YARA rules for Solar
YARA rules whose family, name, or description matches this tool or its tooling. The match is by keyword, so rules for unrelated tools with a similar name end up side by side — here, Equation Group Solaris implants (ELF) are listed next to SolarWinds/SUNBURST and SolarFlare rules (PE, config and log rules) — so check each rule's description and reference before deploying it. Use these for binary-pattern hunts; note that rules referencing `pe.*` fields need `import "pe"` at the top of the rule file, and a rule whose condition uses `filename` only compiles when that external variable is defined by the scanner (e.g. `yara -d filename=…`).
// Equation Group (EQGRP) Solaris tool "durablenapkin" 2.0.1.1.
// Hunts for a small ELF binary that carries the tool's own diagnostic
// message strings; no code patterns are used, so a rebuilt/stripped
// variant with changed messages would not match.
rule EQGRP_durablenapkin_solaris_2_0_1 {
   meta:
      description = "Detects tool from EQGRP toolset - file durablenapkin.solaris.2.0.1.1"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Research"
      date = "2016-08-15"
      score = 75
      id = "7b49a26d-9ee3-5aff-93fc-509239daef28"
   strings:
      // Error/format strings from the tool's own I/O helpers. putmsg/getmsg
      // look like STREAMS-style message passing, consistent with a Solaris
      // network tool — inferred from the strings only, not verified here.
      $s1 = "recv_ack: %s: Service not supplied by provider" fullword ascii
      $s2 = "send_request: putmsg \"%s\": %s" fullword ascii
      $s3 = "port undefined" fullword ascii
      $s4 = "recv_ack: %s getmsg: %s" fullword ascii
      $s5 = ">> %d -- %d" fullword ascii
   condition:
      // 0x457f is bytes 7f 45 read little-endian: the ELF magic "\x7fELF".
      // The 40KB cap keeps the scan cheap and reflects the small tool size;
      // any two of the five messages is considered specific enough to match.
      ( uint16(0) == 0x457f and filesize < 40KB and 2 of them )
}
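// Anomaly in the SolarWinds Orion BusinessLayer configuration file (SUNBURST
// era): a "ReportWatcher" entry is treated as suspicious, while a file that
// also contains "ReportStatus" is treated as a known-good configuration and
// suppressed (see the referenced tweet for the observation this is based on).
//
// NOTE: `filename` is an EXTERNAL variable. It is not set by default, so this
// rule only compiles and matches when the scanner defines it, e.g.
//   yara -d filename=SolarWinds.Orion.Core.BusinessLayer.dll.config rules.yar <file>
// Scanners that expose the scanned file's name as `filename` set it for you.
rule APT_SUSP_Solarwinds_Orion_Config_Anomaly_Dec20 {
   meta:
      // Description rewritten: the previous text ("renamed Afind.exe") was a
      // copy-paste leftover from an unrelated rule and did not describe this one.
      description = "Detects a suspicious ReportWatcher entry in the SolarWinds Orion Core BusinessLayer config file (SUNBURST-related anomaly)"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://twitter.com/iisresetme/status/1339546337390587905?s=12"
      date = "2020-12-15"
      score = 70
      nodeepdive = 1
      id = "440a3eb9-b573-53ea-ab26-c44d9cf62401"
   strings:
      // suspicious marker
      $s1 = "ReportWatcher" fullword wide ascii
      // false-positive guard: present in configurations considered legitimate
      $fp1 = "ReportStatus" fullword wide ascii
   condition:
      // Product/file name is "SolarWinds.Orion.Core.BusinessLayer.dll.config".
      // The previous spelling "SolarWindows..." could never equal the real
      // file name, so the rule was dead on arrival; fixed here.
      filename == "SolarWinds.Orion.Core.BusinessLayer.dll.config"
      and $s1
      and not $fp1
}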
// Equation Group "watcher" for Solaris/i386, v3.3.0 (Shadow Brokers dump).
// String-based: all four markers must be present in one ELF under 700KB.
rule EquationGroup_watcher_solaris_i386_v_3_3_0 {
   meta:
      description = "Equation Group hack tool set"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-09"
      hash1 = "395ec2531970950ffafde234dded0cce0c95f1f9a22763d1d04caa060a5222bb"
      id = "e75c6ed9-b6e6-530d-a6ac-40bd0477754f"
   strings:
      // $s1/$s6 look like Solaris libc/CRT symbol names and $s2 a getopt-style
      // message; on their own they are generic, which is why the condition
      // requires all of them together with $s12.
      $s1 = "getexecname" fullword ascii
      $s2 = "invalid option `" fullword ascii
      $s6 = "__fpstart" ascii
      // Odd letter sequence (G H F I J K ... V X W) — presumably a table or
      // encoding constant specific to this build; the most distinctive string.
      $s12 = "GHFIJKLMNOPQRSTUVXW" fullword ascii
   condition:
      // 0x457f == "\x7fELF" magic read little-endian; all four strings required.
      ( uint16(0) == 0x457f and filesize < 700KB and all of them )
}
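// This rule reads pe.signatures, so the PE module must be imported. YARA
// ignores a repeated import of the same module, so this is safe when the
// rule is concatenated into a file that already imports "pe".
import "pe"

// PE files signed with the SolarWinds code-signing certificate that was
// revoked after SUNBURST (Symantec Class 3 SHA256 Code Signing CA, serial
// 0f:e9:73:75:...). This is a signer indicator, not a behaviour indicator:
// it tells you who signed the file, not what the file does, which is why the
// score is only 50. Treat matches as triage input, not as alerts.
rule SUSP_Solarwinds_SUNBURST_Revoked_Cert {
   meta:
      // The description was cut off mid-sentence in the original listing;
      // completed to state the caveat the truncated text was starting to make.
      description = "Detects executables signed with a compromised certificate after 2019 (it doesn't mean that the file is malicious, only that it carries the revoked SolarWinds signature)"
      date = "2020-12-14"
      reference = "https://github.com/fireeye/sunburst_countermeasures/pull/3#issuecomment-747156202"
      score = 50
   condition:
      // 0x5a4d == "MZ": PE files only
      uint16(0) == 0x5a4d and
      // YARA ranges are inclusive. The original iterated (0 .. number_of_signatures),
      // which touches one index past the last signature; that index is undefined
      // and simply evaluates false, so it was harmless but wrong. Guarding on
      // number_of_signatures > 0 avoids an empty/negative range when unsigned.
      pe.number_of_signatures > 0 and
      for any i in (0 .. pe.number_of_signatures - 1) : (
         pe.signatures[i].issuer contains "Symantec Class 3 SHA256 Code Signing CA" and
         pe.signatures[i].serial == "0f:e9:73:75:20:22:a6:06:ad:f2:a3:6e:34:5d:c0:ed" and
         // certificate validity starts after Tuesday, January 1, 2019 00:00:00 UTC
         pe.signatures[i].not_before > 1546300800
      )
}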
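// Web-server log rule for SUPERNOVA webshell access: a request to the
// SolarWinds LogoImageHandler.ashx handler whose URL carries a "clazz="
// parameter (one of the webshell's request parameters per the referenced
// analysis). Intended for IIS/other HTTP logs, not for binaries.
rule LOG_APT_WEBSHELL_Solarwinds_SUNBURST_Report_Webshell_Dec20_2 {
   meta:
      description = "Detects SUPERNOVA webshell access (LogoImageHandler.ashx request with a clazz= parameter) in web server logs, as mentioned in FireEye's SUNBURST report"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/"
      date = "2020-12-21"
      id = "fb86164d-13de-5357-8f52-c597b51127ff"
   strings:
      // Changes vs. the original pattern:
      //  - the "." before "ashx" is now escaped; unescaped it was a wildcard.
      //  - "nocase" added: IIS paths and query-string names are case-insensitive,
      //    so an attacker can request "LogoImageHandler.ashx?Clazz=" and the
      //    case-sensitive pattern would have missed it.
      // [^\n\s]{1,400} keeps the match inside a single log token (the URL),
      // so "clazz=" from a different line or field cannot complete the match.
      $xr1 = /logoimagehandler\.ashx[^\n\s]{1,400}clazz=/ ascii wide nocase
   condition:
      $xr1
}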
// .NET hack tool "SolarFlare" (SolarWinds credential dumper) identified by the
// typelib GUID embedded in the compiled assembly — a generated rule in the
// HKTL_NET_GUID_* family, hence the one-string condition.
rule HKTL_NET_GUID_SolarFlare {
   meta:
      description = "Detects c# red/black-team tools via typelibguid"
      reference = "https://github.com/mubix/solarflare"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Arnim Rupp (https://github.com/ruppde)"
      date = "2020-12-15"
      modified = "2025-08-15"
      id = "3645e14c-6025-59fa-a5a2-d8dacba8cd94"
   strings:
      // Lower-case spelling only ("lo" suffix). NOTE(review): if the GUID can
      // appear upper-cased in an assembly, an upper-case variant or `nocase`
      // would be needed — confirm against the generator this rule came from.
      $typelibguid0lo = "ca60e49e-eee9-409b-8d1a-d19f1d27b7e4" ascii wide
   condition:
      // "MZ" header and a "PE\0\0" signature at the e_lfanew offset (0x3C):
      // restricts the scan to PE files so the GUID must come from a compiled
      // assembly rather than from source/text. Any one GUID string matches.
      (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
// Generic detection for SolarWinds Orion credential stealers (e.g. SolarFlare):
// a PE that names the Orion certificate AND either the on-disk credential
// store files or the credential-table columns it would read.
// NOTE(review): legitimate SolarWinds Orion components presumably reference
// the same certificate CN, file paths and column names; if deployed broadly,
// expect to allow-list by signer or install path — confirm on a clean host.
rule HKTL_Solarwinds_credential_stealer {
   meta:
      description = "Detects solarwinds credential stealers like e.g. solarflare via the touched certificate, files and database columns"
      // duplicate meta keys are permitted in YARA
      reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware"
      reference = "https://github.com/mubix/solarflare"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Arnim Rupp"
      date = "2021-01-20"
      hash = "1b2e5186464ed0bdd38fcd9f4ab294a7ba28bd829bf296584cbc32e2889037e4"
      hash = "4adb69d4222c80d97f8d64e4d48b574908a518f8d504f24ce93a18b90bd506dc"
      id = "87dba889-367a-5fc3-b5e0-eb8e3c36a5e9"
   strings:
      // certificate used to protect the Orion credential store (required)
      $certificate = "CN=SolarWinds-Orion" ascii nocase wide
      // on-disk artefacts a stealer reads: DB access credential, key store,
      // the Orion DB itself and the RabbitMQ cookie (path fragments, nocase)
      $credfile1 = "\\CredentialStorage\\SolarWindsDatabaseAccessCredential" ascii nocase wide
      $credfile2 = "\\KeyStorage\\CryptoHelper\\default.dat" ascii nocase wide
      $credfile3 = "\\Orion\\SWNetPerfMon.DB" ascii nocase wide
      $credfile4 = "\\Orion\\RabbitMQ\\.erlang.cookie" ascii nocase wide
      // column names of the Orion credential tables; individually generic,
      // so five of the six are required
      $sql1 = "encryptedkey" ascii nocase wide fullword
      $sql2 = "protectiontype" ascii nocase wide fullword
      $sql3 = "CredentialProperty" ascii nocase wide fullword
      $sql4 = "passwordhash" ascii nocase wide fullword
      $sql5 = "credentialtype" ascii nocase wide fullword
      $sql6 = "passwordsalt" ascii nocase wide fullword
   condition:
      // "MZ" header, the certificate CN, plus either two credential-file paths
      // or five of the six column names
      uint16(0) == 0x5A4D and $certificate and ( 2 of ( $credfile* ) or 5 of ( $sql* ) )
}