08e8d462fe
RED PILL 🔴 💊
50 lines
2.2 KiB
Text
50 lines
2.2 KiB
Text
|
|
/*
|
|
Yara Rule Set
|
|
Author: Florian Roth
|
|
Date: 2017-07-11
|
|
Identifier: WinPayloads
|
|
Reference: https://github.com/nccgroup/Winpayloads
|
|
*/
|
|
|
|
/* Rule Set ----------------------------------------------------------------- */
|
|
|
|
rule WinPayloads_PowerShell {
|
|
meta:
|
|
description = "Detects WinPayloads PowerShell Payload"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://github.com/nccgroup/Winpayloads"
|
|
date = "2017-07-11"
|
|
hash1 = "011eba8f18b66634f6eb47527b4ceddac2ae615d6861f89a35dbb9fc591cae8e"
|
|
id = "8b6b8823-4656-5b0d-9a1e-84045287f5bf"
|
|
strings:
|
|
$x1 = "$Base64Cert = 'MIIJeQIBAzCCCT8GCSqGSIb3DQEHAaCCCTAEggksMIIJKDCCA98GCSqGSIb3DQEHBqCCA9AwggPMAgEAMIIDxQYJKoZIhvcNAQcBMBwGCiqGSIb3D" ascii
|
|
$x2 = "powershell -w hidden -noni -enc SQBF" fullword ascii nocase
|
|
$x3 = "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwA" ascii
|
|
$x4 = "powershell.exe -WindowStyle Hidden -enc JABjAGwAaQBlAG4AdAA" ascii
|
|
condition:
|
|
filesize < 10KB and 1 of them
|
|
}
|
|
|
|
rule WinPayloads_Payload {
|
|
meta:
|
|
description = "Detects WinPayloads Payload"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://github.com/nccgroup/Winpayloads"
|
|
date = "2017-07-11"
|
|
super_rule = 1
|
|
hash1 = "23a24f99c3c6c00cd4bf6cb968f813ba2ceadfa846c7f169f412bcbb71ba6573"
|
|
hash2 = "35069905d9b7ba1fd57c8df03614f563504194e4684f47aafa08ebb8d9409d0b"
|
|
hash3 = "a28d107f168d85c38fc76229b14561b472e60e60973eb10b6b554c1f57469322"
|
|
hash4 = "ed93e28ca18f749a78678b1e8e8ac31f4c6c0bab2376d398b413dbdfd5af9c7f"
|
|
hash5 = "26f5aee1ce65158e8375deb63c27edabfc9f5de3c1c88a4ce26a7e50b315b6d8"
|
|
hash6 = "b25a515706085dbde0b98deaf647ef9a8700604652c60c6b706a2ff83fdcbf45"
|
|
id = "44fae324-1fc8-5417-950a-8a3783b6d2ae"
|
|
strings:
|
|
$s1 = "bpayload.exe.manifest" fullword ascii
|
|
$s2 = "spayload" fullword ascii
|
|
condition:
|
|
( uint16(0) == 0x5a4d and filesize < 10000KB and all of them )
|
|
}
|