascii
condition:
uint16(0) == 0xcfd0 and filesize < 300KB and all of them
}
rule SUSP_Scheduled_Task_BigSize {
meta:
description = "Detects suspiciously big scheduled task XML file as seen in combination with embedded base64 encoded PowerShell code"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2018-12-06"
id = "61b07b30-1058-5a53-99e7-2c48ec9d23b5"
strings:
$a0 = "<Task version=" ascii wide
$a1 = "xmlns=\"http://schemas.microsoft.com/windows/" ascii wide
$fp1 = "</Counter><Counter>" wide
$fp2 = "Office Feature Updates Logon" wide
$fp3 = "Microsoft Shared" fullword wide
condition:
uint16(0) == 0xfeff and filesize > 20KB and all of ($a*) and not 1 of ($fp*)
}
rule SUSP_Putty_Unnormal_Size {
meta:
description = "Detects a putty version with a size different than the one provided by Simon Tatham (could be caused by an additional signature or malware)"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2019-01-07"
modified = "2022-06-30"
score = 50
hash1 = "e5e89bdff733d6db1cffe8b3527e823c32a78076f8eadc2f9fd486b74a0e9d88"
hash2 = "ce4c1b718b54973291aefdd63d1cca4e4d8d4f5353a2be7f139a290206d0c170"
hash3 = "adb72ea4eab7b2efc2da6e72256b5a3bb388e9cdd4da4d3ff42a9fec080aa96f"
hash4 = "1c0bd6660fa43fa90bd88b56cdd4a4c2ffb4ef9d04e8893109407aa7039277db"
id = "576b118c-d4be-5ce2-994a-ce3f943dda88"
strings:
$s1 = "SSH, Telnet and Rlogin client" fullword wide
$v1 = "Release 0.6" wide
$v2 = "Release 0.70" wide
$fp1 = "KiTTY fork" fullword wide
condition:
uint16(0) == 0x5a4d
and $s1 and 1 of ($v*)
and not 1 of ($fp*)
// has offset
and filesize != 524288
and filesize != 495616
and filesize != 483328
and filesize != 524288
and filesize != 712176
and filesize != 828400
and filesize != 569328
and filesize != 454656
and filesize != 531368
and filesize != 524288
and filesize != 483328
and filesize != 713592
and filesize != 829304
and filesize != 571256
and filesize != 774200
and filesize != 854072
and filesize != 665144
and filesize != 774200
and filesize != 854072
and filesize != 665144
and filesize != 640000 /* putty provided by Safenet https://thalesdocs.com/gphsm/luna/7.1/docs/network/Content/install/sa_hw_install/hardware_installation_lunasa.htm */
and filesize != 650720 /* Citrix XenCenter */
and filesize != 662808 /* Citrix XenCenter */
and filesize != 651256 /* Citrix XenCenter */
and filesize != 664432 /* Citrix XenCenter */
}
rule SUSP_RTF_Header_Anomaly {
meta:
description = "Detects malformed RTF header often used to trick mechanisms that check for a full RTF header"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/ItsReallyNick/status/975705759618158593"
date = "2019-01-20"
modified = "2022-09-15"
score = 50
id = "fb362640-9a45-5ee5-8749-3980e0549932"
condition:
uint32(0) == 0x74725c7b and /* {\rt */
not uint8(4) == 0x66 /* not f */
}
rule WEBSHELL_ASPX_ProxyShell_Aug21_1 {
meta:
description = "Detects webshells dropped by ProxyShell exploitation based on their file header (must be PST) and extension"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-servers-are-getting-hacked-via-proxyshell-exploits/"
date = "2021-08-13"
id = "8f01cbda-b1cf-5556-9f6a-e709df6dadb2"
condition:
uint32(0) == 0x4e444221 /* PST header: !BDN */
and extension == ".aspx"
}

View file

@ -1,581 +0,0 @@
/*
THOR Yara Inverse Matches
> Detect system file manipulations and common APT anomalies
This is an extract from the THOR signature database
Reference:
http://www.bsk-consulting.de/2014/05/27/inverse-yara-signature-matching/
https://www.bsk-consulting.de/2014/08/28/scan-system-files-manipulations-yara-inverse-matching-22/
Notice: These rules require an external variable called "filename"
License: Detetction Rule License 1.1 (https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md)
*/
import "pe"
private rule WINDOWS_UPDATE_BDC
{
meta:
score = 0
condition:
(uint32be(0) == 0x44434d01 and // magic: DCM PA30
uint32be(4) == 0x50413330)
or
(uint32be(0) == 0x44434401 and
uint32be(12)== 0x50413330) // magic: DCD PA30
}
/* Rules -------------------------------------------------------------------- */
rule iexplore_ANOMALY {
meta:
author = "Florian Roth (Nextron Systems)"
description = "Abnormal iexplore.exe - typical strings not found in file"
date = "23/04/2014"
score = 55
nodeepdive = 1
id = "ea436608-d191-5058-b844-025e48082edc"
strings:
$win2003_win7_u1 = "IEXPLORE.EXE" wide nocase
$win2003_win7_u2 = "Internet Explorer" wide fullword
$win2003_win7_u3 = "translation" wide fullword nocase
$win2003_win7_u4 = "varfileinfo" wide fullword nocase
condition:
filename == "iexplore.exe"
and uint16(0) == 0x5a4d
and not filepath contains "teamviewer"
and not 1 of ($win*) and not WINDOWS_UPDATE_BDC
and filepath contains "C:\\"
and not filepath contains "Package_for_RollupFix"
}
rule svchost_ANOMALY {
meta:
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
description = "Abnormal svchost.exe - typical strings not found in file"
date = "23/04/2014"
score = 55
id = "5630054d-9fa4-587f-ba78-cda4478f9cc1"
strings:
$win2003_win7_u1 = "svchost.exe" wide nocase
$win2003_win7_u3 = "coinitializesecurityparam" wide fullword nocase
$win2003_win7_u4 = "servicedllunloadonstop" wide fullword nocase
$win2000 = "Generic Host Process for Win32 Services" wide fullword
$win2012 = "Host Process for Windows Services" wide fullword
condition:
filename == "svchost.exe"
and uint16(0) == 0x5a4d
and not 1 of ($win*) and not WINDOWS_UPDATE_BDC
}
/* removed 1 rule here */
rule explorer_ANOMALY {
meta:
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
description = "Abnormal explorer.exe - typical strings not found in file"
date = "27/05/2014"
score = 55
id = "ecadd78f-21a1-5a9f-8f3f-cb51e872805b"
strings:
$s1 = "EXPLORER.EXE" wide fullword
$s2 = "Windows Explorer" wide fullword
condition:
filename == "explorer.exe"
and uint16(0) == 0x5a4d
and not filepath contains "teamviewer"
and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
}
rule sethc_ANOMALY {
meta:
description = "Sethc.exe has been replaced - Indicates Remote Access Hack RDP"
author = "F. Roth"
reference = "http://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf"
date = "2014/01/23"
score = 70
id = "9dfbab4e-3dc8-5246-a051-1618f2ca5f39"
strings:
$s1 = "stickykeys" fullword nocase
$s2 = "stickykeys" wide nocase
$s3 = "Control_RunDLL access.cpl" wide fullword
$s4 = "SETHC.EXE" wide fullword
condition:
filename == "sethc.exe"
and uint16(0) == 0x5a4d
and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
}
rule Utilman_ANOMALY {
meta:
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
description = "Abnormal utilman.exe - typical strings not found in file"
date = "01/06/2014"
score = 70
id = "98daff9b-1600-56b3-87ff-637deaa6808c"
strings:
$win7 = "utilman.exe" wide fullword
$win2000 = "Start with Utility Manager" fullword wide
$win2012 = "utilman2.exe" fullword wide
condition:
( filename == "utilman.exe" or filename == "Utilman.exe" )
and uint16(0) == 0x5a4d
and not 1 of ($win*) and not WINDOWS_UPDATE_BDC
}
rule osk_ANOMALY {
meta:
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
description = "Abnormal osk.exe (On Screen Keyboard) - typical strings not found in file"
date = "01/06/2014"
score = 55
id = "6b78b001-f863-5a24-a9d1-ee5e8305766b"
strings:
$s1 = "Accessibility On-Screen Keyboard" wide fullword
$s2 = "\\oskmenu" wide fullword
$s3 = "&About On-Screen Keyboard..." wide fullword
$s4 = "Software\\Microsoft\\Osk" wide
condition:
filename == "osk.exe"
and uint16(0) == 0x5a4d
and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
}
rule magnify_ANOMALY {
meta:
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
description = "Abnormal magnify.exe (Magnifier) - typical strings not found in file"
date = "01/06/2014"
score = 55
id = "db75201e-81a3-5f82-bf6f-ba155bfbcf81"
strings:
$win7 = "Microsoft Screen Magnifier" wide fullword
$win2000 = "Microsoft Magnifier" wide fullword
$winxp = "Software\\Microsoft\\Magnify" wide
condition:
filename =="magnify.exe"
and uint16(0) == 0x5a4d
and not 1 of ($win*) and not WINDOWS_UPDATE_BDC
}
rule narrator_ANOMALY {
meta:
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
description = "Abnormal narrator.exe - typical strings not found in file"
date = "01/06/2014"
score = 55
id = "a51f1916-f89a-58a9-b65c-91bf99575b80"
strings:
$win7 = "Microsoft-Windows-Narrator" wide fullword
$win2000 = "&About Narrator..." wide fullword
$win2012 = "Screen Reader" wide fullword
$winxp = "Software\\Microsoft\\Narrator"
$winxp_en = "SOFTWARE\\Microsoft\\Speech\\Voices" wide
condition:
filename == "narrator.exe"
and uint16(0) == 0x5a4d
and not 1 of ($win*) and not WINDOWS_UPDATE_BDC
}
rule notepad_ANOMALY {
meta:
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
description = "Abnormal notepad.exe - typical strings not found in file"
date = "01/06/2014"
score = 55
id = "16ddcd9e-ab6f-593e-80e0-a90399cbc3df"
strings:
$win7 = "HELP_ENTRY_ID_NOTEPAD_HELP" wide fullword
$win2000 = "Do you want to create a new file?" wide fullword
$win2003 = "Do you want to save the changes?" wide
$winxp = "Software\\Microsoft\\Notepad" wide
$winxp_de = "Software\\Microsoft\\Notepad" wide
condition:
filename == "notepad.exe"
and uint16(0) == 0x5a4d
and not 1 of ($win*) and not WINDOWS_UPDATE_BDC
}
/* NEW ---------------------------------------------------------------------- */
rule csrss_ANOMALY {
meta:
description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file csrss.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "not set"
date = "2015/03/16"
hash = "17542707a3d9fa13c569450fd978272ef7070a77"
id = "bbd2841a-ec72-5eb4-b34a-5ecbf9c5b517"
strings:
$s1 = "Client Server Runtime Process" fullword wide
$s4 = "name=\"Microsoft.Windows.CSRSS\"" fullword ascii
$s5 = "CSRSRV.dll" fullword ascii
$s6 = "CsrServerInitialization" fullword ascii
condition:
filename == "csrss.exe"
and uint16(0) == 0x5a4d
and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
}
rule conhost_ANOMALY {
meta:
description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file conhost.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "not set"
date = "2015/03/16"
hash = "1bd846aa22b1d63a1f900f6d08d8bfa8082ae4db"
id = "9803fa1b-bcaf-5451-831b-fc0dc9d711f2"
strings:
$s2 = "Console Window Host" fullword wide
condition:
filename == "conhost.exe"
and uint16(0) == 0x5a4d
and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
}
rule wininit_ANOMALY {
meta:
description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file wininit.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "not set"
date = "2015/03/16"
hash = "2de5c051c0d7d8bcc14b1ca46be8ab9756f29320"
id = "a251984f-c667-55ec-8cc3-3888e80ddf1e"
strings:
$s1 = "Windows Start-Up Application" fullword wide
condition:
filename == "wininit.exe"
and uint16(0) == 0x5a4d
and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
}
rule winlogon_ANOMALY {
meta:
description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file winlogon.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "not set"
date = "2015/03/16"
hash = "af210c8748d77c2ff93966299d4cd49a8c722ef6"
id = "ee424459-8048-52b8-ba97-4d09265a881f"
strings:
$s1 = "AuthzAccessCheck failed" fullword
$s2 = "Windows Logon Application" fullword wide
condition:
filename == "winlogon.exe"
and not 1 of ($s*)
and uint16(0) == 0x5a4d
and not WINDOWS_UPDATE_BDC
and not filepath contains "Malwarebytes"
}
rule SndVol_ANOMALY {
meta:
description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file SndVol.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "not set"
date = "2015/03/16"
hash = "e057c90b675a6da19596b0ac458c25d7440b7869"
id = "0c4d705f-4b24-55f9-bcf4-3f65eea0b7af"
strings:
$s1 = "Volume Control Applet" fullword wide
condition:
filename == "sndvol.exe"
and uint16(0) == 0x5a4d
and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
}
rule doskey_ANOMALY {
meta:
description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file doskey.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "not set"
date = "2015/03/16"
hash = "f2d1995325df0f3ca6e7b11648aa368b7e8f1c7f"
id = "be9c239a-2918-5330-bbd0-33cc17067f70"
strings:
$s3 = "Keyboard History Utility" fullword wide
condition:
filename == "doskey.exe"
and uint16(0) == 0x5a4d
and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
}
rule lsass_ANOMALY {
meta:
description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file lsass.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "not set"
date = "2015/03/16"
hash = "04abf92ac7571a25606edfd49dca1041c41bef21"
id = "0c0f6129-3e01-56d3-b297-cee231567759"
strings:
$s1 = "LSA Shell" fullword wide
$s2 = "<description>Local Security Authority Process</description>" fullword ascii
$s3 = "Local Security Authority Process" fullword wide
$s4 = "LsapInitLsa" fullword
condition:
filename == "lsass.exe"
and uint16(0) == 0x5a4d
and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
}
rule taskmgr_ANOMALY {
meta:
description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file taskmgr.exe"
author = "Florian Roth (Nextron Systems)"
reference = "not set"
date = "2015/03/16"
nodeepdive = 1
hash = "e8b4d84a28e5ea17272416ec45726964fdf25883"
id = "e1c3a150-6e7e-5ead-a338-0bac6f43185d"
strings:
$s0 = "Windows Task Manager" fullword wide
$s1 = "taskmgr.chm" fullword
$s2 = "TmEndTaskHandler::" ascii
$s3 = "CM_Request_Eject_PC" /* Win XP */
$s4 = "NTShell Taskman Startup Mutex" fullword wide
condition:
( filename == "taskmgr.exe" or filename == "Taskmgr.exe" ) and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
and uint16(0) == 0x5a4d
and filepath contains "C:\\"
and not filepath contains "Package_for_RollupFix"
}
/* removed 22 rules here */
/* APT ---------------------------------------------------------------------- */
rule APT_Cloaked_PsExec
{
meta:
description = "Looks like a cloaked PsExec. This may be APT group activity."
date = "2014-07-18"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 60
id = "e389bb76-0d1d-5e0e-9f79-a3117c919da3"
strings:
$s0 = "psexesvc.exe" wide fullword
$s1 = "Sysinternals PsExec" wide fullword
condition:
uint16(0) == 0x5a4d and $s0 and $s1
and not filename matches /(psexec.exe|PSEXESVC.EXE|PsExec64.exe)$/is
and not filepath matches /RECYCLE.BIN\\S-1/
}
/* removed 6 rules here */
rule APT_Cloaked_SuperScan
{
meta:
description = "Looks like a cloaked SuperScan Port Scanner. This may be APT group activity."
date = "2014-07-18"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 50
id = "96027f7d-822c-5c5e-acd9-cde8289c6b50"
strings:
$s0 = "SuperScan4.exe" wide fullword
$s1 = "Foundstone Inc." wide fullword
condition:
uint16(0) == 0x5a4d and $s0 and $s1 and not filename contains "superscan"
}
rule APT_Cloaked_ScanLine
{
meta:
description = "Looks like a cloaked ScanLine Port Scanner. This may be APT group activity."
date = "2014-07-18"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 50
id = "78041dc0-491b-5a44-a125-3ad72b266cf8"
strings:
$s0 = "ScanLine" wide fullword
$s1 = "Command line port scanner" wide fullword
$s2 = "sl.exe" wide fullword
condition:
uint16(0) == 0x5a4d and $s0 and $s1 and $s2 and not filename == "sl.exe"
}
rule SUSP_Renamed_Dot1Xtray {
meta:
description = "Detects a legitimate renamed dot1ctray.exe, which is often used by PlugX for DLL side-loading"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2018-11-15"
hash1 = "f9ebf6aeb3f0fb0c29bd8f3d652476cd1fe8bd9a0c11cb15c43de33bbce0bf68"
id = "3685a79e-7dd6-5221-b58a-6ec1c61030cc"
strings:
$a1 = "\\Symantec_Network_Access_Control\\" ascii
$a2 = "\\dot1xtray.pdb" ascii
$a3 = "DOT1X_NAMED_PIPE_CONNECT" fullword wide /* Goodware String - occured 2 times */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them
and not filename matches /dot1xtray.exe/i
and not filepath matches /Recycle.Bin/i
}
rule APT_Cloaked_CERTUTIL {
meta:
description = "Detects a renamed certutil.exe utility that is often used to decode encoded payloads"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2018-09-14"
modified = "2022-06-27"
id = "13943cda-6bb1-5c6c-8e55-e8d4bba1ffef"
strings:
$s1 = "-------- CERT_CHAIN_CONTEXT --------" fullword ascii
$s5 = "certutil.pdb" fullword ascii
$s3 = "Password Token" fullword ascii
condition:
uint16(0) == 0x5a4d and all of them
and not filename contains "certutil"
and not filename contains "CertUtil"
and not filename contains "Certutil"
and not filepath contains "\\Bromium\\"
}
rule APT_SUSP_Solarwinds_Orion_Config_Anomaly_Dec20 {
meta:
description = "Detects a suspicious renamed Afind.exe as used by different attackers"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/iisresetme/status/1339546337390587905?s=12"
date = "2020-12-15"
score = 70
nodeepdive = 1
id = "440a3eb9-b573-53ea-ab26-c44d9cf62401"
strings:
$s1 = "ReportWatcher" fullword wide ascii
$fp1 = "ReportStatus" fullword wide ascii
condition:
filename == "SolarWindows.Orion.Core.BusinessLayer.dll.config"
and $s1
and not $fp1
}
rule PAExec_Cloaked {
meta:
description = "Detects a renamed remote access tool PAEXec (like PsExec)"
author = "Florian Roth (Nextron Systems)"
reference = "http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/"
date = "2017-03-27"
score = 70
hash1 = "01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc"
id = "fad8417b-bbdb-5a4e-8324-660e27cb39f8"
strings:
$x1 = "Ex: -rlo C:\\Temp\\PAExec.log" fullword ascii
$x2 = "Can't enumProcesses - Failed to get token for Local System." fullword wide
$x3 = "PAExec %s - Execute Programs Remotely" fullword wide
$x4 = "\\\\%s\\pipe\\PAExecIn%s%u" fullword wide
$x5 = "\\\\.\\pipe\\PAExecIn%s%u" fullword wide
$x6 = "%%SystemRoot%%\\%s.exe" fullword wide
$x7 = "in replacement for PsExec, so the command-line usage is identical, with " fullword ascii
$x8 = "\\\\%s\\ADMIN$\\PAExec_Move%u.dat" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 600KB and 1 of ($x*) )
and not filename == "paexec.exe"
and not filename == "PAExec.exe"
and not filename == "PAEXEC.EXE"
and not filename matches /Install/
and not filename matches /uninstall/
}
rule SUSP_VULN_DRV_PROCEXP152_May23 {
meta:
description = "Detects vulnerable process explorer driver (original file name: PROCEXP152.SYS), often used by attackers to elevate privileges (false positives are possible in cases in which old versions of process explorer are still present on the system)"
author = "Florian Roth"
reference = "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/"
date = "2023-05-05"
modified = "2023-07-28"
score = 50
hash1 = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc"
id = "748eb390-f320-5045-bed2-24ae70471f43"
strings:
$a1 = "\\ProcExpDriver.pdb" ascii
$a2 = "\\Device\\PROCEXP152" wide fullword
$a3 = "procexp.Sys" wide fullword
condition:
uint16(0) == 0x5a4d
and filesize < 200KB
and all of them
}
rule SUSP_VULN_DRV_PROCEXP152_Renamed_May23 {
meta:
description = "Detects vulnerable process explorer driver (original file name: PROCEXP152.SYS) that has been renamed (often used by attackers to elevate privileges)"
author = "Florian Roth"
reference = "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/"
date = "2023-05-05"
score = 70
hash1 = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc"
id = "af2ec5d5-3453-5d35-8d19-4f37c61fabce"
strings:
$a1 = "\\ProcExpDriver.pdb" ascii
$a2 = "\\Device\\PROCEXP152" wide fullword
$a3 = "procexp.Sys" wide fullword
condition:
uint16(0) == 0x5a4d
and filesize < 200KB
and all of them
and not filename matches /PROCEXP152\.SYS/i
}
rule SUSP_ANOMALY_Teams_Binary_Nov23 : SCRIPT {
meta:
description = "Detects a suspicious binary with the name teams.exe, update.exe or squirrel.exe in the AppData folder of Microsoft Teams that is unsigned or signed by a different CA"
author = "Florian Roth"
score = 60
reference = "https://twitter.com/steve_noel/status/1722698479636476325/photo/1"
date = "2023-11-11"
id = "60557ed1-ac16-5e3b-b105-157dc34f6ad7"
strings:
$a1 = "Microsoft Code Signing PCA" ascii
condition:
(
filename iequals "teams.exe" or
filename iequals "update.exe" or
filename iequals "squirrel.exe"
)
and filepath icontains "\\AppData\\Local\\Microsoft\\Teams"
and pe.number_of_signatures == 0
and not $a1
}
rule SAM_Hive_Backup {
meta:
description = "Detects a SAM hive backup file - SAM is the Security Account Manager - contains password hashes"
author = "Florian Roth"
reference = "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-hashes-from-sam-registry"
score = 60
nodeepdive = 1
date = "2015-03-31"
modified = "2023-12-12"
id = "31fb6c0c-966d-5002-bf8c-4129964c81ff"
strings:
$s1 = "\\SystemRoot\\System32\\Config\\SAM" wide
condition:
uint32(0) == 0x66676572 and $s1 in (0..200)
and not filepath contains "\\System32\\Config"
and not filepath contains "\\System32\\config"
and not filepath contains "System Volume Information"
and not filepath contains "\\config\\RegBack"
}

