YARA rules for Silk Typhoon
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.
rule Empire_Invoke_PsExec {
// Purpose: identify the Empire "Invoke-PsExec.ps1" module by its function name
// and the embedded COMSPEC/service command template.
meta:
description = "Detects Empire component - file Invoke-PsExec.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
hash1 = "0218be4323959fc6379489a6a5e030bb9f1de672326e5e5b8844ab5cedfdcf88"
id = "19aaec3e-3e8f-5d7d-9c70-a212756c0300"
strings:
$s1 = "Invoke-PsExecCmd" fullword ascii
$s2 = "\"[*] Executing service .EXE" fullword ascii
$s3 = "$cmd = \"%COMSPEC% /C echo $Command ^> %systemroot%\\Temp\\" ascii
condition:
// uint16(0) == 0x7566 is the little-endian read of the bytes 66 75 ("fu"),
// i.e. a file that starts with "function". Small files with that prefix need
// only one of the strings; a file containing all three matches regardless of
// size or prefix.
( uint16(0) == 0x7566 and filesize < 50KB and 1 of them ) or all of them
}
rule Batch_Script_To_Run_PsExec {
// Purpose: catch the batch wrapper described in the NCSC report that loops over
// hosts and launches a renamed PsExec ("ps.exe -accepteula").
// Anonymous strings ($) are used because only the count matters in the condition.
meta:
author = "NCSC"
description = "Detects malicious batch file from NCSC report"
reference = "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"
date = "2018/04/06"
hash = "b7d7c4bc8f9fd0e461425747122a431f93062358ed36ce281147998575ee1a18"
id = "1fbeeec8-a5bd-569e-b435-c7d82d32e47b"
strings:
$ = "Tokens=1 delims=" ascii
$ = "SET ws=%1" ascii
$ = "Checking %ws%" ascii
$ = "%TEMP%\\%ws%ns.txt" ascii
$ = "ps.exe -accepteula" ascii
condition:
// No header or size guard: any file with three of the five fragments matches.
3 of them
}
rule Casper_SystemInformation_Output {
// Purpose: match the plaintext reconnaissance report written by the Casper
// malware, not the malware binary itself (the section headers below are the
// report's own banners). All seven strings are required, so partial reports
// are not flagged.
meta:
description = "Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://goo.gl/VRJNLo"
date = "2015/03/06"
score = 70
id = "aaae200c-7ef1-52eb-be5b-36e0ad29ecef"
strings:
// No modifiers: YARA defaults to case-sensitive ASCII for these.
$a0 = "***** SYSTEM INFORMATION ******"
$a1 = "***** SECURITY INFORMATION ******"
$a2 = "Antivirus: "
$a3 = "Firewall: "
$a4 = "***** EXECUTION CONTEXT ******"
$a5 = "Identity: "
$a6 = "<CONFIG TIMESTAMP="
condition:
all of them
}
rule Certutil_Decode_OR_Download {
// Purpose: flag scripts/documents that invoke certutil to base64-decode a
// payload or to fetch one via -urlcache. Low score (40): certutil has many
// legitimate uses, so this is a triage lead rather than a verdict.
meta:
description = "Certutil Decode"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
score = 40
date = "2017-08-29"
modified = "2026-04-01"
id = "63bdefd2-225a-56d5-b615-5e236c97f050"
strings:
// NOTE(review): $a1/$a2 and $a3/$a4 are byte-identical as rendered here. In
// the upstream rule these pairs presumably differ in whitespace between the
// binary name and "-decode" (rendering may have collapsed it) — confirm against
// the upstream file before deploying; as shown, the duplicates add nothing.
$a1 = "certutil -decode " ascii wide
$a2 = "certutil -decode " ascii wide
$a3 = "certutil.exe -decode " ascii wide
$a4 = "certutil.exe -decode " ascii wide
$a5 = "certutil -urlcache -split -f http" ascii wide
$a6 = "certutil.exe -urlcache -split -f http" ascii wide
// False-positive guards: $fp_msi is "Root Entry" in UTF-16LE (the root storage
// name of OLE compound files, e.g. MSI/Office), $fp_doc suppresses AWS docs
// that legitimately show certutil examples.
$fp_msi = { 52 00 6F 00 6F 00 74 00 20 00 45 00 6E 00 74 00 72 00 79 }
$fp_doc = "https://docs.aws.amazon.com" ascii
condition:
filesize < 700KB
and 1 of ($a*)
and not 1 of ($fp*)
}
rule APT_Cloaked_CERTUTIL {
// Purpose: find a copy of certutil.exe that has been renamed (a common way to
// evade command-line based detection). The PE content is identified by strings
// from the genuine binary; the rule then requires that the on-disk name does
// NOT contain "certutil".
meta:
description = "Detects a renamed certutil.exe utility that is often used to decode encoded payloads"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2018-09-14"
modified = "2022-06-27"
id = "13943cda-6bb1-5c6c-8e55-e8d4bba1ffef"
strings:
$s1 = "-------- CERT_CHAIN_CONTEXT --------" fullword ascii
$s5 = "certutil.pdb" fullword ascii
$s3 = "Password Token" fullword ascii
condition:
// uint16(0) == 0x5a4d: bytes 4D 5A ("MZ"), i.e. a PE file.
uint16(0) == 0x5a4d and all of them
// `filename` and `filepath` are NOT built-in YARA identifiers; they are external
// variables that the scanner must define (e.g. `-d filename=... -d filepath=...`
// with the yara CLI, or a scanner that provides them). Without them the rule
// fails to compile. `contains` is case-sensitive, hence the three spellings.
and not filename contains "certutil"
and not filename contains "CertUtil"
and not filename contains "Certutil"
// Known benign location that ships a copy under another name.
and not filepath contains "\\Bromium\\"
}
rule Binary_Drop_Certutil {
// Purpose: catch small scripts that write a payload as a fake PEM certificate
// (echo BEGIN/END CERTIFICATE into a file) and then decode it with certutil.
