├── README.md
├── page_brute-BETA.py
└── default_signatures.yar


/README.md:
--------------------------------------------------------------------------------
  1 | page_brute (beta!)
  2 | ==========
  3 | 
  4 | **page_brute.py** is a digital forensic tool purposed to analyze and categorize individual paged memory frames from Windows Page Files by appying YARA-based signatures to fix-sized blocks of pagefile.sys. 
  5 | 
  6 | ***This tool can be used to:***
  7 |  * Disambiguate evidence within pagefile.sys by logically grouping blocks/pages into categories based on YARA rulesets of forensic artifacts that follow a pattern/convention.
  8 |  * Identify page files that contain remanants of popular cleartext protocols such as HTTP/FTP, etc to identify network activities.
  9 |  * Identify potential attacker activities based on popular command syntaxes used during internal propagations.
 10 |  * Identify evidence of active malware infections based on YARA signatures for known malware.
 11 |  * Isolate page files that contain signatures/magic values for popular file formats for more precise file carving.
 12 | 
 13 | ##NOTICE:
 14 | This tool is currently in beta! This utility and its signature set is subject to change in the near future! For suggestions - email the author via github.
 15 | 
 16 | ##Requires:
 17 |  * yara & yara-python: http://code.google.com/p/yara-project/downloads/list
 18 |  * default_signatures.yar (see above)
 19 | 
 20 | ##How does it work?
 21 | 1. Given block size, page_brute.py reads in pagefile in fixed-sized blocks (default, 4096 bytes)
 22 | 2. For each block, page_brute decides if the block is null - if null, the block is skipped.
 23 | 3. If block is not null, the block is applied against compiled yara signatures (defined in -r/--rules argument).
 24 |   * If -r/--rules not provided, page_brute.py will read from the default ruleset: default_signatures.yar
 25 |   * Custom rules stored in a folder can also be provided as an argument to -r/--rules (must end in .yar)
 26 | 4. If a block matches a YARA signature, the raw block will be stored in the corresponding output directory.
 27 |   * -o/--scanname defines output folder that raw blocks will be saved.
 28 |   * If no output is specified, a default folder is created in pwd: PAGE_BRUTE-YYYY-MM-DD-HH:MM:SS-RESULTS
 29 | 5. Blocks are labeled by their logical page ID beginning at 0.
 30 |   * To determine offset, multiply pageID by the page size.
 31 | 
 32 | ***NOTE:*** if a page file matches against multiple signatures, the corresponding page file will be copied to each rule directory.
 33 | 
 34 | ##How do I write signatures?
 35 | YARA is a powerful engine that allows you to match groups of strings,binary sequences,and regular expressions with user-defined boolean conditions against pretty much anything.
 36 | 
 37 | To learn more about writing YARA rules, please see the informative user guide here: http://yara-project.googlecode.com/files/YARA%20User%27s%20Manual%201.6.pdf
 38 | 
 39 | ##Current Signatures:
 40 |   * FTP
 41 |   * HTTP requests/responses
 42 |   * IRC
 43 |   * Administrative/Hidden Share Abuse
 44 |   * Remote system syntaxes
 45 |   * HTML
 46 |   * Javascript
 47 |   * CMD Shell (this might suck)
 48 |   * SMTP Message Headers
 49 | 
 50 | ##Usage:
 51 | From the help page:
 52 | ```
 53 | usage: page_brute-BETA.py [-h] [-f FILE] [-p SIZE] [-o SCANNAME] [-i]
 54 |                           [-r RULEFILE]
 55 | 
 56 | Checks pages in pagefiles for YARA-based rule matches. Useful to identify
 57 | forensic artifacts within Windows-based page files and characterize blocks
 58 | based on regular expressions.
 59 | 
 60 | optional arguments:
 61 |   -h, --help            show this help message and exit
 62 |   -r RULEFILE, --rules RULEFILE
 63 |                         File/directory containing YARA signatures (must end
 64 |                         with .yar)
 65 | 
 66 |   -f FILE, --file FILE  Pagefile or any chunk/block-based binary file
 67 |   -p SIZE, --size SIZE  Size of chunk/block in bytes (Default 4096)
 68 |   -o SCANNAME, --scanname SCANNAME
 69 |                         Descriptor of the scan session - used for output
 70 |                         directory
 71 |   -i, --invert          Given scan options, match all blocks that DO NOT match
 72 |                         a ruleset
 73 | ```
 74 | ###In Action:
 75 | ```
 76 | root@system:~/Desktop/page/page_brute# ./page_brute-BETA.py --file=pagefile.sys
 77 | [+] - PAGE_BRUTE processing file: pagefile.sys
 78 | [+] - Ruleset Compilation Successful.