File diff suppressed because it is too large Load diff

View file

@ -1,556 +0,0 @@
/*
This is a collection of rules that use external variables
They work with scanners that support the use of external variables, like
THOR, LOKI or SPARK
https://www.nextron-systems.com/compare-our-scanners/
*/
import "pe"
import "math"
rule Acrotray_Anomaly {
meta:
description = "Detects an acrotray.exe that does not contain the usual strings"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 75
id = "e3fef644-e535-5137-ac98-2fd1b7ca4361"
strings:
$s1 = "PDF/X-3:2002" fullword wide
$s2 = "AcroTray - Adobe Acrobat Distiller helper application" fullword wide
$s3 = "MS Sans Serif" fullword wide
$s4 = "COOLTYPE.DLL" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 3000KB
and ( filename == "acrotray.exe" or filename == "AcroTray.exe" )
and not all of ($s*)
}
rule COZY_FANCY_BEAR_modified_VmUpgradeHelper {
meta:
description = "Detects a malicious VmUpgradeHelper.exe as mentioned in the CrowdStrike report"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
date = "2016-06-14"
id = "97b844a4-0fa4-5850-8803-2212a69e3d16"
strings:
$s1 = "VMware, Inc." wide fullword
$s2 = "Virtual hardware upgrade helper service" fullword wide
$s3 = "vmUpgradeHelper\\vmUpgradeHelper.pdb" ascii
condition:
uint16(0) == 0x5a4d and
filename == "VmUpgradeHelper.exe" and
not all of ($s*)
}
rule IronTiger_Gh0stRAT_variant
{
meta:
author = "Cyber Safety Solutions, Trend Micro"
description = "This is a detection for a s.exe variant seen in Op. Iron Tiger"
reference = "http://goo.gl/T5fSJC"
id = "e7eeee0f-d7a1-5359-bc1f-5a2a883c7227"
strings:
$str1 = "Game Over Good Luck By Wind" nocase wide ascii
$str2 = "ReleiceName" nocase wide ascii
$str3 = "jingtisanmenxiachuanxiao.vbs" nocase wide ascii
$str4 = "Winds Update" nocase wide ascii fullword
condition:
uint16(0) == 0x5a4d and (any of ($str*))
and not filename == "UpdateSystemMib.exe"
}
rule OpCloudHopper_Cloaked_PSCP {
meta:
description = "Tool used in Operation Cloud Hopper - pscp.exe cloaked as rundll32.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf"
date = "2017-04-07"
score = 90
id = "c1e2e456-dbdd-54cf-b0e0-b356f291cfcd"
strings:
$s1 = "AES-256 SDCTR" ascii
$s2 = "direct-tcpip" ascii
condition:
all of them and filename == "rundll32.exe"
}
rule msi_dll_Anomaly {
meta:
description = "Detetcs very small and supicious msi.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar"
date = "2017-02-10"
hash1 = "8c9048e2f5ea2ef9516cac06dc0fba8a7e97754468c0d9dc1e5f7bce6dbda2cc"
id = "92cd5c51-ed84-5428-9105-50139f9289c8"
strings:
$x1 = "msi.dll.eng" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 15KB and filename == "msi.dll" and $x1
}
rule PoS_Malware_MalumPOS_Config
{
meta:
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
date = "2015-06-25"
description = "MalumPOS Config File"
reference = "http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-malumpos-targets-hotels-and-other-us-industries/"
id = "0fd2b9c2-d016-5db2-8fcc-618df6c815de"
strings:
$s1 = "[PARAMS]"
$s2 = "Name="
$s3 = "InterfacesIP="
$s4 = "Port="
condition:
all of ($s*) and filename == "log.ini" and filesize < 20KB
}
rule Malware_QA_update_test {
meta:
description = "VT Research QA uploaded malware - file update_.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "VT Research QA"
date = "2016-08-29"
score = 80
hash1 = "3b3392bc730ded1f97c51e23611740ff8b218abf0a1100903de07819eeb449aa"
id = "8f319277-1eaf-559e-87ad-f4ab89b04ca5"
strings:
$s1 = "test.exe" fullword ascii
$s2 = "PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGP" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 1000KB and all of them and filename == "update.exe"
}
/* These only work with external variable "filename" ------------------------ */
/* as used in LOKI, THOR, SPARK --------------------------------------------- */
rule SysInterals_PipeList_NameChanged {
meta:
description = "Detects NirSoft PipeList"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/Mr6M2J"
date = "2016-06-04"
score = 90
hash1 = "83f0352c14fa62ae159ab532d85a2b481900fed50d32cc757aa3f4ccf6a13bee"
id = "01afcf29-a74c-5be2-8b24-694a2802ef34"
strings:
$s1 = "PipeList" ascii fullword
$s2 = "Sysinternals License" ascii fullword
condition:
uint16(0) == 0x5a4d and filesize < 170KB and all of them
and not filename contains "pipelist.exe"
and not filename contains "PipeList.exe"
}
/*
Yara Rule Set
Author: Florian Roth
Date: 2016-04-26
Identifier: regsvr32 issue
*/
/* Rule Set ----------------------------------------------------------------- */
rule SCT_Scriptlet_in_Temp_Inet_Files {
meta:
description = "Detects a scriptlet file in the temporary Internet files (see regsvr32 AppLocker bypass)"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://goo.gl/KAB8Jw"
date = "2016-04-26"
id = "8b729257-3676-59b2-961c-dae1085cbbf6"
strings:
$s1 = "<scriptlet>" fullword ascii nocase
$s2 = "ActiveXObject(\"WScript.Shell\")" ascii
condition:
( uint32(0) == 0x4D583F3C or uint32(0) == 0x6D78F3C ) /* <?XM or <?xm */
and $s1 and $s2
and filepath contains "Temporary Internet Files"
}
rule GIFCloaked_Webshell_A {
meta:
description = "Looks like a webshell cloaked as GIF"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "f1c95b13a71ca3629a0bb79601fcacf57cdfcf768806a71b26f2448f8c1d5d24"
score = 60
id = "4fdef65c-204a-5019-9b4f-c5877c3e39d4"
strings:
$s0 = "input type"
$s1 = "<%eval request"
$s2 = "<%eval(Request.Item["
$s3 = "LANGUAGE='VBScript'"
$s4 = "$_REQUEST" fullword
$s5 = ";eval("
$s6 = "base64_decode"
$fp1 = "<form name=\"social_form\""
condition:
uint32(0) == 0x38464947 and ( 1 of ($s*) )
and not 1 of ($fp*)
}
/* causes FPs and relevancy is limited
rule exploit_ole_stdolelink {
meta:
author = "David Cannings"
description = "StdOleLink, potential 0day in April 2017"
score = 55
strings:
// Parsers will open files without the full 'rtf'
$header_rtf = "{\\rt" nocase
$header_office = { D0 CF 11 E0 }
$header_xml = "<?xml version=" nocase wide ascii
// Marks of embedded data (reduce FPs)
// RTF format
$embedded_object = "\\object" nocase
$embedded_objdata = "\\objdata" nocase
$embedded_ocx = "\\objocx" nocase
$embedded_objclass = "\\objclass" nocase
$embedded_oleclass = "\\oleclsid" nocase
// XML Office documents
$embedded_axocx = "<ax:ocx" nocase wide ascii
$embedded_axclassid = "ax:classid" nocase wide ascii
// OLE format
$embedded_root_entry = "Root Entry" wide
$embedded_comp_obj = "Comp Obj" wide
$embedded_obj_info = "Obj Info" wide
$embedded_ole10 = "Ole10Native" wide
$data0 = "00000300-0000-0000-C000-000000000046" nocase wide ascii
$data2 = "OLE2Link" nocase wide ascii
$data3 = "4f4c45324c696e6b" nocase wide ascii
$data4 = "StdOleLink" nocase wide ascii
$data5 = "5374644f6c654c696e6b" nocase wide ascii
condition:
// Mandatory header plus sign of embedding, then any of the others
for any of ($header*) : ( @ == 0 ) and 1 of ($embedded*)
and (1 of ($data*))
and extension != ".msi"
}
*/
rule HackTool_Producers {
meta:
description = "Hacktool Producers String"
threat_level = 5
score = 50
nodeepdive = 1
id = "75cb2c86-0eaa-5cf5-96d8-85b91054de36"
strings:
$a1 = "www.oxid.it"
$a2 = "www.analogx.com"
$a3 = "ntsecurity.nu"
$a4 = "gentilkiwi.com"
$a6 = "Marcus Murray"
$a7 = "Nsasoft US LLC0"
$a8 = " Nir Sofer"
condition:
uint16(0) == 0x5a4d and 1 of ($a*) and
not extension contains ".ini" and
not extension contains ".xml" and
not extension contains ".sqlite"
}
rule Exe_Cloaked_as_ThumbsDb
{
meta:
description = "Detects an executable cloaked as thumbs.db - Malware"
date = "2014-07-18"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 50
id = "ff09f8cf-de5a-50fc-aa0b-c54f7667e246"
condition:
uint16(0) == 0x5a4d and filename matches /[Tt]humbs\.db/
}
rule Fake_AdobeReader_EXE
{
meta:
description = "Detects an fake AdobeReader executable based on filesize OR missing strings in file"
date = "2014-09-11"
author = "Florian Roth (Nextron Systems)"
score = 50
nodeepdive = 1
nodeepdive = 1
id = "e3dd9d94-9f4b-5ff9-bfec-29abfb3555bb"
strings:
$s1 = "Adobe Systems" ascii
$fp1 = "Adobe Reader" ascii wide
$fp2 = "Xenocode Virtual Appliance Runtime" ascii wide
condition:
uint16(0) == 0x5a4d and
filename matches /AcroRd32.exe/i and
not $s1 in (filesize-2500..filesize)
and not 1 of ($fp*)
}
rule mimikatz_lsass_mdmp
{
meta:
description = "LSASS minidump file for mimikatz"
author = "Benjamin DELPY (gentilkiwi)"
id = "3d850dbe-1342-55ac-b0f7-91343d88f147"
strings:
$lsass = "System32\\lsass.exe" wide nocase
condition:
(uint32(0) == 0x504d444d) and $lsass and filesize > 50000KB and not filename matches /WER/
}
rule lsadump {
meta:
description = "LSA dump programe (bootkey/syskey) - pwdump and others"
author = "Benjamin DELPY (gentilkiwi)"
score = 80
nodeepdive = 1
id = "3bfa8dd8-720d-5326-ac92-0fb96cf21219"
strings:
$str_sam_inc = "\\Domains\\Account" ascii nocase
$str_sam_exc = "\\Domains\\Account\\Users\\Names\\" ascii nocase
$hex_api_call = {(41 b8 | 68) 00 00 00 02 [0-64] (68 | ba) ff 07 0f 00 }
$str_msv_lsa = { 4c 53 41 53 52 56 2e 44 4c 4c 00 [0-32] 6d 73 76 31 5f 30 2e 64 6c 6c 00 }
$hex_bkey = { 4b 53 53 4d [20-70] 05 00 01 00}
$fp1 = "Sysinternals" ascii
$fp2 = "Apple Inc." ascii wide
$fp3 = "Kaspersky Lab" ascii fullword
$fp4 = "ESET Security" ascii
$fp5 = "Disaster Recovery Module" wide
$fp6 = "Bitdefender" wide fullword
condition:
uint16(0) == 0x5a4d and
(($str_sam_inc and not $str_sam_exc) or $hex_api_call or $str_msv_lsa or $hex_bkey )
and not 1 of ($fp*)
and not filename contains "Regdat"
and not filetype == "EXE"
and not filepath contains "Dr Watson"
and not extension == "vbs"
}
rule SUSP_ServU_SSH_Error_Pattern_Jul21_1 {
meta:
description = "Detects suspicious SSH component exceptions that could be an indicator of exploitation attempts as described in advisory addressing CVE-2021-35211 in ServU services"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211#FAQ"
date = "2021-07-12"
score = 60
id = "1a89f0b0-445c-5867-94cd-f07ba1becad6"
strings:
$s1 = "EXCEPTION: C0000005;" ascii
$s2 = "CSUSSHSocket::ProcessReceive();" ascii
condition:
filename == "DebugSocketlog.txt"
and all of ($s*)
}
rule SUSP_ServU_Known_Mal_IP_Jul21_1 {
meta:
description = "Detects suspicious IP addresses used in exploitation of ServU services CVE-2021-35211 and reported by Solarwinds"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211#FAQ"
date = "2021-07-12"
score = 60
id = "118272a7-7ec9-568b-99e0-8cfe97f3f64e"
strings:
$xip1 = "98.176.196.89" ascii fullword
$xip2 = "68.235.178.32" ascii fullword
$xip3 = "208.113.35.58" ascii fullword
$xip4 = "144.34.179.162" ascii fullword
$xip5 = "97.77.97.58" ascii fullword
condition:
filename == "DebugSocketlog.txt"
and 1 of them
}
rule SUSP_EXPL_Confluence_RCE_CVE_2021_26084_Indicators_Sep21 {
meta:
description = "Detects ELF binaries owner by the confluence user but outside usual confluence directories"
author = "Florian Roth (Nextron Systems)"
reference = "https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis"
date = "2021-09-01"
score = 55
id = "395d37ea-1986-5fdd-b58c-562ae0d8be35"
condition:
uint32be(0) == 0x7f454c46 /* ELF binary */
and owner == "confluence"
and not filepath contains "/confluence/"
}
rule SUSP_Blocked_Download_Proxy_Replacement_Jan23_1 {
meta:
description = "Detects a file that has been replaced with a note by a security solution like an Antivirus or a filtering proxy server"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.virustotal.com/gui/search/filename%253A*.exe%2520tag%253Ahtml%2520size%253A10kb-%2520size%253A2kb%252B/files"
date = "2023-01-28"
score = 60
id = "58bc8288-6bdb-57d5-9de5-a54a39584838"
strings:
$x01 = "Web Filter Violation"
$x02 = "Google Drive can't scan this file for viruses."
$x03 = " target=\"_blank\">Cloudflare <img "
$x04 = "Sorry, this file is infected with a virus.</p>"
$x05 = "-- Sophos Warn FileType Page -->"
$x06 = "<p>Certain Sophos products may not be exported for use by government end-users" // accept EULA
$x07 = "<p class=\"content-list\">Bitly displays this warning when a link has been flagged as suspect. There are many"
$x08 = "Something went wrong. Don't worry, your files are still safe and the Dropbox team has been notified."
$x09 = "<p>sinkhole</p>"
$x10 = "The requested short link is blocked by website administration due to violation of the website policy terms."
$x11 = "<img src=\"https://www.malwarebytes.com/images/"
$x12 = "<title>Malwarebytes</title>"
$x13 = "<title>Blocked by VIPRE</title>"
$x14 = "<title>Your request appears to be from an automated process</title>"
$x15 = "<p>Advanced Security blocked access to"
$x16 = "<title>Suspected phishing site | Cloudflare</title>"
$x17 = ">This link has been flagged "
$x18 = "<h1>Trend Micro Apex One</h1>"
$x19 = "Hitachi ID Identity and Access Management Suite"
$x20 = ">http://www.fortinet.com/ve?vn="
$x21 = "access to URL with fixed IP not allowed" // FritzBox
$x23 = "<title>Web Page Blocked</title>"
$x24 = "<title>Malicious Website Blocked</title>"
$x25 = "<h2>STOPzilla has detected"
$x26 = ">Seqrite Endpoint Security</span>"
$x27 = "<TITLE>K7 Safe Surf</TITLE>"
$x28 = "<title>Blocked by VIPRE</title>"
$g01 = "blocked access" fullword
$g02 = "policy violation" fullword
$g03 = "violation of "
$g04 = "blocked by" fullword
$g05 = "Blocked by" fullword
$g07 = "Suspected Phishing"
$g08 = "ile quarantined"
$g09 = " is infected "
$g10 = "Blocked</title>"
$g11 = "site blocked" fullword
$g12 = "Site Blocked" fullword
$g13 = "blocked for" fullword
$g14 = "is blocked" fullword
$g15 = "potentially harmful"
$g16 = "Page Blocked" fullword
$g17 = "page blocked" fullword
condition:
extension == ".exe" and not uint16(0) == 0x5a4d and 1 of them
or (
extension == ".rar" or
extension == ".ps1" or
extension == ".vbs" or
extension == ".bat"
)
and 1 of ($x*)
}
/* too many FPs
rule APT_MAL_RU_WIN_Snake_Malware_PeIconSizes_May23_1 {
meta:
description = "Detects Comadmin file that houses Snake's kernel driver and the driver's loader"
author = "CSA"
reference = "https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"
date = "2023-05-10"
score = 75
condition:
uint16(0) == 0x5a4d
and (
filename == "WerFault.exe"
or filename == "werfault.exe"
)
and filepath contains "\\WinSxS\\"
and for any rsrc in pe.resources: (
rsrc.type == pe.RESOURCE_TYPE_ICON and rsrc.length == 3240
)
and for any rsrc in pe.resources: (
rsrc.type == pe.RESOURCE_TYPE_ICON and rsrc.length == 1384
)
and for any rsrc in pe.resources: (
rsrc.type == pe.RESOURCE_TYPE_ICON and rsrc.length == 7336
)
}
*/
rule APT_MAL_RU_Snake_Malware_Queue_File_May23_1 {
meta:
description = "Detects Queue files used by Snake malware"
author = "Florian Roth"
reference = "https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"
date = "2023-05-10"
score = 80
id = "c7ed554e-b55e-5c3f-aa8b-231cb1073f34"
condition:
filename matches /(\{[0-9A-Fa-f]{8}\-([0-9A-Fa-f]{4}\-){3}[0-9A-Fa-f]{12}\}\.){2}crmlog/
/* and filepath contains "\\Registration\\" // not needed - already specific enough */
// we reduce the range for the entropy calculation to the first 1024 for performance
// reasons. In a fully encrypted file - as used by Snake - this should already be specific enough
//and math.entropy(0, filesize) >= 7.0
and math.entropy(0, 1024) >= 7.0
}
rule SUSP_Password_XLS_Unencrypted {
meta:
description = "Detects files named e.g. password.xls, which might contain unportected clear text passwords"
author = "Arnim Rupp (https://github.com/ruppde)"
reference = "Internal Research"
date = "2023-10-04"
score = 60
id = "41096ef1-dd02-5956-9053-3d7fb1a5092c"
condition:
// match password and the german passwort:
(
filename istartswith "passwor" or /* EN / DE */
filename istartswith "contrase" or /* ES */
filename istartswith "mot de pass" or /* FR */
filename istartswith "mot_de_pass" or /* FR */
filename istartswith "motdepass" or /* FR */
filename istartswith "wachtwoord" /* NL */
)
and (
// no need to check if an xls is password protected, because it's trivial to break
(
filename iendswith ".xls"
and uint32be(0) == 0xd0cf11e0 // xls
)
or
(
filename iendswith ".xlsx"
and uint32be(0) == 0x504b0304 // unencrypted xlsx = pkzip
)
)
}
rule SUSP_Password_XLS_Encrypted {
meta:
description = "Detects files named e.g. password.xlsx, which might contain clear text passwords, but are password protected from MS Office"
author = "Arnim Rupp (https://github.com/ruppde)"
reference = "Internal Research"
date = "2023-10-04"
score = 50
id = "d3334923-3396-524d-9111-8ccb754ab99e"
condition:
// match password and the german passwort:
(
filename istartswith "passwor" or /* EN / DE */
filename istartswith "contrase" or /* ES */
filename istartswith "mot de pass" or /* FR */
filename istartswith "mot_de_pass" or /* FR */
filename istartswith "motdepass" or /* FR */
filename istartswith "wachtwoord" /* NL */
)
and filename iendswith ".xlsx"
and uint32be(0) == 0xd0cf11e0 // encrypted xlsx = CDFV2
}

View file

@ -1,28 +0,0 @@
rule AnomaliLABS_Lazarus_wipe_file_routine {
meta:
author = "aaron shelmire"
date = "2015 May 26"
desc = “Yara sig to detect File Wiping routine of the Lazarus group”
reference = "https://blog.anomali.com/evidence-of-stronger-ties-between-north-korea-and-swift-banking-attacks"
strings:
$rand_name_routine = { 99 B9 1A 00 00 00 F7 F9 80 C2 61 88 16 8A 46 01 46 84 C0 }
/* imports for overwrite function */
$imp_getTick = "GetTickCount"
$imp_srand = "srand"
$imp_CreateFile = "CreateFileA"
$imp_SetFilePointer = "SetFilePointer"
$imp_WriteFile = "WriteFile"
$imp_FlushFileBuffers = "FlushFileBuffers"
$imp_GetFileSizeEx = "GetFileSizeEx"
$imp_CloseHandle = "CloseHandle"
/* imports for rename function */
$imp_strrchr = "strrchr"
$imp_rand = "rand"
$Move_File = "MoveFileA"
$Move_FileEx = "MoveFileEx"
$imp_RemoveDir = "RemoveDirectoryA"
$imp_DeleteFile = "DeleteFileA"
$imp_GetLastError = "GetLastError"
condition:
$rand_name_routine and (11 of ($imp_*)) and ( 1 of ($Move_*))
}

View file

@ -1,16 +0,0 @@
rule PyInstaller_Binary
{
meta:
author = "Nicholas Albright, ThreatStream"
desc = "Generic rule to identify PyInstaller Compiled Binaries"
reference = "https://blog.anomali.com/crushing-python-malware"
strings:
$string0 = "zout00-PYZ.pyz"
$string1 = "python"
$string2 = "Python DLL"
$string3 = "Py_OptimizeFlag"
$string4 = "pyi_carchive"
$string5 = ".manifest"
condition:
all of them // and new_file
}

View file

@ -1,18 +0,0 @@
rule chinapic_zip
{
meta:
description = "Find zip archives of pony panels that have china.jpg"
author = "Brian Carter"
last_modified = "March 31, 2017"
strings:
$txt1 = "china.jpg"
$txt2 = "config.php"
$magic = { 50 4b 03 04 }
condition:
$magic at 0 and all of ($txt*)
}

View file

@ -1,20 +0,0 @@
rule PotentiallyCompromisedCert
{
meta:
description = "Search for PE files using cert issued to DEMUZA "
author = "Brian Carter"
last_modified = "July 21, 2017"
sample = "7ef8f5e0ca92a0f3a5bd8cdc52236564"
TLP = "WHITE"
strings:
$magic = { 50 4b 03 04 (14 | 0a) 00 }
$txt1 = "demuza@yandex.ru" nocase
$txt2 = "https://secure.comodo.net/CPS0C" nocase
$txt3 = "COMODO CA Limited1"
condition:
$magic at 0 and all of ($txt*)
}

View file

@ -1,21 +0,0 @@
rule INJECTOR_PANEL_SQLITE
{
meta:
description = "Find sqlite dbs used with tables inject panel"
author = "Brian Carter"
last_modified = "August 14, 2017"
strings:
$magic = { 53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20 33 00 }
$txt1 = "CREATE TABLE Settings"
$txt2 = "CREATE TABLE Jabber"
$txt3 = "CREATE TABLE Users"
$txt4 = "CREATE TABLE Log"
$txt5 = "CREATE TABLE Fakes"
$txt6 = "CREATE TABLE ATS_links"
condition:
$magic at 0 and all of ($txt*)
}

View file

@ -1,19 +0,0 @@
rule PDF_EMBEDDED_DOCM
{
meta:
description = "Find pdf files that have an embedded docm with openaction"
author = "Brian Carter"
last_modified = "May 11, 2017"
strings:
$magic = { 25 50 44 46 2d }
$txt1 = "EmbeddedFile"
$txt2 = "docm)"
$txt3 = "JavaScript" nocase
condition:
$magic at 0 and all of ($txt*)
}