meta:
description = "Drop binary as base64 encoded cert trick"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/9DNn8q"
date = "2015-07-15"
score = 70
id = "19791e51-d041-524d-80fa-9f3ec54eb084"
strings:
$s0 = "echo -----BEGIN CERTIFICATE----- >" ascii
$s1 = "echo -----END CERTIFICATE----- >>" ascii
$s2 = "certutil -decode " ascii
condition:
// ascii only — a wide (UTF-16) script would not match.
filesize < 10KB and all of them
}
rule Lazagne_PW_Dumper {
// Purpose: identify LaZagne credential-recovery tool builds by the module
// names embedded in the (PyInstaller-style) bundle: its own name plus the
// pycrypto and impacket modules it imports.
meta:
description = "Detects Lazagne PW Dumper"
author = "Markus Neis / Florian Roth"
reference = "https://github.com/AlessandroZ/LaZagne/releases/"
date = "2018-03-22"
score = 70
id = "1904029e-9336-5278-ae2e-4bc853316600"
strings:
$s1 = "Crypto.Hash" fullword ascii
$s2 = "laZagne" fullword ascii
$s3 = "impacket.winregistry" fullword ascii
condition:
// "3 of them" with three strings is equivalent to "all of them".
3 of them
}
rule HKTL_Lazagne_PasswordDumper_Dec18_1 {
// Purpose: detect compiled LaZagne builds by the Python call sites for its
// per-application credential modules (opera, mozilla, chrome, outlook, dico).
meta:
description = "Detects password dumper Lazagne often used by middle eastern threat groups"
author = "Florian Roth (Nextron Systems)"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
reference = "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group"
date = "2018-12-11"
score = 85
hash1 = "1205f5845035e3ee30f5a1ced5500d8345246ef4900bcb4ba67ef72c0f79966c"
hash2 = "884e991d2066163e02472ea82d89b64e252537b28c58ad57d9d648b969de6a63"
hash3 = "bf8f30031769aa880cdbe22bc0be32691d9f7913af75a5b68f8426d4f0c7be50"
id = "bae48a4d-33b6-55b9-abf5-daf87e5da9e9"
strings:
$s1 = "softwares.opera(" ascii
$s2 = "softwares.mozilla(" ascii
$s3 = "config.dico(" ascii
$s4 = "softwares.chrome(" ascii
$s5 = "softwares.outlook(" ascii
condition:
// PE ("MZ") up to 17 MB — the generous limit accommodates bundled Python
// executables. A single call-site string is enough.
uint16(0) == 0x5a4d and filesize < 17000KB and 1 of them
}
rule HKTL_Lazagne_Gen_18 {
// Purpose: generic LaZagne detection using module/package references
// (lazagne.*, creddump7, libkeepass). No header or size guard: two of the four
// strings in any file is a hit.
meta:
description = "Detects Lazagne password extractor hacktool"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/AlessandroZ/LaZagne"
// Licensed differently from the DRL rules around it (CC BY-NC 4.0).
license = "https://creativecommons.org/licenses/by-nc/4.0/"
date = "2018-12-11"
score = 80
hash1 = "51121dd5fbdfe8db7d3a5311e3e9c904d644ff7221b60284c03347938577eecf"
id = "034ea6d8-f5cf-5664-9ff9-24d19403093d"
strings:
$x1 = "lazagne.config.powershell_execute(" ascii
$x2 = "creddump7.win32." ascii
$x3 = "lazagne.softwares.windows.hashdump" ascii
$x4 = ".softwares.memory.libkeepass.common(" ascii
condition:
2 of them
}
rule EXPL_LOG_CVE_2021_27065_Exchange_Forensic_Artefacts_Mar21_1 : LOG {
// Purpose: log-oriented rule (tag LOG). Flags the Set-OabVirtualDirectory
// ExternalUrl command fragment that appears in Exchange logs when the OAB
// virtual directory is abused for CVE-2021-27065 web shell writes.
meta:
description = "Detects forensic artefacts found in HAFNIUM intrusions exploiting CVE-2021-27065"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
date = "2021-03-02"
id = "dcc1f741-cab0-5a0b-a261-a6bd05989723"
strings:
// ascii and wide: covers both UTF-8 and UTF-16 log encodings.
$s1 = "S:CMD=Set-OabVirtualDirectory.ExternalUrl='" ascii wide fullword
condition:
1 of them
}
rule EXPL_LOG_CVE_2021_26858_Exchange_Forensic_Artefacts_Mar21_1 : LOG {
// Purpose: log rule for CVE-2021-26858. Matches POST requests to static OWA
// theme resources (css/gif/eot/ttf), which are never legitimately POSTed to;
// the exploit chain used them as write targets.
meta:
description = "Detects forensic artefacts found in HAFNIUM intrusions exploiting CVE-2021-26858"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
date = "2021-03-02"
score = 65
modified = "2021-03-04"
id = "f6fa90c7-c2c0-56db-bf7b-dc146761a995"
strings:
// NOTE(review): the alternation lists "lgnbotl.gif" twice; harmless but
// redundant. Regex strings default to case-sensitive ASCII.
$xr1 = /POST (\/owa\/auth\/Current\/themes\/resources\/logon\.css|\/owa\/auth\/Current\/themes\/resources\/owafont_ja\.css|\/owa\/auth\/Current\/themes\/resources\/lgnbotl\.gif|\/owa\/auth\/Current\/themes\/resources\/owafont_ko\.css|\/owa\/auth\/Current\/themes\/resources\/SegoeUI-SemiBold\.eot|\/owa\/auth\/Current\/themes\/resources\/SegoeUI-SemiLight\.ttf|\/owa\/auth\/Current\/themes\/resources\/lgnbotl\.gif)/
condition:
$xr1
}
rule LOG_APT_HAFNIUM_Exchange_Log_Traces_Mar21_1 : LOG {
// Purpose: IIS/HTTP-proxy log rule. Each regex ties a suspicious POST target
// (ecp/owa helper files, aspnet_client) to either a spoofed crawler user-agent
// or a scripting client, and for $xr1/$xr4/$xr5 a successful status code.
