YARA rules for APT40

113 rules · scoped to actor
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.

Showing 50 of 113 rules
direct IronTiger
IronTiger_PlugX_FastProxy
Iron Tiger Malware - PlugX FastProxy
author: Cyber Safety Solutions, Trend Micro · license: see source repo
rule IronTiger_PlugX_FastProxy
{
	meta:
		author = "Cyber Safety Solutions, Trend Micro"
		description = "Iron Tiger Malware - PlugX FastProxy"
		reference = "http://goo.gl/T5fSJC"
		id = "14e05823-6288-5f02-8060-add51084c446"
	strings:
		$str1 = "SAFEPROXY HTServerTimer Quit!" wide ascii
		$str2 = "Useage: %s pid" wide ascii
		$str3 = "%s PORT[%d] TO PORT[%d] SUCCESS!" wide ascii
		$str4 = "p0: port for listener" wide ascii
		$str5 = "\\users\\whg\\desktop\\plug\\" wide ascii
		$str6 = "[+Y] cwnd : %3d, fligth:" wide ascii
	condition:
		uint16(0) == 0x5a4d and (any of ($str*))
}
direct IronTiger
IronTiger_PlugX_Server
Iron Tiger Malware - PlugX Server
author: Cyber Safety Solutions, Trend Micro · license: see source repo
rule IronTiger_PlugX_Server
{
	meta:
		author = "Cyber Safety Solutions, Trend Micro"
		description = "Iron Tiger Malware - PlugX Server"
		reference = "http://goo.gl/T5fSJC"
		id = "38011a23-3ed7-5f58-a814-2551526b27f3"
	strings:
		$str1 = "\\UnitFrmManagerKeyLog.pas" wide ascii
		$str2 = "\\UnitFrmManagerRegister.pas" wide ascii
		$str3 = "Input Name..." wide ascii
		$str4 = "New Value#" wide ascii
		$str5 = "TThreadRControl.Execute SEH!!!" wide ascii
		$str6 = "\\UnitFrmRControl.pas" wide ascii
		$str7 = "OnSocket(event is error)!" wide ascii
		$str8 = "Make 3F Version Ok!!!" wide ascii
		$str9 = "PELEASE DO NOT CHANGE THE DOCAMENT" wide ascii
		$str10 = "Press [Ok] Continue Run, Press [Cancel] Exit" wide ascii
	condition:
		uint16(0) == 0x5a4d and (2 of ($str*))
}
direct Area1
APT_Area1_SSF_PlugX
Detects send tool used in phishing campaign reported by Area 1 in December 2018
author: Area 1 · license: see source repo
rule APT_Area1_SSF_PlugX {
   meta:
      description = "Detects send tool used in phishing campaign reported by Area 1 in December 2018"
      reference = "https://cdn.area1security.com/reports/Area-1-Security-PhishingDiplomacy.pdf"
      date = "2018-12-19"
      author = "Area 1"
      id = "a5b4e781-f0d1-55df-926c-2d321aa48139"
   strings:
      $feature_call = { 8b 0? 56 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ??
         6a 07 6a ff ff d0 8b f0 85 f6 74 14 }
      $keylogger_reg = { 8b 4d 08 6a 0c 6a 01 8d 55 f4 52 c7 45 f4 01 00 06 00
         c7 45 f8 00 01 00 00 89 4d fc ff d0 85 c0 75 1d }
      $file_op = { 55 8b ec 83 ec 20 0f b7 56 18 8b 46 10 66 8b 4e 14 89 45 e4
         8d 44 32 10 66 89 4d f0 0f b7 4e 1a 57 89 45 e8 33 ff 8d 45 e0 8d 54
         31 10 50 89 7d e0 89 55 ec c7 45 fa ?? ?? ?? ?? 89 7d f2 89 7d f6 ff
         15 1c 43 02 10 }
      $ver_cmp = { 0f b6 8d b0 fe ff ff 0f b6 95 b4 fe ff ff 66 c1 e1 08 0f b7
         c1 0b c2 3d 02 05 00 00 7f 2c }
      $regedit = { c7 06 23 01 12 20 c7 46 04 01 90 00 00 89 5e 0c 89 5e 08 e8
         51 fb ff ff 8b 4d 08 8b 50 38 68 30 75 00 00 56 51 ff d2 }
      $get_device_caps = { 8b 1d ?? ?? ?? ?? 6a 08 50 ff d3 0f b7 56 12 8b c8 0f af ca
         b8 1f 85 eb 51 f7 e9 c1 fa 05 8b c2 c1 e8 1f 03 c2 89 45 f8 8b 45 f0 6a 0a 50 ff d3
         0f b7 56 14 8b c8 0f af ca b8 1f 85 eb 51 }
   condition:
      3 of them
}
direct Codoso
Codoso_PlugX_3
Detects Codoso APT PlugX Malware
author: Florian Roth (Nextron Systems) · license: see source repo
rule Codoso_PlugX_3 {
	meta:
		description = "Detects Codoso APT PlugX Malware"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
		date = "2016-01-30"
		hash = "74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3"
		id = "55066812-3a8e-5099-afb4-ff7a59f1ccb2"
	strings:
		$s1 = "Cannot create folder %sDCRC failed in the encrypted file %s. Corrupt file or wrong password." fullword wide
		$s2 = "mcs.exe" fullword ascii
		$s3 = "McAltLib.dll" fullword ascii
		$s4 = "WinRAR self-extracting archive" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 1200KB and all of them
}
direct Codoso
Codoso_PlugX_2
Detects Codoso APT PlugX Malware
author: Florian Roth (Nextron Systems) · license: see source repo
rule Codoso_PlugX_2 {
	meta:
		description = "Detects Codoso APT PlugX Malware"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
		date = "2016-01-30"
		hash = "b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb"
		id = "0402a0ff-5664-52db-a739-51c5181853f8"
	strings:
		$s1 = "%TEMP%\\HID" fullword wide
		$s2 = "%s\\hid.dll" fullword wide
		$s3 = "%s\\SOUNDMAN.exe" fullword wide
		$s4 = "\"%s\\SOUNDMAN.exe\" %d %d" fullword wide
		$s5 = "%s\\HID.dllx" fullword wide
	condition:
		( uint16(0) == 0x5a4d and filesize < 400KB and 3 of them ) or all of them
}
direct Codoso
Codoso_PGV_PVID_4
Detects Codoso APT PlugX Malware
author: Florian Roth (Nextron Systems) · license: see source repo
rule Codoso_PGV_PVID_4 {
	meta:
		description = "Detects Codoso APT PlugX Malware"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
		date = "2016-01-30"
