├── .gitignore ├── .yara-ci.yml ├── APT_Backdoor_SUNBURST_fnv1a_experimental.yar ├── CVE-2023-23397 ├── README.md └── munin_check-results_CVE-2023-23397.csv ├── README.md ├── capa2yara ├── README.md ├── capa.yar ├── capa_priv.yar ├── unsupported_capa_rules.txt └── unsupported_capa_rules.yml ├── gen_github_net_redteam_tools_guids.yara ├── mimikatz_icon.yar ├── poc_secret_rule.yar └── webshell ├── gen_webshells.yar ├── gen_webshells_no_private_rules.yar └── gen_webshells_no_private_rules__converted_to_hunting.yar /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | pip-wheel-metadata/ 24 | share/python-wheels/ 25 | *.egg-info/ 26 | .installed.cfg 27 | *.egg 28 | MANIFEST 29 | 30 | # PyInstaller 31 | # Usually these files are written by a python script from a template 32 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 
33 | *.manifest 34 | *.spec 35 | 36 | # Installer logs 37 | pip-log.txt 38 | pip-delete-this-directory.txt 39 | 40 | # Unit test / coverage reports 41 | htmlcov/ 42 | .tox/ 43 | .nox/ 44 | .coverage 45 | .coverage.* 46 | .cache 47 | nosetests.xml 48 | coverage.xml 49 | *.cover 50 | *.py,cover 51 | .hypothesis/ 52 | .pytest_cache/ 53 | 54 | # Translations 55 | *.mo 56 | *.pot 57 | 58 | # Django stuff: 59 | *.log 60 | local_settings.py 61 | db.sqlite3 62 | db.sqlite3-journal 63 | 64 | # Flask stuff: 65 | instance/ 66 | .webassets-cache 67 | 68 | # Scrapy stuff: 69 | .scrapy 70 | 71 | # Sphinx documentation 72 | docs/_build/ 73 | 74 | # PyBuilder 75 | target/ 76 | 77 | # Jupyter Notebook 78 | .ipynb_checkpoints 79 | 80 | # IPython 81 | profile_default/ 82 | ipython_config.py 83 | 84 | # pyenv 85 | .python-version 86 | 87 | # pipenv 88 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 89 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 90 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 91 | # install all needed dependencies. 92 | #Pipfile.lock 93 | 94 | # PEP 582; used by e.g. 
github.com/David-OConnor/pyflow 95 | __pypackages__/ 96 | 97 | # Celery stuff 98 | celerybeat-schedule 99 | celerybeat.pid 100 | 101 | # SageMath parsed files 102 | *.sage.py 103 | 104 | # Environments 105 | .env 106 | .venv 107 | env/ 108 | venv/ 109 | ENV/ 110 | env.bak/ 111 | venv.bak/ 112 | 113 | # Spyder project settings 114 | .spyderproject 115 | .spyproject 116 | 117 | # Rope project settings 118 | .ropeproject 119 | 120 | # mkdocs documentation 121 | /site 122 | 123 | # mypy 124 | .mypy_cache/ 125 | .dmypy.json 126 | dmypy.json 127 | 128 | # Pyre type checker 129 | .pyre/ 130 | 131 | tmp/ 132 | *.swp 133 | vuln/ 134 | *test* 135 | x 136 | xx 137 | xxx 138 | y 139 | yy 140 | *delme* 141 | *.txt 142 | TO* 143 | *.old 144 | -------------------------------------------------------------------------------- /.yara-ci.yml: -------------------------------------------------------------------------------- 1 | branches: 2 | accept: 3 | - "**" 4 | 5 | files: 6 | accept: 7 | - "**.yar" 8 | - "**.yara" 9 | ignore: 10 | - "capa2yara/**" 11 | - "*hunting*" 12 | - "webshell/**" 13 | -------------------------------------------------------------------------------- /APT_Backdoor_SUNBURST_fnv1a_experimental.yar: -------------------------------------------------------------------------------- 1 | 2 | rule APT_fnv1a_plus_extra_XOR_in_MSIL_experimental 3 | { 4 | meta: 5 | description = "This rule detects the specific MSIL implementation of fnv1a of the SUNBURST backdoor (standard fnv1a + one final XOR before RET) independent of the XOR-string. 
(fnv64a_offset and fnv64a_prime are standard constants in the fnv1a hashing algorithm.)" 6 | reference = "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" 7 | author = "Arnim Rupp" 8 | license = "https://creativecommons.org/licenses/by-nc/4.0/" 9 | date = "2020-12-22" 10 | hash1 = "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77" 11 | hash2 = "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6" 12 | hash3 = "019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134" 13 | strings: 14 | $fnv64a_offset = { 25 23 22 84 e4 9c f2 cb } 15 | $fnv64a_prime_plus_gap_plus_xor_ret = { B3 01 00 00 00 01 [8-40] 61 2A 00 00 } 16 | 17 | // use for less false positives, xor before fnv1a prime 18 | //$fnv64a_prime_plus_gap_plus_xor_ret = { 61 [0-3] B3 01 00 00 00 01 [8-40] 61 2A } 19 | // even less false positives, not sure if it misses beef 20 | //$fnv64a_prime_plus_gap_plus_xor_ret = { 61 [0-3] B3 01 00 00 00 01 [8-40] 61 2A 00 00 } 21 | condition: 22 | (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them 23 | } 24 | 25 | 26 | rule APT_fnv1a_plus_extra_XOR_in_x64_experimental 27 | { 28 | meta: 29 | description = "This rule detects the specific x64 implementation of fnv1a like used in the SUNBURST backdoor (standard fnv1a + one final XOR before RET), rewritten in c. 
(fnv64a_offset and fnv64a_prime are standard constants in the fnv1a hashing algorithm.)" 30 | reference = "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" 31 | author = "Arnim Rupp" 32 | license = "https://creativecommons.org/licenses/by-nc/4.0/" 33 | date = "2020-12-22" 34 | strings: 35 | $fnv64a_offset = { 25 23 22 84 e4 9c f2 cb } 36 | 37 | // self compiled c examples end with 31 D0 C3 38 | // C3 followed by NOP/multibyte NOPs to reduce false positives 39 | $fnv64a_prime_plus_gap_plus_xor_ret = { B3 01 00 00 00 01 [4-44] ( 31 | 33 ) [0-1] C3 ( 90 | 66 90 | 0F 1F 00 | 0F 1F 40 00 | 0F 1F 44 00 00 | 66 0F 1F 44 00 00 | 0F 1F 80 00 00 00 00 | 0F 1F 84 00 00 00 00 00 | 66 0F 1F 84 00 00 00 00 00 ) } 40 | 41 | condition: 42 | // MZ or ELF 43 | ( uint16(0) == 0x5a4d or uint32be(0) == 0x7f454c46 ) and all of them 44 | } 45 | 46 | // todo: 47 | // Rules wouldn't work yet for bitshift instead of multiplication as described in http://www.isthe.com/chongo/tech/comp/fnv/index.html : hval += (hval << 1) + (hval << 4) + (hval << 5) + (hval << 7) + (hval << 8) + (hval << 40); 48 | 49 | 50 | 51 | // Deactivated. This rule is probably only useful for developers to check their own software repository 52 | /* 53 | rule TEST_false_positive_plain_fnv1a_in_x64 54 | { 55 | meta: 56 | description = "This rule detects x64 implementations of standard fnv1a just by looking for the standard fnv64a_offset and fnv64a_prime (unless bitshifting is used instead of multiplication). This rule would have found the SUNBURST backdoor at Solarwinds but will also find any other programm which implements fnv1a. 
Just useful for developers, pls check if that fnv1a was put there by you ;)" 57 | reference = "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" 58 | author = "Arnim Rupp" 59 | license = "https://creativecommons.org/licenses/by-nc/4.0/" 60 | date = "2020-12-22" 61 | score = 10 62 | strings: 63 | $fnv64a_offset = { 25 23 22 84 e4 9c f2 cb } 64 | $fnv64a_prime = { B3 01 00 00 00 01 } 65 | condition: 66 | // MZ or ELF 67 | ( uint16(0) == 0x5a4d or uint32be(0) == 0x7f454c46 ) and all of them 68 | } 69 | */ 70 | -------------------------------------------------------------------------------- /CVE-2023-23397/README.md: -------------------------------------------------------------------------------- 1 | # Overview of CVE-2023-23397 email samples and IOCs 2 | 3 | The samples were found on Virustotal using these YARA rules written by [delivr.to](https://delivr.to), [Florian Roth](https://github.com/Neo23x0), [Nils Kuhnert](https://github.com/3c7), [Arnim Rupp](https://github.com/ruppde), marcin@ulikowski.pl : 4 | 5 | 6 | CSV of [samples](munin_check-results_CVE-2023-23397.csv) as of 17th Mar 2023 including the IPs the samples connect to. It looks like the attackers always used one distinct IP per victim (not included in CSV) but you still might want to check your firewall logs. The date of first submission can be used to check for false positives. Also check if the connection originated from an outlook.exe process, if your logs go back that far. 
