Commit d931b223 by mmorenog

Update and rename HackTools.yar to THOR_HackTools.yar

parent 6d63fd47
......@@ -3,8 +3,55 @@
*/
import "pe"
/*
THOR APT Scanner - Hack Tool Extract
This rulset is a subset of all hack tool rules included in our
APT Scanner THOR - the full featured APT scanner.
We will frequently update this file with new rules rated TLP:WHITE
Florian Roth
BSK Consulting GmbH
Web: bsk-consulting.de
revision: 20150510
License: Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0)
Copyright and related rights waived via https://creativecommons.org/licenses/by-nc-sa/4.0/
*/
/* WCE */
rule WindowsCredentialEditor
{
meta:
description = "Windows Credential Editor" threat_level = 10 score = 90
strings:
$a = "extract the TGT session key"
$b = "Windows Credentials Editor"
condition:
$a or $b
}
rule Amplia_Security_Tool
{
meta:
description = "Amplia Security Tool"
score = 60
nodeepdive = 1
strings:
$a = "Amplia Security"
$b = "Hernan Ochoa"
$c = "getlsasrvaddr.exe"
$d = "Cannot get PID of LSASS.EXE"
$e = "extract the TGT session key"
$f = "PPWDUMP_DATA"
condition: 1 of them
}
/* pwdump/fgdump */
rule PwDump
{
......@@ -30,12 +77,12 @@ rule PScan_Portscan_1 {
$a = "00050;0F0M0X0a0v0}0"
$b = "vwgvwgvP76"
$c = "Pr0PhOFyP"
condition:
condition:
all of them
}
rule HackTool_Samples {
meta:
meta:
description = "Hacktool"
score = 50
strings:
......@@ -65,7 +112,7 @@ rule HackTool_Samples {
$x = "Impersonation Tokens Available"
$y = "failed to parse pwdump format string"
$z = "Dumping password"
condition:
condition:
1 of them
}
......@@ -77,289 +124,13 @@ rule HackTool_Producers {
$a3 = "ntsecurity.nu"
$a4 = "gentilkiwi.com"
$a6 = "Marcus Murray"
$extension = /extension: \.(ini|xml)\n/
condition: 1 of ($a*) and not $extension
}
/* Mimikatz */
rule Mimikatz_Memory_Rule_1 : APT {
meta:
author = "Florian Roth"
date = "12/22/2014"
score = 70
type = "memory"
description = "Detects password dumper mimikatz in memory"
strings:
$s1 = "sekurlsa::msv" fullword ascii
$s2 = "sekurlsa::wdigest" fullword ascii
$s4 = "sekurlsa::kerberos" fullword ascii
$s5 = "sekurlsa::tspkg" fullword ascii
$s6 = "sekurlsa::livessp" fullword ascii
$s7 = "sekurlsa::ssp" fullword ascii
$s8 = "sekurlsa::logonPasswords" fullword ascii
$s9 = "sekurlsa::process" fullword ascii
$s10 = "ekurlsa::minidump" fullword ascii
$s11 = "sekurlsa::pth" fullword ascii
$s12 = "sekurlsa::tickets" fullword ascii
$s13 = "sekurlsa::ekeys" fullword ascii
$s14 = "sekurlsa::dpapi" fullword ascii
$s15 = "sekurlsa::credman" fullword ascii
condition:
1 of them
}
rule Mimikatz_Memory_Rule_2 : APT {
meta:
description = "Mimikatz Rule generated from a memory dump"
author = "Florian Roth - Florian Roth"
type = "memory"
score = 80
strings:
$s0 = "sekurlsa::" ascii
$x1 = "cryptprimitives.pdb" ascii
$x2 = "Now is t1O" ascii fullword
$x4 = "ALICE123" ascii
$x5 = "BOBBY456" ascii
condition:
$s0 and 1 of ($x*)
}
rule Mimikatz_SampleSet_1 : APT {
meta:
description = "Mimikatz Rule generated from a big Mimikatz sample set"
author = "Florian Roth - Florian Roth"
hash1 = "9ef9762169e8b44d01613234927f44d6"
hash2 = "35b34bb9f1ad0fdf48dc090ed4a8190f"
hash3 = "516fde1fe06f96a019c3ad063c78b760"
hash4 = "faf248ee5184b65d28786d91c02864a6"
hash5 = "5847659129c4e711809ab5b6ab1b8bd8"
score = 80
strings:
$s0 = "mimikatz_trunk/Win32/mimidrv.sys" fullword
$s1 = "Mimikatz 2.0\\x64\\mimidrv.sys" fullword
$s2 = "32\\kelloworld.dll"
$s3 = "64\\kelloworld.dll"
$s4 = "32/kelloworld.dll"
$s5 = "64/kelloworld.dll"
$s6 = "mimidrv.sys" fullword
$s7 = "sekurlsa.lib" fullword
$s8 = "mimilib.dll" fullword
$s9 = "mimikatz.exe" fullword
condition:
3 of them
}
rule Mimikatz_SampleSet_2 : APT {
meta:
description = "Mimikatz Rule generated from a big Mimikatz sample set"
author = "Florian Roth - Florian Roth"
hash = "6f14b6744aad66ac017ab7733cdb51ad"
score = 50
strings:
$s0 = "notsupported" fullword
$s1 = "getKerberos" fullword
$s2 = "M(knN0123456789abcdefghijklmnopqrstuvwxyz" fullword
$s3 = "getLiveSSPFunctions" fullword
$s4 = "getKerberosFunctions" fullword
$s5 = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\"><tr"
$s6 = ".?AV_System_error@std@@" fullword
$s7 = "getCredmanFunctions" fullword
$s8 = "find_tokens" fullword
condition:
all of them
}
rule Mimikatz_SampleSet_3 : APT {
meta:
description = "Mimikatz Rule generated from a big Mimikatz sample set"
author = "Florian Roth - Florian Roth"
hash = "f62848e3cd2f0316608c2696c6504b4a"
score = 50
strings:
$s8 = "x64/intra.kirbi" fullword
$s9 = "x64/intra.kirbi*kb" fullword
condition:
all of them
}
rule Mimikatz_SampleSet_4 : APT {
meta:
description = "Mimikatz Rule generated from a big Mimikatz sample set"
author = "Florian Roth - Florian Roth"
hash1 = "8991aeef8b33049c5997c59afcea4a27"
hash2 = "a3e00b039f2d2ea04a4274506dd83be0"
hash3 = "cb5d40cc8db79c3d24f20f443f7e5926"
score = 40
strings:
$s0 = "notsupported" fullword
$s1 = "getLiveSSP" fullword
$s2 = "getKerberos" fullword
$s3 = "getLiveSSPFunctions" fullword
$s4 = "getKerberosFunctions" fullword
$s5 = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\"><tr"
$s6 = "getCredmanFunctions" fullword
$s7 = "getCredman" fullword
$s8 = "find_tokens" fullword
condition:
all of them
}
rule Mimikatz_SampleSet_5 : APT {
meta:
description = "Mimikatz Rule generated from a big Mimikatz sample set"
author = "Florian Roth - Florian Roth"
hash1 = "9ca015f05cc4cbae8d50bcd067e6d605"
score = 50
strings:
$s6 = "mimidrv.sys" fullword
condition:
all of them
}
rule Mimikatz_SampleSet_6 : APT {
meta:
description = "Mimikatz Rule generated from a big Mimikatz sample set"
author = "Florian Roth - Florian Roth"
hash = "739c80bac405eb1b0ebbe10a75515ff1"
strings:
$s1 = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\"><tr"
$s2 = "Erreur : impossible d'ouvrir le bureau cible (" fullword
condition:
all of them
}
rule Mimikatz_SampleSet_7 : APT {
meta:
description = "Mimikatz Rule generated from a big Mimikatz sample set"
author = "Florian Roth - Florian Roth"
super_rule = 1
hash0 = "821e5dc1ad4bbad2958e036c84bf7734"
hash1 = "e39e57fb7ff38e7be1a8da785ef83557"
hash2 = "9ecb8020b0989778009d5aaf13640ea4"
hash3 = "4bfe2b27a63678fa6b4bd27c8d309508"
hash4 = "fb164aadc2ae4a7aa3fc3f54cd8fa92a"
hash5 = "33786d2823e6d5e75b1a3a8bb2837b40"
hash6 = "a4c1feb5f3f5a71320aeca588cb1f14c"
hash7 = "36fc962a871cfb9f7d31dc9faaab5b54"
hash8 = "35bc4af0cbaa48e8a72884e3e690fc3b"
hash9 = "f1de7a81394efe6cc9438033a75cae0d"
hash10 = "a6e0cf20f2de5149885297188644f123"
hash11 = "bb7d4174e9ffae01a14993c528de8653"
hash12 = "ffd3df1ee7bfd6f1255221c3f82478f1"
hash13 = "eaf8dfbe80c42dd92740a9e71ea444ab"
hash14 = "e25b75621c03da7addc55dac378d77c4"
hash15 = "41ea9b05bcfceca78d51f776bfdee393"
hash16 = "a03a4272be8a2ee5e48ba2c417ff3b5b"
hash17 = "96501f7e9dc19a4012b1f5db1dce7018"
hash18 = "b6fe1b2e961c294155d8f48b6c57f28f"
hash19 = "1680c6afebcb77a21b6619aedc304931"
hash20 = "46820c90b2fb296e26b4bb8f7cad51ac"
hash21 = "a21634571795601f5eace5d503246b3b"
hash22 = "e6dda29f842ce3b7c72b5536fab4f860"
hash23 = "006480db3303a7ba9d73e32bc6c0bc11"
hash24 = "efa68dd73410c4be6f6b0a95a02762f2"
hash25 = "7194944aa418851631d7e614ff430b0a"
hash26 = "3a98b9190bf6ed5f75d9c3950a63dd08"
hash27 = "02f7536279480b73c9942c072c1b5316"
hash28 = "8638370c805dc92581eba34fa57eb45e"
hash29 = "6f393ab258b87790a45d6d2b125bbc24"
hash30 = "dbb01a015ab11266bae5d6381ffd41c2"
score = 80
strings:
$s0 = "# * Kernel mode * #" fullword
$s1 = "kerberos!KerbGlobalLogonSessionTable" fullword
$s2 = "Authentication Id : %u ; %u (%08x:%08x)" fullword
$s3 = "%p - lsasrv!InitializationVector" fullword
$s4 = "%p - lsasrv!LogonSessionListCount" fullword
$s7 = "# * User mode * #" fullword
$s8 = "## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )"
$s9 = "livessp!LiveGlobalLogonSessionList" fullword
condition:
all of them
}
rule Mimikatz_SampleSet_8 : APT {
meta:
description = "Mimikatz Rule generated from a big Mimikatz sample set"
author = "Florian Roth - Florian Roth"
super_rule = 1
hash0 = "0a10fe0a341ac0b24347f183c83123cc"
hash1 = "d7e16bc11cdfc0f781e87f5df4ae24a5"
hash2 = "abdb41e32c447e703b03c9e307565ed3"
score = 40
strings:
$s0 = "?!?(?0?8?@?H?P?X?`?n?w?" fullword
$s1 = "2\"2'2.24292@2F2K2R2X2]2d2j2o2v2|2" fullword
$s2 = "7!7<7C7P7V7^7d7r7" fullword
$s3 = "0#0)0=0E0K0[0c0i0" fullword
$s4 = "878E8L8Y8`8f8l8r8" fullword
$s5 = ":*:/:7:=:B:I:O:T:[:a:f:m:s:x:" fullword
$s6 = "<'<4<9<D<K<Q<X<e<j<u<{<" fullword
$s7 = "8&878?8M8R8]8d8q8~8" fullword
$s8 = ";,;2;A;F;L;_;d;k;q;" fullword
$s9 = "3%3+31373=3C3I3N3_3s3" fullword
condition:
all of them
}
rule Mimikatz_SampleSet_9 : APT {
meta:
description = "Mimikatz Rule generated from a big Mimikatz sample set"
author = "Florian Roth - Florian Roth"
super_rule = 1
hash0 = "6e2eda476c141c63ff62c92d8b52ff7e"
hash1 = "f42b75103230cab39e4c58d5b0dca2c4"
hash2 = "dc6f62e3a0b584cb134633a12fd7d7b8"
hash3 = "d5918d735a23f746f0e83f724c4f26e5"
hash4 = "e98b714ccd14e61f776cc55a602d2dd0"
hash5 = "09a6e5cc589a485d9ab4eda772b46f2a"
hash6 = "4a51faef37af8b70fc9cf7c64f030b25"
hash7 = "e52e30811287426d4eef089a65cc2acf"
hash8 = "cd1606a1800150a33dea71d3f3ee9aed"
hash9 = "510fe825464dca92aadcd3d8289405aa"
hash10 = "0be87e16eb598006358cdaa9dfcd5af5"
hash11 = "1f0ce022ee9fe8d92235809eda73ce38"
hash12 = "e172a38ade3aa0a2bc1bf9604a54a3b5"
hash13 = "de20bddb9c3b1b09d980db5bbb5b5789"
hash14 = "c77db1ddffc7e6edac60bb5ca9a6e863"
hash15 = "6d8008edd86c5ca1a112018852777b1e"
hash16 = "525d6ca1446b01f912303f04f0c713ab"
score = 70
strings:
$s6 = "\\i386\\mimidrv.pdb"
condition:
all of them
}
rule Mimikatz_SampleSet_10 : APT {
meta:
description = "Mimikatz Rule generated from a big Mimikatz sample set"
author = "Florian Roth - Florian Roth"
super_rule = 1
hash0 = "5522fd8fe2e205b30f9e74a94da0352d"
hash1 = "ec428ed7d1cc4ba3023696ddc138a376"
hash2 = "13e88493f844a0df3352cd721bfa41a6"
hash3 = "483e5365e1f1d83c2dcd4bdb398e779f"
hash4 = "04d04a1f0ff9e2ff1d35b8c2950cce53"
hash5 = "97cbbd6c4153ae4a410439e2c02d77ce"
hash6 = "b43dfc8be8db7eacfc993e323229fb9f"
hash7 = "72e95180a2e4ab59e1b7c10f1054740a"
hash8 = "eaaecd5bd100923c72d2b39d84dfd411"
hash9 = "a8ae792f0384fd3e7f411c826b48b7c8"
score = 40
strings:
$s0 = "D$hL9(t" fullword
$s1 = "l$LfD9o" fullword
$s2 = "AHH90t?L" fullword
$s3 = "M9Qpv\"I9Ips" fullword
$s4 = "tSD8T$<u" fullword
$s5 = ";f9T$Xw" fullword
$s6 = "6f9L$Xw" fullword
$s7 = "f;\\$@u1E3" fullword
$s8 = "8\\$8uFH" fullword
$s9 = "L$DfD;O" fullword
condition:
all of them
1 of ($a*) and
not extension contains ".ini" and
not extension contains ".xml" and
not extension contains ".sqlite"
}
/* Removed Mimikatz samples set super rules 11 - 27 */
/* Disclosed hack tool set */
rule Fierce2
......@@ -477,12 +248,11 @@ rule CGISscan_CGIScan {
author = "yarGen Yara Rule Generator by Florian Roth"
hash = "338820e4e8e7c943074d5a5bc832458a"
strings:
$s1 = "Wang Products" fullword wide
$s2 = "WSocketResolveHost: Cannot convert host address '%s'"
$s3 = "tcp is the only protocol supported thru socks server"
$path1 = /filepath: .{,70}EPO.{,70}\n/
condition:
$s2 and $s3 and not $path1
all of ($s*)
}
rule IP_Stealing_Utilities {
......@@ -685,7 +455,7 @@ rule crack_Loader {
}
rule CN_GUI_Scanner {
meta:
meta:
description = "Detects an unknown GUI scanner tool - CN background"
author = "Florian Roth"
hash = "3c67bbb1911cdaef5e675c56145e1112"
......@@ -699,10 +469,10 @@ rule CN_GUI_Scanner {
$s1w = ").exe" fullword wide
condition:
all of them
}
}
rule CN_Packed_Scanner {
meta:
meta:
description = "Suspiciously packed executable"
author = "Florian Roth"
hash = "6323b51c116a77e3fba98f7bb7ff4ac6"
......@@ -729,7 +499,7 @@ rule Tiny_Network_Tool_Generic {
hash2 = "8e635b9a1e5aa5ef84bfa619bd2a1f92"
strings:
$magic = { 4d 5a }
$s0 = "KERNEL32.DLL" fullword ascii
$s1 = "CRTDLL.DLL" fullword ascii
$s3 = "LoadLibraryA" fullword ascii
......@@ -737,7 +507,7 @@ rule Tiny_Network_Tool_Generic {
$y1 = "WININET.DLL" fullword ascii
$y2 = "atoi" fullword ascii
$x1 = "ADVAPI32.DLL" fullword ascii
$x2 = "USER32.DLL" fullword ascii
$x3 = "wsock32.dll" fullword ascii
......@@ -748,7 +518,7 @@ rule Tiny_Network_Tool_Generic {
$z2 = "USER32.DLL" fullword ascii
$z3 = "FreeSid" fullword ascii
$z4 = "ToAscii" fullword ascii
condition:
( $magic at 0 ) and all of ($s*) and ( all of ($y*) or all of ($x*) or all of ($z*) ) and filesize < 15KB
}
......@@ -998,7 +768,7 @@ rule iKAT_priv_esc_tasksch {
description = "Task Schedulder Local Exploit - Windows local priv-esc using Task Scheduler, published by webDevil. Supports Windows 7 and Vista."
author = "Florian Roth"
date = "05.11.14"
score = 75
score = 75
reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
hash = "84ab94bff7abf10ffe4446ff280f071f9702cf8b"
strings:
......@@ -1013,7 +783,7 @@ rule iKAT_priv_esc_tasksch {
$s13 = "output.writeline \" Should work on Vista/Win7/2008 x86/x64\"" fullword ascii
$s11 = "Set objExecObject = objShell.Exec(\"cmd /c schtasks /query /XML /TN wDw00t\")" fullword ascii
$s12 = "objShell.Run \"schtasks /create /TN wDw00t /sc monthly /tr \"\"\"+biatchFile+\"" ascii
$s14 = "a.WriteLine (\"net localgroup administrators /add v4l\")" fullword ascii
$s14 = "a.WriteLine (\"net localgroup administrators /add v4l\")" fullword ascii
$s20 = "Set ts = fso.createtextfile (\"wDw00t.xml\")" fullword ascii
condition:
2 of them
......@@ -1024,7 +794,7 @@ rule iKAT_command_lines_agent {
description = "iKAT hack tools set agent - file ikat.exe"
author = "Florian Roth"
date = "05.11.14"
score = 75
score = 75
reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
hash = "c802ee1e49c0eae2a3fc22d2e82589d857f96d94"
strings:
......@@ -1052,10 +822,10 @@ rule iKAT_cmd_as_dll {
$s1 = "cmd.exe" fullword wide
$s2 = "ReactOS Development Team" fullword wide
$s3 = "ReactOS Command Processor" fullword wide
$ext = "extension: .dll" nocase
condition:
all of ($s*) and $ext
all of ($s*) and $ext
}
rule iKAT_tools_nmap {
......@@ -1290,7 +1060,7 @@ rule MS08_067_Exploit_Hacktools_CN {
$s7 = "Maybe Patched!" fullword ascii
$s8 = "RpcExceptionCode() = %u" fullword ascii
$s11 = "ph4nt0m" fullword wide
$s12 = "\\\\%s\\IPC$" fullword ascii
$s12 = "\\\\%s\\IPC" ascii
condition:
4 of them
}
......@@ -1316,21 +1086,6 @@ rule Hacktools_CN_Burst_sql {
6 of them
}
rule Hacktools_CN_JoHor_Rdos {
meta:
description = "Disclosed hacktool set - file spec.vbp"
author = "Florian Roth"
date = "17.11.14"
score = 60
hash = "400a90c9eabeb94ae05e5036e21dc922b0c1ffad"
strings:
$s3 = "service@dywt.com.cn" fullword ascii
$s9 = "www.dywt.com.cn" fullword ascii
$s17 = "This is a runtime library file for EPL applications. The EPL is a software devel" ascii
condition:
2 of them
}
rule Hacktools_CN_Panda_445TOOL {
meta:
description = "Disclosed hacktool set - file 445TOOL.rar"
......@@ -1505,23 +1260,6 @@ rule Hacktools_CN_JoHor_Posts_Killer {
5 of them
}
rule Hacktools_CN_JoHor_Rdos_3_6_uplis {
meta:
description = "Disclosed hacktool set - file uplis.vbp"
author = "Florian Roth"
date = "17.11.14"
score = 60
hash = "a87d00d78838c2d968b72330ee6f21f69b2caae5"
strings:
$s0 = "http://dywt.com.cn" fullword ascii
$s1 = "service@dywt.com.cn" fullword ascii
$s4 = "GetNewInf" fullword ascii
$s5 = "This is a runtime library file for EPL applications. The EPL is a software devel" ascii
$s8 = "yiyuyan" fullword ascii
condition:
4 of them
}
rule Hacktools_CN_Panda_tesksd {
meta:
description = "Disclosed hacktool set - file tesksd.jpg"
......@@ -1537,22 +1275,6 @@ rule Hacktools_CN_Panda_tesksd {
all of them
}
rule Hacktools_CN_Panda_k {
meta:
description = "Disclosed hacktool set - file k.exe"
author = "Florian Roth"
date = "17.11.14"
score = 60
hash = "8d1170df533238ac2da7826bd8997917be1e1517"
strings:
$s0 = "(http://www.eyuyan.com)" fullword wide
$s1 = "trin" fullword wide
$s2 = "FAUL" fullword wide
$s10 = " program must be run " fullword ascii
condition:
all of them
}
rule Hacktools_CN_Http {
meta:
description = "Disclosed hacktool set - file Http.exe"
......@@ -1569,45 +1291,6 @@ rule Hacktools_CN_Http {
all of them and filesize < 10KB
}
rule Hacktools_CN_JoHor_Rdos_get {
meta:
description = "Disclosed hacktool set - file get.vbp"
author = "Florian Roth"
date = "17.11.14"
score = 60
hash = "09c32ca167136a17fd69df8c525ea5ffeca6c534"
strings:
$s1 = "http://dywt.com.cn" fullword ascii
$s2 = "service@dywt.com.cn" fullword ascii
$s3 = "Uncompress" fullword ascii
$s5 = "GetNewInf" fullword ascii
$s6 = "This is a runtime library file for EPL applications. The EPL is a software devel" ascii
$s10 = "GetMD5" fullword ascii
$s12 = "RSACheck" fullword ascii
condition:
all of them
}
rule Hacktools_CN_JoHor_Rdos_LineExp {
meta:
description = "Disclosed hacktool set - file LineExp.vbp"
author = "Florian Roth"
date = "17.11.14"
score = 60
hash = "1bd2db477c68cdcba9ae5c3668bd76c51fc12d2e"
strings:
$s0 = "http://dywt.com.cn" fullword ascii
$s1 = "service@dywt.com.cn" fullword ascii
$s2 = "EThread.fne" fullword ascii
$s3 = "GetNewInf" fullword ascii
$s4 = "This is a runtime library file for EPL applications. The EPL is a software devel" ascii
$s5 = "CloseThreadHandle" fullword ascii
$s6 = "WaitThread" fullword ascii
$s8 = "CreateCriticalSection" fullword ascii
condition:
all of them
}
rule Hacktools_CN_Burst_Start {
meta:
description = "Disclosed hacktool set - file Start.bat - DoS tool"
......@@ -1664,21 +1347,6 @@ rule Hacktools_CN_Burst_Clear {
5 of them
}
rule Hacktools_CN_Panda_andrew {
meta:
description = "Disclosed hacktool set - file andrew.exe - sethc.exe Debugger backdoor"
author = "Florian Roth"
date = "17.11.14"
score = 60
hash = "abd03ebb08314297b83e6c795cc85bb85e1f4d71"
strings:
$s0 = "(http://www.eyuyan.com)" fullword wide
$s1 = "ClosePrinter" fullword ascii
$s18 = "version=\"1.0\" encoding" fullword ascii
condition:
all of them
}
rule Hacktools_CN_Burst_Thecard {
meta:
description = "Disclosed hacktool set - file Thecard.bat"
......@@ -1887,10 +1555,10 @@ rule EditServer {
$s13 = "Service Name: %s" fullword ascii
$s14 = "Server Password: %s" fullword ascii
$s17 = "Inject Process Name: %s" fullword ascii
$x1 = "WinEggDrop Shell Congirator" fullword ascii
condition:
5 of ($s*) or $x1
5 of ($s*) or $x1
}
rule sig_238_letmein {
......@@ -2176,23 +1844,6 @@ rule aspfile2 {
all of them
}
rule Jc_ALL_WinEggDropShell_rar_Folder_SOCKS {
meta:
description = "Disclosed hacktool set (old stuff) - file SOCKS.exe"
author = "Florian Roth"
date = "23.11.14"
score = 60
hash = "ad2168e9837592eeb120fc6798648b2fe996f79c"
strings:
$s0 = "http://go.163.com/~sdemo" fullword ascii
$s1 = "http://go.163.com/sdemo" fullword wide
$s4 = "Player.EXE" fullword wide
$s5 = "mailto:sdemo@263.net" fullword ascii
$s6 = "S-Player.exe" fullword ascii
condition:
all of them
}
rule UnPack_rar_Folder_InjectT {
meta:
description = "Disclosed hacktool set (old stuff) - file InjectT.exe"
......@@ -2209,9 +1860,9 @@ rule UnPack_rar_Folder_InjectT {
$s7 = "Fail To Set The Port" fullword ascii
$s11 = "\\psapi.dll" fullword ascii
$s20 = "TInject.Dll" fullword ascii
$x1 = "Software\\Microsoft\\Internet Explorer\\WinEggDropShell" fullword ascii
$x2 = "injectt.exe" fullword ascii
$x2 = "injectt.exe" fullword ascii
condition:
( 1 of ($x*) ) and ( 3 of ($s*) )
}
......@@ -2979,14 +2630,14 @@ rule Ammyy_Admin_AA_v3 {
date = "2014/12/22"
score = 55
hash1 = "b130611c92788337c4f6bb9e9454ff06eb409166"
hash2 = "07539abb2623fe24b9a05e240f675fa2d15268cb"
hash2 = "07539abb2623fe24b9a05e240f675fa2d15268cb"
strings:
$x1 = "S:\\Ammyy\\sources\\target\\TrService.cpp" fullword ascii
$x2 = "S:\\Ammyy\\sources\\target\\TrDesktopCopyRect.cpp" fullword ascii
$x3 = "Global\\Ammyy.Target.IncomePort" fullword ascii
$x4 = "S:\\Ammyy\\sources\\target\\TrFmFileSys.cpp" fullword ascii
$x5 = "Please enter password for accessing remote computer" fullword ascii
$s1 = "CreateProcess1()#3 %d error=%d" fullword ascii
$s2 = "CHttpClient::SendRequest2(%s, %s, %d) error: invalid host name." fullword ascii
$s3 = "ERROR: CreateProcessAsUser() error=%d, session=%d" fullword ascii
......@@ -2997,84 +2648,6 @@ rule Ammyy_Admin_AA_v3 {
/* Other dumper and custom hack tools */
rule Mimikatz_Samples_2014b_1 {
meta:
description = "Mimikatz pwassword dumper samples from the second half of 2014"
author = "Florian Roth with the help of YarGen Rule Generator"
reference = "not set"
date = "2014/12/23"
score = 80
hash = "ef5bd09b2e5836b58a8b27c1fb3650621aaf6488"
strings:
$s1 = "Raw command (not implemented yet) : %s" fullword wide
$s3 = " ! ZwSetInformationProcess 0x%08x for %u/%-14S" fullword wide
$s6 = "PsSetCreateProcessNotifyRoutineEx" fullword wide
$s10 = "\\Device\\mimidrv" fullword wide
$s16 = "\\DosDevices\\mimidrv" fullword wide
$s17 = "All privileges for the access token from %u/%-14S" fullword wide
$s20 = "in (0x%p - %u) ; out (0x%p - %u)" fullword wide
condition:
all of them
}
rule Mimikatz_Samples_2014b_2 {
meta:
description = "Mimikatz pwassword dumper samples from the second half of 2014"
author = "Florian Roth with the help of YarGen Rule Generator"
reference = "not set"
date = "2014/12/23"
score = 80
hash = "98033f5bbdd79b12a7804bad0698c91e6d5067ad"
strings:
$s0 = "0: kd> .process /r /p <EPROCESS address>" fullword ascii
$s4 = "%p - lsasrv!LogonSessionListCount" fullword ascii
$s7 = "%p - lsasrv!LogonSessionList" fullword ascii
$s12 = "livessp!LiveGlobalLogonSessionList" fullword ascii
$s13 = "UndefinedLogonType" fullword ascii
$s14 = "[ERROR] [CRYPTO] Acquire keys" fullword ascii
$s15 = "masterkey" fullword ascii
$s16 = "kerberos!KerbGlobalLogonSessionTable" fullword ascii
$s17 = "RemoteInteractive" fullword ascii
$s18 = "mimilib.dll" fullword wide
$s19 = "%p - lsasrv!InitializationVector" fullword ascii
$s20 = "lsasrv!LogonSessionListCount" fullword ascii
condition:
all of them
}
rule Mimikatz_Samples_2014b_Family_2 {
meta:
description = "Mimikatz pwassword dumper samples from the second half of 2014"
author = "Florian Roth with the help of YarGen Rule Generator"
date = "2014/12/23"
super_rule = 1
score = 80
hash0 = "61001a32c5388e629dd0441a77974200057816ef"
hash1 = "46df272cecb541aebca3c863802c0d0a0dc5fcb4"
hash2 = "c3307bb70efa19fc5049dfd829d07ea52a65bb74"
hash3 = "29d9bfc4e4884bc7b2f3cd01960b727c17fb50cb"
hash4 = "ac1d1db32ca6e7af5625f0f6fbe210fe68002b5c"
strings:
$s0 = "ncryptprov.dll" fullword wide
$s1 = "CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY" fullword wide
$s2 = "logonPasswords" fullword wide
$s3 = "CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE" fullword wide
$s4 = "CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY" fullword wide
$s5 = "inject" fullword wide
$s6 = "MS_DEF_RSA_SCHANNEL_PROV" fullword wide
$s7 = "MS_ENHANCED_PROV" fullword wide
$s8 = "MS_DEF_RSA_SIG_PROV" fullword wide
$s9 = "privilege" fullword wide
$s10 = "MS_ENH_RSA_AES_PROV" fullword wide
$s16 = "sekurlsa" fullword wide
$s17 = "answer" fullword wide
$s18 = "secrets" fullword wide
$s19 = "MS_DEF_DSS_PROV" fullword wide
$s20 = "MS_DEF_PROV" fullword wide
condition:
all of them
}
rule LinuxHacktool_eyes_screen {
meta:
description = "Linux hack tools - file screen"
......@@ -3119,27 +2692,7 @@ rule LinuxHacktool_eyes_scanssh {
condition:
all of them
}
rule LinuxHacktool_eyes_scanner {
meta:
description = "Linux hack tools - file scanner"
author = "Florian Roth"
reference = "not set"
date = "2015/01/19"
hash = "5488698b7f9090f45096517e61768efd32299d5b"
strings:
$s0 = "%s: line %d: list delimiter not followed by keyword" fullword ascii
$s1 = "checking for version `%s' in file %s required by file %s" fullword ascii
$s3 = "%s: line %d: expected service, found `%s'" fullword ascii
$s4 = "truncated dump file; tried to read %d header bytes, only got %lu" fullword ascii
$s5 = "%s: line %d: list delimiter not followed by domain" fullword ascii
$s7 = "'protochain' not supported with radiotap headers" fullword ascii
$s8 = "%s(): unsuported injection type" fullword ascii
$s9 = "ELF load command address/offset not properly aligned" fullword ascii
$s10 = "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.221.2.27 2005/07/14 16:01:46" ascii
$s20 = "%s%s%s:%u: %s%sAssertion `%s' failed." fullword ascii
condition:
4 of them
}
rule LinuxHacktool_eyes_pscan2 {
meta:
description = "Linux hack tools - file pscan2"
......@@ -3225,7 +2778,7 @@ rule CN_Portscan : APT
($s1 at 0) and $s2
}
rule WMI_vbs : APT
rule WMI_vbs : APT
{
meta:
description = "WMI Tool - APT"
......@@ -3234,101 +2787,289 @@ rule WMI_vbs : APT
confidential = false
score = 70
strings:
$s3 = "WScript.Echo \" $$\\ $$\\ $$\\ $$\\ $$$$$$\\ $$$$$$$$\\ $$\\ $$\\ $$$$$$$$\\ $$$$$$"
$s3 = "WScript.Echo \" $$\\ $$\\ $$\\ $$\\ $$$$$$\\ $$$$$$$$\\ $$\\ $$\\ $$$$$$$$\\ $$$$$$"
condition:
all of them
all of them
}
rule mimikatz
rule CN_Toolset__XScanLib_XScanLib_XScanLib {
meta:
description = "Detects a Chinese hacktool from a disclosed toolset - from files XScanLib.dll, XScanLib.dll, XScanLib.dll"
author = "Florian Roth"
reference = "http://qiannao.com/ls/905300366/33834c0c/"
date = "2015/03/30"
score = 70
super_rule = 1
hash0 = "af419603ac28257134e39683419966ab3d600ed2"
hash1 = "c5cb4f75cf241f5a9aea324783193433a42a13b0"
hash2 = "135f6a28e958c8f6a275d8677cfa7cb502c8a822"
strings:
$s1 = "Plug-in thread causes an exception, failed to alert user." fullword
$s2 = "PlugGetUdpPort" fullword
$s3 = "XScanLib.dll" fullword
$s4 = "PlugGetTcpPort" fullword
$s11 = "PlugGetVulnNum" fullword
condition:
all of them
}
rule CN_Toolset_NTscan_PipeCmd {
meta:
description = "Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe"
author = "Florian Roth"
reference = "http://qiannao.com/ls/905300366/33834c0c/"
date = "2015/03/30"
score = 70
hash = "a931d65de66e1468fe2362f7f2e0ee546f225c4e"
strings:
$s2 = "Please Use NTCmd.exe Run This Program." fullword ascii
$s3 = "PipeCmd.exe" fullword wide
$s4 = "\\\\.\\pipe\\%s%s%d" fullword ascii
$s5 = "%s\\pipe\\%s%s%d" fullword ascii
$s6 = "%s\\ADMIN$\\System32\\%s%s" fullword ascii
$s7 = "%s\\ADMIN$\\System32\\%s" fullword ascii
$s9 = "PipeCmdSrv.exe" fullword ascii
$s10 = "This is a service executable! Couldn't start directly." fullword ascii
$s13 = "\\\\.\\pipe\\PipeCmd_communicaton" fullword ascii
$s14 = "PIPECMDSRV" fullword wide
$s15 = "PipeCmd Service" fullword ascii
condition:
4 of them
}
rule CN_Toolset_LScanPortss_2 {
meta:
description = "Detects a Chinese hacktool from a disclosed toolset - file LScanPortss.exe"
author = "Florian Roth"
reference = "http://qiannao.com/ls/905300366/33834c0c/"
date = "2015/03/30"
score = 70
hash = "4631ec57756466072d83d49fbc14105e230631a0"
strings:
$s1 = "LScanPort.EXE" fullword wide
$s3 = "www.honker8.com" fullword wide
$s4 = "DefaultPort.lst" fullword ascii
$s5 = "Scan over.Used %dms!" fullword ascii
$s6 = "www.hf110.com" fullword wide
$s15 = "LScanPort Microsoft " fullword wide
$s18 = "L-ScanPort2.0 CooFly" fullword wide
condition:
4 of them
}
rule CN_Toolset_sig_1433_135_sqlr {
meta:
description = "Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe"
author = "Florian Roth"
reference = "http://qiannao.com/ls/905300366/33834c0c/"
date = "2015/03/30"
score = 70
hash = "8542c7fb8291b02db54d2dc58cd608e612bfdc57"
strings:
$s0 = "Connect to %s MSSQL server success. Type Command at Prompt." fullword ascii
$s11 = ";DATABASE=master" fullword ascii
$s12 = "xp_cmdshell '" fullword ascii
$s14 = "SELECT * FROM OPENROWSET('SQLOLEDB','Trusted_Connection=Yes;Data Source=myserver" ascii
condition:
all of them
}
rule DarkComet_Keylogger_File
{
meta:
description = "mimikatz"
author = "Benjamin DELPY (gentilkiwi)"
tool_author = "Benjamin DELPY (gentilkiwi)"
meta:
author = "Florian Roth"
description = "Looks like a keylogger file created by DarkComet Malware"
date = "25.07.14"
score = 50
strings:
$magic = "::"
$entry = /\n:: [A-Z]/
$timestamp = /\([0-9]?[0-9]:[0-9][0-9]:[0-9][0-9] [AP]M\)/
condition:
($magic at 0) and #entry > 10 and #timestamp > 10
}
/* Mimikatz */
rule Mimikatz_Memory_Rule_1 : APT {
meta:
author = "Florian Roth"
date = "12/22/2014"
score = 70
type = "memory"
description = "Detects password dumper mimikatz in memory"
strings:
$s1 = "sekurlsa::msv" fullword ascii
$s2 = "sekurlsa::wdigest" fullword ascii
$s4 = "sekurlsa::kerberos" fullword ascii
$s5 = "sekurlsa::tspkg" fullword ascii
$s6 = "sekurlsa::livessp" fullword ascii
$s7 = "sekurlsa::ssp" fullword ascii
$s8 = "sekurlsa::logonPasswords" fullword ascii
$s9 = "sekurlsa::process" fullword ascii
$s10 = "ekurlsa::minidump" fullword ascii
$s11 = "sekurlsa::pth" fullword ascii
$s12 = "sekurlsa::tickets" fullword ascii
$s13 = "sekurlsa::ekeys" fullword ascii
$s14 = "sekurlsa::dpapi" fullword ascii
$s15 = "sekurlsa::credman" fullword ascii
condition:
1 of them
}
rule Mimikatz_Memory_Rule_2 : APT {
meta:
description = "Mimikatz Rule generated from a memory dump"
author = "Florian Roth - Florian Roth"
type = "memory"
score = 80
strings:
$s0 = "sekurlsa::" ascii
$x1 = "cryptprimitives.pdb" ascii
$x2 = "Now is t1O" ascii fullword
$x4 = "ALICE123" ascii
$x5 = "BOBBY456" ascii
condition:
$s0 and 1 of ($x*)
}
strings:
$exe_x86_1 = { 89 71 04 89 [0-3] 30 8d 04 bd }
$exe_x86_2 = { 89 79 04 89 [0-3] 38 8d 04 b5 }
rule mimikatz
{
meta:
description = "mimikatz"
author = "Benjamin DELPY (gentilkiwi)"
tool_author = "Benjamin DELPY (gentilkiwi)"
score = 80
strings:
$exe_x86_1 = { 89 71 04 89 [0-3] 30 8d 04 bd }
$exe_x86_2 = { 89 79 04 89 [0-3] 38 8d 04 b5 }
$exe_x64_1 = { 4c 03 d8 49 [0-3] 8b 03 48 89 }
$exe_x64_2 = { 4c 8b df 49 [0-3] c1 e3 04 48 [0-3] 8b cb 4c 03 [0-3] d8 }
$exe_x64_1 = { 4c 03 d8 49 [0-3] 8b 03 48 89 }
$exe_x64_2 = { 4c 8b df 49 [0-3] c1 e3 04 48 [0-3] 8b cb 4c 03 [0-3] d8 }
$dll_1 = { c7 0? 00 00 01 00 [4-14] c7 0? 01 00 00 00 }
$dll_2 = { c7 0? 10 02 00 00 ?? 89 4? }
$dll_1 = { c7 0? 00 00 01 00 [4-14] c7 0? 01 00 00 00 }
$dll_2 = { c7 0? 10 02 00 00 ?? 89 4? }
$sys_x86 = { a0 00 00 00 24 02 00 00 40 00 00 00 [0-4] b8 00 00 00 6c 02 00 00 40 00 00 00 }
$sys_x64 = { 88 01 00 00 3c 04 00 00 40 00 00 00 [0-4] e8 02 00 00 f8 02 00 00 40 00 00 00 }
$sys_x86 = { a0 00 00 00 24 02 00 00 40 00 00 00 [0-4] b8 00 00 00 6c 02 00 00 40 00 00 00 }
$sys_x64 = { 88 01 00 00 3c 04 00 00 40 00 00 00 [0-4] e8 02 00 00 f8 02 00 00 40 00 00 00 }
condition:
(all of ($exe_x86_*)) or (all of ($exe_x64_*)) or (all of ($dll_*)) or (any of ($sys_*))
condition:
(all of ($exe_x86_*)) or (all of ($exe_x64_*)) or (all of ($dll_*)) or (any of ($sys_*))
}
rule mimikatz_lsass_mdmp
{
meta:
description = "LSASS minidump file for mimikatz"
author = "Benjamin DELPY (gentilkiwi)"
meta:
description = "LSASS minidump file for mimikatz"
author = "Benjamin DELPY (gentilkiwi)"
strings:
$lsass = "System32\\lsass.exe" wide nocase
strings:
$lsass = "System32\\lsass.exe" wide nocase
condition:
(uint32(0) == 0x504d444d) and $lsass
condition:
(uint32(0) == 0x504d444d) and $lsass
}
rule mimikatz_kirbi_ticket
{
meta:
description = "KiRBi ticket for mimikatz"
author = "Benjamin DELPY (gentilkiwi)"
meta:
description = "KiRBi ticket for mimikatz"
author = "Benjamin DELPY (gentilkiwi)"
strings:
$asn1 = { 76 82 ?? ?? 30 82 ?? ?? a0 03 02 01 05 a1 03 02 01 16 }
strings:
$asn1 = { 76 82 ?? ?? 30 82 ?? ?? a0 03 02 01 05 a1 03 02 01 16 }
condition:
$asn1 at 0
condition:
$asn1 at 0
}
rule wce
{
meta:
description = "wce"
author = "Benjamin DELPY (gentilkiwi)"
tool_author = "Hernan Ochoa (hernano)"
meta:
description = "wce"
author = "Benjamin DELPY (gentilkiwi)"
tool_author = "Hernan Ochoa (hernano)"
strings:
$hex_legacy = { 8b ff 55 8b ec 6a 00 ff 75 0c ff 75 08 e8 [0-3] 5d c2 08 00 }
$hex_x86 = { 8d 45 f0 50 8d 45 f8 50 8d 45 e8 50 6a 00 8d 45 fc 50 [0-8] 50 72 69 6d 61 72 79 00 }
$hex_x64 = { ff f3 48 83 ec 30 48 8b d9 48 8d 15 [0-16] 50 72 69 6d 61 72 79 00 }
strings:
$hex_legacy = { 8b ff 55 8b ec 6a 00 ff 75 0c ff 75 08 e8 [0-3] 5d c2 08 00 }
$hex_x86 = { 8d 45 f0 50 8d 45 f8 50 8d 45 e8 50 6a 00 8d 45 fc 50 [0-8] 50 72 69 6d 61 72 79 00 }
$hex_x64 = { ff f3 48 83 ec 30 48 8b d9 48 8d 15 [0-16] 50 72 69 6d 61 72 79 00 }
condition:
any of them
condition:
any of them
}
rule lsadump
{
meta:
description = "LSA dump programe (bootkey/syskey) – pwdump and others"
author = "Benjamin DELPY (gentilkiwi)"
meta:
description = "LSA dump programe (bootkey/syskey) - pwdump and others"
author = "Benjamin DELPY (gentilkiwi)"
strings:
$str_sam_inc = "\\Domains\\Account" ascii nocase
$str_sam_exc = "\\Domains\\Account\\Users\\Names\\" ascii nocase
$hex_api_call = {(41 b8 | 68) 00 00 00 02 [0-64] (68 | ba) ff 07 0f 00 }
$str_msv_lsa = { 4c 53 41 53 52 56 2e 44 4c 4c 00 [0-32] 6d 73 76 31 5f 30 2e 64 6c 6c 00 }
$hex_bkey = { 4b 53 53 4d [20-70] 05 00 01 00}
strings:
$str_sam_inc = "\\Domains\\Account" ascii nocase
$str_sam_exc = "\\Domains\\Account\\Users\\Names\\" ascii nocase
$hex_api_call = {(41 b8 | 68) 00 00 00 02 [0-64] (68 | ba) ff 07 0f 00 }
$str_msv_lsa = { 4c 53 41 53 52 56 2e 44 4c 4c 00 [0-32] 6d 73 76 31 5f 30 2e 64 6c 6c 00 }
$hex_bkey = { 4b 53 53 4d [20-70] 05 00 01 00}
condition:
($str_sam_inc and not $str_sam_exc) or $hex_api_call or $str_msv_lsa or $hex_bkey
condition:
( ($str_sam_inc and not $str_sam_exc) or $hex_api_call or $str_msv_lsa or $hex_bkey )
and not uint16(0) == 0x5a4d
}
rule power_pe_injection
rule Mimikatz_Logfile
{
meta:
description = "PowerShell with PE Reflective Injection"
author = "Benjamin DELPY (gentilkiwi)"
meta:
description = "Detects a log file generated by malicious hack tool mimikatz"
author = "Florian Roth"
score = 80
date = "2015/03/31"
strings:
$s1 = "SID :" ascii fullword
$s2 = "* NTLM :" ascii fullword
$s3 = "Authentication Id :" ascii fullword
$s4 = "wdigest :" ascii fullword
condition:
all of them
}
strings:
$str_loadlib = "0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9"
rule AppInitHook {
meta:
description = "AppInitGlobalHooks-Mimikatz - Hide Mimikatz From Process Lists - file AppInitHook.dll"
author = "Florian Roth"
reference = "https://goo.gl/Z292v6"
date = "2015-07-15"
score = 70
hash = "e7563e4f2a7e5f04a3486db4cefffba173349911a3c6abd7ae616d3bf08cfd45"
strings:
$s0 = "\\Release\\AppInitHook.pdb" ascii
$s1 = "AppInitHook.dll" fullword ascii
$s2 = "mimikatz.exe" fullword wide
$s3 = "]X86Instruction->OperandSize >= Operand->Length" fullword wide
$s4 = "mhook\\disasm-lib\\disasm.c" fullword wide
$s5 = "mhook\\disasm-lib\\disasm_x86.c" fullword wide
$s6 = "VoidFunc" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 500KB and 4 of them
}
condition:
$str_loadlib
rule VSSown_VBS {
meta:
description = "Detects VSSown.vbs script - used to export shadow copy elements like NTDS to take away and crack elsewhere"
author = "Florian Roth"
date = "2015-10-01"
score = 75
strings:
$s0 = "Select * from Win32_Service Where Name ='VSS'" ascii
$s1 = "Select * From Win32_ShadowCopy" ascii
$s2 = "cmd /C mklink /D " ascii
$s3 = "ClientAccessible" ascii
$s4 = "WScript.Shell" ascii
$s5 = "Win32_Process" ascii
condition:
all of them
}
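Review bot: `$s10 = "ekurlsa::minidump" fullword ascii` in Mimikatz_Memory_Rule_1 (the copy that this hunk appears to relocate from earlier in the file) looks like a typo for `sekurlsa::minidump`; because the string carries `fullword` and the intended text is preceded by the alphanumeric `s`, the command can never satisfy this string, so that module goes undetected while every sibling string uses the `sekurlsa::` prefix. Change it to `$s10 = "sekurlsa::minidump" fullword ascii`. Separately, the new file header in the first hunk stamps `revision: 20150510`, but this hunk adds rules dated `2015-07-15` (AppInitHook) and `2015-10-01` (VSSown_VBS), so the revision line should be bumped or dropped rather than implying the ruleset predates its newest rules.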