
/*
Yara Rule Set
Author: Florian Roth
Date: 2017-10-18
Identifier: Leviathan Phishing Attacks
Reference: https://goo.gl/MZ7dRg
*/
/* Rule Set ----------------------------------------------------------------- */
rule SeDLL_Javascript_Decryptor {
    meta:
        description = "Detects SeDll - DLL is used for decrypting and executing another JavaScript backdoor such as Orz"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/MZ7dRg"
        date = "2017-10-18"
        modified = "2023-01-07"
        hash1 = "146aa9a0ec013aa5bdba9ea9d29f59d48d43bc17c6a20b74bb8c521dbb5bc6f4"
        id = "8fafd139-0c4f-5c51-af8f-b4917d2d69b0"
    strings:
        // $x* : high-confidence artifacts; a single hit is enough once the
        // PE/size gate in the condition holds. $x2 is matched as UTF-16LE (wide).
        $x1 = "SEDll_Win32.dll" fullword ascii
        $x2 = "regsvr32 /s \"%s\" DR __CIM__" wide
        // $s* : weaker supporting strings (generic-looking export/format names);
        // they only count in combination, see "4 of them" below.
        $s1 = "WScriptW" fullword ascii
        $s2 = "IWScript" fullword ascii
        $s3 = "%s\\%s~%d" fullword wide
        $s4 = "PutBlockToFileWW" fullword ascii
        $s5 = "CheckUpAndDownWW" fullword ascii
    condition:
        // 0x5a4d little-endian at offset 0 = "MZ" (PE header). The cheap header and
        // filesize checks come first so the string clause is only evaluated on small
        // PE files; then either one $x string or any four strings (of $x and $s) match.
        uint16(0) == 0x5a4d and filesize < 40KB and ( 1 of ($x*) or 4 of them )
}
rule Leviathan_CobaltStrike_Sample_1 {
    meta:
        description = "Detects Cobalt Strike sample from Leviathan report"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/MZ7dRg"
        date = "2017-10-18"
        hash1 = "5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362"
        id = "e29072d8-b4ea-5e94-8a1c-0a1baec5f423"
    strings:
        // $x* : strong indicators; one hit suffices once the PE/size gate holds.
        // $x1 is the module name seen in the referenced sample.
        // NOTE(review): $x2/$x3 read like generic Beacon status messages rather than
        // sample-specific artifacts; if so the rule also fires on other Cobalt Strike
        // builds, which is broader than the rule name suggests - confirm intended scope.
        $x1 = "a54c81.dll" fullword ascii
        $x2 = "%d is an x64 process (can't inject x86 content)" fullword ascii
        $x3 = "Failed to impersonate logged on user %d (%u)" fullword ascii
        // $s* : supporting strings (PowerShell stager templates and error/format
        // strings); they only count in combination, see "3 of them" below.
        $s1 = "powershell -nop -exec bypass -EncodedCommand \"%s\"" fullword ascii
        $s2 = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s" fullword ascii
        $s3 = "could not run command (w/ token) because of its length of %d bytes!" fullword ascii
        $s4 = "could not write to process memory: %d" fullword ascii
        $s5 = "%s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" fullword ascii
        $s6 = "Could not connect to pipe (%s): %d" fullword ascii
    condition:
        // 0x5a4d little-endian at offset 0 = "MZ" (PE header); the 600KB bound keeps
        // the rule off large binaries. Then one $x string, or any three strings, match.
        uint16(0) == 0x5a4d and filesize < 600KB and ( 1 of ($x*) or 3 of them )
}
rule MockDll_Gen {
    meta:
        description = "Detects MockDll - regsvr DLL loader"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/MZ7dRg"
        date = "2017-10-18"
        hash1 = "bfc5c6817ff2cc4f3cd40f649e10cc9ae1e52139f35fdddbd32cb4d221368922"
        hash2 = "80b931ab1798d7d8a8d63411861cee07e31bb9a68f595f579e11d3817cfc4aca"
        id = "904a0649-27e7-5024-aa6b-ddb23bba6202"
    strings:
        // $x* : module names of the 32- and 64-bit builds; either one alone
        // suffices once the PE/size gate holds.
        $x1 = "mock_run_ini_Win32.dll" fullword ascii
        $x2 = "mock_run_ini_x64.dll" fullword ascii
        // $s* : INI-style config format strings; weaker, so they only count
        // in combination ("2 of them" - any two strings of $x and $s).
        $s1 = "RealCmd=%s %s" fullword ascii
        $s2 = "MockModule=%s" fullword ascii
    condition:
        // 0x5a4d little-endian at offset 0 = "MZ" (PE header); the loader is tiny,
        // hence the tight 20KB bound. Then one $x string or any two strings match.
        uint16(0) == 0x5a4d and filesize < 20KB and ( 1 of ($x*) or 2 of them )
}
rule VBScript_Favicon_File {
    meta:
        description = "VBScript cloaked as Favicon file used in Leviathan incident"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/MZ7dRg"
        date = "2017-10-18"
        modified = "2023-01-06"
        hash1 = "39c952c7e14b6be5a9cb1be3f05eafa22e1115806e927f4e2dc85d609bc0eb36"
        id = "84147d4e-d062-5ba4-8019-6bf4b72c36c6"
    strings:
        // $x* : distinctive script fragments from the sample (inline XML builder,
        // mshta kill command, off-screen window placement); one hit is enough when
        // the file also starts with the "<s" marker and is under 100KB.
        $x1 = "myxml = '<?xml version=\"\"1.0\"\" encoding=\"\"UTF-8\"\"?>';myxml = myxml +'<root>" ascii
        $x2 = ".Run \"taskkill /im mshta.exe" ascii
        $x3 = "<script language=\"VBScript\">Window.ReSizeTo 0, 0 : Window.moveTo -2000,-2000 :" ascii
        // $s* : generic environment-path expansions; only count in combination.
        $s1 = ".ExpandEnvironmentStrings(\"%ALLUSERSPROFILE%\") &" ascii
        $s2 = ".ExpandEnvironmentStrings(\"%temp%\") & " ascii
    condition:
        // In YARA `and` binds tighter than `or`, so the filesize bound only gates the
        // first branch. The grouping below spells out that precedence explicitly;
        // the truth table is unchanged from the original ungrouped form.
        // 0x733c little-endian at offset 0 = the bytes "<s" (e.g. a leading <script tag).
        // NOTE(review): the "3 of them" branch is therefore NOT bounded by filesize or
        // by the "<s" header - confirm whether that is intended.
        ( filesize < 100KB and uint16(0) == 0x733c and 1 of ($x*) )
        or 3 of them
}