08e8d462fe
RED PILL 🔴 💊
266 lines
11 KiB
Text
266 lines
11 KiB
Text
|
|
rule EXPL_Exchange_ProxyShell_Failed_Aug21_1 : SCRIPT {
|
|
meta:
|
|
description = "Detects ProxyShell exploitation attempts in log files"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
score = 50
|
|
reference = "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html"
|
|
date = "2021-08-08"
|
|
modified = "2021-08-09"
|
|
id = "9b849042-8918-5322-a35a-2165d4b541d5"
|
|
strings:
|
|
$xr1 = / \/autodiscover\/autodiscover\.json[^\n]{1,300}\/(powershell|mapi\/nspi|EWS\/|X-Rps-CAT)[^\n]{1,400}401 0 0/ nocase ascii
|
|
$xr3 = /Email=autodiscover\/autodiscover\.json[^\n]{1,400}401 0 0/ nocase ascii
|
|
condition:
|
|
1 of them
|
|
}
|
|
|
|
rule EXPL_Exchange_ProxyShell_Successful_Aug21_1 : SCRIPT {
|
|
meta:
|
|
description = "Detects successful ProxyShell exploitation attempts in log files"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
score = 85
|
|
reference = "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html"
|
|
date = "2021-08-08"
|
|
modified = "2021-08-09"
|
|
id = "8c11cd1a-6d3f-5f29-af61-17179b01ca8b"
|
|
strings:
|
|
$xr1a = / \/autodiscover\/autodiscover\.json[^\n]{1,300}\/(powershell|X-Rps-CAT)/ nocase ascii
|
|
$xr1b = / \/autodiscover\/autodiscover\.json[^\n]{1,300}\/(mapi\/nspi|EWS\/)[^\n]{1,400}(200|302) 0 0/
|
|
$xr2 = /autodiscover\/autodiscover\.json[^\n]{1,60}&X-Rps-CAT=/ nocase ascii
|
|
$xr3 = /Email=autodiscover\/autodiscover\.json[^\n]{1,400}200 0 0/ nocase ascii
|
|
condition:
|
|
1 of them
|
|
}
|
|
|
|
rule WEBSHELL_ASPX_ProxyShell_Aug21_2 {
|
|
meta:
|
|
description = "Detects webshells dropped by ProxyShell exploitation based on their file header (must be PST), size and content"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-servers-are-getting-hacked-via-proxyshell-exploits/"
|
|
date = "2021-08-13"
|
|
id = "a351a466-695e-570e-8c7f-9c6c0534839c"
|
|
strings:
|
|
$s1 = "Page Language=" ascii nocase
|
|
condition:
|
|
uint32(0) == 0x4e444221 /* PST header: !BDN */
|
|
and filesize < 2MB
|
|
and $s1
|
|
}
|
|
|
|
rule WEBSHELL_ASPX_ProxyShell_Aug21_3 {
|
|
meta:
|
|
description = "Detects webshells dropped by ProxyShell exploitation based on their file header (must be DER), size and content"
|
|
author = "Max Altgelt"
|
|
reference = "https://twitter.com/gossithedog/status/1429175908905127938?s=12"
|
|
date = "2021-08-23"
|
|
score = 75
|
|
id = "a7bca62b-c8f1-5a38-81df-f3d4582a590b"
|
|
strings:
|
|
$s1 = "Page Language=" ascii nocase
|
|
condition:
|
|
uint16(0) == 0x8230 /* DER start */
|
|
and filesize < 10KB
|
|
and $s1
|
|
}
|
|
|
|
rule WEBSHELL_ASPX_ProxyShell_Sep21_1 {
|
|
meta:
|
|
description = "Detects webshells dropped by ProxyShell exploitation based on their file header (must be PST) and base64 decoded request"
|
|
author = "Tobias Michalski"
|
|
date = "2021-09-17"
|
|
reference = "Internal Research"
|
|
hash = "219468c10d2b9d61a8ae70dc8b6d2824ca8fbe4e53bbd925eeca270fef0fd640"
|
|
score = 75
|
|
id = "d0d23e17-6b6a-51d1-afd9-59cc2404bcd8"
|
|
strings:
|
|
$s = ".FromBase64String(Request["
|
|
condition:
|
|
uint32(0) == 0x4e444221
|
|
and any of them
|
|
}
|
|
|
|
rule APT_IIS_Config_ProxyShell_Artifacts {
|
|
meta:
|
|
description = "Detects virtual directory configured in IIS pointing to a ProgramData folder (as found in attacks against Exchange servers in August 2021)"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit"
|
|
date = "2021-08-25"
|
|
score = 90
|
|
id = "21888fc0-82c6-555a-9320-9cbb8332a843"
|
|
strings:
|
|
$a1 = "<site name=" ascii /* marker used to select IIS configs */
