├── .gitignore
├── LICENSE
├── README.md
├── Requirements.txt
├── generate.py
├── sample_data
├── authenticode
│ ├── legitimate_certs.yaml
│ └── stolen_certs.yaml
├── office_exploits
│ └── ole.yaml
└── resources
│ ├── icons.yaml
│ └── malware.yaml
└── yaml2yara
├── __init__.py
└── templates
├── authenticode.html
├── authenticode_raw.html
├── base.html
├── helpers.html
├── office_exploits.html
└── resources.html
/.gitignore:
--------------------------------------------------------------------------------
1 | # Byte-compiled / optimized / DLL files
2 | __pycache__/
3 | *.py[cod]
4 | *$py.class
5 |
6 | # C extensions
7 | *.so
8 |
9 | # Distribution / packaging
10 | .Python
11 | build/
12 | develop-eggs/
13 | dist/
14 | downloads/
15 | eggs/
16 | .eggs/
17 | lib/
18 | lib64/
19 | parts/
20 | sdist/
21 | var/
22 | wheels/
23 | *.egg-info/
24 | .installed.cfg
25 | *.egg
26 | MANIFEST
27 |
28 | # PyInstaller
29 | # Usually these files are written by a python script from a template
30 | # before PyInstaller builds the exe, so as to inject date/other infos into it.
31 | *.manifest
32 | *.spec
33 |
34 | # Installer logs
35 | pip-log.txt
36 | pip-delete-this-directory.txt
37 |
38 | # Unit test / coverage reports
39 | htmlcov/
40 | .tox/
41 | .coverage
42 | .coverage.*
43 | .cache
44 | nosetests.xml
45 | coverage.xml
46 | *.cover
47 | .hypothesis/
48 | .pytest_cache/
49 |
50 | # Translations
51 | *.mo
52 | *.pot
53 |
54 | # Django stuff:
55 | *.log
56 | .static_storage/
57 | .media/
58 | local_settings.py
59 |
60 | # Flask stuff:
61 | instance/
62 | .webassets-cache
63 |
64 | # Scrapy stuff:
65 | .scrapy
66 |
67 | # Sphinx documentation
68 | docs/_build/
69 |
70 | # PyBuilder
71 | target/
72 |
73 | # Jupyter Notebook
74 | .ipynb_checkpoints
75 |
76 | # pyenv
77 | .python-version
78 |
79 | # celery beat schedule file
80 | celerybeat-schedule
81 |
82 | # SageMath parsed files
83 | *.sage.py
84 |
85 | # Environments
86 | .env
87 | .venv
88 | env/
89 | venv/
90 | ENV/
91 | env.bak/
92 | venv.bak/
93 |
94 | # Spyder project settings
95 | .spyderproject
96 | .spyproject
97 |
98 | # Rope project settings
99 | .ropeproject
100 |
101 | # mkdocs documentation
102 | /site
103 |
104 | # mypy
105 | .mypy_cache/
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | GNU AFFERO GENERAL PUBLIC LICENSE
2 | Version 3, 19 November 2007
3 |
4 | Copyright (C) 2007 Free Software Foundation, Inc.
5 | Everyone is permitted to copy and distribute verbatim copies
6 | of this license document, but changing it is not allowed.
7 |
8 | Preamble
9 |
10 | The GNU Affero General Public License is a free, copyleft license for
11 | software and other kinds of works, specifically designed to ensure
12 | cooperation with the community in the case of network server software.
13 |
14 | The licenses for most software and other practical works are designed
15 | to take away your freedom to share and change the works. By contrast,
16 | our General Public Licenses are intended to guarantee your freedom to
17 | share and change all versions of a program--to make sure it remains free
18 | software for all its users.
19 |
20 | When we speak of free software, we are referring to freedom, not
21 | price. Our General Public Licenses are designed to make sure that you
22 | have the freedom to distribute copies of free software (and charge for
23 | them if you wish), that you receive source code or can get it if you
24 | want it, that you can change the software or use pieces of it in new
25 | free programs, and that you know you can do these things.
26 |
27 | Developers that use our General Public Licenses protect your rights
28 | with two steps: (1) assert copyright on the software, and (2) offer
29 | you this License which gives you legal permission to copy, distribute
30 | and/or modify the software.
31 |
32 | A secondary benefit of defending all users' freedom is that
33 | improvements made in alternate versions of the program, if they
34 | receive widespread use, become available for other developers to
35 | incorporate. Many developers of free software are heartened and
36 | encouraged by the resulting cooperation. However, in the case of
37 | software used on network servers, this result may fail to come about.
38 | The GNU General Public License permits making a modified version and
39 | letting the public access it on a server without ever releasing its
40 | source code to the public.
41 |
42 | The GNU Affero General Public License is designed specifically to
43 | ensure that, in such cases, the modified source code becomes available
44 | to the community. It requires the operator of a network server to
45 | provide the source code of the modified version running there to the
46 | users of that server. Therefore, public use of a modified version, on
47 | a publicly accessible server, gives the public access to the source
48 | code of the modified version.
49 |
50 | An older license, called the Affero General Public License and
51 | published by Affero, was designed to accomplish similar goals. This is
52 | a different license, not a version of the Affero GPL, but Affero has
53 | released a new version of the Affero GPL which permits relicensing under
54 | this license.
55 |
56 | The precise terms and conditions for copying, distribution and
57 | modification follow.
58 |
59 | TERMS AND CONDITIONS
60 |
61 | 0. Definitions.
62 |
63 | "This License" refers to version 3 of the GNU Affero General Public License.
64 |
65 | "Copyright" also means copyright-like laws that apply to other kinds of
66 | works, such as semiconductor masks.
67 |
68 | "The Program" refers to any copyrightable work licensed under this
69 | License. Each licensee is addressed as "you". "Licensees" and
70 | "recipients" may be individuals or organizations.
71 |
72 | To "modify" a work means to copy from or adapt all or part of the work
73 | in a fashion requiring copyright permission, other than the making of an
74 | exact copy. The resulting work is called a "modified version" of the
75 | earlier work or a work "based on" the earlier work.
76 |
77 | A "covered work" means either the unmodified Program or a work based
78 | on the Program.
79 |
80 | To "propagate" a work means to do anything with it that, without
81 | permission, would make you directly or secondarily liable for
82 | infringement under applicable copyright law, except executing it on a
83 | computer or modifying a private copy. Propagation includes copying,
84 | distribution (with or without modification), making available to the
85 | public, and in some countries other activities as well.
86 |
87 | To "convey" a work means any kind of propagation that enables other
88 | parties to make or receive copies. Mere interaction with a user through
89 | a computer network, with no transfer of a copy, is not conveying.
90 |
91 | An interactive user interface displays "Appropriate Legal Notices"
92 | to the extent that it includes a convenient and prominently visible
93 | feature that (1) displays an appropriate copyright notice, and (2)
94 | tells the user that there is no warranty for the work (except to the
95 | extent that warranties are provided), that licensees may convey the
96 | work under this License, and how to view a copy of this License. If
97 | the interface presents a list of user commands or options, such as a
98 | menu, a prominent item in the list meets this criterion.
99 |
100 | 1. Source Code.
101 |
102 | The "source code" for a work means the preferred form of the work
103 | for making modifications to it. "Object code" means any non-source
104 | form of a work.
105 |
106 | A "Standard Interface" means an interface that either is an official
107 | standard defined by a recognized standards body, or, in the case of
108 | interfaces specified for a particular programming language, one that
109 | is widely used among developers working in that language.
110 |
111 | The "System Libraries" of an executable work include anything, other
112 | than the work as a whole, that (a) is included in the normal form of
113 | packaging a Major Component, but which is not part of that Major
114 | Component, and (b) serves only to enable use of the work with that
115 | Major Component, or to implement a Standard Interface for which an
116 | implementation is available to the public in source code form. A
117 | "Major Component", in this context, means a major essential component
118 | (kernel, window system, and so on) of the specific operating system
119 | (if any) on which the executable work runs, or a compiler used to
120 | produce the work, or an object code interpreter used to run it.
121 |
122 | The "Corresponding Source" for a work in object code form means all
123 | the source code needed to generate, install, and (for an executable
124 | work) run the object code and to modify the work, including scripts to
125 | control those activities. However, it does not include the work's
126 | System Libraries, or general-purpose tools or generally available free
127 | programs which are used unmodified in performing those activities but
128 | which are not part of the work. For example, Corresponding Source
129 | includes interface definition files associated with source files for
130 | the work, and the source code for shared libraries and dynamically
131 | linked subprograms that the work is specifically designed to require,
132 | such as by intimate data communication or control flow between those
133 | subprograms and other parts of the work.
134 |
135 | The Corresponding Source need not include anything that users
136 | can regenerate automatically from other parts of the Corresponding
137 | Source.
138 |
139 | The Corresponding Source for a work in source code form is that
140 | same work.
141 |
142 | 2. Basic Permissions.
143 |
144 | All rights granted under this License are granted for the term of
145 | copyright on the Program, and are irrevocable provided the stated
146 | conditions are met. This License explicitly affirms your unlimited
147 | permission to run the unmodified Program. The output from running a
148 | covered work is covered by this License only if the output, given its
149 | content, constitutes a covered work. This License acknowledges your
150 | rights of fair use or other equivalent, as provided by copyright law.
151 |
152 | You may make, run and propagate covered works that you do not
153 | convey, without conditions so long as your license otherwise remains
154 | in force. You may convey covered works to others for the sole purpose
155 | of having them make modifications exclusively for you, or provide you
156 | with facilities for running those works, provided that you comply with
157 | the terms of this License in conveying all material for which you do
158 | not control copyright. Those thus making or running the covered works
159 | for you must do so exclusively on your behalf, under your direction
160 | and control, on terms that prohibit them from making any copies of
161 | your copyrighted material outside their relationship with you.
162 |
163 | Conveying under any other circumstances is permitted solely under
164 | the conditions stated below. Sublicensing is not allowed; section 10
165 | makes it unnecessary.
166 |
167 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
168 |
169 | No covered work shall be deemed part of an effective technological
170 | measure under any applicable law fulfilling obligations under article
171 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or
172 | similar laws prohibiting or restricting circumvention of such
173 | measures.
174 |
175 | When you convey a covered work, you waive any legal power to forbid
176 | circumvention of technological measures to the extent such circumvention
177 | is effected by exercising rights under this License with respect to
178 | the covered work, and you disclaim any intention to limit operation or
179 | modification of the work as a means of enforcing, against the work's
180 | users, your or third parties' legal rights to forbid circumvention of
181 | technological measures.
182 |
183 | 4. Conveying Verbatim Copies.
184 |
185 | You may convey verbatim copies of the Program's source code as you
186 | receive it, in any medium, provided that you conspicuously and
187 | appropriately publish on each copy an appropriate copyright notice;
188 | keep intact all notices stating that this License and any
189 | non-permissive terms added in accord with section 7 apply to the code;
190 | keep intact all notices of the absence of any warranty; and give all
191 | recipients a copy of this License along with the Program.
192 |
193 | You may charge any price or no price for each copy that you convey,
194 | and you may offer support or warranty protection for a fee.
195 |
196 | 5. Conveying Modified Source Versions.
197 |
198 | You may convey a work based on the Program, or the modifications to
199 | produce it from the Program, in the form of source code under the
200 | terms of section 4, provided that you also meet all of these conditions:
201 |
202 | a) The work must carry prominent notices stating that you modified
203 | it, and giving a relevant date.
204 |
205 | b) The work must carry prominent notices stating that it is
206 | released under this License and any conditions added under section
207 | 7. This requirement modifies the requirement in section 4 to
208 | "keep intact all notices".
