From 733e6cad7ee6e982c912f40439bde788ce7b69fc Mon Sep 17 00:00:00 2001
From: ditekshen
Date: Wed, 25 Sep 2024 18:45:03 +0300
Subject: [PATCH] Add new rules to indicator_tools
---
 data/yara/binaries/indicator_tools.yar | 91 ++++++++++++++++++++++++++
 1 file changed, 91 insertions(+)
diff --git a/data/yara/binaries/indicator_tools.yar b/data/yara/binaries/indicator_tools.yar
index 107ab6b9..206c814a 100644
--- a/data/yara/binaries/indicator_tools.yar
+++ b/data/yara/binaries/indicator_tools.yar
@@ -1838,3 +1838,94 @@ rule INDICATOR_TOOL_SharpGhostTask {
 condition:
 uint16(0) == 0x5a4d and 3 of them
 }
+
+rule INDICATOR_TOOL_KrbRelay {
+ meta:
+ author = "ditekshen"
+ description = "Detects KrbRelay"
+ strings:
+ $s1 = "System.Collections.Generic.IEnumerable.GetEnumerator" fullword ascii
+ $s2 = "System.Collections.Generic.IEnumerator.get_Current" fullword ascii
+ $s3 = "GetProcessIdFromIPid" fullword ascii
+ $g1 = "hello.stg" fullword wide
+ $g2 = "DSInternals.Common" fullword ascii
+ $g3 = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_7b3eed059f4c3e41\\Amd64\\UNIDRV.DLL" fullword wide
+ $g4 = "C:\\Windows\\System32\\kernelbase.dll" fullword wide
+ $g5 = "get_UnsupportedSecretEncryptionType" fullword ascii
+ $g6 = "CoInitializeSecurity Error: 0x{0:X8}. Exploit will fail." fullword wide
+ $g7 = "AuthnSvc: {0} - PrincName: {1}" fullword wide
+ condition:
+ uint16(0) == 0x5a4d and ((all of ($s*) and 4 of ($g*)) or (7 of them))
+}
+
+rule INDICATOR_TOOL_EDRSilencer {
+ meta:
+ author = "ditekshen"
+ description = "Detects EDRSilencer"
+ strings:
+ $s1 = "block \"C:\\Windows\\System32\\curl.exe\"" ascii
+ $s2 = "blockedr" fullword ascii
+ $s3 = "edrProcess" fullword ascii
+ $s4 = "BlockEdrProcessTraffic" fullword ascii
+ $s5 = "isInEdrProcessList" fullword ascii
+ $s6 = "EDRSilencer.c" fullword ascii
+ $v1 = "elastic-agent.exe" fullword ascii nocase
+ $v2 = "CybereasonAV.exe" fullword ascii nocase
+ $v3 = "SentinelAgent.exe" fullword ascii nocase
+ $v4 = "fortiedr.exe" fullword ascii nocase
+ $v5 = "MsMpEng.exe" fullword ascii nocase
+ $v6 = "CylanceSvc.exe" fullword ascii nocase
+ condition:
+ uint16(0) == 0x5a4d and (4 of ($s*) or (3 of ($s*) and 1 of ($v*)))
+}
+
+rule INDICATOR_TOOL_EDRPrison {
+ meta:
+ author = "ditekshen"
+ description = "Detects EDRPrison"
+ strings:
+ $s1 = "Block:" wide
+ $s2 = "PacketLen:" wide
+ $s3 = "DoWorkPacket_Step" ascii
+ $s4 = "DoWorkAsyncNETWORK" ascii
+ $s5 = "BlockMessage" ascii
+ $s6 = "GetRmAddrPortNetwork" ascii
+ condition:
+ uint16(0) == 0x5a4d and 5 of them
+}
+
+rule INDICATOR_TOOL_SharpSQLPwn {
+ meta:
+ author = "ditekshen"
+ description = "Detects SharpSQLPwn"
+ strings:
+ $s1 = "smb_ip" fullword ascii
+ $s2 = "Recon" fullword ascii
+ $s3 = "UNCPathInjection" fullword ascii
+ $s4 = "from sys.server_principals" wide
+ $s5 = "EXEC sp_configure '" wide
+ $s6 = "EXEC ('sp_configure" wide
+ $s7 = "CREATE ASSEMBLY" wide
+ $s8 = "DROP ASSEMBLY" wide
+ $s9 = "FROM 0x" wide
+ $s10 = "EXEC master..xp_dirtree \"\\\\" wide
+ condition:
+ uint16(0) == 0x5a4d and 7 of them
+}
+
+rule INDICATOR_TOOL_ChromeKatz {
+ meta:
+ author = "ditekshen"
+ description = "Detects ChromeKatz: CookieKatz and CredentialKatz"
+ strings:
+ $s1 = "\\include\\xmemory" ascii wide
+ $s2 = "targetBrowser" ascii
+ $s3 = "thirdPattern" ascii
+ $s4 = "isBrowserWow64" ascii
+ $s5 = "wcscpy_s(memory, size_in_elements, string)" fullword wide
+ $s6 = "hChrome" fullword ascii
+ $t1 = "szCookieMonster" fullword ascii
+ $t2 = "szPasswordReuseDetectorInstances" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d and 6 of them
+}
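Review bot: In INDICATOR_TOOL_ChromeKatz, `$s1 = "\\include\\xmemory" ascii wide` is a fragment of the MSVC STL header path that assert-enabled C++ builds embed regardless of what the program does, and `$s5` looks like a CRT parameter-validation expression rather than tool code, so on an MSVC-built sample those two hits come for free and the `6 of them` threshold effectively drops to four tool-specific strings. The `$t*` group is declared with its own prefix but the condition never distinguishes it from `$s*`; if each of the two tools named in the description carries one of the `$t*` strings, anchoring on it would make the generic strings count for less, e.g. `uint16(0) == 0x5a4d and ((1 of ($t*) and 4 of ($s*)) or 6 of them)`, or the two generic strings could simply be dropped. A similar caveat applies to the `7 of them` fallback in INDICATOR_TOOL_KrbRelay, where `$s1`, `$s2` (explicit-interface member names present in most .NET assemblies) and `$g4` are likely to match unrelated managed binaries. The five new rules carry only `author` and `description` meta; if the rest of this file records `reference` or sample hashes, adding them here would make the detections reproducible.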