7 | 8 | New matches (mostly POCs at the moment): 9 | * 10 | * 11 | * 12 | 13 | -------------------------------------------------------------------------------- /CVE-2023-23397/munin_check-results_CVE-2023-23397.csv: -------------------------------------------------------------------------------- 1 | Lookup Hash,UNC-IP,First Submitted,Last Submitted,Positives,File Size,File Names,Virus,File Type,MD5,SHA1,VALHALLA,User Comments 2 | ece085c17ac5e822b78c533366e725bc845e215dcda78c0502ebd7f33ccb06ed,5.199.162.132,2022-04-01 06:21:07,2022-04-01 06:21:07,2,12.93 KB,2022-03-18 - лист.eml,ClamAV: Win.Malware.CVE_2023_23397-9993083-0 / Google: Detected,Email,9f4172d554bb9056c8ba28e32c606b1e,a059bedffc8b550264417b0bd7907f82bc1c6dbb,[{'positives': 2; 'rulename': 'EXPL_SUSP_Outlook_CVE_2023_23397_SMTP_Mail_Mar23'; 'tags': []; 'timestamp': 'Fri; 17 Mar 2023 18:36:59 GMT'; 'total': 59}],['thor'] 3 | f5790499a32d1769f830397e532bda03f8aa756f01b5b4d5007e2153fa3b76e4,5.199.162.132,2022-04-01 06:22:18,2022-04-01 06:22:18,1,7.46 KB,winmail.dat,ClamAV: Win.Malware.CVE_2023_23397-9993083-0,unknown,0658f137afa793b361ec93c462cbf41b,fad0ce16b461ee3d7a0229036a2817158eece402,[],['-'] 4 | eedae202980c05697a21a5c995d43e1905c4b25f8ca2fff0c34036bc4fd321fa,101.255.119.42,2022-04-14 11:49:27,2022-04-14 11:49:27,3,38.0 KB,Happy Birthday..msg,ESET-NOD32: a variant of Win32/Exploit.CVE-2023-23397.A / ClamAV: Win.Malware.CVE_2023_23397-9993083-0 / Google: Detected,Outlook,3d4362e8fe86d2f33acb3e15f1dad341,1842348089c440827b6fd15f0de2dc558f44b66f,[{'positives': 1; 'rulename': 'EXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23'; 'tags': ['EXPLOIT'; 'T1020'; 'CVE_2023_23397'; 'SUSP'; 'FILE']; 'timestamp': 'Fri; 17 Mar 2023 01:43:57 GMT'; 'total': 60}; {'positives': 1; 'rulename': 'SUSP_EXPL_Msg_CVE_2023_23397_Mar23'; 'tags': []; 'timestamp': 'Fri; 17 Mar 2023 01:45:34 GMT'; 'total': 60}],['thor'; 'thor'; 'Slimplistic'; 'rich_warren_ncc'] 5 | 
7fb7a2394e03cc4a9186237428a87b16f6bf1b66f2724aea1ec6a56904e5bfad,101.255.119.42,2022-05-18 07:26:26,2022-05-18 07:26:26,2,38.5 KB,Celebration.msg,ClamAV: Win.Malware.CVE_2023_23397-9993083-0 / Google: Detected,Outlook,f60350585fbfc5dc968f45c6ef4e434d,0f8878e8b6e2263d6a82b7346ebc580262708afc,[{'positives': 2; 'rulename': 'SUSP_EXPL_Msg_CVE_2023_23397_Mar23'; 'tags': []; 'timestamp': 'Fri; 17 Mar 2023 05:59:56 GMT'; 'total': 60}; {'positives': 2; 'rulename': 'EXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23'; 'tags': ['EXPLOIT'; 'T1020'; 'CVE_2023_23397'; 'SUSP'; 'FILE']; 'timestamp': 'Fri; 17 Mar 2023 05:59:58 GMT'; 'total': 60}],['thor'; 'thor'] 6 | 8ccc1c2bc251b7ebbe8ad001e9e9093bc29ebe8652c43b2f3cfc74bb53b10554,181.209.99.204,2022-08-05 08:22:49,2022-08-05 08:22:49,2,33.0 KB,Information!.msg,ClamAV: Win.Malware.CVE_2023_23397-9993083-0 / Google: Detected,Outlook,d0e6c5c888ff0baa7db12c776617112d,881435924d7b0cccebe35d04292df83e17244fd6,[{'positives': 2; 'rulename': 'SUSP_EXPL_Msg_CVE_2023_23397_Mar23'; 'tags': []; 'timestamp': 'Fri; 17 Mar 2023 06:07:50 GMT'; 'total': 60}; {'positives': 2; 'rulename': 'EXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23'; 'tags': ['EXPLOIT'; 'T1020'; 'CVE_2023_23397'; 'SUSP'; 'FILE']; 'timestamp': 'Fri; 17 Mar 2023 06:07:54 GMT'; 'total': 60}],['thor'; 'thor'] 7 | f929391fbdad0ae161bddb9110ca603b9d9b15f797170571dc1383b0b01d6c9f,213.32.252.221,2022-09-29 09:32:24,2022-09-29 09:32:24,0,8.97 KB,text.txt,-,Text,268e55491ac17e934cd9cee710dc4713,b1736631d2dcbebed365bfb76b839a9d7cbdd37d,[],['-'] 8 | 2986a00ce732edcd607f34f1c0fd37c3dfd4a249554d49c98fbc8a76368bcd09,213.32.252.221,2022-09-29 11:29:43,2022-09-29 11:29:43,1,6.55 KB,text.txt,ClamAV: Win.Malware.CVE_2023_23397-9993083-0,unknown,7b69acfdd6523394a4fc28d54aa3e839,a348b08322035646fd46aae3a0b930477c1013ea,[],['-'] 9 | 52dbaf64ce1a5cd1db9a9d385f8204e5f665ca53a3d904033bf1a10369490646,213.32.252.221 (VT relations),2022-10-05 14:10:40,2022-10-05 14:10:40,0,38.5 
KB,Interest..msg,-,Outlook,92e22b7e96aca3f9d733ca609ab0b589,7f54e1df38db9486d668557d6c46aca7d822ae7b,[{'positives': 0; 'rulename': 'SUSP_EXPL_Msg_CVE_2023_23397_Mar23'; 'tags': []; 'timestamp': 'Thu; 16 Mar 2023 16:48:43 GMT'; 'total': 60}],['thor'] 10 | 3f5db4a2387646ac3ec64b8476579f389f74c30ff483cfe51fb4ff1cc9cb4dda,168.205.200.55,2022-10-25 10:00:00,2022-10-25 10:00:00,2,40.5 KB,Information.msg,ClamAV: Win.Malware.CVE_2023_23397-9993083-0 / Google: Detected,Outlook,43a0441b35b3db061cde412541f4d1e1,fd80c80aacb6b7c9aae3f39dcd2a6c24d77281a2,[{'positives': 2; 'rulename': 'SUSP_EXPL_Msg_CVE_2023_23397_Mar23'; 'tags': []; 'timestamp': 'Fri; 17 Mar 2023 10:24:24 GMT'; 'total': 59}; {'positives': 2; 'rulename': 'EXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23'; 'tags': ['EXPLOIT'; 'T1020'; 'CVE_2023_23397'; 'SUSP'; 'FILE']; 'timestamp': 'Fri; 17 Mar 2023 10:24:26 GMT'; 'total': 59}],['thor'; 'thor'] 11 | fb85c8b587f3f127e54a7019ad8fde620ee76538cfa08a79de357d592719fdd3,213.32.252.221 (VT relations),2022-11-04 09:27:32,2022-11-04 09:27:32,0,36.0 KB,Fwd .msg,-,Outlook,8f2b1b066461246c017a6de356b1773d,ae76537abc7de4ee940ad35b43009c7b1c28eaa7,[],['Slimplistic'] 12 | 626a1ac262c3f094f1bcf54de5af7c5b9693f9bf7af39d0af4928438af58a534,213.32.252.221,2022-11-04 09:28:28,2022-11-04 09:28:28,4,38.0 KB,Fwd..msg,ClamAV: Win.Malware.CVE_2023_23397-9993083-0 / McAfee: CVE-2023-23397!C2586232C62C / Google: Detected / AhnLab-V3: Trojan/Msg.Agent,Outlook,c2586232c62cd890c09eac24b139c6f9,68e285402a47175a5246d5fafdd49de44e3d370b,[{'positives': 2; 'rulename': 'SUSP_EXPL_Msg_CVE_2023_23397_Mar23'; 'tags': []; 'timestamp': 'Thu; 16 Mar 2023 21:10:06 GMT'; 'total': 60}; {'positives': 4; 'rulename': 'EXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23'; 'tags': ['EXPLOIT'; 'T1020'; 'CVE_2023_23397'; 'SUSP'; 'FILE']; 'timestamp': 'Fri; 17 Mar 2023 06:04:33 GMT'; 'total': 60}],['thor'; 'thor'] 13 | cb8d3cce6f2722947ffa6cf195e5b93de39bfd79682f28377bd71a5b996b955b,213.32.252.221,2022-11-04 
18:41:05,2022-11-04 18:41:05,2,32.5 KB,Silence..msg,ClamAV: Win.Malware.CVE_2023_23397-9993083-0 / Google: Detected,Outlook,e0b2c1781ae247f91d2976e8397c415c,e1f3f230cd1d0b072dfec2af534505b3c9a463ad,[{'positives': 2; 'rulename': 'EXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23'; 'tags': ['EXPLOIT'; 'T1020'; 'CVE_2023_23397'; 'SUSP'; 'FILE']; 'timestamp': 'Fri; 17 Mar 2023 06:02:16 GMT'; 'total': 60}; {'positives': 2; 'rulename': 'SUSP_EXPL_Msg_CVE_2023_23397_Mar23'; 'tags': []; 'timestamp': 'Fri; 17 Mar 2023 06:02:16 GMT'; 'total': 60}],['thor'; 'thor'] 14 | 03a81e52235b2b5ffb182f437941e3605218c52fd14b55c208b07065d770a8ef,213.32.252.221,2022-11-08 20:41:31,2022-11-08 20:41:31,3,26.5 KB,Silence..msg,ClamAV: Win.Malware.CVE_2023_23397-9993083-0 / Google: Detected / McAfee: CVE-2023-23397!6B5B2BD4C5F5,Outlook,6b5b2bd4c5f5780289cc5597ba3b850c,ce573e76909ebef29b6338d971328db738a066fb,[{'positives': 0; 'rulename': 'SUSP_EXPL_Msg_CVE_2023_23397_Mar23'; 'tags': []; 'timestamp': 'Thu; 16 Mar 2023 16:49:47 GMT'; 'total': 59}; {'positives': 3; 'rulename': 'EXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23'; 'tags': ['EXPLOIT'; 'T1020'; 'CVE_2023_23397'; 'SUSP'; 'FILE']; 'timestamp': 'Fri; 17 Mar 2023 06:01:06 GMT'; 'total': 60}],['thor'; 'thor'] 15 | d4ef1b6b08a175a5401ff7e9c1837c78d327a056f480ae8b3553ef88d4965d47,213.32.252.221,2022-11-09 06:50:41,2022-11-09 07:56:56,3,24.0 KB,Silence..msg,ClamAV: Win.Malware.CVE_2023_23397-9993083-0 / Google: Detected / McAfee: CVE-2023-23397!D22B29582727,Outlook,d22b295827278d9e3f303d9b8d70729f,9ff0b3d31bac03b4a7c8b1e2bfd137692a1cfe63,[{'positives': 1; 'rulename': 'SUSP_EXPL_Msg_CVE_2023_23397_Mar23'; 'tags': []; 'timestamp': 'Thu; 16 Mar 2023 21:07:54 GMT'; 'total': 60}; {'positives': 3; 'rulename': 'EXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23'; 'tags': ['EXPLOIT'; 'T1020'; 'CVE_2023_23397'; 'SUSP'; 'FILE']; 'timestamp': 'Fri; 17 Mar 2023 05:58:52 GMT'; 'total': 60}],['thor'; 'thor'] 16 | 
68cd9628a83aca10be047cf6f8ac81e2597984b2c180f1bfb5f769041bbf7977,213.32.252.221,2022-11-10 07:00:54,2022-11-10 07:23:31,0,26.5 KB,Silence..msg,-,Outlook,7ed8cbb508a28e6b36f40c0aba14fcb4,6947c5342212720d23d74cd5a0776c7fc101e917,[],['-'] 17 | d544d82998bf9955610fe2b2163913c4ea4e6b51ef44e38fbe3f22d835ce58e5,69.162.253.21,2022-12-01 09:37:36,2022-12-01 09:37:36,3,38.5 KB,Fwd_.msg,ClamAV: Win.Malware.CVE_2023_23397-9993083-0 / Google: Detected / McAfee: CVE-2023-23397!EADB4B16755A,Outlook,eadb4b16755ac36aa9f4a85ebf23fd4c,0aac0dc9bdd21756f8f1f4aaeac25e411bf4de81,[{'positives': 3; 'rulename': 'EXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23'; 'tags': ['EXPLOIT'; 'T1020'; 'CVE_2023_23397'; 'SUSP'; 'FILE']; 'timestamp': 'Fri; 17 Mar 2023 05:58:52 GMT'; 'total': 60}; {'positives': 3; 'rulename': 'SUSP_EXPL_Msg_CVE_2023_23397_Mar23'; 'tags': []; 'timestamp': 'Fri; 17 Mar 2023 05:58:52 GMT'; 'total': 60}],['thor'; 'thor'] 18 | 0db4e30fb89fa2a97af589d1db4e6e049f121424281f1550db1acca48a8ee479,185.132.17.160,2022-12-01 12:19:18,2022-12-14 12:11:35,3,38.5 KB,Fwd_.msg,ClamAV: Win.Malware.CVE_2023_23397-9993083-0 / Google: Detected / McAfee: CVE-2023-23397!B21DDE4C19E2,Outlook,b21dde4c19e2f6fc08a922e25de38cf5,6a93c8af9c4db4afc3b469228b40bc2a27af3fbf,[{'positives': 0; 'rulename': 'SUSP_EXPL_Msg_CVE_2023_23397_Mar23'; 'tags': []; 'timestamp': 'Thu; 16 Mar 2023 16:47:36 GMT'; 'total': 59}; {'positives': 1; 'rulename': 'EXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23'; 'tags': ['EXPLOIT'; 'T1020'; 'CVE_2023_23397'; 'SUSP'; 'FILE']; 'timestamp': 'Fri; 17 Mar 2023 01:42:51 GMT'; 'total': 60}],['thor'; 'thor'] 19 | 1543677037fa339877e1d6ef2d077f94613afbcd6434d7181a18df74aca7742b,69.51.2.106,2022-12-14 08:47:25,2022-12-14 08:47:25,2,12.99 KB,Report.eml,ClamAV: Win.Malware.CVE_2023_23397-9993083-0 / Google: Detected,Email,b5d82be5813c7dacbd97ef5df073b260,77610614452bcf26fc5429fa5e2ef19efbaa6589,[{'positives': 2; 'rulename': 'EXPL_SUSP_Outlook_CVE_2023_23397_SMTP_Mail_Mar23'; 'tags': []; 
