├── .github
│   └── workflows
│       ├── CCCS.yml
│       ├── LICENSE.txt
│       ├── YARAhub.yml
│       └── YARAhub
│           ├── YARAhub.py
│           └── requirements.txt
├── .yara-ci.yml
├── LICENSE.md
├── README.md
├── Sigma
│   ├── README.md
│   └── windows
│       ├── file_event
│       │   ├── win_file_hijack_electron.yml
│       │   └── win_file_nullsoft_installer.yml
│       └── image_load
│           └── win_load_nullsoft_installer.yml
├── Suricata
│   ├── README.md
│   └── mal_truebot.rules
└── YARA
    ├── README.md
    ├── mal_electron_js_backdoor.yar
    ├── mal_havoc.yar
    ├── mal_injection_function_stomping.yar
    ├── mal_metasploit_windows_shellcode.yar
    ├── mal_syscall_hellshall.yar
    ├── mal_syscall_hwsyscalls.yar
    ├── mal_truebot.yar
    ├── sus_nsis.yar
    ├── sus_pe.yar
    ├── sus_xll.yar
    ├── weird_png.yar
    └── weird_zip.yar

--------------------------------------------------------------------------------
/.github/workflows/CCCS.yml:
--------------------------------------------------------------------------------
name: Canadian Centre for Cyber Security YARA Specification

on:
  push:
    paths:
      - YARA/**
  pull_request:
    paths:
      - YARA/**
  workflow_dispatch:

permissions:
  contents: read

jobs:
  Lint:

    runs-on: ubuntu-latest

    steps:
    - name: Set up Python 3.12
      uses: actions/setup-python@v3
      with:
        python-version: "3.12"
    - name: Install dependencies
      run: |
        python -m pip install git+https://github.com/CybercentreCanada/CCCS-Yara
    - name: Checkout signatures
      uses: actions/checkout@v3
    - name: Lint with Canadian Centre for Cyber Security YARA Specification
      run: |
        yara_validator -n -v -f $GITHUB_WORKSPACE/YARA/

--------------------------------------------------------------------------------
/.github/workflows/LICENSE.txt:
--------------------------------------------------------------------------------
EUROPEAN UNION PUBLIC LICENCE v. 1.2
EUPL © the European Union 2007, 2016

This European Union Public Licence (the ‘EUPL’) applies to the Work (as defined below) which is provided under the terms of this Licence. Any use of the Work, other than as authorised under this Licence is prohibited (to the extent such use is covered by a right of the copyright holder of the Work).

The Work is provided under the terms of this Licence when the Licensor (as defined below) has placed the following notice immediately following the copyright notice for the Work:

Licensed under the EUPL

or has expressed by any other means his willingness to license under the EUPL.

1. Definitions

In this Licence, the following terms have the following meaning:

- ‘The Licence’: this Licence.

- ‘The Original Work’: the work or software distributed or communicated by the Licensor under this Licence, available as Source Code and also as Executable Code as the case may be.

- ‘Derivative Works’: the works or software that could be created by the Licensee, based upon the Original Work or modifications thereof. This Licence does not define the extent of modification or dependence on the Original Work required in order to classify a work as a Derivative Work; this extent is determined by copyright law applicable in the country mentioned in Article 15.

- ‘The Work’: the Original Work or its Derivative Works.

- ‘The Source Code’: the human-readable form of the Work which is the most convenient for people to study and modify.

- ‘The Executable Code’: any code which has generally been compiled and which is meant to be interpreted by a computer as a program.

- ‘The Licensor’: the natural or legal person that distributes or communicates the Work under the Licence.

- ‘Contributor(s)’: any natural or legal person who modifies the Work under the Licence, or otherwise contributes to the creation of a Derivative Work.

- ‘The Licensee’ or ‘You’: any natural or legal person who makes any usage of the Work under the terms of the Licence.

- ‘Distribution’ or ‘Communication’: any act of selling, giving, lending, renting, distributing, communicating, transmitting, or otherwise making available, online or offline, copies of the Work or providing access to its essential functionalities at the disposal of any other natural or legal person.

2. Scope of the rights granted by the Licence

The Licensor hereby grants You a worldwide, royalty-free, non-exclusive, sublicensable licence to do the following, for the duration of copyright vested in the Original Work:

- use the Work in any circumstance and for all usage,
- reproduce the Work,
- modify the Work, and make Derivative Works based upon the Work,
- communicate to the public, including the right to make available or display the Work or copies thereof to the public and perform publicly, as the case may be, the Work,
- distribute the Work or copies thereof,
- lend and rent the Work or copies thereof,
- sublicense rights in the Work or copies thereof.

Those rights can be exercised on any media, supports and formats, whether now known or later invented, as far as the applicable law permits so.

In the countries where moral rights apply, the Licensor waives his right to exercise his moral right to the extent allowed by law in order to make effective the licence of the economic rights here above listed.

The Licensor grants to the Licensee royalty-free, non-exclusive usage rights to any patents held by the Licensor, to the extent necessary to make use of the rights granted on the Work under this Licence.

3. Communication of the Source Code

The Licensor may provide the Work either in its Source Code form, or as Executable Code. If the Work is provided as Executable Code, the Licensor provides in addition a machine-readable copy of the Source Code of the Work along with each copy of the Work that the Licensor distributes or indicates, in a notice following the copyright notice attached to the Work, a repository where the Source Code is easily and freely accessible for as long as the Licensor continues to distribute or communicate the Work.

4. Limitations on copyright

Nothing in this Licence is intended to deprive the Licensee of the benefits from any exception or limitation to the exclusive rights of the rights owners in the Work, of the exhaustion of those rights or of other applicable limitations thereto.

5. Obligations of the Licensee

The grant of the rights mentioned above is subject to some restrictions and obligations imposed on the Licensee. Those obligations are the following:

Attribution right: The Licensee shall keep intact all copyright, patent or trademarks notices and all notices that refer to the Licence and to the disclaimer of warranties. The Licensee must include a copy of such notices and a copy of the Licence with every copy of the Work he/she distributes or communicates. The Licensee must cause any Derivative Work to carry prominent notices stating that the Work has been modified and the date of modification.

Copyleft clause: If the Licensee distributes or communicates copies of the Original Works or Derivative Works, this Distribution or Communication will be done under the terms of this Licence or of a later version of this Licence unless the Original Work is expressly distributed only under this version of the Licence — for example by communicating ‘EUPL v. 1.2 only’. The Licensee (becoming Licensor) cannot offer or impose any additional terms or conditions on the Work or Derivative Work that alter or restrict the terms of the Licence.

Compatibility clause: If the Licensee Distributes or Communicates Derivative Works or copies thereof based upon both the Work and another work licensed under a Compatible Licence, this Distribution or Communication can be done under the terms of this Compatible Licence. For the sake of this clause, ‘Compatible Licence’ refers to the licences listed in the appendix attached to this Licence. Should the Licensee's obligations under the Compatible Licence conflict with his/her obligations under this Licence, the obligations of the Compatible Licence shall prevail.

Provision of Source Code: When distributing or communicating copies of the Work, the Licensee will provide a machine-readable copy of the Source Code or indicate a repository where this Source will be easily and freely available for as long as the Licensee continues to distribute or communicate the Work.

Legal Protection: This Licence does not grant permission to use the trade names, trademarks, service marks, or names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the copyright notice.

6. Chain of Authorship

The original Licensor warrants that the copyright in the Original Work granted hereunder is owned by him/her or licensed to him/her and that he/she has the power and authority to grant the Licence.

Each Contributor warrants that the copyright in the modifications he/she brings to the Work are owned by him/her or licensed to him/her and that he/she has the power and authority to grant the Licence.

Each time You accept the Licence, the original Licensor and subsequent Contributors grant You a licence to their contributions to the Work, under the terms of this Licence.

7. Disclaimer of Warranty

The Work is a work in progress, which is continuously improved by numerous Contributors. It is not a finished work and may therefore contain defects or ‘bugs’ inherent to this type of development.

For the above reason, the Work is provided under the Licence on an ‘as is’ basis and without warranties of any kind concerning the Work, including without limitation merchantability, fitness for a particular purpose, absence of defects or errors, accuracy, non-infringement of intellectual property rights other than copyright as stated in Article 6 of this Licence.

This disclaimer of warranty is an essential part of the Licence and a condition for the grant of any rights to the Work.

8. Disclaimer of Liability

Except in the cases of wilful misconduct or damages directly caused to natural persons, the Licensor will in no event be liable for any direct or indirect, material or moral, damages of any kind, arising out of the Licence or of the use of the Work, including without limitation, damages for loss of goodwill, work stoppage, computer failure or malfunction, loss of data or any commercial damage, even if the Licensor has been advised of the possibility of such damage. However, the Licensor will be liable under statutory product liability laws as far such laws apply to the Work.

9. Additional agreements

While distributing the Work, You may choose to conclude an additional agreement, defining obligations or services consistent with this Licence. However, if accepting obligations, You may act only on your own behalf and on your sole responsibility, not on behalf of the original Licensor or any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against such Contributor by the fact You have accepted any warranty or additional liability.

10. Acceptance of the Licence

The provisions of this Licence can be accepted by clicking on an icon ‘I agree’ placed under the bottom of a window displaying the text of this Licence or by affirming consent in any other similar way, in accordance with the rules of applicable law. Clicking on that icon indicates your clear and irrevocable acceptance of this Licence and all of its terms and conditions.

Similarly, you irrevocably accept this Licence and all of its terms and conditions by exercising any rights granted to You by Article 2 of this Licence, such as the use of the Work, the creation by You of a Derivative Work or the Distribution or Communication by You of the Work or copies thereof.

11. Information to the public

In case of any Distribution or Communication of the Work by means of electronic communication by You (for example, by offering to download the Work from a remote location) the distribution channel or media (for example, a website) must at least provide to the public the information requested by the applicable law regarding the Licensor, the Licence and the way it may be accessible, concluded, stored and reproduced by the Licensee.

12. Termination of the Licence

The Licence and the rights granted hereunder will terminate automatically upon any breach by the Licensee of the terms of the Licence.

Such a termination will not terminate the licences of any person who has received the Work from the Licensee under the Licence, provided such persons remain in full compliance with the Licence.

13. Miscellaneous

Without prejudice of Article 9 above, the Licence represents the complete agreement between the Parties as to the Work.

If any provision of the Licence is invalid or unenforceable under applicable law, this will not affect the validity or enforceability of the Licence as a whole. Such provision will be construed or reformed so as necessary to make it valid and enforceable.

The European Commission may publish other linguistic versions or new versions of this Licence or updated versions of the Appendix, so far this is required and reasonable, without reducing the scope of the rights granted by the Licence. New versions of the Licence will be published with a unique version number.

All linguistic versions of this Licence, approved by the European Commission, have identical value. Parties can take advantage of the linguistic version of their choice.

14. Jurisdiction

Without prejudice to specific agreement between parties,

- any litigation resulting from the interpretation of this License, arising between the European Union institutions, bodies, offices or agencies, as a Licensor, and any Licensee, will be subject to the jurisdiction of the Court of Justice of the European Union, as laid down in article 272 of the Treaty on the Functioning of the European Union,

- any litigation arising between other parties and resulting from the interpretation of this License, will be subject to the exclusive jurisdiction of the competent court where the Licensor resides or conducts its primary business.

15. Applicable Law

Without prejudice to specific agreement between parties,

- this Licence shall be governed by the law of the European Union Member State where the Licensor has his seat, resides or has his registered office,

- this licence shall be governed by Belgian law if the Licensor has no seat, residence or registered office inside a European Union Member State.

Appendix

‘Compatible Licences’ according to Article 5 EUPL are:

- GNU General Public License (GPL) v. 2, v. 3
- GNU Affero General Public License (AGPL) v. 3
- Open Software License (OSL) v. 2.1, v. 3.0
- Eclipse Public License (EPL) v. 1.0
- CeCILL v. 2.0, v. 2.1
- Mozilla Public Licence (MPL) v. 2
- GNU Lesser General Public Licence (LGPL) v. 2.1, v. 3
- Creative Commons Attribution-ShareAlike v. 3.0 Unported (CC BY-SA 3.0) for works other than software
- European Union Public Licence (EUPL) v. 1.1, v. 1.2
- Québec Free and Open-Source Licence — Reciprocity (LiLiQ-R) or Strong Reciprocity (LiLiQ-R+).

The European Commission may update this Appendix to later versions of the above licences without producing a new version of the EUPL, as long as they provide the rights granted in Article 2 of this Licence and protect the covered Source Code from exclusive appropriation.

All other changes or additions to this Appendix require the production of a new EUPL version.

--------------------------------------------------------------------------------
/.github/workflows/YARAhub.yml:
--------------------------------------------------------------------------------
name: YARAhub

on:
  push:
    paths:
      - YARA/**
  workflow_dispatch:

permissions:
  contents: read

jobs:
  Package:

    runs-on: ubuntu-latest

    steps:
    - name: Set up Python 3.10
      uses: actions/setup-python@v3
      with:
        python-version: "3.10"

    - name: Checkout signatures
      uses: actions/checkout@v3

    - name: Install dependencies
      run: |
        python -m pip install --upgrade pip
        if [ -f $GITHUB_WORKSPACE/.github/workflows/YARAhub/requirements.txt ]; then pip install -r $GITHUB_WORKSPACE/.github/workflows/YARAhub/requirements.txt; fi

    - name: Convert YARA rules to YARAhub format
      run: |
        mkdir $GITHUB_WORKSPACE/out
        python $GITHUB_WORKSPACE/.github/workflows/YARAhub/YARAhub.py --dir $GITHUB_WORKSPACE/out $GITHUB_WORKSPACE/YARA/*.yar

    - uses: actions/upload-artifact@v3
      with:
        name: YARAhub
        path: ${{ github.workspace }}/out/*.yar
        if-no-files-found: error

--------------------------------------------------------------------------------
/.github/workflows/YARAhub/YARAhub.py:
--------------------------------------------------------------------------------
import argparse
from datetime import datetime
import glob
from os import path
from typing import Any, Sequence
import uuid

import baseconv
import plyara
from plyara import utils


def contains(dicts: Sequence[dict], key: Any) -> bool:
    """Return whether any of the (single-key) plyara metadata dicts carries `key`."""
    for d in dicts:
        if key in d:
            return True
    return False


def first(dicts: Sequence[dict], key: Any, default: Any = None) -> Any:
    """Return the value of the first metadata dict carrying `key`, else `default`."""
    for d in dicts:
        if key in d:
            return d[key]
    return default


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='Generate YARAhub rules file.')
    parser.add_argument('path', metavar='PATH', type=str, nargs='+', help='a glob expression to YARA rules compliant with the Canadian Centre for Cyber Security YARA specification')
    parser.add_argument('--dir', metavar='DIR', type=str, required=False, default='./', help='a directory in which rules should be saved')

    args = parser.parse_args()
    yara = plyara.Plyara()

    for expression in args.path:
        for filepath in glob.iglob(expression, recursive=True):
            with open(filepath, mode='r') as file:
                for rule in yara.parse_string(file.read()):
                    # Date when the YARA rule has been written. Format: YYYY-MM-DD
                    if not contains(rule['metadata'], 'date'):
                        rule['metadata'].append({'date': first(rule['metadata'], 'last_modified', datetime.today().strftime('%Y-%m-%d'))})
                    # MD5 hash of a sample (file) that should match this YARA rule
                    if not contains(rule['metadata'], 'yarahub_reference_md5'):
                        md5 = []
                        for entry in rule['metadata']:
                            for k, v in entry.items():
                                if k.startswith('hash') and len(v) == 32:
                                    md5.append({'yarahub_reference_md5': v})
                        if not md5:
                            md5.append({'yarahub_reference_md5': '0' * 32})
                        rule['metadata'].extend(md5)
                    # A unique UUID 4 identifying this YARA rule
                    identifier = uuid.UUID(first(rule['metadata'], 'yarahub_uuid', '{00000000-0000-0000-0000-000000000000}'))
                    if not identifier.int:
                        # Derive a stable UUID from the CCCS base62 `id`; base62.decode() expects a string, hence the '0' default
                        identifier = uuid.UUID(int=int(baseconv.base62.decode(first(rule['metadata'], 'id', '0'))))
                    if not identifier.int:
                        identifier = uuid.uuid4()
                    if not contains(rule['metadata'], 'yarahub_uuid'):
                        rule['metadata'].append({'yarahub_uuid': str(identifier)})
                    # Creative Commons license under which you want to share your YARA rule.
                    # Most restrictive as DRL is not supported (yet).
                    if not contains(rule['metadata'], 'yarahub_license'):
                        rule['metadata'].append({'yarahub_license': 'CC BY-NC-ND 4.0'})
                    # This TLP defines whether YARA matches of this rule should be publicly visible or not
                    if not contains(rule['metadata'], 'yarahub_rule_matching_tlp'):
                        tlp = first(rule['metadata'], 'sharing')
                        # Use legacy TLP codes
                        if tlp == "TLP:CLEAR":
                            tlp = "TLP:WHITE"
                        rule['metadata'].append({'yarahub_rule_matching_tlp': tlp})
                    # This TLP defines whether the YARA rule itself should be shared or not.
                    # Quite restrictive as DRL is not supported (yet).
                    if not contains(rule['metadata'], 'yarahub_rule_sharing_tlp'):
                        rule['metadata'].append({'yarahub_rule_sharing_tlp': 'TLP:AMBER'})
                    destination = path.join(args.dir, f'{rule["rule_name"]}_{identifier}.yar')
                    with open(destination, mode='w') as compiled:
                        compiled.write(utils.rebuild_yara_rule(rule, condition_indents=True))
                    print(destination)
            # Reset the parser state before the next file
            yara.clear()

--------------------------------------------------------------------------------
/.github/workflows/YARAhub/requirements.txt:
--------------------------------------------------------------------------------
plyara>=2.1.1
python-baseconv>=1.2.2

--------------------------------------------------------------------------------
/.yara-ci.yml:
--------------------------------------------------------------------------------
files:
  accept:
    - "YARA/**.yar"
  ignore:
    - "YARA/weird_*.yar"

--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
# Detection Rule License (DRL) 1.1

Permission is hereby granted, free of charge, to any person obtaining a copy of this rule set and associated documentation files (the "Rules"), to deal in the Rules without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Rules, and to permit persons to whom the Rules are furnished to do so, subject to the following conditions:

If you share the Rules (including in modified form), you must retain the following if it is supplied within the Rules:

1. identification of the author(s) ("author" field) of the Rule and any others designated to receive attribution, in any reasonable manner requested by the Rule author (including by pseudonym if designated).

2. a URI or hyperlink to the Rule set or explicit Rule to the extent reasonably practicable

3. indicate the Rules are licensed under this Detection Rule License, and include the text of, or the URI or hyperlink to, this Detection Rule License to the extent reasonably practicable

If you use the Rules (including in modified form) on data, messages based on matches with the Rules must retain the following if it is supplied within the Rules:

1. identification of the author(s) ("author" field) of the Rule and any others designated to receive attribution, in any reasonable manner requested by the Rule author (including by pseudonym if designated).

THE RULES ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE RULES OR THE USE OR OTHER DEALINGS IN THE RULES.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Signatures
A TLP:CLEAR repository of detection rules licensed under the [Detection Rule License (DRL) 1.1](./LICENSE.md) ([Why this license?](https://github.com/SigmaHQ/Detection-Rule-License#detection-rule-license-drl)).

## YARA

All YARA rules (except those identifying `weird` properties, sometimes found in legitimate software) are run through [VirusTotal's YARA Continuous Integration](https://yara-ci.cloud.virustotal.com/) pipeline to rule out false positives.
--------------------------------------------------------------------------------
/Sigma/README.md:
--------------------------------------------------------------------------------
# Sigma

--------------------------------------------------------------------------------
/Sigma/windows/file_event/win_file_hijack_electron.yml:
--------------------------------------------------------------------------------
title: Electron Application Search-Order Hijack
id: 9c787eb6-9fc4-457e-b815-e161e1ed3532
status: stable
description: Detects the creation of an Electron hijack abusing the application search-order for persistence, execution and defense evasion.
references:
    - https://github.com/electron/electron/commit/57d088517ceef0d6c7bd6dde6fd740813c3cf943#diff-913b4eb0955fc49f1792447dc4dc58049e89d29b8d6366ba986fcb51b48963a4
author: 'Maxime Thiebaut (0xThiebaut)'
date: 2021/11/15
tags:
    - attack.persistence
    - attack.execution
    - attack.defense_evasion
    - attack.t1574
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\app\package.json.js'
    condition: selection
level: medium

--------------------------------------------------------------------------------
/Sigma/windows/file_event/win_file_nullsoft_installer.yml:
--------------------------------------------------------------------------------
title: Nullsoft Scriptable Installer Script (NSIS) execution
id: b95288d8-020a-4df0-95cb-d2d3a806ab11
description: Detects the creation of the NSIS System plugin library, indicative of an NSIS script execution.
status: experimental
date: 2023/06/12
author: "Maxime THIEBAUT (@0xThiebaut), @TheDFIRReport"
references:
    - https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out
    - https://nsis.sourceforge.io/Docs/System/System.html
logsource:
    category: file_event
    product: windows
detection:
    selection1:
        TargetFilename|contains: '\Temp\ns'
        TargetFilename|endswith: '.tmp\System.dll'
    condition: selection1
falsepositives:
    - Legitimate NSIS installers (e.g., Razer Chroma, Pulse Secure, ...)
level: low
tags:
    - attack.execution #TA0002
    - attack.T1106
    - dist.public

--------------------------------------------------------------------------------
/Sigma/windows/image_load/win_load_nullsoft_installer.yml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xThiebaut/Signatures/8dd34f03733f1900ea3ad1c107f709eb2acfb921/Sigma/windows/image_load/win_load_nullsoft_installer.yml

--------------------------------------------------------------------------------
/Suricata/README.md:
--------------------------------------------------------------------------------
# Suricata
This signature base provides Suricata network detection rules within the `3078540000` SID range. The Suricata rules are currently Snort-compatible, but compatibility is not guaranteed for future rules.

| SID          | Message                   |
|--------------|---------------------------|
| `3078540001` | `TrueBot Payload Request` |

--------------------------------------------------------------------------------
/Suricata/mal_truebot.rules:
--------------------------------------------------------------------------------
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TrueBot Payload Request"; flow:established,to_server; metadata:service http; content:"POST"; http_method; pcre:"/^\/[^?]+\.php\?file=[0-9a-f]{32}$/UAE"; pcre:"/^Host: \S+(\r\n)+$/HAE"; content:"|0d0a0d0a|"; isdataat:!1,relative; reference:url,https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/; metadata:author Maxime Thiebaut (@0xThiebaut); classtype:trojan-activity; sid: 3078540001; rev: 1;)

--------------------------------------------------------------------------------
/YARA/README.md:
--------------------------------------------------------------------------------
# YARA
YARA rules within this repository conform to the [Canadian Centre for Cyber Security YARA Specification](https://github.com/CybercentreCanada/CCCS-Yara).

All rules (except those identifying `weird` properties, sometimes found in legitimate software) are run through [VirusTotal's YARA Continuous Integration](https://yara-ci.cloud.virustotal.com/) pipeline to rule out false positives.
--------------------------------------------------------------------------------
/YARA/mal_electron_js_backdoor.yar:
--------------------------------------------------------------------------------
rule mal_electron_js_backdoor: RELEASED MALWARE BACKDOOR TA0002 T1059 T1059_007 {
    meta:
        id = "6GSHZaIgC9X671uyawFtRs"
        fingerprint = "f4b6b67e31aa12611d89a447556c63add7c3440703f49270c90b032871659357"
        version = "1.1"
        creation_date = "2021-11-04"
        first_imported = "2023-02-23"
        last_modified = "2023-02-28"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        source = "THIEBAUT.DEV"
        author = "Maxime THIEBAUT (@0xThiebaut)"
        description = "Detects suspicious JavaScript statements linked to an Electron backdoor deployed by FalconForce"
        category = "MALWARE"
        malware = "BACKDOOR"
        mitre_att = "T1574"
        reference = "https://github.com/electron/electron/commit/57d088517ceef0d6c7bd6dde6fd740813c3cf943#diff-913b4eb0955fc49f1792447dc4dc58049e89d29b8d6366ba986fcb51b48963a4"
        hash = "a148e00ef1a18e5d687f04dda6512526e9b8b2053e78d5461540a3939cf4f87c"

    strings:
        $require = "require" fullword
        $require_fs = "fs" fullword
        $require_path = "path" fullword
        $require_electron = "electron" fullword
        $require_net = "net" fullword
        $require_crypto = "crypto" fullword
        $require_os = "os" fullword
        $require_process = "process" fullword
        $crypto_random = "randomBytes" fullword
        $crypto_iv = "createCipheriv" fullword
        $func_eval = "eval" fullword

    condition:
        9 of them and $func_eval and any of ($crypto_*) and #require >= 4 and #require_electron >= 2 and filesize <= 150KB
}

--------------------------------------------------------------------------------
/YARA/mal_havoc.yar:
--------------------------------------------------------------------------------
rule mal_loader_havoc_x64: RELEASED MALWARE LOADER TA0005 T1027 T1027_007 {
    meta:
        id = "4P6Z0kQNZdiDMvT7A21ygW"
        fingerprint = "e734c13b40a026fc382af496be7eeec1a6da1bbf40de28090c854a0500b736cd"
        version = "1.0"
        creation_date = "2023-04-11"
        first_imported = "2023-04-11"
        last_modified = "2023-04-11"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        source = "THIEBAUT.DEV"
        author = "Maxime THIEBAUT (@0xThiebaut)"
        description = "Detects Havoc C2's import hashing algorithm"
        category = "MALWARE"
        malware = "LOADER"
        mitre_att = "T1027.007"
        reference = "https://github.com/HavocFramework/Havoc/blob/1248ff9ecc964325447128ae3ea819f1ad10b790/Teamserver/data/implants/Shellcode/Source/Utils.c"
        hash = "d3ca24a6588c46c60646c9f6f19a916b8e108e20f74d0b721393d972a72b39fc"

    strings:
        $hashing = {
            b8 05 15 00 00  // mov eax, 0x1505 (Havoc's default hash seed)
            ?? be 11        // movsx ??, byte ptr [rcx]
            48 ff c1        // inc rcx
            84 ??           // test ??, ??
            74 ??           // jz short ??
            6b c0 ??        // imul eax, ??
            01 ??           // add eax, ??
            eb ??           // jmp short ??
            c3              // retn
        }

    condition:
        $hashing
}

rule mal_loader_custom_havoc_x64: RELEASED MALWARE LOADER TA0005 T1027 T1027_007 {
    meta:
        id = "1EmdHiqQ6Y4163shVAW5yI"
        fingerprint = "46c414b56ccf97ef65b1f1603aa64705a8ffb39b5d9e270e00d21774e79b561a"
        version = "1.0"
        creation_date = "2023-04-11"
        first_imported = "2023-04-11"
        last_modified = "2023-04-11"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        source = "THIEBAUT.DEV"
        author = "Maxime THIEBAUT (@0xThiebaut)"
        description = "Detects a suspicious hashing algorithm similar (but not equal) to Havoc C2's import hashing with customized salt"
        category = "MALWARE"
        malware = "LOADER"
        mitre_att = "T1027.007"
        reference = "https://github.com/HavocFramework/Havoc/blob/1248ff9ecc964325447128ae3ea819f1ad10b790/Teamserver/data/implants/Shellcode/Source/Utils.c"
        hash = "b3dc5d08346a76c235ce29f0b4557abb0ef049c3cd7b676a615196a74dfbc5f9"

    strings:
        $hashing = {
            b8 ?? ?? ?? ??  // mov eax, ?? (customized hash seed)
            ?? be 11        // movsx ??, byte ptr [rcx]
            48 ff c1        // inc rcx
            84 ??           // test ??, ??
            74 ??           // jz short ??
            6b c0 ??        // imul eax, ??
            01 ??           // add eax, ??
            eb ??           // jmp short ??
            c3              // retn
        }

    condition:
        $hashing and for any i in (1..#hashing): (
            uint32(@hashing[i]+1) != 0x1505 // Exclude Havoc C2 salt
        )
}

--------------------------------------------------------------------------------
/YARA/mal_injection_function_stomping.yar:
--------------------------------------------------------------------------------
rule mal_injection_function_stomping: RELEASED MALWARE LOADER TA0005 T1055 {
    meta:
        id = "6UdqYRxOBY0mQcVrIM50lI"
        fingerprint = "c79c0d5b4fb36149eb3809fe8b099de3bad42f35e35bba6924d29ae943eeabc1"
        version = "1.1"
        creation_date = "2022-01-25"
        first_imported = "2023-02-23"
        last_modified = "2023-03-01"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        source = "THIEBAUT.DEV"
        author = "Maxime THIEBAUT (@0xThiebaut)"
        description = "Detects suspicious strings related to the FunctionStomping PoC by Ido Veltzman"
        category = "MALWARE"
        malware = "LOADER"
        mitre_att = "T1055"
        reference = "https://github.com/Idov31/FunctionStomping/blob/9ed837b51616147c0b36235583c9d26d72e3d3cb/header/functionstomping.hpp"
        hash = "37cf2f4a421ff8feb097f62eefcca647bc50acc571f7f620885d10741a2d09a5"

    strings:
        $stomp_err = "The function name is misspelled or the function is unstompable" ascii wide fullword
        $stomp_ok = "Successfuly stomped the function" ascii wide fullword
        $ok_func_base = "Got function base" ascii wide fullword
        $ok_perms = "Changed protection to WCX instead of RWX" ascii wide fullword
        $err_stomp_size = "Cannot write more than 4096 bytes" ascii wide fullword
        $err_stomp = "Failed to overwrite function" ascii wide fullword

    condition:
        any of ($stomp_*) or 4 of them
}

--------------------------------------------------------------------------------
/YARA/mal_metasploit_windows_shellcode.yar:
--------------------------------------------------------------------------------
rule
mal_metasploit_shellcode_windows_pingback_reverse_tcp: RELEASED MALWARE BACKDOOR TA0011 T1095 { 2 | meta: 3 | id = "5G85R2pF2ch4aUwWEzqu5t" 4 | fingerprint = "870b0365c881e045049deb6ce71af19204fb713536e6fcb7466e26ab37970e15" 5 | version = "1.0" 6 | creation_date = "2021-09-02" 7 | first_imported = "2023-02-23" 8 | last_modified = "2023-02-23" 9 | status = "RELEASED" 10 | sharing = "TLP:WHITE" 11 | source = "THIEBAUT.DEV" 12 | author = "Maxime THIEBAUT (@0xThiebaut)" 13 | description = "Detects Metasploit import-hashes from the windows/pingback_reverse_tcp payload" 14 | category = "MALWARE" 15 | malware = "BACKDOOR" 16 | mitre_att = "T1095" 17 | reference = "https://blog.nviso.eu/2021/09/02/anatomy-and-disruption-of-metasploit-shellcode/" 18 | hash = "6675cdf56a8dbde5b5d745145ad41c7a717000d7dd03ac4baa88c8647733d0ab" 19 | 20 | strings: 21 | $import_full = "ws2_32" // 64-bit 22 | $import_part = {33 32 [03] 77 73 32 5F} // 32-bit 23 | $imphashes = { 24 | 4c 77 26 07 // kernel32.dll::LoadLibraryA 25 | [10-30] 26 | 29 80 6b 00 // ws2_32.dll::WSAStartup 27 | [10-30] 28 | 02 00 // AF_INET 29 | [10-30] 30 | ea 0f df e0 // ws2_32.dll::WSASocketA 31 | [05-25] 32 | 99 a5 74 61 // ws2_32.dll::connect 33 | [45-65] 34 | 75 6e 4d 61 // ws2_32.dll::closesocket 35 | [15-35] 36 | f0 b5 a2 56 // kernel32.dll::ExitProcess 37 | } 38 | condition: 39 | any of ($import_*) and $imphashes 40 | } 41 | 42 | rule mal_metasploit_shellcode_windows_powershell_tcp: RELEASED MALWARE BACKDOOR TA0011 T1095 { 43 | meta: 44 | id = "6an4dnzmZYlWYU4nyMMJoM" 45 | fingerprint = "fc43b130e92407e09022ba96e76ce9b34266af67bef678a12eda739b7895487a" 46 | version = "1.0" 47 | creation_date = "2021-09-02" 48 | first_imported = "2023-02-23" 49 | last_modified = "2023-02-23" 50 | status = "RELEASED" 51 | sharing = "TLP:WHITE" 52 | source = "THIEBAUT.DEV" 53 | author = "Maxime THIEBAUT (@0xThiebaut)" 54 | description = "Detects Metasploit import-hashes from the windows/powershell_bind_tcp and 
windows/powershell_reverse_tcp payloads" 55 | category = "MALWARE" 56 | malware = "BACKDOOR" 57 | mitre_att = "T1095" 58 | reference = "https://blog.nviso.eu/2021/09/02/anatomy-and-disruption-of-metasploit-shellcode/" 59 | hash = "e26603ef85151596b0faf5ab7dc82ae655d37ec8aef204b329553cf5bc5b730b" 60 | hash = "9e017c8a6e0078f06dfb898721f3ef7c49f797bc8e2073ff338407dbb5a92297" 61 | 62 | strings: 63 | $imphashes = { 64 | 31 8b 6f 87 // kernel32.dll::WinExec 65 | [01-20] 66 | f0 b5 a2 56 // kernel32.dll::ExitProcess 67 | [01-20] 68 | a6 95 bd 9d // kernel32.dll::GetVersion 69 | [10-30] 70 | 47 13 72 6f // ntdll.dll::RtlExitUserThread 71 | } 72 | condition: 73 | all of them 74 | } 75 | 76 | rule mal_metasploit_shellcode_windows_shell_bind_tcp: RELEASED MALWARE BACKDOOR TA0011 T1095 { 77 | meta: 78 | id = "4uKthQU886pm3rYwVJD705" 79 | fingerprint = "335fd73453b337e1c1b818c6df849657bde8bb552bddbe170ae07cfc842eb559" 80 | version = "1.0" 81 | creation_date = "2021-09-02" 82 | first_imported = "2023-02-23" 83 | last_modified = "2023-02-23" 84 | status = "RELEASED" 85 | sharing = "TLP:WHITE" 86 | source = "THIEBAUT.DEV" 87 | author = "Maxime THIEBAUT (@0xThiebaut)" 88 | description = "Detects Metasploit import-hashes from the windows/shell_bind_tcp payload" 89 | category = "MALWARE" 90 | malware = "BACKDOOR" 91 | mitre_att = "T1095" 92 | reference = "https://blog.nviso.eu/2021/09/02/anatomy-and-disruption-of-metasploit-shellcode/" 93 | hash = "826232cee9ccd0ee22c82685d7841e09c4fd17e2101736f43d8c6f1621e2fcb3" 94 | 95 | strings: 96 | $import_full = "ws2_32" // 64-bit 97 | $import_part = {33 32 [03] 77 73 32 5F} // 32-bit 98 | $imphashes = { 99 | 4c 77 26 07 // kernel32.dll::LoadLibraryA 100 | [10-30] 101 | 29 80 6b 00 // ws2_32.dll::WSAStartup 102 | [10-30] 103 | ea 0f df e0 // ws2_32.dll::WSASocketA 104 | [02-20] 105 | 02 00 // AF_INET 106 | [05-25] 107 | c2 db 37 67 // ws2_32.dll::bind 108 | [02-10] 109 | b7 e9 38 ff // ws2_32.dll::listen 110 | [02-10] 111 | 74 ec 3b e1 // 
ws2_32.dll::accept 112 | [02-20] 113 | 75 6e 4d 61 // ws2_32.dll::closesocket 114 | [35-55] 115 | 79 cc 3f 86 // kernel32.dll::CreateProcessA 116 | [05-25] 117 | 08 87 1d 60 // kernel32.dll::WaitForSingleObject 118 | [00-10] 119 | f0 b5 a2 56 // kernel32.dll::ExitProcess 120 | [00-10] 121 | a6 95 bd 9d // kernel32.dll::GetVersion 122 | [10-30] 123 | 47 13 72 6f // ntdll.dll::RtlExitUserThread 124 | } 125 | condition: 126 | any of ($import_*) and $imphashes 127 | } 128 | 129 | rule mal_metasploit_shellcode_windows_shell_hidden_bind_tcp: RELEASED MALWARE BACKDOOR TA0011 T1095 { 130 | meta: 131 | id = "6HQ4oEHcqNUBbmJxwjBpVZ" 132 | fingerprint = "cf568dda6d7ec12ed2e9ed3f24865b92bb243cae359f3c7264c8819f4ae8a430" 133 | version = "1.0" 134 | creation_date = "2021-09-02" 135 | first_imported = "2023-02-23" 136 | last_modified = "2023-02-23" 137 | status = "RELEASED" 138 | sharing = "TLP:WHITE" 139 | source = "THIEBAUT.DEV" 140 | author = "Maxime THIEBAUT (@0xThiebaut)" 141 | author = "Maxime THIEBAUT (@0xThiebaut)" 142 | description = "Detects Metasploit import-hashes from the windows/shell_hidden_bind_tcp payload" 143 | category = "MALWARE" 144 | malware = "BACKDOOR" 145 | mitre_att = "T1095" 146 | reference = "https://blog.nviso.eu/2021/09/02/anatomy-and-disruption-of-metasploit-shellcode/" 147 | hash = "166a5d9715d238d7902dbc505df2b2769fa68db337a2de1405be430513f7a938" 148 | 149 | strings: 150 | $import_full = "ws2_32" // 64-bit 151 | $import_part = {33 32 [03] 77 73 32 5F} // 32-bit 152 | $imphashes = { 153 | 4c 77 26 07 // kernel32.dll::LoadLibraryA 154 | [10-30] 155 | 29 80 6b 00 // ws2_32.dll::WSAStartup 156 | [10-30] 157 | ea 0f df e0 // ws2_32.dll::WSASocketA 158 | [02-20] 159 | 02 00 // AF_INET 160 | [05-25] 161 | c2 db 37 67 // ws2_32.dll::bind 162 | [05-25] 163 | f1 a2 77 29 // ws2_32.dll::setsockopt 164 | [02-15] 165 | b7 e9 38 ff // ws2_32.dll::listen 166 | [30-50] 167 | 94 ac be 33 // ws2_32.dll::WSAAccept 168 | [05-25] 169 | 75 6e 4d 61 // 
ws2_32.dll::closesocket 170 | [40-60] 171 | 79 cc 3f 86 // kernel32.dll::CreateProcessA 172 | [05-25] 173 | 08 87 1d 60 // kernel32.dll::WaitForSingleObject 174 | [02-15] 175 | f0 b5 a2 56 // kernel32.dll::ExitProcess 176 | [01-10] 177 | a6 95 bd 9d // kernel32.dll::GetVersion 178 | [10-30] 179 | 47 13 72 6f // ntdll.dll::RtlExitUserThread 180 | } 181 | condition: 182 | any of ($import_*) and $imphashes 183 | } 184 | 185 | rule mal_metasploit_encode_xor_x64 : RELEASED MALWARE BACKDOOR TA0005 T1027 T1027_002 { 186 | meta: 187 | id = "zGjRO3lps1ui10W9jN19C" 188 | fingerprint = "bed08d8cf7527fd89c91dfbc076f05abf7eca6e2d28e9a973e598d0cbf38780b" 189 | version = "1.1" 190 | creation_date = "2023-02-28" 191 | first_imported = "2023-02-28" 192 | last_modified = "2023-02-28" 193 | status = "RELEASED" 194 | sharing = "TLP:WHITE" 195 | source = "THIEBAUT.DEV" 196 | author = "Maxime THIEBAUT (@0xThiebaut)" 197 | description = "Detects XOR-encoded Metasploit shellcode" 198 | category = "MALWARE" 199 | malware = "OBFUSCATOR" 200 | mitre_att = "T1027" 201 | reference = "https://github.com/rapid7/metasploit-framework/blob/b8178397a9aba19dc7a80ee1346d8685674cc0ff/modules/encoders/x64/xor.rb#L36-L42" 202 | hash = "37cf2f4a421ff8feb097f62eefcca647bc50acc571f7f620885d10741a2d09a5" 203 | 204 | strings: 205 | $encryption = { 206 | 48 31 c9 // xor rcx, rcx 207 | 48 81 e9 ?? ?? ?? ?? // sub ecx, block_count 208 | 48 8d 05 ef ff ff ff // lea rax, [rel 0x0] 209 | 48 bb ?? ?? ?? ?? ?? ?? ?? ?? // mov rbx, xor_key 210 | 48 31 58 27 // xor [rax+0x27], rbx 211 | 48 2d f8 ff ff ff // sub rax, -8 212 | e2 f4 // loop 0x1b 213 | } 214 | condition: 215 | // Detect the encryption stub 216 | $encryption and 217 | // And validate the XOR'ed section is shellcode 218 | for any i in (1..#encryption) : ( 219 | uint8(@encryption[i] + 0x27) == 0xfc or // cld decrypted (e.g. memory dump) 220 | uint8(@encryption[i] + 0x13) ^ uint8(@encryption[i] + 0x27) == 0xfc // cld encrypted (i.e. 
pre-execution) 221 | ) 222 | } 223 | 224 | rule mal_metasploit_shellcode_windows_meterpreter_reverse_http_x64: RELEASED MALWARE BACKDOOR TA0011 T1095 { 225 | meta: 226 | id = "4jQXv3cD0UvsQfhgndgWy8" 227 | fingerprint = "77a24b255c5ef6068896176dd36b5b8ae9ce75d7d8affa3292be66f042f07f8a" 228 | version = "1.0" 229 | creation_date = "2023-03-01" 230 | first_imported = "2023-03-01" 231 | last_modified = "2023-03-01" 232 | status = "RELEASED" 233 | sharing = "TLP:WHITE" 234 | source = "THIEBAUT.DEV" 235 | author = "Maxime THIEBAUT (@0xThiebaut)" 236 | description = "Detects Metasploit import-hashes from the windows/x64/meterpreter/reverse_http payload" 237 | category = "MALWARE" 238 | malware = "BACKDOOR" 239 | mitre_att = "T1071" 240 | reference = "https://blog.nviso.eu/2021/09/02/anatomy-and-disruption-of-metasploit-shellcode/" 241 | hash = "2c4c41f21a5b8681a23b2a500b844dc7c4ad5d3ec6c92c841a23f6068567326a" 242 | 243 | strings: 244 | $import = "wininet" fullword 245 | $imphashes_1 = { 246 | 4c 77 26 07 // kernel32.dll::LoadLibraryA 247 | [15-25] 248 | 3a 56 79 a7 // wininet.dll::InternetOpenA 249 | [40-60] 250 | 57 89 9f c6 // wininet.dll::InternetConnectA 251 | } 252 | $imphashes_2 = { 253 | eb 55 2e 3b // wininet.dll::HttpOpenRequestA 254 | [20-30] 255 | 2d 06 18 7b // wininet.dll::HttpSendRequestA 256 | [10-20] 257 | 44 f0 35 e0 // kernel32.dll::Sleep 258 | [25-40] 259 | 58 a4 53 e5 // kernel32.dll::VirtualAlloc 260 | [20-35] 261 | 12 96 89 e2 // wininet.dll::InternetReadFile 262 | } 263 | condition: 264 | all of them 265 | } 266 | 267 | rule mal_metasploit_shellcode_windows_meterpreter_reverse_http_x86: RELEASED MALWARE BACKDOOR TA0011 T1095 { 268 | meta: 269 | id = "70MTcX1QJqCy2yCgyLIa00" 270 | fingerprint = "acd46b57de80a4bbb074d11a7f7b5d2c5ee4f15a6f25080ddf63c976f813cb3d" 271 | version = "1.0" 272 | creation_date = "2023-03-01" 273 | first_imported = "2023-03-01" 274 | last_modified = "2023-03-01" 275 | status = "RELEASED" 276 | sharing = "TLP:WHITE" 277 | 
source = "THIEBAUT.DEV" 278 | author = "Maxime THIEBAUT (@0xThiebaut)" 279 | description = "Detects Metasploit import-hashes from the windows/meterpreter/reverse_http payload" 280 | category = "MALWARE" 281 | malware = "BACKDOOR" 282 | mitre_att = "T1071" 283 | reference = "https://blog.nviso.eu/2021/09/02/anatomy-and-disruption-of-metasploit-shellcode/" 284 | hash = "6675cdf56a8dbde5b5d745145ad41c7a717000d7dd03ac4baa88c8647733d0ab" 285 | 286 | strings: 287 | $LoadLibraryA = { 288 | 6E 65 74 00 // wini(net) 289 | [01-03] 290 | 77 69 6E 69 // (wini)net 291 | [01-05] 292 | 4C 77 26 07 // kernel32.dll::LoadLibraryA 293 | } 294 | $InternetOpenA = { 3a 56 79 a7 } // wininet.dll::InternetOpenA 295 | $imphashes = { 296 | 57 89 9f c6 // wininet.dll::InternetConnectA 297 | [15-25] 298 | eb 55 2e 3b // wininet.dll::HttpOpenRequestA 299 | [05-15] 300 | 2d 06 18 7b // wininet.dll::HttpSendRequestA 301 | [05-15] 302 | 44 f0 35 e0 // kernel32.dll::Sleep 303 | [20-30] 304 | 58 a4 53 e5 // kernel32.dll::VirtualAlloc 305 | [10-20] 306 | 12 96 89 e2 // wininet.dll::InternetReadFile 307 | [30-50] 308 | f0 b5 a2 56 // kernel32.dll::ExitProcess 309 | } 310 | condition: 311 | all of them 312 | } 313 | -------------------------------------------------------------------------------- /YARA/mal_syscall_hellshall.yar: -------------------------------------------------------------------------------- 1 | rule mal_syscall_hellshall: RELEASED MALWARE OBFUSCATOR TA0002 T1106 { 2 | meta: 3 | id = "okKC4Zt2kjWBvbcVqTf6F" 4 | fingerprint = "3770e9ec6fe18a9709ce7bc0cd8f454a94261eeb283496d4eb1b6c0781e92d69" 5 | version = "1.0" 6 | creation_date = "2023-04-11" 7 | first_imported = "2023-04-11" 8 | last_modified = "2023-04-11" 9 | status = "RELEASED" 10 | sharing = "TLP:WHITE" 11 | source = "THIEBAUT.DEV" 12 | author = "Maxime THIEBAUT (@0xThiebaut)" 13 | description = "Detects suspicious syscall extraction and indirect syscall used in HellsHall" 14 | category = "MALWARE" 15 | malware = "OBFUSCATOR" 16 | 
mitre_att = "T1106" 17 | reference = "https://github.com/Maldev-Academy/HellHall" 18 | hash = "b3dc5d08346a76c235ce29f0b4557abb0ef049c3cd7b676a615196a74dfbc5f9" 19 | 20 | strings: 21 | $convert = { 22 | 80 ?? 4c // cmp byte ptr [??], 4Ch 23 | 75 ?? // jnz ?? 24 | 80 ?? 01 8b // cmp byte ptr [??+1], 8Bh 25 | 75 ?? // jnz ?? 26 | 80 ?? 02 d1 // cmp byte ptr [??+2], 0D1h 27 | 75 ?? // jnz ?? 28 | 80 ?? 03 b8 // cmp byte ptr [??+3], 0B8h 29 | 75 ?? // jnz ?? 30 | 80 ?? 08 f6 // cmp byte ptr [??+8], 0F6h 31 | 75 ?? // jnz ?? 32 | 80 ?? 09 04 // cmp byte ptr [??+9], 4 33 | 75 ?? // jnz ?? 34 | 80 ?? 0a 25 // cmp byte ptr [??+0Ah], 25h 35 | 74 // jz ?? 36 | } 37 | $syscall = { 38 | 49 89 ca // mov r10, rcx 39 | 8b 44 24 ?? // mov eax, [rsp+dwNumber] 40 | ff 64 24 ?? // jmp [rsp+pSyscall] 41 | } 42 | condition: 43 | any of them 44 | } 45 | -------------------------------------------------------------------------------- /YARA/mal_syscall_hwsyscalls.yar: -------------------------------------------------------------------------------- 1 | rule mal_syscall_hwsyscalls: TESTING MALWARE OBFUSCATOR TA0002 T1106 { 2 | meta: 3 | id = "5R3sUrHeZZAeQe3gaAmWEL" 4 | fingerprint = "5b40b828a8026ee7910b362a4f94da97b866c9f08b6b577419f5d089c323a8a0" 5 | version = "1.0" 6 | creation_date = "2023-02-28" 7 | first_imported = "2023-02-28" 8 | last_modified = "2023-02-28" 9 | status = "TESTING" 10 | sharing = "TLP:WHITE" 11 | source = "THIEBAUT.DEV" 12 | author = "Maxime THIEBAUT (@0xThiebaut)" 13 | description = "Detects suspicious strings related to the HWSyscalls PoC by Mor Davidovich" 14 | category = "MALWARE" 15 | malware = "OBFUSCATOR" 16 | mitre_att = "T1106" 17 | reference = "https://github.com/Dec0ne/HWSyscalls/blob/ff832ed11a95092478eeebb3422fc35c7be7df31/Src/HWSyscalls.cpp" 18 | hash = "b27ee235a1caeeeecfc4c7023e894d08c1cbffcb86b4f315974217def617a0c7" 19 | 20 | strings: 21 | // Common data 22 | $FindRetGadget_Module_1 = "KERNEL32.DLL" fullword ascii 23 | $FindRetGadget_Module_2 = 
"kernelbase.dll" fullword ascii 24 | $FindRetGadget_bMask = "\x48\x83\xC4\x68\xC3" fullword ascii 25 | $SetMainBreakpoint_Module = "KERNEL32.DLL" fullword wide 26 | $SetMainBreakpoint_Symbol_1 = "GetThreadContext" fullword ascii 27 | $SetMainBreakpoint_Symbol_2 = "SetThreadContext" fullword ascii 28 | $SetMainBreakpoint_ContextFlags = {C7 84 24 ?? 00 00 00 10 00 10 00} // mov DWORD PTR [rsp+0x??],0x100010 29 | // Debug data 30 | $FindRetGadget_FindInModule_1 = "RET_GADGET in kernel32" fullword nocase 31 | $FindRetGadget_FindInModule_2 = "RET_GADGET in kernelbase" fullword nocase 32 | $HWSyscallExceptionHandler_1 = "HWSYSCALLS DEBUG" fullword nocase 33 | $HWSyscallExceptionHandler_2 = "PrepareSyscall Breakpoint Hit" fullword nocase 34 | $HWSyscallExceptionHandler_3 = "RET_GADGET (%#llx)" fullword nocase 35 | $HWSyscallExceptionHandler_4 = "Halos Gate" fullword nocase 36 | $HWSyscallExceptionHandler_5 = "PrepareSyscall" fullword nocase 37 | $HWSyscallExceptionHandlerOp_1 = "mov r10, rcx" fullword nocase 38 | $HWSyscallExceptionHandlerOp_2 = "mov rax, 0x%X" fullword nocase 39 | $InitHWSyscalls_FindRetGadget_1 = "ADD RSP,68;RET" fullword nocase 40 | $InitHWSyscalls_FindRetGadget_2 = "gadget in kernel32 or kernelbase" fullword nocase 41 | $InitHWSyscalls_FindRetGadget_3 = "InitHWSyscalls failed" fullword nocase 42 | condition: 43 | // Common data 44 | ( 45 | $FindRetGadget_bMask 46 | and any of ($FindRetGadget_Module_*) 47 | and all of ($SetMainBreakpoint_*) 48 | ) 49 | // Debug data 50 | or any of ($FindRetGadget_FindInModule_*) 51 | or any of ($InitHWSyscalls_*) 52 | or any of ($HWSyscallExceptionHandler_*) 53 | or all of ($HWSyscallExceptionHandlerOp_*) 54 | } 55 | -------------------------------------------------------------------------------- /YARA/mal_truebot.yar: -------------------------------------------------------------------------------- 1 | rule mal_truebot: TESTING MALWARE TA0002 T1027 T1204_002 { 2 | meta: 3 | id = "2snLTJeZ4eKhhGLfWNM6NV" 4 | fingerprint 
= "03f4fb857eaf63b4ce33611cce6c9f06e57180c122d28305bc7d7d2cb839ef27" 5 | version = "1.0" 6 | creation_date = "2023-05-25" 7 | first_imported = "2023-05-25" 8 | last_modified = "2023-05-25" 9 | status = "TESTING" 10 | sharing = "TLP:WHITE" 11 | source = "THEDFIRREPORT.COM" 12 | author = "Maxime THIEBAUT (@0xThiebaut)" 13 | description = "Detects strings commonly related to TrueBot functionality" 14 | category = "MALWARE" 15 | malware = "TRUEBOT" 16 | mitre_att = "T1204.002" 17 | reference = "https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/" 18 | hash = "717beedcd2431785a0f59d194e47970e9544fbf398d462a305f6ad9a1b1100cb" 19 | 20 | strings: 21 | $c2_params_1 = "n=%s&o=%s&a=%d&u=%s&p=%s&d=%s" fullword 22 | $c2_params_2 = "n=%s&l=%s" fullword 23 | $c2_id = "%08x-%08x" fullword 24 | $c2_status = "Not Found" fullword 25 | $c2_method = "POST " fullword 26 | $c2_proto = "HTTP/1.0" fullword 27 | $c2_header_host = "Host: " fullword 28 | $c2_header_ct = "Content-type: application/x-www-form-urlencoded" fullword 29 | $other_workgroup = "WORKGROUP" fullword 30 | $other_unknown = "UNKW" fullword 31 | $load_perms = "SeDebugPrivilege" fullword 32 | $load_library = "user32" fullword wide 33 | $load_import = "RtlCreateUserThread" fullword 34 | $cmd_del = "/c del" fullword wide 35 | 36 | condition: 37 | 13 of them 38 | } 39 | -------------------------------------------------------------------------------- /YARA/sus_nsis.yar: -------------------------------------------------------------------------------- 1 | rule sus_nsis_tampered_signature: TESTING SUSPICIOUS TA0005 T1027 T1027_005 { 2 | meta: 3 | id = "7tGWOPTZRLhRAMCf6cQC0" 4 | fingerprint = "082b47efe4dbb5ff515f2db759233fc39238bf4982aa0884b809232686c49531" 5 | version = "1.0" 6 | creation_date = "2023-06-01" 7 | first_imported = "2023-06-01" 8 | last_modified = "2023-06-01" 9 | status = "TESTING" 10 | sharing = "TLP:WHITE" 11 | source = "THEDFIRREPORT.COM" 12 | author = "Maxime THIEBAUT (@0xThiebaut)" 13 | description 
= "Detects a suspected Nullsoft Scriptable Install System (NSIS) executable with a tampered compiler signature" 14 | category = "TOOL" 15 | tool = "NSIS" 16 | mitre_att = "T1027.005" 17 | reference = "https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/" 18 | hash = "121a1f64fff22c4bfcef3f11a23956ed403cdeb9bdb803f9c42763087bd6d94e" 19 | 20 | strings: 21 | $brand_error = "NSIS Error" fullword 22 | $brand_description = "Nullsoft Install System" fullword 23 | $brand_name = "Nullsoft.NSIS" fullword 24 | $brand_url = "http://nsis.sf.net/NSIS_Error" fullword 25 | $code_get_module = { 26 | C1 E6 03 // shl esi, 3 27 | 8B BE ?? ?? ?? ?? // mov edi, Modules[esi] 28 | 57 // push edi ; lpModuleName 29 | FF 15 ?? ?? ?? ?? // call ds:GetModuleHandleA 30 | 85 C0 // test eax, eax 31 | 75 ?? // jnz ?? 32 | } 33 | $code_get_proc = { 34 | FF B6 ?? ?? ?? ?? // push Procedures[esi] 35 | 50 // push eax ; hModule 36 | FF 15 ?? ?? ?? ?? // call ds:__imp_GetProcAddress 37 | EB ?? // jmp ?? 38 | } 39 | $code_jump_table = { 40 | 8B 4D ?? // mov ecx, [ebp+??] 41 | 83 C1 ?? // add ecx, 0FFFFFF??h ; switch ?? cases 42 | 83 F9 ?? // cmp ecx, ??h 43 | 0F 87 ?? ?? 00 00 // ja ?? ; jumptable ?? default case, cases 65,66 44 | FF 24 8D ?? ?? ?? 00 // jmp ds:??[ecx*4] ; switch jump 45 | } 46 | $signature_1_00 = {EF BE AD DE 6E 73 69 73 69 6E 73 74 61 6C 6C 00} 47 | $signature_1_00_check = { 48 | 81 7D ?? EF BE AD DE // cmp [ebp+??], 0DEADBEEFh 49 | 75 ?? // jnz short ?? 50 | 81 7D ?? 61 6C 6C 00 // cmp [ebp+??], 06C6C61h 51 | 75 ?? // jnz short ?? 52 | 81 7D ?? 69 6E 73 74 // cmp [ebp+var_1C], 74736E69h 53 | 75 ?? // jnz short ?? 54 | 81 7D ?? 6E 73 69 73 // cmp [ebp+??], 7369736Eh 55 | 75 ?? // jnz ?? 56 | } 57 | $signature_1_1e = {ED BE AD DE 4E 75 6C 6C 53 6F 66 74 49 6E 73 74} 58 | $signature_1_1e_check = { 59 | 81 7D ?? ED BE AD DE // cmp [ebp+??], 0DEADBEEDh 60 | 75 ?? // jnz short ?? 61 | 81 7D ?? 49 6E 73 74 // cmp [ebp+??], 74736E49h 62 | 75 ?? // jnz short ?? 63 | 81 7D ?? 
53 6F 66 74 // cmp [ebp+var_1C], 74666F53h 64 | 75 ?? // jnz short ?? 65 | 81 7D ?? 4E 75 6C 6C // cmp [ebp+??], 6C6C754Eh 66 | 75 ?? // jnz ?? 67 | } 68 | $signature_1_30 = {EF BE AD DE 4E 75 6C 6C 53 6F 66 74 49 6E 73 74} 69 | $signature_1_30_check = { 70 | 81 7D ?? EF BE AD DE // cmp [ebp+??], 0DEADBEEFh 71 | 75 ?? // jnz short ?? 72 | 81 7D ?? 49 6E 73 74 // cmp [ebp+??], 74736E49h 73 | 75 ?? // jnz short ?? 74 | 81 7D ?? 53 6F 66 74 // cmp [ebp+var_1C], 74666F53h 75 | 75 ?? // jnz short ?? 76 | 81 7D ?? 4E 75 6C 6C // cmp [ebp+??], 6C6C754Eh 77 | 75 ?? // jnz ?? 78 | } 79 | $signature_1_60 = {EF BE AD DE 4E 75 6C 6C 73 6F 66 74 49 6E 73 74} 80 | $signature_1_60_check = { 81 | 81 7D ?? EF BE AD DE // cmp [ebp+??], 0DEADBEEFh 82 | 75 ?? // jnz short ?? 83 | 81 7D ?? 49 6E 73 74 // cmp [ebp+??], 74736E49h 84 | 75 ?? // jnz short ?? 85 | 81 7D ?? 73 6F 66 74 // cmp [ebp+var_1C], 74666F73h 86 | 75 ?? // jnz short ?? 87 | 81 7D ?? 4E 75 6C 6C // cmp [ebp+??], 6C6C754Eh 88 | 75 ?? // jnz ?? 
89 | } 90 | 91 | condition: 92 | uint16(0) == 0x5A4D and (3 of ($brand_*) or 2 of ($code_*)) and none of ($signature_*) 93 | } 94 | -------------------------------------------------------------------------------- /YARA/sus_pe.yar: -------------------------------------------------------------------------------- 1 | import "pe" 2 | 3 | rule sus_pe_free_without_allocation: TESTING SUSPICIOUS TA0005 T1027 T1027_007 { 4 | meta: 5 | id = "5BqhLNZUKDAagE3Pf0GHSf" 6 | fingerprint = "7b6b4edcc9349c23ff837084934c15034888c8dd744a5cb32bf662802bdc822b" 7 | version = "1.1" 8 | creation_date = "2023-05-13" 9 | first_imported = "2023-05-13" 10 | last_modified = "2023-05-13" 11 | status = "TESTING" 12 | sharing = "TLP:WHITE" 13 | source = "THIEBAUT.DEV" 14 | author = "Maxime THIEBAUT (@0xThiebaut)" 15 | description = "Detects an executable importing functions to free memory without importing allocation functions, often indicative of dynamic import resolution" 16 | category = "INFO" 17 | mitre_att = "T1027.007" 18 | 19 | condition: 20 | pe.number_of_imports <= 3 // Restrict to low-import executables 21 | and (pe.imports("kernel32.dll", "VirtualFree") or pe.imports("kernel32.dll", "VirtualFreeEx")) 22 | and not ( 23 | pe.imports("gdi32.dll") 24 | or pe.imports("kernel32.dll", "VirtualAlloc") 25 | or pe.imports("kernel32.dll", "VirtualAlloc2") 26 | or pe.imports("kernel32.dll", "VirtualAlloc2FromApp") 27 | or pe.imports("kernel32.dll", "VirtualAllocEx") 28 | or pe.imports("kernel32.dll", "VirtualAllocExNuma") 29 | or pe.imports("kernel32.dll", "VirtualAllocFromApp") 30 | ) 31 | } 32 | -------------------------------------------------------------------------------- /YARA/sus_xll.yar: -------------------------------------------------------------------------------- 1 | import "pe" 2 | 3 | rule sus_xll_xlAutoOpen_empty: TESTING SUSPICIOUS TA0003 T1137 T1137_006 { 4 | meta: 5 | id = "IKlkRzFlrc1iw7JdK41Ul" 6 | fingerprint = "1d2ba344475b2ebafb1524ebc273f9219a56bfa136d7afb218b49f2c88ac8938" 
7 | version = "1.1" 8 | creation_date = "2023-05-13" 9 | first_imported = "2023-05-13" 10 | last_modified = "2023-05-13" 11 | status = "TESTING" 12 | sharing = "TLP:WHITE" 13 | source = "THIEBAUT.DEV" 14 | author = "Maxime THIEBAUT (@0xThiebaut)" 15 | description = "Detects an Excel XLL file exporting an empty xlAutoOpen function, often indicative of hidden logic inside DllMain" 16 | category = "INFO" 17 | mitre_att = "T1137.006" 18 | reference = "https://learn.microsoft.com/en-us/office/client-developer/excel/creating-xlls#turning-dlls-into-xlls-add-in-manager-interface-functions" 19 | reference = "https://learn.microsoft.com/en-us/office/client-developer/excel/xlautoopen" 20 | 21 | condition: 22 | pe.exports("xlAutoOpen") 23 | and ( 24 | uint8(pe.export_details[pe.exports_index("xlAutoOpen")].offset) == 0xC3 // ret 25 | or ( 26 | uint16(pe.export_details[pe.exports_index("xlAutoOpen")].offset) == 0xC033 // xor eax eax 27 | and uint8(pe.export_details[pe.exports_index("xlAutoOpen")].offset+2) == 0xC3 // ret 28 | ) 29 | ) 30 | } 31 | 32 | rule sus_xll_xlAutoClose_empty: TESTING SUSPICIOUS TA0003 T1137 T1137_006 { 33 | meta: 34 | id = "6of2wrJksv1WZcHOthgatn" 35 | fingerprint = "819b0f27d9d0ebdf486646a0d9e71e1cb12c4c3691094d8633e0c93a07cbc24b" 36 | version = "1.0" 37 | creation_date = "2023-05-13" 38 | first_imported = "2023-05-13" 39 | last_modified = "2023-05-13" 40 | status = "TESTING" 41 | sharing = "TLP:WHITE" 42 | source = "THIEBAUT.DEV" 43 | author = "Maxime THIEBAUT (@0xThiebaut)" 44 | description = "Detects an Excel XLL file exporting the optional xlAutoClose as an empty function" 45 | category = "INFO" 46 | mitre_att = "T1137.006" 47 | reference = "https://learn.microsoft.com/en-us/office/client-developer/excel/xlautoclose" 48 | 49 | condition: 50 | pe.exports("xlAutoClose") 51 | and ( 52 | uint8(pe.export_details[pe.exports_index("xlAutoClose")].offset) == 0xC3 // ret 53 | or ( 54 | uint16(pe.export_details[pe.exports_index("xlAutoClose")].offset) == 
0xC033 // xor eax eax 55 | and uint8(pe.export_details[pe.exports_index("xlAutoClose")].offset+2) == 0xC3 // ret 56 | ) 57 | ) 58 | } 59 | -------------------------------------------------------------------------------- /YARA/weird_png.yar: -------------------------------------------------------------------------------- 1 | rule weird_png_data_after_end: TESTING WEIRD T1027 T1027_003 { 2 | meta: 3 | id = "B6qzTNn5O3u7peuIgFwSO" 4 | fingerprint = "9aacd62b49ab6c51b9483329c699e72690da0152b6a191c950b4ae01dd9bc7e4" 5 | version = "1.2" 6 | creation_date = "2023-03-23" 7 | first_imported = "2023-03-23" 8 | last_modified = "2023-03-23" 9 | status = "TESTING" 10 | sharing = "TLP:WHITE" 11 | source = "THIEBAUT.DEV" 12 | author = "Maxime THIEBAUT (@0xThiebaut)" 13 | description = "Detects data suspiciously located after a PNG's end header" 14 | category = "INFO" 15 | mitre_att = "T1027.003" 16 | reference = "https://isc.sans.edu/diary/Windows+11+Snipping+Tool+Privacy+Bug+Inspecting+PNG+Files/29660" 17 | reference = "https://www.bleepingcomputer.com/news/microsoft/windows-11-snipping-tool-privacy-bug-exposes-cropped-image-content/" 18 | 19 | strings: 20 | $chunk_IEND = {00 00 00 00 49 45 4E 44} 21 | $types = /PLTE|IDAT|bKGD|cHRM|dSIG|eXIf|gAMA|hIST|iCCP|iTXt|pHYs|sBIT|sPLT|sRGB|sTER|tEXt|tIME|tRNS|zTXt/ 22 | 23 | condition: 24 | // A PNG starts with a header... 25 | uint32(0) == 0x474e5089 and uint32(4) == 0x0a1a0a0d 26 | // and is followed by the mandatory image header chunk. 27 | and uint32(8) == 0x0d000000 and uint32(12) == 0x52444849 28 | // An malformed PNG requires a... 29 | and for any i in (1..#types): ( 30 | // valid end-chunk... 31 | $chunk_IEND at (uint32be(@types[i]-4) + @types[i] + 0x08) and 32 | // with additional data afterwards. 
33 | (uint32be(@types[i]-4) + @types[i] + 0x14) < filesize 34 | ) 35 | } 36 | 37 | rule weird_png_acropalypse: TESTING WEIRD T1027 T1027_003 { 38 | meta: 39 | id = "3hzbpn9OXCHvKIyYNY0M29" 40 | fingerprint = "500cdc0437a0f12a10ad740186dcef7852c11ebc415efeecd2d1b4cf2d62ef60" 41 | version = "1.1" 42 | creation_date = "2023-03-23" 43 | first_imported = "2023-03-23" 44 | last_modified = "2023-03-23" 45 | status = "TESTING" 46 | sharing = "TLP:WHITE" 47 | source = "THIEBAUT.DEV" 48 | author = "Maxime THIEBAUT (@0xThiebaut)" 49 | description = "Detects a cropped PNG leaking original data" 50 | category = "INFO" 51 | mitre_att = "T1027.003" 52 | reference = "https://isc.sans.edu/diary/Windows+11+Snipping+Tool+Privacy+Bug+Inspecting+PNG+Files/29660" 53 | reference = "https://www.bleepingcomputer.com/news/microsoft/windows-11-snipping-tool-privacy-bug-exposes-cropped-image-content/" 54 | 55 | strings: 56 | $chunk_IEND = {00 00 00 00 49 45 4E 44} 57 | 58 | condition: 59 | // An acropalypse PNG has data after the first end-chuck as well as an end-chunk closing the file. 
60 | weird_png_data_after_end and $chunk_IEND at filesize-0x0C 61 | } 62 | -------------------------------------------------------------------------------- /YARA/weird_zip.yar: -------------------------------------------------------------------------------- 1 | rule weird_zip_high_compression_ratio: RELEASED WEIRD T1204 T1204_002 { 2 | meta: 3 | id = "5n0TXEMYZ3x4OEpXEa4PUm" 4 | fingerprint = "526a726a0bde1ab1fb5832fea08c150b49771f7dbea2bc65ea342bea59ef3d44" 5 | version = "1" 6 | creation_date = "2023-04-06" 7 | first_imported = "2023-04-06" 8 | last_modified = "2023-04-06" 9 | status = "RELEASED" 10 | sharing = "TLP:WHITE" 11 | source = "THIEBAUT.DEV" 12 | author = "Maxime THIEBAUT (@0xThiebaut)" 13 | description = "Detects single-entry ZIP files with a suspiciously high compression ratio (>100:1) and decompressed size above the 500MB AV limit" 14 | category = "INFO" 15 | mitre_att = "T1204.002" 16 | reference = "https://twitter.com/Cryptolaemus1/status/1633099154623803394" 17 | hash = "4d9a6dfca804989d40eeca9bb2d90ef33f3980eb07ca89bbba06d0ef4b37634b" 18 | 19 | condition: 20 | // Find ZIP files... 21 | uint32(filesize-22) == 0x06054b50 22 | // with only one entry on disk... 23 | and uint16(filesize-14) == 1 24 | // and only one entry in directory. 25 | and uint16(filesize-12) == 1 26 | // Where the directory... 27 | and uint32(uint32(filesize-6)) == 0x02014b50 28 | // has an uncompressed size larger than the AV limit... 29 | and uint32(uint32(filesize-6)+24) >= 500MB 30 | // while the compressed ration is high (>100:1 compression ratio) 31 | and uint32(uint32(filesize-6)+20) * 100 < uint32(uint32(filesize-6)+24) 32 | } 33 | --------------------------------------------------------------------------------
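The mal_metasploit_* rules match on ROR-13 API hashes and the two mal_loader_havoc_x64 rules on a seeded djb2-style loop; the Python below (an added example, not part of this rule set) recomputes both so the hard-coded constants can be verified or new APIs added to a pattern. The HAVOC_STUB bytes are constructed by filling in the wildcards of the rule's $hashing pattern, and the Metasploit algorithm follows the well-known block_api hashing (upper-cased UTF-16LE module name plus ASCII function name, both NUL-terminated).

```python
"""Recompute the API-hash constants in the mal_metasploit_* rules and the
seeded hash loop matched by mal_loader_havoc_x64 / mal_loader_custom_havoc_x64.
Added example, not part of the rule set; HAVOC_STUB is constructed here."""


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits` (the x86 ROR instruction)."""
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def metasploit_api_hash(module: str, function: str) -> int:
    """ROR-13 API hash as computed by Metasploit's block_api stub: the module
    name upper-cased as UTF-16LE (terminator included) and the function name
    as ASCII (NUL included), each folded with h = ror(h, 13) + byte, then
    summed modulo 2**32."""
    h_mod = 0
    for b in (module.upper() + "\x00").encode("utf-16-le"):
        h_mod = (ror32(h_mod, 13) + b) & 0xFFFFFFFF
    h_fn = 0
    for b in (function + "\x00").encode("ascii"):
        h_fn = (ror32(h_fn, 13) + b) & 0xFFFFFFFF
    return (h_mod + h_fn) & 0xFFFFFFFF


def yara_hex(value: int) -> str:
    """32-bit constant rendered little-endian as a YARA hex-string fragment,
    i.e. in the byte order the shellcode carries it."""
    return " ".join(f"{b:02x}" for b in value.to_bytes(4, "little"))


# (module, function) -> bytes exactly as they appear in the rules above.
RULE_CONSTANTS = {
    ("kernel32.dll", "LoadLibraryA"): "4c 77 26 07",
    ("kernel32.dll", "ExitProcess"): "f0 b5 a2 56",
    ("kernel32.dll", "VirtualAlloc"): "58 a4 53 e5",
    ("kernel32.dll", "CreateProcessA"): "79 cc 3f 86",
    ("ws2_32.dll", "WSAStartup"): "29 80 6b 00",
    ("ws2_32.dll", "WSASocketA"): "ea 0f df e0",
    ("ws2_32.dll", "connect"): "99 a5 74 61",
    ("wininet.dll", "InternetOpenA"): "3a 56 79 a7",
    ("ntdll.dll", "RtlExitUserThread"): "47 13 72 6f",
}


def verify_rule_constants() -> dict:
    """Map each (module, function) to True when the recomputed hash matches
    the bytes the rule carries; run this before adding an API to a pattern."""
    return {key: yara_hex(metasploit_api_hash(*key)) == pattern
            for key, pattern in RULE_CONSTANTS.items()}


def havoc_hash(name: str, seed: int = 0x1505) -> int:
    """The loop behind $hashing in mal_loader_havoc_x64: eax starts at the
    seed, then eax = eax * 0x21 + byte for every byte up to the NUL. movsx
    sign-extends, so bytes >= 0x80 contribute negative values."""
    h = seed
    for b in name.encode("latin-1"):
        h = (h * 33 + (b - 256 if b >= 0x80 else b)) & 0xFFFFFFFF
    return h


# Constructed instance of the $hashing pattern with its wildcards filled in:
# mov eax, 0x1505 / movsx edx, byte ptr [rcx] / inc rcx / test dl, dl /
# jz +7 / imul eax, eax, 0x21 / add eax, edx / jmp -17 / ret
HAVOC_STUB = bytes.fromhex("b805150000 0fbe11 48ffc1 84d2 7407 6bc021 01d0 ebef c3")


def havoc_seed(stub: bytes) -> int:
    """Read the imm32 of the leading `mov eax, imm32`, which is what
    mal_loader_custom_havoc_x64 does with uint32(@hashing[i]+1)."""
    if len(stub) < 5 or stub[0] != 0xB8:
        raise ValueError("stub does not start with mov eax, imm32")
    return int.from_bytes(stub[1:5], "little")


def classify_havoc_stub(stub: bytes) -> str:
    """'havoc-default' for the stock 0x1505 seed, 'havoc-custom' otherwise,
    mirroring the split between the two Havoc rules."""
    return "havoc-default" if havoc_seed(stub) == 0x1505 else "havoc-custom"
```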
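The weird_png_* and weird_zip_high_compression_ratio rules are pure offset arithmetic over the PNG chunk list and the ZIP end-of-central-directory record. The Python below (an added example, not part of this rule set) steps through the same fields over samples it constructs itself; the ZIP skeleton only carries header-stated sizes and is not an extractable archive, and unlike the PNG rule the chunk walk accepts any chunk type before IEND.

```python
"""Structural checks behind weird_png_data_after_end, weird_png_acropalypse
and weird_zip_high_compression_ratio. Added example, not part of the rule
set; the PNG and ZIP samples are constructed here."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
AV_LIMIT = 500 * 1024 * 1024   # YARA's 500MB: the scan ceiling the ZIP rule targets


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise a PNG chunk: big-endian length, type, data, CRC32(type + data)."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def classify_png(data: bytes) -> str:
    """Walk the chunk list with the rule's arithmetic (a chunk ends at
    @type - 4 + 4 + 4 + length + 4) and report 'not-png', 'clean',
    'data-after-end', 'acropalypse' (a second IEND closes the file) or
    'truncated'."""
    if data[:8] != PNG_SIG or data[8:16] != b"\x00\x00\x00\x0dIHDR":
        return "not-png"
    pos = 8
    while pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        end = pos + 12 + length            # length + type + data + CRC
        if ctype == b"IEND":
            if end >= len(data):
                return "clean"
            if data[-12:-4] == b"\x00\x00\x00\x00IEND":   # $chunk_IEND at filesize-0x0C
                return "acropalypse"
            return "data-after-end"
        pos = end
    return "truncated"


def sample_png(trailer: bytes = b"") -> bytes:
    """Minimal valid 1x1 greyscale PNG with optional bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")      # filter byte + one pixel
    return (PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat)
            + png_chunk(b"IEND", b"") + trailer)


def build_zip_skeleton(name: bytes, compressed: int, uncompressed: int) -> bytes:
    """Single-entry ZIP whose local header, central directory and EOCD state
    the given sizes; the payload is a placeholder, so it will not extract."""
    payload = b"\x00" * min(compressed, 16)
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 0, 8, 0, 0, 0,
                        compressed, uncompressed, len(name), 0) + name + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 0, 8, 0, 0,
                          0, compressed, uncompressed, len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def zip_ratio_suspicious(data: bytes, av_limit: int = AV_LIMIT) -> bool:
    """weird_zip_high_compression_ratio field by field: EOCD at filesize-22,
    one entry on disk (-14) and in total (-12), central directory at the
    offset stored at -6, compressed size at +20, uncompressed size at +24."""
    if len(data) < 22 or struct.unpack("<I", data[-22:-18])[0] != 0x06054B50:
        return False
    on_disk, total = struct.unpack("<HH", data[-14:-10])
    if on_disk != 1 or total != 1:
        return False
    cd = struct.unpack("<I", data[-6:-2])[0]
    if cd + 28 > len(data) or struct.unpack("<I", data[cd:cd + 4])[0] != 0x02014B50:
        return False
    compressed, uncompressed = struct.unpack("<II", data[cd + 20:cd + 28])
    return uncompressed >= av_limit and compressed * 100 < uncompressed
```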