// The {100,600} / {200,600} bounds keep the match on a single log line of
// typical length.
meta:
description = "Detects suspicious log entries that indicate requests as described in reports on HAFNIUM activity"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
date = "2021-03-04"
score = 65
id = "a51f0bd5-c6fd-5ee4-9d30-9a6001778013"
strings:
// Identifiers skip $xr2 — presumably removed during tuning; no effect on logic.
$xr1 = /POST \/(ecp\/y\.js|ecp\/main\.css|ecp\/default\.flt|ecp\/auth\/w\.js|owa\/auth\/w\.js)[^\n]{100,600} (200|301|302) /
$xr3 = /POST \/owa\/auth\/Current\/[^\n]{100,600} (DuckDuckBot\/1\.0;\+\(\+http:\/\/duckduckgo\.com\/duckduckbot\.html\)|facebookexternalhit\/1\.1\+\(\+http:\/\/www\.facebook\.com\/externalhit_uatext\.php\)|Mozilla\/5\.0\+\(compatible;\+Baiduspider\/2\.0;\+\+http:\/\/www\.baidu\.com\/search\/spider\.html\)|Mozilla\/5\.0\+\(compatible;\+Bingbot\/2\.0;\+\+http:\/\/www\.bing\.com\/bingbot\.htm\)|Mozilla\/5\.0\+\(compatible;\+Googlebot\/2\.1;\+\+http:\/\/www\.google\.com\/bot\.html|Mozilla\/5\.0\+\(compatible;\+Konqueror\/3\.5;\+Linux\)\+KHTML\/3\.5\.5\+\(like\+Gecko\)\+\(Exabot-Thumbnails\)|Mozilla\/5\.0\+\(compatible;\+Yahoo!\+Slurp;\+http:\/\/help\.yahoo\.com\/help\/us\/ysearch\/slurp\)|Mozilla\/5\.0\+\(compatible;\+YandexBot\/3\.0;\+\+http:\/\/yandex\.com\/bots\)|Mozilla\/5\.0\+\(X11;\+Linux\+x86_64\)\+AppleWebKit\/537\.36\+\(KHTML,\+like\+Gecko\)\+Chrome\/51\.0\.2704\.103\+Safari\/537\.3)/
$xr4 = /POST \/ecp\/[^\n]{100,600} (ExchangeServicesClient\/0\.0\.0\.0|python-requests\/2\.19\.1|python-requests\/2\.25\.1)[^\n]{200,600} (200|301|302) /
$xr5 = /POST \/(aspnet_client|owa)\/[^\n]{100,600} (antSword\/v2\.1|Googlebot\/2\.1\+\(\+http:\/\/www\.googlebot\.com\/bot\.html\)|Mozilla\/5\.0\+\(compatible;\+Baiduspider\/2\.0;\+\+http:\/\/www\.baidu\.com\/search\/spider\.html\))[^\n]{200,600} (200|301|302) /
condition:
1 of them
}
rule LOG_Exchange_Forensic_Artefacts_CleanUp_Activity_Mar21_1 : LOG {
// Purpose: log rule for post-exploitation cleanup — command lines that cd into
// the aspnet_client web root and delete or hide files there.
meta:
// The description text ends abruptly ("... exploiting"); presumably truncated
// upstream.
description = "Detects forensic artefacts showing cleanup activity found in HAFNIUM intrusions exploiting"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/jdferrell3/status/1368626281970024448"
date = "2021-03-08"
score = 70
id = "95b19544-147b-5496-b717-669cbc488179"
strings:
// $x* are the high-confidence forms (forward- and back-slash variants).
$x1 = "cmd.exe /c cd /d C:/inetpub/wwwroot/aspnet_client" ascii wide
$x2 = "cmd.exe /c cd /d C:\\inetpub\\wwwroot\\aspnet_client" ascii wide
// $s* are weaker fragments; ascii only (no modifier).
$s1 = "aspnet_client&del '"
$s2 = "aspnet_client&attrib +h +s +r "
$s3 = "&echo [S]"
condition:
// One strong indicator alone, or any two of the five strings.
1 of ($x*) or 2 of them
}
rule EXPL_LOG_CVE_2021_27055_Exchange_Forensic_Artefacts : LOG {
// Purpose: log rule pairing the "ServerInfo~" backend-cookie marker used in the
// ProxyLogon SSRF with one of the ecp/owa resource paths the exploit targets.
meta:
description = "Detects suspicious log entries that indicate requests as described in reports on HAFNIUM activity"
author = "Zach Stanford - @svch0st, Florian Roth"
reference = "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log"
reference_2 = "https://www.praetorian.com/blog/reproducing-proxylogon-exploit/"
date = "2021-03-10"
modified = "2021-03-15"
score = 65
id = "8b0110a9-fd03-5f7d-bdd8-03ff48bcac68"
strings:
$x1 = "ServerInfo~" ascii wide
// Note: the `$s*` wildcard in the condition also selects $sr1 (it starts with
// "$s"), so this regex counts toward "1 of ($s*)".
$sr1 = /\/ecp\/[0-9a-zA-Z]{1,3}\.js/ ascii wide /* Adjusted to cover MSF exploit https://github.com/rapid7/metasploit-framework/blob/e5c76bfe13acddc4220d7735fdc3434d9c64736e/modules/exploits/windows/http/exchange_proxylogon_rce.rb */
$s1 = "/ecp/auth/w.js" ascii wide
$s2 = "/owa/auth/w.js" ascii wide
$s3 = "/owa/auth/x.js" ascii wide
$s4 = "/ecp/main.css" ascii wide
$s5 = "/ecp/default.flt" ascii wide
$s6 = "/owa/auth/Current/themes/resources/logon.css" ascii wide
condition:
$x1 and 1 of ($s*)
}
rule LOG_CVE_2021_27065_Exchange_Forensic_Artefacts_Mar21_2 : LOG {
// Purpose: log rule for the characteristic "GET /rpc/ &CorrelationID=<empty>;"
// request shape seen in ProxyLogon reproductions, followed (within one line)
// by a 2xx/3xx status.
meta:
description = "Detects suspicious log entries that indicate requests as described in reports on HAFNIUM activity"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.praetorian.com/blog/reproducing-proxylogon-exploit/"
date = "2021-03-10"
score = 65
id = "37a26def-b360-518e-a4ab-9604a5b39afd"
strings:
// [^\n]{40,600} keeps the match on a single log line.