'timestamp': 'Fri; 17 Mar 2023 14:42:39 GMT'; 'total': 60}],['thor'] 20 | 6574128ee1dcfacb7a7d25428f15f8f74302ade8f3b96de06cd6f6c2a8a20f8c,69.51.2.106,2022-12-14 08:47:43,2022-12-14 08:47:43,1,7.0 KB,txt.docx,ClamAV: Win.Malware.CVE_2023_23397-9993083-0,unknown,40c03fcb4e44bbccf37125108aec5b26,73de4ce1da3037a4d45c9598a5194694af789708,[],['-'] 21 | 582442ee950d546744f2fa078adb005853a453e9c7f48c6c770e6322a888c2cf,113.160.234.229,2022-12-29 13:00:43,2023-03-17 18:42:00,16,30.5 KB,9e103cb4644d9144a8edfe4d5690d23cbe78d8af.rl.msg; Ticaret.msg; 582442ee950d546744f2fa078adb005853a453e9c7f48c6c770e6322a888c2cf.msg,Lionic: Trojan.Email.CVE-2023-23397.4!c / ClamAV: Win.Malware.CVE_2023_23397-9993083-0 / VIPRE: Exploit.CVE-2023-23397.A / ESET-NOD32: a variant of Win32/Exploit.CVE-2023-23397.A / Kaspersky: HEUR:Exploit.MSOffice.CVE-2023-23397.gen / BitDefender: Exploit.CVE-2023-23397.A / MicroWorld-eScan: Exploit.CVE-2023-23397.A / McAfee-GW-Edition: Exploit-CVE-2023-23397.a / FireEye: Exploit.CVE-2023-23397.A / Emsisoft: Exploit.CVE-2023-23397.A (B) / MAX: malware (ai score=86) / Arcabit: Exploit.CVE-2023-23397.A / GData: Exploit.CVE-2023-23397.A / Google: Detected / AhnLab-V3: Trojan/Msg.Agent / ALYac: Exploit.CVE-2023-23397.A,Outlook,2bb4c6b32d077c0f80cda1006da90365,9e103cb4644d9144a8edfe4d5690d23cbe78d8af,[{'positives': 9; 'rulename': 'SUSP_EXPL_Msg_CVE_2023_23397_Mar23'; 'tags': []; 'timestamp': 'Thu; 16 Mar 2023 15:36:17 GMT'; 'total': 60}; {'positives': 14; 'rulename': 'EXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23'; 'tags': ['EXPLOIT'; 'T1020'; 'CVE_2023_23397'; 'SUSP'; 'FILE']; 'timestamp': 'Fri; 17 Mar 2023 04:36:56 GMT'; 'total': 60}],['thor'; 'thor'; 'soumend6'; 'joesecurity'] 22 | 24d3449a950b72a1cb6a4aa7d0f05a77f990de99ffebaef2da8bea30a7437bc6,24.142.165.2,2023-01-12 14:12:01,2023-01-12 14:12:01,2,6.98 KB,txt.docx,ClamAV: Win.Malware.CVE_2023_23397-9993083-0 / Google: 
Detected,unknown,ce65c51078b7c69a6f50b0b37a36293f,0ac1cbad1b6df1ea2e1c1358e31791475c665da4,[{'positives': 2; 'rulename': 'EXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23'; 'tags': ['EXPLOIT'; 'T1020'; 'CVE_2023_23397'; 'SUSP'; 'FILE']; 'timestamp': 'Fri; 17 Mar 2023 16:31:43 GMT'; 'total': 58}],['thor'] 23 | Publication of CVE-2023-23397 by MS; mostly(?) POC testing below,,,,,,,,,,,, 24 | 47fee24586cd2858cfff2dd7a4e76dc95eb44c8506791ccc2d59c837786eafe3,,2023-03-15 10:59:20,2023-03-15 10:59:20,1,13.0 KB,appointment_mal2.msg,ESET-NOD32: a variant of Win32/Exploit.CVE-2023-23397.A,Outlook,699fb41067dda766b882da917b032555,4abd0c743b0b08217f08c5d8e83cf056cd003062,[{'positives': 0; 'rulename': 'EXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23'; 'tags': ['EXPLOIT'; 'T1020'; 'CVE_2023_23397'; 'SUSP'; 'FILE']; 'timestamp': 'Thu; 16 Mar 2023 16:10:02 GMT'; 'total': 60}; {'positives': 0; 'rulename': 'SUSP_EXPL_Msg_CVE_2023_23397_Mar23'; 'tags': []; 'timestamp': 'Thu; 16 Mar 2023 16:10:02 GMT'; 'total': 60}],['thor'; 'thor'; 'rich_warren_ncc'] 25 | b33a0eb265d4679a429e9551b76e3ffbd5c4dca39ec50a6af1cda7c49fd14771,,2023-03-15 13:36:18,2023-03-15 13:36:18,2,11.0 KB,appointment.msg,ESET-NOD32: a variant of Win32/Exploit.CVE-2023-23397.A / McAfee-GW-Edition: Artemis!Trojan,Outlook,d668a86587d579a2f8bacc45dcb2024a,d9b367c69717d51aba79d203d975979c391c40dd,[{'positives': 0; 'rulename': 'SUSP_EXPL_Msg_CVE_2023_23397_Mar23'; 'tags': []; 'timestamp': 'Thu; 16 Mar 2023 18:31:32 GMT'; 'total': 60}; {'positives': 0; 'rulename': 'EXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23'; 'tags': ['EXPLOIT'; 'T1020'; 'CVE_2023_23397'; 'SUSP'; 'FILE']; 'timestamp': 'Thu; 16 Mar 2023 18:31:32 GMT'; 'total': 60}],['thor'; 'thor'] 26 | 6c0087a5cbccb3c776a471774d1df10fe46b0f0eb11db6a32774eb716e1b7909,,2023-03-15 16:48:27,2023-03-17 13:34:57,4,11.5 KB,CVE_2023_23397.msg; Malicious.msg,ESET-NOD32: a variant of Win32/Exploit.CVE-2023-23397.A / McAfee-GW-Edition: Exploit-CVE-2023-23397.a / Ikarus: 
Exploit.CVE-2023-23397 / Google: Detected,Outlook,36405df90251020ba48e4f12713046d1,0949ade19b01b9246b71674aad93879ba881aadd,[{'positives': 1; 'rulename': 'EXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23'; 'tags': ['EXPLOIT'; 'T1020'; 'CVE_2023_23397'; 'SUSP'; 'FILE']; 'timestamp': 'Thu; 16 Mar 2023 16:07:40 GMT'; 'total': 60}; {'positives': 1; 'rulename': 'SUSP_EXPL_Msg_CVE_2023_23397_Mar23'; 'tags': []; 'timestamp': 'Thu; 16 Mar 2023 16:07:40 GMT'; 'total': 60}],['thor'; 'thor'; 'NerbalOne'] 27 | f46301802feb133b3a036cd020c982bdce7edc63dc6718e42e2756265dee01a7,,2023-03-15 19:14:40,2023-03-17 15:01:21,0,11.0 KB,hax.msg,-,Outlook,781b006c9ee496b9fafa66c73b0ae2ec,861403e228b541ba95b98778a857c423a045de05,[{'positives': 0; 'rulename': 'EXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23'; 'tags': ['EXPLOIT'; 'T1020'; 'CVE_2023_23397'; 'SUSP'; 'FILE']; 'timestamp': 'Thu; 16 Mar 2023 17:32:41 GMT'; 'total': 60}; {'positives': 0; 'rulename': 'SUSP_EXPL_Msg_CVE_2023_23397_Mar23'; 'tags': []; 'timestamp': 'Thu; 16 Mar 2023 17:32:41 GMT'; 'total': 60}],['thor'; 'thor'] 28 | 7d94c1946abe60549dd724309257095f96d4a41784e22e7fdd2821048e666151,,2023-03-15 19:18:06,2023-03-15 19:18:06,0,106.5 KB,test.msg,-,Outlook,8f76e1cdb40b4a1fe5072966bf284804,dc0031d07f3163750c88da21dfcc00c330f70f52,[],['-'] 29 | 7a029dcbf7c69edc3d234596f669b20b1fd45b20f310668314117403187d9ebb,,2023-03-15 23:43:25,2023-03-15 23:44:14,0,11.5 KB,test.msg; test.msg_ignore,-,Outlook,17f80a1c5b5e1dad22613817610e6595,8654636192ea7eeef39fbbecbd24eb1003d511f9,[{'positives': 0; 'rulename': 'EXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23'; 'tags': ['EXPLOIT'; 'T1020'; 'CVE_2023_23397'; 'SUSP'; 'FILE']; 'timestamp': 'Thu; 16 Mar 2023 17:34:50 GMT'; 'total': 60}; {'positives': 0; 'rulename': 'SUSP_EXPL_Msg_CVE_2023_23397_Mar23'; 'tags': []; 'timestamp': 'Thu; 16 Mar 2023 17:34:50 GMT'; 'total': 60}],['thor'; 'thor'] 30 | 6126e5de0d64e8b6da8e03c25b542a1d6a316413a8b364e3c9080f1ab10a2dec,,2023-03-16 03:22:01,2023-03-16 
03:22:01,0,106.5 KB,test.msg,-,Outlook,30c814ab748f41221006a8d5d8d095a3,f430a9b1f5d2cb4b88a9f0d189f255e6f21113f4,[],['-'] 31 | e765645fe48644646e3305f44e2db9f4e9f0b71f2dd28830f784e3a81177170d,,2023-03-16 03:28:24,2023-03-16 03:28:24,0,106.5 KB,CVE-2023-23397.msg,-,Outlook,1ce81effb2aa9207d42d4cbe0c769992,e99e353425d02e5c8fbf542d8c048efcfab541c5,[],['-'] 32 | 07dd965b6f78dd3cf52542a9386f3421ec6b56c1eb5a8f139a7a67133390f595,,2023-03-16 06:18:22,2023-03-16 06:18:22,1,37.0 KB,test.msg,ESET-NOD32: a variant of Win32/Exploit.CVE-2023-23397.A,Outlook,a57b3b6f1b94b2c932e610c18c32eb81,78979eb356131c3d75397814432a1bb5451f6e6b,[{'positives': 0; 'rulename': 'SUSP_EXPL_Msg_CVE_2023_23397_Mar23'; 'tags': []; 'timestamp': 'Thu; 16 Mar 2023 17:25:32 GMT'; 'total': 60}; {'positives': 0; 'rulename': 'EXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23'; 'tags': ['EXPLOIT'; 'T1020'; 'CVE_2023_23397'; 'SUSP'; 'FILE']; 'timestamp': 'Fri; 17 Mar 2023 13:50:03 GMT'; 'total': 59}],['thor'; 'thor'] 33 | d440ae7072df94458a9da84ea3f91b03df4693f328066a80d18fead2c3125a16,,2023-03-16 09:41:39,2023-03-16 09:41:39,1,11.5 KB,cve_2023-23397.msg,McAfee: CVE-2023-23397!9AC69FB816A8,Outlook,9ac69fb816a8a630f6381f6d5befc0fa,5b62851ff9e6f1fbbccbed726afe18f21b288c15,[{'positives': 0; 'rulename': 'EXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23'; 'tags': ['EXPLOIT'; 'T1020'; 'CVE_2023_23397'; 'SUSP'; 'FILE']; 'timestamp': 'Thu; 16 Mar 2023 20:19:53 GMT'; 'total': 60}; {'positives': 0; 'rulename': 'SUSP_EXPL_Msg_CVE_2023_23397_Mar23'; 'tags': []; 'timestamp': 'Thu; 16 Mar 2023 20:19:53 GMT'; 'total': 60}],['thor'; 'thor'] 34 | 1e7767eaaa659a1ef8b8e00c0fbb94d0629016c6a92fa5ab1191b91ec83d19c8,,2023-03-16 10:08:27,2023-03-16 19:41:35,0,11.5 KB,1e7767eaaa659a1ef8b8e00c0fbb94d0629016c6a92fa5ab1191b91ec83d19c8_test - kopie.msg; test - kopie.msg,-,Outlook,b6090ba7db8687637c09daeccb9cdd6a,a1258a78a75423799e50e36237a75502a74ee11f,[{'positives': 0; 'rulename': 'SUSP_EXPL_Msg_CVE_2023_23397_Mar23'; 'tags': []; 
