08e8d462fe
RED PILL 🔴 💊
1172 lines
No EOL
30 KiB
Text
1172 lines
No EOL
30 KiB
Text
rule anti_dbg {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Checks if being debugged"
|
|
version = "0.2"
|
|
strings:
|
|
$d1 = "Kernel32.dll" nocase
|
|
$c1 = "CheckRemoteDebuggerPresent"
|
|
$c2 = "IsDebuggerPresent"
|
|
$c3 = "OutputDebugString"
|
|
$c4 = "ContinueDebugEvent"
|
|
$c5 = "DebugActiveProcess"
|
|
condition:
|
|
$d1 and 1 of ($c*)
|
|
}
|
|
|
|
rule anti_dbgtools {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Checks for the presence of known debug tools"
|
|
version = "0.1"
|
|
strings:
|
|
$f1 = "procexp.exe" nocase
|
|
$f2 = "procmon.exe" nocase
|
|
$f3 = "processmonitor.exe" nocase
|
|
$f4 = "wireshark.exe" nocase
|
|
$f5 = "fiddler.exe" nocase
|
|
$f6 = "windbg.exe" nocase
|
|
$f7 = "ollydbg.exe" nocase
|
|
$f8 = "winhex.exe" nocase
|
|
$f9 = "processhacker.exe" nocase
|
|
$f10 = "hiew32.exe" nocase
|
|
$c11 = "\\\\.\\NTICE"
|
|
$c12 = "\\\\.\\SICE"
|
|
$c13 = "\\\\.\\Syser"
|
|
$c14 = "\\\\.\\SyserBoot"
|
|
$c15 = "\\\\.\\SyserDbgMsg"
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
rule av_sinkhole {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Check for known IP belonging to AV sinkhole"
|
|
version = "0.1"
|
|
strings:
|
|
$s1 = "23.92.16.214"
|
|
$s2 = "23.92.24.20"
|
|
$s3 = "23.239.17.167"
|
|
$s4 = "23.239.18.116"
|
|
$s5 = "50.56.177.56"
|
|
$s6 = "50.57.148.87"
|
|
$s7 = "69.55.59.73"
|
|
$s8 = "82.196.15.88"
|
|
$s9 = "85.159.211.119"
|
|
$s10 = "95.85.23.126"
|
|
$s11 = "96.126.112.224"
|
|
$s12 = "107.170.43.224"
|
|
$s13 = "107.170.106.77"
|
|
$s14 = "107.170.106.95"
|
|
$s15 = "107.170.113.230"
|
|
$s16 = "107.170.122.37"
|
|
$s17 = "107.170.164.115"
|
|
$s18 = "128.199.180.131"
|
|
$s19 = "128.199.187.239"
|
|
$s20 = "143.215.15.2"
|
|
$s21 = "143.215.130.33"
|
|
$s22 = "143.215.130.36"
|
|
$s23 = "143.215.130.38"
|
|
$s24 = "143.215.130.42"
|
|
$s25 = "143.215.130.46"
|
|
$s26 = "162.243.26.100"
|
|
$s27 = "162.243.90.135"
|
|
$s28 = "162.243.106.156"
|
|
$s29 = "162.243.106.160"
|
|
$s30 = "162.243.106.165"
|
|
$s31 = "166.78.16.123"
|
|
$s32 = "166.78.158.73"
|
|
$s33 = "192.241.129.22"
|
|
$s34 = "192.241.142.145"
|
|
$s35 = "192.241.196.69"
|
|
$s36 = "192.241.215.118"
|
|
$s37 = "198.61.227.6"
|
|
$s38 = "198.74.56.124"
|
|
$s39 = "198.199.69.31"
|
|
$s40 = "198.199.75.69"
|
|
$s41 = "198.199.79.133"
|
|
$s42 = "198.199.79.201"
|
|
$s43 = "198.199.79.222"
|
|
$s44 = "198.199.79.239"
|
|
$s45 = "198.199.105.51"
|
|
$s46 = "198.199.110.187"
|
|
$s47 = "212.71.250.4"
|
|
$s48 = "87.106.24.200"
|
|
$s49 = "87.106.26.9"
|
|
$s50 = "46.4.80.102"
|
|
$s51 = "54.227.61.124"
|
|
$s52 = "198.58.124.24"
|
|
$s53 = "198.177.254.186"
|
|
$s54 = "50.62.12.103"
|
|
$s55 = "166.78.62.91"
|
|
$s56 = "166.78.144.80"
|
|
$s57 = "23.21.71.54"
|
|
$s58 = "54.209.178.183"
|
|
$s59 = "81.166.122.234"
|
|
$s60 = "95.211.120.23"
|
|
$s61 = "95.211.172.143"
|
|
$s62 = "173.193.197.194"
|
|
$s63 = "87.255.51.229"
|
|
$s64 = "192.42.116.41"
|
|
$s65 = "192.42.119.41"
|
|
$s66 = "50.22.145.246"
|
|
$s67 = "50.23.174.203"
|
|
$s68 = "54.83.43.69"
|
|
$s69 = "82.165.25.167"
|
|
$s70 = "82.165.25.209"
|
|
$s71 = "82.165.25.210"
|
|
$s72 = "212.227.20.19"
|
|
$s73 = "50.116.32.177"
|
|
$s74 = "50.116.56.144"
|
|
$s75 = "66.175.212.197"
|
|
$s76 = "69.164.203.105"
|
|
$s77 = "72.14.182.233"
|
|
$s78 = "109.74.196.143"
|
|
$s79 = "173.230.133.99"
|
|
$s80 = "178.79.190.156"
|
|
$s81 = "198.74.50.135"
|
|
$s82 = "91.233.244.102"
|
|
$s83 = "91.233.244.106"
|
|
$s84 = "148.81.111.111"
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