		super_rule = 1
		hash1 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
		hash2 = "8a56b476d792983aea0199ee3226f0d04792b70a1c1f05f399cb6e4ce8a38761"
		hash3 = "b2950f2e09f5356e985c38b284ea52175d21feee12e582d674c0da2233b1feb1"
		hash4 = "b631553421aa17171cc47248adc110ca2e79eff44b5e5b0234d69b30cab104e3"
		hash5 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
		id = "c1c753a6-77b6-5bfb-89f9-16127c264fd0"
	strings:
		$x1 = "dropper, Version 1.0" fullword wide
		$x2 = "dropper" fullword wide
		$x3 = "DROPPER" fullword wide
		$x4 = "About dropper" fullword wide

		$s1 = "Microsoft Windows Manager Utility" fullword wide
		$s2 = "SYSTEM\\CurrentControlSet\\Services\\" ascii /* Goodware String - occured 9 times */
		$s3 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify" fullword ascii /* Goodware String - occured 10 times */
		$s4 = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\"><trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3" ascii /* Goodware String - occured 46 times */
		$s5 = "<supportedOS Id=\"{e2011457-1546-43c5-a5fe-008deee3d3f0}\"></supportedOS>" fullword ascii /* Goodware String - occured 65 times */
	condition:
		uint16(0) == 0x5a4d and filesize < 900KB and 2 of ($x*) and 2 of ($s*)
}
direct Codoso
Codoso_PlugX_1
Detects Codoso APT PlugX Malware
author: Florian Roth (Nextron Systems) · license: see source repo
rule Codoso_PlugX_1 {
	meta:
		description = "Detects Codoso APT PlugX Malware"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
		date = "2016-01-30"
		super_rule = 1
		hash1 = "0b8cbc9b4761ab35acce2aa12ba2c0a283afd596b565705514fd802c8b1e144b"
		hash2 = "448711bd3f689ceebb736d25253233ac244d48cb766834b8f974c2e9d4b462e8"
		hash3 = "fd22547497ce52049083092429eeff0599d0b11fe61186e91c91e1f76b518fe2"
		id = "af777818-5cff-5571-b5e9-0f5a4c8b08ff"
	strings:
		$s1 = "GETPASSWORD1" fullword ascii
		$s2 = "NvSmartMax.dll" fullword ascii
		$s3 = "LICENSEDLG" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 800KB and all of them
}
direct Dropper
Dropper_DeploysMalwareViaSideLoading
Detects a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX
author: USG · license: see source repo
rule Dropper_DeploysMalwareViaSideLoading {
    meta:
        description = "Detects a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX"
        author = "USG"
        reference = "https://www.us-cert.gov/ncas/alerts/TA17-117A"
        true_positive = "5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx. "
        id = "2e7cdedd-2358-5d71-a3ec-73dec442d840"
    strings:
        $UniqueString = {2e 6c 6e 6b [0-14] 61 76 70 75 69 2e 65 78 65} // ".lnk" near "avpui.exe"
        $PsuedoRandomStringGenerator = {b9 1a [0-6] f7 f9 46 80 c2 41 88 54 35 8b 83 fe 64} // Unique function that generates a 100 character pseudo random string.
    condition:
        any of them
}
direct PLUGX
PLUGX_RedLeaves
Detects specific RedLeaves and PlugX binaries
author: US-CERT Code Analysis Team · license: see source repo
rule PLUGX_RedLeaves {
    meta:
        author = "US-CERT Code Analysis Team"
        date = "03.04.2017"
        reference = "https://www.us-cert.gov/ncas/alerts/TA17-117A"
        incident = "10118538"
        date = "2017-04-03"
        MD5_1 = "598FF82EA4FB52717ACAFB227C83D474"
        MD5_2 = "7D10708A518B26CC8C3CBFBAA224E032"
        MD5_3 = "AF406D35C77B1E0DF17F839E36BCE630"
        MD5_4 = "6EB9E889B091A5647F6095DCD4DE7C83"
        MD5_5 = "566291B277534B63EAFC938CDAAB8A399E41AF7D"
        description = "Detects specific RedLeaves and PlugX binaries"
        id = "ede8ad8f-31cf-5314-9777-bddd60e499f2"
    strings:
        $s0 = { 80343057403D2FD0010072F433C08BFF80343024403D2FD0010072F4 }
        $s1 = "C:\\Users\\user\\Desktop\\my_OK_2014\\bit9\\runsna\\Release\\runsna.pdb"
        $s2 = "d:\\work\\plug4.0(shellcode)"
        $s3 = "\\shellcode\\shellcode\\XSetting.h"
        $s4 = { 42AFF4276A45AA58474D4C4BE03D5B395566BEBCBDEDE9972872C5C4C5498228 }
        $s5 = { 8AD32AD002D180C23830140E413BCB7CEF6A006A006A00566A006A00 }
        $s6 = { EB055F8BC7EB05E8F6FFFFFF558BEC81ECC8040000535657 }
        $s7 = { 8A043233C932043983C10288043283F90A7CF242890D18AA00103BD37CE2891514AA00106A006A006A0056 }
        $s8 = { 293537675A402A333557B05E04D09CB05EB3ADA4A4A40ED0B7DAB7935F5B5B08 }
        $s9 = "RedLeavesCMDSimulatorMutex"
    condition:
        $s0 or $s1 or $s2 and $s3 or $s4 or $s5 or $s6 or $s7 or $s8 or $s9
}
direct PlugX
PlugX_J16_Gen
Detects PlugX Malware samples from June 2016
author: Florian Roth (Nextron Systems) · license: see source repo
rule PlugX_J16_Gen {
	meta:
		description = "Detects PlugX Malware samples from June 2016"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "VT Research"
		date = "2016-06-08"
		id = "13ef1e80-7090-5a1e-bca7-8d3de0dc2247"
	strings:
		$x1 = "%WINDIR%\\SYSTEM32\\SERVICES.EXE" fullword wide
		$x2 = "\\\\.\\PIPE\\RUN_AS_USER(%d)" fullword wide
		$x3 = "LdrLoadShellcode" fullword ascii
		$x4 = "Protocol:[%4s], Host: [%s:%d], Proxy: [%d:%s:%d:%s:%s]" fullword ascii

