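/*
   Yara Rule Set
   Author: Florian Roth
   Date: 2017-07-23
   Identifier: Operation Wilted Tulip
   Reference: http://www.clearskysec.com/tulip

   Review notes (see per-rule comments):
   - Several rules key on tooling that is reused across many intrusions
     (reflective DLL loaders, encoded PowerShell stagers). A hit on those
     rules is a strong "hack tool present" signal but is NOT, on its own,
     attribution to this campaign. Triage accordingly.
   - The "pe" module import below is required by the pe.exports() calls in
     WiltedTulip_matryoshka_Injector and WiltedTulip_ReflectiveLoader.
*/

import "pe"

/* Rule Set ----------------------------------------------------------------- */

rule WiltedTulip_Tools_back {
   meta:
      description = "Detects Chrome password dumper used in Operation Wilted Tulip"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://www.clearskysec.com/tulip"
      date = "2017-07-23"
      modified = "2022-12-21"
      hash1 = "b7faeaa6163e05ad33b310a8fdc696ccf1660c425fa2a962c3909eada5f2c265"
      id = "3f57bd66-b269-5f59-ade1-f881b1d7dadd"
   strings:
      // Usage/help text and PDB path of the password-dumping tool; the PDB
      // path ($x2) survives most rebuilds and is the most durable indicator.
      $x1 = "%s.exe -f \"C:\\Users\\Admin\\Google\\Chrome\\TestProfile\" -o \"c:\\passlist.txt\"" fullword ascii
      $x2 = "\\ChromePasswordDump\\Release\\FireMaster.pdb" ascii
      $x3 = "//Dump Chrome Passwords to a Output file \"c:\\passlist.txt\"" fullword ascii
   condition:
      // PE magic + size cap keep this from scanning large non-PE blobs.
      ( uint16(0) == 0x5a4d and filesize < 2000KB and 1 of them )
}

rule WiltedTulip_Tools_clrlg {
   meta:
      description = "Detects Windows eventlog cleaner used in Operation Wilted Tulip - file clrlg.bat"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://www.clearskysec.com/tulip"
      date = "2017-07-23"
      hash1 = "b33fd3420bffa92cadbe90497b3036b5816f2157100bf1d9a3b6c946108148bf"
      id = "6957c97d-2c2d-50ac-8fd5-2f299fc7b5c8"
   strings:
      // Batch-file loop that enumerates every event log and clears each one.
      // $s2 alone ("wevtutil.exe cl <log>") is generic log clearing and can
      // also appear in legitimate maintenance scripts; a hit is still worth
      // triage because clearing all logs is classic anti-forensics.
      $s1 = "('wevtutil.exe el') DO (call :do_clear" fullword ascii
      $s2 = "wevtutil.exe cl %1" fullword ascii
   condition:
      // Target is a tiny .bat, so there is no PE magic check here.
      filesize < 1KB and 1 of them
}

rule WiltedTulip_powershell {
   meta:
      description = "Detects powershell script used in Operation Wilted Tulip"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://www.clearskysec.com/tulip"
      date = "2017-07-23"
      hash1 = "e5ee1f45cbfdb54b02180e158c3c1f080d89bce6a7d1fe99dd0ff09d47a36787"
      id = "b6246508-a6ff-5a02-a0de-9cde139f0acc"
   strings:
      // Hidden-window PowerShell one-liner that picks the 32- or 64-bit host
      // based on [IntPtr]::Size. This architecture-selection prologue is a
      // widely reused stager idiom, so a match is evidence of a PowerShell
      // stager, not of this specific campaign.
      $x1 = "powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+" ascii
   condition:
      // No size/magic guard: the string can sit in scripts, task XML,
      // registry exports or memory dumps alike.
      1 of them
}

rule WiltedTulip_vminst {
   meta:
      description = "Detects malware used in Operation Wilted Tulip"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://www.clearskysec.com/tulip"
      date = "2017-07-23"
      hash1 = "930118fdf1e6fbffff579e65e1810c8d91d4067cbbce798c5401cf05d7b4c911"
      id = "5d21e515-eb7b-56ab-acc2-f09065769b2d"
   strings:
      // Build-path fragment from the developer's project tree: high confidence.
      $x1 = "\\C++\\Trojan\\Target\\" ascii
      // Supporting strings. Note that $s7 ("operator co_await") is a C++
      // symbol-demangling string that ships in MSVC-linked binaries in general,
      // and $s8 is the generic 32-bit reflective-loader export; both add little
      // specificity on their own, which is why the condition requires 5 of them.
      $s1 = "%s\\system32\\rundll32.exe" fullword wide
      $s2 = "$C:\\Windows\\temp\\l.tmp" fullword wide
      $s3 = "%s\\svchost.exe" fullword wide
      $s4 = "args[10] is %S and command is %S" fullword ascii
      $s5 = "LOGON USER FAILD " fullword ascii
      $s6 = "vminst.tmp" fullword wide
      $s7 = "operator co_await" fullword ascii
      $s8 = "?ReflectiveLoader@@YGKPAX@Z" fullword ascii
      $s9 = "%s -k %s" fullword wide
      $s10 = "ERROR in %S/%d" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 900KB and ( 1 of ($x*) or 5 of ($s*) )
}

rule WiltedTulip_Windows_UM_Task {
   meta:
      description = "Detects a Windows scheduled task as used in Operation Wilted Tulip"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://www.clearskysec.com/tulip"
      date = "2017-07-23"
      hash1 = "4c2fc21a4aab7686877ddd35d74a917f6156e48117920d45a3d2f21fb74fedd3"
      id = "d827584e-8298-56e4-8466-90950d1f286e"
   strings:
      // Task runs the 32-bit rundll32 ($r1) against a payload under a quoted
      // C:\Users\public path ($p1 starts with the opening quote on purpose).
      $r1 = "C:\\Windows\\syswow64\\rundll32.exe" fullword wide
      $p1 = "\"C:\\Users\\public\\" wide
      // Payload file + exported entry point as it appears in the task's
      // argument string, with and without the surrounding quote.
      $c1 = "svchost64.swp\",checkUpdate" wide ascii
      $c2 = "svchost64.swp,checkUpdate" wide ascii
   condition:
      // Task XML is not a PE, so no magic check; $r1+$p1 on its own can in
      // principle hit any task launching a DLL from C:\Users\public via
      // SysWOW64 rundll32 - suspicious, but confirm before attributing.
      ( $r1 and $p1 ) or 1 of ($c*)
}

rule WiltedTulip_WindowsTask {
   meta:
      description = "Detects hack tool used in Operation Wilted Tulip - Windows Tasks"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://www.clearskysec.com/tulip"
      date = "2017-07-23"
      hash1 = "c3cbe88b82cd0ea46868fb4f2e8ed226f3419fc6d4d6b5f7561e70f4cd33822c"
      hash2 = "340cbbffbb7685133fc318fa20e4620ddf15e56c0e65d4cf1b2d606790d4425d"
      hash3 = "b6f515b3f713b70b808fc6578232901ffdeadeb419c9c4219fbfba417bba9f01"
      hash4 = "5046e7c28f5f2781ed7a63b0871f4a2b3065b70d62de7254491339e8fe2fa14a"
      hash5 = "984c7e1f76c21daf214b3f7e131ceb60c14abf1b0f4066eae563e9c184372a34"
      id = "ad8193f0-e664-50a8-ab05-38027a2e33cd"
   strings:
      // svchost.exe directly under C:\Windows (the legitimate binary lives in
      // System32) - a masquerading path.
      $x1 = "C:\\Windows\\svchost.exe" fullword wide
      // Generic hidden/encoded PowerShell launch; legitimate admin tasks can
      // use this too, so $x2 hits deserve a look at the decoded command.
      $x2 = "-nop -w hidden -encodedcommand" wide
      // Base64 of UTF-16LE "$s=New-Object IO.MemoryStream(" - the opening of
      // a common in-memory PowerShell stager; no string modifier, so this is
      // matched as plain ASCII text only.
      $x3 = "-encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA"
   condition:
      1 of them
}

rule WiltedTulip_tdtess {
   meta:
      description = "Detects malicious service used in Operation Wilted Tulip"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://www.clearskysec.com/tulip"
      date = "2017-07-23"
      hash1 = "3fd28b9d1f26bd0cee16a167184c9f4a22fd829454fd89349f2962548f70dc34"
      id = "0ecb391b-a4f9-5362-bb65-73801ae497de"
   strings:
      $x1 = "d2lubG9naW4k" fullword wide /* base64 encoded string 'winlogin$' */
      // Developer project path embedded in the build (PDB/source reference).
      $x2 = "C:\\Users\\admin\\Documents\\visual studio 2015\\Projects\\Export\\TDTESS_ShortOne\\WinService Template\\" ascii
      $s1 = "\\WinService Template\\obj\\x64\\x64\\winlogin" ascii
      // "winlogin.exe" mimics the legitimate "winlogon.exe" name.
      $s2 = "winlogin.exe" fullword wide
   condition:
      ( uint16(0) == 0x5a4d and filesize < 200KB and ( 1 of ($x*) or 2 of them ) )
}

rule WiltedTulip_SilverlightMSI {
   meta:
      description = "Detects powershell tool call Get_AD_Users_Logon_History used in Operation Wilted Tulip"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://www.clearskysec.com/tulip"
      date = "2017-07-23"
      hash1 = "c75906dbc3078ff81092f6a799c31afc79b1dece29db696b2ecf27951a86a1b2"
      id = "6430d464-b9c7-5f19-b89d-3c70f99af688"
   strings:
      // Usage line and code fragments of the Get_AD_Users_Logon_History.ps1
      // script (AD logon-history collection via event logs + reverse DNS).
      // NOTE(review): this looks like a reusable AD audit script rather than
      // bespoke malware; hits on admin workstations need context before
      // being treated as this campaign. $x3 ends with a trailing space that
      // is part of the matched text.
      $x1 = ".\\Get_AD_Users_Logon_History.ps1 -MaxEvent" fullword ascii
      $x2 = "if ((Resolve-dnsname $_.\"IP Address\" -Type PTR -TcpOnly -DnsOnly -ErrorAction \"SilentlyContinue\").Type -eq \"PTR\")" fullword ascii
      $x3 = "$Client_Name = (Resolve-dnsname $_.\"IP Address\" -Type PTR -TcpOnly -DnsOnly).NameHost " fullword ascii
      $x4 = "########## Find the Computer account in AD and if not found, throw an exception ###########" fullword ascii
   condition:
      ( filesize < 20KB and 1 of them )
}

rule WiltedTulip_matryoshka_Injector {
   meta:
      description = "Detects hack tool used in Operation Wilted Tulip"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://www.clearskysec.com/tulip"
      date = "2017-07-23"
      hash1 = "c41e97b3b22a3f0264f10af2e71e3db44e53c6633d0d690ac4d2f8f5005708ed"
      hash2 = "b93b5d6716a4f8eee450d9f374d0294d1800784bc99c6934246570e4baffe509"
      id = "e4cf2a31-33c8-5db1-84ca-f63b65a0a0a3"
   strings:
      // Both strings are typical of reflective DLL injection tooling in
      // general; requiring both (all of them) narrows this, but other
      // injectors with the same module name would also match.
      $s1 = "Injector.dll" fullword ascii
      $s2 = "ReflectiveLoader" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 1000KB and all of them )
      or
      // Alternative: the specific export set observed in the samples
      // (requires the "pe" module imported at the top of this file).
      ( pe.exports("__dec") and pe.exports("_check") and pe.exports("_dec") and pe.exports("start") and pe.exports("test") )
}

rule WiltedTulip_Zpp {
   meta:
      description = "Detects hack tool used in Operation Wilted Tulip"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://www.clearskysec.com/tulip"
      date = "2017-07-23"
      modified = "2022-12-21"
      hash1 = "10ec585dc1304436821a11e35473c0710e844ba18727b302c6bd7f8ebac574bb"
      hash2 = "7d046a3ed15035ea197235980a72d133863c372cc27545af652e1b2389c23918"
      hash3 = "6d6816e0b9c24e904bc7c5fea5951d53465c478cc159ab900d975baf8a0921cf"
      id = "7d833cb2-485e-5a26-be2f-aaebde7fdef2"
   strings:
      // Usage/error text of the ZPP archiving tool (argument switches).
      $x1 = "[ERROR] Error Main -i -s -d -gt -lt -mb" fullword wide
      $x2 = "[ERROR] Error Main -i(with.) -s -d -gt -lt -mb -o -e" fullword wide
      $s1 = "LT Time invalid" fullword wide
      $s2 = "doCompressInNetWorkDirectory" fullword ascii
      $s3 = "files remaining ,total file save = " fullword wide
      // Assembly GUID - a stable, build-independent identifier.
      $s4 = "$ec996350-79a4-477b-87ae-2d5b9dbe20fd" fullword ascii
      // Misspelling ("Destinition") is verbatim from the sample; do not "fix".
      $s5 = "Destinition Directory Not Found" fullword wide
      $s6 = "\\obj\\Release\\ZPP.pdb" ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 30KB and ( 1 of ($x*) or 3 of them )
}

rule WiltedTulip_Netsrv_netsrvs {
   meta:
      description = "Detects sample from Operation Wilted Tulip"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://www.clearskysec.com/tulip"
      date = "2017-07-23"
      hash1 = "a062cb4364125427b54375d51e9e9afb0baeb09b05a600937f70c9d6d365f4e5"
      hash2 = "afa563221aac89f96c383f9f9f4ef81d82c69419f124a80b7f4a8c437d83ce77"
      hash3 = "acf24620e544f79e55fd8ae6022e040257b60b33cf474c37f2877c39fbf2308a"
      hash4 = "bff115d5fb4fd8a395d158fb18175d1d183c8869d54624c706ee48a1180b2361"
      hash5 = "07ab795eeb16421a50c36257e6e703188a0fef9ed87647e588d0cd2fcf56fe43"
      id = "4b58bb08-88da-535c-8ce5-e7113e5b7045"
   strings:
      // Generic process-launch / rundll32 strings; all three are required.
      $s1 = "Process %d Created" fullword ascii
      $s2 = "%s\\system32\\rundll32.exe" fullword wide
      $s3 = "%s\\SysWOW64\\rundll32.exe" fullword wide
      // Channel / service names specific to the samples.
      // The original set also carried a $c5 that was byte-identical to $c2
      // ("/slbhttps" fullword wide); it was removed as redundant - with
      // "1 of ($c*)" the duplicate never changed the result.
      $c1 = "slbhttps" fullword ascii
      $c2 = "/slbhttps" fullword wide
      $c3 = "/slbdnsk1" fullword wide
      $c4 = "netsrv" fullword wide
   condition:
      ( uint16(0) == 0x5a4d and filesize < 1000KB and ( all of ($s*) and 1 of ($c*) ) )
}

rule WiltedTulip_ReflectiveLoader {
   meta:
      description = "Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://www.clearskysec.com/tulip"
      date = "2017-07-23"
      hash1 = "1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904"
      hash2 = "1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a"
      hash3 = "a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f"
      hash4 = "cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0"
      hash5 = "eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89"
      id = "0c7dfb44-8acb-5f36-9683-745560f1f795"
   strings:
      // Post-exploitation framework strings (encoded PowerShell launch,
      // cross-architecture injection error, local-loopback IEX download
      // cradle, token impersonation errors, beacon-style format string).
      // These identify the framework, not the operator.
      $x1 = "powershell -nop -exec bypass -EncodedCommand \"%s\"" fullword ascii
      $x2 = "%d is an x86 process (can't inject x64 content)" fullword ascii
      $x3 = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s" fullword ascii
      $x4 = "Failed to impersonate token from %d (%u)" fullword ascii
      $x5 = "Failed to impersonate logged on user %d (%u)" fullword ascii
      $x6 = "%s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" fullword ascii
   condition:
      // Branch 1: PE under 600KB with any one string.
      // Branch 2: any two strings regardless of container (presumably to
      // also catch shellcode blobs and memory dumps that lack an MZ header).
      // Branch 3: the 32-bit stdcall reflective-loader export alone. This
      // fires on ANY reflective DLL built around that export convention,
      // so by itself it indicates a reflective loader, not this campaign.
      ( uint16(0) == 0x5a4d and filesize < 600KB and 1 of them )
      or ( 2 of them )
      or pe.exports("_ReflectiveLoader@4")
}

rule WiltedTulip_Matryoshka_RAT {
   meta:
      description = "Detects Matryoshka RAT used in Operation Wilted Tulip"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://www.clearskysec.com/tulip"
      date = "2017-07-23"
      hash1 = "6f208473df0d31987a4999eeea04d24b069fdb6a8245150aa91dfdc063cd64ab"
      hash2 = "6cc1f4ecd28b833c978c8e21a20a002459b4a6c21a4fbaad637111aa9d5b1a32"
      id = "e851e212-bb71-55c9-9bc1-0041bb04bef5"
   strings:
      // Drop path, config/staging file name, RTTI class name of the job
      // subsystem, the C2 host name and the keylogger job label.
      $s1 = "%S:\\Users\\public" fullword wide
      $s2 = "ntuser.dat.swp" fullword wide
      $s3 = "Job Save / Load Config" fullword wide
      $s4 = ".?AVPSCL_CLASS_JOB_SAVE_CONFIG@@" fullword ascii
      $s5 = "winupdate64.com" fullword ascii
      $s6 = "Job Save KeyLogger" fullword wide
   condition:
      ( uint16(0) == 0x5a4d and filesize < 1000KB and 3 of them )
}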