rule antisb_joesanbox {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Anti-Sandbox checks for Joe Sandbox"
|
|
version = "0.1"
|
|
strings:
|
|
$p1 = "Software\\Microsoft\\Windows\\CurrentVersion" nocase
|
|
$c1 = "RegQueryValue"
|
|
$s1 = "55274-640-2673064-23950"
|
|
condition:
|
|
all of them
|
|
}
|
|
|
|
rule antisb_anubis {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Anti-Sandbox checks for Anubis"
|
|
version = "0.1"
|
|
strings:
|
|
$p1 = "Software\\Microsoft\\Windows\\CurrentVersion" nocase
|
|
$c1 = "RegQueryValue"
|
|
$s1 = "76487-337-8429955-22614"
|
|
$s2 = "76487-640-1457236-23837"
|
|
condition:
|
|
$p1 and $c1 and 1 of ($s*)
|
|
}
|
|
|
|
rule antisb_threatExpert {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Anti-Sandbox checks for ThreatExpert"
|
|
version = "0.1"
|
|
strings:
|
|
$f1 = "dbghelp.dll" nocase
|
|
condition:
|
|
all of them
|
|
}
|
|
|
|
rule antisb_sandboxie {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Anti-Sandbox checks for Sandboxie"
|
|
version = "0.1"
|
|
strings:
|
|
$f1 = "SbieDLL.dll" nocase
|
|
condition:
|
|
all of them
|
|
}
|
|
|
|
rule antisb_cwsandbox {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Anti-Sandbox checks for CWSandbox"
|
|
version = "0.1"
|
|
strings:
|
|
$p1 = "Software\\Microsoft\\Windows\\CurrentVersion" nocase
|
|
$s1 = "76487-644-3177037-23510"
|
|
condition:
|
|
all of them
|
|
}
|
|
|
|
rule antivm_virtualbox {
|
|
meta:
|
|
author = "x0r"
|
|
description = "AntiVM checks for VirtualBox"
|
|
version = "0.1"
|
|
strings:
|
|
$s1 = "VBoxService.exe" nocase
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
rule antivm_vmware {
|
|
meta:
|
|
author = "x0r"
|
|
description = "AntiVM checks for VMWare"
|
|
version = "0.1"
|
|
strings:
|
|
$s1 = "vmware.exe" nocase
|
|
$s2 = "vmware-authd.exe" nocase
|
|
$s3 = "vmware-hostd.exe" nocase
|
|
$s4 = "vmware-tray.exe" nocase
|
|
$s5 = "vmware-vmx.exe" nocase
|
|
$s6 = "vmnetdhcp.exe" nocase
|
|
$s7 = "vpxclient.exe" nocase
|
|
$s8 = { b868584d56bb00000000b90a000000ba58560000ed }
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
rule antivm_bios {
|
|
meta:
|
|
author = "x0r"
|
|
description = "AntiVM checks for Bios version"
|
|
version = "0.2"
|
|
strings:
|
|
$p1 = "HARDWARE\\DESCRIPTION\\System" nocase
|
|
$p2 = "HARDWARE\\DESCRIPTION\\System\\BIOS" nocase
|
|
$c1 = "RegQueryValue"
|
|
$r1 = "SystemBiosVersion"
|
|
$r2 = "VideoBiosVersion"
|
|
$r3 = "SystemManufacturer"
|
|
condition:
|
|
1 of ($p*) and 1 of ($c*) and 1 of ($r*)
|
|
}
|
|
|
|
rule disable_antivirus {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Disable AntiVirus"
|
|
version = "0.2"
|
|
strings:
|
|
$p1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun" nocase
|
|
$p2 = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\" nocase
|
|
$p3 = "SOFTWARE\\Policies\\Microsoft\\Windows Defender" nocase
|
|
$c1 = "RegSetValue"
|
|
$r1 = "AntiVirusDisableNotify"
|
|
$r2 = "DontReportInfectionInformation"
|
|
$r3 = "DisableAntiSpyware"
|
|
$r4 = "RunInvalidSignatures"
|
|
$r5 = "AntiVirusOverride"
|
|
$r6 = "CheckExeSignatures"
|
|
$f1 = "blackd.exe" nocase
|
|
$f2 = "blackice.exe" nocase
|
|
$f3 = "lockdown.exe" nocase
|
|
$f4 = "lockdown2000.exe" nocase
|
|
$f5 = "taskkill.exe" nocase
|
|
$f6 = "tskill.exe" nocase
|
|
$f7 = "smc.exe" nocase
|
|
$f8 = "sniffem.exe" nocase
|
|
$f9 = "zapro.exe" nocase
|
|
$f10 = "zlclient.exe" nocase
|
|
$f11 = "zonealarm.exe" nocase
|
|
condition:
|
|
($c1 and $p1 and 1 of ($f*)) or ($c1 and $p2) or 1 of ($r*) or $p3
|
|
}
|
|
|
|