		$s1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\User Agent\\Post Platform" fullword wide
		$s2 = "%s\\msiexec.exe %d %d" fullword wide
		$s3 = "l%s\\sysprep\\CRYPTBASE.DLL" fullword wide
		$s4 = "%s\\msiexec.exe UAC" fullword wide
		$s5 = "CRYPTBASE.DLL" fullword wide
		$s6 = "%ALLUSERSPROFILE%\\SxS" fullword wide
		$s7 = "%s\\sysprep\\sysprep.exe" fullword wide
		$s8 = "\\\\.\\pipe\\a%d" fullword wide
		$s9 = "\\\\.\\pipe\\b%d" fullword wide
		$s10 = "EName:%s,EAddr:0x%p,ECode:0x%p,EAX:%p,EBX:%p,ECX:%p,EDX:%p,ESI:%p,EDI:%p,EBP:%p,ESP:%p,EIP:%p" fullword ascii
		$s11 = "Mozilla/4.0 (compatible; MSIE " fullword wide
		$s12 = "; Windows NT %d.%d" fullword wide
		$s13 = "SOFTWARE\\Microsoft\\Internet Explorer\\Version Vector" fullword wide
		$s14 = "\\bug.log" wide
	condition:
		( uint16(0) == 0x5a4d and filesize < 600KB and ( 1 of ($x*) or 4 of ($s*) ) ) or ( 8 of them )
}
direct PlugX
PlugX_J16_Gen2
Detects PlugX Malware Samples from June 2016
author: Florian Roth (Nextron Systems) · license: see source repo
rule PlugX_J16_Gen2 {
	meta:
		description = "Detects PlugX Malware Samples from June 2016"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "VT Research"
		date = "2016-06-08"
		id = "28e9cbb9-cd60-555d-b033-4e2bf293adf2"
	strings:
		$s1 = "XPlugKeyLogger.cpp" fullword ascii
		$s2 = "XPlugProcess.cpp" fullword ascii
		$s4 = "XPlgLoader.cpp" fullword ascii
		$s5 = "XPlugPortMap.cpp" fullword ascii
		$s8 = "XPlugShell.cpp" fullword ascii
		$s11 = "file: %s, line: %d, error: [%d]%s" fullword ascii
		$s12 = "XInstall.cpp" fullword ascii
		$s13 = "XPlugTelnet.cpp" fullword ascii
		$s14 = "XInstallUAC.cpp" fullword ascii
	condition:
		( uint16(0) == 0x5a4d and filesize < 600KB and ( 2 of ($s*) ) ) or ( 5 of them )
}
direct APT28
APT28_CHOPSTICK
Detects a malware that behaves like CHOPSTICK mentioned in APT28 report
author: Florian Roth (Nextron Systems) · license: see source repo
rule APT28_CHOPSTICK {
	meta:
		description = "Detects a malware that behaves like CHOPSTICK mentioned in APT28 report"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://goo.gl/v3ebal"
		date = "2015-06-02"
		hash = "f4db2e0881f83f6a2387ecf446fcb4a4c9f99808"
		score = 60
		id = "08bc4cc2-1844-5218-bb89-20a3ac70a951"
	strings:
		$s0 = "jhuhugit.tmp" fullword ascii /* score: '14.005' */
		$s8 = "KERNEL32.dll" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 14405 times */
		$s9 = "IsDebuggerPresent" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 3518 times */
		$s10 = "IsProcessorFeaturePresent" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 1383 times */
		$s11 = "TerminateProcess" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 13081 times */
		$s13 = "DeleteFileA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 1384 times */
		$s15 = "GetProcessHeap" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 5875 times */
		$s16 = "!This program cannot be run in DOS mode." fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 20908 times */
		$s17 = "LoadLibraryA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 5461 times */
	condition:
		uint16(0) == 0x5a4d and filesize < 722KB and all of them
}
direct
IMPLANT_3_v1
X-Agent/CHOPSTICK Implant by APT28
author: US CERT · license: see source repo
rule IMPLANT_3_v1 {
   meta:
      description = "X-Agent/CHOPSTICK Implant by APT28"
      author = "US CERT"
      reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
      date = "2017-02-10"
      score = 85
      id = "d539bb31-18b2-5cf5-b994-daecd5f8c771"
   strings:
      $STR1 = ">process isn't exist<" ascii wide
      $STR2 = "shell\\open\\command=\"System Volume Information\\USBGuard.exe\" install" ascii wide
      $STR3 = "User-Agent: Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0" ascii wide
      $STR4 = "webhp?rel=psy&hl=7&ai=" ascii wide
      $STR5 = {0f b6 14 31 88 55 ?? 33 d2 8b c1 f7 75 ?? 8b 45 ?? 41 0f b6 14
         02 8a 45 ?? 03 fa}
   condition:
      any of them
}
direct
IMPLANT_3_v2
X-Agent/CHOPSTICK Implant by APT28
author: US CERT · license: see source repo
rule IMPLANT_3_v2 {
   meta:
      description = "X-Agent/CHOPSTICK Implant by APT28"
      author = "US CERT"
      reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
      date = "2017-02-10"
      score = 85
      id = "349c65cf-547f-5837-af71-f9721e029b74"
   strings:
      $base_key_moved = {C7 45 ?? 3B C6 73 0F C7 45 ?? 8B 07 85 C0 C7 45 ?? 74
         02 FF D0 C7 45 ?? 83 C7 04 3B C7 45 ?? FE 72 F1 5F C7 45 ?? 5E C3 8B
         FF C7 45 ?? 56 B8 D8 78 C7 45 ?? 75 07 50 E8 C7 45 ?? B1 D1 FF FF C7
         45 ?? 59 5D C3 8B C7 45 ?? FF 55 8B EC C7 45 ?? 83 EC 10 A1 66 C7 45
         ?? 33 35}
      $base_key_b_array = {3B C6 73 0F 8B 07 85 C0 74 02 FF D0 83 C7 04 3B FE
         72 F1 5F 5E C3 8B FF 56 B8 D8 78 75 07 50 E8 B1 D1 FF FF 59 5D C3 8B
         FF 55 8B EC 83 EC 10 A1 33 35 }
   condition:
      (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
      uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and any of them
}
direct
IMPLANT_3_v3
X-Agent/CHOPSTICK Implant by APT28
