diff --git a/pkg/report/report.go b/pkg/report/report.go
index e3824de08..9597c73c8 100644
--- a/pkg/report/report.go
+++ b/pkg/report/report.go
@@ -53,6 +53,11 @@ var yaraForgeJunkWords = map[string]bool{
 "suspicious": true,
 }
+// dropRules are noisy 3rd party rules to silently ignore.
+var dropRules = map[string]bool{
+ "3P/godmoderules/iddqd/god/mode": true,
+}
+
 var dateRe = regexp.MustCompile(`[a-z]{3}\d{1,2}`)
 func yaraForgeKey(rule string) string {
@@ -303,6 +308,10 @@ func Generate(ctx context.Context, path string, mrs yara.MatchRules, ignoreTags
 continue
 }
 key := generateKey(m.Namespace, m.Rule)
+ if dropRules[key] {
+ continue
+ }
+
 packageRisks = append(packageRisks, key)
 b := bincapz.Behavior{
diff --git a/rules/evasion/amsi_bypass.yara b/rules/evasion/amsi_bypass.yara
new file mode 100644
index 000000000..a7e150b8f
--- /dev/null
+++ b/rules/evasion/amsi_bypass.yara
@@ -0,0 +1,11 @@
+rule obfuscated_bypass_amsi : windows suspicious {
+ meta:
+ description = "bypass AMSI (Anti-Malware Scan Interface)"
+ author = "Florian Roth"
+ strings:
+ // extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
+ $amsi_base64 = "AmsiScanBuffer" ascii wide base64
+ $amsi_xor = "AmsiScanBuffer" xor(0x01-0xff)
+ condition:
+ any of them
+}
diff --git a/rules/evasion/base64-decode.yara b/rules/evasion/base64-decode.yara
index 7c225e777..61b46c5a8 100644
--- a/rules/evasion/base64-decode.yara
+++ b/rules/evasion/base64-decode.yara
@@ -1,6 +1,6 @@
 rule base64_decode : notable python {
 meta:
- description = "decodes base64 strings"
+ description = "decode base64 strings"
 strings:
 $b64decode = "b64decode"
 condition:
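Review bot: The `if dropRules[key] { continue }` branch in Generate discards a match with no trace at all, so a file whose only hit is the suppressed namespace produces neither a report row nor a log line; a debug-level log before the `continue` would keep the suppression auditable. The comment on `dropRules` says only "noisy" — the actual reason is visible elsewhere in this commit (the godmode signatures are being re-created as first-party rules, per the "extracted from ... godmode.yar" comments), so suggest `// dropRules are third-party rules whose signatures are duplicated by first-party rules in rules/ and would otherwise double-count risk.`. The map key has to equal exactly what generateKey returns for that namespace/rule pair, which is worth pinning with a unit test. The body of Generate continues outside both hunks.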
@@ -9,9 +9,18 @@ rule base64_decode : notable python {
 rule urlsafe_decode64 : notable ruby {
 meta:
- description = "decodes base64 strings"
+ description = "decode base64 strings"
 strings:
 $urlsafe_decode64_ruby = "urlsafe_decode64"
 condition:
 any of them
 }
+
+rule powershell_decode : notable {
+ meta:
+ description = "decode base64 strings"
+ strings:
+ $ref = "[System.Convert]::FromBase64String" ascii
+ condition:
+ any of them
+}
diff --git a/rules/evasion/powershell_hidden.yara b/rules/evasion/powershell_hidden.yara
new file mode 100644
index 000000000..444be8730
--- /dev/null
+++ b/rules/evasion/powershell_hidden.yara
@@ -0,0 +1,9 @@
+rule powershell_encoded_command_val : suspicious {
+ meta:
+ description = "Runs powershell with a hidden command"
+ strings:
+ $ps = "powershell" ascii wide nocase
+ $hidden = " -w hidden " ascii wide nocase
+ condition:
+ all of them
+}
diff --git a/rules/evasion/script-obfuscation.yara b/rules/evasion/script-obfuscation.yara
index f4db79db3..5e2f3b08d 100644
--- a/rules/evasion/script-obfuscation.yara
+++ b/rules/evasion/script-obfuscation.yara
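Review bot: powershell_decode declares `$ref` as `ascii` only, while the other PowerShell-oriented rules added in this commit (powershell_hidden, xor_mozilla) use `ascii wide`; PowerShell script bodies and .NET string tables are frequently UTF-16LE, so the `[System.Convert]::FromBase64String` reference is missed in that encoding. Suggest `$ref = "[System.Convert]::FromBase64String" ascii wide`. The two sibling rules in this file carry a language tag (`python`, `ruby`) and this one carries none, so the report cannot attribute it the same way; adding a matching tag keeps the file consistent.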
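Review bot: The rule name `powershell_encoded_command_val` does not describe what the rule detects — its strings match `-w hidden`, not an encoded command — and the file is named powershell_hidden.yara; suggest `rule powershell_hidden_window : suspicious windows {`, which also adds the `windows` tag the other PowerShell rules in this commit carry. The `$hidden` pattern `" -w hidden "` requires a trailing space, so the switch at the very end of a command line, or followed by a newline or quote, does not match; `$hidden = " -w hidden" ascii wide nocase` keeps the leading-space anchor without that gap. A `ref` line naming the source of the pattern would match the metadata style of the other new rules.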
@@ -16,3 +16,47 @@ rule generic_obfuscated_perl : suspicious {
 condition:
 filesize < 20971520 and $eval and 3 of them
 }
+
+rule powershell_format : suspicious {
+ meta:
+ description = "obfuscated Powershell format string"
+ author = "Florian Roth"
+ strings:
+ // extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
+ $ref = "}{0}\"-f " ascii wide
+ condition:
+ filesize < 16MB and any of them
+}
+
+rule powershell_compact : notable windows {
+ meta:
+ description = "unusually compact PowerShell representation"
+ author = "Florian Roth"
+ strings:
+ // extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
+ $InokeExpression = ");iex" nocase ascii wide
+ condition:
+ filesize < 16MB and any of them
+}
+
+rule casing_obfuscation : notable windows {
+ meta:
+ description = "unusual casing obfuscation"
+ author = "Florian Roth"
+ strings:
+ // extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
+ $ref = / (sEt|SEt|SeT|sET|seT) / ascii wide
+ condition:
+ filesize < 16MB and any of them
+}
+
+rule powershell_encoded : suspicious windows {
+ meta:
+ description = "Encoded Powershell"
+ author = "Florian Roth"
+ strings:
+ // extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
+ $ref = / -[eE][decoman]{0,41} ['"]?(JAB|SUVYI|aWV4I|SQBFAFgA|aQBlAHgA|cgBlAG)/ ascii wide
+ condition:
+ filesize < 16MB and any of them
+}
diff --git a/rules/evasion/squiblydoo.yara b/rules/evasion/squiblydoo.yara
new file mode 100644
index 000000000..725ae9dcd
--- /dev/null
+++ b/rules/evasion/squiblydoo.yara
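Review bot: `$InokeExpression` in powershell_compact is a misspelling of `$InvokeExpression`; the condition uses `any of them`, so nothing breaks, but the identifier reads as a typo and should be renamed. Tagging across the four new rules is inconsistent: powershell_compact, casing_obfuscation and powershell_encoded carry `windows`, but powershell_format does not, although all four target PowerShell — suggest `rule powershell_format : suspicious windows {`. The new rules also bound on `filesize < 16MB` while generic_obfuscated_perl just above uses `filesize < 20971520`; picking one limit for the file avoids a reader wondering whether the difference is deliberate.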
@@ -0,0 +1,11 @@
+rule squiblydoo : suspicious windows {
+ meta:
+ description = "uses regsrv32 to load a remote COM scriptlet"
+ ref = "https://socprime.com/blog/squiblydoo-attack-analysis-detection-and-mitigation/"
+ author = "Florian Roth"
+ strings:
+ // extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
+ $class_id = "0000FEEDACDC}" ascii wide
+ condition:
+ any of them
+}
diff --git a/rules/evasion/xor-user_agent.yara b/rules/evasion/xor-user_agent.yara
new file mode 100644
index 000000000..813508265
--- /dev/null
+++ b/rules/evasion/xor-user_agent.yara
@@ -0,0 +1,10 @@
+rule xor_mozilla : critical {
+ meta:
+ description = "XOR'ed user agent, often found in backdoors"
+ author = "Florian Roth"
+ strings:
+ // extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
+ $Mozilla_5_0 = "Mozilla/5.0" xor(0x01-0xff) ascii wide
+ condition:
+ any of them
+}
diff --git a/rules/fs/backup/deletion.yara b/rules/fs/backup/deletion.yara
new file mode 100644
index 000000000..1f3e116ee
--- /dev/null
+++ b/rules/fs/backup/deletion.yara
@@ -0,0 +1,12 @@
+rule suspicious_deletion : suspicious windows {
+ meta:
+ description = "suspicious Shadow Copy deletion - possible ransomware"
+ strings:
+ // extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
+ $vss_admin = "vssadmin delete shadows" ascii nocase
+ $vss_exec = ".exe delete shadows" ascii nocase
+ $wmic = " shadowcopy delete" ascii wide nocase
+ $wbadmin = " delete catalog -quiet" ascii wide nocase
+ condition:
+ any of them
+}
diff --git a/rules/kernel/dev/mem.yara b/rules/kernel/dev/mem.yara
index 45c27af2a..63874e82f 100644
--- a/rules/kernel/dev/mem.yara
+++ b/rules/kernel/dev/mem.yara
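Review bot: The squiblydoo description spells the binary `regsrv32`; the Windows component is regsvr32, so the metadata should read `description = "uses regsvr32 to load a remote COM scriptlet"`. Descriptions are printed verbatim in the report (see the samples mdiff later in this commit), so an analyst searching report output for the real binary name would otherwise miss this row.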
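Review bot: In suspicious_deletion, `$vss_admin` and `$vss_exec` are `ascii nocase` while `$wmic` and `$wbadmin` are `ascii wide nocase`, so the vssadmin command line is missed when it is stored as UTF-16, the case the two sibling strings already handle; suggest `$vss_admin = "vssadmin delete shadows" ascii wide nocase` and likewise for `$vss_exec`. `$vss_exec` (`".exe delete shadows"`) overlaps `$vss_admin` almost entirely; if it is meant to catch a renamed copy of the binary, a one-line comment saying so would save the next reader the guess.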
@@ -10,4 +10,15 @@ rule mem : suspicious {
 $not_rwho = "_PATH_RWHODIR" fullword
 condition:
 $val and none of ($not*)
-}
\ No newline at end of file
+}
+
+rule comsvcs_minidump : suspicious {
+ meta:
+ description = "dump process memory using comsvcs.ddl"
+ author = "Florian Roth"
+ strings:
+ // extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
+ $ref = /comsvcs(\.dll)?[, ]{1,2}(MiniDump|#24)/
+ condition:
+ any of them
+}
diff --git a/rules/net/raw_sockets.yara b/rules/net/raw_sockets.yara
index 7d3da5a1e..65d7cc1e4 100644
--- a/rules/net/raw_sockets.yara
+++ b/rules/net/raw_sockets.yara
@@ -11,6 +11,7 @@ rule raw_sockets : notable {
 $ipproto_raw = "IPPROTO_RAW" fullword
 $proc_net_raw = "/proc/net/raw"
 $make_ip = "makeIPPacket"
+ $impacket = "impacket."
 // $rawsock = "RawSock"
 condition:
 any of them
diff --git a/rules/ref/path/suspicious-pdb.yara b/rules/ref/path/suspicious-pdb.yara
new file mode 100644
index 000000000..5d399c671
--- /dev/null
+++ b/rules/ref/path/suspicious-pdb.yara
@@ -0,0 +1,12 @@
+rule suspicious_pdb : suspicious windows {
+ meta:
+ description = "suspicious PDB (Windows Program Database) reference"
+ strings:
+ // extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
+ $ref = /[a-zA-Z]{0,16}(Dropper|Bypass|Injection|Potato)\.pdb/ nocase
+
+ $not_dep = "DepInjection.pdb"
+ $not_dep2 = "DependencyInjection.pdb"
+ condition:
+ $ref and none of ($not*)
+}
diff --git a/rules/shell/tmp_semicolon.yara b/rules/shell/tmp_semicolon.yara
new file mode 100644
index 000000000..ca4e91077
--- /dev/null
+++ b/rules/shell/tmp_semicolon.yara
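Review bot: `comsvcs.ddl` in the comsvcs_minidump description is a typo for `comsvcs.dll` (the regex one line below spells it correctly); suggest `description = "dump process memory using comsvcs.dll"`. The rule is also placed in rules/kernel/dev/mem.yara beside a Linux /dev/mem rule and lacks the `windows` tag that the other Windows-only rules in this commit carry, even though a `.dll` export is Windows-specific; `rule comsvcs_minidump : suspicious windows {` in a Windows-oriented path would keep the rule taxonomy meaningful.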
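Review bot: In suspicious_pdb, `$ref` is `nocase` but the `$not_dep` and `$not_dep2` exclusions are case-sensitive, so a path such as `dependencyinjection.pdb` matches `$ref` and escapes `none of ($not*)` — exactly the false positive those strings exist to prevent. Add `nocase` to both, e.g. `$not_dep2 = "DependencyInjection.pdb" nocase`. The blank line between `$ref` and the `$not*` strings is fine, but a short comment such as `// benign .NET DI libraries that would otherwise match "Injection.pdb"` would explain why the exclusions exist.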
@@ -0,0 +1,11 @@
+rule semicolon_short_tmp : suspicious {
+ meta:
+ description = "unusual one-liners involving /tmp"
+ strings:
+ $tmp_before = /[\w\/ \-\;]{0,32} \/tmp\/[a-z]{1,5} {0,2};/
+ $var_tmp_before = /[\w\/ \-\;]{0,32} \/var\/tmp\/[a-z]{1,5} {0,2};/
+ $tmp_after = /[\w\/ \-]{0,32}; {0,2}\/tmp\/[a-z]{1,5}[\w\/ \-\&\;]{0,32}/
+ $var_tmp_after = /[\w\/ \-]{0,32}; {0,2}\/var\/tmp\/[a-z]{1,5}[\w\/ \-\&\;]{0,32}/
+ condition:
+ any of them
+}
diff --git a/rules/tools/backdoor/brute_ratel.yara b/rules/tools/backdoor/brute_ratel.yara
new file mode 100644
index 000000000..5c2b748a1
--- /dev/null
+++ b/rules/tools/backdoor/brute_ratel.yara
@@ -0,0 +1,10 @@
+rule brute_ratel_c4 : suspicious {
+ meta:
+ description = "XOR'ed shellcode from Brute Ratel"
+ author = "Florian Roth"
+ strings:
+ // extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
+ $ref = "\x48\x83\xec\x50\x4d\x63\x68\x3c\x48\x89\x4d\x10" xor
+ condition:
+ any of them
+}
diff --git a/rules/tools/backdoor/cobalt_strike.yara b/rules/tools/backdoor/cobalt_strike.yara
new file mode 100644
index 000000000..f8810a3b3
--- /dev/null
+++ b/rules/tools/backdoor/cobalt_strike.yara
@@ -0,0 +1,10 @@
+rule cobalt_strike_indicator : suspicious {
+ meta:
+ description = "CobaltStrike indicator"
+ author = "Florian Roth"
+ strings:
+ // extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
+ $ref = "%s as %s\\%s: %d" ascii xor
+ condition:
+ any of them
+}
diff --git a/rules/tools/backdoor/havoc.yara b/rules/tools/backdoor/havoc.yara
new file mode 100644
index 000000000..01c1b5428
--- /dev/null
+++ b/rules/tools/backdoor/havoc.yara
@@ -0,0 +1,10 @@
+rule havoc_c2_xor : suspicious {
+ meta:
+ description = "Havoc C2 implant"
+ author = "Florian Roth"
+ strings:
+ // extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
+ $ref = "amsi.dllATVSH" ascii xor
+ condition:
+ any of them
+}
diff --git a/rules/tools/backdoor/merlin.yara b/rules/tools/backdoor/merlin.yara
new file mode 100644
index 000000000..a340e5aac
--- /dev/null
+++ b/rules/tools/backdoor/merlin.yara
@@ -0,0 +1,10 @@
+rule merlin_c2 : suspicious {
+ meta:
+ description = "XOR'ed shellcode from Brute Ratel"
+ author = "Florian Roth"
+ strings:
+ // extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
+ $ref = "main.Merlin" ascii fullword
+ condition:
+ any of them
+}
diff --git a/rules/tools/backdoor/silver.yara b/rules/tools/backdoor/silver.yara
index 2d0adb41b..cf374d18b 100644
--- a/rules/tools/backdoor/silver.yara
+++ b/rules/tools/backdoor/silver.yara
@@ -22,3 +22,13 @@ rule c2_implant_sliver_functions : critical {
 condition:
 filesize < 20971520 and 2 of them
 }
+
+rule beaconjitter_xor : suspicious {
+ meta:
+ description = "Sliver C2 implant"
+ strings:
+ // extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
+ $ref = "BeaconJitter" xor
+ condition:
+ any of them
+}
diff --git a/rules/tools/credentials/mimikatz.yara b/rules/tools/credentials/mimikatz.yara
new file mode 100644
index 000000000..d276ba8ff
--- /dev/null
+++ b/rules/tools/credentials/mimikatz.yara
@@ -0,0 +1,10 @@
+rule hacktool_mimikatz : critical {
+ meta:
+ description = "extract Windows passwords from memory"
+ strings:
+ // extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
+ $passwords = "sekurlsa::logonpasswords" ascii wide nocase
+ $error = "ERROR kuhl" wide xor
+ condition:
+ any of them
+}
diff --git a/rules/tools/vulncheck/metasploit.yara b/rules/tools/vulncheck/metasploit.yara
new file mode 100644
index 000000000..d19db2ace
--- /dev/null
+++ b/rules/tools/vulncheck/metasploit.yara
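Review bot: merlin_c2's description `"XOR'ed shellcode from Brute Ratel"` is copied from brute_ratel_c4 and is wrong on both counts: the only string, `"main.Merlin" ascii fullword`, is a plaintext Go symbol rather than XOR'ed data, and the tool is Merlin, not Brute Ratel. Descriptions are printed verbatim in the report (see the samples mdiff in this commit), so every hit on this rule would be mislabelled as Brute Ratel; suggest `description = "Merlin C2 agent (Go symbol name)"`. A `ref` line for the upstream project, as squiblydoo and meterpreter carry, would also help an analyst triage the hit.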
@@ -0,0 +1,24 @@
+rule metasploit_payload : critical {
+ meta:
+ hash_2012_getshell_siggen = "4863d9a15f3a1ed5dd1f84cf9883eafb6bf2b483c2c6032cfbf0d3caf3cf6dd8"
+ description = "Metasploit shellcode (msfpayload)"
+ strings:
+ $msfpayload = "msfpayload"
+ $metasploit = "http://www.metasploit.com"
+ $payload = "Payload: "
+ $shh = "/shh/bin"
+ condition:
+ 2 of them
+}
+
+rule meterpreter : scritical windows {
+ meta:
+ description = "extensible payload for DLL injection and remote access"
+ ref = "https://www.offsec.com/metasploit-unleashed/about-meterpreter/"
+ author = "Florian Roth"
+ strings:
+ // extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
+ $ref = "/meterpreter/" ascii xor
+ condition:
+ any of them
+}
diff --git a/rules/tools/vulncheck/metasploit_payload.yara b/rules/tools/vulncheck/metasploit_payload.yara
deleted file mode 100644
index 8e8817ec0..000000000
--- a/rules/tools/vulncheck/metasploit_payload.yara
+++ /dev/null
@@ -1,12 +0,0 @@
-rule metasploit_payload : critical {
- meta:
- hash_2012_getshell_siggen = "4863d9a15f3a1ed5dd1f84cf9883eafb6bf2b483c2c6032cfbf0d3caf3cf6dd8"
- description = "Metasploit shellcode (msfpayload)"
- strings:
- $msfpayload = "msfpayload"
- $metasploit = "http://www.metasploit.com"
- $payload = "Payload: "
- $shh = "/shh/bin"
- condition:
- 2 of them
-}
diff --git a/samples/macOS/2023.3CX/libffmpeg.dirty.mdiff b/samples/macOS/2023.3CX/libffmpeg.dirty.mdiff
index 77aef8b4a..66ce1cd5e 100644
--- a/samples/macOS/2023.3CX/libffmpeg.dirty.mdiff
+++ b/samples/macOS/2023.3CX/libffmpeg.dirty.mdiff
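Review bot: `rule meterpreter : scritical windows` carries the tag `scritical`, a typo for `critical`; the other rules in this commit use `critical`/`suspicious`/`notable` as their risk tags, so if the report derives the level from the tag (as those names suggest) this rule falls back to whatever the default is and a meterpreter hit is under-scored. Change it to `rule meterpreter : critical windows {`. The metasploit_payload rule moved into this file from the deleted metasploit_payload.yara is byte-identical, so that half needs no further review.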
@@ -5,11 +5,11 @@ New Risk: 🚨 CRITICAL
 | RISK | KEY | DESCRIPTION |
 |-------------|----------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------|
-| +4/CRITICAL | **3P/godmoderules/iddqd/god/mode** | detects a wide array of cyber threats, from malware and ransomware to advanced persistent threats (APTs), by Florian Roth |
 | +4/CRITICAL | **3P/signature_base/3cxdesktopapp/backdoor** | detects 3CXDesktopApp MacOS Backdoor component, by X__Junior (Nextron Systems) |
 | +4/CRITICAL | **3P/signature_base/nk/3cx** | detects malicious DYLIB files related to 3CX compromise, by Florian Roth (Nextron Systems) |
 | +4/CRITICAL | **3P/signature_base/susp/xored** | detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key, by Florian Roth |
 | +4/CRITICAL | **3P/volexity/iconic** | detects the MACOS version of the ICONIC loader., by threatintel@volexity.com |
+| +4/CRITICAL | **evasion/xor/user_agent** | xOR'ed user agent, often found in backdoors, by Florian Roth: "$Mozilla_5_0" |
 | +2/MEDIUM | **exec/pipe** | launches program and reads its output |
 | +2/MEDIUM | **fs/permission/modify** | modifies file permissions |
 | +2/MEDIUM | **net/http/cookies** | able to access HTTP resources using cookies |
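Review bot: The new row renders the description as `xOR'ed user agent, ...` while the rule's meta in xor-user_agent.yara reads `XOR'ed user agent, ...`, which suggests the report generator lowercases the first character of every description and so mangles leading acronyms (XOR, AMSI, PDB and DLL all open descriptions added in this commit). This file is an expected-output fixture, so the fix belongs in pkg/report where the description is normalised — presumably only lowercasing when the second character is not also uppercase — rather than here; as committed, the sample cements the mangled text. The rest of the section only drops the now-suppressed godmode row, which matches the `dropRules` change.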