 79 | [+] - PAGE_BRUTE running with the following options:
 80 | 	[-] - FILE: pagefile.sys
 81 | 	[-] - PAGE_SIZE: 4096
 82 | 	[-] - RULES TYPE: DEFAULT
 83 | 	[-] - RULE LOCATION: default_signatures.yar
 84 | 	[-] - INVERSION SCAN: False
 85 | 	[-] - WORKING DIR: PAGE_BRUTE-2013-10-27-01:09:33-RESULTS
 86 | 	=================
 87 | 
 88 |         [!] FLAGGED BLOCK 56: cmdshell
 89 |         [!] FLAGGED BLOCK 87: cmdshell
 90 |         [!] FLAGGED BLOCK 1222: webartifact_html
 91 |         [!] FLAGGED BLOCK 1454: webartifact_html
 92 |         [!] FLAGGED BLOCK 1782: webartifact_html
 93 |         [!] FLAGGED BLOCK 2200: webartifact_html
 94 |         [!] FLAGGED BLOCK 3781: webartifact_html
 95 |         
 96 | root@system:~/Desktop/page/page_brute# ls -lR PAGE_BRUTE-2013-10-27-01\:09\:33-RESULTS/
 97 | PAGE_BRUTE-2013-10-27-01:09:33-RESULTS/:
 98 | total 8
 99 | drwxr-xr-x 2 root root 4096 Oct 27 01:09 cmdshell
100 | drwxr-xr-x 2 root root 4096 Oct 27 01:09 webartifact_html
101 | 
102 | PAGE_BRUTE-2013-10-27-01:09:33-RESULTS/cmdshell:
103 | total 8
104 | -rw-r--r-- 1 root root 4096 Oct 27 01:09 118.page
105 | -rw-r--r-- 1 root root 4096 Oct 27 01:09 77.page
106 | 
107 | PAGE_BRUTE-2013-10-27-01:09:33-RESULTS/webartifact_html:
108 | total 20
109 | -rw-r--r-- 1 root root 4096 Oct 27 01:09 1330.page
110 | -rw-r--r-- 1 root root 4096 Oct 27 01:09 1445.page
111 | 
112 | root@system:~/Desktop/page/page_brute/PAGE_BRUTE-2013-10-27-01:20:28-RESULTS/webartifact_html# xxd 24606.page 
113 | 0000000: 613e 3c2f 7464 3e0d 0a20 2020 2020 2020  a></td>..       
114 | 0000010: 2020 203c 2f74 723e 0d0a 0d0a 2020 2020     </tr>....    
115 | 0000020: 2020 2020 2020 3c74 7220 6964 3d22 446f        <tr id="Do
116 | 0000030: 4f76 6572 7269 6465 2220 7374 796c 653d  Override" style=
117 | 0000040: 2264 6973 706c 6179 3d27 6e6f 6e65 2722  "display='none'"
118 | 0000050: 3e20 0d0a 2020 2020 2020 2020 2020 2020  > ..            
119 | 0000060: 3c74 643e 3c69 6d67 2069 643d 226e 6f74  <td><img id="not
120 | 0000070: 5265 636f 6d6d 656e 6465 6449 636f 6e22  RecommendedIcon"
121 | 0000080: 2073 7263 3d22 7265 645f 7368 6965 6c64   src="red_shield
122 | 0000090: 2e70 6e67 2220 626f 7264 6572 3d22 3022  .png" border="0"
123 | 00000a0: 2061 6c74 3d22 4e6f 7420 7265 636f 6d6d   alt="Not recomm
124 | 00000b0: 656e 6465 6420 6963 6f6e 2220 636c 6173  ended icon" clas
125 | 00000c0: 733d 2261 6374 696f 6e49 636f 6e22 3e3c  s="actionIcon"><
126 | 00000d0: 2f74 643e 0d0a 2020 2020 2020 2020 2020  /td>..          