209 |
210 | c) You must license the entire work, as a whole, under this
211 | License to anyone who comes into possession of a copy. This
212 | License will therefore apply, along with any applicable section 7
213 | additional terms, to the whole of the work, and all its parts,
214 | regardless of how they are packaged. This License gives no
215 | permission to license the work in any other way, but it does not
216 | invalidate such permission if you have separately received it.
217 |
218 | d) If the work has interactive user interfaces, each must display
219 | Appropriate Legal Notices; however, if the Program has interactive
220 | interfaces that do not display Appropriate Legal Notices, your
221 | work need not make them do so.
222 |
223 | A compilation of a covered work with other separate and independent
224 | works, which are not by their nature extensions of the covered work,
225 | and which are not combined with it such as to form a larger program,
226 | in or on a volume of a storage or distribution medium, is called an
227 | "aggregate" if the compilation and its resulting copyright are not
228 | used to limit the access or legal rights of the compilation's users
229 | beyond what the individual works permit. Inclusion of a covered work
230 | in an aggregate does not cause this License to apply to the other
231 | parts of the aggregate.
232 |
233 | 6. Conveying Non-Source Forms.
234 |
235 | You may convey a covered work in object code form under the terms
236 | of sections 4 and 5, provided that you also convey the
237 | machine-readable Corresponding Source under the terms of this License,
238 | in one of these ways:
239 |
240 | a) Convey the object code in, or embodied in, a physical product
241 | (including a physical distribution medium), accompanied by the
242 | Corresponding Source fixed on a durable physical medium
243 | customarily used for software interchange.
244 |
245 | b) Convey the object code in, or embodied in, a physical product
246 | (including a physical distribution medium), accompanied by a
247 | written offer, valid for at least three years and valid for as
248 | long as you offer spare parts or customer support for that product
249 | model, to give anyone who possesses the object code either (1) a
250 | copy of the Corresponding Source for all the software in the
251 | product that is covered by this License, on a durable physical
252 | medium customarily used for software interchange, for a price no
253 | more than your reasonable cost of physically performing this
254 | conveying of source, or (2) access to copy the
255 | Corresponding Source from a network server at no charge.
256 |
257 | c) Convey individual copies of the object code with a copy of the
258 | written offer to provide the Corresponding Source. This
259 | alternative is allowed only occasionally and noncommercially, and
260 | only if you received the object code with such an offer, in accord
261 | with subsection 6b.
262 |
263 | d) Convey the object code by offering access from a designated
264 | place (gratis or for a charge), and offer equivalent access to the
265 | Corresponding Source in the same way through the same place at no
266 | further charge. You need not require recipients to copy the
267 | Corresponding Source along with the object code. If the place to
268 | copy the object code is a network server, the Corresponding Source
269 | may be on a different server (operated by you or a third party)
270 | that supports equivalent copying facilities, provided you maintain
271 | clear directions next to the object code saying where to find the
272 | Corresponding Source. Regardless of what server hosts the
273 | Corresponding Source, you remain obligated to ensure that it is
274 | available for as long as needed to satisfy these requirements.
275 |
276 | e) Convey the object code using peer-to-peer transmission, provided
277 | you inform other peers where the object code and Corresponding
278 | Source of the work are being offered to the general public at no
279 | charge under subsection 6d.
280 |
281 | A separable portion of the object code, whose source code is excluded
282 | from the Corresponding Source as a System Library, need not be
283 | included in conveying the object code work.
284 |
285 | A "User Product" is either (1) a "consumer product", which means any
286 | tangible personal property which is normally used for personal, family,
287 | or household purposes, or (2) anything designed or sold for incorporation
288 | into a dwelling. In determining whether a product is a consumer product,
289 | doubtful cases shall be resolved in favor of coverage. For a particular
290 | product received by a particular user, "normally used" refers to a
291 | typical or common use of that class of product, regardless of the status
292 | of the particular user or of the way in which the particular user
293 | actually uses, or expects or is expected to use, the product. A product
294 | is a consumer product regardless of whether the product has substantial
295 | commercial, industrial or non-consumer uses, unless such uses represent
296 | the only significant mode of use of the product.
297 |
298 | "Installation Information" for a User Product means any methods,
299 | procedures, authorization keys, or other information required to install
300 | and execute modified versions of a covered work in that User Product from
301 | a modified version of its Corresponding Source. The information must
302 | suffice to ensure that the continued functioning of the modified object
303 | code is in no case prevented or interfered with solely because
304 | modification has been made.
305 |
306 | If you convey an object code work under this section in, or with, or
307 | specifically for use in, a User Product, and the conveying occurs as
308 | part of a transaction in which the right of possession and use of the
309 | User Product is transferred to the recipient in perpetuity or for a
310 | fixed term (regardless of how the transaction is characterized), the
311 | Corresponding Source conveyed under this section must be accompanied
312 | by the Installation Information. But this requirement does not apply
313 | if neither you nor any third party retains the ability to install
314 | modified object code on the User Product (for example, the work has
315 | been installed in ROM).
316 |
317 | The requirement to provide Installation Information does not include a
318 | requirement to continue to provide support service, warranty, or updates
319 | for a work that has been modified or installed by the recipient, or for
320 | the User Product in which it has been modified or installed. Access to a
321 | network may be denied when the modification itself materially and
322 | adversely affects the operation of the network or violates the rules and
323 | protocols for communication across the network.
324 |
325 | Corresponding Source conveyed, and Installation Information provided,
326 | in accord with this section must be in a format that is publicly
327 | documented (and with an implementation available to the public in
328 | source code form), and must require no special password or key for
329 | unpacking, reading or copying.
330 |
331 | 7. Additional Terms.
332 |
333 | "Additional permissions" are terms that supplement the terms of this
334 | License by making exceptions from one or more of its conditions.
335 | Additional permissions that are applicable to the entire Program shall
336 | be treated as though they were included in this License, to the extent
337 | that they are valid under applicable law. If additional permissions
338 | apply only to part of the Program, that part may be used separately
339 | under those permissions, but the entire Program remains governed by
340 | this License without regard to the additional permissions.
341 |
342 | When you convey a copy of a covered work, you may at your option
343 | remove any additional permissions from that copy, or from any part of
344 | it. (Additional permissions may be written to require their own
345 | removal in certain cases when you modify the work.) You may place
346 | additional permissions on material, added by you to a covered work,
347 | for which you have or can give appropriate copyright permission.
348 |
349 | Notwithstanding any other provision of this License, for material you
350 | add to a covered work, you may (if authorized by the copyright holders of
351 | that material) supplement the terms of this License with terms:
352 |
353 | a) Disclaiming warranty or limiting liability differently from the
354 | terms of sections 15 and 16 of this License; or
355 |
356 | b) Requiring preservation of specified reasonable legal notices or
357 | author attributions in that material or in the Appropriate Legal
358 | Notices displayed by works containing it; or
359 |
360 | c) Prohibiting misrepresentation of the origin of that material, or
361 | requiring that modified versions of such material be marked in
362 | reasonable ways as different from the original version; or
363 |
364 | d) Limiting the use for publicity purposes of names of licensors or
365 | authors of the material; or
366 |
367 | e) Declining to grant rights under trademark law for use of some
368 | trade names, trademarks, or service marks; or
369 |
370 | f) Requiring indemnification of licensors and authors of that
371 | material by anyone who conveys the material (or modified versions of
372 | it) with contractual assumptions of liability to the recipient, for
373 | any liability that these contractual assumptions directly impose on
374 | those licensors and authors.
375 |
376 | All other non-permissive additional terms are considered "further
377 | restrictions" within the meaning of section 10. If the Program as you
378 | received it, or any part of it, contains a notice stating that it is
379 | governed by this License along with a term that is a further
380 | restriction, you may remove that term. If a license document contains
381 | a further restriction but permits relicensing or conveying under this
382 | License, you may add to a covered work material governed by the terms
383 | of that license document, provided that the further restriction does
384 | not survive such relicensing or conveying.
385 |
386 | If you add terms to a covered work in accord with this section, you
387 | must place, in the relevant source files, a statement of the
388 | additional terms that apply to those files, or a notice indicating
389 | where to find the applicable terms.
390 |
391 | Additional terms, permissive or non-permissive, may be stated in the
392 | form of a separately written license, or stated as exceptions;
393 | the above requirements apply either way.
394 |
395 | 8. Termination.
396 |
397 | You may not propagate or modify a covered work except as expressly
398 | provided under this License. Any attempt otherwise to propagate or
399 | modify it is void, and will automatically terminate your rights under
400 | this License (including any patent licenses granted under the third
401 | paragraph of section 11).
402 |
403 | However, if you cease all violation of this License, then your
404 | license from a particular copyright holder is reinstated (a)
405 | provisionally, unless and until the copyright holder explicitly and
406 | finally terminates your license, and (b) permanently, if the copyright
407 | holder fails to notify you of the violation by some reasonable means
408 | prior to 60 days after the cessation.
409 |
410 | Moreover, your license from a particular copyright holder is
411 | reinstated permanently if the copyright holder notifies you of the
412 | violation by some reasonable means, this is the first time you have
413 | received notice of violation of this License (for any work) from that
414 | copyright holder, and you cure the violation prior to 30 days after
415 | your receipt of the notice.
416 |
417 | Termination of your rights under this section does not terminate the
418 | licenses of parties who have received copies or rights from you under
419 | this License. If your rights have been terminated and not permanently
420 | reinstated, you do not qualify to receive new licenses for the same
421 | material under section 10.
422 |
423 | 9. Acceptance Not Required for Having Copies.
424 |
425 | You are not required to accept this License in order to receive or
426 | run a copy of the Program. Ancillary propagation of a covered work
427 | occurring solely as a consequence of using peer-to-peer transmission
428 | to receive a copy likewise does not require acceptance. However,
429 | nothing other than this License grants you permission to propagate or
430 | modify any covered work. These actions infringe copyright if you do
431 | not accept this License. Therefore, by modifying or propagating a
432 | covered work, you indicate your acceptance of this License to do so.
433 |
434 | 10. Automatic Licensing of Downstream Recipients.
435 |
436 | Each time you convey a covered work, the recipient automatically
437 | receives a license from the original licensors, to run, modify and
438 | propagate that work, subject to this License. You are not responsible
439 | for enforcing compliance by third parties with this License.
440 |
441 | An "entity transaction" is a transaction transferring control of an
442 | organization, or substantially all assets of one, or subdividing an
443 | organization, or merging organizations. If propagation of a covered
444 | work results from an entity transaction, each party to that
445 | transaction who receives a copy of the work also receives whatever
446 | licenses to the work the party's predecessor in interest had or could
447 | give under the previous paragraph, plus a right to possession of the
448 | Corresponding Source of the work from the predecessor in interest, if
449 | the predecessor has it or can get it with reasonable efforts.
450 |
451 | You may not impose any further restrictions on the exercise of the
452 | rights granted or affirmed under this License. For example, you may
453 | not impose a license fee, royalty, or other charge for exercise of
454 | rights granted under this License, and you may not initiate litigation
455 | (including a cross-claim or counterclaim in a lawsuit) alleging that
456 | any patent claim is infringed by making, using, selling, offering for
457 | sale, or importing the Program or any portion of it.
458 |
459 | 11. Patents.
460 |
461 | A "contributor" is a copyright holder who authorizes use under this
462 | License of the Program or a work on which the Program is based. The
463 | work thus licensed is called the contributor's "contributor version".
464 |
465 | A contributor's "essential patent claims" are all patent claims
466 | owned or controlled by the contributor, whether already acquired or
467 | hereafter acquired, that would be infringed by some manner, permitted
468 | by this License, of making, using, or selling its contributor version,
469 | but do not include claims that would be infringed only as a
470 | consequence of further modification of the contributor version. For
471 | purposes of this definition, "control" includes the right to grant
472 | patent sublicenses in a manner consistent with the requirements of
473 | this License.
