rule PowerShell_Suite_Hacktools_Gen_Strings {
    // Generic string-based rule for the scripts in the PowerShell-Suite
    // repository (see `reference`). A file matches when it is smaller than
    // 100KB and contains at least one of the strings below.
    //
    // NOTE(review): every string carries only the `ascii` modifier, so a copy
    // of one of these scripts saved as UTF-16LE would not be matched by this
    // rule — decide deliberately whether `wide` should be added, since doing
    // so broadens coverage and may change the false-positive profile.
    meta:
        description = "Detects strings from scripts in the PowerShell-Suite repo"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/FuzzySecurity/PowerShell-Suite"
        date = "2017-12-27"
        hash1 = "79071ba5a984ee05903d566130467483c197cbc2537f25c1e3d7ae4772211fe0"
        hash2 = "db31367410d0a9ffc9ed37f423a4b082639591be7f46aca91f5be261b23212d5"
        hash3 = "4f51e7676a4d54c1962760ca0ac81beb28008451511af96652c31f4f40e8eb8e"
        hash4 = "17ac9bb0c46838c65303f42a4a346fcba838ebd5833b875e81dd65c82701d8a8"
        hash5 = "fa33aef619e620a88ecccb990e71c1e11ce2445f799979d23be2d1ad4321b6c6"
        hash6 = "5542bd89005819bc4eef8dfc8a158183e5fd7a1438c84da35102588f5813a225"
        hash7 = "c6a99faeba098eb411f0a9fcb772abac2af438fc155131ebfc93a00e3dcfad50"
        hash8 = "a8e06ecf5a8c25619ce85f8a23f2416832cabb5592547609cfea8bd7fcfcc93d"
        hash9 = "6aa5abf58904d347d441ac8852bd64b2bad3b5b03b518bdd06510931a6564d08"
        hash10 = "5608f25930f99d78804be8c9c39bd33f4f8d14360dd1e4cc88139aa34c27376d"
        hash11 = "68b6c0b5479ecede3050a2f44f8bb8783a22beeef4a258c4ff00974f5909b714"
        hash12 = "da25010a22460bbaabff0f7004204aae7d830348e8a4543177b1f3383b2c3100"
        id = "afccdd99-da83-5fde-9e21-52220ded1e47"

    strings:
        // Console status / usage messages that appear in the scripts
        // (the "[!]", "[?]", "[>]", "[+]" prefixes are part of the string).
        $m01 = "[!] NtCreateThreadEx failed.." fullword ascii
        $m02 = "[?] Executing mmc.." ascii
        $m03 = "[!] This method is only supported on 64-bit!" fullword ascii
        $m04 = "[!] Unable to open process (as Administrator), this may require SYSTEM access." fullword ascii
        $m05 = "[!] Error, NTSTATUS Value: " ascii
        $m06 = "[!] UAC artifact: " ascii
        $m07 = "[>] Process dump success!" ascii
        $m08 = "[!] Process dump failed!" ascii
        $m09 = "[+] Eidolon entry point:" fullword ascii
        $m10 = "Wait for shellcode to run" fullword ascii
        $m11 = "Use Netapi32::NetSessionEnum to enumerate active sessions on domain joined machines." fullword ascii
        $m12 = "[?] Thread belongs to: " ascii
        $m13 = "[?] Operating system core count: " ascii
        $m14 = "[>] Calling Advapi32::LookupPrivilegeValue --> SeDebugPrivilege" fullword ascii
        $m15 = "Calling Advapi32::OpenProcessToken --> LSASS" ascii
        $m16 = "[!] Mmm, something went wrong! GetLastError returned:" ascii

        // Fragments of PowerShell source taken from the scripts themselves.
        $c01 = "$LNK = [ShellLink.Shortcut]::FromByteArray($LNKHeader.GetBytes())" fullword ascii
        $c02 = "$CallResult = [UACTokenMagic]::TerminateProcess($ShellExecuteInfo.hProcess, 1)" fullword ascii
        $c03 = "$Command = Read-Host \"`nSMB shell\"" fullword ascii
        $c04 = "Invoke-CreateProcess -Binary C:\\Windows\\System32\\" ascii
        $c05 = "if (($FileBytes[0..1] | % {[Char]$_}) -join '' -cne 'MZ')" fullword ascii

    condition:
        // Any single string is enough; the size cap keeps the rule away from
        // large files where a lone generic message would be weak evidence.
        1 of them and filesize < 100KB
}
rule PowerShell_Suite_Eidolon {
    // Rule for one specific script from the PowerShell-Suite repository,
    // Start-Eidolon.ps1 (see `description`). Unlike the generic rule in this
    // file it also pins the first two bytes of the file and allows a much
    // larger file (13000KB vs 100KB).
    //
    // NOTE(review): strings are `ascii` only, so a UTF-16LE copy of the
    // script would not match — confirm whether `wide` is intended here.
    meta:
        description = "Detects PowerShell Suite Eidolon script - file Start-Eidolon.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/FuzzySecurity/PowerShell-Suite"
        date = "2017-12-27"
        hash1 = "db31367410d0a9ffc9ed37f423a4b082639591be7f46aca91f5be261b23212d5"
        id = "5440d8fc-b939-556f-a8a0-ef5feb29e32f"

    strings:
        // Status line printed by the script (not `fullword` here, unlike the
        // same string in the generic rule above).
        $banner = "[+] Eidolon entry point:" ascii
        // Example invocation from the script's help text.
        $usage = "C:\\PS> Start-Eidolon -Target C:\\Some\\File.Path -Mimikatz -Verbose" fullword ascii
        // Source fragment from the script body.
        $code = "[Int16]$PEArch = '0x{0}' -f ((($PayloadBytes[($OptOffset+1)..($OptOffset)]) | % {$_.ToString('X2')}) -join '')" fullword ascii

    condition:
        // uint16(0) is read little-endian, so 0x7566 requires the file to
        // begin with the bytes 0x66 0x75 ("fu") — presumably the leading
        // "function" keyword of the script; verify against the sample in hash1.
        uint16(0) == 0x7566
        and filesize < 13000KB
        and 1 of them
}