author: US CERT · license: see source repo
rule IMPLANT_3_v3 {
   meta:
      description = "X-Agent/CHOPSTICK Implant by APT28"
      author = "US CERT"
      reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
      date = "2017-02-10"
      modified = "2021-03-15"
      score = 65
      id = "ce82511e-715a-53cb-98e5-5d51b94726d5"
   strings:
      $STR1 = ".?AVAgentKernel@@"
      $STR2 = ".?AVIAgentModule@@"
      $STR3 = "AgentKernel"

      $fp1 = "Panda Security S.L." wide
   condition:
      (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
      uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and 1 of ($STR*)
      and not 1 of ($fp*)
}
direct PAExec
PAExec
Detects remote access tool PAEXec (like PsExec) - file PAExec.exe
author: Florian Roth (Nextron Systems) · license: see source repo
rule PAExec {
   meta:
      description = "Detects remote access tool PAEXec (like PsExec) - file PAExec.exe"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/"
      date = "2017-03-27"
      score = 40
      hash1 = "01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc"
      id = "ee564534-b921-5639-a7ed-5da79d6bf86a"
   strings:
      $x1 = "Ex: -rlo C:\\Temp\\PAExec.log" fullword ascii
      $x2 = "Can't enumProcesses - Failed to get token for Local System." fullword wide
      $x3 = "PAExec %s - Execute Programs Remotely" fullword wide
      $x4 = "\\\\%s\\pipe\\PAExecIn%s%u" fullword wide
      $x5 = "\\\\.\\pipe\\PAExecIn%s%u" fullword wide
      $x6 = "%%SystemRoot%%\\%s.exe" fullword wide
      $x7 = "in replacement for PsExec, so the command-line usage is identical, with " fullword ascii
      $x8 = "\\\\%s\\ADMIN$\\PAExec_Move%u.dat" fullword wide
   condition:
      (uint16(0) == 0x5a4d and filesize < 600KB and 1 of ($x*)) or (3 of them)
}
direct Cloaked
APT_Cloaked_PsExec
Looks like a cloaked PsExec. This may be APT group activity.
author: Florian Roth (Nextron Systems) · license: see source repo
rule APT_Cloaked_PsExec
	{
	meta:
		description = "Looks like a cloaked PsExec. This may be APT group activity."
		date = "2014-07-18"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		score = 60
		id = "e389bb76-0d1d-5e0e-9f79-a3117c919da3"
	strings:
		$s0 = "psexesvc.exe" wide fullword
		$s1 = "Sysinternals PsExec" wide fullword
	condition:
		uint16(0) == 0x5a4d and $s0 and $s1
		and not filename matches /(psexec.exe|PSEXESVC.EXE|PsExec64.exe)$/is
		and not filepath matches /RECYCLE.BIN\\S-1/
}
direct PAExec
PAExec_Cloaked
Detects a renamed remote access tool PAEXec (like PsExec)
author: Florian Roth (Nextron Systems) · license: see source repo
rule PAExec_Cloaked {
   meta:
      description = "Detects a renamed remote access tool PAEXec (like PsExec)"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/"
      date = "2017-03-27"
      score = 70
      hash1 = "01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc"
      id = "fad8417b-bbdb-5a4e-8324-660e27cb39f8"
   strings:
      $x1 = "Ex: -rlo C:\\Temp\\PAExec.log" fullword ascii
      $x2 = "Can't enumProcesses - Failed to get token for Local System." fullword wide
      $x3 = "PAExec %s - Execute Programs Remotely" fullword wide
      $x4 = "\\\\%s\\pipe\\PAExecIn%s%u" fullword wide
      $x5 = "\\\\.\\pipe\\PAExecIn%s%u" fullword wide
      $x6 = "%%SystemRoot%%\\%s.exe" fullword wide
      $x7 = "in replacement for PsExec, so the command-line usage is identical, with " fullword ascii
      $x8 = "\\\\%s\\ADMIN$\\PAExec_Move%u.dat" fullword wide
   condition:
      ( uint16(0) == 0x5a4d and filesize < 600KB and 1 of ($x*) )
      and not filename == "paexec.exe"
      and not filename == "PAExec.exe"
      and not filename == "PAEXEC.EXE"
      and not filename matches /Install/
      and not filename matches /uninstall/
}
direct Impacket
Impacket_Tools_psexec
Compiled Impacket Tools
author: Florian Roth (Nextron Systems) · license: see source repo
rule Impacket_Tools_psexec {
   meta:
      description = "Compiled Impacket Tools"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/maaaaz/impacket-examples-windows"
      date = "2017-04-07"
      hash1 = "27bb10569a872367ba1cfca3cf1c9b428422c82af7ab4c2728f501406461c364"
      id = "5e8d0964-7e6a-5ff6-b9db-e37f997c3e05"
   strings:
      $s1 = "impacket.examples.serviceinstall(" ascii
      $s2 = "spsexec" fullword ascii
      $s3 = "impacket.examples.remcomsvc(" ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 17000KB and 2 of them )
}
direct Empire
Empire_Invoke_PsExec
Detects Empire component - file Invoke-PsExec.ps1
author: Florian Roth (Nextron Systems) · license: see source repo
rule Empire_Invoke_PsExec {
   meta:
      description = "Detects Empire component - file Invoke-PsExec.ps1"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      hash1 = "0218be4323959fc6379489a6a5e030bb9f1de672326e5e5b8844ab5cedfdcf88"
      id = "19aaec3e-3e8f-5d7d-9c70-a212756c0300"
   strings:
      $s1 = "Invoke-PsExecCmd" fullword ascii
      $s2 = "\"[*] Executing service .EXE" fullword ascii
      $s3 = "$cmd = \"%COMSPEC% /C echo $Command ^> %systemroot%\\Temp\\" ascii
