├── IP ├── README.md ├── Cobalt_Strike_Default_SSL_Certificate.yar └── Cobalt_Strike_Malleable_C2_Profile_jQuery.yar ├── URL ├── README.md ├── URLs_Downloaded_Mimikatz.yar └── URLs_Serving_PSEXEC.yar ├── Domain ├── README.md └── APT32_SOUNDBITE_FQDN_Pattern.yar ├── File ├── README.md ├── VT_LNK_HTTP_MSHTA.yara ├── APT_Bitter_chm_files.yar ├── VT_LNK_HTTP_WEBDAV_POWERSHELL_PDF_DOCX.yara ├── PowerShell_BitsTransfer_Execution.yar ├── Gamaredon_Documents_DavSetCookie_RU.yar ├── VT_LNK_PowerShell_dropping_executing_PDF.yara ├── VT_ISO_dropping_executing_PDF.yara ├── VT_PEEXE_dropping_PDF_and_opening.yara ├── RomCom_MustangPanda_Similar_Behaviors.yar ├── PowerShell_Binary_Injection.yar └── WMI_Event_Subscription_Behaviors.yar ├── CODEOWNERS ├── README.md └── LICENSE /IP/README.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /URL/README.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Domain/README.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /File/README.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @VirusTotal/vt-yara-rules-reviewers 2 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # vt-public-crowdsourced-yara 2 | Share your Yara rules with VirusTotal 3 | -------------------------------------------------------------------------------- 
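/URL/URLs_Downloaded_Mimikatz.yar:
--------------------------------------------------------------------------------
import "vt"

// URL hunt: fires when any engine label attached to the file downloaded from
// the URL contains "mimikatz" (case-insensitive). Precision is bounded by the
// engine labels themselves; a file that only embeds Mimikatz components is
// also caught, as the description says.
rule URLs_Downloaded_Mimikatz {
    meta:
        name = "URLs Serving Files Detected as Mimikatz"
        description = "Using engine names/labels, identify new URLs that serve files detected as Mimikatz. This could include Mimikatz itself, or files that contain Mimi (or it's capabilities) embedded within"
        target_entity = "url"
    condition:
        // `engine` is bound but unused; only the label text is inspected
        for any engine, signature in vt.net.url.downloaded_file.signatures: (
            signature icontains "mimikatz"
        )
}
--------------------------------------------------------------------------------
/URL/URLs_Serving_PSEXEC.yar:
--------------------------------------------------------------------------------
import "vt"

// URL hunt keyed on one exact SHA-256 of a PsExec build. Equality on a single
// hash means any other PsExec release goes unseen; the author accepts noise
// from legitimate distribution points (see description).
rule URLs_Serving_PSEXEC {
    meta:
        name = "URLs Serving Publicly Available PSEXEC Hash"
        description = "Will be slightly noisy due to public distribution URLs (github, etc) but will identify attacker open directories and other staging infrastructure where the attackers have legit tools like PSExec stored along side malware/etc"
        target_entity = "url"
    condition:
        vt.net.url.downloaded_file.sha256 == "3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef"
}
--------------------------------------------------------------------------------
/IP/Cobalt_Strike_Default_SSL_Certificate.yar:
--------------------------------------------------------------------------------
import "vt"

// IP hunt: exact match on the thumbprint of the certificate Cobalt Strike ships
// with. Because this is thumbprint equality, a server whose operator replaced
// the default keystore will not match here.
rule Cobalt_Strike_Default_SSL_Certificate
{
    meta:
        name = "Default CobaltStrike self-signed SSL Certificate"
        description = "Find IP addresses serving the default SSL certificate used out of the box by Cobalt Strike for C2 comms"
        reference = "https://www.mandiant.com/resources/blog/defining-cobalt-strike-components"
        target_entity = "ip_address"
    condition:
        vt.net.ip.https_certificate.thumbprint == "6ece5ece4192683d2d84e25b0ba7e04f9cb7eb7c"
}
--------------------------------------------------------------------------------
/Domain/APT32_SOUNDBITE_FQDN_Pattern.yar:
--------------------------------------------------------------------------------
import "vt"

// Domain hunt: newly seen domain whose name follows the SOUNDBITE C2 scheme
// and that currently resolves to loopback.
rule APT32_SOUNDBITE_FQDN_Pattern
{
    meta:
        name = "APT32 SOUNDBITE FQDN pattern"
        reference = "https://www.mandiant.com/resources/blog/cyber-espionage-apt32"
        description = "Matches on the naming scheme used for C2 servers for APT32's SOUNDBITE malware that performs C2 via DNS lookups."
        target_entity = "domain"
    condition:
        vt.net.domain.new_domain and
        // leading label "z", a label of 4+ characters, then at least one more
        // label; anchored at the start only, so longer suffixes also match
        (vt.net.domain.raw matches /^z\.[^.]{4,}\.[^.]+/)
        // an A record pointing at 127.0.0.1 is part of the observed pattern
        and for any record in vt.net.domain.dns_records:
            (record.type == "A" and record.value == "127.0.0.1")
}
--------------------------------------------------------------------------------
/File/VT_LNK_HTTP_MSHTA.yara:
--------------------------------------------------------------------------------
import "vt"

// File hunt on LNK metadata only (no sandbox fields used): looks for two
// literal fragments in the shortcut's command-line arguments.
rule VT_LNK_HTTP_MSHTA {
    meta:
        target_entity = "file"
        disclaimer = "Please note that this YARA was created from a presentation and study done in a presentation. Before using it, make sure it meets your detection needs."
        purpose = "hunting"
        description = "This YARA rule detects LNK files that are hidding HTTP communications and mshta executions during the sandbox detonation"
        author = "@Joseliyo_Jstnk - VirusTotal"
        hash = "0cee6c7fbe37cb12a8c4416bc916aed3644ad5c09f02641477522a940bfb8d9e"
        //metadata:"'??ht??t?p?://" or metadata:"\\W*\\S*2\\m*h?a."
    condition:
        vt.metadata.new_file and
        // icontains is a literal substring test, not a wildcard: the "?" and
        // "*" characters are matched as-is. NOTE(review): they presumably
        // reflect how VT's exiftool output renders non-printable bytes padding
        // "http://" / the mshta call — confirm against the referenced hash
        // before adding variants.
        (vt.metadata.exiftool["CommandLineArguments"] icontains "??ht??t?p?://" or vt.metadata.exiftool["CommandLineArguments"] icontains "\\W*\\S*2\\m*h?a.")
        // you can add more ways observed to encode http and mshta calls.
}
--------------------------------------------------------------------------------
/IP/Cobalt_Strike_Malleable_C2_Profile_jQuery.yar:
--------------------------------------------------------------------------------
import "vt"

// IP hunt: certificate subject fields taken from the referenced jQuery
// malleable profile, plus the "self-signed" tag as the discriminator from a
// certificate that merely carries the same subject.
rule Cobalt_Strike_Malleable_C2_Profile_jQuery
{
    meta:
        name = "Cobalt Strike Malleable C2 Profile - jQuery (Masquerade)"
        description = "Identifies IP addresses serving a self-signed SSL certificate consistent with a Cobalt Strike Beacon Malleable C2 profile masquerading as the legitiamte jQuery"
        reference = "https://github.com/threatexpress/malleable-c2/blob/master/jquery-c2.4.0.profile"
        target_entity = "ip_address"
    condition:
        vt.net.ip.https_certificate.subject.common_name == "jquery.com" and
        (
            vt.net.ip.https_certificate.subject.organizational_unit == "Certificate Authority" or
            vt.net.ip.https_certificate.subject.organizational_unit == "DigiCertSSL"
        ) and
        vt.net.ip.https_certificate.subject.organization == "jQuery" and
        // "en" is not an ISO country code; it is kept because it is one of the
        // values seen with this profile
        (
            vt.net.ip.https_certificate.subject.country == "US" or
            vt.net.ip.https_certificate.subject.country == "CN" or
            vt.net.ip.https_certificate.subject.country == "en"
        ) and
        for any tag in vt.net.ip.tags:
            (tag == "self-signed")
}
--------------------------------------------------------------------------------
/File/APT_Bitter_chm_files.yar:
--------------------------------------------------------------------------------
import "vt"

// File hunt: CHM samples whose detonation shows schtasks plus a %ComSpec%
// expansion. Each behaviour string is checked in both processes_created and
// command_executions because the same command can surface in either view.
rule APT_Bitter_chm_files {
    meta:
        name = "APT_Bitter_chm_files"
        author = "Joseliyo Sanchez - @Joseliyo_Jstnk"
        description = "Find chm files related to APT Bitter used during their operations"
        target_entity = "file"
        //vt_intelligence_query = behavior_processes:"%Comspec%" behavior_processes:"schtasks.exe" tag:chm

    condition:
        // schtasks: case-insensitive so "SCHTASKS.EXE" / "Schtasks" are not
        // missed (the original used a case-sensitive contains)
        (
            for any vt_behaviour_processes_created in vt.behaviour.processes_created: (
                vt_behaviour_processes_created icontains "schtasks"
            )

            or

            for any vt_behaviour_command_executions in vt.behaviour.command_executions: (
                vt_behaviour_command_executions icontains "schtasks"
            )
        )

        and

        // %ComSpec%: the original enumerated two spellings ("coMSPec", "comspec")
        // with a case-sensitive contains and therefore still missed e.g.
        // "%COMSPEC%"; one case-insensitive needle covers every casing.
        (
            for any vt_behaviour_processes_created in vt.behaviour.processes_created: (
                vt_behaviour_processes_created icontains "comspec"
            )

            or

            for any vt_behaviour_command_executions in vt.behaviour.command_executions: (
                vt_behaviour_command_executions icontains "comspec"
            )
        )

        and

        for any vt_metadata_tags in vt.metadata.tags: (
            vt_metadata_tags == "chm"
        )

        and

        vt.metadata.new_file
}
--------------------------------------------------------------------------------
/File/VT_LNK_HTTP_WEBDAV_POWERSHELL_PDF_DOCX.yara:
--------------------------------------------------------------------------------
import "vt"

// File hunt on LNK metadata only: remote resource + PowerShell + decoy
// document reference in the shortcut's arguments/target.
rule VT_LNK_HTTP_WEBDAV_POWERSHELL_PDF_DOCX {
    meta:
        target_entity = "file"
        disclaimer = "Please note that this YARA was created from a presentation and study done in a presentation. Before using it, make sure it meets your detection needs."
        purpose = "hunting"
        description = "This YARA rule use LNK metadata to detect HTTP and WebDAV connections made by LNK files. PowerShell is executed and finally a decoy .docx or .pdf file is also used during the intrusion"
        author = "@Joseliyo_Jstnk - VirusTotal"
        hash = "19d0c55ac466e4188c4370e204808ca0bc02bba480ec641da8190cb8aee92bdc"
        // 9724cecaa8ca38041ee9f2a42cc5a297 5f126b2279648d849e622e4be910b96c 47f4b4d8f95a7e842691120c66309d5b 8d1b91e8fb68e227f1933cfab99218a4 6fdd416a768d04a1af1f28ecaa29191b 5db75e816b4cef5cc457f0c9e3fc4100 6128d9bf34978d2dc7c0a2d463d1bcdd 825a12e2377dd694bbb667f862d60c43 acd9fc44001da67f1a3592850ec09cb7
    condition:
        vt.metadata.new_file and
        // remote resource: plain HTTP, or a file:// path (WebDAV per the description)
        (
            vt.metadata.exiftool["CommandLineArguments"] icontains "http" or
            vt.metadata.exiftool["CommandLineArguments"] icontains "file://"
        ) and
        // PowerShell either in the arguments or as the shortcut target itself
        (
            vt.metadata.exiftool["CommandLineArguments"] icontains "powershell" or
            vt.metadata.exiftool["RelativePath"] icontains "powershell"
        ) and
        // decoy document reference; the author marks this group as optional
        (
            vt.metadata.exiftool["CommandLineArguments"] icontains ".pdf" or //this can be removed
            vt.metadata.exiftool["CommandLineArguments"] icontains ".docx" //this can be removed
        )
}
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
# Detection Rule License (DRL) 1.1

Permission is hereby granted, free of charge, to any person obtaining a copy
of this rule set and associated documentation files (the "Rules"), to deal
in the Rules without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
of the Rules, and to permit persons to whom the Rules are furnished to do so,
subject to the following conditions:

If you share the Rules (including in modified form), you must retain the
following if it is supplied within the Rules:

1. identification of the authors(s) ("author" field) of the Rule and any
others designated to receive attribution, in any reasonable manner
requested by the Rule author (including by pseudonym if designated).

2. a URI or hyperlink to the Rule set or explicit Rule to the extent
reasonably practicable

3. indicate the Rules are licensed under this Detection Rule License, and
include the text of, or the URI or hyperlink to, this Detection Rule
License to the extent reasonably practicable

If you use the Rules (including in modified form) on data, messages based on
matches with the Rules must retain the following if it is supplied within the
Rules:

1. identification of the authors(s) ("author" field) of the Rule and any
others designated to receive attribution, in any reasonable manner
requested by the Rule author (including by pseudonym if designated).

THE RULES ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE RULES OR THE USE OR OTHER DEALINGS IN THE
RULES.

--------------------------------------------------------------------------------
/File/PowerShell_BitsTransfer_Execution.yar:
--------------------------------------------------------------------------------
import "vt"

// File hunt: Start-BitsTransfer download paired with a Base64 decode or a
// System.IO.File call, each searched across the three process views
// (created, terminated, command_executions).
rule PowerShell_BitsTransfer_Execution {
    meta:
        name = "PowerShell_BitsTransfer_Execution"
        target_entity = "file"
        description = "Behavior identified by Kaspersky CTI Team in their - Modern Asian APT Groups report"
        reference = "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/11/09055246/Modern-Asian-APT-groups-TTPs_report_eng.pdf"
        author = "Joseliyo Sanchez - @Joseliyo_Jstnk"
        sha256 = "464e1847b4fd20aa49a1928a25b64281a62de5e542a6610b75bb5f3835a3a451"
        //behavior_processes:"Start-BitsTransfer -Source" (behavior_processes:"[System.Convert]::FromBase64String" or behavior_processes:"[System.IO.File]::WriteAllBytes")

    condition:
        vt.metadata.new_file and
        (
            for any vt_behaviour_processes_created in vt.behaviour.processes_created: ( vt_behaviour_processes_created icontains "Start-BitsTransfer -Source" )
            or
            for any vt_behaviour_processes_terminated in vt.behaviour.processes_terminated: ( vt_behaviour_processes_terminated icontains "Start-BitsTransfer -Source" )
            or
            for any vt_behaviour_command_executions in vt.behaviour.command_executions : ( vt_behaviour_command_executions icontains "Start-BitsTransfer -Source" )
        )

        and

        // "[System.IO.File]" is deliberately broader than the WriteAllBytes call
        // named in the VTI query above
        (
            for any vt_behaviour_processes_created in vt.behaviour.processes_created: (
                vt_behaviour_processes_created icontains "[System.Convert]::FromBase64String"
                or
                vt_behaviour_processes_created icontains "[System.IO.File]"
            )

            or

            for any vt_behaviour_processes_terminated in vt.behaviour.processes_terminated: (
                vt_behaviour_processes_terminated icontains "[System.Convert]::FromBase64String"
                or
                vt_behaviour_processes_terminated icontains "[System.IO.File]"
            )

            or

            for any vt_behaviour_command_executions in vt.behaviour.command_executions : (
                vt_behaviour_command_executions icontains "[System.Convert]::FromBase64String"
                or
                vt_behaviour_command_executions icontains "[System.IO.File]"
            )
        )
}
--------------------------------------------------------------------------------
/File/Gamaredon_Documents_DavSetCookie_RU.yar:
--------------------------------------------------------------------------------
import "vt"

// File hunt: documents whose detonation shows a DavSetCookie command line
// referencing an http URL under .ru, plus .ru network activity.
// NOTE(review): unlike the sibling rules there is no vt.metadata.new_file
// guard, so previously seen files are also evaluated — presumably
// intentional; confirm.
rule Gamaredon_Documents_DavSetCookie_RU {
    meta:
        name = "Gamaredon_Documents_DavSetCookie_RU"
        author = "Joseliyo Sanchez - @Joseliyo_Jstnk"
        description = "Documents related to Gamaredon threat actor abusing of DavSetCookie to load remote templates"
        target_entity = "file"
        sha256 = "01d27b175fcc3c7917223abe51e55adbb69d052bfccc189d30df2b4cb2c35480"
        // vt_intelligence_query = (behavior_processes:*.ru* and behavior_processes:*DavSetCookie* and behavior_processes:*http*) and (behavior_network:*.ru* or embedded_domain:*.ru* or embedded_url:*.ru*) and (type:document)

    condition:
        // ".ru" is a plain substring test, so paths like ".run" also satisfy it
        (
            for any vt_behaviour_processes_terminated in vt.behaviour.processes_terminated: (
                vt_behaviour_processes_terminated icontains ",DavSetCookie" and
                vt_behaviour_processes_terminated contains "http" and
                vt_behaviour_processes_terminated contains ".ru"
            )

            or

            for any vt_behaviour_command_executions in vt.behaviour.command_executions : (
                vt_behaviour_command_executions icontains ",DavSetCookie" and
                vt_behaviour_command_executions contains "http" and
                vt_behaviour_command_executions contains ".ru"
            )

            or

            for any vt_behaviour_processes_created in vt.behaviour.processes_created : (
                vt_behaviour_processes_created icontains ",DavSetCookie" and
                vt_behaviour_processes_created contains "http" and
                vt_behaviour_processes_created contains ".ru"
            )
        )

        and

        // corroborating network evidence: an HTTP URL or a DNS lookup under .ru
        (
            for any vt_behaviour_http_conversations in vt.behaviour.http_conversations: (
                vt_behaviour_http_conversations.url contains ".ru"
            ) or
            for any vt_behaviour_dns_lookups in vt.behaviour.dns_lookups: (
                vt_behaviour_dns_lookups.hostname contains ".ru"
            )
        )

        and

        for any vt_metadata_file_type_tags in vt.metadata.file_type_tags: (
            vt_metadata_file_type_tags == "document"
        )
}
--------------------------------------------------------------------------------
/File/VT_LNK_PowerShell_dropping_executing_PDF.yara:
--------------------------------------------------------------------------------
import "vt"

// File hunt: LNK that launches PowerShell, writes a PDF, and opens it in
// Acrobat Reader during detonation.
rule VT_LNK_PowerShell_dropping_executing_PDF {
    meta:
        target_entity = "file"
        disclaimer = "Please note that this YARA was created from a presentation and study done in a presentation. Before using it, make sure it meets your detection needs."
        purpose = "hunting"
        description = "This YARA rule detects LNK files that are executing PowerShell in order to drop and load a decoy PDF file. This technique is commonly used by some APT groups and cybercriminals."
        author = "@Joseliyo_Jstnk - VirusTotal"
        hash = "c6398b5ca98e0da75c7d1ec937507640037ce3f3c66e074c50a680395ecf5eae"
    condition:
        vt.metadata.new_file and
        for any vt_metadata_tags in vt.metadata.tags: ( vt_metadata_tags == "lnk") and
        // stage 1: PowerShell in any of the three process views
        (
            for any vt_behaviour_processes_created in vt.behaviour.processes_created: (
                vt_behaviour_processes_created icontains "powershell"
            ) or
            for any vt_behaviour_processes_terminated in vt.behaviour.processes_terminated: (
                vt_behaviour_processes_terminated icontains "powershell"
            ) or
            for any vt_behaviour_command_executions in vt.behaviour.command_executions: (
                vt_behaviour_command_executions icontains "powershell"
            )
        )
        and
        // stage 2: a PDF lands on disk. iendswith replaces the original
        // case-sensitive endswith, which silently missed ".PDF" decoys.
        (
            for any vt_behaviour_files_written in vt.behaviour.files_written: (
                vt_behaviour_files_written iendswith ".pdf"
            ) or
            for any vt_behaviour_files_dropped in vt.behaviour.files_dropped: (
                vt_behaviour_files_dropped.path iendswith ".pdf" and vt_behaviour_files_dropped.process_name icontains "powershell"
            )
        )
        and
        // stage 3: the decoy is opened in Acrobat Reader (process or its DLL)
        (
            for any vt_behaviour_processes_created in vt.behaviour.processes_created: (
                vt_behaviour_processes_created icontains "AcroRd32.exe" and vt_behaviour_processes_created icontains ".pdf"
            ) or
            for any vt_behaviour_processes_terminated in vt.behaviour.processes_terminated: (
                vt_behaviour_processes_terminated icontains "AcroRd32.exe" and vt_behaviour_processes_terminated icontains ".pdf"
            ) or
            for any vt_behaviour_command_executions in vt.behaviour.command_executions: (
                vt_behaviour_command_executions icontains "AcroRd32.exe" and vt_behaviour_command_executions icontains ".pdf"
            ) or
            for any vt_behaviour_files_opened in vt.behaviour.files_opened: (
                vt_behaviour_files_opened icontains "AcroRd32.dll"
            )
        )
}

--------------------------------------------------------------------------------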
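/File/VT_ISO_dropping_executing_PDF.yara:
--------------------------------------------------------------------------------
import "vt"

// File hunt: disk-image samples whose detonation opens a PDF in Acrobat
// Reader, gated on at least 3 malicious verdicts.
rule VT_ISO_dropping_executing_PDF {
    meta:
        target_entity = "file"
        disclaimer = "Please note that this YARA was created from a presentation and study done in a presentation. Before using it, make sure it meets your detection needs."
        purpose = "hunting"
        description = "This YARA rule detects mounted ISO Images and DMG files, that are also executing a decoy PDF file during the sandbox detonation."
        author = "@Joseliyo_Jstnk - VirusTotal"
        hash = "f9f2ff85bb4523a5ebd6e3e66f2d768596d0b52f5e03db62af70b7136c0f9d81"
    condition:
        vt.metadata.new_file and
        // NOTE(review): the Mount-DiskImage command line below reads like the
        // sandbox's own mounting step rather than something inside the sample,
        // i.e. the clause effectively asks "was this detonated as a disk
        // image". Confirm; if so, expect it to break when the harness changes.
        (
            for any vt_behaviour_processes_created in vt.behaviour.processes_created: (
                vt_behaviour_processes_created icontains "cmd.exe /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\\Windows\\path.txt) > tmp.log 2>&1"
            ) or
            for any vt_behaviour_command_executions in vt.behaviour.command_executions: (
                vt_behaviour_command_executions icontains "cmd.exe /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\\Windows\\path.txt) > tmp.log 2>&1"
            ) or
            for any vt_behaviour_processes_terminated in vt.behaviour.processes_terminated: (
                vt_behaviour_processes_terminated icontains "cmd.exe /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\\Windows\\path.txt) > tmp.log 2>&1"
            )
        ) and
        // decoy PDF opened in Acrobat Reader, in any of the three process views
        (
            for any vt_behaviour_processes_created in vt.behaviour.processes_created: (
                vt_behaviour_processes_created icontains "AcroRd32.exe" and vt_behaviour_processes_created icontains ".pdf"
            ) or
            for any vt_behaviour_processes_terminated in vt.behaviour.processes_terminated: (
                vt_behaviour_processes_terminated icontains "AcroRd32.exe" and vt_behaviour_processes_terminated icontains ".pdf"
            ) or
            for any vt_behaviour_command_executions in vt.behaviour.command_executions: (
                vt_behaviour_command_executions icontains "AcroRd32.exe" and vt_behaviour_command_executions icontains ".pdf"
            )
        ) and
        vt.metadata.analysis_stats.malicious >= 3

        // Other ideas to add in your livehunt

        //for any vt_behaviour_files_dropped in vt.behaviour.files_dropped: (
        //    vt_behaviour_files_dropped.path icontains "\\Device\\" and vt_behaviour_files_dropped.path iendswith ".dll"
        //)

        //for any vt_behaviour_files_dropped in vt.behaviour.files_dropped: (
        //    vt_behaviour_files_dropped.path icontains "\\Device\\" and vt_behaviour_files_dropped.type == vt.FileType.PDF
        //)

}

--------------------------------------------------------------------------------
/File/VT_PEEXE_dropping_PDF_and_opening.yara:
--------------------------------------------------------------------------------
import "vt"

// File hunt: executables (not PDFs themselves) that place a PDF in a user
// writable location and open it with Acrobat Reader, gated on 5+ malicious
// verdicts.
// NOTE(review): the file is named VT_PEEXE_dropping_PDF_and_opening.yara but
// the rule identifier is VT_PEEXE_dropping_executing_PDF; align one of them.
rule VT_PEEXE_dropping_executing_PDF {
    meta:
        target_entity = "file"
        disclaimer = "Please note that this YARA was created from a presentation and study done in a presentation. Before using it, make sure it meets your detection needs."
        purpose = "hunting"
        description = "This YARA rule detects PEEXE that are dropping and executing decoy PDF files. Most of the files detected are fake docs trojanized."
        author = "@Joseliyo_Jstnk - VirusTotal"
        hash = "6d48c8b9caa754587fdd1412139fba9820dbf02fe30e70156b0a597f8b7a4665"
        // entity:file (behavior_files:"\\Users\\Public\\" and behavior_files:"*.pdf") fs:2024-01-01+ p:5+ (behavior_processes:"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe" and behavior_processes:"*.pdf") and not tag:pdf
    condition:
        vt.metadata.new_file and vt.metadata.analysis_stats.malicious >= 5 and
        // a PDF in Public, Temp, Downloads or Desktop, seen as opened, written
        // or dropped. iendswith replaces the original case-sensitive endswith,
        // which missed ".PDF" names.
        (
            for any vt_behaviour_files_opened in vt.behaviour.files_opened: (
                (vt_behaviour_files_opened icontains "C:\\Users\\Public\\" or vt_behaviour_files_opened icontains "\\AppData\\Local\\Temp\\" or vt_behaviour_files_opened icontains "\\Downloads\\" or vt_behaviour_files_opened icontains "\\Desktop\\") and vt_behaviour_files_opened iendswith ".pdf"
            ) or
            for any vt_behaviour_files_written in vt.behaviour.files_written: (
                (vt_behaviour_files_written icontains "C:\\Users\\Public\\" or vt_behaviour_files_written icontains "\\AppData\\Local\\Temp\\" or vt_behaviour_files_written icontains "\\Downloads\\" or vt_behaviour_files_written icontains "\\Desktop\\") and vt_behaviour_files_written iendswith ".pdf"
            ) or
            for any vt_behaviour_files_dropped in vt.behaviour.files_dropped: (
                (vt_behaviour_files_dropped.path icontains "C:\\Users\\Public\\" or vt_behaviour_files_dropped.path icontains "\\AppData\\Local\\Temp\\" or vt_behaviour_files_dropped.path icontains "\\Downloads\\" or vt_behaviour_files_dropped.path icontains "\\Desktop\\") and vt_behaviour_files_dropped.path iendswith ".pdf"
            )
        ) and
        // Acrobat Reader launched with a command line ending in the PDF; the
        // full install path is required, so a differently installed reader
        // will not match
        (
            for any vt_behaviour_processes_created in vt.behaviour.processes_created: (
                vt_behaviour_processes_created icontains "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe" and vt_behaviour_processes_created iendswith ".pdf"
            ) or
            for any vt_behaviour_command_executions in vt.behaviour.command_executions: (
                vt_behaviour_command_executions icontains "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe" and vt_behaviour_command_executions iendswith ".pdf"
            ) or
            for any vt_behaviour_processes_terminated in vt.behaviour.processes_terminated: (
                vt_behaviour_processes_terminated icontains "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe" and vt_behaviour_processes_terminated iendswith ".pdf"
            )
        ) and not for any vt_metadata_tags in vt.metadata.tags: (vt_metadata_tags == "pdf")
}

--------------------------------------------------------------------------------
/File/RomCom_MustangPanda_Similar_Behaviors.yar:
--------------------------------------------------------------------------------
import "vt"

// File hunt: DLL/EXE/MSI with 2+ malicious verdicts that writes under
// \Public\Libraries and invokes a DLL export through rundll32.
rule RomCom_MustangPanda_Similar_Behaviors
{
    meta:
        name = "RomCom_MustangPanda_Similar_Behaviors"
        description = "Rule to detect samples related to RomCom RAT and also Mustang Panda, since both are sharing common behaviors"
        author = "Joseliyo Sanchez - @Joseliyo_Jstnk"
        target_entity = "file"
        sha256 = "6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d"
        // vt_intelligence_query1 = ((behavior_processes:".dll,fwdTst") OR (behavior_processes:"dll\",#1" behavior_processes:"\\Public\\Libraries\\") OR (behavior_processes:*.dll0* behavior_processes:"\\Public\\Libraries\\")) AND ((behaviour_files:*\\Public\\Libraries\\*) AND (behavior:*rundll32.exe*))
        // vt_intelligence_query2 = ((behavior_processes:".dll,fwdTst") OR (behavior_processes:"dll\",#1" behavior_processes:"\\Public\\Libraries\\") OR (behavior_processes:*.dll0* behavior_processes:"\\Public\\Libraries\\") OR (behavior_processes:*.dll,main* behavior_processes:"\\Public\\Libraries\\")) AND ((behaviour_files:*\\Public\\Libraries\\*) AND (behavior:*rundll32.exe*))

    condition:

        (
            vt.metadata.file_type == vt.FileType.PE_DLL or
            vt.metadata.file_type == vt.FileType.PE_EXE or
            vt.metadata.file_type == vt.FileType.MSI
        )

        // i.e. malicious >= 2
        and not

        (
            vt.metadata.analysis_stats.malicious <= 1
        )

        and

        // staging directory shared by both families (see VTI queries above)
        (
            for any files_writt in vt.behaviour.files_written : (
                files_writt icontains "\\Public\\Libraries"
            )
        )

        and

        (
            for any proc in vt.behaviour.processes_created : (
                proc icontains "rundll32"
            )
            or
            for any cmd in vt.behaviour.command_executions : (
                cmd icontains "rundll32"
            )
            or
            for any term in vt.behaviour.processes_terminated: (
                term icontains "rundll32"
            )
        )

        and

        // export selector on a .dll: ordinal #1, fwdTst or main. Note ",#1"
        // and ".dll" use the case-sensitive contains while the names use icontains.
        (

            for any cmdexec in vt.behaviour.command_executions : (
                (cmdexec contains ",#1" or cmdexec icontains ",fwdTst" or cmdexec icontains ",main") and
                cmdexec contains ".dll"
            )
            or
            for any proc in vt.behaviour.processes_created : (
                (proc contains ",#1" or proc icontains ",fwdTst" or proc icontains ",main") and
                proc contains ".dll"
            )
            or
            for any terminated in vt.behaviour.processes_terminated : (
                (terminated contains ",#1" or terminated icontains ",fwdTst" or terminated icontains ",main") and
                terminated contains ".dll"
            )

        )

        and vt.metadata.new_file
}
--------------------------------------------------------------------------------
/File/PowerShell_Binary_Injection.yar:
--------------------------------------------------------------------------------
import "vt"

// File hunt: three fixed command-line fragments from the referenced report,
// each required, each searched in the three process views plus the
// CommandLine field of any Sigma match context.
rule PowerShell_Binary_Injection {
    meta:
        name = "PowerShell_Binary_Injection"
        target_entity = "file"
        description = "Behavior identified by Kaspersky CTI Team in their - Modern Asian APT Groups report"
        reference = "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/11/09055246/Modern-Asian-APT-groups-TTPs_report_eng.pdf"
        author = "Joseliyo Sanchez - @Joseliyo_Jstnk"
        sha256 = "676e2d67ab2de186b1e5375d30530e4c45006e793fb229ad906d6c820b9ab575"
        //behavior_processes:"{$b='PowerShell.exe'}" behavior_processes:"-nop -w hidden -noni -c" behavior_processes:"{$b=$env:windir+"

    condition:
        vt.metadata.new_file and
        // fragment 1: launcher switches
        (
            for any vt_behaviour_processes_created in vt.behaviour.processes_created: ( vt_behaviour_processes_created icontains "-nop -w hidden -noni -c" )
            or
            for any vt_behaviour_command_executions in vt.behaviour.command_executions : ( vt_behaviour_command_executions icontains "-nop -w hidden -noni -c" )
            or
            for any vt_behaviour_processes_terminated in vt.behaviour.processes_terminated: ( vt_behaviour_processes_terminated icontains "-nop -w hidden -noni -c" )
            or
            for any vt_behaviour_sigma_analysis_results in vt.behaviour.sigma_analysis_results: (
                for any vt_behaviour_sigma_analysis_results_match_context in vt_behaviour_sigma_analysis_results.match_context: (
                    vt_behaviour_sigma_analysis_results_match_context.values["CommandLine"] icontains "-nop -w hidden -noni -c"
                )
            )
        )

        and

        // fragment 2
        (

            for any vt_behaviour_processes_created in vt.behaviour.processes_created: ( vt_behaviour_processes_created icontains "{$b=$env:windir+" )
            or
            for any vt_behaviour_command_executions in vt.behaviour.command_executions : ( vt_behaviour_command_executions icontains "{$b=$env:windir+" )
            or
            for any vt_behaviour_processes_terminated in vt.behaviour.processes_terminated: ( vt_behaviour_processes_terminated icontains "{$b=$env:windir+" )
            or
            for any vt_behaviour_sigma_analysis_results in vt.behaviour.sigma_analysis_results: (
                for any vt_behaviour_sigma_analysis_results_match_context in vt_behaviour_sigma_analysis_results.match_context: (
                    vt_behaviour_sigma_analysis_results_match_context.values["CommandLine"] icontains "{$b=$env:windir+"
                )
            )
        )

        and

        // fragment 3
        (
            for any vt_behaviour_processes_created in vt.behaviour.processes_created: ( vt_behaviour_processes_created icontains "{$b='PowerShell.exe'}" )
            or
            for any vt_behaviour_command_executions in vt.behaviour.command_executions : ( vt_behaviour_command_executions icontains "{$b='PowerShell.exe'}" )
            or
            for any vt_behaviour_processes_terminated in vt.behaviour.processes_terminated: ( vt_behaviour_processes_terminated icontains "{$b='PowerShell.exe'}" )
            or
            for any vt_behaviour_sigma_analysis_results in vt.behaviour.sigma_analysis_results: (
                for any vt_behaviour_sigma_analysis_results_match_context in vt_behaviour_sigma_analysis_results.match_context: (
                    vt_behaviour_sigma_analysis_results_match_context.values["CommandLine"] icontains "{$b='PowerShell.exe'}"
                )
            )
        )
}
--------------------------------------------------------------------------------
/File/WMI_Event_Subscription_Behaviors.yar:
--------------------------------------------------------------------------------
import "vt"

// File hunt: WMI permanent event subscription artefacts (WQL filter,
// EventNameSpace, ExecutablePath, CommandLineEventConsumer) in process
// command lines or in system_property_lookups / text_highlighted.
// NOTE(review): the VTI query in the comment writes `QueryLanguage = "WQL"`
// with spaces around "=", whereas every needle below has none — presumably
// the behaviour report normalises whitespace; confirm against the sha256.
// Also note that in each "or (...)" group the third clause repeats the first
// (system_property_lookups is searched twice with the same needle).
rule WMI_Event_Subscription_Behaviors {
    meta:
        name = "WMI_Event_Subscription_Behaviors"
        target_entity = "file"
        description = "Behavior identified by Kaspersky CTI Team in their - Modern Asian APT Groups report"
        reference = "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/11/09055246/Modern-Asian-APT-groups-TTPs_report_eng.pdf"
        author = "Joseliyo Sanchez - @Joseliyo_Jstnk"
        sha256 = "8b7b38ec56a9dc0b73e3078ea22070dfe32c99ec836182393b8dbe62ca8f2018"
        //(behavior:"EventNamespace =") (behavior:"Name =") behavior:"QueryLanguage = \"WQL\"" (behavior:"__EventFilter" behavior:"CommandLineEventConsumer") behavior:"ExecutablePath ="

    condition:
        vt.metadata.new_file and
        (
            (
                for any vt_behaviour_processes_terminated in vt.behaviour.processes_terminated: ( vt_behaviour_processes_terminated icontains "QueryLanguage=WQL" or vt_behaviour_processes_terminated icontains "QueryLanguage=\"WQL\"" )
                or
                for any vt_behaviour_command_executions in vt.behaviour.command_executions : ( vt_behaviour_command_executions icontains "QueryLanguage=WQL" or vt_behaviour_command_executions icontains "QueryLanguage=\"WQL\"" )
                or
                for any vt_behaviour_processes_created in vt.behaviour.processes_created : ( vt_behaviour_processes_created icontains "QueryLanguage=WQL" or vt_behaviour_processes_created icontains "QueryLanguage=\"WQL\"" )
            )
            or
            (
                for any vt_behaviour_system_property_lookups in vt.behaviour.system_property_lookups: ( vt_behaviour_system_property_lookups icontains "QueryLanguage=WQL" or vt_behaviour_system_property_lookups icontains "QueryLanguage=\"WQL\"" )
                or
                for any vt_behaviour_text_highlighted in vt.behaviour.text_highlighted: ( vt_behaviour_text_highlighted icontains "QueryLanguage=WQL" or vt_behaviour_text_highlighted icontains "QueryLanguage=\"WQL\"" )
                or
                for any vt_behaviour_system_property_lookups in vt.behaviour.system_property_lookups: ( vt_behaviour_system_property_lookups icontains "__EventFilter" or vt_behaviour_system_property_lookups icontains "QueryLanguage=\"WQL\"" )
            )
        )

        and

        (
            (
                for any vt_behaviour_processes_terminated in vt.behaviour.processes_terminated: ( vt_behaviour_processes_terminated icontains "EventNameSpace=" )
                or
                for any vt_behaviour_command_executions in vt.behaviour.command_executions : ( vt_behaviour_command_executions icontains "EventNameSpace=" )
                or
                for any vt_behaviour_processes_created in vt.behaviour.processes_created : ( vt_behaviour_processes_created icontains "EventNameSpace=" )
            )
            or
            (
                for any vt_behaviour_system_property_lookups in vt.behaviour.system_property_lookups: ( vt_behaviour_system_property_lookups icontains "EventNameSpace=" )
                or
                for any vt_behaviour_text_highlighted in vt.behaviour.text_highlighted: ( vt_behaviour_text_highlighted icontains "EventNameSpace=" )
                or
                for any vt_behaviour_system_property_lookups in vt.behaviour.system_property_lookups: ( vt_behaviour_system_property_lookups icontains "EventNameSpace=" )
            )
        )

        and

        (
            (
                for any vt_behaviour_processes_terminated in vt.behaviour.processes_terminated: (vt_behaviour_processes_terminated icontains "ExecutablePath=" or vt_behaviour_processes_terminated icontains "ExecutablePath<>")
                or
                for any vt_behaviour_command_executions in vt.behaviour.command_executions : ( vt_behaviour_command_executions icontains "ExecutablePath=" or vt_behaviour_command_executions icontains "ExecutablePath<>" )
                or
                for any vt_behaviour_processes_created in vt.behaviour.processes_created : ( vt_behaviour_processes_created icontains "ExecutablePath=" or vt_behaviour_processes_created icontains "ExecutablePath<>" )
            )
            or
            (
                for any vt_behaviour_system_property_lookups in vt.behaviour.system_property_lookups: ( vt_behaviour_system_property_lookups icontains "ExecutablePath=" )
                or
                for any vt_behaviour_text_highlighted in vt.behaviour.text_highlighted: ( vt_behaviour_text_highlighted icontains "ExecutablePath=" )
                or
                for any vt_behaviour_system_property_lookups in vt.behaviour.system_property_lookups: ( vt_behaviour_system_property_lookups icontains "ExecutablePath=" )
            )
        )

        and

        (
            (
                for any vt_behaviour_processes_terminated in vt.behaviour.processes_terminated: (vt_behaviour_processes_terminated icontains "CommandLineEventConsumer" )
                or
                for any vt_behaviour_command_executions in vt.behaviour.command_executions : ( vt_behaviour_command_executions icontains "CommandLineEventConsumer" )
                or
                for any vt_behaviour_processes_created in vt.behaviour.processes_created : ( vt_behaviour_processes_created icontains "CommandLineEventConsumer" )
            )
            or
            (
                for any vt_behaviour_system_property_lookups in vt.behaviour.system_property_lookups: (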
vt_behaviour_system_property_lookups icontains "CommandLineEventConsumer" ) 86 | or 87 | for any vt_behaviour_text_highlighted in vt.behaviour.text_highlighted: ( vt_behaviour_text_highlighted icontains "CommandLineEventConsumer" ) 88 | or 89 | for any vt_behaviour_system_property_lookups in vt.behaviour.system_property_lookups: ( vt_behaviour_system_property_lookups icontains "CommandLineEventConsumer" ) 90 | ) 91 | ) 92 | 93 | and 94 | 95 | ( 96 | ( 97 | for any vt_behaviour_processes_terminated in vt.behaviour.processes_terminated: (vt_behaviour_processes_terminated icontains "Name=" ) 98 | or 99 | for any vt_behaviour_command_executions in vt.behaviour.command_executions : ( vt_behaviour_command_executions icontains "Name=" ) 100 | or 101 | for any vt_behaviour_processes_created in vt.behaviour.processes_created : ( vt_behaviour_processes_created icontains "Name=" ) 102 | ) 103 | or 104 | ( 105 | for any vt_behaviour_system_property_lookups in vt.behaviour.system_property_lookups: ( vt_behaviour_system_property_lookups icontains "Name=" ) 106 | or 107 | for any vt_behaviour_text_highlighted in vt.behaviour.text_highlighted: ( vt_behaviour_text_highlighted icontains "Name=" ) 108 | or 109 | for any vt_behaviour_system_property_lookups in vt.behaviour.system_property_lookups: ( vt_behaviour_system_property_lookups icontains "Name=" ) 110 | ) 111 | ) 112 | 113 | and 114 | 115 | ( 116 | ( 117 | for any vt_behaviour_processes_terminated in vt.behaviour.processes_terminated: (vt_behaviour_processes_terminated icontains "__EventFilter" ) 118 | or 119 | for any vt_behaviour_command_executions in vt.behaviour.command_executions : ( vt_behaviour_command_executions icontains "__EventFilter" ) 120 | or 121 | for any vt_behaviour_processes_created in vt.behaviour.processes_created : ( vt_behaviour_processes_created icontains "__EventFilter" ) 122 | ) 123 | or 124 | ( 125 | for any vt_behaviour_system_property_lookups in vt.behaviour.system_property_lookups: ( 
vt_behaviour_system_property_lookups icontains "__EventFilter" ) 126 | or 127 | for any vt_behaviour_text_highlighted in vt.behaviour.text_highlighted: ( vt_behaviour_text_highlighted icontains "__EventFilter" ) 128 | or 129 | for any vt_behaviour_system_property_lookups in vt.behaviour.system_property_lookups: ( vt_behaviour_system_property_lookups icontains "__EventFilter" ) 130 | ) 131 | ) 132 | } --------------------------------------------------------------------------------