$sr1 = /GET \/rpc\/ &CorrelationID=<empty>;&RequestId=[^\n]{40,600} (200|301|302)/
condition:
$sr1
}
rule APT_WEBSHELL_HAFNIUM_SecChecker_Mar21_1 {
// Purpose: detect the tiny ASP.NET "SecChecker" page that reports whether
// specific EDR agents are installed, by its literal File.Exists checks.
meta:
description = "Detects HAFNIUM SecChecker webshell"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/markus_neis/status/1367794681237667840"
date = "2021-03-05"
hash1 = "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0"
id = "73db3d78-7ece-53be-9efb-d19801993d5e"
strings:
$x1 = "<%if(System.IO.File.Exists(\"c:\\\\program files (x86)\\\\fireeye\\\\xagt.exe" ascii
$x2 = "\\csfalconservice.exe\")){Response.Write( \"3\");}%></head>" ascii fullword
condition:
// uint16(0) == 0x253c: bytes 3C 25 ("<%"), i.e. the file starts with an ASP tag.
// Precedence: `and` binds tighter than `or`, so this reads as
//   (starts with "<%" AND < 1KB AND 1 of them) OR 2 of them
// — a file containing both strings matches regardless of size or prefix.
uint16(0) == 0x253c and
filesize < 1KB and
1 of them or 2 of them
}
rule APT_HAFNIUM_Forensic_Artefacts_Mar21_1 {
// Purpose: post-exploitation artefacts from the Microsoft HAFNIUM report —
// an LSASS dump command line, a staged archive path, and a powercat reverse
// connection fragment. Any one of them is a hit; no header/size guard.
meta:
description = "Detects forensic artefacts found in HAFNIUM intrusions"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"
date = "2021-03-02"
id = "872822b0-34d9-5ae4-a532-6a8786494fa9"
strings:
$s1 = "lsass.exe C:\\windows\\temp\\lsass" ascii wide fullword
$s2 = "c:\\ProgramData\\it.zip" ascii wide fullword
$s3 = "powercat.ps1'); powercat -c" ascii wide fullword
condition:
1 of them
}
rule APT_WEBSHELL_HAFNIUM_Chopper_WebShell: APT Hafnium WebShell {
// Purpose: detect China Chopper-style ASP.NET one-liners (eval of request data
// or a StreamWriter fed from form fields) in small files. Tags: APT, Hafnium,
// WebShell. As the description notes, this is not HAFNIUM-specific.
meta:
description = "Detects Chopper WebShell Injection Variant (not only Hafnium related)"
author = "Markus Neis,Swisscom"
date = "2021-03-05"
reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
id = "25dcf166-4aea-5680-b161-c5fc8d74b987"
strings:
// $x1 is the anchor (server-side script tag); alone it is far too common,
// which is why the condition also requires one of the $s* payload patterns.
$x1 = "runat=\"server\">" nocase
$s1 = "<script language=\"JScript\" runat=\"server\">function Page_Load(){eval(Request" nocase
// $s2 has no `nocase`, unlike its siblings — case-sensitive match.
$s2 = "protected void Page_Load(object sender, EventArgs e){System.IO.StreamWriter sw = new System.IO.StreamWriter(Request.Form[\"p\"] , false, Encoding.Default);sw.Write(Request.Form[\"f\"]);"
$s3 = "<script language=\"JScript\" runat=\"server\"> function Page_Load(){eval (Request[\"" nocase
condition:
filesize < 10KB and $x1 and 1 of ($s*)
}
rule WEBSHELL_CVE_2021_27065_Webshells {
// Purpose: MSTIC rule for web shells written via the OAB virtual directory
// (CVE-2021-27065). The dropped file is an OAB configuration dump, so it
// carries Exchange virtual-directory property names (ExternalUrl, InternalUrl,
// InternalAuthenticationMethods, ExtendedProtectionTokenChecking) alongside
// server-side script markers.
meta:
description = "Detects web shells dropped by CVE-2021-27065. All actors, not specific to HAFNIUM. TLP:WHITE"
author = "Joe Hannon, Microsoft Threat Intelligence Center (MSTIC)"
date = "2021-03-05"
reference = "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"
id = "27677f35-24a3-59cc-a3ad-b83884128da7"
strings:
$script1 = "script language" ascii wide nocase
$script2 = "page language" ascii wide nocase
$script3 = "runat=\"server\"" ascii wide nocase
$script4 = "/script" ascii wide nocase
$externalurl = "externalurl" ascii wide nocase
$internalurl = "internalurl" ascii wide nocase
$internalauthenticationmethods = "internalauthenticationmethods" ascii wide nocase
$extendedprotectiontokenchecking = "extendedprotectiontokenchecking" ascii wide nocase
condition:
// Script marker + (external OR internal URL) + both remaining property names.
filesize < 50KB and any of ($script*) and ($externalurl or $internalurl) and $internalauthenticationmethods and $extendedprotectiontokenchecking
}
rule APT_MAL_ASPX_HAFNIUM_Chopper_Mar21_3 {
// Purpose: ASPX file-upload shell — a Page_Load handler that saves the first
// uploaded file to a server path. Both strings are required.
meta:
description = "Detects HAFNIUM ASPX files dropped on compromised servers"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"
date = "2021-03-07"
score = 85
id = "9c2ba123-63c4-5e9c-a08f-bd9db3304691"
strings:
$s1 = "runat=\"server\">void Page_Load(object" ascii wide
$s2 = "Request.Files[0].SaveAs(Server.MapPath(" ascii wide
condition:
filesize < 50KB and
all of them
}
rule APT_MAL_ASPX_HAFNIUM_Chopper_Mar21_4 {
// Purpose: very small JScript ASPX page that base64-decodes and evals input.