View file

@ -1,128 +0,0 @@
rule chinapic_zip
{
meta:
description = "Find zip archives of pony panels that have china.jpg"
author = "Brian Carter"
last_modified = "March 31, 2017"
strings:
$txt1 = "china.jpg"
$txt2 = "config.php"
$txt3 = "setup.php"
$magic = { 50 4b 03 04 }
condition:
$magic at 0 and all of ($txt*)
}
rule diamondfox_zip
{
meta:
description = "Find zip archives of panels"
author = "Brian Carter"
last_modified = "March 31, 2017"
strings:
$txt1 = "gate.php"
$txt2 = "install.php"
$txt3 = "post.php"
$txt4 = "plugins"
$txt5 = "statistics.php"
$magic = { 50 4b 03 04 }
$not1 = "joomla" nocase
condition:
$magic at 0 and all of ($txt*) and not any of ($not*)
}
rule keybase_zip
{
meta:
description = "Find zip archives of panels"
author = "Brian Carter"
last_modified = "March 31, 2017"
strings:
$txt1 = "clipboard.php"
$txt2 = "config.php"
$txt3 = "create.php"
$txt4 = "login.php"
$txt5 = "screenshots.php"
$magic = { 50 4b 03 04 }
condition:
$magic at 0 and all of ($txt*)
}
rule zeus_zip
{
meta:
description = "Find zip archives of panels"
author = "Brian Carter"
last_modified = "April 19, 2017"
strings:
$txt1 = "cp.php"
$txt2 = "gate.php"
$txt3 = "botnet_bots.php"
$txt4 = "botnet_scripts.php"
$magic = { 50 4b 03 04 }
condition:
$magic at 0 and all of ($txt*)
}
rule atmos_zip
{
meta:
description = "Find zip archives of panels"
author = "Brian Carter"
last_modified = "April 27, 2017"
strings:
$txt1 = "cp.php"
$txt2 = "gate.php"
$txt3 = "api.php"
$txt4 = "file.php"
$txt5 = "ts.php"
$txt6 = "index.php"
$magic = { 50 4b 03 04 }
condition:
$magic at 0 and all of ($txt*)
}
rule new_pony_panel
{
meta:
description = "New Pony Zips"
strings:
$txt1 = "includes/design/images/"
$txt2 = "includes/design/style.css"
$txt3 = "admin.php"
$txt4 = "includes/design/images/user.png"
$txt5 = "includes/design/images/main_bg.gif"
$magic = { 50 4b 03 04 }
condition:
$magic at 0 and all of ($txt*)
}

View file

@ -1,21 +0,0 @@
rule config_php
{
meta:
description = "Find config.php files that have details for the db"
author = "Brian Carter"
last_modified = "March 31, 2017"
strings:
$txt1 = "$mysql_host ="
$txt2 = "$mysql_user ="
$txt3 = "mysql_pass ="
$txt4 = "mysql_database ="
$txt5 = "global_filter_list"
$txt6 = "white-list"
$php1 = "<?php"
condition:
$php1 at 0 and all of ($txt*)
}

View file

@ -1,21 +0,0 @@
rule tables_inject
{
meta:
description = "Find zip archives of tables inject panel"
author = "Brian Carter"
last_modified = "August 14, 2017"
strings:
$txt1 = "tinymce"
$txt2 = "cunion.js"
$txt3 = "tables.php"
$txt4 = "sounds/1.mp3"
$txt5 = "storage/db.sqlite"
$magic = { 50 4b 03 04 }
condition:
$magic at 0 and all of ($txt*)
}

View file

@ -1,14 +0,0 @@
rule Pony_gate_php_POST
{
meta:
description = "Possible Pony Sample POST to gate php"
author = "Brian Carter"
last_modified = "June 14, 2016"
condition:
cuckoo.network.http_post(/gate\.php/)
and file_type contains "pe"
and positives > 5
and new_file
}

View file

@ -1,27 +0,0 @@
rule CISA_10376640_04 : trojan wiper CADDYWIPER
{
meta:
Author = "CISA Code & Media Analysis"
Incident = "10376640"
Date = "2022-03-23"
Last_Modified = "20220324_1700"
Actor = "n/a"
Category = "Trojan Wiper"
Family = "CADDYWIPER"
Description = "Detects Caddy wiper samples"
Reference = "https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-115c"
MD5_1 = "42e52b8daf63e6e26c3aa91e7e971492"
SHA256_1 = "a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea"
strings:
$s0 = { 44 73 52 6F 6C 65 47 65 74 50 72 69 6D 61 72 79 44 6F 6D 61 69 6E }
$s1 = { 50 C6 45 A1 00 C6 45 A2 48 C6 45 A3 00 C6 45 A4 59 C6 }
$s2 = { C6 45 A6 53 C6 45 A7 00 C6 45 A8 49 C6 }
$s3 = { C6 45 B0 44 C6 45 B1 00 C6 45 B2 52 }
$s4 = { C6 45 B8 45 C6 45 B9 00 C6 45 BA 39 }
$s5 = { C6 45 AC 43 C6 45 AD 3A C6 45 AE 5C C6 45 AF }
$s6 = { 55 C6 45 B0 73 C6 45 B1 65 C6 45 B2 72 C6 45 B3 }
$s7 = { C6 45 E0 44 C6 45 E1 3A C6 45 E2 5C C6 45 E3 }
$s8 = { 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F }
condition:
all of them
}

View file

@ -1,23 +0,0 @@
rule CISA_10328929_01 : trojan webshell exploit CVE_2021_27065
{
meta:
Author = "CISA Code & Media Analysis"
Incident = "10328929"
Date = "2021-03-17"
Last_Modified = "20210317_2200"
Actor = "n/a"
Category = "Trojan WebShell Exploit CVE-2021-27065"
Family = "HAFNIUM"
Description = "Detects CVE-2021-27065 Webshellz"
Reference = "https://www.cisa.gov/uscert/ncas/analysis-reports/ar21-084b"
MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"
SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"
strings:
$s0 = { 65 76 61 6C 28 52 65 71 75 65 73 74 5B 22 [1-32] 5D 2C 22 75 6E 73 61 66 65 22 29 }
$s1 = { 65 76 61 6C 28 }
$s2 = { 28 52 65 71 75 65 73 74 2E 49 74 65 6D 5B [1-36] 5D 29 29 2C 22 75 6E 73 61 66 65 22 29 }
$s3 = { 49 4F 2E 53 74 72 65 61 6D 57 72 69 74 65 72 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }
$s4 = { 57 72 69 74 65 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }
condition:
$s0 or ($s1 and $s2) or ($s3 and $s4)
}

View file

@ -1,21 +0,0 @@
rule CISA_10328929_02 : trojan webshell exploit CVE_2021_27065
{
meta:
Author = "CISA Code & Media Analysis"
Incident = "10328929"
Date = "2021-03-17"
Last_Modified = "20210317_2200"
Actor = "n/a"
Category = "Trojan WebShell Exploit CVE-2021-27065"
Family = "HAFNIUM"
Description = "Detects CVE-2021-27065 Exchange OAB VD MOD"
Reference = "https://www.cisa.gov/uscert/ncas/analysis-reports/ar21-084b"
MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"
SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"
strings:
$s0 = { 4F 66 66 6C 69 6E 65 41 64 64 72 65 73 73 42 6F 6F 6B 73 }
$s1 = { 3A 20 68 74 74 70 3A 2F 2F [1] 2F }
$s2 = { 45 78 74 65 72 6E 61 6C 55 72 6C 20 20 20 20 }
condition:
$s0 and $s1 and $s2
}

View file

@ -1,34 +0,0 @@
rule CISA_10376640_02 : trojan wiper worm HERMETICWIZARD
{
meta:
Author = "CISA Code & Media Analysis"
Incident = "10376640"
Date = "2022-03-12"
Last_Modified = "20220413_1300"
Actor = "n/a"
Category = "Trojan Wiper Worm"
Family = "HERMETICWIZARD"
Description = "Detects Hermetic Wizard samples"
Reference = "https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-115b"
MD5_1 = "0959bf541d52b6e2915420442bf44ce8"
SHA256_1 = "5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48"
strings:
$s0 = { 70 00 69 00 70 00 65 00 5C 00 25 00 73 }
$s1 = { 6E 00 6D 00 61 00 6E 00 73 00 65 00 72 00 76 }
$s2 = { 73 61 6D 72 }
$s3 = { 62 72 6F 77 73 65 72 }
$s4 = { 6E 65 74 6C 6F 67 6F 6E }
$s5 = { 6C 73 61 72 70 63 }
$s6 = { 6E 74 73 76 63 73 }
$s7 = { 73 76 63 63 74 6C }
$s8 = { 73 74 61 72 74 20 63 6D 64 20 2F 63 20 22 70 69 6E 67 20 6C 6F 63 61 6C 68 6F 73 74 }
$s9 = { 67 00 75 00 65 00 73 00 74 }
$s10 = { 74 00 65 00 73 00 74 }
$s11 = { 75 00 73 00 65 00 72 }
$s12 = { 61 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F }
$s13 = { 51 00 61 00 7A 00 31 00 32 00 33 }
$s14 = { 51 00 77 00 65 00 72 00 74 00 79 00 31 00 32 }
$s15 = { 63 6D 64 20 2F 63 20 73 74 61 72 74 20 72 65 67 }
condition:
all of them
}

View file

@ -1,24 +0,0 @@
rule CISA_10376640_03 : trojan wiper worm HERMETICWIZARD
{
meta:
Author = "CISA Code & Media Analysis"
Incident = "10376640"
Date = "2022-03-13"
Last_Modified = "20220413_1300"
Actor = "n/a"
Category = "Trojan Wiper Worm"
Family = "HERMETICWIZARD"
Description = "Detects Hermetic Wizard samples"
Reference = "https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-115b"
MD5_1 = "58d71fff346017cf8311120c69c9946a"
SHA256_1 = "2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b"
strings:
$s0 = { 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F }
$s1 = { 5C 00 5C 00 25 00 73 00 5C 00 70 00 69 00 70 00 65 00 5C 00 25 00 73 }
$s2 = { 64 00 6C 00 6C 00 00 00 2D 00 69 }
$s3 = { 2D 00 68 00 00 00 00 00 2D 00 73 }
$s4 = { 2D 00 63 00 00 00 00 00 2D 00 61 }
$s5 = { 43 6F 6D 6D 61 6E 64 4C 69 6E 65 54 6F 41 72 67 76 57 }
condition:
all of them
}

View file

@ -1,21 +0,0 @@
rule CISA_10376640_05 : trojan wiper worm HERMETICWIZARD
{
meta:
Author = "CISA Code & Media Analysis"
Incident = "10376640"
Date = "2022-04-14"
Last_Modified = "20220414_1037"
Actor = "n/a"
Category = "Trojan Wiper Worm"
Family = "HERMETICWIZARD"
Description = "Detects Hermetic Wizard samples"
Reference = "https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-115b"
MD5_1 = "517d2b385b846d6ea13b75b8adceb061"
SHA256 = "a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec"
strings:
$s0 = { 57 69 7A 61 72 64 2E 64 6C 6C }
$s1 = { 69 6E 66 6C 61 74 65 }
$s2 = { 4D 61 72 6B 20 41 64 6C 65 72 }
condition:
all of them and filesize < 2000KB
}

View file

@ -1,29 +0,0 @@
ule CISA_10376640_01 : trojan wiper ISAACWIPER
{
meta:
Author = "CISA Code & Media Analysis"
Incident = "10376640"
Date = "2022-03-14"
Last_Modified = "20220418_1900"
Actor = "n/a"
Category = "Trojan Wiper"
Family = "ISAACWIPER"
Description = "Detects ISACC Wiper samples"
MD5_1 = "aa98b92e3320af7a1639de1bac6c17cc"
SHA256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f"
MD5_2 = "8061889aaebd955ba6fb493abe7a4de1"
SHA256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a"
MD5_3 = "ecce8845921a91854ab34bff2623151e"
SHA256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033"
strings:
$s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6E 00 67 }
$s1 = { 6C 00 6F 00 67 00 69 00 63 00 61 00 6C }
$s2 = { 46 00 41 00 49 00 4C 00 45 00 44 }
$s3 = { 5C 00 6C 00 6F 00 67 00 2E 00 74 00 78 00 74 }
$s4 = { 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F }
$s5 = {53 74 61 72 74 40 34}
$s6 = {3B 57 34 74 2D 6A}
$s7 = {43 6C 65 61 6E 65 72 2E}
condition:
all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7)
}

View file

@ -1,30 +0,0 @@
rule CISA_10376640_01 : trojan wiper ISAACWIPER
{
meta:
Author = "CISA Code & Media Analysis"
Incident = "10376640"
Date = "2022-03-14"
Last_Modified = "20220418_1900"
Actor = "n/a"
Category = "Trojan Wiper"
Family = "ISAACWIPER"
Description = "Detects ISACC Wiper samples"
Reference = "https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-115b"
MD5_1 = "aa98b92e3320af7a1639de1bac6c17cc"
SHA256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f"
MD5_2 = "8061889aaebd955ba6fb493abe7a4de1"
SHA256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a"
MD5_3 = "ecce8845921a91854ab34bff2623151e"
SHA256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033"
strings:
$s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6E 00 67 }
$s1 = { 6C 00 6F 00 67 00 69 00 63 00 61 00 6C }
$s2 = { 46 00 41 00 49 00 4C 00 45 00 44 }
$s3 = { 5C 00 6C 00 6F 00 67 00 2E 00 74 00 78 00 74 }
$s4 = { 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F }
$s5 = {53 74 61 72 74 40 34}
$s6 = {3B 57 34 74 2D 6A}
$s7 = {43 6C 65 61 6E 65 72 2E}
condition:
all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7)
}

View file

@ -1,14 +0,0 @@
rule ElMachete_doc
{
meta:
author = "CPR"
reference = "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/"
hash1 = "8E1360CC27E95FC47924D9BA3EF84CB8FA9E142CFD16E1503C5277D0C16AE241"
strings:
$s1 = "You want to continue with the Document" ascii
$s2 = "certutil -decode" ascii
$s3 = /C:\\ProgramData\\.{1,20}\.txt/
$s4 = /C:\\ProgramData\\.{1,20}\.vbe/
condition:
uint16be(0) == 0xD0CF and 2 of ($s*)
}

View file

@ -1,17 +0,0 @@
rule ElMachete_msi
{
meta:
author = "CPR"
reference = "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/"
hash1 = "ED09DA9D48AFE918F9C7F72FE4466167E2F127A28A7641BA80D6165E82F48431"
strings:
$s1 = "MSI Wrapper (8.0.26.0)"
$s2 = "Windows Installer XML Toolset (3.11.0.1701)"
$s3 = "\\Lib\\site-packages\\PIL\\"
$s4 = "\\Lib\\site-packages\\pyHook\\"
$s5 = "\\Lib\\site-packages\\requests\\"
$s6 = "\\Lib\\site-packages\\win32com\\"
$s7 = "\\Lib\\site-packages\\Crypto\\"
condition:
4 of them
}

View file

@ -1,11 +0,0 @@
rule Gozi_JJ_struct: trojan {
meta:
module = "Gozi_JJ_struct"
reference = "https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/"
strings:
$jj = "JJ" ascii
$pe_file = "This program cannot be run in DOS mode" ascii
$bss = ".bss" ascii
condition:
#jj >= 2 and (for all i in (1,2) : (@jj[i] < 0x400 and @jj[i] > 0x200)) and (@jj[2] - @jj[1] == 0x14) and ($pe_file in (0..1000)) and ($bss in (0..1000))
}

File diff suppressed because one or more lines are too long

View file

@ -1,16 +0,0 @@
rule TeamViwer_backdoor
{
meta:
date = "2019-04-14"
description = "Detects malicious TeamViewer DLLs"
reference = "https://research.checkpoint.com/2019/finteam-trojanized-teamviewer-against-government-targets/"
strings:
// PostMessageW hook function
$x1 = {55 8b ec 8b 45 0c 3d 12 01 00 00 75 05 83 c8 ff eb 12 8b 55 14 52 8b 55 10 52 50 8b 45 08 50 e8}
condition:
uint16(0) == 0x5a4d and $x1
}

View file

@ -1,14 +0,0 @@
rule ZZ_breakwin_config {
meta:
description = "Detects the header of the encrypted config files, assuming known encryption key."
reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
author = "Check Point Research"
date = "22-07-2021"
hash = "948febaab71727217303e0aabb9126f242aa51f89caa7f070a3da76c4f5699ed"
hash = "2d35bb7c02062ff2fba4424a267c5c83351405281a1870f52d02f3712a547a22"
hash = "68e95a3ccde3ea22b8eb8adcf0ad53c7993b2ea5316948e31d9eadd11b5151d7"
strings:
$conf_header = {1A 69 45 47 5E 46 4A 06 03 E4 34 0B 06 1D ED 2F 02 15 02 E5 57 4D 59 59 D1 40 20 22}
condition:
$conf_header at 0
}

View file

@ -1,23 +0,0 @@
rule ZZ_breakwin_meteor_batch_files {
meta:
description = "Detect the batch files used in the attacks"
reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
author = "Check Point Research"
date = "22-07-2021"
strings:
$filename_0 = "mscap.bmp"
$filename_1 = "mscap.jpg"
$filename_2 = "msconf.conf"
$filename_3 = "msmachine.reg"
$filename_4 = "mssetup.exe"
$filename_5 = "msuser.reg"
$filename_6 = "msapp.exe"
$filename_7 = "bcd.rar"
$filename_8 = "bcd.bat"
$filename_9 = "msrun.bat"
$command_line_0 = "powershell -Command \"%exclude_command% '%defender_exclusion_folder%"
$command_line_1 = "start /b \"\" update.bat hackemall"
condition:
4 of ($filename_*) or
any of ($command_line_*)
}

View file

@ -1,20 +0,0 @@
rule ZZ_breakwin_stardust_vbs {
meta:
description = "Detect the VBS files that where found in the attacks on targets in Syria"
reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
author = "Check Point Research"
date = "22-07-2021"
hash = "38a419cd9456e40961c781e16ceee99d970be4e9235ccce0b316efe68aba3933"
hash = "62a984981d14b562939294df9e479ac0d65dfc412d0449114ccb2a0bc93769b0"
hash = "4d994b864d785abccef829d84f91d949562d0af934114b65056315bf59c1ef58"
hash = "eb5237d56c0467b5def9a92e445e34eeed9af2fee28f3a2d2600363724d6f8b0"
hash = "5553ba3dc141cd63878a7f9f0a0e67fb7e887010c0614efd97bbc6c0be9ec2ad"
strings:
$url_template = "progress.php?hn=\" & CN & \"&dt=\" & DT & \"&st="
$compression_password_1 = "YWhZMFU1VlZGdGNFNWlhMVlVMnhTMWtOVlJVWWNGTk9iVTQxVW10V0ZFeFJUMD0r"
$compression_password_2 = "YWlvcyBqQCNAciNxIGpmc2FkKnIoOUZURjlVSjBSRjJRSlJGODlKSDIzRmloIG8"
$uninstall_kaspersky = "Shell.Run \"msiexec.exe /x \" & productcode & \" KLLOGIN="
$is_avp_running = "isProcessRunning(\".\", \"avp.exe\") Then"
condition:
any of them
}

View file

@ -1,120 +0,0 @@
rule ZZ_breakwin_wiper {
meta:
description = "Detects the BreakWin wiper that was used in attacks in Syria"
reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
author = "Check Point Research"
date = "22-07-2021"
hash = "2aa6e42cb33ec3c132ffce425a92dfdb5e29d8ac112631aec068c8a78314d49b"
hash = "6709d332fbd5cde1d8e5b0373b6ff70c85fee73bd911ab3f1232bb5db9242dd4"
hash = "d71cc6337efb5cbbb400d57c8fdeb48d7af12a292fa87a55e8705d18b09f516e"
strings:
$debug_str_meteor_1 = "the program received an invalid number of arguments" wide
$debug_str_meteor_2 = "End interval logger. Resuming writing every log" wide
$debug_str_meteor_0 = "failed to initialize configuration from file" wide
$debug_str_meteor_3 = "Meteor is still alive." wide
$debug_str_meteor_4 = "Exiting main function because of some error" wide
$debug_str_meteor_5 = "Meteor has finished. This shouldn't be possible because of the is-alive loop." wide
$debug_str_meteor_6 = "Meteor has started." wide
$debug_str_meteor_7 = "Could not hide current console." wide
$debug_str_meteor_8 = "Could not get the window handle used by the console." wide
$debug_str_meteor_9 = "Failed to find base-64 data size" wide
$debug_str_meteor_10 = "Running locker thread" wide
$debug_str_meteor_11 = "Failed to encode wide-character string as Base64" wide
$debug_str_meteor_12 = "Wiper operation failed." wide
$debug_str_meteor_13 = "Screen saver disable failed." wide
$debug_str_meteor_14 = "Failed to generate password of length %s. Generating a default one." wide
$debug_str_meteor_15 = "Failed to delete boot configuration" wide
$debug_str_meteor_16 = "Could not delete all BCD entries." wide
$debug_str_meteor_17 = "Finished deleting BCD entries." wide
$debug_str_meteor_18 = "Failed to change lock screen" wide
$debug_str_meteor_19 = "Boot configuration deleted successfully" wide
$debug_str_meteor_20 = "Failed to kill all winlogon processes" wide
$debug_str_meteor_21 = "Changing passwords of all users to" wide
$debug_str_meteor_22 = "Failed to change the passwords of all users" wide
$debug_str_meteor_23 = "Failed to run the locker thread" wide
$debug_str_meteor_24 = "Screen saver disabled successfully." wide
$debug_str_meteor_25 = "Generating random password failed" wide
$debug_str_meteor_26 = "Locker installation failed" wide
$debug_str_meteor_27 = "Failed to set auto logon." wide
$debug_str_meteor_28 = "Failed to initialize interval logger. Using a dummy logger instead." wide
$debug_str_meteor_29 = "Succeeded setting auto logon for" wide
$debug_str_meteor_30 = "Failed disabling the first logon privacy settings user approval." wide
$debug_str_meteor_31 = "Failed disabling the first logon animation." wide
$debug_str_meteor_32 = "Waiting for new winlogon process" wide
$debug_str_meteor_33 = "Failed to isolate from domain" wide
$debug_str_meteor_34 = "Failed creating scheduled task for system with name %s." wide
$debug_str_meteor_35 = "Failed to get the new token of winlogon." wide
$debug_str_meteor_36 = "Failed adding new admin user." wide
$debug_str_meteor_37 = "Failed changing settings for the created new user." wide
$debug_str_meteor_38 = "Failed disabling recovery mode." wide
$debug_str_meteor_39 = "Logging off users on Windows version 8 or above" wide
$debug_str_meteor_40 = "Succeeded setting boot policy to ignore all errors." wide
$debug_str_meteor_41 = "Succeeded creating scheduled task for system with name" wide
$debug_str_meteor_42 = "Succeeded disabling recovery mode" wide
$debug_str_meteor_43 = "Failed to log off all sessions" wide
$debug_str_meteor_44 = "Failed to delete shadowcopies." wide
$debug_str_meteor_45 = "Failed logging off session: " wide
$debug_str_meteor_46 = "Failed setting boot policy to ignore all errors." wide
$debug_str_meteor_47 = "Successfully logged off all local sessions, except winlogon." wide
$debug_str_meteor_48 = "Succeeded creating scheduled task with name %s for user %s." wide
$debug_str_meteor_49 = "Killing all winlogon processes" wide
$debug_str_meteor_50 = "Logging off users in Windows 7" wide
$debug_str_meteor_51 = "Failed logging off all local sessions, except winlogon." wide
$debug_str_meteor_52 = "Failed creating scheduled task with name %s for user %s." wide
$debug_str_meteor_53 = "Succeeded deleting shadowcopies." wide
$debug_str_meteor_54 = "Logging off users in Windows XP" wide
$debug_str_meteor_55 = "Failed changing settings for the created new user." wide
$debug_str_meteor_56 = "Could not open file %s. error message: %s" wide
$debug_str_meteor_57 = "Could not write to file %s. error message: %s" wide
$debug_str_meteor_58 = "tCould not tell file pointer location on file %s." wide
$debug_str_meteor_59 = "Could not set file pointer location on file %s to offset %s." wide
$debug_str_meteor_60 = "Could not read from file %s. error message: %s" wide
$debug_str_meteor_61 = "Failed to wipe file %s" wide
$debug_str_meteor_62 = "attempted to access encrypted file in offset %s, but it only supports offset 0" wide
$debug_str_meteor_63 = "Failed to create thread. Error message: %s" wide
$debug_str_meteor_64 = "Failed to wipe file %s" wide
$debug_str_meteor_65 = "failed to get configuration value with key %s" wide
$debug_str_meteor_66 = "failed to parse the configuration from file %s" wide
$debug_str_meteor_67 = "Failed posting to server, received unknown exception" wide
$debug_str_meteor_68 = "Failed posting to server, received std::exception" wide
$debug_str_meteor_69 = "Skipping %s logs. Writing log number %s:" wide
$debug_str_meteor_70 = "Start interval logger. Writing logs with an interval of %s logs." wide
$debug_str_meteor_71 = "failed to write message to log file %s" wide
$debug_str_meteor_72 = "The log message is too big: %s/%s characters." wide
$debug_str_stardust_0 = "Stardust has started." wide
$debug_str_stardust_1 = "0Vy0qMGO" ascii wide
$debug_str_comet_0 = "Comet has started." wide
$debug_str_comet_1 = "Comet has finished." wide
$str_lock_my_pc = "Lock My PC 4" ascii wide
$config_entry_0 = "state_path" ascii
$config_entry_1 = "state_encryption_key" ascii
$config_entry_2 = "log_server_port" ascii
$config_entry_3 = "log_file_path" ascii
$config_entry_4 = "log_encryption_key" ascii
$config_entry_5 = "log_server_ip" ascii
$config_entry_6 = "processes_to_kill" ascii
$config_entry_7 = "process_termination_timeout" ascii
$config_entry_8 = "paths_to_wipe" ascii
$config_entry_9 = "wiping_stage_logger_interval" ascii
$config_entry_10 = "locker_exe_path" ascii
$config_entry_11 = "locker_background_image_jpg_path" ascii
$config_entry_12 = "auto_logon_path" ascii
$config_entry_13 = "locker_installer_path" ascii
$config_entry_14 = "locker_password_hash" ascii
$config_entry_15 = "users_password" ascii
$config_entry_16 = "locker_background_image_bmp_path" ascii
$config_entry_17 = "locker_registry_settings_files" ascii
$config_entry_18 = "cleanup_script_path" ascii
$config_entry_19 = "is_alive_loop_interval" ascii
$config_entry_20 = "cleanup_scheduled_task_name" ascii
$config_entry_21 = "self_scheduled_task_name" ascii
$encryption_asm = {33 D2 8B C3 F7 75 E8 8B 41 04 8B 4E 04 8A 04 02 02 C3 32 04 1F 88 45 F3 39 4E 08}
$random_string_generation = {33 D2 59 F7 F1 83 ?? ?? 08 66 0F BE 82 ?? ?? ?? 00 0F B7 C8 8B C7}
condition:
uint16(0) == 0x5A4D and
(
6 of them or
$encryption_asm or
$random_string_generation
)
}