   condition:
      ( uint16(0) == 0x7566 and filesize < 50KB and 1 of them ) or all of them
}
direct Batch
Batch_Script_To_Run_PsExec
Detects malicious batch file from NCSC report
author: NCSC · license: see source repo
rule Batch_Script_To_Run_PsExec {
   meta:
      author = "NCSC"
      description = "Detects malicious batch file from NCSC report"
      reference = "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"
      date = "2018/04/06"
      hash = "b7d7c4bc8f9fd0e461425747122a431f93062358ed36ce281147998575ee1a18"
      id = "1fbeeec8-a5bd-569e-b435-c7d82d32e47b"
   strings:
      $ = "Tokens=1 delims=" ascii
      $ = "SET ws=%1" ascii
      $ = "Checking %ws%" ascii
      $ = "%TEMP%\\%ws%ns.txt" ascii
      $ = "ps.exe -accepteula" ascii
   condition:
      3 of them
}
direct Casper
Casper_SystemInformation_Output
Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo
author: Florian Roth (Nextron Systems) · license: see source repo
rule Casper_SystemInformation_Output {
	meta:
		description = "Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "http://goo.gl/VRJNLo"
		date = "2015/03/06"
		score = 70
		id = "aaae200c-7ef1-52eb-be5b-36e0ad29ecef"
	strings:
		$a0 = "***** SYSTEM INFORMATION ******"
		$a1 = "***** SECURITY INFORMATION ******"
		$a2 = "Antivirus: "
		$a3 = "Firewall: "
		$a4 = "***** EXECUTION CONTEXT ******"
		$a5 = "Identity: "
		$a6 = "<CONFIG TIMESTAMP="
	condition:
		all of them
}
direct Certutil
Certutil_Decode_OR_Download
Certutil Decode
author: Florian Roth (Nextron Systems) · license: see source repo
rule Certutil_Decode_OR_Download {
   meta:
      description = "Certutil Decode"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Internal Research"
      score = 40
      date = "2017-08-29"
      modified = "2026-04-01"
      id = "63bdefd2-225a-56d5-b615-5e236c97f050"
   strings:
      $a1 = "certutil -decode " ascii wide
      $a2 = "certutil  -decode " ascii wide
      $a3 = "certutil.exe -decode " ascii wide
      $a4 = "certutil.exe  -decode " ascii wide
      $a5 = "certutil -urlcache -split -f http" ascii wide
      $a6 = "certutil.exe -urlcache -split -f http" ascii wide

      $fp_msi = { 52 00 6F 00 6F 00 74 00 20 00 45 00 6E 00 74 00 72 00 79 }
      $fp_doc = "https://docs.aws.amazon.com" ascii
   condition:
      filesize < 700KB
      and 1 of ($a*)
      and not 1 of ($fp*)
}
direct Cloaked
APT_Cloaked_CERTUTIL
Detects a renamed certutil.exe utility that is often used to decode encoded payloads
author: Florian Roth (Nextron Systems) · license: see source repo
rule APT_Cloaked_CERTUTIL {
   meta:
      description = "Detects a renamed certutil.exe utility that is often used to decode encoded payloads"
      author = "Florian Roth (Nextron Systems)"
      reference = "Internal Research"
      date = "2018-09-14"
      modified = "2022-06-27"
      id = "13943cda-6bb1-5c6c-8e55-e8d4bba1ffef"
   strings:
      $s1 = "-------- CERT_CHAIN_CONTEXT --------" fullword ascii
      $s5 = "certutil.pdb" fullword ascii
      $s3 = "Password Token" fullword ascii
   condition:
      uint16(0) == 0x5a4d and all of them
      and not filename contains "certutil"
      and not filename contains "CertUtil"
      and not filename contains "Certutil"
      and not filepath contains "\\Bromium\\"
}
direct Binary
Binary_Drop_Certutil
Drop binary as base64 encoded cert trick
author: Florian Roth (Nextron Systems) · license: see source repo
rule Binary_Drop_Certutil {
	meta:
		description = "Drop binary as base64 encoded cert trick"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://goo.gl/9DNn8q"
		date = "2015-07-15"
		score = 70
		id = "19791e51-d041-524d-80fa-9f3ec54eb084"
	strings:
		$s0 = "echo -----BEGIN CERTIFICATE----- >" ascii
		$s1 = "echo -----END CERTIFICATE----- >>" ascii
		$s2 = "certutil -decode " ascii
	condition:
		filesize < 10KB and all of them
}
direct Lazagne
Lazagne_PW_Dumper
Detects Lazagne PW Dumper
author: Markus Neis / Florian Roth · license: see source repo
rule Lazagne_PW_Dumper {
   meta:
      description = "Detects Lazagne PW Dumper"
      author = "Markus Neis / Florian Roth"
      reference = "https://github.com/AlessandroZ/LaZagne/releases/"
      date = "2018-03-22"
      score = 70
      id = "1904029e-9336-5278-ae2e-4bc853316600"
   strings:
      $s1 = "Crypto.Hash" fullword ascii
      $s2 = "laZagne" fullword ascii
      $s3 = "impacket.winregistry" fullword ascii
   condition:
      3 of them
}
direct Lazagne
HKTL_Lazagne_PasswordDumper_Dec18_1
Detects password dumper Lazagne often used by middle eastern threat groups
author: Florian Roth (Nextron Systems) · license: see source repo
rule HKTL_Lazagne_PasswordDumper_Dec18_1 {
   meta:
      description = "Detects password dumper Lazagne often used by middle eastern threat groups"
      author = "Florian Roth (Nextron Systems)"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      reference = "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group"
      date = "2018-12-11"
      score = 85
