/*
Phishing Kit Emails
*/
rule PhishingKitEmail
{
    // PHP source from a phishing kit that hard-codes a free-mail "drop" address for the
    // harvested data. file_type and file_name are EXTERNAL variables, not yara built-ins:
    // they have to be supplied at scan time (yara -d file_type=php -d file_name=<name> ...)
    // or the rule does not compile. The file_name terms are case-sensitive substrings;
    // "log" already covers "login" and "logon", and broad terms such as "to" or "pass"
    // match many ordinary names, so the list filters only loosely.
    // The provider strings are case-sensitive too: "@GMAIL.COM" would not match.
    strings:
        $domain1  = "@gmail.com"
        $domain2  = "@yandex.com"
        $domain3  = "@outlook.com"
        $domain4  = "@protonmail.com"
        $domain5  = "@yahoo.com"
        $domain6  = "@hotmail.com"
        $domain7  = "@zoho.com"
        $domain8  = "@yandex.ru"
        $domain9  = "@163.com"
        $domain10 = "@aol.com"
        $domain11 = "@mail.ru"
    condition:
        file_type contains "php"
        and (
            file_name contains "mail"    or file_name contains "result"  or
            file_name contains "next"    or file_name contains "send"    or
            file_name contains "connect" or file_name contains "info"    or
            file_name contains "config"  or file_name contains "process" or
            file_name contains "step"    or file_name contains "success" or
            file_name contains "to"      or file_name contains "login"   or
            file_name contains "logon"   or file_name contains "3d"      or
            file_name contains "action"  or file_name contains "pass"    or
            file_name contains "user"    or file_name contains "verif"   or
            file_name contains "post"    or file_name contains "finish"  or
            file_name contains "log"     or file_name contains "submit"  or
            file_name contains "check"
        )
        and any of them
}
Monday, April 27, 2020
phishingkit email phishing yara rule
Friday, April 10, 2020
Find all Malware in a Folder with a Single String in it
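# the keyword string to search for
$stringToSearchFor = "http://nsis.sf.net/NSIS_Error";
# run strings on all malware *.bin files in the directory and output strings to .bin.txt files
# - strings64.exe is launched through cmd.exe so that ">" redirects its stdout to a file
# - both paths are double-quoted inside the cmd.exe argument string so a name with spaces
#   (e.g. "Internet Speed Tracker.bin") stays a single argument
# - -Wait blocks until each strings run has finished; without it the search below can start
#   before the .txt files are completely written
# - the .txt files land in the current directory (cmd.exe inherits it), which is also where the
#   second loop has to look
Get-ChildItem \ -Filter *.bin | Select-Object Name, FullName | ForEach-Object {
    $cmd = '/c strings64.exe -n 8 "' + $_.FullName + '" > "' + $_.Name + '.txt"'
    Start-Process -FilePath "cmd.exe" -ArgumentList $cmd -Wait
}
# search each *.bin.txt strings results for that keyword
# NOTE: -contains is whole-line equality against the strings output, not a substring test; a
# line that merely includes the keyword is not reported. Use "Select-String -SimpleMatch -Quiet"
# if a substring search is wanted.
Get-ChildItem \ -Filter *.bin.txt | Select-Object Name, FullName | ForEach-Object {
    [string[]] $lines = Get-Content -Path $_.FullName
    if ($lines -contains $stringToSearchFor) { $_.Name }
}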
----------
search all malware files for a single string
----------
sample output
----------
EasyPDFCombine.bin.txt
EverydayLookup.bin.txt
FromDocToPdf.bin.txt
Internet Speed Tracker.bin.txt
YourTemplateFinder.bin.txt
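$stringToSearchFor = "http://nsis.sf.net/NSIS_Error";
# run strings on all malware *.bin files in the directory and output strings to .bin.txt files
# - strings64.exe is launched through cmd.exe so that ">" redirects its stdout to a file
# - both paths are double-quoted inside the cmd.exe argument string so a name with spaces
#   (e.g. "Internet Speed Tracker.bin") stays a single argument
# - -Wait blocks until each strings run has finished; without it the search below can start
#   before the .txt files are completely written
# - the .txt files land in the current directory (cmd.exe inherits it), which is also where the
#   second loop has to look
Get-ChildItem \ -Filter *.bin | Select-Object Name, FullName | ForEach-Object {
    $cmd = '/c strings64.exe -n 8 "' + $_.FullName + '" > "' + $_.Name + '.txt"'
    Start-Process -FilePath "cmd.exe" -ArgumentList $cmd -Wait
}
# search each *.bin.txt strings results for that keyword
# NOTE: -contains is whole-line equality against the strings output, not a substring test; a
# line that merely includes the keyword is not reported. Use "Select-String -SimpleMatch -Quiet"
# if a substring search is wanted.
Get-ChildItem \ -Filter *.bin.txt | Select-Object Name, FullName | ForEach-Object {
    [string[]] $lines = Get-Content -Path $_.FullName
    if ($lines -contains $stringToSearchFor) { $_.Name }
}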
----------
search all malware files for a single string
----------
sample output
----------
EasyPDFCombine.bin.txt
EverydayLookup.bin.txt
FromDocToPdf.bin.txt
Internet Speed Tracker.bin.txt
YourTemplateFinder.bin.txt
Use Powershell to Run Yara against entire Folder of Malware
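# run "myrules.yar" against all *.bin files in a folder and print to standard output
# The call operator (&) with separate arguments hands each path to yara as one argument. The
# earlier form built a command string and ran it with Invoke-Expression, which split a file
# name containing spaces into several arguments (the "error: could not open file: \Internet"
# seen for "Internet Speed Tracker.bin") and would also evaluate any PowerShell syntax that
# happens to be in a sample's file name.
Get-ChildItem \ -Filter *.bin | Select-Object FullName | ForEach-Object {
    & ./yara64.exe -s myrules.yar $_.FullName
}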
---------
---------
sample output
---------
MindsparkToolbar \EasyPDFCombine.bin
0x4a34e:$eula: http://eula.mindspark.com/ask/0
0x4b2e6:$eula: http://eula.mindspark.com/ask/0
0xae8c:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
0xafca:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
0xb090:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
MindsparkToolbar \EverydayLookup.bin
0x5c276:$eula: http://eula.mindspark.com/ask/0
0x5d20e:$eula: http://eula.mindspark.com/ask/0
0xc414:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
0xc55a:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
0xc620:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
MindsparkToolbar \FromDocToPdf.bin
0x5fbce:$eula: http://eula.mindspark.com/ask/0
0x60b69:$eula: http://eula.mindspark.com/ask/0
0x5f05f:$publisher: Mindspark Interactive Network, Inc.
0x5f08d:$publisher: Mindspark Interactive Network, Inc.
0x600be:$publisher: Mindspark Interactive Network, Inc.
0x600ec:$publisher: Mindspark Interactive Network, Inc.
0xae8c:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
0xafca:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
0xb090:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
error: could not open file: \Internet
MindsparkToolbar \YourTemplateFinder.bin
0x5b498:$eula: http://eula.mindspark.com/ask/0
0x5c43a:$eula: http://eula.mindspark.com/ask/0
0xae8c:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
0xafe2:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
0xb0a8:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
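# run "myrules.yar" against all *.bin files in a folder and print to standard output
# The call operator (&) with separate arguments hands each path to yara as one argument. The
# earlier form built a command string and ran it with Invoke-Expression, which split a file
# name containing spaces into several arguments (the "error: could not open file: \Internet"
# seen for "Internet Speed Tracker.bin") and would also evaluate any PowerShell syntax that
# happens to be in a sample's file name.
Get-ChildItem \ -Filter *.bin | Select-Object FullName | ForEach-Object {
    & ./yara64.exe -s myrules.yar $_.FullName
}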
---------
run yara against all malware files in a folder
sample output
---------
MindsparkToolbar \EasyPDFCombine.bin
0x4a34e:$eula: http://eula.mindspark.com/ask/0
0x4b2e6:$eula: http://eula.mindspark.com/ask/0
0xae8c:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
0xafca:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
0xb090:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
MindsparkToolbar \EverydayLookup.bin
0x5c276:$eula: http://eula.mindspark.com/ask/0
0x5d20e:$eula: http://eula.mindspark.com/ask/0
0xc414:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
0xc55a:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
0xc620:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
MindsparkToolbar \FromDocToPdf.bin
0x5fbce:$eula: http://eula.mindspark.com/ask/0
0x60b69:$eula: http://eula.mindspark.com/ask/0
0x5f05f:$publisher: Mindspark Interactive Network, Inc.
0x5f08d:$publisher: Mindspark Interactive Network, Inc.
0x600be:$publisher: Mindspark Interactive Network, Inc.
0x600ec:$publisher: Mindspark Interactive Network, Inc.
0xae8c:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
0xafca:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
0xb090:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
error: could not open file: \Internet
MindsparkToolbar \YourTemplateFinder.bin
0x5b498:$eula: http://eula.mindspark.com/ask/0
0x5c43a:$eula: http://eula.mindspark.com/ask/0
0xae8c:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
0xafe2:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
0xb0a8:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
Yara Basics - Regular Expression
rule HasUrls
{
    // Any http:// or https:// URL: the scheme followed by a run of non-whitespace that
    // contains a dot with 2-5 more non-whitespace characters after it. $urlregex is the
    // ASCII form, $urlregexwide the UTF-16LE form. "https?" and "\S" are the compact
    // equivalents of "(s|)" and "[^\s]".
    strings:
        $urlregex     = /https?:\/\/\S+\.\S{2,5}/
        $urlregexwide = /https?:\/\/\S+\.\S{2,5}/ wide
    condition:
        $urlregex or $urlregexwide
}
{
strings:
$urlregex = /http(s|):\/\/[^\s]+\.[^\s]{2,5}/
$urlregexwide = /http(s|):\/\/[^\s]+\.[^\s]{2,5}/ wide
condition:
any of them
}
Yara Basics - Unicode wide
rule IsNullsoftInstaller
{
    // The NSIS error-page URL the author uses as an installer marker. Only the UTF-16LE
    // ("wide") encoding is searched, so a file carrying the string in plain ASCII does
    // not match; add "ascii" next to "wide" if both encodings should hit.
    strings:
        $nullsoft = "http://nsis.sf.net/NSIS_Error" wide
    condition:
        $nullsoft
}
{
strings:
$nullsoft = "http://nsis.sf.net/NSIS_Error" wide
condition:
any of them
}
Yara Basics - Magic Text
rule IsExecutable
{
    // "MZ" (bytes 4D 5A) at offset 0, the DOS header magic. uint16(0) reads those two
    // bytes little-endian, so 0x5A4D is the same test as "$exe at 0" with $exe = { 4D 5A }.
    // Every file that starts with a DOS header matches (DLLs and drivers included), not
    // only .exe files, and a file shorter than two bytes never matches.
    condition:
        uint16(0) == 0x5A4D
}
{
strings:
$exe = { 4D 5A }
condition:
$exe at 0
}
Thursday, December 5, 2019
yaraOneLiner.py
# Run Yara Rules against a file ONE LINE AT A TIME instead of against the whole file
import os
import subprocess
import traceback
import argparse
import sys
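yaraParams = "-s"
tempFileName = "yaraOneLiner.tmp"
lineNumber = 1
output = ""

arguments = argparse.ArgumentParser("yaraOneLine.py -e yara64.exe -f input.csv -r rule.yar")
arguments.add_argument("-e", "--yaraExe", type=str, required=True, help="Yara executable to use")
arguments.add_argument("-f", "--inputFileName", type=str, required=True, help="Input file to yara scan")
arguments.add_argument("-r", "--yaraRuleFile", type=str, required=True, help="Yara rule file to scan against")
arguments.add_argument("-d", "--debug", action="store_true", required=False, help="Enable debugging messages")
arguments.add_argument("-s", "--status", action="store_true", required=False, help="Enable status tracking for large files")
settings = arguments.parse_args()

# yara is invoked as an argument list without a shell: the executable, rule and temp-file
# paths reach yara exactly as given instead of being re-parsed by cmd/sh, so a path with
# spaces or shell metacharacters can no longer break or alter the command.
yaraCommand = [settings.yaraExe, yaraParams, settings.yaraRuleFile, tempFileName]
yaraCommandText = " ".join(yaraCommand)  # display form for debug/error messages only

# Every line of the input file is written on its own to tempFileName and scanned
# separately, so a hit can be reported together with its 1-based line number.
with open(settings.inputFileName, "r") as lines:
    for line in lines:
        line = line.rstrip()
        if settings.debug:
            print("\r\n---\r\nLINE %s: %s" % (str(lineNumber), line))
        if settings.status and (lineNumber % 50) == 0:
            print("STATUS: processing line %s" % (str(lineNumber)))
        with open(tempFileName, "w") as tempfile:
            tempfile.write(line)
        output = ""  # reset per line so a failed run cannot report the previous line's output
        try:
            if settings.debug:
                print("ABOUT TO RUN: %s" % yaraCommandText)
                input()  # wait for Enter so the temp file can be inspected before scanning
                print("STARTED: YARA")
            # decode the captured bytes instead of trimming "b'" off str(bytes)
            output = subprocess.check_output(yaraCommand).decode("utf-8", "replace").rstrip()
            if settings.debug:
                print("OUTPUT: %s" % output)
        except Exception as e:
            # check_output raises on a non-zero exit; whatever yara printed before
            # failing is kept on the exception and shown for diagnosis
            if isinstance(e, subprocess.CalledProcessError) and e.output:
                output = e.output.decode("utf-8", "replace").rstrip()
            print("COMMAND: %s" % yaraCommandText)
            print("OUTPUT: %s" % output)
            print("ERROR: %s" % str(e))
            output = ""
        if not output:
            if settings.debug:
                print("MATCHES: 0 (no output)")
        elif tempFileName in output:
            # with -s yara prints "<rule> <file>" and then one "0x<offset>:$id: <data>" line
            # per string hit, so the temp file name appearing in the output means a match
            if settings.debug:
                print("MATCHES: 1+")
            print("MATCH LINE NUMBER %s:" % str(lineNumber))
            print(" LINE: %s" % line)  # was '" LINE: %s" + line', which printed a literal %s
            print(" YARA:")
            for row in output.splitlines():
                print(" %s" % row)
        else:
            print("MATCHES: 0 (with output)")
        lineNumber = lineNumber + 1

# the scratch file is not needed once every line has been scanned
if os.path.exists(tempFileName):
    os.remove(tempFileName)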
import os
import subprocess
import traceback
import argparse
import sys
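yaraParams = "-s"
tempFileName = "yaraOneLiner.tmp"
lineNumber = 1
output = ""

arguments = argparse.ArgumentParser("yaraOneLine.py -e yara64.exe -f input.csv -r rule.yar")
arguments.add_argument("-e", "--yaraExe", type=str, required=True, help="Yara executable to use")
arguments.add_argument("-f", "--inputFileName", type=str, required=True, help="Input file to yara scan")
arguments.add_argument("-r", "--yaraRuleFile", type=str, required=True, help="Yara rule file to scan against")
arguments.add_argument("-d", "--debug", action="store_true", required=False, help="Enable debugging messages")
arguments.add_argument("-s", "--status", action="store_true", required=False, help="Enable status tracking for large files")
settings = arguments.parse_args()

# yara is invoked as an argument list without a shell: the executable, rule and temp-file
# paths reach yara exactly as given instead of being re-parsed by cmd/sh, so a path with
# spaces or shell metacharacters can no longer break or alter the command.
yaraCommand = [settings.yaraExe, yaraParams, settings.yaraRuleFile, tempFileName]
yaraCommandText = " ".join(yaraCommand)  # display form for debug/error messages only

# Every line of the input file is written on its own to tempFileName and scanned
# separately, so a hit can be reported together with its 1-based line number.
with open(settings.inputFileName, "r") as lines:
    for line in lines:
        line = line.rstrip()
        if settings.debug:
            print("\r\n---\r\nLINE %s: %s" % (str(lineNumber), line))
        if settings.status and (lineNumber % 50) == 0:
            print("STATUS: processing line %s" % (str(lineNumber)))
        with open(tempFileName, "w") as tempfile:
            tempfile.write(line)
        output = ""  # reset per line so a failed run cannot report the previous line's output
        try:
            if settings.debug:
                print("ABOUT TO RUN: %s" % yaraCommandText)
                input()  # wait for Enter so the temp file can be inspected before scanning
                print("STARTED: YARA")
            # decode the captured bytes instead of trimming "b'" off str(bytes)
            output = subprocess.check_output(yaraCommand).decode("utf-8", "replace").rstrip()
            if settings.debug:
                print("OUTPUT: %s" % output)
        except Exception as e:
            # check_output raises on a non-zero exit; whatever yara printed before
            # failing is kept on the exception and shown for diagnosis
            if isinstance(e, subprocess.CalledProcessError) and e.output:
                output = e.output.decode("utf-8", "replace").rstrip()
            print("COMMAND: %s" % yaraCommandText)
            print("OUTPUT: %s" % output)
            print("ERROR: %s" % str(e))
            output = ""
        if not output:
            if settings.debug:
                print("MATCHES: 0 (no output)")
        elif tempFileName in output:
            # with -s yara prints "<rule> <file>" and then one "0x<offset>:$id: <data>" line
            # per string hit, so the temp file name appearing in the output means a match
            if settings.debug:
                print("MATCHES: 1+")
            print("MATCH LINE NUMBER %s:" % str(lineNumber))
            print(" LINE: %s" % line)  # was '" LINE: %s" + line', which printed a literal %s
            print(" YARA:")
            for row in output.splitlines():
                print(" %s" % row)
        else:
            print("MATCHES: 0 (with output)")
        lineNumber = lineNumber + 1

# the scratch file is not needed once every line has been scanned
if os.path.exists(tempFileName):
    os.remove(tempFileName)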
Neo23x0 Sigma Proxy Rules converted to simple Yara
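rule Neo23x0SigmaUserAgentMatch
{
    // Single-string triage rule: any one of the user-agent fragments below fires it, so
    // every entry has to be specific enough to stand on its own.
    // Changes from the straight Sigma -> yara conversion:
    //  - the literal "nocase" entry (old $string160) was dropped; it is the Sigma
    //    case-insensitivity modifier that leaked into the list, not a user agent
    //  - two entries that repeated the preceding string byte-for-byte (old $string93 and
    //    $string124) were dropped, which does not change what matches
    // Very short or generic entries ("asd", "tiny", "Bot", "sample", "user-agent",
    // "exploit", "Telegram", "Internet Explorer") are kept for fidelity to the source but
    // will hit ordinary traffic and may draw yara's slow-string warning; review them before
    // using this rule for anything beyond triage. All matches are case-sensitive.
    meta:
        author = "@neonprimetime"
        description = "@Neo23x0 Proxy User Agent Rules https://github.com/Neo23x0/sigma/tree/master/rules/proxy"
    strings:
        $string1 = "(compatible;MSIE"
        $string2 = "BFAC"
        $string3 = "BGroom"
        $string4 = "CholTBAgent"
        $string5 = "Havij"
        $string7 = "adlib/"
        $string8 = "arachni/"
        $string9 = "asd"
        $string10 = "brutus"
        $string11 = "cgichk"
        $string12 = "changhuatong"
        $string13 = "crimscanner/"
        $string14 = "inspath"
        $string15 = "mdms"
        $string16 = "metis"
        $string17 = "pxyscand"
        $string18 = "tiny"
        $string19 = "vega/"
        $string20 = "whcc/"
        $string21 = "zmeu"
        $string22 = "(Charon; Inferno)"
        $string23 = "(hydra)"
        $string24 = ".0;Windows NT"
        $string25 = "<|>"
        $string26 = "Bot"
        $string27 = "Microsoft Internet Explorer"
        $string28 = "Telegram"
        $string29 = "absinthe"
        $string30 = "bsqlbf"
        $string31 = "core-project/1.0"
        $string32 = "datacha0s"
        $string33 = "dirbuster"
        $string34 = "domino hunter"
        $string35 = "dotdotpwn"
        $string36 = "exploit"
        $string37 = "floodgate"
        $string38 = "get-minimal"
        $string39 = "gootkit auto-rooter scanner"
        $string40 = "grendel-scan"
        $string41 = "internet ninja"
        $string42 = "jaascois"
        $string43 = "masscan"
        $string44 = "morfeus fucking scanner"
        $string45 = "mysqloit"
        $string46 = "n-stealth"
        $string47 = "nsauditor"
        $string48 = "pangolin"
        $string49 = "pmafind"
        $string50 = "security scan"
        $string51 = "springenwerk"
        $string52 = "sql power injector"
        $string53 = "sqlmap"
        $string54 = "sqlninja"
        $string55 = "teh forest lobster"
        $string56 = "toata dragostea"
        $string57 = "uil2pn"
        $string58 = "voideye"
        $string59 = "webshag"
        $string60 = "webvulnscan"
        $string61 = "wordpress hash grabber"
        $string62 = "zeroup"
        $string63 = "AutoIt"
        $string64 = "CertUtil URL Agent"
        $string65 = "DotDotPwn v2.1"
        $string66 = "FHScan Core"
        $string67 = "HttpBrowser/1.0"
        $string68 = "IczelionDownLoad"
        $string69 = "Internet Explorer"
        $string75 = "Moxilla"
        $string78 = "Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1"
        $string79 = "Mozilla v5.1"
        $string80 = "Mozilla/1.0"
        $string81 = "Mozilla/2.0"
        $string83 = "Mozilla/4.0 (compatible; MSI 6.0;"
        $string84 = "Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)"
        $string85 = "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
        $string86 = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
        $string87 = "Mozilla/4.0 (compatible; MSIE 6.0; DynGate)"
        $string88 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
        $string89 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
        $string90 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)"
        $string91 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)"
        $string92 = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)"
        $string94 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
        $string95 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
        $string96 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR = {7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N"
        $string97 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)"
        $string98 = "Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)"
        $string99 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"
        $string100 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)"
        $string101 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
        $string102 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
        $string103 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)"
        $string104 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)"
        $string105 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)"
        $string106 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)"
        $string107 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)"
        $string108 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)"
        $string109 = "Mozilla/4.0 (compatible; Metasploit RSPEC)"
        $string110 = "Mozilla/4.0 (compatible; RMS)"
        $string111 = "Mozilla/4.0 (compatible; SPIPE/1.0"
        $string112 = "Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)"
        $string114 = "Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)"
        $string115 = "Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)"
        $string117 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)"
        $string118 = "Mozilla/5.0 (Windows NT 5.1 ; v."
        $string119 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
        $string120 = "Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko"
        $string121 = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0"
        $string122 = "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/"
        $string123 = "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"
        $string125 = "Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0"
        $string126 = "Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2"
        $string127 = "Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0"
        $string128 = "Mozilla/5.0 (Windows NT 9;"
        $string129 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13"
        $string130 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1"
        $string131 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)"
        $string132 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)"
        $string133 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)"
        $string134 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200"
        $string135 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7"
        $string136 = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
        $string137 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0"
        $string138 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
        $string139 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)"
        $string140 = "Mozilla/5.0 WinInet"
        $string142 = "Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)"
        $string143 = "Netscape"
        $string144 = "O/9.27 (W; U; Z)"
        $string146 = "Opera/8.81 (Windows NT 6.0; U; en)"
        $string147 = "RookIE/1.0"
        $string148 = "SIPDROID"
        $string149 = "SJZJ (compatible; MSIE 6.0; Win32)"
        $string150 = "Sametime Community Agent"
        $string151 = "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC"
        $string152 = "Wget/1.9+cvs-stable (Red Hat modified)"
        $string154 = "X-FORWARDED-FOR"
        $string155 = "XMRig"
        $string157 = "backdoorbot"
        $string158 = "ccminer"
        $string159 = "hots scot"
        $string161 = "nsis_inetc (mozilla)"
        $string162 = "ruler"
        $string163 = "sample"
        $string164 = "user-agent"
    condition:
        1 of them
}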
{
meta:
author = "@neonprimetime"
description = "@Neo23x0 Proxy User Agent Rules https://github.com/Neo23x0/sigma/tree/master/rules/proxy"
strings:
$string1 = "(compatible;MSIE"
$string2 = "BFAC"
$string3 = "BGroom"
$string4 = "CholTBAgent"
$string5 = "Havij"
$string7 = "adlib/"
$string8 = "arachni/"
$string9 = "asd"
$string10 = "brutus"
$string11 = "cgichk"
$string12 = "changhuatong"
$string13 = "crimscanner/"
$string14 = "inspath"
$string15 = "mdms"
$string16 = "metis"
$string17 = "pxyscand"
$string18 = "tiny"
$string19 = "vega/"
$string20 = "whcc/"
$string21 = "zmeu"
$string22 = "(Charon; Inferno)"
$string23 = "(hydra)"
$string24 = ".0;Windows NT"
$string25 = "<|>"
$string26 = "Bot"
$string27 = "Microsoft Internet Explorer"
$string28 = "Telegram"
$string29 = "absinthe"
$string30 = "bsqlbf"
$string31 = "core-project/1.0"
$string32 = "datacha0s"
$string33 = "dirbuster"
$string34 = "domino hunter"
$string35 = "dotdotpwn"
$string36 = "exploit"
$string37 = "floodgate"
$string38 = "get-minimal"
$string39 = "gootkit auto-rooter scanner"
$string40 = "grendel-scan"
$string41 = "internet ninja"
$string42 = "jaascois"
$string43 = "masscan"
$string44 = "morfeus fucking scanner"
$string45 = "mysqloit"
$string46 = "n-stealth"
$string47 = "nsauditor"
$string48 = "pangolin"
$string49 = "pmafind"
$string50 = "security scan"
$string51 = "springenwerk"
$string52 = "sql power injector"
$string53 = "sqlmap"
$string54 = "sqlninja"
$string55 = "teh forest lobster"
$string56 = "toata dragostea"
$string57 = "uil2pn"
$string58 = "voideye"
$string59 = "webshag"
$string60 = "webvulnscan"
$string61 = "wordpress hash grabber"
$string62 = "zeroup"
$string63 = "AutoIt"
$string64 = "CertUtil URL Agent"
$string65 = "DotDotPwn v2.1"
$string66 = "FHScan Core"
$string67 = "HttpBrowser/1.0"
$string68 = "IczelionDownLoad"
$string69 = "Internet Explorer"
$string75 = "Moxilla"
$string78 = "Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1"
$string79 = "Mozilla v5.1"
$string80 = "Mozilla/1.0"
$string81 = "Mozilla/2.0"
$string83 = "Mozilla/4.0 (compatible; MSI 6.0;"
$string84 = "Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)"
$string85 = "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
$string86 = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
$string87 = "Mozilla/4.0 (compatible; MSIE 6.0; DynGate)"
$string88 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
$string89 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
$string90 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)"
$string91 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)"
$string92 = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)"
$string93 = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)"
$string94 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
$string95 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
$string96 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR = {7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N"
$string97 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)"
$string98 = "Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)"
$string99 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"
$string100 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)"
$string101 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
$string102 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
$string103 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)"
$string104 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)"
$string105 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)"
$string106 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)"
$string107 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)"
$string108 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)"
$string109 = "Mozilla/4.0 (compatible; Metasploit RSPEC)"
$string110 = "Mozilla/4.0 (compatible; RMS)"
$string111 = "Mozilla/4.0 (compatible; SPIPE/1.0"
$string112 = "Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)"
$string114 = "Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)"
$string115 = "Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)"
$string117 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)"
$string118 = "Mozilla/5.0 (Windows NT 5.1 ; v."
$string119 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
$string120 = "Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko"
$string121 = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0"
$string122 = "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/"
$string123 = "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"
$string124 = "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"
$string125 = "Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0"
$string126 = "Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2"
$string127 = "Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0"
$string128 = "Mozilla/5.0 (Windows NT 9;"
$string129 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13"
$string130 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1"
$string131 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)"
$string132 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)"
$string133 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)"
$string134 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200"
$string135 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7"
$string136 = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
$string137 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0"
$string138 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
$string139 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)"
$string140 = "Mozilla/5.0 WinInet"
$string142 = "Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)"
$string143 = "Netscape"
$string144 = "O/9.27 (W; U; Z)"
$string146 = "Opera/8.81 (Windows NT 6.0; U; en)"
$string147 = "RookIE/1.0"
$string148 = "SIPDROID"
$string149 = "SJZJ (compatible; MSIE 6.0; Win32)"
$string150 = "Sametime Community Agent"
$string151 = "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC"
$string152 = "Wget/1.9+cvs-stable (Red Hat modified)"
$string154 = "X-FORWARDED-FOR"
$string155 = "XMRig"
$string157 = "backdoorbot"
$string158 = "ccminer"
$string159 = "hots scot"
$string160 = "nocase"
$string161 = "nsis_inetc (mozilla)"
$string162 = "ruler"
$string163 = "sample"
$string164 = "user-agent"
condition:
1 of them
}
Labels:
Florian Roth,
Neo23x0,
Sigma,
UA,
User Agent,
UserAgent,
yara
Generic Triage Yara Rules
rule RemoteControlUrlAccessed
{
    // Triage: a URL or log line naming a remote-control product. Each entry is a plain
    // case-insensitive substring, so it also hits unrelated text that happens to contain
    // it (e.g. "uvnc" inside a longer word). $string5 looks like a browser extension id
    // rather than a product name; confirm which product it stands for before relying on it.
    meta:
        author = "@neonprimetime"
        description = "Cloud Remote Control Url Accessed"
    strings:
        $string0  = "teamviewer" nocase
        $string1  = "splashtop" nocase
        $string2  = "ammyy" nocase
        $string3  = "mikogo" nocase
        $string4  = "uvnc" nocase
        $string5  = "gbchcmhmhahfdphkhkmpfmihenigjmpp" nocase
        $string6  = "logmein" nocase
        $string7  = "join.me" nocase
        $string8  = "realvnc" nocase
        $string9  = "dameware" nocase
        $string10 = "dwservice" nocase
        $string11 = "anydesk" nocase
    condition:
        any of them
}
rule WebMailUrlAccessed
{
    // Triage: a URL or log line naming a web-mail provider. The list mixes host names with
    // one address suffix ("@gmail.com"), so a Gmail web URL (mail.google.com) does not hit
    // this rule, while "zoho.com" and "yandex.com" also cover those providers' non-mail
    // services. Case-insensitive substring matches; $string9 is unused in the numbering.
    meta:
        author = "@neonprimetime"
        description = "Web Mail Url Accessed"
    strings:
        $string0  = "mail.yahoo.com" nocase
        $string1  = "@gmail.com" nocase
        $string2  = "outlook.live.com" nocase
        $string3  = "mail.protonmail.com" nocase
        $string4  = "zoho.com" nocase
        $string5  = "yandex.com" nocase
        $string6  = "tutanota.com" nocase
        $string7  = "kolbanow.com" nocase
        $string8  = "fastmail.com" nocase
        $string10 = "posteo.de" nocase
        $string11 = "startmail.com" nocase
        $string12 = "runbox.com" nocase
        $string13 = "mailfence.com" nocase
        $string14 = "countermail.com" nocase
    condition:
        any of them
}
rule CloudFileStorageUrlAccessed
{
    // Triage: a URL or log line naming a cloud file-sharing service. Substring matching
    // means a short host such as "sync.com" also hits any host that merely ends in those
    // letters; the leading dot on ".box.com" presumably narrows that entry to hosts under
    // that domain. All entries are case-insensitive.
    meta:
        author = "@neonprimetime"
        description = "Cloud File Storage Url Accessed"
    strings:
        $string0  = "dropbox.com" nocase
        $string1  = "drive.google.com" nocase
        $string2  = "wetransfer.com" nocase
        $string3  = "pcloud.com" nocase
        $string4  = "tresorit.com" nocase
        $string5  = "sync.com" nocase
        $string6  = "onedrive.live.com" nocase
        $string7  = ".box.com" nocase
        $string8  = "spideroak.com" nocase
        $string9  = "mega.nz" nocase
        $string10 = "jottacloud.com" nocase
        $string11 = "teamdrive.com" nocase
        $string12 = "mediafire.com" nocase
        $string13 = "cloudup.com" nocase
        $string14 = "cloudme.com" nocase
    condition:
        any of them
}
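rule LateralMovementAttempt
{
    // Triage: names of tools commonly used to reach another host. Fixed: $string2 and
    // $string3 were each defined three times (nc, nc64, netcat); yara rejects duplicated
    // string identifiers, so the rule did not compile. The extra variants now carry their
    // own identifiers ($string9-$string12). "\\" in a yara string is a single backslash.
    // "mstsc" and "ssh.exe" are everyday admin tools and will hit benign activity too.
    meta:
        author = "@neonprimetime"
        description = "Lateral Movement Attempt"
    strings:
        $string0  = "mstsc" nocase
        $string1  = "psexec" nocase
        $string2  = "\\nc.exe" nocase
        $string3  = "/nc.exe" nocase
        $string4  = "putty.exe" nocase
        $string5  = "mobax" nocase
        $string6  = "securecrt" nocase
        $string7  = "ssh.exe" nocase
        $string8  = "winrs" nocase
        $string9  = "\\nc64.exe" nocase
        $string10 = "/nc64.exe" nocase
        $string11 = "\\netcat.exe" nocase
        $string12 = "/netcat.exe" nocase
    condition:
        1 of them
}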
// Flags executables whose file name is a single digit or letter ("/a.exe",
// "\1.exe"), a naming habit of droppers and quick-and-dirty payloads.
rule ShortExecutableName
{
    meta:
        author = "@neonprimetime"
        description = "Short Executable Name"
    strings:
        // One regex standing in for the 72 literal strings of the original:
        // a path separator (either slash), exactly one character from 0-9 or
        // a-z, then ".exe". nocase makes the letter class and the extension
        // case-insensitive, as the literal strings were. Same match set; the
        // only trade-off is that a short, nocase pattern gives YARA a weak
        // search atom, so the compiler may warn about scan speed.
        $short_exe = /[\\\/][0-9a-z]\.exe/ nocase
    condition:
        $short_exe
}
// Flags the token "disableuac" — presumably the name of a setting or script
// that switches off User Account Control, which the author treats as a
// policy breach rather than an attack in itself.
rule PolicyViolation
{
    meta:
        author = "@neonprimetime"
        description = "Policy Violation"
    strings:
        $disable_uac = "disableuac" nocase
    condition:
        $disable_uac
}
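// Flags built-in or ubiquitous Windows binaries that are routinely abused
// for download, execution and reconnaissance. All of them also have
// everyday legitimate uses, so corroborate with context.
rule LivingOffLandCommand
{
    meta:
        author = "@neonprimetime"
        description = "Living Off the Land Command"
    strings:
        $string0 = "mshta.exe" nocase
        // The Windows NetBIOS tool is nbtstat.exe. The original "nbstat.exe"
        // names no Windows binary, so it never matched the intended tool.
        $string1 = "nbtstat.exe" nocase
        $string5 = "/query.exe" nocase
        $string6 = "\\query.exe" nocase
        $string8 = "bitsadmin.exe" nocase
        $string9 = "curl.exe" nocase
        $string10 = "wget.exe" nocase
        $string11 = "systeminfo.exe" nocase
        $string12 = "certutil.exe" nocase
    condition:
        1 of them
}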
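// Flags attachment / subject themes that phishing lures favour (invoices,
// payments, purchase orders, faxes). Deliberately broad; pair it with
// mail-flow context before acting on a hit.
rule PhishingAttachmentThemePossible
{
    meta:
        author = "@neonprimetime"
        description = "Phishing Attachment Theme Possible"
    strings:
        $string0a = "invoice." nocase
        $string0b = "invoice " nocase
        $string1 = "factura" nocase
        $string2 = "wiretransfer" nocase
        // "payment" already covers "payment."; both kept for parity with the
        // other a/b pairs.
        $string4a = "payment" nocase
        $string4b = "payment." nocase
        $string6a = "eFAX " nocase
        $string6b = "eFAX." nocase
        $string7 = "Fattura" nocase
        $string8 = "Enquiry" nocase
        $string9 = "QUOTATION" nocase
        // Identifiers must be unique within a rule; the original assigned
        // $string10 twice and $string14 three times, which YARA rejects as a
        // duplicated identifier, so the rule never compiled.
        $string10a = "receipt " nocase
        $string10b = "receipt." nocase
        $string11a = "payroll." nocase
        $string11b = "payroll " nocase
        $string12 = "PO#" nocase
        $string13 = "Proforma" nocase
        $string14a = "Purchase." nocase
        $string14b = "Purchase " nocase
        $string14c = "PurchaseOrder" nocase
    condition:
        1 of them
}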
// Flags file names that suggest credentials stored in the clear, plus two
// application config files that often embed connection strings.
rule ClearTextPasswordFile
{
    meta:
        author = "@neonprimetime"
        description = "Clear Text Password File"
    strings:
        // singular
        $password_txt  = "password.txt" nocase
        $pwd_txt       = "pwd.txt" nocase
        $passwd_txt    = "passwd.txt" nocase
        $password_doc  = "password.doc" nocase
        $pwd_doc       = "pwd.doc" nocase
        $passwd_doc    = "passwd.doc" nocase
        $password_xls  = "password.xls" nocase
        $pwd_xls       = "pwd.xls" nocase
        $passwd_xls    = "passwd.xls" nocase
        // plural
        $passwords_txt = "passwords.txt" nocase
        $pwds_txt      = "pwds.txt" nocase
        $passwds_txt   = "passwds.txt" nocase
        $passwords_doc = "passwords.doc" nocase
        $pwds_doc      = "pwds.doc" nocase
        $passwds_doc   = "passwds.doc" nocase
        $passwords_xls = "passwords.xls" nocase
        $pwds_xls      = "pwds.xls" nocase
        $passwds_xls   = "passwds.xls" nocase
        // Present on every ASP.NET / IIS host, so these two fire constantly
        // in web-server logs; treat as a weak signal there.
        $web_config    = "web.config" nocase
        $app_config    = "application.config" nocase
    condition:
        any of them
}
// Flags requests for generic admin paths; in a web log this separates
// administrative traffic (legitimate or probing) from ordinary browsing.
rule AdminUrlAccessed
{
    meta:
        author = "@neonprimetime"
        description = "Admin Web Pages"
    strings:
        $admin_path    = "/admin/" nocase
        $wp_admin_path = "/wp-admin/" nocase
    condition:
        any of them
}
// Flags names of offensive tooling, credential viewers and wireless
// scanners. Identifier numbers follow the original rule (gaps included)
// so the two can be cross-referenced.
rule HackingToolFound
{
    meta:
        author = "@neonprimetime"
        description = "Hacking Tool Found"
    strings:
        $tool0  = "kali.exe" nocase
        $tool2  = "wireshark" nocase
        $tool3  = "bloodhound" nocase
        // Generic English words: noisy on documentation and source code.
        $tool4  = "obfuscation" nocase
        $tool5  = "shellcode" nocase
        $tool6  = "keylogger" nocase
        $tool7  = "bypassuac" nocase
        $tool8  = "tokenmanipulation" nocase
        $tool10 = "passhash" nocase
        $tool11 = "kerberoast" nocase
        // Very short and common ("ninja" appears in many product names).
        $tool12 = "ninja" nocase
        $tool13 = "memorynps" nocase
        $tool14 = "metasploit" nocase
        $tool15 = "smbexec" nocase
        $tool16 = "gpppassword" nocase
        $tool17 = "arpscan" nocase
        $tool18 = "dnscat" nocase
        $tool19 = "aircrack" nocase
        $tool20 = "bulletspassview" nocase
        $tool21 = "chromepass" nocase
        $tool22 = "credentialsfileview" nocase
        $tool23 = "echo.exe" nocase
        $tool24 = "hydra.exe" nocase
        $tool25 = "iepv.exe" nocase
        $tool26 = "inssidersetup" nocase
        $tool28 = "mailpv.exe" nocase
        $tool29 = "ministumblersetup" nocase
        $tool33 = "netpass.exe" nocase
        $tool34 = "netstumbler" nocase
        // nltest and setspn ship with Windows / RSAT and are run by AD admins
        // daily; expect benign hits on domain controllers.
        $tool35 = "nltest.exe" nocase
        $tool36 = "ophcrack" nocase
        $tool37 = "rdpv.exe" nocase
        $tool38 = "setspn" nocase
        $tool39 = "sniffpass" nocase
        $tool40 = "vaultpasswordview" nocase
        $tool41 = "\\ver.exe" nocase
        $tool42 = "vncpassview" nocase
        $tool43 = "webbrowserpassview" nocase
    condition:
        any of them
}
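// Flags Win32 / .NET API names and token constants that injection,
// credential and privilege-escalation code tends to reference. Ordinary
// system software uses most of them too; treat as a triage signal.
rule HackingCodeFound
{
    meta:
        author = "@neonprimetime"
        description = "Hacking Code Found"
    strings:
        $string0 = "WriteProcessMemory" nocase
        $string1 = "VirtualAlloc" nocase
        $string2 = "SetWindowsHook" nocase
        $string3 = "SHCreateThread" nocase
        $string4 = "FromBase64String" nocase
        $string5 = "PromptForCredential" nocase
        $string6 = "AdjustTokenPrivileges" nocase
        $string7 = "KerberosRequestorSecurityToken" nocase
        $string8 = "UnsafeNativeMethods" nocase
        // The original fused two API names into one string,
        // "ReadProcessMemoryMiniDumpWriteDump", which no binary contains; they
        // are separate functions and must be separate strings to ever match.
        $string9a = "ReadProcessMemory" nocase
        $string9b = "MiniDumpWriteDump" nocase
        $string10 = "TOKEN_ADJUST_PRIVILEGES" nocase
        $string11 = "TOKEN_IMPERSONATE" nocase
        $string12 = "TOKEN_ELEVATION" nocase
        $string13 = "TOKEN_ALL_ACCESS" nocase
    condition:
        1 of them
}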
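// Flags names of credential-dumping tools and their typical modules.
rule PasswordDumpAttempt
{
    meta:
        author = "@neonprimetime"
        // Was "Password Dump Temp", a typo of the rule's own name.
        description = "Password Dump Attempt"
    strings:
        $string0 = "mimikatz" nocase
        // procdump is a signed Sysinternals tool with legitimate uses; it is
        // listed because it is the usual way to capture LSASS memory.
        $string1 = "procdump" nocase
        $string3 = "hashdump" nocase
        $string4 = "pwdump" nocase
        $string5 = "lsadump" nocase
    condition:
        1 of them
}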
// Flags file:// URLs on the F: and G: drive letters, which on a typical
// workstation are removable media. Identifier numbers follow the original.
rule ExternalDriveAccessed
{
    meta:
        author = "@neonprimetime"
        description = "External Drive Accessed"
    strings:
        $drive4 = "file:///f:/" nocase
        $drive6 = "file:///g:/" nocase
        // Purpose of this token is not evident from the rule — presumably a
        // vendor/product marker related to removable media; verify.
        $drive8 = "mfeprom" nocase
    condition:
        any of them
}
// Flags file names that recon and credential tools write by default
// (BloodHound/SharpHound CSVs, LSASS dumps, nmap/nessus/openvas reports).
rule HackerOutputFile
{
    meta:
        author = "@neonprimetime"
        description = "Hacker Output Files"
    strings:
        $out0  = "acls.csv" nocase
        $out1  = "bloodhound.csv" nocase
        // Generic names; expect hits from backups and database exports.
        $out2  = "dump.csv" nocase
        $out3  = "dump.xml" nocase
        $out4  = "dump.zip" nocase
        $out5  = "firewall.txt" nocase
        $out6  = "group_memberships.csv" nocase
        $out7  = "hashdump.txt" nocase
        $out8  = "local_admins.csv" nocase
        $out9  = "lsadump.txt" nocase
        $out10 = "lsass.dmp" nocase
        $out11 = "lsassdump.dmp" nocase
        $out12 = "mimikatz.xls" nocase
        $out13 = "mini.dmp" nocase
        $out14 = "netscan.xml" nocase
        $out15 = "nmap.csv" nocase
        $out16 = "nmap.txt" nocase
        $out17 = "nmap.xml" nocase
        $out18 = "openvas.csv" nocase
        $out19 = "pwdump.txt" nocase
        $out20 = "secretsdump.txt" nocase
        $out21 = "targets.txt" nocase
        $out22 = "trusts.csv" nocase
        $out23 = "user_sessions.csv" nocase
        $out24 = "bloodhound.bin" nocase
        // Extensions rather than names: any scanner output file matches.
        $out25 = ".gnmap" nocase
        $out26 = ".nessus" nocase
        $out27 = ".nmap" nocase
        $out28 = "p0wn" nocase
    condition:
        any of them
}
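// Flags host / path fragments of offensive-security distributions and
// exploit databases. Each product is covered as a triplet — "name.",
// "/name/", "name-" — so it is caught as a domain, a path segment or an
// ISO/package prefix.
rule HackerUrl
{
    meta:
        author = "@neonprimetime"
        description = "Hacker Url"
    strings:
        // "kali." is short and also a common given name/word; noisy.
        $string1 = "kali." nocase
        $string2 = "/kali/" nocase
        $string3 = "kali-" nocase
        $string4 = "backbox." nocase
        $string5 = "/backbox/" nocase
        $string6 = "backbox-" nocase
        $string7 = "blackarch." nocase
        $string8 = "/blackarch/" nocase
        $string9 = "blackarch-" nocase
        $string10 = "caine-live." nocase
        $string11 = "/caine-live/" nocase
        $string12 = "caine-live-" nocase
        $string13 = "deftlinux." nocase
        $string14 = "/deftlinux/" nocase
        $string15 = "deftlinux-" nocase
        $string16 = "parrotsec." nocase
        $string17 = "/parrotsec/" nocase
        $string18 = "parrotsec-" nocase
        // The original had these two fused into one string,
        // "altlinux./altlinux/", which no URL contains; split to complete the
        // altlinux triplet.
        $string19a = "altlinux." nocase
        $string19b = "/altlinux/" nocase
        $string20 = "altlinux-" nocase
        $string21 = "digi77." nocase
        $string22 = "/digi77/" nocase
        $string23 = "digi77-" nocase
        $string24 = ".paterva." nocase
        $string25 = "portswigger." nocase
        $string26 = "exploit-db." nocase
        $string27 = "/exploit-db/" nocase
        $string28 = "exploit-db-" nocase
        $string29 = "parrot.sh" nocase
        $string30 = "/parrot.sh/" nocase
        $string31 = "basealt.ru" nocase
        $string32 = "/basealt.ru/" nocase
        $string33 = "basealt.ru-" nocase
        $string34 = "0day.today" nocase
        $string35 = "/0day.today/" nocase
        // Likewise "0day.today-archstrike." was two fused fragments: the last
        // member of the 0day.today triplet and the first of the archstrike one.
        $string36a = "0day.today-" nocase
        $string36b = "archstrike." nocase
        $string37 = "/archstrike/" nocase
        $string38 = "archstrike-" nocase
    condition:
        1 of them
}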
// Flags installer / component names of potentially unwanted programs
// (toolbars, "driver updater" and "PC cleaner" products, ad-supported
// utilities). Numbering follows the original rule for cross-reference.
rule PUPSoftware
{
    meta:
        author = "@neonprimetime"
        description = "Potentially Unwanted Software"
    strings:
        $pup0   = "adusetup" nocase
        $pup1   = "advanced driver" nocase
        $pup2   = "anytimeastrology" nocase
        $pup3   = "aplusgamer" nocase
        $pup4   = "apnsetup" nocase
        $pup5   = "apnstub" nocase
        $pup6   = "ascsetup" nocase
        $pup7   = "astromenda" nocase
        $pup8   = "atozmanuals" nocase
        $pup9   = "atwrun" nocase
        $pup10  = "audiotoaudio" nocase
        $pup11  = "bringmesports" nocase
        $pup12  = "bytefence" nocase
        $pup13  = "calendarspark" nocase
        // Widely installed legitimate utility; listed because it is bundled
        // with PUPs. Expect benign hits.
        $pup14  = "ccleaner" nocase
        $pup15  = "citysearch" nocase
        $pup16  = "convertpdfsnowtooltab" nocase
        $pup17  = "coupon companion" nocase
        $pup18  = "couponscom" nocase
        $pup19  = "cursormania" nocase
        $pup20  = "dailybibleguide" nocase
        $pup21  = "dailyrecipeguidetooltab" nocase
        $pup22  = "dailywellnessguide" nocase
        $pup23  = "dictionaryboss" nocase
        $pup24  = "directionsandmap" nocase
        $pup25  = "discoverancestry" nocase
        $pup26  = "discoverliveradio" nocase
        $pup27  = "disk-defrag-setup" nocase
        $pup28  = "downspeedtest" nocase
        $pup29  = "driver-updater-setup" nocase
        $pup30  = "driver.talent" nocase
        $pup31  = "driverassist-setup" nocase
        $pup32  = "driverdoc" nocase
        $pup33  = "drivereasy" nocase
        $pup34  = "driverrestore" nocase
        $pup35  = "driversupport" nocase
        $pup36  = "drivertalent" nocase
        $pup37  = "drivertoolkit" nocase
        // Prefix already covers $pup39 and $pup40; all three kept as in the original.
        $pup38  = "driverupdate-" nocase
        $pup39  = "driverupdate-downloader" nocase
        $pup40  = "driverupdate-setup" nocase
        $pup41  = "driverwhiz" nocase
        $pup42  = "easeware" nocase
        $pup43  = "easydriverpro" nocase
        $pup44  = "easyhomedecorating" nocase
        $pup45  = "easypdfcombine" nocase
        $pup46  = "easyphotoedit" nocase
        $pup47  = "eliteunzip" nocase
        $pup48  = "emailaccessonline" nocase
        $pup49  = "everyday lookup" nocase
        $pup50  = "everydaylookup" nocase
        $pup51  = "filefanatic" nocase
        $pup52  = "filesharefanatic" nocase
        $pup53  = "flashplayerpro" nocase
        $pup54  = "flightsearchapp" nocase
        $pup55  = "freemakevideoconvertersetup" nocase
        $pup56  = "freemanuals" nocase
        $pup57  = "freeradiocast" nocase
        $pup58  = "fromdoctopdftooltab" nocase
        $pup59  = "funcustomcreations" nocase
        $pup60  = "gamingassassin" nocase
        $pup61  = "gamingwonderland" nocase
        $pup62  = "garden enthusiast" nocase
        $pup63  = "gardeningenthusiast" nocase
        $pup64  = "getflightinfo" nocase
        $pup65  = "getformsonline" nocase
        $pup66  = "gettvstreamnow" nocase
        $pup67  = "gifables" nocase
        $pup68  = "happinessinfusion" nocase
        $pup69  = "headlinealley" nocase
        $pup70  = "howtosimplified" nocase
        $pup71  = "howtosuite" nocase
        $pup72  = "inboxace" nocase
        $pup73  = "internetspeedtracker" nocase
        $pup74  = "knowthebible" nocase
        $pup75  = "localcrimewatcher" nocase
        $pup76  = "mapsgalaxy" nocase
        $pup77  = "marineaquariumlite" nocase
        $pup78  = "mergedocsonline" nocase
        $pup79  = "mydailyrunway" nocase
        $pup80  = "myeasylotto" nocase
        $pup81  = "myformsfinder" nocase
        $pup82  = "myfuncards" nocase
        $pup83  = "mynewsguide" nocase
        $pup84  = "mypcbackup" nocase
        $pup85  = "myradioplayer" nocase
        $pup86  = "myscrapnook" nocase
        $pup87  = "mysocialshortcut" nocase
        $pup88  = "mytelevisionhq" nocase
        $pup89  = "mytransitguide" nocase
        $pup90  = "myweatherradar" nocase
        $pup91  = "mywebface" nocase
        $pup92  = "notehomepage" nocase
        $pup93  = "onlinemapfinder" nocase
        $pup94  = "openfreely" nocase
        $pup95  = "packagetracer" nocase
        $pup96  = "pckeeper" nocase
        $pup97  = "pdfconverterhq" nocase
        $pup98  = "photofriendzy" nocase
        $pup99  = "playpoptrivia" nocase
        $pup100 = "playthruplayer" nocase
        $pup101 = "popularscreensavers" nocase
        $pup102 = "ppc-software" nocase
        $pup103 = "premierdownloadmanager" nocase
        $pup104 = "procleaningsoftware" nocase
        $pup105 = "productivityboss" nocase
        $pup106 = "productmanualsfinder" nocase
        $pup107 = "propccleaner" nocase
        $pup108 = "puzzlegamesdaily" nocase
        $pup109 = "quotationcafe" nocase
        $pup110 = "qyuninst" nocase
        $pup111 = "radiorage" nocase
        $pup112 = "readingfanatic" nocase
        $pup113 = "registry-cleaner" nocase
        $pup114 = "regservo" nocase
        $pup115 = "removedt" nocase
        $pup116 = "safepcrepair" nocase
        $pup117 = "scenichomepage" nocase
        // Generic word; matches any browser UI text that mentions a search bar.
        $pup118 = "searchbar" nocase
        $pup119 = "searchformsonline" nocase
        $pup120 = "searchpredict" nocase
        $pup121 = "slimcleanerplus" nocase
        $pup122 = "smsfrombrowser" nocase
        $pup123 = "snapmyscreen" nocase
        $pup124 = "soccerinferno" nocase
        $pup125 = "spyhunter" nocase
        $pup126 = "studyhq" nocase
        $pup127 = "sweepstakesalley" nocase
        $pup128 = "tbieaddin.dll" nocase
        $pup129 = "televisionfanatic" nocase
        $pup130 = "ticketxplorer" nocase
        $pup131 = "timewhackers" nocase
        $pup132 = "tooltabextension.dll" nocase
        $pup133 = "totalrecipesearch" nocase
        $pup134 = "trackapackage" nocase
        $pup135 = "translationbuddy" nocase
        $pup136 = "unifiedlogger.dll" nocase
        $pup137 = "utility chest" nocase
        $pup138 = "videodownloadconverter" nocase
        $pup139 = "votinstw" nocase
        $pup140 = "votprx" nocase
        $pup141 = "wb-setup" nocase
        $pup142 = "web_bar" nocase
        $pup143 = "webdiscover" nocase
        // Looks like two names run together ("...downloader" + "webesc");
        // kept verbatim, but verify against the intended indicator.
        $pup144 = "webdiscoverbrowserdownloaderwebesc" nocase
        $pup145 = "webext_dl" nocase
        $pup146 = "winwb" nocase
        $pup147 = "yourtemplatefindertooltab" nocase
        $pup148 = "ysearchsettool" nocase
        $pup149 = "ysearchutilsvc" nocase
    condition:
        any of them
}
// Flags the " /domain " switch of the net.exe family, i.e. a command that
// targets the domain rather than the local machine. Surrounding spaces
// keep it from matching words like "/domains".
rule ActiveDirectoryDomainFlag
{
    meta:
        author = "@neonprimetime"
        description = "AD domain flag"
    strings:
        $domain_switch = " /domain " nocase
    condition:
        $domain_switch
}
// Flags the " /add " and " /create " switches used when creating accounts
// or scheduled tasks from the command line.
rule ActiveDirectoryCreateFlag
{
    meta:
        author = "@neonprimetime"
        description = "AD Create flag"
    strings:
        $add_switch    = " /add " nocase
        $create_switch = " /create " nocase
    condition:
        any of them
}
// Flags ":4444", the historical default listener port of Metasploit
// payloads. Plenty of unrelated services use 4444 as well, so corroborate
// with the process or destination before escalating.
rule MetasploitPort
{
    meta:
        author = "@neonprimetime"
        description = "Metasploit Port"
    strings:
        $port_4444 = ":4444" nocase
    condition:
        $port_4444
}
// Flags references to the hidden ADMIN$ share (the remote Windows
// directory), which remote-execution tools and admins alike rely on.
rule AdminFileShareAccess
{
    meta:
        author = "@neonprimetime"
        description = "Admin File Share Access"
    strings:
        $admin_share = "admin$" nocase
    condition:
        $admin_share
}
// Flags ":5938", the TeamViewer service port. Weak on its own; pair with
// the RemoteControlUrlAccessed rule.
rule TeamViewerPort
{
    meta:
        author = "@neonprimetime"
        description = "TeamViewer Port"
    strings:
        $port_5938 = ":5938" nocase
    condition:
        $port_5938
}
// Flags the names of high-privilege AD groups, e.g. in command lines or
// exported group listings. Hits are routine on domain controllers.
rule ActiveDirectoryCriticalGroup
{
    meta:
        author = "@neonprimetime"
        description = "Critical AD groups"
    strings:
        $grp_domain      = "domain admins" nocase
        $grp_enterprise  = "enterprise admins" nocase
        $grp_schema      = "schema admins" nocase
        $grp_workstation = "workstation admins" nocase
        $grp_dns         = "dns admins" nocase
        $grp_server      = "server admins" nocase
    condition:
        any of them
}
// Flags the PowerShell cmdlets that create local and domain accounts.
rule NewUser
{
    meta:
        author = "@neonprimetime"
        description = "New User Commands"
    strings:
        $new_localuser = "new-localuser" nocase
        $new_aduser    = "new-aduser" nocase
    condition:
        any of them
}
// Flags .NET / PowerShell download primitives typically seen in stagers.
rule WebDownloader
{
    meta:
        author = "@neonprimetime"
        description = "Web Downloader"
    strings:
        $download_file   = "DownloadFile(" nocase
        $download_string = "DownloadString" nocase
        $web_request     = "WebRequest" nocase
        // Bare "wget" also matches the PowerShell alias and any prose
        // mentioning the tool; the noisiest entry here.
        $wget            = "wget" nocase
        $bits_transfer   = "bitstransfer" nocase
    condition:
        any of them
}
// Flags McAfee quarantine artefacts: the quarantine folder and the .bup
// container extension it stores detections in.
rule McAfeeQuarantineFile
{
    meta:
        author = "@neonprimetime"
        description = "McAfee Quarantine File"
    strings:
        $quarantine_dir = "\\quarantine\\" nocase
        // Four characters with no delimiter: also matches any string that
        // happens to contain ".bup" (e.g. ".bupdate").
        $bup_ext        = ".bup" nocase
    condition:
        any of them
}
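// Flags names of network / web vulnerability scanners and brute-forcers.
// The four Nmap variants are delimited to avoid matching words like
// "nmapping"; the rest are bare product names.
rule VulnerabilityScanner
{
    meta:
        author = "@neonprimetime"
        description = "Vulnerability Scanner"
    strings:
        $string0 = "AngryIP" nocase
        $string1a = "\\Nmap " nocase
        $string1b = "/Nmap." nocase
        $string1c = " Nmap " nocase
        $string1d = " Nmap." nocase
        $string2 = "Nessus" nocase
        $string3 = "sqlmap" nocase
        $string4 = "nikto" nocase
        $string5 = "wpscan" nocase
        // The brute-forcer is spelled "hydra"; the original "hyrda" was a
        // transposition that could never match the tool.
        $string6 = "hydra" nocase
        $string7 = "dirbuster" nocase
        $string8 = "masscan" nocase
        $string9 = "morfeus" nocase
        $string10 = "sqlninja" nocase
    condition:
        1 of them
}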
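// Flags SQL-injection payload fragments in both URL-encoded ("+" for space)
// and plain forms. Written for web/proxy logs; very noisy on arbitrary text.
rule SqlInjection
{
    meta:
        author = "@neonprimetime"
        description = "Sql Injection"
    strings:
        // URL-encoded forms
        $string0 = "UNION+ALL+SELECT" nocase
        // Column-count probing; also common in ordinary CSV and SQL exports.
        $string1 = ",NULL,NULL" nocase
        $string2 = "AND+SLEEP" nocase
        $string3 = "PG_SLEEP" nocase
        $string4 = "WAITFOR+DELAY" nocase
        // Contains no space, so the encoded and plain forms are one string.
        // The original also carried a misspelled copy, "CONTACT(0x", which
        // names no SQL function and could never match; it is dropped.
        $string5 = "CONCAT(0x" nocase
        $string6 = "UNION+SELECT" nocase
        // SQL comment terminator followed by an encoded space: the shortest
        // pattern here and by far the noisiest.
        $string7 = "--+" nocase
        // Plain (decoded) forms
        $string8 = "')UNION ALL SELECT" nocase
        $string10 = "AND SLEEP" nocase
        $string11 = "WAITFOR DELAY" nocase
        $string13 = "UNION SELECT" nocase
        // Dropped from the original: $string9, $string14, $string15 and
        // $string16 repeated $string1, $string0, $string2 and $string4 byte
        // for byte, and $string17 ("UNION+SELECT)") was $string6 with a stray
        // ")" that $string6 already covers. Match behaviour is unchanged.
    condition:
        1 of them
}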
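// Second copy of the RemoteControlUrlAccessed rule. The page lost the
// "rule NAME" line in front of this body, leaving a bare "{" that does not
// parse; the header is restored here. YARA will not compile two rules with
// the same name in one ruleset, so keep only one copy in a real rules file.
rule RemoteControlUrlAccessed
{
    meta:
        author = "@neonprimetime"
        description = "Cloud Remote Control Url Accessed"
    strings:
        $string0 = "teamviewer" nocase
        $string1 = "splashtop" nocase
        $string2 = "ammyy" nocase
        $string3 = "mikogo" nocase
        $string4 = "uvnc" nocase
        // 32 lowercase letters, the shape of a Chrome Web Store extension id;
        // presumably a browser remote-desktop extension — verify.
        $string5 = "gbchcmhmhahfdphkhkmpfmihenigjmpp" nocase
        $string6 = "logmein" nocase
        $string7 = "join.me" nocase
        $string8 = "realvnc" nocase
        $string9 = "dameware" nocase
        $string10 = "dwservice" nocase
        $string11 = "anydesk" nocase
    condition:
        1 of them
}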
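// Flags references to consumer / privacy-oriented webmail providers; useful for
// spotting data that leaves through personal mail, but expect benign hits.
rule WebMailUrlAccessed
{
    meta:
        author = "@neonprimetime"
        description = "Web Mail Url Accessed"
    strings:
        $string0 = "mail.yahoo.com" nocase
        // Address suffix, not a URL: also fires on any document that merely
        // contains a Gmail address.
        $string1 = "@gmail.com" nocase
        $string2 = "outlook.live.com" nocase
        $string3 = "mail.protonmail.com" nocase
        // No leading delimiter on the bare domains below, so any host name that
        // ends in one of them also matches.
        $string4 = "zoho.com" nocase
        $string5 = "yandex.com" nocase
        $string6 = "tutanota.com" nocase
        // Kolab Now is served from kolabnow.com; the original "kolbanow.com"
        // transposed two letters and could never match the real domain.
        $string7 = "kolabnow.com" nocase
        $string8 = "fastmail.com" nocase
        $string10 = "posteo.de" nocase
        $string11 = "startmail.com" nocase
        $string12 = "runbox.com" nocase
        $string13 = "mailfence.com" nocase
        $string14 = "countermail.com" nocase
    condition:
        1 of them
}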
// Flags references to consumer cloud-storage / file-transfer services, a
// common exfiltration and payload-hosting channel. Triage signal only.
rule CloudFileStorageUrlAccessed
{
    meta:
        author = "@neonprimetime"
        description = "Cloud File Storage Url Accessed"
    strings:
        $dropbox    = "dropbox.com" nocase
        $gdrive     = "drive.google.com" nocase
        $wetransfer = "wetransfer.com" nocase
        $pcloud     = "pcloud.com" nocase
        $tresorit   = "tresorit.com" nocase
        // Short and undelimited: any host name ending in "sync.com" also matches.
        $sync       = "sync.com" nocase
        $onedrive   = "onedrive.live.com" nocase
        // Leading dot keeps this from matching every word ending in "box.com".
        $box        = ".box.com" nocase
        $spideroak  = "spideroak.com" nocase
        $mega       = "mega.nz" nocase
        $jottacloud = "jottacloud.com" nocase
        $teamdrive  = "teamdrive.com" nocase
        $mediafire  = "mediafire.com" nocase
        $cloudup    = "cloudup.com" nocase
        $cloudme    = "cloudme.com" nocase
    condition:
        any of them
}
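// Flags tooling commonly involved in host-to-host movement: RDP, PsExec,
// netcat variants, SSH clients and WinRS. Expect hits from admins too.
rule LateralMovementAttempt
{
    meta:
        author = "@neonprimetime"
        description = "Lateral Movement Attempt"
    strings:
        $string0 = "mstsc" nocase
        $string1 = "psexec" nocase
        // String identifiers must be unique within a rule. The original re-used
        // $string2 and $string3 for all three netcat spellings, which YARA
        // rejects as a duplicated identifier, so the rule never compiled.
        $string2a = "\\nc.exe" nocase
        $string3a = "/nc.exe" nocase
        $string2b = "\\nc64.exe" nocase
        $string3b = "/nc64.exe" nocase
        $string2c = "\\netcat.exe" nocase
        $string3c = "/netcat.exe" nocase
        $string4 = "putty.exe" nocase
        $string5 = "mobax" nocase
        $string6 = "securecrt" nocase
        $string7 = "ssh.exe" nocase
        $string8 = "winrs" nocase
    condition:
        1 of them
}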
// Flags executables whose file name is a single digit or letter ("/a.exe",
// "\1.exe"), a naming habit of droppers and quick-and-dirty payloads.
rule ShortExecutableName
{
    meta:
        author = "@neonprimetime"
        description = "Short Executable Name"
    strings:
        // One regex standing in for the 72 literal strings of the original:
        // a path separator (either slash), exactly one character from 0-9 or
        // a-z, then ".exe". nocase makes the letter class and the extension
        // case-insensitive, as the literal strings were. Same match set; the
        // only trade-off is that a short, nocase pattern gives YARA a weak
        // search atom, so the compiler may warn about scan speed.
        $short_exe = /[\\\/][0-9a-z]\.exe/ nocase
    condition:
        $short_exe
}
// Flags the token "disableuac" — presumably the name of a setting or script
// that switches off User Account Control, which the author treats as a
// policy breach rather than an attack in itself.
rule PolicyViolation
{
    meta:
        author = "@neonprimetime"
        description = "Policy Violation"
    strings:
        $disable_uac = "disableuac" nocase
    condition:
        $disable_uac
}
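// Flags built-in or ubiquitous Windows binaries that are routinely abused
// for download, execution and reconnaissance. All of them also have
// everyday legitimate uses, so corroborate with context.
rule LivingOffLandCommand
{
    meta:
        author = "@neonprimetime"
        description = "Living Off the Land Command"
    strings:
        $string0 = "mshta.exe" nocase
        // The Windows NetBIOS tool is nbtstat.exe. The original "nbstat.exe"
        // names no Windows binary, so it never matched the intended tool.
        $string1 = "nbtstat.exe" nocase
        $string5 = "/query.exe" nocase
        $string6 = "\\query.exe" nocase
        $string8 = "bitsadmin.exe" nocase
        $string9 = "curl.exe" nocase
        $string10 = "wget.exe" nocase
        $string11 = "systeminfo.exe" nocase
        $string12 = "certutil.exe" nocase
    condition:
        1 of them
}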
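// Flags attachment / subject themes that phishing lures favour (invoices,
// payments, purchase orders, faxes). Deliberately broad; pair it with
// mail-flow context before acting on a hit.
rule PhishingAttachmentThemePossible
{
    meta:
        author = "@neonprimetime"
        description = "Phishing Attachment Theme Possible"
    strings:
        $string0a = "invoice." nocase
        $string0b = "invoice " nocase
        $string1 = "factura" nocase
        $string2 = "wiretransfer" nocase
        // "payment" already covers "payment."; both kept for parity with the
        // other a/b pairs.
        $string4a = "payment" nocase
        $string4b = "payment." nocase
        $string6a = "eFAX " nocase
        $string6b = "eFAX." nocase
        $string7 = "Fattura" nocase
        $string8 = "Enquiry" nocase
        $string9 = "QUOTATION" nocase
        // Identifiers must be unique within a rule; the original assigned
        // $string10 twice and $string14 three times, which YARA rejects as a
        // duplicated identifier, so the rule never compiled.
        $string10a = "receipt " nocase
        $string10b = "receipt." nocase
        $string11a = "payroll." nocase
        $string11b = "payroll " nocase
        $string12 = "PO#" nocase
        $string13 = "Proforma" nocase
        $string14a = "Purchase." nocase
        $string14b = "Purchase " nocase
        $string14c = "PurchaseOrder" nocase
    condition:
        1 of them
}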
// Flags file names that suggest credentials stored in the clear, plus two
// application config files that often embed connection strings.
rule ClearTextPasswordFile
{
    meta:
        author = "@neonprimetime"
        description = "Clear Text Password File"
    strings:
        // singular
        $password_txt  = "password.txt" nocase
        $pwd_txt       = "pwd.txt" nocase
        $passwd_txt    = "passwd.txt" nocase
        $password_doc  = "password.doc" nocase
        $pwd_doc       = "pwd.doc" nocase
        $passwd_doc    = "passwd.doc" nocase
        $password_xls  = "password.xls" nocase
        $pwd_xls       = "pwd.xls" nocase
        $passwd_xls    = "passwd.xls" nocase
        // plural
        $passwords_txt = "passwords.txt" nocase
        $pwds_txt      = "pwds.txt" nocase
        $passwds_txt   = "passwds.txt" nocase
        $passwords_doc = "passwords.doc" nocase
        $pwds_doc      = "pwds.doc" nocase
        $passwds_doc   = "passwds.doc" nocase
        $passwords_xls = "passwords.xls" nocase
        $pwds_xls      = "pwds.xls" nocase
        $passwds_xls   = "passwds.xls" nocase
        // Present on every ASP.NET / IIS host, so these two fire constantly
        // in web-server logs; treat as a weak signal there.
        $web_config    = "web.config" nocase
        $app_config    = "application.config" nocase
    condition:
        any of them
}
// Flags requests for generic admin paths; in a web log this separates
// administrative traffic (legitimate or probing) from ordinary browsing.
rule AdminUrlAccessed
{
    meta:
        author = "@neonprimetime"
        description = "Admin Web Pages"
    strings:
        $admin_path    = "/admin/" nocase
        $wp_admin_path = "/wp-admin/" nocase
    condition:
        any of them
}
// Flags names of offensive tooling, credential viewers and wireless
// scanners. Identifier numbers follow the original rule (gaps included)
// so the two can be cross-referenced.
rule HackingToolFound
{
    meta:
        author = "@neonprimetime"
        description = "Hacking Tool Found"
    strings:
        $tool0  = "kali.exe" nocase
        $tool2  = "wireshark" nocase
        $tool3  = "bloodhound" nocase
        // Generic English words: noisy on documentation and source code.
        $tool4  = "obfuscation" nocase
        $tool5  = "shellcode" nocase
        $tool6  = "keylogger" nocase
        $tool7  = "bypassuac" nocase
        $tool8  = "tokenmanipulation" nocase
        $tool10 = "passhash" nocase
        $tool11 = "kerberoast" nocase
        // Very short and common ("ninja" appears in many product names).
        $tool12 = "ninja" nocase
        $tool13 = "memorynps" nocase
        $tool14 = "metasploit" nocase
        $tool15 = "smbexec" nocase
        $tool16 = "gpppassword" nocase
        $tool17 = "arpscan" nocase
        $tool18 = "dnscat" nocase
        $tool19 = "aircrack" nocase
        $tool20 = "bulletspassview" nocase
        $tool21 = "chromepass" nocase
        $tool22 = "credentialsfileview" nocase
        $tool23 = "echo.exe" nocase
        $tool24 = "hydra.exe" nocase
        $tool25 = "iepv.exe" nocase
        $tool26 = "inssidersetup" nocase
        $tool28 = "mailpv.exe" nocase
        $tool29 = "ministumblersetup" nocase
        $tool33 = "netpass.exe" nocase
        $tool34 = "netstumbler" nocase
        // nltest and setspn ship with Windows / RSAT and are run by AD admins
        // daily; expect benign hits on domain controllers.
        $tool35 = "nltest.exe" nocase
        $tool36 = "ophcrack" nocase
        $tool37 = "rdpv.exe" nocase
        $tool38 = "setspn" nocase
        $tool39 = "sniffpass" nocase
        $tool40 = "vaultpasswordview" nocase
        $tool41 = "\\ver.exe" nocase
        $tool42 = "vncpassview" nocase
        $tool43 = "webbrowserpassview" nocase
    condition:
        any of them
}
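// Flags Win32 / .NET API names and token constants that injection,
// credential and privilege-escalation code tends to reference. Ordinary
// system software uses most of them too; treat as a triage signal.
rule HackingCodeFound
{
    meta:
        author = "@neonprimetime"
        description = "Hacking Code Found"
    strings:
        $string0 = "WriteProcessMemory" nocase
        $string1 = "VirtualAlloc" nocase
        $string2 = "SetWindowsHook" nocase
        $string3 = "SHCreateThread" nocase
        $string4 = "FromBase64String" nocase
        $string5 = "PromptForCredential" nocase
        $string6 = "AdjustTokenPrivileges" nocase
        $string7 = "KerberosRequestorSecurityToken" nocase
        $string8 = "UnsafeNativeMethods" nocase
        // The original fused two API names into one string,
        // "ReadProcessMemoryMiniDumpWriteDump", which no binary contains; they
        // are separate functions and must be separate strings to ever match.
        $string9a = "ReadProcessMemory" nocase
        $string9b = "MiniDumpWriteDump" nocase
        $string10 = "TOKEN_ADJUST_PRIVILEGES" nocase
        $string11 = "TOKEN_IMPERSONATE" nocase
        $string12 = "TOKEN_ELEVATION" nocase
        $string13 = "TOKEN_ALL_ACCESS" nocase
    condition:
        1 of them
}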
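// Flags names of credential-dumping tools and their typical modules.
rule PasswordDumpAttempt
{
    meta:
        author = "@neonprimetime"
        // Was "Password Dump Temp", a typo of the rule's own name.
        description = "Password Dump Attempt"
    strings:
        $string0 = "mimikatz" nocase
        // procdump is a signed Sysinternals tool with legitimate uses; it is
        // listed because it is the usual way to capture LSASS memory.
        $string1 = "procdump" nocase
        $string3 = "hashdump" nocase
        $string4 = "pwdump" nocase
        $string5 = "lsadump" nocase
    condition:
        1 of them
}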
// Flags file:// URLs on the F: and G: drive letters, which on a typical
// workstation are removable media. Identifier numbers follow the original.
rule ExternalDriveAccessed
{
    meta:
        author = "@neonprimetime"
        description = "External Drive Accessed"
    strings:
        $drive4 = "file:///f:/" nocase
        $drive6 = "file:///g:/" nocase
        // Purpose of this token is not evident from the rule — presumably a
        // vendor/product marker related to removable media; verify.
        $drive8 = "mfeprom" nocase
    condition:
        any of them
}
// Flags file names that recon and credential tools write by default
// (BloodHound/SharpHound CSVs, LSASS dumps, nmap/nessus/openvas reports).
rule HackerOutputFile
{
    meta:
        author = "@neonprimetime"
        description = "Hacker Output Files"
    strings:
        $out0  = "acls.csv" nocase
        $out1  = "bloodhound.csv" nocase
        // Generic names; expect hits from backups and database exports.
        $out2  = "dump.csv" nocase
        $out3  = "dump.xml" nocase
        $out4  = "dump.zip" nocase
        $out5  = "firewall.txt" nocase
        $out6  = "group_memberships.csv" nocase
        $out7  = "hashdump.txt" nocase
        $out8  = "local_admins.csv" nocase
        $out9  = "lsadump.txt" nocase
        $out10 = "lsass.dmp" nocase
        $out11 = "lsassdump.dmp" nocase
        $out12 = "mimikatz.xls" nocase
        $out13 = "mini.dmp" nocase
        $out14 = "netscan.xml" nocase
        $out15 = "nmap.csv" nocase
        $out16 = "nmap.txt" nocase
        $out17 = "nmap.xml" nocase
        $out18 = "openvas.csv" nocase
        $out19 = "pwdump.txt" nocase
        $out20 = "secretsdump.txt" nocase
        $out21 = "targets.txt" nocase
        $out22 = "trusts.csv" nocase
        $out23 = "user_sessions.csv" nocase
        $out24 = "bloodhound.bin" nocase
        // Extensions rather than names: any scanner output file matches.
        $out25 = ".gnmap" nocase
        $out26 = ".nessus" nocase
        $out27 = ".nmap" nocase
        $out28 = "p0wn" nocase
    condition:
        any of them
}
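// Flags host / path fragments of offensive-security distributions and
// exploit databases. Each product is covered as a triplet — "name.",
// "/name/", "name-" — so it is caught as a domain, a path segment or an
// ISO/package prefix.
rule HackerUrl
{
    meta:
        author = "@neonprimetime"
        description = "Hacker Url"
    strings:
        // "kali." is short and also a common given name/word; noisy.
        $string1 = "kali." nocase
        $string2 = "/kali/" nocase
        $string3 = "kali-" nocase
        $string4 = "backbox." nocase
        $string5 = "/backbox/" nocase
        $string6 = "backbox-" nocase
        $string7 = "blackarch." nocase
        $string8 = "/blackarch/" nocase
        $string9 = "blackarch-" nocase
        $string10 = "caine-live." nocase
        $string11 = "/caine-live/" nocase
        $string12 = "caine-live-" nocase
        $string13 = "deftlinux." nocase
        $string14 = "/deftlinux/" nocase
        $string15 = "deftlinux-" nocase
        $string16 = "parrotsec." nocase
        $string17 = "/parrotsec/" nocase
        $string18 = "parrotsec-" nocase
        // The original had these two fused into one string,
        // "altlinux./altlinux/", which no URL contains; split to complete the
        // altlinux triplet.
        $string19a = "altlinux." nocase
        $string19b = "/altlinux/" nocase
        $string20 = "altlinux-" nocase
        $string21 = "digi77." nocase
        $string22 = "/digi77/" nocase
        $string23 = "digi77-" nocase
        $string24 = ".paterva." nocase
        $string25 = "portswigger." nocase
        $string26 = "exploit-db." nocase
        $string27 = "/exploit-db/" nocase
        $string28 = "exploit-db-" nocase
        $string29 = "parrot.sh" nocase
        $string30 = "/parrot.sh/" nocase
        $string31 = "basealt.ru" nocase
        $string32 = "/basealt.ru/" nocase
        $string33 = "basealt.ru-" nocase
        $string34 = "0day.today" nocase
        $string35 = "/0day.today/" nocase
        // Likewise "0day.today-archstrike." was two fused fragments: the last
        // member of the 0day.today triplet and the first of the archstrike one.
        $string36a = "0day.today-" nocase
        $string36b = "archstrike." nocase
        $string37 = "/archstrike/" nocase
        $string38 = "archstrike-" nocase
    condition:
        1 of them
}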
rule PUPSoftware
{
meta:
author = "@neonprimetime"
description = "Potentially Unwanted Software"
strings:
$string0 = "adusetup" nocase
$string1 = "advanced driver" nocase
$string2 = "anytimeastrology" nocase
$string3 = "aplusgamer" nocase
$string4 = "apnsetup" nocase
$string5 = "apnstub" nocase
$string6 = "ascsetup" nocase
$string7 = "astromenda" nocase
$string8 = "atozmanuals" nocase
$string9 = "atwrun" nocase
$string10 = "audiotoaudio" nocase
$string11 = "bringmesports" nocase
$string12 = "bytefence" nocase
$string13 = "calendarspark" nocase
$string14 = "ccleaner" nocase
$string15 = "citysearch" nocase
$string16 = "convertpdfsnowtooltab" nocase
$string17 = "coupon companion" nocase
$string18 = "couponscom" nocase
$string19 = "cursormania" nocase
$string20 = "dailybibleguide" nocase
$string21 = "dailyrecipeguidetooltab" nocase
$string22 = "dailywellnessguide" nocase
$string23 = "dictionaryboss" nocase
$string24 = "directionsandmap" nocase
$string25 = "discoverancestry" nocase
$string26 = "discoverliveradio" nocase
$string27 = "disk-defrag-setup" nocase
$string28 = "downspeedtest" nocase
$string29 = "driver-updater-setup" nocase
$string30 = "driver.talent" nocase
$string31 = "driverassist-setup" nocase
$string32 = "driverdoc" nocase
$string33 = "drivereasy" nocase
$string34 = "driverrestore" nocase
$string35 = "driversupport" nocase
$string36 = "drivertalent" nocase
$string37 = "drivertoolkit" nocase
$string38 = "driverupdate-" nocase
$string39 = "driverupdate-downloader" nocase
$string40 = "driverupdate-setup" nocase
$string41 = "driverwhiz" nocase
$string42 = "easeware" nocase
$string43 = "easydriverpro" nocase
$string44 = "easyhomedecorating" nocase
$string45 = "easypdfcombine" nocase
$string46 = "easyphotoedit" nocase
$string47 = "eliteunzip" nocase
$string48 = "emailaccessonline" nocase
$string49 = "everyday lookup" nocase
$string50 = "everydaylookup" nocase
$string51 = "filefanatic" nocase
$string52 = "filesharefanatic" nocase
$string53 = "flashplayerpro" nocase
$string54 = "flightsearchapp" nocase
$string55 = "freemakevideoconvertersetup" nocase
$string56 = "freemanuals" nocase
$string57 = "freeradiocast" nocase
$string58 = "fromdoctopdftooltab" nocase
$string59 = "funcustomcreations" nocase
$string60 = "gamingassassin" nocase
$string61 = "gamingwonderland" nocase
$string62 = "garden enthusiast" nocase
$string63 = "gardeningenthusiast" nocase
$string64 = "getflightinfo" nocase
$string65 = "getformsonline" nocase
$string66 = "gettvstreamnow" nocase
$string67 = "gifables" nocase
$string68 = "happinessinfusion" nocase
$string69 = "headlinealley" nocase
$string70 = "howtosimplified" nocase
$string71 = "howtosuite" nocase
$string72 = "inboxace" nocase
$string73 = "internetspeedtracker" nocase
$string74 = "knowthebible" nocase
$string75 = "localcrimewatcher" nocase
$string76 = "mapsgalaxy" nocase
$string77 = "marineaquariumlite" nocase
$string78 = "mergedocsonline" nocase
$string79 = "mydailyrunway" nocase
$string80 = "myeasylotto" nocase
$string81 = "myformsfinder" nocase
$string82 = "myfuncards" nocase
$string83 = "mynewsguide" nocase
$string84 = "mypcbackup" nocase
$string85 = "myradioplayer" nocase
$string86 = "myscrapnook" nocase
$string87 = "mysocialshortcut" nocase
$string88 = "mytelevisionhq" nocase
$string89 = "mytransitguide" nocase
$string90 = "myweatherradar" nocase
$string91 = "mywebface" nocase
$string92 = "notehomepage" nocase
$string93 = "onlinemapfinder" nocase
$string94 = "openfreely" nocase
$string95 = "packagetracer" nocase
$string96 = "pckeeper" nocase
$string97 = "pdfconverterhq" nocase
$string98 = "photofriendzy" nocase
$string99 = "playpoptrivia" nocase
$string100 = "playthruplayer" nocase
$string101 = "popularscreensavers" nocase
$string102 = "ppc-software" nocase
$string103 = "premierdownloadmanager" nocase
$string104 = "procleaningsoftware" nocase
$string105 = "productivityboss" nocase
$string106 = "productmanualsfinder" nocase
$string107 = "propccleaner" nocase
$string108 = "puzzlegamesdaily" nocase
$string109 = "quotationcafe" nocase
$string110 = "qyuninst" nocase
$string111 = "radiorage" nocase
$string112 = "readingfanatic" nocase
$string113 = "registry-cleaner" nocase
$string114 = "regservo" nocase
$string115 = "removedt" nocase
$string116 = "safepcrepair" nocase
$string117 = "scenichomepage" nocase
$string118 = "searchbar" nocase
$string119 = "searchformsonline" nocase
$string120 = "searchpredict" nocase
$string121 = "slimcleanerplus" nocase
$string122 = "smsfrombrowser" nocase
$string123 = "snapmyscreen" nocase
$string124 = "soccerinferno" nocase
$string125 = "spyhunter" nocase
$string126 = "studyhq" nocase
$string127 = "sweepstakesalley" nocase
$string128 = "tbieaddin.dll" nocase
$string129 = "televisionfanatic" nocase
$string130 = "ticketxplorer" nocase
$string131 = "timewhackers" nocase
$string132 = "tooltabextension.dll" nocase
$string133 = "totalrecipesearch" nocase
$string134 = "trackapackage" nocase
$string135 = "translationbuddy" nocase
$string136 = "unifiedlogger.dll" nocase
$string137 = "utility chest" nocase
$string138 = "videodownloadconverter" nocase
$string139 = "votinstw" nocase
$string140 = "votprx" nocase
$string141 = "wb-setup" nocase
$string142 = "web_bar" nocase
$string143 = "webdiscover" nocase
$string144 = "webdiscoverbrowserdownloaderwebesc" nocase
$string145 = "webext_dl" nocase
$string146 = "winwb" nocase
$string147 = "yourtemplatefindertooltab" nocase
$string148 = "ysearchsettool" nocase
$string149 = "ysearchutilsvc" nocase
condition:
1 of them
}
rule ActiveDirectoryDomainFlag
{
    // The "/domain" switch padded with spaces, so the bare word "domain"
    // in ordinary text does not fire.
    meta:
        author = "@neonprimetime"
        description = "AD domain flag"
    strings:
        $domain_switch = " /domain " nocase
    condition:
        any of them
}
rule ActiveDirectoryCreateFlag
{
    // Either account-creation switch, space-padded to avoid matching the
    // words "add"/"create" inside other tokens.
    meta:
        author = "@neonprimetime"
        description = "AD Create flag"
    strings:
        $add_switch    = " /add " nocase
        $create_switch = " /create " nocase
    condition:
        any of them
}
rule MetasploitPort
{
    // ":4444" — a purely numeric string, so the original's nocase modifier
    // had no effect and is omitted. Expect benign hits on any text that
    // mentions this port.
    meta:
        author = "@neonprimetime"
        description = "Metasploit Port"
    strings:
        $port = ":4444"
    condition:
        any of them
}
rule AdminFileShareAccess
{
    // Reference to the administrative share name.
    meta:
        author = "@neonprimetime"
        description = "Admin File Share Access"
    strings:
        $admin_share = "admin$" nocase
    condition:
        any of them
}
rule TeamViewerPort
{
    // ":5938" — numeric only, so nocase is a no-op and is omitted.
    meta:
        author = "@neonprimetime"
        description = "TeamViewer Port"
    strings:
        $port = ":5938"
    condition:
        any of them
}
rule ActiveDirectoryCriticalGroup
{
    // Names of high-privilege AD groups; any single mention is enough.
    meta:
        author = "@neonprimetime"
        description = "Critical AD groups"
    strings:
        $grp_domain      = "domain admins" nocase
        $grp_enterprise  = "enterprise admins" nocase
        $grp_schema      = "schema admins" nocase
        $grp_workstation = "workstation admins" nocase
        $grp_dns         = "dns admins" nocase
        $grp_server      = "server admins" nocase
    condition:
        any of them
}
rule NewUser
{
    // PowerShell cmdlet names that create local or AD accounts.
    meta:
        author = "@neonprimetime"
        description = "New User Commands"
    strings:
        $cmdlet_local = "new-localuser" nocase
        $cmdlet_ad    = "new-aduser" nocase
    condition:
        any of them
}
rule WebDownloader
{
    // Download primitives. "wget" and "WebRequest" are short substrings and
    // will also fire on benign documentation or scripts; treat as low-fidelity.
    meta:
        author = "@neonprimetime"
        description = "Web Downloader"
    strings:
        $dl_file   = "DownloadFile(" nocase
        $dl_string = "DownloadString" nocase
        $dl_req    = "WebRequest" nocase
        $dl_wget   = "wget" nocase
        $dl_bits   = "bitstransfer" nocase
    condition:
        any of them
}
rule McAfeeQuarantineFile
{
    // Quarantine folder path or .bup extension; ".bup" alone is a short
    // substring and may hit unrelated names.
    meta:
        author = "@neonprimetime"
        description = "McAfee Quarantine File"
    strings:
        $q_path = "\\quarantine\\" nocase
        $q_ext  = ".bup" nocase
    condition:
        any of them
}
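rule VulnerabilityScanner
{
    // Names of common scanners/enumeration tools. Nmap gets four delimited
    // forms because the bare word is too common; $string6 was "hyrda", a
    // typo that could never match the tool name "hydra" - corrected.
    meta:
        author = "@neonprimetime"
        description = "Vulnerability Scanner"
    strings:
        $string0  = "AngryIP" nocase
        $string1a = "\\Nmap " nocase
        $string1b = "/Nmap." nocase
        $string1c = " Nmap " nocase
        $string1d = " Nmap." nocase
        $string2  = "Nessus" nocase
        $string3  = "sqlmap" nocase
        $string4  = "nikto" nocase
        $string5  = "wpscan" nocase
        $string6  = "hydra" nocase
        $string7  = "dirbuster" nocase
        $string8  = "masscan" nocase
        $string9  = "morfeus" nocase
        $string10 = "sqlninja" nocase
    condition:
        1 of them
}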
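rule SqlInjection
{
    // SQL-injection probe fragments as they appear in request logs, in both
    // the URL-encoded ("+") and plain-space spellings. Deduplicated: the
    // original listed "UNION+ALL+SELECT", ",NULL,NULL", "AND+SLEEP" and
    // "WAITFOR+DELAY" twice, carried "UNION+SELECT)" (already matched by
    // "UNION+SELECT"), and "CONTACT(0x" - a typo of "CONCAT(0x", which is
    // kept as $string5. Only the typo's removal changes what matches.
    meta:
        author = "@neonprimetime"
        description = "Sql Injection"
    strings:
        $string0  = "UNION+ALL+SELECT" nocase
        $string1  = ",NULL,NULL" nocase
        $string2  = "AND+SLEEP" nocase
        $string3  = "PG_SLEEP" nocase
        $string4  = "WAITFOR+DELAY" nocase
        $string5  = "CONCAT(0x" nocase
        $string6  = "UNION+SELECT" nocase
        $string7  = "--+" nocase
        $string8  = "')UNION ALL SELECT" nocase
        $string10 = "AND SLEEP" nocase
        $string11 = "WAITFOR DELAY" nocase
        $string13 = "UNION SELECT" nocase
    condition:
        1 of them
}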
Wednesday, November 6, 2019
Python IoT search with Wget and Yara Rules
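# Given a list of urls, determine what type of IoT device (or any device for that matter) they are based on you plugging in Yara rules into the .yar files
import os
import subprocess
import traceback

# ---- configuration -------------------------------------------------------
debug = False              # emit DEBUG lines around every download and scan
skipDownload = False       # True: skip wget and only scan the .html files already here
inputFile = "urls.txt"     # one URL per line
yaraSpecificRuleFile = "IoTSpecific.yar"   # tried first
yaraGenericRuleFile = "IoTGeneric.yar"     # fallback when the specific rules do not fire
# --no-check-certificate turns off TLS verification, so a fetched page is not
# authenticated. Acceptable for fingerprinting self-signed device UIs, but
# nothing in the downloaded content should be trusted beyond classification.
wgetParams = "--quiet --no-check-certificate --timeout=2 --tries=3"
yaraParams = ""
outputExt = ".html"

# Characters replaced by "_" when a URL is turned into a file name.
_UNSAFE_CHARS = "/\\:.&?=%"


def _clean_filename(url, ext=outputExt):
    """Return the flat file name used for `url`: trailing whitespace dropped,
    every character of _UNSAFE_CHARS replaced by "_", then `ext` appended.
    Distinct URLs can collide (e.g. "a/b" and "a_b"); the later download wins."""
    table = str.maketrans(_UNSAFE_CHARS, "_" * len(_UNSAFE_CHARS))
    return url.rstrip().translate(table) + ext


def _run(argv, discard_stderr=False):
    """Run `argv` directly (no shell) and return its stdout as text.
    Raises subprocess.CalledProcessError on a non-zero exit status."""
    stderr = subprocess.DEVNULL if discard_stderr else None
    return subprocess.check_output(argv, stderr=stderr, universal_newlines=True)


def _download(url):
    """Fetch one URL with wget into _clean_filename(url).
    Failures are reported as an "ERROR,..." line on stdout, never raised."""
    cleanurl = _clean_filename(url)
    # Argument list instead of a shell string: the URL comes from an input
    # file and must never be parsed by a shell. "--" ends wget's option
    # parsing so a URL beginning with "-" cannot be read as a switch.
    argv = ["wget"] + wgetParams.split() + ["--output-document=" + cleanurl, "--", url]
    shown = " ".join(argv)  # for log lines only
    if debug:
        print("DEBUG,Starting Download of '%s' to '%s'" % (url, cleanurl))
    try:
        # stderr is discarded, matching the original "2>/dev/null"
        output = _run(argv, discard_stderr=True)
        if "error" in output:
            print("ERROR,Unable to download '%s' error '%s'" % (shown, output))
    except Exception:
        # format_exc() returns the trace text; print_exc() returns None
        print("ERROR,Unable to download '%s' error '%s'" % (shown, traceback.format_exc()))
    if debug:
        print("DEBUG,Finished Download of '%s' to '%s'" % (url, cleanurl))


def _yara(rulefile, htmlfile, verb):
    """Run yara with `rulefile` against `htmlfile`.
    Returns yara's stdout ("" when no rule matched) or None when the run
    failed; `verb` is "Scan" or "ReScan" and labels the log lines."""
    argv = ["yara"] + yaraParams.split() + [rulefile, htmlfile]
    shown = " ".join(argv)
    if debug:
        print("DEBUG,Starting %sning: '%s'" % (verb, htmlfile))
    try:
        output = _run(argv)
        if "error" in output:
            print("ERROR,Unable to %s '%s' error '%s'" % (verb, shown, output))
    except Exception:
        print("ERROR,Unable to %s '%s' error '%s'" % (verb, shown, traceback.format_exc()))
        output = None
    if debug:
        print("DEBUG,Finished %sning: '%s'" % (verb, htmlfile))
    return output


def _classify(htmlfile):
    """Print one CSV line for `htmlfile`: NoResponse (empty download), the
    yara match as "Rule,file", or NoMatch after both rule files miss."""
    if os.stat(htmlfile).st_size == 0:
        print("NoResponse,%s" % htmlfile)
        return
    output = _yara(yaraSpecificRuleFile, htmlfile, "Scan")
    if output is None:
        return  # already reported
    if not output:
        output = _yara(yaraGenericRuleFile, htmlfile, "ReScan")
        if output is None:
            return
    if output:
        # yara prints "RuleName filename"; commas make it CSV like the rest
        print(output.rstrip().replace(" ", ","))
    else:
        print("NoMatch,%s" % htmlfile)


def main():
    """Download every URL in inputFile (unless skipDownload), then classify
    every .html file in the current directory - including files left over
    from earlier runs."""
    if not skipDownload:
        with open(inputFile, "r") as urls:
            for line in urls:
                url = line.rstrip()
                if url:  # a blank line would otherwise become ".html"
                    _download(url)
    for htmlfile in os.listdir('.'):
        if htmlfile.endswith(".html"):
            _classify(htmlfile)


if __name__ == "__main__":
    main()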
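"""Download a list of URLs with wget and classify each page with yara rules."""
import os
import subprocess
import traceback

# ---- configuration -------------------------------------------------------
debug = False              # emit DEBUG lines around every download and scan
skipDownload = False       # True: skip wget and only scan the .html files already here
inputFile = "urls.txt"     # one URL per line
yaraSpecificRuleFile = "IoTSpecific.yar"   # tried first
yaraGenericRuleFile = "IoTGeneric.yar"     # fallback when the specific rules do not fire
# --no-check-certificate turns off TLS verification, so a fetched page is not
# authenticated. Acceptable for fingerprinting self-signed device UIs, but
# nothing in the downloaded content should be trusted beyond classification.
wgetParams = "--quiet --no-check-certificate --timeout=2 --tries=3"
yaraParams = ""
outputExt = ".html"

# Characters replaced by "_" when a URL is turned into a file name.
_UNSAFE_CHARS = "/\\:.&?=%"


def _clean_filename(url, ext=outputExt):
    """Return the flat file name used for `url`: trailing whitespace dropped,
    every character of _UNSAFE_CHARS replaced by "_", then `ext` appended.
    Distinct URLs can collide (e.g. "a/b" and "a_b"); the later download wins."""
    table = str.maketrans(_UNSAFE_CHARS, "_" * len(_UNSAFE_CHARS))
    return url.rstrip().translate(table) + ext


def _run(argv, discard_stderr=False):
    """Run `argv` directly (no shell) and return its stdout as text.
    Raises subprocess.CalledProcessError on a non-zero exit status."""
    stderr = subprocess.DEVNULL if discard_stderr else None
    return subprocess.check_output(argv, stderr=stderr, universal_newlines=True)


def _download(url):
    """Fetch one URL with wget into _clean_filename(url).
    Failures are reported as an "ERROR,..." line on stdout, never raised."""
    cleanurl = _clean_filename(url)
    # Argument list instead of a shell string: the URL comes from an input
    # file and must never be parsed by a shell. "--" ends wget's option
    # parsing so a URL beginning with "-" cannot be read as a switch.
    argv = ["wget"] + wgetParams.split() + ["--output-document=" + cleanurl, "--", url]
    shown = " ".join(argv)  # for log lines only
    if debug:
        print("DEBUG,Starting Download of '%s' to '%s'" % (url, cleanurl))
    try:
        # stderr is discarded, matching the original "2>/dev/null"
        output = _run(argv, discard_stderr=True)
        if "error" in output:
            print("ERROR,Unable to download '%s' error '%s'" % (shown, output))
    except Exception:
        # format_exc() returns the trace text; print_exc() returns None
        print("ERROR,Unable to download '%s' error '%s'" % (shown, traceback.format_exc()))
    if debug:
        print("DEBUG,Finished Download of '%s' to '%s'" % (url, cleanurl))


def _yara(rulefile, htmlfile, verb):
    """Run yara with `rulefile` against `htmlfile`.
    Returns yara's stdout ("" when no rule matched) or None when the run
    failed; `verb` is "Scan" or "ReScan" and labels the log lines."""
    argv = ["yara"] + yaraParams.split() + [rulefile, htmlfile]
    shown = " ".join(argv)
    if debug:
        print("DEBUG,Starting %sning: '%s'" % (verb, htmlfile))
    try:
        output = _run(argv)
        if "error" in output:
            print("ERROR,Unable to %s '%s' error '%s'" % (verb, shown, output))
    except Exception:
        print("ERROR,Unable to %s '%s' error '%s'" % (verb, shown, traceback.format_exc()))
        output = None
    if debug:
        print("DEBUG,Finished %sning: '%s'" % (verb, htmlfile))
    return output


def _classify(htmlfile):
    """Print one CSV line for `htmlfile`: NoResponse (empty download), the
    yara match as "Rule,file", or NoMatch after both rule files miss."""
    if os.stat(htmlfile).st_size == 0:
        print("NoResponse,%s" % htmlfile)
        return
    output = _yara(yaraSpecificRuleFile, htmlfile, "Scan")
    if output is None:
        return  # already reported
    if not output:
        output = _yara(yaraGenericRuleFile, htmlfile, "ReScan")
        if output is None:
            return
    if output:
        # yara prints "RuleName filename"; commas make it CSV like the rest
        print(output.rstrip().replace(" ", ","))
    else:
        print("NoMatch,%s" % htmlfile)


def main():
    """Download every URL in inputFile (unless skipDownload), then classify
    every .html file in the current directory - including files left over
    from earlier runs."""
    if not skipDownload:
        with open(inputFile, "r") as urls:
            for line in urls:
                url = line.rstrip()
                if url:  # a blank line would otherwise become ".html"
                    _download(url)
    for htmlfile in os.listdir('.'):
        if htmlfile.endswith(".html"):
            _classify(htmlfile)


if __name__ == "__main__":
    main()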
Monday, February 18, 2019
malware yara rules
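/*
  Malware family and generic-behaviour rules (whitespace restored; the
  original was collapsed onto a few lines). Strings are unchanged except
  for one exact duplicate removed from GenericCredentialStealer; three
  meta descriptions were corrected (GenericUPXPacker said "UpX packet",
  GenericFirewallModification "Modifiction", GenericBase64 was labelled
  "Generic PHP Panel"). The "Generic*" rules match short substrings and
  are intended as triage hints, not high-confidence detections.
*/

/* ------------------------- ------ NanoCore ------------ --------------------------- */
rule NanoCoreByName
{
    meta:
        author = "@neonprimetime"
        description = "NanoCore"
    strings:
        $string0 = "NanoCore Client" nocase
        $string1 = "NanoCore.Client" nocase
        $string2 = "NanoCoreBase" nocase
        $string5 = "NanoCoreSwiss" nocase
        $string6 = "NanoCoreStressTester" nocase
    condition:
        1 of them
}

rule NanoCoreByKeyword
{
    // Keyword rule: needs three indicators to limit false positives.
    meta:
        author = "@neonprimetime"
        description = "NanoCore"
    strings:
        $string1 = "NanoBrowser" nocase
        $string2 = "NanoScript" nocase
        $string3 = "SurveillanceEx" nocase
        $string4 = "NanoCoreStressTester" nocase
        $string5 = "accident-investigation.aero" nocase
        $string6 = "KeyboardLogging" nocase
    condition:
        3 of them
}

/* ------------------------- ------ Remcos RAT----------- --------------------------- */
rule RemcosRATByName
{
    meta:
        author = "@neonprimetime"
        description = "Remcos RAT"
    strings:
        $string0 = "Software\\Remcos" nocase
        $string1 = "\\remcos\\" nocase
        $string2 = "REMCOS v" nocase
        $string4 = "Remcos_" nocase
    condition:
        1 of them
}

rule RemcosRATByKeyword
{
    meta:
        author = "@neonprimetime"
        description = "Remcos RAT"
    strings:
        $string1 = "Keylogger Started" nocase
        $string2 = "Connected to C&C" nocase
        $string3 = "Screenshots" nocase
        $string4 = "OpenCamera" nocase
        $string5 = "Uploading file to C&C" nocase
        $string6 = "Initializing connection to C&C" nocase
        $string7 = "cleared!]" nocase
        $string8 = "EnableLUA /t REG_DWORD /d 0" nocase
        $string9 = "RemWatchdog" nocase
        $string10 = "restarted by watchdog" nocase
    condition:
        3 of them
}

/* ------------------------- ------ Revil/Sodinokibi Ransomware----------- --------------------------- */
rule RevilRansomwareByName
{
    meta:
        author = "@neonprimetime"
        description = "Revil/Sodinokibi Ransomware"
    strings:
        $string1 = "Sodinokibi" nocase
        $string2 = "For google: Revil" nocase
    condition:
        any of them
}

rule RevilRansomwareByKeyword
{
    // "3 of them" with exactly three strings means all must be present.
    meta:
        author = "@neonprimetime"
        description = "Revil/Sodinokibi Ransomware"
    strings:
        $string1 = "decryptor.top" nocase
        $string2 = "nbody" nocase
        $string3 = "bedbg" nocase
    condition:
        3 of them
}

/* ------------------------- ------ NjRat ------------- --------------------------- */
rule NjRatByKeyword
{
    meta:
        author = "@neonprimetime"
        description = "NjRat"
    strings:
        $string0 = "vitimas_" nocase
        $string1 = "|'|'||'|'|" nocase
    condition:
        1 of them
}

/* ------------------------- ------ Lokibot ------------- --------------------------- */
rule LokibotByKeyword
{
    // Panel path alone is decisive; the generic "fre.php" only counts when
    // paired with one of the credential-store paths.
    meta:
        author = "@neonprimetime"
        description = "Lokibot"
    strings:
        $string0a = "five/fre.php" nocase
        $string0b = "Panel/five" nocase
        $string1 = "fre.php" nocase
        $string2 = "Yandex\\YandexBrowser" nocase
        $string3 = "\\Mozilla\\SeaMonkey\\profiles.ini" nocase
        $string4 = "POP3 Password" nocase
        $string5 = "Software\\SimonTatham\\PuTTY\\Sessions" nocase
        $string6 = "EasyFTP\\data" nocase
        $string7 = "aPLib v1.01" nocase
        $string8 = "wcx_ftp.ini" nocase
    condition:
        $string0a or $string0b or ($string1 and ($string2 or $string3 or $string4 or $string5 or $string6 or $string7 or $string8))
}

/* ------------------------- ------ Revenge RAT ------------- --------------------------- */
rule RevengeRATByName
{
    meta:
        author = "@neonprimetime"
        description = "Revenge RAT"
    strings:
        $string0 = "Revenge-RAT" nocase
    condition:
        1 of them
}

rule RevengeRATByKeyword
{
    meta:
        author = "@neonprimetime"
        description = "Revenge RAT"
    strings:
        $capture1 = "Start Capture" nocase
        $capture2 = "CaptureScreen" nocase
        $dotnet1 = ".NET" nocase
        $agent1 = "FirewallProduct" nocase
        $agent2 = "AntiVirusProduct" nocase
        $exfil1 = "USERDOMAIN=" nocase
    condition:
        $dotnet1 and ($capture1 or $capture2) and ($agent1 or $agent2) and $exfil1
}

/* ------------------------- ------ BrushaLoader ------------- --------------------------- */
rule BrushaLoaderByKeyword
{
    // "xyz" is a three-letter substring and matches far more than the TLD;
    // the conjunction with the other two strings is what carries the rule.
    meta:
        author = "@neonprimetime"
        description = "BrushaLoader"
    strings:
        $vbe = ".shellexecute" nocase
        $xyzdomain = "xyz" nocase
        $google = "www.google.com" nocase
    condition:
        $vbe and $xyzdomain and $google
}

/* ------------------------- ------ Agent Tesla ------------- --------------------------- */
rule AgentTeslaByKeyword
{
    meta:
        author = "@neonprimetime"
        description = "Agent Tesla"
    strings:
        $checkip1 = "checkip.aws" nocase
        $checkip2 = "checkip.amazon" nocase
        $smtpexfil1 = "smtp." nocase
        $smtpexfil2 = ":587" nocase
        $dotnet1 = ".net" nocase
    condition:
        ($checkip1 or $checkip2) and ($smtpexfil1 or $smtpexfil2) and $dotnet1
}

/* ------------------------- ------ Trickbot ------------ --------------------------- */
rule TrickbotByKeyword
{
    meta:
        author = "@neonprimetime"
        description = "Trickbot"
    strings:
        $string1 = "serialNumber=" nocase
        $string2 = "emailAddress=" nocase
        $string3 = "/snapshot/" nocase
        $string4 = "Login Data.bak" nocase
        $string5 = "Grab_Passwords_Chrome" nocase
        $string6 = "Dinkumware" nocase
        $string7 = "tablecredit_cards" nocase
        $string8 = "server_addresses" nocase
    condition:
        3 of them
}

/* ------------------------- ------ Azorult ------------- --------------------------- */
rule AzorultByKeyword
{
    meta:
        author = "@neonprimetime"
        description = "Azorult"
    strings:
        $string1 = "wallet.dat" nocase
        $string2 = "PasswordsList.txt" nocase
        $string3 = "timeout.exe" nocase
        $string4 = "Wscript.Shell" nocase
        $string5 = "dotbit.me" nocase
    condition:
        3 of them
}

/* ------------------------- ------ Netwire ------------- --------------------------- */
rule NetwireByName
{
    meta:
        author = "@neonprimetime"
        description = "Netwire"
    strings:
        $string1 = "SOFTWARE\\NetWire" nocase
    condition:
        1 of them
}

/* -------------------------------------- Emotet by Keyword ------------------------------- */
rule EmotetByKeyword
{
    meta:
        author = "@neonprimetime"
        description = "Emotet Keyword"
    strings:
        $string1 = "acquiremailbox.exe" nocase
        $string2 = "fillmailbox.exe" nocase
        $string3 = "inboxmailbox.exe" nocase
        $string4 = "mailboxacquire.exe" nocase
        $string5 = "mailboxinbox.exe" nocase
        $string6 = "mailboxmailbox.exe" nocase
        $string7 = "manualmailbox.exe" nocase
        $string8 = "monthlymailbox.exe" nocase
        $string9 = "pdfmailbox.exe" nocase
        $string10 = "publishmailbox.exe" nocase
        $string11 = "deployinbox.exe" nocase
        $string12 = "inboxinbox.exe" nocase
        $string13 = "inboxnetsh.exe" nocase
        $string14 = "mailboxinbox.exe" nocase
        $string15 = "netshinbox.exe" nocase
        $string16 = "createatargets.exe" nocase
        $string17 = "ducktargets.exe" nocase
        $string18 = "restoretargets.exe" nocase
        $string19 = "sendtargets.exe" nocase
    condition:
        1 of them
}

/* ------------------------- ------ Phoenix Keylogger ------------- --------------------------- */
rule PhoenixKeyloggerByName
{
    meta:
        author = "@neonprimetime"
        description = "Phoenix Keylogger"
    strings:
        $string1 = "Phoenix Keylogger" nocase
    condition:
        1 of them
}

/* ------------------------- ------ BetaBot ------------- --------------------------- */
rule BetaBotByKeyword
{
    meta:
        author = "@neonprimetime"
        description = "BetaBot"
    strings:
        $string1 = "OnAsyncDestroy" nocase
        $string2 = "OnDestroySubject" nocase
        $string3 = "OnRemoveExisting" nocase
        $string4 = "ccnumber" nocase
    condition:
        all of them
}

/* ------------------------- ------ Generic Malware ------------- --------------------------- */
rule GenericDotNetFramework
{
    // Case-sensitive on purpose (no nocase).
    meta:
        author = "@neonprimetime"
        description = "Generic .NET Framework detection"
    strings:
        $string1 = ".NETFramework"
    condition:
        1 of them
}

rule GenericBitcoinStealer
{
    meta:
        author = "@neonprimetime"
        description = "Generic Bitcoin Stealer"
    strings:
        $string1 = "wallet.dat" nocase
        $string2 = "\\wallets\\" nocase
        $string3 = "\\Electrum" nocase
        $string4 = "Coins\\" nocase
        $string5 = "\\bitcoin" nocase
        $string6 = "\\monero" nocase
        $string7 = "electrum.dat" nocase
        $string8 = "wallet_path" nocase
    condition:
        1 of them
}

rule GenericUPXPacker
{
    // "UPX" is three characters; expect hits on unrelated data.
    meta:
        author = "@neonprimetime"
        description = "Generic UPX packer"
    strings:
        $string1 = "UPX" nocase
    condition:
        1 of them
}

rule GenericAutoItPacker
{
    meta:
        author = "@neonprimetime"
        description = "Generic AutoItPacker"
    strings:
        $string1 = "AutoIt" nocase
        $string2 = "Auto-It" nocase
    condition:
        1 of them
}

rule GenericCreditCardStealer
{
    meta:
        author = "@neonprimetime"
        description = "Generic Credit Card Stealer"
    strings:
        $string1 = "ccnumber" nocase
        $string2 = "expirationmonth" nocase
        $string3 = "monthexpiration" nocase
        $string4 = "card_number" nocase
        $string5 = "securitycode=" nocase
        $string6 = "=amex" nocase
        $string7 = "=visa" nocase
        $string8 = "cardnumber" nocase
    condition:
        1 of them
}

rule GenericWebTraffic
{
    meta:
        author = "@neonprimetime"
        description = "Generic Web Traffic"
    strings:
        $string1 = "Server: lighttpd" nocase
        $string2 = "Host: %s" nocase
        $string3 = "POST %s" nocase
        $string4 = ".php" nocase
    condition:
        1 of them
}

rule GenericNetworkTraffic
{
    // Dot, 2-3 characters, colon, digits: a loose host:port shape.
    meta:
        author = "@neonprimetime"
        description = "Generic Network Traffic"
    strings:
        $string1 = /\..{2,3}\:\d+/ nocase
    condition:
        1 of them
}

rule GenericScheduledTask
{
    meta:
        author = "@neonprimetime"
        description = "Generic Scheduled Task"
    strings:
        $string1 = "schtasks" nocase
    condition:
        1 of them
}

rule GenericDomainFlag
{
    meta:
        author = "@neonprimetime"
        description = "Generic Domain Flag from AD"
    strings:
        $string1 = "/domain" nocase
    condition:
        1 of them
}

rule GenericCreateFlag
{
    meta:
        author = "@neonprimetime"
        description = "Generic Create Flag from AD"
    strings:
        $string1 = "/create" nocase
    condition:
        1 of them
}

rule GenericAddFlag
{
    meta:
        author = "@neonprimetime"
        description = "Generic Add Flag from AD"
    strings:
        $string1 = "/add" nocase
    condition:
        1 of them
}

rule GenericSpamMailer
{
    meta:
        author = "@neonprimetime"
        description = "Generic Spam Mailer"
    strings:
        $string1 = "SEND FROM:" nocase
        $string2 = ":587" nocase
        $string3 = "smtp." nocase
    condition:
        1 of them
}

rule GenericIPLookup
{
    meta:
        author = "@neonprimetime"
        description = "Generic IP Lookup"
    strings:
        $string1 = "checkip.amazonaws.com" nocase
        $string2 = "check-ip.aws." nocase
        $string3 = "ipecho.net" nocase
    condition:
        1 of them
}

rule GenericWebcamAccess
{
    meta:
        author = "@neonprimetime"
        description = "Generic Webcam Access"
    strings:
        $string1 = "webcam" nocase
        $string2 = "OpenCamera" nocase
        $string3 = "CloseCamera" nocase
    condition:
        1 of them
}

rule GenericScreenCapture
{
    meta:
        author = "@neonprimetime"
        description = "Generic Screen Capture"
    strings:
        $string1 = "CaptureScreen" nocase
    condition:
        1 of them
}

rule GenericCredentialStealer
{
    // $string24 ("\\HTTP Password") duplicated $string21 and was dropped;
    // matching is unchanged.
    meta:
        author = "@neonprimetime"
        description = "Generic Credential Stealer"
    strings:
        $string1 = "Profiles\\Outlook" nocase
        $string2 = "Login Data" nocase
        $string3 = "encryptedPassword" nocase
        $string4 = "HTTP Password" nocase
        $string5 = "\\profiles.ini" nocase
        $string6 = "\\POP3 Password" nocase
        $string7 = "PuTTY\\Sessions" nocase
        $string8 = "EasyFTP\\data" nocase
        $string9 = "Ftplist.txt" nocase
        $string10 = "\\Login Data" nocase
        $string11 = "\\ws_ftp.ini" nocase
        $string13 = "\\accounts.ini" nocase
        $string14 = "\\accounts.dat" nocase
        $string15 = "CREATE TABLE logins" nocase
        $string16 = "CREATE INDEX logins_signon" nocase
        $string17 = "DecryptIePassword" nocase
        $string18 = "GetSavedPasswords" nocase
        $string19 = "\\Passwords\\" nocase
        $string20 = "WinSCP 2\\Sessions" nocase
        $string21 = "\\HTTP Password" nocase
        $string22 = "\\IMAP Password" nocase
        $string23 = "\\SMTP Password" nocase
        $string25 = "[passwords]" nocase
        $string26 = "login-form" nocase
        $string27 = "recentservers.xml" nocase
        $string28 = "type=passwords" nocase
        $string29 = "user-password" nocase
        $string30 = "PasswordsList.txt" nocase
    condition:
        1 of them
}

rule GenericBrowserHistoryStealer
{
    meta:
        author = "@neonprimetime"
        description = "Generic Browser History Stealer"
    strings:
        $string1 = "from urls" nocase
        $string2 = "from moz_places" nocase
    condition:
        1 of them
}

rule GenericDataStealer
{
    // Profile-directory names of browsers, mail and FTP clients; "Google\\"
    // and "Mozilla\\" in particular occur in plenty of benign software.
    meta:
        author = "@neonprimetime"
        description = "Generic Data Stealer"
    strings:
        $string0 = "\\User Data" nocase
        $string1 = "360Chrome\\" nocase
        $string2 = "7Star\\" nocase
        $string3 = "Cyberfox\\" nocase
        $string4 = "Amigo\\" nocase
        $string5 = "Apple Computer\\" nocase
        $string6 = "BraveSoftware\\" nocase
        $string7 = "CatalinaGroup\\" nocase
        $string8 = "CentBrowser\\" nocase
        $string9 = "Chedot\\" nocase
        $string10 = "Chromium\\" nocase
        $string11 = "Claws-mail\\" nocase
        $string12 = "CocCoc\\" nocase
        $string13 = "Comodo\\" nocase
        $string14 = "Coowon\\" nocase
        $string15 = "CoreFTP\\" nocase
        $string16 = "Elements Browser\\" nocase
        $string17 = "Epic Privacy Browser\\" nocase
        $string18 = "falkon\\" nocase
        $string19 = "Fenrir Inc\\" nocase
        $string20 = "FileZilla\\" nocase
        $string21 = "Flock\\" nocase
        $string22 = "FTPGetter\\" nocase
        $string23 = "Google\\" nocase
        $string24 = "Ipswitch\\" nocase
        $string25 = "Iridium\\" nocase
        $string26 = "K-Meleon\\" nocase
        $string27 = "Kometa\\" nocase
        $string28 = "liebao\\" nocase
        $string29 = "MapleStudio\\" nocase
        $string31 = "Moonchild Productions\\" nocase
        $string32 = "Mozilla\\" nocase
        $string35 = "NETGATE Technologies\\" nocase
        $string36 = "Opera Mail\\" nocase
        $string37 = "Opera Software\\" nocase
        $string38 = "Orbitum\\" nocase
        $string39 = "Pocomail\\" nocase
        $string40 = "Postbox\\" nocase
        $string41 = "Psi\\" nocase
        $string42 = "Psi+\\" nocase
        $string43 = "QIP Surf\\" nocase
        $string45 = "SmartFTP\\" nocase
        $string46 = "Sputnik\\" nocase
        $string47 = "Tencent\\" nocase
        $string48 = "The Bat!" nocase
        $string49 = "Thunderbird\\" nocase
        $string50 = "Torch\\" nocase
        $string51 = "Trillian\\" nocase
        $string52 = "UCBrowser\\" nocase
        $string53 = "uCozMedia\\" nocase
        $string54 = "VirtualStore\\" nocase
        $string55 = "Vivaldi\\" nocase
        $string56 = "Waterfox\\" nocase
        $string57 = "Yandex\\" nocase
        $string58 = "keychain.plist" nocase
        $string59 = "GetSavedCookies" nocase
        $string60 = "wcx_ftp.ini" nocase
        $string61 = "Start Capture" nocase
        $string62 = "\\accounts.xml" nocase
        $string63 = "\\places.sqlite" nocase
        $string67 = "cookies.sqlite" nocase
    condition:
        1 of them
}

rule GenericDeletesItself
{
    meta:
        author = "@neonprimetime"
        description = "Generic Deletes Itself"
    strings:
        $string1 = "DEL /s" nocase
        $string2 = "cmd /c del" nocase
        $string3 = "deleteSelf" nocase
        $string4 = "/c del %s" nocase
        $string5 = "%del" nocase
        $string6 = "& del" nocase
    condition:
        1 of them
}

rule GenericMaliciousCommand
{
    meta:
        author = "@neonprimetime"
        description = "Generic Malicious Command"
    strings:
        $string1 = "CompSpec" nocase
    condition:
        1 of them
}

rule GenericKeylogger
{
    meta:
        author = "@neonprimetime"
        description = "Generic Keylogger"
    strings:
        $string1 = "Keylog" nocase
        $string2 = "KeyboardLogging" nocase
        $string3 = "[Enter]" nocase
        $string4 = "[Ctrl + C]" nocase
        $string5 = "[Ctrl + V]" nocase
    condition:
        1 of them
}

rule GenericDelay
{
    meta:
        author = "@neonprimetime"
        description = "Generic Delay"
    strings:
        $string1 = "ping 192" nocase
        $string2 = "ping 127" nocase
    condition:
        1 of them
}

rule GenericSecurityToolDetection
{
    meta:
        author = "@neonprimetime"
        description = "Generic Security Tool Detection"
    strings:
        $string1 = "FROM FirewallProduct" nocase
        $string2 = "from AntiVirusProduct" nocase
    condition:
        1 of them
}

rule GenericDisableAntivirus
{
    meta:
        author = "@neonprimetime"
        description = "Generic Disable AntiVirus"
    strings:
        $string1 = "DisableBehaviorMonitoring" nocase
        $string2 = "DisableOnAccessProtection" nocase
        $string3 = "DisableScanOnRealtime" nocase
        $string4 = "DisableRealtimeMonitoring" nocase
        $string5 = "DisableBlockAtFirstSeen" nocase
        $string6 = "DisableIOAVProtection" nocase
        $string7 = "DisableAntiSpyware" nocase
        $string8 = "DisableArchiveScanning" nocase
        $string9 = "DisableScriptScanning" nocase
        $string10 = "Set-MpPreference" nocase
    condition:
        1 of them
}

rule GenericFirewallModification
{
    meta:
        author = "@neonprimetime"
        description = "Generic Firewall Modification"
    strings:
        $string1 = "netsh advfirewall" nocase
        $string2 = "firewall add" nocase
    condition:
        1 of them
}

rule GenericPHPPanel
{
    meta:
        author = "@neonprimetime"
        description = "Generic PHP Panel"
    strings:
        $string1 = "/gate.php" nocase
        $string2 = "/fre.php" nocase
    condition:
        1 of them
}

rule GenericBase64
{
    // "==" followed by CRLF: the padding at the end of a base64 line.
    meta:
        author = "@neonprimetime"
        description = "Generic Base64"
    strings:
        $string1 = /\=\=\r\n/ nocase
    condition:
        1 of them
}

rule GenericDynamicDns
{
    meta:
        author = "@neonprimetime"
        description = "Generic Dynamic DNS"
    strings:
        $string1 = ".duckdns.org" nocase
    condition:
        1 of them
}

rule GenericVisualBasicScript
{
    meta:
        author = "@neonprimetime"
        description = "Generic Visual Basic Script"
    strings:
        $string1 = ".shellexecute" nocase
        $string2 = "shell.application" nocase
        $string3 = "Wscript.Sleep" nocase
        $string4 = "ExecuteGlobal" nocase
        $string5 = "Shell.run" nocase
        $string6 = "Scripting.FileSystemObject" nocase
        $string7 = ":::const " nocase
        $string8 = "vbscontent" nocase
        $string9 = "Execute(" nocase
        $string10 = "ChrW(48) & ChrW(" nocase
        $string11 = "ChrW(48)&ChrW(" nocase
    condition:
        1 of them
}

rule GenericHackerTerms
{
    meta:
        author = "@neonprimetime"
        description = "Generic Hacker Terms"
    strings:
        $string1 = "payloadpath" nocase
        $string2 = "payloadexist" nocase
    condition:
        1 of them
}

rule GenericAntiDebug
{
    meta:
        author = "@neonprimetime"
        description = "Generic Anti Debug techniques"
    strings:
        $string1 = "CheckRemoteDebuggerPresent" nocase
    condition:
        1 of them
}

rule GenericTor
{
    meta:
        author = "@neonprimetime"
        description = "Generic Tor Dark Web"
    strings:
        $string1 = "torproject.org" nocase
        $string2 = ".onion" nocase
        $string3 = "TOR browser" nocase
    condition:
        1 of them
}

rule GenericPasswordList
{
    meta:
        author = "@neonprimetime"
        description = "Generic Password List"
    strings:
        $string1 = "peternorth" nocase
        $string2 = "motherfucker" nocase
        $string3 = "pimpdaddy" nocase
        $string4 = "ihavenopass" nocase
        $string5 = "fuckoff" nocase
        $string6 = "dickhead" nocase
        $string7 = "passw0rd" nocase
        $string8 = "changeme" nocase
    condition:
        1 of them
}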
rule GenericUserAgent
{
    // Command-line HTTP clients announcing themselves in the User-Agent
    // header; unusual for a browser session.
    meta:
        author = "@neonprimetime"
        description = "Generic User Agents oddities"
    strings:
        $ua_curl = "User-Agent: curl" nocase
        $ua_wget = "User-Agent: wget" nocase
    condition:
        any of them
}
rule GenericWebServer
{
    // Lower-case server names, deliberately case-sensitive (no nocase).
    meta:
        author = "@neonprimetime"
        description = "Generic Web Server info"
    strings:
        $srv_nginx  = "nginx"
        $srv_apache = "apache"
    condition:
        any of them
}