Add detection against VenomRAT and indicator_tools

CAPESandbox · Sep 5, 2023 · f3421e3 · f3421e3
1 parent 7d98959
commit f3421e3
Show file tree

Hide file tree

Showing 2 changed files with 61 additions and 2 deletions.
diff --git a/data/yara/CAPE/VenomRAT.yar b/data/yara/CAPE/VenomRAT.yar
@@ -0,0 +1,16 @@
+rule VenomRAT {
+    meta:
+        author = "ditekSHen"
+        description = "Detects VenomRAT"
+        cape_type = "VenomRAT Payload"
+    strings:
+       $x1 = "Venom RAT + HVNC" fullword ascii
+       $x2 = "Venom" fullword ascii
+       $x3 = "VenomByVenom" fullword wide
+       $s1 = "/c schtasks /create /f /sc onlogon /rl highest /tn \"" fullword wide
+       $s2 = "UmVjZWl2ZWQ" wide
+       $s3 = "Pac_ket" fullword wide
+       $s4 = "Po_ng" fullword wide
+    condition:
+       uint16(0) == 0x5a4d and (1 of ($x*) and 2 of ($s*))
+}
diff --git a/data/yara/binaries/indicator_tools.yar b/data/yara/binaries/indicator_tools.yar
@@ -609,9 +609,9 @@ rule INDICATOR_TOOL_PET_DefenderControl {
     strings:
         $s1 = "Windows Defender Control" wide
         $s2 = "www.sordum.org" wide ascii
-        $s3 = "AutoIt" wide
+        $s3 = "dControl" wide
     condition:
-        uint16(0) == 0x5a4d and all of them
+        uint16(0) == 0x5a4d and 2 of them
 }
 
 rule INDICATOR_TOOL_PET_Mulit_VenomAgent {
@@ -1673,3 +1673,46 @@ rule INDICATOR_TOOL_WEDGECUT {
     condition:
         uint16(0) == 0x5a4d and 4 of them
 }
+
+rule INDICATOR_TOOL_PPLBLade {
+    meta:
+        author = "ditekSHen"
+        description = "Detects PPLBlade Protected Process Dumper Tool that support obfuscating memory dump and transferring it on remote workstations without dropping it onto the disk"
+    strings:
+        $x1 = "PPLBlade" ascii
+        $x2 = "/PPLBlade/" ascii
+        $x3 = "PPLBlade.exe --mode" ascii
+        $x4 = "PPLBLADE.SYSPPLBlade.dmp" ascii
+        $s1 = "Dump bytes sent at %s:%d. Protocol: %s" ascii
+        $s2 = "Deobfuscated dump saved in file %s" ascii
+        $m1 = "main.WriteDriverOnDisk" ascii
+        $m2 = "main.ProcExpOpenProc" ascii
+        $m3 = "main.miniDumpCallback" ascii
+        $m4 = "main.copyDumpBytes" ascii
+        $m5 = "main.MiniDumpGetBytes" ascii
+        $m6 = "main.SendBytesRaw" ascii
+        $m7 = "main.SendBytesSMB" ascii
+        $m8 = "main.DeobfuscateDump" ascii
+        $m9 = "main.dumpMutex" ascii
+        $m10 = "main.dbghelpDLL" ascii
+        $m11 = "main.miniDumpWriteDump" ascii
+    condition:
+        uint16(0) == 0x5a4d and (3 of ($x*) or (1 of ($x*) and (1 of ($s*) or 3 of ($m*))) or (all of ($s*) and 3 of ($m*)) or (7 of ($m*)))
+}
+
+rule INDICATOR_TOOL_SharpLDAP {
+    meta:
+        author = "ditekSHen"
+        description = "Detects SharpLDAP tool written in C# that aims to do enumeration via LDAP queries"
+    strings:
+        $x1 = "SharpLDAP" ascii wide
+        $x2 = "SharpLDAP.pdb" ascii
+        $s1 = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))" wide
+        $s2 = "(&(servicePrincipalName=*))" wide
+        $s3 = "/Enumerating (Domain|Enterprise|Organizational|Service|Members|Users|Computers)/" wide
+        $s4 = "ListMembers" fullword ascii
+        $s5 = "GroupMembers" fullword ascii
+        $s6 = "get_SamAccountName" fullword ascii
+    condition:
+        uint16(0) == 0x5a4d and ((1 of ($x*) and 4 of ($s*)) or (5 of ($s*)))
+}