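rule apt3_bemstour_strings
{
    meta:
        description = "Detects strings used by the Bemstour exploitation tool"
        reference = "https://research.checkpoint.com/2019/upsynergy/"
        author = "Mark Lechtik"
        company = "Check Point Software Technologies LTD."
        date = "2019-06-25"
        sha256 = "0b28433a2b7993da65e95a45c2adf7bc37edbd2a8db717b85666d6c88140698a"

    strings:
        // Debug / status messages the tool prints while running. These are the
        // most specific indicators in the rule and carry the detection.
        $dbg_print_1 = "leaked address is 0x%llx" ascii wide
        $dbg_print_2 = "========== %s ==========" ascii wide
        $dbg_print_3 = "detailVersion:%d" ascii wide
        $dbg_print_4 = "create pipe twice failed" ascii wide
        $dbg_print_5 = "WSAStartup function failed with error: %d" ascii wide
        $dbg_print_6 = "can't open input file." ascii wide
        $dbg_print_7 = "Allocate Buffer Failed." ascii wide
        $dbg_print_8 = "Connect to target failed." ascii wide
        $dbg_print_9 = "connect successful." ascii wide
        $dbg_print_10 = "not supported Platform" ascii wide
        $dbg_print_11 = "Wait several seconds." ascii wide
        $dbg_print_12 = "not set where to write ListEntry ." ascii wide
        $dbg_print_13 = "backdoor not installed." ascii wide
        $dbg_print_14 = "REConnect to target failed." ascii wide
        $dbg_print_15 = "Construct TreeConnectAndX Request Failed." ascii wide
        $dbg_print_16 = "Construct NTCreateAndXRequest Failed." ascii wide
        $dbg_print_17 = "Construct Trans2 Failed." ascii wide
        $dbg_print_18 = "Construct ConsWXR Failed." ascii wide
        $dbg_print_19 = "Construct ConsTransSecondary Failed." ascii wide
        $dbg_print_20 = "if you don't want to input password , use server2003 version.." ascii wide

        // Usage text and the hard-coded post-exploitation commands
        // (local admin account "test"/"test", staged payload path).
        $cmdline_1 = "Command format %s TargetIp domainname username password 2" ascii wide
        $cmdline_2 = "Command format %s TargetIp domainname username password 1" ascii wide
        $cmdline_3 = "cmd.exe /c net user test test /add && cmd.exe /c net localgroup administrators test /add" ascii wide
        $cmdline_4 = "hello.exe \"C:\\WINDOWS\\DEBUG\\test.exe\"" ascii wide
        $cmdline_5 = "parameter not right" ascii wide

        // SMB pipe names, dialect strings and OS-version banners. Any SMB client
        // implementation (including benign software) carries several of these,
        // so they only serve as a supporting gate in the condition and must
        // never be the sole reason for a match.
        $smb_param_1 = "browser" ascii wide
        $smb_param_2 = "spoolss" ascii wide
        $smb_param_3 = "srvsvc" ascii wide
        $smb_param_4 = "\\PIPE\\LANMAN" ascii wide
        // Kept verbatim: differs from the standard dialect string in $smb_param_19.
        // NOTE(review): verify against the referenced sample before "correcting" it.
        $smb_param_5 = "Werttys for Workgroups 3.1a" ascii wide
        $smb_param_6 = "PC NETWORK PROGRAM 1.0" ascii wide
        $smb_param_7 = "LANMAN1.0" ascii wide
        $smb_param_8 = "LM1.2X002" ascii wide
        $smb_param_9 = "LANMAN2.1" ascii wide
        $smb_param_10 = "NT LM 0.12" ascii wide
        $smb_param_12 = "WORKGROUP" ascii wide
        $smb_param_13 = "Windows Server 2003 3790 Service Pack 2" ascii wide
        $smb_param_14 = "Windows Server 2003 5.2" ascii wide
        $smb_param_15 = "Windows 2002 Service Pack 2 2600" ascii wide
        $smb_param_16 = "Windows 2002 5.1" ascii wide
        // $smb_param_17 and $smb_param_18 were byte-for-byte duplicates of
        // $smb_param_6 and $smb_param_16. YARA counts each identifier separately
        // in an "N of" expression, so a file carrying only those two distinct
        // strings already satisfied "3 of ($smb_param*)" (4 identifiers hit).
        // They are removed so the threshold means three DISTINCT SMB strings.
        $smb_param_19 = "Windows for Workgroups 3.1a" ascii wide

        // Host names embedded in the referenced sample. Declared ASCII-only
        // (no "wide") as in the original rule — NOTE(review): confirm that is
        // intended, since a UTF-16 copy would not be caught.
        $unique_str_1 = "WIN-NGJ7GKNROVS"
        $unique_str_2 = "XD-A31C2E0087B2"

    condition:
        // PE header, plus at least one of the tool-specific clusters (a handful
        // of its debug messages, its usage/command strings, or an embedded host
        // name), plus three distinct SMB strings as a weak corroborating gate.
        uint16(0) == 0x5a4d
        and (5 of ($dbg_print*) or 2 of ($cmdline*) or 1 of ($unique_str*))
        and 3 of ($smb_param*)
}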