127 | 00000e0: 2020 3c74 6420 7374 796c 653d 2270 6164    <td style="pad
128 | 00000f0: 6469 6e67 2d62 6f74 746f 6d3a 202e 3165  ding-bottom: .1e
129 | 
130 | 
131 | ```
132 | 


--------------------------------------------------------------------------------
/page_brute-BETA.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python
  2 | #
  3 | #	page_brute.py
  4 | #	by @matonis - secualexploits.blogspot.com - www.mike-matonis.com
  5 | #	Summer of 2013
  6 | #
  7 | import sys
  8 | import argparse
  9 | import datetime
 10 | import glob
 11 | import os
 12 | import os.path
 13 | import binascii
 14 | 
 15 | try:
 16 |         import yara
 17 | except:
 18 |         print "[!] - ERROR: Could not import YARA..."
 19 |         print "...did you install yara and yara-python? Exiting."
 20 |         sys.exit()
 21 | 
 22 | 
 23 | def is_block_null(block):
 24 | 	#Here we test to see if the block is null..if so, skip.
 25 | 	RAW_BLOCK=binascii.hexlify(block)
 26 | 	NULL_REF=binascii.hexlify(NULL_REFERENCE)
 27 | 	if RAW_BLOCK == NULL_REF:
 28 | 		return True
 29 | 	else:
 30 | 		return False
 31 | 
 32 | def build_ruleset():
 33 | 	if RULETYPE == "FILE":
 34 | 		try:
 35 | 			rules=yara.compile(str(RULES))
 36 | 			print "..... Ruleset Compilation Successful."
 37 | 			return rules
 38 | 		except:
 39 | 			print "[!] - Could not compile YARA rule: %s" % RULES
 40 | 			print "Exiting."
 41 | 			sys.exit()
 42 | 	
 43 | 	elif RULETYPE == "FOLDER":
 44 | 		RULEDATA=""
 45 | 		#::Get list of files ending in .yara
 46 | 		
 47 | 		RULE_COUNT = len(glob.glob1(RULES,"*.yar"))
 48 | 		if RULE_COUNT != 0:
 49 | 			for yara_file in glob.glob(os.path.join(RULES, "*.yar")):
 50 | 				try:
 51 | 					yara.compile(str(yara_file))
 52 | 					print "..... Syntax appears to be OK: %s " % yara_file
 53 | 					try:
 54 | 						with open(yara_file, "r") as sig_file:
 55 | 							file_contents=sig_file.read()
 56 | 							RULEDATA=RULEDATA + "\n" + file_contents
 57 | 					except:
 58 | 						print "..... SKIPPING: Could not open file for reading: %s " % yara_file
 59 | 				except:
 60 | 					print "..... SKIPPING: Could not compile rule: %s " % yara_file
 61 | 			try:
 62 | 				rules=yara.compile(source=RULEDATA)
 63 | 				print "..... SUCCESS! Compiled noted yara rulesets.\n"
 64 | 				return rules
 65 | 			except:
 66 | 				print "[!] - Some catastropic error occurred in the compilation of signatureswithin the directory. Exiting."
 67 | 				sys.exit()
 68 | 		else:
 69 | 			print "No files ending in .yar within: %s " % RULES
 70 | 			print "Exiting."
 71 | 			sys.exit()
 72 | 	
 73 | 	elif RULETYPE == "DEFAULT":
 74 | 		rules=yara.compile(str(RULES))
 75 | 		print "[+] - Ruleset Compilation Successful."
 76 | 		return rules
 77 | 
 78 | 	else:
 79 | 		print "[!] - ERROR: Possible catastrophic error on build_ruleset. Exiting."
 80 | 		sys.exit()
 81 | 
 82 | def print_procedures():
 83 | 	print "[+] - PAGE_BRUTE running with the following options:"
 84 | 	print "\t[-] - FILE: %s" % FILE
 85 | 	print "\t[-] - PAGE_SIZE: %s" % PAGE_SIZE
 86 | 	print "\t[-] - RULES TYPE: %s" % RULETYPE
 87 | 	print "\t[-] - RULE LOCATION: %s" % RULES
 88 | 	print "\t[-] - INVERSION SCAN: %s" % INVERT
 89 | 	print "\t[-] - WORKING DIR: %s" % WORKING_DIR
 90 | 	print "\t=================\n"
 91 | 
 92 | def main():
 93 | 
 94 | 	global FILE
 95 | 	global PAGE_SIZE
 96 | 	global RULES
 97 | 	global SCANNAME
 98 | 	global INVERT
 99 | 	global RULETYPE
100 | 	global NULL_REFERENCE
101 | 
102 | 	argument_parser = argparse.ArgumentParser(description="Checks pages in pagefiles for YARA-based rule matches. Useful to identify forensic artifacts within Windows-based page files and characterize blocks based on regular expressions.")