View file

@ -1,39 +0,0 @@
rule apt3_bemstour_implant_byte_patch
{
meta:
description = "Detects an implant used by Bemstour exploitation tool (APT3)"
reference = "https://research.checkpoint.com/2019/upsynergy/"
author = "Mark Lechtik"
company = "Check Point Software Technologies LTD."
date = "2019-06-25"
sha256 = "0b28433a2b7993da65e95a45c2adf7bc37edbd2a8db717b85666d6c88140698a"
/*
0x41b7e1L C745B8558BEC83 mov dword ptr [ebp - 0x48], 0x83ec8b55
0x41b7e8L C745BCEC745356 mov dword ptr [ebp - 0x44], 0x565374ec
0x41b7efL C745C08B750833 mov dword ptr [ebp - 0x40], 0x3308758b
0x41b7f6L C745C4C957C745 mov dword ptr [ebp - 0x3c], 0x45c757c9
0x41b7fdL C745C88C4C6F61 mov dword ptr [ebp - 0x38], 0x616f4c8c
*/
strings:
$chunk_1 = {
C7 45 ?? 55 8B EC 83
C7 45 ?? EC 74 53 56
C7 45 ?? 8B 75 08 33
C7 45 ?? C9 57 C7 45
C7 45 ?? 8C 4C 6F 61
}
condition:
any of them
}

View file

@ -1,169 +0,0 @@
rule apt3_bemstour_implant_command_stack_variable
{
meta:
description = "Detecs an implant used by Bemstour exploitation tool (APT3)"
reference = "https://research.checkpoint.com/2019/upsynergy/"
author = "Mark Lechtik"
company = "Check Point Software Technologies LTD."
date = "2019-06-25"
sha256 = "0b28433a2b7993da65e95a45c2adf7bc37edbd2a8db717b85666d6c88140698a"
strings:
/*
0x41ba18L C78534FFFFFF636D642E mov dword ptr [ebp - 0xcc], 0x2e646d63
0x41ba22L C78538FFFFFF65786520 mov dword ptr [ebp - 0xc8], 0x20657865
0x41ba2cL C7853CFFFFFF2F632063 mov dword ptr [ebp - 0xc4], 0x6320632f
0x41ba36L C78540FFFFFF6F707920 mov dword ptr [ebp - 0xc0], 0x2079706f
0x41ba40L C78544FFFFFF2577696E mov dword ptr [ebp - 0xbc], 0x6e697725
0x41ba4aL C78548FFFFFF64697225 mov dword ptr [ebp - 0xb8], 0x25726964
0x41ba54L C7854CFFFFFF5C737973 mov dword ptr [ebp - 0xb4], 0x7379735c
0x41ba5eL C78550FFFFFF74656D33 mov dword ptr [ebp - 0xb0], 0x336d6574
0x41ba68L C78554FFFFFF325C636D mov dword ptr [ebp - 0xac], 0x6d635c32
0x41ba72L C78558FFFFFF642E6578 mov dword ptr [ebp - 0xa8], 0x78652e64
0x41ba7cL C7855CFFFFFF65202577 mov dword ptr [ebp - 0xa4], 0x77252065
0x41ba86L C78560FFFFFF696E6469 mov dword ptr [ebp - 0xa0], 0x69646e69
0x41ba90L C78564FFFFFF72255C73 mov dword ptr [ebp - 0x9c], 0x735c2572
0x41ba9aL C78568FFFFFF79737465 mov dword ptr [ebp - 0x98], 0x65747379
0x41baa4L C7856CFFFFFF6D33325C mov dword ptr [ebp - 0x94], 0x5c32336d
0x41baaeL C78570FFFFFF73657468 mov dword ptr [ebp - 0x90], 0x68746573
0x41bab8L C78574FFFFFF632E6578 mov dword ptr [ebp - 0x8c], 0x78652e63
0x41bac2L C78578FFFFFF65202F79 mov dword ptr [ebp - 0x88], 0x792f2065
0x41baccL 83A57CFFFFFF00 and dword ptr [ebp - 0x84], 0
*/
$chunk_1 = {
C7 85 ?? ?? ?? ?? 63 6D 64 2E
C7 85 ?? ?? ?? ?? 65 78 65 20
C7 85 ?? ?? ?? ?? 2F 63 20 63
C7 85 ?? ?? ?? ?? 6F 70 79 20
C7 85 ?? ?? ?? ?? 25 77 69 6E
C7 85 ?? ?? ?? ?? 64 69 72 25
C7 85 ?? ?? ?? ?? 5C 73 79 73
C7 85 ?? ?? ?? ?? 74 65 6D 33
C7 85 ?? ?? ?? ?? 32 5C 63 6D
C7 85 ?? ?? ?? ?? 64 2E 65 78
C7 85 ?? ?? ?? ?? 65 20 25 77
C7 85 ?? ?? ?? ?? 69 6E 64 69
C7 85 ?? ?? ?? ?? 72 25 5C 73
C7 85 ?? ?? ?? ?? 79 73 74 65
C7 85 ?? ?? ?? ?? 6D 33 32 5C
C7 85 ?? ?? ?? ?? 73 65 74 68
C7 85 ?? ?? ?? ?? 63 2E 65 78
C7 85 ?? ?? ?? ?? 65 20 2F 79
83 A5 ?? ?? ?? ?? 00
}
/*
0x41baeeL C785D8FEFFFF636D6420 mov dword ptr [ebp - 0x128], 0x20646d63
0x41baf8L C785DCFEFFFF2F632022 mov dword ptr [ebp - 0x124], 0x2220632f
0x41bb02L C785E0FEFFFF6E657420 mov dword ptr [ebp - 0x120], 0x2074656e
0x41bb0cL C785E4FEFFFF75736572 mov dword ptr [ebp - 0x11c], 0x72657375
0x41bb16L C785E8FEFFFF20636573 mov dword ptr [ebp - 0x118], 0x73656320
0x41bb20L C785ECFEFFFF73757070 mov dword ptr [ebp - 0x114], 0x70707573
0x41bb2aL C785F0FEFFFF6F727420 mov dword ptr [ebp - 0x110], 0x2074726f
0x41bb34L C785F4FEFFFF3171617A mov dword ptr [ebp - 0x10c], 0x7a617131
0x41bb3eL C785F8FEFFFF23454443 mov dword ptr [ebp - 0x108], 0x43444523
0x41bb48L C785FCFEFFFF202F6164 mov dword ptr [ebp - 0x104], 0x64612f20
0x41bb52L C78500FFFFFF64202626 mov dword ptr [ebp - 0x100], 0x26262064
0x41bb5cL C78504FFFFFF206E6574 mov dword ptr [ebp - 0xfc], 0x74656e20
0x41bb66L C78508FFFFFF206C6F63 mov dword ptr [ebp - 0xf8], 0x636f6c20
0x41bb70L C7850CFFFFFF616C6772 mov dword ptr [ebp - 0xf4], 0x72676c61
0x41bb7aL C78510FFFFFF6F757020 mov dword ptr [ebp - 0xf0], 0x2070756f
0x41bb84L C78514FFFFFF61646D69 mov dword ptr [ebp - 0xec], 0x696d6461
0x41bb8eL C78518FFFFFF6E697374 mov dword ptr [ebp - 0xe8], 0x7473696e
0x41bb98L C7851CFFFFFF7261746F mov dword ptr [ebp - 0xe4], 0x6f746172
0x41bba2L C78520FFFFFF72732063 mov dword ptr [ebp - 0xe0], 0x63207372
0x41bbacL C78524FFFFFF65737375 mov dword ptr [ebp - 0xdc], 0x75737365
0x41bbb6L C78528FFFFFF70706F72 mov dword ptr [ebp - 0xd8], 0x726f7070
0x41bbc0L C7852CFFFFFF74202F61 mov dword ptr [ebp - 0xd4], 0x612f2074
0x41bbcaL C78530FFFFFF64642200 mov dword ptr [ebp - 0xd0], 0x226464
0x41bbd4L 6A5C push 0x5c
*/
$chunk_2 = {
C7 85 ?? ?? ?? ?? 63 6D 64 20
C7 85 ?? ?? ?? ?? 2F 63 20 22
C7 85 ?? ?? ?? ?? 6E 65 74 20
C7 85 ?? ?? ?? ?? 75 73 65 72
C7 85 ?? ?? ?? ?? 20 63 65 73
C7 85 ?? ?? ?? ?? 73 75 70 70
C7 85 ?? ?? ?? ?? 6F 72 74 20
C7 85 ?? ?? ?? ?? 31 71 61 7A
C7 85 ?? ?? ?? ?? 23 45 44 43
C7 85 ?? ?? ?? ?? 20 2F 61 64
C7 85 ?? ?? ?? ?? 64 20 26 26
C7 85 ?? ?? ?? ?? 20 6E 65 74
C7 85 ?? ?? ?? ?? 20 6C 6F 63
C7 85 ?? ?? ?? ?? 61 6C 67 72
C7 85 ?? ?? ?? ?? 6F 75 70 20
C7 85 ?? ?? ?? ?? 61 64 6D 69
C7 85 ?? ?? ?? ?? 6E 69 73 74
C7 85 ?? ?? ?? ?? 72 61 74 6F
C7 85 ?? ?? ?? ?? 72 73 20 63
C7 85 ?? ?? ?? ?? 65 73 73 75
C7 85 ?? ?? ?? ?? 70 70 6F 72
C7 85 ?? ?? ?? ?? 74 20 2F 61
C7 85 ?? ?? ?? ?? 64 64 22 00
6A 5C
}
/*
0x41be22L C745D057696E45 mov dword ptr [ebp - 0x30], 0x456e6957
0x41be29L C745D478656300 mov dword ptr [ebp - 0x2c], 0x636578
0x41be30L C7459C47657450 mov dword ptr [ebp - 0x64], 0x50746547
0x41be37L C745A0726F6341 mov dword ptr [ebp - 0x60], 0x41636f72
0x41be3eL C745A464647265 mov dword ptr [ebp - 0x5c], 0x65726464
0x41be45L C745A873730000 mov dword ptr [ebp - 0x58], 0x7373
0x41be4cL C745C443726561 mov dword ptr [ebp - 0x3c], 0x61657243
0x41be53L C745C874654669 mov dword ptr [ebp - 0x38], 0x69466574
0x41be5aL C745CC6C654100 mov dword ptr [ebp - 0x34], 0x41656c
0x41be61L C745B857726974 mov dword ptr [ebp - 0x48], 0x74697257
0x41be68L C745BC6546696C mov dword ptr [ebp - 0x44], 0x6c694665
0x41be6fL C745C065000000 mov dword ptr [ebp - 0x40], 0x65
0x41be76L C745AC436C6F73 mov dword ptr [ebp - 0x54], 0x736f6c43
0x41be7dL C745B06548616E mov dword ptr [ebp - 0x50], 0x6e614865
0x41be84L C745B4646C6500 mov dword ptr [ebp - 0x4c], 0x656c64
0x41be8bL 894DE8 mov dword ptr [ebp - 0x18], ecx
*/
$chunk_3 = {
C7 45 ?? 57 69 6E 45
C7 45 ?? 78 65 63 00
C7 45 ?? 47 65 74 50
C7 45 ?? 72 6F 63 41
C7 45 ?? 64 64 72 65
C7 45 ?? 73 73 00 00
C7 45 ?? 43 72 65 61
C7 45 ?? 74 65 46 69
C7 45 ?? 6C 65 41 00
C7 45 ?? 57 72 69 74
C7 45 ?? 65 46 69 6C
C7 45 ?? 65 00 00 00
C7 45 ?? 43 6C 6F 73
C7 45 ?? 65 48 61 6E
C7 45 ?? 64 6C 65 00
89 4D ??
}
condition:
any of them
}

View file

@ -1,68 +0,0 @@
rule apt3_bemstour_strings
{
meta:
description = "Detects strings used by the Bemstour exploitation tool"
reference = "https://research.checkpoint.com/2019/upsynergy/"
author = "Mark Lechtik"
company = "Check Point Software Technologies LTD."
date = "2019-06-25"
sha256 = "0b28433a2b7993da65e95a45c2adf7bc37edbd2a8db717b85666d6c88140698a"
strings:
$dbg_print_1 = "leaked address is 0x%llx" ascii wide
$dbg_print_2 = "========== %s ==========" ascii wide
$dbg_print_3 = "detailVersion:%d" ascii wide
$dbg_print_4 = "create pipe twice failed" ascii wide
$dbg_print_5 = "WSAStartup function failed with error: %d" ascii wide
$dbg_print_6 = "can't open input file." ascii wide
$dbg_print_7 = "Allocate Buffer Failed." ascii wide
$dbg_print_8 = "Connect to target failed." ascii wide
$dbg_print_9 = "connect successful." ascii wide
$dbg_print_10 = "not supported Platform" ascii wide
$dbg_print_11 = "Wait several seconds." ascii wide
$dbg_print_12 = "not set where to write ListEntry ." ascii wide
$dbg_print_13 = "backdoor not installed." ascii wide
$dbg_print_14 = "REConnect to target failed." ascii wide
$dbg_print_15 = "Construct TreeConnectAndX Request Failed." ascii wide
$dbg_print_16 = "Construct NTCreateAndXRequest Failed." ascii wide
$dbg_print_17 = "Construct Trans2 Failed." ascii wide
$dbg_print_18 = "Construct ConsWXR Failed." ascii wide
$dbg_print_19 = "Construct ConsTransSecondary Failed." ascii wide
$dbg_print_20 = "if you don't want to input password , use server2003 version.." ascii wide
$cmdline_1 = "Command format %s TargetIp domainname username password 2" ascii wide
$cmdline_2 = "Command format %s TargetIp domainname username password 1" ascii wide
$cmdline_3 = "cmd.exe /c net user test test /add && cmd.exe /c net localgroup administrators test /add" ascii wide
$cmdline_4 = "hello.exe \"C:\\WINDOWS\\DEBUG\\test.exe\"" ascii wide
$cmdline_5 = "parameter not right" ascii wide
$smb_param_1 = "browser" ascii wide
$smb_param_2 = "spoolss" ascii wide
$smb_param_3 = "srvsvc" ascii wide
$smb_param_4 = "\\PIPE\\LANMAN" ascii wide
$smb_param_5 = "Werttys for Workgroups 3.1a" ascii wide
$smb_param_6 = "PC NETWORK PROGRAM 1.0" ascii wide
$smb_param_7 = "LANMAN1.0" ascii wide
$smb_param_8 = "LM1.2X002" ascii wide
$smb_param_9 = "LANMAN2.1" ascii wide
$smb_param_10 = "NT LM 0.12" ascii wide
$smb_param_12 = "WORKGROUP" ascii wide
$smb_param_13 = "Windows Server 2003 3790 Service Pack 2" ascii wide
$smb_param_14 = "Windows Server 2003 5.2" ascii wide
$smb_param_15 = "Windows 2002 Service Pack 2 2600" ascii wide
$smb_param_16 = "Windows 2002 5.1" ascii wide
$smb_param_17 = "PC NETWORK PROGRAM 1.0" ascii wide
$smb_param_18 = "Windows 2002 5.1" ascii wide
$smb_param_19 = "Windows for Workgroups 3.1a" ascii wide
$unique_str_1 = "WIN-NGJ7GKNROVS"
$unique_str_2 = "XD-A31C2E0087B2"
condition:
uint16(0) == 0x5a4d and (5 of ($dbg_print*) or 2 of ($cmdline*) or 1 of ($unique_str*)) and 3 of ($smb_param*)
}

View file

@ -1,34 +0,0 @@
rule apt_CN_TwistedPanda_64bit_Loader {
meta:
author = "Check Point Research"
description = "Detect the 64bit Loader DLL used by TwistedPanda"
reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
date = "2022-04-14"
hash = "e0d4ef7190ff50e6ad2a2403c87cc37254498e8cc5a3b2b8798983b1b3cdc94f"
strings:
// 48 8D ?? ?? ?? ?? ?? ?? ?? lea rdx, ds:2[rdx*2]
// 48 8B C1 mov rax, rcx
// 48 81 ?? ?? ?? ?? ?? cmp rdx, 1000h
// 72 ?? jb short loc_7FFDF0BA1B48
$path_check = { 48 8D [6] 48 8B ?? 48 81 [5] 72 }
// 48 8B D0 mov rdx, rax ; lpBuffer
// 41 B8 F0 16 00 00 mov r8d, 16F0h ; nNumberOfBytesToRead
// 48 8B CF mov rcx, rdi ; hFile
// 48 8B D8 mov rbx, rax
// FF ?? ?? ?? ?? call cs:ReadFile
$shellcode_read = { 48 8B D0 41 B8 F0 16 00 00 48 8B CF 48 8B D8 FF}
// BA F0 16 00 00 mov edx, 16F0h ; dwSize
// 44 8D 4E 40 lea r9d, [rsi+40h] ; flProtect
// 33 C9 xor ecx, ecx ; lpAddress
// 41 B8 00 30 00 00 mov r8d, 3000h ; flAllocationType
// FF ?? ?? ?? ?? ?? call cs:VirtualAlloc
$shellcode_allocate = { BA F0 16 00 00 44 8D 4E 40 33 C9 41 B8 00 30 00 00 FF }
condition:
// MZ signature at offset 0 and ...
uint16(0) == 0x5A4D and
// ... PE signature at offset stored in MZ header at 0x3C
uint32(uint32(0x3C)) == 0x00004550 and
filesize < 3000KB and $path_check and $shellcode_allocate and $shellcode_read
}

View file

@ -1,33 +0,0 @@
rule apt_CN_TwistedPanda_SPINNER_1 {
meta:
author = "Check Point Research"
description = "Detect the obfuscated variant of SPINNER payload used by TwistedPanda"
reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
date = "2022-04-14"
hash = "a9fb7bb40de8508606a318866e0e5ff79b98f314e782f26c7044622939dfde81"
strings:
// C7 ?? ?? ?? 00 00 00 mov dword ptr [eax+??], ??
// C7 ?? ?? ?? 00 00 00 mov dword ptr [eax+??], ??
// C6 mov byte ptr [eax], 0
$config_init = { C7 ?? ?? ?? 00 00 00 C7 ?? ?? ?? 00 00 00 C6 }
$c2_cmd_1 = { 01 00 03 10}
$c2_cmd_2 = { 02 00 01 10}
$c2_cmd_3 = { 01 00 01 10}
// 8D 83 ?? ?? ?? ?? lea eax, xor_key[ebx]
// 80 B3 ?? ?? ?? ?? ?? xor xor_key[ebx], 50h
// 89 F1 mov ecx, esi ; this
// 6A 01 push 1 ; Size
// 50 push eax ; Src
// E8 ?? ?? ?? ?? call str_append
// 80 B3 ?? ?? ?? ?? ?? xor xor_key[ebx], 50h
$decryption = { 8D 83 [4] 80 B3 [5] 89 F1 6A 01 50 E8 [4] 80 B3 }
condition:
// MZ signature at offset 0 and ...
uint16(0) == 0x5A4D and
// ... PE signature at offset stored in MZ header at 0x3C
uint32(uint32(0x3C)) == 0x00004550 and
filesize < 3000KB and #config_init > 10 and 2 of ($c2_cmd_*) and $decryption
}

View file

@ -1,35 +0,0 @@
rule apt_CN_TwistedPanda_SPINNER_2 {
meta:
author = "Check Point Research"
description = "Detect an older variant of SPINNER payload used by TwistedPanda"
reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
date = "2022-04-14"
hash = "28ecd1127bac08759d018787484b1bd16213809a2cc414514dc1ea87eb4c5ab8"
strings:
// C7 ?? ?? ?? 00 00 00 mov dword ptr [eax+??], ??
// C7 ?? ?? ?? 00 00 00 mov dword ptr [eax+??], ??
// C6 mov byte ptr [eax], 0
$config_init = { C7 [3] 00 00 00 C7 [3] 00 00 00 C6 }
$c2_cmd_1 = { 01 00 03 10 }
$c2_cmd_2 = { 02 00 01 10 }
$c2_cmd_3 = { 01 00 01 10 }
$c2_cmd_4 = { 01 00 00 10 }
$c2_cmd_5 = { 02 00 00 10 }
// 80 B3 ?? ?? ?? ?? ?? xor ds:dd_encrypted_url[ebx], 50h
// 8D BB ?? ?? ?? ?? lea edi, dd_encrypted_url[ebx]
// 8B 56 14 mov edx, [esi+14h]
// 8B C2 mov eax, edx
// 8B 4E 10 mov ecx, [esi+10h]
// 2B C1 sub eax, ecx
// 83 F8 01 cmp eax, 1
$decryption = { 80 B3 [5] 8D BB [4] 8B 56 14 8B C2 8B 4E 10 2B C1 83 F8 01 }
condition:
// MZ signature at offset 0 and ...
uint16(0) == 0x5A4D and
// ... PE signature at offset stored in MZ header at 0x3C
uint32(uint32(0x3C)) == 0x00004550 and
filesize < 3000KB and #config_init > 10 and 2 of ($c2_cmd_*) and $decryption
}

