YARA rules for Volt Typhoon
95 rules · scoped to actor · back to Volt Typhoon
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.
rule Batch_Script_To_Run_PsExec {
meta:
author = "NCSC"
description = "Detects malicious batch file from NCSC report"
reference = "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"
date = "2018/04/06"
hash = "b7d7c4bc8f9fd0e461425747122a431f93062358ed36ce281147998575ee1a18"
id = "1fbeeec8-a5bd-569e-b435-c7d82d32e47b"
strings:
$ = "Tokens=1 delims=" ascii
$ = "SET ws=%1" ascii
$ = "Checking %ws%" ascii
$ = "%TEMP%\\%ws%ns.txt" ascii
$ = "ps.exe -accepteula" ascii
condition:
3 of them
}
rule Casper_SystemInformation_Output {
meta:
description = "Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://goo.gl/VRJNLo"
date = "2015/03/06"
score = 70
id = "aaae200c-7ef1-52eb-be5b-36e0ad29ecef"
strings:
$a0 = "***** SYSTEM INFORMATION ******"
$a1 = "***** SECURITY INFORMATION ******"
$a2 = "Antivirus: "
$a3 = "Firewall: "
$a4 = "***** EXECUTION CONTEXT ******"
$a5 = "Identity: "
$a6 = "<CONFIG TIMESTAMP="
condition:
all of them
}
rule hacktool_macos_ptoomey3_keychain_dumper
{
meta:
description = "Keychain dumping utility."
reference = "https://github.com/ptoomey3/Keychain-Dumper"
author = "@mimeframe"
strings:
$a1 = "keychain_dumper" wide ascii
$a2 = "/var/Keychains/keychain-2.db" wide ascii
$a3 = "<key>keychain-access-groups</key>" wide ascii
$a4 = "SELECT DISTINCT agrp FROM genp UNION SELECT DISTINCT agrp FROM inet" wide ascii
$a5 = "dumpEntitlements" wide ascii
condition:
all of ($a*)
}
rule SUSP_LNX_ByteEncoder_Jan25 {
meta:
description = "Detects Linux binaries that encode bytes by splitting them into upper and lower nibbles and mapping them to custom lookup tables, seen being used by SEASPY and Bluez backdoors"
author = "MalGamy (Nextron System)"
date = "2025-01-23"
reference = "https://www.securityweek.com/newly-discovered-turla-malware-targets-linux-systems/"
hash = "3e0312ce8d0c1e5c192dbb93cac4770a1205c56dc9d02a0510c7e10a15251de5"
hash = "301d58a6a1819466e77209dbf8ca635cbee3b45516e5ee228fea50ae4a27b7d5"
hash = "957c0c135b50d1c209840ec7ead60912a5ccefd2873bf5722cb85354cea4eb37"
hash = "5e3c128749f7ae4616a4620e0b53c0e5381724a790bba8314acb502ce7334df2"
hash = "b0b83e1c69aa8df6da4383230bef1ef46e09f3bf26cec877eac53a9d48dc53ca"
hash = "d21b40645e33638bd36b63582c2c6ad5e8230c731236a54e8e5f4139bad31fdf"
score = 75
id = "4866348a-2129-5f6a-9498-8ab1acfa74b4"
strings:
$op1 = {8B 45 FC 48 63 D0 48 8B 45 A8 48 01 C2 8B 45 BC C1 F8 04 83 E0 0F 48 98 0F B6 44 05 E0 88 02} // Encode upper nibbl
$op2 = {8B 45 FC 48 98 48 8D 50 01 48 8B 45 A8 48 01 C2 8B 45 BC 83 E0 0F 48 98 0F B6 44 05 C0 88 02} // Encode lower nibble
condition:
uint32be(0) == 0x7f454c46
and filesize < 4MB
and all of them
}
rule BernhardPOS {
meta:
author = "Nick Hoffman / Jeremy Humble"
last_update = "2015-07-14"
source = "Morphick Inc."