|
|
$a2 = "<sectionGroup name=\"system.webServer\">" ascii
|
|
|
|
$sa1 = " physicalPath=\"C:\\ProgramData\\COM" ascii
|
|
$sa2 = " physicalPath=\"C:\\ProgramData\\WHO" ascii
|
|
$sa3 = " physicalPath=\"C:\\ProgramData\\ZING" ascii
|
|
$sa4 = " physicalPath=\"C:\\ProgramData\\ZOO" ascii
|
|
$sa5 = " physicalPath=\"C:\\ProgramData\\XYZ" ascii
|
|
$sa6 = " physicalPath=\"C:\\ProgramData\\AUX" ascii
|
|
$sa7 = " physicalPath=\"C:\\ProgramData\\CON\\" ascii
|
|
|
|
$sb1 = " physicalPath=\"C:\\Users\\All Users\\" ascii
|
|
condition:
|
|
filesize < 500KB and all of ($a*) and 1 of ($s*)
|
|
}
|
|
|
|
rule WEBSHELL_ASPX_ProxyShell_Exploitation_Aug21_1 {
|
|
meta:
|
|
description = "Detects unknown malicious loaders noticed in August 2021"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://twitter.com/VirITeXplorer/status/1430206853733097473"
|
|
date = "2021-08-25"
|
|
score = 90
|
|
id = "1fa563fc-c91c-5f4e-98f1-b895e1acb4f4"
|
|
strings:
|
|
$x1 = ");eval/*asf" ascii
|
|
condition:
|
|
filesize < 600KB and 1 of them
|
|
}
|
|
|
|
rule WEBSHELL_ASPX_ProxyShell_Aug15 {
|
|
meta:
|
|
description = "Webshells iisstart.aspx and Logout.aspx"
|
|
author = "Moritz Oettle"
|
|
reference = "https://github.com/hvs-consulting/ioc_signatures/tree/main/Proxyshell"
|
|
date = "2021-09-04"
|
|
score = 75
|
|
id = "b1e6c0f3-787f-59b8-8123-4045522047ca"
|
|
strings:
|
|
$g1 = "language=\"JScript\"" ascii
|
|
$g2 = "function getErrorWord" ascii
|
|
$g3 = "errorWord" ascii
|
|
$g4 = "Response.Redirect" ascii
|
|
$g5 = "function Page_Load" ascii
|
|
$g6 = "runat=\"server\"" ascii
|
|
$g7 = "Request[" ascii
|
|
$g8 = "eval/*" ascii
|
|
|
|
$s1 = "AppcacheVer" ascii /* HTTP Request Parameter */
|
|
$s2 = "clientCode" ascii /* HTTP Request Parameter */
|
|
$s3 = "LaTkWfI64XeDAXZS6pU1KrsvLAcGH7AZOQXjrFkT816RnFYJQR" ascii
|
|
condition:
|
|
filesize < 1KB and
|
|
( 1 of ($s*) or 4 of ($g*) )
|
|
}
|
|
|
|
rule WEBSHELL_Mailbox_Export_PST_ProxyShell_Aug26 {
|
|
meta:
|
|
description = "Webshells generated by an Mailbox export to PST and stored as aspx: 570221043.aspx 689193944.aspx luifdecggoqmansn.aspx"
|
|
author = "Moritz Oettle"
|
|
reference = "https://github.com/hvs-consulting/ioc_signatures/tree/main/Proxyshell"
|
|
date = "2021-09-04"
|
|
score = 85
|
|
id = "6aea414f-d27c-5202-84f8-b8620782fc90"
|
|
strings:
|
|
$x1 = "!BDN" /* PST file header */
|
|
|
|
$g1 = "Page language=" ascii
|
|
$g2 = "<%@ Page" ascii
|
|
$g3 = "Request.Item[" ascii
|
|
$g4 = "\"unsafe\");" ascii
|
|
$g5 = "<%eval(" ascii
|
|
$g6 = "script language=" ascii
|
|
$g7 = "Request[" ascii
|
|
|
|
$s1 = "gold8899" ascii /* HTTP Request Parameter */
|
|
$s2 = "exec_code" ascii /* HTTP Request Parameter */
|
|
$s3 = "orangenb" ascii /* HTTP Request Parameter */
|
|
condition:
|
|
filesize < 500KB and
|
|
$x1 at 0 and
|
|
( 1 of ($s*) or 3 of ($g*) )
|
|
}
|
|
|
|
|
|
/*
|
|
Hunting Rules
|
|
*/
|
|
|
|
rule SUSP_IIS_Config_ProxyShell_Artifacts {
|
|
meta:
|
|
description = "Detects suspicious virtual directory configured in IIS pointing to a ProgramData folder (as found in attacks against Exchange servers in August 2021)"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit"
|
|
date = "2021-08-25"
|
|
score = 70
|
|
id = "bde65d9e-b17d-5746-8d29-8419363d0511"
|
|
strings:
|
|
$a1 = "<site name=" ascii /* marker used to select IIS configs */
|
|
$a2 = "<sectionGroup name=\"system.webServer\">" ascii
|
|
|
|
$s1 = " physicalPath=\"C:\\ProgramData\\" ascii
|
|
condition:
|
|
filesize < 500KB and all of ($a*) and 1 of ($s*)
|
|
}
|
|
|
|
rule SUSP_IIS_Config_VirtualDir {