View file

@ -1,36 +0,0 @@
rule apt_CN_TwistedPanda_droppers {
meta:
author = "Check Point Research"
description = "Detect droppers used by TwistedPanda"
reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
date = "2022-04-14"
hash = "59dea38da6e515af45d6df68f8959601e2bbf0302e35b7989e741e9aba2f0291"
hash = "8b04479fdf22892cdfebd6e6fbed180701e036806ed0ddbe79f0b29f73449248"
hash = "f29a0cda6e56fc0e26efa3b6628c6bcaa0819a3275a10e9da2a8517778152d66"
strings:
// 81 FA ?? ?? ?? ?? cmp edx, 4BED1896h
// 75 ?? jnz short loc_140001829
// E8 ?? ?? ?? ?? call sub_1400019D0
// 48 89 05 ?? ?? ?? ?? mov cs:qword_14001ED38, rax
// E? ?? ?? ?? ?? jmp loc_1400018DD
$switch_control = { 81 FA [4] 75 ?? E8 [4] 48 89 05 [4] E? }
// 41 0F ?? ?? movsx edx, byte ptr [r9]
// 44 ?? ?? or r8d, edx
// 41 ?? ?? 03 rol r8d, 3
// 41 81 ?? ?? ?? ?? ?? xor r8d, 0EF112233h
// 41 ?? ?? mov eax, r10d
$byte_manipulation = { 41 0F [2] 44 [2] 41 [2] 03 41 81 [5] 41 }
// %public%
$stack_strings_1 = { 25 00 70 00 }
$stack_strings_2 = { 75 00 62 00 }
$stack_strings_3 = { 6C 00 69 00 }
$stack_strings_4 = { 63 00 25 00 }
condition:
// MZ signature at offset 0 and ...
uint16(0) == 0x5A4D and
// ... PE signature at offset stored in MZ header at 0x3C
uint32(uint32(0x3C)) == 0x00004550 and
filesize < 3000KB and #switch_control > 8 and all of ($stack_strings_*) and $byte_manipulation
}

View file

@ -1,42 +0,0 @@
rule apt_CN_TwistedPanda_loader {
meta:
author = "Check Point Research"
reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
description = "Detect loader used by TwistedPanda"
date = "2022-04-14"
hash = "5b558c5fcbed8544cb100bd3db3c04a70dca02eec6fedffd5e3dcecb0b04fba0"
hash = "efa754450f199caae204ca387976e197d95cdc7e83641444c1a5a91b58ba6198"
strings:
// 6A 40 push 40h ; '@'
// 68 00 30 00 00 push 3000h
$seq1 = { 6A 40 68 00 30 00 00 }
// 6A 00 push 0 ; lpOverlapped
// 50 push eax ; lpNumberOfBytesRead
// 6A 14 push 14h ; nNumberOfBytesToRead
// 8D ?? ?? ?? ?? ?? lea eax, [ebp+Buffer]
// 50 push eax ; lpBuffer
// 53 push ebx ; hFile
// FF 15 04 D0 4C 70 call ds:ReadFile
$seq2 = { 6A 00 50 6A 14 8D ?? ?? ?? ?? ?? 50 53 FF }
// 6A 00 push 0
// 6A 00 push 0
// 6A 03 push 3
// 6A 00 push 0
// 6A 03 push 3
// 68 00 00 00 80 push 80000000h
$seq3 = { 6A 00 6A 00 6A 03 6A 00 6A 03 68 00 00 00 80 }
// Decryption sequence
$decryption = { 8B C? [2-3] F6 D? 1A C? [2-3] [2-3] 30 0? ?? 4? }
condition:
// MZ signature at offset 0 and ...
uint16(0) == 0x5A4D and
// ... PE signature at offset stored in MZ header at 0x3C
uint32(uint32(0x3C)) == 0x00004550 and
filesize < 3000KB and all of ($seq*) and $decryption
}

View file

@ -1,17 +0,0 @@
rule apt_WebAssistant_TcahfUpdate {
meta:
description = "Rule for detecting the fake WebAssistant and TcahfUpdate applications used to target the Uyghur minority"
reference = "https://research.checkpoint.com/2021/uyghurs-a-turkic-ethnic-minority-in-china-targeted-via-fake-foundations/"
version = "1.0"
last_modified = "2021-05-06"
hash = "2f7492423586a3061e5641b5b271ca54"
hash = "1b5dbd351bb7159eb08868c46a3fe3a6"
hash = "90fcbd5c904326466c3b6af1ca34aae1"
strings:
$url = {2f 00 63 00 67 00 69 00 2d 00 62 00 69 00 6e 00 2f [0-50] 2e 00 70 00 79 00 3f 00}
$lib = "Newtonsoft.Json"
$mac = "MACAddress Is Not NULL" wide
condition:
uint16(0)==0x5A4D and $url and $lib and $mac
and filesize < 1MB
}

View file

@ -1,32 +0,0 @@
rule apt_nazar_component_guids
{
meta:
description = "Detect Nazar Components by COM Objects' GUID"
author = "Itay Cohen"
date = "2020-04-27"
reference = "<https://www.epicturla.com/blog/the-lost-nazar>"
reference2 = "https://research.checkpoint.com/2020/nazar-spirits-of-the-past/"
hash = "1110c3e34b6bbaadc5082fabbdd69f492f3b1480724b879a3df0035ff487fd6f"
hash = "1afe00b54856628d760b711534779da16c69f542ddc1bb835816aa92ed556390"
hash = "2caedd0b2ea45761332a530327f74ca5b1a71301270d1e2e670b7fa34b6f338e"
hash = "2fe9b76496a9480273357b6d35c012809bfa3ae8976813a7f5f4959402e3fbb6"
hash = "460eba344823766fe7c8f13b647b4d5d979ce4041dd5cb4a6d538783d96b2ef8"
hash = "4d0ab3951df93589a874192569cac88f7107f595600e274f52e2b75f68593bca"
hash = "75e4d73252c753cd8e177820eb261cd72fecd7360cc8ec3feeab7bd129c01ff6"
hash = "8fb9a22b20a338d90c7ceb9424d079a61ca7ccb7f78ffb7d74d2f403ae9fbeec"
hash = "967ac245e8429e3b725463a5c4c42fbdf98385ee6f25254e48b9492df21f2d0b"
hash = "be624acab7dfe6282bbb32b41b10a98b6189ab3a8d9520e7447214a7e5c27728"
hash = "d34a996826ea5a028f5b4713c797247913f036ca0063cc4c18d8b04736fa0b65"
hash = "d9801b4da1dbc5264e83029abb93e800d3c9971c650ecc2df5f85bcc10c7bd61"
hash = "eb705459c2b37fba5747c73ce4870497aa1d4de22c97aaea4af38cdc899b51d3"
strings:
$guid1_godown = { 98 B3 E5 F6 DF E3 6B 49 A2 AD C2 0F EA 30 DB FE } // Godown.dll IID
$guid2_godown = { 31 4B CB DB B8 21 0F 4A BC 69 0C 3C E3 B6 6D 00 } // Godown.dll CLSID
$guid3_godown = { AF 94 4E B6 6B D5 B4 48 B1 78 AF 07 23 E7 2A B5 } // probably Godown
$guid4_filesystem = { 79 27 AB 37 34 F2 9D 4D B3 FB 59 A3 FA CB 8D 60 } // Filesystem.dll CLSID
$guid6_filesystem = { 2D A1 2B 77 62 8A D3 4D B3 E8 92 DA 70 2E 6F 3D } // Filesystem.dll TypeLib IID
$guid5_filesystem = { AB D3 13 CF 1C 6A E8 4A A3 74 DE D5 15 5D 6A 88 } // Filesystem.dll
condition:
any of them
}

View file

@ -1,19 +0,0 @@
rule apt_nazar_svchost_commands
{
meta:
description = "Detect Nazar's svchost based on supported commands"
author = "Itay Cohen"
date = "2020-04-26"
reference = "<https://www.epicturla.com/blog/the-lost-nazar>"
reference2 = "https://research.checkpoint.com/2020/nazar-spirits-of-the-past/"
hash = "2fe9b76496a9480273357b6d35c012809bfa3ae8976813a7f5f4959402e3fbb6"
hash = "be624acab7dfe6282bbb32b41b10a98b6189ab3a8d9520e7447214a7e5c27728"
strings:
$str1 = { 33 31 34 00 36 36 36 00 33 31 33 00 }
$str2 = { 33 31 32 00 33 31 35 00 35 35 35 00 }
$str3 = { 39 39 39 00 35 39 39 00 34 39 39 00 }
$str4 = { 32 30 39 00 32 30 31 00 32 30 30 00 }
$str5 = { 31 39 39 00 31 31 39 00 31 38 39 00 31 33 39 00 33 31 31 00 }
condition:
4 of them
}

View file

@ -1,206 +0,0 @@
rule explosive_exe
{
meta:
author = "Check Point Software Technologies Inc."
info = "Explosive EXE"
strings:
$MZ = "MZ"
$DLD_S = "DLD-S:"
$DLD_E = "DLD-E:"
condition:
$MZ at 0 and all of them
}
import "pe"
rule explosive_dll
{
meta:
author = "Check Point Software Technologies Inc."
info = "Explosive DLL"
reference = "https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf"
condition:
pe.DLL
and ( pe.exports("PathProcess") or pe.exports("_PathProcess@4") ) and
pe.exports("CON")
}
rule ZZ_breakwin_config {
meta:
description = "Detects the header of the encrypted config files, assuming known encryption key."
reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
author = "Check Point Research"
date = "22-07-2021"
hash = "948febaab71727217303e0aabb9126f242aa51f89caa7f070a3da76c4f5699ed"
hash = "2d35bb7c02062ff2fba4424a267c5c83351405281a1870f52d02f3712a547a22"
hash = "68e95a3ccde3ea22b8eb8adcf0ad53c7993b2ea5316948e31d9eadd11b5151d7"
strings:
$conf_header = {1A 69 45 47 5E 46 4A 06 03 E4 34 0B 06 1D ED 2F 02 15 02 E5 57 4D 59 59 D1 40 20 22}
condition:
$conf_header at 0
}
rule ZZ_breakwin_wiper {
meta:
description = "Detects the BreakWin wiper that was used in attacks in Syria"
reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
author = "Check Point Research"
date = "22-07-2021"
hash = "2aa6e42cb33ec3c132ffce425a92dfdb5e29d8ac112631aec068c8a78314d49b"
hash = "6709d332fbd5cde1d8e5b0373b6ff70c85fee73bd911ab3f1232bb5db9242dd4"
hash = "d71cc6337efb5cbbb400d57c8fdeb48d7af12a292fa87a55e8705d18b09f516e"
strings:
$debug_str_meteor_1 = "the program received an invalid number of arguments" wide
$debug_str_meteor_2 = "End interval logger. Resuming writing every log" wide
$debug_str_meteor_0 = "failed to initialize configuration from file" wide
$debug_str_meteor_3 = "Meteor is still alive." wide
$debug_str_meteor_4 = "Exiting main function because of some error" wide
$debug_str_meteor_5 = "Meteor has finished. This shouldn't be possible because of the is-alive loop." wide
$debug_str_meteor_6 = "Meteor has started." wide
$debug_str_meteor_7 = "Could not hide current console." wide
$debug_str_meteor_8 = "Could not get the window handle used by the console." wide
$debug_str_meteor_9 = "Failed to find base-64 data size" wide
$debug_str_meteor_10 = "Running locker thread" wide
$debug_str_meteor_11 = "Failed to encode wide-character string as Base64" wide
$debug_str_meteor_12 = "Wiper operation failed." wide
$debug_str_meteor_13 = "Screen saver disable failed." wide
$debug_str_meteor_14 = "Failed to generate password of length %s. Generating a default one." wide
$debug_str_meteor_15 = "Failed to delete boot configuration" wide
$debug_str_meteor_16 = "Could not delete all BCD entries." wide
$debug_str_meteor_17 = "Finished deleting BCD entries." wide
$debug_str_meteor_18 = "Failed to change lock screen" wide
$debug_str_meteor_19 = "Boot configuration deleted successfully" wide
$debug_str_meteor_20 = "Failed to kill all winlogon processes" wide
$debug_str_meteor_21 = "Changing passwords of all users to" wide
$debug_str_meteor_22 = "Failed to change the passwords of all users" wide
$debug_str_meteor_23 = "Failed to run the locker thread" wide
$debug_str_meteor_24 = "Screen saver disabled successfully." wide
$debug_str_meteor_25 = "Generating random password failed" wide
$debug_str_meteor_26 = "Locker installation failed" wide
$debug_str_meteor_27 = "Failed to set auto logon." wide
$debug_str_meteor_28 = "Failed to initialize interval logger. Using a dummy logger instead." wide
$debug_str_meteor_29 = "Succeeded setting auto logon for" wide
$debug_str_meteor_30 = "Failed disabling the first logon privacy settings user approval." wide
$debug_str_meteor_31 = "Failed disabling the first logon animation." wide
$debug_str_meteor_32 = "Waiting for new winlogon process" wide
$debug_str_meteor_33 = "Failed to isolate from domain" wide
$debug_str_meteor_34 = "Failed creating scheduled task for system with name %s." wide
$debug_str_meteor_35 = "Failed to get the new token of winlogon." wide
$debug_str_meteor_36 = "Failed adding new admin user." wide
$debug_str_meteor_37 = "Failed changing settings for the created new user." wide
$debug_str_meteor_38 = "Failed disabling recovery mode." wide
$debug_str_meteor_39 = "Logging off users on Windows version 8 or above" wide
$debug_str_meteor_40 = "Succeeded setting boot policy to ignore all errors." wide
$debug_str_meteor_41 = "Succeeded creating scheduled task for system with name" wide
$debug_str_meteor_42 = "Succeeded disabling recovery mode" wide
$debug_str_meteor_43 = "Failed to log off all sessions" wide
$debug_str_meteor_44 = "Failed to delete shadowcopies." wide
$debug_str_meteor_45 = "Failed logging off session: " wide
$debug_str_meteor_46 = "Failed setting boot policy to ignore all errors." wide
$debug_str_meteor_47 = "Successfully logged off all local sessions, except winlogon." wide
$debug_str_meteor_48 = "Succeeded creating scheduled task with name %s for user %s." wide
$debug_str_meteor_49 = "Killing all winlogon processes" wide
$debug_str_meteor_50 = "Logging off users in Windows 7" wide
$debug_str_meteor_51 = "Failed logging off all local sessions, except winlogon." wide
$debug_str_meteor_52 = "Failed creating scheduled task with name %s for user %s." wide
$debug_str_meteor_53 = "Succeeded deleting shadowcopies." wide
$debug_str_meteor_54 = "Logging off users in Windows XP" wide
$debug_str_meteor_55 = "Failed changing settings for the created new user." wide
$debug_str_meteor_56 = "Could not open file %s. error message: %s" wide
$debug_str_meteor_57 = "Could not write to file %s. error message: %s" wide
$debug_str_meteor_58 = "tCould not tell file pointer location on file %s." wide
$debug_str_meteor_59 = "Could not set file pointer location on file %s to offset %s." wide
$debug_str_meteor_60 = "Could not read from file %s. error message: %s" wide
$debug_str_meteor_61 = "Failed to wipe file %s" wide
$debug_str_meteor_62 = "attempted to access encrypted file in offset %s, but it only supports offset 0" wide
$debug_str_meteor_63 = "Failed to create thread. Error message: %s" wide
$debug_str_meteor_64 = "Failed to wipe file %s" wide
$debug_str_meteor_65 = "failed to get configuration value with key %s" wide
$debug_str_meteor_66 = "failed to parse the configuration from file %s" wide
$debug_str_meteor_67 = "Failed posting to server, received unknown exception" wide
$debug_str_meteor_68 = "Failed posting to server, received std::exception" wide
$debug_str_meteor_69 = "Skipping %s logs. Writing log number %s:" wide
$debug_str_meteor_70 = "Start interval logger. Writing logs with an interval of %s logs." wide
$debug_str_meteor_71 = "failed to write message to log file %s" wide
$debug_str_meteor_72 = "The log message is too big: %s/%s characters." wide
$debug_str_stardust_0 = "Stardust has started." wide
$debug_str_stardust_1 = "0Vy0qMGO" ascii wide
$debug_str_comet_0 = "Comet has started." wide
$debug_str_comet_1 = "Comet has finished." wide
$str_lock_my_pc = "Lock My PC 4" ascii wide
$config_entry_0 = "state_path" ascii
$config_entry_1 = "state_encryption_key" ascii
$config_entry_2 = "log_server_port" ascii
$config_entry_3 = "log_file_path" ascii
$config_entry_4 = "log_encryption_key" ascii
$config_entry_5 = "log_server_ip" ascii
$config_entry_6 = "processes_to_kill" ascii
$config_entry_7 = "process_termination_timeout" ascii
$config_entry_8 = "paths_to_wipe" ascii
$config_entry_9 = "wiping_stage_logger_interval" ascii
$config_entry_10 = "locker_exe_path" ascii
$config_entry_11 = "locker_background_image_jpg_path" ascii
$config_entry_12 = "auto_logon_path" ascii
$config_entry_13 = "locker_installer_path" ascii
$config_entry_14 = "locker_password_hash" ascii
$config_entry_15 = "users_password" ascii
$config_entry_16 = "locker_background_image_bmp_path" ascii
$config_entry_17 = "locker_registry_settings_files" ascii
$config_entry_18 = "cleanup_script_path" ascii
$config_entry_19 = "is_alive_loop_interval" ascii
$config_entry_20 = "cleanup_scheduled_task_name" ascii
$config_entry_21 = "self_scheduled_task_name" ascii
$encryption_asm = {33 D2 8B C3 F7 75 E8 8B 41 04 8B 4E 04 8A 04 02 02 C3 32 04 1F 88 45 F3 39 4E 08}
$random_string_generation = {33 D2 59 F7 F1 83 ?? ?? 08 66 0F BE 82 ?? ?? ?? 00 0F B7 C8 8B C7}
condition:
uint16(0) == 0x5A4D and
(
6 of them or
$encryption_asm or
$random_string_generation
)
}
rule ZZ_breakwin_stardust_vbs {
meta:
description = "Detect the VBS files that where found in the attacks on targets in Syria"
reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
author = "Check Point Research"
date = "22-07-2021"
hash = "38a419cd9456e40961c781e16ceee99d970be4e9235ccce0b316efe68aba3933"
hash = "62a984981d14b562939294df9e479ac0d65dfc412d0449114ccb2a0bc93769b0"
hash = "4d994b864d785abccef829d84f91d949562d0af934114b65056315bf59c1ef58"
hash = "eb5237d56c0467b5def9a92e445e34eeed9af2fee28f3a2d2600363724d6f8b0"
hash = "5553ba3dc141cd63878a7f9f0a0e67fb7e887010c0614efd97bbc6c0be9ec2ad"
strings:
$url_template = "progress.php?hn=\" & CN & \"&dt=\" & DT & \"&st="
$compression_password_1 = "YWhZMFU1VlZGdGNFNWlhMVlVMnhTMWtOVlJVWWNGTk9iVTQxVW10V0ZFeFJUMD0r"
$compression_password_2 = "YWlvcyBqQCNAciNxIGpmc2FkKnIoOUZURjlVSjBSRjJRSlJGODlKSDIzRmloIG8"
$uninstall_kaspersky = "Shell.Run \"msiexec.exe /x \" & productcode & \" KLLOGIN="
$is_avp_running = "isProcessRunning(\".\", \"avp.exe\") Then"
condition:
any of them
}
rule ZZ_breakwin_meteor_batch_files {
meta:
description = "Detect the batch files used in the attacks"
reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
author = "Check Point Research"
date = "22-07-2021"
strings:
$filename_0 = "mscap.bmp"
$filename_1 = "mscap.jpg"
$filename_2 = "msconf.conf"
$filename_3 = "msmachine.reg"
$filename_4 = "mssetup.exe"
$filename_5 = "msuser.reg"
$filename_6 = "msapp.exe"
$filename_7 = "bcd.rar"
$filename_8 = "bcd.bat"
$filename_9 = "msrun.bat"
$command_line_0 = "powershell -Command \"%exclude_command% '%defender_exclusion_folder%"
$command_line_1 = "start /b \"\" update.bat hackemall"
condition:
4 of ($filename_*) or
any of ($command_line_*)
}

View file

@ -1,15 +0,0 @@
import "pe"
rule explosive_dll
{
meta:
author = "Check Point Software Technologies Inc."
info = "Explosive DLL"
reference = "https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf"
condition:
pe.DLL
and ( pe.exports("PathProcess") or pe.exports("_PathProcess@4") ) and
pe.exports("CON")
}

View file

@ -1,15 +0,0 @@
rule explosive_exe
{
meta:
author = "Check Point Software Technologies Inc."
info = "Explosive EXE"
reference = "https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf"
strings:
$MZ = "MZ"
$DLD_S = "DLD-S:"
$DLD_E = "DLD-E:"
condition:
$MZ at 0 and all of them
}

View file

@ -1,11 +0,0 @@
rule goziv3: trojan {
meta:
module = "goziv3"
reference = "https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/"
strings:
$dec_bss = {D3 C0 83 F3 01 89 02 83 C2 04 FF 4C 24 0C}
$gen_serpent = {33 44 24 04 33 44 24 08 C2 08 00}
condition:
($dec_bss and $gen_serpent) and (uint16(0) == 0x5A4D or uint16(0) == 0x5850 )
}

View file

@ -1,58 +0,0 @@
rule injector_ZZ_dotRunpeX {
meta:
description = "Detects new version of dotRunpeX - configurable .NET injector"
author = "Jiri Vinopal (jiriv)"
date = "2022-10-30"
hash1 = "373a86e36f7e808a1db263b4b49d2428df4a13686da7d77edba7a6dd63790232" // injects Formbook
hash2 = "41ea8f9a9f2a7aeb086dedf8e5855b0409f31e7793cbba615ca0498e47a72636" // injects Formbook
hash3 = "5e3588e8ddebd61c2bd6dab4b87f601bd6a4857b33eb281cb5059c29cfe62b80" // injects AsyncRat
hash4 = "8c451b84d9579b625a7821ad7ddcb87bdd665a9e6619eaecf6ab93cd190cf504" // injects Remcos
hash5 = "8fa81f6341b342afa40b7dc76dd6e0a1874583d12ea04acf839251cb5ca61591" // injects Formbook
hash6 = "cd4c821e329ec1f7bfe7ecd39a6020867348b722e8c84a05c7eb32f8d5a2f4db" // injects AgentTesla
hash7 = "fa8a67642514b69731c2ce6d9e980e2a9c9e409b3947f2c9909d81f6eac81452" // injects AsyncRat
hash8 = "eb2e2ac0f5f51d90fe90b63c3c385af155b2fee30bc3dc6309776b90c21320f5" // injects SnakeKeylogger
report = "https://research.checkpoint.com/2023/dotrunpex-demystifying-new-virtualized-net-injector-used-in-the-wild/"
strings:
// Used ImplMap imports (PInvoke)
$implmap1 = "VirtualAllocEx"
$implmap2 = "CreateProcess"
$implmap3 = "CreateRemoteThread"
$implmap4 = "Wow64SetThreadContext"
$implmap5 = "Wow64GetThreadContext"
$implmap6 = "NtResumeThread"
$implmap7 = "ZwUnmapViewOfSection"
$implmap8 = "NtWriteVirtualMemory"
$implmap9 = "MessageBox" // ImplMap not presented in all samples - maybe different versions?
$implmap10 = "Wow64DisableWow64FsRedirection"
$implmap11 = "Wow64RevertWow64FsRedirection"
$implmap12 = "CreateFile"
$implmap13 = "RtlInitUnicodeString"
$implmap14 = "NtLoadDriver"
$implmap15 = "NtUnloadDriver"
$implmap16 = "OpenProcessToken"
$implmap17 = "LookupPrivilegeValue"
$implmap18 = "AdjustTokenPrivileges"
$implmap19 = "CloseHandle"
$implmap20 = "NtQuerySystemInformation"
$implmap21 = "DeviceIoControl"
$implmap22 = "GetProcessHeap"
$implmap23 = "HeapFree"
$implmap24 = "HeapAlloc"
$implmap25 = "GetProcAddress"
$implmap26 = "CopyMemory" // ImplMap added by KoiVM Protector used by this injector
$modulerefKernel1 = "Kernel32"
$modulerefKernel2 = "kernel32"
$modulerefNtdll1 = "Ntdll"
$modulerefNtdll2 = "ntdll"
$modulerefAdvapi1 = "Advapi32"
$modulerefAdvapi2 = "advapi32"
$regPath = "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\TaskKill" wide // Registry path for installing Sysinternals Procexp driver
$rsrcName = "BIDEN_HARRIS_PERFECT_ASSHOLE" wide
$koiVM1 = "KoiVM"
$koiVM2 = "#Koi"
condition:
uint16(0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550 and ($regPath or $rsrcName or 1 of ($koiVM*)) and
24 of ($implmap*) and 1 of ($modulerefKernel*) and 1 of ($modulerefNtdll*) and 1 of ($modulerefAdvapi*)
}

