Disable godmode, import rules based on it (chainguard-dev#149)
* Disable godmode, import rules based on it

* update comment
tstromberg authored Apr 19, 2024
1 parent ccb5a8f commit 1be14a7
Showing 21 changed files with 238 additions and 16 deletions.
9 changes: 9 additions & 0 deletions pkg/report/report.go
Expand Up @@ -53,6 +53,11 @@ var yaraForgeJunkWords = map[string]bool{
"suspicious": true,
}

// dropRules are noisy 3rd party rules to silently ignore.
var dropRules = map[string]bool{
"3P/godmoderules/iddqd/god/mode": true,
}

var dateRe = regexp.MustCompile(`[a-z]{3}\d{1,2}`)

func yaraForgeKey(rule string) string {
Expand Down Expand Up @@ -303,6 +308,10 @@ func Generate(ctx context.Context, path string, mrs yara.MatchRules, ignoreTags
continue
}
key := generateKey(m.Namespace, m.Rule)
if dropRules[key] {
continue
}

packageRisks = append(packageRisks, key)

b := bincapz.Behavior{
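Review bot: The `if dropRules[key] { continue }` guard discards the match with no trace, so a suppressed rule never appears in the report or in any log; a debug-level log or a counter of dropped matches would keep the suppression auditable, and because the map is keyed on `generateKey` output, any change to key formatting silently re-enables the dropped rule, which a small test asserting that `3P/godmoderules/iddqd/god/mode` is dropped would catch. `Generate` starts and ends outside this hunk, so it is not visible whether the existing `ignoreTags` parameter could have covered this case instead of a second, hard-coded mechanism; a sentence on the `dropRules` comment saying why it is separate would help. Separately, the sample `samples/macOS/2023.3CX/libffmpeg.dirty.mdiff` in this commit renders the new description as `xOR'ed user agent`, which suggests the report lowercases only the first character of a description; that mangles acronym-leading descriptions and is worth a guard such as skipping the lowercasing when the second character is upper-case.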
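--- a/rules/evasion/amsi_bypass.yara
+++ b/rules/evasion/amsi_bypass.yara
@@ -0,0 +1,11 @@
+rule obfuscated_bypass_amsi : windows suspicious {
+meta:
+description = "bypass AMSI (Anti-Malware Scan Interface)"
+author = "Florian Roth"
+strings:
+// extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
+$amsi_base64 = "AmsiScanBuffer" ascii wide base64
+$amsi_xor = "AmsiScanBuffer" xor(0x01-0xff)
+condition:
+any of them
+}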
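Review bot: `$amsi_xor = "AmsiScanBuffer" xor(0x01-0xff)` has no `wide` modifier, unlike `$amsi_base64` on the line above, so a UTF-16 copy of the string XORed with a single-byte key is not covered; `$amsi_xor = "AmsiScanBuffer" xor(0x01-0xff) ascii wide` makes the two strings symmetric. The rule also has no `filesize` bound, while the godmode-derived rules added to rules/evasion/script-obfuscation.yara in this commit all use `filesize < 16MB`; a 255-key XOR scan is the expensive case, so the bound matters more here than there. The tag order `windows suspicious` differs from the `suspicious windows` used by the other new rules; harmless, but worth normalizing.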
13 changes: 11 additions & 2 deletions rules/evasion/base64-decode.yara
@@ -1,6 +1,6 @@
rule base64_decode : notable python {
meta:
description = "decodes base64 strings"
description = "decode base64 strings"
strings:
$b64decode = "b64decode"
condition:
Expand All @@ -9,9 +9,18 @@ rule base64_decode : notable python {

rule urlsafe_decode64 : notable ruby {
meta:
description = "decodes base64 strings"
description = "decode base64 strings"
strings:
$urlsafe_decode64_ruby = "urlsafe_decode64"
condition:
any of them
}

rule powershell_decode : notable {
meta:
description = "decode base64 strings"
strings:
$ref = "[System.Convert]::FromBase64String" ascii
condition:
any of them
}
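Review bot: `$ref = "[System.Convert]::FromBase64String" ascii` in `powershell_decode` is case-sensitive and ascii-only, but PowerShell member access is case-insensitive and scripts are frequently stored as UTF-16LE, so `[system.convert]::frombase64string` or a wide-encoded script is missed; `$ref = "[System.Convert]::FromBase64String" ascii wide nocase` matches how `powershell_encoded_command_val` elsewhere in this commit is written. The rule also lacks the `windows` tag carried by the other PowerShell rules added here.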
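--- a/rules/evasion/powershell_hidden.yara
+++ b/rules/evasion/powershell_hidden.yara
@@ -0,0 +1,9 @@
+rule powershell_encoded_command_val : suspicious {
+meta:
+description = "Runs powershell with a hidden command"
+strings:
+$ps = "powershell" ascii wide nocase
+$hidden = " -w hidden " ascii wide nocase
+condition:
+all of them
+}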
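Review bot: The rule name `powershell_encoded_command_val` and the description `Runs powershell with a hidden command` both describe something other than what `$hidden = " -w hidden "` matches, which is a hidden window rather than an encoded command; `rule powershell_hidden_window : suspicious windows {` with `description = "runs PowerShell with a hidden window"` would match both the file name and the behaviour. The leading and trailing spaces in `$hidden` also mean the long form `-WindowStyle Hidden`, or the flag at the end of a line, is not matched; if that narrowing is deliberate to limit false positives, a comment saying so would help the next maintainer. The `windows` tag used by the other PowerShell rules in this commit is missing here.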
44 changes: 44 additions & 0 deletions rules/evasion/script-obfuscation.yara
Expand Up @@ -16,3 +16,47 @@ rule generic_obfuscated_perl : suspicious {
condition:
filesize < 20971520 and $eval and 3 of them
}

rule powershell_format : suspicious {
meta:
description = "obfuscated Powershell format string"
author = "Florian Roth"
strings:
// extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
$ref = "}{0}\"-f " ascii wide
condition:
filesize < 16MB and any of them
}

rule powershell_compact : notable windows {
meta:
description = "unusually compact PowerShell representation"
author = "Florian Roth"
strings:
// extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
$InokeExpression = ");iex" nocase ascii wide
condition:
filesize < 16MB and any of them
}

rule casing_obfuscation : notable windows {
meta:
description = "unusual casing obfuscation"
author = "Florian Roth"
strings:
// extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
$ref = / (sEt|SEt|SeT|sET|seT) / ascii wide
condition:
filesize < 16MB and any of them
}

rule powershell_encoded : suspicious windows {
meta:
description = "Encoded Powershell"
author = "Florian Roth"
strings:
// extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
$ref = / -[eE][decoman]{0,41} ['"]?(JAB|SUVYI|aWV4I|SQBFAFgA|aQBlAHgA|cgBlAG)/ ascii wide
condition:
filesize < 16MB and any of them
}
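Review bot: `$InokeExpression` in `powershell_compact` is a misspelling of `$InvokeExpression`; it is only an identifier, but string names are copied into reports and grep results, so `$InvokeExpression = ");iex" nocase ascii wide` is worth fixing now. The four new rules use `filesize < 16MB` while `generic_obfuscated_perl` just above uses `filesize < 20971520`; those are different limits (16 MB versus 20 MB) written in different styles, and settling on one form for the file removes the question of whether the difference is intentional. The description `obfuscated Powershell format string` in `powershell_format` should spell it `PowerShell` as `powershell_compact` does.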
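--- a/rules/evasion/squiblydoo.yara
+++ b/rules/evasion/squiblydoo.yara
@@ -0,0 +1,11 @@
+rule squiblydoo : suspicious windows {
+meta:
+description = "uses regsrv32 to load a remote COM scriptlet"
+ref = "https://socprime.com/blog/squiblydoo-attack-analysis-detection-and-mitigation/"
+author = "Florian Roth"
+strings:
+// extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
+$class_id = "0000FEEDACDC}" ascii wide
+condition:
+any of them
+}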
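Review bot: The description `uses regsrv32 to load a remote COM scriptlet` misspells the binary, which is `regsvr32`; descriptions are what the report prints, so `description = "uses regsvr32 to load a remote COM scriptlet"` is the line to change. `$class_id = "0000FEEDACDC}" ascii wide` looks like the tail of a CLSID rather than a complete identifier, which is presumably deliberate so it matches regardless of the leading brace and separators, but a one-line comment saying so would stop a later reader from "completing" it and changing the match.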
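--- a/rules/evasion/xor-user_agent.yara
+++ b/rules/evasion/xor-user_agent.yara
@@ -0,0 +1,10 @@
+rule xor_mozilla : critical {
+meta:
+description = "XOR'ed user agent, often found in backdoors"
+author = "Florian Roth"
+strings:
+// extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
+$Mozilla_5_0 = "Mozilla/5.0" xor(0x01-0xff) ascii wide
+condition:
+any of them
+}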
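Review bot: `xor_mozilla` is rated `critical` on a single string with no `filesize` bound, and the sample `samples/macOS/2023.3CX/libffmpeg.dirty.mdiff` in this commit shows it firing alongside `3P/signature_base/susp/xored`, whose description says it keys on the same XORed `Mozilla/5.0` indicator; if both stay, one artifact contributes two CRITICAL entries to the score, so either this rule or the third-party one may belong in the new `dropRules` map in pkg/report/report.go. A 255-key XOR scan is the expensive case, so a `filesize` guard like the one on the new rules in rules/evasion/script-obfuscation.yara would keep scan cost bounded.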
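--- a/rules/fs/backup/deletion.yara
+++ b/rules/fs/backup/deletion.yara
@@ -0,0 +1,12 @@
+rule suspicious_deletion : suspicious windows {
+meta:
+description = "suspicious Shadow Copy deletion - possible ransomware"
+strings:
+// extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
+$vss_admin = "vssadmin delete shadows" ascii nocase
+$vss_exec = ".exe delete shadows" ascii nocase
+$wmic = " shadowcopy delete" ascii wide nocase
+$wbadmin = " delete catalog -quiet" ascii wide nocase
+condition:
+any of them
+}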
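Review bot: `$vss_admin = "vssadmin delete shadows" ascii nocase` and `$vss_exec` lack the `wide` modifier that `$wmic` and `$wbadmin` carry, so a UTF-16 copy of the vssadmin command line is not matched while the wmic and wbadmin forms are; `$vss_admin = "vssadmin delete shadows" ascii wide nocase` (and the same for `$vss_exec`) makes the set consistent. The `// extracted from ... godmode.yar` comment is present but the `author = "Florian Roth"` meta that accompanies it in the other imported rules is not; the same omission appears in rules/ref/path/suspicious-pdb.yara and rules/tools/credentials/mimikatz.yara in this commit, and attribution belongs in the meta where the report can surface it.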
13 changes: 12 additions & 1 deletion rules/kernel/dev/mem.yara
Expand Up @@ -10,4 +10,15 @@ rule mem : suspicious {
$not_rwho = "_PATH_RWHODIR" fullword
condition:
$val and none of ($not*)
}
}

rule comsvcs_minidump : suspicious {
meta:
description = "dump process memory using comsvcs.ddl"
author = "Florian Roth"
strings:
// extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
$ref = /comsvcs(\.dll)?[, ]{1,2}(MiniDump|#24)/
condition:
any of them
}
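Review bot: The description `dump process memory using comsvcs.ddl` misspells the library, which the regex on the `$ref` line spells `comsvcs(\.dll)?`; `description = "dump process memory using comsvcs.dll"` is the change. The rule is Windows-only (comsvcs.dll and MiniDump) but has no `windows` tag, unlike the other Windows rules added in this commit, and it sits in rules/kernel/dev/mem.yara next to a `/dev/mem` rule; `rule comsvcs_minidump : suspicious windows {` and possibly a better-fitting file would keep the taxonomy consistent. The `}` removed and re-added above appears to be only a trailing-newline fix.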
1 change: 1 addition & 0 deletions rules/net/raw_sockets.yara
Expand Up @@ -11,6 +11,7 @@ rule raw_sockets : notable {
$ipproto_raw = "IPPROTO_RAW" fullword
$proc_net_raw = "/proc/net/raw"
$make_ip = "makeIPPacket"
$impacket = "impacket."
// $rawsock = "RawSock"
condition:
any of them
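Review bot: `$impacket = "impacket."` is a library-name fragment rather than a raw-socket API like `IPPROTO_RAW` or `/proc/net/raw` in the same rule, and as a short substring without `fullword` it matches any text containing `impacket.` (import lines, documentation, module paths); a comment stating why a library reference belongs under `raw_sockets` would help, or the string could live in a tool-oriented rule instead. `raw_sockets` starts and ends outside this hunk.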
12 changes: 12 additions & 0 deletions rules/ref/path/suspicious-pdb.yara
@@ -0,0 +1,12 @@
rule suspicious_pdb : suspicious windows {
meta:
description = "suspicious PDB (Windows Program Database) reference"
strings:
// extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
$ref = /[a-zA-Z]{0,16}(Dropper|Bypass|Injection|Potato)\.pdb/ nocase
$not_dep = "DepInjection.pdb"
$not_dep2 = "DependencyInjection.pdb"
condition:
$ref and none of ($not*)
}
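Review bot: `$ref` carries `nocase` but the two exclusion strings `$not_dep = "DepInjection.pdb"` and `$not_dep2 = "DependencyInjection.pdb"` do not, so a lower- or mixed-case `depinjection.pdb` matches `$ref` without being excluded by `none of ($not*)`; adding `nocase` to both `$not_*` lines closes that gap. The section header says 12 additions but only 11 lines are rendered here, so one line (likely a blank) is missing from this view.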
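--- a/rules/shell/tmp_semicolon.yara
+++ b/rules/shell/tmp_semicolon.yara
@@ -0,0 +1,11 @@
+rule semicolon_short_tmp : suspicious {
+meta:
+description = "unusual one-liners involving /tmp"
+strings:
+$tmp_before = /[\w\/ \-\;]{0,32} \/tmp\/[a-z]{1,5} {0,2};/
+$var_tmp_before = /[\w\/ \-\;]{0,32} \/var\/tmp\/[a-z]{1,5} {0,2};/
+$tmp_after = /[\w\/ \-]{0,32}; {0,2}\/tmp\/[a-z]{1,5}[\w\/ \-\&\;]{0,32}/
+$var_tmp_after = /[\w\/ \-]{0,32}; {0,2}\/var\/tmp\/[a-z]{1,5}[\w\/ \-\&\;]{0,32}/
+condition:
+any of them
+}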
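Review bot: The four regexes reduce to "`/tmp/` followed by one to five lowercase letters near a `;`", which also matches ordinary shell such as `cd /tmp/foo;` or `rm -rf /tmp/x;`, so at `suspicious` severity this rule will fire on benign build and packaging scripts; a comment in the rule explaining which combination is considered unusual, and possibly a `filesize` bound, would make the intent reviewable and tunable. Unlike the other new rules in this commit there is no provenance comment or `author`, so it reads as original work; if so, a `ref` or a note on the observed pattern would help maintainers judge false positives. The `\;` escapes inside the character classes are unnecessary (`;` is not special there), which is only a readability nit.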
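--- a/rules/tools/backdoor/brute_ratel.yara
+++ b/rules/tools/backdoor/brute_ratel.yara
@@ -0,0 +1,10 @@
+rule brute_ratel_c4 : suspicious {
+meta:
+description = "XOR'ed shellcode from Brute Ratel"
+author = "Florian Roth"
+strings:
+// extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
+$ref = "\x48\x83\xec\x50\x4d\x63\x68\x3c\x48\x89\x4d\x10" xor
+condition:
+any of them
+}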
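Review bot: `$ref` is a 12-byte code sequence written as a text string with `\x` escapes, which is required because the `xor` modifier applies only to text strings, but nothing in the rule says so and a reader's first instinct is to convert it to a `{ 48 83 ... }` hex string; a one-line comment such as `// kept as a text string so the xor modifier can be applied` prevents a well-meaning rewrite that would drop XOR coverage. Bare `xor` also defaults to the full 0x00-0xff key range, so the plaintext sequence matches too; if only obfuscated copies are wanted, `xor(0x01-0xff)` as used in rules/evasion/xor-user_agent.yara is the explicit form. The rule has no `windows` tag where the other Windows tool rules in this commit do.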
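--- a/rules/tools/backdoor/cobalt_strike.yara
+++ b/rules/tools/backdoor/cobalt_strike.yara
@@ -0,0 +1,10 @@
+rule cobalt_strike_indicator : suspicious {
+meta:
+description = "CobaltStrike indicator"
+author = "Florian Roth"
+strings:
+// extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
+$ref = "%s as %s\\%s: %d" ascii xor
+condition:
+any of them
+}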
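Review bot: The description `CobaltStrike indicator` does not say what the format string in `$ref = "%s as %s\\%s: %d" ascii xor` is or where it appears, so a future maintainer cannot judge its false-positive exposure or whether a legitimate product emits the same template; a description or comment naming the artifact it was taken from, beyond the godmode link, would help. Bare `xor` here includes key 0x00, so the plaintext template also matches; that may be intended, but `xor(0x01-0xff)` would make the choice explicit as in rules/evasion/xor-user_agent.yara.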
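--- a/rules/tools/backdoor/havoc.yara
+++ b/rules/tools/backdoor/havoc.yara
@@ -0,0 +1,10 @@
+rule havoc_c2_xor : suspicious {
+meta:
+description = "Havoc C2 implant"
+author = "Florian Roth"
+strings:
+// extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
+$ref = "amsi.dllATVSH" ascii xor
+condition:
+any of them
+}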
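--- a/rules/tools/backdoor/merlin.yara
+++ b/rules/tools/backdoor/merlin.yara
@@ -0,0 +1,10 @@
+rule merlin_c2 : suspicious {
+meta:
+description = "XOR'ed shellcode from Brute Ratel"
+author = "Florian Roth"
+strings:
+// extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
+$ref = "main.Merlin" ascii fullword
+condition:
+any of them
+}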
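Review bot: The description `XOR'ed shellcode from Brute Ratel` is copied from rules/tools/backdoor/brute_ratel.yara and does not describe this rule, which matches the plaintext symbol `main.Merlin` with no XOR at all; descriptions surface in the report, so `description = "Merlin C2 agent"` (or similar) is the line to change. `main.Merlin` looks like a Go package symbol, so a comment such as `// Go symbol name present in unstripped agents` would tell the next maintainer what the string is and why `fullword` was chosen; I cannot confirm the binary layout from this page.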
10 changes: 10 additions & 0 deletions rules/tools/backdoor/silver.yara
Expand Up @@ -22,3 +22,13 @@ rule c2_implant_sliver_functions : critical {
condition:
filesize < 20971520 and 2 of them
}

rule beaconjitter_xor : suspicious {
meta:
description = "Sliver C2 implant"
strings:
// extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
$ref = "BeaconJitter" xor
condition:
any of them
}
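Review bot: `$ref = "BeaconJitter" xor` uses the bare `xor` modifier, whose default key range includes 0x00, so the plaintext string also matches; if `c2_implant_sliver_functions` above already keys on plaintext Sliver symbols (its start lies outside this hunk), the same sample then fires both rules and is scored twice. `$ref = "BeaconJitter" xor(0x01-0xff)`, as rules/evasion/xor-user_agent.yara does, restricts this rule to genuinely obfuscated copies. The description `Sliver C2 implant` would be more useful as `XOR'ed Sliver C2 implant string` so the two rules in this file are distinguishable in a report.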
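--- a/rules/tools/credentials/mimikatz.yara
+++ b/rules/tools/credentials/mimikatz.yara
@@ -0,0 +1,10 @@
+rule hacktool_mimikatz : critical {
+meta:
+description = "extract Windows passwords from memory"
+strings:
+// extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
+$passwords = "sekurlsa::logonpasswords" ascii wide nocase
+$error = "ERROR kuhl" wide xor
+condition:
+any of them
+}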
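--- a/rules/tools/vulncheck/metasploit.yara
+++ b/rules/tools/vulncheck/metasploit.yara
@@ -0,0 +1,24 @@
+rule metasploit_payload : critical {
+meta:
+hash_2012_getshell_siggen = "4863d9a15f3a1ed5dd1f84cf9883eafb6bf2b483c2c6032cfbf0d3caf3cf6dd8"
+description = "Metasploit shellcode (msfpayload)"
+strings:
+$msfpayload = "msfpayload"
+$metasploit = "http://www.metasploit.com"
+$payload = "Payload: "
+$shh = "/shh/bin"
+condition:
+2 of them
+}
+
+rule meterpreter : scritical windows {
+meta:
+description = "extensible payload for DLL injection and remote access"
+ref = "https://www.offsec.com/metasploit-unleashed/about-meterpreter/"
+author = "Florian Roth"
+strings:
+// extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
+$ref = "/meterpreter/" ascii xor
+condition:
+any of them
+}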
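Review bot: `rule meterpreter : scritical windows {` carries the tag `scritical`, a typo for `critical`; every other rule in this diff uses `critical`, `suspicious` or `notable`, and the report keys appear to derive severity from these tags, so as written the rule has no recognised severity and may be scored or filtered differently from what was intended. The line should read `rule meterpreter : critical windows {`. `metasploit_payload` appears to be moved here from the deleted rules/tools/vulncheck/metasploit_payload.yara; its body is not shown on the old side, so I cannot confirm it is unchanged.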
12 changes: 0 additions & 12 deletions rules/tools/vulncheck/metasploit_payload.yara

This file was deleted.

2 changes: 1 addition & 1 deletion samples/macOS/2023.3CX/libffmpeg.dirty.mdiff
Expand Up @@ -5,11 +5,11 @@ New Risk: 🚨 CRITICAL

| RISK | KEY | DESCRIPTION |
|-------------|----------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------|
| +4/CRITICAL | **3P/godmoderules/iddqd/god/mode** | detects a wide array of cyber threats, from malware and ransomware to advanced persistent threats (APTs), by Florian Roth |
| +4/CRITICAL | **3P/signature_base/3cxdesktopapp/backdoor** | detects 3CXDesktopApp MacOS Backdoor component, by X__Junior (Nextron Systems) |
| +4/CRITICAL | **3P/signature_base/nk/3cx** | detects malicious DYLIB files related to 3CX compromise, by Florian Roth (Nextron Systems) |
| +4/CRITICAL | **3P/signature_base/susp/xored** | detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key, by Florian Roth |
| +4/CRITICAL | **3P/volexity/iconic** | detects the MACOS version of the ICONIC loader., by [email protected] |
| +4/CRITICAL | **evasion/xor/user_agent** | xOR'ed user agent, often found in backdoors, by Florian Roth: "$Mozilla_5_0" |
| +2/MEDIUM | **exec/pipe** | launches program and reads its output |
| +2/MEDIUM | **fs/permission/modify** | modifies file permissions |
| +2/MEDIUM | **net/http/cookies** | able to access HTTP resources using cookies |
