YARA rules for OilRig
133 rules · scoped to actor · back to OilRig
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.
rule Batch_Script_To_Run_PsExec {
meta:
author = "NCSC"
description = "Detects malicious batch file from NCSC report"
reference = "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"
date = "2018/04/06"
hash = "b7d7c4bc8f9fd0e461425747122a431f93062358ed36ce281147998575ee1a18"
id = "1fbeeec8-a5bd-569e-b435-c7d82d32e47b"
strings:
$ = "Tokens=1 delims=" ascii
$ = "SET ws=%1" ascii
$ = "Checking %ws%" ascii
$ = "%TEMP%\\%ws%ns.txt" ascii
$ = "ps.exe -accepteula" ascii
condition:
3 of them
}
rule Casper_SystemInformation_Output {
meta:
description = "Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://goo.gl/VRJNLo"
date = "2015/03/06"
score = 70
id = "aaae200c-7ef1-52eb-be5b-36e0ad29ecef"
strings:
$a0 = "***** SYSTEM INFORMATION ******"
$a1 = "***** SECURITY INFORMATION ******"
$a2 = "Antivirus: "
$a3 = "Firewall: "
$a4 = "***** EXECUTION CONTEXT ******"
$a5 = "Identity: "
$a6 = "<CONFIG TIMESTAMP="
condition:
all of them
}
rule Certutil_Decode_OR_Download {
meta:
description = "Certutil Decode"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
score = 40
date = "2017-08-29"
modified = "2026-04-01"
id = "63bdefd2-225a-56d5-b615-5e236c97f050"
strings:
$a1 = "certutil -decode " ascii wide
$a2 = "certutil -decode " ascii wide
$a3 = "certutil.exe -decode " ascii wide
$a4 = "certutil.exe -decode " ascii wide
$a5 = "certutil -urlcache -split -f http" ascii wide
$a6 = "certutil.exe -urlcache -split -f http" ascii wide
$fp_msi = { 52 00 6F 00 6F 00 74 00 20 00 45 00 6E 00 74 00 72 00 79 }
$fp_doc = "https://docs.aws.amazon.com" ascii
condition:
filesize < 700KB
and 1 of ($a*)
and not 1 of ($fp*)
}
rule APT_Cloaked_CERTUTIL {
meta:
description = "Detects a renamed certutil.exe utility that is often used to decode encoded payloads"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2018-09-14"
modified = "2022-06-27"
id = "13943cda-6bb1-5c6c-8e55-e8d4bba1ffef"
strings:
$s1 = "-------- CERT_CHAIN_CONTEXT --------" fullword ascii
$s5 = "certutil.pdb" fullword ascii
$s3 = "Password Token" fullword ascii
condition:
uint16(0) == 0x5a4d and all of them
and not filename contains "certutil"
and not filename contains "CertUtil"
and not filename contains "Certutil"
and not filepath contains "\\Bromium\\"
}
rule Binary_Drop_Certutil {
meta:
description = "Drop binary as base64 encoded cert trick"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/9DNn8q"
date = "2015-07-15"
score = 70
id = "19791e51-d041-524d-80fa-9f3ec54eb084"
strings:
$s0 = "echo -----BEGIN CERTIFICATE----- >" ascii
$s1 = "echo -----END CERTIFICATE----- >>" ascii
$s2 = "certutil -decode " ascii
condition:
filesize < 10KB and all of them
}
rule Lazagne_PW_Dumper {
meta:
description = "Detects Lazagne PW Dumper"
author = "Markus Neis / Florian Roth"
reference = "https://github.com/AlessandroZ/LaZagne/releases/"
date = "2018-03-22"
score = 70
id = "1904029e-9336-5278-ae2e-4bc853316600"
strings:
$s1 = "Crypto.Hash" fullword ascii
$s2 = "laZagne" fullword ascii
$s3 = "impacket.winregistry" fullword ascii
condition:
3 of them
}
rule HKTL_Lazagne_PasswordDumper_Dec18_1 {
meta:
description = "Detects password dumper Lazagne often used by middle eastern threat groups"
author = "Florian Roth (Nextron Systems)"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
reference = "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group"
date = "2018-12-11"
score = 85
hash1 = "1205f5845035e3ee30f5a1ced5500d8345246ef4900bcb4ba67ef72c0f79966c"
hash2 = "884e991d2066163e02472ea82d89b64e252537b28c58ad57d9d648b969de6a63"
hash3 = "bf8f30031769aa880cdbe22bc0be32691d9f7913af75a5b68f8426d4f0c7be50"
id = "bae48a4d-33b6-55b9-abf5-daf87e5da9e9"
strings:
$s1 = "softwares.opera(" ascii
$s2 = "softwares.mozilla(" ascii
$s3 = "config.dico(" ascii
$s4 = "softwares.chrome(" ascii
$s5 = "softwares.outlook(" ascii
condition:
uint16(0) == 0x5a4d and filesize < 17000KB and 1 of them
}
rule HKTL_Lazagne_Gen_18 {