474 |
475 | Each contributor grants you a non-exclusive, worldwide, royalty-free
476 | patent license under the contributor's essential patent claims, to
477 | make, use, sell, offer for sale, import and otherwise run, modify and
478 | propagate the contents of its contributor version.
479 |
480 | In the following three paragraphs, a "patent license" is any express
481 | agreement or commitment, however denominated, not to enforce a patent
482 | (such as an express permission to practice a patent or covenant not to
483 | sue for patent infringement). To "grant" such a patent license to a
484 | party means to make such an agreement or commitment not to enforce a
485 | patent against the party.
486 |
487 | If you convey a covered work, knowingly relying on a patent license,
488 | and the Corresponding Source of the work is not available for anyone
489 | to copy, free of charge and under the terms of this License, through a
490 | publicly available network server or other readily accessible means,
491 | then you must either (1) cause the Corresponding Source to be so
492 | available, or (2) arrange to deprive yourself of the benefit of the
493 | patent license for this particular work, or (3) arrange, in a manner
494 | consistent with the requirements of this License, to extend the patent
495 | license to downstream recipients. "Knowingly relying" means you have
496 | actual knowledge that, but for the patent license, your conveying the
497 | covered work in a country, or your recipient's use of the covered work
498 | in a country, would infringe one or more identifiable patents in that
499 | country that you have reason to believe are valid.
500 |
501 | If, pursuant to or in connection with a single transaction or
502 | arrangement, you convey, or propagate by procuring conveyance of, a
503 | covered work, and grant a patent license to some of the parties
504 | receiving the covered work authorizing them to use, propagate, modify
505 | or convey a specific copy of the covered work, then the patent license
506 | you grant is automatically extended to all recipients of the covered
507 | work and works based on it.
508 |
509 | A patent license is "discriminatory" if it does not include within
510 | the scope of its coverage, prohibits the exercise of, or is
511 | conditioned on the non-exercise of one or more of the rights that are
512 | specifically granted under this License. You may not convey a covered
513 | work if you are a party to an arrangement with a third party that is
514 | in the business of distributing software, under which you make payment
515 | to the third party based on the extent of your activity of conveying
516 | the work, and under which the third party grants, to any of the
517 | parties who would receive the covered work from you, a discriminatory
518 | patent license (a) in connection with copies of the covered work
519 | conveyed by you (or copies made from those copies), or (b) primarily
520 | for and in connection with specific products or compilations that
521 | contain the covered work, unless you entered into that arrangement,
522 | or that patent license was granted, prior to 28 March 2007.
523 |
524 | Nothing in this License shall be construed as excluding or limiting
525 | any implied license or other defenses to infringement that may
526 | otherwise be available to you under applicable patent law.
527 |
528 | 12. No Surrender of Others' Freedom.
529 |
530 | If conditions are imposed on you (whether by court order, agreement or
531 | otherwise) that contradict the conditions of this License, they do not
532 | excuse you from the conditions of this License. If you cannot convey a
533 | covered work so as to satisfy simultaneously your obligations under this
534 | License and any other pertinent obligations, then as a consequence you may
535 | not convey it at all. For example, if you agree to terms that obligate you
536 | to collect a royalty for further conveying from those to whom you convey
537 | the Program, the only way you could satisfy both those terms and this
538 | License would be to refrain entirely from conveying the Program.
539 |
540 | 13. Remote Network Interaction; Use with the GNU General Public License.
541 |
542 | Notwithstanding any other provision of this License, if you modify the
543 | Program, your modified version must prominently offer all users
544 | interacting with it remotely through a computer network (if your version
545 | supports such interaction) an opportunity to receive the Corresponding
546 | Source of your version by providing access to the Corresponding Source
547 | from a network server at no charge, through some standard or customary
548 | means of facilitating copying of software. This Corresponding Source
549 | shall include the Corresponding Source for any work covered by version 3
550 | of the GNU General Public License that is incorporated pursuant to the
551 | following paragraph.
552 |
553 | Notwithstanding any other provision of this License, you have
554 | permission to link or combine any covered work with a work licensed
555 | under version 3 of the GNU General Public License into a single
556 | combined work, and to convey the resulting work. The terms of this
557 | License will continue to apply to the part which is the covered work,
558 | but the work with which it is combined will remain governed by version
559 | 3 of the GNU General Public License.
560 |
561 | 14. Revised Versions of this License.
562 |
563 | The Free Software Foundation may publish revised and/or new versions of
564 | the GNU Affero General Public License from time to time. Such new versions
565 | will be similar in spirit to the present version, but may differ in detail to
566 | address new problems or concerns.
567 |
568 | Each version is given a distinguishing version number. If the
569 | Program specifies that a certain numbered version of the GNU Affero General
570 | Public License "or any later version" applies to it, you have the
571 | option of following the terms and conditions either of that numbered
572 | version or of any later version published by the Free Software
573 | Foundation. If the Program does not specify a version number of the
574 | GNU Affero General Public License, you may choose any version ever published
575 | by the Free Software Foundation.
576 |
577 | If the Program specifies that a proxy can decide which future
578 | versions of the GNU Affero General Public License can be used, that proxy's
579 | public statement of acceptance of a version permanently authorizes you
580 | to choose that version for the Program.
581 |
582 | Later license versions may give you additional or different
583 | permissions. However, no additional obligations are imposed on any
584 | author or copyright holder as a result of your choosing to follow a
585 | later version.
586 |
587 | 15. Disclaimer of Warranty.
588 |
589 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
590 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
591 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
592 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
593 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
594 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
595 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
596 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
597 |
598 | 16. Limitation of Liability.
599 |
600 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
601 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
602 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
603 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
604 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
605 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
606 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
607 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
608 | SUCH DAMAGES.
609 |
610 | 17. Interpretation of Sections 15 and 16.
611 |
612 | If the disclaimer of warranty and limitation of liability provided
613 | above cannot be given local legal effect according to their terms,
614 | reviewing courts shall apply local law that most closely approximates
615 | an absolute waiver of all civil liability in connection with the
616 | Program, unless a warranty or assumption of liability accompanies a
617 | copy of the Program in return for a fee.
618 |
619 | END OF TERMS AND CONDITIONS
620 |
621 | How to Apply These Terms to Your New Programs
622 |
623 | If you develop a new program, and you want it to be of the greatest
624 | possible use to the public, the best way to achieve this is to make it
625 | free software which everyone can redistribute and change under these terms.
626 |
627 | To do so, attach the following notices to the program. It is safest
628 | to attach them to the start of each source file to most effectively
629 | state the exclusion of warranty; and each file should have at least
630 | the "copyright" line and a pointer to where the full notice is found.
631 |
632 |
633 | Copyright (C)
634 |
635 | This program is free software: you can redistribute it and/or modify
636 | it under the terms of the GNU Affero General Public License as published
637 | by the Free Software Foundation, either version 3 of the License, or
638 | (at your option) any later version.
639 |
640 | This program is distributed in the hope that it will be useful,
641 | but WITHOUT ANY WARRANTY; without even the implied warranty of
642 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
643 | GNU Affero General Public License for more details.
644 |
645 | You should have received a copy of the GNU Affero General Public License
646 | along with this program. If not, see .
647 |
648 | Also add information on how to contact you by electronic and paper mail.
649 |
650 | If your software can interact with users remotely through a computer
651 | network, you should also make sure that it provides a way for users to
652 | get its source. For example, if your program is a web application, its
653 | interface could display a "Source" link that leads users to an archive
654 | of the code. There are many ways you could offer source, and different
655 | solutions will be better for different programs; see section 13 for the
656 | specific requirements.
657 |
658 | You should also get your employer (if you work as a programmer) or school,
659 | if any, to sign a "copyright disclaimer" for the program, if necessary.
660 | For more information on this, and how to apply and follow the GNU AGPL, see
661 | .
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Introduction
2 |
3 | Released as open source by NCC Group Plc - http://www.nccgroup.com/
4 |
5 | Developed by David Cannings (@edeca)
6 |
7 | http://www.github.com/nccgroup/yaml2yara
8 |
9 | This project is released under the AGPL license. Please see LICENSE for more information.
10 |
11 | # Overview
12 |
13 | This repository contains a script that will create custom detection rules from YAML input.
14 |
15 | It is used to automatically generate the same rule for multiple pieces of input data, for example:
16 |
17 | * Rules to detect stolen code signing certificates.
18 | * Rules to detect known vulnerable OLE components in exploit documents.
19 | * Rules to detect known bad resources (icons, dialogs etc).
20 |
21 | This decouples the rule logic and data to match, meaning that bulk rules can be updated easily to optimise them or take advantage of new YARA features.
22 |
23 | It was initially designed to generate Yara rules. However this could easily be expanded to any other format (MAEC, Suricata rules) with new templates.
24 |
25 | # Aims
26 |
27 | The aims are to:
28 |
29 | * Store useful data in a human readable format.
30 | * Generate rules with minimal fuss.
31 | * Produce output which can be fed into your favourite source code management tool (Git, mercurial, etc.).
32 |
33 | # Dependencies
34 |
35 | All required dependencies can be installed using pip:
36 |
37 | pip install -r Requirements.txt
38 |
39 | # Usage
40 |
41 | Some sample data files and templates are included in the repository. Example usage:
42 |
43 | ./generate.py --template authenticode --input sample_data/authenticode/stolen_certs.yaml
44 | ./generate.py --template office_exploits --input sample_data/office_exploits/ole.yaml
45 | ./generate.py --template resources --input sample_data/resources/malware.yaml
46 |
47 | The output can also be modified with `--tag`, which will add [rule tags](http://yara.readthedocs.io/en/latest/writingrules.html#rule-tags) to each generated rule:
48 |
49 | ./generate.py --template authenticode --tag authenticode --input sample_data/authenticode/stolen_certs.yaml
50 |
51 | A `--prefix` option is also available, which will name all rules:
52 |
53 | ./generate.py --template office_exploits --prefix exploit --input sample_data/office_exploits/ole.yaml
54 |
55 | Help is available, see `./generate.py --help`.
--------------------------------------------------------------------------------
/Requirements.txt:
--------------------------------------------------------------------------------
1 | Jinja2>=2.10.1
2 | MarkupSafe==1.0
3 | pyyaml>=4.2b1
--------------------------------------------------------------------------------
/generate.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | from __future__ import print_function
3 | from collections import OrderedDict
4 | from jinja2 import Environment, PackageLoader
5 | from jinja2.exceptions import TemplateNotFound
6 | from binascii import hexlify
7 | import yaml
8 | import sys
9 | import argparse
10 | import os
11 | import re
12 |
13 | ########
14 | # Author: David Cannings
15 | # Date: June 2016
16 | #
17 | # Generate cyber cyber detection rules from YAML input. Useful to
18 | # create the same rule multiple times with different input.
19 | #
20 | # Sample usages include detecting known bad code signing certificates,
21 | # identifying resources or signaturing exploit docs based on OLE objects.
22 | #
23 | # Released under AGPL, please see Readme.md and LICENSE.