'timestamp': 'Thu; 16 Mar 2023 17:32:37 GMT'; 'total': 60}; {'positives': 0; 'rulename': 'EXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23'; 'tags': ['EXPLOIT'; 'T1020'; 'CVE_2023_23397'; 'SUSP'; 'FILE']; 'timestamp': 'Thu; 16 Mar 2023 17:32:37 GMT'; 'total': 60}],['thor'; 'thor'] 35 | 798f599af7823531acec897506cb8e91db0f2e3768c0c21c9500481490f69740,,2023-03-16 11:42:50,2023-03-16 11:42:50,0,11.5 KB,cve_test.msg,-,Outlook,7d37ab4d44a94aa35a087908a0144bf3,d89746fe4d3ebe5460871636fcbad404bee2ba34,[],['-'] 36 | ddbd6de8ff529569a5b286b25bd52f614840cd025cd30e30540a8829084ef4de,,2023-03-16 12:55:09,2023-03-16 12:55:09,1,42.0 KB,Test.msg,McAfee: CVE-2023-23397!A449A7A9C3E4,Outlook,a449a7a9c3e48151d2cf1fc655e622da,3b5b3376c321eff2322b38d82aa11749f991a2ca,[{'positives': 1; 'rulename': 'SUSP_EXPL_Msg_CVE_2023_23397_Mar23'; 'tags': []; 'timestamp': 'Fri; 17 Mar 2023 10:40:28 GMT'; 'total': 60}],['thor'] 37 | 078b5023cae7bd784a84ec4ee8df305ee7825025265bf2ddc1f5238c3e432f5f,,2023-03-16 13:02:30,2023-03-16 13:02:30,2,37.0 KB,Alarm!.msg,ClamAV: Win.Malware.CVE_2023_23397-9993083-0 / Google: Detected,Outlook,e1c030cfc3f1a842d93c4f47b19780d7,4f6a4ab3508d149be83acd473c01e6fab0367efe,[{'positives': 2; 'rulename': 'SUSP_EXPL_Msg_CVE_2023_23397_Mar23'; 'tags': []; 'timestamp': 'Fri; 17 Mar 2023 07:12:19 GMT'; 'total': 60}; {'positives': 2; 'rulename': 'EXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23'; 'tags': ['EXPLOIT'; 'T1020'; 'CVE_2023_23397'; 'SUSP'; 'FILE']; 'timestamp': 'Fri; 17 Mar 2023 07:13:30 GMT'; 'total': 60}],['thor'; 'thor'; 'StopMalvertising'] 38 | a034427fd8524fd62380c881c30b9ab483535974ddd567556692cffc206809d1,,2023-03-16 13:05:21,2023-03-17 06:00:29,3,31.5 KB,Ticaret.msg,ClamAV: Win.Malware.CVE_2023_23397-9993083-0 / Google: Detected / McAfee: CVE-2023-23397!32C25A5CEE09,Outlook,32c25a5cee09bbd33ca3d0b36ceffcc2,91a2f3e975e2fe51a0038526cbe1e6e3bb4ca724,[{'positives': 3; 'rulename': 'SUSP_EXPL_Msg_CVE_2023_23397_Mar23'; 'tags': []; 'timestamp': 'Fri; 17 Mar 2023 
05:07:08 GMT'; 'total': 60}; {'positives': 3; 'rulename': 'EXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23'; 'tags': ['EXPLOIT'; 'T1020'; 'CVE_2023_23397'; 'SUSP'; 'FILE']; 'timestamp': 'Fri; 17 Mar 2023 05:07:08 GMT'; 'total': 60}],['thor'; 'thor'] 39 | 562e40daf01ca6a8f397fed437abbd21bd33ffb8eedda2db3f2d6768b58b0444,,2023-03-16 14:55:53,2023-03-16 20:25:31,5,6.94 KB,lrmng.txt,ClamAV: Win.Malware.CVE_2023_23397-9993083-0 / ESET-NOD32: Win32/Exploit.CVE-2023-23397.B / Google: Detected / AhnLab-V3: Exploit/BIN.Agent / Fortinet: Data/CVE202323397.A!exploit,unknown,748b980c81c04dc32e305c068fb8b148,a5c65a3e5598077ca5c3959c6d3be1e91c20d331,[{'positives': 4; 'rulename': 'EXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23'; 'tags': ['EXPLOIT'; 'T1020'; 'CVE_2023_23397'; 'SUSP'; 'FILE']; 'timestamp': 'Fri; 17 Mar 2023 06:26:13 GMT'; 'total': 59}],['thor'; 'VR11'] 40 | a4e13d564647b09a0966590005bc02d8121702e9dd35e956b9d6bad2024a411e,,2023-03-16 17:00:28,2023-03-16 17:00:28,0,106.5 KB,test.msg,-,Outlook,1d625c19865119c3dd7eb6477e216050,cd0d2dbbab862e7451671d99632b62838ed2921d,[],['-'] 41 | 0cdf5501352ba4de05b35e5dd394b3d1529b36a658952389c959c44cf8872882,,2023-03-17 00:26:38,2023-03-17 01:12:55,0,35.0 KB,CVE_2023_23397.msg,-,Outlook,ff7ae718b78db19159c8d57a1fd909d1,7c4c9c4ba59662ff67df1e146aa62be8f42e6a5b,[{'positives': 0; 'rulename': 'EXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23'; 'tags': ['EXPLOIT'; 'T1020'; 'CVE_2023_23397'; 'SUSP'; 'FILE']; 'timestamp': 'Fri; 17 Mar 2023 02:33:30 GMT'; 'total': 60}; {'positives': 0; 'rulename': 'SUSP_EXPL_Msg_CVE_2023_23397_Mar23'; 'tags': []; 'timestamp': 'Fri; 17 Mar 2023 02:33:30 GMT'; 'total': 60}],['thor'; 'thor'] 42 | 7c074489f47e76654abfc54321c6c4aa9443e4f607f9cb2dc6c5cfbe2bb18ffc,,2023-03-17 07:56:29,2023-03-17 07:56:29,0,106.5 KB,test.msg,-,Outlook,e9d4554aa5f1a02c3beacaabce4d4543,6ad04969ed4805643242f11eba45f6b2c48ad70e,[],['-'] 43 | e7a1391dd53f349094c1235760ed0642519fd87baf740839817d47488b9aef02,,2023-03-17 08:36:07,2023-03-17 
08:36:07,2,28.5 KB,poc.msg,ClamAV: Win.Malware.CVE_2023_23397-9993083-0 / Google: Detected,Outlook,e42ffe48ed3115912513991e5e304f6c,1be094c961093fae11e4df741690a52f22daaff1,[],['-'] 44 | 0eca265b0c7352353bd56837fdc2c2b6222f7cc2656c395dc28431c4b38576f9,,2023-03-17 17:53:25,2023-03-17 17:53:25,0,106.5 KB,test 4.msg,,Outlook,65d0da62aa22608bd4fbb5a0e4cfd56e,77092365490fc95a65b47dc75e182f1a000c068a,[{'positives': 0; 'rulename': 'SUSP_EXPL_Msg_CVE_2023_23397_Mar23'; 'tags': []; 'timestamp': 'Fri; 17 Mar 2023 20:06:40 GMT'; 'total': 59}; {'positives': 0; 'rulename': 'EXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23'; 'tags': ['EXPLOIT'; 'T1020'; 'CVE_2023_23397'; 'SUSP'; 'FILE']; 'timestamp': 'Fri; 17 Mar 2023 20:06:40 GMT'; 'total': 59}],['thor'; 'thor'] 45 | 530de2ee0d84c4082e748a7267b804ab6173b593c3bb72cef39a49fef450fb59,85.195.206.7,2023-03-20 07:55:32,2023-03-20 07:55:32,3,10 KB,emsulv926761298840.eml,,,,,, 46 | 089888384cefc0941a0088c8db7696dd77a22e66e01ecd164bf9101b599b141a,61.14.68.33,2023-03-21 12:10:29,2023-03-21 12:10:29,4,7 KB,text.txt;1peZvV-0009KN-AL.eml,,,,,, 47 | 40206568b417b3f2977f8b0adf1b96277b9c7468afb5e2fee738488de6211933,213.32.252.221,2023-03-23 09:03:23,2023-03-23 09:03:17,23,10 KB,Silence..eml,,,,,, 48 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Arnims YARA rules 2 | 3 | ## capa2yara 4 | 5 | See [capa2yara](capa2yara/README.md) 6 | 7 | 8 | ## Webshells 9 | 10 | This is the dev repo for my webshell YARA rules in 11 | 12 | 13 | Since the rules are included in [Thor]() they are run on all Virustotal uploads with dozens of matches per day: 14 | 15 | * 16 | * 17 | * 18 | * 19 | * 20 | * 21 | * 22 | * 23 | * 24 | * 25 | * 26 | * 27 | * 28 | * 29 | * 30 | * 31 | * 32 | * 33 | * 34 | * 35 | * 36 | * 37 | * 38 | * 39 | * 40 | * 41 | * 42 | * 43 | * 44 | * 45 | * 46 | * 47 | * 48 | * 49 | * 50 | * 51 | * 52 | * 53 | * 54 
| * 55 | * 56 | * 57 | * 58 | * 59 | * 60 | * 61 | * 62 | * 63 | * 64 | * 65 | * 66 | * 67 | * 68 | * 69 | * 70 | * 71 | * 72 | 73 | Most of the rules are also active on Malware-Bazaar, e.g. 74 | * 75 | * 76 | 77 | ## C# red team tools 78 | 79 | YARA rules to find hack tools via C# GUIDs. Easily bypassed but not everybody does the effort :) 80 | 81 | * 82 | * 83 | 84 | VT matches of all rules: 85 | 86 | 87 | Matches for single rules can be found with the lower case name of the rule, e.g. HKTL_NET_GUID_C_Sharp_R_A_T_Client would be: 88 | 89 | 90 | 91 | On Malware-Bazaar by rulename, e.g.: 92 | * 93 | * -------------------------------------------------------------------------------- /capa2yara/README.md: -------------------------------------------------------------------------------- 1 | # capa2yara 2 | 3 | Rules from Fireeyes https://github.com/fireeye/capa-rules converted to YARA using capa2yara.py (will probaly end up on https://github.com/fireeye/capa/blob/master/scripts/capa2yara.py). 4 | 5 | ## Advantages: 6 | * YARA is lots faster than CAPA so it's possible to search with these rules on millions of files 7 | * Many tools have integration for YARA rules, just throw them in. 8 | * The rules and strings can be reused as building blocks for creating your own YARA rules for PE files, like I use the webshell capa_ rules in https://github.com/ruppde/yara_rules/blob/main/gen_webshells.yar (These rules provide a big part of the hits in https://www.virustotal.com/gui/search/webshell/comments). Main obstacle is a missing way in YARA to have referenced child rules which show their matching strings in parent rules. 
That's why I use https://github.com/ruppde/yara_optimizer/blob/main/yara_push_private_rules.py to move all the child rules into the parent rules, result: https://github.com/ruppde/signature-base/blob/master/yara/gen_webshells.yar 9 | 10 | ## Disadvantages: 11 | * These are less rules than capa (because not all fit into YARA, see stats below) and is less precise because e.g. capas function scopes are applied to the whole file. 12 | * Some rules are incomplete because an optional branch was not supported by YARA. These rules are marked in a comment in meta: (search for "incomplete"). 13 | 14 | ## Stats 15 | * Converted rules : 403 16 | * Among those are incomplete : 20 17 | * Unconverted rules : 149 18 | 19 | ## Meta data 20 | Rule authors and license stay the same. 21 | 22 | att&ck and MBC tags are put into YARA rule tags. All rules are tagged with "CAPA" for easy filtering. 23 | 24 | The date = in meta: is the date of converting (there is no date in capa rules). 25 | 26 | Minimum YARA version is 3.8.0 plus PE module. 27 | 28 | ## TODO 29 | 30 | All rules which couldn't be converted are in [here](./unsupported_capa_rules.yml) 31 | 32 | These are technically possible but not done yet: 33 | * "2 or more" for strings: e.g.: 34 | * - https://github.com/fireeye/capa-rules/blob/master/collection/file-managers/gather-direct-ftp-information.yml 35 | * - https://github.com/fireeye/capa-rules/blob/master/collection/browser/gather-firefox-profile-information.yml 36 | * count(string (1 rule: /executable/subfile/pe/contain-an-embedded-pe-file.yml) 37 | * count(match( could be done by creating the referenced rule a 2nd time with the condition, that it hits x times (only 1 rule: ./anti-analysis/anti-disasm/contain-anti-disasm-techniques.yml) 38 | * it would be technically possible to get the "basic blocks" working, but the rules contain mostly other non supported statements in there => not worth the effort. 