|
|
meta:
|
|
description = "Detects suspicious virtual directory configured in IIS pointing to a User folder"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit"
|
|
date = "2021-08-25"
|
|
modified = "2022-09-17"
|
|
score = 60
|
|
id = "cfe5ca5e-a0cc-5f60-84d2-1b0538e999c7"
|
|
strings:
|
|
$a1 = "<site name=" ascii /* marker used to select IIS configs */
|
|
$a2 = "<sectionGroup name=\"system.webServer\">" ascii
|
|
|
|
$s2 = " physicalPath=\"C:\\Users\\" ascii
|
|
|
|
$fp1 = "Microsoft.Web.Administration" wide
|
|
$fp2 = "<virtualDirectory path=\"/\" physicalPath=\"C:\\Users\\admin\\"
|
|
condition:
|
|
filesize < 500KB and all of ($a*) and 1 of ($s*)
|
|
and not 1 of ($fp*)
|
|
}
|
|
|
|
rule SUSP_ASPX_PossibleDropperArtifact_Aug21 {
|
|
meta:
|
|
description = "Detects an ASPX file with a non-ASCII header, often a result of MS Exchange drop techniques"
|
|
reference = "Internal Research"
|
|
author = "Max Altgelt"
|
|
date = "2021-08-23"
|
|
score = 60
|
|
id = "52016598-74a1-53d6-812a-40b078ba0bb9"
|
|
strings:
|
|
$s1 = "Page Language=" ascii nocase
|
|
|
|
$fp1 = "Page Language=\"java\"" ascii nocase
|
|
condition:
|
|
filesize < 500KB
|
|
and not uint16(0) == 0x4B50 and not uint16(0) == 0x6152 and not uint16(0) == 0x8b1f // Exclude ZIP / RAR / GZIP files (can cause FPs when uncompressed)
|
|
and not uint16(0) == 0x5A4D // PE
|
|
and not uint16(0) == 0xCFD0 // OLE
|
|
and not uint16(0) == 0xC3D4 // PCAP
|
|
and not uint16(0) == 0x534D // CAB
|
|
and all of ($s*) and not 1 of ($fp*) and
|
|
(
|
|
((uint8(0) < 0x20 or uint8(0) > 0x7E /*non-ASCII*/ ) and uint8(0) != 0x9 /* tab */ and uint8(0) != 0x0D /* carriage return */ and uint8(0) != 0x0A /* new line */ and uint8(0) != 0xEF /* BOM UTF-8 */)
|
|
or ((uint8(1) < 0x20 or uint8(1) > 0x7E /*non-ASCII*/ ) and uint8(1) != 0x9 /* tab */ and uint8(1) != 0x0D /* carriage return */ and uint8(1) != 0x0A /* new line */ and uint8(1) != 0xBB /* BOM UTF-8 */)
|
|
or ((uint8(2) < 0x20 or uint8(2) > 0x7E /*non-ASCII*/ ) and uint8(2) != 0x9 /* tab */ and uint8(2) != 0x0D /* carriage return */ and uint8(2) != 0x0A /* new line */ and uint8(2) != 0xBF /* BOM UTF-8 */)
|
|
or ((uint8(3) < 0x20 or uint8(3) > 0x7E /*non-ASCII*/ ) and uint8(3) != 0x9 /* tab */ and uint8(3) != 0x0D /* carriage return */ and uint8(3) != 0x0A /* new line */)
|
|
or ((uint8(4) < 0x20 or uint8(4) > 0x7E /*non-ASCII*/ ) and uint8(4) != 0x9 /* tab */ and uint8(4) != 0x0D /* carriage return */ and uint8(4) != 0x0A /* new line */)
|
|
or ((uint8(5) < 0x20 or uint8(5) > 0x7E /*non-ASCII*/ ) and uint8(5) != 0x9 /* tab */ and uint8(5) != 0x0D /* carriage return */ and uint8(5) != 0x0A /* new line */)
|
|
or ((uint8(6) < 0x20 or uint8(6) > 0x7E /*non-ASCII*/ ) and uint8(6) != 0x9 /* tab */ and uint8(6) != 0x0D /* carriage return */ and uint8(6) != 0x0A /* new line */)
|
|
or ((uint8(7) < 0x20 or uint8(7) > 0x7E /*non-ASCII*/ ) and uint8(7) != 0x9 /* tab */ and uint8(7) != 0x0D /* carriage return */ and uint8(7) != 0x0A /* new line */)
|
|
)
|
|
}
|
|
|
|
rule WEBSHELL_ProxyShell_Exploitation_Nov21_1 {
|
|
meta:
|
|
description = "Detects webshells dropped by DropHell malware"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://www.deepinstinct.com/blog/do-not-exchange-it-has-a-shell-inside"
|
|
date = "2021-11-01"
|
|
score = 85
|
|
id = "300eaadf-db0c-5591-84fc-abdf7cdd90c1"
|
|
strings:
|
|
$s01 = ".LoadXml(System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(Request[" ascii wide
|
|
$s02 = "new System.IO.MemoryStream()" ascii wide
|
|
$s03 = "Transform(" ascii wide
|
|
condition:
|
|
all of ($s*)
|
|
}
|