YARA rules for MuddyWater
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.
rule Empire_Write_HijackDll
{
    meta:
        description = "Empire - a pure PowerShell post-exploitation agent - file Write-HijackDll.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/PowerShellEmpire/Empire"
        date = "2015-08-06"
        score = 70
        hash = "155fa7168e28f15bb34f67344f47234a866e2c63b3303422ff977540623c70bf"
        id = "6a80af21-fb01-5996-b14d-44ff55b7fb3e"
    strings:
        // Invoke-PatchDll call that swaps the embedded "debug.bat" marker for the caller's batch path
        $s1 = "$DllBytes = Invoke-PatchDll -DllBytes $DllBytes -FindString \"debug.bat\" -ReplaceString $BatchPath" ascii fullword
        // head of the base64-encoded 32-bit DLL blob ("TVqQAA" is how an MZ header looks in base64)
        $s2 = "$DllBytes32 = \"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBw" ascii
        // decode of that blob back into a byte array
        $s3 = "[Byte[]]$DllBytes = [Byte[]][Convert]::FromBase64String($DllBytes32)" ascii fullword
    condition:
        // two of the three script lines, bounded to script-sized files
        2 of ($s*) and filesize < 500KB
}
rule Empire_skeleton_key
{
    meta:
        description = "Empire - a pure PowerShell post-exploitation agent - file skeleton_key.py"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/PowerShellEmpire/Empire"
        date = "2015-08-06"
        score = 70
        hash = "3d02f16dcc38faaf5e97e4c5dbddf761f2816004775e6af8826cde9e29bb750f"
        id = "d508e09e-13e8-5866-bb5b-0d886f960bb5"
    strings:
        // Python module source that builds a PowerShell Invoke-Mimikatz command line
        $s1 = "script += \"Invoke-Mimikatz -Command '\\\"\" + command + \"\\\"';\"" ascii fullword
        // success message and the fixed misc::skeleton command the module emits
        $s2 = "script += '\"Skeleton key implanted. Use password \\'mimikatz\\' for access.\"'" ascii fullword
        $s3 = "command = \"misc::skeleton\"" ascii fullword
        // option description text from the module's info block
        $s4 = "\"ONLY APPLICABLE ON DOMAIN CONTROLLERS!\")," ascii fullword
    condition:
        // the module file is tiny, so the size bound is tight
        2 of ($s*) and filesize < 6KB
}
rule Empire_invoke_wmi
{
    meta:
        description = "Empire - a pure PowerShell post-exploitation agent - file invoke_wmi.py"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/PowerShellEmpire/Empire"
        date = "2015-08-06"
        score = 70
        hash = "a914cb227f652734a91d3d39745ceeacaef7a8b5e89c1beedfd6d5f9b4615a1d"
        id = "1e1d1e71-6ea9-500a-b8b8-c48a64bc2b54"
    strings:
        // credential tuple unpacked from the Empire credential store
        $s1 = "(credID, credType, domainName, userName, password, host, sid, notes) = self.mainMenu.credentials.get_credentials(credID)[0]" ascii fullword
        // status line appended to the generated PowerShell
        $s2 = "script += \";'Invoke-Wmi executed on \" +computerNames +\"'\"" ascii fullword
        // cleartext password spliced into the generated ConvertTo-SecureString call
        $s3 = "script = \"$PSPassword = \\\"\"+password+\"\\\" | ConvertTo-SecureString -asPlainText -Force;$Credential = New-Object System.Man" ascii
    condition:
        2 of ($s*) and filesize < 20KB
}
rule Empire_Invoke_MetasploitPayload
{
    meta:
        description = "Detects Empire component - file Invoke-MetasploitPayload.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "a85ca27537ebeb79601b885b35ddff6431860b5852c6a664d32a321782808c54"
        id = "608c30b0-826a-55b1-afb8-756b476d6b55"
    strings:
        // -nop -c download cradle handed to a child process
        $s1 = "$ProcessInfo.Arguments=\"-nop -c $DownloadCradle\"" ascii fullword
        // explicit 32-bit PowerShell host path
        $s2 = "$PowershellExe=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'" ascii fullword
    condition:
        // both strings anywhere, or one of them in a small file starting with "fu"
        // (uint16 is little-endian: 0x7566 == bytes 66 75, i.e. a script opening with "function")
        all of them or ( uint16(0) == 0x7566 and filesize < 9KB and any of them )
}
rule Empire_Exploit_Jenkins
{
    meta:
        description = "Detects Empire component - file Exploit-Jenkins.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "a5182cccd82bb9984b804b365e07baba78344108f225b94bd12a59081f680729"
        id = "f2162783-34cd-5db4-bd1c-6c58feb92e77"
    strings:
        // URL-encoded Groovy ProcessBuilder body posted to the Jenkins script console
        $s1 = "$postdata=\"script=println+new+ProcessBuilder%28%27\"+$($Cmd)+\"" ascii
        $s2 = "$url = \"http://\"+$($Rhost)+\":\"+$($Port)+\"/script\"" ascii fullword
        $s3 = "$Cmd = [System.Web.HttpUtility]::UrlEncode($Cmd)" ascii fullword
    condition:
        // 0x6620 == bytes 20 66, i.e. the file starts with " f"
        all of them or ( uint16(0) == 0x6620 and filesize < 7KB and any of them )
}
rule Empire_Get_SecurityPackages
{
    meta:
        description = "Detects Empire component - file Get-SecurityPackages.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "5d06e99121cff9b0fce74b71a137501452eebbcd1e901b26bde858313ee5a9c1"
        id = "a109eda1-a26d-5cf6-b6b5-1a1a1e770a0a"
    strings:
        // reflection-built SSPI.SECPKG_FLAG enum, distinctive to this script
        $s1 = "$null = $EnumBuilder.DefineLiteral('LOGON', 0x2000)" ascii fullword
        $s2 = "$EnumBuilder = $ModuleBuilder.DefineEnum('SSPI.SECPKG_FLAG', 'Public', [Int32])" ascii fullword
    condition:
        // 0x7566 == bytes 66 75, i.e. the file starts with "fu" ("function")
        all of them or ( uint16(0) == 0x7566 and filesize < 20KB and any of them )
}
rule Empire_Invoke_PowerDump
{
    meta:
        description = "Detects Empire component - file Invoke-PowerDump.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "095c5cf5c0c8a9f9b1083302e2ba1d4e112a410e186670f9b089081113f5e0e1"
        id = "d1082a4e-d458-57fb-b332-7c775c8ef2dd"
    strings:
        // SAM hash-dump helper calls and the RC4 key derivation from the boot key
        $x16 = "$enc = Get-PostHashdumpScript" ascii fullword
        $x19 = "$lmhash = DecryptSingleHash $rid $hbootkey $enc_lm_hash $almpassword;" ascii fullword
        $x20 = "$rc4_key = $md5.ComputeHash($hbootkey[0..0x0f] + [BitConverter]::GetBytes($rid) + $lmntstr);" ascii fullword
    condition:
        // 0x2023 == bytes 23 20, i.e. the file starts with "# "
        all of them or ( uint16(0) == 0x2023 and filesize < 60KB and any of ($x*) )
}
rule Empire_Install_SSP
{
    meta:
        description = "Detects Empire component - file Install-SSP.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "7fd921a23950334257dda57b99e03c1e1594d736aab2dbfe9583f99cd9b1d165"
        id = "06bbdcc5-c48b-5753-88a2-5c962d1b986f"
    strings:
        // usage example from the script's help block
        $s1 = "Install-SSP -Path .\\mimilib.dll" ascii fullword
    condition:
        // with a single string, "all of them" is just $s1, so the header/size branch
        // never changes the outcome: the rule fires wherever $s1 appears
        all of them or ( uint16(0) == 0x7566 and filesize < 20KB and any of them )
}
rule Empire_Invoke_ShellcodeMSIL
{
    meta:
        description = "Detects Empire component - file Invoke-ShellcodeMSIL.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "9a9c6c9eb67bde4a8ce2c0858e353e19627b17ee2a7215fa04a19010d3ef153f"
        id = "06011b51-bad7-5656-ac37-e49f9b6d0498"
    strings:
        $s1 = "$FinalShellcode.Length" ascii fullword
        // inline byte arrays as written in the script source (not the raw opcodes)
        $s2 = "@(0x60,0xE8,0x04,0,0,0,0x61,0x31,0xC0,0xC3)" ascii fullword
        $s3 = "@(0x41,0x54,0x41,0x55,0x41,0x56,0x41,0x57," ascii fullword
        // reflective invoke with the fixed 0x11112222 marker argument
        $s4 = "$TargetMethod.Invoke($null, @(0x11112222)) | Out-Null" ascii fullword
    condition:
        // 0x7566 == bytes 66 75, i.e. the file starts with "fu" ("function")
        all of them or ( uint16(0) == 0x7566 and filesize < 30KB and any of them )
}
rule HKTL_Empire_PowerUp
{
    meta:
        description = "Detects Empire component - file PowerUp.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "ad9a5dff257828ba5f15331d59dd4def3989537b3b6375495d0c08394460268c"
        id = "e79d093e-7481-52a3-a350-4d1b6d8955cd"
    strings:
        // appcmd.exe invocation PowerUp uses to list IIS application pools
        $x2 = "$PoolPasswordCmd = 'c:\\windows\\system32\\inetsrv\\appcmd.exe list apppool" ascii fullword
    condition:
        // 0x233c == bytes 3c 23, i.e. the file starts with "<#" (PowerShell block comment);
        // with a single string the "all of them" branch makes that check non-binding
        all of them or ( uint16(0) == 0x233c and filesize < 2000KB and any of them )
}
rule Empire_Get_GPPPassword
{
    meta:
        description = "Detects Empire component - file Get-GPPPassword.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "55a4519c4f243148a971e4860225532a7ce730b3045bde3928303983ebcc38b0"
        id = "7791b009-19d3-5d08-8ef7-4723d28830ed"
    strings:
        // decoding of the GPP cpassword attribute and the SYSVOL walk that collects it
        $s1 = "$Base64Decoded = [Convert]::FromBase64String($Cpassword)" ascii fullword
        $s2 = "$XMlFiles += Get-ChildItem -Path \"\\\\$DomainController\\SYSVOL\" -Recurse" ascii
        $s3 = "function Get-DecryptedCpassword {" ascii fullword
    condition:
        // 0x7566 == bytes 66 75, i.e. the file starts with "fu" ("function")
        all of them or ( uint16(0) == 0x7566 and filesize < 30KB and any of them )
}
rule Empire_Invoke_SmbScanner
{
    meta:
        description = "Detects Empire component - file Invoke-SmbScanner.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "9a705f30766279d1e91273cfb1ce7156699177a109908e9a986cc2d38a7ab1dd"
        id = "63cd048b-04fd-5b4f-9d4d-3a001c31b4df"
    strings:
        // note the trailing space inside $s1 is part of the pattern
        $s1 = "$up = Test-Connection -count 1 -Quiet -ComputerName $Computer " ascii fullword
        $s2 = "$out | add-member Noteproperty 'Password' $Password" ascii fullword
    condition:
        // 0x7566 == bytes 66 75, i.e. the file starts with "fu" ("function")
        all of them or ( uint16(0) == 0x7566 and filesize < 10KB and any of them )
}
rule Empire_Exploit_JBoss
{
    meta:
        description = "Detects Empire component - file Exploit-JBoss.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "9ea3e00b299e644551d90bbee0ce3e4e82445aa15dab7adb7fcc0b7f1fe4e653"
        id = "a9c75cf5-9469-5a45-b750-69728ed0069f"
    strings:
        // function name, URL construction and the JMX console invokeOp path
        $s1 = "Exploit-JBoss" ascii fullword
        $s2 = "$URL = \"http$($SSL)://\" + $($Rhost) + ':' + $($Port)" ascii
        $s3 = "\"/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service" ascii
        // author URL and help text from the script header
        $s4 = "http://blog.rvrsh3ll.net" ascii fullword
        $s5 = "Remote URL to your own WARFile to deploy." ascii fullword
    condition:
        // 0x7566 == bytes 66 75, i.e. the file starts with "fu" ("function")
        all of them or ( uint16(0) == 0x7566 and filesize < 10KB and any of them )
}
rule Empire_dumpCredStore
{
    meta:
        description = "Detects Empire component - file dumpCredStore.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "c1e91a5f9cc23f3626326dab2dcdf4904e6f8a332e2bce8b9a0854b371c2b350"
        id = "cdb87ed4-fa90-5724-b37d-97cf8e4b8326"
    strings:
        // P/Invoke declaration for CredReadW embedded as C# in the script
        $x1 = "[DllImport(\"Advapi32.dll\", SetLastError = true, EntryPoint = \"CredReadW\"" ascii
        $s12 = "[String] $Msg = \"Failed to enumerate credentials store for user '$Env:UserName'\"" ascii fullword
        $s15 = "Rtn = CredRead(\"Target\", CRED_TYPE.GENERIC, out Cred);" ascii fullword
    condition:
        // 0x233c == bytes 3c 23, i.e. the file starts with "<#"
        all of them or ( uint16(0) == 0x233c and filesize < 40KB and any of them )
}
rule Empire_Invoke_EgressCheck
{
    meta:
        description = "Detects Empire component - file Invoke-EgressCheck.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "e2d270266abe03cfdac66e6fc0598c715e48d6d335adf09a9ed2626445636534"
        id = "21e09250-6853-5743-a6ef-aa6be8091d33"
    strings:
        // inner call with the script's own parameter names
        $s1 = "egress -ip $ip -port $c -delay $delay -protocol $protocol" ascii fullword
    condition:
        // single string: "all of them" is $s1, so the "<#" header/size branch is non-binding
        all of them or ( uint16(0) == 0x233c and filesize < 10KB and any of them )
}
rule Empire_ReflectivePick_x64_orig
{
    meta:
        description = "Detects Empire component - file ReflectivePick_x64_orig.dll"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        modified = "2022-12-21"
        hash1 = "a8c1b108a67e7fc09f81bd160c3bafb526caf3dbbaf008efb9a96f4151756ff2"
        id = "cd69a149-d881-5f93-9647-84241bd96ba5"
    strings:
        // PDB path fragment and the UTF-16 module name left in the binary
        $a1 = "\\PowerShellRunner.pdb" ascii
        $a2 = "PowerShellRunner.dll" wide fullword
        // project name; required in addition to one of the $a strings
        $s1 = "ReflectivePick" ascii fullword
    condition:
        // 0x5a4d == bytes 4d 5a, the "MZ" PE header
        $s1 and any of ($a*) and filesize < 400KB and uint16(0) == 0x5a4d
}
rule Empire_Out_Minidump
{
    meta:
        description = "Detects Empire component - file Out-Minidump.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "7803ae7ba5d4e7d38e73745b3f321c2ca714f3141699d984322fa92e0ff037a1"
        id = "8c53d2ab-afc5-5d7b-97e1-496425b9664f"
    strings:
        // reflective MiniDumpWriteDump call and the <name>_<pid>.dmp output naming
        $s1 = "$Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle," ascii fullword
        $s2 = "$ProcessFileName = \"$($ProcessName)_$($ProcessId).dmp\"" ascii fullword
    condition:
        // 0x7566 == bytes 66 75, i.e. the file starts with "fu" ("function")
        all of them or ( uint16(0) == 0x7566 and filesize < 10KB and any of them )
}
rule Empire_Invoke_PostExfil
{
    meta:
        description = "Detects Empire component - file Invoke-PostExfil.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "00c0479f83c3dbbeff42f4ab9b71ca5fe8cd5061cb37b7b6861c73c54fd96d3e"
        id = "58d9e057-efde-56ab-9b7e-982342a910e2"
    strings:
        // comment and parameter help text from the script
        $s1 = "# upload to a specified exfil URI" ascii fullword
        $s2 = "Server path to exfil to." ascii fullword
    condition:
        // 0x490a == bytes 0a 49, i.e. a newline followed by "I"; the file is very small
        all of them or ( uint16(0) == 0x490a and filesize < 2KB and any of them )
}
rule Empire_Invoke_SMBAutoBrute
{
    meta:
        description = "Detects Empire component - file Invoke-SMBAutoBrute.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "7950f8abdd8ee09ed168137ef5380047d9d767a7172316070acc33b662f812b2"
        id = "a6b402ac-0925-5bc6-9d6a-b2b811496f9e"
    strings:
        // example output line from the help block and the bad-password-count lookup
        $s1 = "[*] PDC: LAB-2008-DC1.lab.com" ascii fullword
        $s2 = "$attempts = Get-UserBadPwdCount $userid $dcs" ascii fullword
    condition:
        // 0x7566 == bytes 66 75, i.e. the file starts with "fu" ("function")
        all of them or ( uint16(0) == 0x7566 and filesize < 30KB and any of them )
}
rule Empire_Get_Keystrokes
{
    meta:
        description = "Detects Empire component - file Get-Keystrokes.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "c36e71db39f6852f78df1fa3f67e8c8a188bf951e96500911e9907ee895bf8ad"
        id = "7fb57a0d-6b65-5ee8-96ef-9af303f15007"
    strings:
        // GetAsyncKeyState poll for the right mouse button
        $s1 = "$RightMouse = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RButton) -band 0x8000) -eq 0x8000" ascii fullword
    condition:
        // single string: "all of them" is $s1, so the "fu" header/size branch is non-binding
        all of them or ( uint16(0) == 0x7566 and filesize < 30KB and any of them )
}
rule Empire_Invoke_DllInjection
{
    meta:
        description = "Detects Empire component - file Invoke-DllInjection.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "304031aa9eca5a83bdf1f654285d86df79cb3bba4aa8fe1eb680bd5b2878ebf0"
        id = "6aa14e8f-9801-5cd3-beb0-955e19d25503"
    strings:
        // short usage-example token; with a single string this is effectively the whole rule
        $s1 = "-Dll evil.dll" ascii fullword
    condition:
        // "all of them" equals $s1 here, so the header/size branch never adds anything
        all of them or ( uint16(0) == 0x7566 and filesize < 40KB and any of them )
}
rule Empire_KeePassConfig
{
    meta:
        description = "Detects Empire component - file KeePassConfig.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "5a76e642357792bb4270114d7cd76ce45ba24b0d741f5c6b916aeebd45cff2b3"
        id = "814a6ff9-a6ac-55e7-bb3f-597351ce421d"
    strings:
        // enumeration of the user's DPAPI master key files
        $s1 = "$UserMasterKeyFiles = @(, $(Get-ChildItem -Path $UserMasterKeyFolder -Force | Select-Object -ExpandProperty FullName) )" ascii fullword
    condition:
        // 0x7223 == bytes 23 72, i.e. the file starts with "#r"; single string, so the
        // "all of them" branch makes that check non-binding
        all of them or ( uint16(0) == 0x7223 and filesize < 80KB and any of them )
}
rule Empire_Invoke_SSHCommand
{
    meta:
        description = "Detects Empire component - file Invoke-SSHCommand.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "cbaf086b14d5bb6a756cbda42943d4d7ef97f8277164ce1f7dd0a1843e9aa242"
        id = "b06b507f-b6b8-5f4b-8d6d-920f141e9ac1"
    strings:
        // head of an embedded base64 PE ("TVqQAA" is how an MZ header looks in base64)
        $s1 = "$Base64 = 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA" ascii
        // usage example and verbose error text from the script
        $s2 = "Invoke-SSHCommand -ip 192.168.1.100 -Username root -Password test -Command \"id\"" ascii fullword
        $s3 = "Write-Verbose \"[*] Error loading dll\"" ascii fullword
    condition:
        // 0x660a == bytes 0a 66, i.e. a newline followed by "f"
        all of them or ( uint16(0) == 0x660a and filesize < 2000KB and any of them )
}
rule Empire_PowerShell_Framework_Gen1
{
    meta:
        description = "Detects Empire component"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
        hash2 = "a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28"
        hash3 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
        hash4 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
        hash5 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
        id = "8fdb48a0-5d40-55be-ae23-e9c8c4c2ecea"
    strings:
        // shellcode write helper and the GetCommandLineA pointer patch from the PE loader code
        $s1 = "Write-BytesToMemory -Bytes $Shellcode" ascii
        $s2 = "$GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp ($Shellcode1.Length)" ascii fullword
    condition:
        // 0x7566 == bytes 66 75, i.e. the file starts with "fu" ("function")
        all of them or ( uint16(0) == 0x7566 and filesize < 4000KB and any of them )
}
rule Empire_PowerUp_Gen
{
    meta:
        description = "Detects Empire component - from files PowerUp.ps1, PowerUp.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash1 = "ad9a5dff257828ba5f15331d59dd4def3989537b3b6375495d0c08394460268c"
        id = "ae6b0462-7193-54a4-8fb9-befc1b461b15"
    strings:
        // sc.exe calls used to restore and pause a service after binPath abuse
        $s1 = "$Result = sc.exe config $($TargetService.Name) binPath= $OriginalPath" ascii fullword
        $s2 = "$Result = sc.exe pause $($TargetService.Name)" ascii fullword
    condition:
        // 0x233c == bytes 3c 23, i.e. the file starts with "<#"
        all of them or ( uint16(0) == 0x233c and filesize < 2000KB and any of them )
}
rule Empire_PowerShell_Framework_Gen2
{
    meta:
        description = "Detects Empire component"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        // hash numbering has gaps as in the upstream rule
        hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
        hash3 = "a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28"
        hash5 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
        hash6 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
        hash8 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
        id = "eab277ca-0dd4-5035-82aa-1ac2120bac94"
    strings:
        // DllMain delegate creation and the CallDllMain.asm comment from the PE loader
        $x1 = "$DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate)" ascii fullword
        $s20 = "#Shellcode: CallDllMain.asm" ascii fullword
    condition:
        // 0x7566 == bytes 66 75, i.e. the file starts with "fu" ("function")
        all of them or ( uint16(0) == 0x7566 and filesize < 4000KB and any of them )
}
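rule Empire_Agent_Gen
{
    meta:
        description = "Detects Empire component - from files agent.ps1, agent.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        // upstream listed this same hash twice (hash1/hash2); the duplicate is dropped
        hash1 = "380fd09bfbe47d5c8c870c1c97ff6f44982b699b55b61e7c803d3423eb4768db"
        id = "0fac915c-2502-50da-93d1-f81e9282aa9a"
    strings:
        // agent beacon: configurable User-Agent header plus jitter/delay math
        $s1 = "$wc.Headers.Add(\"User-Agent\",$script:UserAgent)" ascii fullword
        $s2 = "$min = [int]((1-$script:AgentJitter)*$script:AgentDelay)" ascii fullword
        $s3 = "if ($script:AgentDelay -ne 0){" ascii fullword
    condition:
        // 0x660a == bytes 0a 66, i.e. a newline followed by "f"
        all of them or ( uint16(0) == 0x660a and filesize < 100KB and any of them )
}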
rule Empire_PowerShell_Framework_Gen3
{
    meta:
        description = "Detects Empire component"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
        hash2 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
        hash3 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
        hash4 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
        id = "b0f7ed41-be65-5e43-aeb1-56e5e7384e8f"
    strings:
        // DLL-vs-remote-process branch of the reflective loader, plus its comment text
        $s1 = "if (($PEInfo.FileType -ieq \"DLL\") -and ($RemoteProcHandle -eq [IntPtr]::Zero))" ascii fullword
        $s2 = "remote DLL injection" ascii
    condition:
        // 0x7566 == bytes 66 75, i.e. the file starts with "fu" ("function")
        all of them or ( uint16(0) == 0x7566 and filesize < 4000KB and any of them )
}
rule Empire_Invoke_InveighRelay_Gen
{
    meta:
        description = "Detects Empire component - from files Invoke-InveighRelay.ps1, Invoke-InveighRelay.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash2 = "21b90762150f804485219ad36fa509aeda210d46453307a9761c816040312f41"
        id = "0adebf6f-99e1-5461-8efc-e4660faf6d5d"
    strings:
        // Inveigh's SMB relay failure bookkeeping and NTLM challenge encoding
        $s1 = "$inveigh.SMBRelay_failed_list.Add(\"$HTTP_NTLM_domain_string\\$HTTP_NTLM_user_string $SMBRelayTarget\")" ascii fullword
        $s2 = "$NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)" ascii fullword
    condition:
        // 0x7566 == bytes 66 75, i.e. the file starts with "fu" ("function")
        all of them or ( uint16(0) == 0x7566 and filesize < 200KB and any of them )
}
rule Empire_KeePassConfig_Gen
{
    meta:
        description = "Detects Empire component - from files KeePassConfig.ps1, KeePassConfig.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash2 = "5a76e642357792bb4270114d7cd76ce45ba24b0d741f5c6b916aeebd45cff2b3"
        id = "e2bc88c5-50f8-5ddc-a449-41929b1d0528"
    strings:
        // parsing of the KeePass configuration XML
        $s1 = "$KeePassXML = [xml](Get-Content -Path $KeePassXMLPath)" ascii fullword
    condition:
        // single string: "all of them" is $s1, so the "#r" header/size branch is non-binding
        all of them or ( uint16(0) == 0x7223 and filesize < 80KB and any of them )
}
rule Empire_Invoke_Portscan_Gen
{
    meta:
        description = "Detects Empire component - from files Invoke-Portscan.ps1, Invoke-Portscan.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash2 = "cf7030be01fab47e79e4afc9e0d4857479b06a5f68654717f3bc1bc67a0f38d3"
        id = "c2e01780-02d2-57d1-b38e-5c345ebccad6"
    strings:
        // inner Test-Port call and one of the fixed speed presets
        $s1 = "Test-Port -h $h -p $Port -timeout $Timeout" ascii fullword
        $s2 = "1 {$nHosts=10; $Threads = 32; $Timeout = 5000 }" ascii fullword
    condition:
        // 0x7566 == bytes 66 75, i.e. the file starts with "fu" ("function")
        all of them or ( uint16(0) == 0x7566 and filesize < 100KB and any of them )
}
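rule Empire_PowerShell_Framework_Gen4
{
    meta:
        description = "Detects Empire component"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash1 = "743c51334f17751cfd881be84b56f648edbdaf31f8186de88d094892edc644a9"
        hash2 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
        // upstream hash3 repeated hash2 verbatim and is dropped; numbering keeps its gap
        hash4 = "a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28"
        hash5 = "304031aa9eca5a83bdf1f654285d86df79cb3bba4aa8fe1eb680bd5b2878ebf0"
        hash6 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
        hash7 = "0218be4323959fc6379489a6a5e030bb9f1de672326e5e5b8844ab5cedfdcf88"
        hash8 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
        hash9 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
        hash10 = "fa75cfd57269fbe3ad6bdc545ee57eb19335b0048629c93f1dc1fe1059f60438"
        id = "c390638a-0eb1-576d-a08c-203c31d414f3"
    strings:
        // PSReflect-style boilerplate shared by several Empire modules:
        // System.dll lookup in the GAC, GetModuleHandle invoke, dynamic assembly name
        $s1 = "Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\\\')[-1].Equals('System.dll') }" ascii fullword
        $s2 = "# Get a handle to the module specified" ascii fullword
        $s3 = "$Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))" ascii fullword
        $s4 = "$DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate')" ascii fullword
    condition:
        // 0x7566 == bytes 66 75, i.e. the file starts with "fu" ("function")
        all of them or ( uint16(0) == 0x7566 and filesize < 4000KB and any of them )
}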
rule Empire_Invoke_Gen
{
    meta:
        description = "Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash1 = "a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28"
        hash2 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
        hash3 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
        id = "913f971d-e4e3-55e9-904b-82b25a4e6f0f"
    strings:
        // short loader fragments; both are fullword, which limits accidental substring hits
        $s1 = "$Shellcode1 += 0x48" ascii fullword
        $s2 = "$PEHandle = [IntPtr]::Zero" ascii fullword
    condition:
        // 0x7566 == bytes 66 75, i.e. the file starts with "fu" ("function")
        all of them or ( uint16(0) == 0x7566 and filesize < 3000KB and any of them )
}
rule Empire_PowerShell_Framework_Gen5
{
    meta:
        description = "Detects Empire component"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
        hash2 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
        hash3 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
        id = "4c23592e-5788-5b84-995a-028142cbc52f"
    strings:
        // ExeArgs handling with the fixed "ReflectiveExe" prefix
        $s1 = "if ($ExeArgs -ne $null -and $ExeArgs -ne '')" ascii fullword
        $s2 = "$ExeArgs = \"ReflectiveExe $ExeArgs\"" ascii fullword
    condition:
        // 0x7566 == bytes 66 75, i.e. the file starts with "fu" ("function")
        all of them or ( uint16(0) == 0x7566 and filesize < 1000KB and any of them )
}
rule ConnectWise_ScreenConnect_Authentication_Bypass_Feb_2024_Exploitation_IIS_Logs
{
    meta:
        description = "Detects an http request to '/SetupWizard.aspx/' with anything following it, which when found in IIS logs is a potential indicator of compromise of the 2024 ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass"
        author = "Huntress DE&TH Team (modified by Florian Roth)"
        reference = "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"
        date = "2024-02-20"
        modified = "2024-02-21"
        id = "2886530b-e164-4c4b-b01e-950e3c40acb4"
    strings:
        // leading space keeps the method at a field boundary in the log line;
        // the trailing "/" after SetupWizard.aspx is the part that should not occur normally
        $s1 = " GET /SetupWizard.aspx/" ascii
        $s2 = " POST /SetupWizard.aspx/" ascii
        $s3 = " PUT /SetupWizard.aspx/" ascii
        $s4 = " HEAD /SetupWizard.aspx/" ascii
    condition:
        // intentionally no filesize or header bound: this is meant for log files, not binaries
        any of them
}
rule SUSP_ScreenConnect_User_PoC_Com_Unused_Feb24
{
    meta:
        description = "Detects suspicious ScreenConnect user with poc.com email address, which is a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability with the POC released by WatchTower and the account wasn't actually used yet to login"
        author = "Florian Roth"
        reference = "https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc/blob/45e5b2f699a4d8f2d59ec3fc79a2e3c99db71882/watchtowr-vs-ConnectWise_2024-02-21.py#L53"
        date = "2024-02-23"
        score = 65
        id = "c57e6c6a-298f-5ff3-b76a-03127ff88699"
    strings:
        // $a*: markers of the ScreenConnect user store XML (no modifier = ascii)
        $a1 = "<Users xmlns:xsi="
        $a2 = "<CreationDate>"
        // $s*: the PoC's poc.com mailbox plus a year-0001 last-login, i.e. never logged in
        $s1 = "@poc.com</Email>"
        $s2 = "<LastLoginDate>0001"
    condition:
        all of ($a*)
        and all of ($s*)
        and filesize < 200KB
}
rule SUSP_ScreenConnect_User_PoC_Com_Used_Feb24
{
    meta:
        description = "Detects suspicious ScreenConnect user with poc.com email address, which is a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability with the POC released by WatchTower and the account was already used yet to login"
        author = "Florian Roth"
        reference = "https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc/blob/45e5b2f699a4d8f2d59ec3fc79a2e3c99db71882/watchtowr-vs-ConnectWise_2024-02-21.py#L53"
        date = "2024-02-23"
        score = 75
        id = "91990558-f145-5968-9722-b6815f6ad8d5"
    strings:
        // $a*: markers of the ScreenConnect user store XML (no modifier = ascii)
        $a1 = "<Users xmlns:xsi="
        $a2 = "<CreationDate>"
        // the PoC's poc.com mailbox
        $s1 = "@poc.com</Email>"
        // $f*: never-logged-in marker; its absence is what raises this rule's score over the _Unused variant
        $f1 = "<LastLoginDate>0001"
    condition:
        all of ($a*)
        and $s1
        and not any of ($f*)
        and filesize < 200KB
}
rule SUSP_ScreenConnect_Exploitation_Artefacts_Feb24 : SCRIPT
{
    meta:
        description = "Detects post exploitation indicators observed by HuntressLabs in relation to the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass"
        author = "Florian Roth"
        reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
        date = "2024-02-23"
        score = 75
        id = "079f4153-8bc7-574f-b6fa-af5536b842ab"
    strings:
        // command-line and script fragments reported from post-exploitation activity;
        // strings without a modifier match ascii only
        $x01 = "-c foreach ($disk in Get-WmiObject Win32_Logicaldisk){Add-MpPreference -ExclusionPath $disk.deviceid}"
        $x02 = ".msi c:\\mpyutd.msi"
        $x03 = "/MyUserName_$env:UserName"
        $x04 = " -OutFile C:\\Windows\\Help\\"
        $x05 = "/Create /TN \\\\Microsoft\\\\Windows\\\\Wininet\\\\UserCache_"
        $x06 = "$e = $r + \"ssh.exe\""
        $x07 = "Start-Process -f $e -a $args -PassThru -WindowStyle Hidden).Id"
        $x08 = "-R 9595:localhost:3389 -p 443 -N -oStrictHostKeyChecking=no "
        $x09 = "chromeremotedesktophost.msi', $env:ProgramData+"
        $x10 = "9595; iwr -UseBasicParsing "
        // NOTE(review): the ".]com" in $x11 looks like a leftover defang from the source
        // report; confirm against the original telemetry before relying on this string
        $x11 = "curl https://cmctt.]com/pub/media/wysiwyg/"
        $x12 = ":8080/servicetest2.dll"
        $x13 = "/msappdata.msi c:\\mpyutd.msi"
        $x14 = "/svchost.exe -OutFile "
        $x15 = "curl http://minish.wiki.gd"
        $x16 = " -Headers @{'ngrok-skip-browser-warning'='true'} -OutFile "
        $x17 = "rundll32.exe' -Headers @"
        $x18 = "/nssm.exe' -Headers @"
        $x19 = "c:\\programdata\\update.dat UpdateSystem"
        // embedded base64 PE check, in both ascii and UTF-16 form
        $x20 = "::size -eq 4){\\\"TVqQAA" wide ascii
        $x21 = "::size -eq 4){\"TVqQAA" wide ascii
        $x22 = "-nop -c [System.Reflection.Assembly]::Load(([WmiClass]'root\\cimv2:System_"
        // persistence artefacts (local account creation, nssm service for xmrig)
        $xp0 = "/add default test@2021! /domain"
        $xp1 = "/add default1 test@2021! /domain"
        $xp2 = "oldadmin Pass8080!!"
        $xp3 = "temp 123123qwE /add "
        $xp4 = "oldadmin \"Pass8080!!\""
        $xp5 = "nssm set xmrig AppDirectory "
    condition:
        // the $x* wildcard also covers the $xp* strings, so any single artefact fires the rule
        any of ($x*)
}
rule SUSP_ScreenConnect_User_Gmail_2024_Feb24
{
    meta:
        description = "Detects suspicious ScreenConnect user with Gmail address created in 2024, which could be a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass"
        author = "Florian Roth"
        reference = "https://twitter.com/_johnhammond/status/1760357971127832637"
        date = "2024-02-22"
        score = 65
        id = "3c86f4ee-4e8c-566b-b54e-e94418e4ec7e"
    strings:
        // user store XML marker, a Gmail mailbox and a 2024 creation timestamp (ascii by default)
        $a1 = "<Users xmlns:xsi="
        $s1 = "@gmail.com</Email>"
        $s2 = "<CreationDate>2024-"
    condition:
        // "filepath" is an external variable, not a YARA builtin: plain yara needs it
        // supplied (e.g. -d filepath=...) or the rule fails to compile
        all of them
        and filesize < 200KB
        and filepath contains "\\ScreenConnect\\App_Data\\"
}
rule SUSP_ScreenConnect_New_User_2024_Feb24
{
    meta:
        description = "Detects suspicious new ScreenConnect user created in 2024, which could be a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass"
        author = "Florian Roth"
        reference = "https://twitter.com/_johnhammond/status/1760357971127832637"
        date = "2024-02-22"
        score = 50
        id = "f6675ded-39a4-590a-a201-fcfe3c056e60"
    strings:
        // user store XML marker plus any 2024 creation timestamp (ascii by default);
        // deliberately broad, hence the low score
        $a1 = "<Users xmlns:xsi="
        $s1 = "<CreationDate>2024-"
    condition:
        // "filepath" is an external variable, not a YARA builtin: plain yara needs it
        // supplied (e.g. -d filepath=...) or the rule fails to compile
        all of them
        and filesize < 200KB
        and filepath contains "\\ScreenConnect\\App_Data\\"
}
rule SUSP_ScreenConnect_User_2024_No_Logon_Feb24
{
    meta:
        description = "Detects suspicious ScreenConnect user created in 2024 but without any login, which could be a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass"
        author = "Florian Roth"
        reference = "https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc/blob/45e5b2f699a4d8f2d59ec3fc79a2e3c99db71882/watchtowr-vs-ConnectWise_2024-02-21.py#L53"
        date = "2024-02-23"
        score = 60
        id = "c0861f1c-08e2-565d-a468-2075c51b4004"
    strings:
        // user store XML markers (ascii by default); $s1 is a superset of $a2 and is kept for clarity
        $a1 = "<Users xmlns:xsi="
        $a2 = "<CreationDate>"
        $s1 = "<CreationDate>2024-"
        // full never-logged-in timestamp; all four strings are required
        $s2 = "<LastLoginDate>0001-01-01T00:00:00</LastLoginDate>"
    condition:
        // "filepath" is an external variable, not a YARA builtin: plain yara needs it
        // supplied (e.g. -d filepath=...) or the rule fails to compile
        all of them
        and filesize < 200KB
        and filepath contains "\\ScreenConnect\\App_Data\\"
}
rule Sliver_Implant_32bit
{
    meta:
        description = "Sliver 32-bit implant (with and without --debug flag at compile)"
        hash = "911f4106350871ddb1396410d36f2d2eadac1166397e28a553b28678543a9357"
        author = "gssincla@google.com"
        reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
        date = "2022-11-18"
        modified = "2025-03-21"
        id = "6bc4d7d1-64cf-5920-8f07-54a8a7a94f26"
    strings:
        // Each $s_* pattern is the compiled form of one case label in the implant's
        // transport switch: an x86 cmp against the literal bytes of the label, with the
        // register byte wildcarded (??) and a short jump [2-20] between the two compares.
        // "tcppivot": cmp dword ptr [reg], 'tcpp' ... cmp dword ptr [reg+4], 'ivot'
        $s_tcppivot = { 81 ?? 74 63 70 70 [2-20] 81 ?? 04 69 76 6F 74 }
        // "wg": cmp word ptr [reg], 'wg'
        $s_wg = { 66 81 ?? 77 67 }
        // "dns": cmp word ptr [reg], 'dn' ... cmp byte ptr [reg+2], 's'
        $s_dns = { 66 81 ?? 64 6E [2-20] 80 ?? 02 73 }
        // "http": cmp dword ptr [reg], 'http'
        $s_http = { 81 ?? 68 74 74 70 }
        // "https": the "http" compare followed by cmp byte ptr [reg+4], 's'
        $s_https = { 81 ?? 68 74 74 70 [2-20] 80 ?? 04 73 }
        // "mtls": cmp dword ptr [reg], 'mtls' (may be absent depending on build-time config)
        $s_mtls = { 81 ?? 6D 74 6C 73 }
        // known false positives
        $fp1 = "cloudfoundry" fullword ascii
        $fp2 = "googleapi.Error" ascii
    condition:
        // at least four transport cases, no FP marker, and no Authenticode signature;
        // pe.number_of_signatures requires the pe module (import not visible in this excerpt).
        // The "not ... > 0" form stays true for non-PE input, where the field is undefined.
        4 of ($s*)
        and not any of ($fp*)
        and not pe.number_of_signatures > 0
}
// Sliver C2 implant, 64-bit build. Same idea as the 32-bit rule: match the
// compiled switch/case over the transport name ("tcppivot", "namedpipe",
// "https", "wg", "dns", "mtls"). On x64 the compiler can load an 8-byte
// immediate with `mov r64, imm64` (48 ?? ...), so the longer names are a single
// pattern instead of two compares. Immediates hold the string bytes in memory
// order; disassemblers print them reversed ("ptth" for "http", etc.).
// Requires the `pe` module to be imported at the top of the file (not shown here)
// for the signature check in the condition.
rule Sliver_Implant_64bit
{
meta:
description = "Sliver 64-bit implant (with and without --debug flag at compile)"
hash = "2d1c9de42942a16c88a042f307f0ace215cdc67241432e1152080870fe95ea87"
author = "gssincla@google.com"
reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
date = "2022-11-18"
modified = "2025-03-21"
id = "b84db933-0e11-5871-821d-43697c015665"
strings:
// We look for the specific switch/case statement case values.
// case "tcppivot":
/*
48 ?? 74 63 70 70 69 76 6F 74 mov rcx, 746F766970706374h
*/
// REX.W mov of the full 8-byte "tcppivot"; ?? is the opcode+register byte
$s_tcppivot = { 48 ?? 74 63 70 70 69 76 6F 74 }
// case "namedpipe":
/*
48 ?? 6E 61 6D 65 64 70 69 70 mov rsi, 70697064656D616Eh // "pipdeman"
.
.
.
80 ?? 08 65 cmp byte ptr [rdx+8], 65h ; 'e'
*/
// 8-byte "namedpip" load, then the trailing 'e' compared at offset +8
$s_namedpipe = { 48 ?? 6E 61 6D 65 64 70 69 70 [2-32] 80 ?? 08 65 }
// case "https":
/*
81 3A 68 74 74 70 cmp dword ptr [rdx], 70747468h // "ptth"
.
.
.
80 7A 04 73 cmp byte ptr [rdx+4], 73h ; 's'
*/
// the ModRM bytes (3A / 7A in the sample) are wildcarded in the pattern
$s_https = { 81 ?? 68 74 74 70 [2-32] 80 ?? 04 73 }
// case "wg":
/*
66 81 3A 77 67 cmp word ptr [rdx], 6777h // "gw"
*/
$s_wg = {66 81 ?? 77 67}
// case "dns":
/*
66 81 3A 64 6E cmp word ptr [rdx], 6E64h // "nd"
.
.
.
80 7A 02 73 cmp byte ptr [rdx+2], 73h ; 's'
*/
$s_dns = { 66 81 ?? 64 6E [2-20] 80 ?? 02 73 }
// case "mtls": // This one may or may not be in the file, depending on the config flags.
/*
81 ?? 6D 74 6C 73 cmp dword ptr [rdx], 736C746Dh // "mtls"
*/
$s_mtls = { 81 ?? 6D 74 6C 73 }
// False-positive guards: presumably other Go binaries that carry similar
// transport-name compares (cloud SDK code) -- rationale not stated in the rule,
// confirm against the reference blog post before relaxing.
$fp1 = "cloudfoundry" ascii fullword
$fp2 = "googleapi.Error" ascii
condition:
// five of six: with mtls possibly absent this leaves no slack for the others,
// so a build that drops any second transport will not match
5 of ($s*)
and not 1 of ($fp*)
// Authenticode-signed PEs are excluded; implants are not expected to be signed
and not pe.number_of_signatures > 0
}
// MuddyWater maldoc (Feb 2018): an OLE2 compound document (D0 CF header, read
// little-endian as uint16 0xcfd0) embedding a Base64-wrapped PowerShell stager.
// Either encoded fragment alone is enough to match.
rule MuddyWater_Mal_Doc_Feb18_1 {
meta:
description = "Detects malicious document used by MuddyWater"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research - TI2T"
date = "2018-02-26"
hash1 = "3d96811de7419a8c090a671d001a85f2b1875243e5b38e6f927d9877d0ff9b0c"
id = "5f275ee8-c6a9-532b-bc82-b109195171da"
strings:
/* iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( */
// single Base64 layer of the PowerShell prefix above; matching the encoding
// rather than the plaintext keeps the rule robust against case/spacing tricks
// in the decoded form
$x1 = "aWV4KFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVuaWNvZGUuR2V0U3RyaW5nKFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmco" ascii
/* Double Base64 encoded : Invoke-Expression */
// no modifier given, so YARA's default (ascii) applies
$x2 = "U1FCdUFIWUFid0JyQUdVQUxRQkZBSGdBY0FCeUFHVUFjd0J6QUdrQWJ3QnVBQ0FBS"
condition:
// OLE2/CFB magic, size cap, and at least one of the encoded fragments
uint16(0) == 0xcfd0 and filesize < 3000KB and 1 of them
}
// MuddyWater maldoc (Feb 2018), second variant: matches on the VBA project's
// type-library references plus two macro artefacts. All five strings are
// required, which keeps the Office-16 reference strings ($s1-$s3, common to
// many macro documents built on Office 16) from matching on their own.
rule MuddyWater_Mal_Doc_Feb18_2 {
meta:
description = "Detects malicious document used by MuddyWater"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research - TI2T"
date = "2018-02-26"
hash1 = "3d96811de7419a8c090a671d001a85f2b1875243e5b38e6f927d9877d0ff9b0c"
hash2 = "366d8b84a43a528e6aaf9ecfc38980b148f983967803914471ccf011b9bb0832"
id = "117e1d33-63a3-52c8-acf6-bc61959193db"
strings:
// VBA reference records (wide/UTF-16) naming the builder's Office 16 libraries:
// stdole2.tlb, MSO.DLL and MSWORD.OLB
$s1 = "*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\\Windows\\System32\\stdole2.tlb#OLE Automation" fullword wide
$s2 = "*\\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL#Microsoft " wide
$s3 = "*\\G{00020905-0000-0000-C000-000000000046}#8.7#0#C:\\Program Files\\Microsoft Office\\Office16\\MSWORD.OLB#Microsoft Word 16.0 O" wide
// the macro instantiates Scripting.FileSystemObject (file-system access)
$s4 = "scripting.filesystemobject$" fullword ascii
// an ID attribute carrying the all-zero GUID
$s5 = "ID=\"{00000000-0000-0000-0000-000000000000}\"" fullword ascii
condition:
// OLE2/CFB magic, size cap, and every string present
uint16(0) == 0xcfd0 and filesize < 6000KB and all of them
}
// Small UTF-16LE text file dropped by MuddyWater (June 2018). The strings are
// consistent with a Connection Manager profile (.inf) whose UnRegisterOCXs entry
// points at scrobj.dll -- %11% is the INF placeholder for the system directory --
// i.e. the scriptlet-loading technique; the exact loader is not named in the rule.
// Detection value: the scrobj.dll reference ($x1) alone is sufficient; otherwise
// three of the five strings are needed.
rule MAL_MuddyWater_DroppedTask_Jun18_1 {
meta:
description = "Detects a dropped Windows task as used by MudyWater in June 2018"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://app.any.run/tasks/719c94eb-0a00-47cc-b583-ad4f9e25ebdb"
date = "2018-06-12"
hash1 = "7ecc2e1817f655ece2bde39b7d6633f4f586093047ec5697a1fab6adc7e1da54"
id = "d9ef379d-161f-59f1-873e-3af12b24b76b"
strings:
// high-confidence indicator: system-directory scrobj.dll with trailing ",NI,c:"
$x1 = "%11%\\scrobj.dll,NI,c:" wide
// supporting INF content (all wide, i.e. UTF-16LE)
$s1 = "AppAct = \"SOFTWARE\\Microsoft\\Connection Manager\"" fullword wide
$s2 = "[DefenderService]" fullword wide
$s3 = "UnRegisterOCXs=EventManager" fullword wide
$s4 = "ShortSvcName=\" \"" fullword wide
condition:
// 0xfeff as little-endian uint16 = bytes FF FE, the UTF-16LE BOM; the file is tiny
uint16(0) == 0xfeff and filesize < 1KB and ( 1 of ($x*) or 3 of them )
}