Sneed-Reactivity/yara-Neo23x0/gen_recon_indicators.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

74 lines
2.4 KiB
Text

/*
Yara Rule Set
Author: Florian Roth
Date: 2017-07-10
Identifier: Hacking Attempts
Reference: https://blogs.rsa.com/wp-content/uploads/2017/07/Fig8-netstat_dropped_more.png
*/
/* Rule Set ----------------------------------------------------------------- */
rule Recon_Commands_Windows_Gen1 {
meta:
description = "Detects a set of reconnaissance commands on Windows systems"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-07-10"
score = 60
reference = "https://goo.gl/MSJCxP"
id = "bc95265c-780d-5451-bd12-d14495877e46"
strings:
$s1 = "netstat -an" ascii
$s2 = "net view" ascii fullword
$s3 = "net user" ascii fullword
$s4 = "whoami" ascii
$s5 = "tasklist /v" ascii
$s6 = "systeminfo" ascii
$s7 = "net localgroup administrators" ascii
$s8 = "net user administrator" ascii
$s9 = "regedit -e " ascii
$s10 = "tasklist /svc" ascii
$s11 = "regsvr32 /s /u " ascii
$s12 = "CreateObject(\"WScript.Shell\").RegWrite" ascii
$s13 = "bitsadmin /rawreturn /transfer getfile" ascii
$s14 = "wmic qfe list full" ascii
$s15 = "schtasks.exe /create " ascii nocase
$s16 = "wmic share get" ascii
$s17 = "wmic nteventlog get" ascii
$s18 = "wevtutil cl " ascii
$s19 = "sc query type= service" ascii
$s20 = "arp -a " ascii
$fp1 = "avdapp.dll" fullword wide
$fp2 = "keyword.command.batchfile" ascii
$fp3 = ".sublime-settings" ascii
condition:
filesize < 1000KB and 4 of them
and not 1 of ($fp*)
}
rule SUSP_Recon_Outputs_Jun20_1 {
meta:
description = "Detects outputs of many different commands often used for reconnaissance purposes"
author = "Florian Roth (Nextron Systems)"
reference = "https://securelist.com/cycldek-bridging-the-air-gap/97157/"
date = "2020-06-04"
score = 60
id = "ec3759aa-212f-52ce-9f38-636accd35749"
strings:
/* ipconfig /all */
$s1 = ". . . . : Yes" ascii
/* ping */
$s2 = "with 32 bytes of data:" ascii
/* arp -a */
$s3 = "ff-ff-ff-ff-ff-ff static" ascii
/* netstat */
$s4 = " TCP 0.0.0.0:445" ascii
/* tasklist */
$s5 = "System Idle Process" ascii
condition:
filesize < 150KB and
4 of them
}