description = "BernhardPOS Credit Card dumping tool"
reference = "http://morphick.com/blog/2015/7/14/bernhardpos-new-pos-malware-discovered-by-morphick"
md5 = "e49820ef02ba5308ff84e4c8c12e7c3d"
score = 70
id = "9b9e1507-cf1b-5653-beaa-458205e367c3"
strings:
$shellcode_kernel32_with_junk_code = { 33 c0 83 ?? ?? 83 ?? ?? 64 a1 30 00 00 00 83 ?? ?? 83 ?? ?? 8b 40 0c 83 ?? ?? 83 ?? ?? 8b 40 14 83 ?? ?? 83 ?? ?? 8b 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8b 00 83 ?? ?? 83 ?? ?? 8b 40 10 83 ?? ?? }
$mutex_name = "OPSEC_BERNHARD"
$build_path = "C:\\bernhard\\Debug\\bernhard.pdb"
$string_decode_routine = { 55 8b ec 83 ec 50 53 56 57 a1 ?? ?? ?? ?? 89 45 f8 66 8b 0d ?? ?? ?? ?? 66 89 4d fc 8a 15 ?? ?? ?? ?? 88 55 fe 8d 45 f8 50 ff ?? ?? ?? ?? ?? 89 45 f0 c7 45 f4 00 00 00 00 ?? ?? 8b 45 f4 83 c0 01 89 45 f4 8b 45 08 50 ff ?? ?? ?? ?? ?? 39 45 f4 ?? ?? 8b 45 08 03 45 f4 0f be 08 8b 45 f4 99 f7 7d f0 0f be 54 15 f8 33 ca 8b 45 08 03 45 f4 88 08 ?? ?? 5f 5e 5b 8b e5 5d }
condition:
any of them
}
rule Ping_Command_in_EXE {
meta:
description = "Detects an suspicious ping command execution in an executable"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2016-11-03"
score = 60
id = "937ab622-fbcf-5a31-a3ff-af2584484140"
strings:
$x1 = "cmd /c ping 127.0.0.1 -n " ascii
condition:
uint16(0) == 0x5a4d and all of them
}
rule APT_Project_Sauron_arping_module {
meta:
description = "Detects strings from arping module - Project Sauron report by Kaspersky"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/eFoP4A"
date = "2016-08-08"
id = "42389511-de92-57cb-9dee-9f829fd5e55a"
strings:
$s1 = "Resolve hosts that answer"
$s2 = "Print only replying Ips"
$s3 = "Do not display MAC addresses"
condition:
all of them
}
rule APT_Backdoor_SUNBURST_2
{
meta:
author = "FireEye"
description = "The SUNBURST backdoor uses a domain generation algorithm (DGA) as part of C2 communications. This rule is looking for each branch of the code that checks for which HTTP method is being used. This is in one large conjunction, and all branches are then tied together via disjunction. The grouping is intentionally designed so that if any part of the DGA is re-used in another sample, this signature should match that re-used portion. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
reference = "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
date = "2020-12-14"
score = 85
id = "329071d5-c9c6-5ae1-a514-aea9f4037bac"
strings:
$a = "0y3Kzy8BAA==" wide
$aa = "S8vPKynWL89PS9OvNqjVrTYEYqNa3fLUpDSgTLVxrR5IzggA" wide
$ab = "S8vPKynWL89PS9OvNqjVrTYEYqPaauNaPZCYEQA=" wide
$ac = "C88sSs1JLS4GAA==" wide
$ad = "C/UEAA==" wide
$ae = "C89MSU8tKQYA" wide
$af = "8wvwBQA=" wide
$ag = "cyzIz8nJBwA=" wide
$ah = "c87JL03xzc/LLMkvysxLBwA=" wide
$ai = "88tPSS0GAA==" wide
$aj = "C8vPKc1NLQYA" wide
$ak = "88wrSS1KS0xOLQYA" wide
$al = "c87PLcjPS80rKQYA" wide
$am = "Ky7PLNAvLUjRBwA=" wide
$an = "06vIzQEA" wide
$b = "0y3NyyxLLSpOzIlPTgQA" wide
$c = "001OBAA=" wide
$d = "0y0oysxNLKqMT04EAA==" wide
$e = "0y3JzE0tLknMLQAA" wide
$f = "003PyU9KzAEA" wide
$h = "0y1OTS4tSk1OBAA=" wide
$i = "K8jO1E8uytGvNqitNqytNqrVA/IA" wide
$j = "c8rPSQEA" wide
$k = "c8rPSfEsSczJTAYA" wide
$l = "c60oKUp0ys9JAQA=" wide
$m = "c60oKUp0ys9J8SxJzMlMBgA=" wide
$n = "8yxJzMlMBgA=" wide
$o = "88lMzygBAA==" wide
$p = "88lMzyjxLEnMyUwGAA==" wide