      hash1 = "1205f5845035e3ee30f5a1ced5500d8345246ef4900bcb4ba67ef72c0f79966c"
      hash2 = "884e991d2066163e02472ea82d89b64e252537b28c58ad57d9d648b969de6a63"
      hash3 = "bf8f30031769aa880cdbe22bc0be32691d9f7913af75a5b68f8426d4f0c7be50"
      id = "bae48a4d-33b6-55b9-abf5-daf87e5da9e9"
   strings:
      $s1 = "softwares.opera(" ascii
      $s2 = "softwares.mozilla(" ascii
      $s3 = "config.dico(" ascii
      $s4 = "softwares.chrome(" ascii
      $s5 = "softwares.outlook(" ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 17000KB and 1 of them
}
direct Lazagne
HKTL_Lazagne_Gen_18
Detects Lazagne password extractor hacktool
author: Florian Roth (Nextron Systems) · license: see source repo
rule HKTL_Lazagne_Gen_18 {
   meta:
      description = "Detects Lazagne password extractor hacktool"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/AlessandroZ/LaZagne"
      license = "https://creativecommons.org/licenses/by-nc/4.0/"
      date = "2018-12-11"
      score = 80
      hash1 = "51121dd5fbdfe8db7d3a5311e3e9c904d644ff7221b60284c03347938577eecf"
      id = "034ea6d8-f5cf-5664-9ff9-24d19403093d"
   strings:
      $x1 = "lazagne.config.powershell_execute(" ascii
      $x2 = "creddump7.win32." ascii
      $x3 = "lazagne.softwares.windows.hashdump" ascii
      $x4 = ".softwares.memory.libkeepass.common(" ascii
   condition:
      2 of them
}
direct Impacket
Impacket_Keyword
Detects Impacket Keyword in Executable
author: Florian Roth (Nextron Systems) · license: see source repo
rule Impacket_Keyword {
   meta:
      description = "Detects Impacket Keyword in Executable"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Internal Research"
      date = "2017-08-04"
      score = 60
      hash1 = "9388c78ea6a78dbea307470c94848ae2481481f593d878da7763e649eaab4068"
      hash2 = "2f6d95e0e15174cfe8e30aaa2c53c74fdd13f9231406b7103da1e099c08be409"
      id = "a92962e6-1b05-583b-8b06-f226bdea88e2"
   strings:
      $s1 = "impacket.smb(" ascii
      $s2 = "impacket.ntlm(" ascii
      $s3 = "impacket.nmb(" ascii
   condition:
      (uint16(0) == 0x5a4d and filesize < 14000KB and 1 of them)
}
direct Impacket
Impacket_Tools_tracer
Compiled Impacket Tools
author: Florian Roth · license: see source repo
rule Impacket_Tools_tracer {
   meta:
      description = "Compiled Impacket Tools"
      author = "Florian Roth"
      reference = "https://github.com/maaaaz/impacket-examples-windows"
      date = "2017-04-07"
      modified = "2021-07-15"
      hash1 = "e300339058a885475f5952fb4e9faaa09bb6eac26757443017b281c46b03108b"
   strings:
      $s1 = "btk85.dll" fullword ascii
      $s2 = "btcl85.dll" fullword ascii
      $s3 = "xtk\\unsupported.tcl" fullword ascii

      $fp1 = "Linden Research Inc" wide
   condition:
      ( uint16(0) == 0x5a4d and filesize < 21000KB and all of ($s*) )
      and not 1 of ($fp*)
}
direct Impacket
Impacket_Tools_wmiexec
Compiled Impacket Tools
author Florian Roth (Nextron Systems) license see source repo
rule Impacket_Tools_wmiexec {
   meta:
      description = "Compiled Impacket Tools"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/maaaaz/impacket-examples-windows"
      date = "2017-04-07"
      hash1 = "19544863758341fe7276c59d85f4aa17094045621ca9c98f8a9e7307c290bad4"
      id = "3c2c7edf-da71-53dc-9ddf-dfbf10838a27"
   strings:
      $s1 = "bwmiexec.exe.manifest" fullword ascii
      $s2 = "swmiexec" fullword ascii
      $s3 = "\\yzHPlU=QA" ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 17000KB and 2 of them )
}
direct Impacket
Impacket_Tools_sniffer
Compiled Impacket Tools
author Florian Roth (Nextron Systems) license see source repo
rule Impacket_Tools_sniffer {
   meta:
      description = "Compiled Impacket Tools"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/maaaaz/impacket-examples-windows"
      date = "2017-04-07"
      hash1 = "efff15e1815fb3c156678417d6037ddf4b711a3122c9b5bc2ca8dc97165d3769"
      id = "07051edc-91a8-59d6-87bf-dba98ef28588"
   strings:
      $s1 = "ssniffer" fullword ascii
      $s2 = "impacket.dhcp(" ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 15000KB and all of them )
}
direct Impacket
Impacket_Tools_mmcexec
Compiled Impacket Tools
author Florian Roth (Nextron Systems) license see source repo
rule Impacket_Tools_mmcexec {
   meta:
      description = "Compiled Impacket Tools"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/maaaaz/impacket-examples-windows"
      date = "2017-04-07"
      hash1 = "263a1655a94b7920531e123a8c9737428f2988bf58156c62408e192d4b2a63fc"
      id = "cca2082f-72a4-50c8-80b8-a9bed430dc4e"
   strings:
      $s1 = "smmcexec" fullword ascii
      $s2 = "\\yzHPlU=QA" ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 16000KB and all of them )
}
direct Impacket
Impacket_Tools_ifmap
Compiled Impacket Tools
author Florian Roth (Nextron Systems) license see source repo
rule Impacket_Tools_ifmap {
   meta:
      description = "Compiled Impacket Tools"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/maaaaz/impacket-examples-windows"
      date = "2017-04-07"
