forked from chainguard-dev/malcontent
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Disable godmode, import rules based on it (chainguard-dev#149)
* Disable godmode, import rules based on it * update comment
- Loading branch information
1 parent
ccb5a8f
commit 1be14a7
Showing
21 changed files
with
238 additions
and
16 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
rule obfuscated_bypass_amsi : windows suspicious { | ||
meta: | ||
description = "bypass AMSI (Anti-Malware Scan Interface)" | ||
author = "Florian Roth" | ||
strings: | ||
// extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar | ||
$amsi_base64 = "AmsiScanBuffer" ascii wide base64 | ||
$amsi_xor = "AmsiScanBuffer" xor(0x01-0xff) | ||
condition: | ||
any of them | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
rule powershell_encoded_command_val : suspicious { | ||
meta: | ||
description = "Runs powershell with a hidden command" | ||
strings: | ||
$ps = "powershell" ascii wide nocase | ||
$hidden = " -w hidden " ascii wide nocase | ||
condition: | ||
all of them | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
rule squiblydoo : suspicious windows { | ||
meta: | ||
description = "uses regsrv32 to load a remote COM scriptlet" | ||
ref = "https://socprime.com/blog/squiblydoo-attack-analysis-detection-and-mitigation/" | ||
author = "Florian Roth" | ||
strings: | ||
// extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar | ||
$class_id = "0000FEEDACDC}" ascii wide | ||
condition: | ||
any of them | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
rule xor_mozilla : critical { | ||
meta: | ||
description = "XOR'ed user agent, often found in backdoors" | ||
author = "Florian Roth" | ||
strings: | ||
// extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar | ||
$Mozilla_5_0 = "Mozilla/5.0" xor(0x01-0xff) ascii wide | ||
condition: | ||
any of them | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
rule suspicious_deletion : suspicious windows { | ||
meta: | ||
description = "suspicious Shadow Copy deletion - possible ransomware" | ||
strings: | ||
// extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar | ||
$vss_admin = "vssadmin delete shadows" ascii nocase | ||
$vss_exec = ".exe delete shadows" ascii nocase | ||
$wmic = " shadowcopy delete" ascii wide nocase | ||
$wbadmin = " delete catalog -quiet" ascii wide nocase | ||
condition: | ||
any of them | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
rule suspicious_pdb : suspicious windows { | ||
meta: | ||
description = "suspicious PDB (Windows Program Database) reference" | ||
strings: | ||
// extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar | ||
$ref = /[a-zA-Z]{0,16}(Dropper|Bypass|Injection|Potato)\.pdb/ nocase | ||
$not_dep = "DepInjection.pdb" | ||
$not_dep2 = "DependencyInjection.pdb" | ||
condition: | ||
$ref and none of ($not*) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
rule semicolon_short_tmp : suspicious { | ||
meta: | ||
description = "unusual one-liners involving /tmp" | ||
strings: | ||
$tmp_before = /[\w\/ \-\;]{0,32} \/tmp\/[a-z]{1,5} {0,2};/ | ||
$var_tmp_before = /[\w\/ \-\;]{0,32} \/var\/tmp\/[a-z]{1,5} {0,2};/ | ||
$tmp_after = /[\w\/ \-]{0,32}; {0,2}\/tmp\/[a-z]{1,5}[\w\/ \-\&\;]{0,32}/ | ||
$var_tmp_after = /[\w\/ \-]{0,32}; {0,2}\/var\/tmp\/[a-z]{1,5}[\w\/ \-\&\;]{0,32}/ | ||
condition: | ||
any of them | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
rule brute_ratel_c4 : suspicious { | ||
meta: | ||
description = "XOR'ed shellcode from Brute Ratel" | ||
author = "Florian Roth" | ||
strings: | ||
// extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar | ||
$ref = "\x48\x83\xec\x50\x4d\x63\x68\x3c\x48\x89\x4d\x10" xor | ||
condition: | ||
any of them | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
rule cobalt_strike_indicator : suspicious { | ||
meta: | ||
description = "CobaltStrike indicator" | ||
author = "Florian Roth" | ||
strings: | ||
// extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar | ||
$ref = "%s as %s\\%s: %d" ascii xor | ||
condition: | ||
any of them | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
rule havoc_c2_xor : suspicious { | ||
meta: | ||
description = "Havoc C2 implant" | ||
author = "Florian Roth" | ||
strings: | ||
// extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar | ||
$ref = "amsi.dllATVSH" ascii xor | ||
condition: | ||
any of them | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
rule merlin_c2 : suspicious { | ||
meta: | ||
description = "XOR'ed shellcode from Brute Ratel" | ||
author = "Florian Roth" | ||
strings: | ||
// extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar | ||
$ref = "main.Merlin" ascii fullword | ||
condition: | ||
any of them | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
rule hacktool_mimikatz : critical { | ||
meta: | ||
description = "extract Windows passwords from memory" | ||
strings: | ||
// extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar | ||
$passwords = "sekurlsa::logonpasswords" ascii wide nocase | ||
$error = "ERROR kuhl" wide xor | ||
condition: | ||
any of them | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
rule metasploit_payload : critical { | ||
meta: | ||
hash_2012_getshell_siggen = "4863d9a15f3a1ed5dd1f84cf9883eafb6bf2b483c2c6032cfbf0d3caf3cf6dd8" | ||
description = "Metasploit shellcode (msfpayload)" | ||
strings: | ||
$msfpayload = "msfpayload" | ||
$metasploit = "http://www.metasploit.com" | ||
$payload = "Payload: " | ||
$shh = "/shh/bin" | ||
condition: | ||
2 of them | ||
} | ||
|
||
rule meterpreter : scritical windows { | ||
meta: | ||
description = "extensible payload for DLL injection and remote access" | ||
ref = "https://www.offsec.com/metasploit-unleashed/about-meterpreter/" | ||
author = "Florian Roth" | ||
strings: | ||
// extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar | ||
$ref = "/meterpreter/" ascii xor | ||
condition: | ||
any of them | ||
} |
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -5,11 +5,11 @@ New Risk: 🚨 CRITICAL | |
|
||
| RISK | KEY | DESCRIPTION | | ||
|-------------|----------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------| | ||
| +4/CRITICAL | **3P/godmoderules/iddqd/god/mode** | detects a wide array of cyber threats, from malware and ransomware to advanced persistent threats (APTs), by Florian Roth | | ||
| +4/CRITICAL | **3P/signature_base/3cxdesktopapp/backdoor** | detects 3CXDesktopApp MacOS Backdoor component, by X__Junior (Nextron Systems) | | ||
| +4/CRITICAL | **3P/signature_base/nk/3cx** | detects malicious DYLIB files related to 3CX compromise, by Florian Roth (Nextron Systems) | | ||
| +4/CRITICAL | **3P/signature_base/susp/xored** | detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key, by Florian Roth | | ||
| +4/CRITICAL | **3P/volexity/iconic** | detects the MACOS version of the ICONIC loader., by [email protected] | | ||
| +4/CRITICAL | **evasion/xor/user_agent** | xOR'ed user agent, often found in backdoors, by Florian Roth: "$Mozilla_5_0" | | ||
| +2/MEDIUM | **exec/pipe** | launches program and reads its output | | ||
| +2/MEDIUM | **fs/permission/modify** | modifies file permissions | | ||
| +2/MEDIUM | **net/http/cookies** | able to access HTTP resources using cookies | | ||
|