24 | ########
25 |
26 | def eprint(*args, **kwargs):
27 | """ Print an error """
28 | print(*args, file=sys.stderr, **kwargs)
29 |
30 |
31 | def fatal(msg):
32 | """ Print a fatal error and quit """
33 | eprint("[!] {}".format(msg))
34 | sys.exit(1)
35 |
36 |
37 | def clsid_to_hex(data):
38 | """ Convert a displayed class ID to the hex representation """
39 |
40 | # See: https://support.microsoft.com/en-us/kb/325648
41 | data = data.replace('-', '')
42 |
43 | hex_str = data[6:8]
44 | hex_str += data[4:6]
45 | hex_str += data[2:4]
46 | hex_str += data[0:2]
47 | hex_str += data[10:12]
48 | hex_str += data[8:10]
49 | hex_str += data[14:16]
50 | hex_str += data[12:14]
51 | hex_str += data[16:]
52 | return hex_str
53 |
54 |
55 | def to_hex(data):
56 | """ Helper function, used inside jinja2 templates """
57 | return hexlify(data.encode("ascii")).decode("ascii")
58 |
59 |
60 | def add_tags(rules, global_tags):
61 | """ Loop through all rules and add global tags """
62 |
63 | for name,r in rules.items():
64 | for tag in global_tags:
65 | try:
66 | r['tags'].append(tag)
67 | except KeyError:
68 | r['tags'] = [ tag ]
69 | except AttributeError:
70 | # TODO: Fix this case by validating all input according to global rules
71 | eprint("[!] Error in {}: 'tags' should be a list, not string".format(name))
72 | sys.exit(0)
73 |
74 |
75 | def main():
76 | rules = None
77 |
78 | parser = argparse.ArgumentParser(description='Generate rules from YAML input.')
79 | parser.add_argument('--tag', nargs='*', default=[], help='Tags to add to all rules')
80 | parser.add_argument('--prefix', type=str, default="", help='prefix all rule names with a string')
81 | parser.add_argument('--template', type=str, help='template to use', required=True)
82 | parser.add_argument('--input', type=str, help='input data file', required=True)
83 | parser.add_argument('--output', type=str, help='output Yara file', required=True)
84 | args = parser.parse_args()
85 |
86 | # Check input file exists
87 | if not os.path.isfile(args.input):
88 | fatal("Input file does not exist: {}".format(args.input))
89 |
90 | # Validate prefix
91 | if not re.match('^(|[a-zA-Z][a-zA-Z0-9_]+)$', args.prefix):
92 | fatal("Not a valid name prefix: {}".format(args.prefix))
93 |
94 | # Validate template name
95 | if not re.match('^[a-z][a-z_]+$', args.template):
96 | fatal("Not a valid template name: {}".format(args.template))
97 |
98 | # Check template exists
99 | try:
100 | env = Environment(loader=PackageLoader('yaml2yara', 'templates'))
101 | env.filters['to_hex'] = to_hex
102 | env.filters['clsid_to_hex'] = clsid_to_hex
103 | template = env.get_template('{}.html'.format(args.template))
104 | except TemplateNotFound:
105 | fatal("Template not found: {}".format(args.template))
106 |
107 | with open (args.input, encoding='utf-8', mode='r') as fh:
108 | rules = yaml.load(fh, Loader=yaml.SafeLoader)
109 |
110 | # SCM friendly output, sort by rule name so that output
111 | # is consistent between runs. This minimises diffs where
112 | # input data has not changed.
113 | #
114 | # Note that templates need to sort any dict items they
115 | # use (e.g. tags, a list of hashes etc).
116 | rules_sorted = OrderedDict(sorted(rules.items(), key=lambda t: t[0]))
117 |
118 | # If custom tags were provided add them to every rule.
119 | if len(args.tag):
120 | add_tags(rules_sorted, args.tag)
121 |
122 | rules = template.render(data=rules_sorted, prefix=args.prefix)
123 | with open(args.output, encoding='utf-8', mode="w") as fh:
124 | fh.write(rules)
125 |
126 |
127 | if __name__ == "__main__":
128 | main()
--------------------------------------------------------------------------------
/sample_data/authenticode/legitimate_certs.yaml:
--------------------------------------------------------------------------------
1 | kaspersky:
2 | added_by: David Cannings
3 | description: "Kaspersky certificate, legitimate but used in DLL planting attacks"
4 | serial: 77:8b:d7:e8:bb:92:7c:a9:65:11:90:8a:d9:41:d0:28
5 | subject: Kaspersky Lab
6 |
7 | fsecure:
8 | added_by: David Cannings
9 | description: "F-Secure certificate, legitimate but used in DLL planting attacks (e.g. PlugX)"
10 | serial: 59:8b:48:92:bd:19:55:eb:9a:88:8f:f3:93:b8:52:37
11 | subject: ST=Helsinki/L=Helsinki/O=F-Secure Corporation
12 |
13 | # Avoid FP on signed DLLs that hit other Yara rules
14 | cylance:
15 | added_by: David Cannings
16 | description: "Cylance certificate, used to sign Protect endpoint agent"
17 | #serial: 16:61:fd:0e:5d:7e:52:ee:4c:1f:1a:44:cc:97:ed:cf
18 | subject: O=Cylance, Inc.
19 |
20 | # TODO: All of these hackingteam certs are thumbprints NOT serials - find the originals
21 | hackingteam1:
22 | added_by: David Cannings
23 | description: "Hacking Team certificate"
24 | serial: 2e:87:34:34:8c:03:39:0d:24:fa:f9:6e:86:bb:01:b3:9e:3a:d4:db
25 |
26 | hackingteam2:
27 | added_by: David Cannings
28 | description: "Hacking Team certificate"
29 | serial: b7:c6:46:e3:a4:33:98:6e:16:5b:a4:5b:20:9d:a4:a2:c4:11:19:39
30 |
31 | hackingteam3:
32 | added_by: David Cannings
33 | description: "Hacking Team certificate"
34 | serial: fd:c9:28:1a:b9:2d:4f:b8:5a:03:25:4d:cb:62:d1:c2:9a:80:3f:b1
35 |
36 | hackingteam4:
37 | added_by: David Cannings
38 | description: "Hacking Team certificate"
39 | serial: 2a:1d:a6:dc:86:35:e6:c7:25:cc:cb:e6:c0:35:ee:c8:13:fb:eb:2e
40 |
41 | magicdesktop:
42 | added_by: David Cannings
43 | description: "Magic Desktop S&T certificate, has signed Zolsearch malware"
44 | serial: 02:64:32:a0:ea:f1:d4
45 | subject: Magic Desktop S&T Development Co., Ltd.
46 |
47 | ommoo:
48 | added_by: David Cannings
49 | description: "Ommoo certificate, has signed Zolsearch malware"
50 | serial: 2b:16:4b:99:60:c1:7a:65:11:6c:44:6f:b3:66:b0:19
51 | subject: contact@ommoo.net
52 |
53 | ammyy:
54 | added_by: David Cannings
55 | description: "Ammyy certificate, RDP software seen in IR cases"
56 | subject: /O=Ammyy LLC/CN=Ammyy LLC
57 |
58 | ratiborus:
59 | added_by: David Cannings
60 | description: "Ratiborus certificate, signed Potentially Unwanted Software including Windows Activator (KMSAuto)"
61 | subject: /CN=Ratiborus MSFree Inc
62 | serial: 1e:b5:23:94:d7:a0:f7:80:4a:c8:f8:0d:76:13:95:91
63 |
64 | clearthink:
65 | added_by: David Cannings
66 | description: "ClearThink certificate, sign Potentially Unwanted Softare including BrowseFox"
67 | subject: /O=ClearThink/CN=ClearThink
68 |
69 |
--------------------------------------------------------------------------------
/sample_data/authenticode/stolen_certs.yaml:
--------------------------------------------------------------------------------
1 | # Details of stolen authenticode certificates used to sign malware.
2 | #
3 | # Legitimate certificates (e.g. not stolen ones) are in a separate file.
4 | #
5 | # When adding to the file please use the version reported by Yara. See
6 | # below for further info.
7 | #
8 | # TODO: Yara uses one version of the serial field but Windows displays
9 | # it differently. Windows displays the hex which will appear in
10 | # the file. Yara (through OpenSSL) may compute a different value,
11 | # perhaps where it is a negative number?
12 | #
13 | # Consider ways to automatically convert serial into both possible
14 | # permutations.
15 |
16 | esupplychain:
17 | added_by: David Cannings
18 | description: "esupplychain.com.tw stolen certificate, used by Dark Hotel"
19 | ref: https://securelist.com/files/2014/11/darkhotel_kl_07.11.pdf
20 | serial: 65:c8:08:10
21 | subject: www.esupplychain.com.tw
22 | issuer: TaiCA Secure CA
23 |
24 | automotive_aftermarket:
25 | added_by: David Cannings
26 | description: "calltracking.automotive-aftermarket.de certificate, used by Dark Hotel"
27 | # Windows thinks the serial is 00:80:97 but it doesn't hit in Yara
28 | serial: 80:97
29 | subject: calltracking.automotive-aftermarket.de
30 | issuer: Deutsche Telekom CA 5
31 |
32 | xuchang_hongguang:
33 | added_by: David Cannings
34 | description: "Xuchang Hongguang certificate, used by Dark Hotel"
35 | serial: 26:7b:de:88:8b:c1:50:15:11:00:f2:54:d8:ca:ed:67
36 | subject: Xuchang Hongguang Technology Co.,Ltd.
37 |
38 | dtoptoolz:
39 | added_by: David Cannings
40 | description: "DTOPTOOLZ certificate, used by various APT groups"
41 | serial: 47:d5:d5:37:2b:cb:15:62:b4:c9:f4:c2:bd:f1:35:87
42 | subject: DTOPTOOLZ Co.,Ltd.
43 |
44 | neowiz:
45 | added_by: David Cannings
46 | description: "Neowiz certificate"
47 | serial: 5c:2f:97:a3:1a:bc:32:b0:8c:ac:01:00:59:8f:32:f6
48 | subject: Neowiz CORPORATION
49 |
50 | ynk_japan:
51 | added_by: David Cannings
52 | description: "YNK JAPAN certificate"
53 | serial: 67:24:34:0d:db:c7:25:2f:7f:b7:14:b8:12:a5:c0:4d
54 | subject: YNK JAPAN Inc
55 |
56 | mgame:
57 | added_by: David Cannings
58 | description: "MGAME Corp certificate"
59 | ref: http://www.securelist.com/en/analysis/204792287/Winnti_More_than_just_a_game
60 | serial: 4e:eb:08:05:55:f1:ab:f7:09:bb:a9:ca:e3:2f:13:cd
61 | subject: MGAME Corp.
62 |
63 | sjsystem:
64 | added_by: David Cannings
65 | description: "SJ SYSTEM certificate, has signed Sakula malware"
66 | serial: 20:d0:ee:42:fc:90:1e:6b:3a:8f:ef:e8:c1:e6:08:7a
67 | subject: SJ SYSTEM
68 |
69 | molerats1:
70 | added_by: David Cannings
71 | description: "Fake Microsoft certificate, used by Molerats group"
72 | ref: https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html
73 | serial: 03:e1:e1:aa:a5:bc:a1:9f:ba:8c:42:05:8b:4a:bf:28
74 | subject: Microsoft Corporation
75 |
76 | molerats2:
77 | added_by: David Cannings
78 | description: "Fake Microsoft certificate, used by Molerats group"
79 | ref: https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html
80 | serial: 06:50:11:a5:bc:bf:83:c0:93:28:16:5e:7e:85:27:75
81 | subject: Microsoft Corporation
82 |
83 | molerats3:
84 | added_by: David Cannings
85 | description: "Fake Microsoft certificate, used by Molerats group"
86 | ref: https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html
87 | serial: 0c:c0:35:9c:9c:3c:da:00:d7:e9:da:2d:c6:ba:7b:6d
88 | subject: Skype Technologies SA
89 |
90 | estsoft:
91 | added_by: David Cannnings
92 | description: "ESTsoft Corp. certificate, used by Winnti"
93 | ref: http://www.securelist.com/en/analysis/204792287/Winnti_More_than_just_a_game
94 | serial: 30:d3:fe:26:59:1d:8e:ac:8c:30:66:7a:c4:99:9b:d7
95 | subject: ESTsoft Corp.
96 |
97 | rosso:
98 | added_by: David Cannnings
99 | description: "ROSSO INDEX certificate, used by Winnti"
100 | ref: http://www.securelist.com/en/analysis/204792287/Winnti_More_than_just_a_game
101 | serial: 01:00:00:00:00:01:29:7d:ba:69:dd
102 | subject: ROSSO INDEX K.K.