meta:
description = "Detects Lazagne password extractor hacktool"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/AlessandroZ/LaZagne"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
date = "2018-12-11"
score = 80
hash1 = "51121dd5fbdfe8db7d3a5311e3e9c904d644ff7221b60284c03347938577eecf"
id = "034ea6d8-f5cf-5664-9ff9-24d19403093d"
strings:
$x1 = "lazagne.config.powershell_execute(" ascii
$x2 = "creddump7.win32." ascii
$x3 = "lazagne.softwares.windows.hashdump" ascii
$x4 = ".softwares.memory.libkeepass.common(" ascii
condition:
2 of them
}
rule Impacket_Keyword {
meta:
description = "Detects Impacket Keyword in Executable"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-08-04"
score = 60
hash1 = "9388c78ea6a78dbea307470c94848ae2481481f593d878da7763e649eaab4068"
hash2 = "2f6d95e0e15174cfe8e30aaa2c53c74fdd13f9231406b7103da1e099c08be409"
id = "a92962e6-1b05-583b-8b06-f226bdea88e2"
strings:
$s1 = "impacket.smb(" ascii
$s2 = "impacket.ntlm(" ascii
$s3 = "impacket.nmb(" ascii
condition:
(uint16(0) == 0x5a4d and filesize < 14000KB and 1 of them)
}
rule Impacket_Tools_tracer {
meta:
description = "Compiled Impacket Tools"
author = "Florian Roth"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
modified = "2021-07-15"
hash1 = "e300339058a885475f5952fb4e9faaa09bb6eac26757443017b281c46b03108b"
strings:
$s1 = "btk85.dll" fullword ascii
$s2 = "btcl85.dll" fullword ascii
$s3 = "xtk\\unsupported.tcl" fullword ascii
$fp1 = "Linden Research Inc" wide
condition:
( uint16(0) == 0x5a4d and filesize < 21000KB and all of ($s*) )
and not 1 of ($fp*)
}
rule Impacket_Tools_wmiexec {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "19544863758341fe7276c59d85f4aa17094045621ca9c98f8a9e7307c290bad4"
id = "3c2c7edf-da71-53dc-9ddf-dfbf10838a27"
strings:
$s1 = "bwmiexec.exe.manifest" fullword ascii
$s2 = "swmiexec" fullword ascii
$s3 = "\\yzHPlU=QA" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and 2 of them )
}
rule Impacket_Tools_sniffer {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "efff15e1815fb3c156678417d6037ddf4b711a3122c9b5bc2ca8dc97165d3769"
id = "07051edc-91a8-59d6-87bf-dba98ef28588"
strings:
$s1 = "ssniffer" fullword ascii
$s2 = "impacket.dhcp(" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 15000KB and all of them )
}
rule Impacket_Tools_mmcexec {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "263a1655a94b7920531e123a8c9737428f2988bf58156c62408e192d4b2a63fc"
id = "cca2082f-72a4-50c8-80b8-a9bed430dc4e"
strings:
$s1 = "smmcexec" fullword ascii
$s2 = "\\yzHPlU=QA" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 16000KB and all of them )
}
rule Impacket_Tools_ifmap {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "20a1f11788e6cc98a76dca2db4691963c054fc12a4d608ac41739b98f84b3613"
id = "e5461916-ec2b-5f65-b938-267483f50bb2"
strings:
$s1 = "bifmap.exe.manifest" fullword ascii
$s2 = "impacket.dcerpc.v5.epm(" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 15000KB and all of them )
}
rule karmaSMB {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "d256d1e05695d62a86d9e76830fcbb856ba7bd578165a561edd43b9f7fdb18a3"
id = "32c810c7-02e7-5203-b2ed-4e930b318cc0"
strings:
$s1 = "bkarmaSMB.exe.manifest" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
rule samrdump {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "4c2921702d18e0874b57638433474e54719ee6dfa39d323839d216952c5c834a"
id = "cd274719-c8cc-5882-8d75-192ad822c6b3"
strings:
$s2 = "bsamrdump.exe.manifest" fullword ascii
$s3 = "ssamrdump" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
rule Impacket_Tools_rpcdump {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "21d85b36197db47b94b0f4995d07b040a0455ebbe6d413bc33d926ee4e0315d9"
id = "3f998aa6-c260-5fef-99ef-e8b4770c68c6"
strings:
$s1 = "srpcdump" fullword ascii
$s2 = "impacket.dcerpc.v5.epm(" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
rule Impacket_Tools_secretsdump {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "47afa5fd954190df825924c55112e65fd8ed0f7e1d6fd403ede5209623534d7d"
