120 lines
4.7 KiB
Text
120 lines
4.7 KiB
Text
|
|
rule APT_UNC5221_Ivanti_ForensicArtifacts_Jan24_1 {
|
|
meta:
|
|
description = "Detects forensic artifacts found in the Ivanti VPN exploitation campaign by APT UNC5221"
|
|
author = "Florian Roth"
|
|
reference = "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day"
|
|
date = "2024-01-11"
|
|
score = 75
|
|
id = "49ba2a96-379d-5a58-979d-45e83fa546e7"
|
|
strings:
|
|
$x1 = "system(\"chmod a+x /home/etc/sql/dsserver/sessionserver.sh\");"
|
|
$x2 = "SSH-2.0-OpenSSH_0.3xx."
|
|
$x3 = "sed -i '/retval=$(exec $installer $@)/d' /pkg/do-install"
|
|
condition:
|
|
filesize < 5MB and 1 of them
|
|
}
|
|
|
|
rule M_Hunting_Backdoor_ZIPLINE_1 {
|
|
meta:
|
|
author = "Mandiant"
|
|
description = "This rule detects unique strings in ZIPLINE, a passive ELF backdoor that waits for incoming TCP connections to receive commands from the threat actor."
|
|
reference = "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day"
|
|
date = "2024-01-11"
|
|
score = 75
|
|
id = "753884d6-d4c1-5e94-9d2c-f6ebb7bfaf85"
|
|
strings:
|
|
$s1 = "SSH-2.0-OpenSSH_0.3xx" ascii
|
|
$s2 = "$(exec $installer $@)" ascii
|
|
$t1 = "./installer/do-install" ascii
|
|
$t2 = "./installer/bom_files/" ascii
|
|
$t3 = "/tmp/data/root/etc/ld.so.preload" ascii
|
|
$t4 = "/tmp/data/root/home/etc/manifest/exclusion_list" ascii
|
|
condition:
|
|
uint32(0) == 0x464c457f and
|
|
filesize < 5MB and
|
|
((1 of ($s*)) or
|
|
(3 of ($t*)))
|
|
}
|
|
|
|
rule M_Hunting_Dropper_WIREFIRE_1 {
|
|
meta:
|
|
author = "Mandiant"
|
|
description = "This rule detects WIREFIRE, a web shell written in Python that exists as trojanized logic to a component of the pulse secure appliance."
|
|
md5 = "6de651357a15efd01db4e658249d4981"
|
|
reference = "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day"
|
|
date = "2024-01-11"
|
|
score = 75
|
|
id = "051244f0-00b1-5a4b-8c81-f4ce6f1aa22a"
|
|
strings:
|
|
$s1 = "zlib.decompress(aes.decrypt(base64.b64decode(" ascii
|
|
$s2 = "aes.encrypt(t+('\\x00'*(16-len(t)%16))" ascii
|
|
$s3 = "Handles DELETE request to delete an existing visits data." ascii
|
|
$s4 = "request.data.decode().startswith('GIF'):" ascii
|
|
$s5 = "Utils.api_log_admin" ascii
|
|
condition:
|
|
filesize < 10KB
|
|
and all of them
|
|
}
|
|
|
|
rule M_Hunting_Webshell_LIGHTWIRE_2 {
|
|
meta:
|
|
author = "Mandiant (modified by Florian Roth)"
|
|
description = "Detects LIGHTWIRE based on the RC4 decoding and execution 1-liner."
|
|
md5 = "3d97f55a03ceb4f71671aa2ecf5b24e9"
|
|
reference = "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day"
|
|
date = "2024-01-11"
|
|
modified = "2024-01-12"
|
|
score = 75
|
|
id = "9451da63-c68e-51e8-b4b1-c3082d46fbf6"
|
|
strings:
|
|
// rewritten as strings - because a regex is unnecessary
|
|
// $re1 = /eval\{my.{1,20}Crypt::RC4->new\(\".{1,50}->RC4\(decode_base64\(CGI::param\(\'.{1,30};eval\s\$.{1,30}\"Compatibility\scheck:\s\$@\";\}/
|
|
$s1 = "eval{my"
|
|
$s2 = "Crypt::RC4->new(\""
|
|
$s3 = "->RC4(decode_base64(CGI::param('"
|
|
$s4 = ";eval $"
|
|
$s5 = "\"Compatibility check: $@\";}"
|
|
condition:
|
|
filesize < 10KB
|
|
and all of them
|
|
}
|
|
|
|
rule M_Hunting_Dropper_THINSPOOL_1 {
|
|
meta:
|
|
author = "Mandiant"
|
|
description = "This rule detects THINSPOOL, a dropper that installs the LIGHTWIRE web shell onto a Pulse Secure system."
|
|
md5 = "677c1aa6e2503b56fe13e1568a814754"
|
|
reference = "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day"
|
|
date = "2024-01-11"
|
|
score = 75
|
|
id = "dd340f72-0a2c-5b66-9e31-1c0f20cd842f"
|
|
strings:
|
|
$s1 = "/tmp/qactg/" ascii
|
|
$s2 = "echo '/home/config/dscommands'" ascii
|
|
$s3 = "echo '/home/perl/DSLogConfig.pm'" ascii
|
|
$s4 = "ADM20447" ascii
|
|
condition:
|
|
filesize < 10KB
|
|
and all of them
|
|
}
|
|
|
|
rule M_Hunting_CredTheft_WARPWIRE_1 {
|
|
meta:
|
|
author = "Mandiant"
|
|
description = "This rule detects WARPWIRE, a credential stealer written in JavaScript that is embedded into a legitimate Pulse Secure file."
|
|
md5 = "d0c7a334a4d9dcd3c6335ae13bee59ea"
|
|
reference = "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day"
|
|
date = "2024-01-11"
|
|
score = 75
|
|
id = "9a6a8783-b531-560d-998d-8aa7c90158a8"
|
|
strings:
|
|
$s1 = {76 61 72 20 77 64 61 74 61 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 66 72 6d 4c 6f 67 69 6e 2e 75 73 65 72 6e 61 6d 65 2e 76 61 6c 75 65 3b}
|
|
$s2 = {76 61 72 20 73 64 61 74 61 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 66 72 6d 4c 6f 67 69 6e 2e 70 61 73 73 77 6f 72 64 2e 76 61 6c 75 65 3b}
|
|
$s3 = {2b 77 64 61 74 61 2b 27 26 27 2b 73 64 61 74 61 3b}
|
|
$s4 = {76 61 72 20 78 68 72 20 3d 20 6e 65 77 20 58 4d 4c 48 74 74 70 52 65 71 75 65 73 74}
|
|
$s5 = "Remember the last selected auth realm for 30 days" ascii
|
|
condition:
|
|
filesize < 8KB and
|
|
all of them
|
|
}
|