Add new rules to indicator_tools

CAPESandbox · Sep 25, 2024 · 733e6ca · 733e6ca
1 parent a4e8a64
commit 733e6ca
Showing 1 changed file with 91 additions and 0 deletions.
diff --git a/data/yara/binaries/indicator_tools.yar b/data/yara/binaries/indicator_tools.yar
@@ -1838,3 +1838,94 @@ rule INDICATOR_TOOL_SharpGhostTask {
     condition:
         uint16(0) == 0x5a4d and 3 of them
 }
+
+rule INDICATOR_TOOL_KrbRelay {
+    meta:
+        author = "ditekshen"
+        description = "Detects KrbRelay"
+    strings:
+        $s1 = "System.Collections.Generic.IEnumerable<System.IntPtr>.GetEnumerator" fullword ascii
+        $s2 = "System.Collections.Generic.IEnumerator<System.IntPtr>.get_Current" fullword ascii
+        $s3 = "GetProcessIdFromIPid" fullword ascii
+        $g1 = "hello.stg" fullword wide
+        $g2 = "DSInternals.Common" fullword ascii
+        $g3 = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_7b3eed059f4c3e41\\Amd64\\UNIDRV.DLL" fullword wide
+        $g4 = "C:\\Windows\\System32\\kernelbase.dll" fullword wide
+        $g5 = "get_UnsupportedSecretEncryptionType" fullword ascii
+        $g6 = "CoInitializeSecurity Error: 0x{0:X8}. Exploit will fail." fullword wide
+        $g7 = "AuthnSvc: {0} - PrincName: {1}" fullword wide
+    condition: 
+        uint16(0) == 0x5a4d and ((all of ($s*) and 4 of ($g*)) or (7 of them))
+}
+
+rule INDICATOR_TOOL_EDRSilencer {
+    meta:
+        author = "ditekshen"
+        description = "Detects EDRSilencer"
+    strings:
+        $s1 = "block \"C:\\Windows\\System32\\curl.exe\"" ascii
+        $s2 = "blockedr" fullword ascii
+        $s3 = "edrProcess" fullword ascii
+        $s4 = "BlockEdrProcessTraffic" fullword ascii
+        $s5 = "isInEdrProcessList" fullword ascii
+        $s6 = "EDRSilencer.c" fullword ascii
+        $v1 = "elastic-agent.exe" fullword ascii nocase
+        $v2 = "CybereasonAV.exe" fullword ascii nocase
+        $v3 = "SentinelAgent.exe" fullword ascii nocase
+        $v4 = "fortiedr.exe" fullword ascii nocase
+        $v5 = "MsMpEng.exe" fullword ascii nocase
+        $v6 = "CylanceSvc.exe" fullword ascii nocase
+    condition: 
+        uint16(0) == 0x5a4d and (4 of ($s*) or (3 of ($s*) and 1 of ($v*)))
+}
+
+rule INDICATOR_TOOL_EDRPrison {
+    meta:
+        author = "ditekshen"
+        description = "Detects EDRPrison"
+    strings:
+        $s1 = "Block:" wide
+        $s2 = "PacketLen:" wide
+        $s3 = "DoWorkPacket_Step" ascii
+        $s4 = "DoWorkAsyncNETWORK" ascii
+        $s5 = "BlockMessage" ascii
+        $s6 = "GetRmAddrPortNetwork" ascii
+    condition: 
+        uint16(0) == 0x5a4d and 5 of them
+}
+
+rule INDICATOR_TOOL_SharpSQLPwn {
+    meta:
+        author = "ditekshen"
+        description = "Detects SharpSQLPwn"
+    strings:
+        $s1 = "smb_ip" fullword ascii
+        $s2 = "Recon" fullword ascii
+        $s3 = "UNCPathInjection" fullword ascii
+        $s4 = "from sys.server_principals" wide
+        $s5 = "EXEC sp_configure '" wide
+        $s6 = "EXEC ('sp_configure" wide
+        $s7 = "CREATE ASSEMBLY" wide
+        $s8 = "DROP ASSEMBLY" wide
+        $s9 = "FROM 0x" wide
+        $s10 = "EXEC master..xp_dirtree \"\\\\" wide
+    condition: 
+        uint16(0) == 0x5a4d and 7 of them
+}
+
+rule INDICATOR_TOOL_ChromeKatz {
+    meta:
+        author = "ditekshen"
+        description = "Detects ChromeKatz: CookieKatz and CredentialKatz"
+    strings:
+        $s1 = "\\include\\xmemory" ascii wide
+        $s2 = "targetBrowser" ascii
+        $s3 = "thirdPattern" ascii
+        $s4 = "isBrowserWow64" ascii
+        $s5 = "wcscpy_s(memory, size_in_elements, string)" fullword wide
+        $s6 = "hChrome" fullword ascii
+        $t1 = "szCookieMonster" fullword ascii
+        $t2 = "szPasswordReuseDetectorInstances" fullword ascii
+    condition: 
+        uint16(0) == 0x5a4d and 6 of them
+}