id = "c944d051-ea24-5595-abef-59e326ad56de"
strings:
$s1 = "ssecretsdump" fullword ascii
$s2 = "impacket.ese(" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
rule Impacket_Tools_esentutl {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "70d854953d3ebb2c252783a4a103ba0e596d6ab447f238af777fb37d2b64c0cd"
id = "1965e2b3-54be-553a-83d6-a0d4919414dd"
strings:
$s1 = "impacket.ese(" ascii
$s2 = "sesentutl" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 11000KB and all of them )
}
rule Impacket_Tools_opdump {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "e2205539f29972d4e2a83eabf92af18dd406c9be97f70661c336ddf5eb496742"
id = "1bb0e747-e9b7-5a54-8052-428351be8d0d"
strings:
$s2 = "bopdump.exe.manifest" fullword ascii
$s3 = "sopdump" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
rule Impacket_Tools_sniff {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "8ab2b60aadf97e921e3a9df5cf1c135fbc851cb66d09b1043eaaa1dc01b9a699"
id = "07051edc-91a8-59d6-87bf-dba98ef28588"
strings:
$s1 = "ssniff" fullword ascii
$s2 = "impacket.eap(" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 15000KB and all of them )
}
rule Impacket_Tools_smbexec {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "7d715217e23a471d42d95c624179fe7de085af5670171d212b7b798ed9bf07c2"
id = "02208817-2eab-54e2-90cf-44dbf5474607"
strings:
$s1 = "logging.config(" ascii
$s2 = "ssmbexec" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
rule Impacket_Tools_goldenPac {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "4f7fad0676d3c3d2d89e8d4e74b6ec40af731b1ddf5499a0b81fc3b1cd797ee3"
id = "9894d16c-83fa-5e1d-9ca6-572deeec006a"
strings:
$s1 = "impacket.examples.serviceinstall(" ascii
$s2 = "bgoldenPac.exe" fullword ascii
$s3 = "json.scanner(" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
rule Impacket_Tools_netview {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "ab909f8082c2d04f73d8be8f4c2640a5582294306dffdcc85e83a39d20c49ed6"
id = "1b9238d2-b9b1-5633-8481-05a3a97af5a6"
strings:
$s1 = "impacket.dcerpc.v5.wkst(" ascii
$s2 = "dummy_threading(" ascii
$s3 = "snetview" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
rule Impacket_Tools_smbtorture {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "d2856e98011541883e5b335cb46b713b1a6b2c414966a9de122ee7fb226aa7f7"
id = "4f9b55e2-93ce-5d08-a228-73233fb0a2c6"
strings:
$s1 = "impacket" fullword ascii
$s2 = "ssmbtorture" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
rule Impacket_Tools_smbrelayx {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "9706eb99e48e445ac4240b5acb2efd49468a800913e70e40b25c2bf80d6be35f"
id = "84abf3cf-841c-592d-a9d1-71d5e76eb43f"
strings:
$s1 = "impacket.examples.secretsdump" fullword ascii
$s2 = "impacket.examples.serviceinstall" fullword ascii
$s3 = "impacket.smbserver(" ascii
$s4 = "SimpleHTTPServer(" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 18000KB and 3 of them )
}
rule Impacket_Tools_wmipersist {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "2527fff1a3c780f6a757f13a8912278a417aea84295af1abfa4666572bbbf086"
id = "29bda652-28f0-5ab6-9bc2-411f20ab0dda"
strings:
$s1 = "swmipersist" fullword ascii
$s2 = "\\yzHPlU=QA" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
rule Impacket_Tools_lookupsid {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "47756725d7a752d3d3cfccfb02e7df4fa0769b72e008ae5c85c018be4cf35cc1"
id = "27f13397-b044-54b4-b5e8-c5f7ed374f59"
strings:
$s1 = "slookupsid" fullword ascii
$s2 = "impacket.dcerpc" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 15000KB and all of them )
}
rule Impacket_Tools_wmiquery {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "202a1d149be35d96e491b0b65516f631f3486215f78526160cf262d8ae179094"
id = "e8bdf27a-9763-5947-854f-162f74ff53be"
strings:
$s1 = "swmiquery" fullword ascii
$s2 = "\\yzHPlU=QA" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
rule Impacket_Tools_atexec {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "337bd5858aba0380e16ee9a9d8f0b3f5bfc10056ced4e75901207166689fbedc"
id = "4f02e304-69d4-5952-80be-793379bccac0"
strings:
$s1 = "batexec.exe.manifest" fullword ascii
$s2 = "satexec" fullword ascii
$s3 = "impacket.dcerpc" fullword ascii
$s4 = "# CSZq" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 15000KB and 3 of them )
}
rule Impacket_Tools_Generic_1 {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
super_rule = 1
hash1 = "4f7fad0676d3c3d2d89e8d4e74b6ec40af731b1ddf5499a0b81fc3b1cd797ee3"
hash2 = "d256d1e05695d62a86d9e76830fcbb856ba7bd578165a561edd43b9f7fdb18a3"
hash3 = "2d8d500bcb3ffd22ddd8bd68b5b2ce935c958304f03729442a20a28b2c0328c1"
hash4 = "ab909f8082c2d04f73d8be8f4c2640a5582294306dffdcc85e83a39d20c49ed6"
hash5 = "e2205539f29972d4e2a83eabf92af18dd406c9be97f70661c336ddf5eb496742"
hash6 = "27bb10569a872367ba1cfca3cf1c9b428422c82af7ab4c2728f501406461c364"
hash7 = "dc85a3944fcb8cc0991be100859c4e1bf84062f7428c4dc27c71e08d88383c98"
hash8 = "0f7f0d8afb230c31fe6cf349c4012b430fc3d6722289938f7e33ea15b2996e1b"
hash9 = "21d85b36197db47b94b0f4995d07b040a0455ebbe6d413bc33d926ee4e0315d9"
hash10 = "4c2921702d18e0874b57638433474e54719ee6dfa39d323839d216952c5c834a"
hash11 = "47afa5fd954190df825924c55112e65fd8ed0f7e1d6fd403ede5209623534d7d"
hash12 = "7d715217e23a471d42d95c624179fe7de085af5670171d212b7b798ed9bf07c2"
hash13 = "9706eb99e48e445ac4240b5acb2efd49468a800913e70e40b25c2bf80d6be35f"
hash14 = "d2856e98011541883e5b335cb46b713b1a6b2c414966a9de122ee7fb226aa7f7"
hash15 = "8ab2b60aadf97e921e3a9df5cf1c135fbc851cb66d09b1043eaaa1dc01b9a699"
hash16 = "efff15e1815fb3c156678417d6037ddf4b711a3122c9b5bc2ca8dc97165d3769"
hash17 = "e300339058a885475f5952fb4e9faaa09bb6eac26757443017b281c46b03108b"
hash18 = "19544863758341fe7276c59d85f4aa17094045621ca9c98f8a9e7307c290bad4"
hash19 = "2527fff1a3c780f6a757f13a8912278a417aea84295af1abfa4666572bbbf086"
hash20 = "202a1d149be35d96e491b0b65516f631f3486215f78526160cf262d8ae179094"
id = "d2ce6426-d165-5569-a992-268f05622653"
strings:
$s1 = "bpywintypes27.dll" fullword ascii
$s2 = "hZFtPC" fullword ascii
$s3 = "impacket" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 21000KB and all of ($s*) ) or ( all of them )
}
rule Impacket_Lateral_Movement {
meta:
description = "Detects Impacket Network Aktivity for Lateral Movement"
author = "Markus Neis"
reference = "https://github.com/CoreSecurity/impacket"
date = "2018-03-22"
score = 60
id = "44db234c-ac81-5d21-bc2a-8cfd88807c0d"
strings:
$s1 = "impacket.dcerpc.v5.transport(" ascii
$s2 = "impacket.smbconnection(" ascii
$s3 = "impacket.dcerpc.v5.ndr(" ascii
$s4 = "impacket.spnego(" ascii
$s5 = "impacket.smb(" ascii
$s6 = "impacket.ntlm(" ascii
$s7 = "impacket.nmb(" ascii
condition:
uint16(0) == 0x5a4d and filesize < 14000KB and 2 of them
}
rule HackTool_PY_ImpacketObfuscation_1
{
meta:
date = "2020-12-01"
modified = "2020-12-01"
description = "smbexec"
md5 = "0b1e512afe24c31531d6db6b47bac8ee"
reference = "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html"
author = "FireEye"
id = "992d1132-3136-5e1b-a1ef-dcdf36ebf0f5"
strings:
$s1 = "class CMDEXEC" nocase
$s2 = "class RemoteShell" nocase
$s3 = "self.services_names"
$s4 = "import random"
$s6 = /self\.__shell[\x09\x20]{0,32}=[\x09\x20]{0,32}[\x22\x27]%CoMSpEC%[\x09\x20]{1,32}\/q[\x09\x20]{1,32}\/K [\x22\x27]/ nocase
$s7 = /self\.__serviceName[\x09\x20]{0,32}=[\x09\x20]{0,32}self\.services_names\[random\.randint\([\x09\x20]{0,32}0[\x09\x20]{0,32},[\x09\x20]{0,32}len\(self\.services_names\)[\x09\x20]{0,32}-[\x09\x20]{0,32}1\)\]/
condition:
all of them
}
rule HackTool_PY_ImpacketObfuscation_2
{
meta:
description = "Detects FireEye's wmiexec impacket obfuscation"
date = "2020-12-01"
modified = "2020-12-01"
md5 = "f3dd8aa567a01098a8a610529d892485"
reference = "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html"
author = "FireEye"
id = "f1059f66-eaff-5866-bafb-c94236cf96a0"
strings:
$s1 = "import random"
$s2 = "class WMIEXEC" nocase
$s3 = "class RemoteShell" nocase
$s4 = /=[\x09\x20]{0,32}str\(int\(time\.time\(\)\)[\x09\x20]{0,32}-[\x09\x20]{0,32}random\.randint\(\d{1,10}[\x09\x20]{0,32},[\x09\x20]{0,32}\d{1,10}\)\)[\x09\x20]{0,32}\+[\x09\x20]{0,32}str\(uuid\.uuid4\(\)\)\.split\([\x22\x27]\-[\x22\x27]\)\[0\]/
$s5 = /self\.__shell[\x09\x20]{0,32}=[\x09\x20]{0,32}[\x22\x27]cmd.exe[\x09\x20]{1,32}\/q[\x09\x20]{1,32}\/K [\x22\x27]/ nocase
condition:
all of them
}
rule OilRig_Strings_Oct17 {
meta:
description = "Detects strings from OilRig malware and malicious scripts"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/"
date = "2017-10-18"
modified = "2022-12-21"
id = "edf7c7ca-0c58-5507-8d99-83078ff8947a"
strings:
$x1 = "%localappdata%\\srvHealth.exe" fullword wide ascii
$x2 = "%localappdata%\\srvBS.txt" fullword wide ascii
$x3 = "Agent Injector\\PolicyConverter\\Inner\\obj\\Release\\Inner.pdb" ascii
$x4 = "Agent Injector\\PolicyConverter\\Joiner\\obj\\Release\\Joiner.pdb" ascii
$s3 = ".LoadDll(\"Run\", arg, \"C:\\\\Windows\\\\" ascii
condition:
filesize < 800KB and 1 of them
}
rule OilRig_ISMAgent_Campaign_Samples1 {
meta:
description = "Detects OilRig malware from Unit 42 report in October 2017"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/JQVfFP"
date = "2017-10-18"
hash1 = "119c64a8b35bd626b3ea5f630d533b2e0e7852a4c59694125ff08f9965b5f9cc"
hash2 = "0ccb2117c34e3045a4d2c0d193f1963c8c0e8566617ed0a561546c932d1a5c0c"
id = "237fe7af-a2ab-51ae-bc96-3af46b08622a"
strings:
$s1 = "###$$$TVqQAAMAAAAEAAAA" ascii
$s2 = "C:\\Users\\J-Win-7-32-Vm\\Desktop\\error.jpg" fullword wide
$s3 = "$DATA = [System.Convert]::FromBase64String([IO.File]::ReadAllText('%Base%'));[io.file]::WriteAllBytes(" ascii
$s4 = " /c echo powershell > " fullword wide ascii
$s5 = "\\Libraries\\servicereset.exe" wide
$s6 = "%DestFolder%" fullword wide ascii
condition:
uint16(0) == 0xcfd0 and filesize < 3000KB and 2 of them
}
rule OilRig_ISMAgent_Campaign_Samples2 {
meta:
description = "Detects OilRig malware from Unit 42 report in October 2017"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/JQVfFP"
date = "2017-10-18"
hash1 = "fcad263d0fe2b418db05f47d4036f0b42aaf201c9b91281dfdcb3201b298e4f4"
hash2 = "33c187cfd9e3b68c3089c27ac64a519ccc951ccb3c74d75179c520f54f11f647"
id = "08771b23-1d0e-5da7-b42c-005ed257e2d1"
strings:
$x1 = "PolicyConverter.exe" fullword wide
$x2 = "SrvHealth.exe" fullword wide
$x3 = "srvBS.txt" fullword wide
$s1 = "{a3538ba3-5cf7-43f0-bc0e-9b53a98e1643}, PublicKeyToken=3e56350693f7355e" fullword wide
$s2 = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 700KB and ( 2 of ($x*) or 3 of them )
}
rule OilRig_ISMAgent_Campaign_Samples3 {
meta:
description = "Detects OilRig malware from Unit 42 report in October 2017"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/JQVfFP"
date = "2017-10-18"
hash1 = "a9f1375da973b229eb649dc3c07484ae7513032b79665efe78c0e55a6e716821"
id = "e26510bd-d183-566a-a185-ebed7a81401c"
strings:
$x1 = "cmd /c schtasks /query /tn TimeUpdate > NUL 2>&1" ascii
$x2 = "schtasks /create /sc minute /mo 0002 /tn TimeUpdate /tr" fullword ascii
$x3 = "-c SampleDomain.com -m scheduleminutes" fullword ascii
$x4 = ".ntpupdateserver.com" fullword ascii
$x5 = ".msoffice365update.com" fullword ascii
$s1 = "out.exe" fullword ascii
$s2 = "\\Win32Project1\\Release\\Win32Project1.pdb" ascii
$s3 = "C:\\windows\\system32\\cmd.exe /c (" ascii
$s4 = "Content-Disposition: form-data; name=\"file\"; filename=\"a.a\"" fullword ascii
$s5 = "Agent configured successfully" fullword ascii
$s6 = "\\runlog*" ascii
$s7 = "can not specify username!!" fullword ascii
$s8 = "Agent can not be configured" fullword ascii
$s9 = "%08lX%04hX%04hX%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX" fullword ascii
$s10 = "!!! can not create output file !!!" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 400KB and (
pe.imphash() == "538805ecd776b9a42e71aebf94fde1b1" or
pe.imphash() == "861ac226fbe8c99a2c43ff451e95da97" or
( 1 of ($x*) or 3 of them )
)
}
rule OilRig_Malware_Campaign_Gen1 {
meta:
description = "Detects malware from OilRig Campaign"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/QMRZ8K"
date = "2016-10-12"
hash1 = "d808f3109822c185f1d8e1bf7ef7781c219dc56f5906478651748f0ace489d34"
hash2 = "80161dad1603b9a7c4a92a07b5c8bce214cf7a3df897b561732f9df7920ecb3e"
hash3 = "662c53e69b66d62a4822e666031fd441bbdfa741e20d4511c6741ec3cb02475f"
hash4 = "903b6d948c16dc92b69fe1de76cf64ab8377893770bf47c29bf91f3fd987f996"
hash5 = "c4fbc723981fc94884f0f493cb8711fdc9da698980081d9b7c139fcffbe723da"
hash6 = "57efb7596e6d9fd019b4dc4587ba33a40ab0ca09e14281d85716a253c5612ef4"
hash7 = "1b2fee00d28782076178a63e669d2306c37ba0c417708d4dc1f751765c3f94e1"
hash8 = "9f31a1908afb23a1029c079ee9ba8bdf0f4c815addbe8eac85b4163e02b5e777"
hash9 = "0cd9857a3f626f8e0c07495a4799c59d502c4f3970642a76882e3ed68b790f8e"
hash10 = "4b5112f0fb64825b879b01d686e8f4d43521252a3b4f4026c9d1d76d3f15b281"
hash11 = "4e5b85ea68bf8f2306b6b931810ae38c8dff3679d78da1af2c91032c36380353"
hash12 = "c3c17383f43184a29f49f166a92453a34be18e51935ddbf09576a60441440e51"
hash13 = "f3856c7af3c9f84101f41a82e36fc81dfc18a8e9b424a3658b6ba7e3c99f54f2"
hash14 = "0c64ab9b0c122b1903e8063e3c2c357cbbee99de07dc535e6c830a0472a71f39"
hash15 = "d874f513a032ccb6a5e4f0cd55862b024ea0bee4de94ccf950b3dd894066065d"
hash16 = "8ee628d46b8af20c4ba70a2fe8e2d4edca1980583171b71fe72455c6a52d15a9"
hash17 = "55d0e12439b20dadb5868766a5200cbbe1a06053bf9e229cf6a852bfcf57d579"
hash18 = "528d432952ef879496542bc62a5a4b6eee788f60f220426bd7f933fa2c58dc6b"
hash19 = "93940b5e764f2f4a2d893bebef4bf1f7d63c4db856877020a5852a6647cb04a0"
hash20 = "e2ec7fa60e654f5861e09bbe59d14d0973bd5727b83a2a03f1cecf1466dd87aa"
hash21 = "9c0a33a5dc62933f17506f20e0258f877947bdcd15b091a597eac05d299b7471"
hash22 = "a787c0e42608f9a69f718f6dca5556607be45ec77d17b07eb9ea1e0f7bb2e064"
hash23 = "3772d473a2fe950959e1fd56c9a44ec48928f92522246f75f4b8cb134f4713ff"
hash24 = "3986d54b00647b507b2afd708b7a1ce4c37027fb77d67c6bc3c20c3ac1a88ca4"
hash25 = "f5a64de9087b138608ccf036b067d91a47302259269fb05b3349964ca4060e7e"
id = "d291edf1-b086-5c61-b131-61c9f6e1267b"
strings:
$x1 = "Get-Content $env:Public\\Libraries\\update.vbs) -replace" ascii
$x2 = "wss.Run \"powershell.exe \" & Chr(34) & \"& {waitfor haha /T 2}\" & Chr(34), 0" fullword ascii
$x3 = "Call Extract(UpdateVbs, wss.ExpandEnvironmentStrings(\"%PUBLIC%\") & \"\\Libraries\\update.vbs\")" fullword ascii
$s4 = "CreateObject(\"WScript.Shell\").Run cmd, 0o" fullword ascii
/* Base64 encode config */
/* $global:myhost = */
$b1 = "JGdsb2JhbDpteWhvc3QgP" ascii
/* HOME="%public%\Libraries\" */
$b2 = "SE9NRT0iJXB1YmxpYyVcTGlicmFyaWVzX" ascii
/* Set wss = CreateObject("wScript.Shell") */
$b3 = "U2V0IHdzcyA9IENyZWF0ZU9iamVjdCgid1NjcmlwdC5TaGV" ascii
/* $scriptdir = Split-Path -Parent -Path $ */
$b4 = "JHNjcmlwdGRpciA9IFNwbGl0LVBhdGggLVBhcmVudCAtUGF0aCA" ascii
/* \x0aSet wss = CreateObject("wScript.Shell") */
$b5 = "DQpTZXQgd3NzID0gQ3JlYXRlT2JqZWN" ascii
/* whoami & hostname */
$b6 = "d2hvYW1pICYgaG9zdG5hb" ascii
condition:
( uint16(0) == 0xcfd0 and filesize < 700KB and 1 of them )
}
rule OilRig_Malware_Campaign_Mal1 {
meta:
description = "Detects malware from OilRig Campaign"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/QMRZ8K"
date = "2016-10-12"
hash1 = "e17e1978563dc10b73fd54e7727cbbe95cc0b170a4e7bd0ab223e059f6c25fcc"
id = "c577f0ff-1a33-5d7f-93b2-27df8d414bce"
strings:
$x1 = "DownloadExecute=\"powershell \"\"&{$r=Get-Random;$wc=(new-object System.Net.WebClient);$wc.DownloadFile(" ascii
$x2 = "-ExecutionPolicy Bypass -File \"&HOME&\"dns.ps1\"" fullword ascii
$x3 = "CreateObject(\"WScript.Shell\").Run Replace(DownloadExecute,\"-_\",\"bat\")" fullword ascii
$x4 = "CreateObject(\"WScript.Shell\").Run DnsCmd,0" fullword ascii
$s1 = "http://winodwsupdates.me" ascii
condition:
( uint16(0) == 0x4f48 and filesize < 4KB and 1 of them ) or ( 2 of them )
}
rule OilRig_Malware_Campaign_Mal1 {
meta:
description = "Detects malware from OilRig Campaign"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/QMRZ8K"
date = "2016-10-12"
hash1 = "e17e1978563dc10b73fd54e7727cbbe95cc0b170a4e7bd0ab223e059f6c25fcc"
id = "c577f0ff-1a33-5d7f-93b2-27df8d414bce"
strings:
$x1 = "DownloadExecute=\"powershell \"\"&{$r=Get-Random;$wc=(new-object System.Net.WebClient);$wc.DownloadFile(" ascii
$x2 = "-ExecutionPolicy Bypass -File \"&HOME&\"dns.ps1\"" fullword ascii
$x3 = "CreateObject(\"WScript.Shell\").Run Replace(DownloadExecute,\"-_\",\"bat\")" fullword ascii
$x4 = "CreateObject(\"WScript.Shell\").Run DnsCmd,0" fullword ascii
$s1 = "http://winodwsupdates.me" ascii
condition:
( uint16(0) == 0x4f48 and filesize < 4KB and 1 of them ) or ( 2 of them )
}
rule OilRig_Malware_Campaign_Gen2 {
meta:
description = "Detects Oilrig malware samples"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/QMRZ8K"
date = "2016-10-12"
modified = "2023-01-07"
hash1 = "c6437f57a8f290b5ec46b0933bfa8a328b0cb2c0c7fbeea7f21b770ce0250d3d"
hash2 = "293522e83aeebf185e653ac279bba202024cedb07abc94683930b74df51ce5cb"
id = "2ca0aadf-c5a8-5c89-ab1e-0c06d2ab8516"
strings:
$s1 = "%userprofile%\\AppData\\Local\\Microsoft\\" ascii
$s2 = "$fdn=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('" fullword ascii
$s3 = "&{$rn = Get-Random; $id = 'TR" fullword ascii
$s4 = "') -replace '__',('DNS'+$id) | " fullword ascii
$s5 = "\\upd.vbs" ascii
$s6 = "schtasks /create /F /sc minute /mo " fullword ascii
$s7 = "') -replace '__',('HTP'+$id) | " fullword ascii
$s8 = "&{$rn = Get-Random -minimum 1 -maximum 10000; $id = 'AZ" fullword ascii
$s9 = "http://www.israirairlines.com/?mode=page&page=14635&lang=eng<" fullword ascii
condition:
( uint16(0) == 0xcfd0 and filesize < 4000KB and 2 of ($s*) ) or ( 4 of them )
}
rule OilRig_Malware_Campaign_Gen3 {
meta:
description = "Detects Oilrig malware samples"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/QMRZ8K"
date = "2016-10-12"
modified = "2023-01-07"
hash1 = "5e9ddb25bde3719c392d08c13a295db418d7accd25d82d020b425052e7ba6dc9"
hash2 = "bd0920c8836541f58e0778b4b64527e5a5f2084405f73ee33110f7bc189da7a9"
hash3 = "90639c7423a329e304087428a01662cc06e2e9153299e37b1b1c90f6d0a195ed"
id = "1cd5f7ea-4ae6-5642-b8b3-050cfe724e69"
strings:
$x1 = "source code from https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.htmlrrrr" fullword ascii
$x2 = "\\Libraries\\fireueye.vbs" ascii
$x3 = "\\Libraries\\fireeye.vbs&" wide
condition:
( uint16(0) == 0xcfd0 and filesize < 100KB and 1 of them )
}
rule OilRig_Malware_Campaign_Mal2 {
meta:
description = "Detects malware from OilRig Campaign"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/QMRZ8K"
date = "2016-10-12"
hash1 = "65920eaea00764a245acb58a3565941477b78a7bcc9efaec5bf811573084b6cf"
id = "7a6c38e7-bed9-524b-b4a5-c6c895b9c049"
strings:
$x1 = "wss.Run \"powershell.exe \" & Chr(34) & \"& {(Get-Content $env:Public\\Libraries\\update.vbs) -replace '__',(Get-Random) | Set-C" ascii
$x2 = "Call Extract(UpdateVbs, wss.ExpandEnvironmentStrings(\"%PUBLIC%\") & \"\\Libraries\\update.vbs\")" fullword ascii
$x3 = "mailto:Mohammed.sarah@gratner.com" fullword wide
$x4 = "mailto:Tarik.Imam@gartner.com" fullword wide
$x5 = "Call Extract(DnsPs1, wss.ExpandEnvironmentStrings(\"%PUBLIC%\") & \"\\Libraries\\dns.ps1\")" fullword ascii
$x6 = "2dy53My5vcmcvMjAw" fullword wide /* base64 encoded string 'w.w3.org/200' */
condition:
( uint16(0) == 0xcfd0 and filesize < 200KB and 1 of them )
}
rule OilRig_Campaign_Reconnaissance {
meta:
description = "Detects Windows discovery commands - known from OilRig Campaign"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/QMRZ8K"
date = "2016-10-12"
hash1 = "5893eae26df8e15c1e0fa763bf88a1ae79484cdb488ba2fc382700ff2cfab80c"
id = "a4fe24b8-290a-5a4a-9f81-bbbd9aae6c6e"
strings:
$s1 = "whoami & hostname & ipconfig /all" ascii
$s2 = "net user /domain 2>&1 & net group /domain 2>&1" ascii
$s3 = "net group \"domain admins\" /domain 2>&1 & " ascii
condition:
( filesize < 1KB and 1 of them )
}
rule OilRig_Malware_Campaign_Mal3 {
meta:
description = "Detects malware from OilRig Campaign"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/QMRZ8K"
date = "2016-10-12"
hash1 = "02226181f27dbf59af5377e39cf583db15200100eea712fcb6f55c0a2245a378"
id = "e5967b39-5d21-5a6a-a1b5-2ec122f16444"
strings:
$x1 = "(Get-Content $env:Public\\Libraries\\dns.ps1) -replace ('#'+'##'),$botid | Set-Content $env:Public\\Libraries\\dns.ps1" fullword ascii
$x2 = "Invoke-Expression ($global:myhome+'tp\\'+$global:filename+'.bat > '+$global:myhome+'tp\\'+$global:filename+'.txt')" fullword ascii
$x3 = "('00000000'+(convertTo-Base36(Get-Random -Maximum 46655)))" fullword ascii
condition:
( filesize < 10KB and 1 of them )
}
rule OilRig_Malware_Nov17_13 {
meta:
description = ""
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/ClearskySec/status/933280188733018113"
date = "2017-11-22"
hash1 = "4f1e2df85c538875a7da877719555e21c33a558ac121eb715cf4e779d77ab445"
id = "c45b8d30-6a5f-5dac-a202-6748ba7b7bd2"
strings:
$x1 = "\\Release\\dnscat2.pdb" ascii
$x2 = "cscript.exe //T:20 //Nologo " fullword ascii
$a1 = "taskkill /F /IM cscript.exe" fullword ascii
$a2 = "cmd.exe /c " fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 3000KB and (
pe.imphash() == "0160250adfc97f9d4a12dd067323ec61" or
1 of ($x*) or
all of ($a*)
)
}
rule Oilrig_IntelSecurityManager_macro {
meta:
description = "Detects OilRig malware"
author = "Eyal Sela (slightly modified by Florian Roth)"
reference = "Internal Research"
date = "2018-01-19"
id = "4cccc0df-a225-5500-be55-f4ae346e066e"
strings:
$one1 = "$c$m$$d$.$$" ascii wide
$one2 = "$C$$e$r$$t$u$$t$i$$l$" ascii wide
$one3 = "$$%$a$$p$p$$d$a$" ascii wide
$one4 = ".$t$$x$t$$" ascii wide
$one5 = "cu = Replace(cu, \"$\", \"\")" ascii wide
$one6 = "Shell Environ$(\"COMSPEC\") & \" /c"
$one7 = "echo \" & Chr(32) & cmd & Chr(32) & \" > \" & Chr(34)" ascii wide
$two1 = "& SchTasks /Delete /F /TN " ascii wide
$two2 = "SecurityAssist" ascii wide
$two3 = "vbs = \"cmd.exe /c SchTasks" ascii wide
$two4 = "/Delete /F /TN Conhost & del" ascii wide
$two5 = "NullRefrencedException" ascii wide
$two6 = "error has occurred in user32.dll by" ascii wide
$two7 = "NullRefrencedException" ascii wide
condition:
filesize < 300KB and 1 of ($one*) or 2 of ($two*)
}
rule Oilrig_IntelSecurityManager {
meta:
description = "Detects OilRig malware"
author = "Eyal Sela"
reference = "Internal Research"
date = "2018-01-19"
id = "4cccc0df-a225-5500-be55-f4ae346e066e"
strings:
$one1 = "srvResesponded" ascii wide fullword
$one2 = "InetlSecurityAssistManager" ascii wide fullword
$one3 = "srvCheckresponded" ascii wide fullword
$one4 = "IntelSecurityManager" ascii wide
$one5 = "msoffice365cdn.com" ascii wide
$one6 = "\\tmpCa.vbs" ascii wide
$one7 = "AAZFinish" ascii wide fullword
$one8 = "AAZUploaded" ascii wide fullword
$one9 = "ABZFinish" ascii wide fullword
$one10 = "\\tmpCa.vbs" ascii wide
condition:
filesize < 300KB and any of them
}
rule OilRig_RGDoor_Gen1 {
meta:
description = "Detects RGDoor backdoor used by OilRig group"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/"
date = "2018-01-27"
score = 80
hash1 = "a9c92b29ee05c1522715c7a2f9c543740b60e36373cb47b5620b1f3d8ad96bfa"
id = "68ac1f35-4eaa-5899-b66c-296d7c5fa462"
strings:
$c1 = { 00 63 6D 64 24 00 00 00 00 72 00 00 00 00 00 00 00 75 70 6C 6F
61 64 24 }
$c2 = { 63 61 6E 27 74 20 6F 70 65 6E 20 66 69 6C 65 3A 20 00 00 00 00
00 00 00 64 6F 77 6E 6C 6F 61 64 24 }
$s1 = "MyNativeModule.dll" fullword ascii
$s2 = "RGSESSIONID=" fullword ascii
$s3 = "download$" fullword ascii
$s4 = ".?AVCHelloWorld@@" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 600KB and (
pe.imphash() == "47cb127aad6c7c9954058e61a2a6429a" or
1 of ($c*) or
2 of them
)
}
rule Chafer_Exploit_Copyright_2017 {
meta:
description = "Detects Oilrig Internet Server Extension with Copyright (C) 2017 Exploit"
author = "Markus Neis"
reference = "https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf"
date = "2018-03-22"
hash1 = "cdac69caad8891c5e1b8eabe598c869674dee30af448ce4e801a90eb79973c66"
id = "f78ae4f5-0569-5fc8-ab25-ebe38afd9f3c"
strings:
$x1 = "test3 Internet Server Extension" fullword wide
$x2 = "Copyright (C) 2017 Exploit" fullword wide
$a1 = "popen() failed!" fullword ascii
$a2 = "cmd2cmd=" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 700KB and (
1 of ($x*) or all of ($a*)
)
}