103 | 	
104 | 	group_arg = argument_parser.add_argument_group()
105 | 	group_arg.add_argument("-f", "--file", metavar="FILE", help="Pagefile or any chunk/block-based binary file")
106 | 	group_arg.add_argument("-p", "--size", metavar="SIZE", help="Size of chunk/block in bytes (Default 4096)")
107 | 	group_arg.add_argument("-o", "--scanname", metavar="SCANNAME", help="Descriptor of the scan session - used for output directory")
108 | 	group_arg.add_argument("-i", "--invert", help="Given scan options, match all blocks that DO NOT match a ruleset",action='store_true')
109 | 
110 | 	group_arg = argument_parser.add_mutually_exclusive_group()
111 | 	group_arg.add_argument("-r", "--rules", metavar="RULEFILE", help="File/directory containing YARA signatures (must end with .yar)")
112 | 
113 | 	args = argument_parser.parse_args()
114 | 
115 | 	if len(sys.argv) < 2:
116 | 		print argument_parser.print_help()
117 | 		sys.exit()
118 | 
119 | 	#::Check to see if file was provided::#
120 | 	if args.file:
121 | 		try:
122 | 			with open(args.file):
123 | 				FILE=args.file
124 | 				print "[+] - PAGE_BRUTE processing file: %s" % FILE
125 | 		except:
126 | 			print "[!] - Could not open %s. Exiting." % FILE
127 | 			sys.exit()
128 | 	else:
129 | 		print "[!] - No file provided. Use -f, --file to provide a file. Exiting."
130 | 		sys.exit()
131 | 
132 | 	#::Check to see if page size provided::#
133 | 	if args.size:
134 | 		PAGE_SIZE=int(args.size)
135 | 		NULL_REFERENCE= '\x00' * PAGE_SIZE
136 | 	else:
137 | 		PAGE_SIZE=4096
138 | 		NULL_REFERENCE= '\x00' * PAGE_SIZE
139 | 
140 | 	#::Check if --scan-name provided::#
141 | 	if args.scanname:
142 | 		SCANNAME=args.scanname
143 | 	else:
144 | 		SCANNAME="PAGE_BRUTE-" + datetime.datetime.now().strftime("%Y-%m-%d-%H-%M-%S") + "-RESULTS"
145 | 	
146 | 	#::Check if --invert-match provided::#
147 | 	if args.invert:
148 | 		INVERT=True
149 | 	else:
150 | 		INVERT=False
151 | 	
152 | 	#::Check if --rule-file provdided - if not, use default ruleset::#
153 | 	if args.rules:
154 | 		RULES=args.rules
155 | 		try:
156 | 			#::Is File?::#
157 | 			if os.path.isfile(RULES):
158 | 				RULETYPE="FILE"
159 | 				print "[+] - YARA rule of File type provided for compilation: %s" % RULES
160 | 			elif os.path.isdir(RULES):
161 | 				print "[+] - YARA rule of Folder type provided for compilation: %s" % RULES
162 | 				RULETYPE="FOLDER"
163 | 		except:
164 | 			print "[!] - Possible catastrophic error with the provided rule file...exiting."
165 | 			sys.exit()
166 | 	else:
167 | 		try:
168 | 			with open("default_signatures.yar"):
169 | 				RULES="default_signatures.yar"
170 | 				RULETYPE="DEFAULT"
171 | 		except:
172 | 			print "[!] - Could not locate \"default_signature.yar\". Find it or provide custom signatures via --rules. Exiting."
173 | 			sys.exit()
174 | 	
175 | 	#::Compile rules::#
176 | 	authoritative_rules=build_ruleset()
177 | 	#::Build directory structure
178 | 	global WORKING_DIR
179 | 	WORKING_DIR=SCANNAME
180 | 	if not os.path.exists(WORKING_DIR):
181 | 		os.makedirs(WORKING_DIR)
182 | 	#::Let People Know what we're doing::#
183 | 	print_procedures()	
184 | 	#::Find Evil::#
185 | 	page_id=0
186 | 	with open(FILE, "rb") as page_file:
187 | 		while True:
188 | 			matched=False
189 | 			raw_page=page_file.read(PAGE_SIZE)
190 | 			if raw_page == "":
191 | 				print "Done!"