$q = "C0pNL81JLAIA" wide
$r = "C07NzXTKz0kBAA==" wide
$s = "C07NzXTKz0nxLEnMyUwGAA==" wide
$t = "yy9IzStOzCsGAA==" wide
$u = "y8svyQcA" wide
$v = "SytKTU3LzysBAA==" wide
$w = "C84vLUpOdc5PSQ0oygcA" wide
$x = "C84vLUpODU4tykwLKMoHAA==" wide
$y = "C84vLUpO9UjMC07MKwYA" wide
$z = "C84vLUpO9UjMC04tykwDAA==" wide
condition:
($a and $b and $c and $d and $e and $f and $h and $i) or ($j and $k and $l and $m and $n and $o and $p and $q and $r and $s and ($aa or $ab)) or ($t and $u and $v and $w and $x and $y and $z and ($aa or $ab)) or ($ac and $ad and $ae and $af and $ag and $ah and ($am or $an)) or ($ai and $aj and $ak and $al and ($am or $an))
}
rule APT_Dropper_Raw64_TEARDROP_1
{
meta:
author = "FireEye"
description = "This rule looks for portions of the TEARDROP backdoor that are vital to how it functions. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory."
reference = "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
date = "2020-12-14"
score = 85
id = "88adad58-ba16-5996-9ea8-ea356c3ed5b2"
strings:
$sb1 = { C7 44 24 ?? 80 00 00 00 [0-64] BA 00 00 00 80 [0-32] 48 8D 0D [4-32] FF 15 [4] 48 83 F8 FF [2-64] 41 B8 40 00 00 00 [0-64] FF 15 [4-5] 85 C0 7? ?? 80 3D [4] FF }
$sb2 = { 80 3D [4] D8 [2-32] 41 B8 04 00 00 00 [0-32] C7 44 24 ?? 4A 46 49 46 [0-32] E8 [4-5] 85 C0 [2-32] C6 05 [4] 6A C6 05 [4] 70 C6 05 [4] 65 C6 05 [4] 67 }
$sb3 = { BA [4] 48 89 ?? E8 [4] 41 B8 [4] 48 89 ?? 48 89 ?? E8 [4] 85 C0 7? [1-32] 8B 44 24 ?? 48 8B ?? 24 [1-16] 48 01 C8 [0-32] FF D0 }
condition:
all of them
}
rule APT_Dropper_Win64_TEARDROP_1
{
meta:
author = "FireEye"
description = "This rule is intended match specific sequences of opcode found within TEARDROP, including those that decode the embedded payload. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory. (comment by Nextron: prone to False Positives)"
reference = "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
date = "2020-12-14"
score = 70
id = "15dfdb74-5ca3-5bc6-be7a-730333b03ba5"
strings:
$loc_4218FE24A5 = { 48 89 C8 45 0F B6 4C 0A 30 }
$loc_4218FE36CA = { 48 C1 E0 04 83 C3 01 48 01 E8 8B 48 28 8B 50 30 44 8B 40 2C 48 01 F1 4C 01 FA }
$loc_4218FE2747 = { C6 05 ?? ?? ?? ?? 6A C6 05 ?? ?? ?? ?? 70 C6 05 ?? ?? ?? ?? 65 C6 05 ?? ?? ?? ?? 67 }
$loc_5551D725A0 = { 48 89 C8 45 0F B6 4C 0A 30 48 89 CE 44 89 CF 48 F7 E3 48 C1 EA 05 48 8D 04 92 48 8D 04 42 48 C1 E0 04 48 29 C6 }
$loc_5551D726F6 = { 53 4F 46 54 57 41 52 45 ?? ?? ?? ?? 66 74 5C 43 ?? ?? ?? ?? 00 }
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
rule HackTool_Win64_AndrewSpecial_1
{
meta:
description = "Detects AndrewSpecial process dumping tool"
date = "2020-11-25"
modified = "2020-11-25"
md5 = "4456e52f6f8543c3ba76cb25ea3e9bd2"
reference = "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html"
author = "FireEye"
id = "20ce4902-4eb3-5ecf-aa8c-0515965dde57"
strings:
$dump = { 33 D2 B9 FF FF 1F 00 FF 15 [10-90] 00 00 00 00 [2-6] 80 00 00 00 [2-6] 02 00 00 00 45 33 C9 45 33 C0 BA 00 00 00 10 48 8D 0D [4] FF 15 [4-120] 00 00 00 00 [2-6] 00 00 00 00 [2-6] 00 00 00 00 41 B9 02 00 00 00 [6-15] E8 [4-20] FF 15 }
$shellcode_x64 = { 4C 8B D1 B8 3C 00 00 00 0F 05 C3 }
$shellcode_x64_inline = { C6 44 24 ?? 4C C6 44 24 ?? 8B C6 44 24 ?? D1 C6 44 24 ?? B8 C6 44 24 ?? 3C C6 44 24 ?? 00 C6 44 24 ?? 00 C6 44 24 ?? 00 C6 44 24 ?? 0F C6 44 24 ?? 05 C6 44 24 ?? C3 }
condition:
