/* Yara Rule Set Author: Florian Roth Date: 2017-02-09 Identifier: MSF Payloads */ /* Rule Set ----------------------------------------------------------------- */ rule Msfpayloads_msf { meta: description = "Metasploit Payloads - file msf.sh" author = "Florian Roth (Nextron Systems)" reference = "Internal Research" date = "2017-02-09" modified = "2022-08-18" hash1 = "320a01ec4e023fb5fbbaef963a2b57229e4f918847e5a49c7a3f631cb556e96c" id = "c56dbb8e-1e03-5112-b2ef-a0adfd14dffa" strings: $s1 = "export buf=\\" ascii condition: filesize < 5MB and $s1 } rule Msfpayloads_msf_2 { meta: description = "Metasploit Payloads - file msf.asp" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "Internal Research" date = "2017-02-09" hash1 = "e52f98466b92ee9629d564453af6f27bd3645e00a9e2da518f5a64a33ccf8eb5" id = "ec1ae1b6-18a3-5590-ae15-1e2b362c545a" strings: $s1 = "& \"\\\" & \"svchost.exe\"" fullword ascii $s2 = "CreateObject(\"Wscript.Shell\")" fullword ascii $s3 = "<% @language=\"VBScript\" %>" fullword ascii condition: all of them } rule Msfpayloads_msf_psh { meta: description = "Metasploit Payloads - file msf-psh.vba" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "Internal Research" date = "2017-02-09" hash1 = "5cc6c7f1aa75df8979be4a16e36cece40340c6e192ce527771bdd6463253e46f" id = "5b760f03-b0f8-5871-bd34-e7e44443530c" strings: $s1 = "powershell.exe -nop -w hidden -e" ascii $s2 = "Call Shell(" ascii $s3 = "Sub Workbook_Open()" fullword ascii condition: all of them } rule Msfpayloads_msf_exe { meta: description = "Metasploit Payloads - file msf-exe.vba" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "Internal Research" date = "2017-02-09" hash1 = "321537007ea5052a43ffa46a6976075cee6a4902af0c98b9fd711b9f572c20fd" id = "fd07240e-0ee0-5318-a436-d97054e92414" strings: $s1 = "'* PAYLOAD DATA" fullword ascii $s2 = " = Shell(" ascii $s3 = "= Environ(\"USERPROFILE\")" fullword ascii $s4 = "'**************************************************************" fullword ascii $s5 = "ChDir (" ascii $s6 = "'* MACRO CODE" fullword ascii condition: 4 of them } rule Msfpayloads_msf_3 { meta: description = "Metasploit Payloads - file msf.psh" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "Internal Research" date = "2017-02-09" hash1 = "335cfb85e11e7fb20cddc87e743b9e777dc4ab4e18a39c2a2da1aa61efdbd054" id = "ad09167f-a12a-5f07-940b-df679fa8e6c0" strings: $s1 = "[DllImport(\"kernel32.dll\")] public static extern int WaitForSingleObject(" ascii $s2 = "public enum MemoryProtection { ExecuteReadWrite = 0x40 }" fullword ascii $s3 = ".func]::VirtualAlloc(0," $s4 = ".func+AllocationType]::Reserve -bOr [" ascii $s5 = "New-Object System.CodeDom.Compiler.CompilerParameters" fullword ascii $s6 = "ReferencedAssemblies.AddRange(@(\"System.dll\", [PsObject].Assembly.Location))" fullword ascii $s7 = "public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }" fullword ascii $s8 = ".func]::CreateThread(0,0,$" fullword ascii $s9 = "public enum Time : uint { Infinite = 0xFFFFFFFF }" fullword ascii $s10 = "= [System.Convert]::FromBase64String(\"/" ascii $s11 = "{ $global:result = 3; return }" fullword ascii condition: 4 of them } rule Msfpayloads_msf_4 { meta: description = "Metasploit Payloads - file msf.aspx" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "Internal Research" date = "2017-02-09" hash1 = "26b3e572ba1574164b76c6d5213ab02e4170168ae2bcd2f477f246d37dbe84ef" id = "00d7681b-6041-5fe1-adbb-8b7c40df0193" strings: $s1 = "= VirtualAlloc(IntPtr.Zero,(UIntPtr)" ascii $s2 = ".Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);" ascii $s3 = "[System.Runtime.InteropServices.DllImport(\"kernel32\")]" fullword ascii $s4 = "private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;" fullword ascii $s5 = "private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect);" fullword ascii condition: 4 of them } rule Msfpayloads_msf_exe_2 { meta: description = "Metasploit Payloads - file msf-exe.aspx" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "Internal Research" date = "2017-02-09" hash1 = "3a2f7a654c1100e64d8d3b4cd39165fba3b101bbcce6dd0f70dae863da338401" id = "a55a33e1-8f04-5417-af0c-b7e2da36fb46" strings: $x1 = "= new System.Diagnostics.Process();" fullword ascii $x2 = ".StartInfo.UseShellExecute = true;" fullword ascii $x3 = ", \"svchost.exe\");" ascii $s4 = " = Path.GetTempPath();" ascii condition: all of them } rule Msfpayloads_msf_5 { meta: description = "Metasploit Payloads - file msf.msi" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "Internal Research" date = "2017-02-09" hash1 = "7a6c66dfc998bf5838993e40026e1f400acd018bde8d4c01ef2e2e8fba507065" id = "030d1982-c9a8-539d-a995-7901ae425857" strings: $s1 = "required to install Foobar 1.0." fullword ascii $s2 = "Copyright 2009 The Apache Software Foundation." fullword wide $s3 = "{50F36D89-59A8-4A40-9689-8792029113AC}" fullword ascii condition: all of them } rule Msfpayloads_msf_6 { meta: description = "Metasploit Payloads - file msf.vbs" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "Internal Research" date = "2017-02-09" hash1 = "8d6f55c6715c4a2023087c3d0d7abfa21e31a629393e4dc179d31bb25b166b3f" id = "5485102b-e709-5111-814a-e6878b4bd889" strings: $s1 = "= CreateObject(\"Wscript.Shell\")" fullword ascii $s2 = "= CreateObject(\"Scripting.FileSystemObject\")" fullword ascii $s3 = ".GetSpecialFolder(2)" ascii $s4 = ".Write Chr(CLng(\"" ascii $s5 = "= \"4d5a90000300000004000000ffff00" ascii $s6 = "For i = 1 to Len(" ascii $s7 = ") Step 2" ascii condition: 5 of them } rule Msfpayloads_msf_7 { meta: description = "Metasploit Payloads - file msf.vba" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "Internal Research" date = "2017-02-09" hash1 = "425beff61a01e2f60773be3fcb74bdfc7c66099fe40b9209745029b3c19b5f2f" id = "8d1b742e-510a-5807-ad3f-f10cc325d292" strings: $s1 = "Private Declare PtrSafe Function CreateThread Lib \"kernel32\" (ByVal" ascii $s2 = "= VirtualAlloc(0, UBound(Tsw), &H1000, &H40)" fullword ascii $s3 = "= RtlMoveMemory(" ascii condition: all of them } rule Msfpayloads_msf_8 { meta: description = "Metasploit Payloads - file msf.ps1" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "Internal Research" date = "2017-02-09" hash1 = "519717e01f0cb3f460ef88cd70c3de8c7f00fb7c564260bd2908e97d11fde87f" id = "54466663-12ef-5fa4-a13c-e80ddbc0f4f8" strings: $s1 = "[DllImport(\"kernel32.dll\")]" fullword ascii $s2 = "[DllImport(\"msvcrt.dll\")]" fullword ascii $s3 = "-Name \"Win32\" -namespace Win32Functions -passthru" fullword ascii $s4 = "::VirtualAlloc(0,[Math]::Max($" ascii $s5 = ".Length,0x1000),0x3000,0x40)" ascii $s6 = "public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);" fullword ascii $s7 = "::memset([IntPtr]($" ascii condition: 6 of them } rule Msfpayloads_msf_cmd { meta: description = "Metasploit Payloads - file msf-cmd.ps1" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "Internal Research" date = "2017-02-09" hash1 = "9f41932afc9b6b4938ee7a2559067f4df34a5c8eae73558a3959dd677cb5867f" id = "71d42c34-a0b0-5173-8f2f-f48a7af0e4ff" strings: $x1 = "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e" ascii condition: all of them } rule Msfpayloads_msf_9 { meta: description = "Metasploit Payloads - file msf.war - contents" author = "Florian Roth (Nextron Systems)" reference = "Internal Research" date = "2017-02-09" hash1 = "e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81" id = "488a2e97-ebc2-5ccf-ab5d-dfed4b534b52" strings: $s1 = "if (System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") != -1)" fullword ascii $s2 = ".concat(\".exe\");" fullword ascii $s3 = "[0] = \"chmod\";" ascii $s4 = "= Runtime.getRuntime().exec(" ascii $s5 = ", 16) & 0xff;" ascii $x1 = "4d5a9000030000000" ascii condition: 4 of ($s*) or ( uint32(0) == 0x61356434 and $x1 at 0 ) } rule Msfpayloads_msf_10 { meta: description = "Metasploit Payloads - file msf.