192 | 				print "Ending page_id is: %s" % page_id
193 | 				break
194 | 			if not is_block_null(raw_page):
195 |                                 #::Determine if block is null...:
196 | 				for matches in authoritative_rules.match(data=raw_page):
197 | 					if INVERT == True:
198 | 						matched=True
199 | 					else:
200 | 						CHUNK_OUTPUT_DIR=os.path.join(WORKING_DIR,matches.rule)
201 | 						print "        [!] FLAGGED BLOCK " + str(page_id) + ": " + matches.rule
202 | 
203 | 						if not os.path.exists(CHUNK_OUTPUT_DIR):
204 | 							os.makedirs(CHUNK_OUTPUT_DIR)
205 | 
206 |                                        		#::Save chunk to file::#
207 | 						CHUNK_OUTPUT_FWD=os.path.join(CHUNK_OUTPUT_DIR,str(page_id) + ".block")
208 | 						page_export=open(CHUNK_OUTPUT_FWD,'w+')
209 | 						page_export.write(raw_page)
210 | 						page_export.close()
211 | 
212 | 				if INVERT == True:
213 | 					if matched == False:
214 | 						CHUNK_OUTPUT_DIR=os.path.join(WORKING_DIR,"INVERTED-MATCH")
215 | 						print "        [!] BLOCK DOES NOT MATCH ANY KNOWN SIGNATURE " + str(page_id)
216 | 						if not os.path.exists(CHUNK_OUTPUT_DIR):
217 | 							os.makedirs(CHUNK_OUTPUT_DIR)
218 | 
219 | 						CHUNK_OUTPUT_FWD=os.path.join(CHUNK_OUTPUT_DIR,str(page_id) + ".block")
220 | 						page_export=open(CHUNK_OUTPUT_FWD,'w+')
221 | 						page_export.write(raw_page)
222 | 						page_export.close()
223 | 			#::Increment Counter for offset increment::#
224 | 			page_id=page_id+1
225 | 
226 | if __name__ == "__main__":
227 |     main()
228 | 


--------------------------------------------------------------------------------
/default_signatures.yar:
--------------------------------------------------------------------------------
  1 | rule administrative_share_abuse
  2 | {
  3 |         meta:
  4 |                 author="@matonis"
  5 |                 description="syntax for accessing adminstrative shares"
  6 |         strings:
  7 |                 $s0 = /(copy|del|psexec|net)/ nocase
  8 |                 $s1 = "\\c$\\windows\\system32\\" nocase
  9 |                 $s2 = "\\c$\\system32\\" nocase
 10 |                 $s3 = "\\admin$\\" nocase
 11 |         condition:
 12 |                 $s0 and (any of ($s1,$s2,$s3))
 13 | }
 14 | 
 15 | rule remote_system_syntax 
 16 | {
 17 | 	meta:
 18 | 		author = "@matonis"
 19 | 		info = "Command syntax that is used to access remote systems by IP address"
 20 | 	strings:
 21 | 		$s1 = /\\\\\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/
 22 | 	condition:
 23 | 		$s1
 24 | }
 25 | 
 26 | rule http_request_header
 27 | {
 28 | 	meta:
 29 | 		author="@matonis"
 30 | 		description="HTTP header fields"
 31 | 	strings:
 32 | 		//methods
 33 | 		$method0 = "OPTIONS"
 34 | 		$method1 = "GET"
 35 | 		$method2 = "HEAD"
 36 | 		$method3 = "POST"
 37 | 		$method4 = "PUT"
 38 | 		$method5 = "DELETE"
 39 | 		$method6 = "TRACE"
 40 | 		$method7 = "CONNECT"
 41 | 
 42 | 		//http version
 43 | 		$version0 = "HTTP/1.1"
 44 | 		$version1 = "HTTP/1.0"
 45 | 
 46 | 		//headers
 47 | 		$header0 = "Host: "
 48 | 		$header1 = "User-Agent: "
 49 | 		$header2 = "Content-Encoding: "
 50 | 		$header3 = "Last-Modified: "
 51 | 		$header4 = "Expires: "
 52 | 		$header5 = "Connection: "