// The 850-byte cap (bytes, no unit suffix) targets the one-liner variant and
// excludes larger legitimate pages that may share these fragments.
meta:
description = "Detects HAFNIUM ASPX files dropped on compromised servers"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"
date = "2021-03-07"
score = 85
id = "93f5b682-642d-5edf-84a9-296bf12cd72b"
strings:
$s1 = "<%@Page Language=\"Jscript\"%>" ascii wide nocase
$s2 = ".FromBase64String(" ascii wide nocase
$s3 = "eval(System.Text.Encoding." ascii wide nocase
condition:
filesize < 850 and
all of them
}
rule APT_HAFNIUM_ForensicArtefacts_WER_Mar21_1 {
// Purpose: match Windows Error Reporting files for a crash of the IIS worker
// (w3wp.exe) in the Exchange ECP application pool. Per the description this
// indicates a failed CVE-2021-26857 attempt on a patched host, hence the low
// score (40).
meta:
description = "Detects a Windows Error Report (WER) that indicates and exploitation attempt of the Exchange server as described in CVE-2021-26857 after the corresponding patches have been applied. WER files won't be written upon successful exploitation before applying the patch. Therefore, this indicates an unsuccessful attempt."
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/cyb3rops/status/1368471533048446976"
date = "2021-03-07"
score = 40
id = "06771101-10ce-5d6b-99f7-a321aade7f69"
strings:
// `wide` only: WER reports are UTF-16, consistent with the BOM check below.
$s1 = "AppPath=c:\\windows\\system32\\inetsrv\\w3wp.exe" wide fullword
$s7 = ".Value=w3wp#MSExchangeECPAppPool" wide
condition:
// uint16(0) == 0xfeff: bytes FF FE, the UTF-16LE byte-order mark.
uint16(0) == 0xfeff and
filesize < 8KB and
all of them
}
rule APT_HAFNIUM_ForensicArtefacts_Cab_Recon_Mar21_1 {
// Purpose: flag CAB archives that bundle reconnaissance output (ip/arp dumps
// plus files named "system" and "security" — presumably exported event logs).
meta:
description = "Detects suspicious CAB files used by HAFNIUM for recon activity"
author = "Florian Roth (Nextron Systems)"
reference = "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3?u=dstepanic"
date = "2021-03-11"
score = 70
id = "b0caf9d9-af0a-5181-85e4-6091cd6699e3"
strings:
$s1 = "ip.txt" ascii fullword
$s2 = "arp.txt" ascii fullword
$s3 = "system" ascii fullword
$s4 = "security" ascii fullword
condition:
// uint32(0) == 0x4643534d: bytes 4D 53 43 46 ("MSCF"), the CAB signature.
// Each name must occur within the first 200 bytes — where the file-entry
// names of a small cabinet sit — so matches inside compressed content or in
// large archives are ignored. All four are required.
uint32(0) == 0x4643534d and
filesize < 10000KB and (
$s1 in (0..200) and
$s2 in (0..200) and
$s3 in (0..200) and
$s4 in (0..200)
)
}
rule APT_MAL_ASP_DLL_HAFNIUM_Mar21_1 {
// Purpose: detect the compiled (ASP.NET temporary) DLLs produced from the
// dropped web shells, either via the Page_Load symbol plus a UTF-16 URL
// fragment, or via four opcode/metadata byte sequences from the known samples.
meta:
description = "Detects HAFNIUM compiled ASP.NET DLLs dropped on compromised servers"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"
date = "2021-03-05"
score = 65
hash1 = "097f5f700c000a13b91855beb61a931d34fb0abb738a110368f525e25c5bc738"
hash2 = "15744e767cbaa9b37ff7bb5c036dda9b653fc54fc9a96fe73fbd639150b3daa3"
hash3 = "52ae4de2e3f0ef7fe27c699cb60d41129a3acd4a62be60accc85d88c296e1ddb"
hash4 = "5f0480035ee23a12302c88be10e54bf3adbcf271a4bb1106d4975a28234d3af8"
hash5 = "6243fd2826c528ee329599153355fd00153dee611ca33ec17effcf00205a6e4e"
hash6 = "ebf6799bb86f0da2b05e66a0fe5a9b42df6dac848f4b951b2ed7b7a4866f19ef"
id = "68b8252e-a07d-5507-b556-a4d473f98157"
strings:
$s1 = "Page_Load" ascii fullword
// $sc1 is UTF-16LE " : http://" followed by "f" or "g" (the (66|67)
// alternation) and "/", then a fixed trailing byte sequence. The `$s*`
// wildcard in the condition selects $sc1 as well as $s1.
$sc1 = { 20 00 3A 00 20 00 68 00 74 00 74 00 70 00 3A 00
2F 00 2F 00 (66|67) 00 2F 00 00 89 A3 0D 00 0A 00 }
$op1 = { 00 43 00 58 00 77 00 30 00 4a 00 45 00 00 51 7e 00 2f }
$op2 = { 58 00 77 00 30 00 4a 00 45 00 00 51 7e 00 2f 00 61 00 }
$op3 = { 01 0e 0e 05 20 01 01 11 79 04 07 01 12 2d 04 07 01 12 31 02 }
$op4 = { 5e 00 03 00 bc 22 00 00 00 00 01 00 85 03 2b 00 03 00 cc }
condition:
// Precedence: `and` binds tighter than `or`, so this reads as
//   (PE AND < 50KB AND all of $s*) OR all of $op*
// — the $op* branch is not restricted by the MZ header or size check.
uint16(0) == 0x5a4d and
filesize < 50KB and
all of ($s*) or all of ($op*)
}
rule WEBSHELL_HAFNIUM_CISA_10328929_01 : trojan webshell exploit CVE_2021_27065 {
// Purpose: CISA rule for the ASP.NET web shell from AR21-084a, written as hex
// strings with bounded jumps ([n-m]) so the request-parameter name can vary.
meta:
author = "CISA Code & Media Analysis"
date = "2021-03-17"
description = "Detects CVE-2021-27065 Webshellz"
hash = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"
reference = "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-084a"
id = "81916396-8aaa-5045-b31c-4bcce8d295a5"
strings:
// Decoded: eval(Request["  <1-32 bytes>  ],"unsafe")
$s0 = { 65 76 61 6C 28 52 65 71 75 65 73 74 5B 22 [1-32] 5D 2C 22 75 6E 73 61 66 65 22 29 }
// Decoded: eval(   — too generic alone; only used together with $s2.