103 |
104 | kogco:
105 | added_by: David Cannnings
106 | description: "KOG Co. certificate, used by Winnti"
107 | ref: http://www.securelist.com/en/analysis/204792287/Winnti_More_than_just_a_game
108 | serial: 66:e3:f0:b4:45:9f:15:ac:7f:2a:2b:44:99:0d:d7:09
109 | subject: KOG Co., Ltd.
110 |
111 | guangzhou_yuanluo:
112 | added_by: David Cannnings
113 | description: "Guangzhou YuanLuo certificate, used by Winnti"
114 | ref: http://www.securelist.com/en/analysis/204792287/Winnti_More_than_just_a_game
115 | serial: 0b:72:79:06:8b:eb:15:ff:e8:06:0d:2c:56:15:3c:35
116 | subject: Guangzhou YuanLuo Technology Co.,Ltd
117 |
118 | fantastycorp:
119 | added_by: David Cannings
120 | description: "Fantasy Technology Corp. certificate, used by Winnti"
121 | ref: http://www.securelist.com/en/analysis/204792287/Winnti_More_than_just_a_game
122 | serial: 75:82:f3:34:85:aa:26:4d:e0:3b:2b:df:74:e0:bf:32
123 | subject: Fantasy Technology Corp.
124 |
125 | liveplex:
126 | added_by: David Cannings
127 | description: "LivePlex Corp certificate, used by Winnti"
128 | ref: http://www.securelist.com/en/analysis/204792287/Winnti_More_than_just_a_game
129 | serial: 1c:aa:0d:0d:ad:f3:2a:24:04:a7:51:95:ae:47:82:0a
130 | subject: LivePlex Corp
131 |
132 | wemade:
133 | added_by: David Cannings
134 | description: "Wemade Entertainment certificate, used by Winnti"
135 | ref: http://www.securelist.com/en/analysis/204792287/Winnti_More_than_just_a_game
136 | serial: 61:00:39:d6:34:9e:e5:31:e4:ca:a3:a6:5d:10:0c:7d
137 | subject: Wemade Entertainment
138 |
139 | wemade_2:
140 | added_by: David Cannings
141 | description: "Wemade Entertainment certificate, used by Winnti"
142 | serial: 47:6b:f2:4a:4b:1e:9f:4b:c2:a6:1b:15:21:15:e1:fe
143 | subject: Wemade Entertainment
144 |
145 | sesisoft:
146 | added_by: David Cannings
147 | description: "Sesisoft certificate, used by Winnti"
148 | ref: http://www.securelist.com/en/analysis/204792287/Winnti_More_than_just_a_game
149 | serial: 61:3e:2f:a1:4e:32:3c:69:ee:3e:72:0c:27:af:e4:ce
150 |
151 | calltogether:
152 | added_by: David Cannings
153 | description: "CallTogether, Inc. certificate"
154 | ref: https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html
155 | serial: 45:21:56:c3:b3:fb:01:76:36:5b:db:5b:77:15:bc:4c
156 | subject: CallTogether, Inc.
157 |
158 | qti:
159 | added_by: David Cannings
160 | description: "QTI International certificate"
161 | serial: 2e:df:b9:fd:cf:a0:0c:cb:5a:b0:09:ee:3a:db:97:b9
162 | subject: QTI International Inc
163 |
164 | fuqing:
165 | added_by: David Cannings
166 | description: "Fuqing Dawu Technology Co.,Ltd. certificate, used to sign Derusbi"
167 | ref: http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family
168 | serial: 4c:0b:2e:9d:2e:f9:09:d1:52:70:d4:dd:7f:a5:a4:a5
169 |
170 | xlgames:
171 | added_by: David Cannings
172 | description: "XL Games Co.,Ltd. certificate, used to sign Derusbi"
173 | ref: http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family
174 | # Also https://securelist.com/analysis/publications/72356/i-am-hdroot-part-2/
175 | serial: 7b:d5:58:18:c5:97:1b:63:dc:45:cf:57:cb:eb:95:0b
176 |
177 | wemade2:
178 | added_by: David Cannings
179 | description: "Wemade Entertainment certificate #2, used to sign Derusbi"
180 | ref: http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family
181 | serial: 47:6b:f2:4a:4b:1e:9f:4b:c2:a6:1b:15:21:15:e1:fe
182 | subject: Wemade Entertainment co.Ltd
183 |
184 | acer_corp:
185 | added_by: David Cannings
186 | description: "Acer Incorporated certificate, used by Wild Neutron"
187 | ref: https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/
188 | serial: 5c:c5:3b:a3:e8:31:a7:df:dc:7c:28:d5:15:8f:c3:80
189 |
190 | honhai:
191 | added_by: David Cannings
192 | description: "HON HAI PRECISION certificate, used in Duqu"
193 | ref: https://securelist.com/blog/research/70641/the-duqu-2-0-persistence-module/
194 | serial: 25:65:41:e2:04:61:90:33:f8:b0:9f:9e:b7:c8:8e:f8
195 |
196 | micro_digital:
197 | added_by: David Cannings
198 | description: "MICRO DIGITAL INC. certificate, signed Sakula sample"
199 | serial: 31:06:2e:48:3e:01:06:b1:8c:98:2f:00:53:18:5c:36
200 |
201 | career_credit:
202 | added_by: David Cannings
203 | description: "Career Credit Co certificate, signed Sakula sample"
204 | serial: 01:a5:d9:59:95:19:b1:ba:fc:fa:d0:e8:0b:6d:67:35
205 |
206 | utech_it:
207 | added_by: David Cannings
208 | description: "U-Tech IT service certificate, signed Sakula sample"
209 | serial: 3a:c1:0e:68:f1:ce:51:9e:84:dd:cd:28:b1:1f:a5:42
210 |
211 | fake_intel1:
212 | added_by: David Cannings
213 | description: "Fake Intel certificate, used by ENERGETIC BEAR"
214 | serial: 38:7d:56:db:4f:6f:01:af:42:b5:4d:1c:76:35:ba:ba
215 | subject: Intel corp.
216 |
217 | fake_intel2:
218 | added_by: David Cannings
219 | description: "Fake Intel certificate, used by ENERGETIC BEAR"
220 | serial: c8:2c:59:ec:eb:94:a3:49:ff:be:96:f6:b2:ac:a6
221 | subject: Intel corp.
222 |
223 | fake_intel3:
224 | added_by: David Cannings
225 | description: "Fake Intel certificate, used by ENERGETIC BEAR"
226 | serial: 16:16:3d:e1:d7:88:eb:86:45:18:9d:60:b0:45:9a:af
227 | subject: Intel corp.
228 |
229 | fake_intel4:
230 | added_by: David Cannings
231 | description: "Fake Intel certificate, used by ENERGETIC BEAR"
232 | serial: 42:3a:49:0d:e8:c9:49:96:4f:ae:56:da:73:db:5c:0c
233 | subject: Intel Inside
234 |
235 | fake_intel5:
236 | added_by: David Cannings
237 | description: "Fake Intel certificate, used by ENERGETIC BEAR"
238 | serial: 42:f3:df:89:33:b0:fb:6b:ba:6d:8b:c3:64:e9:16:ef
239 | subject: Intel corp.
240 |
241 | fake_intel6:
242 | added_by: David Cannings
243 | description: "Fake Intel certificate, used by ENERGETIC BEAR"
244 | serial: 6e:af:a3:88:65:4f:a0:8e:46:6b:4b:d3:89:66:d1:96
245 | subject: Intel corp.
246 |
247 | fake_ibm1:
248 | added_by: David Cannings
249 | description: "Fake IBM certificate, used by ENERGETIC BEAR"
250 | serial: 19:c6:97:ff:ad:46:91:5b:b4:c3:02:51:40:f1:f2:e1
251 | subject: info@IBM.com
252 |
253 | fake_ibm2:
254 | added_by: David Cannings
255 | description: "Fake IBM certificate, used by ENERGETIC BEAR"
256 | serial: 2b:c3:be:7a:30:33:ab:87:4a:85:17:d8:9f:49:f3:ab
257 | subject: info@IBM.com
258 |
259 | fake_ibm3:
260 | added_by: David Cannings
261 | description: "Fake IBM certificate, used by ENERGETIC BEAR"
262 | serial: 34:f0:1e:a2:04:9b:f2:4a:b7:30:7f:a6:1b:ab:da:ee
263 | subject: info@IBM.com
264 |
265 | fake_ibm4:
266 | added_by: David Cannings
267 | description: "Fake IBM certificate, used by ENERGETIC BEAR"
268 | serial: 48:fd:43:55:5e:dd:5f:98:46:3b:d0:57:67:8a:25:70
269 | subject: info@IBM.com
270 |
271 | fake_ibm5:
272 | added_by: David Cannings
273 | description: "Fake IBM certificate, used by ENERGETIC BEAR"
274 | serial: 52:09:98:30:b4:1a:3c:6b:b3:23:83:72:30:d3:75:e1
275 | subject: info@IBM.com
276 |
277 | fake_asus:
278 | added_by: David Cannings
279 | description: "Fake Asus certificate, used by ENERGETIC BEAR"
280 | serial: 29:12:6d:77:f1:76:48:a4:40:85:4b:d5:22:63:7e:e3
281 | subject: admin@asus.com
282 |
283 | fake_apple:
284 | added_by: David Cannings
285 | description: "Fake Apple certificate, used by ENERGETIC BEAR"
286 | serial: 3a:67:7b:45:bf:08:5b:9a:4f:16:34:92:2a:e0:b6:40
287 | subject: apple.co.uk
288 |
289 | fake_foxcon:
290 | added_by: David Cannings
291 | description: "Fake Foxcon certificate, used by ENERGETIC BEAR"
292 | serial: 92:23:2f:6f:95:ec:8b:86:40:9c:96:5f:02:b0:c6:dd
293 | subject: foxcon@foxcon.com
294 |
295 | fake_microsoft1:
296 | added_by: David Cannings
297 | description: "Fake Microsoft certificate, used by Derusbi"
298 | serial: 45:91:69:47:db:98:c7:66:bf:09:78:78:9b:38:90:c9
299 | subject: Microsoft Certificate Authority
300 |
301 | fake_microsoft2:
302 | added_by: David Cannings
303 | description: "Fake Microsoft certificate, used by Derusbi"
304 | serial: 10:79:bf:56:f4:74:9e:a4:46:78:74:cb:4f:92:64:d8
305 | subject: Microsoft
306 |
307 | fake_microsoft3:
308 | added_by: David Cannings
309 | description: "Fake Microsoft certificate, used by Derusbi"
310 | serial: 24:2c:00:9f:8e:a4:a3:60:ba:35:40:5e:e8:17:76:9b
311 | subject: Microsoft Certificate Authority
312 |
313 | fake_microsoft4:
314 | added_by: David Cannings
315 | description: "Fake Microsoft certificate, used by Derusbi"
316 | serial: 69:ac:98:83:4f:d5:08:99:4e:0f:cf:4d:35:16:13:ac
317 | subject: CN=Microsoft Certificate Authority
318 |
319 | lenovo:
320 | added_by: David Cannings
321 | description: "Stolen Lenovo certificate, used by Derusbi"
322 | serial: 7f:01:fb:34:d5:06:90:99:5e:6f:42:c0:77:1c:e8:7f
323 | subject: Lenovo Information Products (Shenzhen) Co.,Ltd
324 |
325 | tehnoservis:
326 | added_by: David Cannings
327 | description: "OOO Tehnoservis certificate, used by Derusbi"
328 | serial: 35:78:99:18:22:94:cb:93:61:e0:42:ce:6d:7e:38
329 | subject: OOO Tehnoservis
330 |
331 | luzhoushi:
332 | added_by: David Cannings
333 | description: "Luzhousi Huicheng certificate, used by Derusbi"
334 | serial: 1f:28:51:fc:5d:f4:5d:a8:44:65:05:20:39:08:f4:22
335 | subject: Luzhoushi Huicheng Technology Co.,Ltd.