(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and $dump and any of ($shellcode*)
}
rule Dos_netstat {
meta:
description = "Chinese Hacktool Set - file netstat.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "d0444b7bd936b5fc490b865a604e97c22d97e598"
id = "bc3141bf-4e82-5aa4-a8a6-a0a4586ee9a1"
strings:
$s0 = "w03a2409.dll" fullword ascii
$s1 = "Retransmission Timeout Algorithm = unknown (%1!u!)" fullword wide /* Goodware String - occured 2 times */
$s2 = "Administrative Status = %1!u!" fullword wide /* Goodware String - occured 2 times */
$s3 = "Packet Too Big %1!-10u! %2!-10u!" fullword wide /* Goodware String - occured 2 times */
condition:
uint16(0) == 0x5a4d and filesize < 150KB and all of them
}
rule SUSP_Netsh_PortProxy_Command {
meta:
description = "Detects a suspicious command line with netsh and the portproxy command"
author = "Florian Roth (Nextron Systems)"
reference = "https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy"
date = "2019-04-20"
score = 65
hash1 = "9b33a03e336d0d02750a75efa1b9b6b2ab78b00174582a9b2cb09cd828baea09"
id = "cbbd2042-572c-5283-bd45-e745b36733ad"
strings:
$x1 = "netsh interface portproxy add v4tov4 listenport=" ascii
condition:
1 of them
}
rule Loader_MSIL_NetshShellCodeRunner_1
{
meta:
description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'NetshShellCodeRunner' project."
md5 = "dd8805d0e470e59b829d98397507d8c2"
reference = "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html"
author = "FireEye"
id = "b3521812-7ea3-5f80-89bd-3bdd71b687f2"
strings:
$typelibguid0 = "49c045bc-59bb-4a00-85c3-4beb59b2ee12" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
rule Certutil_Decode_OR_Download {
meta:
description = "Certutil Decode"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
score = 40
date = "2017-08-29"
modified = "2026-04-01"
id = "63bdefd2-225a-56d5-b615-5e236c97f050"
strings:
$a1 = "certutil -decode " ascii wide
$a2 = "certutil -decode " ascii wide
$a3 = "certutil.exe -decode " ascii wide
$a4 = "certutil.exe -decode " ascii wide
$a5 = "certutil -urlcache -split -f http" ascii wide
$a6 = "certutil.exe -urlcache -split -f http" ascii wide
$fp_msi = { 52 00 6F 00 6F 00 74 00 20 00 45 00 6E 00 74 00 72 00 79 }
$fp_doc = "https://docs.aws.amazon.com" ascii
condition:
filesize < 700KB
and 1 of ($a*)
and not 1 of ($fp*)
}
rule APT_Cloaked_CERTUTIL {
meta:
description = "Detects a renamed certutil.exe utility that is often used to decode encoded payloads"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2018-09-14"
modified = "2022-06-27"
id = "13943cda-6bb1-5c6c-8e55-e8d4bba1ffef"
strings:
$s1 = "-------- CERT_CHAIN_CONTEXT --------" fullword ascii
$s5 = "certutil.pdb" fullword ascii
$s3 = "Password Token" fullword ascii
condition:
uint16(0) == 0x5a4d and all of them
and not filename contains "certutil"
and not filename contains "CertUtil"
and not filename contains "Certutil"
and not filepath contains "\\Bromium\\"
}
rule Binary_Drop_Certutil {
meta:
description = "Drop binary as base64 encoded cert trick"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/9DNn8q"
date = "2015-07-15"
score = 70
id = "19791e51-d041-524d-80fa-9f3ec54eb084"
strings:
$s0 = "echo -----BEGIN CERTIFICATE----- >" ascii
$s1 = "echo -----END CERTIFICATE----- >>" ascii
$s2 = "certutil -decode " ascii
condition:
