├── README.md ├── .yara-ci.yml ├── LICENSE.txt ├── RMM_Inventory.csv ├── clamav └── indicator_rmm.ldb ├── scripts ├── mbcscbyar.py └── mbfyar.py ├── yara ├── indicator_rmm.yar ├── indicator_packed.yar └── indicator_office.yar └── zeek └── infostealer-email-addr.intel /README.md: -------------------------------------------------------------------------------- 1 | # Detection and Hunting Signatures 2 | 3 | A set of interrelated network and host detection rules with the aim of improving detection and hunting visibility and context. Where applicable, each Snort rule includes metadata indicating the corresponding Yara and ClamAV rules, and each Yara signature also includes metadata pointing to the corresponding Snort and ClamAV rules, and so on. 4 | 5 | ## Supported Rules 6 | 7 | Currently, Snort 3, Yara and ClamAV rules are supported. Additional signatures and formats are work in progress. 8 | 9 | ## Scripts 10 | 11 | Currently, the only scripts available are those used to aid in the auto-generation of hash-based and certificate-based Yara rules. 12 | -------------------------------------------------------------------------------- /.yara-ci.yml: -------------------------------------------------------------------------------- 1 | # Not FPs. 
2 | false_positives: 3 | ignore: 4 | - rule: "INDICATOR_EXE_Packed_ASPack" 5 | - rule: "INDICATOR_EXE_Packed_MPress" 6 | - rule: "INDICATOR_EXE_Packed_VMProtect" 7 | - rule: "INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture" 8 | - rule: "INDICATOR_EXE_Packed_SmartAssembly" 9 | - rule: "INDICATOR_EXE_Packed_Dotfuscator" 10 | - rule: "INDICATOR_SUSPICIOUS_EXE_Reversed" 11 | - rule: "INDICATOR_KB_CERT_43bb437d609866286dd839e1d00309f5" 12 | - rule: "INDICATOR_RTF_EXPLOIT_CVE_2017_11882_1" 13 | - rule: "INDICATOR_RTF_EXPLOIT_CVE_2017_11882_3" 14 | - rule: "INDICATOR_RTF_EXPLOIT_CVE_2017_11882_4" 15 | 16 | files: 17 | accept: 18 | - "yara/*.yar" 19 | -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | Copyright 2021 by ditekSHen (https://github.com/ditekshen/detection). 2 | 3 | The 2-Clause BSD License 4 | 5 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 6 | 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 7 | 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 8 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 9 | -------------------------------------------------------------------------------- /RMM_Inventory.csv: -------------------------------------------------------------------------------- 1 | App,CompanyName (Vendor),ProductName,FileDescription,InternalName,Yara,ClamAV,Domains,Snort AppID 2 | "FleetDeck Commander 3 | FleetDeck Commander Service","FleetDeck Inc 4 | FleetDeck, inc 5 | FleetDeck Inc.",FleetDeck Commander,FleetDeck Commander,"fleetdeck_installer 6 | fleetdeck_commander_svc.exe","INDICATOR_RMM_FleetDeck_Commander 7 | INDICATOR_RMM_FleetDeck_Commander_SVC 8 | INDICATOR_RMM_FleetDeck_Commander_Launcher 9 | INDICATOR_RMM_FleetDeck_CERT","INDICATOR.Win.RMM.FleetDeckCommander 10 | INDICATOR.Win.RMM.FleetDeckCommander-SVC 11 | INDICATOR.Win.RMM.FleetDeckCommander-Launcher","relay.dev1.fleetdeck.io 12 | mqtt.dev1.fleetdeck.io 13 | agentregister.dev1.fleetdeck.io 14 | relay.test.fleetdeck.io 15 | agentregister.test.fleetdeck.io 16 | relay.fleetdeck.io 17 | mqtt.fleetdeck.io 18 | agentregister.fleetdeck.io 19 | commanderupdate.fleetdeck.io 20 | *.fleetdeck.io 21 | commanderapi.fleetdeck.io 22 | commanderinstall.fleetdeck.io 23 | commanderupdate.fleetdeck.io 24 | fleetdm.com", 25 | FleetDeck Agent,FleetDeck Inc.,FleetDeck Agent,FleetDeck Agent,NA,"INDICATOR_RMM_FleetDeck_Agent 26 | INDICATOR_RMM_FleetDeck_CERT",INDICATOR.Win.RMM.FleetDeckAgent,"relay.dev1.fleetdeck.io 27 | mqtt.dev1.fleetdeck.io 28 | agentregister.dev1.fleetdeck.io 29 | relay.test.fleetdeck.io 
30 | agentregister.test.fleetdeck.io 31 | relay.fleetdeck.io 32 | mqtt.fleetdeck.io 33 | agentregister.fleetdeck.io 34 | commanderupdate.fleetdeck.io 35 | *.fleetdeck.io 36 | commanderapi.fleetdeck.io 37 | commanderinstall.fleetdeck.io 38 | commanderupdate.fleetdeck.io 39 | fleetdm.com", 40 | Mesh Agent,NA,MeshCentral Agent,MeshCentral Background Service Agent,NA,"INDICATOR_RMM_MeshAgent 41 | INDICATOR_RMM_MeshAgent_CERT",INDICATOR.Win.RMM.MeshAgent,, 42 | MeshCentral Server Installer,Open Source,MeshCentral Server Installer,MeshCentral Server Installer,,INDICATOR_RMM_MeshCentral_CERT,,, 43 | ConnectWise Control (formerly ScreenConnect),ScreenConnect Software,"ScreenConnect 44 | ScreenConnect Client*",NA,NA,"INDICATOR_RMM_ConnectWise_ScreenConnect 45 | INDICATOR_RMM_ConnectWise_ScreenConnect_CERT",INDICATOR.Win.RMM.ConnectWise-ScreenConnect,"*relay.screenconnect.com 46 | *demo.screenconnect.com 47 | *-web.screenconnect.com 48 | cloud.screenconnect.com", 49 | PDQConnect,PDQ.com,PDQConnectAgent,PDQ Connect Agent,NA,"INDICATOR_RMM_PDQConnect_Agent 50 | INDICATOR_RMM_PDQConnect_Agent_CERT",INDICATOR.Win.RMM.PDQConnectAgent,"app.pdq.com 51 | auth.pdq.com 52 | connect.pdq.com 53 | *.ingest.sentry.io 54 | pdqconnect.zendesk.com 55 | adminarsenal.zendesk.com 56 | help.pdq.com", 57 | Pulseway pcmontask,"MMSOFT Design 58 | MMSOFT Design Ltd.",Pulseway User Agent,Pulseway User Agent,pcmontask.exe,"INDICATOR_RMM_PulseWay_PCMonTaskSrv 59 | INDICATOR_RMM_PulseWay_CERT",INDICATOR.Win.RMM.PulseWay,computermonitor.mmsoft.ro, 60 | Pulseway pcmonitorsrv,"MMSOFT Design 61 | MMSOFT Design Ltd.",Pulseway,Pulseway Service,PCMonitorSrv.exe,"INDICATOR_RMM_PulseWay_PCMonTaskSrv 62 | INDICATOR_RMM_PulseWay_CERT",INDICATOR.Win.RMM.PulseWay,computermonitor.mmsoft.ro, 63 | Pulseway Remote Control,"MMSOFT Design 64 | MMSOFT Design Ltd.",Pulseway Remote Control,Pulseway Remote Control,RemoteDesktop.exe,"INDICATOR_RMM_PulseWay_RemoteDesktop 65 | 
INDICATOR_RMM_PulseWay_CERT",INDICATOR.Win.RMM.PulseWay,, 66 | Anydesk,"philandro Software GmbH 67 | AnyDesk Software GmbH",,,,,,, 68 | RemotePC,,,,,,,, 69 | Remote Utilities,,,,,,,, 70 | Kaseya,,,,,,,, 71 | NetSupport,,,,,,,, 72 | GoToMyPC,,,,,,,, 73 | Splashtop,,,,,,,, 74 | N-Able,,,,,,,, 75 | Atera,,,,,,,, 76 | Bomgar,,,,,,,, 77 | "TeamViewer 78 | TeamViewer Installer 79 | TeamViewer QS 80 | TeamViewer.app 81 | TeamViewerMeeting 82 | TeamViewerQS.app","TeamViewer 83 | TeamViewer GmbH 84 | TeamViewer Germany GmbH",,,,,,, 85 | Zoho Assist,,,,,,,, 86 | LogMeIn,,,,,,,, 87 | BeyondTrust (Bomgar),,,,,,,, 88 | Claroty,,,,,,,, 89 | PCAnywhere,,,,,,,, 90 | Xage,,,,,,,, 91 | XONA Systems,,,,,,,, 92 | Zscaler,,,,,,,, 93 | -------------------------------------------------------------------------------- /clamav/indicator_rmm.ldb: -------------------------------------------------------------------------------- 1 | ditekSHen.INDICATOR.Win.RMM.MeshAgent;Engine:51-255,Target:1;((0|1|2|3)&(4|5|6|7)>1)|(4&5&6&7);5c4d6573684167656e74::w;4d657368204167656e74::w;4d65736844756d6d79::w;4d65736843656e7472616c::w;494c696252656d6f74654c6f6767696e672e63;4167656e74436f72652f4d6573685365727665725f::w;636f6e736f6c652e6c6f672867657453484133383446696c65486173682870726f636573732e6578656350617468292e746f537472696e672827686578272929;7b226167656e74223a22 2 | ditekSHen.INDICATOR.Win.RMM.ConnectWise-ScreenConnect;Engine:51-255,Target:1;(0|1|2|3|4|5)>3;46494c45535953435245454e434f4e4e4543542e434f52452c2056455253494f4e3d::w;666565646261636b2e73637265656e636f6e6e6563742e636f6d2f466565646261636b2e617864::w;53637265656e436f6e6e65637420436c69656e74::w;53637265656e436f6e6e6563742e496e7374616c6c6572416374696f6e732153637265656e436f6e6e6563742e::w;53637265656e436f6e6e6563742e436f72652e706462;5c5c2e5c506970655c5465726d696e616c5365727665725c53797374656d45786563537276725c::w 3 | 
ditekSHen.INDICATOR.Win.RMM.FleetDeckAgent;Engine:51-255,Target:1;((0|1)&(2|3|4|5|6)>2)|(2&3&4&5&6);666c6565746465636b2e696f2f;6c6f616420466c6565744465636b206167656e74;72656d6f74654465736b746f7053657373696f6e4d75746578;6d61696e2e7669727475616c5465726d696e616c5761746368646f67;6d61696e2e6d65657452656d6f74654465736b746f70;7265706f2e73656e72692e73652f70726f746f74797065332f;6d61696e2e737663497063436c69656e74 4 | ditekSHen.INDICATOR.Win.RMM.FleetDeckCommander;Engine:51-255,Target:1;0&1&2&3;536f6674776172655c4d6963726f736f66745c466c6565744465636b20436f6d6d616e646572;7c466c6565744465636b20436f6d6d616e646572;666c6565746465636b2e696f2f70726f746f74797065332f;633a5c6167656e745c5f776f726b5c36365c735c 5 | ditekSHen.INDICATOR.Win.RMM.FleetDeckCommander-SVC;Engine:51-255,Target:1;(0|1|2|3)>2;666c6565746465636b666f726b2f6578656366756e636172677328;666c6565746465636b2e696f2f70726f746f74797065332f636f6d6d616e6465725f737663;70726f636565643a202a2e666c6565746465636b2e696f;5245472041444420484b45595f434c41535345535f524f4f545c2573202f56202255524c2050726f746f636f6c22202f54205245475f535a202f46 6 | ditekSHen.INDICATOR.Win.RMM.FleetDeckCommander-Launcher;Engine:51-255,Target:1;0&1;666c6565746465636b2e696f2f70726f746f74797065332f636f6d6d616e6465725f6c61756e63686572;466c6565744465636b20436f6d6d616e646572204c61756e63686572 7 | 
ditekSHen.INDICATOR.Win.RMM.PDQConnectAgent;Engine:51-255,Target:1;((0|1|2|3|4|5|6|7|8|9|10)>4)|((11&12&13&14&15)&(0|1|2|3|4|5|6|7|8|9|10));7369676e5f7064712e7273;782d7064712d6461746543726564656e7469616c3d282e2b3f292f;7064712d636f6e6e6563742d6167656e74;50445120436f6e6e656374204167656e74;504451436f6e6e6563744167656e74;504451436f6e6e6563744167656e747372635c6c6f676765722e7273;2d5044512d4b65792d496473557365722d4167656e74;5c5044515c504451436f6e6e6563744167656e745c;5c7064715f636f6e6e6563745f6167656e742e706462;7461736b5f6964735b5d50445120726f766572;6170702e7064712e636f6d;2f646576696365732f7265676973746572;2f646576696365732f736f636b65742f776562736f636b65743f6465766963655f69643d;2f646576696365732f7461736b73;2f646576696365732f617574682d6368616c6c656e6765;2f646576696365732f72656365697665722f55726c 8 | ditekSHen.INDICATOR.Win.RMM.PulseWay;Engine:51-255,Target:1;(0|1|2|3|4|5|6|7|8)>7;4d4d2e4d6f6e69746f722e;52444167656e7453657373696f6e53657474696e677356;436865636b466f724d61634f5352656d6f74654465736b746f70557064617465436f6d706c657465644576656e74;436f6e6669726d4167656e7453746172746564;47657453637265656e73686f74;556e6c6f616452656d6f74654465736b746f70446c6c73;4374726c416c7444656c65746550726f63;2437636663336238382d366463342d343966632d396630612d626639653931313361313464;636f6d70757465726d6f6e69746f722e6d6d736f66742e726f 9 | ditekSHen.INDICATOR.Win.RMM.PulseWay;Engine:51-255,Target:1;(0|1|2|3|4|5|6|7|8)>7;4d4d2e4d6f6e69746f722e;52444167656e7453657373696f6e53657474696e677356;436865636b466f724d61634f5352656d6f74654465736b746f70557064617465436f6d706c657465644576656e74;436f6e6669726d4167656e7453746172746564;47657453637265656e73686f74;556e6c6f616452656d6f74654465736b746f70446c6c73;4374726c416c7444656c65746550726f63;2437636663336238382d366463342d343966632d396630612d626639653931313361313464;636f6d70757465726d6f6e69746f722e6d6d736f66742e726f 10 | 
ditekSHen.INDICATOR.Win.RMM.ManageEngine-ZohoMeeting;Engine:51-255,Target:1;0&1&2&3&4&5&6&7;55454d53202d2052656d6f746520436f6e74726f6c::w;4167656e74486f6f6b2e646c6c::w;62696e5c436c69656e744175746848616e646c65722e646c6c::w;496e7374616c6c20686f6f6b2e2e2e2e::w;696e6469612e616476656e746e65742e636f6d2f6d6565742e7361733f6b3d;6463546370536f636b65743a3a;25732f25733f636c69656e7449643d25732673657373696f6e49643d257326636c69656e744e616d653d2573267469636b65743d257326636f6e6e656374696f6e49643d2573;2e5c656e67696e65735c6363676f73745c676f73745f 11 | ditekSHen.INDICATOR.Win.RMM.Atera;Engine:51-255,Target:1;(0&1&2&3&4)>2;534f4654574152455c4154455241204e6574776f726b735c416c7068614167656e74::w;416c706861436f6e74726f6c4167656e745c6f626a5c52656c656173655c41746572614167656e742e706462;416c706861436f6e74726f6c4167656e742e436c6f75644c6f67734d616e616765722b3c3e;4d6f6e69746f72696e672026204d616e6167656d656e74204167656e74206279204154455241::aw;6167656e742d6170692d7b307d2e61746572612e636f6d::w 12 | ditekSHen.INDICATOR.Win.RMM.SplashtopStreamer;Engine:51-255,Target:1;(0&1&2&3&4&5)>3;5c736c6176655c776f726b73706163655c4749545f57494e5f5352535f466f726d616c5c536f757263655c697269737365727665725c;536f6674776172655c53706c617368746f7020496e632e5c53706c617368746f70::w;2e6170692e73706c617368746f702e636f6d::w;726573746172746564207468652073747265616d65722e256e4170702076657273696f6e3a202531::w;53706c617368746f702d53706c617368746f702053747265616d65722d::w;5b52656d6f766553747265616d65725d2053656e64206d7367203220636c6f75642825643a25643a256429::w 13 | ditekSHen.INDICATOR.Win.RMM.AeroAdmin;Engine:51-255,Target:1;(0&1&2&3&4&5&6)>3;5c4165726f41646d696e::w;2e6165726f61646d696e2e636f6d::w;584165726f61646d696e417070526573746172746572::w;5c4e6574776f726b5c4165726f61646d696e53657276696365::w;4165726f41646d696e207b7d;464165726f41646d696e2e637070;504f5354202f73696d732f73696d735f6e65772e706870 14 | -------------------------------------------------------------------------------- /scripts/mbcscbyar.py: 
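#!/usr/bin/env python3

import os
import csv
import codecs
import argparse

from contextlib import closing

# requests is only needed for the download path (no -i given). Deferring the
# failure to the point where a download is attempted keeps local-file mode
# usable without the package and gives a clear message instead of a traceback.
try:
    import requests
except ImportError:
    requests = None

__author__ = "ditekSHen"
__copyright__ = "Copyright 2020, ditekShen"
__version__ = "1.0"
__reference__ = "https://github.com/ditekshen"

FILE_URL = "https://bazaar.abuse.ch/export/csv/cscb/"
# Seconds to wait on the remote feed before giving up. The original request
# had no timeout, so a stalled connection could block the script forever.
REQUEST_TIMEOUT = 60

# csv.reader options shared by the local-file and download paths.
CSV_READER_OPTIONS = dict(delimiter=',', quotechar='"', skipinitialspace=True)


def _rows_to_certs(reader, bad_data_message):
    """Collect certificate records from CSCB CSV rows.

    Comment rows (first cell starting with '#') and empty rows are skipped.
    The column positions (serial in column 1, thumbprint in 2, subject CN
    in 4, reason in 8) follow the CSCB export; they are not validated beyond
    the row being long enough.

    Args:
        reader: csv.reader (or any iterable of row lists) over CSCB data.
        bad_data_message: message printed before exiting when a data row has
            fewer columns than expected.

    Returns:
        list of dicts with keys ``serial_number``, ``thumbprint``,
        ``subject_cn`` and ``reason``; values are the untouched feed strings.

    Raises:
        SystemExit: when a data row is too short to be CSCB data.
    """
    cert_data = []
    try:
        for row in reader:
            # A blank line yields an empty row; the original indexed row[0]
            # and aborted on harmless trailing newlines as "not a CSV file".
            if not row or row[0].startswith('#'):
                continue
            cert_data.append({
                "serial_number": row[1],
                "thumbprint": row[2],
                "subject_cn": row[4],
                "reason": row[8],
            })
    except IndexError as err:
        print(bad_data_message)
        raise SystemExit(err)
    return cert_data


def parse_csv(infile=None):
    """Load CSCB certificate entries from a local CSV file or the live feed.

    Args:
        infile: path of a local CSCB CSV export. Relative paths are resolved
            against this script's directory (absolute paths are used as-is).
            When falsy, the feed is downloaded from FILE_URL instead.

    Returns:
        list of certificate dicts (see _rows_to_certs); empty when the feed
        answered with a non-200 status.

    Raises:
        SystemExit: on I/O errors, network errors, a missing ``requests``
            package in download mode, or rows that are not CSCB data.
    """
    if infile:
        infile = os.path.join(os.path.dirname(__file__), infile)
        try:
            with open(infile, 'r', encoding='utf-8') as csvfile:
                reader = csv.reader(csvfile, **CSV_READER_OPTIONS)
                return _rows_to_certs(reader, "Input file is potentially not a CSV file")
        except IOError as err:
            raise SystemExit(err)

    if requests is None:
        raise SystemExit("The 'requests' package is required to download the CSCB feed; use -i for a local file")

    cert_data = []
    try:
        with closing(requests.get(FILE_URL, stream=True, timeout=REQUEST_TIMEOUT)) as response:
            # Any status other than 200 yields no entries; main() then reports
            # "No certificate IOCs found".
            if response.status_code == 200:
                reader = csv.reader(codecs.iterdecode(response.iter_lines(), 'utf-8'), **CSV_READER_OPTIONS)
                cert_data = _rows_to_certs(reader, "Response data is potentially not CSV formatted")
    except requests.exceptions.RequestException as err:
        raise SystemExit(err)

    return cert_data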
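def _yara_escape(text):
    """Escape a feed string for use inside a YARA double-quoted literal.

    Feed values (subject CN, reason) are untrusted input; an unescaped
    backslash or double quote would break or alter the generated rule.
    """
    return text.replace("\\", "\\\\").replace('"', '\\"')


def _serial_to_yara(serial):
    """Format a hex serial the way pe.signatures[i].serial exposes it: lower-case
    byte pairs separated by colons (e.g. "0A1B" -> "0a:1b").

    An odd-length serial leaves a single trailing hex digit; assumed not to
    occur in the CSCB feed (unchanged from the original behaviour).
    """
    serial = serial.lower()
    return ':'.join(serial[i:i + 2] for i in range(0, len(serial), 2))


def write_yara(iocs, outfile):
    """Write one certificate-based YARA rule per CSCB entry to outfile.

    Args:
        iocs: list of dicts with keys serial_number, thumbprint, subject_cn
            and reason, as produced by parse_csv().
        outfile: path of the .yar file to create (overwritten if present).

    Raises:
        SystemExit: when outfile cannot be opened for writing. The original
            only printed a message and then failed on the unopened handle.
    """
    file_header = (
        "/*\n"
        "    Auto-generated certificate-based Yara rules from Abuse.ch MalwareBazar Code Signing Certificate Blocklist\n"
        "    Author: Automatically generated by MBCSCBYar (ditekSHen)\n"
        "    Reference: https://bazaar.abuse.ch/faq/#cscb\n"
        "    Reference: https://github.com/ditekshen\n"
        "*/\n\n"
    )

    rules = []
    for cert in iocs:
        # The serial doubles as the rule-name suffix, so it must stay hex.
        serial = cert["serial_number"].lower()
        rule = [
            "rule INDICATOR_KB_CERT_%s {\n" % serial,
            "    meta:\n",
            "        author = \"ditekSHen\"\n",
            "        description = \"Detects executables signed with stolen, revoked or invalid certificates\"\n",
            "        thumbprint = \"%s\"\n" % cert["thumbprint"].lower(),
            "        reason = \"%s\"\n" % _yara_escape(cert["reason"]),
            "        reference = \"https://bazaar.abuse.ch/faq/#cscb\"\n",
            "    condition:\n",
            "        uint16(0) == 0x5a4d and\n",
            "        for any i in (0..pe.number_of_signatures): (\n",
            "            pe.signatures[i].subject contains \"%s\" and\n" % _yara_escape(cert["subject_cn"]),
            "            pe.signatures[i].serial == \"%s\"\n" % _serial_to_yara(cert["serial_number"]),
            "        )\n",
            "}\n\n",
        ]
        rules.append(''.join(rule))

    try:
        # The context manager replaces the separate open()/close() calls and
        # releases the handle even if a write fails part-way.
        with open(outfile, 'w', encoding='utf-8') as fw:
            fw.write(file_header)
            fw.write('import "pe"\n\n')
            fw.write(''.join(rules))
    except IOError as err:
        print("Could not open file for writting output Yara rules file")
        raise SystemExit(err)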
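def main():
    """Command-line entry point: build certificate rules from a local CSCB CSV
    (-i) or from the live feed, and write them to -o (default certificates.yar).
    """
    usage_text = '''Example Usage:
    mbcscb_to_yara.py - Download CSCB CSV file from URL and write Yara rules file using default file name (defaults)
    mbcscb_to_yara.py -o name.yar - Download CSCB CSV file from URL and save generated Yara rules file using custom name
    mbcscb_to_yara.py -i cscb.csv - Read local CSCB CSV file and write Yara rules file using default file name
    mbcscb_to_yara.py -i cscb.csv -o name.yar - Read local CSCB CSV file and and save generated Yara rules file using custom name'''

    parser = argparse.ArgumentParser(
        description='Generate Yara rules from Abuse.ch MalwareBazar Code Signing Certificate Blocklist (CSCB)',
        epilog=usage_text, formatter_class=argparse.RawDescriptionHelpFormatter)
    parser.add_argument('-i', '--input', type=str, metavar='INPUT', required=False, action='store', help='Input CSCB CSV local file',)
    parser.add_argument('-o', '--output', type=str, metavar='OUTPUT', required=False, default='certificates.yar', help='Output Yara rules file name')
    args = parser.parse_args()

    cert_data = parse_csv(args.input)
    if cert_data:
        write_yara(cert_data, args.output)
    else:
        print("No certificate IOCs found, or something went wrong!")


if __name__ == "__main__":
    main()


# ---- /scripts/mbfyar.py ----
#!/usr/bin/env python3

import os
import csv
import argparse

__author__ = "ditekSHen"
__copyright__ = "Copyright 2020, ditekShen"
__version__ = "1.0"
__reference__ = "https://github.com/ditekshen"

# Substrings that identify executable samples in the MalwareBazar full dump:
# any of EXEC_MIME_MARKERS in the mime_type column (7) and any of
# EXEC_TYPE_MARKERS in the file_type column (6). The original wrote
# `("a" or "b" or "c") in x`, which Python evaluates as `"a" in x`, so only
# "dosexec"/"exe" rows were selected and dll/elf samples were dropped.
EXEC_MIME_MARKERS = ("dosexec", "executable", "exe")
EXEC_TYPE_MARKERS = ("exe", "dll", "elf")


def _is_executable_row(row):
    """True when both the mime_type (column 7) and file_type (column 6) cells
    contain one of the executable markers."""
    return (any(marker in row[7] for marker in EXEC_MIME_MARKERS)
            and any(marker in row[6] for marker in EXEC_TYPE_MARKERS))


def parse_csv(infile=None, hashtype='md5'):
    """Read executable samples from a MalwareBazar full CSV dump.

    Args:
        infile: path of the dump; relative paths are resolved against this
            script's directory (absolute paths are used as-is). When falsy,
            nothing is read.
        hashtype: accepted for interface compatibility; not used here (the
            hash type only matters in write_yara()).

    Returns:
        list of sample dicts with keys first_seen, md5, sha1, sha2, filetype,
        mimetype, signature, imphash and ssdeep — or None when infile is
        falsy (callers test ``if data and len(data) > 0``).

    Raises:
        SystemExit: on I/O errors or rows that are too short to be dump data.
    """
    if not infile:
        return None

    infile = os.path.join(os.path.dirname(__file__), infile)
    samples = []
    try:
        with open(infile, 'r', encoding='utf-8') as csvfile:
            reader = csv.reader(csvfile, delimiter=',', quotechar='"', skipinitialspace=True)
            try:
                for row in reader:
                    # Skip blank lines (empty rows) and '#' comment rows.
                    if not row or row[0].startswith('#'):
                        continue
                    if not _is_executable_row(row):
                        continue
                    # Column positions follow the dump layout; sha2 is the
                    # SHA-256 column (1).
                    samples.append({
                        "first_seen": row[0],
                        "md5": row[2],
                        "sha1": row[3],
                        "sha2": row[1],
                        "filetype": row[6],
                        "mimetype": row[7],
                        "signature": row[8],
                        "imphash": row[11],
                        "ssdeep": row[12],
                    })
            except IndexError as err:
                print("Input file is potentially not a CSV file")
                raise SystemExit(err)
    except IOError as err:
        raise SystemExit(err)

    return samples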
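# Substrings of the file_type column that mark PE (MZ header) and ELF samples.
PE_TYPE_MARKERS = ("exe", "dll")
ELF_TYPE_MARKERS = ("elf",)

# hashtype -> (sample dict key, YARA hash-module function). "sha2" selects
# SHA-256, matching the sha256 column of the dump.
HASH_FUNCTIONS = {
    "md5": ("md5", "hash.md5"),
    "sha1": ("sha1", "hash.sha1"),
    "sha2": ("sha2", "hash.sha256"),
}


def _yara_escape(text):
    """Escape a dump string for a YARA double-quoted literal (backslash and
    double quote). Signature and ssdeep values come from the dump unchecked,
    so an unescaped quote would break or alter the generated rule."""
    return text.replace("\\", "\\\\").replace('"', '\\"')


def write_yara(samples, hashtype, minsize, maxsize, outfile):
    """Write one hash-based YARA rule per sample to outfile.

    Args:
        samples: list of sample dicts as returned by parse_csv().
        hashtype: 'md5', 'sha1' or 'sha2' (SHA-256); selects the hash used in
            both the rule name and the condition.
        minsize, maxsize: file size bounds in KB written into the condition.
        outfile: path of the .yar file to create (overwritten if present).

    Raises:
        ValueError: for an unsupported hashtype (the original reached an
            unbound local variable instead).
        SystemExit: when outfile cannot be opened for writing (the original
            printed a message and then failed on the unopened handle).
    """
    if hashtype not in HASH_FUNCTIONS:
        raise ValueError("unsupported hash type: %r" % (hashtype,))
    hash_key, hash_func = HASH_FUNCTIONS[hashtype]

    file_header = (
        "/*\n"
        "    Auto-generated hash-based Yara rules for executables (exe, dll, elf) from Abuse.ch MalwareBazar\n"
        "    Author: Automatically generated by MBYar (ditekSHen)\n"
        "    Reference: https://bazaar.abuse.ch/faq/\n"
        "    Reference: https://github.com/ditekshen\n"
        "*/\n\n"
    )

    rules = []
    for sample in samples:
        # YARA's hash functions return lower-case hex, so the comparison value
        # must be lower-case as well; the original lowered only the meta
        # fields, so an upper-case hash in the dump produced a dead rule.
        rule_hash = sample[hash_key].lower()
        rule = [
            "rule INDICATOR_MB_Hash_%s {\n" % rule_hash,
            "    meta:\n",
            "        author = \"ditekSHen\"\n",
            "        description = \"Detects malicious sample based on known hash from Abuse.ch MalwareBazar\"\n",
            "        first_seen = \"%s\"\n" % sample["first_seen"].lower(),
            "        signature = \"%s\"\n" % _yara_escape(sample["signature"]),
            "        md5 = \"%s\"\n" % sample["md5"].lower(),
            "        sha1 = \"%s\"\n" % sample["sha1"].lower(),
            "        sha2 = \"%s\"\n" % sample["sha2"].lower(),
        ]
        # Only a 32-character value is an MD5-sized imphash; anything else is
        # presumably a placeholder for "no imphash" and is left out.
        if len(sample["imphash"]) == 32:
            rule.append("        imphash = \"%s\"\n" % sample["imphash"].lower())
        rule.append("        ssdeep = \"%s\"\n" % _yara_escape(sample["ssdeep"]))
        rule.append("    condition:\n")
        # Header magic by file type: MZ for exe/dll, 0x7f 'E' for ELF. The
        # original tested `("exe" or "dll") in ...`, i.e. only "exe", so dll
        # samples got no magic check at all.
        filetype = sample["filetype"]
        if any(marker in filetype for marker in PE_TYPE_MARKERS):
            rule.append("        uint16(0) == 0x5a4d and\n")
        elif any(marker in filetype for marker in ELF_TYPE_MARKERS):
            rule.append("        uint16(0) == 0x457f and\n")
        rule.append("        filesize > {0}KB and filesize < {1}KB and\n".format(minsize, maxsize))
        rule.append("        %s(0,filesize) == \"%s\"\n" % (hash_func, rule_hash))
        rule.append("}\n\n")
        rules.append(''.join(rule))

    try:
        with open(outfile, 'w', encoding='utf-8') as fw:
            fw.write(file_header)
            fw.write('import "hash"\n\n')
            fw.write(''.join(rules))
    except IOError as err:
        print("Could not open file for writting output Yara rules file")
        raise SystemExit(err)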
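def main():
    """Command-line entry point: read a MalwareBazar full dump (-i) and write
    hash-based rules for its executable samples to -o (default hashes.yar).
    """
    usage_text = '''Example Usage:
    mbfyar.py -i full.csv - Generate Yara rules from MalwareBazar CSV file (defaults - hash: md5, minsize:100, maxsize:2000)
    mbfyar.py -H sha1 -i full.csv - Generate SHA1-based Yara rules from MalwareBazar CSV file
    mbyar.py -n 500 -x 5000 -i full.csv -o output.yar - Generate MD5-based Yara rules limiting matches to file size range to custom output file name'''

    parser = argparse.ArgumentParser(description='Generate Yara hash rules for executables (exe, dll, elf) from Absue.ch MalwareBazar', epilog=usage_text, formatter_class=argparse.RawDescriptionHelpFormatter)
    parser.add_argument('-H', '--hash', help='Hash type to generate Yara rules against', type=str, metavar="HASH", required=False, default="md5", choices=['md5', 'sha1', 'sha2'])
    parser.add_argument('-n', '--minsize', type=int, metavar='SIZE', required=False, action='store', default=100, help='Minimum file size in kilobytes (KB)')
    parser.add_argument('-x', '--maxsize', type=int, metavar='SIZE', required=False, action='store', default=2000, help='Maximum file size in kilobytes (KB)')
    parser.add_argument('-i', '--input', type=str, metavar='INPUT', required=True, action='store', help='Input full dump from Absue.ch MalwareBazar')
    parser.add_argument('-o', '--output', type=str, metavar='OUTPUT', required=False, default='hashes.yar', help='Output Yara rules file name')
    args = parser.parse_args()

    # The generated condition is "filesize > min and filesize < max", which can
    # never match when the bounds are inverted or negative; reject that here
    # instead of silently emitting rules that never fire.
    if args.minsize < 0 or args.maxsize <= args.minsize:
        parser.error("--maxsize must be greater than --minsize and both must be non-negative")

    data = parse_csv(args.input)
    if data:
        write_yara(data, args.hash, args.minsize, args.maxsize, args.output)
    else:
        print("No hash IOCs found, or something went wrong!")


if __name__ == "__main__":
    main()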
// /yara/indicator_rmm.yar
import "pe"

// RMM (remote monitoring and management) tooling indicators. These are
// inventory/visibility rules rather than malware verdicts: a hit means the
// product is present and should be checked against what the organisation has
// authorised (RMM_Inventory.csv maps each rule to its ClamAV counterpart and
// the product's domains).
//
// The *_CERT rules compare issuer/subject substrings of the Authenticode
// signer; they do not check that the signature or chain is valid, so any
// binary carrying a certificate with those names (including a self-signed
// one) satisfies them. Treat them as a signer hint, not as proof of origin.

rule INDICATOR_RMM_MeshAgent {
    meta:
        author = "ditekSHen"
        description = "Detects MeshAgent. Review RMM Inventory"
        clamav1 = "INDICATOR.Win.RMM.MeshAgent"
        reference1 = "https://github.com/ditekshen/detection/blob/master/RMM_Inventory.csv"
        reference2 = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a"
        reference3 = "https://www.cisa.gov/sites/default/files/2023-06/Guide%20to%20Securing%20Remote%20Access%20Software_clean%20Final_508c.pdf"
        reference4 = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
    strings:
        // $x*: product-name markers. $s*: fragments of the agent's embedded
        // script/runtime, weaker on their own and therefore weighted lower.
        $x1 = "\\MeshAgent" wide
        $x2 = "Mesh Agent" wide
        $x3 = "MeshDummy" wide
        $x4 = "MeshCentral" wide
        $x5 = "ILibRemoteLogging.c" ascii
        $x6 = "AgentCore/MeshServer_" wide
        $s1 = "var _tmp = 'Detected OS: ' + require('os').Name;" ascii
        $s2 = "console.log(getSHA384FileHash(process.execPath).toString('hex'))" ascii
        $s3 = "ScriptContainer.Create(): Error spawning child process, using [%s]" fullword ascii
        $s4 = "{\"agent\":\"" ascii
        $s6 = "process.versions.commitHash" fullword ascii
        $s7 = "console.log('Error Initializing script from Zip file');process._exit();" fullword ascii
    condition:
        // MZ header, then three tiers of evidence. NOTE(review): there is no
        // $s5, so "6 of ($s*)" means every $s string must hit — confirm that
        // is intended rather than a leftover from a removed string.
        uint16(0) == 0x5a4d and (3 of ($x*) or (1 of ($x*) and 3 of ($s*)) or 6 of ($s*))
}

rule INDICATOR_RMM_MeshAgent_CERT {
    meta:
        author = "ditekSHen"
        description = "Detects Mesh Agent by (default) certificate. Review RMM Inventory"
        reference1 = "https://github.com/ditekshen/detection/blob/master/RMM_Inventory.csv"
        reference2 = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a"
        reference3 = "https://www.cisa.gov/sites/default/files/2023-06/Guide%20to%20Securing%20Remote%20Access%20Software_clean%20Final_508c.pdf"
        reference4 = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
    condition:
        // Issuer prefix of what is presumably the server-generated MeshCentral
        // root CA (hence "default" certificate); no subject check.
        uint16(0) == 0x5a4d and
        for any i in (0..pe.number_of_signatures): (
            pe.signatures[i].issuer contains "MeshCentralRoot-"
        )
}

// Disabled rule kept for reference. RMM_Inventory.csv still lists
// INDICATOR_RMM_MeshCentral_CERT for "MeshCentral Server Installer"; the
// issuer/subject pair below ("Open Source Developer") is a generic
// certificate profile, which is presumably why it was commented out.
/*
rule INDICATOR_RMM_MeshCentral_CERT {
    meta:
        author = "ditekSHen"
        description = "Detects Mesh Central by (default) certificate. Review RMM Inventory"
        reference1 = "https://github.com/ditekshen/detection/blob/master/RMM_Inventory.csv"
        reference2 = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a"
        reference3 = "https://www.cisa.gov/sites/default/files/2023-06/Guide%20to%20Securing%20Remote%20Access%20Software_clean%20Final_508c.pdf"
        reference4 = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
    condition:
        uint16(0) == 0x5a4d and
        for any i in (0..pe.number_of_signatures): (
            pe.signatures[i].issuer contains "Unizeto Technologies S.A." and
            pe.signatures[i].subject contains "Open Source Developer"
        )
}
*/

rule INDICATOR_RMM_ConnectWise_ScreenConnect {
    meta:
        author = "ditekSHen"
        description = "Detects ConnectWise Control (formerly ScreenConnect). Review RMM Inventory"
        clamav1 = "INDICATOR.Win.RMM.ConnectWise-ScreenConnect"
        reference1 = "https://github.com/ditekshen/detection/blob/master/RMM_Inventory.csv"
        reference2 = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a"
        reference3 = "https://www.cisa.gov/sites/default/files/2023-06/Guide%20to%20Securing%20Remote%20Access%20Software_clean%20Final_508c.pdf"
        reference4 = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
    strings:
        $s1 = "FILESYSCREENCONNECT.CORE, VERSION=" wide
        $s2 = "feedback.screenconnect.com/Feedback.axd" wide
        $s3 = /ScreenConnect (Software|Client)/ wide
        $s4 = "ScreenConnect.InstallerActions!ScreenConnect." wide
        $s5 = "\\\\.\\Pipe\\TerminalServer\\SystemExecSrvr\\" wide
        $s6 = "\\jmorgan\\Source\\cwcontrol\\Custom\\DotNetRunner\\" wide
        // NOTE(review): $s7 is a short, generic token; together with "3 of
        // them" it lowers the bar for files that merely mention the product.
        $s7 = "ScreenConnect." ascii
        $s8 = "\\ScreenConnect.Core.pdb" ascii
        $s9 = "relay.screenconnect.com" ascii
    condition:
        // 0x5a4d = MZ (PE); 0xcfd0 = first word of the OLE compound-file
        // header (D0 CF 11 E0), which covers MSI-packaged installers.
        (uint16(0) == 0x5a4d or uint16(0) == 0xcfd0) and 3 of them
}

rule INDICATOR_RMM_ConnectWise_ScreenConnect_CERT {
    meta:
        author = "ditekSHen"
        description = "Detects ConnectWise Control (formerly ScreenConnect) by (default) certificate. Review RMM Inventory"
        reference1 = "https://github.com/ditekshen/detection/blob/master/RMM_Inventory.csv"
        reference2 = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a"
        reference3 = "https://www.cisa.gov/sites/default/files/2023-06/Guide%20to%20Securing%20Remote%20Access%20Software_clean%20Final_508c.pdf"
        reference4 = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
    condition:
        uint16(0) == 0x5a4d and
        for any i in (0..pe.number_of_signatures): (
            pe.signatures[i].issuer contains "DigiCert" and
            pe.signatures[i].subject contains "Connectwise, LLC"
        )
}

rule INDICATOR_RMM_FleetDeck_Agent {
    meta:
        author = "ditekSHen"
        description = "Detects FleetDeck Agent. Review RMM Inventory"
        clamav1 = "INDICATOR.Win.RMM.FleetDeckAgent"
        reference1 = "https://github.com/ditekshen/detection/blob/master/RMM_Inventory.csv"
        reference2 = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a"
        reference3 = "https://www.cisa.gov/sites/default/files/2023-06/Guide%20to%20Securing%20Remote%20Access%20Software_clean%20Final_508c.pdf"
        reference4 = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
    strings:
        // Domain fragments plus "main.*" symbol names, which look like Go
        // function symbols of the agent binary (hence fullword).
        $s1 = "fleetdeck.io/" ascii
        $s2 = "load FleetDeck agent" ascii
        $s3 = ".dev1.fleetdeck.io" ascii
        $s4 = "remoteDesktopSessionMutex" ascii
        $s5 = "main.remoteDesktopWatchdog" fullword ascii
        $s6 = "main.virtualTerminalWatchdog" fullword ascii
        $s7 = "main.meetRemoteDesktop" fullword ascii
        $s8 = "repo.senri.se/prototype3/" ascii
        $s9 = "main.svcIpcClient" fullword ascii
        $s10 = "main.hookMqttLogging" fullword ascii
    condition:
        uint16(0) == 0x5a4d and 4 of them
}

rule INDICATOR_RMM_FleetDeck_Commander {
    meta:
        author = "ditekSHen"
        description = "Detects FleetDeck Commander. Review RMM Inventory"
        clamav1 = "INDICATOR.Win.RMM.FleetDeckCommander"
        reference1 = "https://github.com/ditekshen/detection/blob/master/RMM_Inventory.csv"
        reference2 = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a"
        reference3 = "https://www.cisa.gov/sites/default/files/2023-06/Guide%20to%20Securing%20Remote%20Access%20Software_clean%20Final_508c.pdf"
        reference4 = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
    strings:
        $s1 = "Software\\Microsoft\\FleetDeck Commander" ascii
        $s2 = "fleetdeck.io/prototype3/" ascii
        $s3 = "fleetdeck_commander_launcher.exe" ascii
        $s4 = "fleetdeck_commander_svc.exe" ascii
        $s5 = "|FleetDeck Commander" ascii
        // Build-agent path left in the binary; build-environment specific and
        // the most likely string to change between releases.
        $s6 = "c:\\agent\\_work\\66\\s\\" ascii
    condition:
        uint16(0) == 0x5a4d and 4 of them
}

rule INDICATOR_RMM_FleetDeck_Commander_SVC {
    meta:
        author = "ditekSHen"
        description = "Detects FleetDeck Commander SVC. Review RMM Inventory"
        clamav1 = "INDICATOR.Win.RMM.FleetDeckCommander-SVC"
        reference1 = "https://github.com/ditekshen/detection/blob/master/RMM_Inventory.csv"
        reference2 = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a"
        reference3 = "https://www.cisa.gov/sites/default/files/2023-06/Guide%20to%20Securing%20Remote%20Access%20Software_clean%20Final_508c.pdf"
        reference4 = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
    strings:
        $s1 = "fleetdeckfork/execfuncargs(" ascii
        $s2 = "REG ADD HKEY_CLASSES_ROOT\\%s /V \"URL Protocol\" /T REG_SZ /F" ascii
        $s3 = "proceed: *.fleetdeck.io" ascii
        $s4 = "fleetdeck.io/prototype3/commander_svc" ascii
        $s5 = "commanderupdate.fleetdeck.io" ascii
    condition:
        uint16(0) == 0x5a4d and 4 of them
}

rule INDICATOR_RMM_FleetDeck_Commander_Launcher {
    meta:
        author = "ditekSHen"
        description = "Detects FleetDeck Commander Launcher. Review RMM Inventory"
        clamav1 = "INDICATOR.Win.RMM.FleetDeckCommander-Launcher"
        reference1 = "https://github.com/ditekshen/detection/blob/master/RMM_Inventory.csv"
        reference2 = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a"
        reference3 = "https://www.cisa.gov/sites/default/files/2023-06/Guide%20to%20Securing%20Remote%20Access%20Software_clean%20Final_508c.pdf"
        reference4 = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
    strings:
        $s1 = "fleetdeck.io/prototype3/commander_launcher" ascii
        $s2 = "FleetDeck Commander Launcher" ascii
    condition:
        // Only two strings, so both are required.
        uint16(0) == 0x5a4d and all of them
}

rule INDICATOR_RMM_FleetDeck_CERT {
    meta:
        author = "ditekSHen"
        description = "Detects FleetDeck agent by (default) certificate. Review RMM Inventory"
        reference1 = "https://github.com/ditekshen/detection/blob/master/RMM_Inventory.csv"
        reference2 = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a"
        reference3 = "https://www.cisa.gov/sites/default/files/2023-06/Guide%20to%20Securing%20Remote%20Access%20Software_clean%20Final_508c.pdf"
        reference4 = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
    condition:
        // Either issuer name is accepted (COMODO CA is the pre-rebrand name
        // of Sectigo), combined with the vendor subject.
        uint16(0) == 0x5a4d and
        for any i in (0..pe.number_of_signatures): (
            (
                pe.signatures[i].issuer contains "Sectigo Limited" or
                pe.signatures[i].issuer contains "COMODO CA Limited"
            ) and

            pe.signatures[i].subject contains "FleetDeck Inc"
        )
}

// NOTE(review): RMM_Inventory.csv and clamav/indicator_rmm.ldb map this rule
// to INDICATOR.Win.RMM.PDQConnectAgent, but unlike the other rules its meta
// has no clamav1 entry — consider adding it for cross-reference consistency.
rule INDICATOR_RMM_PDQConnect_Agent {
    meta:
        author = "ditekSHen"
        description = "Detects PDQ Connect Agent. Review RMM Inventory"
        reference1 = "https://github.com/ditekshen/detection/blob/master/RMM_Inventory.csv"
        reference2 = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a"
        reference3 = "https://www.cisa.gov/sites/default/files/2023-06/Guide%20to%20Securing%20Remote%20Access%20Software_clean%20Final_508c.pdf"
        reference4 = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
    strings:
        // $api*: agent-to-backend URL paths; $s*: product names and Rust
        // source/pdb path fragments.
        $api1 = "/devices/register" ascii
        $api2 = "/devices/socket/websocket?device_id=" ascii
        $api3 = "/devices/tasks" ascii
        $api4 = "/devices/auth-challenge" ascii
        $api5 = "/devices/receiver/Url" ascii
        $s1 = "sign_pdq.rs" ascii
        $s2 = "x-pdq-dateCredential=(.+?)/" ascii
        $s3 = "pdq-connect-agent" ascii
        $s4 = "PDQ Connect Agent" ascii
        $s5 = "PDQConnectAgent" ascii
        $s6 = "PDQConnectAgentsrc\\logger.rs" ascii
        $s7 = "-PDQ-Key-IdsUser-Agent" ascii
        $s8 = "\\PDQ\\PDQConnectAgent\\" ascii
        $s9 = "\\pdq_connect_agent.pdb" ascii
// $s10/$s11 and the condition below close INDICATOR_RMM_PDQConnect_Agent; its header and $api1..$s9 precede this point.
        $s10 = "task_ids[]PDQ rover" ascii
        $s11 = "https://app.pdq.com/" ascii
    condition:
        // 0x5a4d = "MZ" (PE); 0xcfd0 = first two bytes of the OLE2/CFB header (the container MSI packages use).
        // Either four product strings, or three of the generic "/devices/..." API paths backed by at least one product string.
        (uint16(0) == 0x5a4d or uint16(0) == 0xcfd0) and (4 of ($s*) or (3 of ($api*) and 1 of ($s*)))
}

rule INDICATOR_RMM_PDQConnect_Agent_CERT {
    meta:
        author = "ditekSHen"
        description = "Detects PDQ Connect Agent by (default) certificate. Review RMM Inventory"
        reference1 = "https://github.com/ditekshen/detection/blob/master/RMM_Inventory.csv"
        reference2 = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a"
        reference3 = "https://www.cisa.gov/sites/default/files/2023-06/Guide%20to%20Securing%20Remote%20Access%20Software_clean%20Final_508c.pdf"
        reference4 = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
    condition:
        // NOTE(review): this matches on the issuer/subject DN text of any Authenticode signature the PE carries;
        // the signature is not validated here, so an expired, revoked or self-signed certificate with the same
        // names matches too. Treat a hit as "claims to be signed for PDQ" and confirm validity separately
        // (newer YARA releases expose pe.signatures[i].verified for that — check your version).
        // The range is inclusive, so i == number_of_signatures is one past the end; YARA evaluates that
        // out-of-range access as undefined (false), so it is harmless.
        uint16(0) == 0x5a4d and
        for any i in (0..pe.number_of_signatures): (
            pe.signatures[i].issuer contains "DigiCert, Inc." and
            pe.signatures[i].subject contains "PDQ.com Corporation"
        )
}

rule INDICATOR_RMM_PulseWay_PCMonTaskSrv {
    meta:
        author = "ditekSHen"
        description = "Detects Pulseway pcmontask and service user agent responsible for Remote Control, Screens View, Computer Lock, etc"
        clamav1 = "INDICATOR.Win.RMM.PulseWay"
        reference1 = "https://github.com/ditekshen/detection/blob/master/RMM_Inventory.csv"
        reference2 = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a"
        reference3 = "https://www.cisa.gov/sites/default/files/2023-06/Guide%20to%20Securing%20Remote%20Access%20Software_clean%20Final_508c.pdf"
        reference4 = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
    strings:
        // rule continues on the next line ($s1 modifier, $s2..$s9, condition)
        $s1 = "MM.Monitor."
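ascii // modifier of $s1 in INDICATOR_RMM_PulseWay_PCMonTaskSrv, whose header precedes this point
        $s2 = "RDAgentSessionSettingsV" ascii
        $s3 = "CheckForMacOSRemoteDesktopUpdateCompletedEvent" ascii
        $s4 = "ConfirmAgentStarted" ascii
        $s5 = "GetScreenshot" ascii
        $s6 = "UnloadRemoteDesktopDlls" ascii
        $s7 = "CtrlAltDeleteProc" ascii
        $s8 = "$7cfc3b88-6dc4-49fc-9f0a-bf9e9113a14d" ascii
        $s9 = "computermonitor.mmsoft.ro" ascii
    condition:
        // 0x5a4d = "MZ" (PE); 0xcfd0 = first two bytes of the OLE2/CFB header (the container MSI packages use).
        // Seven of nine strings are required, so the generic method names alone ($s4, $s5) cannot trigger it.
        (uint16(0) == 0x5a4d or uint16(0) == 0xcfd0) and 7 of them
}

rule INDICATOR_RMM_PulseWay_RemoteDesktop {
    meta:
        author = "ditekSHen"
        // Fixed typo in the description ("Rempte" -> "Remote"); this text is metadata only and does not affect matching.
        description = "Detects Pulseway Remote Desktop client"
        clamav1 = "INDICATOR.Win.RMM.PulseWay"
        reference1 = "https://github.com/ditekshen/detection/blob/master/RMM_Inventory.csv"
        reference2 = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a"
        reference3 = "https://www.cisa.gov/sites/default/files/2023-06/Guide%20to%20Securing%20Remote%20Access%20Software_clean%20Final_508c.pdf"
        reference4 = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
    strings:
        // $s1 is generic on its own; the condition needs 5 of 6, so it only adds weight next to the product-specific ones.
        $s1 = "RemoteControl" ascii
        $s2 = "MM.Monitor.RemoteDesktopClient." ascii
        $s3 = "MM.Monitor.RemoteControl" ascii
        $s4 = "RemoteDesktopClientUpdateInfo" ascii
        $s5 = "ShowRemoteDesktopEnabledSystemsOnly" ascii
        // GUID-style literal embedded in the binary
        $s6 = "$31f50968-d45c-49d6-ace9-ebc790855a51" ascii
    condition:
        // 0x5a4d = "MZ" (PE); 0xcfd0 = OLE2/CFB header prefix.
        (uint16(0) == 0x5a4d or uint16(0) == 0xcfd0) and 5 of them
}

rule INDICATOR_RMM_PulseWay_CERT {
    meta:
        author = "ditekSHen"
        // rule continues on the next line (rest of the description, references, certificate condition)
        description = "Detects PulseWay by (default) certificate. 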
Review RMM Inventory" 292 | reference1 = "https://github.com/ditekshen/detection/blob/master/RMM_Inventory.csv" 293 | reference2 = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a" 294 | reference3 = "https://www.cisa.gov/sites/default/files/2023-06/Guide%20to%20Securing%20Remote%20Access%20Software_clean%20Final_508c.pdf" 295 | reference4 = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf" 296 | condition: 297 | uint16(0) == 0x5a4d and 298 | for any i in (0..pe.number_of_signatures): ( 299 | pe.signatures[i].issuer contains "DigiCert, Inc." and 300 | pe.signatures[i].subject contains "MMSOFT Design Ltd." 301 | ) 302 | } 303 | 304 | rule INDICATOR_RMM_ManageEngine_ZohoMeeting { 305 | meta: 306 | author = "ditekSHen" 307 | description = "Detects ManageEngine Zoho Meeting (dc_rds.exe)" 308 | clamav1 = "INDICATOR.Win.RMM.ManageEngine-ZohoMeeting" 309 | reference1 = "https://github.com/ditekshen/detection/blob/master/RMM_Inventory.csv" 310 | reference2 = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a" 311 | reference3 = "https://www.cisa.gov/sites/default/files/2023-06/Guide%20to%20Securing%20Remote%20Access%20Software_clean%20Final_508c.pdf" 312 | reference4 = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf" 313 | strings: 314 | $s1 = "bin\\ClientAuthHandler.dll" wide 315 | $s2 = "AgentHook.dll" wide 316 | $s3 = "UEMS - Remote Control" wide 317 | $s4 = "Install hook...." 
wide 318 | $s5 = "india.adventnet.com/meet.sas?k=" ascii 319 | $s6 = "dcTcpSocket::" ascii 320 | $s7 = "%s/%s?clientId=%s&sessionId=%s&clientName=%s&ticket=%s&connectionId=%s" ascii 321 | $s8 = ".\\engines\\ccgost\\gost_" ascii 322 | condition: 323 | uint16(0) == 0x5a4d and 5 of them 324 | } 325 | 326 | /* 327 | rule INDICATOR_RMM_ManageEngine_CERT { 328 | meta: 329 | author = "ditekSHen" 330 | description = "Detects ManageEngine Zoho Meeting by (default) certificate. Review RMM Inventory" 331 | reference1 = "https://github.com/ditekshen/detection/blob/master/RMM_Inventory.csv" 332 | reference2 = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a" 333 | reference3 = "https://www.cisa.gov/sites/default/files/2023-06/Guide%20to%20Securing%20Remote%20Access%20Software_clean%20Final_508c.pdf" 334 | reference4 = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf" 335 | condition: 336 | uint16(0) == 0x5a4d and 337 | for any i in (0..pe.number_of_signatures): ( 338 | pe.signatures[i].issuer contains "Sectigo Limited" and 339 | pe.signatures[i].subject contains "ZOHO Corporation Private Limited" 340 | // and pe.signatures[i].serial == "00:d1:9d:b1:a5:42:ff:d3:d9:9b:83:20:8f:e9:e8:0f:e3" 341 | ) 342 | } 343 | */ 344 | 345 | rule INDICATOR_RMM_Atera { 346 | meta: 347 | author = "ditekSHen" 348 | description = "Detects Atera. 
Review RMM Inventory" 349 | clamav1 = "INDICATOR.Win.RMM.Atera" 350 | reference1 = "https://github.com/ditekshen/detection/blob/master/RMM_Inventory.csv" 351 | reference2 = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a" 352 | reference3 = "https://www.cisa.gov/sites/default/files/2023-06/Guide%20to%20Securing%20Remote%20Access%20Software_clean%20Final_508c.pdf" 353 | reference4 = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf" 354 | strings: 355 | $s1 = "SOFTWARE\\ATERA Networks\\AlphaAgent" wide 356 | $s2 = "Monitoring & Management Agent by ATERA" ascii wide 357 | $s3 = "agent-api-{0}.atera.com" wide 358 | $s4 = "agent-api.atera.com" wide 359 | $s5 = "acontrol.atera.com" wide 360 | $s6 = /Agent\/(PingReply|GetCommandsFallback|GetCommands|GetTime|GetEnvironmentStatus|GetRecurringPackages|AgentStarting|AcknowledgeCommands)/ wide 361 | $s7 = "\\AlphaControlAgent\\obj\\Release\\AteraAgent.pdb" ascii 362 | $s8 = "AteraWebAddress" ascii 363 | $s9 = "AlphaControlAgent.CloudLogsManager+<>" ascii 364 | condition: 365 | uint16(0) == 0x5a4d and 4 of them 366 | } 367 | 368 | rule INDICATOR_RMM_Atera_CERT { 369 | meta: 370 | author = "ditekSHen" 371 | description = "Detects Atera by certificate. 
Review RMM Inventory" 372 | clamav1 = "INDICATOR.Win.RMM.Atera" 373 | reference1 = "https://github.com/ditekshen/detection/blob/master/RMM_Inventory.csv" 374 | reference2 = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a" 375 | reference3 = "https://www.cisa.gov/sites/default/files/2023-06/Guide%20to%20Securing%20Remote%20Access%20Software_clean%20Final_508c.pdf" 376 | reference4 = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf" 377 | condition: 378 | uint16(0) == 0x5a4d and 379 | for any i in (0..pe.number_of_signatures): ( 380 | pe.signatures[i].issuer contains "DigiCert" and 381 | pe.signatures[i].subject contains "Atera Networks Ltd" 382 | ) 383 | } 384 | 385 | rule INDICATOR_RMM_SplashtopStreamer { 386 | meta: 387 | author = "ditekSHen" 388 | description = "Detects Splashtop Streamer. Review RMM Inventory" 389 | clamav1 = "INDICATOR.Win.RMM.SplashtopStreamer" 390 | reference1 = "https://github.com/ditekshen/detection/blob/master/RMM_Inventory.csv" 391 | reference2 = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a" 392 | reference3 = "https://www.cisa.gov/sites/default/files/2023-06/Guide%20to%20Securing%20Remote%20Access%20Software_clean%20Final_508c.pdf" 393 | reference4 = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf" 394 | strings: 395 | $s1 = "\\slave\\workspace\\GIT_WIN_SRS_Formal\\Source\\irisserver\\" ascii 396 | $s2 = ".api.splashtop.com" wide 397 | $s3 = "Software\\Splashtop Inc.\\Splashtop" wide 398 | $s4 = "restarted the streamer.%nApp version: %1" wide 399 | $s5 = "Splashtop-Splashtop Streamer-" wide 400 | $s6 = "[RemoveStreamer] Send msg 2 cloud(%d:%d:%d)" wide 401 | condition: 402 | uint16(0) == 0x5a4d and 4 of them 403 | } 404 | 405 | rule INDICATOR_RMM_SplashtopStreamer_CERT { 406 | meta: 407 | author = "ditekSHen" 408 | description = "Detects Splashtop Streamer by certificate. 
Review RMM Inventory" 409 | reference1 = "https://github.com/ditekshen/detection/blob/master/RMM_Inventory.csv" 410 | reference2 = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a" 411 | reference3 = "https://www.cisa.gov/sites/default/files/2023-06/Guide%20to%20Securing%20Remote%20Access%20Software_clean%20Final_508c.pdf" 412 | reference4 = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf" 413 | condition: 414 | uint16(0) == 0x5a4d and 415 | for any i in (0..pe.number_of_signatures): ( 416 | pe.signatures[i].issuer contains "DigiCert" and 417 | pe.signatures[i].subject contains "Splashtop Inc." 418 | ) 419 | } 420 | 421 | rule INDICATOR_RMM_AeroAdmin { 422 | meta: 423 | author = "ditekSHen" 424 | description = "Detects AeroAdmin. Review RMM Inventory" 425 | clamav1 = "INDICATOR.Win.RMM.AeroAdmin" 426 | reference1 = "https://github.com/ditekshen/detection/blob/master/RMM_Inventory.csv" 427 | reference2 = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a" 428 | reference3 = "https://www.cisa.gov/sites/default/files/2023-06/Guide%20to%20Securing%20Remote%20Access%20Software_clean%20Final_508c.pdf" 429 | reference4 = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf" 430 | strings: 431 | $s1 = "\\AeroAdmin" wide 432 | $s2 = ".aeroadmin.com" ascii wide 433 | $s3 = "XAeroadminAppRestarter" wide 434 | $s4 = "SYSTEM\\ControlSet001\\Control\\SafeBoot\\Network\\AeroadminService" wide 435 | $s5 = "AeroAdmin {}" ascii 436 | $s6 = "FAeroAdmin.cpp" fullword ascii 437 | $s7 = "Referer: http://900100.net" ascii 438 | $s8 = "POST /sims/sims_new.php" ascii 439 | $s9 = "aeroadmin.pdb" ascii 440 | condition: 441 | uint16(0) == 0x5a4d and 4 of them 442 | } 443 | 444 | rule INDICATOR_RMM_AeroAdmin_CERT { 445 | meta: 446 | author = "ditekSHen" 447 | description = "Detects AeroAdmin by certificate. 
Review RMM Inventory" 448 | clamav1 = "INDICATOR.Win.RMM.AeroAdmin" 449 | reference1 = "https://github.com/ditekshen/detection/blob/master/RMM_Inventory.csv" 450 | reference2 = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a" 451 | reference3 = "https://www.cisa.gov/sites/default/files/2023-06/Guide%20to%20Securing%20Remote%20Access%20Software_clean%20Final_508c.pdf" 452 | reference4 = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf" 453 | condition: 454 | uint16(0) == 0x5a4d and 455 | for any i in (0..pe.number_of_signatures): ( 456 | pe.signatures[i].issuer contains "GlobalSign" and ( 457 | pe.signatures[i].subject contains "Aeroadmin LLC" or 458 | pe.signatures[i].subject contains "@aeroadmin.com" 459 | ) 460 | ) 461 | } 462 | -------------------------------------------------------------------------------- /yara/indicator_packed.yar: -------------------------------------------------------------------------------- 1 | import "pe" 2 | 3 | rule INDICATOR_EXE_Packed_ConfuserEx { 4 | meta: 5 | author = "ditekSHen" 6 | description = "Detects executables packed with ConfuserEx Mod" 7 | snort2_sid = "930016-930018" 8 | snort3_sid = "930005-930006" 9 | strings: 10 | $s1 = "ConfuserEx " ascii 11 | $s2 = "ConfusedByAttribute" fullword ascii 12 | $c1 = "Confuser.Core " ascii wide 13 | $u1 = "Confu v" fullword ascii 14 | $u2 = "ConfuByAttribute" fullword ascii 15 | condition: 16 | uint16(0) == 0x5a4d and (all of ($s*) or all of ($c*) or all of ($u*)) 17 | } 18 | 19 | rule INDICATOR_EXE_Packed_ConfuserEx_Custom { 20 | meta: 21 | author = "ditekSHen" 22 | description = "Detects executables packed with ConfuserEx Custom; outside of GIT" 23 | strings: 24 | $s1 = { 43 6f 6e 66 75 73 65 72 45 78 20 76 [1-2] 2e [1-2] 2e [1-2] 2d 63 75 73 74 6f 6d } 25 | condition: 26 | uint16(0) == 0x5a4d and all of them 27 | } 28 | 29 | rule INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector { 30 | meta: 31 | author = 
"ditekSHen" 32 | description = "Detects executables packed with ConfuserEx Mod Beds Protector" 33 | snort2_sid = "930019-930024" 34 | snort3_sid = "930007-930008" 35 | strings: 36 | $s1 = "Beds Protector v" ascii 37 | $s2 = "Beds-Protector-v" ascii 38 | condition: 39 | uint16(0) == 0x5a4d and 1 of them 40 | } 41 | 42 | rule INDICATOR_EXE_Packed_ConfuserExMod_Trinity { 43 | meta: 44 | author = "ditekSHen" 45 | description = "Detects executables packed with ConfuserEx Mod Trinity Protector" 46 | snort2_sid = "930025-930030" 47 | snort3_sid = "930009-930010" 48 | strings: 49 | $s1 = "Trinity0-protecor|" ascii 50 | $s2 = "#TrinityProtector" fullword ascii 51 | $s3 = /Trinity\d-protector\|/ ascii 52 | condition: 53 | uint16(0) == 0x5a4d and 1 of them 54 | } 55 | 56 | rule INDICATOR_EXE_Packed_PS2EXE { 57 | meta: 58 | author = "ditekSHen" 59 | description = "Detects executables built or packed with PS2EXE" 60 | snort2_sid = "930004-930006" 61 | snort3_sid = "930001" 62 | strings: 63 | $s1 = "PS2EXE" fullword ascii 64 | $s2 = "PS2EXEApp" fullword ascii 65 | $s3 = "PS2EXEHost" fullword ascii 66 | $s4 = "PS2EXEHostUI" fullword ascii 67 | $s5 = "PS2EXEHostRawUI" fullword ascii 68 | condition: 69 | uint16(0) == 0x5a4d and 1 of them 70 | } 71 | 72 | rule INDICATOR_EXE_Packed_LSD { 73 | meta: 74 | author = "ditekSHen" 75 | description = "Detects executables built or packed with LSD packer" 76 | snort2_sid = "930058-930060" 77 | snort3_sid = "930021" 78 | strings: 79 | $s1 = "This file is packed with the LSD executable packer" ascii 80 | $s2 = "http://lsd.dg.com" ascii 81 | $s3 = "&V0LSD!$" fullword ascii 82 | condition: 83 | (uint16(0) == 0x5a4d or uint16(0)== 0x457f) and 1 of them 84 | } 85 | 86 | rule INDICATOR_EXE_Packed_AspireCrypt { 87 | meta: 88 | author = "ditekSHen" 89 | description = "Detects executables packed with AspireCrypt" 90 | snort2_sid = "930013-930015" 91 | snort3_sid = "930004" 92 | strings: 93 | $s1 = "AspireCrypt" fullword ascii 94 | $s2 = 
"aspirecrypt.net" ascii // value of $s2 in INDICATOR_EXE_Packed_AspireCrypt, whose header precedes this point
        $s3 = "protected by AspireCrypt" ascii
    condition:
        // 0x5a4d = "MZ"; any single marker is enough.
        uint16(0) == 0x5a4d and 1 of them
}

rule INDICATOR_EXE_Packed_Spices {
    meta:
        author = "ditekSHen"
        description = "Detects executables packed with 9Rays.Net Spices.Net Obfuscator."
        snort2_sid = "930001-930003"
        snort3_sid = "930000"
    strings:
        $s1 = "9Rays.Net Spices.Net" ascii
        $s2 = "protected by 9Rays.Net Spices.Net Obfuscator" ascii
    condition:
        uint16(0) == 0x5a4d and 1 of them
}

rule INDICATOR_JAVA_Packed_Allatori {
    meta:
        author = "ditekSHen"
        description = "Detects files packed with Allatori Java Obfuscator"
    strings:
        $s1 = "# Obfuscation by Allatori Obfuscator" ascii wide
    condition:
        // No file-type gate: the marker is looked for in any input (JAR/class members, text), in ASCII or UTF-16.
        all of them
}

rule INDICATOR_EXE_Packed_ASPack {
    meta:
        author = "ditekSHen"
        description = "Detects executables packed with ASPack"
        snort2_sid = "930007-930009"
        snort3_sid = "930002"
    // The byte-pattern variant is disabled; detection rests solely on a section literally named ".aspack".
    //strings:
    //    $s1 = { 00 00 ?? 2E 61 73 70 61 63 6B 00 00 }
    condition:
        uint16(0) == 0x5a4d and //all of them or
        for any i in (0 .. pe.number_of_sections) : (
            (
                pe.sections[i].name == ".aspack"
            )
        )
}

rule INDICATOR_EXE_Packed_Titan {
    meta:
        author = "ditekSHen"
        description = "Detects executables packed with Titan"
        snort2_sid = "930010-930012"
        snort3_sid = "930003"
    strings:
        // "\0\0?.titan\0\0" with one wildcard byte before the section name
        $s1 = { 00 00 ?? 2e 74 69 74 61 6e 00 00 }
    condition:
        // NOTE(review): `and` binds tighter than `or`, so this reads as
        //   (MZ and $s1) or (any section named ".titan")
        // i.e. the section branch is not gated by the MZ check. In practice pe.* is undefined for
        // non-PE input, so that branch cannot fire there, but explicit parentheses would make the
        // intended grouping unambiguous. The same shape recurs in the Enigma, MPress, Nate, VMProtect,
        // BoxedApp, eXPressor, RLPack and Themida rules of this file.
        uint16(0) == 0x5a4d and all of them or
        for any i in (0 .. pe.number_of_sections) : (
            (
                pe.sections[i].name == ".titan"
            )
        )
}

rule INDICATOR_EXE_Packed_aPLib {
    meta:
        author = "ditekSHen"
        // rule continues on the next line ($header pattern and condition)
        description = "Detects executables packed with aPLib."
161 | strings: 162 | $header = { 41 50 33 32 18 00 00 00 [0-35] 4D 38 5A 90 } 163 | condition: 164 | ((uint32(0) == 0x32335041 and uint32(24) == 0x905a384d) or (uint16(0) == 0x5a4d and $header )) 165 | } 166 | 167 | rule INDICATOR_EXE_Packed_LibZ { 168 | meta: 169 | author = "ditekSHen" 170 | description = "Detects executables built or packed with LibZ" 171 | snort2_sid = "930055-930057" 172 | snort3_sid = "930019-930020" 173 | strings: 174 | $s1 = "LibZ.Injected" fullword ascii 175 | $s2 = "{0:N}.dll" fullword wide 176 | $s3 = "asmz://(?[0-9a-fA-F]{32})/(?[0-9]+)(/(?[a-zA-Z0-9]*))?" fullword wide 177 | $s4 = "Software\\Softpark\\LibZ" fullword wide 178 | $s5 = "(AsmZ/{" wide 179 | $s6 = "asmz://" ascii 180 | $s7 = "GetRegistryDWORD" ascii 181 | $s8 = "REGISTRY_KEY_NAME" fullword ascii 182 | $s9 = "REGISTRY_KEY_PATH" fullword ascii 183 | $s10 = "InitializeDecoders" fullword ascii 184 | condition: 185 | uint16(0) == 0x5a4d and 5 of them 186 | } 187 | 188 | rule INDICATOR_EXE_Packed_Enigma { 189 | meta: 190 | author = "ditekSHen" 191 | description = "Detects executables packed with Enigma" 192 | snort2_sid = "930052-930054" 193 | snort3_sid = "930018" 194 | strings: 195 | $s1 = ".enigma0" fullword ascii 196 | $s2 = ".enigma1" fullword ascii 197 | $s3 = ".enigma2" fullword ascii 198 | $s4 = ".enigma3" fullword ascii 199 | condition: 200 | uint16(0) == 0x5a4d and 2 of them or 201 | for any i in (0 .. 
pe.number_of_sections) : ( // section-name branch of INDICATOR_EXE_Packed_Enigma, whose header and strings precede this point
            (
                pe.sections[i].name == ".enigma0" or
                pe.sections[i].name == ".enigma1" or
                pe.sections[i].name == ".enigma2" or
                pe.sections[i].name == ".enigma3"
            )
        )
}

rule INDICATOR_EXE_Python_Byte_Compiled {
    meta:
        author = "ditekSHen"
        description = "Detects python-byte compiled executables"
    strings:
        $s1 = "b64decode" ascii
        $s2 = "decompress" ascii
    condition:
        // 0x0a0df303 little-endian = bytes 03 F3 0D 0A, the CPython 2.7 .pyc magic. Python 3 bytecode
        // carries different magic values and is not covered by this rule. The size cap limits it to
        // small stub files that also reference base64 decoding and decompression.
        uint32(0) == 0x0a0df303 and filesize < 5KB and all of them
}

rule INDICATOR_MSI_EXE2MSI {
    meta:
        author = "ditekSHen"
        description = "Detects executables converted to .MSI packages using a free online converter."
        snort2_sid = "930061-930063"
        snort3_sid = "930022"
    strings:
        $winin = "Windows Installer" ascii
        $title = "Exe to msi converter free" ascii
    condition:
        // 0xe011cfd0 little-endian = bytes D0 CF 11 E0, the OLE2/CFB header that MSI packages use.
        uint32(0) == 0xe011cfd0 and ($winin and $title)
}

rule INDICATOR_EXE_Packed_MPress {
    meta:
        author = "ditekSHen"
        description = "Detects executables built or packed with MPress PE compressor"
        snort2_sid = "930031-930033"
        snort3_sid = "930011"
    strings:
        $s1 = ".MPRESS1" fullword ascii
        $s2 = ".MPRESS2" fullword ascii
    condition:
        // NOTE(review): `and` binds tighter than `or`: (MZ and 1 of them) or (section named .MPRESS1/.MPRESS2).
        // pe.* is undefined outside PE files, so the ungated section branch cannot fire there; parentheses
        // would still make the grouping explicit.
        uint16(0) == 0x5a4d and 1 of them or
        for any i in (0 .. pe.number_of_sections) : (
            (
                pe.sections[i].name == ".MPRESS1" or
                pe.sections[i].name == ".MPRESS2"
            )
        )
}

rule INDICATOR_EXE_Packed_Nate {
    meta:
        author = "ditekSHen"
        description = "Detects executables built or packed with Nate packer"
        snort2_sid = "930034-930036"
        snort3_sid = "930012"
    strings:
        // The leading '@' / '`' bytes are part of the literal as observed; fullword keeps them from matching inside longer names.
        $s1 = "@.nate0" fullword ascii
        $s2 = "`.nate1" fullword ascii
    condition:
        // Same precedence shape as INDICATOR_EXE_Packed_MPress above; the section loop continues on the next line.
        uint16(0) == 0x5a4d and 1 of them or
        for any i in (0 .. 
pe.number_of_sections) : ( 266 | ( 267 | pe.sections[i].name == ".nate0" or 268 | pe.sections[i].name == ".nate1" 269 | ) 270 | ) 271 | } 272 | 273 | rule INDICATOR_EXE_Packed_VMProtect { 274 | meta: 275 | author = "ditekSHen" 276 | description = "Detects executables packed with VMProtect." 277 | snort2_sid = "930049-930051" 278 | snort3_sid = "930017" 279 | strings: 280 | $s1 = ".vmp0" fullword ascii 281 | $s2 = ".vmp1" fullword ascii 282 | condition: 283 | uint16(0) == 0x5a4d and all of them or 284 | for any i in (0 .. pe.number_of_sections) : ( 285 | ( 286 | pe.sections[i].name == ".vmp0" or 287 | pe.sections[i].name == ".vmp1" 288 | ) 289 | ) 290 | } 291 | 292 | rule INDICATOR_EXE_DotNET_Encrypted { 293 | meta: 294 | author = "ditekSHen" 295 | description = "Detects encrypted or obfuscated .NET executables" 296 | strings: 297 | $s1 = "FromBase64String" fullword ascii 298 | $s2 = "ToCharArray" fullword ascii 299 | $s3 = "ReadBytes" fullword ascii 300 | $s4 = "add_AssemblyResolve" fullword ascii 301 | $s5 = "MemoryStream" fullword ascii 302 | $s6 = "CreateDecryptor" fullword ascii 303 | 304 | // 08 00 00 00 00 00 1e 01 00 01 00 54 02 16 WrapNonExceptionThrows 01 305 | $bytes1 = { 08 01 00 08 00 00 00 00 00 1e 01 00 01 00 54 02 306 | 16 57 72 61 70 4e 6f 6e 45 78 63 65 70 74 69 6f 307 | 6e 54 68 72 6f 77 73 01 } 308 | // 00 00 BSJB...v2.0.50727 00 00 00 00 05 00 309 | // 00 00 BSJB...v4.0.30319 00 00 00 00 05 00 310 | $bytes2 = { 00 00 42 53 4a 42 01 00 01 00 00 00 00 00 0c 00 311 | 00 00 76 3? 2e 3? 2e ?? ?? ?? ?? ?? 00 00 00 00 312 | 05 00 } 313 | // #Strings...#US...#GUID...#Blob 314 | $bytes3 = { 00 00 23 53 74 72 69 6e 67 73 00 00 00 00 [5] 00 315 | 00 00 23 55 53 00 [5] 00 00 00 23 47 55 49 44 00 316 | 00 00 [6] 00 00 23 42 6c 6f 62 00 00 00 } 317 | // .GetString.set_WorkingDirectory.WaitForExit.Close.Thread.System.Threading.Sleep.ToInt32.get_MainModule.ProcessModule.get_FileName.Split. 
318 | $bytes4 = { 00 47 65 74 53 74 72 69 6e 67 00 73 65 74 5f 57 319 | 6f 72 6b 69 6e 67 44 69 72 65 63 74 6f 72 79 00 320 | 57 61 69 74 46 6f 72 45 78 69 74 00 43 6c 6f 73 321 | 65 00 54 68 72 65 61 64 00 53 79 73 74 65 6d 2e 322 | 54 68 72 65 61 64 69 6e 67 00 53 6c 65 65 70 00 323 | 54 6f 49 6e 74 33 32 00 67 65 74 5f 4d 61 69 6e 324 | 4d 6f 64 75 6c 65 00 50 72 6f 63 65 73 73 4d 6f 325 | 64 75 6c 65 00 67 65 74 5f 46 69 6c 65 4e 61 6d 326 | 65 00 53 70 6c 69 74 00 } 327 | condition: 328 | uint16(0) == 0x5a4d and 3 of ($bytes*) and all of ($s*) 329 | } 330 | 331 | rule INDICATOR_PY_Packed_PyMinifier { 332 | meta: 333 | author = "ditekSHen" 334 | description = "Detects python code potentially obfuscated using PyMinifier" 335 | strings: 336 | $s1 = "exec(lzma.decompress(base64.b64decode(" 337 | condition: 338 | (uint32(0) == 0x6f706d69 or uint16(0) == 0x2123 or uint16(0) == 0x0a0d or uint16(0) == 0x5a4d) and all of them 339 | } 340 | 341 | rule INDICATOR_EXE_Packed_BoxedApp { 342 | meta: 343 | author = "ditekSHen" 344 | description = "Detects executables packed with BoxedApp" 345 | snort2_sid = "930037-930042" 346 | snort3_sid = "930013-930014" 347 | strings: 348 | $s1 = "BoxedAppSDK_HookFunction" fullword ascii 349 | $s2 = "BoxedAppSDK_StaticLib.cpp" ascii 350 | $s3 = "embedding BoxedApp into child processes: %s" ascii 351 | $s4 = "GetCommandLineA preparing to intercept" ascii 352 | condition: 353 | uint16(0) == 0x5a4d and 2 of them or 354 | for any i in (0 .. 
pe.number_of_sections) : ( 355 | ( 356 | pe.sections[i].name contains ".bxpck" 357 | ) 358 | ) 359 | } 360 | 361 | rule INDICATOR_EXE_Packed_eXPressor { 362 | meta: 363 | author = "ditekSHen" 364 | description = "Detects executables packed with eXPressor" 365 | snort2_sid = "930043-930048" 366 | snort3_sid = "930015-930016" 367 | strings: 368 | $s1 = "eXPressor_InstanceChecker_" fullword ascii 369 | $s2 = "This application was packed with an Unregistered version of eXPressor" ascii 370 | $s3 = ", please visit www.cgsoftlabs.ro" ascii 371 | $s4 = /eXPr-v\.\d+\.\d+/ ascii 372 | condition: 373 | uint16(0) == 0x5a4d and 2 of them or 374 | for any i in (0 .. pe.number_of_sections) : ( 375 | ( 376 | pe.sections[i].name contains ".ex_cod" 377 | ) 378 | ) 379 | } 380 | 381 | rule INDICATOR_EXE_Packed_MEW { 382 | meta: 383 | author = "ditekSHen" 384 | description = "Detects executables packed with MEW" 385 | condition: 386 | uint16(0) == 0x5a4d and 387 | for any i in (0 .. pe.number_of_sections) : ( 388 | ( 389 | pe.sections[i].name == "MEW" or 390 | pe.sections[i].name == "\x02\xd2u\xdb\x8a\x16\xeb\xd4" 391 | ) 392 | ) 393 | } 394 | 395 | rule INDICATOR_EXE_Packed_RLPack { 396 | meta: 397 | author = "ditekSHen" 398 | description = "Detects executables packed with RLPACK" 399 | snort2_sid = "930064-930066" 400 | snort3_sid = "930023" 401 | strings: 402 | $s1 = ".packed" fullword ascii 403 | $s2 = ".RLPack" fullword ascii 404 | condition: 405 | uint16(0) == 0x5a4d and all of them or 406 | for any i in (0 .. 
pe.number_of_sections) : ( 407 | ( 408 | pe.sections[i].name == ".RLPack" 409 | ) 410 | ) 411 | } 412 | 413 | rule INDICATOR_EXE_Packed_Cassandra { 414 | meta: 415 | author = "ditekSHen" 416 | description = "Detects executables packed with Cassandra/CyaX" 417 | strings: 418 | $s1 = "AntiEM" fullword ascii wide 419 | $s2 = "AntiSB" fullword ascii wide 420 | $s3 = "Antis" fullword ascii wide 421 | $s4 = "XOR_DEC" fullword ascii wide 422 | $s5 = "StartInject" fullword ascii wide 423 | $s6 = "DetectGawadaka" fullword ascii wide 424 | $c1 = "CyaX-Sharp" ascii wide 425 | $c2 = "CyaX_Sharp" ascii wide 426 | $c3 = "CyaX-PNG" ascii wide 427 | $c4 = "CyaX_PNG" ascii wide 428 | $pdb = "\\CyaX\\obj\\Debug\\CyaX.pdb" ascii wide 429 | condition: 430 | (uint16(0) == 0x5a4d and (4 of ($s*) or 2 of ($c*) or $pdb)) or (7 of them) 431 | } 432 | 433 | rule INDICATOR_EXE_Packed_Themida { 434 | meta: 435 | author = "ditekSHen" 436 | description = "Detects executables packed with Themida" 437 | snort2_sid = "930067-930069" 438 | snort3_sid = "930024" 439 | strings: 440 | $s1 = ".themida" fullword ascii 441 | condition: 442 | uint16(0) == 0x5a4d and all of them or 443 | for any i in (0 .. pe.number_of_sections) : ( 444 | ( 445 | pe.sections[i].name == ".themida" 446 | ) 447 | ) 448 | } 449 | 450 | rule INDICATOR_EXE_Packed_SilentInstallBuilder { 451 | meta: 452 | author = "ditekSHen" 453 | description = "Detects executables packed with Silent Install Builder" 454 | snort2_sid = "930070-930072" 455 | snort3_sid = "930025" 456 | strings: 457 | $s1 = "C:\\Users\\Operations\\Source\\Workspaces\\Sib\\Sibl\\Release\\Sibuia.pdb" fullword ascii 458 | $s2 = "->mb!Silent Install Builder Demo Package." 
fullword wide 459 | condition: 460 | uint16(0) == 0x5a4d and 1 of them 461 | } 462 | 463 | rule INDICATOR_EXE_Packed_NyanXCat_CSharpLoader { 464 | meta: 465 | author = "ditekSHen" 466 | description = "Detects .NET executables utilizing NyanX-CAT C# Loader" 467 | snort2_sid = "930073-930075" 468 | snort3_sid = "930026" 469 | strings: 470 | $s1 = { 00 50 72 6f 67 72 61 6d 00 4c 6f 61 64 65 72 00 4e 79 61 6e 00 } 471 | condition: 472 | uint16(0) == 0x5a4d and all of them 473 | } 474 | 475 | rule INDICATOR_EXE_Packed_Loader { 476 | meta: 477 | author = "ditekSHen" 478 | description = "Detects packed executables observed in Molerats" 479 | strings: 480 | $l1 = "loaderx86.dll" fullword ascii 481 | $l2 = "loaderx86" fullword ascii 482 | $l3 = "loaderx64.dll" fullword ascii 483 | $l4 = "loaderx64" fullword ascii 484 | $s1 = "ImportCall_Zw" wide 485 | $s2 = "DllInstall" ascii wide 486 | $s3 = "evb*.tmp" fullword wide 487 | $s4 = "WARNING ZwReadFileInformation" ascii 488 | $s5 = "LoadLibrary failed with module " fullword wide 489 | condition: 490 | uint16(0) == 0x5a4d and 2 of ($l*) and 4 of ($s*) 491 | } 492 | 493 | rule INDICATOR_EXE_Packed_Bonsai { 494 | meta: 495 | author = "ditekSHen" 496 | description = "Detects .NET executables developed using Bonsai" 497 | strings: 498 | $bonsai1 = "" wide 686 | $s3 = "is protected by an unregistered version of Eziriz's \".NET Reactor\"!" 
wide
    condition:
        uint16(0) == 0x5a4d and 1 of them
}

rule INDICATOR_EXE_Packed_Dotfuscator {
    meta:
        author = "ditekSHen"
        description = "Detects executables packed with Dotfuscator"
    strings:
        // Custom attribute name left in obfuscated assemblies
        $s1 = "DotfuscatorAttribute" fullword ascii
    condition:
        uint16(0) == 0x5a4d and 1 of them
}

rule INDICATOR_EXE_Packed_DNGuard {
    meta:
        author = "ditekSHen"
        description = "Detects executables packed with DNGuard"
    strings:
        // Runtime / SDK names and the expiry banner of the DNGuard HVM protector
        $s1 = "DNGuard Runtime library" wide
        $s2 = "[*=*]This application is expired ![*=*]" fullword wide
        $s3 = "DNGuard.Runtime" ascii wide
        $s4 = "EnableHVM" ascii
        $s5 = "DNGuard.SDK" ascii
        $s6 = "DNGuard HVM Runtime" wide
        $s7 = "HVMRuntm.dll" wide
    condition:
        uint16(0) == 0x5a4d and 2 of them
}

rule INDICATOR_EXE_Packed_NETProtectIO {
    meta:
        author = "ditekSHen"
        description = "Detects executables packed with NETProtect.IO"
    strings:
        // Version banner prefix
        $s1 = "NETProtect.IO v" ascii
    condition:
        uint16(0) == 0x5a4d and 1 of them
}

rule INDICATOR_EXE_Packed_KoiVM {
    meta:
        author = "ditekSHen"
        description = "Detects executables packed with or use KoiVM"
    strings:
        // KoiVM and its DarksVM / Koi.NG derivatives
        $s1 = "KoiVM v" ascii wide
        $s2 = "DarksVM " ascii wide
        $s3 = "Koi.NG" ascii wide
        $s4 = "KoiVM."
ascii wide
    condition:
        uint16(0) == 0x5a4d and 1 of them
}

rule INDICATOR_EXE_Packed_Goliath {
    meta:
        author = "ditekSHen"
        description = "Detects executables packed with Goliath"
    strings:
        $s1 = "ObfuscatedByGoliath" fullword ascii
    condition:
        uint16(0) == 0x5a4d and 1 of them
}

rule INDICATOR_EXE_Packed_Babel {
    meta:
        author = "ditekSHen"
        description = "Detects executables packed with Babel"
        // NOTE(review): sibling rules use the snort2_sid / snort3_sid keys; this key name
        // differs, so tooling that joins rules on those keys will not pick this reference up.
        snort = "930043-930044"
    strings:
        $s1 = "BabelObfuscatorAttribute" fullword ascii
        $m1 = ";babelvm;smoketest" ascii wide
        // UTF-16LE "babelvm" followed within 1-20 bytes by UTF-16LE "smoketest"
        $m2 = { 62 00 61 00 62 00 65 00 6c 00 76 00 6d [1-20] 73 00 6d 00 6f 00 6b 00 65 00 74 00 65 00 73 00 74 }
        $m3 = "babelvm" wide
        $m4 = "smoketest" wide
        // "lic" + 8 upper-case hex digits; broad on its own, hence only counted towards 2 of ($m*)
        $m5 = /lic[A-F0-9]{8}/ ascii wide // in particular 'lic70F93782'
    condition:
        // The attribute name is MZ-gated; the $m branch is written without the MZ gate,
        // so it also fires on non-PE carriers.
        ((uint16(0) == 0x5a4d and 1 of ($s*)) or (2 of ($m*)))
}

rule INDICATOR_EXE_Packed_GEN01 {
    meta:
        author = "ditekSHen"
        description = "Detect packed .NET executables. Mostly AgentTeslaV4."
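strings:
        $c1 = "com.apple.Safari" fullword ascii
        $c2 = "Unable to resolve HTTP prox" fullword ascii
        // Reversed strings: "$Windows Credential Picker Protector" and
        // "$Windows Web Password Credential" written backwards
        $c3 = "rotcetorP rekciP laitnederC swodniW$" fullword ascii
        $c4 = "laitnederC drowssaP beW swodniW$" fullword ascii
        $s1 = "Accounts" fullword wide
        $s2 = "logins" fullword wide
        $s3 = "sha512" fullword wide
        $s4 = "credential" fullword wide
    condition:
        uint16(0) == 0x5a4d and 2 of ($c*) and all of ($s*)
}

rule INDICATOR_EXE_Packed_CryptoProtector {
    meta:
        author = "ditekSHen"
        description = "Detects executables packed with CryptoProtector / CryptoObfuscator"
    strings:
        $s1 = "CryptoObfuscator" ascii
        $s2 = "CryptoProtector [{0}]" wide
        // 7-8 upper-case hex digits directly followed by ".Crypto"
        $e1 = /[A-F0-9]{7,8}\.Crypto/ ascii
    condition:
        // Grouping made explicit; same truth table as the original, which relied on 'and'
        // binding tighter than 'or'. Only the first alternative is MZ-gated: the other two
        // fire on any file type, so a non-PE with $s1 plus more than ten $e1 hits matches too.
        (uint16(0) == 0x5a4d and all of ($s*)) or ($s1 and #e1 > 10) or all of them
}

rule INDICATOR_EXE_Packed_Yano {
    meta:
        author = "ditekSHen"
        description = "Detects executables packed with Yano Obfuscator"
    strings:
        $s1 = "YanoAttribute" fullword ascii
        $s2 = "StripAfterObfuscation" fullword ascii
    condition:
        uint16(0) == 0x5a4d and all of them
}

// -------------------------------------------------------------------------------- /yara/indicator_office.yar: --------------------------------------------------------------------------------

rule INDICATOR_RTF_EXPLOIT_CVE_2017_0199_1 {
    meta:
        description = "Detects RTF documents potentially exploiting CVE-2017-0199"
        author = "ditekSHen"
    strings:
        // URL Moniker
        /* Reduce FPs
        $urlmoniker1 = "e0c9ea79f9bace118c8200aa004ba90b" ascii nocase
        $urlmoniker2 = { 45 30 43 39 45 41 37 39 46 39 42 41 43 45 31 31
                         38 43 38 32 30 30 41 41 30 30 34 42 41 39 30 42 } // HEX + lower-case
        */
        // URL moniker CLSID as the hex text "E0C9EA79F9BACE118C8200AA004BA90B" with a \x0a
        // inserted after every character (RTF hex-run obfuscation)
        $urlmoniker3 = { 45 0a 30 0a 43 0a 39 0a 45 0a 41 0a 37 0a 39 0a
                         46 0a 39 0a 42 0a 41 0a 43 0a 45 0a 31 0a 31 0a
                         38 0a 43 0a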
38 0a 32 0a 30 0a 30 0a 41 0a 41 0a
                         30 0a 30 0a 34 0a 42 0a 41 0a 39 0a 30 0a 42 } // HEX + lower-case + \x0a manipulation
        // Same upper-case hex text with \x0d\x0a after every character
        $urlmoniker4 = { 45 0d 0a 30 0d 0a 43 0d 0a 39 0d 0a 45 0d 0a 41
                         0d 0a 37 0d 0a 39 0d 0a 46 0d 0a 39 0d 0a 42 0d
                         0a 41 0d 0a 43 0d 0a 45 0d 0a 31 0d 0a 31 0d 0a
                         38 0d 0a 43 0d 0a 38 0d 0a 32 0d 0a 30 0d 0a 30
                         0d 0a 41 0d 0a 41 0d 0a 30 0d 0a 30 0d 0a 34 0d
                         0a 42 0d 0a 41 0d 0a 39 0d 0a 30 0d 0a 42 } // HEX + lower-case + \x0d0a manipulation
        /* Reduce FPs
        $urlmoniker5 = { 65 30 63 39 65 61 37 39 66 39 62 61 63 65 31 31
                         38 63 38 32 30 30 61 61 30 30 34 62 61 39 30 62 } // HEX + upper-case
        */
        // Lower-case hex text "e0c9ea79f9bace118c8200aa004ba90b" with \x0a after every character
        $urlmoniker6 = { 65 0a 30 0a 63 0a 39 0a 65 0a 61 0a 37 0a 39 0a
                         66 0a 39 0a 62 0a 61 0a 63 0a 65 0a 31 0a 31 0a
                         38 0a 63 0a 38 0a 32 0a 30 0a 30 0a 61 0a 61 0a
                         30 0a 30 0a 34 0a 62 0a 61 0a 39 0a 30 0a 62 } // HEX + upper-case + \x0a manipulation
        // Lower-case hex text with \x0d\x0a after every character
        $urlmoniker7 = { 65 0d 0a 30 0d 0a 63 0d 0a 39 0d 0a 65 0d 0a 61
                         0d 0a 37 0d 0a 39 0d 0a 66 0d 0a 39 0d 0a 62 0d
                         0a 61 0d 0a 63 0d 0a 65 0d 0a 31 0d 0a 31 0d 0a
                         38 0d 0a 63 0d 0a 38 0d 0a 32 0d 0a 30 0d 0a 30
                         0d 0a 61 0d 0a 61 0d 0a 30 0d 0a 30 0d 0a 34 0d
                         0a 62 0d 0a 61 0d 0a 39 0d 0a 30 0d 0a 62 } // HEX + upper-case + \x0d0a manipulation
        /* is slowing down scanning
           (gap-tolerant variants: up to 2 arbitrary bytes between each hex digit; the two
           $urlmoniker2 definitions below are identical copies)
        $urlmoniker2 = { 45 [0-2] 30 [0-2] 43 [0-2] 39 [0-2] 45 [0-2] 41 [0-2] 37 [0-2]
                         39 [0-2] 46 [0-2] 39 [0-2] 42 [0-2] 41 [0-2] 43 [0-2] 45 [0-2]
                         31 [0-2] 31 [0-2] 38 [0-2] 43 [0-2] 38 [0-2] 32 [0-2] 30 [0-2]
                         30 [0-2] 41 [0-2] 41 [0-2] 30 [0-2] 30 [0-2] 34 [0-2] 42 [0-2]
                         41 [0-2] 39 [0-2] 30 [0-2] 42 }
        $urlmoniker2 = { 45 [0-2] 30 [0-2] 43 [0-2] 39 [0-2] 45 [0-2] 41 [0-2] 37 [0-2]
                         39 [0-2] 46 [0-2] 39 [0-2] 42 [0-2] 41 [0-2] 43 [0-2] 45 [0-2]
                         31 [0-2] 31 [0-2] 38 [0-2] 43 [0-2] 38 [0-2] 32 [0-2] 30 [0-2]
                         30 [0-2] 41 [0-2] 41 [0-2] 30 [0-2] 30 [0-2] 34 [0-2] 42 [0-2]
                         41 [0-2] 39 [0-2] 30 [0-2] 42 }
$urlmoniker3 = { 65 [0-2] 30 [0-2] 63 [0-2] 39 [0-2] 65 [0-2] 61 [0-2] 37 [0-2]
                         39 [0-2] 66 [0-2] 39 [0-2] 62 [0-2] 61 [0-2] 63 [0-2] 65 [0-2]
                         31 [0-2] 31 [0-2] 38 [0-2] 63 [0-2] 38 [0-2] 32 [0-2] 30 [0-2]
                         30 [0-2] 61 [0-2] 61 [0-2] 30 [0-2] 30 [0-2] 34 [0-2] 62 [0-2]
                         61 [0-2] 39 [0-2] 30 [0-2] 62 }
        */
        // OLE Signature (compound file header d0cf11e0a1b11ae1: raw, hex text,
        // hex-of-hex text and \x0a / \x0d\x0a-interleaved forms)
        $ole1 = { d0 cf 11 e0 a1 b1 1a e1 }
        $ole2 = "d0cf11e0a1b11ae1" ascii nocase
        $ole3 = "64306366313165306131623131616531" ascii // HEX
        $ole4 = "640a300a630a660a310a310a650a300a610a310a620a310a310a610a650a31" ascii nocase // HEX manipulated
        $ole5 = { 64 0a 30 0a 63 0a 66 0a 31 0a 31 0a 65 0a 30 }
        $ole6 = { 64 0d 0a 30 0d 0a 63 0d 0a 66 0d 0a 31 0d 0a 31 0d 0a 65 0d 0a 30 }
        // Embedded Objects
        $obj1 = "\\objhtml" ascii
        $obj2 = "\\objdata" ascii
        $obj3 = "\\objupdate" ascii
        $obj4 = "\\objemb" ascii
        $obj5 = "\\objautlink" ascii
        $obj6 = "\\objlink" ascii
    condition:
        // 0x74725c7b == "{\rt" little-endian: RTF magic
        uint32(0) == 0x74725c7b and 1 of ($urlmoniker*) and 1 of ($ole*) and 1 of ($obj*)
}

rule INDICATOR_RTF_EXPLOIT_CVE_2017_11882_1 {
    meta:
        description = "Detects RTF documents potentially exploiting CVE-2017-11882"
        author = "ditekSHen"
    strings:
        // 0002CE02-0000-0000-C000-000000000046: Equation <> CVE-2017-11882 or CVE-2018-0802
        // Gap-tolerant hex text of the Equation CLSID: up to 20 arbitrary bytes may sit
        // between consecutive digits, so the explicit zero count below is a lower bound
        $s1 = { 32[0-20](43|63)[0-20](45|65)[0-20]30[0-20]32[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20](43|63)[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]34[0-20]36}
        // Root Entry (UTF-16LE "Root Entry" as hex text)
        $s2 = "52006f006f007400200045006e00740072007900" ascii nocase
        // bin0
        $s3 = "\\bin0" ascii nocase
        // OLE Signature (gap-tolerant hex text of d0cf11e0a1b11a, either digit case)
        $ole = { (64|44)[0-20]30[0-20](63|43)[0-20](66|46)[0-20]31[0-20]31[0-20](65|45)[0-20]30[0-20](61|41)[0-20]31[0-20](62|42)[0-20]31[0-20]31[0-20](61|41) }
        //$ole1 = "d0cf11e0a1b11ae1" ascii nocase
        //$ole2 = { 6430
// [0-1] 6366 [0-1] 3131 [0-1] 6530 [0-1] 6131 [0-1] 6231 [0-1] 3161 }
        //$ole3 = { 4430 [0-1] 4346 [0-1] 3131 [0-1] 4530 [0-1] 4131 [0-1] 4231 [0-1] 3141 }
        //$ole4 = { 64[0-1]30[0-1]63[0-1]66[0-1]31[0-1]31[0-1]65[0-1]30[0-1]61[0-1]31[0-1]62[0-1]31[0-1]31[0-1]61 }
        //$ole5 = { 44[0-1]30[0-1]43[0-1]46[0-1]31[0-1]31[0-1]45[0-1]30[0-1]41[0-1]31[0-1]42[0-1]31[0-1]31[0-1]41 }
        // Embedded Objects
        $obj1 = "\\objhtml" ascii
        $obj2 = "\\objdata" ascii
        $obj3 = "\\objupdate" ascii
        $obj4 = "\\objemb" ascii
        $obj5 = "\\objautlink" ascii
        $obj6 = "\\objlink" ascii
    condition:
        uint32(0) == 0x74725c7b and 2 of ($s*) and $ole and 2 of ($obj*)
}

rule INDICATOR_RTF_EXPLOIT_CVE_2017_11882_2 {
    meta:
        description = "detects an obfuscated RTF variant documents potentially exploiting CVE-2017-11882"
        author = "ditekSHen"
    strings:
        // 0002CE02-0000-0000-C000-000000000046: Equation
        // CVE-2017-11882 or CVE-2018-0802
        // Little-endian on-disk byte order of the CLSID, as hex text
        $eq1 = "02ce020000000000c000000000000046" ascii nocase
        // ProgID prefix as plain text (broad on its own; condition also requires shellcode artefacts)
        $eq2 = "equation."
ascii nocase
        // Hex text of the mixed-case ProgID "eQuAtIoN.3"
        $eq3 = "6551754174496f4e2e33" ascii nocase
        // Gap-tolerant hex text of the Equation CLSID (up to 20 bytes between digits)
        $eq4 = { 32[0-20](43|63)[0-20](45|65)[0-20]30[0-20]32[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20](43|63)[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]34[0-20]36 }
        // Embedded Objects
        $obj1 = "\\objhtml" ascii
        $obj2 = "\\objdata" ascii
        $obj3 = "\\objupdate" ascii
        $obj4 = "\\objemb" ascii
        $obj5 = "\\objautlink" ascii
        $obj6 = "\\objlink" ascii
        $obj7 = "\\mmath" ascii
        // Shellcode Artefacts (API names as hex text; nocase only covers the hex digits,
        // the encoded letters themselves are fixed to the case shown in the comments)
        $s1 = "4c6f61644c696272617279" ascii nocase // LoadLibrary
        $s2 = "47657450726f6341646472657373" ascii nocase // GetProcAddress
        $s3 = "55524c446f776e6c6f6164546f46696c65" ascii nocase // URLDownloadToFile
        $s4 = "5368656c6c45786563757465" ascii nocase // ShellExecute
        $s5 = "4578697450726f63657373" ascii nocase // ExitProcess
    condition:
        uint32(0) == 0x74725c7b and 1 of ($eq*) and 1 of ($obj*) and 2 of ($s*)
}

rule INDICATOR_RTF_EXPLOIT_CVE_2017_11882_3 {
    meta:
        description = "detects RTF variant documents potentially exploiting CVE-2018-0802 or CVE-2017-11882"
        author = "ditekSHen"
    strings:
        // Ole10Native
        // UTF-16LE "Ole10NATIve" as hex text
        $ole1 = "4f006c006500310030004e00410054004900760065" ascii nocase
        // "ole10native" as hex text, either letter case per character
        $ole2 = { (3666|3466) (3663|3463) (3635|3435) 3331 3330 (3665|3465) (3631|3431) (3734|3534) (3639|3439) (3736|3536) (3635|3435) }
        // Raw ASCII letters of "Ole0Native" with up to 5 bytes between each (the '1' is absorbed by a gap)
        $ole3 = { (4f|6f)[0-5](4c|6c)[0-5](45|65)[0-5]30[0-5](4e|6e)[0-5](41|61)[0-5](54|74)[0-5](49|69)[0-5](56|76)[0-5](45|65) }
        // CVE-2017-11882 or CVE-2018-0802
        // 0002CE02-0000-0000-C000-000000000046: Equation
        // CLSID hex text without its leading '0' (catches a stripped leading zero)
        $clsid1 = "2ce020000000000c000000000000046" ascii nocase
        // Same, strict contiguous digits
        $clsid2 = { 32 (43|63) (45|65) 30 32 30 30 30 30 30 30 30 30 30 30 (43|63) 30 30 30 30 30 30 30 30 30 30 30 30 30 34 36 }
        // Same, gap-tolerant (up to 20 bytes between digits)
        $clsid3 = {
32[0-20](43|63)[0-20](45|65)[0-20]30[0-20]32[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20](43|63)[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]34[0-20]36 }
        // Root Entry (UTF-16LE "Root Entry" as hex text)
        $re = "52006f006f007400200045006e00740072007900" ascii nocase
        // Embedded Objects
        $obj1 = "\\objhtml" ascii
        $obj2 = "\\objdata" ascii
        $obj3 = "\\objupdate" ascii
        $obj4 = "\\objemb" ascii
        $obj5 = "\\objautlink" ascii
        $obj6 = "\\objlink" ascii
        $obj7 = "\\mmath" ascii
    condition:
        uint32(0) == 0x74725c7b and (1 of ($ole*) and 1 of ($clsid*) and $re and 1 of ($obj*))
}

rule INDICATOR_RTF_EXPLOIT_CVE_2017_11882_4 {
    meta:
        description = "detects RTF variant documents potentially exploiting CVE-2018-0802 or CVE-2017-11882"
        author = "ditekSHen"
    strings:
        // equation.3 manipulated
        // is slowing down scanning, but good detection rate
        // Hex text of "equation.3" (either letter case) with up to 50 arbitrary bytes between
        // every hex digit. The [0-50] gaps are what makes this expensive.
        $s1 = { (36|34)[0-50]35[0-50](37|35)[0-50]31[0-50](37|35)[0-50]35[0-50](36|34)[0-50]31[0-50](37|35)[0-50]34[0-50](36|34)[0-50]39[0-50](36|34)[0-50]66[0-50](36|34)[0-50]65[0-50]32[0-50]65[0-50]33[0-50]33 }
        // Variant anchored on an RTF delimiter byte ('}', '\', '+', '$') immediately before the
        // hex run of "quation.3"
        $s2 = { (7d|5c|2b|24)[0-50](37|35)[0-50]31[0-50](37|35)[0-50]35[0-50](36|34)[0-50]31[0-50](37|35)[0-50]34[0-50](36|34)[0-50]39[0-50](36|34)[0-50]66[0-50](36|34)[0-50]65[0-50]32[0-50]65[0-50]33[0-50]33 }
        //$s3 = { 32[0-20](43|63)[0-20](45|65)[0-20]30[0-20]32[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20](43|63)[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]30[0-20]34[0-20]36 }
        // NOT slowing down scanning, but FN prone
        // $s3 = { (36|34)[0-1]35[0-1](37|35)[0-1]31[0-1](37|35)[0-1]35[0-1](36|34)[0-1]31[0-1](37|35)[0-1]34[0-1](36|34)[0-1]39[0-1](36|34)[0-1]66[0-1](36|34)[0-1]65[0-1]3265[0-1]3333 }
        //$s4 = {
// (7d|5c|2b|24)[0-1](37|35)[0-1]31[0-1](37|35)[0-1]35[0-1](36|34)[0-1]31[0-1](37|35)[0-1]34[0-1](36|34)[0-1]39[0-1](36|34)[0-1]66[0-1](36|34)[0-1]65[0-1]3265[0-1]3333 }
        // Embedded Objects
        $obj1 = "\\objhtml" ascii
        $obj2 = "\\objdata" ascii
        $obj3 = "\\objupdate" ascii
        $obj4 = "\\objemb" ascii
        $obj5 = "\\objautlink" ascii
        $obj6 = "\\objlink" ascii
        $obj7 = "\\mmath" ascii
    condition:
        // Deliberately loose: one obfuscated ProgID hit plus one object control word
        uint32(0) == 0x74725c7b and (1 of ($s*) and 1 of ($obj*))
}

rule INDICATOR_OLE_EXPLOIT_CVE_2017_11882_1 {
    meta:
        description = "detects OLE documents potentially exploiting CVE-2017-11882"
        author = "ditekSHen"
    strings:
        // Compound file header (also implied by the uint16 check in the condition)
        $s1 = { d0 cf 11 e0 a1 b1 1a e1 }
        // Equation CLSID 0002CE02-0000-0000-C000-000000000046, on-disk byte order
        $s2 = { 02 ce 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 }
        $s3 = "ole10native" wide nocase
        $s4 = "Root Entry" wide
    condition:
        // 0xcfd0 == bytes d0 cf: compound file magic
        uint16(0) == 0xcfd0 and all of them
}

rule INDICATOR_RTF_EXPLOIT_CVE_2017_8759_1 {
    meta:
        description = "detects CVE-2017-8759 weaponized RTF documents."
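author = "ditekSHen"
    strings:
        // 00000300-0000-0000-C000-000000000046: OLE2Link
        // On-disk byte order. (A second copy of this pattern differing only in the case of
        // "c0" was dropped: YARA hex strings are case-insensitive, so it was byte-identical.)
        $clsid1 = { 00 03 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 }
        $clsid3 = "0003000000000000c000000000000046" ascii nocase
        $clsid4 = "4f4c45324c696e6b" ascii nocase // HEX
        $clsid5 = "OLE2Link" ascii nocase
        // OLE Signature
        $ole1 = { d0 cf 11 e0 a1 b1 1a e1 }
        $ole2 = "d0cf11e0a1b11ae1" ascii nocase
        $ole3 = "64306366313165306131623131616531" ascii // HEX
        // "ascii nocase" added for consistency with the identical $ole4 string in
        // INDICATOR_RTF_EXPLOIT_CVE_2017_0199_1; hex digits in objdata may be either case.
        $ole4 = "640a300a630a660a310a310a650a300a610a310a620a310a310a610a650a31" ascii nocase // HEX manipulated
        // Second Stage Artefacts
        $s1 = "wsdl=http" wide
        $s2 = "METAFILEPICT" ascii
        $s3 = "INCLUDEPICTURE \"http" ascii
        // Plain-text DOS stub banner: only matches a raw (non hex-encoded) embedded PE
        $s4 = "!This program cannot be run in DOS mode" ascii
    condition:
        uint32(0) == 0x74725c7b and 1 of ($clsid*) and 1 of ($ole*) and 2 of ($s*)
}

rule INDICATOR_RTF_EXPLOIT_CVE_2017_8759_2 {
    meta:
        description = "detects CVE-2017-8759 weaponized RTF documents."
        author = "ditekSHen"
    strings:
        // Msxml2.SAXXMLReader.
        // 88D96A0C-F192-11D4-A65F-0040963251E5: Msxml2.SAXXMLReader.6
        // $clsid1/$clsid2 carry the GUID in its printed digit order. Every other CLSID literal
        // in this file (e.g. OLE2Link "00 03 00 00 ...", Equation "02 ce 02 00 ...") uses the
        // on-disk little-endian order, which is what an objdata hex blob contains, so
        // $clsid5/$clsid6 add that form. The original strings are kept unchanged.
        $clsid1 = { 88 d9 6a 0c f1 92 11 d4 a6 5f 00 40 96 32 51 e5 }
        $clsid2 = "88d96a0cf19211d4a65f0040963251e5" ascii nocase
        $clsid3 = "4d73786d6c322e534158584d4c5265616465722e" ascii nocase // HEX
        $clsid5 = { 0c 6a d9 88 92 f1 d4 11 a6 5f 00 40 96 32 51 e5 }
        $clsid6 = "0c6ad98892f1d411a65f0040963251e5" ascii nocase
        $clsid4 = "Msxml2.SAXXMLReader."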
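ascii nocase
        // OLE Signature
        $ole1 = { d0 cf 11 e0 a1 b1 1a e1 }
        $ole2 = "d0cf11e0a1b11ae1" ascii nocase
        $ole3 = "64306366313165306131623131616531" ascii // HEX
        // "ascii nocase" added for consistency with the identical $ole4 string in
        // INDICATOR_RTF_EXPLOIT_CVE_2017_0199_1; hex digits in objdata may be either case.
        $ole4 = "640a300a630a660a310a310a650a300a610a310a620a310a310a610a650a31" ascii nocase // HEX manipulated
        // Embedded Objects
        $obj1 = "\\objhtml" ascii
        $obj2 = "\\objdata" ascii
        $obj3 = "\\objupdate" ascii
        $obj4 = "\\objemb" ascii
        $obj5 = "\\objautlink" ascii
        $obj6 = "\\objlink" ascii
        $obj7 = "\\objclass htmlfile" ascii
        // SOAP Moniker (CLSID in on-disk byte order, as hex text)
        $soap1 = "c7b0abec197fd211978e0000f8757e" ascii nocase
    condition:
        uint32(0) == 0x74725c7b and 1 of ($clsid*) and 1 of ($ole*) and (2 of ($obj*) or 1 of ($soap*))
}

rule INDICATOR_RTF_Exploit_Scripting {
    meta:
        description = "detects CVE-2017-8759 or CVE-2017-8570 weaponized RTF documents."
        author = "ditekSHen"
    strings:
        // 00000300-0000-0000-C000-000000000046: OLE2Link
        $clsid1 = { 00 03 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 }
        $clsid2 = "0003000000000000c000000000000046" ascii nocase
        $clsid3 = "4f4c45324c696e6b" ascii nocase
        $clsid4 = "OLE2Link" ascii nocase
        // OLE Signature
        $ole1 = { d0 cf 11 e0 a1 b1 1a e1 }
        $ole2 = "d0cf11e0a1b11ae1" ascii nocase
        $ole3 = "64306366313165306131623131616531" ascii // HEX
        // "ascii nocase" added for consistency with INDICATOR_RTF_EXPLOIT_CVE_2017_0199_1 (see above)
        $ole4 = "640a300a630a660a310a310a650a300a610a310a620a310a310a610a650a31" ascii nocase // HEX manipulated
        $ole5 = { 64 30 63 66 [0-2] 31 31 65 30 61 31 62 31 31 61 65 31 }
        // Very short (7 chars) and nocase: will also hit any benign RTF with an embedded OLE object
        $ole6 = "D0cf11E" ascii nocase
        // Embedded Objects
        $obj1 = "\\objhtml" ascii
        $obj2 = "\\objdata" ascii
        $obj3 = "\\objupdate" ascii
        $obj4 = "\\objemb" ascii
        $obj5 = "\\objautlink" ascii
        $obj6 = "\\objlink" ascii
        $obj7 = "\\mmath" ascii
        $obj8 = "\\objclass htmlfile" ascii
        // NOTE(review): the listing is truncated here (original lines 277-318 elided): this
        // rule's condition and the header of the following OLE rule are not visible.
        // >08 00 00 00 |................|
        // 00003e10 55 73 65 72 00<< 00 00 00 1e 00 00 00 04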
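// 00 00 00 |User............|
        // Some variants don't reference the command itself, but following parts
        // Each pattern: 00 1E 00 00 00, 1-4 bytes, 00 00, then the command name in either
        // letter case, terminated by NUL or space. Fixed two typos in the case alternatives:
        // $cmd4 had (63|42) for 'c' (0x42 is 'B', so "Certutil" never matched) and $cmd5 had
        // (73|43) for 's' (0x43 is 'C', so "PowerShell" never matched).
        $cmd1 = { 00 1E 00 00 00 [1-4] 00 00 (63|43) (6D|4D) (64|44) (00|20) } // |00 00|cmd|00|
        $cmd2 = { 00 1E 00 00 00 [1-4] 00 00 (6D|4D) (73|53) (68|48) (74|54) (61|41) (00|20) } // |00 00|mshta|00|
        $cmd3 = { 00 1E 00 00 00 [1-4] 00 00 (77|57) (73|53) (63|43) (72|52) (69|49) (70|50) (74|54) (00|20) } // |00 00|wscript|00|
        $cmd4 = { 00 1E 00 00 00 [1-4] 00 00 (63|43) (65|45) (72|52) (74|54) (75|55) (74|54) (69|49) (6C|4C) (00|20) } // |00 00|certutil|00|
        $cmd5 = { 00 1E 00 00 00 [1-4] 00 00 (70|50) (6F|4F) (77|57) (65|45) (72|52) (73|53) (68|48) (65|45) (6C|4C) (6C|4C) (00|20) } // |00 00|powershell|00|
        $cmd6 = { 00 1E 00 00 00 [1-4] 00 00 (6E|4E) (65|45) (74|54) 2E (77|57) (65|45) (62|42) (63|43) (6C|4C) (69|49) (65|45) (6E|4E) (74|54) (00|20) } // |00 00|net.webclient|00|
    condition:
        uint16(0) == 0xcfd0 and any of them
}

rule INDICATOR_RTF_MultiExploit_Embedded_Files {
    meta:
        description = "Detects RTF documents potentially exploting multiple vulnerabilities and embeding next stage scripts and/or binaries"
        author = "ditekSHen"
    strings:
        // 0002CE02-0000-0000-C000-000000000046: Equation
        // CVE-2017-11882 or CVE-2018-0802
        $eq1 = "02ce020000000000c000000000000046" ascii nocase
        $eq2 = { 02ce020000000000c000000000000046 }
        // 00000300-0000-0000-C000-000000000046: OLE2Link
        // CVE-2017-0199, CVE-2017-8570, CVE-2017-8759 or CVE-2018-8174
        // Hex text without the leading "00" byte
        $ole2link1 = "03000000000000c000000000000046" ascii nocase
        // "ole2link" as hex text, either letter case per character
        $ole2link2 = { (36|34) (66|46) (36|34) (63|43) (36|34) 35 33 32 (36|34) (63|43) (36|34) 39 (36|34) (65|45) (36|34) (62|42) } // HEX + manipulated
        // Embedded Objects
        $obj1 = "\\objhtml" ascii
        $obj2 = "\\objdata" ascii
        $obj3 = "\\objupdate" ascii
        $obj4 = "\\objemb" ascii
        $obj5 = "\\objautlink" ascii
        $obj6 =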
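"\\mmath" ascii
        // OLE Package Object
        // Raw ASCII "package", either letter case per character
        $pkg = { (70|50) (61|41) (63|43) (6b|4b) (61|41) (67|47) (65|45) }
        // Embedded Files Extensions - ASCII
        // Each is the hex text of ".<ext>" followed by a NUL byte ("00"); letters may be
        // either case. Fixed $emb_psw: it ended in "313030" (hex text "100"), which is not a
        // valid encoding of "1\0" -- the other patterns all end in "<digit-or-letter> 3030".
        $emb_exe = { 3265 (3635|3435) (3738|3538) (3635|3435) 3030 }
        $emb_scr = { 3265 (3733|3533) (3633|3433) (3532|3732) 3030 }
        $emb_dll = { 3265 (3634|3434) (3663|3463) (3663|3463) 3030 }
        $emb_doc = { 3265 (3634|3434) (3666|3466) (3633|3433) 3030 }
        $emb_bat = { 3265 (3632|3432) (3631|3431) (3734|3534) 3030 }
        $emb_sct = { 3265 (3733|3533) (3633|3433) (3734|3534) 3030 }
        $emb_txt = { 3265 (3734|3534) (3738|3538) (3734|3534) 3030 }
        $emb_psw = { 3265 (3730|3530) (3733|3533) 3331 3030 }
    condition:
        // Strict: uint32(0) == 0x74725c7b and filesize > 400KB and (1 of ($eq*) or 1 of ($ole2link*)) and $pkg and 2 of ($obj*) and 1 of ($emb*)
        uint32(0) == 0x74725c7b and (1 of ($eq*) or 1 of ($ole2link*)) and $pkg and 2 of ($obj*) and 1 of ($emb*)
}

rule INDICATOR_OLE_ObjectPool_Embedded_Files {
    meta:
        description = "Detects OLE documents with ObjectPool OLE storage and embed suspicous excutable files"
        author = "ditekSHen"
    strings:
        // Storage / stream names as UTF-16LE (wide); $h1-$h3 are the same bytes spelled out
        // explicitly, minus the fullword boundary check, so "all of ($h*)" subsumes "all of ($s*)"
        $s1 = "ObjectPool" fullword wide
        $s2 = "Ole10Native" fullword wide
        $s3 = "Root Entry" fullword wide

        $h1 = { 4f 00 62 00 6a 00 65 00 63 00 74 00 50 00 6f 00 6f 00 6c 00 }
        $h2 = { 4f 00 6c 00 65 00 31 00 30 00 4e 00 61 00 74 00 69 00 76 00 65 00 }
        $h3 = { 52 00 6f 00 6f 00 74 00 20 00 45 00 6e 00 74 00 72 00 79 00 }
        // OLE Package Object (CLSID 0003000C-0000-0000-C000-000000000046 in on-disk order)
        $olepkg = { 00 00 00 0c 00 03 00 00 00 00 00 c0 00 00 00 00 00 00 46 }
        // Embedded Files Extensions - ASCII - Not as reliable as its hex variant
        $fa_exe = ".exe" ascii nocase
        $fa_scr = ".scr" ascii nocase
        $fa_dll = ".dll" ascii nocase
        $fa_bat = ".bat" ascii nocase
        $fa_cmd = ".cmd" ascii nocase
        $fa_sct = ".sct" ascii nocase
        $fa_txt = ".txt" ascii nocase
        $fa_psw =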
".ps1" ascii nocase
        // File extensions - Hex > slowing down scanning
        // ".<ext>" in either letter case, NUL-terminated
        $fh_exe = { 2e (45|65) (58|78) (45|65) 00 }
        $fh_scr = { 2e (53|73) (43|63) (52|72) 00 }
        $fh_dll = { 2e (44|64) (4c|6c) (4c|6c) 00 }
        $fh_bat = { 2e (42|62) (41|61) (54|74) 00 }
        $fh_cmd = { 2e (43|63) (4d|6d) (44|64) 00 }
        $fh_sct = { 2e (53|73) (43|63) (54|74) 00 }
        $fh_txt = { 2e (54|74) (58|78) (54|74) 00 }
        $fh_psw = { 2e (50|70) (53|73) 31 00 }
    condition:
        uint16(0) == 0xcfd0 and (all of ($s*) or all of ($h*)) and $olepkg and (1 of ($fa*) or 1 of ($fh*))
}

rule INDICATOR_RTF_Equation_BITSAdmin_Downloader {
    meta:
        description = "Detects RTF documents that references both Microsoft Equation Editor and BITSAdmin. Common exploit + dropper behavior."
        author = "ditekSHen"
        snort2_sid = "910002-910003"
        snort3_sid = "910001"
        clamav_sig = "INDICATOR.RTF.EquationBITSAdminDownloader"
    strings:
        // 0002CE02-0000-0000-C000-000000000046: Equation
        // CVE-2017-11882 or CVE-2018-0802
        // "02000000" prefix followed by the Equation CLSID, as hex text
        $eq = "0200000002CE020000000000C000000000000046" ascii nocase
        // BITSAdmin
        // Hex text of lower-case "bitsadmin"; nocase applies to the hex digits only, so
        // other letter casings of the encoded name are not covered
        $ba = "6269747361646d696e" ascii nocase
        // Embedded Objects
        $obj1 = "\\objhtml" ascii
        $obj2 = "\\objdata" ascii
        $obj3 = "\\objupdate" ascii
        $obj4 = "\\objemb" ascii
        $obj5 = "\\objautlink" ascii
        $obj6 = "\\objlink" ascii
        $obj7 = "\\mmath" ascii
    condition:
        uint32(0) == 0x74725c7b and (($eq and $ba) and 1 of ($obj*))
}

rule INDICATOR_RTF_Equation_CertUtil_Downloader {
    meta:
        description = "Detects RTF documents that references both Microsoft Equation Editor and CertUtil. Common exploit + dropper behavior."
author = "ditekSHen"
        snort2_sid = "910006-910007"
        snort3_sid = "910003"
        clamav_sig = "INDICATOR.RTF.EquationCertUtilDownloader"
    strings:
        // 0002CE02-0000-0000-C000-000000000046: Equation
        // CVE-2017-11882 or CVE-2018-0802
        $eq = "0200000002CE020000000000C000000000000046" ascii nocase
        // CertUtil
        // Hex text of lower-case "certutil" (nocase covers the hex digits, not the encoded letters)
        $cu = "636572747574696c" ascii nocase
        // Embedded Objects
        $obj1 = "\\objhtml" ascii
        $obj2 = "\\objdata" ascii
        $obj3 = "\\objupdate" ascii
        $obj4 = "\\objemb" ascii
        $obj5 = "\\objautlink" ascii
        $obj6 = "\\objlink" ascii
        $obj7 = "\\mmath" ascii
    condition:
        uint32(0) == 0x74725c7b and (($eq and $cu) and 1 of ($obj*))
}

rule INDICATOR_RTF_Equation_PowerShell_Downloader {
    meta:
        description = "Detects RTF documents that references both Microsoft Equation Editor and PowerShell. Common exploit + dropper behavior."
        author = "ditekSHen"
        snort2_sid = "910004-910005"
        snort3_sid = "910002"
        clamav_sig = "INDICATOR.RTF.EquationPowerShellDownloader"
    strings:
        // 0002CE02-0000-0000-C000-000000000046: Equation
        // CVE-2017-11882 or CVE-2018-0802
        $eq = "0200000002CE020000000000C000000000000046" ascii nocase
        // PowerShell
        // Hex text of lower-case "powershell" (nocase covers the hex digits, not the encoded letters)
        $ps = "706f7765727368656c6c" ascii nocase
        // Embedded Objects
        $obj1 = "\\objhtml" ascii
        $obj2 = "\\objdata" ascii
        $obj3 = "\\objupdate" ascii
        $obj4 = "\\objemb" ascii
        $obj5 = "\\objautlink" ascii
        $obj6 = "\\objlink" ascii
        $obj7 = "\\mmath" ascii
    condition:
        uint32(0) == 0x74725c7b and (($ps and $eq) and 1 of ($obj*))
}

rule INDICATOR_RTF_LNK_Shell_Explorer_Execution {
    meta:
        description = "detects RTF files with Shell.Explorer.1 OLE objects with embedded LNK files referencing an executable."
author = "ditekSHen"
    strings:
        // Shell.Explorer.1 OLE Object CLSID (on-disk byte order, as hex text)
        $clsid = "c32ab2eac130cf11a7eb0000c05bae0b" ascii nocase
        // LNK Shortcut Header (header size 0x4c + start of the LNK CLSID, as hex text)
        $lnk_header = "4c00000001140200" ascii nocase
        // Second Stage Artefacts - http/file (UTF-16LE "http" / "file:" as hex text)
        $http_url = "6800740074007000" ascii nocase
        $file_url = "660069006c0065003a" ascii nocase
    condition:
        uint32(0) == 0x74725c7b and filesize < 1500KB and $clsid and $lnk_header and ($http_url or $file_url)
}

rule INDICATOR_RTF_Forms_HTML_Execution {
    meta:
        description = "detects RTF files with Forms.HTML:Image.1 or Forms.HTML:Submitbutton.1 OLE objects referencing file or HTTP URLs."
        author = "ditekSHen"
    strings:
        // Forms.HTML:Image.1 OLE Object CLSID
        $img_clsid = "12d11255c65ccf118d6700aa00bdce1d" ascii nocase
        // Forms.HTML:Submitbutton.1 Object CLSID
        $sub_clsid = "10d11255c65ccf118d6700aa00bdce1d" ascii nocase
        // Second Stage Artefacts - http/file (UTF-16LE "http" / "file:" as hex text)
        $http_url = "6800740074007000" ascii nocase
        $file_url = "660069006c0065003a" ascii nocase
    condition:
        uint32(0) == 0x74725c7b and filesize < 1500KB and ($img_clsid or $sub_clsid) and ($http_url or $file_url)
}

rule INDICATOR_PUB_MSIEXEC_Remote {
    meta:
        description = "detects VB-enable Microsoft Publisher files utilizing Microsoft Installer to retrieve remote files and execute them"
        author = "ditekSHen"
    strings:
        $s1 = "Microsoft Publisher" ascii
        $s2 = "msiexec.exe" ascii
        // Document_Open auto-exec handler, quiet/remote msiexec switches, shell object
        $s3 = "Document_Open" ascii
        $s4 = "/norestart" ascii
        $s5 = "/i http" ascii
        $s6 = "Wscript.Shell" fullword ascii
        $s7 = "\\VBE6.DLL#" wide
    condition:
        // 6 of 7: tolerates one missing artefact (e.g. a differently-cased shell object name)
        uint16(0) == 0xcfd0 and 6 of them
}

rule INDICATOR_RTF_Ancalog_Exploit_Builder_Document {
    meta:
        description = "Detects documents generated by Phantom Crypter/Ancalog"
        author = "ditekSHen"
snort2_sid = "910000-910001"
        snort3_sid = "910000"
        clamav_sig = "INDICATOR.RTF.AncalogExploitBuilderDocument"
    strings:
        // Builder-specific control word; $builder2 is a substring of $builder1, so every
        // $builder1 hit is also a $builder2 hit (kept for report readability)
        $builder1 = "{\\*\\ancalog" ascii
        $builder2 = "\\ancalog" ascii
    condition:
        uint32(0) == 0x74725c7b and 1 of ($builder*)
}

rule INDICATOR_RTF_ThreadKit_Exploit_Builder_Document {
    meta:
        description = "Detects vaiations of RTF documents generated by ThreadKit builder."
        author = "ditekSHen"
    strings:
        // Embedded Objects
        $obj1 = "\\objhtml" ascii
        $obj2 = "\\objdata" ascii
        $obj3 = "\\objupdate" ascii
        $obj4 = "\\objemb" ascii
        $obj5 = "\\objautlink" ascii
        $obj6 = "\\objlink" ascii
        $obj7 = "\\mmath" ascii
        // Patterns
        // "\objupdate\v" followed by a backslash, whitespace, LF or CR.
        // Any $pat1 hit implies $obj3, so effectively one further object control word is required.
        $pat1 = /\\objupdate\\v[\\\s\n\r]/ ascii
    condition:
        uint32(0) == 0x74725c7b and 2 of ($obj*) and 1 of ($pat*)
}

rule INDICATOR_XML_LegacyDrawing_AutoLoad_Document {
    meta:
        description = "detects AutoLoad documents using LegacyDrawing"
        author = "ditekSHen"
    strings:
        // NOTE(review): the listing is truncated here (original lines 565-627 elided): the rest
        // of this rule, including its condition, and the header of the following rule -- the one
        // that defines $vb and whose ActiveX trigger / keyword strings follow -- are not visible.
        $s1 = " Triggers
        // ActiveX control event handler name fragments
        $ax1 = "_Layout" ascii
        $ax2 = "MultiPage1_" ascii
        $ax3 = "_MouseMove" ascii
        $ax4 = "_MouseHover" ascii
        $ax5 = "_MouseLeave" ascii
        $ax6 = "_MouseEnter" ascii
        $ax7 = "ImageCombo21_Change" ascii
        $ax8 = "InkEdit1_GotFocus" ascii
        $ax9 = "InkPicture1_" ascii
        $ax10 = "SystemMonitor1_" ascii
        $ax11 = "WebBrowser1_" ascii
        $ax12 = "_Click" ascii
        // Suspicious Keywords
        $kw1 = "CreateObject" ascii
        $kw2 = "CreateTextFile" ascii
        $kw3 = ".SpawnInstance_" ascii
        $kw4 = "WScript.Shell" ascii
        // "Chr", "Asc", "Mid" with up to 2 bytes between each token
        $kw5 = { 43 68 72 [0-2] 41 73 63 [0-2] 4d 69 64 } // & Chr(Asc(Mid(
        // Bytes decode to "Ch" .. "r$(@$("&H"; see the original author's comment for the intended source form
        $kw6 = { 43 68 [0-2] 72 24 28 40 24 28 22 26 48 } // & Chr$(Val("&H"
        $kw7 = { 41 63 74 69 76 65 44 6f 63 75 6d 65 6e 74 } // ActiveDocument
    condition:
        uint16(0) == 0xcfd0 and $vb and 1 of ($ax*) and 2 of
($kw*)
}

rule INDICATOR_OLE_Suspicious_MITRE_T1117 {
    meta:
        description = "Detects MITRE technique T1117 in OLE documents"
        author = "ditekSHen"
    strings:
        $s1 = "scrobj.dll" ascii nocase
        $s2 = "regsvr32" ascii nocase
        // base64 of "regsvr32.exe" and "scrobj.dll" at non-zero alignment offsets
        // (they decode correctly only when preceded by 2 resp. 1 arbitrary bytes)
        $s3 = "JyZWdzdnIzMi5leGU" ascii
        $s4 = "HNjcm9iai5kbGw" ascii
    condition:
        uint16(0) == 0xcfd0 and 2 of them
}

rule INDICATOR_OLE_RemoteTemplate {
    meta:
        description = "Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents"
        author = "ditekSHen"
    strings:
        $olerel = "relationships/oleObject" ascii
        $target1 = "Target=\"http" ascii
        $target2 = "Target=\"file" ascii
        $mode = "TargetMode=\"External" ascii
    condition:
        // No magic check: matches the plain-text .rels XML, i.e. the extracted part rather
        // than the (compressed) OOXML container itself
        $olerel and $mode and 1 of ($target*)
}

rule INDICATOR_RTF_MalVer_Objects {
    meta:
        description = "Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents."
        author = "ditekSHen"
    strings:
        // Embedded Objects
        $obj1 = "\\objhtml" ascii
        $obj2 = "\\objdata" ascii
        $obj3 = "\\objupdate" ascii
        $obj4 = "\\objemb" ascii
        $obj5 = "\\objautlink" ascii
        $obj6 = "\\objlink" ascii
    condition:
        // Bytes 4..6 of a canonical header "{\rtf1\" are 'f' '1' '\'; any deviation
        // (e.g. "{\rtf1 ", "{\rtf{", a different version digit) plus one object control word fires
        uint32(0) == 0x74725c7b and ((not uint8(4) == 0x66 or not uint8(5) == 0x31 or not uint8(6) == 0x5c) and 1 of ($obj*))
}

rule INDICATOR_PPT_MasterMana {
    meta:
        description = "Detects known malicious pattern (MasterMana) in PowerPoint documents."
        author = "ditekSHen"
    strings:
        $a1 = "auto_close" ascii nocase
        $a2 = "autoclose" ascii nocase
        $a3 = "auto_open" ascii nocase
        $a4 = "autoopen" ascii nocase
        $vb1 = "\\VBE7.DLL" ascii
        // "Attribut?e VB_Nam?" with one wildcard byte in each word
        $vb2 = { 41 74 74 72 69 62 75 74 ?? 65 20 56 42 5f 4e 61 6d ??
65 }
        // VBA project CLSID as printed text
        $clsid = "000204EF-0000-0000-C000-000000000046" wide nocase
        // j.mp / zz.ht shortener references, including reversed spellings ($i3, $i5, $i6)
        $i1 = "@j.mp/" ascii wide
        $i2 = "j.mp/" ascii wide
        $i3 = "\\pm.j\\\\:" ascii wide
        $i4 = ".zz.ht/" ascii wide
        $i5 = "/pm.j@" ascii wide
        $i6 = "\\pm.j@" ascii wide
    condition:
        uint16(0) == 0xcfd0 and 1 of ($i*) and $clsid and 1 of ($a*) and 1 of ($vb*)
}

rule INDICATOR_XML_WebRelFrame_RemoteTemplate {
    meta:
        description = "Detects XML web frame relations refrencing an external target in dropper OOXML documents"
        author = "ditekSHen"
    strings:
        $target1 = "/frame\" Target=\"http" ascii nocase
        $target2 = "/frame\" Target=\"file" ascii nocase
        $mode = "TargetMode=\"External" ascii
    condition:
        // 0x6d783f3c == "<?xm": plain XML part, not the OOXML container
        uint32(0) == 0x6d783f3c and (1 of ($target*) and $mode)
}

rule INDICATOR_PDF_IPDropper {
    meta:
        description = "Detects PDF documents with Action and URL pointing to direct IP address"
        author = "ditekSHen"
    strings:
        // "Type /Action\r\n/S /URI\r\n" -- CRLF line endings and this key order are required
        $s1 = { 54 79 70 65 20 2f 41 63 74 69 6f 6e 0d 0a 2f 53 20 2f 55 52 49 0d 0a }
        // /URI (http://N.N.N.N/ or https://, dotted-quad host
        $s2 = /\/URI \(http(s)?:\/\/([0-9]{1,3}\.){3}[0-9]{1,3}\// ascii
    condition:
        // 0x46445025 == "%PDF"
        uint32(0) == 0x46445025 and all of them
}

rule INDICATOR_OLE_Excel4Macros_DL1 {
    meta:
        author = "ditekSHen"
        description = "Detects OLE Excel 4 Macros documents acting as downloaders"
    strings:
        $s1 = "Macros Excel 4.0" fullword ascii
        // NUL, "Macro1", then 85 00 (presumably the following BOUNDSHEET record id)
        $s2 = { 00 4d 61 63 72 6f 31 85 00 }
        // Very generic on their own; the condition needs 3 of the $s strings
        $s3 = "http" ascii
        $s4 = "file:" ascii
        //$cmd1 = { 00 (43|63) [0-1] (4d|6d) [0-1] (44|64) 20 }
        //$cmd2 = { (50|70) [0-1] (4f|6f) [0-1] (57|77) [0-1] (45|65) [0-1] (52|72) [0-1] (53|73) [0-1] (48|68) [0-1] (45|65) [0-1] (4c|6c) [0-1] (4c|6c) }
        //$cmd3 = { (57|77) [0-1] (53|73) [0-1] (43|63) [0-1] (52|72) [0-1] (49|69) [0-1] (50|70) [0-1] (54|74) }
        $fa_exe = ".exe" ascii nocase
        $fa_scr = ".scr" ascii nocase
        $fa_dll
= ".dll" ascii nocase 755 | $fa_bat = ".bat" ascii nocase 756 | $fa_cmd = ".cmd" ascii nocase 757 | $fa_sct = ".sct" ascii nocase 758 | $fa_txt = ".txt" ascii nocase 759 | $fa_psw = ".ps1" ascii nocase 760 | $fa_py = ".py" ascii nocase 761 | $fa_js = ".js" ascii nocase 762 | condition: 763 | uint16(0) == 0xcfd0 and (3 of ($s*) and 1 of ($fa*)) 764 | } 765 | 766 | rule INDICATOR_OLE_Excel4Macros_DL2 { 767 | meta: 768 | author = "ditekSHen" 769 | description = "Detects OLE Excel 4 Macros documents acting as downloaders" 770 | strings: 771 | $e1 = "Macros Excel 4.0" ascii 772 | $e2 = { 00 4d 61 63 72 6f 31 85 00 } 773 | $a1 = { 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3a 00 } // auto-open 774 | $a2 = { 18 00 17 00 aa 03 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3a 00 } // auto-open 775 | $a3 = { 18 00 21 00 20 00 00 01 12 00 00 00 00 00 00 00 00 00 01 3a ff } // auto-open 776 | $a4 = { 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 02 3a 00 } // auto-close 777 | $a5 = { 18 00 17 00 aa 03 00 01 07 00 00 00 00 00 00 00 00 00 00 02 3a 00 } // auto-clos 778 | $a6 = "auto_open" ascii nocase 779 | $a7 = "auto_close" ascii nocase 780 | $x1 = "* #,##0" ascii 781 | $x2 = "=EXEC(CHAR(" ascii 782 | $x3 = "-w 1 stARt`-s" ascii nocase 783 | $x4 = ")&CHAR(" ascii 784 | $x5 = "Reverse" fullword ascii 785 | condition: 786 | uint16(0) == 0xcfd0 and (1 of ($e*) and 1 of ($a*) and (#x1 > 3 or 2 of ($x*))) 787 | } 788 | 789 | rule INDICATOR_RTF_Embedded_Excel_URLDownloadToFile { 790 | meta: 791 | author = "ditekSHen" 792 | description = "Detects RTF documents that embed Excel documents for detection evation." 
793 | strings: 794 | // Excel 795 | $clsid1 = "2008020000000000c000000000000046" ascii nocase 796 | // Embedded Objects 797 | $obj1 = "\\objhtml" ascii 798 | $obj2 = "\\objdata" ascii 799 | $obj3 = "\\objupdate" ascii 800 | $obj4 = "\\objemb" ascii 801 | $obj5 = "\\objautlink" ascii 802 | $obj6 = "\\objlink" ascii 803 | // OLE Signature 804 | $ole1 = { d0 cf 11 e0 a1 b1 1a e1 } 805 | $ole2 = "d0cf11e0a1b11ae1" ascii nocase 806 | $ole3 = "64306366313165306131623131616531" ascii 807 | $ole4 = "640a300a630a660a310a310a650a300a610a310a620a310a310a610a650a31" 808 | $ole5 = { 64 30 63 66 [0-2] 31 31 65 30 61 31 62 31 31 61 65 31 } 809 | $ole6 = "D0cf11E" ascii nocase 810 | // Lib 811 | $s1 = "55524c446f776e6c6f6164546f46696c6541" ascii nocase // URLDownloadToFile 812 | $s2 = "55524c4d4f4e" ascii nocase // UrlMon 813 | condition: 814 | uint32(0) == 0x74725c7b and (1 of ($clsid*) and 1 of ($obj*) and 1 of ($ole*) and 1 of ($s*)) 815 | } 816 | 817 | rule INDICATOR_OLE_Excel4Macros_DL3 { 818 | meta: 819 | author = "ditekSHen" 820 | description = "Detects OLE Excel 4 Macros documents acting as downloaders" 821 | strings: 822 | $a1 = { 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3a 00 } // auto-open 823 | $a2 = { 18 00 17 00 aa 03 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3a 00 } // auto-open 824 | $a3 = { 18 00 21 00 20 00 00 01 12 00 00 00 00 00 00 00 00 00 01 3a ff } // auto-open 825 | $a4 = { 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 02 3a 00 } // auto-close 826 | $a5 = { 18 00 17 00 aa 03 00 01 07 00 00 00 00 00 00 00 00 00 00 02 3a 00 } // auto-clos 827 | $a6 = "auto_open" ascii nocase 828 | $a7 = "auto_close" ascii nocase 829 | $s1 = "* #,##0" ascii 830 | $s2 = "URLMon" ascii 831 | $s3 = "DownloadToFileA" ascii 832 | $s4 = "DllRegisterServer" ascii 833 | condition: 834 | uint16(0) == 0xcfd0 and 1 of ($a*) and all of ($s*) and #s1 > 3 835 | } 836 | 837 | rule INDICATOR_DOC_PhishingPatterns { 838 | meta: 839 | author = "ditekSHen" 840 | 
description = "Detects OLE, RTF, PDF and OOXML (decompressed) documents with common phishing strings" 841 | strings: 842 | $s1 = "PERFORM THE FOLLOWING STEPS TO PERFORM DECRYPTION" ascii nocase 843 | $s2 = "Enable Editing" ascii nocase 844 | $s3 = "Enable Content" ascii nocase 845 | $s4 = "WHY I CANNOT OPEN THIS DOCUMENT?" ascii nocase 846 | $s5 = "You are using iOS or Android, please use Desktop PC" ascii nocase 847 | $s6 = "You are trying to view this document using Online Viewer" ascii nocase 848 | $s7 = "This document was edited in a different version of" ascii nocase 849 | $s8 = "document are locked and will not" ascii nocase 850 | $s9 = "until the \"Enable\" button is pressed" ascii nocase 851 | $s10 = "This document created in online version of Microsoft Office" ascii nocase 852 | $s11 = "This document created in previous version of Microsoft Office" ascii nocase 853 | $s12 = "This document protected by Microsoft Office" ascii nocase 854 | $s13 = "This document encrypted by" ascii nocase 855 | $s14 = "document created in earlier version of microsoft office" ascii nocase 856 | condition: 857 | (uint16(0) == 0xcfd0 or uint32(0) == 0x74725c7b or uint32(0) == 0x46445025 or uint32(0) == 0x6d783f3c) and 2 of them 858 | } 859 | 860 | rule INDICATOR_OOXML_Excel4Macros_EXEC { 861 | meta: 862 | author = "ditekSHen" 863 | description = "Detects OOXML (decompressed) documents with Excel 4 Macros XLM macrosheet" 864 | clamav_sig = "INDICATOR.OOXML.Excel4MacrosEXEC" 865 | strings: 866 | $ms = "