/*
 * Flags a Windows Error Reporting (.wer) report whose faulting process died
 * with exception code c0000374 (heap corruption). A heap-corruption crash is
 * a common side effect of a failed or partially successful memory-corruption
 * exploit, hence the low-confidence score (45): treat as a lead, not a verdict.
 */
rule SUSP_WER_Critical_HeapCorruption {
   meta:
      description = "Detects a crashed application that crashed due to a heap corruption error (could be a sign of exploitation)"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://twitter.com/cyb3rops/status/1185459425710092288"
      date = "2019-10-18"
      score = 45
      id = "2b1dad5f-cc2c-5d8c-8275-ebb56d079895"
   strings:
      /* Field markers of a WER report; the files are UTF-16LE, hence `wide` */
      $wer_report_id = "ReportIdentifier=" wide
      $wer_fault_mod = ".Name=Fault Module Name" wide
      /* Exception code as written into the report: c0000374 = heap corruption */
      $heap_corruption = "c0000374" wide
   condition:
      /* File begins with "Ve" in UTF-16LE (likely the "Version=" line that heads
         a Report.wer file), either bare or preceded by the FF FE byte-order mark.
         Same bytes as uint32be(0) == 0x56006500 / 0xfffe5600, read as two
         little-endian 16-bit code units. */
      (
         ( uint16(0) == 0x0056 and uint16(2) == 0x0065 )
         or ( uint16(0) == 0xfeff and uint16(2) == 0x0056 )
      )
      /* Both report markers and the heap-corruption code must all be present */
      and all of ($wer_*) and $heap_corruption
}
/*
 * Flags a Windows Error Reporting (.wer) report whose crashed application ran
 * from a location outside the whitelisted prefixes below, or from one of the
 * explicitly suspicious locations (which override the whitelist).
 * Score 45: a single crash in an odd directory is a lead, not a verdict.
 */
rule SUSP_WER_Suspicious_Crash_Directory {
   meta:
      description = "Detects a crashed application executed in a suspicious directory"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://twitter.com/cyb3rops/status/1185585050059976705"
      date = "2019-10-18"
      score = 45
      id = "bf91e20c-aa35-5b13-86ed-a63e6fb4d1a2"
   strings:
      /* WER report markers; the files are UTF-16LE, hence `wide`. $a3 is the
         field whose value (full path of the faulting executable) is inspected
         by the $l / $s strings. */
      $a1 = "ReportIdentifier=" wide
      $a2 = ".Name=Fault Module Name" wide
      $a3 = "AppPath=" wide nocase

      /* Whitelist */
      /* NOTE(review): the whitelist only knows the C: drive. A report whose
         AppPath is on any other drive letter matches none of $l1-$l4 and is
         therefore always flagged by the "not 1 of ($l*)" branch below. */
      $l1 = "AppPath=C:\\Windows\\" wide nocase
      /* NOTE(review): this prefix also covers "C:\Program Files (x86)\" and
         "C:\ProgramData\"; ProgramData is a common malware staging directory,
         so crashes from there are whitelisted unless a $s string catches them.
         Consider tightening to "C:\\Program Files" if the FP rate allows. */
      $l2 = "AppPath=C:\\Program" wide nocase
      $l3 = "AppPath=C:\\Python" wide nocase
      /* Everything under C:\Users\ is whitelisted here; $s6-$s8 below carve
         the suspicious sub-locations back out. */
      $l4 = "AppPath=C:\\Users\\" wide nocase

      /* Blacklist */
      /* covered via Whitelist
      $s1 = "AppPath=C:\\$Recycle.Bin\\" wide
      $s2 = "AppPath=C:\\Perflogs\\" wide
      $s3 = "AppPath=C:\\Temp\\" wide
      $s4 = "AppPath=\\\\" wide // network share, or \\tsclient\c etc.
      $s5 = /AppPath=[C-Z]:\\\\[^\\]{1,64}\.exe/ wide nocase // in the root of a partition - no sub folder
      */
      /* NOTE(review): the disabled $s1-$s5 are indeed redundant today because
         none of those paths start with a whitelisted prefix. If $s5 is ever
         re-enabled, check its escaping first: inside a regex literal "\\\\"
         appears to match two consecutive backslashes, unlike the single "\\"
         used for one backslash in $s8. */
      $s6 = "AppPath=C:\\Users\\Public\\" nocase wide
      $s7 = "AppPath=C:\\Users\\Default\\" nocase wide
      /* Root of AppData */
      /* Matches an .exe sitting directly in <user>\AppData\Local\ or
         \Roaming\ -- "[^\\]" cannot cross a backslash, so no sub-folder is
         allowed between (Local|Roaming)\ and the file name.
         NOTE(review): an .exe one level deeper, e.g. AppData\Local\Temp\x.exe,
         is therefore NOT caught here and stays whitelisted via $l4. */
      $s8 = /AppPath=C:\\Users\\[^\\]{1,64}\\AppData\\(Local|Roaming)\\[^\\]{1,64}\.exe/ wide nocase
   condition:
      /* File begins with "Ve" in UTF-16LE (likely the "Version=" line that
         heads a Report.wer file), bare or preceded by the FF FE byte-order mark */
      ( uint32be(0) == 0x56006500 or uint32be(0) == 0xfffe5600 )
      /* All three report markers, AND either the AppPath is under none of the
         whitelisted prefixes, OR it matches an explicit suspicious prefix
         (the $s strings take precedence over the whitelist). */
      and all of ($a*) and ( not 1 of ($l*) or 1 of ($s*) )
}