rule disable_uax {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Disable User Access Control"
|
|
version = "0.1"
|
|
strings:
|
|
$p1 = "SOFTWARE\\Microsoft\\Security Center" nocase
|
|
$r1 = "UACDisableNotify"
|
|
condition:
|
|
all of them
|
|
}
|
|
|
|
rule disable_firewall {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Disable Firewall"
|
|
version = "0.1"
|
|
strings:
|
|
$p1 = "SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy" nocase
|
|
$c1 = "RegSetValue"
|
|
$r1 = "FirewallPolicy"
|
|
$r2 = "EnableFirewall"
|
|
$r3 = "FirewallDisableNotify"
|
|
$s1 = "netsh firewall add allowedprogram"
|
|
condition:
|
|
(1 of ($p*) and $c1 and 1 of ($r*)) or $s1
|
|
}
|
|
|
|
rule disable_registry {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Disable Registry editor"
|
|
version = "0.1"
|
|
strings:
|
|
$p1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" nocase
|
|
$c1 = "RegSetValue"
|
|
$r1 = "DisableRegistryTools"
|
|
$r2 = "DisableRegedit"
|
|
condition:
|
|
1 of ($p*) and $c1 and 1 of ($r*)
|
|
}
|
|
|
|
rule disable_dep {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Bypass DEP"
|
|
version = "0.1"
|
|
strings:
|
|
$c1 = "EnableExecuteProtectionSupport"
|
|
$c2 = "NtSetInformationProcess"
|
|
$c3 = "VirtualProctectEx"
|
|
$c4 = "SetProcessDEPPolicy"
|
|
$c5 = "ZwProtectVirtualMemory"
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
rule disable_taskmanager {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Disable Task Manager"
|
|
version = "0.1"
|
|
strings:
|
|
$p1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" nocase
|
|
$r1 = "DisableTaskMgr"
|
|
condition:
|
|
1 of ($p*) and 1 of ($r*)
|
|
}
|
|
|
|
rule inject_thread {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Code injection with CreateRemoteThread in a remote process"
|
|
version = "0.1"
|
|
strings:
|
|
$c1 = "OpenProcess"
|
|
$c2 = "VirtualAllocEx"
|
|
$c3 = "NtWriteVirtualMemory"
|
|
$c4 = "WriteProcessMemory"
|
|
$c5 = "CreateRemoteThread"
|
|
$c6 = "CreateThread"
|
|
$c7 = "OpenProcess"
|
|
condition:
|
|
$c1 and $c2 and ( $c3 or $c4 ) and ( $c5 or $c6 or $c7 )
|
|
}
|
|
|
|
rule create_process {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Create a new process"
|
|
version = "0.2"
|
|
strings:
|
|
$f1 = "Shell32.dll" nocase
|
|
$f2 = "Kernel32.dll" nocase
|
|
$c1 = "ShellExecute"
|
|
$c2 = "WinExec"
|
|
$c3 = "CreateProcess"
|
|
$c4 = "CreateThread"
|
|
condition:
|
|
($f1 and $c1 ) or $f2 and ($c2 or $c3 or $c4)
|
|
}
|
|
|
|
rule persistence {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Install itself for autorun at Windows startup"
|
|
version = "0.1"
|
|
strings:
|
|
$p1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" nocase
|
|
$p2 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" nocase
|
|
$p3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices" nocase
|
|
$p4 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce" nocase
|
|
$p5 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" nocase
|
|
$p6 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run" nocase
|
|
$p7 = "SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\" nocase
|
|
$p8 = "SOFTWARE\\Microsoft\\WindowsNT\\CurrentVersion\\Windows" nocase
|
|
$p9 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler" nocase
|
|
$p10 = "comfile\\shell\\open\\command" nocase
|
|
$p11 = "piffile\\shell\\open\\command" nocase
|
|
$p12 = "exefile\\shell\\open\\command" nocase
|
|
$p13 = "txtfile\\shell\\open\\command" nocase
|
|
$p14 = "\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options"
|
|
$f1 = "win.ini" nocase
|
|