make -t also include all the needed children of the tagged rules
"And":https://github.com/fireeye/capa-rules/blob/master/anti-analysis/anti-forensic/patch-process-command-line.yml 11 | crash the Windows event logging service:Range:https://github.com/fireeye/capa-rules/blob/master/anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml 12 | contain obfuscated stackstrings:characteristic:https://github.com/fireeye/capa-rules/blob/master/anti-analysis/obfuscation/string/stackstring/contain-obfuscated-stackstrings.yml 13 | contain anti-disasm techniques:Multiple statements inside "- or:" where all unsupported, the last one was "Range":https://github.com/fireeye/capa-rules/blob/master/anti-analysis/anti-disasm/contain-anti-disasm-techniques.yml 14 | 64-bit execution via heavens gate:mnemonic:https://github.com/fireeye/capa-rules/blob/master/anti-analysis/anti-disasm/64-bit-execution-via-heavens-gate.yml 15 | packed with generic packer:mnemonic:https://github.com/fireeye/capa-rules/blob/master/anti-analysis/packer/generic/packed-with-generic-packer.yml 16 | check for windows sandbox via dns suffix:offset:https://github.com/fireeye/capa-rules/blob/master/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-dns-suffix.yml 17 | execute anti-VM instructions:Multiple statements inside "- or:" where all unsupported, the last one was "mnemonic":https://github.com/fireeye/capa-rules/blob/master/anti-analysis/anti-vm/vm-detection/execute-anti-vm-instructions.yml 18 | check for unmoving mouse cursor:Range:https://github.com/fireeye/capa-rules/blob/master/anti-analysis/anti-vm/vm-detection/check-for-unmoving-mouse-cursor.yml 19 | check for windows sandbox via genuine state:Depending on myself = basic block:https://github.com/fireeye/capa-rules/blob/master/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml 20 | check for unexpected memory writes:Number too 
short:https://github.com/fireeye/capa-rules/blob/master/anti-analysis/anti-debugging/debugger-detection/check-for-unexpected-memory-writes.yml 21 | check for software breakpoints:Depending on myself = basic block:https://github.com/fireeye/capa-rules/blob/master/anti-analysis/anti-debugging/debugger-detection/check-for-software-breakpoints.yml 22 | execute anti-debugging instructions:Multiple statements inside "- or:" where all unsupported, the last one was "mnemonic":https://github.com/fireeye/capa-rules/blob/master/anti-analysis/anti-debugging/debugger-detection/execute-anti-debugging-instructions.yml 23 | check for PEB BeingDebugged flag:needed sub-rule not converted:https://github.com/fireeye/capa-rules/blob/master/anti-analysis/anti-debugging/debugger-detection/check-for-peb-beingdebugged-flag.yml 24 | check for protected handle exception:Depending on myself = basic block:https://github.com/fireeye/capa-rules/blob/master/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml 25 | check for hardware breakpoints:Number too short:https://github.com/fireeye/capa-rules/blob/master/anti-analysis/anti-debugging/debugger-detection/check-for-hardware-breakpoints.yml 26 | check for PEB NtGlobalFlag flag:Depending on myself = basic block:https://github.com/fireeye/capa-rules/blob/master/anti-analysis/anti-debugging/debugger-detection/check-for-peb-ntglobalflag-flag.yml 27 | check for trap flag exception:mnemonic:https://github.com/fireeye/capa-rules/blob/master/anti-analysis/anti-debugging/debugger-detection/check-for-trap-flag-exception.yml 28 | check for time delay via GetTickCount:Range:https://github.com/fireeye/capa-rules/blob/master/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-gettickcount.yml 29 | check process job object:needed sub-rule not converted:https://github.com/fireeye/capa-rules/blob/master/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml 30 | check for kernel 
debugger via shared user data structure:Depending on myself = basic block:https://github.com/fireeye/capa-rules/blob/master/anti-analysis/anti-debugging/debugger-detection/check-for-kernel-debugger-via-shared-user-data-structure.yml 31 | check for time delay via QueryPerformanceCounter:Range:https://github.com/fireeye/capa-rules/blob/master/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml 32 | contain an embedded PE file:Multiple statements inside "- or:" where all unsupported, the last one was "Range":https://github.com/fireeye/capa-rules/blob/master/executable/subfile/pe/contain-an-embedded-pe-file.yml 33 | read file via mapping:Depending on myself = basic block:https://github.com/fireeye/capa-rules/blob/master/host-interaction/file-system/read-file-via-mapping.yml 34 | get Program Files directory:Number too short:https://github.com/fireeye/capa-rules/blob/master/host-interaction/file-system/get-program-files-directory.yml 35 | bypass Windows File Protection:Number too short:https://github.com/fireeye/capa-rules/blob/master/host-interaction/file-system/windows-file-protection/bypass-windows-file-protection.yml 36 | enumerate files via ntdll functions:Depending on myself = basic block:https://github.com/fireeye/capa-rules/blob/master/host-interaction/file-system/files/list/enumerate-files-via-ntdll-functions.yml 37 | enumerate files recursively:needed sub-rule not converted:https://github.com/fireeye/capa-rules/blob/master/host-interaction/file-system/files/list/enumerate-files-recursively.yml 38 | check OS version:mnemonic:https://github.com/fireeye/capa-rules/blob/master/host-interaction/os/version/check-os-version.yml 39 | stop service:Number too short:https://github.com/fireeye/capa-rules/blob/master/host-interaction/service/stop/stop-service.yml 40 | get number of processors:needed sub-rule not 
converted:https://github.com/fireeye/capa-rules/blob/master/host-interaction/hardware/cpu/get-number-of-processors.yml 41 | enumerate disk properties:Depending on myself = basic block:https://github.com/fireeye/capa-rules/blob/master/host-interaction/hardware/storage/enumerate-disk-properties.yml 42 | simulate CTRL ALT DEL:Depending on myself = basic block:https://github.com/fireeye/capa-rules/blob/master/host-interaction/hardware/keyboard/simulate-ctrl-alt-del.yml 43 | hide the Windows taskbar:needed sub-rule not converted:https://github.com/fireeye/capa-rules/blob/master/host-interaction/gui/taskbar/hide/hide-the-windows-taskbar.yml 44 | hide graphical window:Number too short:https://github.com/fireeye/capa-rules/blob/master/host-interaction/gui/window/hide/hide-graphical-window.yml 45 | get graphical window text:Depending on myself = basic block:https://github.com/fireeye/capa-rules/blob/master/host-interaction/gui/window/get-text/get-graphical-window-text.yml 46 | change the wallpaper:Number too short:https://github.com/fireeye/capa-rules/blob/master/host-interaction/gui/session/wallpaper/change-the-wallpaper.yml 47 | get process heap flags:needed sub-rule not converted:https://github.com/fireeye/capa-rules/blob/master/host-interaction/process/get-process-heap-flags.yml 48 | get process heap force flags:needed sub-rule not converted:https://github.com/fireeye/capa-rules/blob/master/host-interaction/process/get-process-heap-force-flags.yml 49 | hijack thread execution:needed sub-rule not converted:https://github.com/fireeye/capa-rules/blob/master/host-interaction/process/inject/hijack-thread-execution.yml 50 | inject thread:needed sub-rule not converted:https://github.com/fireeye/capa-rules/blob/master/host-interaction/process/inject/inject-thread.yml 51 | allocate RWX memory:Number too short:https://github.com/fireeye/capa-rules/blob/master/host-interaction/process/inject/allocate-rwx-memory.yml 52 | allocate user process RWX memory:needed sub-rule not 
converted:https://github.com/fireeye/capa-rules/blob/master/host-interaction/process/inject/allocate-user-process-rwx-memory.yml 53 | inject pe:characteristic:https://github.com/fireeye/capa-rules/blob/master/host-interaction/process/inject/inject-pe.yml 54 | free user process memory:slow byte pattern for YARA search:https://github.com/fireeye/capa-rules/blob/master/host-interaction/process/inject/free-user-process-memory.yml 55 | use process replacement:needed sub-rule not converted:https://github.com/fireeye/capa-rules/blob/master/host-interaction/process/inject/use-process-replacement.yml 56 | inject dll:needed sub-rule not converted:https://github.com/fireeye/capa-rules/blob/master/host-interaction/process/inject/inject-dll.yml 57 | enumerate processes via NtQuerySystemInformation:Number too short:https://github.com/fireeye/capa-rules/blob/master/host-interaction/process/list/enumerate-processes-via-ntquerysysteminformation.yml 58 | create a process with modified I/O handles and window:Number too short:https://github.com/fireeye/capa-rules/blob/master/host-interaction/process/create/create-a-process-with-modified-io-handles-and-window.yml 59 | create process suspended:Number too short:https://github.com/fireeye/capa-rules/blob/master/host-interaction/process/create/create-process-suspended.yml 60 | terminate process via fastfail:mnemonic:https://github.com/fireeye/capa-rules/blob/master/host-interaction/process/terminate/terminate-process-via-fastfail.yml 61 | check mutex and exit:Number too short:https://github.com/fireeye/capa-rules/blob/master/host-interaction/mutex/check-mutex-and-exit.yml 62 | resolve function by FIN8 fasthash:Multiple statements inside "- or:" where all unsupported, the last one was "match":https://github.com/fireeye/capa-rules/blob/master/linking/runtime-linking/resolve-function-by-fin8-fasthash.yml 63 | get kernel32 base address:needed sub-rule not 
converted:https://github.com/fireeye/capa-rules/blob/master/linking/runtime-linking/get-kernel32-base-address.yml 64 | get ntdll base address:needed sub-rule not converted:https://github.com/fireeye/capa-rules/blob/master/linking/runtime-linking/get-ntdll-base-address.yml 65 | link many functions at runtime:Range:https://github.com/fireeye/capa-rules/blob/master/linking/runtime-linking/link-many-functions-at-runtime.yml 66 | access PEB ldr_data:Multiple statements inside "- or:" where all unsupported, the last one was "And":https://github.com/fireeye/capa-rules/blob/master/linking/runtime-linking/access-peb-ldr_data.yml 67 | encode data using XOR:characteristic:https://github.com/fireeye/capa-rules/blob/master/data-manipulation/encoding/xor/encode-data-using-xor.yml 68 | encode data using Base64:mnemonic:https://github.com/fireeye/capa-rules/blob/master/data-manipulation/encoding/base64/encode-data-using-base64.yml 69 | encrypt data using HC-128:Number too short:https://github.com/fireeye/capa-rules/blob/master/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128.yml 70 | encrypt data using DES via WinAPI:Number too short:https://github.com/fireeye/capa-rules/blob/master/data-manipulation/encryption/des/encrypt-data-using-des-via-winapi.yml 71 | encrypt data using AES via x86 extensions:Multiple statements inside "- or:" where all unsupported, the last one was "mnemonic":https://github.com/fireeye/capa-rules/blob/master/data-manipulation/encryption/aes/encrypt-data-using-aes-via-x86-extensions.yml 72 | encrypt data using AES via WinAPI:Number too short:https://github.com/fireeye/capa-rules/blob/master/data-manipulation/encryption/aes/encrypt-data-using-aes-via-winapi.yml 73 | decrypt data using AES via x86 extensions:Multiple statements inside "- or:" where all unsupported, the last one was "mnemonic":https://github.com/fireeye/capa-rules/blob/master/data-manipulation/encryption/aes/decrypt-data-using-aes-via-x86-extensions.yml 74 | encrypt data using RC4 
with custom key via WinAPI:Number too short:https://github.com/fireeye/capa-rules/blob/master/data-manipulation/encryption/rc4/encrypt-data-using-rc4-with-custom-key-via-winapi.yml 75 | encrypt data using RC4 PRGA:Range:https://github.com/fireeye/capa-rules/blob/master/data-manipulation/encryption/rc4/encrypt-data-using-rc4-prga.yml 76 | encrypt data using RC4 via WinAPI:Number too short:https://github.com/fireeye/capa-rules/blob/master/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-winapi.yml 77 | encrypt data using RC4 KSA:Multiple statements inside "- or:" where all unsupported, the last one was "And":https://github.com/fireeye/capa-rules/blob/master/data-manipulation/encryption/rc4/encrypt-data-using-rc4-ksa.yml 78 | encrypt data using Curve25519:Number too short:https://github.com/fireeye/capa-rules/blob/master/data-manipulation/encryption/elliptic-curve/encrypt-data-using-curve25519.yml 79 | decompress data using QuickLZ:Multiple statements inside "- or:" where all unsupported, the last one was "And":https://github.com/fireeye/capa-rules/blob/master/data-manipulation/compression/decompress-data-using-quicklz.yml 80 | decompress data via IEncodingFilterFactory:Range:https://github.com/fireeye/capa-rules/blob/master/data-manipulation/compression/decompress-data-via-iencodingfilterfactory.yml 81 | decompress data using aPLib:Depending on myself = basic block:https://github.com/fireeye/capa-rules/blob/master/data-manipulation/compression/decompress-data-using-aplib.yml 82 | validate payment card number using luhn algorithm:Multiple statements inside "- or:" where all unsupported, the last one was "match":https://github.com/fireeye/capa-rules/blob/master/data-manipulation/checksum/luhn/validate-payment-card-number-using-luhn-algorithm.yml 83 | compute adler32 checksum:Depending on myself = basic block:https://github.com/fireeye/capa-rules/blob/master/data-manipulation/checksum/adler32/compute-adler32-checksum.yml 84 | hash data using fnv:Number too 
