08e8d462fe
RED PILL 🔴 💊
174 lines
6.8 KiB
Text
174 lines
6.8 KiB
Text
|
|
rule Win7Elevatev2 {
|
|
meta:
|
|
description = "Detects Win7Elevate - Windows UAC bypass utility"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "http://www.pretentiousname.com/misc/W7E_Source/Win7Elevate_Inject.cpp.html"
|
|
date = "2015-05-14"
|
|
hash1 = "4f53ff6a04e46eda92b403faf42219a545c06c29" /* x64 */
|
|
hash2 = "808d04c187a524db402c5b2be17ce799d2654bd1" /* x86 */
|
|
score = 60
|
|
id = "af092d16-ca95-5985-822a-50457c9cbcc9"
|
|
strings:
|
|
$x1 = "This program attempts to bypass Windows 7's default UAC settings to run " wide
|
|
$x2 = "Win7ElevateV2\\x64\\Release\\" ascii
|
|
$x3 = "Run the command normally (without code injection)" wide
|
|
$x4 = "Inject file copy && elevate command" fullword wide
|
|
$x5 = "http://www.pretentiousname.com/misc/win7_uac_whitelist2.html" fullword wide
|
|
$x6 = "For injection, pick any unelevated Windows process with ASLR on:" fullword wide
|
|
|
|
$s1 = "\\cmd.exe" wide
|
|
$s2 = "runas" wide
|
|
$s3 = "explorer.exe" wide
|
|
$s4 = "Couldn't load kernel32.dll" wide
|
|
$s5 = "CRYPTBASE.dll" wide
|
|
$s6 = "shell32.dll" wide
|
|
$s7 = "ShellExecuteEx" ascii
|
|
$s8 = "COMCTL32.dll" ascii
|
|
$s9 = "ShellExecuteEx" ascii
|
|
$s10 = "HeapAlloc" ascii
|
|
condition:
|
|
uint16(0) == 0x5a4d and ( 1 of ($x*) or all of ($s*) )
|
|
}
|
|
|
|
rule UACME_Akagi {
|
|
meta:
|
|
description = "Rule to detect UACMe - abusing built-in Windows AutoElevate backdoor"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://github.com/hfiref0x/UACME"
|
|
date = "2015-05-14"
|
|
hash1 = "edd2138bbd9e76c343051c6dc898054607f2040a"
|
|
hash2 = "e3a919ccc2e759e618208ededa8a543954d49f8a"
|
|
score = 60
|
|
id = "7979129e-99a3-522a-8285-9061e1e2bd41"
|
|
strings:
|
|
$x1 = "UACMe injected, Fubuki at your service." wide fullword
|
|
$x3 = "%temp%\\Hibiki.dll" fullword wide
|
|
$x4 = "[UCM] Cannot write to the target process memory." fullword wide
|
|
|
|
$s1 = "%systemroot%\\system32\\cmd.exe" wide
|
|
$s2 = "D:(A;;GA;;;WD)" wide
|
|
$s3 = "%systemroot%\\system32\\sysprep\\sysprep.exe" fullword wide
|
|
$s4 = "/c wusa %ws /extract:%%windir%%\\system32" fullword wide
|
|
$s5 = "Fubuki.dll" ascii fullword
|
|
|
|
$l1 = "ntdll.dll" ascii
|
|
$l2 = "Cabinet.dll" ascii
|
|
$l3 = "GetProcessHeap" ascii
|
|
$l4 = "WriteProcessMemory" ascii
|
|
$l5 = "ShellExecuteEx" ascii
|
|
condition:
|
|
( 1 of ($x*) ) or ( 3 of ($s*) and all of ($l*) )
|
|
}
|
|
|
|
rule UACElevator {
|
|
meta:
|
|
description = "UACElevator bypassing UAC - file UACElevator.exe"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://github.com/MalwareTech/UACElevator"
|
|
date = "2015-05-14"
|
|
hash = "fd29d5a72d7a85b7e9565ed92b4d7a3884defba6"
|
|
id = "629b1a92-726d-5713-ae3d-74cc8a1e52ad"
|
|
strings:
|
|
$x1 = "\\UACElevator.pdb" ascii
|
|
|
|
$s1 = "%userprofile%\\Downloads\\dwmapi.dll" fullword ascii
|
|
$s2 = "%windir%\\system32\\dwmapi.dll" fullword ascii
|
|
$s3 = "Infection module: %s" fullword ascii
|
|
$s4 = "Could not save module to %s" fullword ascii
|
|
$s5 = "%s%s%p%s%ld%s%d%s" fullword ascii
|
|
$s6 = "Stack area around _alloca memory reserved by this function is corrupted" fullword ascii
|
|
$s7 = "Stack around the variable '" fullword ascii
|
|
$s8 = "MSVCR120D.dll" fullword wide
|
|
$s9 = "Address: 0x" fullword ascii
