Sneed-Reactivity/yara-Neo23x0/gen_metasploit_payloads.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

363 lines
15 KiB
Text

/*
Yara Rule Set
Author: Florian Roth
Date: 2017-02-09
Identifier: MSF Payloads
*/
/* Rule Set ----------------------------------------------------------------- */
rule Msfpayloads_msf {
meta:
description = "Metasploit Payloads - file msf.sh"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-02-09"
modified = "2022-08-18"
hash1 = "320a01ec4e023fb5fbbaef963a2b57229e4f918847e5a49c7a3f631cb556e96c"
id = "c56dbb8e-1e03-5112-b2ef-a0adfd14dffa"
strings:
$s1 = "export buf=\\" ascii
condition:
filesize < 5MB and $s1
}
rule Msfpayloads_msf_2 {
meta:
description = "Metasploit Payloads - file msf.asp"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-02-09"
hash1 = "e52f98466b92ee9629d564453af6f27bd3645e00a9e2da518f5a64a33ccf8eb5"
id = "ec1ae1b6-18a3-5590-ae15-1e2b362c545a"
strings:
$s1 = "& \"\\\" & \"svchost.exe\"" fullword ascii
$s2 = "CreateObject(\"Wscript.Shell\")" fullword ascii
$s3 = "<% @language=\"VBScript\" %>" fullword ascii
condition:
all of them
}
rule Msfpayloads_msf_psh {
meta:
description = "Metasploit Payloads - file msf-psh.vba"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-02-09"
hash1 = "5cc6c7f1aa75df8979be4a16e36cece40340c6e192ce527771bdd6463253e46f"
id = "5b760f03-b0f8-5871-bd34-e7e44443530c"
strings:
$s1 = "powershell.exe -nop -w hidden -e" ascii
$s2 = "Call Shell(" ascii
$s3 = "Sub Workbook_Open()" fullword ascii
condition:
all of them
}
rule Msfpayloads_msf_exe {
meta:
description = "Metasploit Payloads - file msf-exe.vba"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-02-09"
hash1 = "321537007ea5052a43ffa46a6976075cee6a4902af0c98b9fd711b9f572c20fd"
id = "fd07240e-0ee0-5318-a436-d97054e92414"
strings:
$s1 = "'* PAYLOAD DATA" fullword ascii
$s2 = " = Shell(" ascii
$s3 = "= Environ(\"USERPROFILE\")" fullword ascii
$s4 = "'**************************************************************" fullword ascii
$s5 = "ChDir (" ascii
$s6 = "'* MACRO CODE" fullword ascii
condition:
4 of them
}
rule Msfpayloads_msf_3 {
meta:
description = "Metasploit Payloads - file msf.psh"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-02-09"
hash1 = "335cfb85e11e7fb20cddc87e743b9e777dc4ab4e18a39c2a2da1aa61efdbd054"
id = "ad09167f-a12a-5f07-940b-df679fa8e6c0"
strings:
$s1 = "[DllImport(\"kernel32.dll\")] public static extern int WaitForSingleObject(" ascii
$s2 = "public enum MemoryProtection { ExecuteReadWrite = 0x40 }" fullword ascii
$s3 = ".func]::VirtualAlloc(0,"
$s4 = ".func+AllocationType]::Reserve -bOr [" ascii
$s5 = "New-Object System.CodeDom.Compiler.CompilerParameters" fullword ascii
$s6 = "ReferencedAssemblies.AddRange(@(\"System.dll\", [PsObject].Assembly.Location))" fullword ascii
$s7 = "public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }" fullword ascii
$s8 = ".func]::CreateThread(0,0,$" fullword ascii
$s9 = "public enum Time : uint { Infinite = 0xFFFFFFFF }" fullword ascii
$s10 = "= [System.Convert]::FromBase64String(\"/" ascii
$s11 = "{ $global:result = 3; return }" fullword ascii
condition:
4 of them
}
rule Msfpayloads_msf_4 {
meta:
description = "Metasploit Payloads - file msf.aspx"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-02-09"
hash1 = "26b3e572ba1574164b76c6d5213ab02e4170168ae2bcd2f477f246d37dbe84ef"
id = "00d7681b-6041-5fe1-adbb-8b7c40df0193"
strings:
$s1 = "= VirtualAlloc(IntPtr.Zero,(UIntPtr)" ascii
$s2 = ".Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);" ascii
$s3 = "[System.Runtime.InteropServices.DllImport(\"kernel32\")]" fullword ascii