336 |
337 | clevertester:
338 | added_by: David Cannings
339 | description: "CleverTester@company.mail certificate, used to sign Bandook (note no serial)"
340 | subject: "/CN=Cnet Inc./O=Cnet Inc./L=CA/C=US/emailAddress=CleverTester@company.mail"
341 |
342 | martin_daly:
343 | added_by: David Cannings
344 | description: "Personal certificate (likely stolen), used to sign Bandook"
345 | subject: CN=Martin Daly/emailAddress=martin.daly1970@gmail.com
346 | serial: 30:ef:0d:97:10:fa:18:be:1d:54:3a:cc:99:8c:74:72
347 |
348 | saly_younes:
349 | added_by: David Cannings
350 | description: "Personal certificate (likely stolen), used to sign Bandook"
351 | subject: /O=Saly Younes/CN=Saly Younes
352 | serial: 09:81:3e:e7:31:84:52:c2:8a:1f:64:26:d1:ce:e1:2d
353 |
354 | ghada_saffarini:
355 | added_by: David Cannings
356 | description: "Personal certificate (likely stolen), used to sign Bandook"
357 | subject: /O=Ghada Saffarini/CN=Ghada Saffarini
358 | serial: 04:92:f5:c1:8e:26:fa:0c:d7:e1:50:67:67:4a:ff:1c
359 |
360 | nancy_razzouk:
361 | added_by: David Cannings
362 | description: "Personal certificate (likely stolen), used to sign Bandook"
363 | subject: /O=Nancy Razzouk/CN=Nancy Razzouk
364 | serial: 0c:3b:c3:99:ad:cc:42:35:c4:5d:ee:6d:a1:93:24:dc
365 |
366 | marc_chapon:
367 | added_by: David Cannings
368 | description: "Personal certificate (likely stolen), used to sign Bandook"
369 | subject: /O=Marc Chapon/CN=Open Source Developer, Marc Chapon
370 |
371 | movie_maker:
372 | added_by: David Cannings
373 | description: "Movie Maker certificate, used to sign Bandook"
374 | subject: /CN=Movie Maker/OU=Demos/O=Movie maker
375 | # Note serial is "01"
376 |
377 | mirage_international:
378 | added_by: David Cannings
379 | description: "Mirage International certificate, used to sign Bandook"
380 | subject: /OU=Protection/O=Mirage International
381 | # Note serial is "01"
382 |
383 | redduck:
384 | added_by: David Cannings
385 | description: "Redduck Inc., used to sign Winnti related samples"
386 | subject: CN=Redduck Inc.
387 | serial: 0f:66:84:2b:4f:9c:45:8b:72:13:6f:0a:e9:69:24:b7
388 |
389 | neoact:
390 | added_by: David Cannings
391 | description: "Neoact Co, used to sign Winnti related samples"
392 | subject: CN=Neoact Co
393 | serial: 27:a4:33:ca:2f:e7:67:b6:5e:b9:6e:43:04:c9:2e:53
394 |
395 | zemi_interactive:
396 | added_by: David Cannings
397 | description: "Zemi Interactive, used to sign Winnti related samples"
398 | subject: O=Zemi Interactive Co
399 | serial: 45:05:e9:ac:8d:28:8d:76:3a:10:88:ed:1e:2c:8a:60
400 |
401 | runewaker:
402 | added_by: David Cannings
403 | description: "Runewaker Entertainment, used to sign Winnti related samples"
404 | subject: O=Runewaker Entertainment
405 | serial: 59:76:83:b6:8e:f6:b0:c8:be:2d:85:a2:12:b5:19:10
406 |
407 | webzen:
408 | added_by: David Cannings
409 | description: "Webzen Inc, used to sign Winnti related samples"
410 | subject: O=WEBZEN INC
411 | serial: 67:8c:0b:b9:bf:1f:6c:86:30:de:42:8d:8f:d1:4c:ad
412 |
413 | nexg:
414 | added_by: David Cannings
415 | description: "NexG certificate, used to sign Sakula"
416 | subject: O=NexG
417 | serial: 5e:3d:76:dc:7e:27:3e:2f:31:3f:c0:77:58:47:a2:a2
418 |
419 | gameus:
420 | added_by: David Cannings
421 | description: "GameUs certificate, possibly stolen by Wintti"
422 | subject: O=GameUS Inc
423 | serial: 54:c6:c1:40:6f:b4:ac:b5:d2:06:74:e9:93:92:c6:3e
424 |
425 | medinformatica:
426 | added_by: Richard Warren
427 | description: "Medinformatica SAS DI Meani Matteo & C. Used to sign .diagcab files, dropping LatentBot"
428 | ref: "https://www.proofpoint.com/us/threat-insight/post/windows-troubleshooting-platform-leveraged-deliver-malware"
429 | subject: CN=Medinformatica
430 | serial: 7c:a8:33:25:5e:b5:16:8d:70:b6:07:1c:04:9f:c5:b6
431 |
432 | hackingteam:
433 | added_by: David Cannings
434 | description: "HackingTeam fake code signing signature"
435 | subjeect: O=HT Srl
436 | serial: 3f:fc:eb:a8:3f:e0:0f:ef:97:f6:3c:d9:2e:77:eb:b9
437 |
438 | beijing_lianzhong:
439 | added_by: David Cannings
440 | description: "Used to sign zxshell"
441 | serial: 5c:2d:0a:4c:80:a3:59:97:b9:14:0a:3f:28:d9:69:d8
442 | subject: BEIJING LIANZHONG CO.
443 |
444 | liveplex:
445 | added_by: David Cannings
446 | description: "Used to sign zxshell"
447 | serial: 3f:55:42:e2:e7:1d:8d:b3:57:04:1c:9d:d4:5b:95:0a
448 | subject: O=LivePlex Corp
449 |
450 | whizzimo:
451 | added_by: David Cannings
452 | description: "Used to sign obfuscated Mimikatz (e.g. 2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29)"
453 | serial: 00:d3:50:ae:9f:f3:32:5e:43
454 | subject: O=Whizzimo, LLC
455 |
456 | green_partnership:
457 | added_by: David Cannings
458 | description: "Used to sign Lazarus group malware"
459 | serial: 50:29:da:ca:43:95:11:45:6d:9e:d8:15:37:03:f4:bc
460 | subject: O=THE GREEN PARTNERSHIP LTD
461 |
462 | corp8:
463 | added_by: David Cannings
464 | description: "Used to sign Lazarus group malware"
465 | serial: 4c:75:75:69:2c:2d:06:51:03:1a:77:ab:49:22:4c:cc
466 | subject: O=CORP 8 LIMITED
467 |
468 | 1549_limited:
469 | added_by: David Cannings
470 | description: "Used to sign Lazarus group malware"
471 | serial: 1c:7d:3f:6e:11:65:54:80:9f:49:ce:16:cc:b6:2e:84
472 | subject: O=1549 LIMITED
473 |
474 | cybasics:
475 | added_by: David Cannings
476 | description: "Used to sign Lazarus group malware"
477 | subject: O=CYBASICS LTD
478 | serial: 00:bb:ae:27:7a:c3:d9:cf:3f:85:00:86:a3:14:e7:0a:d7
479 |
480 | thesolutions:
481 | added_by: David Cannings
482 | description: "Used to sign Lazarus group malware"
483 | subject: O=THEESOLUTIONS LTD
484 | serial: 76:8d:dc:f9:ed:8d:16:a6:bc:77:45:1e:e8:8d:fd:90
485 |
486 | mikl_limited:
487 | added_by: David Cannings
488 | description: "Used to sign LockerGoga ransomware"
489 | subject: O=MIKL LIMITED
490 | serial: 3d:25:80:e8:95:26:f7:85:2b:57:06:54:ef:d9:a8:bf
491 |
492 | alisa_ltd:
493 | added_by: David Cannings
494 | description: "Used to sign LockerGoga ransomware"
495 | subject: O=ALISA LTD
496 | serial: 5d:a1:73:eb:1a:c7:63:40:ac:05:8e:1f:f4:bf:5e:1b
--------------------------------------------------------------------------------
/sample_data/office_exploits/ole.yaml:
--------------------------------------------------------------------------------
1 | # These OLE objects can all be used maliciously in some way or another. They
2 | # are typically used in Word documents (e.g. phishing) but can appear in any
3 | # other Office file.
4 |
5 | otkloadr:
6 | added_by: David Cannings
7 | description: "otkloadr, can be used to bypass ASLR after triggering an exploit"
8 | ref: https://www.greyhathacker.net/?p=770
9 | clsid:
10 | - A08A033D-1A75-4AB6-A166-EAD02F547959 # otkloadr.WRAssembly
11 | - 05741520-C4EB-440A-AC3F-9643BBC9F847 # otkloadr.WRLoader
12 | strings:
13 | - otkloadr.WRAssembly
14 | - otkloadr.WRLoader
15 |
16 | bcsadmin:
17 | added_by: David Cannings
18 | description: "BCSAddin, potential exploit document (CVE-2016-0042 / MS16-014)"
19 | clsid:
20 | - 1461A561-24E8-4BA3-8D4A-FFEEF980556B # BCSAddin.Connect
21 | - 6AD4AE40-2FF1-4D88-B27A-F76FC7B40440 # BCSAddin.ManageSolutionHelper
22 | strings:
23 | - BCSAddin. # BCSAddin.Connect and BCSAddin.ManageSolutionHelper
24 |
25 | msdaora:
26 | added_by: David Cannings
27 | description: "MSDAORA, potential exploit document"
28 | clsid:
29 | - e8cc4cbe-fdff-11d0-b865-00a0c9081c1d # MSDAORA.1
30 | strings:
31 | - MSDAORA.1
32 |
33 | ssce:
34 | added_by: David Cannings
35 | description: "SQL Server Compact Edition, non-ASLR compatible"
36 | ref: http://www.greyhathacker.net/?cat=40&paged=2
37 | strings:
38 | - SSCE.DropTableListener
39 | - SSCE.Engine
40 | - SSCE.Error
41 | - SSCE.Param
42 | - SSCE.RemoteDataAccess
43 | - SSCE.Replication
44 |
45 | umoutlookaddin:
46 | added_by: David Cannings
47 | description: "UmOutlookAddin, potential exploit document (CVE-2016-0042 / MS16-014)"
48 | clsid:
49 | - 23CE100B-1390-49D6-BA00-F17D3AEE149C # UmOutlookAddin.UmEvmCtrl
50 | - 8627E73B-B5AA-4643-A3B0-570EDA17E3E7 # UmOutlookAddin.ButtonBar
51 | - F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3 # UmOutlookAddin.FormRegionAddin
52 | - ECF44975-786E-462F-B02A-CBCCB1A2C4A2 # UmOutlookAddin.FormRegionContext
53 | - CDF1C8AA-2D25-43C7-8AFE-01F73A3C66DA # UmOutlookAddin.InspectorContext
54 | - D50FED35-0A08-4B17-B3E0-A8DD0EDE375D # UmOutlookAddin.PlayOnPhoneDlg
55 | - CCD068CD-1260-4AEA-B040-A87974EB3AEF # UmOutlookAddin.RoomsCTP
56 | strings:
57 | - UmOutlookAddin.