$f2 = "system.ini" nocase
|
|
$f3 = "Start Menu\\Programs\\Startup" nocase
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
rule hijack_network {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Hijack network configuration"
|
|
version = "0.1"
|
|
strings:
|
|
$p1 = "SOFTWARE\\Classes\\PROTOCOLS\\Handler" nocase
|
|
$p2 = "SOFTWARE\\Classes\\PROTOCOLS\\Filter" nocase
|
|
$p3 = "Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer" nocase
|
|
$p4 = "software\\microsoft\\windows\\currentversion\\internet settings\\proxyenable" nocase
|
|
$f1 = "drivers\\etc\\hosts" nocase
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
rule create_service {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Create a windows service"
|
|
version = "0.2"
|
|
strings:
|
|
$f1 = "Advapi32.dll" nocase
|
|
$c1 = "CreateService"
|
|
$c2 = "ControlService"
|
|
$c3 = "StartService"
|
|
$c4 = "QueryServiceStatus"
|
|
condition:
|
|
all of them
|
|
}
|
|
|
|
rule create_com_service {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Create a COM server"
|
|
version = "0.1"
|
|
strings:
|
|
$c1 = "DllCanUnloadNow" nocase
|
|
$c2 = "DllGetClassObject"
|
|
$c3 = "DllInstall"
|
|
$c4 = "DllRegisterServer"
|
|
$c5 = "DllUnregisterServer"
|
|
condition:
|
|
all of them
|
|
}
|
|
|
|
rule network_udp_sock {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Communications over UDP network"
|
|
version = "0.1"
|
|
strings:
|
|
$f1 = "Ws2_32.dll" nocase
|
|
$f2 = "System.Net" nocase
|
|
$f3 = "wsock32.dll" nocase
|
|
$c0 = "WSAStartup"
|
|
$c1 = "sendto"
|
|
$c2 = "recvfrom"
|
|
$c3 = "WSASendTo"
|
|
$c4 = "WSARecvFrom"
|
|
$c5 = "UdpClient"
|
|
condition:
|
|
(($f1 or $f3) and 2 of ($c*)) or ($f2 and $c5)
|
|
}
|
|
|
|
rule network_tcp_listen {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Listen for incoming communication"
|
|
version = "0.1"
|
|
strings:
|
|
$f1 = "Ws2_32.dll" nocase
|
|
$f2 = "Mswsock.dll" nocase
|
|
$f3 = "System.Net" nocase
|
|
$f4 = "wsock32.dll" nocase
|
|
$c1 = "bind"
|
|
$c2 = "accept"
|
|
$c3 = "GetAcceptExSockaddrs"
|
|
$c4 = "AcceptEx"
|
|
$c5 = "WSAStartup"
|
|
$c6 = "WSAAccept"
|
|
$c7 = "WSASocket"
|
|
$c8 = "TcpListener"
|
|
$c9 = "AcceptTcpClient"
|
|
$c10 = "listen"
|
|
condition:
|
|
1 of ($f*) and 2 of ($c*)
|
|
}
|
|
|
|
rule network_dyndns {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Communications dyndns network"
|
|
version = "0.1"
|
|
strings:
|
|
$s1 =".no-ip.org"
|
|
$s2 =".publicvm.com"
|
|
$s3 =".linkpc.net"
|
|
$s4 =".dynu.com"
|
|
$s5 =".dynu.net"
|
|
$s6 =".afraid.org"
|
|
$s7 =".chickenkiller.com"
|
|
$s8 =".crabdance.com"
|
|
$s9 =".ignorelist.com"
|
|
$s10 =".jumpingcrab.com"
|
|
$s11 =".moo.com"
|
|
$s12 =".strangled.com"
|
|
$s13 =".twillightparadox.com"
|
|
$s14 =".us.to"
|
|
$s15 =".strangled.net"
|
|
$s16 =".info.tm"
|
|
$s17 =".homenet.org"
|
|
$s18 =".biz.tm"
|
|
$s19 =".continent.kz"
|
|
$s20 =".ax.lt"
|
|
$s21 =".system-ns.com"
|
|
$s22 =".adultdns.com"
|
|
$s23 =".craftx.biz"
|
|
$s24 =".ddns01.com"
|
|
$s25 =".dns53.biz"
|
|
$s26 =".dnsapi.info"
|
|
$s27 =".dnsd.info"
|
|
$s28 =".dnsdynamic.com"
|
|
$s29 =".dnsdynamic.net"
|
|
$s30 =".dnsget.org"
|
|
$s31 =".fe100.net"
|
|
$s32 =".flashserv.net"
|
|
$s33 =".ftp21.net"
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
rule network_toredo {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Communications over Toredo network"
|
|
version = "0.1"
|
|
strings:
|
|
$f1 = "FirewallAPI.dll" nocase
|
|
$p1 = "\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Interfaces\\" nocase
|
|
condition:
|
|
all of them
|
|
}
|
|