$s1 = { 65 76 61 6C 28 }
// Decoded: (Request.Item[  <1-36 bytes>  ])),"unsafe")
$s2 = { 28 52 65 71 75 65 73 74 2E 49 74 65 6D 5B [1-36] 5D 29 29 2C 22 75 6E 73 61 66 65 22 29 }
// Decoded: IO.StreamWriter(Request.Form[  <1-24 bytes>  ]
$s3 = { 49 4F 2E 53 74 72 65 61 6D 57 72 69 74 65 72 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }
// Decoded: Write(Request.Form[  <1-24 bytes>  ]
$s4 = { 57 72 69 74 65 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }
condition:
// Three independent shell shapes: eval-of-Request, eval+Request.Item, and the
// StreamWriter file-write variant. No size or header guard.
$s0 or ($s1 and $s2) or ($s3 and $s4)
}
rule WEBSHELL_HAFNIUM_CISA_10328929_02 : trojan webshell exploit CVE_2021_27065 {
// Purpose: CISA rule for the modified OAB virtual-directory configuration
// that CVE-2021-27065 abuse leaves behind (the shell is written into the
// ExternalUrl property). Same sample hash as the companion _01 rule.
meta:
author = "CISA Code & Media Analysis"
date = "2021-03-17"
description = "Detects CVE-2021-27065 Exchange OAB VD MOD"
hash = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"
reference = "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-084a"
id = "34a89a6e-fa8a-5c64-a325-30202e20b30f"
strings:
// Decoded: OfflineAddressBooks
$s0 = { 4F 66 66 6C 69 6E 65 41 64 64 72 65 73 73 42 6F 6F 6B 73 }
// Decoded: ": http://" + exactly one arbitrary byte + "/" — a one-character host.
$s1 = { 3A 20 68 74 74 70 3A 2F 2F [1] 2F }
// Decoded: "ExternalUrl" followed by four spaces (column-aligned property dump).
$s2 = { 45 78 74 65 72 6E 61 6C 55 72 6C 20 20 20 20 }
condition:
$s0 and $s1 and $s2
}
rule APT_UNC5221_Ivanti_ForensicArtifacts_Jan24_1 {
// Purpose: forensic artefacts from the UNC5221 Ivanti Connect Secure campaign:
// a chmod on a dropped session-server script, a tampered SSH banner, and a
// sed edit that strips the installer's result check from /pkg/do-install.
// Any one string in a file under 5 MB is a hit.
meta:
description = "Detects forensic artifacts found in the Ivanti VPN exploitation campaign by APT UNC5221"
author = "Florian Roth"
reference = "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day"
date = "2024-01-11"
score = 75
id = "49ba2a96-379d-5a58-979d-45e83fa546e7"
strings:
// No modifiers: case-sensitive ASCII.
$x1 = "system(\"chmod a+x /home/etc/sql/dsserver/sessionserver.sh\");"
$x2 = "SSH-2.0-OpenSSH_0.3xx."
$x3 = "sed -i '/retval=$(exec $installer $@)/d' /pkg/do-install"
condition:
filesize < 5MB and 1 of them
}
rule MAL_G_APT_Backdoor_BRICKSTORM_3 {
// Purpose: BRICKSTORM (Linux ELF backdoor) detection combining one x86-64 code
// pattern with several library/constant strings. All five are required.
meta:
description = "Detects BRICKSTORM backdoor used by APT group UNC5221 (China Nexus)"
author = "Google Threat Intelligence Group (GTIG) (modified by Florian Roth)"
date = "2025-09-25"
score = 75
reference = "https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign"
md5 = "931eacd7e5250d29903924c31f41b7e5"
strings:
// `??` = any byte, [0-5] = 0..5 arbitrary bytes. Identifiers skip $str2/$str3.
$str1 = { 48 8B 05 ?? ?? ?? ?? 48 89 04 24 E8 ?? ?? ?? ?? 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? 48 89 04 24 [0-5] E8 ?? ?? ?? ?? EB ?? }
// The "// wide nocase" on each line is a commented-out modifier: as written
// these strings match ascii, case-sensitive only.
$str4 = "decompress" ascii // wide nocase
$str5 = "MIMEHeader" ascii // wide nocase
$str6 = "ResolveReference" ascii // wide nocase
// $str7 appears to be two 78-digit decimal numbers concatenated, consistent
// with NIST P-256 curve constants (order n, then prime p) as they would sit in
// a statically linked crypto library — presumably why it is a stable marker.
// Verify against the sample before relying on that interpretation.
$str7 = "115792089210356248762697446949407573529996955224135760342422259061068512044369115792089210356248762697446949407573530086143415290314195533631308867097853951" ascii // wide nocase
condition:
// uint16(0) == 0x457F: bytes 7F 45, the start of the ELF magic (7F 45 4C 46).
uint16(0) == 0x457F and all of them
}
rule MAL_G_Backdoor_BRICKSTORM_2 {
// Purpose: BRICKSTORM ELF backdoor. Combines XOR-style decode loops ($decr*)
// with symbol names and vSphere-appliance paths ($str*). Note this name differs
// from MAL_G_APT_Backdoor_BRICKSTORM_2 further down — they are distinct rules.
meta:
description = "Detects BRICKSTORM backdoor used by APT group UNC5221 (China Nexus)"
author = "Google Threat Intelligence Group (GTIG) (modified by Florian Roth)"
date = "2025-09-25"
score = 75
reference = "https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign"
strings:
// Disabled upstream; kept for reference (regex over obfuscated Go file paths).