filesize < 10KB and all of them
}
rule Impacket_Keyword {
meta:
description = "Detects Impacket Keyword in Executable"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-08-04"
score = 60
hash1 = "9388c78ea6a78dbea307470c94848ae2481481f593d878da7763e649eaab4068"
hash2 = "2f6d95e0e15174cfe8e30aaa2c53c74fdd13f9231406b7103da1e099c08be409"
id = "a92962e6-1b05-583b-8b06-f226bdea88e2"
strings:
$s1 = "impacket.smb(" ascii
$s2 = "impacket.ntlm(" ascii
$s3 = "impacket.nmb(" ascii
condition:
(uint16(0) == 0x5a4d and filesize < 14000KB and 1 of them)
}
rule Impacket_Tools_tracer {
meta:
description = "Compiled Impacket Tools"
author = "Florian Roth"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
modified = "2021-07-15"
hash1 = "e300339058a885475f5952fb4e9faaa09bb6eac26757443017b281c46b03108b"
strings:
$s1 = "btk85.dll" fullword ascii
$s2 = "btcl85.dll" fullword ascii
$s3 = "xtk\\unsupported.tcl" fullword ascii
$fp1 = "Linden Research Inc" wide
condition:
( uint16(0) == 0x5a4d and filesize < 21000KB and all of ($s*) )
and not 1 of ($fp*)
}
rule Impacket_Tools_wmiexec {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "19544863758341fe7276c59d85f4aa17094045621ca9c98f8a9e7307c290bad4"
id = "3c2c7edf-da71-53dc-9ddf-dfbf10838a27"
strings:
$s1 = "bwmiexec.exe.manifest" fullword ascii
$s2 = "swmiexec" fullword ascii
$s3 = "\\yzHPlU=QA" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and 2 of them )
}
rule Impacket_Tools_sniffer {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "efff15e1815fb3c156678417d6037ddf4b711a3122c9b5bc2ca8dc97165d3769"
id = "07051edc-91a8-59d6-87bf-dba98ef28588"
strings:
$s1 = "ssniffer" fullword ascii
$s2 = "impacket.dhcp(" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 15000KB and all of them )
}
rule Impacket_Tools_mmcexec {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "263a1655a94b7920531e123a8c9737428f2988bf58156c62408e192d4b2a63fc"
id = "cca2082f-72a4-50c8-80b8-a9bed430dc4e"
strings:
$s1 = "smmcexec" fullword ascii
$s2 = "\\yzHPlU=QA" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 16000KB and all of them )
}
rule Impacket_Tools_ifmap {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "20a1f11788e6cc98a76dca2db4691963c054fc12a4d608ac41739b98f84b3613"
id = "e5461916-ec2b-5f65-b938-267483f50bb2"
strings:
$s1 = "bifmap.exe.manifest" fullword ascii
$s2 = "impacket.dcerpc.v5.epm(" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 15000KB and all of them )
}
rule karmaSMB {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "d256d1e05695d62a86d9e76830fcbb856ba7bd578165a561edd43b9f7fdb18a3"
id = "32c810c7-02e7-5203-b2ed-4e930b318cc0"
strings:
$s1 = "bkarmaSMB.exe.manifest" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
rule samrdump {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "4c2921702d18e0874b57638433474e54719ee6dfa39d323839d216952c5c834a"
id = "cd274719-c8cc-5882-8d75-192ad822c6b3"
strings:
$s2 = "bsamrdump.exe.manifest" fullword ascii
$s3 = "ssamrdump" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
rule Impacket_Tools_rpcdump {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "21d85b36197db47b94b0f4995d07b040a0455ebbe6d413bc33d926ee4e0315d9"
id = "3f998aa6-c260-5fef-99ef-e8b4770c68c6"
strings:
$s1 = "srpcdump" fullword ascii
$s2 = "impacket.dcerpc.v5.epm(" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
rule Impacket_Tools_secretsdump {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "47afa5fd954190df825924c55112e65fd8ed0f7e1d6fd403ede5209623534d7d"
id = "c944d051-ea24-5595-abef-59e326ad56de"
strings:
$s1 = "ssecretsdump" fullword ascii
$s2 = "impacket.ese(" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
rule Impacket_Tools_esentutl {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "70d854953d3ebb2c252783a4a103ba0e596d6ab447f238af777fb37d2b64c0cd"
id = "1965e2b3-54be-553a-83d6-a0d4919414dd"
strings:
$s1 = "impacket.ese(" ascii
$s2 = "sesentutl" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 11000KB and all of them )
}
rule Impacket_Tools_opdump {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "e2205539f29972d4e2a83eabf92af18dd406c9be97f70661c336ddf5eb496742"
id = "1bb0e747-e9b7-5a54-8052-428351be8d0d"
strings:
$s2 = "bopdump.exe.manifest" fullword ascii
$s3 = "sopdump" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
rule Impacket_Tools_sniff {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "8ab2b60aadf97e921e3a9df5cf1c135fbc851cb66d09b1043eaaa1dc01b9a699"
id = "07051edc-91a8-59d6-87bf-dba98ef28588"
strings:
$s1 = "ssniff" fullword ascii
$s2 = "impacket.eap(" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 15000KB and all of them )
}
rule Impacket_Tools_smbexec {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "7d715217e23a471d42d95c624179fe7de085af5670171d212b7b798ed9bf07c2"
id = "02208817-2eab-54e2-90cf-44dbf5474607"
strings:
$s1 = "logging.config(" ascii
$s2 = "ssmbexec" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
rule Impacket_Tools_goldenPac {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "4f7fad0676d3c3d2d89e8d4e74b6ec40af731b1ddf5499a0b81fc3b1cd797ee3"
id = "9894d16c-83fa-5e1d-9ca6-572deeec006a"
strings:
$s1 = "impacket.examples.serviceinstall(" ascii
$s2 = "bgoldenPac.exe" fullword ascii
$s3 = "json.scanner(" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
rule Impacket_Tools_netview {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "ab909f8082c2d04f73d8be8f4c2640a5582294306dffdcc85e83a39d20c49ed6"
id = "1b9238d2-b9b1-5633-8481-05a3a97af5a6"
strings:
$s1 = "impacket.dcerpc.v5.wkst(" ascii
$s2 = "dummy_threading(" ascii
$s3 = "snetview" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
rule Impacket_Tools_smbtorture {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "d2856e98011541883e5b335cb46b713b1a6b2c414966a9de122ee7fb226aa7f7"
id = "4f9b55e2-93ce-5d08-a228-73233fb0a2c6"
strings:
$s1 = "impacket" fullword ascii
$s2 = "ssmbtorture" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
rule Impacket_Tools_smbrelayx {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "9706eb99e48e445ac4240b5acb2efd49468a800913e70e40b25c2bf80d6be35f"
id = "84abf3cf-841c-592d-a9d1-71d5e76eb43f"
strings:
$s1 = "impacket.examples.secretsdump" fullword ascii
$s2 = "impacket.examples.serviceinstall" fullword ascii
$s3 = "impacket.smbserver(" ascii
$s4 = "SimpleHTTPServer(" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 18000KB and 3 of them )
}
rule Impacket_Tools_wmipersist {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "2527fff1a3c780f6a757f13a8912278a417aea84295af1abfa4666572bbbf086"
id = "29bda652-28f0-5ab6-9bc2-411f20ab0dda"
strings:
$s1 = "swmipersist" fullword ascii