 53 | 		$header6 = "Accept-Language: "
 54 | 		$header7 = "Accept-Encoding: "
 55 | 		$header8 = "Accet-Charset: "
 56 | 		$header9 = "Cookie: "
 57 | 		$header10 = "Content-Length: "
 58 | 		$header11 = "Accept: "
 59 | 	condition:
 60 | 		(1 of ($method*)) and (1 of ($version*)) and (2 of ($header*))
 61 | }
 62 | 
 63 | rule http_response_header
 64 | {
 65 | 	meta:
 66 | 		author="@matonis"
 67 | 		description="HTTP Response headers"
 68 | 	strings:
 69 | 		//Response Codes
 70 | 		$response0 = "200 OK"
 71 | 		$response1 = "201 Created"
 72 | 		$response2 = "202 Accepted"
 73 | 		$response3 = "203 Non-Authoritative Information"
 74 | 		$response4 = "204 No Content"
 75 | 		$response5 = "205 Reset Content"
 76 | 		$response6 = "206 Partial Content"
 77 | 		$response7 = "300 Multiple Choices"
 78 | 		$response8 = "301 Moved Permanently"
 79 | 		$response9 = "302 Found"
 80 | 		$response10 = "303 See Other"
 81 | 		$response11 = "304 Not Modified"
 82 | 		$response12 = "305 Use Proxy"
 83 | 		$response13 = "307 Temporary Redirect"
 84 | 		$response14 = "400 Bad REQUEST"
 85 | 		$response15 = "401 Unauthorized"
 86 | 		$response16 = "403 Forbidden"
 87 | 		$response17 = "404 Not Found"
 88 | 		$response18 = "405 Method Not Allowed"
 89 | 		$response19 = "406 Not Acceptable"
 90 | 		$response20 = "407 Proxy Authentication Require"
 91 | 		$response21 = "408 Request Timeout"
 92 | 		$response22 = "409 Conflict"
 93 | 		$response23 = "410 Gone"
 94 | 		$response24 = "411 Length Required"
 95 | 		$response25 = "412 Precondition Failed"
 96 | 		$response26 = "413 Request Entity Too Large"
 97 | 		$response27 = "414 Request-URI Too Long"
 98 | 		$response28 = "415 Unsupported Media Type"
 99 | 		$response29 = "416 Requested Range Not Satisfiable"
100 | 		$response30 = "417 Expectation Failed"
101 | 		$response31 = "500 Internal Server Error"
102 | 		$response32 = "501 Not Implemented"
103 | 		$response33 = "502 Bad Gateway"
104 | 		$response34 = "503 Service Unavailable"
105 | 		$response35 = "504 Gateway Timeout"
106 | 		$response36 = "505 HTTP Version Not Supported"
107 | 
108 | 		//HTTP Versions
109 | 		$version0 = "HTTP/1.1"
110 | 		$version1 = "HTTP/1.0"
111 | 
112 | 		//headers
113 | 		$field0 = "Set-Cookie:"
114 | 		$field1 = "Content-Type:"
115 | 		$field2 = "X-Powered-By:"
116 | 		$field3 = "Vary:"
117 | 		$field4 = "Transfer-Encoding:"
118 | 		$field5 = "Etag:"
119 | 		$field6 = "Date:"
120 | 		$field7 = "Server:"
121 | 		$field8 = "Cache-Control:"
122 | 		$field9 = "Connection:"
123 | 		$field10 = "Last-Modified:"
124 | 	condition:
125 | 		(1 of ($response*)) and (1 of ($version*)) and (2 of ($field*))
126 | }
127 | 
128 | rule webartifact_html
129 | {
130 | 	meta:
131 | 		author="@matonis"
132 | 		description="HTML identifiers"
133 | 	strings:
134 | 		//sepcific tags
135 | 		$html0 = "DOCTYPE"
136 | 		$html1 = "head>"
137 | 		$html2 = "body>"
138 | 		$html3 = "title>"
139 | 		$html4 = "body>"
140 | 		$html5 = "html>"
141 | 		$html6 = "</html>"
142 | 		$html7 = "<!--"
143 | 		$html8 = "-->"
144 | 		$html9 = "br>"
145 | 		$html10 = "script>"
146 | 
147 | 	condition:
148 | 		2 of them
149 | }
150 | 
151 | rule webartifact_javascript
152 | {
153 | 	meta:
154 | 		author="@matonis"
155 | 		description="Javascript signature"