|
|
rule network_smtp_dotNet {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Communications smtp"
|
|
version = "0.1"
|
|
strings:
|
|
$f1 = "System.Net.Mail" nocase
|
|
$p1 = "SmtpClient" nocase
|
|
condition:
|
|
all of them
|
|
}
|
|
|
|
rule network_smtp_raw {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Communications smtp"
|
|
version = "0.1"
|
|
strings:
|
|
$s1 = "MAIL FROM:" nocase
|
|
$s2 = "RCPT TO:" nocase
|
|
condition:
|
|
all of them
|
|
}
|
|
|
|
rule network_smtp_vb {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Communications smtp"
|
|
version = "0.1"
|
|
strings:
|
|
$c1 = "CDO.Message" nocase
|
|
$c2 = "cdoSMTPServer" nocase
|
|
$c3 = "cdoSendUsingMethod" nocase
|
|
$c4 = "cdoex.dll" nocase
|
|
$c5 = "/cdo/configuration/smtpserver" nocase
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
rule network_p2p_win {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Communications over P2P network"
|
|
version = "0.1"
|
|
strings:
|
|
$c1 = "PeerCollabExportContact"
|
|
$c2 = "PeerCollabGetApplicationRegistrationInfo"
|
|
$c3 = "PeerCollabGetEndpointName"
|
|
$c4 = "PeerCollabGetEventData"
|
|
$c5 = "PeerCollabGetInvitationResponse"
|
|
$c6 = "PeerCollabGetPresenceInfo"
|
|
$c7 = "PeerCollabGetSigninOptions"
|
|
$c8 = "PeerCollabInviteContact"
|
|
$c9 = "PeerCollabInviteEndpoint"
|
|
$c10 = "PeerCollabParseContact"
|
|
$c11 = "PeerCollabQueryContactData"
|
|
$c12 = "PeerCollabRefreshEndpointData"
|
|
$c13 = "PeerCollabRegisterApplication"
|
|
$c14 = "PeerCollabRegisterEvent"
|
|
$c15 = "PeerCollabSetEndpointName"
|
|
$c16 = "PeerCollabSetObject"
|
|
$c17 = "PeerCollabSetPresenceInfo"
|
|
$c18 = "PeerCollabSignout"
|
|
$c19 = "PeerCollabUnregisterApplication"
|
|
$c20 = "PeerCollabUpdateContact"
|
|
condition:
|
|
5 of them
|
|
}
|
|
|
|
rule network_tor {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Communications over TOR network"
|
|
version = "0.1"
|
|
strings:
|
|
$p1 = "tor\\hidden_service\\private_key" nocase
|
|
$p2 = "tor\\hidden_service\\hostname" nocase
|
|
$p3 = "tor\\lock" nocase
|
|
$p4 = "tor\\state" nocase
|
|
condition:
|
|
any of them
|
|
}
|
|
rule network_irc {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Communications over IRC network"
|
|
version = "0.1"
|
|
strings:
|
|
$s1 = "NICK"
|
|
$s2 = "PING"
|
|
$s3 = "JOIN"
|
|
$s4 = "USER"
|
|
$s5 = "PRIVMSG"
|
|
condition:
|
|
all of them
|
|
}
|
|
|
|
rule network_http {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Communications over HTTP"
|
|
version = "0.1"
|
|
strings:
|
|
$f1 = "wininet.dll" nocase
|
|
$c1 = "InternetConnect"
|
|
$c2 = "InternetOpen"
|
|
$c3 = "InternetOpenUrl"
|
|
$c4 = "InternetReadFile"
|
|
$c5 = "InternetWriteFile"
|
|
$c6 = "HttpOpenRequest"
|
|
$c7 = "HttpSendRequest"
|
|
$c8 = "IdHTTPHeaderInfo"
|
|
condition:
|
|
$f1 and $c1 and ($c2 or $c3) and ($c4 or $c5 or $c6 or $c7 or $c8)
|
|
}
|
|
|
|
rule network_dropper {
|
|
meta:
|
|
author = "x0r"
|
|
description = "File downloader/dropper"
|
|
version = "0.1"
|
|
strings:
|
|
$f1 = "urlmon.dll" nocase
|
|
$c1 = "URLDownloadToFile"
|
|
$c2 = "URLDownloadToCacheFile"
|
|
$c3 = "URLOpenStream"
|
|
$c4 = "URLOpenPullStream"
|
|
condition:
|
|
$f1 and 1 of ($c*)
|
|
}
|
|
|
|
rule network_ftp {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Communications over FTP"
|
|
version = "0.1"
|
|
strings:
|
|
$f1 = "Wininet.dll" nocase
|
|
$c1 = "FtpGetCurrentDirectory"
|
|
$c2 = "FtpGetFile"
|
|
$c3 = "FtpPutFile"
|
|
$c4 = "FtpSetCurrentDirectory"
|
|
$c5 = "FtpOpenFile"
|
|
$c6 = "FtpGetFileSize"
|
|
$c7 = "FtpDeleteFile"
|
|
