
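rule CrowdStrike_targetbreach_exfil
{
    // Flags the exfiltration component described in the CrowdStrike reference
    // below: the output filename format string must be present together with at
    // least one of the six scrambled character tables the tool embeds.
    meta:
        description = "Tool Responsible for Exfiltration of CC Data."
        last_modified = "2014-01-16"
        version = "1.0"
        in_the_wild = true
        copyright = "CrowdStrike, Inc"
        reference = "https://www.crowdstrike.com/blog/actionable-indicators-detection-signs-compromise-target-related-breaches/"
    strings:
        // printf-style name of the files the tool writes the harvested data to.
        $fmt = "data_%d_%d_%d_%d_%d.txt"
        // Scrambled alphabet tables. They contain literal double quotes and
        // backslashes, which MUST be escaped in a YARA text string: the
        // unescaped copy (e.g. ""-BFr... and the \s, \o, \m, \4 sequences) either
        // terminated the literal early or used escapes YARA does not define, so
        // the whole file failed to compile and matched nothing.
        $scramble1 = "\"-BFr423mI_6uaMtg$bxl\\sd1iU/0ok.cpe"
        $scramble2 = "gBb63-t2p_.rkd0uaeU/x1c$s\\o4il"
        $scramble3 = "x\"a-201Mt6b3sI$ /ceBok_i\\m.rdpU4Fulg"
        $scramble4 = "omv3.a 1%tNd\\4ils60n2Te_w"
        $scramble5 = "4mei gd2%rob-"
        $scramble6 = "8pCt1wq_hynlsc0.u9a"
    condition:
        // No filesize or MZ-header constraint is applied, so the rule can also
        // fire on memory dumps; tighten it per deployment if false positives
        // appear on non-PE data.
        $fmt and 1 of ($scramble*)
}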
rule CrowdStrike_blackpos_memscanner
{
    // Flags the memory-scanning component by the status/log strings it prints
    // (region/pid banners and the "kartoxa"/"KAPTOXA" scan messages). Any two
    // of the ten strings are enough for a hit.
    meta:
        description = "Tool Responsible for Scanning Memory For CC Data."
        last_modified = "2014-01-16"
        version = "1.0"
        in_the_wild = true
        copyright = "CrowdStrike, Inc"
        reference = "https://www.crowdstrike.com/blog/actionable-indicators-detection-signs-compromise-target-related-breaches/"
    strings:
        // Region / match-report banners.
        $msg1  = "S region:"
        $msg2  = " found ["
        $msg3  = "] bytes of pattern:["
        $msg4  = "CC2 region:"
        $msg5  = "CC memregion:"
        // Tool name and per-process scan messages.
        $msg6  = "KAPTOXA"
        $msg7  = "=== pid:"
        $msg8  = "scan process with pid for kartoxa and string pattern:"
        $msg9  = "scan process with pid for kartoxa:"
        $msg10 = "scan all processes for string pattern:"
    condition:
        // Several of these fragments (" found [", "=== pid:") are short and
        // generic on their own, hence the two-string minimum.
        2 of ($msg*)
}