156 | 	strings:
157 | 		$java0 = "document.write" nocase
158 | 		$java1 = "createElement" nocase
159 | 		$java2 = "getElementsByTagName" nocase
160 | 		$java3 = "appendChild" nocase
161 | 		$java4 = "eval" nocase
162 | 		$java5 = "document.cookie" nocase
163 | 		$java6 = "p,a,c,k,e,d" nocase
164 | 		$java7 = ".substring"
165 | 	condition:
166 | 		3 of them
167 | }
168 | 
169 | rule cmdshell
170 | {
171 | 	meta:
172 | 		author="@matonis"
173 | 		description="Command prompt syntax to identify potential priv escalation"
174 | 	strings:
175 | 		$cmd0 = "C:\\Documents and Settings\\Administrator"
176 | 		$cmd2 = "C:\\Users\\Administrator"
177 | 	condition:
178 | 		any of them
179 | }
180 | 
181 | rule webartifact_gmail
182 | {
183 | 	meta:
184 | 		author="@matonis"
185 | 		description="Gmail artifacts"
186 | 	strings:
187 | 		$s1 = "[\"ms\","
188 | 		$s2 = "[\"ce\"]"
189 | 		$s3 = "[\"e\""
190 | 	condition:
191 | 		2 of them
192 | }
193 | 
194 | rule social_security_syntax
195 | {
196 | 	meta:
197 | 		author="@matonis"
198 | 		description="SSN Syntax"
199 | 	strings:
200 | 		$s1 = /[0-9]{3}-[0-9]{2}-[0-9]{3}/
201 | 	condition:
202 | 		$s1
203 | }
204 | 
205 | rule smtp_fragments
206 | {
207 | 	meta:
208 | 		author="@matonis"
209 | 		description="SMTP Artifacts"
210 | 	strings:
211 | 		$stmp0 = "HELO"
212 | 		$stmp1 = "MAIL FROM"
213 | 		$stmp2 = "RCPT TO"
214 | 		$stmp4 = "From:"
215 | 		$stmp5 = "To:"
216 | 		$stmp6 = "Cc:"
217 | 		$stmp7 = "Date:"
218 | 		$stmp8 = "Subject:"
219 | 		$stmp9 = "Delivered-To:"
220 | 		$stmp10 = "Received: by"
221 | 		$stmp11 = "Authentication-Results:"
222 | 		$stmp12 = "Return-Path:"
223 | 		$stmp13 = "Message-ID:"
224 | 		$stmp14 = "Content-Transfer-Encoding:"
225 | 		$stmp15 = "Content-Disposition:"
226 | 		$stmp16 = "X-Forwarded-To:"
227 | 		$stmp17 = "X-Forwarded-For:"
228 | 	condition:
229 | 		7 of them
230 | }
231 | 
232 | rule irc
233 | {
234 | 	meta:
235 | 		author="@matonis"
236 | 		description="IRC Artifacts"
237 | 	strings:
238 | 		$irc0="has joined #"
239 | 		$irc1 = "Channel created on"
240 | 		$irc2 = "USER"
241 | 		$irc3 = "PASS"
242 | 		$irc5 = "NICK"
243 | 		$irc6 = "CHANNEL"
244 | 		$irc7 = /are [0-9]* users and [0-9]* invisible on/
245 | 		$irc8 = /[0-9]* operator(s) online/
246 | 
247 | 	condition:
248 | 		$irc0 or ($irc2 and $irc3 and $irc5 and $irc6) or $irc7 or $irc8 or $irc1
249 | }
250 | 
251 | rule ftp
252 | {
253 | 	meta:
254 | 		author="@matonis"
255 | 		description="FTP Command Artifacts"
256 | 	strings:
257 | 		$ftp1 = "150 File status okay; about to open data connection."
258 | 		$ftp2 = "150 Opening BINARY mode data connection for"
259 | 		$ftp3 = "150 Opening data connection."
260 | 		$ftp4 = "200 Command PORT okay."
261 | 		$ftp5 = "200 Command PROT okay."
262 | 		$ftp6 = "200 Command SITE okay."
263 | 		$ftp7 = "200 Command okay."
264 | 		$ftp8 = "200 EPRT command okay."
265 | 		$ftp9 = "200 Goodbye."
266 | 		$ftp10 = "200 PORT command successful."
267 | 		$ftp11 = "202 Already logged-in."
268 | 		$ftp12 = "202 Command ACCT not implemented."
269 | 		$ftp13 = "214 Help information."
270 | 		$ftp14 = "221 Goodbye."
271 | 		$ftp15 = "221 List of all the extensions supported."
272 | 		$ftp16 = "226 ABOR command successful."