$c8 = "FtpCreateDirectory"
|
|
$c9 = "FtpRemoveDirectory"
|
|
$c10 = "FtpRenameFile"
|
|
$c11 = "FtpDownload"
|
|
$c12 = "FtpUpload"
|
|
$c13 = "FtpGetDirectory"
|
|
condition:
|
|
$f1 and (4 of ($c*))
|
|
}
|
|
|
|
rule network_tcp_socket {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Communications over RAW socket"
|
|
version = "0.1"
|
|
strings:
|
|
$f1 = "Ws2_32.dll" nocase
|
|
$f2 = "wsock32.dll" nocase
|
|
$c1 = "WSASocket"
|
|
$c2 = "socket"
|
|
$c3 = "send"
|
|
$c4 = "WSASend"
|
|
$c5 = "WSAConnect"
|
|
$c6 = "connect"
|
|
$c7 = "WSAStartup"
|
|
$c8 = "closesocket"
|
|
$c9 = "WSACleanup"
|
|
condition:
|
|
1 of ($f*) and 2 of ($c*)
|
|
}
|
|
|
|
rule network_dns {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Communications use DNS"
|
|
version = "0.1"
|
|
strings:
|
|
$f1 = "System.Net"
|
|
$f2 = "Ws2_32.dll" nocase
|
|
$f3 = "Dnsapi.dll" nocase
|
|
$f4 = "wsock32.dll" nocase
|
|
$c2 = "GetHostEntry"
|
|
$c3 = "getaddrinfo"
|
|
$c4 = "gethostbyname"
|
|
$c5 = "WSAAsyncGetHostByName"
|
|
$c6 = "DnsQuery"
|
|
condition:
|
|
1 of ($f*) and 1 of ($c*)
|
|
}
|
|
|
|
rule network_ssl {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Communications over SSL"
|
|
version = "0.1"
|
|
strings:
|
|
$f1 = "ssleay32.dll" nocase
|
|
$f2 = "libeay32.dll" nocase
|
|
$f3 = "libssl32.dll" nocase
|
|
$c1 = "IdSSLOpenSSL" nocase
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
rule network_dga {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Communication using dga"
|
|
version = "0.1"
|
|
strings:
|
|
$dll1 = "Advapi32.dll" nocase
|
|
$dll2 = "wininet.dll" nocase
|
|
$dll3 = "Crypt32.dll" nocase
|
|
$time1 = "SystemTimeToFileTime"
|
|
$time2 = "GetSystemTime"
|
|
$time3 = "GetSystemTimeAsFileTime"
|
|
$hash1 = "CryptCreateHash"
|
|
$hash2 = "CryptAcquireContext"
|
|
$hash3 = "CryptHashData"
|
|
$net1 = "InternetOpen"
|
|
$net2 = "InternetOpenUrl"
|
|
$net3 = "gethostbyname"
|
|
$net4 = "getaddrinfo"
|
|
condition:
|
|
all of ($dll*) and 1 of ($time*) and 1 of ($hash*) and 1 of ($net*)
|
|
}
|
|
|
|
|
|
rule bitcoin {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Perform crypto currency mining"
|
|
version = "0.1"
|
|
strings:
|
|
$f1 = "OpenCL.dll" nocase
|
|
$f2 = "nvcuda.dll" nocase
|
|
$f3 = "opengl32.dll" nocase
|
|
$s1 = "cpuminer 2.2.2X-Mining-Extensions"
|
|
$s2 = "cpuminer 2.2.3X-Mining-Extensions"
|
|
$s3 = "Ufasoft bitcoin-miner/0.20"
|
|
$s4 = "bitcoin" nocase
|
|
$s5 = "stratum" nocase
|
|
condition:
|
|
1 of ($f*) and 1 of ($s*)
|
|
}
|
|
|
|
rule certificate {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Inject certificate in store"
|
|
version = "0.1"
|
|
strings:
|
|
$f1 = "Crypt32.dll" nocase
|
|
$r1 = "software\\microsoft\\systemcertificates\\spc\\certificates" nocase
|
|
$c1 = "CertOpenSystemStore"
|
|
condition:
|
|
all of them
|
|
}
|
|
|
|
rule escalate_priv {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Escalade priviledges"
|
|
version = "0.1"
|
|
strings:
|
|
$d1 = "Advapi32.dll" nocase
|
|
$c1 = "SeDebugPrivilege"
|
|
$c2 = "AdjustTokenPrivileges"
|
|
condition:
|
|
1 of ($d*) and 1 of ($c*)
|
|
}
|
|
|
|
rule screenshot {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Take screenshot"
|
|
version = "0.1"
|
|
strings:
|
|
$d1 = "Gdi32.dll" nocase
|
|
$d2 = "User32.dll" nocase
|
|
$c1 = "BitBlt"
|
|
$c2 = "GetDC"
|
|
condition:
|
|
1 of ($d*) and 1 of ($c*)
|
|
}
|
|
|
|
rule lookupip {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Lookup external IP"
|
|
version = "0.1"
|
|
strings:
|
|
$n1 = "checkip.dyndns.org" nocase
|
|
$n2 = "whatismyip.org" nocase
|
|
