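/*
    Generic Anomalies

    Florian Roth
    BSK Consulting GmbH

    License: Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0)
    Copyright and related rights waived via https://creativecommons.org/licenses/by-nc-sa/4.0/

    NOTE(review): several rules in this file reference the external variables
    `filename`, `filepath`, `extension` and `filetype`. Scanners such as LOKI/THOR
    supply them; a plain `yara` invocation has to define them on the command
    line (e.g. `-d filename="" -d filepath="" -d extension="" -d filetype=""`)
    or compilation fails with an undefined-identifier error.
*/

rule Embedded_EXE_Cloaking {
    meta:
        description = "Detects an embedded executable in a non-executable file"
        author = "Florian Roth"
        date = "2015/02/27"
        score = 65
    strings:
        // Magic bytes of the carrier formats; each is anchored to offset 0 in the condition.
        $noex_png = { 89 50 4E 47 }          // \x89PNG
        $noex_pdf = { 25 50 44 46 }          // %PDF
        $noex_rtf = { 7B 5C 72 74 66 31 }    // {\rtf1
        $noex_jpg = { FF D8 FF E0 }          // SOI + APP0 (JFIF); Exif JPEGs (FF D8 FF E1) are not covered
        $noex_gif = { 47 49 46 38 }          // GIF8

        // DOS/PE header magic. A two-byte pattern is a very weak atom: it occurs
        // frequently in compressed image data and YARA warns that it may slow
        // down scanning. It is only meaningful together with the stub strings.
        $mz = { 4D 5A }
        // Standard DOS-stub messages that sit a few dozen bytes after the MZ header
        // in practically every PE produced by common linkers.
        $a1 = "This program cannot be run in DOS mode"
        $a2 = "This program must be run under Win32"
    condition:
        (
            ( $noex_png at 0 ) or
            ( $noex_pdf at 0 ) or
            ( $noex_rtf at 0 ) or
            ( $noex_jpg at 0 ) or
            ( $noex_gif at 0 )
        )
        and
        // Some "MZ" occurrence must be followed, within 200 bytes, by one of the
        // DOS-stub strings. The lower bound (`> @mz[i]`) matters: without it the
        // first stub string anywhere in the file plus any later "MZ" byte pair
        // satisfied the rule (e.g. a PDF that merely quotes the DOS-stub text).
        // `@a1` / `@a2` without an index denote the first occurrence, as before.
        for any i in (1..#mz): (
            ( @a1 > @mz[i] and @a1 < ( @mz[i] + 200 ) ) or
            ( @a2 > @mz[i] and @a2 < ( @mz[i] + 200 ) )
        )
}

rule Cloaked_as_JPG {
    meta:
        description = "Detects a cloaked file as JPG"
        author = "Florian Roth (eval section from Didier Stevens)"
        date = "2015/02/29"
        score = 40
    condition:
        // The file is named like a JPEG but does not begin with the JPEG SOI
        // marker (FF D8). Requires the externals `extension` and `filetype`.
        // Only ".jpg" is matched; ".jpeg"/".jpe" carriers are out of scope.
        uint16be(0x00) != 0xFFD8 and
        extension matches /\.jpg/i and
        filetype != "GIF"
        /* and not filepath contains "ASP.NET" */
}

rule GIFCloaked_Webshell {
    meta:
        description = "Detects a webshell that cloakes itself with GIF header(s) - Based on Dark Security Team Webshell"
        author = "Florian Roth"
        hash = "f1c95b13a71ca3629a0bb79601fcacf57cdfcf768806a71b26f2448f8c1d5d24"
        score = 60
    strings:
        // Only the first three bytes of the GIF signature; version ("87a"/"89a") is irrelevant here.
        $magic = "GIF"
        // ASP/VBScript and HTML tokens are case-insensitive for the interpreter, so
        // a webshell can be written as "<%Eval Request" or "language='vbscript'"
        // without changing behaviour. `nocase` closes that trivial evasion.
        $s0 = "input type" nocase
        $s1 = "<%eval request" nocase
        $s2 = "<%eval(Request.Item[" nocase
        $s3 = "LANGUAGE='VBScript'" nocase
    condition:
        // GIF magic at offset 0 with at least one server-side script marker anywhere in the file.
        ( $magic at 0 ) and ( 1 of ($s*) )
}

/*
    Yara Rule Set
    Author: Florian Roth
    Date: 2015-12-21
    Identifier: Uncommon File Sizes

    NOTE(review): every size window below was baselined in December 2015 against
    the Windows builds current at that time and is not self-updating. Later
    releases tend to ship larger system binaries, so expect false positives
    until the bounds are re-baselined against a known-good image of the target
    OS version. 32-bit (SysWOW64) and 64-bit (System32) copies of the same
    binary also differ in size and must both fit the window.

    All rules key on `filename ==` / `filepath contains`, which are
    case-sensitive. Whether the scanner lowercases those externals before
    handing them in is not visible here — confirm, or `Explorer.EXE` slips past.

    `uint16(0) == 0x5a4d` is the little-endian read of the two bytes "MZ".
*/

rule Suspicious_Size_explorer_exe {
    meta:
        description = "Detects uncommon file size of explorer.exe"
        author = "Florian Roth"
        score = 60
        date = "2015-12-21"
    condition:
        uint16(0) == 0x5a4d and
        filename == "explorer.exe" and
        // TeamViewer ships its own explorer.exe; excluded to avoid a known false positive.
        not filepath contains "teamviewer" and
        ( filesize < 1000KB or filesize > 3500KB )
}

rule Suspicious_Size_chrome_exe {
    meta:
        description = "Detects uncommon file size of chrome.exe"
        author = "Florian Roth"
        score = 60
        date = "2015-12-21"
    condition:
        uint16(0) == 0x5a4d and
        filename == "chrome.exe" and
        ( filesize < 500KB or filesize > 1300KB )
}

rule Suspicious_Size_csrss_exe {
    meta:
        description = "Detects uncommon file size of csrss.exe"
        author = "Florian Roth"
        score = 60
        date = "2015-12-21"
    condition:
        // Upper bound only: csrss.exe is a small stub, so anything larger is suspect.
        uint16(0) == 0x5a4d and
        filename == "csrss.exe" and
        ( filesize > 18KB )
}

rule Suspicious_Size_iexplore_exe {
    meta:
        description = "Detects uncommon file size of iexplore.exe"
        author = "Florian Roth"
        score = 60
        date = "2015-12-21"
    condition:
        uint16(0) == 0x5a4d and
        filename == "iexplore.exe" and
        // TeamViewer bundles a stub named iexplore.exe; excluded to avoid a known false positive.
        not filepath contains "teamviewer" and
        ( filesize < 75KB or filesize > 910KB )
}

rule Suspicious_Size_firefox_exe {
    meta:
        description = "Detects uncommon file size of firefox.exe"
        author = "Florian Roth"
        score = 60
        date = "2015-12-21"
    condition:
        uint16(0) == 0x5a4d and
        filename == "firefox.exe" and
        ( filesize < 265KB or filesize > 910KB )
}

rule Suspicious_Size_java_exe {
    meta:
        description = "Detects uncommon file size of java.exe"
        author = "Florian Roth"
        score = 60
        date = "2015-12-21"
    condition:
        uint16(0) == 0x5a4d and
        filename == "java.exe" and
        ( filesize < 42KB or filesize > 900KB )
}

rule Suspicious_Size_lsass_exe {
    meta:
        description = "Detects uncommon file size of lsass.exe"
        author = "Florian Roth"
        score = 60
        date = "2015-12-21"
    condition:
        uint16(0) == 0x5a4d and
        filename == "lsass.exe" and
        ( filesize < 10KB or filesize > 58KB )
}

rule Suspicious_Size_svchost_exe {
    meta:
        description = "Detects uncommon file size of svchost.exe"
        author = "Florian Roth"
        score = 60
        date = "2015-12-21"
    condition:
        uint16(0) == 0x5a4d and
        filename == "svchost.exe" and
        ( filesize < 14KB or filesize > 40KB )
}

rule Suspicious_Size_winlogon_exe {
    meta:
        description = "Detects uncommon file size of winlogon.exe"
        author = "Florian Roth"
        score = 60
        date = "2015-12-21"
    condition:
        uint16(0) == 0x5a4d and
        filename == "winlogon.exe" and
        ( filesize < 279KB or filesize > 580KB )
}

rule Suspicious_Size_igfxhk_exe {
    meta:
        description = "Detects uncommon file size of igfxhk.exe"
        author = "Florian Roth"
        score = 60
        date = "2015-12-21"
    condition:
        uint16(0) == 0x5a4d and
        filename == "igfxhk.exe" and
        ( filesize < 200KB or filesize > 265KB )
}

rule Suspicious_Size_servicehost_dll {
    meta:
        description = "Detects uncommon file size of servicehost.dll"
        author = "Florian Roth"
        score = 60
        date = "2015-12-23"
    condition:
        // Upper bound only.
        uint16(0) == 0x5a4d and
        filename == "servicehost.dll" and
        filesize > 150KB
}

rule Suspicious_Size_rundll32_exe {
    meta:
        description = "Detects uncommon file size of rundll32.exe"
        author = "Florian Roth"
        score = 60
        date = "2015-12-23"
    condition:
        uint16(0) == 0x5a4d and
        filename == "rundll32.exe" and
        ( filesize < 30KB or filesize > 60KB )
}

rule Suspicious_Size_taskhost_exe {
    meta:
        description = "Detects uncommon file size of taskhost.exe"
        author = "Florian Roth"
        score = 60
        date = "2015-12-23"
    condition:
        uint16(0) == 0x5a4d and
        filename == "taskhost.exe" and
        ( filesize < 45KB or filesize > 85KB )
}

rule Suspicious_Size_spoolsv_exe {
    meta:
        description = "Detects uncommon file size of spoolsv.exe"
        author = "Florian Roth"
        score = 60
        date = "2015-12-23"
    condition:
        uint16(0) == 0x5a4d and
        filename == "spoolsv.exe" and
        ( filesize < 50KB or filesize > 930KB )
}

rule Suspicious_Size_smss_exe {
    meta:
        description = "Detects uncommon file size of smss.exe"
        author = "Florian Roth"
        score = 60
        date = "2015-12-23"
    condition:
        uint16(0) == 0x5a4d and
        filename == "smss.exe" and
        ( filesize < 40KB or filesize > 320KB )
}

rule Suspicious_Size_wininit_exe {
    meta:
        description = "Detects uncommon file size of wininit.exe"
        author = "Florian Roth"
        score = 60
        date = "2015-12-23"
    condition:
        uint16(0) == 0x5a4d and
        filename == "wininit.exe" and
        ( filesize < 90KB or filesize > 300KB )
}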