58 |
59 | xmlcontentfilter:
60 | added_by: David Cannings
61 | description: "Search.XmlContentFilter, potential exploit document"
62 | strings:
63 | - Search.XmlContentFilter
64 | clsid:
65 | - 41B9BE05-B3AF-460C-BF0B-2CDD44A093B1
66 |
67 | psisdecd:
68 | added_by: David Cannings
69 | description: "Psisdecd.*, potential exploit document"
70 | # Credit Richard Warren
71 | # Word will try to load ehTrace.dll
72 | strings:
73 | - Psisdecd.AnalogCable
74 | - Psisdecd.ATSCTerrestrial
75 |
76 | infopath:
77 | added_by: David Cannings
78 | description: "InfoPath.Designer, potential exploit document (CVE-2016-0021 / MS16-029)"
79 | strings:
80 | - InfoPath.DesignerExcelImport
81 | - InfoPath.DesignerWordImport
82 |
83 | vba_addin:
84 | added_by: David Cannings
85 | description: "Microsoft.VbaAddinForOutlook, potential exploit document (CVE-2016-0042 / MS16-014)"
86 | clsid:
87 | - 799ED9EA-FB5E-11D1-B7D6-00C04FC2AAE2 # Microsoft.VbaAddin
88 | strings:
89 | - Microsoft.VbaAddin
90 |
91 | onenotemobile:
92 | added_by: David Cannings
93 | description: "OneNoteMobile.SpnSync, potential exploit document (reported privately to Microsoft)"
94 | # Credit Richard Warren
95 | # Word to attempt to load the DLL "ceutil.dll".
96 | strings:
97 | - OneNoteMobile.SpnSync
98 |
99 | osf_sandbox:
100 | added_by: David Cannings
101 | description: "osf.Sandbox, potential exploit document (CVE-2015-1770 / MS15-059)"
102 | clsid:
103 | - CDDBCC7C-BE18-4A58-9CBF-D62A012272CE # osf.Sandbox
104 | - 3BA59FA5-41BF-4820-98E4-04645A806698 # osf.SandboxContent
105 | - 33BD73C2-7BB4-48F4-8DBC-82B8B313AE16 # osf.SandboxManager
106 | strings:
107 | - osf.Sandbox
108 |
109 | elsext:
110 | added_by: David Cannings
111 | description: "els.dll, potential DLL planting exploit document (CVE-2015-6128 / MS15-134)"
112 | ref: https://bugs.chromium.org/p/project-zero/issues/detail?id=514
113 | # Word will try to load elsext.dll
114 | clsid:
115 | - 394c052e-b830-11d0-9a86-00c04fd8dbf7 # No class name?
116 | - 975797fc-4e2a-11d0-b702-00c04fd8dbf7 # No class name?
117 | - 394c052e-b830-11d0-9a86-00c04fd8dbf7 # No class name?
118 |
119 | wuaext:
120 | added_by: David Cannings
121 | description: "wua.dll, potential DLL planting exploit document (CVE-2015-6128 / MS15-132)"
122 | ref: https://www.securify.nl/exploit/SFY20151201/ms15_132_dll_sideload.html
123 | # Word will try to load wuaext.dll
124 | clsid:
125 | - D93CE8B5-3BF8-462C-A03F-DED2730078BA # Slide To Shut Down Screen / authui.dll
126 | - 14ce31dc-abc2-484c-b061-cf3416aed8ff # Authentication UI Shutdown Choices / authui.dll
127 |
128 | mqrt:
129 | added_by: David Cannings
130 | description: "els.dll, potential DLL planting exploit document (CVE-2015-6128 / MS15-132)"
131 | ref: https://www.securify.nl/exploit/SFY20151201/ms15_132_dll_sideload.html
132 | # Word will try to load mqrt.dll
133 | clsid:
134 | - ecabafc9-7f19-11d2-978e-0000f8757e2a
135 |
136 | oci:
137 | added_by: David Cannings
138 | description: "oci.dll, potential DLL planting exploit document (MS15-132)"
139 | # Word will try to load oci.dll
140 | clsid:
141 | - e8cc4cbf-fdff-11d0-b865-00a0c9081c1d # OLE DB Provider for Oracle / Windows Vista - 7 / Office 2007 - 2013
142 |
143 | upnp:
144 | added_by: David Cannings
145 | description: "UPnP.DescriptionDocument, potential exploit document (reported privately to Microsoft)"
146 | # Credit Richard Warren
147 | # Word will try to load peerdist.dll
148 | clsid:
149 | - 1d8a9b47-3a28-4ce2-8a4b-bd34e45bceeb # UPnP.DescriptionDocument
150 | - 33fd0563-d81a-4393-83cc-0195b1da2f91 # UPnP.DescriptionDocumentEx
151 | strings:
152 | - UPnP.DescriptionDocument
153 |
154 | mscomctl:
155 | added_by: David Cannings
156 | description: "MSComctlLib.*, potential exploit document (CVE-2012-0158 / MS12-027)"
157 | ref: http://blog.ropchain.com/2015/07/27/analyzing-vupens-cve-2012-1856/
158 | clsid:
159 | - C74190B6-8589-11D1-B16A-00C0F0283628 # MSComctlLib.TreeCtrl
160 | - 66833FE6-8583-11D1-B16A-00C0F0283628 # MSComctlLib.Toolbar
161 | - BDD1F04B-858B-11D1-B16A-00C0F0283628 # MSComctlLib.ListViewCtrl
162 | strings:
163 | - MSComctlLib.TreeCtrl
164 | - MSComctlLib.Toolbar
165 | - MSComctlLib.ListViewCtrl
166 |
167 | mscomctl2:
168 | added_by: David Cannings
169 | description: "MSComctlLib.TabStrip, potential exploit document (CVE-2012-1856 / MS12-060)"
170 | ref: http://blog.ropchain.com/2015/07/27/analyzing-vupens-cve-2012-1856/
171 | clsid:
172 | - 1EFB6596-857C-11D1-B16A-00C0F0283628 # MSComctlLib.TabStrip
173 | strings:
174 | - MSComctlLib.TabStrip
175 |
176 | ctasksymbol:
177 | added_by: David Cannings
178 | description: "CTaskSymbol, potential use-after-free exploit document (CVE-2015-1642 / MS15-081)"
179 | ref: https://labs.mwrinfosecurity.com/advisories/microsoft-office-ctasksymbol-use-after-free-vulnerability/
180 | clsid:
181 | - 44F9A03B-A3EC-4F3B-9364-08E0007F21DF # Control.TaskSymbol
182 | strings:
183 | - Control.TaskSymbol
184 |
185 | package_manager:
186 | added_by: David Cannings
187 | description: "Office Package Manager, may load unsafe content including scripts"
188 | ref: http://quicksand.io/
189 | clsid:
190 | - 0003000C-0000-0000-c000-000000000046 # The original clsid used by exploit docs
191 | # The name for this is "Package" / "Package2" , which is not unique enough to include
192 |
193 | package_manager_poss:
194 | added_by: David Cannings
195 | description: "Office Package Manager, needs triage, these clsids are all surrogates"
196 | clsid:
197 | - 00020C01-0000-0000-C000-000000000046 # All of these use TreatAs to load the F20D.. clsid
198 | - 00022601-0000-0000-C000-000000000046
199 | - 00022602-0000-0000-C000-000000000046
200 | - 00022603-0000-0000-C000-000000000046
201 | - 0003000D-0000-0000-C000-000000000046
202 | - 0003000E-0000-0000-C000-000000000046
203 | - 00020C01-0000-0000-C000-000000000046
204 | - F20DA720-C02F-11CE-927B-0800095AE340 # Generic surrogate for packager.dll, check for FP
205 |
206 | stdolelink:
207 | added_by: David Cannings
208 | description: "StdOleLink, used to embed various exploits (note the vulnerability is in the embedded object or underlying handler, not StdOleLink itself)"
209 | clsid:
210 | - 00000300-0000-0000-C000-000000000046
211 | strings:
212 | - StdOleLink
213 | - OLE2Link
214 |
215 | devicemoniker:
216 | added_by: David Cannings
217 | description: "DeviceMoniker, used in CVE-2016-0015 and should not be seen in a typical document"
218 | clsid:
219 | - 4315D437-5B8C-11D0-BD3B-00A0C911CE86
220 | strings:
221 | - DeviceMoniker
222 |
223 | urlmoniker:
224 | added_by: David Cannings
225 | description: "URLMoniker, used to load remote content for CVE-2017-0199 (note vulnerability is in the HTA handler, not URLMoniker itself)"
226 | clsid:
227 | - 79eac9e0-baf9-11ce-8c82-00aa004ba90b # URL Moniker
228 | - 79EAC9F1-BAF9-11CE-8C82-00AA004BA90B # URLMoniker ProxyStub Factory
229 | strings:
230 | - URLMoniker
231 | - URL Moniker
232 |
233 | generic_links:
234 | added_by: David Cannings
235 | description: "Unusual CLSIDs to see in a document file, investigate further"
236 | clsid:
237 | - 79eac9d0-baf9-11ce-8c82-00aa004ba90b # StdHlink
238 | - 79eac9d1-baf9-11ce-8c82-00aa004ba90b # StdHlinkBrowseContext
239 | - 79eac9e2-baf9-11ce-8c82-00aa004ba90b # http: Asychronous Pluggable Protocol Handler
240 | - 79eac9e3-baf9-11ce-8c82-00aa004ba90b # ftp: Asychronous Pluggable Protocol Handler
241 | - 79eac9e5-baf9-11ce-8c82-00aa004ba90b # https: Asychronous Pluggable Protocol Handler
242 | - 79eac9e6-baf9-11ce-8c82-00aa004ba90b # mk: Asychronous Pluggable Protocol Handler
243 | - 79eac9e7-baf9-11ce-8c82-00aa004ba90b # file:, local: Asychronous Pluggable Protocol Handler
244 | strings:
245 | - StdHlink
246 | - Asynchronous Pluggable
247 |
248 | hidden_explorer_window:
249 | added_by: David Cannings
250 | description: "Hidden Explorer shell browser window"
251 | ref: https://twitter.com/enigma0x3/status/890980564420788224
252 | clsid:
253 | - c08afd90-f2a1-11d1-8455-00a0c91f3880
254 | strings:
255 | - ShellBrowserWindow
256 |
257 | terminal_services_scripting:
258 | added_by: David Cannings
259 | description: "Microsoft Terminal Services Client Control (not safe for scripting)"
260 | ref: https://twitter.com/joe4security/status/1221765460502421504?s=20%E2%80%9D
261 | clsid:
262 | - 7cacbd7b-0d99-468f-ac33-22e495c0afe5 # MsTscAx.MsTscAx.2
263 | - 3523c2fb-4031-44e4-9a3b-f1e94986ee7f # MsTscAx.MsTscAx.3
264 | - ace575fd-1fcf-4074-9401-ebab990fa9de # MsTscAx.MsTscAx.4
265 | - 6AE29350-321B-42be-BBE5-12FB5270C0DE # MsTscAx.MsTscAx.5
266 | - 4eb2f086-c818-447e-b32c-c51ce2b30d31 # MsTscAx.MsTscAx.6
267 | - d2ea46a7-c2bf-426b-af24-e19c44456399 # MsTscAx.MsTscAx.7
268 | - 54d38bf7-b1ef-4479-9674-1bd6ea465258 # MsTscAx.MsTscAx.8
269 | - A3BC03A0-041D-42E3-AD22-882B7865C9C5 # MsTscAx.MsTscAx.9
270 | - 8B918B82-7985-4C24-89DF-C33AD2BBFBCD # MsTscAx.MsTscAx.10
271 | - A0C63C30-F08D-4AB4-907C-34905D770C7D # MsTscAx.MsTscAx.11
272 | - 1DF7C823-B2D4-4B54-975A-F2AC5D7CF8B8 # MsTscAx.MsTscAx.12
273 | strings:
274 | - MsTscAx.MsTscAx
--------------------------------------------------------------------------------
/sample_data/resources/icons.yaml:
--------------------------------------------------------------------------------
1 | # This file contains icons frequently seen used by malware.
