From 693bd095e52824f24968818a93b3987c8eaab1b4 Mon Sep 17 00:00:00 2001
From: Bart P
Date: Fri, 8 Mar 2024 17:37:38 +0100
Subject: [PATCH 1/6] Typoasyncrat_mutex.py

---
 modules/signatures/windows/asyncrat_mutex.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/signatures/windows/asyncrat_mutex.py b/modules/signatures/windows/asyncrat_mutex.py
index 58dadc8e..fa020fab 100644
--- a/modules/signatures/windows/asyncrat_mutex.py
+++ b/modules/signatures/windows/asyncrat_mutex.py
@@ -18,7 +18,7 @@ class AsyncRatMutex(Signature):
     name = "asyncrat_mutex"
-    description = "Creates known AsyncRat mutexe"
+    description = "Creates known AsyncRat mutex"
     severity = 3
     categories = ["infostealer", "keylogger", "rat"]
     families = ["AsyncRat"]

From 0614eae59da33057fb7c6a77cb8c1d99969c2e75 Mon Sep 17 00:00:00 2001
From: Bart P
Date: Fri, 8 Mar 2024 17:39:32 +0100
Subject: [PATCH 2/6] Bump action & python in workflows

---
 .github/workflows/python-package.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
index a6e7858a..ae364d0e 100644
--- a/.github/workflows/python-package.yml
+++ b/.github/workflows/python-package.yml
@@ -12,14 +12,14 @@ jobs:
     timeout-minutes: 20
     strategy:
       matrix:
-        python-version: [3.8]
+        python-version: [3.11]
     steps:
       - name: Check out repository code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v3
+        uses: actions/setup-python@v4
         with:
           python-version: ${{ matrix.python-version }}
@@ -39,15 +39,15 @@ jobs:
     timeout-minutes: 20
     strategy:
       matrix:
-        python-version: [3.8]
+        python-version: [3.11]
     if: ${{ github.ref == 'refs/heads/master' }}
     steps:
       - name: Check out repository code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v3
+        uses: actions/setup-python@v4
         with:
           python-version: ${{ matrix.python-version }}

From 882f6fee03465fcbe57b06834f35de6b67c106e5 Mon Sep 17 00:00:00 2001
From: Bart P
Date: Fri, 8 Mar 2024 17:40:08 +0100
Subject: [PATCH 3/6] Bump action & python in workflows

---
 .github/workflows/update-mitre-files.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/update-mitre-files.yml b/.github/workflows/update-mitre-files.yml
index feb29ffe..b64206a6 100644
--- a/.github/workflows/update-mitre-files.yml
+++ b/.github/workflows/update-mitre-files.yml
@@ -11,14 +11,14 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: [3.8]
+        python-version: [3.11]
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           ref: ${{ github.head_ref }}
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v3
+        uses: actions/setup-python@v4
         with:
           python-version: ${{ matrix.python-version }}
       - name: Update mitre files

From be71787ce71e587cb5ce4a252181b031e084b6d8 Mon Sep 17 00:00:00 2001
From: Bart P
Date: Fri, 8 Mar 2024 17:47:50 +0100
Subject: [PATCH 4/6] Add credwiz and vaultcmd

---
 .../signatures/windows/credential_access.py | 46 +++++++++++++++++++
 1 file changed, 46 insertions(+)

diff --git a/modules/signatures/windows/credential_access.py b/modules/signatures/windows/credential_access.py
index 2ca6ec51..29bab6bb 100644
--- a/modules/signatures/windows/credential_access.py
+++ b/modules/signatures/windows/credential_access.py
@@ -38,3 +38,49 @@ def run(self):
                 ret = True
 
         return ret
+
+
+class VaultCmd(Signature):
+    name = "vaultcmd_credentialaccess"
+    description = "Lists credentials using VaultCmd"
+    severity = 3
+    categories = ["credentials", "credential_access"]
+    authors = ["bartblaze"]
+    minimum = "1.3"
+    evented = True
+    ttps = ["T1555"]
+    reference = ["https://attack.mitre.org/techniques/T1555/004/"]
+
+    def run(self):
+        ret = False
+        cmdlines = self.results["behavior"]["summary"]["executed_commands"]
+        for cmdline in cmdlines:
+            lower = cmdline.lower()
+            if "vaultcmd" in lower and "list" in lower:
+                ret = True
+                self.data.append({"command": cmdline})
+
+        return ret
+
+
+class CredWiz(Signature):
+    name = "credwiz_credentialaccess"
+    description = "Exports credentials using CredWiz"
+    severity = 3
+    categories = ["credentials", "credential_access"]
+    authors = ["bartblaze"]
+    minimum = "1.3"
+    evented = True
+    ttps = ["T1555"]
+    reference = ["https://attack.mitre.org/techniques/T1555/"]
+
+    def run(self):
+        ret = False
+        cmdlines = self.results["behavior"]["summary"]["executed_commands"]
+        for cmdline in cmdlines:
+            lower = cmdline.lower()
+            if "credwiz" in lower and "keymgr" in lower:
+                ret = True
+                self.data.append({"command": cmdline})
+
+        return ret

From 673cf45905d2709e058883dbf75bcb67d5cb29fa Mon Sep 17 00:00:00 2001
From: Bart P
Date: Fri, 8 Mar 2024 17:50:24 +0100
Subject: [PATCH 5/6] Create RokRAT.yar

---
 data/yara/CAPE/RokRAT.yar | 42 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 data/yara/CAPE/RokRAT.yar

diff --git a/data/yara/CAPE/RokRAT.yar b/data/yara/CAPE/RokRAT.yar
new file mode 100644
index 00000000..0faf26ee
--- /dev/null
+++ b/data/yara/CAPE/RokRAT.yar
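Review bot: Both new `run` methods index `self.results["behavior"]["summary"]["executed_commands"]` directly, so a report whose summary has no such key raises KeyError and aborts the signature instead of returning False; a defensive lookup such as `cmdlines = self.results.get("behavior", {}).get("summary", {}).get("executed_commands", [])` avoids that, assuming the framework does not already guarantee the key. The `"vaultcmd" in lower and "list" in lower` test is a bare substring match, so any command line that merely mentions vaultcmd and has "list" anywhere (a path, an unrelated argument) fires; anchoring on the switch, e.g. `if "vaultcmd" in lower and "/list" in lower:`, still covers `/list` and `/listcreds` while cutting that noise. Both classes set `evented = True` yet define only `run` and no `on_call`, so the flag appears to do nothing here — confirm against the signature base class. The hunk's leading context lines belong to a preceding signature's `run` whose start lies outside the hunk.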
@@ -0,0 +1,42 @@
+rule RokRAT
+{
+meta:
+    id = "67CbAcgxp3LrNC8G138xsq"
+    fingerprint = "9a421d0257276c98d57abdaeb1e31e98956ec8ecf97d48827b35b527d174f35e"
+    version = "1.0"
+    modified = "2024-03-08"
+    status = "RELEASED"
+    sharing = "TLP:WHITE"
+    source = "BARTBLAZE"
+    author = "@bartblaze"
+    description = "Identifies RokRAT."
+    category = "MALWARE"
+    malware_type = "RAT"
+    reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat"
+    cape_type = "RokRAT Payload"
+
+strings:
+    $new_pe = {0f b6 03 8d 4b 05 03 c8 89 4? ?? 8b 44 18 01 89 4? ?? 8d ?? 98 f4 ff ff 50 68 ?? ?? ?? ?? ff 15 ?? ?? ?? ?? 8d ?? 98 f4 ff ff 4f 8a
+    4? ?? 47 84 c0 75 ?? 8b 5? ?? be ?? ?? ?? ?? 33 c0 8b c8 a5 a5 a5 a5 a4 8b 7? ?? 85 d2 74 ?? 8a 26 8a 04 31 32 c4 34 ?? 88 04 31 41 3b ca}
+
+    $str_1 = "%s%04X%04X.tmp" ascii wide
+    $str_2 = "360Tray.exe" ascii wide
+    $str_3 = "dir /A /S %s >> \"%%temp%%/%c_.TMP\"" ascii wide
+    $str_4 = "KB400928_doc.exe" ascii wide
+    $str_5 = "\\%d.dat" ascii wide
+    $str_6 = "%spid:%d,name:%s,path:%s%s" ascii wide
+    $str_7 = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" ascii wide
+
+    $comms_1 = "127.0.0.1" ascii wide
+    $comms_2 = "api.pcloud.com" ascii wide
+    $comms_3 = "my.pcloud.com" ascii wide
+    $comms_4 = "cloud-api.yandex.net" ascii wide
+    $comms_5 = "api.dropboxapi.com" ascii wide
+    $comms_6 = "content.dropboxapi.com" ascii wide
+    $comms_7 = "Content-Type: voice/mp3" ascii wide
+
+condition:
+    $new_pe or
+    4 of ($str_*) or
+    (6 of ($comms_*) and 2 of ($str_*))
+}

From 56ea16392bf06b50f5bb956d257df667dc0c997a Mon Sep 17 00:00:00 2001
From: Bart P
Date: Fri, 8 Mar 2024 17:59:42 +0100
Subject: [PATCH 6/6] Delete data/yara/CAPE/RokRAT.yar

---
 data/yara/CAPE/RokRAT.yar | 42 ---------------------------------------
 1 file changed, 42 deletions(-)
 delete mode 100644 data/yara/CAPE/RokRAT.yar

diff --git a/data/yara/CAPE/RokRAT.yar b/data/yara/CAPE/RokRAT.yar
deleted file mode 100644
index 0faf26ee..00000000
--- a/data/yara/CAPE/RokRAT.yar
+++ /dev/null
@@ -1,42 +0,0 @@
-rule RokRAT
-{
-meta:
-    id = "67CbAcgxp3LrNC8G138xsq"
-    fingerprint = "9a421d0257276c98d57abdaeb1e31e98956ec8ecf97d48827b35b527d174f35e"
-    version = "1.0"
-    modified = "2024-03-08"
-    status = "RELEASED"
-    sharing = "TLP:WHITE"
-    source = "BARTBLAZE"
-    author = "@bartblaze"
-    description = "Identifies RokRAT."
-    category = "MALWARE"
-    malware_type = "RAT"
-    reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat"
-    cape_type = "RokRAT Payload"
-
-strings:
-    $new_pe = {0f b6 03 8d 4b 05 03 c8 89 4? ?? 8b 44 18 01 89 4? ?? 8d ?? 98 f4 ff ff 50 68 ?? ?? ?? ?? ff 15 ?? ?? ?? ?? 8d ?? 98 f4 ff ff 4f 8a
-    4? ?? 47 84 c0 75 ?? 8b 5? ?? be ?? ?? ?? ?? 33 c0 8b c8 a5 a5 a5 a5 a4 8b 7? ?? 85 d2 74 ?? 8a 26 8a 04 31 32 c4 34 ?? 88 04 31 41 3b ca}
-
-    $str_1 = "%s%04X%04X.tmp" ascii wide
-    $str_2 = "360Tray.exe" ascii wide
-    $str_3 = "dir /A /S %s >> \"%%temp%%/%c_.TMP\"" ascii wide
-    $str_4 = "KB400928_doc.exe" ascii wide
-    $str_5 = "\\%d.dat" ascii wide
-    $str_6 = "%spid:%d,name:%s,path:%s%s" ascii wide
-    $str_7 = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" ascii wide
-
-    $comms_1 = "127.0.0.1" ascii wide
-    $comms_2 = "api.pcloud.com" ascii wide
-    $comms_3 = "my.pcloud.com" ascii wide
-    $comms_4 = "cloud-api.yandex.net" ascii wide
-    $comms_5 = "api.dropboxapi.com" ascii wide
-    $comms_6 = "content.dropboxapi.com" ascii wide
-    $comms_7 = "Content-Type: voice/mp3" ascii wide
-
-condition:
-    $new_pe or
-    4 of ($str_*) or
-    (6 of ($comms_*) and 2 of ($str_*))
-}