// $obf_func = /[a-z]{20}\/[a-z]{20}\/[a-z]{20}\/[a-z]{20}.go/
// `??` = any byte, [0-4] = 0..4 arbitrary bytes.
$decr1 = { 0F B6 4C 04 ?? 0F B6 54 04 ?? 31 D1 88 4C 04 ?? 48 FF C0 [0-4] 48 83 F8 ?? 7C }
$decr2 = { 40 88 7C 34 34 48 FF C3 48 FF C6 48 39 D6 7D 18 0F B6 3B 48 39 CE 73 63 44 0F B6 04 30 44 31 C7 48 83 FE 04 72 DA }
$decr3 = { 0F B6 54 0C ?? 0F B6 5C 0C ?? 31 DA 88 14 08 48 FF C1 48 83 F9 ?? 7C E8 }
// Plain strings (no modifiers): case-sensitive ASCII. "main.*" names look like
// Go symbols; the /opt/vmware and /home/vsphere-ui paths tie the sample to a
// vCenter/VAMI appliance environment.
$str1 = "main.selfWatcher"
$str2 = "main.copyFile"
$str3 = "main.startNew"
$str4 = "WRITE_LOG=true"
$str5 = "WRITE_LOGWednesday"
$str6 = "vami-httpdvideo/webm"
$str7 = "/opt/vmware/sbin/"
$str8 = "/home/vsphere-ui/"
$str9 = "/opt/vmware/sbin/vami-http"
$str10 = "main.getVFromEnv"
condition:
// uint32(0) == 0x464c457f: bytes 7F 45 4C 46, the ELF magic.
uint32(0) == 0x464c457f
and filesize < 10MB
// Precedence inside the parentheses: `and` binds tighter than `or`, so this is
//   (1 of $decr* AND 1 of $str*) OR 5 of $str*
and (
1 of ($decr*)
and 1 of ($str*)
or 5 of ($str*)
)
}
rule MAL_G_APT_Backdoor_BRICKSTORM_1 {
// Purpose: BRICKSTORM ELF backdoor, string-only variant. The anonymous strings
// are package/function paths (DNS-over-HTTPS client, command execution, remote
// file-system driver) plus two configuration markers and an appliance path.
// Any five of the fourteen in an ELF file is a hit.
meta:
description = "Detects BRICKSTORM backdoor used by APT group UNC5221 (China Nexus)"
author = "Google Threat Intelligence Group (GTIG) (modified by Florian Roth)"
date = "2025-09-25"
score = 75
reference = "https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign"
md5 = "4645f2f6800bc654d5fa812237896b00"
strings:
// No modifiers: case-sensitive ASCII.
$ = "WRITE_LOGWednesday"
$ = "/home/vsphere-ui/"
$ = "WRITE_LOG=true"
$ = "dns rcode: %v"
$ = "/libs/doh.createDnsMessage"
$ = "/libs/func1.(*Client).BackgroundRun"
$ = "/libs/func1.CreateClient"
$ = "/core/extends/command.CommandNoContext"
$ = "/core/extends/command.ExecuteCmd"
$ = "/core/extends/command.RunShell"
$ = "/libs/fs.(*RemoteDriver).DeleteFile"
$ = "/libs/fs.(*RemoteDriver).GetFile"
$ = "/libs/fs.(*RemoteDriver).PutFile"
$ = "/libs/doh/doh.go"
condition:
// uint32(0) == 0x464c457f: bytes 7F 45 4C 46, the ELF magic.
uint32(0) == 0x464c457f and 5 of them
}
rule MAL_G_APT_Backdoor_BRICKSTORM_2 {
// Purpose: BRICKSTORM ELF backdoor, code-pattern-only variant. Two long x86-64
// sequences; either one is enough. Note the similarly named
// MAL_G_Backdoor_BRICKSTORM_2 above is a separate, string-based rule.
meta:
description = "Detects BRICKSTORM backdoor used by APT group UNC5221 (China Nexus)"
author = "Google Threat Intelligence Group (GTIG) (modified by Florian Roth)"
date = "2025-09-25"
score = 75
reference = "https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign"
strings:
// Nibble wildcards: `4?` matches any byte 0x40-0x4F (REX prefix range),
// `?4` any byte whose low nibble is 4; `??` matches any byte.