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "Internal Research" date = "2017-02-09" hash1 = "3cd74fa28323c0d64f45507675ac08fb09bae4dd6b7e11f2832a4fbc70bb7082" id = "3bc3b66a-9f8a-55c2-ae2a-00faa778cef7" strings: $s1 = { 0c 8b 52 14 8b 72 28 0f b7 4a 26 31 ff ac 3c 61 } $s2 = { 01 c7 38 e0 75 f6 03 7d f8 3b 7d 24 75 e4 58 8b } $s3 = { 01 d0 89 44 24 24 5b 5b 61 59 5a 51 ff e0 5f 5f } condition: ( uint16(0) == 0x5a4d and filesize < 200KB and all of them ) } rule Msfpayloads_msf_svc { meta: description = "Metasploit Payloads - file msf-svc.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "Internal Research" date = "2017-02-09" hash1 = "2b02c9c10577ee0c7590d3dadc525c494122747a628a7bf714879b8e94ae5ea1" id = "45d1c527-1f90-50f3-8e64-e77d69386b0a" strings: $s1 = "PAYLOAD:" fullword ascii $s2 = ".exehll" ascii condition: ( uint16(0) == 0x5a4d and filesize < 50KB and all of them ) } rule Msfpayloads_msf_11 { meta: description = "Metasploit Payloads - file msf.hta" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "Internal Research" date = "2017-02-09" hash1 = "d1daf7bc41580322333a893133d103f7d67f5cd8a3e0f919471061d41cf710b6" id = "59b0cced-ffdc-5f2f-878c-856883ee275f" strings: $s1 = ".ExpandEnvironmentStrings(\"%PSModulePath%\") + \"..\\powershell.exe\") Then" fullword ascii $s2 = "= CreateObject(\"Scripting.FileSystemObject\")" fullword ascii $s3 = "= CreateObject(\"Wscript.Shell\") " fullword ascii condition: all of them } rule Msfpayloads_msf_ref { meta: description = "Metasploit Payloads - file msf-ref.ps1" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "Internal Research" date = "2017-02-09" hash1 = "4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87" id = "517ed365-03c6-5563-984b-dae10464671a" strings: $s1 = "kernel32.dll WaitForSingleObject)," ascii $s2 = "= ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\\\')" ascii $s3 = "GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object" ascii $s4 = ".DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual'," ascii $s5 = "= [System.Convert]::FromBase64String(" ascii $s6 = "[Parameter(Position = 0, Mandatory = $True)] [Type[]]" fullword ascii $s7 = "DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard," ascii condition: 5 of them } rule MAL_Metasploit_Framework_UA { meta: description = "Detects User Agent used in Metasploit Framework" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://github.com/rapid7/metasploit-framework/commit/12a6d67be48527f5d3987e40cac2a0cbb4ab6ce7" date = "2018-08-16" score = 65 hash1 = "1743e1bd4176ffb62a1a0503a0d76033752f8bd34f6f09db85c2979c04bbdd29" id = "e5a18456-3a07-5b58-ad95-086152298a1f" strings: $s3 = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 400KB and 1 of them } rule HKTL_Meterpreter_inMemory { meta: description = "Detects Meterpreter in-memory" author = "netbiosX, Florian Roth" reference = "https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/" date = "2020-06-29" modified = "2023-04-21" score = 85 id = "29c3bb7e-4da8-5924-ada7-2f28d9352009" strings: $sxc1 = { 6D 65 74 73 72 76 2E 64 6C 6C 00 00 52 65 66 6C 65 63 74 69 76 65 4C 6F 61 64 65 72 } $sxs1 = "metsrv.x64.dll" ascii fullword $ss1 = "WS2_32.dll" ascii fullword $ss2 = "ReflectiveLoader" ascii fullword $fp1 = "SentinelOne" ascii wide $fp2 = "fortiESNAC" ascii wide $fp3 = "PSNMVHookMS" ascii wide condition: ( 1 of ($sx*) or 2 of ($s*) ) and not 1 of ($fp*) }