
YARA rules

4 rules indexed · pattern-based malware identification
YARA rules identify and classify malware families through binary patterns, strings, and metadata. Rules below come from multiple open repositories. Expand any rule to see its raw signature.

Rules

MachO (private rule MachO)
Mach-O binaries
Source: signature-base
private rule MachO
{
    meta:
        description = "Mach-O binaries"
    condition:
        // 32-bit Mach-O magic (MH_MAGIC / MH_CIGAM), 64-bit magic (MH_MAGIC_64 / MH_CIGAM_64),
        // and fat/universal binary magic (FAT_MAGIC / FAT_CIGAM), each in both byte orders
        uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or
        uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or
        uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca
}
Sofacy (rule Sofacy_Malware_AZZY_Backdoor_1)
AZZY Backdoor - Sample 1
Source: signature-base. Author: Florian Roth (Nextron Systems)
rule Sofacy_Malware_AZZY_Backdoor_1 {
	meta:
		description = "AZZY Backdoor - Sample 1"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/"
		date = "2015-12-04"
		hash = "a9dc96d45702538c2086a749ba2fb467ba8d8b603e513bdef62a024dfeb124cb"
		id = "184dc45e-8014-5dcf-a033-d77586c60fdf"
	strings:
		$s0 = "advstorshell.dll" fullword wide
		$s1 = "advshellstore.dll" fullword ascii
		$s2 = "Windows Advanced Storage Shell Extension DLL" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 150KB and 2 of them
}
hacktool (rule hacktool_macos_exploit_tpwn)
tpwn exploits a null pointer dereference in XNU to escalate privileges to root.
Source: signature-base. Author: @mimeframe
rule hacktool_macos_exploit_tpwn
{
    meta:
        description = "tpwn exploits a null pointer dereference in XNU to escalate privileges to root."
        reference = "https://www.rapid7.com/db/modules/exploit/osx/local/tpwn"
        author = "@mimeframe"
    strings:
        $a1 = "[-] Couldn't find a ROP gadget, aborting." wide ascii
        $a2 = "leaked kaslr slide," wide ascii
        $a3 = "didn't get root, but this system is vulnerable." wide ascii
        $a4 = "Escalating privileges! -qwertyoruiop" wide ascii
    condition:
        2 of ($a*)
}
hacktool (rule hacktool_windows_mimikatz_files)
Mimikatz credential dump tool: Files
Source: signature-base. Author: @fusionrace
rule hacktool_windows_mimikatz_files
{
    meta:
        description = "Mimikatz credential dump tool: Files"
        reference = "https://github.com/gentilkiwi/mimikatz"
        author = "@fusionrace"
        md5_1 = "09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669"
        md5_2 = "004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c"
    strings:
        $s1 = "kiwifilter.log" fullword wide
        $s2 = "kiwissp.log" fullword wide
        $s3 = "mimilib.dll" fullword ascii wide
    condition:
        uint16(0) == 0x5a4d and filesize < 800KB and /* Added by Florian Roth to avoid false positives */
        any of them
}
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin