Merge branch 'master' of https://github.com/CAPESandbox/community

.yara-ci.yml

@@ -1,16 +1,12 @@
 files:
   accept:
-  - "data/yara/CAPE/*.yar"
-  - "data/yara/memory/*.yar"
-  - "data/yara/binary/*.yar"
-  - "data/yara/urls/*.yar"
+  - "data/yara/**.yar"
+  ignore:
+  - "data/yara/deprecated/**.yar"
+  - "data/yara/CAPE/deprecated/**.yar"
 
 false_positives:
-  ignore:
-   - rule: "shellcode_stack_strings"
-   - rule: "shellcode_get_eip"
-   - rule: "shellcode_peb_parsing"
-   - rule: "shellcode_patterns"
-   - rule: "lsadump"
-   - rule: "UPX"
-   - rule: "INDICATOR_EXE_Packed_Dotfuscator"
+  disabled: true
+
+false_negatives:
+  disabled: true

data/yara/CAPE/GetCrypt.yar

@@ -19,8 +19,26 @@ rule GetCrypt {
         $s6 = "ntdll.dll" fullword ascii
         $s7 = "WNetCancelConnection2W" fullword ascii
         $s8 = ".%c%c%c%c" fullword wide
-        // is slowing down scanning
-        $s9 = /([Gg]uest|[Aa]dministrator|[Dd]eveloper|[Rr][0Oo]{2}t|[Aa]dmin)/ fullword ascii wide
+        $s9 = /([Gg]uest|[Aa]dmin(istrator)?|[Dd]eveloper)/ fullword ascii wide
+        // /[Rr][0Oo]t/ is slowing down scanning
+        $r0 = "R00t" fullword ascii wide
+        $r1 = "R0Ot" fullword ascii wide
+        $r2 = "R0ot" fullword ascii wide
+        $r3 = "RO0t" fullword ascii wide
+        $r4 = "ROOt" fullword ascii wide
+        $r5 = "ROot" fullword ascii wide
+        $r6 = "Ro0t" fullword ascii wide
+        $r7 = "RoOt" fullword ascii wide
+        $r8 = "Root" fullword ascii wide
+        $r9 = "r00t" fullword ascii wide
+        $r10 = "r0Ot" fullword ascii wide
+        $r11 = "r0ot" fullword ascii wide
+        $r12 = "rO0t" fullword ascii wide
+        $r13 = "rOOt" fullword ascii wide
+        $r14 = "rOot" fullword ascii wide
+        $r15 = "ro0t" fullword ascii wide
+        $r16 = "roOt" fullword ascii wide
+        $r17 = "root" fullword ascii wide
         $s10 = { 43 72 79 70 74 49 6d 70 6f 72 74 4b 65 79 00 00
                  cb 00 43 72 79 70 74 45 6e 63 72 79 70 74 00 00
                  c1 00 43 72 79 70 74 41 63 71 75 69 72 65 43 6f
@@ -32,5 +50,5 @@ rule GetCrypt {
                  00 00 b5 01 53 68 65 6c 6c 45 78 65 63 75 74 65
                  45 78 57 00 53 48 45 4c 4c 33 32 2e 64 6c 6c 00 }
     condition:
-        uint16(0) == 0x5a4d and (3 of ($x*) or 8 of ($s*))
+        uint16(0) == 0x5a4d and (3 of ($x*) or 8 of ($s*) or (7 of ($s*) and 1 of ($r*)))
 }

data/yara/CAPE/Sliver.yar

@@ -0,0 +1,20 @@
+rule Sliver {
+     meta:
+        author = "ditekSHen"
+        description = "Detects Sliver implant cross-platform adversary emulation/red team"
+        cape_type = "Sliver Payload"
+    strings:
+        $x1 = "github.com/bishopfox/sliver/protobuf/sliverpbb." ascii
+        $s1 = ".commonpb.ResponseR" ascii
+        $s2 = ".PortfwdProtocol" ascii
+        $s3 = ".WGTCPForwarder" ascii
+        $s4 = ".WGSocksServerR" ascii
+        $s5 = ".PivotEntryR" ascii
+        $s6 = ".BackdoorReq" ascii
+        $s7 = ".ProcessDumpReq" ascii
+        $s8 = ".InvokeSpawnDllReq" ascii
+        $s9 = ".SpawnDll" ascii
+        $s10 = ".TCPPivotReq" ascii
+    condition:
+        (uint16(0) == 0x5a4d or uint16(0) == 0x457f or uint16(0) == 0xfacf) and (1 of ($x*) or 5 of ($s*))
+}