$s4 = "private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;" fullword ascii
$s5 = "private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect);" fullword ascii
condition:
4 of them
}
rule Msfpayloads_msf_exe_2 {
meta:
description = "Metasploit Payloads - file msf-exe.aspx"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-02-09"
hash1 = "3a2f7a654c1100e64d8d3b4cd39165fba3b101bbcce6dd0f70dae863da338401"
id = "a55a33e1-8f04-5417-af0c-b7e2da36fb46"
strings:
$x1 = "= new System.Diagnostics.Process();" fullword ascii
$x2 = ".StartInfo.UseShellExecute = true;" fullword ascii
$x3 = ", \"svchost.exe\");" ascii
$s4 = " = Path.GetTempPath();" ascii
condition:
all of them
}
rule Msfpayloads_msf_5 {
meta:
description = "Metasploit Payloads - file msf.msi"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-02-09"
hash1 = "7a6c66dfc998bf5838993e40026e1f400acd018bde8d4c01ef2e2e8fba507065"
id = "030d1982-c9a8-539d-a995-7901ae425857"
strings:
$s1 = "required to install Foobar 1.0." fullword ascii
$s2 = "Copyright 2009 The Apache Software Foundation." fullword wide
$s3 = "{50F36D89-59A8-4A40-9689-8792029113AC}" fullword ascii
condition:
all of them
}
rule Msfpayloads_msf_6 {
meta:
description = "Metasploit Payloads - file msf.vbs"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-02-09"
hash1 = "8d6f55c6715c4a2023087c3d0d7abfa21e31a629393e4dc179d31bb25b166b3f"
id = "5485102b-e709-5111-814a-e6878b4bd889"
strings:
$s1 = "= CreateObject(\"Wscript.Shell\")" fullword ascii
$s2 = "= CreateObject(\"Scripting.FileSystemObject\")" fullword ascii
$s3 = ".GetSpecialFolder(2)" ascii
$s4 = ".Write Chr(CLng(\"" ascii
$s5 = "= \"4d5a90000300000004000000ffff00" ascii
$s6 = "For i = 1 to Len(" ascii
$s7 = ") Step 2" ascii
condition:
5 of them
}
rule Msfpayloads_msf_7 {
meta:
description = "Metasploit Payloads - file msf.vba"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-02-09"
hash1 = "425beff61a01e2f60773be3fcb74bdfc7c66099fe40b9209745029b3c19b5f2f"
id = "8d1b742e-510a-5807-ad3f-f10cc325d292"
strings:
$s1 = "Private Declare PtrSafe Function CreateThread Lib \"kernel32\" (ByVal" ascii
$s2 = "= VirtualAlloc(0, UBound(Tsw), &H1000, &H40)" fullword ascii
$s3 = "= RtlMoveMemory(" ascii
condition:
all of them
}
rule Msfpayloads_msf_8 {
meta:
description = "Metasploit Payloads - file msf.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-02-09"
hash1 = "519717e01f0cb3f460ef88cd70c3de8c7f00fb7c564260bd2908e97d11fde87f"
id = "54466663-12ef-5fa4-a13c-e80ddbc0f4f8"
strings:
$s1 = "[DllImport(\"kernel32.dll\")]" fullword ascii
$s2 = "[DllImport(\"msvcrt.dll\")]" fullword ascii
$s3 = "-Name \"Win32\" -namespace Win32Functions -passthru" fullword ascii
$s4 = "::VirtualAlloc(0,[Math]::Max($" ascii
$s5 = ".Length,0x1000),0x3000,0x40)" ascii
$s6 = "public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);" fullword ascii
$s7 = "::memset([IntPtr]($" ascii
condition:
6 of them
}
rule Msfpayloads_msf_cmd {
meta:
description = "Metasploit Payloads - file msf-cmd.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-02-09"
hash1 = "9f41932afc9b6b4938ee7a2559067f4df34a5c8eae73558a3959dd677cb5867f"
id = "71d42c34-a0b0-5173-8f2f-f48a7af0e4ff"
strings:
$x1 = "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e" ascii
condition:
all of them
}
rule Msfpayloads_msf_9 {
meta:
description = "Metasploit Payloads - file msf.war - contents"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-02-09"
hash1 = "e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81"
id = "488a2e97-ebc2-5ccf-ab5d-dfed4b534b52"
strings:
$s1 = "if (System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") != -1)" fullword ascii