      hash1 = "20a1f11788e6cc98a76dca2db4691963c054fc12a4d608ac41739b98f84b3613"
      id = "e5461916-ec2b-5f65-b938-267483f50bb2"
   strings:
      $s1 = "bifmap.exe.manifest" fullword ascii
      $s2 = "impacket.dcerpc.v5.epm(" ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 15000KB and all of them )
}
direct karmaSMB
karmaSMB
Compiled Impacket Tools
author Florian Roth (Nextron Systems) license see source repo
rule karmaSMB {
   meta:
      description = "Compiled Impacket Tools"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/maaaaz/impacket-examples-windows"
      date = "2017-04-07"
      hash1 = "d256d1e05695d62a86d9e76830fcbb856ba7bd578165a561edd43b9f7fdb18a3"
      id = "32c810c7-02e7-5203-b2ed-4e930b318cc0"
   strings:
      $s1 = "bkarmaSMB.exe.manifest" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
direct samrdump
samrdump
Compiled Impacket Tools
author Florian Roth (Nextron Systems) license see source repo
rule samrdump {
   meta:
      description = "Compiled Impacket Tools"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/maaaaz/impacket-examples-windows"
      date = "2017-04-07"
      hash1 = "4c2921702d18e0874b57638433474e54719ee6dfa39d323839d216952c5c834a"
      id = "cd274719-c8cc-5882-8d75-192ad822c6b3"
   strings:
      $s2 = "bsamrdump.exe.manifest" fullword ascii
      $s3 = "ssamrdump" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
direct Impacket
Impacket_Tools_rpcdump
Compiled Impacket Tools
author Florian Roth (Nextron Systems) license see source repo
rule Impacket_Tools_rpcdump {
   meta:
      description = "Compiled Impacket Tools"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/maaaaz/impacket-examples-windows"
      date = "2017-04-07"
      hash1 = "21d85b36197db47b94b0f4995d07b040a0455ebbe6d413bc33d926ee4e0315d9"
      id = "3f998aa6-c260-5fef-99ef-e8b4770c68c6"
   strings:
      $s1 = "srpcdump" fullword ascii
      $s2 = "impacket.dcerpc.v5.epm(" ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
direct Impacket
Impacket_Tools_secretsdump
Compiled Impacket Tools
author Florian Roth (Nextron Systems) license see source repo
rule Impacket_Tools_secretsdump {
   meta:
      description = "Compiled Impacket Tools"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/maaaaz/impacket-examples-windows"
      date = "2017-04-07"
      hash1 = "47afa5fd954190df825924c55112e65fd8ed0f7e1d6fd403ede5209623534d7d"
      id = "c944d051-ea24-5595-abef-59e326ad56de"
   strings:
      $s1 = "ssecretsdump" fullword ascii
      $s2 = "impacket.ese(" ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
direct Impacket
Impacket_Tools_esentutl
Compiled Impacket Tools
author Florian Roth (Nextron Systems) license see source repo
rule Impacket_Tools_esentutl {
   meta:
      description = "Compiled Impacket Tools"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/maaaaz/impacket-examples-windows"
      date = "2017-04-07"
      hash1 = "70d854953d3ebb2c252783a4a103ba0e596d6ab447f238af777fb37d2b64c0cd"
      id = "1965e2b3-54be-553a-83d6-a0d4919414dd"
   strings:
      $s1 = "impacket.ese(" ascii
      $s2 = "sesentutl" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 11000KB and all of them )
}
direct Impacket
Impacket_Tools_opdump
Compiled Impacket Tools
author Florian Roth (Nextron Systems) license see source repo
rule Impacket_Tools_opdump {
   meta:
      description = "Compiled Impacket Tools"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/maaaaz/impacket-examples-windows"
      date = "2017-04-07"
      hash1 = "e2205539f29972d4e2a83eabf92af18dd406c9be97f70661c336ddf5eb496742"
      id = "1bb0e747-e9b7-5a54-8052-428351be8d0d"
   strings:
      $s2 = "bopdump.exe.manifest" fullword ascii
      $s3 = "sopdump" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
direct Impacket
Impacket_Tools_sniff
Compiled Impacket Tools
author Florian Roth (Nextron Systems) license see source repo
rule Impacket_Tools_sniff {
   meta:
      description = "Compiled Impacket Tools"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/maaaaz/impacket-examples-windows"
      date = "2017-04-07"
      hash1 = "8ab2b60aadf97e921e3a9df5cf1c135fbc851cb66d09b1043eaaa1dc01b9a699"
      id = "07051edc-91a8-59d6-87bf-dba98ef28588"
   strings:
      $s1 = "ssniff" fullword ascii
      $s2 = "impacket.eap(" ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 15000KB and all of them )
}
direct Impacket
Impacket_Tools_smbexec
Compiled Impacket Tools
author Florian Roth (Nextron Systems) license see source repo
rule Impacket_Tools_smbexec {
   meta:
      description = "Compiled Impacket Tools"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/maaaaz/impacket-examples-windows"
      date = "2017-04-07"
      hash1 = "7d715217e23a471d42d95c624179fe7de085af5670171d212b7b798ed9bf07c2"
      id = "02208817-2eab-54e2-90cf-44dbf5474607"
   strings:
      $s1 = "logging.config(" ascii
      $s2 = "ssmbexec" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
direct Impacket
Impacket_Tools_goldenPac
Compiled Impacket Tools
author Florian Roth (Nextron Systems) license see source repo
