08e8d462fe
RED PILL 🔴 💊
66 lines
2.3 KiB
Text
66 lines
2.3 KiB
Text
|
|
rule SUSP_LNK_lnkfileoverRFC {
|
|
meta:
|
|
description = "Detects APT lnk files that run double extraction and launch routines with autoruns"
|
|
author = "@Grotezinfosec, modified by Florian Roth"
|
|
date = "2018-09-18"
|
|
id = "19c393af-ff7c-5345-a3ef-c06372344baf"
|
|
strings:
|
|
$command = "C:\\Windows\\System32\\cmd.exe" fullword ascii //cmd is precursor to findstr
|
|
$command2 = {2F 00 63 00 20 00 66 00 69 00 6E 00 64 00 73 00 74 00 72} //findstr in hex
|
|
$base64 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD" ascii //some base64 filler, needed to work with routine
|
|
$cert = " -decode " ascii //base64 decoder
|
|
condition:
|
|
uint16(0) == 0x004c and uint32(4) == 0x00021401 and
|
|
filesize > 15KB and (
|
|
2 of them
|
|
)
|
|
}
|
|
|
|
rule SUSP_LNK_SuspiciousCommands {
|
|
meta:
|
|
description = "Detects LNK file with suspicious content"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
date = "2018-09-18"
|
|
score = 60
|
|
id = "8bfb1322-8e33-50bc-a389-2d8bdfec9ca7"
|
|
strings:
|
|
$s1 = " -decode " ascii wide
|
|
$s2 = " -enc " ascii wide
|
|
$s3 = " -w hidden " ascii wide
|
|
$s4 = " -ep bypass " ascii wide
|
|
$s5 = " -noni " ascii nocase wide
|
|
/* $s6 = " bypass " ascii wide */
|
|
$s7 = " -noprofile " ascii wide
|
|
$s8 = ".DownloadString(" ascii wide
|
|
$s9 = ".DownloadFile(" ascii wide
|
|
$s10 = "IEX(" ascii wide
|
|
$s11 = "iex(" ascii wide
|
|
$s12 = "WScript.shell" ascii wide fullword nocase
|
|
$s13 = " -nop " ascii wide
|
|
$s14 = "&tasklist>"
|
|
$s15 = "setlocal EnableExtensions DisableDelayedExpansion"
|
|
$s16 = "echo^ set^"
|
|
$s17 = "del /f /q "
|
|
$s18 = " echo | start "
|
|
$s19 = "&& echo "
|
|
$s20 = "&&set "
|
|
$s21 = "%&&@echo off "
|
|
condition:
|
|
uint16(0) == 0x004c and 1 of them
|
|
}
|
|
|
|
rule SUSP_DOC_LNK_in_ZIP {
|
|
meta:
|
|
description = "Detects suspicious .doc.lnk file in ZIP archive"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://twitter.com/RedDrip7/status/1145877272945025029"
|
|
date = "2019-07-02"
|
|
score = 50
|
|
hash1 = "7ea4f77cac557044e72a8e280372a2abe072f2ad98b5a4fbed4e2229e780173a"
|
|
id = "9c140d02-3b18-5faf-bb1d-2eb5c07a23dc"
|
|
strings:
|
|
$s1 = ".doc.lnk" fullword ascii
|
|
condition:
|
|
uint16(0) == 0x4b50 and 1 of them
|
|
}
|