short:https://github.com/fireeye/capa-rules/blob/master/data-manipulation/hashing/fnv/hash-data-using-fnv.yml 85 | schedule task via ITaskScheduler:offset:https://github.com/fireeye/capa-rules/blob/master/persistence/scheduled-tasks/schedule-task-via-itaskscheduler.yml 86 | write file to startup folder:needed sub-rule not converted:https://github.com/fireeye/capa-rules/blob/master/persistence/startup-folder/write-file-to-startup-folder.yml 87 | get startup folder:Number too short:https://github.com/fireeye/capa-rules/blob/master/persistence/startup-folder/get-startup-folder.yml 88 | disable AppInit_DLLs code signature enforcement:Number too short:https://github.com/fireeye/capa-rules/blob/master/persistence/registry/appinitdlls/disable-appinit_dlls-code-signature-enforcement.yml 89 | set global application hook:Number too short:https://github.com/fireeye/capa-rules/blob/master/nursery/set-global-application-hook.yml 90 | inspect load icon resource:Number too short:https://github.com/fireeye/capa-rules/blob/master/nursery/inspect-load-icon-resource.yml 91 | hash data using MD4:Number too short:https://github.com/fireeye/capa-rules/blob/master/nursery/hash-data-using-md4.yml 92 | spawn thread to RWX shellcode:needed sub-rule not converted:https://github.com/fireeye/capa-rules/blob/master/nursery/spawn-thread-to-rwx-shellcode.yml 93 | create shortcut via IShellLink:offset:https://github.com/fireeye/capa-rules/blob/master/nursery/create-shortcut-via-ishelllink.yml 94 | check ProcessDebugPort:Number too short:https://github.com/fireeye/capa-rules/blob/master/nursery/check-processdebugport.yml 95 | check ProcessDebugFlags:Number too short:https://github.com/fireeye/capa-rules/blob/master/nursery/check-processdebugflags.yml 96 | encode data using Base64 via WinAPI:Number too short:https://github.com/fireeye/capa-rules/blob/master/nursery/encode-data-using-base64-via-winapi.yml 97 | empty recycle bin 
quietly:mnemonic:https://github.com/fireeye/capa-rules/blob/master/nursery/empty-recycle-bin-quietly.yml 98 | terminate process by name:offset:https://github.com/fireeye/capa-rules/blob/master/nursery/terminate-process-by-name.yml 99 | hash data using sha256 via x86 extensions:Multiple statements inside "- or:" where all unsupported, the last one was "mnemonic":https://github.com/fireeye/capa-rules/blob/master/nursery/hash-data-using-sha256-via-x86-extensions.yml 100 | enumerate browser history:offset:https://github.com/fireeye/capa-rules/blob/master/nursery/enumerate-browser-history.yml 101 | hash data using murmur2:mnemonic:https://github.com/fireeye/capa-rules/blob/master/nursery/hash-data-using-murmur2.yml 102 | hide thread from debugger:Number too short:https://github.com/fireeye/capa-rules/blob/master/nursery/hide-thread-from-debugger.yml 103 | search for credit card data:Depending on myself = basic block:https://github.com/fireeye/capa-rules/blob/master/nursery/search-for-credit-card-data.yml 104 | get installed programs:characteristic:https://github.com/fireeye/capa-rules/blob/master/nursery/get-installed-programs.yml 105 | hash data using SHA1 via WinCrypt:Multiple statements inside "- or:" where all unsupported, the last one was "And":https://github.com/fireeye/capa-rules/blob/master/nursery/hash-data-using-sha1-via-wincrypt.yml 106 | hash data using sha1 via x86 extensions:Multiple statements inside "- or:" where all unsupported, the last one was "mnemonic":https://github.com/fireeye/capa-rules/blob/master/nursery/hash-data-using-sha1-via-x86-extensions.yml 107 | reference the VMWare IO port:mnemonic:https://github.com/fireeye/capa-rules/blob/master/nursery/reference-the-vmware-io-port.yml 108 | check for process debug object:Depending on myself = basic block:https://github.com/fireeye/capa-rules/blob/master/nursery/check-for-process-debug-object.yml 109 | get inbound credentials handle via CredSSP:Number too 
short:https://github.com/fireeye/capa-rules/blob/master/nursery/get-inbound-credentials-handle-via-credssp.yml 110 | enumerate network shares:needed sub-rule not converted:https://github.com/fireeye/capa-rules/blob/master/nursery/enumerate-network-shares.yml 111 | encrypt data using FAKEM cipher:characteristic:https://github.com/fireeye/capa-rules/blob/master/nursery/encrypt-data-using-fakem-cipher.yml 112 | authenticate HMAC:Number too short:https://github.com/fireeye/capa-rules/blob/master/nursery/authenticate-hmac.yml 113 | get outbound credentials handle via CredSSP:Number too short:https://github.com/fireeye/capa-rules/blob/master/nursery/get-outbound-credentials-handle-via-credssp.yml 114 | get client handle via SChannel:needed sub-rule not converted:https://github.com/fireeye/capa-rules/blob/master/nursery/get-client-handle-via-schannel.yml 115 | check SystemKernelDebuggerInformation:Number too short:https://github.com/fireeye/capa-rules/blob/master/nursery/check-systemkerneldebuggerinformation.yml 116 | reference processor manufacturer constants:mnemonic:https://github.com/fireeye/capa-rules/blob/master/nursery/reference-processor-manufacturer-constants.yml 117 | decode data using Base64 via WinAPI:Number too short:https://github.com/fireeye/capa-rules/blob/master/nursery/decode-data-using-base64-via-winapi.yml 118 | get remote cert context via SChannel:Number too short:https://github.com/fireeye/capa-rules/blob/master/nursery/get-remote-cert-context-via-schannel.yml 119 | schedule task via ITaskService:Depending on myself = basic block:https://github.com/fireeye/capa-rules/blob/master/nursery/schedule-task-via-itaskservice.yml 120 | enumerate disk volumes:needed sub-rule not converted:https://github.com/fireeye/capa-rules/blob/master/nursery/enumerate-disk-volumes.yml 121 | check thread yield allowed:needed sub-rule not converted:https://github.com/fireeye/capa-rules/blob/master/nursery/check-thread-yield-allowed.yml 122 | hash data using CRC32b:Number too 
short:https://github.com/fireeye/capa-rules/blob/master/nursery/hash-data-using-crc32b.yml 123 | generate random numbers using the Delphi LCG:mnemonic:https://github.com/fireeye/capa-rules/blob/master/nursery/generate-random-numbers-using-the-delphi-lcg.yml 124 | compiled with perl2exe:Depending on myself = basic block:https://github.com/fireeye/capa-rules/blob/master/compiler/perl2exe/compiled-with-perl2exe.yml 125 | compiled with rust:Depending on myself = basic block:https://github.com/fireeye/capa-rules/blob/master/compiler/rust/compiled-with-rust.yml 126 | receive HTTP request:Multiple statements inside "- or:" where all unsupported, the last one was "And":https://github.com/fireeye/capa-rules/blob/master/communication/http/server/receive-http-request.yml 127 | check HTTP status code:Number too short:https://github.com/fireeye/capa-rules/blob/master/communication/http/client/check-http-status-code.yml 128 | decompress HTTP response via IEncodingFilterFactory:needed sub-rule not converted:https://github.com/fireeye/capa-rules/blob/master/communication/http/client/decompress-http-response-via-iencodingfilterfactory.yml 129 | get HTTP response content encoding:Number too short:https://github.com/fireeye/capa-rules/blob/master/communication/http/client/get-http-response-content-encoding.yml 130 | extract HTTP body:offset:https://github.com/fireeye/capa-rules/blob/master/communication/http/client/extract-http-body.yml 131 | get HTTP document via IWebBrowser2:offset:https://github.com/fireeye/capa-rules/blob/master/communication/http/client/get-http-document-via-iwebbrowser2.yml 132 | connect TCP socket:needed sub-rule not converted:https://github.com/fireeye/capa-rules/blob/master/communication/socket/tcp/connect-tcp-socket.yml 133 | create TCP socket:Number too short:https://github.com/fireeye/capa-rules/blob/master/communication/socket/tcp/create-tcp-socket.yml 134 | send TCP data via WFP API:Number too 
short:https://github.com/fireeye/capa-rules/blob/master/communication/socket/tcp/send/send-tcp-data-via-wfp-api.yml 135 | create UDP socket:Range:https://github.com/fireeye/capa-rules/blob/master/communication/socket/udp/send/create-udp-socket.yml 136 | start TCP server:needed sub-rule not converted:https://github.com/fireeye/capa-rules/blob/master/communication/tcp/serve/start-tcp-server.yml 137 | act as TCP client:needed sub-rule not converted:https://github.com/fireeye/capa-rules/blob/master/communication/tcp/client/act-as-tcp-client.yml 138 | create two anonymous pipes:Range:https://github.com/fireeye/capa-rules/blob/master/communication/named-pipe/create/create-two-anonymous-pipes.yml 139 | enumerate PE sections:offset:https://github.com/fireeye/capa-rules/blob/master/load-code/pe/enumerate-pe-sections.yml 140 | parse PE exports:offset:https://github.com/fireeye/capa-rules/blob/master/load-code/pe/parse-pe-exports.yml 141 | rebuild import table:offset:https://github.com/fireeye/capa-rules/blob/master/load-code/pe/rebuild-import-table.yml 142 | inject DLL reflectively:needed sub-rule not converted:https://github.com/fireeye/capa-rules/blob/master/load-code/pe/inject-dll-reflectively.yml 143 | parse PE header:Multiple statements inside "- or:" where all unsupported, the last one was "And":https://github.com/fireeye/capa-rules/blob/master/load-code/pe/parse-pe-header.yml 144 | inspect section memory permissions:Some aka x or more (TODO):https://github.com/fireeye/capa-rules/blob/master/load-code/pe/inspect-section-memory-permissions.yml 145 | steal KeePass passwords using KeeFarce:needed sub-rule not converted:https://github.com/fireeye/capa-rules/blob/master/collection/password-manager/steal-keepass-passwords-using-keefarce.yml 146 | log keystrokes via application hook:Number too short:https://github.com/fireeye/capa-rules/blob/master/collection/keylog/log-keystrokes-via-application-hook.yml 147 | parse credit card information:Depending on myself = basic 
block:https://github.com/fireeye/capa-rules/blob/master/collection/credit-card/parse-credit-card-information.yml 148 | get MAC address:offset:https://github.com/fireeye/capa-rules/blob/master/collection/network/get-mac-address.yml 149 | gather firefox profile information:Some aka x or more (TODO):https://github.com/fireeye/capa-rules/blob/master/collection/browser/gather-firefox-profile-information.yml 150 | -------------------------------------------------------------------------------- /mimikatz_icon.yar: -------------------------------------------------------------------------------- 1 | rule HKTL_mimikatz_icon { 2 | meta: 3 | description = "Detects mimikatz kiwi icon in PE file" 4 | reference = "https://www.virustotal.com/gui/search/main_icon_dhash%253Ae1cd969ac674f863/files" 5 | license = "Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License" 6 | author = "Arnim Rupp" 7 | date = "2023-02-18" 8 | score = 65 9 | hash1 = "61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1" 10 | hash2 = "1c3f584164ef595a37837701739a11e17e46f9982fdcee020cf5e23bad1a0925" 11 | hash3 = "c6bb98b24206228a54493274ff9757ce7e0cbb4ab2968af978811cc4a98fde85" 12 | hash4 = "721d3476cdc655305902d682651fffbe72e54a97cd7e91f44d1a47606bae47ab" 13 | hash5 = "c0f3523151fa307248b2c64bdaac5f167b19be6fccff9eba92ac363f6d5d2595" 14 | strings: 15 | // random part grabbed from raw mimikatz kiwi icon in binary 16 | $kiwi = {5a c4 bf ff 52 c4 c0 ff 5b c7 c2 ff 68 d4 cc ff 6b d6 cb ff 81 e1 d7 ff 85 e5 da ff 85 e7 db ff 8b ea dd ff 9d f0 e5 ff a3 f1 e7 ff a5 ee e5 ff ad f1 ea ff aa f0 e9 ff bc ff f7 ff 73 d2 d8 ff} 17 | condition: 18 | uint16(0) == 0x5A4D and 19 | $kiwi 20 | // filesize not limited because some files like ab96a7267f4ddb5b2fc4f6dc47a95a2dbc7f98559581eedabdd8edcbfb908a68 have 100MB+ 21 | } 22 | -------------------------------------------------------------------------------- /poc_secret_rule.yar: 
-------------------------------------------------------------------------------- 1 | import "hash" 2 | 3 | rule POC_secret_rule { 4 | meta: 5 | description = "POC: Detects hashed strings allowing to keep it secret, what the rule is actually looking for. This rule finds itself. Inspired by Solarwinds fnv1a hashed AV products." 6 | reference = "https://yara.readthedocs.io/en/v4.2.0/modules/hash.html" 7 | license = "Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License" 8 | author = "Arnim Rupp" 9 | date = "2023-02-13" 10 | strings: 11 | $public = "reference = \"" 12 | condition: 13 | $public and 14 | filesize < 100KB and 15 | // not as slow as it looks like because hash.md5 is only executed if $public and the filesize matched (YARA short circuit) 16 | hash.md5(@public, 69) == "fcb7f398e250ba5f1a2d532df3a938b2" // md5(reference = "https://yara.readthedocs.io/en/v4.2.0/modules/hash.html") 17 | } 18 | -------------------------------------------------------------------------------- /webshell/gen_webshells.yar: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | 4 | Webshell rules by Arnim Rupp 5 | 6 | Rationale behind the rules: 7 | 1. a webshell must always execute some kind of payload (in $payload*). the payload is either: 8 | -- direct php function like exec, file write, sql, ... 9 | -- indirect via eval, self defined functions, callbacks, reflection, ... 10 | 2. a webshell must always have some way to get the attackers input, e.g. for PHP in $_GET, php://input or $_SERVER (HTTP for headers). 11 | 12 | The input may be hidden in obfuscated code, so we look for either: 13 | a) payload + input 14 | b) eval-style-payloads + obfuscation 15 | c) includers (webshell is split in 2+ files) 16 | d) unique strings, if the coder doesn't even intend to hide 17 | 18 | Additional conditions will be added to reduce false positves. 