$s2 = "\\yzHPlU=QA" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
rule Impacket_Tools_lookupsid {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "47756725d7a752d3d3cfccfb02e7df4fa0769b72e008ae5c85c018be4cf35cc1"
id = "27f13397-b044-54b4-b5e8-c5f7ed374f59"
strings:
$s1 = "slookupsid" fullword ascii
$s2 = "impacket.dcerpc" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 15000KB and all of them )
}
rule Impacket_Tools_wmiquery {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "202a1d149be35d96e491b0b65516f631f3486215f78526160cf262d8ae179094"
id = "e8bdf27a-9763-5947-854f-162f74ff53be"
strings:
$s1 = "swmiquery" fullword ascii
$s2 = "\\yzHPlU=QA" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 17000KB and all of them )
}
rule Impacket_Tools_atexec {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
hash1 = "337bd5858aba0380e16ee9a9d8f0b3f5bfc10056ced4e75901207166689fbedc"
id = "4f02e304-69d4-5952-80be-793379bccac0"
strings:
$s1 = "batexec.exe.manifest" fullword ascii
$s2 = "satexec" fullword ascii
$s3 = "impacket.dcerpc" fullword ascii
$s4 = "# CSZq" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 15000KB and 3 of them )
}
rule Impacket_Tools_Generic_1 {
meta:
description = "Compiled Impacket Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/maaaaz/impacket-examples-windows"
date = "2017-04-07"
super_rule = 1
hash1 = "4f7fad0676d3c3d2d89e8d4e74b6ec40af731b1ddf5499a0b81fc3b1cd797ee3"
hash2 = "d256d1e05695d62a86d9e76830fcbb856ba7bd578165a561edd43b9f7fdb18a3"
hash3 = "2d8d500bcb3ffd22ddd8bd68b5b2ce935c958304f03729442a20a28b2c0328c1"
hash4 = "ab909f8082c2d04f73d8be8f4c2640a5582294306dffdcc85e83a39d20c49ed6"
hash5 = "e2205539f29972d4e2a83eabf92af18dd406c9be97f70661c336ddf5eb496742"
hash6 = "27bb10569a872367ba1cfca3cf1c9b428422c82af7ab4c2728f501406461c364"
hash7 = "dc85a3944fcb8cc0991be100859c4e1bf84062f7428c4dc27c71e08d88383c98"
hash8 = "0f7f0d8afb230c31fe6cf349c4012b430fc3d6722289938f7e33ea15b2996e1b"
hash9 = "21d85b36197db47b94b0f4995d07b040a0455ebbe6d413bc33d926ee4e0315d9"
hash10 = "4c2921702d18e0874b57638433474e54719ee6dfa39d323839d216952c5c834a"
hash11 = "47afa5fd954190df825924c55112e65fd8ed0f7e1d6fd403ede5209623534d7d"
hash12 = "7d715217e23a471d42d95c624179fe7de085af5670171d212b7b798ed9bf07c2"
hash13 = "9706eb99e48e445ac4240b5acb2efd49468a800913e70e40b25c2bf80d6be35f"
hash14 = "d2856e98011541883e5b335cb46b713b1a6b2c414966a9de122ee7fb226aa7f7"
hash15 = "8ab2b60aadf97e921e3a9df5cf1c135fbc851cb66d09b1043eaaa1dc01b9a699"
hash16 = "efff15e1815fb3c156678417d6037ddf4b711a3122c9b5bc2ca8dc97165d3769"
hash17 = "e300339058a885475f5952fb4e9faaa09bb6eac26757443017b281c46b03108b"
hash18 = "19544863758341fe7276c59d85f4aa17094045621ca9c98f8a9e7307c290bad4"
hash19 = "2527fff1a3c780f6a757f13a8912278a417aea84295af1abfa4666572bbbf086"
hash20 = "202a1d149be35d96e491b0b65516f631f3486215f78526160cf262d8ae179094"
id = "d2ce6426-d165-5569-a992-268f05622653"
strings:
$s1 = "bpywintypes27.dll" fullword ascii
$s2 = "hZFtPC" fullword ascii
$s3 = "impacket" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 21000KB and all of ($s*) ) or ( all of them )
}
rule Impacket_Lateral_Movement {
meta:
description = "Detects Impacket Network Aktivity for Lateral Movement"
author = "Markus Neis"
reference = "https://github.com/CoreSecurity/impacket"
date = "2018-03-22"
score = 60
id = "44db234c-ac81-5d21-bc2a-8cfd88807c0d"
