From d9a130d1441b49debf880cd08669267868d27744 Mon Sep 17 00:00:00 2001 
From: Thomas Stromberg Date: Sat, 9 Mar 2024 16:34:41 -0500 Subject: [PATCH] Improve rules through BSKC analysis --- rules/admin/shutdown.yara | 10 ++++++ rules/archives/zip.yara | 2 +- rules/combo/backdoor/generic/php.yara | 34 +++++++++---------- rules/combo/backdoor/generic/ruby.yara | 8 +++++ rules/combo/backdoor/generic/sudo_nohup.yara | 9 +++++ .../combo/backdoor/generic/timeout_eval.yara | 9 +++++ .../{tar_ssh.yara => archive_ssh_socket.yara} | 3 +- rules/combo/exfil/nodejs_sysinfo_http..yara | 15 ++++++++ rules/combo/exfil/python_sysinfo_http.yara | 15 ++++++++ rules/combo/exploit/overflow-shellcode.yara | 11 ++++++ rules/data/embedded-pem-test_key.yara | 10 ++++++ rules/encoding/json-encode.yara | 1 + rules/env/HOME.yara | 9 +++++ rules/env/LANG.yara | 28 +++++++++++++++ rules/env/dump.yara | 8 +++++ rules/evasion/hex.yara | 9 +++++ rules/exec/pipe.yara | 2 +- rules/exec/program.yara | 14 ++++++-- rules/fs/file-delete-forcibly.yara | 11 ++++++ rules/fs/file-read.yara | 11 ++++++ rules/fs/file-stat.yara | 12 +++++++ rules/kernel/hostname-get.yara | 1 + rules/kernel/uname-get.yara | 13 +++++++ rules/net/http-post.yara | 5 +-- rules/net/http-request.yara | 2 ++ rules/net/http-server.yara | 1 + rules/net/ip-external_address-query.yara | 9 +++++ rules/net/stat.yara | 8 +++++ rules/net/url-encode.yara | 8 +++++ rules/net/url-request.yara | 7 ++++ rules/net/url.yara | 1 + rules/process/current/parent_pid-get.yara | 1 + rules/process/current/root-check.yara | 10 ++++++ rules/process/current/userid-get.yara | 2 +- rules/process/current/username-get.yara | 11 ++++++ rules/process/current/whoami.yara | 9 ----- rules/ref/google-analytics.yara | 9 +++++ rules/ref/program/powershell.yara | 6 ++++ rules/ref/site/http-ip.yara | 2 +- rules/ref/words/agent.yara | 9 +++++ rules/techniques/code_eval.yara | 21 +++--------- 41 files changed, 314 insertions(+), 52 deletions(-) create mode 100644 rules/admin/shutdown.yara create mode 100644 rules/combo/backdoor/generic/ruby.yara 
create mode 100644 rules/combo/backdoor/generic/sudo_nohup.yara create mode 100644 rules/combo/backdoor/generic/timeout_eval.yara rename rules/combo/exfil/{tar_ssh.yara => archive_ssh_socket.yara} (79%) create mode 100644 rules/combo/exfil/nodejs_sysinfo_http..yara create mode 100644 rules/combo/exfil/python_sysinfo_http.yara create mode 100644 rules/data/embedded-pem-test_key.yara create mode 100644 rules/env/LANG.yara create mode 100644 rules/env/dump.yara create mode 100644 rules/evasion/hex.yara create mode 100644 rules/net/stat.yara create mode 100644 rules/net/url-encode.yara create mode 100644 rules/process/current/root-check.yara delete mode 100644 rules/process/current/whoami.yara create mode 100644 rules/ref/google-analytics.yara create mode 100644 rules/ref/program/powershell.yara create mode 100644 rules/ref/words/agent.yara
diff --git a/rules/admin/shutdown.yara b/rules/admin/shutdown.yara
new file mode 100644
index 00000000..3f63a732
--- /dev/null
+++ b/rules/admin/shutdown.yara
@@ -0,0 +1,10 @@
+
+rule shutdown_s : suspicious {
+ meta:
+ description = "calls shutdown command"
+ strings:
+ $ref = /shutdown -[\w ]{0,16}/
+ $ref2 = "shutdown now"
+ condition:
+ any of them
+}
diff --git a/rules/archives/zip.yara b/rules/archives/zip.yara
index 96356757..c8fdc69e 100644
--- a/rules/archives/zip.yara
+++ b/rules/archives/zip.yara
@@ -1,4 +1,3 @@
-
 rule zip : notable {
 meta:
 description = "Works with zip files"
@@ -7,6 +6,7 @@ rule zip : notable {
 $ref2 = "archive/zip"
 $ref3 = "zip_writer" fullword
 $ref4 = "ZIP archive" fullword
+ $ref5 = "zip file" fullword
 condition:
 any of them
 }
diff --git a/rules/combo/backdoor/generic/php.yara b/rules/combo/backdoor/generic/php.yara
index 2504c0cf..4fc38eb7 100644
--- a/rules/combo/backdoor/generic/php.yara
+++ b/rules/combo/backdoor/generic/php.yara
@@ -1,5 +1,5 @@
-rule php_possible_backdoor {
+rule php_possible_backdoor : critical {
 meta:
 hash_2020_trojan_webshell_quwmldl_rfxn = "f1375cf097b3f28247762147f8ee3755e0ce26e24fbf8a785fe4e5b42c1fed05"
 hash_2023_PHP_Backdoor_PHP_Goonshell_a = "42e5fafe25af2d2600691a26144cc47320ccfd07a224b72452dfa7de2e86ece3"
@@ -28,7 +28,7 @@ rule php_possible_backdoor {
 filesize < 1048576 and $eval and 1 of ($php*) and 4 of ($f_*) and none of ($not*)
 }
-rule php_eval_base64_decode {
+rule php_eval_base64_decode : critical {
 meta:
 hash_2023_0xShell = "acf556b26bb0eb193e68a3863662d9707cbf827d84c34fbc8c19d09b8ea811a1"
 hash_2023_0xShell_0xObs = "6391e05c8afc30de1e7980dda872547620754ce55c36da15d4aefae2648a36e5"
@@ -44,7 +44,7 @@ rule php_eval_base64_decode {
 any of them
 }
-rule php_executor {
+rule php_executor : critical {
 meta:
 hash_2020_trojan_webshell_quwmldl_rfxn = "f1375cf097b3f28247762147f8ee3755e0ce26e24fbf8a785fe4e5b42c1fed05"
 hash_2015_Resources_agent = "5a61246c9fe8e52347e35664e0c86ab2897d807792008680e04306e6c2104941"
@@ -62,7 +62,7 @@ rule php_executor {
 filesize < 1048576 and $php and all of ($f_*)
 }
-rule php_bin_hashbang {
+rule php_bin_hashbang : critical {
 meta:
 hash_2015_Resources_agent = "5a61246c9fe8e52347e35664e0c86ab2897d807792008680e04306e6c2104941"
 hash_2023_UPX_0a07c056fec72668d3f05863f103987cc1aaec92e72148bf16db6cfd58308617_elf_x86_64 = "94f4de1bd8c85b8f820bab936ec16cdb7f7bc19fa60d46ea8106cada4acc79a2"
@@ -73,7 +73,7 @@ rule php_bin_hashbang {
 $script and any of ($x*)
 }
-rule php_urlvar_recon_exec {
+rule php_urlvar_recon_exec : critical {
 meta:
 ref = "Backdoor.PHP.Llama"
 hash_2023_PHP_Backdoor_PHP_Goonshell_a = "42e5fafe25af2d2600691a26144cc47320ccfd07a224b72452dfa7de2e86ece3"
@@ -105,7 +105,7 @@ rule php_system_to_perl {
 all of them
 }
-rule php_eval_gzinflate_base64_backdoor {
+rule php_eval_gzinflate_base64_backdoor : critical {
 meta:
 ref = "xoxo"
 hash_2023_0xShell_lndex = "9b073472cac7f3f8274165a575e96cfb4f4eb38471f6a8e57bb9789f3f307495"
@@ -120,7 +120,7 @@ rule php_eval_gzinflate_base64_backdoor {
 }
-rule php_obfuscated_with_hex_characters {
+rule php_obfuscated_with_hex_characters : critical {
 meta:
 hash_2023_0xShell_1337 = "657bd1f3e53993cb7d600bfcd1a616c12ed3e69fa71a451061b562e5b9316649"
 hash_2023_0xShell_index = "f39b16ebb3809944722d4d7674dedf627210f1fa13ca0969337b1c0dcb388603"
@@ -138,7 +138,7 @@ rule php_obfuscated_with_hex_characters {
 $php and (#hex > 5 or #hex_not_mix > 5)
 }
-rule php_base64_eval_uname {
+rule php_base64_eval_uname : critical {
 meta:
 hash_2023_0xShell_root = "3baa3bfaa6ed78e853828f147c3747d818590faee5eecef67748209dd3d92afb"
 hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad"
@@ -150,7 +150,7 @@ rule php_base64_eval_uname {
 all of them
 }
-rule php_post_system {
+rule php_post_system : suspicious {
 meta:
 hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e"
 hash_2023_0xShell_root = "3baa3bfaa6ed78e853828f147c3747d818590faee5eecef67748209dd3d92afb"
@@ -167,7 +167,7 @@ rule php_post_system {
 $php and any of ($method*) and $system
 }
-rule php_error_reporting_disable {
+rule php_error_reporting_disable : suspicious {
 meta:
 hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e"
 hash_2023_0xShell_untitled = "39b2fd6b4b2c11a9cbfc8efbb09fc14d502cde1344f52e1269228fc95b938621"
@@ -180,7 +180,7 @@ rule php_error_reporting_disable {
 all of them
 }
-rule php_system_manipulation {
+rule php_system_manipulation : suspicious {
 meta:
 hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e"
 hash_2023_0xShell_untitled = "39b2fd6b4b2c11a9cbfc8efbb09fc14d502cde1344f52e1269228fc95b938621"
@@ -198,7 +198,7 @@ rule php_system_manipulation {
 $php and 80% of them
 }
-rule php_system_hex {
+rule php_system_hex : critical {
 meta:
 hash_2023_0xShell_root = "3baa3bfaa6ed78e853828f147c3747d818590faee5eecef67748209dd3d92afb"
 hash_2023_0xShell_untitled = "39b2fd6b4b2c11a9cbfc8efbb09fc14d502cde1344f52e1269228fc95b938621"
@@ -208,7 +208,7 @@ rule php_system_hex {
 any of them
 }
-rule php_insecure_curl_uploader {
+rule php_insecure_curl_uploader : critical {
 meta:
 hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e"
 hash_2023_0xShell_f = "9ce3da0322ee42e9119abb140b829efc3c94ea802df7a6f3968829645e1a5330"
@@ -221,7 +221,7 @@ rule php_insecure_curl_uploader {
 $CURLOPT_SSL_VERIFYPEER and any of ($f*)
 }
-rule php_eval_get_contents {
+rule php_eval_get_contents : critical {
 meta:
 hash_2023_0xShell_f = "9ce3da0322ee42e9119abb140b829efc3c94ea802df7a6f3968829645e1a5330"
 strings:
@@ -233,7 +233,7 @@ rule php_eval_get_contents {
 all of ($f*) and none of ($not*)
 }
-rule php_is_jpeg {
+rule php_is_jpeg : critical {
 meta:
 hash_2023_0xShell_tifa_png = "1a13a6c6bb6815ba352b43971e4e961615367aec714e0a0005c28b3ebbc544c6"
 strings:
@@ -244,7 +244,7 @@ rule php_is_jpeg {
 all of them
 }
-rule php_copy_files {
+rule php_copy_files : suspicious {
 meta:
 hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e"
 hash_2023_0xShell_tifa_png = "1a13a6c6bb6815ba352b43971e4e961615367aec714e0a0005c28b3ebbc544c6"
@@ -255,7 +255,7 @@ rule php_copy_files {
 all of them
 }
-rule php_base64_encoded {
+rule php_base64_encoded : critical {
 meta:
 hash_2023_0xShell_0xObs = "6391e05c8afc30de1e7980dda872547620754ce55c36da15d4aefae2648a36e5"
 hash_2023_0xShell_0xShellObs = "64771788a20856c7b2a29067f41be9cb7138c11a2cf2a8d17ab4afe73516f1ed"
diff --git a/rules/combo/backdoor/generic/ruby.yara b/rules/combo/backdoor/generic/ruby.yara
new file mode 100644
index 00000000..96aa6a22
--- /dev/null
+++ b/rules/combo/backdoor/generic/ruby.yara
@@ -0,0 +1,8 @@
+rule ruby_eval_base64_decode : critical {
+ meta:
+ description = "Evaluates base64 content"
+ strings:
+ $eval_base64_decode = "eval(Base64."
+ condition:
+ any of them
+}
\ No newline at end of file
diff --git a/rules/combo/backdoor/generic/sudo_nohup.yara b/rules/combo/backdoor/generic/sudo_nohup.yara
new file mode 100644
index 00000000..eea20499
--- /dev/null
+++ b/rules/combo/backdoor/generic/sudo_nohup.yara
@@ -0,0 +1,9 @@
+rule sudo_nohup : suspicious {
+ meta:
+ description = "calls nohup sudo"
+ strings:
+ $nohup_sudo = /nohup sudo[ \.\/\w]{0,32}/
+ $sudo_nohup = /sudo nohup[ \.\/\w]{0,32}/
+ condition:
+ any of them
+}
diff --git a/rules/combo/backdoor/generic/timeout_eval.yara b/rules/combo/backdoor/generic/timeout_eval.yara
new file mode 100644
index 00000000..add13ee3
--- /dev/null
+++ b/rules/combo/backdoor/generic/timeout_eval.yara
@@ -0,0 +1,9 @@
+rule timeout_eval : critical {
+ meta:
+ description = "evaluate code dynamically using eval() after timeout"
+ strings:
+ $ref = /setTimeout\(.{0,64}eval\([\w\(\,\)\;\*\}]{0,32}/ fullword
+ condition:
+ any of them
+}
+
diff --git a/rules/combo/exfil/tar_ssh.yara b/rules/combo/exfil/archive_ssh_socket.yara
similarity index 79%
rename from rules/combo/exfil/tar_ssh.yara
rename to rules/combo/exfil/archive_ssh_socket.yara
index 534fe959..dda25416 100644
--- a/rules/combo/exfil/tar_ssh.yara
+++ b/rules/combo/exfil/archive_ssh_socket.yara
@@ -1,5 +1,5 @@
-rule tar_ssh_net : notable {
+rule tar_ssh_net : suspicious {
 strings:
 $s_curl = "curl" fullword
 $s_wget = "wget" fullword
@@ -9,6 +9,7 @@ rule tar_ssh_net : notable {
 $z_zip = "zip" fullword
 $z_tar = "tar" fullword
+ $z_xargs = "xargs cat"
 condition:
 $h and any of ($s*) and any of ($z*)
 }
\ No newline at end of file
diff --git a/rules/combo/exfil/nodejs_sysinfo_http..yara b/rules/combo/exfil/nodejs_sysinfo_http..yara
new file mode 100644
index 00000000..301dd2e7
--- /dev/null
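Review bot: The file is renamed to archive_ssh_socket.yara, but the rule header `rule tar_ssh_net : suspicious {` keeps the old name and the rule still has no `meta:` block, so the intent of the `$z*` group that the second hunk extends with `$z_xargs = "xargs cat"` (archivers, now also file concatenation) is only implied by the old filename. Adding `meta:` / `description = "archives or concatenates files and transfers them over the network"` above `strings:` would make the rule self-describing in reports. `"xargs cat"` is also the only `$z*` string without `fullword`, so `xargs cat_anything` matches as well; that may be deliberate.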
+++ b/rules/combo/exfil/nodejs_sysinfo_http..yara
@@ -0,0 +1,15 @@
+
+rule npm_sysinfoexfil : suspicious {
+ meta:
+ description = "exfiltrate system information"
+ strings:
+ $p1 = "process.platform"
+ $p2 = "process.arch"
+ $p3 = "process.versions"
+
+ $h = "http.request"
+
+ $post = "POST"
+ condition:
+ $h and $post and any of ($p*)
+}
\ No newline at end of file
diff --git a/rules/combo/exfil/python_sysinfo_http.yara b/rules/combo/exfil/python_sysinfo_http.yara
new file mode 100644
index 00000000..d48fed08
--- /dev/null
+++ b/rules/combo/exfil/python_sysinfo_http.yara
@@ -0,0 +1,15 @@
+
+rule python_sysinfo_http : suspicious {
+ meta:
+ description = "exfiltrate system information"
+ strings:
+ $r_user = "getpass.getuser"
+ $r_hostname = "socket.gethostname"
+ $r_platform = "platform.platform"
+
+ $u = /[\w\.]{0,16}urlopen/
+
+ condition:
+ filesize < 4096 and any of ($r*) and any of ($u*)
+}
+
diff --git a/rules/combo/exploit/overflow-shellcode.yara b/rules/combo/exploit/overflow-shellcode.yara
index 955f2784..8275cc71 100644
--- a/rules/combo/exploit/overflow-shellcode.yara
+++ b/rules/combo/exploit/overflow-shellcode.yara
@@ -10,3 +10,14 @@ rule exploit: suspicious {
 condition:
 $shellcode and 3 of them
 }
+
+rule execute_shellcode: suspicious {
+ meta:
+ description = "Executes shell code"
+ strings:
+ $ref = "execute shellcode"
+ $ref2 = "exec_shellcode"
+ $ref3 = "execute_shellcode"
+ condition:
+ any of them
+}
diff --git a/rules/data/embedded-pem-test_key.yara b/rules/data/embedded-pem-test_key.yara
new file mode 100644
index 00000000..17ad426f
--- /dev/null
+++ b/rules/data/embedded-pem-test_key.yara
@@ -0,0 +1,10 @@
+rule testing_key {
+ meta:
+ description = "Contains TESTING KEY directive"
+ strings:
+ $ref = "TESTING KEY-----"
+ condition:
+ any of them
+}
+
+
diff --git a/rules/encoding/json-encode.yara b/rules/encoding/json-encode.yara
index dec4a339..ed7a5d3e 100644
--- a/rules/encoding/json-encode.yara
+++ b/rules/encoding/json-encode.yara
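Review bot: The new path `rules/combo/exfil/nodejs_sysinfo_http..yara` has a doubled dot before the extension, which looks like a typo given its sibling `rules/combo/exfil/python_sysinfo_http.yara`. Separately, `$post = "POST"` carries no `fullword` and `$h = "http.request"` is present in most Node HTTP clients, so any module that both issues requests and reads `process.platform` will trip this `suspicious` rule; `$post = "POST" fullword`, or a size bound like the Python sibling's `filesize < 4096`, would keep the combo meaningful.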
@@ -3,6 +3,7 @@ rule JSONEncode {
 strings:
 $jsone = "JSONEncode"
 $marshal = "MarshalJSON" fullword
+ $npm = "JSON.stringify"
 condition:
 any of them
 }
diff --git a/rules/env/HOME.yara b/rules/env/HOME.yara
index 49d354f9..389d2fb5 100644
--- a/rules/env/HOME.yara
+++ b/rules/env/HOME.yara
@@ -7,3 +7,12 @@ rule HOME {
 condition:
 all of them
 }
+
+rule node_HOME {
+ meta:
+ description = "Looks up the HOME directory for the current user"
+ strings:
+ $ref = "env.HOME" fullword
+ condition:
+ all of them
+}
diff --git a/rules/env/LANG.yara b/rules/env/LANG.yara
new file mode 100644
index 00000000..47452db6
--- /dev/null
+++ b/rules/env/LANG.yara
@@ -0,0 +1,28 @@
+rule LANG_getenv {
+ meta:
+ description = "Looks up language of current user"
+ strings:
+ $ref = "LANG" fullword
+ $getenv = "getenv"
+ condition:
+ all of them
+}
+
+rule LANG_node {
+ meta:
+ description = "Looks up language of current user"
+ strings:
+ $ref = "env.LANG" fullword
+ condition:
+ all of them
+}
+
+
+rule dollar_LANG {
+ meta:
+ description = "Looks up language of current user"
+ strings:
+ $ref = "$LANG" fullword
+ condition:
+ all of them
+}
diff --git a/rules/env/dump.yara b/rules/env/dump.yara
new file mode 100644
index 00000000..d66a9bd3
--- /dev/null
+++ b/rules/env/dump.yara
@@ -0,0 +1,8 @@
+rule os_environ : harmless {
+ meta:
+ description = "Dump values from the environment"
+ strings:
+ $ref = "os.environ" fullword
+ condition:
+ any of them
+}
diff --git a/rules/evasion/hex.yara b/rules/evasion/hex.yara
new file mode 100644
index 00000000..a6ffae5f
--- /dev/null
+++ b/rules/evasion/hex.yara
@@ -0,0 +1,9 @@
+
+rule node_hex_parse : suspicious {
+ meta:
+ description = "converts hex data to ASCII"
+ strings:
+ $ref = /Buffer\.from\(\w{0,16}, {0,2}'hex'\)/
+ condition:
+ $ref
+}
\ No newline at end of file
diff --git a/rules/exec/pipe.yara b/rules/exec/pipe.yara
index 20b929c9..4e124f22 100644
--- a/rules/exec/pipe.yara
+++ b/rules/exec/pipe.yara
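Review bot: In `LANG_getenv` the two strings `$ref = "LANG" fullword` and `$getenv = "getenv"` are matched independently anywhere in the file, so `all of them` fires on any binary that calls getenv at all and contains the token LANG somewhere (locale handling, usage text, unrelated constants). If the intent is a lookup of that specific variable, tie them together in one string, e.g. `$ref = /getenv\(\s?"LANG"\)/`. The file also leaves two blank lines before `rule dollar_LANG {` where the other rules in this commit use one.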
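Review bot: `$ref = /Buffer\.from\(\w{0,16}, {0,2}'hex'\)/` in `node_hex_parse` accepts only a single-quoted `'hex'`, so the equally common `Buffer.from(data, "hex")` is missed, and `\w{0,16}` stops at the first `.` so a property argument such as `payload.data` is missed too. A class like `['"]hex['"]` for the encoding and `[\w\.]{0,32}` for the argument covers both forms without widening the rule. The same single-quote-only assumption appears in `npm_exec` in rules/exec/program.yara (`$ref = /exec\(\'[\w \/\'\)]{0,64}/`) and in `$ref5 = "require('request');"` / `$ref7 = "require('https').request"` in rules/net/url-request.yara.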
@@ -5,7 +5,7 @@ rule popen : notable {
 strings:
 $_popen = "_popen" fullword
 $_pclose = "_pclose" fullword
- $os_popen = "os.popen" fullword
+ $os_popen = /os.popen[\(\"\'\w \$\)]{0,32}/
 $pipe_glibc = "pipe@@GLIBC"
 condition:
 any of them
diff --git a/rules/exec/program.yara b/rules/exec/program.yara
index a707eb64..28066968 100644
--- a/rules/exec/program.yara
+++ b/rules/exec/program.yara
@@ -78,8 +78,6 @@ rule posix_spawn : notable {
 }
-
-
 rule go_exec : notable {
 meta:
 syscall = "posix_spawn"
@@ -89,4 +87,16 @@ rule go_exec : notable {
 $ref = "exec_unix.go"
 condition:
 all of them
+}
+
+rule npm_exec : notable {
+ meta:
+ syscall = "posix_spawn"
+ pledge = "exec"
+ description = "spawn a process"
+ strings:
+ $child = "child_process"
+ $ref = /exec\(\'[\w \/\'\)]{0,64}/
+ condition:
+ all of them
 }
\ No newline at end of file
diff --git a/rules/fs/file-delete-forcibly.yara b/rules/fs/file-delete-forcibly.yara
index 5c07f218..0d12c4c9 100644
--- a/rules/fs/file-delete-forcibly.yara
+++ b/rules/fs/file-delete-forcibly.yara
@@ -8,6 +8,17 @@ rule rm_force {
 $ref
 }
+
+rule rm_recursive_force : suspicious {
+ meta:
+ description = "Forcibly deletes files using rm -R"
+ strings:
+ $ref = /rm -[Rr]f [ \$\w\/\.]{0,32}/
+ $ref2 = /rm -f[Rr] [ \$\w\/\.]{0,32}/
+ condition:
+ any of them
+}
+
 rule background_rm_rf : suspicious {
 meta:
 ref = "https://cert.gov.ua/article/6123309"
diff --git a/rules/fs/file-read.yara b/rules/fs/file-read.yara
index 49a2e177..72ad6d0b 100644
--- a/rules/fs/file-read.yara
+++ b/rules/fs/file-read.yara
@@ -18,3 +18,14 @@ rule py_file_read {
 condition:
 any of them
 }
+
+
+rule node_file_read {
+ meta:
+ description = "reads files"
+ syscall = "open,close"
+ strings:
+ $read = "fs.readFile"
+ condition:
+ any of them
+}
diff --git a/rules/fs/file-stat.yara b/rules/fs/file-stat.yara
index aad35b52..c07daf9c 100644
--- a/rules/fs/file-stat.yara
+++ b/rules/fs/file-stat.yara
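Review bot: The replacement `$os_popen = /os.popen[\(\"\'\w \$\)]{0,32}/` leaves the `.` unescaped, so it matches any character in that position (`os_popen`, `osXpopen`), whereas the string it replaces was an exact `"os.popen" fullword`. Escaping it, `$os_popen = /os\.popen[\(\"\'\w \$\)]{0,32}/`, keeps the broader capture of the call arguments without the accidental wildcard. The rest of `popen`'s body lies outside the hunk.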
@@ -46,4 +46,16 @@ rule go_stat : harmless {
 $filestat = "os.(*fileStat)"
 condition:
 any of them
+}
+
+
+rule npm_stat {
+ meta:
+ description = "Access filesystem information"
+ pledge = "rpath"
+ syscall = "stat"
+ strings:
+ $filestat = /fs\.stat[\w\(\'\.\)]{0,32}/
+ condition:
+ any of them
 }
\ No newline at end of file
diff --git a/rules/kernel/hostname-get.yara b/rules/kernel/hostname-get.yara
index 1461251c..e80effa2 100644
--- a/rules/kernel/hostname-get.yara
+++ b/rules/kernel/hostname-get.yara
@@ -7,6 +7,7 @@ rule gethostname {
 strings:
 $gethostname = "gethostname"
 $proc = "/proc/sys/kernel/hostname"
+ $python = "socket.gethostname"
 condition:
 any of them
 }
diff --git a/rules/kernel/uname-get.yara b/rules/kernel/uname-get.yara
index 112aad41..f8b3977e 100644
--- a/rules/kernel/uname-get.yara
+++ b/rules/kernel/uname-get.yara
@@ -27,6 +27,19 @@ rule python_uname : notable {
 description = "get system identification (platform.dist)"
 strings:
 $ref = "platform.dist()"
+ $ref2 = "platform.platform()"
+ condition:
+ any of them
+}
+
+
+rule npm_uname : notable {
+ meta:
+ description = "get system identification"
+ strings:
+ $ref = "process.platform"
+ $ref2 = "process.arch"
+ $ref3 = "process.versions"
 condition:
 any of them
 }
\ No newline at end of file
diff --git a/rules/net/http-post.yara b/rules/net/http-post.yara
index 5fd7d1a9..c7ba1027 100644
--- a/rules/net/http-post.yara
+++ b/rules/net/http-post.yara
@@ -4,9 +4,10 @@ rule http_post : notable {
 description = "Able to submit content via HTTP POST"
 strings:
 $POST = "POST"
- $HTTP = "HTTP"
+ $h_HTTP = "HTTP"
+ $http = "http"
 condition:
- all of them
+ $POST and any of ($h*)
 }
 rule form_data_reference : notable {
diff --git a/rules/net/http-request.yara b/rules/net/http-request.yara
index 8c72b50d..85f2471d 100644
--- a/rules/net/http-request.yara
+++ b/rules/net/http-request.yara
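Review bot: `$python = "socket.gethostname"` added to `gethostname` is redundant: the existing `$gethostname = "gethostname"` has no `fullword` modifier, so it already matches inside `socket.gethostname`, and the condition is `any of them`. Either drop the new line, or make the two strings distinct by tightening the old one to `$gethostname = "gethostname" fullword` so the Python form is what `$python` catches. As written the line has no effect on what the rule matches.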
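Review bot: Adding `$http = "http"` to `http_post` reduces the rule to `$POST` alone in practice, because the lowercase token `http` occurs in almost every networked binary or script (URLs, library names, scheme strings) and `any of ($h*)` needs only one of the two. If the goal was case-insensitive matching of the protocol token, a single `$h_HTTP = "HTTP" nocase` expresses that without the broadening. Note also that `$http` is swept into `$h*` only because its name happens to start with `h`, which is easy to overlook when reading the condition; a `$h_http` name would make the grouping explicit.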
@@ -9,6 +9,8 @@ rule http_request {
 $connect = "httpConnect"
 $close = "httpClose"
 $http1 = "HTTP/1."
+ $http2 = "Referer" fullword
+ $http3 = "https"
 condition:
 any of them
 }
diff --git a/rules/net/http-server.yara b/rules/net/http-server.yara
index 566c1dcd..691220e5 100644
--- a/rules/net/http-server.yara
+++ b/rules/net/http-server.yara
@@ -4,6 +4,7 @@ rule http_server : notable {
 description = "Able to serve HTTP requests"
 strings:
 $gin = "gin-gonic/"
+ $gin_handler = "gin.HandlerFunc"
 condition:
 any of them
 }
diff --git a/rules/net/ip-external_address-query.yara b/rules/net/ip-external_address-query.yara
index e614f18e..f52359ff 100644
--- a/rules/net/ip-external_address-query.yara
+++ b/rules/net/ip-external_address-query.yara
@@ -58,3 +58,12 @@ rule iplookup_website_xor : critical {
 condition:
 any of them
 }
+
+rule python_list_comprehension : suspicious {
+ meta:
+ description = "discover IP address via socket connection"
+ strings:
+ $ref = "[socket.socket(socket.AF_INET, socket.SOCK_DGRAM"
+ condition:
+ any of them
+}
\ No newline at end of file
diff --git a/rules/net/stat.yara b/rules/net/stat.yara
new file mode 100644
index 00000000..78882205
--- /dev/null
+++ b/rules/net/stat.yara
@@ -0,0 +1,8 @@
+rule netstat : notable {
+ meta:
+ description = "Uses 'netstat' for network information"
+ strings:
+ $ref1 = /netstat[ \-a-z\|]{0,16}/
+ condition:
+ all of them
+}
diff --git a/rules/net/url-encode.yara b/rules/net/url-encode.yara
new file mode 100644
index 00000000..59e9d98f
--- /dev/null
+++ b/rules/net/url-encode.yara
@@ -0,0 +1,8 @@
+rule url_encode : notable {
+ meta:
+ description = "encodes URL, likely to pass GET variables"
+ strings:
+ $ref = "urlencode"
+ condition:
+ any of them
+}
diff --git a/rules/net/url-request.yara b/rules/net/url-request.yara
index 63fa43b1..5dd94331 100644
--- a/rules/net/url-request.yara
+++ b/rules/net/url-request.yara
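Review bot: `rule python_list_comprehension : suspicious {` is named after the Python syntax it happens to match rather than the behaviour its `description` states, which will read oddly in triage output next to names like `iplookup_website_xor`; something like `python_socket_ip_discovery` describes the finding. The string `"[socket.socket(socket.AF_INET, socket.SOCK_DGRAM"` is also whitespace-exact and requires the leading `[`, so the same idiom written `socket.socket(socket.AF_INET,socket.SOCK_DGRAM)` outside a list literal is missed. A regex such as `$ref = /\[socket\.socket\(socket\.AF_INET, ?socket\.SOCK_DGRAM/` tolerates the spacing while keeping the `[` anchor that distinguishes this idiom from ordinary UDP socket creation.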
@@ -5,6 +5,13 @@ rule requests_urls : notable {
 $ref = "NSMutableURLRequest"
 $ref2 = "import requests"
 $ref3 = "net/url"
+ $ref4 = /requests\.get\([\w, =\)]{0,16}/
+ $ref5 = "require('request');"
+ $ref6 = "request(url, "
+ $ref7 = "require('https').request"
+ $ref8 = "http.request"
+ $ref9 = "urllib2.urlopen"
+ $ref10 = "urllib.request"
 condition:
 any of them
 }
diff --git a/rules/net/url.yara b/rules/net/url.yara
index 7b15737c..4c6bac45 100644
--- a/rules/net/url.yara
+++ b/rules/net/url.yara
@@ -5,6 +5,7 @@ rule url_handle {
 $ref = "NSURL"
 $ref2 = "URLContext"
 $ref3 = "RequestURI"
+ $ref4 = "urllib"
 condition:
 any of them
 }
diff --git a/rules/process/current/parent_pid-get.yara b/rules/process/current/parent_pid-get.yara
index 03cef41b..d494ae60 100644
--- a/rules/process/current/parent_pid-get.yara
+++ b/rules/process/current/parent_pid-get.yara
@@ -3,6 +3,7 @@ rule getppid {
 description = "gets parent process ID"
 strings:
 $ref = "getppid" fullword
+ $ref2 = "process.ppid" fullword
 condition:
 any of them
 }
\ No newline at end of file
diff --git a/rules/process/current/root-check.yara b/rules/process/current/root-check.yara
new file mode 100644
index 00000000..9fc8583c
--- /dev/null
+++ b/rules/process/current/root-check.yara
@@ -0,0 +1,10 @@
+
+rule getuid_root : notable {
+ meta:
+ description = "checks if uid=0 (root)"
+ strings:
+ $python = "os.getuid() == 0"
+ $python_w32 = "ctypes.windll.shell32.IsUserAnAdmin() != 0"
+ condition:
+ any of them
+}
\ No newline at end of file
diff --git a/rules/process/current/userid-get.yara b/rules/process/current/userid-get.yara
index f77c5c8a..3002a152 100644
--- a/rules/process/current/userid-get.yara
+++ b/rules/process/current/userid-get.yara
@@ -7,4 +7,4 @@ rule getuid : harmless {
 $Getuid = "Getuid" fullword
 condition:
 any of them
-}
\ No newline at end of file
+}
diff --git a/rules/process/current/username-get.yara b/rules/process/current/username-get.yara
index 8136ccb0..5e50c82f 100644
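Review bot: Both strings in `getuid_root` are whitespace- and form-exact: `"os.getuid() == 0"` misses `os.getuid()==0`, `os.geteuid() == 0` and `not os.getuid()`, and `"ctypes.windll.shell32.IsUserAnAdmin() != 0"` misses the bare `IsUserAnAdmin()` truth test that is at least as common. Regexes such as `$python = /os\.gete?uid\(\) ?== ?0/` and `$python_w32 = /shell32\.IsUserAnAdmin\(\)[ !=0]{0,8}/` keep the intent (an explicit root/admin check) while tolerating formatting differences.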
--- a/rules/process/current/username-get.yara
+++ b/rules/process/current/username-get.yara
@@ -5,6 +5,17 @@ rule getlogin {
 pledge = "id"
 strings:
 $ref = "getlogin" fullword
+ $ref2 = "getpass.getuser" fullword
 condition:
 any of them
 }
+
+rule whoami : notable {
+ meta:
+ syscall = "getuid"
+ description = "returns the user name running this process"
+ strings:
+ $ref = "whoami" fullword
+ condition:
+ any of them
+}
\ No newline at end of file
diff --git a/rules/process/current/whoami.yara b/rules/process/current/whoami.yara
deleted file mode 100644
index 52cd9974..00000000
--- a/rules/process/current/whoami.yara
+++ /dev/null
@@ -1,9 +0,0 @@
-rule whoami : notable {
- meta:
- syscall = "getuid"
- description = "returns the user name running this process"
- strings:
- $ref = "whoami" fullword
- condition:
- any of them
-}
\ No newline at end of file
diff --git a/rules/ref/google-analytics.yara b/rules/ref/google-analytics.yara
new file mode 100644
index 00000000..88bfdf84
--- /dev/null
+++ b/rules/ref/google-analytics.yara
@@ -0,0 +1,9 @@
+rule hardcoded_analytics : suspicious {
+ meta:
+ description = "Contains hardcoded Google Analytics ID"
+ strings:
+ $ref = /UA-[\d]{5,9}-\d{1,3}/ fullword
+ $ref2 = "analytics"
+ condition:
+ all of them
+}
diff --git a/rules/ref/program/powershell.yara b/rules/ref/program/powershell.yara
new file mode 100644
index 00000000..a9debf07
--- /dev/null
+++ b/rules/ref/program/powershell.yara
@@ -0,0 +1,6 @@
+rule powershell : notable {
+ strings:
+ $ref = "powershell" fullword
+ condition:
+ $ref
+}
\ No newline at end of file
diff --git a/rules/ref/site/http-ip.yara b/rules/ref/site/http-ip.yara
index e52d53c8..5342b74b 100644
--- a/rules/ref/site/http-ip.yara
+++ b/rules/ref/site/http-ip.yara
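Review bot: `rule powershell : notable {` has no `meta:` block, unlike every other rule this commit adds (`agent`, `hardcoded_analytics`, `whoami`), so reports that surface it carry no explanation of why a reference is notable. Adding `meta:` / `description = "References the powershell program"` above `strings:` brings it in line. The `whoami` rule moved into rules/process/current/username-get.yara declares `syscall = "getuid"` but not the `pledge = "id"` that its new neighbour `getlogin` carries in the visible context; if the pledge metadata is meant to be consistent within a file, this is the moment to add it.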
@@ -3,7 +3,7 @@ rule http_hardcoded_ip : suspicious exfil {
 meta:
 description = "URL pointing to an IP address rather than DNS name"
 strings:
- $ipv4 = /https*:\/\/([1-9][0-9]{1,2}\.){3}[1-9][0-9]{1,2}/
+ $ipv4 = /https*:\/\/([1-9][0-9]{1,2}\.){3}[1-9][0-9]{1,2}[:\/\w\?]{0,32}/
 $not_metadata = "http://169.254.169.254"
 $not_100 = "http://100.100.100"
 $not_11 = "http://11.11.11"
diff --git a/rules/ref/words/agent.yara b/rules/ref/words/agent.yara
new file mode 100644
index 00000000..6b8c7730
--- /dev/null
+++ b/rules/ref/words/agent.yara
@@ -0,0 +1,9 @@
+rule agent : notable {
+ meta:
+ description = "References an 'agent'"
+ strings:
+ $ref = /[a-zA-Z_]{0,16}agent/ fullword
+ $ref2 = /agent[a-zA-Z_]{0,16}/ fullword
+ condition:
+ any of them
+}
diff --git a/rules/techniques/code_eval.yara b/rules/techniques/code_eval.yara
index f0c8d48b..c4a4780b 100644
--- a/rules/techniques/code_eval.yara
+++ b/rules/techniques/code_eval.yara
@@ -1,21 +1,8 @@
-rule php_eval : suspicious {
+rule eval : suspicious {
 meta:
- description = "evaluate PHP code dynamically using eval"
+ description = "evaluate code dynamically using eval()"
 strings:
- $php = "
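Review bot: The rewritten `$ipv4` regex still requires every octet to match `[1-9][0-9]{1,2}`, i.e. two or three digits with a non-zero lead, so URLs with single-digit or zero octets such as `http://10.0.0.1` or `https://8.8.8.8` are never detected; only the trailing `[:\/\w\?]{0,32}` capture changed in this commit. `(\d{1,3}\.){3}\d{1,3}` would cover them, at the cost of also matching `http://0.0.0.0` and `http://127.0.0.1`, which would then want `$not_*` exclusions alongside the existing `$not_metadata` and `$not_100`. The rule's condition, where those exclusions are applied, lies outside the hunk.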
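Review bot: `$ref = /[a-zA-Z_]{0,16}agent/ fullword` in `agent` matches `user_agent` and `useragent` as whole words, tokens present in nearly every HTTP client library, so this `notable` rule will fire on a large share of benign code. If the target is agent-like program components, add exclusions in the style rules/combo/backdoor/generic/php.yara already uses (`$not_ua = "user_agent"`, `$not_ua2 = "useragent"`, condition `any of ($ref*) and none of ($not*)`), accepting that files containing both are then suppressed; otherwise the `description` should say which kind of agent the match is meant to surface.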