View file

@ -1,45 +0,0 @@
rule injector_ZZ_dotRunpeX_oldnew {
meta:
description = "Detects new and old version of dotRunpeX - configurable .NET injector"
author = "Jiri Vinopal (jiriv)"
date = "2022-10-30"
hash1_New = "373a86e36f7e808a1db263b4b49d2428df4a13686da7d77edba7a6dd63790232" // injects Formbook
hash2_New = "41ea8f9a9f2a7aeb086dedf8e5855b0409f31e7793cbba615ca0498e47a72636" // injects Formbook
hash3_New = "5e3588e8ddebd61c2bd6dab4b87f601bd6a4857b33eb281cb5059c29cfe62b80" // injects AsyncRat
hash4_New = "8c451b84d9579b625a7821ad7ddcb87bdd665a9e6619eaecf6ab93cd190cf504" // injects Remcos
hash5_New = "8fa81f6341b342afa40b7dc76dd6e0a1874583d12ea04acf839251cb5ca61591" // injects Formbook
hash6_New = "cd4c821e329ec1f7bfe7ecd39a6020867348b722e8c84a05c7eb32f8d5a2f4db" // injects AgentTesla
hash7_New = "fa8a67642514b69731c2ce6d9e980e2a9c9e409b3947f2c9909d81f6eac81452" // injects AsyncRat
hash8_New = "eb2e2ac0f5f51d90fe90b63c3c385af155b2fee30bc3dc6309776b90c21320f5" // injects SnakeKeylogger
hash1_Old = "1e7614f757d40a2f5e2f4bd5597d04878768a9c01aa5f9f23d6c87660f7f0fbc" // injects Lokibot
hash2_Old = "317e6817bba0f54e1547dd9acf24ee17a4cda1b97328cc69dc1ec16e11c258fc" // injects Redline
hash3_Old = "65cac67ed2a084beff373d6aba6f914b8cba0caceda254a857def1df12f5154b" // injects SnakeKeylogger
hash4_Old = "68ae2ee5ed7e793c1a49cbf1b0dd7f5a3de9cb783b51b0953880994a79037326" // injects Lokibot
hash5_Old = "81763d8e3b42d07d76b0a74eda4e759981971635d62072c8da91251fc849b91e" // injects SnakeKeylogger
report = "https://research.checkpoint.com/2023/dotrunpex-demystifying-new-virtualized-net-injector-used-in-the-wild/"
strings:
// Used ImplMap imports (PInvoke)
$implmap1 = "VirtualAllocEx"
$implmap2 = "CreateProcess"
$implmap3 = "CreateRemoteThread"
$implmap4 = "Wow64SetThreadContext"
$implmap5 = "Wow64GetThreadContext"
$implmap6 = "RtlInitUnicodeString"
$implmap7 = "NtLoadDriver"
$implmap8 = "LoadLibrary"
$implmap9 = "VirtualProtect"
$implmap10 = "AdjustTokenPrivileges"
$implmap11 = "GetProcAddress"
$modulerefKernel1 = "Kernel32"
$modulerefKernel2 = "kernel32"
$modulerefNtdll1 = "Ntdll"
$modulerefNtdll2 = "ntdll"
$regPath = "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\TaskKill" wide // Registry path for installing Sysinternals Procexp driver
$rsrcName = "BIDEN_HARRIS_PERFECT_ASSHOLE" wide
$koiVM1 = "KoiVM"
$koiVM2 = "#Koi"
condition:
uint16(0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550 and ($regPath or $rsrcName or 1 of ($koiVM*)) and
9 of ($implmap*) and 1 of ($modulerefKernel*) and 1 of ($modulerefNtdll*)
}

View file

@ -1,29 +0,0 @@
rule lyceum_dotnet_dns_backdoor
{
meta:
author = "CPR"
reference = "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/"
hash1 = "8199f14502e80581000bd5b3bda250ee"
hash2 = "d79687676d2d152aec4143c852bdbc4a"
hash3 = "bcb465cc2257e5777bab431690ca5039"
hash4 = "2bc2abefc1a721908bc805894b62227d"
hash5 = "37a1514a7a5f9b2c6786096129a30721"
strings:
$log1 = "MSG SIZE rcvd" wide
$log2 = "Empty output" wide
$log3 = "Big Output. lines: " wide
$com1 = "Enddd" wide
$com2 = "uploaddd" wide
$com3 = "downloaddd" wide
$dga = "trailers.apple.com" wide
$replace1 = "BackSlashh" wide
$replace2 = "QuotationMarkk" wide
$re_pattern = "60\\s+IN\\s+TXT" wide
$func1 = "comRun"
$func2 = "PlaceDot"
$func3 = "sendAns"
$heijden1 = "Heijden.DNS"
$heijden2 = "DnsHeijden"
condition:
uint16(0)==0x5a4d and (all of ($log*) or all of ($com*) or all of ($replace*) or all of ($func*) or (any of ($heijden*) and $re_pattern and $dga))
}

View file

@ -1,52 +0,0 @@
rule lyceum_dotnet_http_backdoor
{
meta:
author = "CPR"
reference = "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/"
hash1 = "1c444ebeba24dcba8628b7dfe5fec7c6"
hash2 = "85ca334f87667bd7fa0c47ae6149353e"
hash3 = "73bddd5f1a0847ae5f5d55e7d9c177f6"
hash4 = "9fb86915db1b7c00f1a4587de4e052de"
hash5 = "37fe608983d4b06a5549247f0e16bc11"
hash6 = "5916e5189ef0050dfcc3cc19382d08d5"
strings:
$class1 = "Funcss"
$class2 = "Constantss"
$class3 = "Reqss"
$class4 = "Screenss"
$class5 = "Shll"
$class6 = "test_A1"
$class7 = "Uploadss"
$class8 = "WebDL"
$cnc_uri1 = "/upload" wide
$cnc_uri2 = "/screenshot" wide
$cnc_pattern_hex1 = {43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 7b 30 7d 22 0d 0a 0d 0a}
$cnc_pattern_hex2 = {6d 75 6c 74 69 70 61 72 74 2f 66 6f 72 6d 2d 64 61 74 61 3b 20 62 6f 75 6e 64 61 72 79 3d 7b 30 7d}
$cnc_pattern_hex3 = {43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 7b 30 7d 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 7b 31 7d 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 7b 32 7d 0d 0a 0d 0a}
$constant1 = "FILE_DIR_SEPARATOR"
$constant2 = "APPS_PARAMS_SEPARATOR"
$constant3 = "TYPE_SENDTOKEN"
$constant4 = "TYPE_DATA1"
$constant5 = "TYPE_SEND_RESPONSE_IN_SOCKET"
$constant6 = "TYPE_FILES_LIST"
$constant7 = "TYPE_FILES_DELETE"
$constant8 = "TYPE_FILES_RUN"
$constant9 = "TYPE_FILES_UPLOAD_TO_SERVER"
$constant10 = "TYPE_FILES_DELETE_FOLDER"
$constant11 = "TYPE_FILES_CREATE_FOLDER"
$constant12 = "TYPE_FILES_DOWNLOAD_URL"
$constant13 = "TYPE_OPEN_CMD"
$constant14 = "TYPE_CMD_RES"
$constant15 = "TYPE_CLOSE_CMD"
$constant16 = "TYPE_CMD_REQ"
$constant17 = "TYPE_INSTALLED_APPS"
$constant18 = "TYPE_SCREENSHOT"
$constant19 = "_RG_APP_NAME_"
$constant20 = "_RG_APP_VERSION_"
$constant21 = "_RG_APP_DATE_"
$constant22 = "_RG_APP_PUB_"
$constant23 = "_RG_APP_SEP_"
$constant24 = "_SC_EXT_"
condition:
uint16(0)==0x5a4d and (4 of ($class*) or 4 of ($cnc_*) or 4 of ($constant*))
}

View file

@ -1,37 +0,0 @@
rule lyceum_golang_backdoor
{
meta:
author = "CPR"
reference = "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/"
hash1 = "a437f997d45bc14e76d0f2482f572a34"
hash2 = "23d174e6a0905fd59b2613d5ac106261"
hash3 = "bcb465cc2257e5777bab431690ca5039"
strings:
$func1 = "main.Ase256"
$func2 = "main.DecryptAse256"
$func3 = "main.IsServerUp"
$func4 = "main.register"
$func5 = "main.commandforrun"
$func6 = "main.UPLOAD"
$func7 = "main.commandforanswer"
$func8 = "main.GetMD5Hash"
$func9 = "main.get_uid"
$func10 = "main.commandrun"
$func11 = "main.download"
$func12 = "main.postFile"
$func13 = "main.sendAns"
$func14 = "main.comRun"
$cnc_uri1 = "/GO/1.php"
$cnc_uri2 = "/GO/2.php"
$cnc_uri3 = "/GO/3.php"
$auth_token = "auth_token=\"XXXXXXX\""
$log1 = "client registred"
$log2 = "no command"
$log3 = "can not create file"
$log4 = "errorGettingUserName"
$log5 = "New record created successfully"
$log6 = "SERVER_IS_DOWN"
$dga = "trailers.apple.com."
condition:
uint16(0)==0x5a4d and ((10 of ($func*) or any of ($cnc_uri*) or $auth_token or 3 of ($log*)) or ($dga and 4 of them))
}

View file

@ -1,31 +0,0 @@
rule malware_bumblebee_packed {
meta:
author = "Marc Salinas @ CheckPoint Research"
malware_family = "BumbleBee"
date = "13/07/2022"
description = "Detects the packer used by bumblebee, the rule is based on the code responsible for allocating memory for a critical structure in its logic."
dll_jul = "6bc2ab410376c1587717b2293f2f3ce47cb341f4c527a729da28ce00adaaa8db"
dll_jun = "82aab01a3776e83695437f63dacda88a7e382af65af4af1306b5dbddbf34f9eb"
dll_may = "a5bcb48c0d29fbe956236107b074e66ffc61900bc5abfb127087bb1f4928615c"
iso_jul = "ca9da17b4b24bb5b24cc4274cc7040525092dffdaa5922f4a381e5e21ebf33aa"
iso_jun = "13c573cad2740d61e676440657b09033a5bec1e96aa1f404eed62ba819858d78"
iso_may = "b2c28cdc4468f65e6fe2f5ef3691fa682057ed51c4347ad6b9672a9e19b5565e"
zip_jun = "7024ec02c9670d02462764dcf99b9a66b29907eae5462edb7ae974fe2efeebad"
zip_may = "68ac44d1a9d77c25a97d2c443435459d757136f0d447bfe79027f7ef23a89fce"
report = "https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/"
strings:
$heapalloc = {
48 8? EC [1-6] // sub rsp, 80h
FF 15 ?? ?? 0? 00 [0-5] // call cs:GetProcessHeap
33 D2 // xor edx, edx ; dwFlags
4? [2-5] // mov rcx, rax ; hHeap
4? ?? ?? // mov r8d, ebx ; dwBytes
FF 15 ?? ?? 0? 00 // call cs:HeapAlloc
[8 - 11] // (load params)
48 89 05 ?? ?? ?? 00 // mov cs:HeapBufferPtr, rax
E8 ?? ?? ?? ?? // call memset
4? 8B ?? ?? ?? ?? 00 // mov r14, cs:HeapBufferPtr
}
condition:
$heapalloc
}

View file

@ -1,32 +0,0 @@
rule apt_nazar_component_guids
{
meta:
description = "Detect Nazar Components by COM Objects' GUID"
author = "Itay Cohen"
date = "2020-04-27"
reference = "<https://www.epicturla.com/blog/the-lost-nazar>"
reference2 = "https://research.checkpoint.com/2020/nazar-spirits-of-the-past/"
hash = "1110c3e34b6bbaadc5082fabbdd69f492f3b1480724b879a3df0035ff487fd6f"
hash = "1afe00b54856628d760b711534779da16c69f542ddc1bb835816aa92ed556390"
hash = "2caedd0b2ea45761332a530327f74ca5b1a71301270d1e2e670b7fa34b6f338e"
hash = "2fe9b76496a9480273357b6d35c012809bfa3ae8976813a7f5f4959402e3fbb6"
hash = "460eba344823766fe7c8f13b647b4d5d979ce4041dd5cb4a6d538783d96b2ef8"
hash = "4d0ab3951df93589a874192569cac88f7107f595600e274f52e2b75f68593bca"
hash = "75e4d73252c753cd8e177820eb261cd72fecd7360cc8ec3feeab7bd129c01ff6"
hash = "8fb9a22b20a338d90c7ceb9424d079a61ca7ccb7f78ffb7d74d2f403ae9fbeec"
hash = "967ac245e8429e3b725463a5c4c42fbdf98385ee6f25254e48b9492df21f2d0b"
hash = "be624acab7dfe6282bbb32b41b10a98b6189ab3a8d9520e7447214a7e5c27728"
hash = "d34a996826ea5a028f5b4713c797247913f036ca0063cc4c18d8b04736fa0b65"
hash = "d9801b4da1dbc5264e83029abb93e800d3c9971c650ecc2df5f85bcc10c7bd61"
hash = "eb705459c2b37fba5747c73ce4870497aa1d4de22c97aaea4af38cdc899b51d3"
strings:
$guid1_godown = { 98 B3 E5 F6 DF E3 6B 49 A2 AD C2 0F EA 30 DB FE } // Godown.dll IID
$guid2_godown = { 31 4B CB DB B8 21 0F 4A BC 69 0C 3C E3 B6 6D 00 } // Godown.dll CLSID
$guid3_godown = { AF 94 4E B6 6B D5 B4 48 B1 78 AF 07 23 E7 2A B5 } // probably Godown
$guid4_filesystem = { 79 27 AB 37 34 F2 9D 4D B3 FB 59 A3 FA CB 8D 60 } // Filesystem.dll CLSID
$guid6_filesystem = { 2D A1 2B 77 62 8A D3 4D B3 E8 92 DA 70 2E 6F 3D } // Filesystem.dll TypeLib IID
$guid5_filesystem = { AB D3 13 CF 1C 6A E8 4A A3 74 DE D5 15 5D 6A 88 } // Filesystem.dll
condition:
any of them
}

View file

@ -1,16 +0,0 @@
rule qbot_vbs
{
meta:
description = "Catches QBot VBS files"
reference = "https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/"
author = "Alex Ilgayev"
date = "2020-06-07"
strings:
$s3 = "ms.Send"
$s4 = "for i=1 to 6"
$s5 = "if ms.readyState = 4 Then"
$s6 = "if len(ms.responseBody) <> 0 then"
$s7 = /if left\(ms.responseText, \w*?\) = \"MZ\" then/
condition:
filesize > 20MB and $s3 and $s4 and $s5 and $s6 and $s7
}

View file

@ -1,18 +0,0 @@
import "pe"
rule ransomware_ZZ_azov_wiper {
meta:
description = "Detects original and backdoored files with new and old versions of azov ransomware - polymorphic wiper"
author = "Jiri Vinopal (jiriv)"
date = "2022-11-14"
hash_azov_new = "650f0d694c0928d88aeeed649cf629fc8a7bec604563bca716b1688227e0cc7e"
hash_azov_old = "b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801"
report = "https://research.checkpoint.com/2022/pulling-the-curtains-on-azov-ransomware-not-a-skidsware-but-polymorphic-wiper/"
strings:
// Opcodes of allocating and decrypting shellcode routine
$unpacking_azov_new = { 48 83 ec ?? 58 48 01 c8 48 81 ec ?? ?? ?? ?? 48 83 ec ?? 40 80 e4 ?? c6 45 ?? 56 c6 45 ?? 69 c6 45 ?? 72 c6 45 ?? 74 c6 45 ?? 75 c6 45 ?? 61 c6 45 ?? 6c c6 45 ?? 41 c6 45 ?? 6c c6 45 ?? 6c c6 45 ?? 6f c6 45 ?? 63 c6 45 ?? 00 48 89 74 24 ?? 48 83 ec ?? 48 83 c4 ?? 48 8b 4c 24 ?? 48 8d 55 ?? ff d0 48 83 ec ?? 48 c7 04 24 ?? ?? ?? ?? 48 83 c4 ?? 48 8b 4c 24 ?? 48 c7 c2 ?? ?? ?? ?? 49 c7 c0 ?? ?? ?? ?? 49 c7 c1 ?? ?? ?? ?? ff d0 48 c7 c1 ?? ?? ?? ?? 4c 8d 0d ?? ?? ?? ?? 48 ff c9 41 8a 14 09 88 14 08 48 85 c9 75 ?? 48 c7 c1 ?? ?? ?? ?? 41 b9 ?? ?? ?? ?? 41 ba ?? ?? ?? ?? 48 ff c9 8a 14 08 44 30 ca 88 14 08 41 81 ea ?? ?? ?? ?? 45 01 d1 41 81 c1 ?? ?? ?? ?? 41 81 c2 ?? ?? ?? ?? 41 d1 c1 48 85 c9 }
$unpacking_azov_old = { 48 01 c8 48 05 ?? ?? ?? ?? 48 81 c1 ?? ?? ?? ?? 48 81 ec ?? ?? ?? ?? 48 83 ec ?? 40 80 e4 ?? c6 45 ?? 56 c6 45 ?? 69 c6 45 ?? 72 c6 45 ?? 74 c6 45 ?? 75 c6 45 ?? 61 c6 45 ?? 6c c6 45 ?? 41 c6 45 ?? 6c c6 45 ?? 6c c6 45 ?? 6f c6 45 ?? 63 c6 45 ?? 00 48 83 e1 ?? 48 01 f1 48 8d 55 ?? ff d0 48 83 ec ?? 48 c7 04 24 ?? ?? ?? ?? 48 83 c4 ?? 48 8b 4c 24 ?? 48 c7 c2 ?? ?? ?? ?? 49 c7 c0 ?? ?? ?? ?? 49 c7 c1 ?? ?? ?? ?? ff d0 48 c7 c1 ?? ?? ?? ?? 4c 8d 0d ?? ?? ?? ?? 48 ff c9 41 8a 14 09 88 14 08 48 85 c9 }
condition:
uint16(0) == 0x5a4d and pe.is_64bit() and
any of ($unpacking_azov_*)
}

View file

@ -1,22 +0,0 @@
rule installmonstr {
meta:
description = "adware, trojan, riskware"
author = "Monty St John"
company = "Cyberdefenses, inc."
date = "2017/01/25"
hash1 = "000be3b9991eaf28b3794d96ce08e883"
hash2 = "1c21a4b1151921398b2c2fe9ea9892f8"
hash3 = "be6eb42ea9e789d2a4425f61155f4664"
hash4 = "001dd4fdd6973f4e6cb9d11bd9ba7eb3"
strings:
$a = "<META HTTP-EQUIV=\"Refresh\" CONTENT=\"0; URL=%0:s\">"
$b = "%s<input type=\"hidden\" name=\"%s\" value=\"%s\">%s"
$c = "GoIdHTTPWork"
$d = "sslvSSLv2sslvSSLv23sslvSSLv3sslvTLSv1"
$e = "sslvSSLv23 sslvSSLv3 sslvTLSv1"
$f = "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH"
condition:
5 of them
}

View file

@ -1,15 +0,0 @@
rule php_shell_U34 {
meta:
description = "Web Shell - file ans.php"
author = "Monty St John"
company = "Cyberdefenses, inc."
date = "2017/01/25"
hash = "5be3b1bc76677a70553a66575f289a0a"
strings:
$a = "'\".((strpos(@$_POST['"
$b = "'],\"\\n\")!==false)?'':htmlspecialchars(@$_POST['"
$c = "'],ENT_QUOTES)).\"';"
$d = "posix_getpwuid"
condition:
all of them
}

View file

@ -1,16 +0,0 @@
rule wirenet_dropper
{
meta:
description = "Wirenet backdoor dropper Invoice_SKMBT_20170601.doc"
author = "Chris Rogers"
company = "Cyberdefenses, inc."
date = "2017/07/11"
hash = "954d7c15577f118171cc8adcc9f9ac94"
strings:
$a = "C:\Users\user\Desktop\JAVA\docinvoice.exe"
$b = "C:\Users\user\AppData\Local\Temp\docinvoice.exe"
$c = "ZTUWVSPRTj"
$d = "IE(AL("%s",4),"AL(\"%0:s\",3)""
condition:
all of them
}

View file

@ -1,34 +0,0 @@
rule AlienSpy {
meta:
description = "AlienSpy"
author = "Fidelis Cybersecurity"
reference = "Fidelis Threat Advisory #1015 - Ratting on AlienSpy - Apr 08, 2015"
strings:
$sa_1 = "META-INF/MANIFEST.MF"
$sa_2 = "Main.classPK"
$sa_3 = "plugins/Server.classPK"
$sa_4 = "IDPK"
$sb_1 = "config.iniPK"
$sb_2 = "password.iniPK"
$sb_3 = "plugins/Server.classPK"
$sb_4 = "LoadStub.classPK"
$sb_5 = "LoadStubDecrypted.classPK"
$sb_7 = "LoadPassword.classPK"
$sb_8 = "DecryptStub.classPK"
$sb_9 = "ClassLoaders.classPK"
$sc_1 = "config.xml"
$sc_2 = "options"
$sc_3 = "plugins"
$sc_4 = "util"
$sc_5 = "util/OSHelper"
$sc_6 = "Start.class"
$sc_7 = "AlienSpy"
$sc_8 = "PK"
condition:
(all of ($sa_*)) or (all of ($sb_*)) or (all of ($sc_*))
}

View file

@ -1,18 +0,0 @@
rule DarkComet
{
meta:
description = "DarkComet RAT"
author = "Fidelis Cybersecurity"
reference = "Fidelis Threat Advisory #1018 - Looking at the Sky for a DarkComet - August 4, 2015"
date = "2015-07-22"
strings:
$s1 = "#KCMDDC"
$s2 = "DCDATA"
$s3 = "#BOT#CloseServer"
$s4 = "#BOT#SvrUninstall"
$s5 = "#BOT#URLDownload"
condition:
uint16(0) == 0x5a4d and filesize < 50MB and all of ($s*)
}