$n3 = "whatsmyipaddress.com" nocase
|
|
$n4 = "getmyip.org" nocase
|
|
$n5 = "getmyip.co.uk" nocase
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
rule dyndns {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Dynamic DNS"
|
|
version = "0.1"
|
|
strings:
|
|
$s1 = "SOFTWARE\\Vitalwerks\\DUC" nocase
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
rule lookupgeo {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Lookup Geolocation"
|
|
version = "0.1"
|
|
strings:
|
|
$n1 = "j.maxmind.com" nocase
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
rule keylogger {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Run a keylogger"
|
|
version = "0.1"
|
|
strings:
|
|
$f1 = "User32.dll" nocase
|
|
$c1 = "GetAsyncKeyState"
|
|
$c2 = "GetKeyState"
|
|
$c3 = "MapVirtualKey"
|
|
$c4 = "GetKeyboardType"
|
|
condition:
|
|
$f1 and 1 of ($c*)
|
|
}
|
|
|
|
rule cred_local {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Steal credential"
|
|
version = "0.1"
|
|
strings:
|
|
$c1 = "LsaEnumerateLogonSessions"
|
|
$c2 = "SamIConnect"
|
|
$c3 = "SamIGetPrivateData"
|
|
$c4 = "SamQueryInformationUse"
|
|
$c5 = "CredEnumerateA"
|
|
$c6 = "CredEnumerateW"
|
|
$r1 = "software\\microsoft\\internet account manager" nocase
|
|
$r2 = "software\\microsoft\\identitycrl\\creds" nocase
|
|
$r3 = "Security\\Policy\\Secrets"
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
|
|
rule sniff_audio {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Record Audio"
|
|
version = "0.1"
|
|
strings:
|
|
$f1 = "winmm.dll" nocase
|
|
$c1 = "waveInStart"
|
|
$c2 = "waveInReset"
|
|
$c3 = "waveInAddBuffer"
|
|
$c4 = "waveInOpen"
|
|
$c5 = "waveInClose"
|
|
condition:
|
|
$f1 and 2 of ($c*)
|
|
}
|
|
|
|
rule cred_ff {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Steal Firefox credential"
|
|
version = "0.1"
|
|
strings:
|
|
$f1 = "signons.sqlite"
|
|
$f2 = "signons3.txt"
|
|
$f3 = "secmod.db"
|
|
$f4 = "cert8.db"
|
|
$f5 = "key3.db"
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
rule cred_vnc {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Steal VNC credential"
|
|
version = "0.1"
|
|
strings:
|
|
$s1 = "VNCPassView"
|
|
condition:
|
|
all of them
|
|
}
|
|
|
|
rule cred_ie7 {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Steal IE 7 credential"
|
|
version = "0.1"
|
|
strings:
|
|
$f1 = "Crypt32.dll" nocase
|
|
$c1 = "CryptUnprotectData"
|
|
$s1 = "abe2869f-9b47-4cd9-a358-c22904dba7f7" nocase
|
|
condition:
|
|
all of them
|
|
}
|
|
|
|
rule sniff_lan {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Sniff Lan network traffic"
|
|
version = "0.1"
|
|
strings:
|
|
$f1 = "packet.dll" nocase
|
|
$f2 = "npf.sys" nocase
|
|
$f3 = "wpcap.dll" nocase
|
|
$f4 = "winpcap.dll" nocase
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
rule migrate_apc {
|
|
meta:
|
|
author = "x0r"
|
|
description = "APC queue tasks migration"
|
|
version = "0.1"
|
|
strings:
|
|
$c1 = "OpenThread"
|
|
$c2 = "QueueUserAPC"
|
|
condition:
|
|
all of them
|
|
}
|
|
|
|
rule spreading_file {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Malware can spread east-west file"
|
|
version = "0.1"
|
|
strings:
|
|
$f1 = "autorun.inf" nocase
|
|
$f2 = "desktop.ini" nocase
|
|
$f3 = "desktop.lnk" nocase
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
rule spreading_share {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Malware can spread east-west using share drive"
|
|
version = "0.1"
|
|
strings:
|
|
$f1 = "netapi32.dll" nocase
|
|
$c1 = "NetShareGetInfo"
|
|
$c2 = "NetShareEnum"
|
|
condition:
|
|
$f1 and 1 of ($c*)
|
|
}
|