Check all findings for unintentional webshells aka vulnerabilities ;) 19 | 20 | The rules named "suspicous_" are commented by default. uncomment them to find more potentially malicious files at the price of more false positives. if that finds too many results to manually check, you can compare the hashes to virustotal with e.g. https://github.com/Neo23x0/munin 21 | 22 | Some samples in the collection were UTF-16 and at least PHP and Java support it, so I use "wide ascii" for all strings. The performance impact is 1%. See also https://thibaud-robin.fr/articles/bypass-filter-upload/ 23 | 24 | Rules tested on the following webshell repos and collections: 25 | https://github.com/sensepost/reGeorg 26 | https://github.com/WhiteWinterWolf/wwwolf-php-webshell 27 | https://github.com/k8gege/Ladon 28 | https://github.com/x-o-r-r-o/PHP-Webshells-Collection 29 | https://github.com/mIcHyAmRaNe/wso-webshell 30 | https://github.com/LandGrey/webshell-detect-bypass 31 | https://github.com/threedr3am/JSP-Webshells 32 | https://github.com/02bx/webshell-venom 33 | https://github.com/pureqh/webshell 34 | https://github.com/secwiki/webshell-2 35 | https://github.com/zhaojh329/rtty 36 | https://github.com/modux/ShortShells 37 | https://github.com/epinna/weevely3 38 | https://github.com/chrisallenlane/novahot 39 | https://github.com/malwares/WebShell 40 | https://github.com/tanjiti/webshellSample 41 | https://github.com/L-codes/Neo-reGeorg 42 | https://github.com/bayufedra/Tiny-PHP-Webshell 43 | https://github.com/b374k/b374k 44 | https://github.com/wireghoul/htshells 45 | https://github.com/securityriskadvisors/cmd.jsp 46 | https://github.com/WangYihang/Webshell-Sniper 47 | https://github.com/Macr0phag3/WebShells 48 | https://github.com/s0md3v/nano 49 | https://github.com/JohnTroony/php-webshells 50 | https://github.com/linuxsec/indoxploit-shell 51 | https://github.com/hayasec/reGeorg-Weblogic 52 | https://github.com/nil0x42/phpsploit 53 | https://github.com/mperlet/pomsky 54 | 
https://github.com/FunnyWolf/pystinger
https://github.com/tanjiti/webshellsample
https://github.com/lcatro/php-webshell-bypass-waf
https://github.com/zhzyker/exphub
https://github.com/dotcppfile/daws
https://github.com/lcatro/PHP-WebShell-Bypass-WAF
https://github.com/ysrc/webshell-sample
https://github.com/JoyChou93/webshell
https://github.com/k4mpr3t/b4tm4n
https://github.com/mas1337/webshell
https://github.com/tengzhangchao/pycmd
https://github.com/bartblaze/PHP-backdoors
https://github.com/antonioCoco/SharPyShell
https://github.com/xl7dev/WebShell
https://github.com/BlackArch/webshells
https://github.com/sqlmapproject/sqlmap
https://github.com/Smaash/quasibot
https://github.com/tennc/webshell

Webshells in these repos after fdupes run: 4722
Old signature-base rules found: 1315
These rules found: 3286
False positives in 8gb of common webapps plus yara-ci: 2

TODO: move "not php_false_positive" down once https://github.com/plyara/plyara/pull/114 is merged

*/

//                            _
//   __ _  ___ _ __   ___ _ __(_) ___
//  / _` |/ _ \ '_ \ / _ \ '__| |/ __|
// | (_| |  __/ | | |  __/ | | | (__
//  \__, |\___|_| |_|\___|_| |_|\___|
//  |___/


import "math"

// Statistical detector for payloads that are stored encoded (base64-like text
// or compressed binary) and decoded at runtime. It uses no strings at all; it
// only looks at entropy, mean byte value and standard deviation of the body.
//
// NOTE(review): math.entropy/mean/deviation take (offset, size). With offset
// 500 and size filesize-500 the window runs from byte 500 to the END of the
// file, so only the leading 500 bytes are skipped, not the trailing 500 the
// comments describe; a size of filesize-1000 would match the comments. The
// thresholds below were presumably tuned on the current window, so changing
// it means re-running the corpus numbers from the header.
// NOTE(review): `and` binds tighter than `or` in YARA, so this condition parses
// as (filesize > 2KB and (base64 branch)) or (gzinflate branch) -- the size
// guard does not cover the second branch. For a file under 500 bytes that
// branch asks for a negative-size window (undefined in the math module as far
// as I know, which just makes the rule false rather than erroring), but the
// intent is clearly `filesize > 2KB and ( (...) or (...) )`.
private rule webshell_encoded_stats : WEBSHELL PROD {
    meta:
        description = "Webshell having statistical signs of encoded code which gets dynamically executed"
        license = "https://creativecommons.org/licenses/by-nc/4.0/"
        author = "Arnim Rupp"
        date = "2021/02/07"
    condition:
        // file shouldn't be too small to have big enough data for math.entropy
        filesize > 2KB and
        (
            // base64:
            // ignore first and last 500bytes because they usually contain code for decoding and executing
            math.entropy(500, filesize-500) >= 5.7 and
            // encoded text has a higher mean than text or code because it's missing the spaces and special chars with the low numbers
            math.mean(500, filesize-500) > 80 and
            // deviation of base64 is ~20 according to CyberChef_v9.21.0.html#recipe=Generate_Lorem_Ipsum(3,'Paragraphs')To_Base64('A-Za-z0-9%2B/%3D')To_Charcode('Space',10)Standard_Deviation('Space')
            // lets take a bit more because it might not be pure base64 also include some xor, shift, replacement, ...
            // 89 is the mean of the base64 chars
            math.deviation(500, filesize-500, 89.0) < 23
        ) or (
            // gzinflated binary sometimes used in php webshells
            // ignore first and last 500bytes because they usually contain code for decoding and executing
            math.entropy(500, filesize-500) >= 7.7 and
            // encoded text has a higher mean than text or code because it's missing the spaces and special chars with the low numbers
            math.mean(500, filesize-500) > 120 and
            math.mean(500, filesize-500) < 136 and
            // deviation of base64 is ~20 according to CyberChef_v9.21.0.html#recipe=Generate_Lorem_Ipsum(3,'Paragraphs')To_Base64('A-Za-z0-9%2B/%3D')To_Charcode('Space',10)Standard_Deviation('Space')
            // lets take a bit more because it might not be pure base64 also include some xor, shift, replacement, ...
            // 89 is the mean of the base64 chars
            // (the three comments above were copied from the base64 branch; this
            // branch requires a LARGE spread around 89.0, i.e. byte values spread
            // across the whole range as in compressed data, not base64 text)
            math.deviation(500, filesize-500, 89.0) > 65
        )
}

// Container/binary magic check that consumer rules use to exclude compiled or
// packed files from the text-oriented webshell logic. uint16 reads little-endian,
// so 0x5a4d is ASCII "MZ", 0x8b1f is the gzip pair 1f 8b and 0x4b50 is "PK".
private rule capa_bin_files : WEBSHELL PROD {
    meta:
        description = "Detects MZ, dex and zip/jar for exclusion"
        license = "https://creativecommons.org/licenses/by-nc/4.0/"
        author = "Arnim Rupp"
        date = "2021/03/03"
    strings:
        // "dex\n0" or "dey\n0": Android dex / optimized dex header prefix
        $dex = { 64 65 ( 78 | 79 ) 0a 30 }
        // "PACK\0\0\0\x02\0"
        $pack = { 50 41 43 4b 00 00 00 02 00 }
        // "Rar!\x1a\x07\0"
        $rar = { 52 61 72 21 1A 07 00 }
    condition:
        uint16(0) == 0x5a4d or
        //gzip
        uint16(0) == 0x8b1f or
        $dex at 0 or
        $pack at 0 or
        $rar at 0 or
        // fp on jar with zero compression
        // ("PK" also covers every other zip-based format, e.g. docx/apk)
        uint16(0) == 0x4b50
}

// Generic "looks like a webshell" string scoring. Two tiers of indicators:
// $gen_much_sus* (one or two hits are telling) and $gen_bit_sus* (only
// meaningful in numbers). The condition scales the required hit count with
// filesize -- a file under 500 bytes triggers on a single hit of either tier,
// a file under 500KB needs 4 much_sus or 8 bit_sus hits, and files of 500KB
// or more never match because there is no tier for them.
//
// NOTE(review): $gen_much_sus60 and $gen_much_sus61 are both "_=$$_"; one
// occurrence therefore counts as TWO much_sus hits and alone satisfies every
// "2 of ($gen_much_sus*)" tier. Dropping one of them changes the tuned hit
// counts, so re-test if you do.
// NOTE(review): several strings here carry no `wide` modifier (e.g.
// "self.delete", "\"cmd /c", "Web Shell") although the file header says all
// strings are wide ascii; UTF-16 samples only hit the wide-enabled ones.
// NOTE(review): `$gif at 0` alone satisfies this private rule, so every file
// starting with "GIF8" matches it; presumably the including rules add further
// conditions -- confirm before using this rule on its own.
private rule capa_gen_sus : WEBSHELL PROD {
    meta:
        description = "suspicious strings from webshells"
        license = "https://creativecommons.org/licenses/by-nc/4.0/"
        author = "Arnim Rupp"
        date = "2021/04/16"
    strings:

        // these strings are just a bit suspicious, so several of them are needed, depending on filesize
        $gen_bit_sus1 = /:\s{0,20}eval}/ nocase wide ascii
        $gen_bit_sus2 = /\.replace\(\/\w\/g/ nocase wide ascii
        $gen_bit_sus6 = "self.delete"
        $gen_bit_sus9 = "\"cmd /c" nocase
        $gen_bit_sus10 = "\"cmd\"" nocase
        $gen_bit_sus11 = "\"cmd.exe" nocase
        $gen_bit_sus12 = "%comspec%" wide ascii
        $gen_bit_sus13 = "%COMSPEC%" wide ascii
        //TODO:$gen_bit_sus12 = ".UserName" nocase
        $gen_bit_sus18 = "Hklm.GetValueNames();" nocase
        // bonus string for proxylogon exploiting webshells
        $gen_bit_sus19 = "http://schemas.microsoft.com/exchange/" wide ascii
        $gen_bit_sus21 = "\"upload\"" wide ascii
        $gen_bit_sus22 = "\"Upload\"" wide ascii
        $gen_bit_sus23 = "UPLOAD" fullword wide ascii
        $gen_bit_sus24 = "fileupload" wide ascii
        $gen_bit_sus25 = "file_upload" wide ascii
        // own base64 func
        $gen_bit_sus29 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" fullword wide ascii
        $gen_bit_sus30 = "serv-u" wide ascii
        $gen_bit_sus31 = "Serv-u" wide ascii
        $gen_bit_sus32 = "Army" fullword wide ascii
        // single letter parameter
        $gen_bit_sus33 = /\$_(GET|POST|REQUEST)\["\w"\]/ fullword wide ascii
        $gen_bit_sus34 = "Content-Transfer-Encoding: Binary" wide ascii
        $gen_bit_sus35 = "crack" fullword wide ascii

        // NOTE(review): the literals of $gen_bit_sus44/45 appear here broken
        // across a line. A raw line break is not valid inside a YARA text string,
        // so the upstream file presumably holds escape sequences or control
        // characters that this rendering lost -- confirm against the original
        // before editing these two lines.