View file

@ -1,12 +0,0 @@
rule DarkCometDownloader {
meta:
description = "DarkComet RAT Downloader"
author = "Fidelis Cybersecurity"
reference = "Fidelis Threat Advisory #1018 - Looking at the Sky for a DarkComet - August 4, 2015"
date = "2015-07-22"
strings:
$s1 = {6A00FF15F0304000A30D1040006A0A68261040006A00FF15F4304000A311104000FF 35111040006A00FF15F8304000A315104000FF35111040006A00FF15FC304000A3191 04000FF3515104000FF1500314000A31D104000FF3519104000FF351D104000682C11 4000FF1508314000FF3515104000FF150C31400031C0682C104000682C104000FF151 43140006805104000682C104000FF1510314000682C104000FF15183140006A006A00 682C104000682C1140006A00FF15803040006A056A006A00682C10400068001040006 A00FF15A83040006A00FF1504314000}
condition:
uint16(0) == 0x5a4d and filesize < 10KB and all of them
}

View file

@ -1,44 +0,0 @@
rule apt_all_JavaScript_ScanboxFramework_obfuscated
{
meta:
author = "Fidelis Security"
reference = "https://www.fidelissecurity.com/TradeSecret"
strings:
$sa1 = /(var|new|return)\s[_\$]+\s?/
$sa2 = "function"
$sa3 = "toString"
$sa4 = "toUpperCase"
$sa5 = "arguments.length"
$sa6 = "return"
$sa7 = "while"
$sa8 = "unescape("
$sa9 = "365*10*24*60*60*1000"
$sa10 = ">> 2"
$sa11 = "& 3) << 4"
$sa12 = "& 15) << 2"
$sa13 = ">> 6) | 192"
$sa14 = "& 63) | 128"
$sa15 = ">> 12) | 224"
condition:
all of them
}

View file

@ -1,20 +0,0 @@
rule Ursnif_report_variant_memory
{
meta:
description = "Ursnif"
author = "Fidelis Cybersecurity"
reference = "New Ursnif Variant Targeting Italy and U.S - June 7, 2016"
strings:
$isfb1 = "/data.php?version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s"
$isfb2 = "client.dll"
$ursnif1 = "soft=1&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x"
$a1 = "grabs="
$a2 = "HIDDEN"
$ursnif2 = "/images/"
$randvar = "%s=%s&"
$specialchar = "%c%02X" nocase
$serpent_setkey = {8b 70 ec 33 70 f8 33 70 08 33 30 33 f1 81 f6 b9 79 37 9e c1 c6 0b 89 70 08 41 81 f9 84 [0-3] 72 db}
condition:
7 of them
}

View file

@ -1,12 +0,0 @@
rule XenonCrypter
{
meta:
author = "jason reaves"
author2 = "Fidelis Cybersecurity"
description = "Xenon Crypter"
strings:
$b1 = "Xenon2FF\\Bin\\StubNew.pdb” nocase
$b2 = “XenonNew\\Bin\\StubNew.pdb” nocase
condition:
any of ($b*)
}

View file

@ -1,13 +0,0 @@
rule apt_nix_elf_Derusbi_Linux_SharedMemCreation
{
meta:
author = "Fidelis Cybersecurity"
reference = "https://www.fidelissecurity.com/resources/turbo-campaign-featuring-derusbi-64-bit-linux"
strings:
$byte1 = { B6 03 00 00 ?? 40 00 00 00 ?? 0D 5F 01 82 }
condition:
(uint32(0) == 0x464C457F) and (any of them)
}

View file

@ -1,28 +0,0 @@
rule apt_nix_elf_Derusbi_Linux_Strings
{
meta:
author = "Fidelis Cybersecurity"
reference = "https://www.fidelissecurity.com/resources/turbo-campaign-featuring-derusbi-64-bit-linux"
strings:
$a1 = "loadso" wide ascii fullword
$a2 = "\nuname -a\n\n" wide ascii
$a3 = "/dev/shm/.x11.id" wide ascii
$a4 = "LxMain64" wide ascii nocase
$a5 = "# \\u@\\h:\\w \\$ " wide ascii
$b1 = "0123456789abcdefghijklmnopqrstuvwxyz" wide
$b2 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ" wide
$b3 = "ret %d" wide fullword
$b4 = "uname -a\n\n" wide ascii
$b5 = "/proc/%u/cmdline" wide ascii
$b6 = "/proc/self/exe" wide ascii
$b7 = "cp -a %s %s" wide ascii
$c1 = "/dev/pts/4" wide ascii fullword
$c2 = "/tmp/1408.log" wide ascii fullword
condition:
uint32(0) == 0x464C457F and
((1 of ($a*) and 4 of ($b*)) or
(1 of ($a*) and 1 of ($c*)) or
2 of ($a*) or
all of ($b*))
}

View file

@ -1,48 +0,0 @@
rule apt_nix_elf_derusbi
{
meta:
author = "Fidelis Cybersecurity"
reference = "https://www.fidelissecurity.com/resources/turbo-campaign-featuring-derusbi-64-bit-linux"
strings:
$ = "LxMain"
$ = "execve"
$ = "kill"
$ = "cp -a %s %s"
$ = "%s &"
$ = "dbus-daemon"
$ = "--noprofile"
$ = "--norc"
$ = "TERM=vt100"
$ = "/proc/%u/cmdline"
$ = "loadso"
$ = "/proc/self/exe"
$ = "Proxy-Connection: Keep-Alive"
$ = "Connection: Keep-Alive"
$ = "CONNECT %s"
$ = "HOST: %s:%d"
$ = "User-Agent: Mozilla/4.0"
$ = "Proxy-Authorization: Basic %s"
$ = "Server: Apache"
$ = "Proxy-Authenticate"
$ = "gettimeofday"
$ = "pthread_create"
$ = "pthread_join"
$ = "pthread_mutex_init"
$ = "pthread_mutex_destroy"
$ = "pthread_mutex_lock"
$ = "getsockopt"
$ = "socket"
$ = "setsockopt"
$ = "select"
$ = "bind"
$ = "shutdown"
$ = "listen"
$ = "opendir"
$ = "readdir"
$ = "closedir"
$ = "rename"
condition:
(uint32(0) == 0x4464c457f) and (all of them)
}

View file

@ -1,30 +0,0 @@
rule apt_nix_elf_derusbi_kernelModule
{
meta:
author = "Fidelis Cybersecurity"
reference = "https://www.fidelissecurity.com/resources/turbo-campaign-featuring-derusbi-64-bit-linux"
strings:
$ = "__this_module"
$ = "init_module"
$ = "unhide_pid"
$ = "is_hidden_pid"
$ = "clear_hidden_pid"
$ = "hide_pid"
$ = "license"
$ = "description"
$ = "srcversion="
$ = "depends="
$ = "vermagic="
$ = "current_task"
$ = "sock_release"
$ = "module_layout"
$ = "init_uts_ns"
$ = "init_net"
$ = "init_task"
$ = "filp_open"
$ = "__netlink_kernel_create"
$ = "kfree_skb"
condition:
(uint32(0) == 0x4464c457f) and (all of them)
}

View file

@ -1,40 +0,0 @@
rule apt_win32_dll_bergard_pgv_pvid_variant
{
meta:
copyright = “Fidelis Cybersecurity”
reference = "http://www.threatgeek.com/2016/05/"
strings:
$ = "Accept:"
$ = "User-Agent: %s"
$ = "Host: %s:%d"
$ = "Cache-Control: no-cache"
$ = "Connection: Keep-Alive"
$ = "Cookie: pgv_pvid="
$ = "Content-Type: application/x-octet-stream"
$ = "User-Agent: %s"
$ = "Host: %s:%d"
$ = "Pragma: no-cache"
$ = "Connection: Keep-Alive"
$ = "HTTP/1.0"
condition:
(uint16(0) == 0x5A4D) and (all of them)
}

View file

@ -1,30 +0,0 @@
rule apt_win32_dll_rat_hiZorRAT
{
meta:
hash1 = "75d3d1f23628122a64a2f1b7ef33f5cf"
hash2 = "d9821468315ccd3b9ea03161566ef18e"
hash3 = "b9af5f5fd434a65d7aa1b55f5441c90a"
ref1 = "http://www.threatgeek.com/2016/01/introducing-hi-zor-rat.html"
ref2 = "https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf"
strings:
// Part of the encoded User-Agent = Mozilla
$ = { c7 [5] 40 00 62 00 c7 [5] 77 00 64 00 c7 [5] 61 00 61 00 c7 [5] 6c 00 }
// XOR to decode User-Agent after string stacking 0x10001630
$ = { 66 [7] 0d 40 83 ?? ?? 7c ?? }
// XOR with 0x2E - 0x10002EF6
$ = { 80 [2] 2e 40 3b ?? 72 ?? }
$ = "CmdProcessExited" wide ascii
$ = "rootDir" wide ascii
$ = "DllRegisterServer" wide ascii
$ = "GetNativeSystemInfo" wide ascii
$ = "%08x%08x%08x%08x" wide ascii
condition:
(uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f) and (all of them)
}

View file

@ -1,61 +0,0 @@
rule apt_win_exe_trojan_derusbi
{
meta:
author = "Fidelis Cybersecurity"
reference = "https://www.fidelissecurity.com/resources/turbo-campaign-featuring-derusbi-64-bit-linux"
strings:
$sa_1 = "USB" wide ascii
$sa_2 = "RAM" wide ascii
$sa_3 = "SHARE" wide ascii
$sa_4 = "HOST: %s:%d"
$sa_5 = "POST"
$sa_6 = "User-Agent: Mozilla"
$sa_7 = "Proxy-Connection: Keep-Alive"
$sa_8 = "Connection: Keep-Alive"
$sa_9 = "Server: Apache"
$sa_10 = "HTTP/1.1"
$sa_11 = "ImagePath"
$sa_12 = "ZwUnloadDriver"
$sa_13 = "ZwLoadDriver"
$sa_14 = "ServiceMain"
$sa_15 = "regsvr32.exe"
$sa_16 = "/s /u" wide ascii
$sa_17 = "rand"
$sa_18 = "_time64"
$sa_19 = "DllRegisterServer"
$sa_20 = "DllUnregisterServer"
$sa_21 = { 8b [5] 8b ?? d3 ?? 83 ?? 08 30 [5] 40 3b [5] 72 } // Decode Driver
$sb_1 = "PCC_CMD_PACKET"
$sb_2 = "PCC_CMD"
$sb_3 = "PCC_BASEMOD"
$sb_4 = "PCC_PROXY"
$sb_5 = "PCC_SYS"
$sb_6 = "PCC_PROCESS"
$sb_7 = "PCC_FILE"
$sb_8 = "PCC_SOCK"
$sc_1 = "bcdedit -set testsigning" wide ascii
$sc_2 = "update.microsoft.com" wide ascii
$sc_3 = "_crt_debugger_hook" wide ascii
$sc_4 = "ue8G5" wide ascii
$sd_1 = "NET" wide ascii
$sd_2 = "\\\\.\\pipe\\%s" wide ascii
$sd_3 = ".dat" wide ascii
$sd_4 = "CONNECT %s:%d" wide ascii
$sd_5 = "\\Device\\" wide ascii
$se_1 = "-%s-%04d" wide ascii
$se_2 = "-%04d" wide ascii
$se_3 = "FAL" wide ascii
$se_4 = "OK" wide ascii
$se_5 = "2.03" wide ascii
$se_6 = "XXXXXXXXXXXXXXX" wide ascii
condition:
(uint16(0) == 0x5A4D) and ( (all of ($sa_*)) or (
(13 of ($sa_*)) and
( (5 of ($sb_*)) or (3 of ($sc_*)) or (all of ($sd_*)) or
( (1 of ($sc_*)) and (all of ($se_*)) ) ) ) )
}

View file

@ -1,51 +0,0 @@
rule crime_win32_exe_rat_netwire{
meta:
description = "AlienSpy"
author = "Fidelis Cybersecurity"
reference = "Fidelis Threat Advisory #1017 - Phishing in Plain Sight - June 9, 2015"
hash = "fd5a753347416484ab01712786c407c4"
strings:
$sa = "StubPath"
$sa = "CONNECT"
$sa = "200 OK"
$sa = "GET"
$sa = "Host"
$sa = "Connection"
$sa = "Firefox"
$sa = "Chrome"
$sa = "Opera"
$sa = "Outlook"
$sa = "NSS_Shutdown"
$sa = "NSSBase64_DecodeBuffer"
$sa = "NSS_Init"
$sa = "NSS_Shutdown"
$sa = "name" nocase
$sa = "password"
$sa = "Server"
$sa = "LANMANNT"
$sa = "SERVERNT"
$sa = "[Backspace]"
$sa = "[Enter]"
$sa = "[Tab]"
$sa = "[Print Screen]"
$sa = "mozsqlite"
$sa = "nssutil"
$sa = "sqlite"
$sa = "Email"
$sa = "POP3 User"
$sa = "POP3 Server"
$sa = "POP3 Password"
$sa = "IMAP User"
$sa = "IMAP Server"
$sa = "IMAP Password"
$sa = "HTTP User"
$sa = "HTTP Server"
$sa = "HTTP Password"
$sa = "SMTP User"
$sa = "SMTP Server"
$sa = "SMTP Password"
condition:
(uint16(0) == 0x5A4D) and (all of them)
}

View file

@ -1,28 +0,0 @@
rule crime_win_PWS_Fareit
{
meta:
description = "Fareit password stealer"
author = "General Dynamics Fidelis Cybersecurity Solutions - Threat Research Team"
reference = "https://www.fidelissecurity.com/sites/default/files/FTA_1016_Pushdo.pdf"
date = "20150414"
filetype = "exe"
hash_1 = "e93799591429756b7a5ad6e44197c020"
hash_2 = "891823de9b05e17def459e04fb574f94"
hash_3 = "6e54267c787fc017a2b2cc5dc5273a0a"
hash_4 = "40165ee6b1d69c58d3c0d2f4701230fa"
hash_5 = "de3b206a8066db48e9d7b0a42d50c5cd"
hash_6 = "b988944f831c478f5a6d71f9e06fbc22"
hash_7 = "7b7584d86efa2df42fe504213a3d1d2c"
hash_8 = "f088b291af1a3710f99c33fa37f68602"
strings:
$mz = {4d5a}
$s1 = "SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins"
$s2 = "gate.php"
$s3 = "STATUS-IMPORT-OK"
$s4 = "Client Hash"
$s5 = "YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0"
$c1 = "wiseftpsrvs.bin"
$c2 = "out.bin"
condition:
$mz at 0 and filesize < 105KB and all of ($s*) and ($c1 or $c2)
}

View file

@ -1,47 +0,0 @@
rule network_traffic_njRAT
{
meta:
author = "info@fidelissecurity.com"
descripion = "njRAT - Remote Access Trojan"
comment = "Rule to alert on network traffic indicators"
filetype = "PCAP - Network Traffic"
date = "2013-07-15"
version = "1.0"
hash1 = "92ee1fb5df21d8cfafa2b02b6a25bd3b"
hash2 ="3576d40ce18bb0349f9dfa42b8911c3a"
hash3 ="24cc5b811a7f9591e7f2cb9a818be104"
hash4 = "3ad5fded9d7fdf1c2f6102f4874b2d52"
hash5 = "a98b4c99f64315aac9dd992593830f35"
hash6 = "5fcb5282da1a2a0f053051c8da1686ef"
hash7 = "a669c0da6309a930af16381b18ba2f9d"
hash8 = "79dce17498e1997264346b162b09bde8"
hash9 = "fc96a7e27b1d3dab715b2732d5c86f80"
ref1 = "http://bit.ly/19tlf4s"
ref2 = "http://www.fidelissecurity.com/threatadvisory"
ref3 = "http://www.threatgeek.com/2013/06/fidelis-threat-advisory-1009-njrat-uncovered.html"
ref4 = "http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered.pdf"
strings:
$string1 = "FM|'|'|" // File Manager
$string2 = "nd|'|'|" // File Manager
$string3 = "rn|'|'|" // Run File
$string4 = "sc~|'|'|" // Remote Desktop
$string5 = "scPK|'|'|" // Remote Desktop
$string6 = "CAM|'|'|" // Remote Cam
$string7 = "USB Video Device[endof]" // Remote Cam
$string8 = "rs|'|'|" // Reverse Shell
$string9 = "proc|'|'|" // Process Manager
$string10 = "k|'|'|" // Process Manager
$string11 = "RG|'|'|~|'|'|" // Registry Manipulation
$string12 = "kl|'|'|" // Keylogger file
$string13 = "ret|'|'|" // Get Browser Passwords
$string14 = "pl|'|'|" // Get Browser Passwords
$string15 = "lv|'|'|" // General
$string16 = "prof|'|'|~|'|'|" // Server rename
$string17 = "un|'|'|~[endof]" // Uninstall
$idle_string = "P[endof]" // Idle Connection
condition:
any of ($string*) or #idle_string > 4
}

View file

@ -1,45 +0,0 @@
rule win_exe_njRAT
{
meta:
author = "info@fidelissecurity.com"
descripion = "njRAT - Remote Access Trojan"
comment = "Variants have also been observed obfuscated with .NET Reactor"
filetype = "pe"
date = "2013-07-15"
version = "1.0"
hash1 = "92ee1fb5df21d8cfafa2b02b6a25bd3b"
hash2 = "3576d40ce18bb0349f9dfa42b8911c3a"
hash3 = "24cc5b811a7f9591e7f2cb9a818be104"
hash4 = "3ad5fded9d7fdf1c2f6102f4874b2d52"
hash5 = "a98b4c99f64315aac9dd992593830f35"
hash6 ="5fcb5282da1a2a0f053051c8da1686ef"
hash7 = "a669c0da6309a930af16381b18ba2f9d"
hash8 = "79dce17498e1997264346b162b09bde8"
hash9 = "fc96a7e27b1d3dab715b2732d5c86f80"
ref1 = "http://bit.ly/19tlf4s"
ref2 = "http://www.fidelissecurity.com/threatadvisory"
ref3 = "http://www.threatgeek.com/2013/06/fidelis-threat-advisory-1009-njratuncovered.html"
ref4 = "http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered.pdf"
strings:
$magic = "MZ"
$string_setA_1 = "FromBase64String"
$string_setA_2 = "Base64String"
$string_setA_3 = "Connected" wide ascii
$string_setA_4 = "Receive"
$string_setA_5 = "DeleteSubKey" wide ascii
$string_setA_6 = "get_MachineName"
$string_setA_7 = "get_UserName"
$string_setA_8 = "get_LastWriteTime"
$string_setA_9 = "GetVolumeInformation"
$string_setB_1 = "OSFullName" wide ascii
$string_setB_2 = "Send" wide ascii
$string_setB_3 = "Connected" wide ascii
$string_setB_4 = "DownloadData" wide ascii
$string_setB_5 = "netsh firewall" wide
$string_setB_6 = "cmd.exe /k ping 0 & del" wide
condition:
($magic at 0) and ( all of ($string_setA*) or all of ($string_setB*) )
}

View file

@ -1,128 +0,0 @@
rule win_vbs_rat_hworm
{
meta:
author = "Fidelis Cybersecurity"
reference = "http://www.threatgeek.com/2016/11/down-the-h-w0rm-hole-with-houdinis-rat.html"
strings:
$sa1 = "CONFIG"
$sa2 = "MYCODE"
$sa3 = "SHELLOBJ.EXPANDENVIRONMENTSTRINGS"
$sa4 = "BASE64TOHEX"
$sa5 = "DCOM.VIRTUALALLOC"
$sa6 = "LOADER_"
$sa7 = "PE_PTR"
$sa8 = "OBJWMISERVICE.EXECQUERY"
$sa9 = "WSCRIPT.EXE" nocase
$sa10 = "FUNCTION"
$sa11 = "DIM"
$sa12 = "END SUB"
$sb1 = "HOST_FILE"
$sb2 = "FILE_NAME"
$sb3 = "INSTALL_DIR"
$sb4 = "START_UP_REG"
$sb5 = "START_UP_TASK"
$sb6 = "START_UP_FOLDER"
$sc1 = "DCOM_DATA"
$sc2 = "LOADER_DATA"
$sc3 = "FILE_DATA"
$sc4 = "(1)"
$sc5 = "(2)"
$sc6 = "(3)"
$sc7 = "FILE_SIZE"
condition:
(all of ($sa*)) and ( (all of ($sb*)) or (all of ($sc*)) )
}
rule win_exe_rat_hworm
{
meta:
author = "Fidelis Cybersecurity"
reference = "http://www.threatgeek.com/2016/11/down-the-h-w0rm-hole-with-houdinis-rat.html"
strings:
$sa1 = "connection_host" wide ascii
$sa2 = "connection_port" wide ascii
$sa3 = "install_folder" wide ascii
$sa4 = "install_name" wide ascii
$sa5 = "nickname_id" wide ascii
$sa6 = "password" wide ascii
$sa7 = "injection" wide ascii
$sa8 = "startup_registry" wide ascii
$sa9 = "startup_folder" wide ascii
$sa10 = "startup_task" wide ascii
$sa11 = "process_name" wide ascii
$sa12 = "fkeylogger_host" wide ascii
$sa13 = "fkeylogger_port" wide ascii
$sa14 = "keylogger_init" wide ascii
$sa15 = "keylogger_offline" wide ascii
$sa16 = "file_manager" wide ascii
$sa17 = "usb" wide ascii
$sa18 = "password" wide ascii
$sa19 = "filemanager" wide ascii
$sa20 = "keylogger" wide ascii
$sa21 = "screenshot" wide ascii
$sa22 = "show" nocase wide ascii
$sa23 = "open" wide ascii
$sa25 = "create" wide ascii
$sa26 = "Self" wide ascii
$sa27 = "createsuspended" wide ascii
condition:
(uint16(0) == 0x5A4D) and (all of them)