strings:
$s1 = "impacket.dcerpc.v5.transport(" ascii
$s2 = "impacket.smbconnection(" ascii
$s3 = "impacket.dcerpc.v5.ndr(" ascii
$s4 = "impacket.spnego(" ascii
$s5 = "impacket.smb(" ascii
$s6 = "impacket.ntlm(" ascii
$s7 = "impacket.nmb(" ascii
condition:
uint16(0) == 0x5a4d and filesize < 14000KB and 2 of them
}
rule HackTool_PY_ImpacketObfuscation_1
{
meta:
date = "2020-12-01"
modified = "2020-12-01"
description = "smbexec"
md5 = "0b1e512afe24c31531d6db6b47bac8ee"
reference = "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html"
author = "FireEye"
id = "992d1132-3136-5e1b-a1ef-dcdf36ebf0f5"
strings:
$s1 = "class CMDEXEC" nocase
$s2 = "class RemoteShell" nocase
$s3 = "self.services_names"
$s4 = "import random"
$s6 = /self\.__shell[\x09\x20]{0,32}=[\x09\x20]{0,32}[\x22\x27]%CoMSpEC%[\x09\x20]{1,32}\/q[\x09\x20]{1,32}\/K [\x22\x27]/ nocase
$s7 = /self\.__serviceName[\x09\x20]{0,32}=[\x09\x20]{0,32}self\.services_names\[random\.randint\([\x09\x20]{0,32}0[\x09\x20]{0,32},[\x09\x20]{0,32}len\(self\.services_names\)[\x09\x20]{0,32}-[\x09\x20]{0,32}1\)\]/
condition:
all of them
}
rule HackTool_PY_ImpacketObfuscation_2
{
meta:
description = "Detects FireEye's wmiexec impacket obfuscation"
date = "2020-12-01"
modified = "2020-12-01"
md5 = "f3dd8aa567a01098a8a610529d892485"
reference = "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html"
author = "FireEye"
id = "f1059f66-eaff-5866-bafb-c94236cf96a0"
strings:
$s1 = "import random"
$s2 = "class WMIEXEC" nocase
$s3 = "class RemoteShell" nocase
$s4 = /=[\x09\x20]{0,32}str\(int\(time\.time\(\)\)[\x09\x20]{0,32}-[\x09\x20]{0,32}random\.randint\(\d{1,10}[\x09\x20]{0,32},[\x09\x20]{0,32}\d{1,10}\)\)[\x09\x20]{0,32}\+[\x09\x20]{0,32}str\(uuid\.uuid4\(\)\)\.split\([\x22\x27]\-[\x22\x27]\)\[0\]/
$s5 = /self\.__shell[\x09\x20]{0,32}=[\x09\x20]{0,32}[\x22\x27]cmd.exe[\x09\x20]{1,32}\/q[\x09\x20]{1,32}\/K [\x22\x27]/ nocase
condition:
all of them
}
rule WEBSHELL_JAVA_VersaMem_JAR_Aug24_1 {
meta:
description = "Detects VersaMem Java webshell samples (as used by Volt Typhoon)"
author = "blacklotuslabs (modified by Florian Roth and X__Junior)"
reference = "https://x.com/ryanaraine/status/1828440883315999117"
date = "2024-08-27"
modified = "2024-08-29"
score = 75
id = "9b666e61-cfa8-58b3-a362-772cd907c57c"
strings:
$sa1 = "com.versa.vnms.ui.TestMain"
$sa2 = "captureLoginPasswordCode"
$sa3 = "com/versa/vnms/ui/services/impl/VersaAuthenticationServiceImpl"
$sa4 = "/tmp/.temp.data"
$sa5 = "getInsertCode"
$sa6 = "VersaMem"
$sa7 = "Versa-Auth"
$sb1 = "/tmp/.java_pid"
$sb2 = {2f 75 73 72 2f 62 69 6e 2f 70 67 72 65 70 01 00 02 2d 66 01 00 25 6f 72 67 2e 61 70 61 63 68 65 2e 63 61 74 61 6c 69 6e 61 2e 73 74 61 72 74 75 70 2e 42 6f 6f 74 73 74 72 61 70 07}
condition:
filesize < 5MB and ( 3 of them or all of ($sb*) )
}
rule WEBSHELL_JAVA_VersaMem_JAR_Aug24_2 {
meta:
description = "Detects VersaMem Java webshell samples (as used by Volt Typhoon)"
author = "Florian Roth"
reference = "https://x.com/craiu/status/1828687700884336990"
date = "2024-08-29"
score = 75
hash1 = "4bcedac20a75e8f8833f4725adfc87577c32990c3783bf6c743f14599a176c37"
id = "5ca598ed-5d0a-563d-a5e8-f8229af2c949"
strings:
$x1 = "tomcat_memShell" ascii
$x2 = "versa/vnms/ui/config/" ascii fullword
condition:
uint16(0) == 0x4b50
and filesize < 3000KB
and 1 of them
}