$str1 = { 0F 57 C0 0F 11 84 ?? ?? ?? ?? ?? C6 44 ?? ?? 00 4? C7 84 ?? ?? ?? ?? ?? 00 00 00 00 0F 57 C0 0F 11 84 ?? ?? ?? ?? ?? 0F 11 84 ?? ?? ?? ?? ?? 4? 8B 84 ?? ?? ?? ?? ?? 4? 89 04 ?? 4? 8B 8C ?? ?? ?? ?? ?? 4? 89 4C ?? ?? E8 ?? ?? ?? ?? 4? 83 7C ?? ?? 00 0F 84 ?? ?? ?? ?? 4? 8D 05 ?? ?? ?? ?? 4? 89 ?? ?? E8 ?? ?? ?? ?? 4? 8B 7C ?? ?? 4? 8B 84 ?? ?? ?? ?? ?? 4? 89 47 08 83 3D ?? ?? ?? ?? 00 75 ?? 4? 8B 84 ?? ?? ?? ?? ?? 4? 89 07 4? 89 BC ?? ?? ?? ?? ?? 4? C7 84 ?? ?? ?? ?? ?? 01 00 00 00 4? C7 84 ?? ?? ?? ?? ?? 01 00 00 00 0F 57 C0 0F 11 84 ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? ?? 4? 81 C4 ?? ?? ?? ?? C3 }
$str2 = { 4? C7 84 ?? ?? ?? ?? ?? 00 00 00 00 4? C7 84 ?? ?? ?? ?? ?? 00 00 00 00 4? C7 84 ?? ?? ?? ?? ?? 00 00 00 00 4? C7 84 ?? ?? ?? ?? ?? 00 00 00 00 4? C7 84 ?? ?? ?? ?? ?? 00 00 00 00 4? 8B 84 ?? ?? ?? ?? ?? 4? 89 04 ?? 4? 8B 8C ?? ?? ?? ?? ?? 4? 89 4C ?? ?? E8 ?? ?? ?? ?? 4? 8B 44 ?? ?? 4? 85 C0 0F 84 ?? ?? ?? ?? 4? 8D 05 ?? ?? ?? ?? 4? 89 ?? ?? E8 ?? ?? ?? ?? 4? 8B 44 ?? ?? 4? 8B 8C ?? ?? ?? ?? ?? 4? 89 48 08 8B 0D ?? ?? ?? ?? 85 C9 75 ?? 4? 8B 8C ?? ?? ?? ?? ?? 4? 89 08 84 00 4? 89 84 ?? ?? ?? ?? ?? 4? C7 84 ?? ?? ?? ?? ?? 01 00 00 00 4? C7 84 ?? ?? ?? ?? ?? 01 00 00 00 4? C7 84 ?? ?? ?? ?? ?? 00 00 00 00 4? C7 84 ?? ?? ?? ?? ?? 00 00 00 00 90 E8 ?? ?? ?? ?? 4? 8B ?? ?4 D8 00 00 00 4? 81 C4 E0 00 00 00 C3 }
condition:
// uint32be(0) == 0x7F454C46: big-endian read of the ELF magic 7F 45 4C 46
// (equivalent to the little-endian uint32(0) == 0x464c457f used by sibling rules).
uint32be(0) == 0x7F454C46 and any of them
}
rule WEBSHELL_G_APT_BackdoorWebshell_SLAYSTYLE_2 {
// Purpose: small Java/JSP web shell that passes a request parameter to
// Runtime.exec via /bin/sh with stderr redirected. All five strings are
// required in a text-like file.
meta:
description = "Detects webshell used by APT group UNC5221 (China Nexus)"
author = "Google Threat Intelligence Group (GTIG) (modified by Florian Roth)"
date = "2025-09-25"
score = 75
reference = "https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign"
strings:
// No modifiers: case-sensitive ASCII.
$str1 = "request.getParameter"
$str2 = "/bin/sh"
$str3 = "java.io.InputStream"
$str4 = "Runtime.getRuntime().exec("
$str5 = "2>&1"
condition:
// Excludes PE (MZ) and ELF (7F 45 4C 46) binaries by header. `@str4 > @str2`
// compares first-match offsets: the exec( call must appear after the first
// "/bin/sh" occurrence.
(uint16(0) != 0x5A4D and uint32(0) != 0x464C457F) and filesize < 7KB and all of them and @str4 > @str2
}
rule MAL_G_Backdoor_BRICKSTEAL_1 {
// Purpose: BRICKSTEAL (vCenter credential-theft servlet filter, per the GTIG
// reference) detected by its package-name fragments, a hard-coded marker
// string and the "ads.png" resource name. All strings required, file < 10KB.
meta:
description = "Detects backdoor BRICKSTEAL used by APT group UNC5221 (China Nexus)"
author = "Google Threat Intelligence Group (GTIG) (modified by Florian Roth)"
date = "2025-09-25"
score = 75
reference = "https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign"
strings:
// No modifiers: case-sensitive ASCII.
$str1 = "comvmware"
$str2 = "abcdABCD1234!@#$"
$str3 = "ads.png"
// "User-Agent" alone is ubiquitous; it only contributes in combination.
$str4 = "User-Agent"
$str5 = "com/vmware/"
condition:
all of them and filesize < 10KB
}
rule MAL_G_Dropper_BRICKSTEAL_1 {
// Purpose: BRICKSTEAL dropper — Java source/JSP that base64-decodes a class,
// defines it reflectively through the context class loader and registers it as
// a filter on the vCenter SSO SAML endpoint. All seven strings required; no
// size or header guard.
meta:
description = "Detects backdoor BRICKSTEAL dropper used by APT group UNC5221 (China Nexus)"
author = "Google Threat Intelligence Group (GTIG) (modified by Florian Roth)"
date = "2025-09-25"
score = 75
reference = "https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign"
strings:
// No modifiers: case-sensitive ASCII. $str1-$str5 are generic reflection
// idioms; $str6/$str7 are the discriminating ones.
$str1 = "Base64.getDecoder().decode"
$str2 = "Thread.currentThread().getContextClassLoader()"
$str3 = ".class.getDeclaredMethod"
$str4 = "byte[].class"
$str5 = "method.invoke"
$str6 = "filterClass.newInstance()"
$str7 = "/websso/SAML2/SSO/*"
condition:
all of them
}
rule MAL_G_Dropper_BRICKSTEAL_2 {
// Purpose: second BRICKSTEAL dropper variant — reflective class definition
// from an embedded base64 blob ("yv66vg" is the base64 prefix of the Java
// class magic CA FE BA BE) and Tomcat FilterDef/FilterMap registration.
// All six active strings required; no size or header guard.
meta:
description = "Detects backdoor BRICKSTEAL dropper used by APT group UNC5221 (China Nexus)"
author = "Google Threat Intelligence Group (GTIG) (modified by Florian Roth)"
date = "2025-09-25"
score = 75
reference = "https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign"
strings:
// Original regex disabled upstream; $str1_alt is its literal replacement.
// $str1 = /\(Class<\?>\)\smethod\.invoke\(\w{1,20},\s\w{1,20},\s0,\s\w{1,20}\.length\);/i ascii wide
$str1_alt = "(Class<?>) method.invoke(" ascii wide
$str2 = "(\"yv66vg" ascii wide
$str3 = "request.getSession().getServletContext" ascii wide
$str4 = ".getClass().getDeclaredField(" ascii wide
$str5 = "new FilterDef();" ascii wide
$str6 = "new FilterMap();" ascii wide
condition:
all of them
}