YARA rules for Tick
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.
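rule hacktool_windows_mimikatz_copywrite
{
    // Author/copyright strings that Mimikatz embeds in its binaries. Gated on the
    // MZ magic and a size cap so a hit must be inside a small PE image.
    meta:
        description = "Mimikatz credential dump tool: Author copywrite"
        reference = "https://github.com/gentilkiwi/mimikatz"
        author = "@fusionrace"
        // The sample digests are 64 hex digits, i.e. SHA-256, but the upstream rule
        // labelled them md5_N. The keys are corrected so anyone pivoting on these
        // values uses the right algorithm; the values themselves are unchanged.
        SHA256_1 = "0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8"
        SHA256_2 = "0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b"
        SHA256_3 = "0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143"
        SHA256_4 = "004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c"
        SHA256_5 = "09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca"
        SHA256_6 = "09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669"
    strings:
        $s1 = "Kiwi en C" fullword ascii wide
        $s2 = "Benjamin DELPY `gentilkiwi`" fullword ascii wide
        $s3 = "http://blog.gentilkiwi.com/mimikatz" fullword ascii wide
        $s4 = "Build with love for POC only" fullword ascii wide
        $s5 = "gentilkiwi (Benjamin DELPY)" fullword wide
        $s6 = "KiwiSSP" fullword wide
        $s7 = "Kiwi Security Support Provider" fullword wide
        $s8 = "kiwi flavor !" fullword wide
    condition:
        // uint16(0) == 0x5a4d reads the little-endian "MZ" DOS header magic. The
        // MZ/filesize gate was added by Florian Roth to avoid false positives;
        // a single author string is enough once the file is a small PE.
        uint16(0) == 0x5a4d and filesize < 800KB and
        any of them
}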
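rule hacktool_windows_mimikatz_errors
{
    // Error-message strings from Mimikatz. There is no MZ or filesize gate here;
    // all four strings must be present, which by itself keeps the rule narrow.
    meta:
        description = "Mimikatz credential dump tool: Error messages"
        reference = "https://github.com/gentilkiwi/mimikatz"
        author = "@fusionrace"
        // 64-hex-digit digests are SHA-256, not MD5 as the upstream keys claimed;
        // keys corrected, values unchanged.
        SHA256_1 = "09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669"
        SHA256_2 = "004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c"
    strings:
        $s1 = "[ERROR] [LSA] Symbols" fullword ascii wide
        $s2 = "[ERROR] [CRYPTO] Acquire keys" fullword ascii wide
        $s3 = "[ERROR] [CRYPTO] Symbols" fullword ascii wide
        $s4 = "[ERROR] [CRYPTO] Init" fullword ascii wide
    condition:
        all of them
}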
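rule hacktool_windows_mimikatz_files
{
    // File names referenced by Mimikatz components (log files and the mimilib
    // DLL). Gated on the MZ magic and a size cap; any one name is enough.
    meta:
        description = "Mimikatz credential dump tool: Files"
        reference = "https://github.com/gentilkiwi/mimikatz"
        author = "@fusionrace"
        // 64-hex-digit digests are SHA-256, not MD5 as the upstream keys claimed;
        // keys corrected, values unchanged.
        SHA256_1 = "09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669"
        SHA256_2 = "004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c"
    strings:
        $s1 = "kiwifilter.log" fullword wide
        $s2 = "kiwissp.log" fullword wide
        $s3 = "mimilib.dll" fullword ascii wide
    condition:
        // MZ/filesize gate added by Florian Roth to avoid false positives.
        uint16(0) == 0x5a4d and filesize < 800KB and
        any of them
}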
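rule hacktool_windows_mimikatz_modules
{
    // Mimikatz component names (mimilib, mimidrv, mimilove). Because these are
    // short words, the rule carries explicit false-positive exclusions ($fp*) on
    // top of the MZ/filesize gate.
    meta:
        description = "Mimikatz credential dump tool: Modules"
        reference = "https://github.com/gentilkiwi/mimikatz"
        author = "@fusionrace"
        modified = "2023-07-26"
        // 64-hex-digit digests are SHA-256, not MD5 as the upstream keys claimed;
        // keys corrected, values unchanged.
        SHA256_1 = "0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8"
        SHA256_2 = "0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b"
        SHA256_3 = "09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669"
        SHA256_4 = "004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c"
        SHA256_5 = "0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143"
    strings:
        $s1 = "mimilib" fullword ascii wide
        $s2 = "mimidrv" fullword ascii wide
        $s3 = "mimilove" fullword ascii wide
        // Strings seen in benign files that also carry one of the $s* words
        // (presumably a Windows System Guard component and a Kaspersky driver);
        // a file containing either is excluded.
        $fp1 = "SgrmEnclave" wide
        $fp2 = "Kaspersky Lab Anti-Rootkit Monitor Driver" wide
    condition:
        // MZ/filesize gate added by Florian Roth to avoid false positives.
        uint16(0) == 0x5a4d and filesize < 800KB and
        1 of ($s*) and
        not 1 of ($fp*)
}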
rule hacktool_windows_mimikatz_sekurlsa
{
    // Symbol references in module!symbol form carried by the Mimikatz sekurlsa
    // component. All six must be present; there is no MZ or filesize gate.
    meta:
        description = "Mimikatz credential dump tool"
        reference = "https://github.com/gentilkiwi/mimikatz"
        author = "@fusionrace"
        SHA256_1 = "09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669"
        SHA256_2 = "004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c"
    strings:
        $dpapi_masterkeys   = "dpapisrv!g_MasterKeyCacheList" fullword ascii wide
        $lsasrv_masterkeys  = "lsasrv!g_MasterKeyCacheList" fullword ascii wide
        // Deliberately not fullword: the module prefix before "!" varies.
        $ssp_credentials    = "!SspCredentialList" ascii wide
        $livessp_sessions   = "livessp!LiveGlobalLogonSessionList" fullword ascii wide
        $wdigest_sessions   = "wdigest!l_LogSessList" fullword ascii wide
        $tspkg_credentials  = "tspkg!TSGlobalCredTable" fullword ascii wide
    condition:
        $dpapi_masterkeys and $lsasrv_masterkeys and $ssp_credentials and
        $livessp_sessions and $wdigest_sessions and $tspkg_credentials
}
rule Empire_Invoke_Mimikatz {
    // Empire's Invoke-Mimikatz.ps1: an embedded base64 PE blob plus the reflective
    // loading helpers the script uses. Two of the three strings are required.
    meta:
        description = "Empire - a pure PowerShell post-exploitation agent - file Invoke-Mimikatz.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/PowerShellEmpire/Empire"
        date = "2015-08-06"
        score = 70
        hash = "c5481864b757837ecbc75997fa24978ffde3672b8a144a55478ba9a864a19466"
        id = "f7d6c1c4-2a24-54fd-b745-32d7894affc8"
    strings:
        // "TVqQAAMAAAAEAAAA..." is the base64 form of an MZ/DOS header.
        $pe_bytes_b64   = "$PEBytes64 = \"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwc" ascii
        $marshal_struct = "[System.Runtime.InteropServices.Marshal]::StructureToPtr($CmdLineAArgsPtr, $GetCommandLineAAddrTemp, $false)" fullword ascii
        $write_bytes    = "Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $GetCommandLineWAddrTemp" fullword ascii
    condition:
        filesize < 2500KB and 2 of ($*)
}
rule Empire_lib_modules_credentials_mimikatz_pth {
    // Empire's pth.py module source: two distinctive Python lines, both
    // required, in a file under 12KB.
    meta:
        description = "Empire - a pure PowerShell post-exploitation agent - file pth.py"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/PowerShellEmpire/Empire"
        date = "2015-08-06"
        score = 70
        hash = "6dee1cf931e02c5f3dc6889e879cc193325b39e18409dcdaf987b8bf7c459211"
        id = "f954b7e8-e820-5111-ba8d-a9b9779381b0"
    strings:
        $cred_unpack = "(credID, credType, domainName, userName, password, host, sid, notes) = self.mainMenu.credentials.get_credentials(credID)[0]" fullword ascii
        $pth_command = "command = \"sekurlsa::pth /user:\"+self.options[\"user\"]['Value']" fullword ascii
    condition:
        filesize < 12KB and $cred_unpack and $pth_command
}
rule OPCLEAVER_mimikatzWrapper
{
    // Two identifiers from the Operation Cleaver Mimikatz wrapper. Both strings
    // use YARA defaults (ascii, not fullword) and there is no file-type or size
    // gate, so the rule relies entirely on both names co-occurring.
    meta:
        description = "Mimikatz Wrapper used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = 70
        id = "e9427e29-e581-5a5b-8f1d-4b9bfeec0946"
    strings:
        $wrapper_name = "mimikatzWrapper"
        $getter_name  = "get_mimikatz"
    condition:
        $wrapper_name and $getter_name
}
rule OPCLEAVER_zhmimikatz
{
    // Two identifiers from a second Operation Cleaver Mimikatz wrapper. Same
    // shape as OPCLEAVER_mimikatzWrapper: default ascii strings, no gate,
    // both required.
    meta:
        description = "Mimikatz wrapper used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = 70
        id = "fba8ab6e-3b61-53a1-b4df-178442e3cf24"
    strings:
        $runner_name  = "MimikatzRunner"
        $wrapper_name = "zhmimikatz"
    condition:
        $runner_name and $wrapper_name
}
rule Powerkatz_DLL_Generic {
    // Powerkatz (in-memory Mimikatz build). Wide format/log strings from the
    // kerberos and lsadump code paths. A small PE needs only one string; any
    // other file needs two.
    meta:
        description = "Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible)"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "PowerKatz Analysis"
        date = "2016-02-05"
        super_rule = 1
        score = 80
        hash1 = "c20f30326fcebad25446cf2e267c341ac34664efad5c50ff07f0738ae2390eae"
        hash2 = "1e67476281c1ec1cf40e17d7fc28a3ab3250b474ef41cb10a72130990f0be6a0"
        hash3 = "49e7bac7e0db87bf3f0185e9cf51f2539dbc11384fefced465230c4e5bce0872"
        id = "7464f8a1-9f45-580b-8a97-a57071092e3c"
    strings:
        $kirbi_dir      = "%3u - Directory '%s' (*.kirbi)" fullword wide
        $pubkey_fmt     = "%*s pPublicKey : " fullword wide
        $anssi_tag      = "<3 eo.oe ~ ANSSI E>" fullword wide
        // Not fullword: appears as a path suffix.
        $kirbi_glob     = "\\*.kirbi" wide
        $lsadump_sam    = "kuhl_m_lsadump_getUsersAndSamKey ; kull_m_registry_RegOpenKeyEx SAM Accounts (0x%08x)" fullword wide
        $lsadump_syskey = "kuhl_m_lsadump_getComputerAndSyskey ; kuhl_m_lsadump_getSyskey KO" fullword wide
    condition:
        (uint16(0) == 0x5A4D and filesize < 1000KB and any of them)
        or 2 of them
}
rule mimikatz_lsass_mdmp {
    // Large minidump files that reference lsass.exe. uint32(0) == 0x504d444d is
    // the little-endian read of the "MDMP" minidump magic.
    //
    // NOTE: `filename` is not a YARA built-in; it is an external variable that
    // the scanner must define (yara -d filename=..., or a wrapper that sets it).
    // Without it this rule fails to compile with an undefined identifier.
    meta:
        description = "LSASS minidump file for mimikatz"
        author = "Benjamin DELPY (gentilkiwi)"
        id = "3d850dbe-1342-55ac-b0f7-91343d88f147"
    strings:
        $lsass_path = "System32\\lsass.exe" wide nocase
    condition:
        uint32(0) == 0x504d444d
        and $lsass_path
        and filesize > 50000KB
        // Skip dumps whose supplied filename contains "WER" (presumably
        // Windows Error Reporting crash dumps).
        and not filename matches /WER/
}
rule MSBuild_Mimikatz_Execution_via_XML {
    // MSBuild project file with an inline task that decodes a base64 PE and
    // loads it via reflection. All seven fragments are required; none are
    // fullword, so they match inside longer XML/C# text. No size gate.
    meta:
        description = "Detects an XML that executes Mimikatz on an endpoint via MSBuild"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://gist.github.com/subTee/c98f7d005683e616560bda3286b6a0d8#file-katz-xml"
        date = "2016-10-07"
        id = "98aa68b9-6de4-5353-8d87-9e974529c044"
    strings:
        $project_tag   = "<Project ToolsVersion=" ascii
        $launcher_tag  = "</SharpLauncher>" fullword ascii
        // "TVqQAAMAAAA" is a base64-encoded MZ/DOS header.
        $b64_mz        = "\"TVqQAAMAAAA" ascii
        $from_base64   = "System.Convert.FromBase64String(" ascii
        $invoke        = ".Invoke(" ascii
        $assembly_load = "Assembly.Load(" ascii
        $create_inst   = ".CreateInstance(" ascii
    condition:
        all of ($*)
}
rule Mimikatz_Gen_Strings {
    // Generic Mimikatz: distinctive wide console/log strings. One string in a
    // PE under 12000KB is enough.
    meta:
        description = "Detects Mimikatz by using some special strings"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Internal Research"
        date = "2017-06-19"
        super_rule = 1
        hash1 = "058cc8b3e4e4055f3be460332a62eb4cbef41e3a7832aceb8119fd99fea771c4"
        hash2 = "eefd4c038afa0e80cf6521c69644e286df08c0883f94245902383f50feac0f85"
        hash3 = "f35b589c1cc1c98c4c4a5123fd217bdf0d987c00d2561992cbfb94bd75920159"
        id = "3f4ab5d7-5a9f-55f0-9dda-e2975df582a0"
    strings:
        $svc_started     = "[*] '%s' service already started" fullword wide
        $sec_callback    = "** Security Callback! **" fullword wide
        $ca_export       = "Try to export a software CA to a crypto (virtual)hardware" fullword wide
        $enterpriseadmin = "enterpriseadmin" fullword wide
        $debug_priv      = "Ask debug privilege" fullword wide
        $injected        = "Injected =)" fullword wide
        $sam_account     = "** SAM ACCOUNT **" fullword wide
    condition:
        uint16(0) == 0x5A4D and filesize < 12000KB and any of them
}
rule Impacket_Tools_mimikatz {
    // Compiled (PE) build of the Impacket mimikatz example. All three markers
    // are required inside a PE under 17000KB.
    meta:
        description = "Compiled Impacket Tools"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/maaaaz/impacket-examples-windows"
        date = "2017-04-07"
        hash1 = "2d8d500bcb3ffd22ddd8bd68b5b2ce935c958304f03729442a20a28b2c0328c1"
        id = "0b1f5ad0-7070-58d5-946f-157dcb9627ab"
    strings:
        $impacket  = "impacket" fullword ascii
        $smimikatz = "smimikatz" fullword ascii
        $otwsdlc   = "otwsdlc" fullword ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 17000KB
        and $impacket and $smimikatz and $otwsdlc
}
rule HvS_APT37_mimikatz_loader_DF012 {
    // Loader for an encrypted Mimikatz variant attributed to APT37. The match is
    // anchored on a PE import hash plus two strings, in a PE under 200KB.
    //
    // NOTE: pe.imphash() needs `import "pe"` at file scope before this rule; that
    // import is not visible on this page and must be present in the ruleset.
    // imphash() is only available when YARA was built with OpenSSL support.
    meta:
        description = "Loader for encrypted Mimikatz variant used by APT37"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Marc Stroebel"
        date = "2020-12-15"
        reference = "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf"
        hash = "42e4a9aeff3744bbbc0e82fd5b93eb9b078460d8f40e0b61b27b699882f521be"
    strings:
        // RTTI type descriptor name of a CEncryption class.
        $rtti_encryption = ".?AVCEncryption@@" fullword ascii
        // Short marker, default modifiers (ascii, not fullword).
        $marker          = "afrfa"
    condition:
        uint16(0) == 0x5A4D and filesize < 200KB
        and pe.imphash() == "fa0b87c7e07d21001355caf7b5027219"
        and $rtti_encryption and $marker
}
rule mimikatz_kirbi_ticket
{
    // DER-encoded Kerberos KRB-CRED (.kirbi) files, matched at offset 0.
    // 0x76 is the [APPLICATION 22] constructed tag; 0x30 opens the SEQUENCE;
    // a0 .. 02 01 05 is pvno = 5 and a1 .. 02 01 16 is msg-type = 22.
    meta:
        description = "KiRBi ticket for mimikatz"
        author = "Benjamin DELPY (gentilkiwi); Didier Stevens"
        id = "a37249e0-ab3b-50c2-9473-1e69185713cc"
    strings:
        // Long-form lengths with 2 length octets (0x82).
        $krbcred_len2 = { 76 82 ?? ?? 30 82 ?? ?? a0 03 02 01 05 a1 03 02 01 16 }
        // Variant with 4 length octets (0x84) on every length field.
        $krbcred_len4 = { 76 84 ?? ?? ?? ?? 30 84 ?? ?? ?? ?? a0 84 00 00 00 03 02 01 05 a1 84 00 00 00 03 02 01 16 }
    condition:
        $krbcred_len2 at 0 or $krbcred_len4 at 0
}
rule StegoKatz {
    // Mimikatz hidden as an encoded blob inside another file type. Each string is
    // a long fragment of the encoded payload; one fragment in a file under
    // 1000KB is enough.
    meta:
        description = "Encoded Mimikatz in other file types"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/jWPBBY"
        date = "2015-09-11"
        score = 70
        id = "78868bb0-af69-573d-afd2-350a46f69137"
    strings:
        $encoded_fragment_a = "VC92Ny9TSXZMNk5jLy8vOUlqUTFVRlFNQTZMLysvdjlJaTh2L0ZUNXJBUUJJaTFRa1NFaUx6K2hWSS8vL1NJME44bklCQU9pZC92Ny9USTJjSkpBQUFBQXp3RW1MV3hCSmkyc1lTWXR6S0VtTDQxL0R6TXhNaTl4SmlWc0lUWWxMSUUySlF4aFZWbGRCVkVGVlFWWkJWMGlCN1BBQUFBQklnMlFrYUFDNE1BQUFBRW1MNkVTTmNPQ0pSQ1JnaVVRa1pFbU5RN0JKaTlsTWpRWFBGQU1BU0ls" ascii
        $encoded_fragment_b = "Rpd3ovN3FlalVtNklLQ0xNNGtOV1BiY0VOVHROT0Zud25CWGN0WS9BcEdMR28rK01OWm85Nm9xMlNnY1U5aTgrSTBvNkFob1FOTzRHQWdtUElEVmlqald0Tk90b2FmN01ESWJUQkF5T0pYbTB4bFVHRTBZWEFWOXVoNHBkQnRrS0VFWWVBSEE2TDFzU0c5a2ZFTEc3QWd4WTBYY1l3ZzB6QUFXS09JZE9wQVhEK3lnS3lsR3B5Q1ljR1NJdFNseGZKWUlVVkNFdEZPVjRJUldERUl1QXpKZ2pCQWdsd0Va" ascii
    condition:
        filesize < 1000KB and ($encoded_fragment_a or $encoded_fragment_b)
}
rule Obfuscated_VBS_April17 {
    // VBScript obfuscation wrapper seen around Mimikatz: a double-unescape fed
    // to ExecuteGlobal, preceded by a run of colons. Single string, size gate.
    meta:
        description = "Detects cloaked Mimikatz in VBS obfuscation"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Internal Research"
        date = "2017-04-21"
        id = "ca60b885-bb56-55ee-a2b3-dea6958883c2"
    strings:
        $exec_global = "::::::ExecuteGlobal unescape(unescape(" ascii
    condition:
        filesize < 500KB and $exec_global
}
rule Obfuscated_JS_April17 {
    // JScript obfuscation wrapper seen around Mimikatz: a Main() loop that
    // rebuilds code from char codes and hands it to new Function(). All three
    // fragments required, file under 500KB.
    meta:
        description = "Detects cloaked Mimikatz in JS obfuscation"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Internal Research"
        date = "2017-04-21"
        id = "44abd2c0-5f8d-5a8c-b282-a09853e12054"
    strings:
        $main_loop    = "\";function Main(){for(var " ascii
        $from_charcode = "=String.fromCharCode(parseInt(" ascii
        $new_function = "));(new Function(" ascii
    condition:
        filesize < 500KB and $main_loop and $from_charcode and $new_function
}
rule Invoke_Mimikatz {
    // Invoke-Mimikatz.ps1 markers: the base64 PE blob prefix or the
    // Write-BytesToMemory call. Either string fires; no file-type or size gate.
    meta:
        description = "Detects Invoke-Mimikatz String"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz"
        date = "2016-08-03"
        hash1 = "f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67"
        id = "37de51a6-e1bb-5ee7-9b7f-8fe17b3697b5"
    strings:
        // base64 of an MZ/DOS header ("TVqQ..." decodes to 4D 5A 90 00).
        $pe_b64      = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm" ascii
        $write_bytes = "Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp" fullword ascii
    condition:
        $pe_b64 or $write_bytes
}
rule BadRabbit_Mimikatz_Comp {
    // Mimikatz-derived component bundled with BadRabbit. Three of four markers
    // inside a PE under 200KB.
    meta:
        description = "Auto-generated rule"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://pastebin.com/Y7pJv3tK"
        date = "2017-10-25"
        hash1 = "2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035"
        id = "52affd3f-6bf9-55f6-92a5-69314a2e76e0"
    strings:
        $wide_fmt        = "%lS%lS%lS:%lS" fullword wide
        $lsasrv          = "lsasrv" fullword wide
        $credential_keys = "CredentialKeys" ascii
        // ASCII "Primary" followed by UTF-16LE "msv" (6D 00 73 00 76 00).
        $primary_msv     = { 50 72 69 6D 61 72 79 00 6D 00 73 00 76 00 }
    condition:
        uint16(0) == 0x5A4D and filesize < 200KB and 3 of ($*)
}
rule Chafer_Mimikatz_Custom {
    // Custom Mimikatz build identified by a developer-machine path left in the
    // binary. Single string inside a PE under 3000KB.
    meta:
        description = "Detects Custom Mimikatz Version"
        author = "Florian Roth (Nextron Systems) / Markus Neis"
        reference = "https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf"
        date = "2018-03-22"
        hash1 = "9709afeb76532566ee3029ecffc76df970a60813bcac863080cc952ad512b023"
        id = "80f751c3-d7ca-5ff6-a905-38650e1c4ec5"
    strings:
        $build_path = "C:\\Users\\win7p\\Documents\\mi-back\\" ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 3000KB and $build_path
}
rule Chafer_Packed_Mimikatz {
    // Packed Mimikatz carrying fake "Minisoft" version-info strings. Either the
    // full copyright line alone, or both of the shorter strings, inside a PE
    // under 300KB.
    meta:
        description = "Detects Oilrig Packed Mimikatz also detected as Chafer_WSC_x64 by FR"
        author = "Florian Roth (Nextron Systems) / Markus Neis"
        reference = "https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf"
        date = "2018-03-22"
        hash1 = "5f2c3b5a08bda50cca6385ba7d84875973843885efebaff6a482a38b3cb23a7c"
        id = "abd34c6a-7d99-5f52-be8e-a7d634d61255"
    strings:
        $desc_credentials = "Windows Security Credentials" fullword wide
        $desc_company     = "Minisoft" fullword wide
        $copyright_line   = "Copyright (c) 2014 - 2015 Minisoft" fullword wide
    condition:
        uint16(0) == 0x5A4D and filesize < 300KB
        and (($desc_credentials and $desc_company) or $copyright_line)
}
rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_AAF0 {
    // mimidrv.sys (the mimikatz driver) as catalogued by LOLDrivers, matched on
    // its PE VersionInfo resource. Each pattern is a UTF-16LE key followed, after
    // a [1-8] byte gap, by its UTF-16LE value. All eight pairs must be present,
    // so the rule is tied to the exact version/copyright text decoded below.
    meta:
        description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys"
        author = "Florian Roth"
        reference = "https://github.com/magicsword-io/LOLDrivers"
        hash = "aaf04d89fd15bc61265e545f8e1da80e20f59f90058ed343c62ee24358e3af9e"
        hash = "4b97d63ebdeda6941bb8cef5e94741c6cca75237ca830561f2262034805f0919"
        hash = "c42c1e5c3c04163bf61c3b86b04a5ec7d302af7e254990cef359ac80474299da"
        hash = "f03f0fb3a26bb83e8f8fa426744cf06f2e6e29f5220663b1d64265952b8de1a1"
        hash = "0f98492c92e35042b09032e3d9aedc357e4df94fc840217fa1091046f9248a06"
        hash = "d032001eab6cad4fbef19aab418650ded00152143bd14507e17d62748297c23f"
        hash = "2456a7921fa8ab7b9779e5665e6b42fccc019feb9e49a9a28a33ec0a4bb323c4"
        hash = "f9b01406864ab081aa77eef4ad15cb2dd2f830d1ef54f52622a59ff1aeb05ba5"
        hash = "19dfacea1b9f19c0379f89b2424ceb028f2ce59b0db991ba83ae460027584987"
        hash = "3ca5d47d076e99c312578ef6499e1fa7b9db88551cfc0f138da11105aca7c5e1"
        hash = "cf9451c9ccc5509b9912965f79c2b95eb89d805b2a186d7521d3a262cf5a7a37"
        hash = "a0931e16cf7b18d15579e36e0a69edad1717b07527b5407f2c105a2f554224b2"
        hash = "492113a223d6a3fc110059fe46a180d82bb8e002ef2cd76cbf0c1d1eb8243263"
        hash = "85b9d7344bf847349b5d58ebe4d44fd63679a36164505271593ef1076aa163b2"
        hash = "efa56907b9d0ec4430a5d581f490b6b9052b1e979da4dab6a110ab92e17d4576"
        hash = "12b0000698b79ea3c8178b9e87801cc34bad096a151a8779559519deafd4e3f0"
        hash = "4136f1eb11cc463a858393ea733d5f1c220a3187537626f7f5d63eccf7c5a03f"
        hash = "ee525b90053bb30908b5d7bf4c5e9b8b9d6b7b5c9091a26fa25d30d3ad8ef5d0"
        hash = "10ad50fcb360dcab8539ea322aaf2270565dc835b7535790937348523d723d6b"
        hash = "4d42678df3917c37f44a1506307f1677b9a689efcf350b1acce7e6f64b514905"
        hash = "d37996abc8efb29f1ccbb4335ce9ba9158bec86cc4775f0177112e87e4e3be5c"
        hash = "569fe70bedd0df8585689b0e88ad8bd0544fdf88b9dbfc2076f4bdbcf89c28aa"
        hash = "80e4c83cfa9d675a6746ab846fa5da76d79e87a9297e94e595a2d781e02673b3"
        hash = "1a5c08d40a5e73b9fe63ea5761eaec8f41d916ca3da2acbc4e6e799b06af5524"
        hash = "ee7b8eb150df2788bb9d5fe468327899d9f60d6731c379fd75143730a83b1c55"
        hash = "a1e6b431534258954db07039117b3159e889c6b9e757329bbd4126383c60c778"
        hash = "e99580e25f419b5ad90669e0c274cf63d30efa08065d064a863e655bdf77fb59"
        hash = "b0b80a11802b4a8ca69c818a03e76e7ef57c2e293de456439401e8e6073f8719"
        hash = "4c89c907b7525b39409af1ad11cc7d2400263601edafc41c935715ef5bd145de"
        hash = "083f821d90e607ed93221e71d4742673e74f573d0755a96ad17d1403f65a2254"
        hash = "e8ec06b1fa780f577ff0e8c713e0fd9688a48e0329c8188320f9eb62dfc0667f"
        hash = "ac5fb90e88d8870cd5569e661bea98cf6b001d83ab7c65a5196ea3743146939a"
        hash = "7b846b0a717665e4d9fb313f25d1f6a5b782e495387aea45cf87ad3c049ac0db"
        hash = "93aa3066ae831cdf81505e1bc5035227dc0e8f06ebbbb777832a17920c6a02fe"
        hash = "082a79311da64b6adc3655e79aa090a9262acaac3b917a363b9571f520a17f6a"
        hash = "bc49cb96f3136c3e552bf29f808883abb9e651040415484c1736261b52756908"
        hash = "95e5b5500e63c31c6561161a82f7f9373f99b5b1f54b018c4866df4f2a879167"
        hash = "d43520128871c83b904f3136542ea46644ac81a62d51ae9d3c3a3f32405aad96"
        hash = "94c71954ac0b1fd9fa2bd5c506a16302100ba75d9f84f39ee9b333546c714601"
        hash = "793b78e70b3ae3bb400c5a8bc4d2d89183f1d7fc70954aed43df7287248b6875"
        date = "2024-08-07"
        score = 70
        id = "57e5655e-1313-585f-931c-d892e8952d0e"
    strings:
        // FileDescription = "mimidrv for Windows (mimikatz)"
        $file_description  = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 }
        // CompanyName = "gentilkiwi (Benjamin DELPY)"
        $company_name      = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 }
        // FileVersion = "2.2.0.0"
        $file_version      = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 }
        // ProductVersion = "2.2.0.0"
        $product_version   = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 }
        // InternalName = "mimidrv"
        $internal_name     = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 }
        // ProductName = "mimidrv (mimikatz)"
        $product_name      = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 }
        // OriginalFilename = "mimidrv.sys"
        $original_filename = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 }
        // LegalCopyright = "Copyright (c) 2007 - 2020 gentilkiwi (Benjamin DELPY)"
        $legal_copyright   = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000320030002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 }
    condition:
        all of ($*)
}
rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_DDF4 {
    // mimidrv.sys (the mimikatz driver) as catalogued by LOLDrivers, matched on
    // its PE VersionInfo resource. Each pattern is a UTF-16LE key followed, after
    // a [1-8] byte gap, by its UTF-16LE value. All eight pairs must be present;
    // this variant carries version 2.1.0.0 and a 2007 - 2016 copyright.
    meta:
        description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys"
        author = "Florian Roth"
        reference = "https://github.com/magicsword-io/LOLDrivers"
        hash = "ddf427ce55b36db522f638ba38e34cd7b96a04cb3c47849b91e7554bfd09a69a"
        hash = "bcb774b6f6ff504d2db58096601bc5cb419c169bfbeaa3af852417e87d9b2aa0"
        hash = "af4f42197f5ce2d11993434725c81ecb6f54025110dedf56be8ffc0e775d9895"
        hash = "9dc7beb60a0a6e7238fc8589b6c2665331be1e807b4d2b3ddd1c258dbbd3e2f7"
        hash = "2da2b883e48e929f5365480d487590957d9e6582cc6da2c0b42699ba85e54fe2"
        hash = "29348ebe12d872c5f40e316a0043f7e5babe583374487345a79bad0ba93fbdfe"
        hash = "e4b2c0aa28aac5e197312a061b05363e2e0387338b28b23272b5b6659d29b1d8"
        hash = "897f2bbe81fc3b1ae488114b93f3eb0133a85678d061c7a6f718507971f33736"
        hash = "0f7bfa10075bf5c193345866333d415509433dbfe5a7d45664b88d72216ff7c3"
        hash = "469713c76c7a887826611b8c7180209a8bb6250f91d0f1eb84ac4d450ef15870"
        hash = "818787057fc60ac8b957aa37d750aa4bace8e6a07d3d28b070022ee6dcd603ab"
        hash = "4af8192870afe18c77381dfaf8478f8914fa32906812bb53073da284a49ae4c7"
        hash = "0740359baef32cbb0b14a9d1bd3499ea2e770ff9b1c85898cfac8fd9aca4fa39"
        hash = "62764ddc2dce74f2620cd2efd97a2950f50c8ac5a1f2c1af00dc5912d52f6920"
        hash = "3b2cd65a4fbdd784a6466e5196bc614c17d1dbaed3fd991d242e3be3e9249da6"
        date = "2024-08-07"
        score = 70
        id = "0b38be06-60df-5b49-a748-eb175e1db33f"
    strings:
        // FileDescription = "mimidrv for Windows (mimikatz)"
        $file_description  = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 }
        // CompanyName = "gentilkiwi (Benjamin DELPY)"
        $company_name      = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 }
        // FileVersion = "2.1.0.0"
        $file_version      = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 }
        // ProductVersion = "2.1.0.0"
        $product_version   = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 }
        // InternalName = "mimidrv"
        $internal_name     = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 }
        // ProductName = "mimidrv (mimikatz)"
        $product_name      = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 }
        // OriginalFilename = "mimidrv.sys"
        $original_filename = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 }
        // LegalCopyright = "Copyright (c) 2007 - 2016 gentilkiwi (Benjamin DELPY)"
        $legal_copyright   = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310036002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 }
    condition:
        all of ($*)
}
rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_0F58 {
    // mimidrv.sys (the mimikatz driver) as catalogued by LOLDrivers, matched on
    // its PE VersionInfo resource. Each pattern is a UTF-16LE key followed, after
    // a [1-8] byte gap, by its UTF-16LE value. All eight pairs must be present;
    // this variant carries version 2.0.0.0 and a 2007 - 2014 copyright.
    meta:
        description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys"
        author = "Florian Roth"
        reference = "https://github.com/magicsword-io/LOLDrivers"
        hash = "0f58e09651d48d2b1bcec7b9f7bb85a2d1a7b65f7a51db281fe0c4f058a48597"
        hash = "087270d57f1626f29ba9c25750ca19838a869b73a1f71af50bdf37d6ff776212"
        hash = "0d676baac43d9e2d05b577d5e0c516fba250391ab0cb11232a4b17fd97a51e35"
        hash = "06ddf49ac8e06e6b83fccba1141c90ea01b65b7db592c54ffe8aa6d30a75c0b8"
        hash = "eab9b5b7e5fab1c2d7d44cd28f13ae8bb083d9362d2b930d43354a3dfd38e05a"
        hash = "627e13da6a45006fff4711b14754f9ccfac9a5854d275da798a22f3a68dd1eaa"
        hash = "b169a5f643524d59330fafe6e3e328e2179fc5116ee6fae5d39581467d53ac03"
        hash = "dfc80e0d468a2c115a902aa332a97e3d279b1fc3d32083e8cf9a4aadf3f54ad1"
        hash = "a74e8f94d2c140646a8bb12e3e322c49a97bd1b8a2e4327863d3623f43d65c66"
        hash = "94ba4bcbdb55d6faf9f33642d0072109510f5c57e8c963d1a3eb4f9111f30112"
        hash = "07759750fbb93c77b5c3957c642a9498fcff3946a5c69317db8d6be24098a4a0"
        hash = "4dc24fd07f8fb854e685bc540359c59f177de5b91231cc44d6231e33c9e932b1"
        hash = "baf7fbc4743a81eb5e4511023692b2dfdc32ba670ba3e4ed8c09db7a19bd82d3"
        hash = "bcca03ce1dd040e67eb71a7be0b75576316f0b6587b2058786fda8b6f0a5adfd"
        date = "2024-08-07"
        score = 70
        id = "0531a88d-cb21-5055-b365-a80b6e99a6e9"
    strings:
        // FileDescription = "mimidrv for Windows (mimikatz)"
        $file_description  = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 }
        // CompanyName = "gentilkiwi (Benjamin DELPY)"
        $company_name      = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 }
        // FileVersion = "2.0.0.0"
        $file_version      = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 }
        // ProductVersion = "2.0.0.0"
        $product_version   = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 }
        // InternalName = "mimidrv"
        $internal_name     = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 }
        // ProductName = "mimidrv (mimikatz)"
        $product_name      = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 }
        // OriginalFilename = "mimidrv.sys"
        $original_filename = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 }
        // LegalCopyright = "Copyright (c) 2007 - 2014 gentilkiwi (Benjamin DELPY)"
        $legal_copyright   = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310034002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 }
    condition:
        all of ($*)
}
rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_7662 {
    // mimidrv.sys (the mimikatz driver) as catalogued by LOLDrivers, matched on
    // its PE VersionInfo resource. Each pattern is a UTF-16LE key followed, after
    // a [1-8] byte gap, by its UTF-16LE value. All eight pairs must be present;
    // this variant carries version 2.1.1.0 and a 2007 - 2017 copyright.
    meta:
        description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys"
        author = "Florian Roth"
        reference = "https://github.com/magicsword-io/LOLDrivers"
        hash = "7662187c236003308a7951c2f49c0768636c492f8935292d02f69e59b01d236d"
        hash = "a85d3fd59bb492a290552e5124bfe3f9e26a3086d69d42ccc44737b5a66673ec"
        hash = "60ee78a2b070c830fabb54c6bde0d095dff8fad7f72aa719758b3c41c72c2aa9"
        hash = "b2486f9359c94d7473ad8331b87a9c17ca9ba6e4109fd26ce92dff01969eaa09"
        hash = "d41e39215c2c1286e4cd3b1dc0948adefb161f22bc3a78756a027d41614ee4ff"
        hash = "008fa89822b7a1f91e5843169083202ea580f7b06eb6d5cae091ba844d035f25"
        hash = "8206ce9c42582ac980ff5d64f8e3e310bc2baa42d1a206dd831c6ab397fbd8fe"
        hash = "aafa642ca3d906138150059eeddb6f6b4fe9ad90c6174386cfe13a13e8be47d9"
        hash = "fefc070a5f6a9c0415e1c6f44512a33e8d163024174b30a61423d00d1e8f9bf2"
        hash = "6964a5d85639baee288555797992861232e75817f93028b50b8c6d34aa38b05b"
        hash = "443c0ba980d4db9213b654a45248fd855855c1cc81d18812cae9d16729ff9a85"
        hash = "e8743094f002239a8a9d6d7852c7852e0bb63cd411b007bd8c194bcba159ef15"
        hash = "ec96b15ce218f97ec1d8f07f13b052d274c4c8438f31daf246ccfaaee5e1bebd"
        hash = "beef40f1b4ce0ff2ee5c264955e6b2a0de6fe4089307510378adc83fad77228b"
        hash = "e858de280bd72d7538386a73e579580a6d5edba87b66b3671dc180229368be19"
        hash = "21617210249d2a35016e8ca6bd7a1edda25a12702a2294d56010ee8148637f5a"
        hash = "02ebf848fa618eba27065db366b15ee6629d98f551d20612ac38b9f655f37715"
        hash = "40556dd9b79b755cc0b48d3d024ceb15bd2c0e04960062ab2a85cd7d4d1b724a"
        hash = "8b30b2dc36d5e8f1ffc7281352923773fb821cdf66eb6516f82c697a524b599b"
        hash = "2ce4f8089b02017cbe86a5f25d6bc69dd8b6f5060c918a64a4123a5f3be1e878"
        hash = "d7aa8abdda8a68b8418e86bef50c19ef2f34bc66e7b139e43c2a99ab48c933be"
        hash = "82ac05fefaa8c7ee622d11d1a378f1d255b647ab2f3200fd323cc374818a83f2"
        hash = "c7cd14c71bcac5420872c3d825ff6d4be6a86f3d6a8a584f1a756541efff858e"
        date = "2024-08-07"
        score = 70
        id = "2bb58484-03d2-5ccc-b165-cfe405f60f03"
    strings:
        // FileDescription = "mimidrv for Windows (mimikatz)"
        $file_description  = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 }
        // CompanyName = "gentilkiwi (Benjamin DELPY)"
        $company_name      = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 }
        // FileVersion = "2.1.1.0"
        $file_version      = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 }
        // ProductVersion = "2.1.1.0"
        $product_version   = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 }
        // InternalName = "mimidrv"
        $internal_name     = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 }
        // ProductName = "mimidrv (mimikatz)"
        $product_name      = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 }
        // OriginalFilename = "mimidrv.sys"
        $original_filename = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 }
        // LegalCopyright = "Copyright (c) 2007 - 2017 gentilkiwi (Benjamin DELPY)"
        $legal_copyright   = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 }
    condition:
        all of ($*)
}
rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_14B8 {
    // mimidrv.sys (the mimikatz driver) as catalogued by LOLDrivers, matched on
    // its PE VersionInfo resource. Each pattern is a UTF-16LE key followed, after
    // a [1-8] byte gap, by its UTF-16LE value. All eight pairs must be present;
    // this variant carries version 2.1.0.0 and a 2007 - 2017 copyright (it
    // differs from the _DDF4 rule only in the copyright year).
    meta:
        description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys"
        author = "Florian Roth"
        reference = "https://github.com/magicsword-io/LOLDrivers"
        hash = "14b89298134696f2fd1b1df0961d36fa6354721ea92498a349dc421e79447925"
        hash = "36c65aeb255c06898ffe32e301030e0b74c8bca6fe7be593584b8fdaacd4e475"
        hash = "673bbc7fa4154f7d99af333014e888599c27ead02710f7bc7199184b30b38653"
        hash = "5295080de37d4838e15dec4e3682545033d479d3d9ac28d74747c086559fb968"
        hash = "8684aec77b4c3cafc1a6594de7e95695fa698625d4206a6c4b201875f76a5b38"
        hash = "69866557566c59772f203c11f5fba30271448e231b65806a66e48f41e3804d7f"
        hash = "a42f4ae69b8755a957256b57eb3d319678eab81705f0ffea0d649ace7321108f"
        hash = "62036cdf3663097534adf3252b921eed06b73c2562655eae36b126c7d3d83266"
        hash = "1ef7afea0cf2ef246ade6606ef8b7195de9cd7a3cd7570bff90ba1e2422276f6"
        hash = "b34e2d9f3d4ef59cf7af18e17133a6a06509373e69e33c8eecb2e30501d0d9e4"
        hash = "0aab2deae90717a8876d46d257401d265cf90a5db4c57706e4003c19eee33550"
        hash = "15cf366f7b3ee526db7ce2b5253ffebcbfaa4f33a82b459237c049f854a97c0c"
        hash = "c4c9c84b211899ceb0d18a839afa497537a7c7c01ab481965a09788a9e16590c"
        hash = "618b15970671700188f4102e5d0638184e2723e8f57f7e917fa49792daebdadb"
        hash = "4bca0a401b364a5cc1581a184116c5bafa224e13782df13272bc1b748173d1be"
        hash = "c7bccc6f38403def4690e00a0b31eda05973d82be8953a3379e331658c51b231"
        hash = "822982c568b6f44b610f8dc4ab5d94795c33ae08a6a608050941264975c1ecdb"
        hash = "b8c71e1844e987cd6f9c2baf28d9520d4ccdd8593ce7051bb1b3c9bf1d97076a"
        hash = "26bea3b3ab2001d91202f289b7e41499d810474607db7a0893ceab74f5532f47"
        hash = "c8ae217860f793fce3ad0239d7b357dba562824dd7177c9d723ca4d4a7f99a12"
        hash = "a78c9871da09fab21aec9b88a4e880f81ecb1ed0fa941f31cc2f041067e8e972"
        hash = "82b7fa34ad07dbf9afa63b2f6ed37973a1b4fe35dee90b3cf5c788c15c9f08f7"
        hash = "6d68d8a71a11458ddf0cbb73c0f145bee46ef29ce03ad7ece6bd6aa9d31db9b7"
        hash = "52f3905bbd97dcd2dbd22890e5e8413b9487088f1ee2fa828030a6a45b3975fd"
        hash = "64d4370843a07e25d4ceb68816015efcaeca9429bb5bb692a88e615b48c7da96"
        hash = "f3ec3f22639d45b3c865bb1ed7622db32e04e1dbc456298be02bf1f3875c3aac"
        hash = "51805bb537befaac8ce28f2221624cb4d9cefdc0260bc1afd5e0bc97bf1f9f93"
        hash = "c4fb31e3f24e40742a1b9855a2d67048fe64b26d8d2dbcec77d2d5deeded2bcc"
        hash = "d50cb5f4b28c6c26f17b9d44211e515c3c0cc2c0c4bf24cd8f9ed073238053ad"
        hash = "4999541c47abd4a7f2a002c180ae8d31c19804ce538b85870b8db53d3652862b"
        hash = "a32dc2218fb1f538fba33701dfd9ca34267fda3181e82eb58b971ae8b78f0852"
        date = "2024-08-07"
        score = 70
        id = "a9965f8f-4969-52ae-953f-a06d8fabe951"
    strings:
        // FileDescription = "mimidrv for Windows (mimikatz)"
        $file_description  = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 }
        // CompanyName = "gentilkiwi (Benjamin DELPY)"
        $company_name      = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 }
        // FileVersion = "2.1.0.0"
        $file_version      = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 }
        // ProductVersion = "2.1.0.0"
        $product_version   = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 }
        // InternalName = "mimidrv"
        $internal_name     = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 }
        // ProductName = "mimidrv (mimikatz)"
        $product_name      = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 }
        // OriginalFilename = "mimidrv.sys"
        $original_filename = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 }
        // LegalCopyright = "Copyright (c) 2007 - 2017 gentilkiwi (Benjamin DELPY)"
        $legal_copyright   = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 }
    condition:
        all of ($*)
}
rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_41AD {
// VersionInfo signature for the mimikatz kernel driver (mimidrv.sys) in the
// LOLDrivers generator's layout: every hex string is a UTF-16LE resource key,
// a 1-8 byte gap (presumably the key's terminator plus alignment padding),
// then the UTF-16LE value. Decoded key/value pairs are noted on each line.
// This variant carries FileVersion 2.2.0.0 and a "2007 - 2019" copyright.
meta:
description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
// SHA-256 values (64 hex chars) of the samples this rule is listed for
hash = "41ad660820c41fc8b1860b13dc1fea8bc8cb2faceb36ed3e29d40d28079d2b1f"
hash = "a7a665a695ec3c0f862a0d762ad55aff6ce6014359647e7c7f7e3c4dc3be81b7"
hash = "9a42fa1870472c38a56c0a70f62e57a3cdc0f5bc142f3a400d897b85d65800ac"
hash = "f6157e033a12520c73dcedf8e49cd42d103e5874c34d6527bb9de25a5d26e5ad"
hash = "31b66a57fae0cc28a6a236d72a35c8b6244f997e700f9464f9cbf800dbf8bee6"
hash = "1d23ab46ad547e7eef409b40756aae9246fbdf545d13946f770643f19c715e80"
hash = "704c6ffe786bc83a73fbdcd2edd50f47c3b5053da7da6aa4c10324d389a31db4"
hash = "200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a"
hash = "4bd4715d2a7af627da11513e32fab925c872babebdb7ff5675a75815fbf95021"
hash = "9e56e96df36237e65b3d7dbc490afdc826215158f6278cd579c576c4b455b392"
hash = "8b32fc8b15363915605c127ccbf5cbe71778f8dfbf821a25455496e969a01434"
hash = "b0a27ac1a8173413de13860d2b2e34cb6bc4d1149f94b62d319042e11d8b004c"
hash = "07beac65e28ee124f1da354293a3d6ad7250ed1ce29b8342acfd22252548a5af"
hash = "c4f041de66ec8cc5ab4a03bbc46f99e073157a4e915a9ab4069162de834ffc5c"
hash = "26ef7b27d1afb685e0c136205a92d29b1091e3dcf6b7b39a4ec03fbbdb57cb55"
hash = "406b844f4b5c82caf26056c67f9815ad8ecf1e6e5b07d446b456e5ff4a1476f9"
date = "2024-08-07"
score = 70
id = "8a8887dd-0f3d-5ab4-a945-b47966789b99"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription = "mimidrv for Windows (mimikatz)" */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName = "gentilkiwi (Benjamin DELPY)" */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion = "2.2.0.0" */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion = "2.2.0.0" */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName = "mimidrv" */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName = "mimidrv (mimikatz)" */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename = "mimidrv.sys" */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310039002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright = "Copyright (c) 2007 - 2019 gentilkiwi (Benjamin DELPY)" */
condition:
// all eight VersionInfo fields must be present. There is no MZ or filesize
// guard, so the rule also fires where these resource bytes appear inside
// another file or a memory image.
all of them
}
rule MAL_Driver_Mimidrv_Mimidrvmimikatz_2FAF {
// VersionInfo signature for mimidrv.sys (LOLDrivers layout: UTF-16LE key,
// 1-8 byte gap, UTF-16LE value). Only five fields are checked here - no
// FileDescription, CompanyName or FileVersion - so this rule is looser than
// the sibling *_2FD4 rule, whose string set is a superset of this one;
// anything matching *_2FD4 also matches here.
meta:
description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "2faf95a3405578d0e613c8d88d534aa7233da0a6217ce8475890140ab8fb33c8"
date = "2024-08-07"
score = 70
id = "0160f2aa-f60f-5590-be0a-6751487eab92"
strings:
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion = "2.0.0.0" */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName = "mimidrv" */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName = "mimidrv (mimikatz)" */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename = "mimidrv.sys" */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310035002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright = "Copyright (c) 2007 - 2015 gentilkiwi (Benjamin DELPY)" */
condition:
// all five fields required; no MZ or filesize guard
all of them
}
rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_2FD4 {
// VersionInfo signature for mimidrv.sys (LOLDrivers layout: UTF-16LE key,
// 1-8 byte gap, UTF-16LE value). This variant carries FileVersion /
// ProductVersion 2.0.0.0 and a "2007 - 2015" copyright; it differs from the
// sibling *_30E0 rule only in the copyright year.
meta:
description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "2fd43a749b5040ebfafd7cdbd088e27ef44341d121f313515ebde460bf3aaa21"
hash = "7824931e55249a501074a258b4f65cd66157ee35672ba17d1c0209f5b0384a28"
hash = "28f5aa194a384680a08c0467e94a8fc40f8b0f3f2ac5deb42e0f51a80d27b553"
date = "2024-08-07"
score = 70
id = "e77f1fc7-4700-5afe-908f-b0d206757365"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription = "mimidrv for Windows (mimikatz)" */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName = "gentilkiwi (Benjamin DELPY)" */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion = "2.0.0.0" */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion = "2.0.0.0" */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName = "mimidrv" */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName = "mimidrv (mimikatz)" */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename = "mimidrv.sys" */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310035002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright = "Copyright (c) 2007 - 2015 gentilkiwi (Benjamin DELPY)" */
condition:
// all eight fields required; no MZ or filesize guard
all of them
}
rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_30E0 {
// VersionInfo signature for mimidrv.sys (LOLDrivers layout: UTF-16LE key,
// 1-8 byte gap, UTF-16LE value). This variant carries FileVersion /
// ProductVersion 2.0.0.0 and a "2007 - 2013" copyright, the oldest build
// covered by this rule family.
meta:
description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "30e083cd7616b1b969a92fd18cf03097735596cce7fcf3254b2ca344e526acc2"
hash = "a906251667a103a484a6888dca3e9c8c81f513b8f037b98dfc11440802b0d640"
date = "2024-08-07"
score = 70
id = "888de0dc-5643-5e55-8272-9363cc55bfcf"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription = "mimidrv for Windows (mimikatz)" */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName = "gentilkiwi (Benjamin DELPY)" */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion = "2.0.0.0" */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion = "2.0.0.0" */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName = "mimidrv" */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName = "mimidrv (mimikatz)" */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename = "mimidrv.sys" */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310033002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright = "Copyright (c) 2007 - 2013 gentilkiwi (Benjamin DELPY)" */
condition:
// all eight fields required; no MZ or filesize guard
all of them
}
rule Mimikatz_Memory_Rule_1 : APT {
meta:
author = "Florian Roth"
date = "2014-12-22"
modified = "2023-07-04"
score = 70
nodeepdive = 1
description = "Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)"
id = "55cc7129-5ea0-5545-a8f6-b5306a014dd0"
strings:
// sekurlsa module commands as they sit in process memory
$cmd1 = "sekurlsa::wdigest" ascii fullword
$cmd2 = "sekurlsa::logonPasswords" ascii fullword
$cmd3 = "sekurlsa::minidump" ascii fullword
$cmd4 = "sekurlsa::credman" ascii fullword
// known-benign documents that quote those commands: MITRE ATT&CK JSON
// exports (x_mitre_version / attack.mitre.org keys) and JavaScript sources
$excl1 = "\"x_mitre_version\": " ascii
$excl2 = "{\"type\":\"bundle\"," ascii
$excl3 = "use strict" ascii fullword
$excl4 = "\"url\":\"https://attack.mitre.org/" ascii
condition:
// one command string suffices unless an exclusion marker is also present
any of ($cmd*) and not any of ($excl*)
}
rule Mimikatz_Memory_Rule_2 : APT {
meta:
description = "Mimikatz Rule generated from a memory dump"
author = "Florian Roth (Nextron Systems) - Florian Roth"
score = 75
date = "2014-12-22"
modified = "2023-05-19"
reference = "https://blog.gentilkiwi.com/mimikatz"
strings:
// module prefix shared by every sekurlsa command
$module = "sekurlsa::" ascii
// artefacts lifted from the memory dump the rule was generated from
$art1 = "cryptprimitives.pdb" ascii
$art2 = "Now is t1O" fullword ascii
$art3 = "ALICE123" ascii
$art4 = "BOBBY456" ascii
condition:
// the module prefix together with at least one dump artefact
$module and any of ($art*)
}
rule mimikatz : FILE {
// Author-supplied (gentilkiwi) code-pattern signature: $exe_* are opcode
// fragments of the 32- and 64-bit executables, $sys_* (by name) of the
// driver builds. The ? nibble wildcards and [n-m] jumps absorb byte-level
// variation between builds.
meta:
description = "mimikatz"
author = "Benjamin DELPY (gentilkiwi)"
tool_author = "Benjamin DELPY (gentilkiwi)"
modified = "2022-11-16"
id = "840a5b8c-a311-50bc-a099-6b8ab1492e12"
strings:
$exe_x86_1 = { 89 71 04 89 [0-3] 30 8d 04 bd }
$exe_x86_2 = { 8b 4d e? 8b 45 f4 89 75 e? 89 01 85 ff 74 }
$exe_x64_1 = { 33 ff 4? 89 37 4? 8b f3 45 85 c? 74}
$exe_x64_2 = { 4c 8b df 49 [0-3] c1 e3 04 48 [0-3] 8b cb 4c 03 [0-3] d8 }
// The DLL patterns are disabled together with their condition clause
// below; re-enabling one side without the other fails to compile
// (undefined string reference, or an unreferenced string).
/*
$dll_1 = { c7 0? 00 00 01 00 [4-14] c7 0? 01 00 00 00 }
$dll_2 = { c7 0? 10 02 00 00 ?? 89 4? }
*/
$sys_x86 = { a0 00 00 00 24 02 00 00 40 00 00 00 [0-4] b8 00 00 00 6c 02 00 00 40 00 00 00 }
$sys_x64 = { 88 01 00 00 3c 04 00 00 40 00 00 00 [0-4] e8 02 00 00 f8 02 00 00 40 00 00 00 }
condition:
// both patterns of one executable flavour, or either driver pattern;
// there is no MZ or filesize guard
(all of ($exe_x86_*)) or (all of ($exe_x64_*))
// or (all of ($dll_*))
or (any of ($sys_*))
}
rule Mimikatz_Logfile {
meta:
description = "Detects a log file generated by malicious hack tool mimikatz"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 80
date = "2015/03/31"
id = "921d85fc-fb4d-57ed-b4ac-203d5c6f1e8e"
strings:
// field labels of mimikatz's credential output. ascii only: a UTF-16
// encoded copy of the same log is not covered.
$lbl_auth = "Authentication Id :" fullword ascii
$lbl_sid = "SID :" fullword ascii
$lbl_ntlm = "* NTLM :" fullword ascii
$lbl_wdigest = "wdigest :" fullword ascii
condition:
// every label has to be present
all of ($lbl_*)
}
rule Mimikatz_Strings {
// Plain-text markers from mimikatz's user-facing output and internal names
// (module/command strings, format strings, the mimidrv device name).
meta:
description = "Detects Mimikatz strings"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "not set"
date = "2016-06-08"
score = 65
id = "d8f63b71-c66c-5c10-9268-2d8970f7c8a1"
strings:
$x1 = "sekurlsa::logonpasswords" fullword wide ascii
$x2 = "List tickets in MIT/Heimdall ccache" fullword ascii wide
$x3 = "kuhl_m_kerberos_ptt_file ; LsaCallKerberosPackage %08x" fullword ascii wide
$x4 = "* Injecting ticket :" fullword wide ascii
$x5 = "mimidrv.sys" fullword wide ascii
$x6 = "Lists LM & NTLM credentials" fullword wide ascii
$x7 = "\\_ kerberos -" wide ascii
$x8 = "* unknow :" fullword wide ascii
$x9 = "\\_ *Password replace ->" wide ascii
$x10 = "KIWI_MSV1_0_PRIMARY_CREDENTIALS KO" ascii wide
$x11 = "\\\\.\\mimidrv" wide ascii
$x12 = "Switch to MINIDUMP :" fullword wide ascii
// $x13-$x16 are wide only; the ascii form of these messages is not covered
$x13 = "[masterkey] with password: %s (%s user)" fullword wide
$x14 = "Clear screen (doesn't work with redirections, like PsExec)" fullword wide
$x15 = "** Session key is NULL! It means allowtgtsessionkey is not set to 1 **" fullword wide
$x16 = "[masterkey] with DPAPI_SYSTEM (machine, then user): " fullword wide
condition:
// a PE file (MZ) needs a single marker; any other input (memory dumps,
// scripts, logs) needs three
(
( uint16(0) == 0x5a4d and 1 of ($x*) ) or
( 3 of them )
)
/* exclude false positives */
// Requires `import "pe"` earlier in the file (not in this excerpt).
// NOTE(review): pe.imphash() is undefined for non-PE input; confirm with the
// deployed YARA version that the `3 of them` branch still yields a match
// there instead of being pulled to false by the undefined comparison.
and not pe.imphash() == "77eaeca738dd89410a432c6bd6459907"
}
rule AppInitHook {
meta:
description = "AppInitGlobalHooks-Mimikatz - Hide Mimikatz From Process Lists - file AppInitHook.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/Z292v6"
date = "2015-07-15"
score = 70
hash = "e7563e4f2a7e5f04a3486db4cefffba173349911a3c6abd7ae616d3bf08cfd45"
id = "73713011-3083-5cdf-b59c-f4da67d2d2ab"
strings:
// build artefacts of the hooking DLL itself
$pdb = "\\Release\\AppInitHook.pdb" ascii
$dll = "AppInitHook.dll" fullword ascii
// the process name it hides, plus text from the embedded mhook disassembler
$target = "mimikatz.exe" fullword wide
$mhook1 = "]X86Instruction->OperandSize >= Operand->Length" fullword wide
$mhook2 = "mhook\\disasm-lib\\disasm.c" fullword wide
$mhook3 = "mhook\\disasm-lib\\disasm_x86.c" fullword wide
$sym = "VoidFunc" fullword ascii
condition:
// PE under 500KB carrying at least four of the seven markers
uint16(0) == 0x5a4d and filesize < 500KB and 4 of them
}
rule HKTL_Mimikatz_SkeletonKey_in_memory_Aug20_1 {
meta:
description = "Detects Mimikatz SkeletonKey in Memory"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/sbousseaden/status/1292143504131600384?s=12"
date = "2020-08-09"
id = "e7c1c512-e944-5d87-ac57-cdc9ab7cf660"
strings:
// code fragment: a run of `c7 44 24 xx imm32` stores (mov [esp/rsp+xx], imm32)
// writing fixed constants onto the stack; see the reference for its origin
$code = { 60 ba 4f ca c7 44 24 34 dc 46 6c 7a c7 44 24 38 03 3c 17 81 c7 44 24 3c 94 c0 3d f6 }
condition:
$code
}
rule HKTL_mimikatz_memssp_hookfn {
// Code-pattern signature for the memssp hook function: the fragment opens
// with `sub rsp, 0xA8` (48 81 EC A8 00 00 00), fills stack slots with dword
// immediates (the c7 44 24 xx / c7 84 24 xx stores), loads a 64-bit
// immediate into rax (48 B8 ...) and calls through it (FF D0). The ??
// bytes leave build/address-dependent immediates open.
meta:
description = "Detects Default Mimikatz memssp module in-memory"
author = "SBousseaden"
date = "2020-08-26"
reference = "https://github.com/sbousseaden/YaraHunts/blob/master/mimikatz_memssp_hookfn.yara"
score = 70
id = "89940110-8a5e-5a28-bf64-3b568f8ef1f8"
strings:
$xc1 = { 48 81 EC A8 00 00 00 C7 84 24 88 00 00 00 ?? ??
?? ?? C7 84 24 8C 00 00 00 ?? ?? ?? ?? C7 84 24
90 00 00 00 ?? ?? ?? 00 C7 84 24 80 00 00 00 61
00 00 00 C7 44 24 40 5B 00 25 00 C7 44 24 44 30
00 38 00 C7 44 24 48 78 00 3A 00 C7 44 24 4C 25
00 30 00 C7 44 24 50 38 00 78 00 C7 44 24 54 5D
00 20 00 C7 44 24 58 25 00 77 00 C7 44 24 5C 5A
00 5C 00 C7 44 24 60 25 00 77 00 C7 44 24 64 5A
00 09 00 C7 44 24 68 25 00 77 00 C7 44 24 6C 5A
00 0A 00 C7 44 24 70 00 00 00 00 48 8D 94 24 80
00 00 00 48 8D 8C 24 88 00 00 00 48 B8 A0 7D ??
?? ?? ?? 00 00 FF D0 } // memssp creds logging function
// $xc2 is kept disabled: it pins the default "mimilsa.log" output name and
// would miss operators who changed it
// $xc2 = {6D 69 6D 69 C7 84 24 8C 00 00 00 6C 73 61 2E C7 84 24 90 00 00 00 6C 6F 67} - mimilsa.log
condition:
$xc1 // you can set condition to $xc1 and not $xc2 to detect non lazy memssp users
}
rule HKTL_mimikatz_icon {
meta:
description = "Detects mimikatz icon in PE file"
license = "Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License"
author = "Arnim Rupp"
reference = "https://blog.gentilkiwi.com/mimikatz"
date = "2023-02-18"
score = 60
hash1 = "61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1"
hash2 = "1c3f584164ef595a37837701739a11e17e46f9982fdcee020cf5e23bad1a0925"
hash3 = "c6bb98b24206228a54493274ff9757ce7e0cbb4ab2968af978811cc4a98fde85"
hash4 = "721d3476cdc655305902d682651fffbe72e54a97cd7e91f44d1a47606bae47ab"
hash5 = "c0f3523151fa307248b2c64bdaac5f167b19be6fccff9eba92ac363f6d5d2595"
id = "2a5ea476-a30d-5eac-b57a-3fb49386c046"
strings:
// 32-byte slice of the icon bitmap (looks like 8 four-byte pixels - TODO confirm)
$icon_px = {79 e1 d7 ff 7e e5 db ff 7f e8 dc ff 85 eb dd ff ba ff f1 ff 66 a0 b6 ff 01 38 61 ff 22 50 75 c3}
condition:
// PE file (MZ) under 10MB that carries the icon bytes anywhere
uint16(0) == 0x5A4D and filesize < 10MB and $icon_px
}
rule Empire_Invoke_Mimikatz_Gen {
meta:
description = "Detects Empire component - file Invoke-Mimikatz.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
hash1 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
id = "1f771a17-2534-5811-80bd-bc1bab37d97c"
strings:
// start of the base64-encoded PE embedded in the script ("TVqQAAMAAAAEAAAA"
// is how an MZ/DOS header encodes)
$b64_pe = "= \"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQ" ascii
// the Invoke-Command line that runs the embedded PE in the remote session
$invoke = "Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes64, $PEBytes32, \"Void\", 0, \"\", $ExeArgs)" fullword ascii
condition:
// 0x7566 is "fu" read little-endian, i.e. a file beginning with "fu"
// (presumably `function ...`); such files under 4000KB need one marker,
// anything else needs both
( uint16(0) == 0x7566 and filesize < 4000KB and any of them ) or all of them
}
rule Empire_Invoke_CredentialInjection_Invoke_Mimikatz_Gen {
meta:
description = "Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-Mimikatz.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
super_rule = 1
hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
hash2 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
id = "d938aadf-6924-5964-9b5a-6bd1b817349f"
strings:
// the two Invoke-MemoryLoadLibrary call forms shared by both scripts
// (with and without a remote process handle)
$load_remote = "$PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -RemoteProcHandle $RemoteProcHandle" fullword ascii
$load_local = "$PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs" fullword ascii
condition:
// 0x7566 is "fu" little-endian (a file beginning with "fu"); such files
// under 4000KB need one marker, anything else needs both
( uint16(0) == 0x7566 and filesize < 4000KB and any of them ) or all of them
}
rule ps1_toolkit_Invoke_Mimikatz {
meta:
description = "Auto-generated rule - file Invoke-Mimikatz.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/vysec/ps1-toolkit"
date = "2016-09-04"
score = 80
hash1 = "5c31a2e3887662467cfcb0ac37e681f1d9b0f135e6dfff010aae26587e03d8c8"
id = "7c0252a1-fbe4-5519-949b-285073abb21f"
strings:
// Win32 API resolution and PE-header plumbing used by the in-memory loader
$api_wpm = "Get-ProcAddress kernel32.dll WriteProcessMemory" fullword ascii
$api_atp = "Get-ProcAddress Advapi32.dll AdjustTokenPrivileges" fullword ascii
$pe_flag = "| Add-Member -MemberType NoteProperty -Name IMAGE_FILE_EXECUTABLE_IMAGE -Value 0x0002" fullword ascii
$ps_list = "ps | where { $_.Name -eq $ProcName } | select ProcessName, Id, SessionId" fullword ascii
// the mimikatz command line and the cmdlet's own usage text
$mk_cmd = "privilege::debug exit" ascii
$usage = "Invoke-Mimikatz -DumpCreds" fullword ascii
condition:
// 0xbbef = the first two bytes of a UTF-8 BOM (EF BB); BOM-prefixed files
// under 10000KB need one marker, anything else needs three
( uint16(0) == 0xbbef and filesize < 10000KB and any of them ) or ( 3 of them )
}
rule ps1_toolkit_Invoke_Mimikatz_RelfectivePEInjection {
// Super rule (super_rule = 1): markers shared by two scripts of the same
// toolkit, the reflective PE loader and the Invoke-Mimikatz wrapper built
// on it. The "Relfective" spelling mirrors the toolkit's file name.
meta:
description = "Auto-generated rule - from files Invoke-Mimikatz.ps1, Invoke-RelfectivePEInjection.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/vysec/ps1-toolkit"
date = "2016-09-04"
score = 80
super_rule = 1
hash1 = "5c31a2e3887662467cfcb0ac37e681f1d9b0f135e6dfff010aae26587e03d8c8"
hash2 = "510b345f821f93c1df5f90ac89ad91fcd0f287ebdabec6c662b716ec9fddb03a"
id = "e9471f95-48e1-57e0-b0be-f916c574a6a7"
strings:
// marshalling / remote-process loader lines
$s1 = "[IntPtr]$DllAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [Type][IntPtr])" fullword ascii
$s2 = "if ($GetCommandLineAAddr -eq [IntPtr]::Zero -or $GetCommandLineWAddr -eq [IntPtr]::Zero)" fullword ascii
// x64 and x86 variants of the same inline shellcode stub
$s3 = "[Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xbb)" fullword ascii
$s4 = "Function Import-DllInRemoteProcess" fullword ascii
// base64 of UTF-16LE "Continue" and "Done!" - strings the scripts decode at run time
$s5 = "FromBase64String('QwBvAG4AdABpAG4AdQBlAA==')))" fullword ascii
$s6 = "[Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x83, 0xec, 0x20, 0x83, 0xe4, 0xc0, 0xbb)" fullword ascii
$s7 = "[System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenPrivilegesMem)" fullword ascii
$s8 = "[System.Runtime.InteropServices.Marshal]::StructureToPtr($CurrAddr, $FinalAddr, $false) | Out-Null" fullword ascii
$s9 = "::FromBase64String('RABvAG4AZQAhAA==')))" ascii
$s10 = "Write-Verbose \"PowerShell ProcessID: $PID\"" fullword ascii
$s11 = "[IntPtr]$ProcAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [Type][IntPtr])" fullword ascii
condition:
// 0xbbef = first two bytes of a UTF-8 BOM (EF BB); BOM-prefixed files under
// 10000KB need three markers, anything else needs six
( uint16(0) == 0xbbef and filesize < 10000KB and 3 of them ) or ( 6 of them )
}
rule APT28_CHOPSTICK {
meta:
description = "Detects a malware that behaves like CHOPSTICK mentioned in APT28 report"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/v3ebal"
date = "2015-06-02"
hash = "f4db2e0881f83f6a2387ecf446fcb4a4c9f99808"
score = 60
id = "08bc4cc2-1844-5218-bb89-20a3ac70a951"
strings:
// the one sample-specific artefact
$marker = "jhuhugit.tmp" fullword ascii
// common Win32 import names and CRT text (PEStudio counts each of these in
// thousands of goodware files); they only narrow the match around $marker
$common1 = "KERNEL32.dll" fullword ascii
$common2 = "IsDebuggerPresent" fullword ascii
$common3 = "IsProcessorFeaturePresent" fullword ascii
$common4 = "TerminateProcess" fullword ascii
$common5 = "DeleteFileA" fullword ascii
$common6 = "GetProcessHeap" fullword ascii
$common7 = "!This program cannot be run in DOS mode." fullword ascii
$common8 = "LoadLibraryA" fullword ascii
condition:
// PE under 722KB that contains the marker and every one of the common strings
uint16(0) == 0x5a4d and filesize < 722KB and $marker and all of ($common*)
}
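rule WEBSHELL_PHP_Generic_Backticks
{
// One-liner PHP shells that pass a request variable straight to the
// shell-execution backtick operator. The PHP-tag block below is copied from
// the private rule capa_php_old_safe so this rule stays self-contained.
meta:
description = "Generic PHP webshell which uses backticks directly on user input"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
reference = "Internal Research"
score = 75
date = "2021/01/07"
modified = "2023-04-05"
// the 8db86ad9... hash was listed twice; the duplicate entry is dropped
hash = "339f32c883f6175233f0d1a30510caa52fdcaa37"
hash = "8db86ad90883cd208cf86acd45e67c03f994998804441705d690cb6526614d00"
hash = "af987b0eade03672c30c095cee0c7c00b663e4b3c6782615fb7e430e4a7d1d75"
hash = "67339f9e70a17af16cf51686918cbe1c0604e129950129f67fe445eaff4b4b82"
hash = "144e242a9b219c5570973ca26d03e82e9fbe7ba2773305d1713288ae3540b4ad"
id = "b2f1d8d0-8668-5641-8ce9-c8dd71f51f58"
strings:
// backtick, optional whitespace and `{`, then $_POST[ / $_GET[ / $_REQUEST[ / $_SERVER['HTTP_
$backtick = /`\s*\{?\$(_POST\[|_GET\[|_REQUEST\[|_SERVER\['HTTP_)/ wide ascii
//strings from private rule capa_php_old_safe
$php_short = "<?" wide ascii
// prevent xml and asp from hitting with the short tag
$no_xml1 = "<?xml version" nocase wide ascii
$no_xml2 = "<?xml-stylesheet" nocase wide ascii
$no_asp1 = "<%@LANGUAGE" nocase wide ascii
$no_asp2 = /<script language="(vb|jscript|c#)/ nocase wide ascii
// ascii only (no wide modifier), unlike its $no_* siblings
$no_pdf = "<?xpacket"
// of course the new tags should also match
// already matched by "<?"
$php_new1 = /<\?=[^?]/ wide ascii
$php_new2 = "<?php" nocase wide ascii
$php_new3 = "<script language=\"php" nocase wide ascii
condition:
(
// short "<?" tag near the start or the end of the file, unless the file
// reveals itself as XML / ASP / XMP-in-PDF ...
(
(
$php_short in (0..100) or
$php_short in (filesize-1000..filesize)
)
and not any of ( $no_* )
)
// ... or an unambiguous PHP opening tag anywhere
or any of ( $php_new* )
)
// the backtick-on-input pattern, restricted to tiny files (one-liners)
and $backtick and filesize < 200
}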
rule WEBSHELL_PHP_Generic_Backticks_OBFUSC
{
// Variant of WEBSHELL_PHP_Generic_Backticks for the form `echo `$...``:
// the backtick follows `echo`, up to 500 spaces/tabs and an optional "(",
// so the request variable itself need not be spelled out (whitespace
// padding or an interpolated variable name). Size bound is 500 bytes here
// instead of 200.
meta:
description = "Generic PHP webshell which uses backticks directly on user input"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
reference = "Internal Research"
score = 75
date = "2021/01/07"
modified = "2023-04-05"
hash = "23dc299f941d98c72bd48659cdb4673f5ba93697"
hash = "e3f393a1530a2824125ecdd6ac79d80cfb18fffb89f470d687323fb5dff0eec1"
hash = "1e75914336b1013cc30b24d76569542447833416516af0d237c599f95b593f9b"
hash = "8db86ad90883cd208cf86acd45e67c03f994998804441705d690cb6526614d00"
id = "5ecb329f-0755-536d-8bfa-e36158474a0b"
strings:
$s1 = /echo[\t ]{0,500}\(?`\$/ wide ascii
//strings from private rule capa_php_old_safe
$php_short = "<?" wide ascii
// prevent xml and asp from hitting with the short tag
$no_xml1 = "<?xml version" nocase wide ascii
$no_xml2 = "<?xml-stylesheet" nocase wide ascii
$no_asp1 = "<%@LANGUAGE" nocase wide ascii
$no_asp2 = /<script language="(vb|jscript|c#)/ nocase wide ascii
// ascii only (no wide modifier), unlike its $no_* siblings
$no_pdf = "<?xpacket"
// of course the new tags should also match
// already matched by "<?"
$php_new1 = /<\?=[^?]/ wide ascii
$php_new2 = "<?php" nocase wide ascii
$php_new3 = "<script language=\"php" nocase wide ascii
condition:
// tiny file with a PHP opening tag (short tag near start/end and not
// XML/ASP/PDF, or an explicit tag anywhere) plus the echo-backtick pattern
filesize < 500 and (
(
(
$php_short in (0..100) or
$php_short in (filesize-1000..filesize)
)
and not any of ( $no_* )
)
or any of ( $php_new* )
)
and $s1
}
rule WEBSHELL_PHP_By_String_Known_Webshell
{
// Catch-all for known PHP webshell families by unique literal strings
// ($pbs*), gated on the file looking like PHP and not like a binary
// container. Low effort by design (see description); most of these samples
// are also covered by the behavioural rules elsewhere in the set.
meta:
description = "Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions."
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
reference = "Internal Research"
date = "2021-01-09"
modified = "2025-08-18"
score = 70
hash = "d889da22893536d5965541c30896f4ed4fdf461d"
hash = "10f4988a191774a2c6b85604344535ee610b844c1708602a355cf7e9c12c3605"
hash = "7b6471774d14510cf6fa312a496eed72b614f6fc"
hash = "decda94d40c3fd13dab21e197c8d05f48020fa498f4d0af1f60e29616009e9bf"
hash = "ef178d332a4780e8b6db0e772aded71ac1a6ed09b923cc359ba3c4efdd818acc"
hash = "a7a937c766029456050b22fa4218b1f2b45eef0db59b414f79d10791feca2c0b"
hash = "e7edd380a1a2828929fbde8e7833d6e3385f7652ea6b352d26b86a1e39130ee8"
hash = "0038946739956c80d75fa9eeb1b5c123b064bbb9381d164d812d72c7c5d13cac"
hash = "3a7309bad8a5364958081042b5602d82554b97eca04ee8fdd8b671b5d1ddb65d"
hash = "a78324b9dc0b0676431af40e11bd4e26721a960c55e272d718932bdbb755a098"
hash = "a27f8cd10cedd20bff51e9a8e19e69361cc8a6a1a700cc64140e66d160be1781"
hash = "9bbd3462993988f9865262653b35b4151386ed2373592a1e2f8cf0f0271cdb00"
hash = "459ed1d6f87530910361b1e6065c05ef0b337d128f446253b4e29ae8cc1a3915"
hash = "12b34d2562518d339ed405fb2f182f95dce36d08fefb5fb67cc9386565f592d1"
hash = "96d8ca3d269e98a330bdb7583cccdc85eab3682f9b64f98e4f42e55103a71636"
hash = "312ee17ec9bed4278579443b805c0eb75283f54483d12f9add7d7d9e5f9f6105"
hash = "15c4e5225ff7811e43506f0e123daee869a8292fc8a38030d165cc3f6a488c95"
hash = "0c845a031e06925c22667e101a858131bbeb681d78b5dbf446fdd5bca344d765"
hash = "d52128bcfff5e9a121eab3d76382420c3eebbdb33cd0879fbef7c3426e819695"
//TODO regex for 96d8ca3d269e98a330bdb7583cccdc85eab3682f9b64f98e4f42e55103a71636 would it be fast enough?
id = "05ac0e0a-3a19-5c60-b89a-4a300d8c22e7"
strings:
// family names, banners and hard-coded credentials/constants of known shells
$pbs1 = "b374k shell" wide ascii
$pbs2 = "b374k/b374k" wide ascii
$pbs3 = "\"b374k" wide ascii
$pbs4 = "$b374k(\"" wide ascii
$pbs5 = "b374k " wide ascii
$pbs6 = "0de664ecd2be02cdd54234a0d1229b43" wide ascii
$pbs7 = "pwnshell" wide ascii
$pbs8 = "reGeorg" fullword wide ascii
$pbs9 = "Georg says, 'All seems fine" fullword wide ascii
$pbs10 = "My PHP Shell - A very simple web shell" wide ascii
$pbs11 = "<title>My PHP Shell <?echo VERSION" wide ascii
$pbs12 = "F4ckTeam" fullword wide ascii
$pbs15 = "MulCiShell" fullword wide ascii
// crawler avoid string
$pbs30 = "bot|spider|crawler|slurp|teoma|archive|track|snoopy|java|lwp|wget|curl|client|python|libwww" wide ascii
// <?=($pbs_=@$_GET[2]).@$_($_GET[1])?>
// the five regexes below cover the GET/POST/REQUEST combinations of that one-liner
$pbs35 = /@\$_GET\s?\[\d\]\)\.@\$_\(\$_GET\s?\[\d\]\)/ wide ascii
$pbs36 = /@\$_GET\s?\[\d\]\)\.@\$_\(\$_POST\s?\[\d\]\)/ wide ascii
$pbs37 = /@\$_POST\s?\[\d\]\)\.@\$_\(\$_GET\s?\[\d\]\)/ wide ascii
$pbs38 = /@\$_POST\[\d\]\)\.@\$_\(\$_POST\[\d\]\)/ wide ascii
$pbs39 = /@\$_REQUEST\[\d\]\)\.@\$_\(\$_REQUEST\[\d\]\)/ wide ascii
$pbs42 = "array(\"find config.inc.php files\", \"find / -type f -name config.inc.php\")" wide ascii
$pbs43 = "$_SERVER[\"\\x48\\x54\\x54\\x50" wide ascii
// $pbs52-$pbs63 carry no modifiers, so only their ascii form is matched
$pbs52 = "preg_replace(\"/[checksql]/e\""
$pbs53 = "='http://www.zjjv.com'"
$pbs54 = "=\"http://www.zjjv.com\""
$pbs60 = /setting\["AccountType"\]\s?=\s?3/
$pbs61 = "~+d()\"^\"!{+{}"
$pbs62 = "use function \\eval as "
$pbs63 = "use function \\assert as "
$pbs64 = "eval(`/*" wide ascii
$pbs65 = "/* Reverse engineering of this file is strictly prohibited. File protected by copyright law and provided under license. */" wide ascii
$pbs66 = "Tas9er" fullword wide ascii
// reversed / rotated identifiers used to hide the real function name
$pbs67 = "\"TSOP_\";" fullword wide ascii // reverse _POST
$pbs68 = "str_rot13('nffreg')" wide ascii // rot13(assert)
$pbs69 = "<?=`{$'" wide ascii
$pbs70 = "{'_'.$_}[\"_\"](${'_'.$_}[\"_" wide ascii
$pbs71 = "\"e45e329feb5d925b\"" wide ascii
$pbs72 = "| PHP FILE MANAGER" wide ascii
$pbs73 = "\neval(htmlspecialchars_decode(gzinflate(base64_decode($" wide ascii
$pbs74 = "/*\n\nShellindir.org\n\n*/" wide ascii
$pbs75 = "$shell = 'uname -a; w; id; /bin/sh -i';" wide ascii
$pbs76 = "'password' . '/' . 'id' . '/' . " wide ascii
$pbs77 = "= create_function /*" wide ascii
$pbs78 = "W3LL M!N! SH3LL" wide ascii
$pbs79 = "extract($_REQUEST)&&@$" wide ascii
$pbs80 = "\"P-h-p-S-p-y\"" wide ascii
// hex-escaped "_rot13" and "base64_" fragments
$pbs81 = "\\x5f\\x72\\x6f\\x74\\x31\\x33" wide ascii
$pbs82 = "\\x62\\x61\\x73\\x65\\x36\\x34\\x5f" wide ascii
// comment-splicing around dangerous calls, e.g. /*x*/eval/*y*/(...)
$pbs83 = "*/base64_decode/*" wide ascii
$pbs84 = "\n@eval/*" wide ascii
$pbs85 = "*/eval/*" wide ascii
$pbs86 = "*/ array /*" wide ascii
$pbs87 = "2jtffszJe" wide ascii
$pbs88 = "edocne_46esab" wide ascii // reverse base64_encode
$pbs89 = "eval($_HEADERS" wide ascii
$pbs90 = ">Infinity-Sh3ll<" ascii
// eval() as the very first statement is only counted within the first 60 bytes (see condition)
$front1 = "<?php eval(" nocase wide ascii
//strings from private rule capa_php_old_safe
$php_short = "<?" wide ascii
// prevent xml and asp from hitting with the short tag
$no_xml1 = "<?xml version" nocase wide ascii
$no_xml2 = "<?xml-stylesheet" nocase wide ascii
$no_asp1 = "<%@LANGUAGE" nocase wide ascii
$no_asp2 = /<script language="(vb|jscript|c#)/ nocase wide ascii
// ascii only (no wide modifier), unlike its $no_* siblings
$no_pdf = "<?xpacket"
// of course the new tags should also match
// already matched by "<?"
$php_new1 = /<\?=[^?]/ wide ascii
$php_new2 = "<?php" nocase wide ascii
$php_new3 = "<script language=\"php" nocase wide ascii
//strings from private rule capa_bin_files
// magic of Android dex/dey files and a PACK header, checked at offset 0 below
$dex1 = "dex\n0"
$dex2 = "dey\n0"
$pack = { 50 41 43 4b 00 00 00 02 00 }
condition:
// under 1000KB, looks like PHP (short tag near start/end and not
// XML/ASP/PDF, or an explicit PHP tag anywhere) ...
filesize < 1000KB and (
(
(
$php_short in (0..100) or
$php_short in (filesize-1000..filesize)
)
and not any of ( $no_* )
)
or any of ( $php_new* )
)
// ... is not a PE, dex/dey, PACK or zip container ...
and not (
uint16(0) == 0x5a4d or
$dex1 at 0 or
$dex2 at 0 or
$pack at 0 or
// fp on jar with zero compression
uint16(0) == 0x4b50
)
// ... and carries any known-shell string, or opens with `<?php eval(`
and
( any of ( $pbs* ) or $front1 in ( 0 .. 60 ) )
}
// Flags PHP files that carry the eval("?>" marker together with at least one
// request-input source. Score 50 reads as "suspicious": meant for triage, not
// as a standalone alert.
rule WEBSHELL_PHP_Strings_SUSP
{
meta:
description = "typical webshell strings, suspicious"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
reference = "Internal Research"
date = "2021/01/12"
modified = "2023-07-05"
score = 50
hash = "0dd568dbe946b5aa4e1d33eab1decbd71903ea04"
hash = "dde2bdcde95730510b22ae8d52e4344997cb1e74"
hash = "499db4d70955f7d40cf5cbaf2ecaf7a2"
hash = "281b66f62db5caab2a6eb08929575ad95628a690"
hash = "1ab3ae4d613b120f9681f6aa8933d66fa38e4886"
id = "25f25df5-4398-562b-9383-e01ccb17e8de"
strings:
// The only "suspicious" marker in this rule; the condition needs 1 of ( $sstring* ).
// Presumably aimed at eval("?>" . $code) constructs - TODO confirm against the listed samples.
$sstring1 = "eval(\"?>\"" nocase wide ascii
//strings from private rule capa_php_old_safe
// Two-byte atom, so the condition only accepts it near the start or the end of
// the file, and vetoes it when any $no_* marker (XML/ASP/PDF) is present.
$php_short = "<?" wide ascii
// prevent xml and asp from hitting with the short tag
$no_xml1 = "<?xml version" nocase wide ascii
$no_xml2 = "<?xml-stylesheet" nocase wide ascii
$no_asp1 = "<%@LANGUAGE" nocase wide ascii
$no_asp2 = /<script language="(vb|jscript|c#)/ nocase wide ascii
$no_pdf = "<?xpacket"
// of course the new tags should also match
// already matched by "<?"
$php_new1 = /<\?=[^?]/ wide ascii
$php_new2 = "<?php" nocase wide ascii
$php_new3 = "<script language=\"php" nocase wide ascii
//strings from private rule php_false_positive
// try to use only strings which would be flagged by themselves as suspicious by other rules, e.g. eval
// a good choice is a string with good atom quality = ideally 4 unusual characters next to each other
// A single $gfp* hit excludes the whole file (see condition), so every entry
// here must stay specific: a generic string would blind the rule.
$gfp1 = "eval(\"return [$serialised_parameter" // elgg
$gfp2 = "$this->assert(strpos($styles, $"
$gfp3 = "$module = new $_GET['module']($_GET['scope']);"
$gfp4 = "$plugin->$_POST['action']($_POST['id']);"
$gfp5 = "$_POST[partition_by]($_POST["
$gfp6 = "$object = new $_REQUEST['type']($_REQUEST['id']);"
$gfp7 = "The above example code can be easily exploited by passing in a string such as" // ... ;)
$gfp8 = "Smarty_Internal_Debug::start_render($_template);"
$gfp9 = "?p4yl04d=UNION%20SELECT%20'<?%20system($_GET['command']);%20?>',2,3%20INTO%20OUTFILE%20'/var/www/w3bsh3ll.php"
$gfp10 = "[][}{;|]\\|\\\\[+=]\\|<?=>?"
$gfp11 = "(eval (getenv \"EPROLOG\")))"
$gfp12 = "ZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9saWNlbnNlLm9wZW5jYXJ0LWFwaS5jb20vbGljZW5zZS5waHA/b3JkZXJ"
//strings from private rule capa_php_input
// Sources of attacker-controlled data; the condition needs any one of them.
$inp1 = "php://input" wide ascii
$inp2 = /_GET\s?\[/ wide ascii
// for passing $_GET to a function
$inp3 = /\(\s?\$_GET\s?\)/ wide ascii
$inp4 = /_POST\s?\[/ wide ascii
$inp5 = /\(\s?\$_POST\s?\)/ wide ascii
$inp6 = /_REQUEST\s?\[/ wide ascii
$inp7 = /\(\s?\$_REQUEST\s?\)/ wide ascii
// PHP automatically adds all the request headers into the $_SERVER global array, prefixing each header name by the "HTTP_" string, so e.g. @eval($_SERVER['HTTP_CMD']) will run any code in the HTTP header CMD
$inp15 = "_SERVER['HTTP_" wide ascii
$inp16 = "_SERVER[\"HTTP_" wide ascii
$inp17 = /getenv[\t ]{0,20}\([\t ]{0,20}['"]HTTP_/ wide ascii
$inp18 = "array_values($_SERVER)" wide ascii
// A remote fetch over HTTP(S) counts as an input source as well.
$inp19 = /file_get_contents\("https?:\/\// wide ascii
condition:
filesize < 700KB and (
// PHP tag check: "<?" within the first 100 or the last 1000 bytes and no
// XML/ASP/PDF marker anywhere, or one of the unambiguous tags anywhere.
(
(
$php_short in (0..100) or
$php_short in (filesize-1000..filesize)
)
and not any of ( $no_* )
)
or any of ( $php_new* )
)
// Known-benign snippets veto the whole file.
and not (
any of ( $gfp* )
)
and
// Both the marker and an input source are required.
( 1 of ( $sstring* ) and (
any of ( $inp* )
)
)
}
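// Catches .htaccess files that register .htaccess itself as a PHP handler, so
// the file body is executed as PHP. One high-confidence literal, hence score 75.
// Tuning note: the literal is exact (no regex), so variant whitespace or a
// different handler MIME type string is not covered.
rule WEBSHELL_PHP_In_Htaccess
{
meta:
description = "Use Apache .htaccess to execute php code inside .htaccess"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
reference = "Internal Research"
score = 75
date = "2021/01/07"
modified = "2023-07-05"
// The sample list previously carried c026d4512a32d93899d486c6f11d1e13b058a713
// twice; the duplicate entry is dropped, the set of samples is unchanged.
hash = "c026d4512a32d93899d486c6f11d1e13b058a713"
hash = "d79e9b13a32a9e9f3fa36aa1a4baf444bfd2599a"
hash = "e1d1091fee6026829e037b2c70c228344955c263"
hash = "8c9e65cd3ef093cd9c5b418dc5116845aa6602bc92b9b5991b27344d8b3f7ef2"
id = "0f5edff9-22b2-50c9-ae81-72698ea8e7db"
strings:
// The handler directive itself, matched as plain text in ascii and UTF-16.
$hta = "AddType application/x-httpd-php .htaccess" wide ascii
condition:
// Size cap keeps the scan cheap; .htaccess files are typically tiny.
filesize < 100KB and $hta
}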
// Flags the "request-array element called as a function, with another
// request-array element as its argument" shape, e.g. $_GET[x]($_GET[y]).
// Unlike the sibling PHP rules there is no PHP-tag check: any file under 500KB
// with one $sr* hit and no $gfp* hit matches.
rule WEBSHELL_PHP_Function_Via_Get
{
meta:
description = "Webshell which sends eval/assert via GET"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
reference = "Internal Research"
score = 75
date = "2021/01/09"
modified = "2023-04-05"
hash = "ce739d65c31b3c7ea94357a38f7bd0dc264da052d4fd93a1eabb257f6e3a97a6"
hash = "d870e971511ea3e082662f8e6ec22e8a8443ca79"
hash = "73fa97372b3bb829835270a5e20259163ecc3fdbf73ef2a99cb80709ea4572be"
id = "5fef1063-2f9f-516e-86f6-cfd98bb05e6e"
strings:
// .{1,30} bounds the array key between the brackets; \s? tolerates a single
// space before the opening bracket. All four GET/POST combinations are covered.
$sr0 = /\$_GET\s?\[.{1,30}\]\(\$_GET\s?\[/ wide ascii
$sr1 = /\$_POST\s?\[.{1,30}\]\(\$_GET\s?\[/ wide ascii
$sr2 = /\$_POST\s?\[.{1,30}\]\(\$_POST\s?\[/ wide ascii
$sr3 = /\$_GET\s?\[.{1,30}\]\(\$_POST\s?\[/ wide ascii
$sr4 = /\$_REQUEST\s?\[.{1,30}\]\(\$_REQUEST\s?\[/ wide ascii
// Header-driven variant: $_SERVER[HTTP_x]($_SERVER[HTTP_y]), unquoted keys only.
$sr5 = /\$_SERVER\s?\[HTTP_.{1,30}\]\(\$_SERVER\s?\[HTTP_/ wide ascii
//strings from private rule php_false_positive
// try to use only strings which would be flagged by themselves as suspicious by other rules, e.g. eval
// a good choice is a string with good atom quality = ideally 4 unusual characters next to each other
// $gfp3, $gfp4 and $gfp6 have exactly the $sr* shape; a single $gfp* hit
// excludes the whole file (see condition), which is the only FP control here.
$gfp1 = "eval(\"return [$serialised_parameter" // elgg
$gfp2 = "$this->assert(strpos($styles, $"
$gfp3 = "$module = new $_GET['module']($_GET['scope']);"
$gfp4 = "$plugin->$_POST['action']($_POST['id']);"
$gfp5 = "$_POST[partition_by]($_POST["
$gfp6 = "$object = new $_REQUEST['type']($_REQUEST['id']);"
$gfp7 = "The above example code can be easily exploited by passing in a string such as" // ... ;)
$gfp8 = "Smarty_Internal_Debug::start_render($_template);"
$gfp9 = "?p4yl04d=UNION%20SELECT%20'<?%20system($_GET['command']);%20?>',2,3%20INTO%20OUTFILE%20'/var/www/w3bsh3ll.php"
$gfp10 = "[][}{;|]\\|\\\\[+=]\\|<?=>?"
$gfp11 = "(eval (getenv \"EPROLOG\")))"
$gfp12 = "ZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9saWNlbnNlLm9wZW5jYXJ0LWFwaS5jb20vbGljZW5zZS5waHA/b3JkZXJ"
condition:
// No tag check: size cap, exclusion list and one $sr* hit are the whole test.
filesize < 500KB and not (
any of ( $gfp* )
)
and any of ( $sr* )
}
// Small PHP uploaders: a PHP tag, an input source and a file-write primitive,
// restricted to very small files (< 400 bytes) or small files (< 4000 bytes)
// that also carry one $sus* marker. The size cap is the main FP control, since
// the write primitives are common words.
rule WEBSHELL_PHP_Writer
{
meta:
description = "PHP webshell which only writes an uploaded file to disk"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
reference = "Internal Research"
date = "2021/04/17"
modified = "2023-07-05"
score = 50
hash = "ec83d69512aa0cc85584973f5f0850932fb1949fb5fb2b7e6e5bbfb121193637"
hash = "407c15f94a33232c64ddf45f194917fabcd2e83cf93f38ee82f9720e2635fa64"
hash = "988b125b6727b94ce9a27ea42edc0ce282c5dfeb"
hash = "0ce760131787803bbef216d0ee9b5eb062633537"
hash = "20281d16838f707c86b1ff1428a293ed6aec0e97"
id = "05bb3e0c-69b2-5176-a3eb-e6ba2d72a205"
strings:
// Extra markers; only needed for files in the 400..4000 byte band (see condition).
$sus3 = "'upload'" wide ascii
$sus4 = "\"upload\"" wide ascii
$sus5 = "\"Upload\"" wide ascii
$sus6 = "gif89" wide ascii
//$sus13= "<textarea " wide ascii
$sus16= "Army" fullword wide ascii
$sus17= "error_reporting( 0 )" wide ascii
// Two string literals joined by a dot; presumably split-string obfuscation - TODO confirm.
$sus18= "' . '" wide ascii
//strings from private rule capa_php_old_safe
// Two-byte atom, so the condition only accepts it near the start or the end of
// the file, and vetoes it when any $no_* marker (XML/ASP/PDF) is present.
$php_short = "<?" wide ascii
// prevent xml and asp from hitting with the short tag
$no_xml1 = "<?xml version" nocase wide ascii
$no_xml2 = "<?xml-stylesheet" nocase wide ascii
$no_asp1 = "<%@LANGUAGE" nocase wide ascii
$no_asp2 = /<script language="(vb|jscript|c#)/ nocase wide ascii
$no_pdf = "<?xpacket"
// of course the new tags should also match
// already matched by "<?"
$php_new1 = /<\?=[^?]/ wide ascii
$php_new2 = "<?php" nocase wide ascii
$php_new3 = "<script language=\"php" nocase wide ascii
//strings from private rule capa_php_input
// Sources of attacker-controlled data; the condition needs any one of them.
$inp1 = "php://input" wide ascii
$inp2 = /_GET\s?\[/ wide ascii
// for passing $_GET to a function
$inp3 = /\(\s?\$_GET\s?\)/ wide ascii
$inp4 = /_POST\s?\[/ wide ascii
$inp5 = /\(\s?\$_POST\s?\)/ wide ascii
$inp6 = /_REQUEST\s?\[/ wide ascii
$inp7 = /\(\s?\$_REQUEST\s?\)/ wide ascii
// PHP automatically adds all the request headers into the $_SERVER global array, prefixing each header name by the "HTTP_" string, so e.g. @eval($_SERVER['HTTP_CMD']) will run any code in the HTTP header CMD
$inp15 = "_SERVER['HTTP_" wide ascii
$inp16 = "_SERVER[\"HTTP_" wide ascii
$inp17 = /getenv[\t ]{0,20}\([\t ]{0,20}['"]HTTP_/ wide ascii
$inp18 = "array_values($_SERVER)" wide ascii
$inp19 = /file_get_contents\("https?:\/\// wide ascii
//strings from private rule capa_php_write_file
// fopen( and fwrite( only count together (all of); one alone is not a write.
$php_multi_write1 = "fopen(" wide ascii
$php_multi_write2 = "fwrite(" wide ascii
$php_write1 = "move_uploaded_file" fullword wide ascii
// fullword only asks for word boundaries, so "copy" in prose or a comment
// qualifies too; the size cap in the condition is what keeps this tolerable.
$php_write2 = "copy" fullword wide ascii
condition:
//any of them or
// PHP tag check: "<?" within the first 100 or the last 1000 bytes and no
// XML/ASP/PDF marker anywhere, or one of the unambiguous tags anywhere.
(
(
(
$php_short in (0..100) or
$php_short in (filesize-1000..filesize)
)
and not any of ( $no_* )
)
or any of ( $php_new* )
)
and (
any of ( $inp* )
)
and (
any of ( $php_write* ) or
all of ( $php_multi_write* )
)
and
// Size gate: tiny files match outright, small ones need one extra marker.
(
filesize < 400 or
(
filesize < 4000 and 1 of ( $sus* )
)
)
}
// ASP counterpart of WEBSHELL_PHP_Writer: an ASP tag (and no PHP/JSP/Perl
// markers), an input source, a write primitive, and a size gate (< 400 bytes
// outright, < 6000 bytes with one $sus* marker).
rule WEBSHELL_ASP_Writer
{
meta:
description = "ASP webshell which only writes an uploaded file to disk"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
reference = "Internal Research"
date = "2021/03/07"
modified = "2023-07-05"
score = 60
hash = "df6eaba8d643c49c6f38016531c88332e80af33c"
hash = "83642a926291a499916e8c915dacadd0d5a8b91f"
hash = "5417fad68a6f7320d227f558bf64657fe3aa9153"
hash = "97d9f6c411f54b56056a145654cd00abca2ff871"
hash = "fc44fd7475ee6c0758ace2b17dd41ed7ea75cc73"
id = "a1310e22-f485-5f06-8f1a-4cf9ae8413a1"
strings:
// Extra markers; only needed for files in the 400..6000 byte band (see condition).
// $sus1/$sus2 are very common words, which is why they only act as tie-breakers.
$sus1 = "password" fullword wide ascii
$sus2 = "pwd" fullword wide ascii
$sus3 = "<asp:TextBox" fullword nocase wide ascii
$sus4 = "\"upload\"" wide ascii
$sus5 = "\"Upload\"" wide ascii
$sus6 = "gif89" wide ascii
$sus7 = "\"&\"" wide ascii
$sus8 = "authkey" fullword wide ascii
$sus9 = "AUTHKEY" fullword wide ascii
$sus10= "test.asp" fullword wide ascii
$sus11= "cmd.asp" fullword wide ascii
$sus12= ".Write(Request." wide ascii
$sus13= "<textarea " wide ascii
$sus14= "\"unsafe" fullword wide ascii
$sus15= "'unsafe" fullword wide ascii
$sus16= "Army" fullword wide ascii
//strings from private rule capa_asp
// Tag detection: the short tags are weak atoms and are therefore combined
// with position checks in the condition; the $tagasp_long* forms and the
// COM class ids count on their own.
$tagasp_short1 = /<%[^"]/ wide ascii
// also looking for %> to reduce fp (yeah, short atom but seldom since special chars)
$tagasp_short2 = "%>" wide ascii
// classids for scripting host etc
$tagasp_classid1 = "72C24DD5-D70A-438B-8A42-98424B88AFB8" nocase wide ascii
$tagasp_classid2 = "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B" nocase wide ascii
$tagasp_classid3 = "093FF999-1EA0-4079-9525-9614C3504B74" nocase wide ascii
$tagasp_classid4 = "F935DC26-1CF0-11D0-ADB9-00C04FD58A0B" nocase wide ascii
$tagasp_classid5 = "0D43FE01-F093-11CF-8940-00A0C9054228" nocase wide ascii
$tagasp_long10 = "<%@ " wide ascii
// <% eval
$tagasp_long11 = /<% \w/ nocase wide ascii
$tagasp_long12 = "<%ex" nocase wide ascii
$tagasp_long13 = "<%ev" nocase wide ascii
// <%@ LANGUAGE = VBScript.encode%>
// <%@ Language = "JScript" %>
// <%@ WebHandler Language="C#" class="Handler" %>
// <%@ WebService Language="C#" Class="Service" %>
// <%@Page Language="Jscript"%>
// <%@ Page Language = Jscript %>
// <%@PAGE LANGUAGE=JSCRIPT%>
// <%@ Page Language="Jscript" validateRequest="false" %>
// <%@ Page Language = Jscript %>
// <%@ Page Language="C#" %>
// <%@ Page Language="VB" ContentType="text/html" validaterequest="false" AspCompat="true" Debug="true" %>
// <script runat="server" language="JScript">
// <SCRIPT RUNAT=SERVER LANGUAGE=JSCRIPT>
// <SCRIPT RUNAT=SERVER LANGUAGE=JSCRIPT>
// <msxsl:script language="JScript" ...
$tagasp_long20 = /<(%|script|msxsl:script).{0,60}language="?(vb|jscript|c#)/ nocase wide ascii
// Case-exact lower and upper forms (no nocase); mixed case is not covered by these two.
$tagasp_long32 = /<script\s{1,30}runat=/ wide ascii
$tagasp_long33 = /<SCRIPT\s{1,30}RUNAT=/ wide ascii
// avoid hitting php
$php1 = "<?php"
$php2 = "<?="
// avoid hitting jsp
// Exclusion needs one of $jsp1..3 AND one of $jsp4..7 (see the counts in the
// condition); the generic words alone do not exclude a file.
$jsp1 = "=\"java." wide ascii
$jsp2 = "=\"javax." wide ascii
$jsp3 = "java.lang." wide ascii
$jsp4 = "public" fullword wide ascii
$jsp5 = "throws" fullword wide ascii
$jsp6 = "getValue" fullword wide ascii
$jsp7 = "getBytes" fullword wide ascii
$perl1 = "PerlScript" fullword
//strings from private rule capa_asp_input
// Request.BinaryRead
// Request.Form
// "request" as a bare word is a broad input marker; the alternatives below
// (XMLHTTP with a method, or a form with a text control) cover the rest.
$asp_input1 = "request" fullword nocase wide ascii
$asp_input2 = "Page_Load" fullword nocase wide ascii
// base64 of Request.Form(
$asp_input3 = "UmVxdWVzdC5Gb3JtK" fullword wide ascii
$asp_xml_http = "Microsoft.XMLHTTP" fullword nocase wide ascii
$asp_xml_method1 = "GET" fullword wide ascii
$asp_xml_method2 = "POST" fullword wide ascii
$asp_xml_method3 = "HEAD" fullword wide ascii
// dynamic form
$asp_form1 = "<form " wide ascii
$asp_form2 = "<Form " wide ascii
$asp_form3 = "<FORM " wide ascii
$asp_asp = "<asp:" wide ascii
$asp_text1 = ".text" wide ascii
$asp_text2 = ".Text" wide ascii
//strings from private rule capa_asp_write_file
// $asp_write1 = "ADODB.Stream" wide ascii # just a string, can be easily obfuscated
$asp_always_write1 = /\.write/ nocase wide ascii
$asp_always_write2 = /\.swrite/ nocase wide ascii
//$asp_write_way_one1 = /\.open\b/ nocase wide ascii
$asp_write_way_one2 = "SaveToFile" fullword nocase wide ascii
// Odd casing is irrelevant here because of nocase.
$asp_write_way_one3 = "CREAtEtExtFiLE" fullword nocase wide ascii
$asp_cr_write1 = "CreateObject(" nocase wide ascii
$asp_cr_write2 = "CreateObject (" nocase wide ascii
$asp_streamwriter1 = "streamwriter" fullword nocase wide ascii
$asp_streamwriter2 = "filestream" fullword nocase wide ascii
condition:
// Group 1: ASP tag present, and no PHP/JSP/Perl markers.
(
(
any of ( $tagasp_long* ) or
// TODO : yara_push_private_rules.py doesn't do private rules in private rules yet
any of ( $tagasp_classid* ) or
(
$tagasp_short1 and
$tagasp_short2 in ( filesize-100..filesize )
) or (
$tagasp_short2 and (
$tagasp_short1 in ( 0..1000 ) or
$tagasp_short1 in ( filesize-1000..filesize )
)
)
) and not (
(
any of ( $perl* ) or
$php1 at 0 or
$php2 at 0
) or (
( #jsp1 + #jsp2 + #jsp3 ) > 0 and ( #jsp4 + #jsp5 + #jsp6 + #jsp7 ) > 0
)
)
)
// Group 2: an input source.
and (
any of ( $asp_input* ) or
(
$asp_xml_http and
any of ( $asp_xml_method* )
) or
(
any of ( $asp_form* ) and
any of ( $asp_text* ) and
$asp_asp
)
)
// Group 3: a write primitive. NOTE: 'and' binds tighter than 'or' in YARA, so
// this reads as (always_write AND way_one AND cr_write) OR streamwriter: a
// $asp_streamwriter* hit alone satisfies the group without any $asp_always_write*.
// Presumably intended (it mirrors the expanded private rule) - confirm at the source.
and (
any of ( $asp_always_write* ) and
(
any of ( $asp_write_way_one* ) and
any of ( $asp_cr_write* )
) or (
any of ( $asp_streamwriter* )
)
)
and
// Group 4: size gate; tiny files match outright, small ones need one $sus* marker.
( filesize < 400 or
( filesize < 6000 and 1 of ( $sus* ) ) )
}
// Obfuscated ASP webshells. Overall shape of the condition (see the comments
// inside it): ASP tag and no other-language markers, then EITHER a
// payload-or-write capability combined with obfuscation counters / $asp_obf*
// markers, OR the "obviously obfuscated" $oo* thresholds on their own, and
// finally no known-FP string.
rule WEBSHELL_ASP_OBFUSC
{
meta:
description = "ASP webshell obfuscated"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
reference = "Internal Research"
score = 75
date = "2021/01/12"
modified = "2023-07-05"
hash = "ad597eee256de51ffb36518cd5f0f4aa0f254f27517d28fb7543ae313b15e112"
hash = "e0d21fdc16e0010b88d0197ebf619faa4aeca65243f545c18e10859469c1805a"
hash = "54a5620d4ea42e41beac08d8b1240b642dd6fd7c"
hash = "fc44fd7475ee6c0758ace2b17dd41ed7ea75cc73"
hash = "be2fedc38fc0c3d1f925310d5156ccf3d80f1432"
hash = "3175ee00fc66921ebec2e7ece8aa3296d4275cb5"
hash = "d6b96d844ac395358ee38d4524105d331af42ede"
hash = "cafc4ede15270ab3f53f007c66e82627a39f4d0f"
id = "3960b692-9f6f-52c5-b881-6f9e1b3ac555"
strings:
// Fixed obfuscation fragments (comment tricks and split keywords such as
// "e"+"v"...); any one of them stands in for the counter thresholds below.
$asp_obf1 = "/*-/*-*/" wide ascii
$asp_obf2 = "u\"+\"n\"+\"s" wide ascii
$asp_obf3 = "\"e\"+\"v" wide ascii
$asp_obf4 = "a\"+\"l\"" wide ascii
$asp_obf5 = "\"+\"(\"+\"" wide ascii
$asp_obf6 = "q\"+\"u\"" wide ascii
$asp_obf7 = "\"u\"+\"e" wide ascii
$asp_obf8 = "/*//*/" wide ascii
//strings from private rule capa_asp
// Tag detection: the short tags are weak atoms and are therefore combined
// with position checks in the condition; the $tagasp_long* forms and the
// COM class ids count on their own.
$tagasp_short1 = /<%[^"]/ wide ascii
// also looking for %> to reduce fp (yeah, short atom but seldom since special chars)
$tagasp_short2 = "%>" wide ascii
// classids for scripting host etc
$tagasp_classid1 = "72C24DD5-D70A-438B-8A42-98424B88AFB8" nocase wide ascii
$tagasp_classid2 = "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B" nocase wide ascii
$tagasp_classid3 = "093FF999-1EA0-4079-9525-9614C3504B74" nocase wide ascii
$tagasp_classid4 = "F935DC26-1CF0-11D0-ADB9-00C04FD58A0B" nocase wide ascii
$tagasp_classid5 = "0D43FE01-F093-11CF-8940-00A0C9054228" nocase wide ascii
$tagasp_long10 = "<%@ " wide ascii
// <% eval
$tagasp_long11 = /<% \w/ nocase wide ascii
$tagasp_long12 = "<%ex" nocase wide ascii
$tagasp_long13 = "<%ev" nocase wide ascii
// <%@ LANGUAGE = VBScript.encode%>
// <%@ Language = "JScript" %>
// <%@ WebHandler Language="C#" class="Handler" %>
// <%@ WebService Language="C#" Class="Service" %>
// <%@Page Language="Jscript"%>
// <%@ Page Language = Jscript %>
// <%@PAGE LANGUAGE=JSCRIPT%>
// <%@ Page Language="Jscript" validateRequest="false" %>
// <%@ Page Language = Jscript %>
// <%@ Page Language="C#" %>
// <%@ Page Language="VB" ContentType="text/html" validaterequest="false" AspCompat="true" Debug="true" %>
// <script runat="server" language="JScript">
// <SCRIPT RUNAT=SERVER LANGUAGE=JSCRIPT>
// <SCRIPT RUNAT=SERVER LANGUAGE=JSCRIPT>
// <msxsl:script language="JScript" ...
$tagasp_long20 = /<(%|script|msxsl:script).{0,60}language="?(vb|jscript|c#)/ nocase wide ascii
// Case-exact lower and upper forms (no nocase); mixed case is not covered by these two.
$tagasp_long32 = /<script\s{1,30}runat=/ wide ascii
$tagasp_long33 = /<SCRIPT\s{1,30}RUNAT=/ wide ascii
// avoid hitting php
$php1 = "<?php"
$php2 = "<?="
// avoid hitting jsp
// Exclusion needs one of $jsp1..3 AND one of $jsp4..7 (see the counts in the condition).
$jsp1 = "=\"java." wide ascii
$jsp2 = "=\"javax." wide ascii
$jsp3 = "java.lang." wide ascii
$jsp4 = "public" fullword wide ascii
$jsp5 = "throws" fullword wide ascii
$jsp6 = "getValue" fullword wide ascii
$jsp7 = "getBytes" fullword wide ascii
$perl1 = "PerlScript" fullword
//strings from private rule capa_asp_payload
// Single-string code-execution markers; any one is enough for the payload group.
$asp_payload0 = "eval_r" fullword nocase wide ascii
$asp_payload1 = /\beval\s/ nocase wide ascii
$asp_payload2 = /\beval\(/ nocase wide ascii
$asp_payload3 = /\beval\"\"/ nocase wide ascii
// var Fla = {'E':eval}; Fla.E(code)
$asp_payload4 = /:\s{0,10}eval\b/ nocase wide ascii
$asp_payload8 = /\bexecute\s?\(/ nocase wide ascii
$asp_payload9 = /\bexecute\s[\w"]/ nocase wide ascii
$asp_payload11 = "WSCRIPT.SHELL" fullword nocase wide ascii
$asp_payload13 = "ExecuteGlobal" fullword nocase wide ascii
$asp_payload14 = "ExecuteStatement" fullword nocase wide ascii
// NOTE(review): $asp_payload15 duplicates $asp_payload14 (same string, same
// modifiers). Harmless under "any of", presumably inherited from the private
// rule capa_asp_payload - dedupe there rather than in this expanded copy.
$asp_payload15 = "ExecuteStatement" fullword nocase wide ascii
// Multi-string markers: each _one/_two/... group only counts when ALL of its
// members are present. "CreateObject" appears in two groups on purpose.
$asp_multi_payload_one1 = "CreateObject" nocase fullword wide ascii
$asp_multi_payload_one2 = "addcode" fullword wide ascii
$asp_multi_payload_one3 = /\.run\b/ wide ascii
$asp_multi_payload_two1 = "CreateInstanceFromVirtualPath" fullword wide ascii
$asp_multi_payload_two2 = "ProcessRequest" fullword wide ascii
$asp_multi_payload_two3 = "BuildManager" fullword wide ascii
$asp_multi_payload_three1 = "System.Diagnostics" wide ascii
$asp_multi_payload_three2 = "Process" fullword wide ascii
$asp_multi_payload_three3 = ".Start" wide ascii
// this is about "MSXML2.DOMDocument" but since that's easily obfuscated, lets not search for it
$asp_multi_payload_four1 = "CreateObject" fullword nocase wide ascii
$asp_multi_payload_four2 = "TransformNode" fullword nocase wide ascii
$asp_multi_payload_four3 = "loadxml" fullword nocase wide ascii
// execute cmd.exe /c with arguments using ProcessStartInfo
$asp_multi_payload_five1 = "ProcessStartInfo" fullword nocase wide ascii
$asp_multi_payload_five2 = ".Start" nocase wide ascii
$asp_multi_payload_five3 = ".Filename" nocase wide ascii
$asp_multi_payload_five4 = ".Arguments" nocase wide ascii
//strings from private rule capa_asp_write_file
// $asp_write1 = "ADODB.Stream" wide ascii # just a string, can be easily obfuscated
$asp_always_write1 = /\.write/ nocase wide ascii
$asp_always_write2 = /\.swrite/ nocase wide ascii
//$asp_write_way_one1 = /\.open\b/ nocase wide ascii
$asp_write_way_one2 = "SaveToFile" fullword nocase wide ascii
$asp_write_way_one3 = "CREAtEtExtFiLE" fullword nocase wide ascii
$asp_cr_write1 = "CreateObject(" nocase wide ascii
$asp_cr_write2 = "CreateObject (" nocase wide ascii
$asp_streamwriter1 = "streamwriter" fullword nocase wide ascii
$asp_streamwriter2 = "filestream" fullword nocase wide ascii
//strings from private rule capa_asp_obfuscation_multi
// many Chr or few and a loop????
//$loop1 = "For "
//$o1 = "chr(" nocase wide ascii
//$o2 = "chr (" nocase wide ascii
// not excactly a string function but also often used in obfuscation
// In YARA "\\x8" is the three characters \x8, i.e. these match hex/octal escape
// sequences as written in the source text; the condition counts occurrences (#o*).
$o4 = "\\x8" wide ascii
$o5 = "\\x9" wide ascii
// just picking some random numbers because they should appear often enough in a long obfuscated blob and it's faster than a regex
$o6 = "\\61" wide ascii
$o7 = "\\44" wide ascii
$o8 = "\\112" wide ascii
$o9 = "\\120" wide ascii
//$o10 = " & \"" wide ascii
//$o11 = " += \"" wide ascii
// used for e.g. "scr"&"ipt"
// String-manipulation calls, counted in the condition for small files only.
$m_multi_one1 = "Replace(" wide ascii
$m_multi_one2 = "Len(" wide ascii
$m_multi_one3 = "Mid(" wide ascii
$m_multi_one4 = "mid(" wide ascii
$m_multi_one5 = ".ToString(" wide ascii
/*
$m_multi_one5 = "InStr(" wide ascii
$m_multi_one6 = "Function" wide ascii
$m_multi_two1 = "for each" wide ascii
$m_multi_two2 = "split(" wide ascii
$m_multi_two3 = " & chr(" wide ascii
$m_multi_two4 = " & Chr(" wide ascii
$m_multi_two5 = " & Chr (" wide ascii
$m_multi_three1 = "foreach" fullword wide ascii
$m_multi_three2 = "(char" wide ascii
$m_multi_four1 = "FromBase64String(" wide ascii
$m_multi_four2 = ".Replace(" wide ascii
$m_multi_five1 = "String.Join(\"\"," wide ascii
$m_multi_five2 = ".Trim(" wide ascii
$m_any1 = " & \"2" wide ascii
$m_any2 = " += \"2" wide ascii
*/
// Known-FP strings; any hit vetoes the whole rule (last clause of the condition).
$m_fp1 = "Author: Andre Teixeira - andret@microsoft.com" /* FPs with 0227f4c366c07c45628b02bae6b4ad01 */
$m_fp2 = "DataBinder.Eval(Container.DataItem" ascii wide
//strings from private rule capa_asp_obfuscation_obviously
// $oo1: a word split across two quoted literals joined with &, e.g. "scr"&"ipt".
$oo1 = /\w\"&\"\w/ wide ascii
$oo2 = "*/\").Replace(\"/*" wide ascii
condition:
// Outer size cap; the inner "filesize < 100KB" checks are redundant with it.
filesize < 100KB and (
// ASP tag present, and no PHP/JSP/Perl markers.
(
any of ( $tagasp_long* ) or
// TODO : yara_push_private_rules.py doesn't do private rules in private rules yet
any of ( $tagasp_classid* ) or
(
$tagasp_short1 and
$tagasp_short2 in ( filesize-100..filesize )
) or (
$tagasp_short2 and (
$tagasp_short1 in ( 0..1000 ) or
$tagasp_short1 in ( filesize-1000..filesize )
)
)
) and not (
(
any of ( $perl* ) or
$php1 at 0 or
$php2 at 0
) or (
( #jsp1 + #jsp2 + #jsp3 ) > 0 and ( #jsp4 + #jsp5 + #jsp6 + #jsp7 ) > 0
)
)
)
and
// Bracketing below reads as: ( (payload OR write) AND (counters OR $asp_obf*) )
// OR ( $oo* thresholds ). The $oo* branch therefore stands on its own and does
// not require a payload/write hit. If the intent was to require it there too,
// the parentheses would need to change - confirm against the source private rules.
( ( (
any of ( $asp_payload* ) or
all of ( $asp_multi_payload_one* ) or
all of ( $asp_multi_payload_two* ) or
all of ( $asp_multi_payload_three* ) or
all of ( $asp_multi_payload_four* ) or
all of ( $asp_multi_payload_five* )
)
or (
// 'and' binds tighter than 'or': a $asp_streamwriter* hit alone satisfies this.
any of ( $asp_always_write* ) and
(
any of ( $asp_write_way_one* ) and
any of ( $asp_cr_write* )
) or (
any of ( $asp_streamwriter* )
)
)
) and
// Obfuscation counters, with thresholds that drop as the file gets smaller.
( (
(
filesize < 100KB and
(
//( #o1+#o2 ) > 50 or
( #o4+#o5+#o6+#o7+#o8+#o9 ) > 20
)
) or (
filesize < 5KB and
(
//( #o1+#o2 ) > 10 or
( #o4+#o5+#o6+#o7+#o8+#o9 ) > 5 or
(
//( #o1+#o2 ) > 1 and
( #m_multi_one1 + #m_multi_one2 + #m_multi_one3 + #m_multi_one4 + #m_multi_one5 ) > 3
)
)
) or (
filesize < 700 and
(
//( #o1+#o2 ) > 1 or
( #o4+#o5+#o6+#o7+#o8+#o9 ) > 3 or
( #m_multi_one1 + #m_multi_one2 + #m_multi_one3 + #m_multi_one4 + #m_multi_one5 ) > 2
)
)
)
or any of ( $asp_obf* ) ) or (
// "Obviously obfuscated" branch: $oo1 count thresholds by size, or $oo2.
(
filesize < 100KB and
(
( #oo1 ) > 2 or
$oo2
)
) or (
filesize < 25KB and
(
( #oo1 ) > 1
)
) or (
filesize < 1KB and
(
( #oo1 ) > 0
)
)
)
)
and not any of ( $m_fp* )
}
// Flags eval/execute/ExecuteGlobal applied directly to request(...) in ASP.
// Two ways in: an ASP-tagged file under 1100KB (no PHP/JSP/Perl markers), or
// a file under 100 bytes where the pattern alone is enough.
rule WEBSHELL_ASP_Generic_Eval_On_Input
{
meta:
description = "Generic ASP webshell which uses any eval/exec function directly on user input"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
reference = "Internal Research"
score = 75
date = "2021/01/07"
modified = "2023-04-05"
hash = "d6b96d844ac395358ee38d4524105d331af42ede"
hash = "9be2088d5c3bfad9e8dfa2d7d7ba7834030c7407"
hash = "a1df4cfb978567c4d1c353e988915c25c19a0e4a"
hash = "069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6"
id = "0904cefb-6e0f-5e5f-9986-cf83d409ce46"
strings:
// Payload and input in one regex: \b anchors the keyword, the bounded
// whitespace/paren run keeps the atom close to the request( call.
$payload_and_input0 = /\beval_r\s{0,20}\(Request\(/ nocase wide ascii
$payload_and_input1 = /\beval[\s\(]{1,20}request[.\(\[]/ nocase wide ascii
$payload_and_input2 = /\bexecute[\s\(]{1,20}request\(/ nocase wide ascii
$payload_and_input4 = /\bExecuteGlobal\s{1,20}request\(/ nocase wide ascii
//strings from private rule capa_asp
// Tag detection: the short tags are weak atoms and are therefore combined
// with position checks in the condition; the $tagasp_long* forms and the
// COM class ids count on their own.
$tagasp_short1 = /<%[^"]/ wide ascii
// also looking for %> to reduce fp (yeah, short atom but seldom since special chars)
$tagasp_short2 = "%>" wide ascii
// classids for scripting host etc
$tagasp_classid1 = "72C24DD5-D70A-438B-8A42-98424B88AFB8" nocase wide ascii
$tagasp_classid2 = "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B" nocase wide ascii
$tagasp_classid3 = "093FF999-1EA0-4079-9525-9614C3504B74" nocase wide ascii
$tagasp_classid4 = "F935DC26-1CF0-11D0-ADB9-00C04FD58A0B" nocase wide ascii
$tagasp_classid5 = "0D43FE01-F093-11CF-8940-00A0C9054228" nocase wide ascii
$tagasp_long10 = "<%@ " wide ascii
// <% eval
$tagasp_long11 = /<% \w/ nocase wide ascii
$tagasp_long12 = "<%ex" nocase wide ascii
$tagasp_long13 = "<%ev" nocase wide ascii
// <%@ LANGUAGE = VBScript.encode%>
// <%@ Language = "JScript" %>
// <%@ WebHandler Language="C#" class="Handler" %>
// <%@ WebService Language="C#" Class="Service" %>
// <%@Page Language="Jscript"%>
// <%@ Page Language = Jscript %>
// <%@PAGE LANGUAGE=JSCRIPT%>
// <%@ Page Language="Jscript" validateRequest="false" %>
// <%@ Page Language = Jscript %>
// <%@ Page Language="C#" %>
// <%@ Page Language="VB" ContentType="text/html" validaterequest="false" AspCompat="true" Debug="true" %>
// <script runat="server" language="JScript">
// <SCRIPT RUNAT=SERVER LANGUAGE=JSCRIPT>
// <SCRIPT RUNAT=SERVER LANGUAGE=JSCRIPT>
// <msxsl:script language="JScript" ...
$tagasp_long20 = /<(%|script|msxsl:script).{0,60}language="?(vb|jscript|c#)/ nocase wide ascii
// Case-exact lower and upper forms (no nocase); mixed case is not covered by these two.
$tagasp_long32 = /<script\s{1,30}runat=/ wide ascii
$tagasp_long33 = /<SCRIPT\s{1,30}RUNAT=/ wide ascii
// avoid hitting php
$php1 = "<?php"
$php2 = "<?="
// avoid hitting jsp
// Exclusion needs one of $jsp1..3 AND one of $jsp4..7 (see the counts in the condition).
$jsp1 = "=\"java." wide ascii
$jsp2 = "=\"javax." wide ascii
$jsp3 = "java.lang." wide ascii
$jsp4 = "public" fullword wide ascii
$jsp5 = "throws" fullword wide ascii
$jsp6 = "getValue" fullword wide ascii
$jsp7 = "getBytes" fullword wide ascii
$perl1 = "PerlScript" fullword
condition:
// Branch 1: ASP-tagged file (no PHP/JSP/Perl markers) with one payload regex.
( filesize < 1100KB and (
(
any of ( $tagasp_long* ) or
// TODO : yara_push_private_rules.py doesn't do private rules in private rules yet
any of ( $tagasp_classid* ) or
(
$tagasp_short1 and
$tagasp_short2 in ( filesize-100..filesize )
) or (
$tagasp_short2 and (
$tagasp_short1 in ( 0..1000 ) or
$tagasp_short1 in ( filesize-1000..filesize )
)
)
) and not (
(
any of ( $perl* ) or
$php1 at 0 or
$php2 at 0
) or (
( #jsp1 + #jsp2 + #jsp3 ) > 0 and ( #jsp4 + #jsp5 + #jsp6 + #jsp7 ) > 0
)
)
)
and any of ( $payload_and_input* ) ) or
// Branch 2: tiny snippets (< 100 bytes) need no tag at all.
( filesize < 100 and any of ( $payload_and_input* ) )
}
rule WEBSHELL_ASP_Nano
{
meta:
description = "Generic ASP webshell which uses any eval/exec function"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
reference = "Internal Research"
score = 75
date = "2021/01/13"
modified = "2023-04-05"
hash = "3b7910a499c603715b083ddb6f881c1a0a3a924d"
hash = "990e3f129b8ba409a819705276f8fa845b95dad0"
hash = "22345e956bce23304f5e8e356c423cee60b0912c"
hash = "c84a6098fbd89bd085526b220d0a3f9ab505bcba"
hash = "b977c0ad20dc738b5dacda51ec8da718301a75d7"
hash = "c69df00b57fd127c7d4e0e2a40d2f6c3056e0af8bfb1925938060b7e0d8c630f"
hash = "f3b39a5da1cdde9acde077208e8e5b27feb973514dab7f262c7c6b2f8f11eaa7"
hash = "0e9d92807d990144c637d8b081a6a90a74f15c7337522874cf6317092ea2d7c1"
hash = "ebbc485e778f8e559ef9c66f55bb01dc4f5dcce9c31ccdd150e2c702c4b5d9e1"
hash = "44b4068bfbbb8961e16bae238ad23d181ac9c8e4fcb4b09a66bbcd934d2d39ee"
hash = "c5a4e188780b5513f34824904d56bf6e364979af6782417ccc5e5a8a70b4a95a"
hash = "41a3cc668517ec207c990078bccfc877e239b12a7ff2abe55ff68352f76e819c"
hash = "2faad5944142395794e5e6b90a34a6204412161f45e130aeb9c00eff764f65fc"
hash = "d0c5e641120b8ea70a363529843d9f393074c54af87913b3ab635189fb0c84cb"
hash = "28cfcfe28419a399c606bf96505bc68d6fe05624dba18306993f9fe0d398fbe1"
id = "5f2f24c2-159d-51e1-80d9-11eeb77e8760"
strings:
$susasp1 = "/*-/*-*/"
$susasp2 = "(\"%1"
$susasp3 = /[Cc]hr\([Ss]tr\(/
$susasp4 = "cmd.exe"
$susasp5 = "cmd /c"
$susasp7 = "FromBase64String"
// Request and request in b64:
$susasp8 = "UmVxdWVzdC"
$susasp9 = "cmVxdWVzdA"
$susasp10 = "/*//*/"
$susasp11 = "(\"/*/\""
$susasp12 = "eval(eval("
$fp1 = "eval a"
$fp2 = "'Eval'"
$fp3 = "Eval(\""
//strings from private rule capa_asp
$tagasp_short1 = /<%[^"]/ wide ascii
// also looking for %> to reduce fp (yeah, short atom but seldom since special chars)
$tagasp_short2 = "%>" wide ascii
// classids for scripting host etc
$tagasp_classid1 = "72C24DD5-D70A-438B-8A42-98424B88AFB8" nocase wide ascii
$tagasp_classid2 = "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B" nocase wide ascii
$tagasp_classid3 = "093FF999-1EA0-4079-9525-9614C3504B74" nocase wide ascii
$tagasp_classid4 = "F935DC26-1CF0-11D0-ADB9-00C04FD58A0B" nocase wide ascii
$tagasp_classid5 = "0D43FE01-F093-11CF-8940-00A0C9054228" nocase wide ascii
$tagasp_long10 = "<%@ " wide ascii
// <% eval
$tagasp_long11 = /<% \w/ nocase wide ascii
$tagasp_long12 = "<%ex" nocase wide ascii
$tagasp_long13 = "<%ev" nocase wide ascii
// <%@ LANGUAGE = VBScript.encode%>
// <%@ Language = "JScript" %>
// <%@ WebHandler Language="C#" class="Handler" %>
// <%@ WebService Language="C#" Class="Service" %>
// <%@Page Language="Jscript"%>
// <%@ Page Language = Jscript %>
// <%@PAGE LANGUAGE=JSCRIPT%>
// <%@ Page Language="Jscript" validateRequest="false" %>
// <%@ Page Language = Jscript %>
// <%@ Page Language="C#" %>
// <%@ Page Language="VB" ContentType="text/html" validaterequest="false" AspCompat="true" Debug="true" %>
// <script runat="server" language="JScript">
// <SCRIPT RUNAT=SERVER LANGUAGE=JSCRIPT>
// <SCRIPT RUNAT=SERVER LANGUAGE=JSCRIPT>
// <msxsl:script language="JScript" ...
$tagasp_long20 = /<(%|script|msxsl:script).{0,60}language="?(vb|jscript|c#)/ nocase wide ascii
$tagasp_long32 = /<script\s{1,30}runat=/ wide ascii
$tagasp_long33 = /<SCRIPT\s{1,30}RUNAT=/ wide ascii
// avoid hitting php
$php1 = "<?php"
$php2 = "<?="
// avoid hitting jsp
$jsp1 = "=\"java." wide ascii
$jsp2 = "=\"javax." wide ascii
$jsp3 = "java.lang." wide ascii
$jsp4 = "public" fullword wide ascii
$jsp5 = "throws" fullword wide ascii
$jsp6 = "getValue" fullword wide ascii
$jsp7 = "getBytes" fullword wide ascii
$perl1 = "PerlScript" fullword
//strings from private rule capa_asp_payload
$asp_payload0 = "eval_r" fullword nocase wide ascii
$asp_payload1 = /\beval\s/ nocase wide ascii
$asp_payload2 = /\beval\(/ nocase wide ascii
$asp_payload3 = /\beval\"\"/ nocase wide ascii
// var Fla = {'E':eval}; Fla.E(code)
$asp_payload4 = /:\s{0,10}eval\b/ nocase wide ascii
$asp_payload8 = /\bexecute\s?\(/ nocase wide ascii
$asp_payload9 = /\bexecute\s[\w"]/ nocase wide ascii
$asp_payload11 = "WSCRIPT.SHELL" fullword nocase wide ascii
$asp_payload13 = "ExecuteGlobal" fullword nocase wide ascii
$asp_payload14 = "ExecuteStatement" fullword nocase wide ascii
$asp_payload15 = "ExecuteStatement" fullword nocase wide ascii
$asp_multi_payload_one1 = "CreateObject" nocase fullword wide ascii
$asp_multi_payload_one2 = "addcode" fullword wide ascii
$asp_multi_payload_one3 = /\.run\b/ wide ascii
$asp_multi_payload_two1 = "CreateInstanceFromVirtualPath" fullword wide ascii
$asp_multi_payload_two2 = "ProcessRequest" fullword wide ascii
$asp_multi_payload_two3 = "BuildManager" fullword wide ascii
$asp_multi_payload_three1 = "System.Diagnostics" wide ascii
$asp_multi_payload_three2 = "Process" fullword wide ascii
$asp_multi_payload_three3 = ".Start" wide ascii
// this is about "MSXML2.DOMDocument" but since that's easily obfuscated, lets not search for it
$asp_multi_payload_four1 = "CreateObject" fullword nocase wide ascii
$asp_multi_payload_four2 = "TransformNode" fullword nocase wide ascii
$asp_multi_payload_four3 = "loadxml" fullword nocase wide ascii
// execute cmd.exe /c with arguments using ProcessStartInfo
$asp_multi_payload_five1 = "ProcessStartInfo" fullword nocase wide ascii
$asp_multi_payload_five2 = ".Start" nocase wide ascii
$asp_multi_payload_five3 = ".Filename" nocase wide ascii
$asp_multi_payload_five4 = ".Arguments" nocase wide ascii
//strings from private rule capa_asp_write_file
// $asp_write1 = "ADODB.Stream" wide ascii # just a string, can be easily obfuscated
$asp_always_write1 = /\.write/ nocase wide ascii
$asp_always_write2 = /\.swrite/ nocase wide ascii
//$asp_write_way_one1 = /\.open\b/ nocase wide ascii
$asp_write_way_one2 = "SaveToFile" fullword nocase wide ascii
$asp_write_way_one3 = "CREAtEtExtFiLE" fullword nocase wide ascii
$asp_cr_write1 = "CreateObject(" nocase wide ascii
$asp_cr_write2 = "CreateObject (" nocase wide ascii
$asp_streamwriter1 = "streamwriter" fullword nocase wide ascii
$asp_streamwriter2 = "filestream" fullword nocase wide ascii
condition:
(
(
any of ( $tagasp_long* ) or
// TODO : yara_push_private_rules.py doesn't do private rules in private rules yet
any of ( $tagasp_classid* ) or
(
$tagasp_short1 and
$tagasp_short2 in ( filesize-100..filesize )
) or (
$tagasp_short2 and (
$tagasp_short1 in ( 0..1000 ) or
$tagasp_short1 in ( filesize-1000..filesize )
)
)
) and not (
(
any of ( $perl* ) or
$php1 at 0 or
$php2 at 0
) or (
( #jsp1 + #jsp2 + #jsp3 ) > 0 and ( #jsp4 + #jsp5 + #jsp6 + #jsp7 ) > 0
)
)
)
and
( (
any of ( $asp_payload* ) or
all of ( $asp_multi_payload_one* ) or
all of ( $asp_multi_payload_two* ) or
all of ( $asp_multi_payload_three* ) or
all of ( $asp_multi_payload_four* ) or
all of ( $asp_multi_payload_five* )
)
or (
any of ( $asp_always_write* ) and
(
any of ( $asp_write_way_one* ) and
any of ( $asp_cr_write* )
) or (
any of ( $asp_streamwriter* )
)
)
) and not any of ( $fp* ) and
( filesize < 200 or
( filesize < 1000 and any of ( $susasp* ) ) )
}
// Detects ASP webshells whose script body was run through the Microsoft Script
// Encoder (VBScript.Encode / JScript.Encode). The rule needs the encoder name,
// the "#@~^" marker that opens an encoded block, and then either a suspicious
// keyword or a small file carrying (several) encoded blocks.
// The $tagasp_* / $php* / $jsp* / $perl* strings are an inlined copy of the
// shared capa_asp gate that every WEBSHELL_ASP_* rule in this file repeats;
// when one copy is changed, the others should be changed the same way.
rule WEBSHELL_ASP_Encoded
{
meta:
description = "Webshell in VBscript or JScript encoded using *.Encode plus a suspicious string"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
reference = "Internal Research"
score = 75
date = "2021/03/14"
modified = "2023-07-05"
// reference samples this rule was written against
hash = "1bc7327f9d3dbff488e5b0b69a1b39dcb99b3399"
hash = "9885ee1952b5ad9f84176c9570ad4f0e32461c92"
hash = "27a020c5bc0dbabe889f436271df129627b02196"
hash = "f41f8c82b155c3110fc1325e82b9ee92b741028b"
hash = "af40f4c36e3723236c59dc02f28a3efb047d67dd"
id = "67c0e1f6-6da5-569c-ab61-8b8607429471"
strings:
// name of the script engine that decodes Script-Encoder output; either one suffices (any of)
$encoded1 = "VBScript.Encode" nocase wide ascii
$encoded2 = "JScript.Encode" nocase wide ascii
// marker that starts a Script-Encoder encoded block; the condition also uses
// its occurrence count (#data1) to judge small files
$data1 = "#@~^" wide ascii
// generic keywords that lift a single encoded block above the noise; only
// $sus1 is case-insensitive, the others must match exactly
$sus1 = "shell" nocase wide ascii
$sus2 = "cmd" fullword wide ascii
$sus3 = "password" fullword wide ascii
$sus4 = "UserPass" fullword wide ascii
//strings from private rule capa_asp
$tagasp_short1 = /<%[^"]/ wide ascii
// also looking for %> to reduce fp (yeah, short atom but seldom since special chars)
$tagasp_short2 = "%>" wide ascii
// classids for scripting host etc
$tagasp_classid1 = "72C24DD5-D70A-438B-8A42-98424B88AFB8" nocase wide ascii
$tagasp_classid2 = "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B" nocase wide ascii
$tagasp_classid3 = "093FF999-1EA0-4079-9525-9614C3504B74" nocase wide ascii
$tagasp_classid4 = "F935DC26-1CF0-11D0-ADB9-00C04FD58A0B" nocase wide ascii
$tagasp_classid5 = "0D43FE01-F093-11CF-8940-00A0C9054228" nocase wide ascii
$tagasp_long10 = "<%@ " wide ascii
// <% eval
$tagasp_long11 = /<% \w/ nocase wide ascii
$tagasp_long12 = "<%ex" nocase wide ascii
$tagasp_long13 = "<%ev" nocase wide ascii
// <%@ LANGUAGE = VBScript.encode%>
// <%@ Language = "JScript" %>
// <%@ WebHandler Language="C#" class="Handler" %>
// <%@ WebService Language="C#" Class="Service" %>
// <%@Page Language="Jscript"%>
// <%@ Page Language = Jscript %>
// <%@PAGE LANGUAGE=JSCRIPT%>
// <%@ Page Language="Jscript" validateRequest="false" %>
// <%@ Page Language = Jscript %>
// <%@ Page Language="C#" %>
// <%@ Page Language="VB" ContentType="text/html" validaterequest="false" AspCompat="true" Debug="true" %>
// <script runat="server" language="JScript">
// <SCRIPT RUNAT=SERVER LANGUAGE=JSCRIPT>
// <SCRIPT RUNAT=SERVER LANGUAGE=JSCRIPT>
// <msxsl:script language="JScript" ...
$tagasp_long20 = /<(%|script|msxsl:script).{0,60}language="?(vb|jscript|c#)/ nocase wide ascii
$tagasp_long32 = /<script\s{1,30}runat=/ wide ascii
$tagasp_long33 = /<SCRIPT\s{1,30}RUNAT=/ wide ascii
// avoid hitting php
$php1 = "<?php"
$php2 = "<?="
// avoid hitting jsp
$jsp1 = "=\"java." wide ascii
$jsp2 = "=\"javax." wide ascii
$jsp3 = "java.lang." wide ascii
$jsp4 = "public" fullword wide ascii
$jsp5 = "throws" fullword wide ascii
$jsp6 = "getValue" fullword wide ascii
$jsp7 = "getBytes" fullword wide ascii
$perl1 = "PerlScript" fullword
condition:
// capa_asp gate: the file looks like ASP (server-side language directive, a
// scripting-host CLSID, or "<%" ... "%>" near either end of the file) and
// does not look like PHP, JSP or PerlScript
filesize < 500KB and (
(
any of ( $tagasp_long* ) or
// TODO : yara_push_private_rules.py doesn't do private rules in private rules yet
any of ( $tagasp_classid* ) or
(
$tagasp_short1 and
$tagasp_short2 in ( filesize-100..filesize )
) or (
$tagasp_short2 and (
$tagasp_short1 in ( 0..1000 ) or
$tagasp_short1 in ( filesize-1000..filesize )
)
)
) and not (
(
any of ( $perl* ) or
$php1 at 0 or
$php2 at 0
) or (
( #jsp1 + #jsp2 + #jsp3 ) > 0 and ( #jsp4 + #jsp5 + #jsp6 + #jsp7 ) > 0
)
)
)
// encoder name plus at least one encoded block ...
and any of ( $encoded* ) and any of ( $data* ) and
// ... and then a suspicious keyword, or more than four encoded blocks in a
// file under 20KB, or any encoded block in a file under 700 bytes
// (the "#data1 > 0" test is already implied by "any of ( $data* )" above)
( any of ( $sus* ) or
( filesize < 20KB and #data1 > 4 ) or
( filesize < 700 and #data1 > 0 ) )
}
// Detects ASP webshells obfuscated with the ASPEncodeDLL.AspCoding component:
// the file must reference the component and its decode call, contain
// Request/Response handling, and carry the "AspCoding.EnCode" marker.
// Lower score (60) than the sibling rules because it keys on a packaging
// technique rather than on a payload.
// The $tagasp_* / $php* / $jsp* / $perl* strings are the inlined capa_asp
// gate shared with the other WEBSHELL_ASP_* rules in this file.
rule WEBSHELL_ASP_Encoded_AspCoding
{
meta:
description = "ASP Webshell encoded using ASPEncodeDLL.AspCoding"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
reference = "Internal Research"
date = "2021/03/14"
modified = "2023-07-05"
score = 60
// reference samples this rule was written against
hash = "7cfd184ab099c4d60b13457140493b49c8ba61ee"
hash = "f5095345ee085318235c11ae5869ae564d636a5342868d0935de7582ba3c7d7a"
id = "788a8dae-bcb8-547c-ba17-e1f14bc28f34"
strings:
// all four $encoded* strings are required (all of); $encoded2 is a
// deliberate substring (no fullword) so it also matches longer method names
$encoded1 = "ASPEncodeDLL" fullword nocase wide ascii
$encoded2 = ".Runt" nocase wide ascii
$encoded3 = "Request" fullword nocase wide ascii
$encoded4 = "Response" fullword nocase wide ascii
// case-sensitive marker of the encoded payload
$data1 = "AspCoding.EnCode" wide ascii
// the $sus* strings below are disabled and not referenced by the condition
//$sus1 = "shell" nocase wide ascii
//$sus2 = "cmd" fullword wide ascii
//$sus3 = "password" fullword wide ascii
//$sus4 = "UserPass" fullword wide ascii
//strings from private rule capa_asp
$tagasp_short1 = /<%[^"]/ wide ascii
// also looking for %> to reduce fp (yeah, short atom but seldom since special chars)
$tagasp_short2 = "%>" wide ascii
// classids for scripting host etc
$tagasp_classid1 = "72C24DD5-D70A-438B-8A42-98424B88AFB8" nocase wide ascii
$tagasp_classid2 = "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B" nocase wide ascii
$tagasp_classid3 = "093FF999-1EA0-4079-9525-9614C3504B74" nocase wide ascii
$tagasp_classid4 = "F935DC26-1CF0-11D0-ADB9-00C04FD58A0B" nocase wide ascii
$tagasp_classid5 = "0D43FE01-F093-11CF-8940-00A0C9054228" nocase wide ascii
$tagasp_long10 = "<%@ " wide ascii
// <% eval
$tagasp_long11 = /<% \w/ nocase wide ascii
$tagasp_long12 = "<%ex" nocase wide ascii
$tagasp_long13 = "<%ev" nocase wide ascii
// <%@ LANGUAGE = VBScript.encode%>
// <%@ Language = "JScript" %>
// <%@ WebHandler Language="C#" class="Handler" %>
// <%@ WebService Language="C#" Class="Service" %>
// <%@Page Language="Jscript"%>
// <%@ Page Language = Jscript %>
// <%@PAGE LANGUAGE=JSCRIPT%>
// <%@ Page Language="Jscript" validateRequest="false" %>
// <%@ Page Language = Jscript %>
// <%@ Page Language="C#" %>
// <%@ Page Language="VB" ContentType="text/html" validaterequest="false" AspCompat="true" Debug="true" %>
// <script runat="server" language="JScript">
// <SCRIPT RUNAT=SERVER LANGUAGE=JSCRIPT>
// <SCRIPT RUNAT=SERVER LANGUAGE=JSCRIPT>
// <msxsl:script language="JScript" ...
$tagasp_long20 = /<(%|script|msxsl:script).{0,60}language="?(vb|jscript|c#)/ nocase wide ascii
$tagasp_long32 = /<script\s{1,30}runat=/ wide ascii
$tagasp_long33 = /<SCRIPT\s{1,30}RUNAT=/ wide ascii
// avoid hitting php
$php1 = "<?php"
$php2 = "<?="
// avoid hitting jsp
$jsp1 = "=\"java." wide ascii
$jsp2 = "=\"javax." wide ascii
$jsp3 = "java.lang." wide ascii
$jsp4 = "public" fullword wide ascii
$jsp5 = "throws" fullword wide ascii
$jsp6 = "getValue" fullword wide ascii
$jsp7 = "getBytes" fullword wide ascii
$perl1 = "PerlScript" fullword
condition:
// capa_asp gate: looks like ASP and not like PHP, JSP or PerlScript
filesize < 500KB and (
(
any of ( $tagasp_long* ) or
// TODO : yara_push_private_rules.py doesn't do private rules in private rules yet
any of ( $tagasp_classid* ) or
(
$tagasp_short1 and
$tagasp_short2 in ( filesize-100..filesize )
) or (
$tagasp_short2 and (
$tagasp_short1 in ( 0..1000 ) or
$tagasp_short1 in ( filesize-1000..filesize )
)
)
) and not (
(
any of ( $perl* ) or
$php1 at 0 or
$php2 at 0
) or (
( #jsp1 + #jsp2 + #jsp3 ) > 0 and ( #jsp4 + #jsp5 + #jsp6 + #jsp7 ) > 0
)
)
)
// component name, decode call, Request and Response must all be present,
// together with the encoded-payload marker
and all of ( $encoded* ) and any of ( $data* )
}
// Catch-all for known ASP webshells by literal strings: obfuscation fragments
// (reversed, concatenated, UTF-7/base64 or \u-escaped tokens), page titles,
// banners and hard-coded constants seen in specific families. Any single
// $asp_string* hit is enough once the file passes the capa_asp gate, so each
// string must be specific enough to stand on its own.
// The $tagasp_* / $php* / $jsp* / $perl* strings are the inlined capa_asp
// gate shared with the other WEBSHELL_ASP_* rules in this file.
rule WEBSHELL_ASP_By_String
{
meta:
description = "Known ASP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions."
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
reference = "Internal Research"
score = 75
date = "2021-01-13"
modified = "2023-04-05"
// reference samples this rule was written against
hash = "f72252b13d7ded46f0a206f63a1c19a66449f216"
hash = "bd75ac9a1d1f6bcb9a2c82b13ea28c0238360b3a7be909b2ed19d3c96e519d3d"
hash = "56a54fe1f8023455800fd0740037d806709ffb9ece1eb9e7486ad3c3e3608d45"
hash = "4ef5d8b51f13b36ce7047e373159d7bb42ca6c9da30fad22e083ab19364c9985"
hash = "e90c3c270a44575c68d269b6cf78de14222f2cbc5fdfb07b9995eb567d906220"
hash = "8a38835f179e71111663b19baade78cc3c9e1f6fcc87eb35009cbd09393cbc53"
hash = "f2883e9461393b33feed4139c0fc10fcc72ff92924249eb7be83cb5b76f0f4ee"
hash = "10cca59c7112dfb1c9104d352e0504f842efd4e05b228b6f34c2d4e13ffd0eb6"
hash = "ed179e5d4d365b0332e9ffca83f66ee0afe1f1b5ac3c656ccd08179170a4d9f7"
hash = "ce3273e98e478a7e95fccce0a3d3e8135c234a46f305867f2deacd4f0efa7338"
hash = "65543373b8bd7656478fdf9ceeacb8490ff8976b1fefc754cd35c89940225bcf"
hash = "de173ea8dcef777368089504a4af0804864295b75e51794038a6d70f2bcfc6f5"
id = "4705b28b-2ffa-53d1-b727-1a9fc2a7dd69"
strings:
// reversed
$asp_string1 = "tseuqer lave" wide ascii
// $asp_string2 and $asp_string3 are identical; harmless under "any of", but
// one of them could be dropped or repurposed
$asp_string2 = ":eval request(" wide ascii
$asp_string3 = ":eval request(" wide ascii
$asp_string4 = "SItEuRl=\"http://www.zjjv.com\"" wide ascii
$asp_string5 = "ServerVariables(\"HTTP_HOST\"),\"gov.cn\"" wide ascii
// e+k-v+k-a+k-l
// e+x-v+x-a+x-l
$asp_string6 = /e\+.-v\+.-a\+.-l/ wide ascii
$asp_string7 = "r+x-e+x-q+x-u" wide ascii
$asp_string8 = "add6bb58e139be10" fullword wide ascii
$asp_string9 = "WebAdmin2Y.x.y(\"" wide ascii
$asp_string10 = "<%if (Request.Files.Count!=0) { Request.Files[0].SaveAs(Server.MapPath(Request[" wide ascii
$asp_string11 = "<% If Request.Files.Count <> 0 Then Request.Files(0).SaveAs(Server.MapPath(Request(" wide ascii
// Request.Item["
$asp_string12 = "UmVxdWVzdC5JdGVtWyJ" wide ascii
// eval( in utf7 in base64 all 3 versions
$asp_string13 = "UAdgBhAGwAKA" wide ascii
$asp_string14 = "lAHYAYQBsACgA" wide ascii
$asp_string15 = "ZQB2AGEAbAAoA" wide ascii
// request in utf7 in base64 all 3 versions
$asp_string16 = "IAZQBxAHUAZQBzAHQAKA" wide ascii
$asp_string17 = "yAGUAcQB1AGUAcwB0ACgA" wide ascii
$asp_string18 = "cgBlAHEAdQBlAHMAdAAoA" wide ascii
// VBScript "&" string-concatenation splits of keywords
$asp_string19 = "\"ev\"&\"al" wide ascii
$asp_string20 = "\"Sc\"&\"ri\"&\"p" wide ascii
$asp_string21 = "C\"&\"ont\"&\"" wide ascii
$asp_string22 = "\"vb\"&\"sc" wide ascii
$asp_string23 = "\"A\"&\"do\"&\"d" wide ascii
$asp_string24 = "St\"&\"re\"&\"am\"" wide ascii
$asp_string25 = "*/eval(" wide ascii
// NOTE(review): only "nocase" here, so unlike its neighbours this string
// matches ASCII only (YARA default) - confirm whether "wide" was intended
$asp_string26 = "\"e\"&\"v\"&\"a\"&\"l" nocase
$asp_string27 = "<%eval\"\"&(\"" nocase wide ascii
$asp_string28 = "6877656D2B736972786677752B237E232C2A" wide ascii
$asp_string29 = "ws\"&\"cript.shell" wide ascii
$asp_string30 = "SerVer.CreAtEoBjECT(\"ADODB.Stream\")" wide ascii
// banners / page titles of specific shells
$asp_string31 = "ASPShell - web based shell" wide ascii
$asp_string32 = "<++ CmdAsp.asp ++>" wide ascii
$asp_string33 = "\"scr\"&\"ipt\"" wide ascii
$asp_string34 = "Regex regImg = new Regex(\"[a-z|A-Z]{1}:\\\\\\\\[a-z|A-Z| |0-9|\\u4e00-\\u9fa5|\\\\~|\\\\\\\\|_|{|}|\\\\.]*\");" wide ascii
$asp_string35 = "\"she\"&\"ll." wide ascii
$asp_string36 = "LH\"&\"TTP" wide ascii
$asp_string37 = "<title>Web Sniffer</title>" wide ascii
$asp_string38 = "<title>WebSniff" wide ascii
$asp_string39 = "cript\"&\"ing" wide ascii
// reversed "Scripting.FileSystemObject" / "Server.CreateObject"
$asp_string40 = "tcejbOmetsySeliF.gnitpircS" wide ascii
$asp_string41 = "tcejbOetaerC.revreS" wide ascii
// ABPTTS tunnel server; $asp_string43/44 look like its C# and JSP header
// checks (JSP variant still needs the capa_asp gate to pass)
$asp_string42 = "This file is part of A Black Path Toward The Sun (\"ABPTTS\")" wide ascii
$asp_string43 = "if ((Request.Headers[headerNameKey] != null) && (Request.Headers[headerNameKey].Trim() == headerValueKey.Trim()))" wide ascii
$asp_string44 = "if (request.getHeader(headerNameKey).toString().trim().equals(headerValueKey.trim()))" wide ascii
$asp_string45 = "Response.Write(Server.HtmlEncode(ExcutemeuCmd(txtArg.Text)));" wide ascii
// C# "+" string-concatenation splits of keywords
$asp_string46 = "\"c\" + \"m\" + \"d\"" wide ascii
$asp_string47 = "\".\"+\"e\"+\"x\"+\"e\"" wide ascii
$asp_string48 = "Tas9er" fullword wide ascii
// \u / \U escape sequences used to hide identifiers from plain string matching
$asp_string49 = "<%@ Page Language=\"\\u" wide ascii
$asp_string50 = "BinaryRead(\\u" wide ascii
$asp_string51 = "Request.\\u" wide ascii
$asp_string52 = "System.Buffer.\\u" wide ascii
$asp_string53 = "System.Net.\\u" wide ascii
$asp_string54 = ".\\u0052\\u0065\\u0066\\u006c\\u0065\\u0063\\u0074\\u0069\\u006f\\u006e\"" wide ascii
$asp_string55 = "\\u0041\\u0073\\u0073\\u0065\\u006d\\u0062\\u006c\\u0079.\\u004c\\u006f\\u0061\\u0064" wide ascii
$asp_string56 = "\\U00000052\\U00000065\\U00000071\\U00000075\\U00000065\\U00000073\\U00000074[\"" wide ascii
$asp_string57 = "*/\\U0000" wide ascii
$asp_string58 = "\\U0000FFFA" wide ascii
$asp_string59 = "\"e45e329feb5d925b\"" wide ascii
$asp_string60 = ">POWER!shelled<" wide ascii
$asp_string61 = "@requires xhEditor" wide ascii
//strings from private rule capa_asp
$tagasp_short1 = /<%[^"]/ wide ascii
// also looking for %> to reduce fp (yeah, short atom but seldom since special chars)
$tagasp_short2 = "%>" wide ascii
// classids for scripting host etc
$tagasp_classid1 = "72C24DD5-D70A-438B-8A42-98424B88AFB8" nocase wide ascii
$tagasp_classid2 = "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B" nocase wide ascii
$tagasp_classid3 = "093FF999-1EA0-4079-9525-9614C3504B74" nocase wide ascii
$tagasp_classid4 = "F935DC26-1CF0-11D0-ADB9-00C04FD58A0B" nocase wide ascii
$tagasp_classid5 = "0D43FE01-F093-11CF-8940-00A0C9054228" nocase wide ascii
$tagasp_long10 = "<%@ " wide ascii
// <% eval
$tagasp_long11 = /<% \w/ nocase wide ascii
$tagasp_long12 = "<%ex" nocase wide ascii
$tagasp_long13 = "<%ev" nocase wide ascii
// <%@ LANGUAGE = VBScript.encode%>
// <%@ Language = "JScript" %>
// <%@ WebHandler Language="C#" class="Handler" %>
// <%@ WebService Language="C#" Class="Service" %>
// <%@Page Language="Jscript"%>
// <%@ Page Language = Jscript %>
// <%@PAGE LANGUAGE=JSCRIPT%>
// <%@ Page Language="Jscript" validateRequest="false" %>
// <%@ Page Language = Jscript %>
// <%@ Page Language="C#" %>
// <%@ Page Language="VB" ContentType="text/html" validaterequest="false" AspCompat="true" Debug="true" %>
// <script runat="server" language="JScript">
// <SCRIPT RUNAT=SERVER LANGUAGE=JSCRIPT>
// <SCRIPT RUNAT=SERVER LANGUAGE=JSCRIPT>
// <msxsl:script language="JScript" ...
$tagasp_long20 = /<(%|script|msxsl:script).{0,60}language="?(vb|jscript|c#)/ nocase wide ascii
$tagasp_long32 = /<script\s{1,30}runat=/ wide ascii
$tagasp_long33 = /<SCRIPT\s{1,30}RUNAT=/ wide ascii
// avoid hitting php
$php1 = "<?php"
$php2 = "<?="
// avoid hitting jsp
$jsp1 = "=\"java." wide ascii
$jsp2 = "=\"javax." wide ascii
$jsp3 = "java.lang." wide ascii
$jsp4 = "public" fullword wide ascii
$jsp5 = "throws" fullword wide ascii
$jsp6 = "getValue" fullword wide ascii
$jsp7 = "getBytes" fullword wide ascii
$perl1 = "PerlScript" fullword
condition:
// capa_asp gate: looks like ASP and not like PHP, JSP or PerlScript;
// tighter size cap (200KB) than the sibling rules
filesize < 200KB and (
(
any of ( $tagasp_long* ) or
// TODO : yara_push_private_rules.py doesn't do private rules in private rules yet
any of ( $tagasp_classid* ) or
(
$tagasp_short1 and
$tagasp_short2 in ( filesize-100..filesize )
) or (
$tagasp_short2 and (
$tagasp_short1 in ( 0..1000 ) or
$tagasp_short1 in ( filesize-1000..filesize )
)
)
) and not (
(
any of ( $perl* ) or
$php1 at 0 or
$php2 at 0
) or (
( #jsp1 + #jsp2 + #jsp3 ) > 0 and ( #jsp4 + #jsp5 + #jsp6 + #jsp7 ) > 0
)
)
)
// a single known-shell string is enough
and any of ( $asp_string* )
}
// Detects small ASP pages that open a raw socket and capture traffic: all five
// $sniff* strings (socket creation, bind, socket options, IOControl and a
// packet-capture writer) must be present in a file under 30KB that also takes
// some form of user input.
// Two inlined private rules are carried here: capa_asp (ASP gate, the
// $tagasp_* / $php* / $jsp* / $perl* strings) and capa_asp_input
// (the $asp_input* / $asp_xml_* / $asp_form* / $asp_asp / $asp_text* strings).
rule WEBSHELL_ASP_Sniffer
{
meta:
description = "ASP webshell which can sniff local traffic"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
reference = "Internal Research"
score = 75
date = "2021/03/14"
modified = "2023-07-05"
// reference samples this rule was written against
hash = "1206c22de8d51055a5e3841b4542fb13aa0f97dd"
hash = "60d131af1ed23810dbc78f85ee32ffd863f8f0f4"
hash = "c3bc4ab8076ef184c526eb7f16e08d41b4cec97e"
hash = "ed5938c04f61795834751d44a383f8ca0ceac833"
id = "b5704c19-fce1-5210-8185-4839c1c5a344"
strings:
// raw-socket capture primitives; case-sensitive and all required (all of)
$sniff1 = "Socket(" wide ascii
$sniff2 = ".Bind(" wide ascii
$sniff3 = ".SetSocketOption(" wide ascii
$sniff4 = ".IOControl(" wide ascii
$sniff5 = "PacketCaptureWriter" fullword wide ascii
//strings from private rule capa_asp
$tagasp_short1 = /<%[^"]/ wide ascii
// also looking for %> to reduce fp (yeah, short atom but seldom since special chars)
$tagasp_short2 = "%>" wide ascii
// classids for scripting host etc
$tagasp_classid1 = "72C24DD5-D70A-438B-8A42-98424B88AFB8" nocase wide ascii
$tagasp_classid2 = "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B" nocase wide ascii
$tagasp_classid3 = "093FF999-1EA0-4079-9525-9614C3504B74" nocase wide ascii
$tagasp_classid4 = "F935DC26-1CF0-11D0-ADB9-00C04FD58A0B" nocase wide ascii
$tagasp_classid5 = "0D43FE01-F093-11CF-8940-00A0C9054228" nocase wide ascii
$tagasp_long10 = "<%@ " wide ascii
// <% eval
$tagasp_long11 = /<% \w/ nocase wide ascii
$tagasp_long12 = "<%ex" nocase wide ascii
$tagasp_long13 = "<%ev" nocase wide ascii
// <%@ LANGUAGE = VBScript.encode%>
// <%@ Language = "JScript" %>
// <%@ WebHandler Language="C#" class="Handler" %>
// <%@ WebService Language="C#" Class="Service" %>
// <%@Page Language="Jscript"%>
// <%@ Page Language = Jscript %>
// <%@PAGE LANGUAGE=JSCRIPT%>
// <%@ Page Language="Jscript" validateRequest="false" %>
// <%@ Page Language = Jscript %>
// <%@ Page Language="C#" %>
// <%@ Page Language="VB" ContentType="text/html" validaterequest="false" AspCompat="true" Debug="true" %>
// <script runat="server" language="JScript">
// <SCRIPT RUNAT=SERVER LANGUAGE=JSCRIPT>
// <SCRIPT RUNAT=SERVER LANGUAGE=JSCRIPT>
// <msxsl:script language="JScript" ...
$tagasp_long20 = /<(%|script|msxsl:script).{0,60}language="?(vb|jscript|c#)/ nocase wide ascii
$tagasp_long32 = /<script\s{1,30}runat=/ wide ascii
$tagasp_long33 = /<SCRIPT\s{1,30}RUNAT=/ wide ascii
// avoid hitting php
$php1 = "<?php"
$php2 = "<?="
// avoid hitting jsp
$jsp1 = "=\"java." wide ascii
$jsp2 = "=\"javax." wide ascii
$jsp3 = "java.lang." wide ascii
$jsp4 = "public" fullword wide ascii
$jsp5 = "throws" fullword wide ascii
$jsp6 = "getValue" fullword wide ascii
$jsp7 = "getBytes" fullword wide ascii
$perl1 = "PerlScript" fullword
//strings from private rule capa_asp_input
// Request.BinaryRead
// Request.Form
// $asp_input1 is very broad on its own; precision comes from the $sniff* conjunction
$asp_input1 = "request" fullword nocase wide ascii
$asp_input2 = "Page_Load" fullword nocase wide ascii
// base64 of Request.Form(
$asp_input3 = "UmVxdWVzdC5Gb3JtK" fullword wide ascii
// alternative input path: XMLHTTP object plus an HTTP verb
$asp_xml_http = "Microsoft.XMLHTTP" fullword nocase wide ascii
$asp_xml_method1 = "GET" fullword wide ascii
$asp_xml_method2 = "POST" fullword wide ascii
$asp_xml_method3 = "HEAD" fullword wide ascii
// dynamic form
$asp_form1 = "<form " wide ascii
$asp_form2 = "<Form " wide ascii
$asp_form3 = "<FORM " wide ascii
$asp_asp = "<asp:" wide ascii
$asp_text1 = ".text" wide ascii
$asp_text2 = ".Text" wide ascii
condition:
// capa_asp gate: looks like ASP and not like PHP, JSP or PerlScript
(
(
any of ( $tagasp_long* ) or
// TODO : yara_push_private_rules.py doesn't do private rules in private rules yet
any of ( $tagasp_classid* ) or
(
$tagasp_short1 and
$tagasp_short2 in ( filesize-100..filesize )
) or (
$tagasp_short2 and (
$tagasp_short1 in ( 0..1000 ) or
$tagasp_short1 in ( filesize-1000..filesize )
)
)
) and not (
(
any of ( $perl* ) or
$php1 at 0 or
$php2 at 0
) or (
( #jsp1 + #jsp2 + #jsp3 ) > 0 and ( #jsp4 + #jsp5 + #jsp6 + #jsp7 ) > 0
)
)
)
// capa_asp_input: the page reads user input via Request/Page_Load, XMLHTTP
// with an HTTP verb, or an ASP.NET form with .Text controls
and (
any of ( $asp_input* ) or
(
$asp_xml_http and
any of ( $asp_xml_method* )
) or
(
any of ( $asp_form* ) and
any of ( $asp_text* ) and
$asp_asp
)
)
// small file with the complete raw-socket capture pattern
and filesize < 30KB and all of ( $sniff* )
}
// Generic rule for very small (< 700 bytes) ASP pages that take user input and
// either call an eval/execute-style function or write a file. The size cap is
// what keeps this generic pattern usable at score 75: the same string sets in
// WEBSHELL_ASP_Generic below need extra suspicious indicators.
// Four inlined private rules are carried here: capa_asp (ASP gate),
// capa_asp_input (user input), capa_bin_files (binary-header exclusions) and
// capa_asp_payload / capa_asp_write_file (the eval and file-write string sets).
rule WEBSHELL_ASP_Generic_Tiny
{
meta:
description = "Generic tiny ASP webshell which uses any eval/exec function indirectly on user input or writes a file"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
reference = "Internal Research"
score = 75
date = "2021/01/07"
modified = "2025-08-18"
// reference samples this rule was written against
hash = "990e3f129b8ba409a819705276f8fa845b95dad0"
hash = "52ce724580e533da983856c4ebe634336f5fd13a"
hash = "0864f040a37c3e1cef0213df273870ed6a61e4bc"
hash = "b184dc97b19485f734e3057e67007a16d47b2a62"
id = "0904cefb-6e0f-5e5f-9986-cf83d409ce46"
strings:
// known benign hit excluded via "not 1 of ( $fp* )" in the condition
$fp1 = "net.rim.application.ipproxyservice.AdminCommand.execute"
//strings from private rule capa_asp
$tagasp_short1 = /<%[^"]/ wide ascii
// also looking for %> to reduce fp (yeah, short atom but seldom since special chars)
$tagasp_short2 = "%>" wide ascii
// classids for scripting host etc
$tagasp_classid1 = "72C24DD5-D70A-438B-8A42-98424B88AFB8" nocase wide ascii
$tagasp_classid2 = "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B" nocase wide ascii
$tagasp_classid3 = "093FF999-1EA0-4079-9525-9614C3504B74" nocase wide ascii
$tagasp_classid4 = "F935DC26-1CF0-11D0-ADB9-00C04FD58A0B" nocase wide ascii
$tagasp_classid5 = "0D43FE01-F093-11CF-8940-00A0C9054228" nocase wide ascii
$tagasp_long10 = "<%@ " wide ascii
// <% eval
$tagasp_long11 = /<% \w/ nocase wide ascii
$tagasp_long12 = "<%ex" nocase wide ascii
$tagasp_long13 = "<%ev" nocase wide ascii
// <%@ LANGUAGE = VBScript.encode%>
// <%@ Language = "JScript" %>
// <%@ WebHandler Language="C#" class="Handler" %>
// <%@ WebService Language="C#" Class="Service" %>
// <%@Page Language="Jscript"%>
// <%@ Page Language = Jscript %>
// <%@PAGE LANGUAGE=JSCRIPT%>
// <%@ Page Language="Jscript" validateRequest="false" %>
// <%@ Page Language = Jscript %>
// <%@ Page Language="C#" %>
// <%@ Page Language="VB" ContentType="text/html" validaterequest="false" AspCompat="true" Debug="true" %>
// <script runat="server" language="JScript">
// <SCRIPT RUNAT=SERVER LANGUAGE=JSCRIPT>
// <SCRIPT RUNAT=SERVER LANGUAGE=JSCRIPT>
// <msxsl:script language="JScript" ...
$tagasp_long20 = /<(%|script|msxsl:script).{0,60}language="?(vb|jscript|c#)/ nocase wide ascii
$tagasp_long32 = /<script\s{1,30}runat=/ wide ascii
$tagasp_long33 = /<SCRIPT\s{1,30}RUNAT=/ wide ascii
// avoid hitting php
$php1 = "<?php"
$php2 = "<?="
// avoid hitting jsp
$jsp1 = "=\"java." wide ascii
$jsp2 = "=\"javax." wide ascii
$jsp3 = "java.lang." wide ascii
$jsp4 = "public" fullword wide ascii
$jsp5 = "throws" fullword wide ascii
$jsp6 = "getValue" fullword wide ascii
$jsp7 = "getBytes" fullword wide ascii
$perl1 = "PerlScript" fullword
//strings from private rule capa_asp_input
// Request.BinaryRead
// Request.Form
$asp_input1 = "request" fullword nocase wide ascii
$asp_input2 = "Page_Load" fullword nocase wide ascii
// base64 of Request.Form(
$asp_input3 = "UmVxdWVzdC5Gb3JtK" fullword wide ascii
$asp_xml_http = "Microsoft.XMLHTTP" fullword nocase wide ascii
$asp_xml_method1 = "GET" fullword wide ascii
$asp_xml_method2 = "POST" fullword wide ascii
$asp_xml_method3 = "HEAD" fullword wide ascii
// dynamic form
$asp_form1 = "<form " wide ascii
$asp_form2 = "<Form " wide ascii
$asp_form3 = "<FORM " wide ascii
$asp_asp = "<asp:" wide ascii
$asp_text1 = ".text" wide ascii
$asp_text2 = ".Text" wide ascii
//strings from private rule capa_bin_files
// file-header magics that are only tested "at 0" in the condition
$dex1 = "dex\n0"
$dex2 = "dey\n0"
// "PACK" 00 00 00 02 00
$pack = { 50 41 43 4b 00 00 00 02 00 }
//strings from private rule capa_asp_payload
// any single $asp_payload* hit counts; the $asp_multi_payload_* groups must
// match completely (all of) because their members are common on their own
$asp_payload0 = "eval_r" fullword nocase wide ascii
$asp_payload1 = /\beval\s/ nocase wide ascii
$asp_payload2 = /\beval\(/ nocase wide ascii
$asp_payload3 = /\beval\"\"/ nocase wide ascii
// var Fla = {'E':eval}; Fla.E(code)
$asp_payload4 = /:\s{0,10}eval\b/ nocase wide ascii
$asp_payload8 = /\bexecute\s?\(/ nocase wide ascii
$asp_payload9 = /\bexecute\s[\w"]/ nocase wide ascii
$asp_payload11 = "WSCRIPT.SHELL" fullword nocase wide ascii
$asp_payload13 = "ExecuteGlobal" fullword nocase wide ascii
// $asp_payload14 and $asp_payload15 are identical; harmless under "any of"
$asp_payload14 = "ExecuteStatement" fullword nocase wide ascii
$asp_payload15 = "ExecuteStatement" fullword nocase wide ascii
$asp_multi_payload_one1 = "CreateObject" nocase fullword wide ascii
$asp_multi_payload_one2 = "addcode" fullword wide ascii
$asp_multi_payload_one3 = /\.run\b/ wide ascii
$asp_multi_payload_two1 = "CreateInstanceFromVirtualPath" fullword wide ascii
$asp_multi_payload_two2 = "ProcessRequest" fullword wide ascii
$asp_multi_payload_two3 = "BuildManager" fullword wide ascii
$asp_multi_payload_three1 = "System.Diagnostics" wide ascii
$asp_multi_payload_three2 = "Process" fullword wide ascii
$asp_multi_payload_three3 = ".Start" wide ascii
// this is about "MSXML2.DOMDocument" but since that's easily obfuscated, lets not search for it
$asp_multi_payload_four1 = "CreateObject" fullword nocase wide ascii
$asp_multi_payload_four2 = "TransformNode" fullword nocase wide ascii
$asp_multi_payload_four3 = "loadxml" fullword nocase wide ascii
// execute cmd.exe /c with arguments using ProcessStartInfo
$asp_multi_payload_five1 = "ProcessStartInfo" fullword nocase wide ascii
$asp_multi_payload_five2 = ".Start" nocase wide ascii
$asp_multi_payload_five3 = ".Filename" nocase wide ascii
$asp_multi_payload_five4 = ".Arguments" nocase wide ascii
//strings from private rule capa_asp_write_file
// $asp_write1 = "ADODB.Stream" wide ascii # just a string, can be easily obfuscated
$asp_always_write1 = /\.write/ nocase wide ascii
$asp_always_write2 = /\.swrite/ nocase wide ascii
//$asp_write_way_one1 = /\.open\b/ nocase wide ascii
$asp_write_way_one2 = "SaveToFile" fullword nocase wide ascii
$asp_write_way_one3 = "CREAtEtExtFiLE" fullword nocase wide ascii
$asp_cr_write1 = "CreateObject(" nocase wide ascii
$asp_cr_write2 = "CreateObject (" nocase wide ascii
// .NET file-write classes; either one is sufficient on its own (see condition)
$asp_streamwriter1 = "streamwriter" fullword nocase wide ascii
$asp_streamwriter2 = "filestream" fullword nocase wide ascii
condition:
// capa_asp gate: looks like ASP and not like PHP, JSP or PerlScript
(
(
any of ( $tagasp_long* ) or
// TODO : yara_push_private_rules.py doesn't do private rules in private rules yet
any of ( $tagasp_classid* ) or
(
$tagasp_short1 and
$tagasp_short2 in ( filesize-100..filesize )
) or (
$tagasp_short2 and (
$tagasp_short1 in ( 0..1000 ) or
$tagasp_short1 in ( filesize-1000..filesize )
)
)
) and not (
(
any of ( $perl* ) or
$php1 at 0 or
$php2 at 0
) or (
( #jsp1 + #jsp2 + #jsp3 ) > 0 and ( #jsp4 + #jsp5 + #jsp6 + #jsp7 ) > 0
)
)
)
// capa_asp_input: the page reads user input
and (
any of ( $asp_input* ) or
(
$asp_xml_http and
any of ( $asp_xml_method* )
) or
(
any of ( $asp_form* ) and
any of ( $asp_text* ) and
$asp_asp
)
)
// known false positive, then capa_bin_files: skip PE (MZ), dex/dey, PACK
// and ZIP/JAR (PK) containers by their leading bytes
and not 1 of ( $fp* ) and not (
uint16(0) == 0x5a4d or
$dex1 at 0 or
$dex2 at 0 or
$pack at 0 or
// fp on jar with zero compression
uint16(0) == 0x4b50
)
and
// tiny file with either an eval/execute payload or a file-write chain.
// Note the precedence in the write clause: "and" binds tighter than "or", so it
// reads ( always_write and write_way_one and cr_write ) or streamwriter
( filesize < 700 and
( (
any of ( $asp_payload* ) or
all of ( $asp_multi_payload_one* ) or
all of ( $asp_multi_payload_two* ) or
all of ( $asp_multi_payload_three* ) or
all of ( $asp_multi_payload_four* ) or
all of ( $asp_multi_payload_five* )
)
or (
any of ( $asp_always_write* ) and
(
any of ( $asp_write_way_one* ) and
any of ( $asp_cr_write* )
) or (
any of ( $asp_streamwriter* )
)
)
) )
}
rule WEBSHELL_ASP_Generic : FILE {
meta:
description = "Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
reference = "Internal Research"
date = "2021-03-07"
modified = "2025-08-18"
score = 60
hash = "a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75"
hash = "4cf6fbad0411b7d33e38075f5e00d4c8ae9ce2f6f53967729974d004a183b25c"
hash = "a91320483df0178eb3cafea830c1bd94585fc896"
hash = "f3398832f697e3db91c3da71a8e775ebf66c7e73"
id = "0904cefb-6e0f-5e5f-9986-cf83d409ce46"
strings:
$asp_much_sus7 = "Web Shell" nocase
$asp_much_sus8 = "WebShell" nocase
$asp_much_sus3 = "hidded shell"
$asp_much_sus4 = "WScript.Shell.1" nocase
$asp_much_sus5 = "AspExec"
$asp_much_sus14 = "\\pcAnywhere\\" nocase
$asp_much_sus15 = "antivirus" nocase
$asp_much_sus16 = "McAfee" nocase
$asp_much_sus17 = "nishang"
$asp_much_sus18 = "\"unsafe" fullword wide ascii
$asp_much_sus19 = "'unsafe" fullword wide ascii
$asp_much_sus28 = "exploit" fullword wide ascii
$asp_much_sus30 = "TVqQAAMAAA" wide ascii
$asp_much_sus31 = "HACKED" fullword wide ascii
$asp_much_sus32 = "hacked" fullword wide ascii
$asp_much_sus33 = "hacker" wide ascii
$asp_much_sus34 = "grayhat" nocase wide ascii
$asp_much_sus35 = "Microsoft FrontPage" wide ascii
$asp_much_sus36 = "Rootkit" wide ascii
$asp_much_sus37 = "rootkit" wide ascii
$asp_much_sus38 = "/*-/*-*/" wide ascii
$asp_much_sus39 = "u\"+\"n\"+\"s" wide ascii
$asp_much_sus40 = "\"e\"+\"v" wide ascii
$asp_much_sus41 = "a\"+\"l\"" wide ascii
$asp_much_sus42 = "\"+\"(\"+\"" wide ascii
$asp_much_sus43 = "q\"+\"u\"" wide ascii
$asp_much_sus44 = "\"u\"+\"e" wide ascii
$asp_much_sus45 = "/*//*/" wide ascii
$asp_much_sus46 = "(\"/*/\"" wide ascii
$asp_much_sus47 = "eval(eval(" wide ascii
$asp_much_sus48 = "Shell.Users" wide ascii
$asp_much_sus49 = "PasswordType=Regular" wide ascii
$asp_much_sus50 = "-Expire=0" wide ascii
$asp_much_sus51 = "sh\"&\"el" wide ascii
$asp_gen_sus1 = /:\s{0,20}eval}/ nocase wide ascii
$asp_gen_sus2 = /\.replace\(\/\w\/g/ nocase wide ascii
$asp_gen_sus6 = "self.delete"
$asp_gen_sus9 = "\"cmd /c" nocase
$asp_gen_sus10 = "\"cmd\"" nocase
$asp_gen_sus11 = "\"cmd.exe" nocase
$asp_gen_sus12 = "%comspec%" wide ascii
$asp_gen_sus13 = "%COMSPEC%" wide ascii
//TODO:$asp_gen_sus12 = ".UserName" nocase
$asp_gen_sus18 = "Hklm.GetValueNames();" nocase
// bonus string for proxylogon exploiting webshells
$asp_gen_sus19 = "http://schemas.microsoft.com/exchange/" wide ascii
$asp_gen_sus21 = "\"upload\"" wide ascii
$asp_gen_sus22 = "\"Upload\"" wide ascii
$asp_gen_sus25 = "shell_" wide ascii
//$asp_gen_sus26 = "password" fullword wide ascii
//$asp_gen_sus27 = "passw" fullword wide ascii
// own base64 or base 32 func
$asp_gen_sus29 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" fullword wide ascii
$asp_gen_sus30 = "abcdefghijklmnopqrstuvwxyz234567" fullword wide ascii
$asp_gen_sus31 = "serv-u" wide ascii
$asp_gen_sus32 = "Serv-u" wide ascii
$asp_gen_sus33 = "Army" fullword wide ascii
$asp_slightly_sus1 = "<pre>" wide ascii
$asp_slightly_sus2 = "<PRE>" wide ascii
// "e"+"x"+"e"
$asp_gen_obf1 = "\"+\"" wide ascii
$fp1 = "DataBinder.Eval"
$fp2 = "B2BTools"
$fp3 = "<b>Failed to execute cache update. See the log file for more information" ascii
$fp4 = "Microsoft. All rights reserved."
$fp5 = "\"unsafe\"," ascii wide
//strings from private rule capa_asp
$tagasp_short1 = /<%[^"]/ wide ascii
// also looking for %> to reduce fp (yeah, short atom but seldom since special chars)
$tagasp_short2 = "%>" wide ascii
// classids for scripting host etc
$tagasp_classid1 = "72C24DD5-D70A-438B-8A42-98424B88AFB8" nocase wide ascii
$tagasp_classid2 = "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B" nocase wide ascii
$tagasp_classid3 = "093FF999-1EA0-4079-9525-9614C3504B74" nocase wide ascii
$tagasp_classid4 = "F935DC26-1CF0-11D0-ADB9-00C04FD58A0B" nocase wide ascii
$tagasp_classid5 = "0D43FE01-F093-11CF-8940-00A0C9054228" nocase wide ascii
$tagasp_long10 = "<%@ " wide ascii
// <% eval
$tagasp_long11 = /<% \w/ nocase wide ascii
$tagasp_long12 = "<%ex" nocase wide ascii
$tagasp_long13 = "<%ev" nocase wide ascii
// <%@ LANGUAGE = VBScript.encode%>
// <%@ Language = "JScript" %>
// <%@ WebHandler Language="C#" class="Handler" %>
// <%@ WebService Language="C#" Class="Service" %>
// <%@Page Language="Jscript"%>
// <%@ Page Language = Jscript %>
// <%@PAGE LANGUAGE=JSCRIPT%>
// <%@ Page Language="Jscript" validateRequest="false" %>
// <%@ Page Language = Jscript %>
// <%@ Page Language="C#" %>
// <%@ Page Language="VB" ContentType="text/html" validaterequest="false" AspCompat="true" Debug="true" %>
// <script runat="server" language="JScript">
// <SCRIPT RUNAT=SERVER LANGUAGE=JSCRIPT>
// <SCRIPT RUNAT=SERVER LANGUAGE=JSCRIPT>
// <msxsl:script language="JScript" ...
$tagasp_long20 = /<(%|script|msxsl:script).{0,60}language="?(vb|jscript|c#)/ nocase wide ascii
$tagasp_long32 = /<script\s{1,30}runat=/ wide ascii
$tagasp_long33 = /<SCRIPT\s{1,30}RUNAT=/ wide ascii
// avoid hitting php
$php1 = "<?php"
$php2 = "<?="
// avoid hitting jsp
$jsp1 = "=\"java." wide ascii
$jsp2 = "=\"javax." wide ascii
$jsp3 = "java.lang." wide ascii
$jsp4 = "public" fullword wide ascii
$jsp5 = "throws" fullword wide ascii
$jsp6 = "getValue" fullword wide ascii
$jsp7 = "getBytes" fullword wide ascii
$perl1 = "PerlScript" fullword
//strings from private rule capa_bin_files
$dex1 = "dex\n0"
$dex2 = "dey\n0"
$pack = { 50 41 43 4b 00 00 00 02 00 }
//strings from private rule capa_asp_input
// Request.BinaryRead
// Request.Form
$asp_input1 = "request" fullword nocase wide ascii
$asp_input2 = "Page_Load" fullword nocase wide ascii
// base64 of Request.Form(
$asp_input3 = "UmVxdWVzdC5Gb3JtK" fullword wide ascii
$asp_xml_http = "Microsoft.XMLHTTP" fullword nocase wide ascii
$asp_xml_method1 = "GET" fullword wide ascii
$asp_xml_method2 = "POST" fullword wide ascii
$asp_xml_method3 = "HEAD" fullword wide ascii
// dynamic form
$asp_form1 = "<form " wide ascii
$asp_form2 = "<Form " wide ascii
$asp_form3 = "<FORM " wide ascii
$asp_asp = "<asp:" wide ascii
$asp_text1 = ".text" wide ascii
$asp_text2 = ".Text" wide ascii
//strings from private rule capa_asp_payload
$asp_payload0 = "eval_r" fullword nocase wide ascii
$asp_payload1 = /\beval\s/ nocase wide ascii
$asp_payload2 = /\beval\(/ nocase wide ascii
$asp_payload3 = /\beval\"\"/ nocase wide ascii
// var Fla = {'E':eval}; Fla.E(code)
$asp_payload4 = /:\s{0,10}eval\b/ nocase wide ascii
$asp_payload8 = /\bexecute\s?\(/ nocase wide ascii
$asp_payload9 = /\bexecute\s[\w"]/ nocase wide ascii
$asp_payload11 = "WSCRIPT.SHELL" fullword nocase wide ascii
$asp_payload13 = "ExecuteGlobal" fullword nocase wide ascii
$asp_payload14 = "ExecuteStatement" fullword nocase wide ascii
$asp_payload15 = "ExecuteStatement" fullword nocase wide ascii
$asp_multi_payload_one1 = "CreateObject" nocase fullword wide ascii
$asp_multi_payload_one2 = "addcode" fullword wide ascii
$asp_multi_payload_one3 = /\.run\b/ wide ascii
$asp_multi_payload_two1 = "CreateInstanceFromVirtualPath" fullword wide ascii
$asp_multi_payload_two2 = "ProcessRequest" fullword wide ascii
$asp_multi_payload_two3 = "BuildManager" fullword wide ascii
$asp_multi_payload_three1 = "System.Diagnostics" wide ascii
$asp_multi_payload_three2 = "Process" fullword wide ascii
$asp_multi_payload_three3 = "Start" fullword wide ascii
// this is about "MSXML2.DOMDocument" but since that's easily obfuscated, lets not search for it
$asp_multi_payload_four1 = "CreateObject" fullword nocase wide ascii
$asp_multi_payload_four2 = "TransformNode" fullword nocase wide ascii
$asp_multi_payload_four3 = "loadxml" fullword nocase wide ascii
// execute cmd.exe /c with arguments using ProcessStartInfo
$asp_multi_payload_five1 = "ProcessStartInfo" fullword nocase wide ascii
$asp_multi_payload_five2 = ".Start" nocase wide ascii
$asp_multi_payload_five3 = ".Filename" nocase wide ascii
$asp_multi_payload_five4 = ".Arguments" nocase wide ascii
//strings from private rule capa_asp_write_file
// $asp_write1 = "ADODB.Stream" wide ascii # just a string, can be easily obfuscated
$asp_always_write1 = /\.write/ nocase wide ascii
$asp_always_write2 = /\.swrite/ nocase wide ascii
//$asp_write_way_one1 = /\.open\b/ nocase wide ascii
$asp_write_way_one2 = "SaveToFile" fullword nocase wide ascii
$asp_write_way_one3 = "CREAtEtExtFiLE" fullword nocase wide ascii
$asp_cr_write1 = "CreateObject(" nocase wide ascii
$asp_cr_write2 = "CreateObject (" nocase wide ascii
$asp_streamwriter1 = "streamwriter" fullword nocase wide ascii
$asp_streamwriter2 = "filestream" fullword nocase wide ascii
//strings from private rule capa_asp_classid
$tagasp_capa_classid1 = "72C24DD5-D70A-438B-8A42-98424B88AFB8" nocase wide ascii
$tagasp_capa_classid2 = "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B" nocase wide ascii
$tagasp_capa_classid3 = "093FF999-1EA0-4079-9525-9614C3504B74" nocase wide ascii
$tagasp_capa_classid4 = "F935DC26-1CF0-11D0-ADB9-00C04FD58A0B" nocase wide ascii
$tagasp_capa_classid5 = "0D43FE01-F093-11CF-8940-00A0C9054228" nocase wide ascii
condition:
//any of them or
(
(
any of ( $tagasp_long* ) or
// TODO : yara_push_private_rules.py doesn't do private rules in private rules yet
any of ( $tagasp_classid* ) or
(
$tagasp_short1 and
$tagasp_short2 in ( filesize-100..filesize )
) or (
$tagasp_short2 and (
$tagasp_short1 in ( 0..1000 ) or
$tagasp_short1 in ( filesize-1000..filesize )
)
)
) and not (
(
any of ( $perl* ) or
$php1 at 0 or
$php2 at 0
) or (
( #jsp1 + #jsp2 + #jsp3 ) > 0 and ( #jsp4 + #jsp5 + #jsp6 + #jsp7 ) > 0
)
)
)
and not (
uint16(0) == 0x5a4d or
$dex1 at 0 or
$dex2 at 0 or
$pack at 0 or
// fp on jar with zero compression
uint16(0) == 0x4b50
)
and (
any of ( $asp_input* ) or
(
$asp_xml_http and
any of ( $asp_xml_method* )
) or
(
any of ( $asp_form* ) and
any of ( $asp_text* ) and
$asp_asp
)
)
and (
any of ( $asp_payload* ) or
all of ( $asp_multi_payload_one* ) or
all of ( $asp_multi_payload_two* ) or
all of ( $asp_multi_payload_three* ) or
all of ( $asp_multi_payload_four* ) or
all of ( $asp_multi_payload_five* )
)
and not any of ( $fp* ) and
( ( filesize < 3KB and
( 1 of ( $asp_slightly_sus* ) ) ) or
( filesize < 25KB and
( 1 of ( $asp_much_sus* ) or 1 of ( $asp_gen_sus* ) or
( #asp_gen_obf1 > 2 ) ) ) or
( filesize < 50KB and
( 1 of ( $asp_much_sus* ) or 3 of ( $asp_gen_sus* ) or
( #asp_gen_obf1 > 6 ) ) ) or
( filesize < 150KB and
( 1 of ( $asp_much_sus* ) or 4 of ( $asp_gen_sus* ) or
( #asp_gen_obf1 > 6 ) or
( (
any of ( $asp_always_write* ) and
(
any of ( $asp_write_way_one* ) and
any of ( $asp_cr_write* )
) or (
any of ( $asp_streamwriter* )
)
)
and
( 1 of ( $asp_much_sus* ) or 2 of ( $asp_gen_sus* ) or
( #asp_gen_obf1 > 3 ) ) ) ) ) or
( filesize < 100KB and (
any of ( $tagasp_capa_classid* )
)
) )
}
// Tiny (< 500 byte) PHP one-liner shells of the form  echo `$var`;  -- PHP
// backtick operator (shell execution) applied directly to a variable, which in
// a webshell is normally request input. Score 75: the pattern is unusual in
// legitimate code, but a legitimate snippet echoing the command substitution of
// a local variable would also hit, so triage matches rather than auto-block.
rule WEBSHELL_PHP_Generic_Backticks_OBFUSC
{
meta:
description = "Generic PHP webshell which uses backticks directly on user input"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
reference = "Internal Research"
score = 75
date = "2021/01/07"
modified = "2023-04-05"
hash = "23dc299f941d98c72bd48659cdb4673f5ba93697"
hash = "e3f393a1530a2824125ecdd6ac79d80cfb18fffb89f470d687323fb5dff0eec1"
hash = "1e75914336b1013cc30b24d76569542447833416516af0d237c599f95b593f9b"
hash = "8db86ad90883cd208cf86acd45e67c03f994998804441705d690cb6526614d00"
id = "5ecb329f-0755-536d-8bfa-e36158474a0b"
strings:
// "echo", up to 500 spaces/tabs, optional "(", a backtick, then a "$" variable:
//   echo `$_GET['c']`;     echo(`$cmd`);
$s1 = /echo[\t ]{0,500}\(?`\$/ wide ascii
//strings from private rule capa_php_old_safe
$php_short = "<?" wide ascii
// prevent xml and asp from hitting with the short tag
$no_xml1 = "<?xml version" nocase wide ascii
$no_xml2 = "<?xml-stylesheet" nocase wide ascii
$no_asp1 = "<%@LANGUAGE" nocase wide ascii
$no_asp2 = /<script language="(vb|jscript|c#)/ nocase wide ascii
// NOTE(review): ascii only (no "wide" modifier, unlike the other $no_* strings),
// so a UTF-16 XMP packet prolog would not be excluded here.
$no_pdf = "<?xpacket"
// of course the new tags should also match
// already matched by "<?"
$php_new1 = /<\?=[^?]/ wide ascii
$php_new2 = "<?php" nocase wide ascii
$php_new3 = "<script language=\"php" nocase wide ascii
condition:
// Size gate first (cheap, and this rule only targets one-liner shells).
filesize < 500 and (
(
(
// Short open tag near the start or the end of the file. Because the file
// is < 500 bytes, filesize-1000 is (presumably) below offset 0, so the
// second range effectively spans the whole file and subsumes (0..100);
// harmless, but the position check is not really a restriction here.
$php_short in (0..100) or
$php_short in (filesize-1000..filesize)
)
// ...unless the "<?" is really an XML / ASP / PDF-XMP prolog.
and not any of ( $no_* )
)
// Unambiguous PHP markers ("<?php", "<?=", script-tag form) always count.
or any of ( $php_new* )
)
// Finally the payload pattern itself.
and $s1
}
// Tick group "SysMonitor" loader from the weaponized secure-USB campaign
// described in the Unit 42 reference (hash1 is the analysed sample).
// NOTE(review): the condition calls pe.imphash(), so the file this rule lives in
// must contain `import "pe"` at the top; that import is not visible in this
// excerpt, and without it the rule does not compile.
rule APT_Tick_Sysmon_Loader_Jun18 {
meta:
description = "Detects Sysmon Loader from Tick group incident - Weaponized USB"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/"
date = "2018-06-23"
hash1 = "31aea8630d5d2fcbb37a8e72fe4e096d0f2d8f05e03234645c69d7e8b59bb0e8"
id = "eae013c3-4774-5342-bd1a-5f2825612747"
strings:
// $x1: high-confidence, sample-specific marker (looks like a mutex/event-style
// name, but its role cannot be confirmed from the rule alone). Sufficient to
// fire on its own.
$x1 = "SysMonitor_3A2DCB47" fullword ascii
// $s*: supporting strings -- two file names whose role is not determinable
// here, a Run-key persistence path, a date-like format string, a descriptive
// string, and a few strings that also occur in goodware (see the counts).
$s1 = "msxml.exe" fullword ascii
$s2 = "wins.log" fullword ascii
$s3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\run" fullword ascii
$s4 = "%2d-%2d-%2d-%2d" fullword ascii
$s5 = "%USERPROFILE%" fullword ascii /* Goodware String - occured 22 times */
$s6 = "Windows NT" fullword ascii /* Goodware String - occured 72 times */
$s7 = "device monitor" fullword ascii
$s8 = "\\Accessories" ascii
condition:
// MZ header and size cap, then any ONE of: the known sample's import hash,
// the unique $x1 marker, or 6 of the 9 declared strings ($x1 counts toward
// the 6 as well). Import hashes can collide across unrelated binaries built
// with the same import table, so treat an imphash-only hit as weaker than an
// $x1 hit and confirm against hash1 or the $s* strings before escalating.
uint16(0) == 0x5a4d and filesize < 200KB and (
pe.imphash() == "c5bb16e79fb500c430edce9481ae5b2b" or
$x1 or 6 of them
)
}
// Tick group HomamDownloader from the same weaponized secure-USB incident
// (hash1 is the analysed sample). Gaps in the $s numbering are harmless: YARA
// does not require contiguous identifiers and "them" covers all six strings.
rule APT_Tick_HomamDownloader_Jun18 {
meta:
description = "Detects HomamDownloader from Tick group incident - Weaponized USB"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/"
date = "2018-06-23"
hash1 = "f817c9826089b49d251b8a09a0e9bf9b4b468c6e2586af60e50afe48602f0bec"
id = "8ec52cb7-41a4-50a9-9cb1-23bee354680f"
strings:
// Sample-specific: a "hostname" command whose output is appended to a file
// (host reconnaissance), plus two executable names.
$s1 = "cmd /c hostname >>" fullword ascii
$s2 = "Mstray.exe" fullword ascii
$s3 = "msupdata.exe" fullword ascii
// Generic: Run-key persistence path fragment, an HTTP header, and a legacy
// browser User-Agent that also appears in legitimate software.
$s5 = "Windows\\CurrentVersion\\run" fullword ascii
$s6 = "Content-Type: */*" fullword ascii
$s11 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)" fullword ascii /* Goodware String - occured 3 times */
condition:
// Small PE with any 3 of the 6 strings. NOTE(review): the three generic
// strings ($s5, $s6, $s11) alone satisfy this, so a small benign updater that
// persists via the Run key and sends that User-Agent could match; when
// triaging, prefer hits that include at least one of $s1-$s3.
uint16(0) == 0x5a4d and filesize < 30KB and 3 of them
}