$s2 = ".concat(\".exe\");" fullword ascii
$s3 = "[0] = \"chmod\";" ascii
$s4 = "= Runtime.getRuntime().exec(" ascii
$s5 = ", 16) & 0xff;" ascii
$x1 = "4d5a9000030000000" ascii
condition:
4 of ($s*) or (
uint32(0) == 0x61356434 and $x1 at 0
)
}
rule Msfpayloads_msf_10 {
meta:
description = "Metasploit Payloads - file msf.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-02-09"
hash1 = "3cd74fa28323c0d64f45507675ac08fb09bae4dd6b7e11f2832a4fbc70bb7082"
id = "3bc3b66a-9f8a-55c2-ae2a-00faa778cef7"
strings:
$s1 = { 0c 8b 52 14 8b 72 28 0f b7 4a 26 31 ff ac 3c 61 }
$s2 = { 01 c7 38 e0 75 f6 03 7d f8 3b 7d 24 75 e4 58 8b }
$s3 = { 01 d0 89 44 24 24 5b 5b 61 59 5a 51 ff e0 5f 5f }
condition:
( uint16(0) == 0x5a4d and filesize < 200KB and all of them )
}
rule Msfpayloads_msf_svc {
meta:
description = "Metasploit Payloads - file msf-svc.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-02-09"
hash1 = "2b02c9c10577ee0c7590d3dadc525c494122747a628a7bf714879b8e94ae5ea1"
id = "45d1c527-1f90-50f3-8e64-e77d69386b0a"
strings:
$s1 = "PAYLOAD:" fullword ascii
$s2 = ".exehll" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 50KB and all of them )
}
rule Msfpayloads_msf_11 {
meta:
description = "Metasploit Payloads - file msf.hta"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-02-09"
hash1 = "d1daf7bc41580322333a893133d103f7d67f5cd8a3e0f919471061d41cf710b6"
id = "59b0cced-ffdc-5f2f-878c-856883ee275f"
strings:
$s1 = ".ExpandEnvironmentStrings(\"%PSModulePath%\") + \"..\\powershell.exe\") Then" fullword ascii
$s2 = "= CreateObject(\"Scripting.FileSystemObject\")" fullword ascii
$s3 = "= CreateObject(\"Wscript.Shell\") " fullword ascii
condition:
all of them
}
rule Msfpayloads_msf_ref {
meta:
description = "Metasploit Payloads - file msf-ref.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-02-09"
hash1 = "4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87"
id = "517ed365-03c6-5563-984b-dae10464671a"
strings:
$s1 = "kernel32.dll WaitForSingleObject)," ascii
$s2 = "= ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\\\')" ascii
$s3 = "GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object" ascii
$s4 = ".DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual'," ascii
$s5 = "= [System.Convert]::FromBase64String(" ascii
$s6 = "[Parameter(Position = 0, Mandatory = $True)] [Type[]]" fullword ascii
$s7 = "DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard," ascii
condition:
5 of them
}
rule MAL_Metasploit_Framework_UA {
meta:
description = "Detects User Agent used in Metasploit Framework"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/rapid7/metasploit-framework/commit/12a6d67be48527f5d3987e40cac2a0cbb4ab6ce7"
date = "2018-08-16"
score = 65
hash1 = "1743e1bd4176ffb62a1a0503a0d76033752f8bd34f6f09db85c2979c04bbdd29"
id = "e5a18456-3a07-5b58-ad95-086152298a1f"
strings:
$s3 = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 400KB and 1 of them
}
rule HKTL_Meterpreter_inMemory {
meta:
description = "Detects Meterpreter in-memory"
author = "netbiosX, Florian Roth"
reference = "https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/"
date = "2020-06-29"
modified = "2023-04-21"
score = 85
id = "29c3bb7e-4da8-5924-ada7-2f28d9352009"
strings:
$sxc1 = { 6D 65 74 73 72 76 2E 64 6C 6C 00 00 52 65 66 6C
65 63 74 69 76 65 4C 6F 61 64 65 72 }
$sxs1 = "metsrv.x64.dll" ascii fullword
$ss1 = "WS2_32.dll" ascii fullword
$ss2 = "ReflectiveLoader" ascii fullword
$fp1 = "SentinelOne" ascii wide
$fp2 = "fortiESNAC" ascii wide
$fp3 = "PSNMVHookMS" ascii wide
condition:
( 1 of ($sx*) or 2 of ($s*) )
and not 1 of ($fp*)
}