        $gen_bit_sus44 = "
" wide ascii
        $gen_bit_sus45 = "
" wide ascii
        $gen_bit_sus46 = "shell_" wide ascii
        $gen_bit_sus47 = "Shell" fullword wide ascii
        $gen_bit_sus50 = "bypass" wide ascii
        $gen_bit_sus51 = "suhosin" wide ascii
        $gen_bit_sus52 = " ^ $" wide ascii
        $gen_bit_sus53 = ".ssh/authorized_keys" wide ascii
        $gen_bit_sus55 = /\w'\.'\w/ wide ascii
        $gen_bit_sus56 = /\w\"\.\"\w/ wide ascii
        $gen_bit_sus57 = "dumper" wide ascii
        $gen_bit_sus59 = "'cmd'" wide ascii
        $gen_bit_sus60 = "\"execute\"" wide ascii
        $gen_bit_sus61 = "/bin/sh" wide ascii
        $gen_bit_sus62 = "Cyber" wide ascii
        $gen_bit_sus63 = "portscan" fullword wide ascii
        //$gen_bit_sus64 = "\"command\"" fullword wide ascii
        //$gen_bit_sus65 = "'command'" fullword wide ascii
        $gen_bit_sus66 = "whoami" fullword wide ascii
        $gen_bit_sus67 = "$password='" fullword wide ascii
        $gen_bit_sus68 = "$password=\"" fullword wide ascii
        $gen_bit_sus69 = "$cmd" fullword wide ascii
        $gen_bit_sus70 = "\"?>\"." fullword wide ascii
        $gen_bit_sus71 = "Hacking" fullword wide ascii
        $gen_bit_sus72 = "hacking" fullword wide ascii
        $gen_bit_sus73 = ".htpasswd" wide ascii
        $gen_bit_sus74 = /\btouch\(\$[^,]{1,30},/ wide ascii
        // newline followed by a long run of spaces: padding used to push code off-screen
        $gen_bit_sus75 = "\n                                                                                                                                                                                                                                                       " wide ascii
        $gen_bit_sus77 = "r00t" fullword wide ascii
        // 1 char param
        $gen_bit_sus78 = /request.getParameter\("\w"\)/ wide ascii

        // very suspicious strings, one is enough
        $gen_much_sus7  = "Web Shell" nocase
        $gen_much_sus8  = "WebShell" nocase
        $gen_much_sus3  = "hidded shell"
        $gen_much_sus4  = "WScript.Shell.1" nocase
        $gen_much_sus5  = "AspExec"
        $gen_much_sus14 = "\\pcAnywhere\\" nocase
        $gen_much_sus15 = "antivirus" nocase
        $gen_much_sus16 = "McAfee" nocase
        $gen_much_sus17 = "nishang"
        $gen_much_sus18 = "\"unsafe" fullword wide ascii
        $gen_much_sus19 = "'unsafe" fullword wide ascii
        $gen_much_sus24 = "exploit" fullword wide ascii
        $gen_much_sus25 = "Exploit" fullword wide ascii
        // base64 of an "MZ" PE header prefix (embedded executable)
        $gen_much_sus26 = "TVqQAAMAAA" wide ascii
        $gen_much_sus30 = "Hacker" wide ascii
        $gen_much_sus31 = "HACKED" fullword wide ascii
        $gen_much_sus32 = "hacked" fullword wide ascii
        $gen_much_sus33 = "hacker" wide ascii
        $gen_much_sus34 = "grayhat" nocase wide ascii
        $gen_much_sus35 = "Microsoft FrontPage" wide ascii
        $gen_much_sus36 = "Rootkit" wide ascii
        $gen_much_sus37 = "rootkit" wide ascii
        // comment-splitting and string-concatenation tricks ("e"+"v"+"a"+"l") used to hide keywords
        $gen_much_sus38 = "/*-/*-*/" wide ascii
        $gen_much_sus39 = "u\"+\"n\"+\"s" wide ascii
        $gen_much_sus40 = "\"e\"+\"v" wide ascii
        $gen_much_sus41 = "a\"+\"l\"" wide ascii
        $gen_much_sus42 = "\"+\"(\"+\"" wide ascii
        $gen_much_sus43 = "q\"+\"u\"" wide ascii
        $gen_much_sus44 = "\"u\"+\"e" wide ascii
        $gen_much_sus45 = "/*//*/" wide ascii
        $gen_much_sus46 = "(\"/*/\"" wide ascii
        $gen_much_sus47 = "eval(eval(" wide ascii
        // self remove
        $gen_much_sus48 = "unlink(__FILE__)" wide ascii
        $gen_much_sus49 = "Shell.Users" wide ascii
        $gen_much_sus50 = "PasswordType=Regular" wide ascii
        $gen_much_sus51 = "-Expire=0" wide ascii
        // sus60 and sus61 are identical (see the NOTE above the rule)
        $gen_much_sus60 = "_=$$_" wide ascii
        $gen_much_sus61 = "_=$$_" wide ascii
        $gen_much_sus62 = "++;$" wide ascii
        $gen_much_sus63 = "++; $" wide ascii
        $gen_much_sus64 = "_.=$_" wide ascii
        // find(1) arguments for setuid / setgid binaries
        $gen_much_sus70 = "-perm -04000" wide ascii
        $gen_much_sus71 = "-perm -02000" wide ascii
        $gen_much_sus72 = "grep -li password" wide ascii
        $gen_much_sus73 = "-name config.inc.php" wide ascii
        // touch without parameters sets the time to now, not malicious and gives fp
        $gen_much_sus75 = "password crack" wide ascii
        $gen_much_sus76 = "mysqlDll.dll" wide ascii
        $gen_much_sus77 = "net user" wide ascii
        $gen_much_sus78 = "suhosin.executor.disable_" wide ascii
        $gen_much_sus79 = "disabled_suhosin" wide ascii
        $gen_much_sus80 = "fopen(\".htaccess\",\"w" wide ascii
        $gen_much_sus81 = /strrev\(['"]/ wide ascii
        $gen_much_sus82 = "PHPShell" fullword wide ascii
        $gen_much_sus821= "PHP Shell" fullword wide ascii
        $gen_much_sus83 = "phpshell" fullword wide ascii
        $gen_much_sus84 = "PHPshell" fullword wide ascii
        $gen_much_sus87 = "deface" wide ascii
        $gen_much_sus88 = "Deface" wide ascii
        $gen_much_sus89 = "backdoor" wide ascii
        $gen_much_sus91 = "xp_cmdshell" fullword wide ascii
        $gen_much_sus92 = ",3306,3389," wide ascii
        $gen_much_sus93 = "#l@$ak#.lk;0@P" wide ascii
        // base64 of "base64_decode"
        $gen_much_sus94 = "YmFzZTY0X2RlY29kZQ==" fullword wide ascii

        // "GIF8"
        $gif = { 47 49 46 38 }

    condition:
        $gif at 0 or
        // size tiers: the smaller the file, the fewer hits are needed; the
        // tiers overlap, so the lowest-count tier a file qualifies for decides
        (
            filesize < 500 and
            (
                1 of ( $gen_much_sus* ) or
                1 of ( $gen_bit_sus* )
            )
        ) or (
            filesize < 4KB and
            (
                1 of ( $gen_much_sus* ) or
                2 of ( $gen_bit_sus* )
            )
        ) or (
            filesize < 20KB and
            (
                2 of ( $gen_much_sus* ) or
                3 of ( $gen_bit_sus* )
            )
        ) or (
            filesize < 50KB and
            (
                2 of ( $gen_much_sus* ) or
                4 of ( $gen_bit_sus* )
            )
        ) or (
            filesize < 100KB and
            (
                2 of ( $gen_much_sus* ) or
                6 of ( $gen_bit_sus* )
            )
        ) or (
            filesize < 150KB and
            (
                3 of ( $gen_much_sus* ) or
                7 of ( $gen_bit_sus* )
            )
        ) or (
            filesize < 500KB and
            (
                4 of ( $gen_much_sus* ) or
                8 of ( $gen_bit_sus* )
            )
        )
}
 329 | 
 330 | //           _
 331 | //     _ __ | |__  _ __ 
 332 | //    | '_ \| '_ \| '_ \
 333 | //    | |_) | | | | |_) |
 334 | //    | .__/|_| |_| .__/
 335 | //    |_|         |_|
 336 | 
// Whitelist: code fragments from legitimate PHP projects and documentation
// (elgg, Smarty, ...) that the generic detection strings would otherwise flag.
// Consumer rules presumably negate this with `not php_false_positive`; see the
// TODO in the file header about where that term has to sit.
// NOTE(review): every string here is plain ascii (no `wide` modifier) while the
// detection rules use `wide ascii`, so a UTF-16 copy of one of these legitimate
// files is still flagged; `wide ascii` here would keep the whitelist symmetric
// with the detections.
private rule php_false_positive : WEBSHELL PROD {
	meta:
		description = "PHP false positives"
		license = "https://creativecommons.org/licenses/by-nc/4.0/"
		author = "Arnim Rupp"
		date = "2021/01/14"
	strings:
		// try to use only strings which would be flagged by themselves as suspicous by other rules, e.g. eval 
        // a good choice is a string with good atom quality = ideally 4 unusual characters next to each other
		$gfp1  = "eval(\"return [$serialised_parameter" // elgg
		$gfp2  = "$this->assert(strpos($styles, $"
		$gfp3  = "$module = new $_GET['module']($_GET['scope']);"
		$gfp4  = "$plugin->$_POST['action']($_POST['id']);"
		$gfp5  = "$_POST[partition_by]($_POST["
		$gfp6  = "$object = new $_REQUEST['type']($_REQUEST['id']);"
		$gfp7  = "The above example code can be easily exploited by passing in a string such as" // ... ;)
		$gfp8  = "Smarty_Internal_Debug::start_render($_template);"
		$gfp9  = "?p4yl04d=UNION%20SELECT%20'',2,3%20INTO%20OUTFILE%20'/var/www/w3bsh3ll.php"
		$gfp10 = "[][}{;|]\\|\\\\[+=]\\|?"
		$gfp11 = "(eval (getenv \"EPROLOG\")))"
		$gfp12 = "ZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9saWNlbnNlLm9wZW5jYXJ0LWFwaS5jb20vbGljZW5zZS5waHA/b3JkZXJ"
	condition:
		// a single whitelist hit is enough to suppress the file
		any of ( $gfp* )
}
 361 | 
// Whitelist for small files: short fragments from legitimate projects (xcache,
// ...) that would otherwise trip the low-threshold size tiers of the generic
// rules. Separate from php_false_positive so the two can be applied at
// different filesize ranges.
// NOTE(review): as in php_false_positive, all strings are ascii-only while the
// detections are `wide ascii`, so UTF-16 copies of these files are not
// whitelisted.
private rule php_false_positive_tiny : WEBSHELL PROD {
	meta:
		description = "PHP false positives"
		license = "https://creativecommons.org/licenses/by-nc/4.0/"
		author = "Arnim Rupp"
		date = "2021/02/25"
	strings:
		// try to use only strings which would be flagged by themselves as suspicous by other rules, e.g. eval 
		//$gfp_tiny1 = "addslashes" fullword
		//$gfp_tiny2 = "escapeshellarg" fullword
		$gfp_tiny3 = "include \"./common.php\";" // xcache
		$gfp_tiny4 = "assert('FALSE');"
		$gfp_tiny5 = "assert(false);"
		$gfp_tiny6 = "assert(FALSE);"
		$gfp_tiny7 = "assert('array_key_exists("
		$gfp_tiny8 = "echo shell_exec($aspellcommand . ' 2>&1');"
		$gfp_tiny9 = "throw new Exception('Could not find authentication source with id ' . $sourceId);"
		$gfp_tiny10= "return isset( $_POST[ $key ] ) ? $_POST[ $key ] : ( isset( $_REQUEST[ $key ] ) ? $_REQUEST[ $key ] : $default );"
	condition:
		// a single whitelist hit is enough to suppress the file
		any of ( $gfp_tiny* )
}
 383 | 
 384 | /*
 385 | private rule capa_php {
 386 | 	meta:
 387 | 		description = "PHP short tag or