|
|
|
rule rat_vnc {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Remote Administration toolkit VNC"
|
|
version = "0.1"
|
|
strings:
|
|
$f1 = "ultravnc.ini" nocase
|
|
$c2 = "StartVNC"
|
|
$c3 = "StopVNC"
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
rule rat_rdp {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Remote Administration toolkit enable RDP"
|
|
version = "0.1"
|
|
strings:
|
|
$p1 = "SYSTEM\\CurrentControlSet\\Control\\Terminal Server" nocase
|
|
$p2 = "software\\microsoft\\windows nt\\currentversion\\terminal server" nocase
|
|
$p3 = "SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp" nocase
|
|
$r1 = "EnableAdminTSRemote"
|
|
$c1 = "net start termservice"
|
|
$c2 = "sc config termservice start"
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
rule rat_telnet {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Remote Administration toolkit enable Telnet"
|
|
version = "0.1"
|
|
strings:
|
|
$r1 = "software\\microsoft\\telnetserver" nocase
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
|
|
rule rat_webcam {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Remote Administration toolkit using webcam"
|
|
version = "0.1"
|
|
strings:
|
|
$f1 = "avicap32.dll" nocase
|
|
$c1 = "capCreateCaptureWindow" nocase
|
|
condition:
|
|
all of them
|
|
}
|
|
|
|
rule check_patchlevel {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Check if hotfix are applied"
|
|
version = "0.1"
|
|
strings:
|
|
$p1 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Hotfix" nocase
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
rule win_mutex {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Create or check mutex"
|
|
version = "0.1"
|
|
strings:
|
|
$c1 = "CreateMutex"
|
|
condition:
|
|
1 of ($c*)
|
|
}
|
|
|
|
rule win_registry {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Affect system registries"
|
|
version = "0.1"
|
|
strings:
|
|
$f1 = "advapi32.dll" nocase
|
|
$c1 = "RegQueryValueExA"
|
|
$c2 = "RegOpenKeyExA"
|
|
$c3 = "RegCloseKey"
|
|
$c4 = "RegSetValueExA"
|
|
$c5 = "RegCreateKeyA"
|
|
$c6 = "RegCloseKey"
|
|
condition:
|
|
$f1 and 1 of ($c*)
|
|
}
|
|
|
|
rule win_token {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Affect system token"
|
|
version = "0.1"
|
|
strings:
|
|
$f1 = "advapi32.dll" nocase
|
|
$c1 = "DuplicateTokenEx"
|
|
$c2 = "AdjustTokenPrivileges"
|
|
$c3 = "OpenProcessToken"
|
|
$c4 = "LookupPrivilegeValueA"
|
|
condition:
|
|
$f1 and 1 of ($c*)
|
|
}
|
|
|
|
rule win_private_profile {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Affect private profile"
|
|
version = "0.1"
|
|
strings:
|
|
$f1 = "kernel32.dll" nocase
|
|
$c1 = "GetPrivateProfileIntA"
|
|
$c2 = "GetPrivateProfileStringA"
|
|
$c3 = "WritePrivateProfileStringA"
|
|
condition:
|
|
$f1 and 1 of ($c*)
|
|
}
|
|
|
|
rule win_files_operation {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Affect private profile"
|
|
version = "0.1"
|
|
strings:
|
|
$f1 = "kernel32.dll" nocase
|
|
$c1 = "WriteFile"
|
|
$c2 = "SetFilePointer"
|
|
$c3 = "WriteFile"
|
|
$c4 = "ReadFile"
|
|
$c5 = "DeleteFileA"
|
|
$c6 = "CreateFileA"
|
|
$c7 = "FindFirstFileA"
|
|
$c8 = "MoveFileExA"
|
|
$c9 = "FindClose"
|
|
$c10 = "SetFileAttributesA"
|
|
$c11 = "CopyFile"
|
|
|
|
condition:
|
|
$f1 and 3 of ($c*)
|
|
}
|
|
|
|
|
|
rule win_hook {
|
|
meta:
|
|
author = "x0r"
|
|
description = "Affect hook table"
|
|
version = "0.1"
|
|
strings:
|
|
$f1 = "user32.dll" nocase
|
|
$c1 = "UnhookWindowsHookEx"
|
|
$c2 = "SetWindowsHookExA"
|
|
$c3 = "CallNextHookEx"
|
|
condition:
|
|
$f1 and 1 of ($c*)
|
|
} |