273 | 		$ftp17 = "226 Closing data connection."
274 | 		$ftp18 = "226 Transfer complete."
275 | 		$ftp19 = "229 Entering passive mode"
276 | 		$ftp20 = "230 Already logged-in."
277 | 		$ftp21 = "230 User logged in, proceed."
278 | 		$ftp22 = "234 AUTH command okay; starting SSL connection."
279 | 		$ftp23 = "Transfer started."
280 | 		$ftp24 = "250 Command okay."
281 | 		$ftp25 = "250 Directory created."
282 | 		$ftp26 = "250 Directory removed."
283 | 		$ftp27 = "250 Requested file action okay, file renamed."
284 | 		$ftp28 = "331 Guest login okay, send your complete e-mail address as password."
285 | 		$ftp29 = "331 User name okay, need password."
286 | 		$ftp30 = "350 Requested file action pending further information."
287 | 		$ftp31 = "421 Maximum anonymous login limit has been reached."
288 | 		$ftp32 = "421 Maximum login limit has been reached."
289 | 		$ftp33 = "425 Can't open data connection."
290 | 		$ftp34 = "425 Cannot open data connection."
291 | 		$ftp35 = "425 Cannot open passive connection."
292 | 		$ftp36 = "425 Cannot open the data connection."
293 | 		$ftp37 = "426 Data connection error."
294 | 		$ftp38 = "431 Security is disabled."
295 | 		$ftp39 = "431 Service is unavailable."
296 | 		$ftp40 = "450 Can't delete file."
297 | 		$ftp41 = "450 No permission to delete."
298 | 		$ftp42 = "500 Execution failed."
299 | 		$ftp43 = "501 Syntax error in parameters or arguments."
300 | 		$ftp44 = "501 Syntax error."
301 | 		$ftp45 = "502 Command SITE not implemented for this argument."
302 | 		$ftp46 = "502 Not yet implemented."
303 | 		$ftp47 = "503 Cannot find the file which has to be renamed."
304 | 		$ftp48 = "503 Login with USER first."
305 | 		$ftp49 = "504 Command not implemented."
306 | 		$ftp50 = "504 Not implemented for this command."
307 | 		$ftp51 = "504 Server does not understand the specified protection level."
308 | 		$ftp52 = "510 EPRT IP is not same as client IP."
309 | 		$ftp53 = "510 EPRT is disabled."
310 | 		$ftp54 = "510 PORT IP mismatch."
311 | 		$ftp55 = "510 Port is disabled."
312 | 		$ftp56 = "510 Syntax error in parameters."
313 | 		$ftp57 = "510 Syntax error."
314 | 		$ftp58 = "530 Access denied."
315 | 		$ftp59 = "530 Anonymous connection is not allowed."
316 | 		$ftp60 = "530 Authentication failed."
317 | 		$ftp61 = "530 Invalid user name."
318 | 		$ftp62 = "550 Already exists."
319 | 		$ftp63 = "550 Cannot create directory."
320 | 		$ftp64 = "550 Cannot remove directory."
321 | 		$ftp65 = "550 File unavailable."
322 | 		$ftp66 = "550 Invalid path."
323 | 		$ftp67 = "550 No permission."
324 | 		$ftp68 = "550 No such directory."
325 | 		$ftp69 = "550 No such file or directory."
326 | 		$ftp70 = "550 Not a plain file."
327 | 		$ftp71 = "550 Not a valid directory."
328 | 		$ftp72 = "550 Not a valid file."
329 | 		$ftp73 = "550 Permission denied."
330 | 		$ftp74 = "550 Unique file name error."
331 | 		$ftp75 = "551 Error on input file."
332 | 		$ftp76 = "551 Error on output file."
333 | 		$ftp77 = "551 File listing failed."
334 | 		$ftp78 = "552 Invalid port number."
335 | 		$ftp79 = "552 Not a valid port number."
336 | 		$ftp80 = "553 Cannot rename file."
337 | 		$ftp81 = "553 Host unknown."
338 | 		$ftp82 = "553 No permission."
339 | 		$ftp83 = "553 Not a valid file name."
340 | 		$ftp84 = "Interactive mode on."
341 | 		$ftp85 = "bytes received in"
342 | 		$ftp86 = "command successful"
343 | 
344 | 	condition:
345 | 		4 of them
346 | }
347 | 
348 | 


--------------------------------------------------------------------------------