View file

@ -1,113 +0,0 @@
rule FE_LEGALSTRIKE_MACRO {
meta:version=".1"
filetype="MACRO"
author="Ian.Ahl@fireeye.com @TekDefense"
date="2017-06-02"
description="This rule is designed to identify macros with the specific encoding used in the sample 30f149479c02b741e897cdb9ecd22da7."
reference: https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
strings:
// OBSFUCATION
$ob1 = "ChrW(114) & ChrW(101) & ChrW(103) & ChrW(115) & ChrW(118) & ChrW(114) & ChrW(51) & ChrW(50) & ChrW(46) & ChrW(101)" ascii wide
$ob2 = "ChrW(120) & ChrW(101) & ChrW(32) & ChrW(47) & ChrW(115) & ChrW(32) & ChrW(47) & ChrW(110) & ChrW(32) & ChrW(47)" ascii wide
$ob3 = "ChrW(117) & ChrW(32) & ChrW(47) & ChrW(105) & ChrW(58) & ChrW(104) & ChrW(116) & ChrW(116) & ChrW(112) & ChrW(115)" ascii wide
$ob4 = "ChrW(58) & ChrW(47) & ChrW(47) & ChrW(108) & ChrW(121) & ChrW(110) & ChrW(99) & ChrW(100) & ChrW(105) & ChrW(115)" ascii wide
$ob5 = "ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(46) & ChrW(50) & ChrW(98) & ChrW(117) & ChrW(110)" ascii wide
$ob6 = "ChrW(110) & ChrW(121) & ChrW(46) & ChrW(99) & ChrW(111) & ChrW(109) & ChrW(47) & ChrW(65) & ChrW(117) & ChrW(116)" ascii wide
$ob7 = "ChrW(111) & ChrW(100) & ChrW(105) & ChrW(115) & ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(32)" ascii wide
$ob8 = "ChrW(115) & ChrW(99) & ChrW(114) & ChrW(111) & ChrW(98) & ChrW(106) & ChrW(46) & ChrW(100) & ChrW(108) & ChrW(108)" ascii wide
$obreg1 = /(\w{5}\s&\s){7}\w{5}/
$obreg2 = /(Chrw\(\d{1,3}\)\s&\s){7}/
// wscript
$wsobj1 = "Set Obj = CreateObject(\"WScript.Shell\")" ascii wide
$wsobj2 = "Obj.Run " ascii wide
condition:
(
(
(uint16(0) != 0x5A4D)
)
and
(
all of ($wsobj*) and 3 of ($ob*)
or
all of ($wsobj*) and all of ($obreg*)
)
)
}
rule FE_LEGALSTRIKE_MACRO_2 {
meta:version=".1"
filetype="MACRO"
author="Ian.Ahl@fireeye.com @TekDefense"
date="2017-06-02"
description="This rule was written to hit on specific variables and powershell command fragments as seen in the macro found in the XLSX file3a1dca21bfe72368f2dd46eb4d9b48c4."
reference: https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
strings:
// Setting the environment
$env1 = "Arch = Environ(\"PROCESSOR_ARCHITECTURE\")" ascii wide
$env2 = "windir = Environ(\"windir\")" ascii wide
$env3 = "windir + \"\\syswow64\\windowspowershell\\v1.0\\powershell.exe\"" ascii wide
// powershell command fragments
$ps1 = "-NoP" ascii wide
$ps2 = "-NonI" ascii wide
$ps3 = "-W Hidden" ascii wide
$ps4 = "-Command" ascii wide
$ps5 = "New-Object IO.StreamReader" ascii wide
$ps6 = "IO.Compression.DeflateStream" ascii wide
$ps7 = "IO.MemoryStream" ascii wide
$ps8 = ",$([Convert]::FromBase64String" ascii wide
$ps9 = "ReadToEnd();" ascii wide
$psregex1 = /\W\w+\s+\s\".+\"/
condition:
(
(
(uint16(0) != 0x5A4D)
)
and
(
all of ($env*) and 6 of ($ps*)
or
all of ($env*) and 4 of ($ps*) and all of ($psregex*)
)
)
}
rule FE_LEGALSTRIKE_RTF {
meta:
version=".1"
filetype="MACRO"
author="joshua.kim@FireEye.com"
date="2017-06-02"
description="Rtf Phishing Campaign leveraging the CVE 2017-0199 exploit, to point to the domain 2bunnyDOTcom"
reference: https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
strings:
$header = "{\\rt"
$lnkinfo = "4c0069006e006b0049006e0066006f"
$encoded1 = "4f4c45324c696e6b"
$encoded2 = "52006f006f007400200045006e007400720079"
$encoded3 = "4f0062006a0049006e0066006f"
$encoded4 = "4f006c0065"
$http1 = "68{"
$http2 = "74{"
$http3 = "07{"
// 2bunny.com
$domain1 = "32{\\"
$domain2 = "62{\\"
$domain3 = "75{\\"
$domain4 = "6e{\\"
$domain5 = "79{\\"
$domain6 = "2e{\\"
$domain7 = "63{\\"
$domain8 = "6f{\\"
$domain9 = "6d{\\"
$datastore = "\\*\\datastore"
condition:
$header at 0 and all of them
}

View file

@ -1,18 +0,0 @@
rule APT32_ActiveMime_Lure{
meta:
filetype = "MIME entity"
author = "Ian Ahl (@TekDefense) and Nick Carr (@ItsReallyNick)"
date = "2017-03-02"
description = "Developed to detect APT32 (OceanLotus Group phishing lures used to target Fireeye Customers in 2016 and 2017"
reference = "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
strings:
$a1 = "office_text" wide ascii
$a2 = "schtasks /create /tn" wide ascii
$a3 = "scrobj.dll" wide ascii
$a4 = "new-object net.webclient" wide ascii
$a5 = "GetUserName" wide ascii
$a6 = "WSHnet.UserDomain" wide ascii
$a7 = "WSHnet.UserName" wide ascii
condition:
4 of them
}

View file

@ -1,20 +0,0 @@
rule APT_DeputyDog_Strings
{
meta:
author = "FireEye Labs"
version = "1.0"
description = "detects string seen in samples used in 2013-3893 0day attacks"
reference = "8aba4b5184072f2a50cbc5ecfe326701"
strings:
$mz = {4d 5a}
$a = "DGGYDSYRL"
condition:
($mz at 0) and $a
}

View file

@ -1,120 +0,0 @@
rule FE_Hunting_BADRABBIT {
meta:version=".2"
filetype="PE"
author="ian.ahl @TekDefense & nicholas.carr @itsreallynick"
reference = "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html"
date="2017-10-24"
md5 = "b14d8faf7f0cbcfad051cefe5f39645f"
strings:
// Messages
$msg1 = "Incorrect password" nocase ascii wide
$msg2 = "Oops! Your files have been encrypted." ascii wide
$msg3 = "If you see this text, your files are no longer accessible." ascii wide
$msg4 = "You might have been looking for a way to recover your files." ascii wide
$msg5 = "Don't waste your time. No one will be able to recover them without our" ascii wide
$msg6 = "Visit our web service at" ascii wide
$msg7 = "Your personal installation key#1:" ascii wide
$msg8 = "Run DECRYPT app at your desktop after system boot" ascii wide
$msg9 = "Password#1" nocase ascii wide
$msg10 = "caforssztxqzf2nm.onion" nocase ascii wide
$msg11 = /partition (unbootable|not (found|mounted))/ nocase ascii wide
// File references
$fref1 = "C:\\Windows\\cscc.dat" nocase ascii wide
$fref2 = "\\\\.\\dcrypt" nocase ascii wide
$fref3 = "Readme.txt" ascii wide
$fref4 = "\\Desktop\\DECRYPT.lnk" nocase ascii wide
$fref5 = "dispci.exe" nocase ascii wide
$fref6 = "C:\\Windows\\infpub.dat" nocase ascii wide
// META
$meta1 = "http://diskcryptor.net/" nocase ascii wide
$meta2 = "dispci.exe" nocase ascii wide
$meta3 = "GrayWorm" ascii wide
$meta4 = "viserion" nocase ascii wide
//commands
$com1 = "ComSpec" ascii wide
$com2 = "\\cmd.exe" nocase ascii wide
$com3 = "schtasks /Create" nocase ascii wide
$com4 = "schtasks /Delete /F /TN %ws" nocase ascii wide
condition:
(uint16(0) == 0x5A4D)
and
(8 of ($msg*) and 3 of ($fref*) and 2 of ($com*))
or
(all of ($meta*) and 8 of ($msg*))
}
rule FE_Trojan_BADRABBIT_DROPPER
{
meta:
author = "muhammad.umair"
md5 = "fbbdc39af1139aebba4da004475e8839"
reference = "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html"
rev = 1
strings:
$api1 = "GetSystemDirectoryW" fullword
$api2 = "GetModuleFileNameW" fullword
$dropped_dll = "infpub.dat" ascii fullword wide
$exec_fmt_str = "%ws C:\\Windows\\%ws,#1 %ws" ascii fullword wide
$extract_seq = { 68 ?? ?? ?? ?? 8D 95 E4 F9 FF FF 52 FF 15 ?? ?? ?? ?? 85 C0 0F 84 C4 00 00 00 8D 85 A8 ED FF FF 50 8D 8D AC ED FF FF E8 ?? ?? ?? ?? 85 C0 0F 84 AA 00 00 00 }
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 500KB and all of them
}
rule FE_Worm_BADRABBIT
{
meta:
author = "muhammad.umair"
md5 = "1d724f95c61f1055f0d02c2154bbccd3"
reference = "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html"
rev = 1
strings:
$api1 = "WNetAddConnection2W" fullword
$api2 = "CredEnumerateW" fullword
$api3 = "DuplicateTokenEx" fullword
$api4 = "GetIpNetTable"
$del_tasks = "schtasks /Delete /F /TN drogon" ascii fullword wide
$dropped_driver = "cscc.dat" ascii fullword wide
$exec_fmt_str = "%ws C:\\Windows\\%ws,#1 %ws" ascii fullword wide
$iter_encrypt = { 8D 44 24 3C 50 FF 15 ?? ?? ?? ?? 8D 4C 24 3C 8D 51 02 66 8B 31 83 C1 02 66 3B F7 75 F5 2B CA D1 F9 8D 4C 4C 3C 3B C1 74 07 E8 ?? ?? ?? ?? }
$share_fmt_str = "\\\\%ws\\admin$\\%ws" ascii fullword wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 500KB and all of them
}
rule FE_Trojan_BADRABBIT_MIMIKATZ
{
meta:
author = "muhammad.umair"
md5 = "37945c44a897aa42a66adcab68f560e0"
reference = "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html"
rev = 1
strings:
$api1 = "WriteProcessMemory" fullword
$api2 = "SetSecurityDescriptorDacl" fullword
$api_str1 = "BCryptDecrypt" ascii fullword wide
$mimi_str = "CredentialKeys" ascii fullword wide
$wait_pipe_seq = { FF 15 ?? ?? ?? ?? 85 C0 74 63 55 BD B8 0B 00 00 57 57 6A 03 8D 44 24 1C 50 57 68 00 00 00 C0 FF 74 24 38 4B FF 15 ?? ?? ?? ?? 8B F0 83 FE FF 75 3B }
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 500KB and all of them
}
rule FE_Trojan_BADRABBIT_DISKENCRYPTOR
{
meta:
author = "muhammad.umair"
md5 = "b14d8faf7f0cbcfad051cefe5f39645f"
reference = "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html"
rev = 1
strings:
$api1 = "CryptAcquireContextW" fullword
$api2 = "CryptEncrypt" fullword
$api3 = "NetWkstaGetInfo" fullword
$decrypt_seq = { 89 5D EC 78 10 7F 07 3D 00 00 00 01 76 07 B8 00 00 00 01 EB 07 C7 45 EC 01 00 00 00 53 50 53 6A 04 53 8B F8 56 89 45 FC 89 7D E8 FF 15 ?? ?? ?? ?? 8B D8 85 DB 74 5F }
$msg1 = "Disk decryption progress..." ascii fullword wide
$task_fmt_str = "schtasks /Create /SC ONCE /TN viserion_%u /RU SYSTEM /TR \"%ws\" /ST %02d:%02d:00" ascii fullword wide
$tok1 = "\\\\.\\dcrypt" ascii fullword wide
$tok2 = "C:\\Windows\\cscc.dat" ascii fullword wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 150KB and all of them
}

View file

@ -1,19 +0,0 @@
rule FE_APT_9002_rat
{
meta:
author = "FireEye Labs"
reference = "https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html"
strings:
$mz = {4d 5a}
$a = "rat_UnInstall" wide ascii
condition:
($mz at 0) and $a
}

View file

@ -1,75 +0,0 @@
rule FE_CPE_MS17_010_RANSOMWARE {
meta:version="1.1"
//filetype="PE"
author="Ian.Ahl@fireeye.com @TekDefense, Nicholas.Carr@mandiant.com @ItsReallyNick"
date="2017-06-27"
description="Probable PETYA ransomware using ETERNALBLUE, WMIC, PsExec"
reference = "https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html"
strings:
// DRIVE USAGE
$dmap01 = "\\\\.\\PhysicalDrive" nocase ascii wide
$dmap02 = "\\\\.\\PhysicalDrive0" nocase ascii wide
$dmap03 = "\\\\.\\C:" nocase ascii wide
$dmap04 = "TERMSRV" nocase ascii wide
$dmap05 = "\\admin$" nocase ascii wide
$dmap06 = "GetLogicalDrives" nocase ascii wide
$dmap07 = "GetDriveTypeW" nocase ascii wide
// RANSOMNOTE
$msg01 = "WARNING: DO NOT TURN OFF YOUR PC!" nocase ascii wide
$msg02 = "IF YOU ABORT THIS PROCESS" nocase ascii wide
$msg03 = "DESTROY ALL OF YOUR DATA!" nocase ascii wide
$msg04 = "PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED" nocase ascii wide
$msg05 = "your important files are encrypted" ascii wide
$msg06 = "Your personal installation key" nocase ascii wide
$msg07 = "worth of Bitcoin to following address" nocase ascii wide
$msg08 = "CHKDSK is repairing sector" nocase ascii wide
$msg09 = "Repairing file system on " nocase ascii wide
$msg10 = "Bitcoin wallet ID" nocase ascii wide
$msg11 = "wowsmith123456@posteo.net" nocase ascii wide
$msg12 = "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX" nocase ascii wide
$msg_pcre = /(en|de)crypt(ion|ed\.)/
// FUNCTIONALITY, APIS
$functions01 = "need dictionary" nocase ascii wide
$functions02 = "comspec" nocase ascii wide
$functions03 = "OpenProcessToken" nocase ascii wide
$functions04 = "CloseHandle" nocase ascii wide
$functions05 = "EnterCriticalSection" nocase ascii wide
$functions06 = "ExitProcess" nocase ascii wide
$functions07 = "GetCurrentProcess" nocase ascii wide
$functions08 = "GetProcAddress" nocase ascii wide
$functions09 = "LeaveCriticalSection" nocase ascii wide
$functions10 = "MultiByteToWideChar" nocase ascii wide
$functions11 = "WideCharToMultiByte" nocase ascii wide
$functions12 = "WriteFile" nocase ascii wide
$functions13 = "CoTaskMemFree" nocase ascii wide
$functions14 = "NamedPipe" nocase ascii wide
$functions15 = "Sleep" nocase ascii wide // imported, not in strings
// COMMANDS
// -- Clearing event logs & USNJrnl
$cmd01 = "wevtutil cl Setup" ascii wide nocase
$cmd02 = "wevtutil cl System" ascii wide nocase
$cmd03 = "wevtutil cl Security" ascii wide nocase
$cmd04 = "wevtutil cl Application" ascii wide nocase
$cmd05 = "fsutil usn deletejournal" ascii wide nocase
// -- Scheduled task
$cmd06 = "schtasks " nocase ascii wide
$cmd07 = "/Create /SC " nocase ascii wide
$cmd08 = " /TN " nocase ascii wide
$cmd09 = "at %02d:%02d %ws" nocase ascii wide
$cmd10 = "shutdown.exe /r /f" nocase ascii wide
// -- Sysinternals/PsExec and WMIC
$cmd11 = "-accepteula -s" nocase ascii wide
$cmd12 = "wmic"
$cmd13 = "/node:" nocase ascii wide
$cmd14 = "process call create" nocase ascii wide
condition:
// (uint16(0) == 0x5A4D)
3 of ($dmap*)
and 2 of ($msg*)
and 9 of ($functions*)
and 7 of ($cmd*)
}

File diff suppressed because it is too large Load diff

View file

@ -1,141 +0,0 @@
rule APT_DeputyDog_Strings
{
meta:
author = "FireEye Labs"
version = "1.0"
description = "detects string seen in samples used in 2013-3893 0day attacks"
reference = "8aba4b5184072f2a50cbc5ecfe326701"
strings:
$mz = {4d 5a}
$a = "DGGYDSYRL"
condition:
($mz at 0) and $a
}
rule callTogether_certificate
{
meta:
author = "Fireeye Labs"
version = "1.0"
reference_hash = "d08e038d318b94764d199d7a85047637"
reference = "https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html"
description = "detects binaries signed with the CallTogether certificate"
strings:
$serial = {452156C3B3FB0176365BDB5B7715BC4C}
$o = "CallTogether, Inc."
condition:
$serial and $o
}
rule FE_APT_9002_rat
{
meta:
author = "FireEye Labs"
reference = "https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html"
strings:
$mz = {4d 5a}
$a = "rat_UnInstall" wide ascii
condition:
($mz at 0) and $a
}
rule MACROCHECK
{
meta:
description = "Identify office documents with the MACROCHECK credential stealer in them. It can be run against .doc files or VBA macros extraced from .docx files (vbaProject.bin files)."
author = "Fireeye Labs"
version = "1.0"
strings:
$PARAMpword = "pword=" ascii wide
$PARAMmsg = "msg=" ascii wide
$PARAMuname = "uname=" ascii
$userform = "UserForm" ascii wide
$userloginform = "UserLoginForm" ascii wide
$invalid = "Invalid username or password" ascii wide
$up1 = "uploadPOST" ascii wide
$up2 = "postUpload" ascii wide
condition:
all of ($PARAM*) or (($invalid or $userloginform or $userform) and ($up1 or $up2))
}
rule Molerats_certs
{
meta:
author = "FireEye Labs"
description = "this rule detections code signed with certificates used by the Molerats actor"
reference = "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html"
strings:
$cert1 = {06 50 11 A5 BC BF 83 C0 93 28 16 5E 7E 85 27 75}
$cert2 = {03 e1 e1 aa a5 bc a1 9f ba 8c 42 05 8b 4a bf 28}
$cert3 = {0c c0 35 9c 9c 3c da 00 d7 e9 da 2d c6 ba 7b 6d}
condition:
1 of ($cert*)
}
rule qti_certificate
{
meta:
author = "Fireeye Labs"
reference_hash = "cfa3e3471430a0096a4e7ea2e3da6195"
reference = "https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html"
description = "detects binaries signed with the QTI International Inc certificate"
strings:
$cn = "QTI International Inc"
$serial = { 2e df b9 fd cf a0 0c cb 5a b0 09 ee 3a db 97 b9 }
condition:
$cn and $serial
}

View file

@ -1,20 +0,0 @@
rule MACROCHECK
{
meta:
description = "Identify office documents with the MACROCHECK credential stealer in them. It can be run against .doc files or VBA macros extraced from .docx files (vbaProject.bin files)."
author = "Fireeye Labs"
version = "1.0"
strings:
$PARAMpword = "pword=" ascii wide
$PARAMmsg = "msg=" ascii wide
$PARAMuname = "uname=" ascii
$userform = "UserForm" ascii wide
$userloginform = "UserLoginForm" ascii wide
$invalid = "Invalid username or password" ascii wide
$up1 = "uploadPOST" ascii wide
$up2 = "postUpload" ascii wide
condition:
all of ($PARAM*) or (($invalid or $userloginform or $userform) and ($up1 or $up2))
}

View file

@ -1,25 +0,0 @@
rule Molerats_certs
{
meta:
author = "FireEye Labs"
description = "this rule detections code signed with certificates used by the Molerats actor"
reference = "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html"
strings:
$cert1 = {06 50 11 A5 BC BF 83 C0 93 28 16 5E 7E 85 27 75}
$cert2 = {03 e1 e1 aa a5 bc a1 9f ba 8c 42 05 8b 4a bf 28}
$cert3 = {0c c0 35 9c 9c 3c da 00 d7 e9 da 2d c6 ba 7b 6d}
condition:
1 of ($cert*)
}

View file

@ -1,63 +0,0 @@
rule TRITON_ICS_FRAMEWORK
{
meta:
author = "nicholas.carr @itsreallynick"
md5 = "0face841f7b2953e7c29c064d6886523"
description = "TRITON framework recovered during Mandiant ICS incident response"
reference = "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"
strings:
$python_compiled = ".pyc" nocase ascii wide
$python_module_01 = "__module__" nocase ascii wide
$python_module_02 = "<module>" nocase ascii wide
$python_script_01 = "import Ts" nocase ascii wide
$python_script_02 = "def ts_" nocase ascii wide
$py_cnames_01 = "TS_cnames.py" nocase ascii wide
$py_cnames_02 = "TRICON" nocase ascii wide
$py_cnames_03 = "TriStation " nocase ascii wide
$py_cnames_04 = " chassis " nocase ascii wide
$py_tslibs_01 = "GetCpStatus" nocase ascii wide
$py_tslibs_02 = "ts_" ascii wide
$py_tslibs_03 = " sequence" nocase ascii wide
$py_tslibs_04 = /import Ts(Hi|Low|Base)[^:alpha:]/ nocase ascii wide
$py_tslibs_05 = /module\s?version/ nocase ascii wide
$py_tslibs_06 = "bad " nocase ascii wide
$py_tslibs_07 = "prog_cnt" nocase ascii wide
$py_tsbase_01 = "TsBase.py" nocase ascii wide
$py_tsbase_02 = ".TsBase(" nocase ascii wide
$py_tshi_01 = "TsHi.py" nocase ascii wide
$py_tshi_02 = "keystate" nocase ascii wide
$py_tshi_03 = "GetProjectInfo" nocase ascii wide
$py_tshi_04 = "GetProgramTable" nocase ascii wide
$py_tshi_05 = "SafeAppendProgramMod" nocase ascii wide
$py_tshi_06 = ".TsHi(" ascii nocase wide
$py_tslow_01 = "TsLow.py" nocase ascii wide
$py_tslow_02 = "print_last_error" ascii nocase wide
$py_tslow_03 = ".TsLow(" ascii nocase wide
$py_tslow_04 = "tcm_" ascii wide
$py_tslow_05 = " TCM found" nocase ascii wide
$py_crc_01 = "crc.pyc" nocase ascii wide
$py_crc_02 = "CRC16_MODBUS" ascii wide
$py_crc_03 = "Kotov Alaxander" nocase ascii wide
$py_crc_04 = "CRC_CCITT_XMODEM" ascii wide
$py_crc_05 = "crc16ret" ascii wide
$py_crc_06 = "CRC16_CCITT_x1D0F" ascii wide
$py_crc_07 = /CRC16_CCITT[^_]/ ascii wide
$py_sh_01 = "sh.pyc" nocase ascii wide
$py_keyword_01 = " FAILURE" ascii wide
$py_keyword_02 = "symbol table" nocase ascii wide
$py_TRIDENT_01 = "inject.bin" ascii nocase wide
$py_TRIDENT_02 = "imain.bin" ascii nocase wide
condition:
2 of ($python_*) and 7 of ($py_*) and filesize < 3MB
}

View file

@ -1,26 +0,0 @@
rule callTogether_certificate
{
meta:
author = "Fireeye Labs"
version = "1.0"
reference_hash = "d08e038d318b94764d199d7a85047637"
reference = "https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html"
description = "detects binaries signed with the CallTogether certificate"
strings:
$serial = {452156C3B3FB0176365BDB5B7715BC4C}
$o = "CallTogether, Inc."
condition:
$serial and $o
}

View file

@ -1,25 +0,0 @@
rule Trojan_Hastati
{
meta:
author = "Fireeye"
description = "Korean campaign"
reference = "https://www.fireeye.com/blog/technical/botnet-activities-research/2013/03/more-insights-on-the-recent-korean-cyber-attacks-trojan-hastati.html"
strings:
$str11 = "taskkill /F /IM clisvc.exe" nocase ascii wide
$str2 = "taskkill /F /IM pasvc.exe" nocase ascii wide
$str3 = "shutdown -r -t 0″ nocase ascii wide
condition:
all of them
}

View file

@ -1,25 +0,0 @@
rule qti_certificate
{
meta:
author = "Fireeye Labs"
reference_hash = "cfa3e3471430a0096a4e7ea2e3da6195"
reference = "https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html"
description = "detects binaries signed with the QTI International Inc certificate"
strings:
$cn = "QTI International Inc"
$serial = { 2e df b9 fd cf a0 0c cb 5a b0 09 ee 3a db 97 b9 }
condition:
$cn and $serial
}

File diff suppressed because it is too large Load diff

Some files were not shown because too many files have changed in this diff Show more