2 | #
3 | # To compile the initial file I chose icons used in a high number of
4 | # samples (e.g. fake Adobe Flash player updates) and those which
5 | # should never be used by an executable (e.g. Word Document icons).
6 | #
7 | # Note these are not all necessarily malicious. NSIS installers and
8 | # RAR archives are perfectly good uses of executable files!
9 |
10 | picture_icon:
11 | added_by: David Cannings
12 | description: Icon looks like a picture file
13 | hash:
14 | - 32d5f5f3228c1bfd1df68af222a1f186
15 | - 3468c535ee649017775ff3e4485b6288
16 | - 360e0deb81fe8e135a0414f9e4b1b1f4
17 | - 376cc20009dadb65c9d0199248148495
18 | - 6f007bf13b5cce45ea9751db29aa77f2
19 | - 720e58813013b450d74afd2e8cf2cbd6
20 | - 781bf3cf2fe5f1c976fce99863bde5ec
21 | - e0affc0388e04826309a64a6c8c952a6
22 |
23 | lanfiltrator_icon:
24 | added_by: David Cannings
25 | description: Icon from the Lanfiltrator malware
26 | hash:
27 | - 67cffb14e434526c453e04be5e3a908d
28 | - 97506f2349fc4276ec7566c77951214b
29 |
30 | word_icon:
31 | added_by: David Cannings
32 | description: Icon looks like a Microsoft Word document
33 | hash:
34 | - 137f549d5ca7b9fbe85d17c2cde1947d
35 | - 1899bcc2d01cf773f8de7d36d4cf71be
36 | - 30834ec3cf0fa7f523dcbacfcb29f96b
37 | - 64580af1e3b4739e5fb8ec58b79ee7f8
38 | - 87296f8f8be3838bd1578cc933115352
39 | - a1fe17d347b1156212cdc11e9007b60c
40 | - c618c9640e539622e4a3789e801b1867
41 | - e4d0a554ccb5bc70ae04708bae42290b
42 | - fcc3b023cb0ef6694b74bcdc456d52b4
43 |
44 | excel_icon:
45 | added_by: David Cannings
46 | description: Icon looks like a Microsoft Excel document
47 | hash:
48 | - 0eb92d7392ee79adeae9fb6dd79369bd
49 | - 11e050fa9184385d5d3eaead0028c659
50 | - 5ee01927605e4703cee0f2e5d5812b90
51 | - 7bd38937d4711b70b0b985f4f07fe8fd
52 | - 86b067a58c669bf96610a854c15d2832
53 | - bef052a836721603944223065df03278
54 | - c71d2b63fbe3f38bba270a74853c64b4
55 | - de40ecff2f08541e4a5a0d94470ffe86
56 | - de6ad028f9014f7d62c3939eba34c995
57 |
58 | powerpoint_icon:
59 | added_by: David Cannings
60 | description: Icon looks like a Microsoft Powerpoint document
61 | hash:
62 | - 0faab9105319c78cbcbf513c44264717
63 | - 1b2c01b50b525cb3bd29fa4977d2f94f
64 | - 36e26f21f8b78411ad8a882a8e355fbc
65 | - 441ed48614c47f8e84425d6eb7bc0443
66 | - 4a7e819311988977b2eafb89e22db78e
67 | - 4ceeaab17956c1a76b436e09bb601129
68 | - 85c77f3bf33a083be1574f16025f311f
69 | - b10c0f2ba9becfb38e81ddb6db98dc5a
70 | - cd44986dcb0c9e828d84ff7886c97a76
71 |
72 | generic_doc_icon:
73 | added_by: David Cannings
74 | description: Icon looks like a generic Office document
75 | hash:
76 | - 022cf931375284674e8efa021c6dbf89
77 | - 082d902e9dac4a611abeb5e5254031dd
78 | - 315a487481d78010d269378be16b8e5b
79 | - 363e8b9515d82e4eec37f54756aaefe7
80 | - 408e3453e2839ab43e6cfb7e5b32836f
81 | - 4d6f1cb813db90e55a89f8b1cc20a7c7
82 | - 5a2ed703d2b737b809e616ec65886ba5
83 | - c5e35166cb10e362132963d8a8053827
84 | - eec0d743689769c365450aed5e131c16
85 |
86 | pdf_icon:
87 | added_by: David Cannings
88 | description: Icon looks like an Adobe Acrobat PDF
89 | hash:
90 | - 07719e9a1bfe3bdb00653c03c9646064
91 | - 157e93f142da0938bdfbec079b473809
92 | - 1daffb0d65ab793fafce375e6f8c93c4
93 | - b0681b3b4f35d66f842ec45712278844
94 | - ba94ca63109ce80f7ff07f8b32f48bad
95 | - baca0bd675b44b8db1263e690e15acbe
96 | - bca790b2bd380d03c12f6db36844201b
97 | - f9130bc5914f37d08883508b0e569659
98 | - e0ae31d8a36f6d871e02beddb28f9991
99 | - 21760bb3ca58573d00fcabd28e89483e
100 |
101 | winrar_icon:
102 | added_by: David Cannings
103 | description: Icon looks like a WinRAR archive
104 | hash:
105 | - 1f9620bbff17ddebb3f850ead9bc016f
106 | - 2b15ab8515848243b12d928ef15cc8bc
107 | - 3c55ffb3d78eb6f96af32ffaed057779
108 | - b524cff7507513c7b0e86629347056ee
109 | - 41491a39d90ed5934e44c6a505f15ee5
110 | - de81bccb6410c9e4acb325f67f268bc5
111 | - e9356775b7b8159cfad335fa2c2b22d5
112 |
113 | nsis_icon:
114 | added_by: David Cannings
115 | description: Icon looks like an NSIS installer
116 | hash:
117 | - 0ec0a0948a526b9c7eebe39bb02b6b0b
118 | - 6b224e01af48ec8e4c17a59d9534e885
119 | - d9ee3a2962251a241bce41b0524cfc0e
120 | - ca82d899b1d402941b5c92ed9028cd95
121 |
122 |
123 | folder_icon:
124 | added_by: David Cannings
125 | description: Icon looks like an Explorer folder
126 | hash:
127 | - ab44cba7fc88c86cae78d18616ba83e6
128 | - ab18205aa448ea37f42d29fd693bb1ae
129 | - e8f7620c5428108ed857933621be0178
130 | - 7e8ed20b06ec05773b6a9b43860375f4
131 |
--------------------------------------------------------------------------------
/sample_data/resources/malware.yaml:
--------------------------------------------------------------------------------
1 |
2 | plugx_fast:
3 | added_by: David Cannings
4 | description: "PlugX FAST variant"
5 | hash:
6 | - b76393ee5270472899b22f8ef7f8b5a51a8d12e91bd9b52254351528be23157b # String table
7 | - 8ddbaefabe8f49e504dc0e9bb910b3401906782eff7c8a0b3ea5724b2e935a1a # FAST dialog box
8 |
--------------------------------------------------------------------------------
/yaml2yara/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nccgroup/yaml2yara/74eba7f4e124c6ecf9b7261d4c886f5cdcc71211/yaml2yara/__init__.py
--------------------------------------------------------------------------------
/yaml2yara/templates/authenticode.html:
--------------------------------------------------------------------------------
1 | {% import 'helpers.html' as helpers -%}
2 | {% extends "base.html" %}
3 | {% macro condition(field, condition, value, out) -%}
4 | {%- if out %}{{ out }}{% endif -%}
5 | {#- Only output the condition if the value is set -#}
6 | {%- if value %}
7 | {#- Is there a previous condition? -#}
8 | {%- if out %}and {% endif -%}
9 | pe.signatures[i].{{ field }} {{ condition }} "{{ value }}"
10 | {% endif -%}
11 | {%- endmacro -%}
12 | {% block imports %}
13 | import "pe"
14 | {% endblock %}
15 |
16 | {% block condition %}
17 | for any i in (0..pe.number_of_signatures - 1):
18 | (
19 | {% set out = condition('serial', "==", item.serial, "") -%}
20 | {% set out = condition('subject', "contains", item.subject, out) -%}
21 | {% set out = condition('issuer', "contains", item.issuer, out) -%}
22 | {{ out }}
23 | )
24 | {% endblock %}
25 |
--------------------------------------------------------------------------------
/yaml2yara/templates/authenticode_raw.html:
--------------------------------------------------------------------------------
1 | {% import 'helpers.html' as helpers -%}
2 | {% extends "base.html" %}
3 |
4 | {% block strings %}
5 |
6 | strings:
7 | {{- helpers.add_hex('serial', item.serial|replace(':', ' ')) -}}
8 | {{ helpers.add_str('subject', item.subject, 'wide ascii') -}}
9 | {{ helpers.add_str('issuer', item.issuer, 'wide ascii') }}
10 | {% endblock %}
11 |
12 | {% block condition %}
13 | all of them
14 | {% endblock %}
15 |
--------------------------------------------------------------------------------
/yaml2yara/templates/base.html:
--------------------------------------------------------------------------------
1 | {% import 'helpers.html' as helpers -%}
2 | {% block imports %}{% endblock %}
3 |
4 | /*
5 | * These rules were auto-generated by yaml2yara - do not edit this file!
6 | */
7 | {%- block rules %}
8 | {%- for name,item in data.items() %}
9 |
10 | {{ helpers.rule_name(name, prefix, item, global_tags) }} {
11 | meta:
12 | {{- helpers.meta(item) }}
13 |
14 | {%- block strings scoped %}{% endblock %}
15 |
16 | condition:
17 | {%- block condition scoped %}{% endblock %}
18 | }
19 | {%- endfor %}
20 | {%- endblock %}
21 |
--------------------------------------------------------------------------------
/yaml2yara/templates/helpers.html:
--------------------------------------------------------------------------------
1 | {% macro make_tags(tags) -%}
2 | {%- if tags %} :
3 | {%- for tag in tags|sort %} {{ tag }}{%- endfor -%}
4 | {% endif %}
5 | {%- endmacro %}
6 |
7 | {% macro rule_name(name, prefix, item, tags) -%}
8 | rule {% if prefix %}{{ prefix }}_{% endif %}{{ name }}{{ make_tags(item.tags) }}
9 | {%- endmacro %}
10 |
11 | {% macro meta(item) %}
12 | {{- add_meta('author', item.added_by) -}}
13 | {{ add_meta('description', item.description) -}}
14 | {{ add_meta('ref', item.ref) -}}
15 | {{ add_meta('generated_by', 'yaml2yara, see https://github.com/nccgroup/yaml2yara/') -}}
16 | {% endmacro %}
17 |
18 | {% macro add_hex(name, value) %}
19 | {#- Only output the condition if the value is set -#}
20 | {%- if value %}
21 | ${{ name }} = { {{ value }} }
22 | {%- endif -%}
23 | {% endmacro %}
24 |
25 | {% macro add_str(name, value, modifiers) %}
26 | {#- Only output the condition if the value is set -#}
27 | {%- if value %}
28 | ${{ name }} = "{{ value }}" {{ modifiers }}
29 | {%- endif -%}
30 | {% endmacro %}
31 |
32 | {% macro add_meta(name, value) %}
33 | {#- Only output meta information if the value is set -#}
34 | {%- if value %}
35 | {{ name }} = "{{ value }}"
36 | {%- endif -%}
37 | {% endmacro %}
38 |
39 |
--------------------------------------------------------------------------------
/yaml2yara/templates/office_exploits.html:
--------------------------------------------------------------------------------
1 | {% import 'helpers.html' as helpers -%}
2 | {% extends "base.html" %}
3 |
4 | {% block strings %}
5 |
6 | strings:
7 | // Parsers will open files without the full 'rtf'
8 | $header_rtf = "{\\rt" nocase
9 | $header_office = { D0 CF 11 E0 }
10 | $header_xml = "