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 172KB and
|
|
( $x1 or 8 of ($s*) )
|
|
}
|
|
|
|
rule s4u {
|
|
meta:
|
|
description = "Detects s4u executable which allows the creation of a cmd.exe with the context of any user without requiring the password. - file s4u.exe"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://github.com/aurel26/s-4-u-for-windows"
|
|
date = "2015-06-05"
|
|
hash = "cfc18f3d5306df208461459a8e667d89ce44ed77"
|
|
score = 50
|
|
id = "0d746311-56fe-538c-946c-3a3dd1603adc"
|
|
strings:
|
|
// Specific strings (may change)
|
|
$x0 = "s4u.exe Domain\\Username [Extra SID]" fullword ascii
|
|
$x1 = "\\Release\\s4u.pdb" ascii
|
|
|
|
// Less specific strings
|
|
$s0 = "CreateProcessAsUser failed (error %u)." fullword ascii
|
|
$s1 = "GetTokenInformation failed (error: %u)." fullword ascii
|
|
$s2 = "LsaLogonUser failed (error 0x%x)." fullword ascii
|
|
$s3 = "LsaLogonUser: OK, LogonId: 0x%x-0x%x" fullword ascii
|
|
$s4 = "LookupPrivilegeValue failed (error: %u)." fullword ascii
|
|
$s5 = "The token does not have the specified privilege (%S)." fullword ascii
|
|
$s6 = "Unable to parse command line." fullword ascii
|
|
$s7 = "Unable to find logon SID." fullword ascii
|
|
$s8 = "AdjustTokenPrivileges failed (error: %u)." fullword ascii
|
|
$s9 = "AdjustTokenPrivileges (%S): OK" fullword ascii
|
|
|
|
// Generic
|
|
$g1 = "%systemroot%\\system32\\cmd.exe" wide
|
|
$g2 = "SeTcbPrivilege" wide
|
|
$g3 = "winsta0\\default" wide
|
|
$g4 = ".rsrc"
|
|
$g5 = "HeapAlloc"
|
|
$g6 = "GetCurrentProcess"
|
|
$g7 = "HeapFree"
|
|
$g8 = "GetProcessHeap"
|
|
$g9 = "ExpandEnvironmentStrings"
|
|
$g10 = "ConvertStringSidToSid"
|
|
$g11 = "LookupPrivilegeValue"
|
|
$g12 = "AllocateLocallyUniqueId"
|
|
$g13 = "ADVAPI32.dll"
|
|
$g14 = "LsaLookupAuthenticationPackage"
|
|
$g15 = "Secur32.dll"
|
|
$g16 = "MSVCR120.dll"
|
|
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 60KB and ( 1 of ($x*) or all of ($s*) or all of ($g*) )
|
|
}
|
|
|
|
|
|
/*
|
|
Yara Rule Set
|
|
Author: Florian Roth
|
|
Date: 2017-02-03
|
|
Identifier: UACME Akagi
|
|
*/
|
|
|
|
/* Rule Set ----------------------------------------------------------------- */
|
|
|
|
rule UACME_Akagi_2 {
|
|
meta:
|
|
description = "Detects Windows User Account Control Bypass - from files Akagi32.exe, Akagi64.exe"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://github.com/hfiref0x/UACME"
|
|
date = "2017-02-03"
|
|
hash1 = "caf744d38820accb48a6e50216e547ed2bb3979604416dbcfcc991ce5e18f4ca"
|
|
hash2 = "609e9b15114e54ffc40c05a8980cc90f436a4a77c69f3e32fe391c0b130ff1c5"
|
|
score = 80
|
|
id = "1177d663-1081-5d17-9dd7-1218d95d90f7"
|
|
strings:
|
|
$x1 = "Usage: Akagi.exe [Method] [OptionalParamToExecute]" fullword wide
|
|
$x2 = "[UCM] Target file already exists, abort" fullword wide
|
|
|
|
$s1 = "MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options" fullword wide
|
|
$s2 = "Akagi.exe" fullword wide
|
|
$s3 = "Elevation:Administrator!new:{3AD05575-8857-4850-9277-11B85BDB8E09}" fullword wide
|
|
$s4 = "/c wusa %ws /extract:%%windir%%\\system32\\sysprep" fullword wide
|
|
$s5 = "/c wusa %ws /extract:%%windir%%\\system32\\migwiz" fullword wide
|
|
$s6 = "loadFrom=\"%systemroot%\\system32\\sysprep\\cryptbase.DLL\"" fullword ascii
|
|
condition:
|
|
( uint16(0) == 0x5a4d and filesize < 900KB and ( 1 of ($x*) or 3 of ($s*) ) ) or ( 6 of them )
|
|
}
|