YARA rules for APT40
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts; note that rules keyed on shared tooling (for example Impacket, BloodHound or Cobalt Strike) will also fire on other actors and on legitimate administrative or testing use, so a match on its own does not attribute activity to this actor.
// Generic detector for Windows-compiled builds of the Impacket example tools
// (see reference). Impacket is also used by administrators and authorised
// testers, so a hit is a triage lead rather than a verdict on its own.
rule Impacket_Tools_Generic_1 {
    meta:
        description = "Compiled Impacket Tools"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/maaaaz/impacket-examples-windows"
        date = "2017-04-07"
        super_rule = 1
        hash1 = "4f7fad0676d3c3d2d89e8d4e74b6ec40af731b1ddf5499a0b81fc3b1cd797ee3"
        hash2 = "d256d1e05695d62a86d9e76830fcbb856ba7bd578165a561edd43b9f7fdb18a3"
        hash3 = "2d8d500bcb3ffd22ddd8bd68b5b2ce935c958304f03729442a20a28b2c0328c1"
        hash4 = "ab909f8082c2d04f73d8be8f4c2640a5582294306dffdcc85e83a39d20c49ed6"
        hash5 = "e2205539f29972d4e2a83eabf92af18dd406c9be97f70661c336ddf5eb496742"
        hash6 = "27bb10569a872367ba1cfca3cf1c9b428422c82af7ab4c2728f501406461c364"
        hash7 = "dc85a3944fcb8cc0991be100859c4e1bf84062f7428c4dc27c71e08d88383c98"
        hash8 = "0f7f0d8afb230c31fe6cf349c4012b430fc3d6722289938f7e33ea15b2996e1b"
        hash9 = "21d85b36197db47b94b0f4995d07b040a0455ebbe6d413bc33d926ee4e0315d9"
        hash10 = "4c2921702d18e0874b57638433474e54719ee6dfa39d323839d216952c5c834a"
        hash11 = "47afa5fd954190df825924c55112e65fd8ed0f7e1d6fd403ede5209623534d7d"
        hash12 = "7d715217e23a471d42d95c624179fe7de085af5670171d212b7b798ed9bf07c2"
        hash13 = "9706eb99e48e445ac4240b5acb2efd49468a800913e70e40b25c2bf80d6be35f"
        hash14 = "d2856e98011541883e5b335cb46b713b1a6b2c414966a9de122ee7fb226aa7f7"
        hash15 = "8ab2b60aadf97e921e3a9df5cf1c135fbc851cb66d09b1043eaaa1dc01b9a699"
        hash16 = "efff15e1815fb3c156678417d6037ddf4b711a3122c9b5bc2ca8dc97165d3769"
        hash17 = "e300339058a885475f5952fb4e9faaa09bb6eac26757443017b281c46b03108b"
        hash18 = "19544863758341fe7276c59d85f4aa17094045621ca9c98f8a9e7307c290bad4"
        hash19 = "2527fff1a3c780f6a757f13a8912278a417aea84295af1abfa4666572bbbf086"
        hash20 = "202a1d149be35d96e491b0b65516f631f3486215f78526160cf262d8ae179094"
        id = "d2ce6426-d165-5569-a992-268f05622653"
    strings:
        // DLL name embedded in the compiled tool bundle.
        $s1 = "bpywintypes27.dll" fullword ascii
        // Short literal token; its origin is not documented in the rule.
        $s2 = "hZFtPC" fullword ascii
        // Package name; deliberately not fullword so it also matches inside
        // longer module paths such as "impacket.smb".
        $s3 = "impacket" ascii
    condition:
        // Either a PE (bytes "MZ" at offset 0) under 21000KB carrying all three
        // strings, or any file carrying all of them. Every string in this rule
        // is $s*, so "all of them" equals "all of ($s*)" and the second
        // alternative already covers the first; the MZ/filesize gate therefore
        // does not narrow the match. Kept as written to preserve behaviour.
        ( uint16(0) == 0x5a4d and filesize < 21000KB and all of ($s*) )
        or ( all of them )
}
// Flags PE files that embed Impacket module references commonly seen in
// compiled lateral-movement tooling. Score 60 reflects that the same modules
// ship in legitimate Impacket builds used for administration and testing.
rule Impacket_Lateral_Movement {
    meta:
        description = "Detects Impacket Network Aktivity for Lateral Movement"
        author = "Markus Neis"
        reference = "https://github.com/CoreSecurity/impacket"
        date = "2018-03-22"
        score = 60
        id = "44db234c-ac81-5d21-bc2a-8cfd88807c0d"
    strings:
        // Module paths followed by "(" as they appear in frozen/compiled code.
        $s1 = "impacket.dcerpc.v5.transport(" ascii
        $s2 = "impacket.smbconnection(" ascii
        $s3 = "impacket.dcerpc.v5.ndr(" ascii
        $s4 = "impacket.spnego(" ascii
        $s5 = "impacket.smb(" ascii
        $s6 = "impacket.ntlm(" ascii
        $s7 = "impacket.nmb(" ascii
    condition:
        // PE header ("MZ" at offset 0), size cap, and at least two module
        // references; all strings are $s*, so this equals "2 of them".
        uint16(0) == 0x5a4d
        and filesize < 14000KB
        and 2 of ($s*)
}
// Source-level rule for a modified Impacket smbexec script (see reference):
// it keys on the CMDEXEC/RemoteShell class names plus two implementation
// details that differ from stock smbexec — a mixed-case "%CoMSpEC%" shell
// string and a service name chosen at random from self.services_names.
rule HackTool_PY_ImpacketObfuscation_1
{
    meta:
        date = "2020-12-01"
        modified = "2020-12-01"
        description = "smbexec"
        md5 = "0b1e512afe24c31531d6db6b47bac8ee"
        reference = "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html"
        author = "FireEye"
        id = "992d1132-3136-5e1b-a1ef-dcdf36ebf0f5"
    strings:
        // Class names present in the script; case-insensitive.
        $s1 = "class CMDEXEC" nocase
        $s2 = "class RemoteShell" nocase
        // Attribute and import referenced by the randomised service-name logic.
        $s3 = "self.services_names"
        $s4 = "import random"
        // self.__shell = "%CoMSpEC% /q /K " with optional tab/space padding
        // ([\x09\x20]) around "=" and between tokens; nocase covers casing variants.
        $s6 = /self\.__shell[\x09\x20]{0,32}=[\x09\x20]{0,32}[\x22\x27]%CoMSpEC%[\x09\x20]{1,32}\/q[\x09\x20]{1,32}\/K [\x22\x27]/ nocase
        // self.__serviceName = self.services_names[random.randint(0, len(self.services_names) - 1)]
        $s7 = /self\.__serviceName[\x09\x20]{0,32}=[\x09\x20]{0,32}self\.services_names\[random\.randint\([\x09\x20]{0,32}0[\x09\x20]{0,32},[\x09\x20]{0,32}len\(self\.services_names\)[\x09\x20]{0,32}-[\x09\x20]{0,32}1\)\]/
    condition:
        // Requires every string, so generic smbexec copies lacking the
        // modified shell/service-name lines do not match.
        all of them
}
// Source-level rule for a modified Impacket wmiexec script (see reference):
// keys on the WMIEXEC/RemoteShell class names, a name built from
// time.time() minus a random offset plus a uuid4 prefix, and a
// "cmd.exe /q /K " shell string.
rule HackTool_PY_ImpacketObfuscation_2
{
    meta:
        description = "Detects FireEye's wmiexec impacket obfuscation"
        date = "2020-12-01"
        modified = "2020-12-01"
        md5 = "f3dd8aa567a01098a8a610529d892485"
        reference = "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html"
        author = "FireEye"
        id = "f1059f66-eaff-5866-bafb-c94236cf96a0"
    strings:
        $s1 = "import random"
        // Class names; case-insensitive.
        $s2 = "class WMIEXEC" nocase
        $s3 = "class RemoteShell" nocase
        // = str(int(time.time()) - random.randint(N, M)) + str(uuid.uuid4()).split('-')[0]
        // with optional tab/space padding between tokens.
        $s4 = /=[\x09\x20]{0,32}str\(int\(time\.time\(\)\)[\x09\x20]{0,32}-[\x09\x20]{0,32}random\.randint\(\d{1,10}[\x09\x20]{0,32},[\x09\x20]{0,32}\d{1,10}\)\)[\x09\x20]{0,32}\+[\x09\x20]{0,32}str\(uuid\.uuid4\(\)\)\.split\([\x22\x27]\-[\x22\x27]\)\[0\]/
        // self.__shell = "cmd.exe /q /K " (note the unescaped "." in cmd.exe
        // matches any character); nocase covers casing variants.
        $s5 = /self\.__shell[\x09\x20]{0,32}=[\x09\x20]{0,32}[\x22\x27]cmd.exe[\x09\x20]{1,32}\/q[\x09\x20]{1,32}\/K [\x22\x27]/ nocase
    condition:
        // All five strings must be present.
        all of them
}
// Matches the BloodHound-Owned helper (see reference) by its user-facing
// query titles and log messages. Any single string suffices, so expect hits
// on the tool's own documentation and on copies of its query file, not only
// on binaries; no date or id is recorded in the original meta.
rule hacktool_multi_bloodhound_owned
{
    meta:
        description = "Bloodhound: Custom queries to document a compromise, find collateral spread of owned nodes, and visualize deltas in privilege gains"
        reference = "https://github.com/porterhau5/BloodHound-Owned/"
        author = "@fusionrace"
    strings:
        // Custom Cypher query titles, matched as ASCII or UTF-16 whole words.
        $s1 = "Find all owned Domain Admins" fullword ascii wide
        $s2 = "Find Shortest Path from owned node to Domain Admins" fullword ascii wide
        $s3 = "List all directly owned nodes" fullword ascii wide
        $s4 = "Set owned and wave properties for a node" fullword ascii wide
        $s5 = "Find spread of compromise for owned nodes in wave" fullword ascii wide
        $s6 = "Show clusters of password reuse" fullword ascii wide
        // Runtime log/status messages emitted by the helper.
        $s7 = "Something went wrong when creating SharesPasswordWith relationship" fullword ascii wide
        $s8 = "reference doc of custom Cypher queries for BloodHound" fullword ascii wide
        $s9 = "Created SharesPasswordWith relationship between" fullword ascii wide
        $s10 = "Skipping finding spread of compromise due to" fullword ascii wide
    condition:
        // Equivalent to "any of them".
        1 of them
}
// Detects the Cobalt Strike sample (hash1) from the Leviathan report by its
// embedded error/format strings. $x* strings are treated as high-confidence
// on their own; $s* strings are more generic and need three together.
rule Leviathan_CobaltStrike_Sample_1 {
    meta:
        description = "Detects Cobalt Strike sample from Leviathan report"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/MZ7dRg"
        date = "2017-10-18"
        hash1 = "5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362"
        id = "e29072d8-b4ea-5e94-8a1c-0a1baec5f423"
    strings:
        // High-confidence: DLL name and injection/impersonation error strings.
        $x1 = "a54c81.dll" fullword ascii
        $x2 = "%d is an x64 process (can't inject x86 content)" fullword ascii
        $x3 = "Failed to impersonate logged on user %d (%u)" fullword ascii
        // Supporting: PowerShell launcher templates, error messages, and a
        // long "%08x"-heavy format string.
        $s1 = "powershell -nop -exec bypass -EncodedCommand \"%s\"" fullword ascii
        $s2 = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s" fullword ascii
        $s3 = "could not run command (w/ token) because of its length of %d bytes!" fullword ascii
        $s4 = "could not write to process memory: %d" fullword ascii
        $s5 = "%s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" fullword ascii
        $s6 = "Could not connect to pipe (%s): %d" fullword ascii
    condition:
        // PE ("MZ" at offset 0) under 600KB with one $x string or any three strings.
        uint16(0) == 0x5a4d
        and filesize < 600KB
        and ( 1 of ($x*) or 3 of them )
}
// Detects a VBScript/HTA payload delivered under a favicon filename in the
// Leviathan incident (hash1). The first alternative requires the file to
// start with "<s" (0x3c 0x73, i.e. a leading <script> tag) and one $x string;
// the second accepts any three strings regardless of size or leading bytes.
rule VBScript_Favicon_File {
    meta:
        description = "VBScript cloaked as Favicon file used in Leviathan incident"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/MZ7dRg"
        date = "2017-10-18"
        modified = "2023-01-06"
        hash1 = "39c952c7e14b6be5a9cb1be3f05eafa22e1115806e927f4e2dc85d609bc0eb36"
        id = "84147d4e-d062-5ba4-8019-6bf4b72c36c6"
    strings:
        // High-confidence fragments: embedded XML builder, mshta kill, off-screen window.
        $x1 = "myxml = '<?xml version=\"\"1.0\"\" encoding=\"\"UTF-8\"\"?>';myxml = myxml +'<root>" ascii
        $x2 = ".Run \"taskkill /im mshta.exe" ascii
        $x3 = "<script language=\"VBScript\">Window.ReSizeTo 0, 0 : Window.moveTo -2000,-2000 :" ascii
        // Supporting: environment-variable expansion for writable paths.
        $s1 = ".ExpandEnvironmentStrings(\"%ALLUSERSPROFILE%\") &" ascii
        $s2 = ".ExpandEnvironmentStrings(\"%temp%\") & " ascii
    condition:
        // Parenthesised to make the original precedence explicit: "and" binds
        // tighter than "or", so the size cap applies only to the first branch.
        ( filesize < 100KB and uint16(0) == 0x733c and 1 of ($x*) )
        or ( 3 of them )
}
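// Detects Hellsing implants by several independent string groups.
//
// Fix: the condition is now parenthesised so that the PE header check and
// the 500000-byte size cap apply to every alternative, matching the other
// Hellsing rules in this set. As originally written, "and" bound tighter
// than "or", so only the $a* alternative was gated on "MZ" and only the
// $e/$f alternative was size-limited; the $b*, $c/$d and debug-path
// alternatives matched any file of any size.
rule apt_hellsing_implantstrings {
    meta:
        version = "1.0"
        filetype = "PE"
        author = "Costin Raiu, Kaspersky Lab"
        copyright = "Kaspersky Lab"
        date = "2015-04-07"
        description = "detection for Hellsing implants"
        id = "00aa5885-ae79-5d68-8587-13d3e8965630"
    strings:
        // Group a: upload failure message plus loopback ping.
        $a1 = "the file uploaded failed !"
        $a2 = "ping 127.0.0.1"
        // Group b: download failure message plus server-side script name.
        $b1 = "the file downloaded failed !"
        $b2 = "common.asp"
        // Pair c/d: server executable name and request parameter prefix.
        $c = "xweber_server.exe"
        $d = "action="
        // Developer build paths left in the binaries; case-insensitive.
        $debugpath1 = "d:\\Hellsing\\release\\msger\\" nocase
        $debugpath2 = "d:\\hellsing\\sys\\xrat\\" nocase
        $debugpath3 = "D:\\Hellsing\\release\\exe\\" nocase
        $debugpath4 = "d:\\hellsing\\sys\\xkat\\" nocase
        $debugpath5 = "e:\\Hellsing\\release\\clare" nocase
        $debugpath6 = "e:\\Hellsing\\release\\irene\\" nocase
        $debugpath7 = "d:\\hellsing\\sys\\irene\\" nocase
        // Pair e/f: DLL name plus the service entry-point export name.
        $e = "msger_server.dll"
        $f = "ServiceMain"
    condition:
        // PE ("MZ" at offset 0), size cap, and at least one string group.
        uint16(0) == 0x5a4d
        and filesize < 500000
        and (
            all of ($a*)
            or all of ($b*)
            or ( $c and $d )
            or any of ($debugpath*)
            or ( $e and $f )
        )
}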
// Detects Hellsing xweber/msger installers: the self-delete command line
// ($cmd) is mandatory, plus two of the supporting $a* strings.
rule apt_hellsing_installer {
    meta:
        version = "1.0"
        filetype = "PE"
        author = "Costin Raiu, Kaspersky Lab"
        copyright = "Kaspersky Lab"
        date = "2015-04-07"
        description = "detection for Hellsing xweber/msger installers"
        id = "0aca838e-813a-59ee-8a04-7d2f4e854075"
    strings:
        // Delayed self-deletion via ping then del.
        $cmd = "cmd.exe /c ping 127.0.0.1 -n 5&cmd.exe /c del /a /f \"%s\""
        // Component names and shell paths (wide = UTF-16).
        $a1 = "xweber_install_uac.exe"
        $a2 = "system32\\cmd.exe" wide
        // Opaque base64-looking blobs carried by the installer.
        $a4 = "S11SWFOrVwR9UlpWRVZZWAR0U1aoBHFTUl2oU1Y="
        $a5 = "S11SWFOrVwR9dnFTUgRUVlNHWVdXBFpTVgRdUlpWRVZZWARdUqhZVlpFR1kEUVNSXahTVgRaU1YEUVNSXahTVl1SWwRZValdVFFZUqgQBF1SWlZFVllYBFRTVqg="
        $a6 = "7dqm2ODf5N/Y2N/m6+br3dnZpunl44g="
        $a7 = "vd/m7OXd2ai/5u7a59rr7Ki45drcqMPl5t/c5dqIZw=="
        $a8 = "vd/m7OXd2ai/usPl5qjY2uXp69nZqO7l2qjf5u7a59rr7Kjf5tzr2u7n6euo4+Xm39zl2qju5dqo4+Xm39zl2t/m7ajr19vf2OPr39rj5eaZmqbs5OSINjl2tyI"
        $a9 = "C:\\Windows\\System32\\sysprep\\sysprep.exe" wide
        $a10 = "%SystemRoot%\\system32\\cmd.exe" wide
        $a11 = "msger_install.dll"
        // Raw bytes: NUL "ex.dll" NUL.
        $a12 = {00 65 78 2E 64 6C 6C 00}
    condition:
        // PE ("MZ" at offset 0), size cap, the self-delete line, two $a* strings.
        uint16(0) == 0x5a4d
        and ( $cmd and 2 of ($a*) )
        and filesize < 500000
}
// Detects the Hellsing proxy-testing utility by its PROXY_INFO log lines,
// a WinINet error message and a leftover developer build path.
rule apt_hellsing_proxytool {
    meta:
        version = "1.0"
        filetype = "PE"
        author = "Costin Raiu, Kaspersky Lab"
        copyright = "Kaspersky Lab"
        date = "2015-04-07"
        description = "detection for Hellsing proxy testing tool"
        id = "54454f07-11a9-5456-b489-9a9610e53123"
    strings:
        // Log format strings describing discovered proxy settings.
        $a1 = "PROXY_INFO: automatic proxy url => %s"
        $a2 = "PROXY_INFO: connection type => %d"
        $a3 = "PROXY_INFO: proxy server => %s"
        $a4 = "PROXY_INFO: bypass list => %s"
        // Error message naming the WinINet call that failed.
        $a5 = "InternetQueryOption failed with GetLastError() %d"
        // Developer build path; case-insensitive.
        $a6 = "D:\\Hellsing\\release\\exe\\exe\\" nocase
    condition:
        // PE ("MZ" at offset 0), any two strings, under 300000 bytes.
        uint16(0) == 0x5a4d
        and 2 of ($a*)
        and filesize < 300000
}
// Detects the Hellsing xKat tool by its driver-loading and kill/delete
// status messages. Requires six of the twelve strings, so stray matches on
// a single generic message (e.g. "kill pid:%d ok.") are not enough.
rule apt_hellsing_xkat {
    meta:
        version = "1.0"
        filetype = "PE"
        author = "Costin Raiu, Kaspersky Lab"
        copyright = "Kaspersky Lab"
        date = "2015-04-07"
        description = "detection for Hellsing xKat tool"
        id = "c831ce04-8fb2-5790-8aaf-c88b370835ac"
    strings:
        // Driver file name and embedded resource/marker name.
        $a1 = "\\Dbgv.sys"
        $a2 = "XKAT_BIN"
        // Driver setup and file/process operation status messages.
        $a3 = "release sys file error."
        $a4 = "driver_load error. "
        $a5 = "driver_create error."
        $a6 = "delete file:%s error."
        $a7 = "delete file:%s ok."
        $a8 = "kill pid:%d error."
        $a9 = "kill pid:%d ok."
        // Command-line switch.
        $a10 = "-pid-delete"
        $a11 = "kill and delete pid:%d error."
        $a12 = "kill and delete pid:%d ok."
    condition:
        // PE ("MZ" at offset 0), six or more strings, under 300000 bytes.
        uint16(0) == 0x5a4d
        and 6 of ($a*)
        and filesize < 300000
}
// Detects Hellsing "msger" type 2 implants by their local file path
// template, HTTP request format strings and a MAC-address-style formatter.
rule apt_hellsing_msgertype2 {
    meta:
        version = "1.0"
        filetype = "PE"
        author = "Costin Raiu, Kaspersky Lab"
        copyright = "Kaspersky Lab"
        date = "2015-04-07"
        description = "detection for Hellsing msger type 2 implants"
        id = "98f151de-c1c2-56c1-8c64-5d1f437e0742"
    strings:
        // Local file path template and component marker.
        $a1 = "%s\\system\\%d.txt"
        $a2 = "_msger"
        // HTTP request formats: user_login check-in with host details,
        // a data fetch path, and a user_upload action.
        $a3 = "http://%s/lib/common.asp?action=user_login&uid=%s&lan=%s&host=%s&os=%s&proxy=%s"
        $a4 = "http://%s/data/%s.1000001000"
        $a5 = "/lib/common.asp?action=user_upload&file="
        // Six hex bytes separated by dashes (MAC-address layout).
        $a6 = "%02X-%02X-%02X-%02X-%02X-%02X"
    condition:
        // PE ("MZ" at offset 0), four or more strings, under 500000 bytes.
        uint16(0) == 0x5a4d
        and 4 of ($a*)
        and filesize < 500000
}
// Detects the Hellsing msger "irene" installer by its driver file names,
// driver-loading error messages, the component name and an aPLib banner.
rule apt_hellsing_irene {
    meta:
        version = "1.0"
        filetype = "PE"
        author = "Costin Raiu, Kaspersky Lab"
        copyright = "Kaspersky Lab"
        date = "2015-04-07"
        description = "detection for Hellsing msger irene installer"
        id = "b57d1a10-4e5c-511f-b98c-8ce7d766c227"
    strings:
        // Dropped driver paths (UTF-16).
        $a1 = "\\Drivers\\usbmgr.tmp" wide
        $a2 = "\\Drivers\\usbmgr.sys" wide
        // Driver loader error messages.
        $a3 = "common_loadDriver CreateFile error!"
        $a4 = "common_loadDriver StartService error && GetLastError():%d!"
        // Component name (UTF-16) and the aPLib v0.43 version banner.
        $a5 = "irene" wide
        $a6 = "aPLib v0.43 - the smaller the better"
    condition:
        // PE ("MZ" at offset 0), four or more strings, under 500000 bytes.
        uint16(0) == 0x5a4d
        and 4 of ($a*)
        and filesize < 500000
}