rule Impacket_Tools_goldenPac {
   meta:
      description = "Compiled Impacket Tools"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/maaaaz/impacket-examples-windows"
      date = "2017-04-07"
      hash1 = "4f7fad0676d3c3d2d89e8d4e74b6ec40af731b1ddf5499a0b81fc3b1cd797ee3"
      id = "9894d16c-83fa-5e1d-9ca6-572deeec006a"
   strings:
      $s1 = "impacket.examples.serviceinstall(" ascii
      $s2 = "bgoldenPac.exe" fullword ascii
      $s3 = "json.scanner(" ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
direct Impacket
Impacket_Tools_netview
Compiled Impacket Tools
author Florian Roth (Nextron Systems) license see source repo
rule Impacket_Tools_netview {
   meta:
      description = "Compiled Impacket Tools"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/maaaaz/impacket-examples-windows"
      date = "2017-04-07"
      hash1 = "ab909f8082c2d04f73d8be8f4c2640a5582294306dffdcc85e83a39d20c49ed6"
      id = "1b9238d2-b9b1-5633-8481-05a3a97af5a6"
   strings:
      $s1 = "impacket.dcerpc.v5.wkst(" ascii
      $s2 = "dummy_threading(" ascii
      $s3 = "snetview" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
direct Impacket
Impacket_Tools_smbtorture
Compiled Impacket Tools
author Florian Roth (Nextron Systems) license see source repo
rule Impacket_Tools_smbtorture {
   meta:
      description = "Compiled Impacket Tools"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/maaaaz/impacket-examples-windows"
      date = "2017-04-07"
      hash1 = "d2856e98011541883e5b335cb46b713b1a6b2c414966a9de122ee7fb226aa7f7"
      id = "4f9b55e2-93ce-5d08-a228-73233fb0a2c6"
   strings:
      $s1 = "impacket" fullword ascii
      $s2 = "ssmbtorture" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
direct Impacket
Impacket_Tools_smbrelayx
Compiled Impacket Tools
author Florian Roth (Nextron Systems) license see source repo
rule Impacket_Tools_smbrelayx {
   meta:
      description = "Compiled Impacket Tools"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/maaaaz/impacket-examples-windows"
      date = "2017-04-07"
      hash1 = "9706eb99e48e445ac4240b5acb2efd49468a800913e70e40b25c2bf80d6be35f"
      id = "84abf3cf-841c-592d-a9d1-71d5e76eb43f"
   strings:
      $s1 = "impacket.examples.secretsdump" fullword ascii
      $s2 = "impacket.examples.serviceinstall" fullword ascii
      $s3 = "impacket.smbserver(" ascii
      $s4 = "SimpleHTTPServer(" ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 18000KB and 3 of them )
}
direct Impacket
Impacket_Tools_wmipersist
Compiled Impacket Tools
author Florian Roth (Nextron Systems) license see source repo
rule Impacket_Tools_wmipersist {
   meta:
      description = "Compiled Impacket Tools"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/maaaaz/impacket-examples-windows"
      date = "2017-04-07"
      hash1 = "2527fff1a3c780f6a757f13a8912278a417aea84295af1abfa4666572bbbf086"
      id = "29bda652-28f0-5ab6-9bc2-411f20ab0dda"
   strings:
      $s1 = "swmipersist" fullword ascii
      $s2 = "\\yzHPlU=QA" ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
direct Impacket
Impacket_Tools_lookupsid
Compiled Impacket Tools
author Florian Roth (Nextron Systems) license see source repo
rule Impacket_Tools_lookupsid {
   meta:
      description = "Compiled Impacket Tools"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/maaaaz/impacket-examples-windows"
      date = "2017-04-07"
      hash1 = "47756725d7a752d3d3cfccfb02e7df4fa0769b72e008ae5c85c018be4cf35cc1"
      id = "27f13397-b044-54b4-b5e8-c5f7ed374f59"
   strings:
      $s1 = "slookupsid" fullword ascii
      $s2 = "impacket.dcerpc" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 15000KB and all of them )
}
direct Impacket
Impacket_Tools_wmiquery
Compiled Impacket Tools
author Florian Roth (Nextron Systems) license see source repo
rule Impacket_Tools_wmiquery {
   meta:
      description = "Compiled Impacket Tools"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/maaaaz/impacket-examples-windows"
      date = "2017-04-07"
      hash1 = "202a1d149be35d96e491b0b65516f631f3486215f78526160cf262d8ae179094"
      id = "e8bdf27a-9763-5947-854f-162f74ff53be"
   strings:
      $s1 = "swmiquery" fullword ascii
      $s2 = "\\yzHPlU=QA" ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
direct Impacket
Impacket_Tools_atexec
Compiled Impacket Tools
author Florian Roth (Nextron Systems) license see source repo
rule Impacket_Tools_atexec {
   meta:
      description = "Compiled Impacket Tools"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/maaaaz/impacket-examples-windows"
      date = "2017-04-07"
      hash1 = "337bd5858aba0380e16ee9a9d8f0b3f5bfc10056ced4e75901207166689fbedc"
      id = "4f02e304-69d4-5952-80be-793379bccac0"
   strings:
      $s1 = "batexec.exe.manifest" fullword ascii
      $s2 = "satexec" fullword ascii
      $s3 = "impacket.dcerpc" fullword ascii
      $s4 = "# CSZq" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 15000KB and 3 of them )
}
Showing 51-100 of 113
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin