1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule Win7Elevatev2 {
meta:
description = "Detects Win7Elevate - Windows UAC bypass utility"
author = "Florian Roth"
reference = "http://www.pretentiousname.com/misc/W7E_Source/Win7Elevate_Inject.cpp.html"
date = "2015-05-14"
hash1 = "4f53ff6a04e46eda92b403faf42219a545c06c29" /* x64 */
hash2 = "808d04c187a524db402c5b2be17ce799d2654bd1" /* x86 */
score = 60
strings:
$x1 = "This program attempts to bypass Windows 7's default UAC settings to run " wide
$x2 = "Win7ElevateV2\\x64\\Release\\" ascii
$x3 = "Run the command normally (without code injection)" wide
$x4 = "Inject file copy && elevate command" fullword wide
$x5 = "http://www.pretentiousname.com/misc/win7_uac_whitelist2.html" fullword wide
$x6 = "For injection, pick any unelevated Windows process with ASLR on:" fullword wide
$s1 = "\\cmd.exe" wide
$s2 = "runas" wide
$s3 = "explorer.exe" wide
$s4 = "Couldn't load kernel32.dll" wide
$s5 = "CRYPTBASE.dll" wide
$s6 = "shell32.dll" wide
$s7 = "ShellExecuteEx" ascii
$s8 = "COMCTL32.dll" ascii
$s9 = "ShellExecuteEx" ascii
$s10 = "HeapAlloc" ascii
condition:
uint16(0) == 0x5a4d and ( 1 of ($x*) or all of ($s*) )
}
rule UACME_Akagi {
meta:
description = "Rule to detect UACMe - abusing built-in Windows AutoElevate backdoor"
author = "Florian Roth"
reference = "https://github.com/hfiref0x/UACME"
date = "2015-05-14"
hash1 = "edd2138bbd9e76c343051c6dc898054607f2040a"
hash2 = "e3a919ccc2e759e618208ededa8a543954d49f8a"
score = 60
strings:
$x1 = "UACMe injected, Fubuki at your service." wide fullword
$x3 = "%temp%\\Hibiki.dll" fullword wide
$x4 = "[UCM] Cannot write to the target process memory." fullword wide
$s1 = "%systemroot%\\system32\\cmd.exe" wide
$s2 = "D:(A;;GA;;;WD)" wide
$s3 = "%systemroot%\\system32\\sysprep\\sysprep.exe" fullword wide
$s4 = "/c wusa %ws /extract:%%windir%%\\system32" fullword wide
$s5 = "Fubuki.dll" ascii fullword
$l1 = "ntdll.dll" ascii
$l2 = "Cabinet.dll" ascii
$l3 = "GetProcessHeap" ascii
$l4 = "WriteProcessMemory" ascii
$l5 = "ShellExecuteEx" ascii
condition:
( 1 of ($x*) ) or ( 3 of ($s*) and all of ($l*) )
}
rule UACElevator {
meta:
description = "UACElevator bypassing UAC - file UACElevator.exe"
author = "Florian Roth"
reference = "https://github.com/MalwareTech/UACElevator"
date = "2015-05-14"
hash = "fd29d5a72d7a85b7e9565ed92b4d7a3884defba6"
strings:
$x1 = "\\UACElevator.pdb" ascii
$s1 = "%userprofile%\\Downloads\\dwmapi.dll" fullword ascii
$s2 = "%windir%\\system32\\dwmapi.dll" fullword ascii
$s3 = "Infection module: %s" fullword ascii
$s4 = "Could not save module to %s" fullword ascii
$s5 = "%s%s%p%s%ld%s%d%s" fullword ascii
$s6 = "Stack area around _alloca memory reserved by this function is corrupted" fullword ascii
$s7 = "Stack around the variable '" fullword ascii
$s8 = "MSVCR120D.dll" fullword wide
$s9 = "Address: 0x" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 172KB and
( $x1 or 8 of ($s*) )
}
rule s4u {
meta:
description = "Detects s4u executable which allows the creation of a cmd.exe with the context of any user without requiring the password. - file s4u.exe"
author = "Florian Roth"
reference = "https://github.com/aurel26/s-4-u-for-windows"
date = "2015-06-05"
hash = "cfc18f3d5306df208461459a8e667d89ce44ed77"
score = 50
strings:
// Specific strings (may change)
$x0 = "s4u.exe Domain\\Username [Extra SID]" fullword ascii
$x1 = "\\Release\\s4u.pdb" ascii
// Less specific strings
$s0 = "CreateProcessAsUser failed (error %u)." fullword ascii
$s1 = "GetTokenInformation failed (error: %u)." fullword ascii
$s2 = "LsaLogonUser failed (error 0x%x)." fullword ascii
$s3 = "LsaLogonUser: OK, LogonId: 0x%x-0x%x" fullword ascii
$s4 = "LookupPrivilegeValue failed (error: %u)." fullword ascii
$s5 = "The token does not have the specified privilege (%S)." fullword ascii
$s6 = "Unable to parse command line." fullword ascii
$s7 = "Unable to find logon SID." fullword ascii
$s8 = "AdjustTokenPrivileges failed (error: %u)." fullword ascii
$s9 = "AdjustTokenPrivileges (%S): OK" fullword ascii
// Generic
$g1 = "%systemroot%\\system32\\cmd.exe" wide
$g2 = "SeTcbPrivilege" wide
$g3 = "winsta0\\default" wide
$g4 = ".rsrc"
$g5 = "HeapAlloc"
$g6 = "GetCurrentProcess"
$g7 = "HeapFree"
$g8 = "GetProcessHeap"
$g9 = "ExpandEnvironmentStrings"
$g10 = "ConvertStringSidToSid"
$g11 = "LookupPrivilegeValue"
$g12 = "AllocateLocallyUniqueId"
$g13 = "ADVAPI32.dll"
$g14 = "LsaLookupAuthenticationPackage"
$g15 = "Secur32.dll"
$g16 = "MSVCR120.dll"
condition:
uint16(0) == 0x5a4d and filesize < 60KB and ( 1 of ($x*) or all of ($s*) or all of ($g*) )
}