diff --git a/.yara-ci.yml b/.yara-ci.yml
new file mode 100644
index 000000000..6c63826bb
--- /dev/null
+++ b/.yara-ci.yml
@@ -0,0 +1,12 @@
+branches:
+ accept:
+ - "**"
+files:
+ accept:
+ - "**.yar"
+ - "**.yara"
+ ignore:
+ - "third_party/**"
+
+false_positives:
+ disabled: true
diff --git a/rules/admin/add_apt_key.yara b/rules/admin/add_apt_key.yara
index 4052e99e2..0c62c88b7 100644
--- a/rules/admin/add_apt_key.yara
+++ b/rules/admin/add_apt_key.yara
@@ -1,4 +1,4 @@
-rule apt_add_key : notable {
+rule apt_add_key : medium {
 meta:
 description = "Installs apt repository keys"
 strings:
diff --git a/rules/admin/dscl.yara b/rules/admin/dscl.yara
index 8ecc3e77d..49c7070a2 100644
--- a/rules/admin/dscl.yara
+++ b/rules/admin/dscl.yara
@@ -1,8 +1,9 @@
-rule dscl_caller {
+
+rule dscl_caller : medium {
 meta:
- description = "Calls dscl (Directory Service command line utility)"
- hash_2016_Calisto = "81c127c3cceaf44df10bb3ceb20ce1774f6a9ead0db4bd991abf39db828661cc"
- hash_2012_getshell_siggen = "11fb341008357bd55cee77678d9ce9609e6faae411219878d3db09cb6c125167"
+ description = "Calls dscl (Directory Service command line utility)"
+ hash_2018_Calisto = "81c127c3cceaf44df10bb3ceb20ce1774f6a9ead0db4bd991abf39db828661cc"
+ hash_2013_GetShell = "11fb341008357bd55cee77678d9ce9609e6faae411219878d3db09cb6c125167"
 strings:
 $dscl_local = /dscl +\. +-\w{1,128}/
 $dsenableroot = "dsenableroot"
diff --git a/rules/admin/logs/current_logins.yara b/rules/admin/logs/current_logins.yara
index ce59bd2e3..5d3a69a6a 100644
--- a/rules/admin/logs/current_logins.yara
+++ b/rules/admin/logs/current_logins.yara
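Review bot: `false_positives: disabled: true` in the new .yara-ci.yml switches off the CI false-positive check for every rule, in the same commit that promotes many rules to `medium`/`high` and removes exclusion strings elsewhere (for example rules/combo/backdoor/ioplatform_sketchy.yara), so those changes land without any regression signal. If this is a temporary measure while the sample corpus is rebuilt, record that in the file: `# false-positive checks disabled while the corpus is rebuilt — TODO: re-enable` (placeholder wording). Otherwise leave the check enabled; `files.ignore: third_party/**` already keeps vendored rules out of scope.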
@@ -1,13 +1,15 @@ -rule login_records : notable { - meta: - description = "accesses current logins" - strings: - $f_wtmp = "/var/log/wtmp" fullword - $f_wtmpx = "/var/log/wtmpx" fullword - // entries from include/paths.h - $not_cshell = "_PATH_CSHELL" fullword - $not_rwho = "_PATH_RWHODIR" fullword - condition: - any of ($f*) and none of ($not*) +rule login_records : medium { + meta: + description = "accesses current logins" + hash_2023_FontOnLake_45E94ABEDAD8C0044A43FF6D72A5C44C6ABD9378_elf = "f60c1214b5091e6e4e5e7db0c16bf18a062d096c6d69fe1eb3cbd4c50c3a3ed6" + hash_2023_Lightning_ad16 = "ad16989a3ebf0b416681f8db31af098e02eabd25452f8d781383547ead395237" + hash_2023_usr_adxintrin_b = "a51a4ddcd092b102af94139252c898d7c1c48f322bae181bd99499a79c12c500" + strings: + $f_wtmp = "/var/log/wtmp" fullword + $f_wtmpx = "/var/log/wtmpx" fullword + $not_cshell = "_PATH_CSHELL" fullword + $not_rwho = "_PATH_RWHODIR" fullword + condition: + any of ($f*) and none of ($not*) } diff --git a/rules/admin/logs/failed_logins.yara b/rules/admin/logs/failed_logins.yara index c9427588b..9d650c40c 100644 --- a/rules/admin/logs/failed_logins.yara +++ b/rules/admin/logs/failed_logins.yara 
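Review bot: The rewritten `login_records` keeps the `$not_cshell` and `$not_rwho` exclusions but drops the `// entries from include/paths.h` comment that explained why `_PATH_CSHELL` and `_PATH_RWHODIR` are treated as benign markers, so the exclusions now read as arbitrary. Restore the comment directly above `$not_cshell = "_PATH_CSHELL" fullword`. The same comment is dropped in the failed_logins.yara and historical_logins.yara hunks below.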
@@ -1,12 +1,14 @@ -rule failed_logins : suspicious { - meta: - description = "accesses failed logins" - strings: - $f_wtmp = "/var/log/btmp" fullword - // entries from include/paths.h - $not_cshell = "_PATH_CSHELL" fullword - $not_rwho = "_PATH_RWHODIR" fullword - condition: - any of ($f*) and none of ($not*) +rule failed_logins : high { + meta: + description = "accesses failed logins" + hash_2023_FontOnLake_1829B0E34807765F2B254EA5514D7BB587AECA3F_elf = "5e9d356cdfc85a66f8fbab29bf43e95f19489c66d2a970e33d031f267298b482" + hash_2023_FontOnLake_45E94ABEDAD8C0044A43FF6D72A5C44C6ABD9378_elf = "f60c1214b5091e6e4e5e7db0c16bf18a062d096c6d69fe1eb3cbd4c50c3a3ed6" + hash_2023_FontOnLake_8D6ACA824D1A717AE908669E356E2D4BB6F857B0_elf = "265e8236da27a35306cde4e57d73077c94c35e7a73da086273af09179f78f37a" + strings: + $f_wtmp = "/var/log/btmp" fullword + $not_cshell = "_PATH_CSHELL" fullword + $not_rwho = "_PATH_RWHODIR" fullword + condition: + any of ($f*) and none of ($not*) } diff --git a/rules/admin/logs/historical_logins.yara b/rules/admin/logs/historical_logins.yara index 0388cfd15..8ec04ed99 100644 --- a/rules/admin/logs/historical_logins.yara +++ b/rules/admin/logs/historical_logins.yara 
@@ -1,15 +1,16 @@ -rule login_records : suspicious { - meta: - description = "accesses historical login records" - strings: - $f_lastlog = "/var/log/lastlog" fullword - $f_utmp = "/var/log/utmp" fullword - $f_utmpx = "/var/log/utmpx" fullword - // entries from include/paths.h - $not_cshell = "_PATH_CSHELL" fullword - $not_rwho = "_PATH_RWHODIR" fullword - condition: - any of ($f*) and none of ($not*) +rule login_records : high { + meta: + description = "accesses historical login records" + hash_2023_FontOnLake_45E94ABEDAD8C0044A43FF6D72A5C44C6ABD9378_elf = "f60c1214b5091e6e4e5e7db0c16bf18a062d096c6d69fe1eb3cbd4c50c3a3ed6" + hash_2023_Lightning_ad16 = "ad16989a3ebf0b416681f8db31af098e02eabd25452f8d781383547ead395237" + hash_2023_usr_adxintrin_b = "a51a4ddcd092b102af94139252c898d7c1c48f322bae181bd99499a79c12c500" + strings: + $f_lastlog = "/var/log/lastlog" fullword + $f_utmp = "/var/log/utmp" fullword + $f_utmpx = "/var/log/utmpx" fullword + $not_cshell = "_PATH_CSHELL" fullword + $not_rwho = "_PATH_RWHODIR" fullword + condition: + any of ($f*) and none of ($not*) } - diff --git a/rules/admin/logs/install.yara b/rules/admin/logs/install.yara index c8f0c19eb..8f7b3c855 100644 --- a/rules/admin/logs/install.yara +++ b/rules/admin/logs/install.yara @@ -1,4 +1,4 @@ -rule var_log_install : suspicious { +rule var_log_install : high { meta: description = "accesses software installation logs" strings: diff --git a/rules/admin/logs/syslog.yara b/rules/admin/logs/syslog.yara index dfbb14a29..b4c18d112 100644 --- a/rules/admin/logs/syslog.yara +++ b/rules/admin/logs/syslog.yara 
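Review bot: After this change rules/admin/logs/historical_logins.yara and rules/admin/logs/current_logins.yara both define a rule named `login_records`; if these files are compiled into a single YARA namespace the second definition is rejected as a duplicated identifier, and even where they are compiled separately, hits from the two rules cannot be told apart by name. The commit touches both rule headers but leaves the clash in place; `rule historical_login_records : high {` would resolve it without changing the strings. A `description` line already distinguishes them, so the rename is the only missing piece.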
@@ -1,10 +1,13 @@ -rule var_log_syslog : suspicious { - meta: - description = "accesses system logs" - strings: - $ref = "/var/log/messages" fullword - $ref2 = "/var/log/syslog" fullword - condition: - any of them -} +rule var_log_syslog : high { + meta: + description = "accesses system logs" + hash_2023_init_d_abrt_oops = "192b763638d0be61c4ba45e08f86df22318ab741297d6841d1009cca9bddad30" + hash_2023_usr_adxintrin_b = "a51a4ddcd092b102af94139252c898d7c1c48f322bae181bd99499a79c12c500" + hash_2023_Unix_Downloader_Rocke_228e = "228ec858509a928b21e88d582cb5cfaabc03f72d30f2179ef6fb232b6abdce97" + strings: + $ref = "/var/log/messages" fullword + $ref2 = "/var/log/syslog" fullword + condition: + any of them +} diff --git a/rules/admin/package-install.yara b/rules/admin/package-install.yara index 4f478f2b6..c98e41816 100644 --- a/rules/admin/package-install.yara +++ b/rules/admin/package-install.yara 
@@ -1,64 +1,77 @@ -rule yum_installer : notable { + +rule yum_installer : medium { meta: - description = "install software with yum" + description = "install software with yum" + hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b" + hash_2023_Qubitstrike_branch_raw_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd" + hash_2023_Qubitstrike_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd" strings: $val = /yum install[ \w\-\_%]{0,32}/ condition: - $val + $val } -rule dnf_installer : notable { +rule dnf_installer : medium { meta: - description = "install software with dnf" + description = "install software with dnf" strings: $val = /dnf install[ \w\-\_%]{0,32}/ condition: - $val + $val } -rule rpm_installer : notable { +rule rpm_installer : medium { meta: - description = "install software with rpm" + description = "install software with rpm" + hash_2023_Unix_Coinminer_Xanthe_7ea1 = "7ea112aadebb46399a05b2f7cc258fea02f55cf2ae5257b331031448f15beb8f" strings: $val = /rpm -i[ \w\-\_%]{0,32}/ condition: - $val + $val } -rule apt_installer : notable { +rule apt_installer : medium { meta: - description = "install software with apt" + description = "install software with apt" + hash_2023_Unix_Downloader_Rocke_6107 = "61075056b46d001e2e08f7e5de3fb9bfa2aabf8fb948c41c62666fd4fab1040f" strings: $val = /apt install[ \w\-\_%]{0,32}/ condition: - $val + $val } -rule apt_get_installer : notable { +rule apt_get_installer : medium { meta: - description = "install software with apt-get" + description = "install software with apt-get" + hash_2019_lib_restclient = "c9b67d3d9ef722facd1abce98bd7d80cec1cc1bb3e3a52c54bba91f19b5a6620" + hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b" + hash_2023_Downloads_9929 = "99296550ab836f29ab7b45f18f1a1cb17a102bb81cad83561f615f3a707887d7" strings: $val = /apt-get install[ \w\-\_%]{0,32}/ - - $foo = "install foo" + $foo = 
"install foo" condition: - $val and not $foo + $val and not $foo } -rule apk_installer : notable { +rule apk_installer : medium { meta: - description = "install software with APK" + description = "install software with APK" + hash_2023_Qubitstrike_branch_raw_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd" + hash_2023_Qubitstrike_branch_raw_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd" strings: $val = /apk add[ \w\-\_%]{0,32}/ condition: - $val + $val } -rule pip_installer_regex : notable { +rule pip_installer_regex : medium { meta: - description = "Includes 'pip install' command for installing Python modules" + description = "Includes 'pip install' command for installing Python modules" + hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74" + hash_2023_Downloads_Brawl_Earth = "fe3ac61c701945f833f218c98b18dca704e83df2cf1a8994603d929f25d1cce2" + hash_2022_2022_requests_3_0_0_README = "150fd62db4024e240040be44b32d7ce98df80ab86dfd564a173cd231f2254abc" strings: $regex = /pip[3 \'\"]{0,5}install[ \'\"\w\-\_%]{0,32}/ condition: - any of them + any of them } diff --git a/rules/admin/pip_install.yara b/rules/admin/pip_install.yara index 9859387b3..6312314e9 100644 --- a/rules/admin/pip_install.yara +++ b/rules/admin/pip_install.yara @@ -1,6 +1,8 @@ -rule pip_installer : suspicious { + +rule pip_installer : high { meta: - description = "Installs software using pip from python" + description = "Installs software using pip from python" + hash_2022_2022_requests_3_0_0_setup = "15507092967fbd28ccb833d98c2ee49da09e7c79fd41759cd6f783672fe1c5cc" strings: $pip_install = "os.system('pip install" $pip_install_spaces = "'pip', 'install'" @@ -9,6 +11,5 @@ rule pip_installer : suspicious { $pip3_install_spaces = "'pip3', 'install'" $pip3_install_args = "'pip3','install'" condition: - any of them + any of them } - 
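Review bot: In `apk_installer` the line `hash_2023_Qubitstrike_branch_raw_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd"` is added twice, and `yum_installer` records that same hash under both `hash_2023_Qubitstrike_branch_raw_mi` and `hash_2023_Qubitstrike_mi`; YARA tolerates repeated meta keys, but the duplicates add no sample coverage and suggest the list was generated without de-duplication. Drop the second `apk_installer` line and keep one meta key per distinct hash. The same pattern appears in the shutdown.yara hunk (three keys for one hash) and the wolfssl.yara hunk (two keys for one hash). Separately, `$foo = "install foo"` in `apt_get_installer` is an undocumented exclusion and deserves a one-line comment stating what it is meant to suppress.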
diff --git a/rules/admin/set-default-application.yara b/rules/admin/set-default-application.yara index 6d8f2f854..0690cf891 100644 --- a/rules/admin/set-default-application.yara +++ b/rules/admin/set-default-application.yara @@ -1,6 +1,5 @@ + rule macos_setApp { - meta: - hash_2016_MacOS_Mac_File_Opener = "ae00bcacc5947754b018b043d3fa746caca850fe0715d5ea47ba94df58171690" strings: $setApp = "setApp:for" $sda = "setting default application" diff --git a/rules/admin/shutdown.yara b/rules/admin/shutdown.yara index 1dcf212c9..ddb108d2d 100644 --- a/rules/admin/shutdown.yara +++ b/rules/admin/shutdown.yara @@ -1,10 +1,13 @@ -rule shutdown_val : notable { +rule shutdown_val : medium { meta: - description = "calls shutdown command" + description = "calls shutdown command" + hash_2023_init_d_netfs = "d8e9068316cfb0573fd86b4dbb60abb250ccf1bc9fbdc84b88b6452b01cbd8fa" + hash_2023_rc0_d_K75netfs = "d8e9068316cfb0573fd86b4dbb60abb250ccf1bc9fbdc84b88b6452b01cbd8fa" + hash_2023_rc1_d_K75netfs = "d8e9068316cfb0573fd86b4dbb60abb250ccf1bc9fbdc84b88b6452b01cbd8fa" strings: - $ref = /shutdown -[\w ]{0,16}/ - $ref2 = "shutdown now" + $ref = /shutdown -[\w ]{0,16}/ + $ref2 = "shutdown now" condition: - any of them + any of them } diff --git a/rules/admin/sudoers-edit.yara b/rules/admin/sudoers-edit.yara index fa67a842d..3de3ffd33 100644 --- a/rules/admin/sudoers-edit.yara +++ b/rules/admin/sudoers-edit.yara 
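Review bot: `macos_setApp` loses its entire `meta:` block and is left as the only rule touched by this commit with neither a severity tag nor a `description`, while every sibling rule here gains `: medium` or `: high`. Even if the `hash_2016_MacOS_Mac_File_Opener` reference was dropped because the sample is no longer in the corpus, the rule should keep a `meta:` section, e.g. `description = "sets itself as the default application for a file type"` (wording inferred from `$setApp` and `$sda`; confirm), plus a severity tag consistent with the rest of rules/admin.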
@@ -1,14 +1,14 @@ -rule sudo_editor : suspicious { +rule sudo_editor : high { meta: - description = "references /etc/sudoers" - hash_2020_FinSpy_helper2 = "af4ad3b8bf81a877a47ded430ac27fdcb3ddd33d3ace52395f76cbdde46dbfe0" - hash_2017_AptorDoc_Dok_AppStore = "4131d4737fe8dfe66d407bfd0a0df18a4a77b89347471cc012da8efc93c661a5" + description = "references /etc/sudoers" + hash_2017_MacOS_AppStore = "4131d4737fe8dfe66d407bfd0a0df18a4a77b89347471cc012da8efc93c661a5" + hash_2018_org_logind_ctp_archive_helper2 = "af4ad3b8bf81a877a47ded430ac27fdcb3ddd33d3ace52395f76cbdde46dbfe0" strings: $etc_sudoers = "/etc/sudoers" $nopasswd = "NOPASSWD:" - $not_sample = "sudoers man page" - $not_vim = "VIMRUNTIME" + $not_sample = "sudoers man page" + $not_vim = "VIMRUNTIME" condition: filesize < 5242880 and ($etc_sudoers or $nopasswd) and none of ($not*) } diff --git a/rules/admin/system-configuration.yara b/rules/admin/system-configuration.yara index f93cf830a..e762611cb 100644 --- a/rules/admin/system-configuration.yara +++ b/rules/admin/system-configuration.yara @@ -1,6 +1,7 @@ -rule systemsetup_no_sleep : notable { + +rule systemsetup_no_sleep : medium { meta: - hash_2016_Calisto = "81c127c3cceaf44df10bb3ceb20ce1774f6a9ead0db4bd991abf39db828661cc" + hash_2018_Calisto = "81c127c3cceaf44df10bb3ceb20ce1774f6a9ead0db4bd991abf39db828661cc" strings: $no_sleep = "systemsetup -setcomputersleep Never" condition: diff --git a/rules/admin/system_directories.yara b/rules/admin/system_directories.yara index a44b21f25..2237c1d47 100644 --- a/rules/admin/system_directories.yara +++ b/rules/admin/system_directories.yara 
@@ -1,20 +1,13 @@ -rule system_fs_manipulator : notable { +rule system_fs_manipulator : medium { meta: - description = "Modifies files within system directories" - hash_2023_QubitStrike_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd" - hash_2021_Tsunami_Kaiten = "305901aa920493695729132cfd20cbddc9db2cf861071450a646c6a07b4a50f3" - hash_2021_gjif_tsunami_Gafygt = "e2125d9ce884c0fb3674bd12308ed1c10651dc4ff917b5e393d7c56d7b809b87" - hash_2023_OrBit_f161 = "f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8" - hash_2023_init_d_acpid = "b0cd9065704d205ea7087a0b2d4d6461305a2d12b03b8d2827e8e05e2013244d" - hash_2023_init_d_auditd = "2617841f93faf85ba6d414bb79cce52fa69327d0546b10c9c1d99d8b7aee9db1" - hash_2023_init_d_autofs = "3e006eafd6fe2af4d115a270fef161e3c9d470dd07205d08180edd13abafa88f" - hash_2023_init_d_haldaemon = "cbf2a35e563d218d46153a50ab08545f033a14e1777f69e4edabea649710e05b" + description = "Modifies files within system directories" + hash_2023_Linux_Malware_Samples_3059 = "305901aa920493695729132cfd20cbddc9db2cf861071450a646c6a07b4a50f3" + hash_2023_Linux_Malware_Samples_e212 = "e2125d9ce884c0fb3674bd12308ed1c10651dc4ff917b5e393d7c56d7b809b87" + hash_2023_Qubitstrike_branch_raw_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd" strings: $in_usr = /(mv|chattr|rm|touch) \/(bin|root|sbin|usr|var|lib|lib64|boot)\/[ \.\w\/]{0,64}/ - - $not_mdm = "/var/db/MDM_EnableManagedApps" + $not_mdm = "/var/db/MDM_EnableManagedApps" condition: - $in_usr and none of ($not*) + $in_usr and none of ($not*) } - diff --git a/rules/archives/tar-command.yara b/rules/archives/tar-command.yara index 672a39228..6a8666dc6 100644 --- a/rules/archives/tar-command.yara +++ b/rules/archives/tar-command.yara 
@@ -1,7 +1,10 @@ -rule executable_calls_archive_tool : suspicious { +rule executable_calls_archive_tool : high { meta: - description = "command shells out to tar" + description = "command shells out to tar" + hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad" + hash_2023_Downloads_589d = "589dbb3f678511825c310447b6aece312a4471394b3bc40dde6c75623fc108c0" + hash_2023_Downloads_9929 = "99296550ab836f29ab7b45f18f1a1cb17a102bb81cad83561f615f3a707887d7" strings: $a_tar_c = "tar -c" $a_tar_rX = "tar -r -X" @@ -9,4 +12,4 @@ rule executable_calls_archive_tool : suspicious { $hash_bang = "#!" condition: any of ($a*) and not $hash_bang in (0..2) -} \ No newline at end of file +} diff --git a/rules/archives/unarchive.yara b/rules/archives/unarchive.yara index cef58bd1f..548754723 100644 --- a/rules/archives/unarchive.yara +++ b/rules/archives/unarchive.yara @@ -1,10 +1,13 @@ -rule unarchive : notable { - meta: - description = "unarchives files" - strings: - $ref = /unarchive[\w \@\%]{0,32}/ - $ref2 = /Unarchive[\w \@\%]{0,32}/ - condition: - any of them -} \ No newline at end of file +rule unarchive : medium { + meta: + description = "unarchives files" + hash_2024_Downloads_0f66 = "0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c" + hash_2023_Linux_Malware_Samples_2f85 = "2f85ca8f89dfb014b03afb11e5d2198a8adbae1da0fd76c81c67a81a80bf1965" + hash_2023_Linux_Malware_Samples_5c03 = "5c03ff30ccffc9d36c342510c7469682d3c411654ec52b0930d37a6c6aab9f72" + strings: + $ref = /unarchive[\w \@\%]{0,32}/ + $ref2 = /Unarchive[\w \@\%]{0,32}/ + condition: + any of them +} diff --git a/rules/archives/zip-command.yara b/rules/archives/zip-command.yara index e7979af1b..e6a0a2207 100644 --- a/rules/archives/zip-command.yara +++ b/rules/archives/zip-command.yara 
@@ -1,7 +1,10 @@ -rule executable_calls_zip { +rule executable_calls_zip : medium { meta: - description = "command shells out to zip" + description = "command shells out to zip" + hash_2021_CDDS_UserAgent_v2019 = "9b71fad3280cf36501fe110e022845b29c1fb1343d5250769eada7c36bc45f70" + hash_2021_CDDS_UserAgent_v2021 = "d599d7814adbab0f1442f5a10074e00f3a776ce183ea924abcd6154f0d068bb4" + hash_2021_CDDS_client = "623f99cbe20af8b79cbfea7f485d47d3462d927153d24cac4745d7043c15619a" strings: $a_zip_x = "zip -X" $a_zip_r = "zip -r" @@ -9,4 +12,4 @@ rule executable_calls_zip { $not_applet = "zip -r ../applet.zip" condition: any of ($a*) and not $hash_bang in (0..2) and none of ($not*) -} \ No newline at end of file +} diff --git a/rules/archives/zip.yara b/rules/archives/zip.yara index 4686f87ad..18f92a9ba 100644 --- a/rules/archives/zip.yara +++ b/rules/archives/zip.yara @@ -1,13 +1,16 @@ -rule zip : notable { - meta: - description = "Works with zip files" - strings: - $ref = "ZIP64" fullword - $ref2 = "archive/zip" - $ref3 = "zip_writer" fullword - $ref4 = "ZIP archive" fullword - $ref5 = "zip files" fullword - // note: "zip file" has a false positive with Go binaries - condition: - any of them + +rule zip : medium { + meta: + description = "Works with zip files" + hash_2024_Downloads_7c63 = "7c636f1c9e4d9032d66a58f263b3006788047488e00fc26997b915e9d1f174bf" + hash_2023_Downloads_Brawl_Earth = "fe3ac61c701945f833f218c98b18dca704e83df2cf1a8994603d929f25d1cce2" + hash_2023_Downloads_e6b6 = "e6b6cf40d605fc7a5e8ba168a8a5d8699b0879e965d2b803e29b87926cba861f" + strings: + $ref = "ZIP64" fullword + $ref2 = "archive/zip" + $ref3 = "zip_writer" fullword + $ref4 = "ZIP archive" fullword + $ref5 = "zip files" fullword + condition: + any of them } diff --git a/rules/builtin/kernel_module.yara b/rules/builtin/kernel_module.yara index 7678b0ed2..856a53230 100644 --- a/rules/builtin/kernel_module.yara +++ b/rules/builtin/kernel_module.yara 
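Review bot: The rewrite of `zip` in rules/archives/zip.yara drops the comment `// note: "zip file" has a false positive with Go binaries`, which was the only record of why the obvious singular string is absent while `$ref5 = "zip files" fullword` is present; without it a future edit is likely to reintroduce the false positive. Restore the comment above `condition:`. The new hash lines are fine to keep alongside it.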
@@ -1,4 +1,4 @@ -rule kmod : suspicious { +rule kmod : high { meta: description = "includes Linux kernel module source code" strings: diff --git a/rules/builtin/openssl.yara b/rules/builtin/openssl.yara index dd00864df..6ff8c1c80 100644 --- a/rules/builtin/openssl.yara +++ b/rules/builtin/openssl.yara 
@@ -1,26 +1,23 @@ -rule openssl : notable { - meta: - description = "This binary includes OpenSSL source code" - strings: - $ref = "OpenSSL/" - condition: - any of them + +rule openssl : medium { + meta: + description = "This binary includes OpenSSL source code" + hash_2023_Linux_Malware_Samples_00ae = "00ae07c9fe63b080181b8a6d59c6b3b6f9913938858829e5a42ab90fb72edf7a" + hash_2023_Linux_Malware_Samples_04b5 = "04b5e29283c60fcc255f8d2f289238430a10624e457f12f1bc866454110830a2" + hash_2023_Linux_Malware_Samples_0ad6 = "0ad6c635d583de499148b1ec46d8b39ae2785303e8b81996d3e9e47934644e73" + strings: + $ref = "OpenSSL/" + condition: + any of them } -rule elf_with_bundled_openssl : suspicious { +rule elf_with_bundled_openssl : high { meta: - hash_2017_RiskTool_PUA_uselvj623 = "bcf92e1a88f9418739ce5b23acce1618232de1333a5143c7418271f1cb5e7626" - hash_2021_miner_gijuf = "24ee0e3d65b0593198fbe973a58ca54402b0879d71912f44f4b831003a5c7819" - hash_2021_miner_udtwc = "9a7e8ed9621c08964bd20eb8a95fbe9853e12ebc613c37f53774b17a2cbe9100" - hash_2021_miner_nyoan = "9f059b341ac4e2e00ab33130fea5da4b1390f980d3db607384d87e736f30273e" - hash_2021_miner_vsdhx = "caa114893cf5cb213b39591bbcb72f66ee4519be07269968e714a8d3f24c3382" - hash_2021_miner_fdxme = "d1a95861c6b9836c0c3d8868019054931d1339ae896ad11575e99d91a358696d" - hash_2020_trojan_SAgnt_vnqci_sshd = "df3b41b28d5e7679cddb68f92ec98bce090af0b24484b4636d7d84f579658c52" + hash_2023_Unix_Malware_Bruteforce_4020 = "4020b018fcebf76672af2824636e7948131b313f723adef6cf41ad06bd2c6a6f" + hash_2023_Linux_Malware_Samples_24ee = "24ee0e3d65b0593198fbe973a58ca54402b0879d71912f44f4b831003a5c7819" hash_2023_Linux_Malware_Samples_2f85 = "2f85ca8f89dfb014b03afb11e5d2198a8adbae1da0fd76c81c67a81a80bf1965" strings: $aes_part = "AES part of OpenSSL" condition: uint32(0) == 1179403647 and $aes_part } - - diff --git a/rules/builtin/rsaeuro.yara b/rules/builtin/rsaeuro.yara index 41662de33..7bfd813cc 100644 --- a/rules/builtin/rsaeuro.yara 
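Review bot: `uint32(0) == 1179403647` in `elf_with_bundled_openssl` is an undocumented magic number; it is the little-endian reading of the ELF header bytes `\x7fELF`, and YARA accepts hex literals, so `uint32(0) == 0x464C457F // ELF magic ("\x7fELF", little-endian)` states the intent directly. Also, the `openssl` rule's `description = "This binary includes OpenSSL source code"` is hard to reconcile with `$ref = "OpenSSL/"`, which looks more like the prefix of a linked-library version banner than source; "statically links or embeds OpenSSL" would be a more defensible description (inferred from the string, confirm against samples).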
+++ b/rules/builtin/rsaeuro.yara @@ -1,4 +1,5 @@ -rule rsaeuro_user : notable { + +rule rsaeuro_user : medium { meta: hash_2017_Dockster = "8da09fec9262d8bbeb07c4e403d1da88c04393c8fc5db408e1a3a3d86dddc552" strings: diff --git a/rules/builtin/wolfssl.yara b/rules/builtin/wolfssl.yara index a8cf4cdea..311e6f583 100644 --- a/rules/builtin/wolfssl.yara +++ b/rules/builtin/wolfssl.yara @@ -1,12 +1,13 @@ -rule wolfssl : notable { - meta: - description = "This binary includes WolfSSL" - strings: - $ref = "WolfSSL" - $ref2 = "WOLFSSL_" - condition: - any of them -} - - +rule wolfssl : medium { + meta: + description = "This binary includes WolfSSL" + hash_2024_Downloads_a031 = "a031da66c6f6cd07343d5bc99cc283528a5b7f04f97b2c33c2226a388411ec61" + hash_2020_Dacls_SubMenu = "846d8647d27a0d729df40b13a644f3bffdc95f6d0e600f2195c85628d59f1dc6" + hash_2020_Base_lproj_SubMenu = "846d8647d27a0d729df40b13a644f3bffdc95f6d0e600f2195c85628d59f1dc6" + strings: + $ref = "WolfSSL" + $ref2 = "WOLFSSL_" + condition: + any of them +} diff --git a/rules/cloud/google-docs.yara b/rules/cloud/google-docs.yara index 5e90706f4..12675d04c 100644 --- a/rules/cloud/google-docs.yara +++ b/rules/cloud/google-docs.yara @@ -1,4 +1,4 @@ -rule google_docs_user : suspicious { +rule google_docs_user : high { strings: $writely = "www.google.com/accounts/ServiceLogin?service=writely" $guploader = "x-guploader-client-info: mechanism=scotty" diff --git a/rules/combo/backdoor/browser_extension.yara b/rules/combo/backdoor/browser_extension.yara index 2a64eefa5..f019c21ce 100644 --- a/rules/combo/backdoor/browser_extension.yara +++ b/rules/combo/backdoor/browser_extension.yara 
@@ -1,25 +1,21 @@ -rule chrome_extension_abuser : suspicious { + +rule chrome_extension_abuser : high { meta: - hash_2014_CoinThief = "7f32fdcaefee42f93590f9490ab735ac9dfeb22a951ff06d721145baf563d53b" + hash_2017_CoinThief = "7f32fdcaefee42f93590f9490ab735ac9dfeb22a951ff06d721145baf563d53b" strings: $s_all_urls = "" $s_from_webstore = "from_webstore" $s_scriptable_host = "scriptable_host" - - $not_chromium = "chromium.googlesource.com" + $not_chromium = "chromium.googlesource.com" condition: 2 of ($s*) and none of ($not*) } -rule browser_extension_installer : suspicious { - meta: - hash_2017_GoPhoto = "a4d8367dc2df3a8539b9baf8ee48d09f5a8e9f9d2d58431909de0bb0816464a0" - hash_2016_Calisto = "81c127c3cceaf44df10bb3ceb20ce1774f6a9ead0db4bd991abf39db828661cc" +rule browser_extension_installer : high { strings: $a_loadExtensionFlag = "--load-extension" $a_chrome = "Chrome" - - $not_chromium = "CHROMIUM_TIMESTAMP" - condition: + $not_chromium = "CHROMIUM_TIMESTAMP" + condition: all of ($a*) and none of ($not*) -} \ No newline at end of file +} diff --git a/rules/combo/backdoor/crypto_geoip_exec.yara b/rules/combo/backdoor/crypto_geoip_exec.yara index 13b5d32fd..1208f810c 100644 --- a/rules/combo/backdoor/crypto_geoip_exec.yara +++ b/rules/combo/backdoor/crypto_geoip_exec.yara 
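Review bot: `$s_all_urls = ""` in `chrome_extension_abuser` is shown here as an empty string literal, which YARA refuses to compile; this is most likely an artifact of the page rendering stripping an angle-bracketed token (the Chrome permission `<all_urls>` would fit the string name), but the actual file content should be confirmed since the rule is now tagged `high`. Separately, `browser_extension_installer` loses its whole `meta:` block, leaving the rule with no description or sample reference; keep at least `description = "loads a browser extension via --load-extension"` (wording inferred from `$a_loadExtensionFlag`).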
@@ -1,18 +1,17 @@ -rule geoip_crypto_exec : notable { + +rule geoip_crypto_exec : medium { meta: - description = "crypto, geolocation, and program execution" - hash_hash_2015_trojan_Eleanor_conn = "5c16f53276cc4ef281e82febeda254d5a80cd2a0d5d2cd400a3e9f4fc06e28ad" + description = "crypto, geolocation, and program execution" + hash_2015_sync_conn = "5c16f53276cc4ef281e82febeda254d5a80cd2a0d5d2cd400a3e9f4fc06e28ad" strings: $geoip = "geoip" $crypto = "crypto" - $exec = "execve" - $execvp = "execvp" - $exec_go = "os/exec" - + $execvp = "execvp" + $exec_go = "os/exec" $not_unsupported = "not supported in this build" - $not_http_server = "http/server" - $not_geojson = "geojson" + $not_http_server = "http/server" + $not_geojson = "geojson" condition: $geoip and $crypto and any of ($exec*) and none of ($not*) } diff --git a/rules/combo/backdoor/crypto_listen_socks.yara b/rules/combo/backdoor/crypto_listen_socks.yara index 77a6f2b65..1c933a75f 100644 --- a/rules/combo/backdoor/crypto_listen_socks.yara +++ b/rules/combo/backdoor/crypto_listen_socks.yara 
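Review bot: The new side removes `$exec = "execve"` while the condition still reads `$geoip and $crypto and any of ($exec*) and none of ($not*)`, so the rule now matches only on `execvp` or Go's `os/exec`; a native binary that calls `execve` directly no longer fires. If that is a deliberate false-positive trade-off it should be recorded in the rule, e.g. `// execve intentionally omitted — too common in benign binaries` (placeholder reasoning, confirm); otherwise restore the string.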
@@ -1,22 +1,9 @@ -rule socks_crypto_listener : notable { + +rule socks_crypto_listener : medium { meta: - hash_2020_OSX_CoinMiner_xbppt = "a2909754783bb5c4fd6955bcebc356e9d6eda94f298ed3e66c7e13511275fbc4" - hash_2023_CoinMiner_lauth = "fe3700a52e86e250a9f38b7a5a48397196e7832fd848a7da3cc02fe52f49cdcf" - hash_hash_2015_trojan_Eleanor_conn = "5c16f53276cc4ef281e82febeda254d5a80cd2a0d5d2cd400a3e9f4fc06e28ad" - hash_2015_data_storage = "329f79d9b21b186550ece1b5fbdc6adb2947fd83e3a02e662bd9ed27aa206074" - hash_2021_miner_gkqjh = "00ae07c9fe63b080181b8a6d59c6b3b6f9913938858829e5a42ab90fb72edf7a" - hash_2021_miner_malxmr = "04b5e29283c60fcc255f8d2f289238430a10624e457f12f1bc866454110830a2" - hash_2021_CoinMiner_TB_Camelot = "0ad6c635d583de499148b1ec46d8b39ae2785303e8b81996d3e9e47934644e73" - hash_2021_miner_KB_Elvuz = "0b1c49ec2d53c4af21a51a34d9aa91e76195ceb442480468685418ba8ece1ba6" - hash_2021_miner_malxmr_sbepq = "0d7960a39b92dad88986deea6e5861bd00fb301e92d550c232aebb36ed010e46" - hash_2021_miner_xxlgo = "20e4c4893ed1faa9a50b0a4ba5fa0062d5178b635222849eeafa53e8c5c0d8c8" - hash_2021_miner_gijuf = "24ee0e3d65b0593198fbe973a58ca54402b0879d71912f44f4b831003a5c7819" - hash_2021_miner_egipp = "47a4ca5b1b6a2c0c7914b342f668b860041ec826d2ac85825389dba363797431" - hash_2021_miner_nyoan = "9f059b341ac4e2e00ab33130fea5da4b1390f980d3db607384d87e736f30273e" - hash_2021_miner_vsdhx = "caa114893cf5cb213b39591bbcb72f66ee4519be07269968e714a8d3f24c3382" - hash_2021_miner_fdxme = "d1a95861c6b9836c0c3d8868019054931d1339ae896ad11575e99d91a358696d" - hash_2020_trojan_SAgnt_vnqci_sshd = "df3b41b28d5e7679cddb68f92ec98bce090af0b24484b4636d7d84f579658c52" - hash_2021_CoinMiner_Camelot = "fadc69995b9f837837595d73be8dce1bbccf0b709d0d8bb2cadf1c90b46763cf" + hash_2023_Linux_Malware_Samples_00ae = "00ae07c9fe63b080181b8a6d59c6b3b6f9913938858829e5a42ab90fb72edf7a" + hash_2023_Linux_Malware_Samples_04b5 = "04b5e29283c60fcc255f8d2f289238430a10624e457f12f1bc866454110830a2" + 
hash_2023_Linux_Malware_Samples_0ad6 = "0ad6c635d583de499148b1ec46d8b39ae2785303e8b81996d3e9e47934644e73" strings: $s_socks = "SOCKS" fullword $s_SOCKS5 = "SOCKS5" fullword @@ -30,7 +17,7 @@ rule socks_crypto_listener : notable { $not_nc = "usage: nc" $not_kitty = "KITTY_KITTEN_RUN_MODULE" $not_logger = "log.(*Logger)" - $not_js = "function(" + $not_js = "function(" condition: filesize < 26214400 and any of ($s*) and all of ($f*) and none of ($not*) } diff --git a/rules/combo/backdoor/daemon.yara b/rules/combo/backdoor/daemon.yara index eea20499d..e73b968fd 100644 --- a/rules/combo/backdoor/daemon.yara +++ b/rules/combo/backdoor/daemon.yara @@ -1,9 +1,11 @@ -rule sudo_nohup : suspicious { + +rule sudo_nohup : high { meta: - description = "calls nohup sudo" + description = "calls nohup sudo" + hash_2023_Merlin_48a7 = "48a70bd18a23fce3208195f4ad2e92fce78d37eeaa672f83af782656a4b2d07f" strings: - $nohup_sudo = /nohup sudo[ \.\/\w]{0,32}/ - $sudo_nohup = /sudo nohup[ \.\/\w]{0,32}/ + $nohup_sudo = /nohup sudo[ \.\/\w]{0,32}/ + $sudo_nohup = /sudo nohup[ \.\/\w]{0,32}/ condition: - any of them + any of them } diff --git a/rules/combo/backdoor/dbg_exec_post.yara b/rules/combo/backdoor/dbg_exec_post.yara index c952ca91f..a0e0b4c69 100644 --- a/rules/combo/backdoor/dbg_exec_post.yara +++ b/rules/combo/backdoor/dbg_exec_post.yara 
@@ -1,13 +1,9 @@
-rule debug_program_with_suspicious_refs : suspicious {
+
+rule debug_program_with_high_refs : high {
 meta:
- hash_2023_KandyKorn_kandykorn = "927b3564c1cf884d2a05e1d7bd24362ce8563a1e9b85be776190ab7f8af192f6"
- hash_2023_amos_stealer_e = "589dbb3f678511825c310447b6aece312a4471394b3bc40dde6c75623fc108c0"
 hash_2023_Downloads_Chrome_Update = "eed1859b90b8832281786b74dc428a01dbf226ad24b182d09650c6e7895007ea"
- hash_2019_B_CrashReporter = "e352d6ea4da596abfdf51f617584611fc9321d5a6d1c22aff243aecdef8e7e55"
 hash_2019_C_unioncryptoupdater = "631ac269925bb72b5ad8f469062309541e1edfec5610a21eecded75a35e65680"
- hash_2022_CloudMensis_WindowServer = "317ce26cae14dc9a5e4d4667f00fee771b4543e91c944580bbb136e7fe339427"
- hash_2022_CloudMensis_WindowServer_2 = "b8a61adccefb13b7058e47edcd10a127c483403cf38f7ece126954e95e86f2bd"
- hash_2023_CoinMiner_com_adobe_acc_installer = "b1fff5d501e552b535639aedaf4e5c7709b8405a9f063afcff3d6bbccffec725"
+ hash_2023_CoinMiner_lauth = "fe3700a52e86e250a9f38b7a5a48397196e7832fd848a7da3cc02fe52f49cdcf"
 strings:
 $task_allow = "com.apple.security.get-task-allow"
 $r_libcurl = "libcurl"
diff --git a/rules/combo/backdoor/dlsym_pthread_exec.yara b/rules/combo/backdoor/dlsym_pthread_exec.yara
index 542f6bc4f..3592fa84b 100644
--- a/rules/combo/backdoor/dlsym_pthread_exec.yara
+++ b/rules/combo/backdoor/dlsym_pthread_exec.yara
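Review bot: The rule identifier changes from `debug_program_with_suspicious_refs` to `debug_program_with_high_refs`, which looks like the severity word replacement (`suspicious` → `high`) reaching into the rule name; "high refs" no longer describes what the rule matches, and renaming a rule silently breaks anything that refers to it by name (allowlists, triage notes, reports). Keep the name and change only the tag: `rule debug_program_with_suspicious_refs : high {`. The rule body continues past the end of the hunk.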
@@ -1,11 +1,12 @@ -rule dlsym_pthread_exec: suspicious { - meta: - description = "Resolves library, creates threads, calls programs" - strings: - $dlsym = "dlsym" fullword - $openpty = "pthread_create" fullword - $system = "execl" fullword - condition: - all of them in (1200..3000) +rule dlsym_pthread_exec : high { + meta: + description = "Resolves library, creates threads, calls programs" + hash_2024_Downloads_8cad = "8cad755bcf420135c0f406fb92138dcb0c1602bf72c15ed725bd3b76062dafe5" + strings: + $dlsym = "dlsym" fullword + $openpty = "pthread_create" fullword + $system = "execl" fullword + condition: + all of them in (1200..3000) } diff --git a/rules/combo/backdoor/exec_resolve_tmp.yara b/rules/combo/backdoor/exec_resolve_tmp.yara index f65b01554..401030529 100644 --- a/rules/combo/backdoor/exec_resolve_tmp.yara +++ b/rules/combo/backdoor/exec_resolve_tmp.yara @@ -1,12 +1,13 @@ rule fexecve_gethostbyname_realpath_tmp : critical { - meta: - description = "Runs programs, resolves hosts and paths, uses /tmp" - strings: - $f1 = "fexecve" fullword - $f2 = "gethostbyname" fullword - $f3 = "realpath" fullword - $tmp = "/tmp/" - condition: - $tmp and all of ($f*) in (1200..3000) + meta: + description = "Runs programs, resolves hosts and paths, uses /tmp" + hash_2024_Downloads_59f9 = "59f959b1e69f988171152f99eb636f9b360712234457072f78c1c08d41e1460e" + strings: + $f1 = "fexecve" fullword + $f2 = "gethostbyname" fullword + $f3 = "realpath" fullword + $tmp = "/tmp/" + condition: + $tmp and all of ($f*) in (1200..3000) } diff --git a/rules/combo/backdoor/ioplatform_sketchy.yara b/rules/combo/backdoor/ioplatform_sketchy.yara index d6b684cc1..5a9d971b5 100644 --- a/rules/combo/backdoor/ioplatform_sketchy.yara +++ b/rules/combo/backdoor/ioplatform_sketchy.yara 
@@ -1,12 +1,8 @@
-rule ioplatform_expert_with_sketchy_calls {
+
+rule ioplatform_expert_with_sketchy_calls : high {
 meta:
- hash_2020_Gravity_Spy_Enigma = "6b2ff7ae79caf306c381a55409c6b969c04b20c8fda25e6d590e0dadfcf452de"
- hash_2022_DazzleSpy_agent_softwareupdate = "f9ad42a9bd9ade188e997845cae1b0587bf496a35c3bffacd20fefe07860a348"
- hash_2021_MacMa_qmfus = "cf5edcff4053e29cb236d3ed1fe06ca93ae6f64f26e25117d68ee130b9bc60c8"
- hash_2016_Calisto = "81c127c3cceaf44df10bb3ceb20ce1774f6a9ead0db4bd991abf39db828661cc"
- hash_2012_FileCoder = "c9c7c7f1afa1d0760f63d895b8c9d5ab49821b2e4fe596b0c5ae94c308009e89"
- hash_2022_Gimmick_CorelDRAW = "2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f"
- hash_2021_CDDS_client = "623f99cbe20af8b79cbfea7f485d47d3462d927153d24cac4745d7043c15619a"
+ hash_2022_DazzleSpy_softwareupdate = "f9ad42a9bd9ade188e997845cae1b0587bf496a35c3bffacd20fefe07860a348"
+ hash_2017_FileCoder = "c9c7c7f1afa1d0760f63d895b8c9d5ab49821b2e4fe596b0c5ae94c308009e89"
 strings:
 $ioplatform = "IOPlatformExpertDevice" fullword
 $o_ioreg = "ioreg -"
@@ -26,18 +22,6 @@ rule ioplatform_expert_with_sketchy_calls {
 $o_launch = "rm -rf"
 $o_decrypting = "Decrypting"
 $o_encrypting = "Encrypting"
- $not_electron = "ELECTRON_RUN_AS_NODE"
- $not_crashpad = "crashpad_info"
- $not_osquery = "OSQUERY_WORKER"
- $not_kandji = "com.kandji.profile.mdmprofile"
- $not_private = "/System/Library/PrivateFrameworks/"
- $not_kolide = "KOLIDE_LAUNCHER_OPTION"
- $not_chromium = "RasterCHROMIUM"
- $not_c1_msal = "MSALAuthScheme"
- $not_license = "LicensePrice"
- $not_licensed = "licensed"
- $not_arc = "WelcomeToArc"
 condition:
- (filesize < 157286400 and $ioplatform and 3 of ($o_*)) and none of ($not*)
+ filesize < 104857600 and $ioplatform and 4 of ($o_*)
 }
-
diff --git a/rules/combo/backdoor/iptables.yara b/rules/combo/backdoor/iptables.yara
index 8514378e2..cdb2ed30f 100644
--- a/rules/combo/backdoor/iptables.yara
+++ b/rules/combo/backdoor/iptables.yara
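Review bot: The condition hunk deletes all eleven `$not_*` exclusions (Electron, crashpad, osquery, Kandji, PrivateFrameworks, Kolide, Chromium, MSAL, licensing strings, Arc) and relies on raising the threshold from `3 of ($o_*)` to `4 of ($o_*)` and lowering the size cap from 150 MiB to 100 MiB, while the first hunk simultaneously promotes the rule to `high`. Nothing in the diff shows that four generic strings such as `rm -rf`, `Decrypting` and `Encrypting` alongside `IOPlatformExpertDevice` still stay clear of those known-benign binaries, and the same commit disables CI false-positive checking in .yara-ci.yml, so a regression would go unnoticed. Consider keeping the exclusions with the new threshold, `filesize < 104857600 and $ioplatform and 4 of ($o_*) and none of ($not*)`, or record in `meta:` what evidence justified removing them.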
@@ -1,34 +1,40 @@
-rule iptables_upload_http : notable {
- meta:
- description = "uploads, uses iptables and HTTP"
- strings:
- $ref1 = /upload[a-zA-Z]{0,16}/
- $ref2 = "HTTP" fullword
- $ref3 = /iptables[ \-a-z]{0,16}/
- condition:
- all of them
+rule iptables_upload_http : medium {
+ meta:
+ description = "uploads, uses iptables and HTTP"
+ hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad"
+ hash_2024_Downloads_8907 = "89073097e72070cc7cc73c178447b70e07b603ccecfe406fe92fe9eafaae830f"
+ strings:
+ $ref1 = /upload[a-zA-Z]{0,16}/
+ $ref2 = "HTTP" fullword
+ $ref3 = /iptables[ \-a-z]{0,16}/
+ condition:
+ all of them
 }
-
-rule iptables_ssh : notable {
- meta:
- description = "Supports iptables and ssh"
- strings:
- $ref3 = /iptables[ \-a-z]{0,16}/
- $ssh = "ssh" fullword
- condition:
- all of them
+rule iptables_ssh : medium {
+ meta:
+ description = "Supports iptables and ssh"
+ hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b"
+ hash_2024_Downloads_e100 = "e100be934f676c64528b5e8a609c3fb5122b2db43b9aee3b2cf30052799a82da"
+ hash_2023_Linux_Malware_Samples_1f94 = "1f94aa7ad1803a08dab3442046c9d96fc3d19d62189f541b07ed732e0d62bf05"
+ strings:
+ $ref3 = /iptables[ \-a-z]{0,16}/
+ $ssh = "ssh" fullword
+ condition:
+ all of them
 }
-
-rule iptables_gdns_http : notable {
- meta:
- description = "Uses iptables, Google Public DNS, and HTTP"
- strings:
- $ref1 = /iptables[ \-a-z]{0,16}/ fullword
- $ref2 = "8.8.8.8" fullword
- $ref3 = "HTTP" fullword
- condition:
- all of them
-}
\ No newline at end of file
+rule iptables_gdns_http : medium {
+ meta:
+ description = "Uses iptables, Google Public DNS, and HTTP"
+ hash_2024_Downloads_8907 = "89073097e72070cc7cc73c178447b70e07b603ccecfe406fe92fe9eafaae830f"
+ hash_2023_Linux_Malware_Samples_0638 = "063830221431f8136766f2d740df6419c8cd2f73b10e07fa30067df506592210"
+ hash_2023_Linux_Malware_Samples_1f94 = "1f94aa7ad1803a08dab3442046c9d96fc3d19d62189f541b07ed732e0d62bf05"
+ strings:
+ $ref1 = /iptables[ \-a-z]{0,16}/ fullword
+ $ref2 = "8.8.8.8" fullword
+ $ref3 = "HTTP" fullword
+ condition:
+ all of them
+}
diff --git a/rules/combo/backdoor/kill_rm.yara b/rules/combo/backdoor/kill_rm.yara
index 9691dfba0..ad935a956 100644
--- a/rules/combo/backdoor/kill_rm.yara
+++ b/rules/combo/backdoor/kill_rm.yara
@@ -1,16 +1,9 @@
-rule kill_and_remove : notable {
+
+rule kill_and_remove : medium {
 meta:
- hash_2021_malxmr = "99296550ab836f29ab7b45f18f1a1cb17a102bb81cad83561f615f3a707887d7"
- hash_2020_trojan_webshell_quwmldl_rfxn = "f1375cf097b3f28247762147f8ee3755e0ce26e24fbf8a785fe4e5b42c1fed05"
- hash_2022_CloudMensis_mdworker3 = "273633eee4776aef40904124ed1722a0793e6567f3009cdb037ed0a9d79c1b0b"
- hash_2011_bin_fxagent = "737bb6fe9a7ad5adcd22c8c9e140166544fa0c573fe5034dfccc0dc237555c83"
- hash_2017_AptorDoc_Dok_AppStore = "4131d4737fe8dfe66d407bfd0a0df18a4a77b89347471cc012da8efc93c661a5"
- hash_2021_trojan_Gafgyt_DDoS = "1f94aa7ad1803a08dab3442046c9d96fc3d19d62189f541b07ed732e0d62bf05"
- hash_2021_Tsunami_Kaiten = "305901aa920493695729132cfd20cbddc9db2cf861071450a646c6a07b4a50f3"
- hash_2021_trojan_Gafgyt_5E = "31e87fa24f5d3648f8db7caca8dfb15b815add4dfc0fabe5db81d131882b4d38"
- hash_2021_Tsunami_gjirtfg = "553ac527d6a02a84c787fd529ea59ce1eb301ddfb180d89b9e62108d92894185"
- hash_2021_Tsunami_Kaiten_ujrzc = "7a60c84fb34b2b3cd7eed3ecd6e4a0414f92136af656ed7d4460b8694f2357a7"
- hash_2021_gjif_tsunami_Gafygt = "e2125d9ce884c0fb3674bd12308ed1c10651dc4ff917b5e393d7c56d7b809b87"
+ hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b"
+ hash_2023_Downloads_9929 = "99296550ab836f29ab7b45f18f1a1cb17a102bb81cad83561f615f3a707887d7"
+ hash_2024_Downloads_a031 = "a031da66c6f6cd07343d5bc99cc283528a5b7f04f97b2c33c2226a388411ec61"
 strings:
 $rm_f = "rm -f"
 $rm_Rf = "rm -Rf"
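Review bot: None of the three rules in the iptables hunk bounds `filesize`, while this commit adds explicit bounds elsewhere (`filesize < 67108864` in `ssh_socks5_exec` and `multiple_sys_commands`); `iptables_ssh` in particular is `all of them` over `/iptables[ \-a-z]{0,16}/` and `"ssh" fullword`, which firewall-management tools and large shipped archives will satisfy at `medium`. Consider `filesize < 67108864 and all of them` in all three conditions for consistency with the sibling rules. `$ref3` in `iptables_upload_http`, `$ref3` in `iptables_ssh` and `$ref1` in `iptables_gdns_http` are the same regex under three names; a shared identifier such as `$iptables` would make the overlap visible.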
diff --git a/rules/combo/backdoor/net_exec.yara b/rules/combo/backdoor/net_exec.yara
index 0f6c2d8e3..dee450581 100644
--- a/rules/combo/backdoor/net_exec.yara
+++ b/rules/combo/backdoor/net_exec.yara
@@ -1,4 +1,5 @@
-rule macos_kitchen_sink_binary {
+
+rule macos_kitchen_sink_binary : medium {
 meta:
 hash_2023_KandyKorn_kandykorn = "927b3564c1cf884d2a05e1d7bd24362ce8563a1e9b85be776190ab7f8af192f6"
 strings:
@@ -14,37 +15,38 @@ rule macos_kitchen_sink_binary {
 $f_getpid = "getpid"
 $f_unlink = "unlink"
 $f_chmod = "chmod"
-
- $not_osquery = "OSQUERY"
+ $not_osquery = "OSQUERY"
 condition:
- 90% of ($f*) and none of ($not*)
+ filesize < 20971520 and 90% of ($f*) and none of ($not*)
 }
-rule ssh_socks5_exec : notable {
- meta:
- description = "supports SOCKS5, SSH, and executing programs"
- strings:
- $socks5 = "Socks5"
- $ssh = "crypto/ssh"
- $exec = "os/exec.Command"
- condition:
- filesize < 64MB and all of them
+rule ssh_socks5_exec : medium {
+ meta:
+ description = "supports SOCKS5, SSH, and executing programs"
+ hash_2024_Downloads_e100 = "e100be934f676c64528b5e8a609c3fb5122b2db43b9aee3b2cf30052799a82da"
+ hash_2020_IPStorm_IPStorm_unpacked = "522a5015d4d11833ead6d88d4405c0f4119ff29b1f64b226c464e958f03e1434"
+ hash_2023_UPX_5a5960ccd31bba5d47d46599e4f10e455b74f45dad6bc291ae448cef8d1b0a59_elf_x86_64 = "56ca5d07fa2e8004a008222a999a97a6c27054b510e8dd6bd22048b084079e37"
+ strings:
+ $socks5 = "Socks5"
+ $ssh = "crypto/ssh"
+ $exec = "os/exec.Command"
+ condition:
+ filesize < 67108864 and all of them
 }
-
-rule progname_socket_waitpid : suspicious {
- meta:
- description = "sets process name, accesses internet, calls programs"
- strings:
- $dlsym = "__progname" fullword
- $openpty = "socket" fullword
- $system = "waitpid" fullword
- condition:
- all of them in (1200..3000)
+rule progname_socket_waitpid : high {
+ meta:
+ description = "sets process name, accesses internet, calls programs"
+ hash_2024_Downloads_8cad = "8cad755bcf420135c0f406fb92138dcb0c1602bf72c15ed725bd3b76062dafe5"
+ strings:
+ $dlsym = "__progname" fullword
+ $openpty = "socket" fullword
+ $system = "waitpid" fullword
+ condition:
+ all of them in (1200..3000)
 }
-
-rule POST_command_executer : suspicious {
+rule POST_command_executer : high {
 meta:
 hash_2023_ObjCShellz_ProcessRequest = "8bfa4fe0534c0062393b6a2597c3491f7df3bf2eabfe06544c53bdf1f38db6d4"
 hash_2023_ObjCShellz_ProcessRequest_2 = "b8c751694945bff749b6a0cd71e465747402cfd25b18dc233c336e417b3e1525"
@@ -55,9 +57,9 @@ rule POST_command_executer : suspicious {
 all of them
 }
-rule exec_getprog_socket_waitpid_combo {
+rule exec_getprog_socket_waitpid_combo : high {
 meta:
- hash_DoubleFantasy_mdworker = "502a80f81cf39f6c559ab138a39dd4ad5fca697dbca4a62b36527be9e55400f5"
+ hash_2021_DoubleFantasy_mdworker = "502a80f81cf39f6c559ab138a39dd4ad5fca697dbca4a62b36527be9e55400f5"
 strings:
 $execle = "_execl"
 $execve = "_execve"
@@ -70,11 +72,14 @@ rule exec_getprog_socket_waitpid_combo {
 $f_waitpid = "_waitpid"
 $f_rand = "_random"
 condition:
- 8 of ($f*) and 1 of ($exec*)
+ filesize < 262144000 and 8 of ($f*) and 1 of ($exec*)
 }
-
-rule exec_chdir_and_socket : notable {
+rule exec_chdir_and_socket : medium {
+ meta:
+ hash_2023_Downloads_21b3 = "21b3e304db526e2c80df1f2da2f69ab130bdad053cb6df1e05eb487a86a19b7c"
+ hash_2023_Downloads_4305 = "4305c04df40d3ac7966289cc0a81cedbdd4eee2f92324b26fe26f57f57265bca"
+ hash_2023_Downloads_78eb = "78eb647f3d2aae5c52fcdc46ac1b27fb5a388ad39abbe614c0cfc902d223ccd6"
 strings:
 $socket = "socket" fullword
 $chdir = "chdir" fullword
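Review bot: The new meta key `hash_2023_UPX_5a5960ccd31bba5d47d46599e4f10e455b74f45dad6bc291ae448cef8d1b0a59_elf_x86_64` in `ssh_socks5_exec` embeds one SHA-256 in its name and a different one (`56ca5d07…`) as its value, so a reader cannot tell which is the packed and which the unpacked artefact; the same pattern appears in `ssh_backdoor` in the ssh hunk (`hash_2023_UPX_0c25a05b…`). Presumably the name is the UPX-packed file and the value the unpacked one — if so, say it, e.g. `hash_2023_UPX_unpacked_56ca = "56ca5d07…"` with a comment naming the packed digest. In the `@@ -70,11 +72,14 @@` hunk `exec_chdir_and_socket` gains a `meta:` block with three hashes but no `description`, unlike every other rule touched in this file; from its visible strings something like `description = "changes directory, opens sockets, runs programs"` would fit, and its strings continue outside the hunk. `filesize < 262144000` (250 MiB) in `exec_getprog_socket_waitpid_combo` is also far above the 20–64 MiB bounds its neighbours use — worth a comment if intentional.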
@@ -85,18 +90,20 @@ rule exec_chdir_and_socket : notable {
 filesize < 52428800 and (uint32(0) == 1179403647 or uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962) and $chdir and $socket and 1 of ($exec*) and none of ($not*)
 }
-rule listens_and_executes : notable {
- meta:
- description = "Listens, provides a terminal, runs program"
- strings:
- $f_socket = "socket" fullword
- $f_execl = "execl" fullword
- $f_inet_addr = "inet_addr" fullword
- $f_listen = "listen" fullword
-
- $not_setlocale = "setlocale" fullword
- $not_ptrace = "ptrace" fullword
- $not_usage = "Usage:"
- condition:
- all of ($f*) and none of ($not*)
+rule listens_and_executes : medium {
+ meta:
+ description = "Listens, provides a terminal, runs program"
+ hash_2024_Downloads_8cad = "8cad755bcf420135c0f406fb92138dcb0c1602bf72c15ed725bd3b76062dafe5"
+ hash_2023_Linux_Malware_Samples_0afd = "0afd9f52ddada582d5f907e0a8620cbdbe74ea31cf775987a5675226c1b228c2"
+ hash_2023_Linux_Malware_Samples_3668 = "3668b167f5c9083a9738cfc4bd863a07379a5b02ee14f48a10fb1240f3e421a6"
+ strings:
+ $f_socket = "socket" fullword
+ $f_execl = "execl" fullword
+ $f_inet_addr = "inet_addr" fullword
+ $f_listen = "listen" fullword
+ $not_setlocale = "setlocale" fullword
+ $not_ptrace = "ptrace" fullword
+ $not_usage = "Usage:"
+ condition:
+ all of ($f*) and none of ($not*)
 }
diff --git a/rules/combo/backdoor/net_pidlist.yara b/rules/combo/backdoor/net_pidlist.yara
index a8a70703c..70eda8a3c 100644
--- a/rules/combo/backdoor/net_pidlist.yara
+++ b/rules/combo/backdoor/net_pidlist.yara
@@ -1,4 +1,5 @@
-rule proc_listpids_and_curl : suspicious macos {
+
+rule proc_listpids_and_curl : high macos {
 meta:
 hash_2023_KandyKorn_kandykorn = "927b3564c1cf884d2a05e1d7bd24362ce8563a1e9b85be776190ab7f8af192f6"
 strings:
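Review bot: `listens_and_executes` keeps `description = "Listens, provides a terminal, runs program"`, but none of its strings refers to a terminal — `$f_socket`, `$f_execl`, `$f_inet_addr` and `$f_listen` are generic libc imports — so the description overstates what the rule detects; `bpfdoor_alike` in the net_term hunk uses the same sentence, and there `grantpt` and `/dev/ptmx` actually justify it. Suggest `description = "listens on a socket and runs programs"`. With `all of ($f*) and none of ($not*)` and no `filesize` bound, the only broad guard is `$not_usage = "Usage:"`, which is weaker than the size bounds added to neighbouring rules in this commit.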
diff --git a/rules/combo/backdoor/net_shell.yara b/rules/combo/backdoor/net_shell.yara
index af70a5be9..8e03f237d 100644
--- a/rules/combo/backdoor/net_shell.yara
+++ b/rules/combo/backdoor/net_shell.yara
@@ -1,4 +1,5 @@
-rule netcat_exec_backdoor : suspicious {
+
+rule netcat_exec_backdoor : high {
 meta:
 ref = "https://cert.gov.ua/article/6123309"
 hash_2023_uacert_nc = "dd8a8a9dde32a14a7222a28e878d13c4f0bccd5eb54d0575fa6332d001226715"
@@ -9,17 +10,8 @@ rule netcat_exec_backdoor : suspicious {
 }
 rule generic_perl_socket_exec {
- meta:
- hash_2017_Perl_FruitFly_A = "205f5052dc900fc4010392a96574aed5638acf51b7ec792033998e4043efdf6c"
- hash_1980_FruitFly_A_9968 = "9968407d4851c2033090163ac1d5870965232bebcfe5f87274f1d6a509706a14"
- hash_2017_Perl_FruitFly_afpscan = "bbbf73741078d1e74ab7281189b13f13b50308cf03d3df34bc9f6a90065a4a55"
- hash_2017_Perl_FruitFly_quimitchin = "ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044"
- hash_2017_trojan_Perl_AFL = "cee71a5425a4cd7c0ca2fc6763d59f94dd11192b78cd696adc56c553174d5727"
- hash_2017_Perl_FruitFly_spaud = "befa9bfe488244c64db096522b4fad73fc01ea8c4cd0323f1cbdee81ba008271"
- hash_2023_uacert_socket = "912dc3aee7d5c397225f77e3ddbe3f0f4cf080de53ccdb09c537749148c1cc08"
- hash_2023_Win_Trojan_Perl_9aed = "9aed7ab8806a90aa9fac070fbf788466c6da3d87deba92a25ac4dd1d63ce4c44"
 strings:
- $perl = "perl"
+ $perl = "perl"
 $socket_inet = "IO::Socket::INET"
 $socket = "use Socket"
 $and_exec = "exec"
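Review bot: After the `@@ -9,17 +10,8 @@` hunk, `generic_perl_socket_exec` has no `meta:` block at all — the eight hash entries were its only metadata and no `description` replaces them — whereas the other rules in this commit keep at least a description. Suggest adding `meta:` with `description = "Perl script that opens a socket and executes commands"` and, if any of the removed FruitFly samples still match, one hash with the family in the key. `$perl = "perl"` without `fullword` also matches inside ordinary words such as `properly`, though `any of ($socket*)` keeps the condition Perl-specific. The rule body continues outside the hunk.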
@@ -28,14 +20,14 @@ rule generic_perl_socket_exec {
 $not_nuclei = "NUCLEI_TEMPLATES"
 $not_kitten = "KITTY_KITTEN_RUN_MODULE"
 condition:
- filesize < 1MB and $perl and any of ($socket*) and any of ($and_*) and none of ($not_*)
+ filesize < 1048576 and $perl and any of ($socket*) and any of ($and_*) and none of ($not_*)
 }
-rule ipinfo_and_bash : suspicious {
+rule ipinfo_and_bash : high {
 meta:
- hash_2022_CloudMensis_WindowServer_2 = "b8a61adccefb13b7058e47edcd10a127c483403cf38f7ece126954e95e86f2bd"
- hash_2022_CloudMensis_WindowServer = "317ce26cae14dc9a5e4d4667f00fee771b4543e91c944580bbb136e7fe339427"
 hash_2023_Unix_Coinminer_Xanthe_7ea1 = "7ea112aadebb46399a05b2f7cc258fea02f55cf2ae5257b331031448f15beb8f"
+ hash_2022_CloudMensis_WindowServer = "317ce26cae14dc9a5e4d4667f00fee771b4543e91c944580bbb136e7fe339427"
+ hash_2022_CloudMensis_WindowServer_2 = "b8a61adccefb13b7058e47edcd10a127c483403cf38f7ece126954e95e86f2bd"
 strings:
 $ipinfo = "ipinfo.io"
 $bash = "/bin/bash"
@@ -43,51 +35,48 @@ rule ipinfo_and_bash : suspicious {
 all of them
 }
-
-rule readdir_inet_system : suspicious {
- meta:
- description = "Lists directories, resolves IPs, calls shells"
- strings:
- $dlsym = "readdir" fullword
- $openpty = "inet_addr" fullword
- $system = "system" fullword
- condition:
- all of them in (1200..3000)
+rule readdir_inet_system : high {
+ meta:
+ description = "Lists directories, resolves IPs, calls shells"
+ hash_2023_Lightning_48f9 = "48f9471c20316b295704e6f8feb2196dd619799edec5835734fc24051f45c5b7"
+ hash_2023_Unix_Trojan_Mirai_2f98 = "2f987c374944a01717b1905f2bc063a3b577a1d9933a5225717332aa6e43eb90"
+ hash_2023_Unix_Trojan_Mirai_c493 = "c493b42168323e2087025845c91274dabaefa70be951eac08746d4b7e900d627"
+ strings:
+ $dlsym = "readdir" fullword
+ $openpty = "inet_addr" fullword
+ $system = "system" fullword
+ condition:
+ all of them in (1200..3000)
 }
-
-rule pcap_shell_exec : suspicious {
+rule pcap_shell_exec : high {
 meta:
- description = "sniffs network traffic, executes shell"
+ description = "sniffs network traffic, executes shell"
+ hash_2023_BPFDoor_dc83 = "dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a"
 strings:
 $libpcap = "libpcap"
- $shell = "shell" fullword
- $sh = "/bin/sh"
- $sh_bash = "/bin/bash"
-
+ $sh = "/bin/sh"
+ $sh_bash = "/bin/bash"
 $y_exec = "exec" fullword
 $y_execve = "execve" fullword
 $y_execvp = "execvp" fullword
- $y_system = "system"
-
- $not_airportd = "airportd"
+ $y_system = "system"
+ $not_airportd = "airportd"
 condition:
- $libpcap and any of ($sh*) and any of ($y*) and none of ($not*)
+ $libpcap and any of ($sh*) and any of ($y*) and none of ($not*)
 }
 rule go_pty_daemonize_net : critical {
- meta:
- description = "daemonizes and exposes a terminal to the internet"
- strings:
- $d1 = "go-daemon" fullword
- $d2 = "xdaemon" fullword
-
- $pty = "creack/pty" fullword
- $ptsname = "ptsname" fullword
-
- $net = "net.socket" fullword
- $nsocks = "go-socks5"
- condition:
- any of ($d*) and any of ($p*) and any of ($n*)
+ meta:
+ description = "daemonizes and exposes a terminal to the internet"
+ strings:
+ $d1 = "go-daemon" fullword
+ $d2 = "xdaemon" fullword
+ $pty = "creack/pty" fullword
+ $ptsname = "ptsname" fullword
+ $net = "net.socket" fullword
+ $nsocks = "go-socks5"
+ condition:
+ any of ($d*) and any of ($p*) and any of ($n*)
 }
diff --git a/rules/combo/backdoor/net_term.yara b/rules/combo/backdoor/net_term.yara
index f28bc2367..9b955df17 100644
--- a/rules/combo/backdoor/net_term.yara
+++ b/rules/combo/backdoor/net_term.yara
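Review bot: In `pcap_shell_exec`, `$y_system = "system"` is the only `$y*` string without `fullword`; as a bare substring it matches `filesystem`, `subsystem` and similar, so `any of ($y*)` is satisfied by nearly any binary and the condition effectively reduces to `$libpcap and any of ($sh*)`. Suggest `$y_system = "system" fullword` to match the sibling `$y_exec*` strings. The hunk also drops `$shell = "shell" fullword`, which belonged to the `$sh*` group, so the rule is silently narrower than before — worth a line in the commit message or a comment if deliberate.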
@@ -1,37 +1,33 @@
-rule readdir_openpty_socket : suspicious {
- meta:
- description = "Lists directories, opens pseudoterminals, resolves IPs"
- strings:
- $dlsym = "readdir" fullword
- $openpty = "openpty" fullword
- $system = "inet_addr" fullword
- condition:
- all of them in (1200..3000)
+rule readdir_openpty_socket : high {
+ meta:
+ description = "Lists directories, opens pseudoterminals, resolves IPs"
+ hash_2024_Downloads_8cad = "8cad755bcf420135c0f406fb92138dcb0c1602bf72c15ed725bd3b76062dafe5"
+ strings:
+ $dlsym = "readdir" fullword
+ $openpty = "openpty" fullword
+ $system = "inet_addr" fullword
+ condition:
+ all of them in (1200..3000)
 }
-rule pseudoterminal_tunnel : suspicious {
- meta:
- description = "pseudoterminal and tunnel support"
- strings:
- $pty = "creack/pty" fullword
- $ptsname = "ptsname" fullword
-
- $t = /[\w]{0,16}tunnel[\w]{0,16}/ fullword
- $t2 = /[\w]{0,16}TUNNEL[\w]{0,16}/ fullword
-
- $not_qemu = "QEMU_IS_ALIGNED"
- // random wordlist, found in clickhouse and chezmoi
- $not_unbounded = "UNBOUNDED"
- // https://github.com/aws-samples/aws-iot-securetunneling-localproxy data
- $not_iot = "iotsecuredtunnel"
- condition:
- any of ($p*) and any of ($t*) and none of ($not*)
+rule pseudoterminal_tunnel : high {
+ meta:
+ description = "pseudoterminal and tunnel support"
+ hash_2023_OK_ad69 = "ad69e198905a8d4a4e5c31ca8a3298a0a5d761740a5392d2abb5d6d2e966822f"
+ strings:
+ $pty = "creack/pty" fullword
+ $ptsname = "ptsname" fullword
+ $t = /[\w]{0,16}tunnel[\w]{0,16}/ fullword
+ $t2 = /[\w]{0,16}TUNNEL[\w]{0,16}/ fullword
+ $not_qemu = "QEMU_IS_ALIGNED"
+ $not_unbounded = "UNBOUNDED"
+ $not_iot = "iotsecuredtunnel"
+ condition:
+ any of ($p*) and any of ($t*) and none of ($not*)
 }
-rule tty_shell : suspicious {
- meta:
- hash_2023_trojan_seaspy_barracuda = "3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115"
+rule tty_shell : high {
 strings:
 $s_tty_shell = "tty shell" nocase
 $s_SSLshell = /SSL *Shell/ nocase
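Review bot: The two `//` comments in `pseudoterminal_tunnel` that explained the exclusions (`// random wordlist, found in clickhouse and chezmoi` above `$not_unbounded`, and the aws-iot-securetunneling-localproxy reference above `$not_iot`) are dropped along with the blank lines; the same happens to `// malware doesn't generally care about these files` in the critical_paths hunk. Those comments are the only record of why `UNBOUNDED` or `iotsecuredtunnel` suppress a `high` hit — please keep them on the new side. `tty_shell` also loses its only meta entry (`hash_2023_trojan_seaspy_barracuda`) and now has no `meta:` block; a `description` at minimum would keep it in line with the rest of the commit. `tty_shell` continues outside the hunk.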
@@ -41,7 +37,7 @@ rule tty_shell : suspicious {
 filesize < 26214400 and any of ($s*) and none of ($not*)
 }
-rule python_pty_spawner : suspicious {
+rule python_pty_spawner : high {
 meta:
 ref1 = "https://juggernaut-sec.com/docker-breakout-lpe/"
 ref2 = "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally"
@@ -51,45 +47,43 @@ rule python_pty_spawner : suspicious {
 any of them
 }
-
-rule spectralblur_alike : suspicious {
- meta:
- description = "uploads, provides a terminal, runs program"
- strings:
- $upload = "upload"
- $shell = "shell"
- $tcsetattr = "tcsetattr"
- $execve = "execve"
- $waitpid = "_waitpid"
- $unlink = "_unlink"
- $uname = "_uname"
- condition:
- all of them
+rule spectralblur_alike : high {
+ meta:
+ description = "uploads, provides a terminal, runs program"
+ hash_2024_SpectralBlur_macshare = "6f3e849ee0fe7a6453bd0408f0537fa894b17fc55bc9d1729ae035596f5c9220"
+ strings:
+ $upload = "upload"
+ $shell = "shell"
+ $tcsetattr = "tcsetattr"
+ $execve = "execve"
+ $waitpid = "_waitpid"
+ $unlink = "_unlink"
+ $uname = "_uname"
+ condition:
+ all of them
 }
-rule miner_kvryr_stak_alike : suspicious {
- meta:
- description = "uploads, provides a terminal, runs program"
- strings:
- $upload = "upload"
- $shell = "shell"
- $tcsetattr = "tcsetattr"
- $execve = "execve"
- $numa = "NUMA"
- condition:
- filesize < 64MB and all of them
+rule miner_kvryr_stak_alike : high {
+ meta:
+ description = "uploads, provides a terminal, runs program"
+ hash_2023_Linux_Malware_Samples_1b1a = "1b1a56aec5b02355b90f911cdd27a35d099690fcbeb0e0622eaea831d64014d3"
+ hash_2023_Linux_Malware_Samples_240f = "240fe01d9fcce5aae311e906b8311a1975f8c1431b83618f3d11aeaff10aede3"
+ hash_2023_Linux_Malware_Samples_39c3 = "39c33c261899f2cb91f686aa6da234175237cd72cfcd9291a6e51cbdc86d4def"
+ strings:
+ $upload = "upload"
+ $shell = "shell"
+ $tcsetattr = "tcsetattr"
+ $execve = "execve"
+ $numa = "NUMA"
+ condition:
+ filesize < 67108864 and all of them
 }
-rule proxy_http_aes_terminal_combo : notable {
+rule proxy_http_aes_terminal_combo : medium {
 meta:
- hash_2020_OSX_CoinMiner_xbppt = "a2909754783bb5c4fd6955bcebc356e9d6eda94f298ed3e66c7e13511275fbc4"
- hash_2023_CoinMiner_lauth = "fe3700a52e86e250a9f38b7a5a48397196e7832fd848a7da3cc02fe52f49cdcf"
- hash_2021_CoinMiner_TB_Camelot = "0ad6c635d583de499148b1ec46d8b39ae2785303e8b81996d3e9e47934644e73"
- hash_2021_ANDR_miner_eomap = "329255e33f43e6e9ae5d5efd6f5c5745c35a30d42fb5099beb51a6e40fe9bd76"
- hash_2021_miner_nyoan = "9f059b341ac4e2e00ab33130fea5da4b1390f980d3db607384d87e736f30273e"
- hash_2021_miner_vsdhx = "caa114893cf5cb213b39591bbcb72f66ee4519be07269968e714a8d3f24c3382"
- hash_2021_miner_fdxme = "d1a95861c6b9836c0c3d8868019054931d1339ae896ad11575e99d91a358696d"
- hash_2020_trojan_SAgnt_vnqci_sshd = "df3b41b28d5e7679cddb68f92ec98bce090af0b24484b4636d7d84f579658c52"
+ hash_2023_Linux_Malware_Samples_00ae = "00ae07c9fe63b080181b8a6d59c6b3b6f9913938858829e5a42ab90fb72edf7a"
+ hash_2023_Linux_Malware_Samples_0ad6 = "0ad6c635d583de499148b1ec46d8b39ae2785303e8b81996d3e9e47934644e73"
+ hash_2023_Linux_Malware_Samples_19f7 = "19f76bf2be3ea11732f2c5c562afbd6f363b062c25fba3a143c3c6ef4712774b"
 strings:
 $isatty = "isatty"
 $socks_proxy = "socks proxy"
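Review bot: `miner_kvryr_stak_alike` keeps `description = "uploads, provides a terminal, runs program"`, the identical sentence used by `spectralblur_alike` directly above it, although the rule's distinguishing string is `$numa = "NUMA"` and its name says miner; the description should say what separates it, e.g. `description = "miner-like: uploads, provides a terminal, runs program, NUMA-aware"`. In `proxy_http_aes_terminal_combo` the relabelling turns `hash_2021_CoinMiner_TB_Camelot` into `hash_2023_Linux_Malware_Samples_0ad6` for the same value, so the CoinMiner attribution is lost; keep the family in the key where it is known. That rule's strings continue outside the hunk.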
@@ -102,27 +96,31 @@ rule proxy_http_aes_terminal_combo : notable {
 filesize < 26214400 and 85% of them
 }
-rule bpfdoor_alike : suspicious {
- meta:
- description = "Listens, provides a terminal, runs program"
- strings:
- $f_listen = "listen" fullword
- $f_grantpt = "grantpt" fullword
- $f_execve = "execve" fullword
- $f_ptmx = "/dev/ptmx"
- $not_sql_db = "sql.DB"
- $not_libc = "getusershell"
- condition:
- all of ($f*) and none of ($not*)
+rule bpfdoor_alike : high {
+ meta:
+ description = "Listens, provides a terminal, runs program"
+ hash_2023_BPFDoor_07ec = "07ecb1f2d9ffbd20a46cd36cd06b022db3cc8e45b1ecab62cd11f9ca7a26ab6d"
+ hash_2023_BPFDoor_3743 = "3743821d55513c52a9f06d3f6603afd167105a871e410c35a3b94e34c51089e6"
+ hash_2023_BPFDoor_8b9d = "8b9db0bc9152628bdacc32dab01590211bee9f27d58e0f66f6a1e26aea7552a6"
+ strings:
+ $f_listen = "listen" fullword
+ $f_grantpt = "grantpt" fullword
+ $f_execve = "execve" fullword
+ $f_ptmx = "/dev/ptmx"
+ $not_sql_db = "sql.DB"
+ $not_libc = "getusershell"
+ condition:
+ all of ($f*) and none of ($not*)
 }
-rule dlsym_openpty_system : suspicious {
- meta:
- description = "Resolves library, opens terminal, calls shell"
- strings:
- $dlsym = "dlsym" fullword
- $openpty = "openpty" fullword
- $system = "system"
- condition:
- all of them in (1200..3000)
+rule dlsym_openpty_system : high {
+ meta:
+ description = "Resolves library, opens terminal, calls shell"
+ hash_2024_Downloads_8cad = "8cad755bcf420135c0f406fb92138dcb0c1602bf72c15ed725bd3b76062dafe5"
+ strings:
+ $dlsym = "dlsym" fullword
+ $openpty = "openpty" fullword
+ $system = "system"
+ condition:
+ all of them in (1200..3000)
 }
diff --git a/rules/combo/backdoor/nodejs.yara b/rules/combo/backdoor/nodejs.yara
index add13ee3c..876a55884 100644
--- a/rules/combo/backdoor/nodejs.yara
+++ b/rules/combo/backdoor/nodejs.yara
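Review bot: `dlsym_openpty_system` keeps `$system = "system"` without `fullword` while `$dlsym` and `$openpty` have it; the `in (1200..3000)` range limits the exposure, but `system` still matches as a substring of other symbol names inside that window. If the unanchored form is deliberate, a short comment saying why would prevent a later "fix"; otherwise `$system = "system" fullword` would match the sibling rules (`readdir_inet_system` in the net_shell hunk uses the fullword form for the same string).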
@@ -1,9 +1,10 @@
+
 rule timeout_eval : critical {
- meta:
- description = "evaluate code dynamically using eval() after timeout"
- strings:
- $ref = /setTimeout\(.{0,64}eval\([\w\(\,\)\;\*\}]{0,32}/ fullword
- condition:
- any of them
+ meta:
+ description = "evaluate code dynamically using eval() after timeout"
+ hash_2023_package_bgService = "36831e715a152658bab9efbd4c2c75be50ee501b3dffdb5798d846a2259154a2"
+ strings:
+ $ref = /setTimeout\(.{0,64}eval\([\w\(\,\)\;\*\}]{0,32}/ fullword
+ condition:
+ any of them
 }
-
diff --git a/rules/combo/backdoor/payload.yara b/rules/combo/backdoor/payload.yara
index e2bac8d78..32758f793 100644
--- a/rules/combo/backdoor/payload.yara
+++ b/rules/combo/backdoor/payload.yara
@@ -1,13 +1,12 @@
-rule load_agent_with_payload : suspicious {
+rule load_agent_with_payload : high {
 meta:
- hash_2020_FinSpy_caglayan_macos = "d20fcffe09bcfbcd5b69f8fa506a614d1580fce14d23abe288e632e83936095a"
 hash_2020_FinSpy_installer = "80d6e71c54fb3d4a904637e4d56e108a8255036cbb4760493b142889e47b951f"
- hash_2020_finspy_logind_installer = "ac414a14464bf38a59b8acdfcdf1c76451c2d79da0b3f2e53c07ed1c94aeddcd"
+ hash_2018_org_logind_ctp_archive_installer = "ac414a14464bf38a59b8acdfcdf1c76451c2d79da0b3f2e53c07ed1c94aeddcd"
 strings:
 $loadAgent = "loadAgent"
 $payload = "payload"
 $not_private = "/System/Library/PrivateFrameworks/"
 condition:
 $payload and $loadAgent and none of ($not*)
-}
\ No newline at end of file
+}
diff --git a/rules/combo/backdoor/php.yara b/rules/combo/backdoor/php.yara
index bbab8240d..c2fb9e01f 100644
--- a/rules/combo/backdoor/php.yara
+++ b/rules/combo/backdoor/php.yara
@@ -1,11 +1,6 @@
 rule php_possible_backdoor : critical {
 meta:
- hash_2020_trojan_webshell_quwmldl_rfxn = "f1375cf097b3f28247762147f8ee3755e0ce26e24fbf8a785fe4e5b42c1fed05"
- hash_2023_PHP_Backdoor_PHP_Goonshell_a = "42e5fafe25af2d2600691a26144cc47320ccfd07a224b72452dfa7de2e86ece3"
- hash_2023_PHP_Backdoor_PHP_Goonshell_a = "42e5fafe25af2d2600691a26144cc47320ccfd07a224b72452dfa7de2e86ece3"
- hash_2023_R57_Backdoor_PHP_R57_a = "3ab6322a2a14de6698446bc5e8faf741bbdad288e95c844edc9e318b722d956f"
- hash_2023_R57_Backdoor_PHP_R57_a = "3ab6322a2a14de6698446bc5e8faf741bbdad288e95c844edc9e318b722d956f"
 hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e"
 hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad"
 strings:
@@ -23,7 +18,7 @@ rule php_possible_backdoor : critical {
 $eval = "eval"
 $not_aprutil = "APR-UTIL"
 $not_syntax = "syntax file"
- $not_reference = "stream_register_wrapper"
+ $not_reference = "stream_register_wrapper"
 condition:
 filesize < 1048576 and $eval and 1 of ($php*) and 4 of ($f_*) and none of ($not*)
 }
@@ -33,11 +28,6 @@ rule php_eval_base64_decode : critical {
 hash_2023_0xShell = "acf556b26bb0eb193e68a3863662d9707cbf827d84c34fbc8c19d09b8ea811a1"
 hash_2023_0xShell_0xObs = "6391e05c8afc30de1e7980dda872547620754ce55c36da15d4aefae2648a36e5"
 hash_2023_0xShell = "a6f1f9c9180cb77952398e719e4ef083ccac1e54c5242ea2bc6fe63e6ab4bb29"
- hash_2023_0xShell_0xShellObs = "64771788a20856c7b2a29067f41be9cb7138c11a2cf2a8d17ab4afe73516f1ed"
- hash_2023_0xShell_1337 = "657bd1f3e53993cb7d600bfcd1a616c12ed3e69fa71a451061b562e5b9316649"
- hash_2023_0xShell_index = "f39b16ebb3809944722d4d7674dedf627210f1fa13ca0969337b1c0dcb388603"
- hash_2023_0xShell_crot = "900c0453212babd82baa5151bba3d8e6fa56694aff33053de8171a38ff1bef09"
- hash_2023_0xShell_index = "f39b16ebb3809944722d4d7674dedf627210f1fa13ca0969337b1c0dcb388603"
 strings:
 $eval_base64_decode = "eval(base64_decode"
 condition:
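Review bot: The `@@ -33,11 +28,6 @@` hunk removes the duplicated `hash_2023_0xShell_index` entries but leaves two context lines both keyed `hash_2023_0xShell` with different values (`acf556b2…` and `a6f1f9c9…`) in `php_eval_base64_decode`; even where YARA accepts repeated meta names, distinct keys such as `hash_2023_0xShell_acf5` / `hash_2023_0xShell_a6f1` make the samples addressable and follow the `_<prefix>` convention the rest of this commit adopts. The rule continues outside the hunk.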
@@ -46,14 +36,9 @@ rule php_eval_base64_decode : critical { rule php_executor : critical { meta: - hash_2020_trojan_webshell_quwmldl_rfxn = "f1375cf097b3f28247762147f8ee3755e0ce26e24fbf8a785fe4e5b42c1fed05" - hash_2015_Resources_agent = "5a61246c9fe8e52347e35664e0c86ab2897d807792008680e04306e6c2104941" - hash_2023_PHP_Backdoor_PHP_NShell = "a4f5649bb8356f0d78830c3e3ac032624dda4da5b5288190975aaa9c0cb4992f" - hash_2023_PHP_Backdoor_PHP_NShell = "a4f5649bb8356f0d78830c3e3ac032624dda4da5b5288190975aaa9c0cb4992f" - hash_2023_R57_Backdoor_PHP_R57_a = "3ab6322a2a14de6698446bc5e8faf741bbdad288e95c844edc9e318b722d956f" - hash_2023_R57_Backdoor_PHP_R57_a = "3ab6322a2a14de6698446bc5e8faf741bbdad288e95c844edc9e318b722d956f" hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e" hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad" + hash_2015_Resources_agent = "5a61246c9fe8e52347e35664e0c86ab2897d807792008680e04306e6c2104941" strings: $php = "" - $ref7 = "No XENIX semaphores available" - $ref8 = "Unknown error" - $ref9 = "Success" - $not_strcmp = "strcmp" - $not_libc = "libc" fullword + $ref1 = "/dev/null" fullword + $ref2 = "/proc" fullword + $ref3 = "socket" fullword + $ref4 = "(null)" fullword + $ref5 = "localhost" + $ref6 = "<=>" + $ref7 = "No XENIX semaphores available" + $ref8 = "Unknown error" + $ref9 = "Success" + $not_strcmp = "strcmp" + $not_libc = "libc" fullword condition: - filesize < 120KB and 90% of ($ref*) and none of ($not*) + filesize < 122880 and 90% of ($ref*) and none of ($not*) } rule vaguely_gafygt : critical { meta: - description = "Resembles GAFYGT" + description = "Resembles GAFYGT" + hash_2023_Linux_Malware_Samples_9e35 = "9e35f0a9eef0b597432cb8a7dfbd7ce16f657e7a74c26f7a91d81b998d00b24d" + hash_2023_Linux_Malware_Samples_a385 = "a385b3b1ed6e0480aa495361ab5b5ed9448f52595b383f897dd0a56e7ab35496" strings: - $ref1 = "/dev/null" fullword - $ref4 = "(nul" - $ref5 = 
"/bin/sh"
- $ref6 = "UDPRAW"
- $ref7 = "KILLBOT"
- $not_strcmp = "strcmp"
- $not_libc = "libc" fullword
+ $ref1 = "/dev/null" fullword
+ $ref4 = "(nul"
+ $ref5 = "/bin/sh"
+ $ref6 = "UDPRAW"
+ $ref7 = "KILLBOT"
+ $not_strcmp = "strcmp"
+ $not_libc = "libc" fullword
 condition:
- filesize < 120KB and 90% of ($ref*) and none of ($not*)
+ filesize < 122880 and 90% of ($ref*) and none of ($not*)
 }
diff --git a/rules/combo/backdoor/socat.yara b/rules/combo/backdoor/socat.yara
index afc8d4eb0..e215afb05 100644
--- a/rules/combo/backdoor/socat.yara
+++ b/rules/combo/backdoor/socat.yara
@@ -1,4 +1,4 @@
-rule socat_backdoor : suspicious {
+rule socat_backdoor : high {
 strings:
 $socat = "socat" fullword
 $bin_bash = "/bin/bash"
diff --git a/rules/combo/backdoor/socket_filter_exec.yara b/rules/combo/backdoor/socket_filter_exec.yara
index b0d3ef9b5..5f1b08945 100644
--- a/rules/combo/backdoor/socket_filter_exec.yara
+++ b/rules/combo/backdoor/socket_filter_exec.yara
@@ -1,20 +1,18 @@
-rule linux_network_filter_exec : suspicious {
+
+rule linux_network_filter_exec : high {
 meta:
- description = "listens for packets without a socket, executes programs"
+ description = "listens for packets without a socket, executes programs"
 hash_2023_BPFDoor_dc83 = "dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a"
 strings:
 $0x = "=0x"
 $p_tcp = "tcp["
 $p_udp = "udp["
 $p_icmp = "icmp["
- $execl = "execl" fullword
 $execve = "execve" fullword
- $e_bin_sh = "/bin/sh"
- $e_bin_bash = "/bin/bash"
-
- $not_cilium_node = "CILIUM_SOCK"
+ $e_bin_sh = "/bin/sh"
+ $e_bin_bash = "/bin/bash"
+ $not_cilium_node = "CILIUM_SOCK"
 condition:
 $0x and any of ($p*) and any of ($e*) and none of ($not*)
 }
-
diff --git a/rules/combo/backdoor/ssh.yara b/rules/combo/backdoor/ssh.yara
index c7ab1d40f..c2390b66d 100644
--- a/rules/combo/backdoor/ssh.yara
+++ b/rules/combo/backdoor/ssh.yara
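Review bot: The socket_filter_exec hunk drops `$execl = "execl" fullword` from the `$e*` group, so `any of ($e*)` now requires `execve`, `/bin/sh` or `/bin/bash`; the rule is silently narrower while its description still reads "executes programs", and nothing records why the exec-family variant was removed. If the intent was to cut false positives, a comment above `$execve` such as `// execl dropped: too common in benign daemons` would preserve the reasoning; if it was accidental, the string should come back.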
@@ -1,13 +1,14 @@
-rule ssh_backdoor : suspicious {
+
+rule ssh_backdoor : high {
 meta:
 req = "https://www.welivesecurity.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords/"
- hash_2021_trojan_SSHDoor_sshdkit = "6de1e587ac4aa49273042ffb3cdce5b92b86c31c9f85ca48dae8a38243515f75"
- hash_2021_trojan_SSHDoor_sshdkit_dzptg = "ee22d8b31eecf2c7dd670dde075df199be44ef4f61eb869f943ede7f5c3d61cb"
+ hash_2023_UPX_0c25a05bdddc144fbf1ffa29372481b50ec6464592fdfb7dec95d9e1c6101d0d_elf_x86_64 = "818b80a08418f3bb4628edd4d766e4de138a58f409a89a5fdba527bab8808dd2"
 hash_2023_FontOnLake_45E94ABEDAD8C0044A43FF6D72A5C44C6ABD9378_elf = "f60c1214b5091e6e4e5e7db0c16bf18a062d096c6d69fe1eb3cbd4c50c3a3ed6"
+ hash_2023_Linux_Malware_Samples_6de1 = "6de1e587ac4aa49273042ffb3cdce5b92b86c31c9f85ca48dae8a38243515f75"
 strings:
 $ssh_agent = "ssh_host_key"
- $ssh_authorized_keys = "authorized_keys"
+ $ssh_authorized_keys = "authorized_keys"
 $backdoor = "backdoor"
 condition:
- $backdoor and any of ($ssh*)
+ $backdoor and any of ($ssh*)
 }
diff --git a/rules/combo/backdoor/sys_cmd.yara b/rules/combo/backdoor/sys_cmd.yara
index d68a38b1f..95e662505 100644
--- a/rules/combo/backdoor/sys_cmd.yara
+++ b/rules/combo/backdoor/sys_cmd.yara
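Review bot: `ssh_backdoor` carries `req = "https://www.welivesecurity.com/…"` as a meta key; every other rule in this commit spells it `ref` (for example `ref = "https://cert.gov.ua/article/6123309"` in `netcat_exec_backdoor`), so this looks like a typo that the hunk, which rewrites the surrounding meta lines anyway, could correct to `ref = …`. The new `hash_2023_UPX_0c25a05b…_elf_x86_64 = "818b80a0…"` key embeds a digest that differs from its value — the same packed/unpacked ambiguity noted on the net_exec hunk. `$ssh_agent = "ssh_host_key"` is also an identifier that does not describe its string; `$ssh_host_key` would keep the `$ssh*` prefix the condition relies on.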
@@ -1,14 +1,9 @@
-rule multiple_sys_commands : suspicious {
+
+rule multiple_sys_commands : high {
 meta:
- description = "mentions multiple unrelated system commands"
- hash_2022_XorDDoS = "311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151"
- hash_2020_trojan_SAgnt_vnqci_sshd = "df3b41b28d5e7679cddb68f92ec98bce090af0b24484b4636d7d84f579658c52"
- hash_2023_articles_https_pberba_github_io_security_2022_02_07_linux_threat_hunting_for_persistence_systemd_generators = "8c227f67a16162ffd5b453a478ced2950eba4cbe3b004c5cc935fb9551dc2289"
- hash_2023_articles_https_www_crowdstrike_com_blog_how_to_hunt_for_decisivearchitect_and_justforfun_implant = "cc3d0e46681b416ef79e729c9f766d5e56f760904caba367f30df3cafae44f75"
- hash_2023_BPFDoor_07ec = "07ecb1f2d9ffbd20a46cd36cd06b022db3cc8e45b1ecab62cd11f9ca7a26ab6d"
- hash_2023_BPFDoor_17dd = "17ddd405e4ed78129808dcf5a3381568d8f74878ca0535249cfb31340950ea85"
- hash_2023_BPFDoor_2e0a = "2e0aa3da45a0360d051359e1a038beff8551b957698f21756cfc6ed5539e4bdb"
- hash_2023_BPFDoor_340f = "340fec891eff2bbeccbef054a6b7e7e04fc09cf3b3b5fdf06accbd193a03b453"
+ description = "mentions multiple unrelated system commands"
+ hash_2023_Unix_Trojan_Xorddos_c9bd = "c9bd6d01eb7258fef88ec5c9276431c1db45f063b316f83943e45b6a40a76783"
+ hash_2023_Downloads_311c = "311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151"
 strings:
 $cron = "/usr/sbin/cron"
 $rsyslog = "/usr/sbin/rsyslogd"
@@ -19,5 +14,5 @@ rule multiple_sys_commands : suspicious {
 $sdpd = "/usr/sbin/sdpd"
 $gam = "/usr/libexec/gam_server"
 condition:
- filesize < 64MB and 3 of them
+ filesize < 67108864 and 3 of them
 }
diff --git a/rules/combo/critical_paths.yara b/rules/combo/critical_paths.yara
index f59c81094..e855a22e6 100644
--- a/rules/combo/critical_paths.yara
+++ b/rules/combo/critical_paths.yara
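Review bot: The hunk removes the two article-derived entries (`hash_2023_articles_https_pberba_github_io_…` and `hash_2023_articles_https_www_crowdstrike_com_blog_…`) and the four `hash_2023_BPFDoor_*` entries, leaving `multiple_sys_commands` with two samples and no link to the write-ups that motivated the `/usr/sbin/*` path list; BPFDoor coverage is now recorded only on `bpfdoor_alike` in net_term. Suggest keeping the write-ups as `ref` entries (the URLs are recoverable from the removed key names) and at least one BPFDoor hash with the family in the key. The rule's strings continue outside the hunk.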
@@ -1,14 +1,7 @@ -rule linux_critical_system_paths_val : suspicious { + +rule linux_critical_system_paths_val : high { meta: - description = "accesses multiple critical Linux paths" - hash_2023_XorDDoS = "311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151" - hash_2022_Winnti = "2f1321c6cf0bc3cf955e86692bfc4ba836f5580c8b1469ce35aa250c97f0076e" - hash_2020_BirdMiner_arachnoidal = "904ad9bc506a09be0bb83079c07e9a93c99ba5d42ac89d444374d80efd7d8c11" - hash_2021_miner_malxmr = "04b5e29283c60fcc255f8d2f289238430a10624e457f12f1bc866454110830a2" - hash_2021_Mettle = "1020ce1f18a2721b873152fd9f76503dcba5af7b0dd26d80fdb11efaf4878b1a" - hash_2021_trojan_Gafgyt_fszhv = "1794cf09f4ea698759b294e27412aa09eda0860475cd67ce7b23665ea6c5d58b" - hash_2021_miner_XMR_Stak = "1b1a56aec5b02355b90f911cdd27a35d099690fcbeb0e0622eaea831d64014d3" - hash_2021_trojan_Mirai_hefhz = "f01a3c987b422cb86b05c7e65338b238c4b7da5ce13b2e5fcc38dbc818d9b993" + description = "accesses multiple critical Linux paths" strings: $p_var_run = /\/var\/run[\w\/\.\-]{0,32}/ $p_tmp = /\/tmp\/[\w\/\.\-]{0,32}/ @@ -19,13 +12,11 @@ rule linux_critical_system_paths_val : suspicious { $p_sys_devices = /\/sys\/devices[\w\/\.\-]{0,32}/ $p_sys_class = /\/sys\/class[\w\/\.\-]{0,32}/ $p_sysctl = /sysctl[ -a-z]{0,32}/ - - // malware doesn't generally care about these files - $not_dirty = "/proc/sys/vm/dirty_bytes" - $not_swappy = "/proc/sys/vm/swappiness" - $not_somaxconn = "/prkyioc/sys/kernel/threads-max" - $not_mime = "/etc/apache/mime.types" - $not_clickhouse = "/tmp/jemalloc_clickhouse" + $not_dirty = "/proc/sys/vm/dirty_bytes" + $not_swappy = "/proc/sys/vm/swappiness" + $not_somaxconn = "/prkyioc/sys/kernel/threads-max" + $not_mime = "/etc/apache/mime.types" + $not_clickhouse = "/tmp/jemalloc_clickhouse" condition: - 80% of ($p*) and none of ($not*) + 80% of ($p*) and none of ($not*) } 
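Review bot: The exclusion `$not_somaxconn = "/prkyioc/sys/kernel/threads-max"` in the second hunk of critical_paths.yara is reindented but not repaired: the path fragment `/prkyioc/` looks like a mangled `/proc/`, so this string can never appear in a real binary and the false-positive suppression it is meant to provide never fires, and the identifier names `somaxconn` while the value is `threads-max`. Suggest `$not_threads_max = "/proc/sys/kernel/threads-max"` (the `$not*` glob in the condition still covers it). The commit also drops the why-comment `// malware doesn't generally care about these files` above the exclusion list, and raw_flooder.yara likewise loses `// Included by Go's TCP stack`; those explain tuning decisions and are worth keeping.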
diff --git a/rules/combo/degrader/selinux_firewall.yara b/rules/combo/degrader/selinux_firewall.yara index 7ef0d13eb..109e11ad6 100644 --- a/rules/combo/degrader/selinux_firewall.yara +++ b/rules/combo/degrader/selinux_firewall.yara @@ -1,7 +1,6 @@ -rule selinux_firewall : suspicious{ + +rule selinux_firewall : high { meta: - hash_2023_installer_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd" - hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b" hash_2023_Unix_Downloader_Rocke_228e = "228ec858509a928b21e88d582cb5cfaabc03f72d30f2179ef6fb232b6abdce97" hash_2023_Unix_Downloader_Rocke_2f64 = "2f642efdf56b30c1909c44a65ec559e1643858aaea9d5f18926ee208ec6625ed" hash_2023_Unix_Downloader_Rocke_6107 = "61075056b46d001e2e08f7e5de3fb9bfa2aabf8fb948c41c62666fd4fab1040f" @@ -9,10 +8,9 @@ rule selinux_firewall : suspicious{ $selinux = /SELINUX[=\w]{0,32}/ fullword $f_iptables = /iptables[ -\w]{0,32}/ $f_firewalld = /[\w ]{0,32}firewalld/ - - $not_ip6tables = "NFTNL_RULE_TABLE" - $not_iptables = "iptables-restore" - $not_iptables_nft = "iptables-nft" + $not_ip6tables = "NFTNL_RULE_TABLE" + $not_iptables = "iptables-restore" + $not_iptables_nft = "iptables-nft" condition: - $selinux and any of ($f*) and none of ($not*) + $selinux and any of ($f*) and none of ($not*) } diff --git a/rules/combo/dropper/cocoa_bundle.yara b/rules/combo/dropper/cocoa_bundle.yara index a4e67b83e..bd1b6c8bf 100644 --- a/rules/combo/dropper/cocoa_bundle.yara +++ b/rules/combo/dropper/cocoa_bundle.yara 
@@ -2,13 +2,14 @@ rule cocoa_bundle_dropper : critical { meta: ref = "https://www.huntress.com/blog/lightspy-malware-variant-targeting-macos" + hash_2024_Downloads_4b97 = "4b973335755bd8d48f34081b6d1bea9ed18ac1f68879d4b0a9211bbab8fa5ff4" strings: - $bundle = "NSBundle" fullword - $url = "NSURL" fullword - $shared = "/Users/Shared" fullword - $aes = "AES" fullword - $download = "Download" fullword - $platform = "isPlatformOrVariantPlatformVersionAtLeast" fullword + $bundle = "NSBundle" fullword + $url = "NSURL" fullword + $shared = "/Users/Shared" fullword + $aes = "AES" fullword + $download = "Download" fullword + $platform = "isPlatformOrVariantPlatformVersionAtLeast" fullword condition: - all of them + $shared and 5 of them } diff --git a/rules/combo/dropper/php.yara b/rules/combo/dropper/php.yara index 165ffc33f..5ee03e864 100644 --- a/rules/combo/dropper/php.yara +++ b/rules/combo/dropper/php.yara @@ -1,5 +1,5 @@ -rule php_copy_url { +rule php_copy_url : high { meta: ref = "kinsing" strings: diff --git a/rules/combo/dropper/python.yara b/rules/combo/dropper/python.yara index 6d18283a3..4017d868f 100644 --- a/rules/combo/dropper/python.yara +++ b/rules/combo/dropper/python.yara 
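Review bot: The new condition `$shared and 5 of them` widens a rule tagged `critical` from requiring all six strings to requiring `/Users/Shared` plus any four of `NSBundle`, `NSURL`, `AES`, `Download` and `isPlatformOrVariantPlatformVersionAtLeast`; the first four are common in benign Cocoa software, so the added hash is presumably the sample that motivated the change but nothing in the rule records why `$platform` is no longer required. The rule also has no `description` meta, unlike the rules around it. Suggest adding `description = "Cocoa bundle dropper staging via /Users/Shared (LightSpy-like)"` and a short meta note on the relaxed condition so the severity can be re-evaluated if false positives appear.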
@@ -1,39 +1,40 @@ -rule http_open_write_system : suspicious { + +rule http_open_write_system : high { meta: - description = "fetch and execute programs" + description = "fetch and execute programs" + hash_2022_laysound_4_5_2_setup = "4465bbf91efedb996c80c773494295ae3bff27c0fff139c6aefdb9efbdf7d078" + hash_2023_JokerSpy_shared = "5fe1790667ee5085e73b054566d548eb4473c20cf962368dd53ba776e9642272" + hash_2023_JokerSpy_shared = "39bbc16028fd46bf4ddad49c21439504d3f6f42cccbd30945a2d2fdb4ce393a4" strings: - $http_requests_get = "requests.get" fullword - $http_requests_post = "requests.post" fullword - $http_urllib = "urllib.request" fullword - $http_urlopen = "urlopen" fullword - - $open = "open(" - - $write = "write(" - - $system = "os.system" fullword - $sys_popen = "os.popen" fullword - $sys_sub = "subprocess" fullword + $http_requests_get = "requests.get" fullword + $http_requests_post = "requests.post" fullword + $http_urllib = "urllib.request" fullword + $http_urlopen = "urlopen" fullword + $open = "open(" + $write = "write(" + $system = "os.system" fullword + $sys_popen = "os.popen" fullword + $sys_sub = "subprocess" fullword condition: filesize < 16384 and any of ($h*) and $open and $write and any of ($sys*) } rule setuptools_dropper : critical { - meta: - description = "setuptools script that fetches and executes" - strings: - $setup = "setup(" - $setuptools = "setuptools" fullword - - $http_requests = "requests.get" fullword - $http_requests_post = "requests.post" fullword - $http_urrlib = "urllib.request" fullword - $http_urlopen = "urlopen" fullword - - $system = "os.system" fullword - $sys_popen = "os.popen" fullword - $sys_sub = "subprocess" fullword - - condition: - all of ($setup*) and any of ($http*) and any of ($sys*) -} \ No newline at end of file + meta: + description = "setuptools script that fetches and executes" + hash_2022_laysound_4_5_2_setup = "4465bbf91efedb996c80c773494295ae3bff27c0fff139c6aefdb9efbdf7d078" + hash_2022_2022_requests_3_0_0_setup 
= "15507092967fbd28ccb833d98c2ee49da09e7c79fd41759cd6f783672fe1c5cc" + hash_2022_selenuim_4_4_2_setup = "5c5e1d934dbcbb635f84b443bc885c9ba347babc851cd225d2e18eadc111ecf0" + strings: + $setup = "setup(" + $setuptools = "setuptools" fullword + $http_requests = "requests.get" fullword + $http_requests_post = "requests.post" fullword + $http_urrlib = "urllib.request" fullword + $http_urlopen = "urlopen" fullword + $system = "os.system" fullword + $sys_popen = "os.popen" fullword + $sys_sub = "subprocess" fullword + condition: + all of ($setup*) and any of ($http*) and any of ($sys*) +} diff --git a/rules/combo/dropper/ruby.yara b/rules/combo/dropper/ruby.yara index 64d0247e6..bbde88ffc 100644 --- a/rules/combo/dropper/ruby.yara +++ b/rules/combo/dropper/ruby.yara @@ -1,12 +1,11 @@ -rule write_open_http : suspicious { + +rule write_open_http : high { meta: jumpcloud = "https://www.mandiant.com/resources/blog/north-korea-supply-chain" - hash_2023_jumpcloud_init = "d4918e0b1883e12408aba9eb26071038a45fb020f1a489a2b2a36ab8b225f673" + hash_2024_jumpcloud_init = "6acfc6f82f0fea6cc2484021e87fec5e47be1459e71201fbec09372236f8fc5a" strings: $write_open_https = ".write(open('https://" $write_open_http = ".write(open('http://" condition: any of them } - - diff --git a/rules/combo/dropper/shell.yara b/rules/combo/dropper/shell.yara index 33e3a8ca8..1d2041c85 100644 --- a/rules/combo/dropper/shell.yara +++ b/rules/combo/dropper/shell.yara 
@@ -1,66 +1,76 @@ + rule fetch_chmod_run_oneliner_value : critical { - meta: - description = "fetches, chmods, and runs a program" - strings: - $ref = /[a-z](url|get) .{4,64}chmod .{4,64}\.\/[a-z]{1,16}/ - condition: - any of them + meta: + description = "fetches, chmods, and runs a program" + hash_2023_Unix_Dropper_Mirai_0e91 = "0e91c06bb84630aba38e9c575576b46240aba40f36e6142c713c9d63a11ab4bb" + hash_2023_Unix_Dropper_Mirai_4d50 = "4d50bee796cda760b949bb8918881b517f4af932406307014eaf77d8a9a342d0" + hash_2023_Unix_Dropper_Mirai_56ca = "56ca15bdedf9751f282b24d868b426b76d3cbd7aecff5655b60449ef0d2ca5c8" + strings: + $ref = /[a-z](url|get) .{4,64}chmod .{4,64}\.\/[a-z]{1,16}/ + condition: + any of them } -rule curl_chmod_relative_run : notable { +rule curl_chmod_relative_run : medium { meta: - description = "may fetch file, make it executable, and run it" + description = "may fetch file, make it executable, and run it" + hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78 = "fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588" + hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b" + hash_2023_Linux_Malware_Samples_df3b = "df3b41b28d5e7679cddb68f92ec98bce090af0b24484b4636d7d84f579658c52" strings: - $chmcurlod = /curl [\-\w \$\@\{\w\/\.\:]{0,96}/ - $chmod = /chmod [\-\w \$\@\{\w\/\.]{0,64}/ - $dot_slah = /\.\/[a-z]{1,2}[a-z\.\/\- ]{0,32}/ fullword + $chmcurlod = /curl [\-\w \$\@\{\w\/\.\:]{0,96}/ + $chmod = /chmod [\-\w \$\@\{\w\/\.]{0,64}/ + $dot_slah = /\.\/[a-z]{1,2}[a-z\.\/\- ]{0,32}/ fullword condition: - all of them + all of them } -rule wget_chmod_relative_run : notable { +rule wget_chmod_relative_run : medium { meta: - description = "may fetch file, make it executable, and run it" + description = "may fetch file, make it executable, and run it" + hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78 = 
"fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588" + hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b" + hash_2023_Linux_Malware_Samples_3059 = "305901aa920493695729132cfd20cbddc9db2cf861071450a646c6a07b4a50f3" strings: - $chmcurlod = /wget [\-\w \$\@\{\w\/\.\:]{0,96}/ - $chmod = /chmod [\-\w \$\@\{\w\/\.]{0,64}/ - $dot_slah = /\.\/[a-z]{1,2}[a-z\.\/\- ]{0,32}/ fullword + $chmcurlod = /wget [\-\w \$\@\{\w\/\.\:]{0,96}/ + $chmod = /chmod [\-\w \$\@\{\w\/\.]{0,64}/ + $dot_slah = /\.\/[a-z]{1,2}[a-z\.\/\- ]{0,32}/ fullword condition: - all of them + all of them } -rule dev_null_rm : notable { +rule dev_null_rm : medium { strings: $dev_null_rm = /[ \w\.\/\&\-%]{0,32}\/dev\/null\;rm[ \w\/\&\.\-\%]{0,32}/ condition: any of them } -rule sleep_rm : notable { +rule sleep_rm : medium { strings: $dev_null_rm = /sleep;rm[ \w\/\&\.\-\%]{0,32}/ condition: any of them } -rule nohup_bash_background : suspicious { +rule nohup_bash_background : high { strings: - $ref = /nohup bash [\%\w\/\>]{0,64} &/ + $ref = /nohup bash [\%\w\/\>]{0,64} &/ condition: any of them } -rule fetch_pipe_shell_value : suspicious { +rule fetch_pipe_shell_value : high { meta: - description = "fetches content and pipes it to a shell" + description = "fetches content and pipes it to a shell" + hash_2023_OK_29c2 = "29c2f559a9494bce3d879aff8731a5d70a3789028055fd170c90965ce9cf0ea4" + hash_2023_Sysrv_Hello_sys_x86_64 = "cd784dc1f7bd95cac84dc696d63d8c807129ef47b3ce08cd08afb7b7456a8cd3" + hash_2023_Unix_Coinminer_Xanthe_7ea1 = "7ea112aadebb46399a05b2f7cc258fea02f55cf2ae5257b331031448f15beb8f" strings: - $wget_bash = /wget .{8,128}\| {0,2}bash/ - $wget_sh = /wget .{8,128}\| {0,2}sh/ - $curl_bash = /curl .{8,128}\| {0,2}bash/ - $curl_sh = /curl .{8,128}\| {0,2}sh/ + $wget_bash = /wget .{8,128}\| {0,2}bash/ + $wget_sh = /wget .{8,128}\| {0,2}sh/ + $curl_bash = /curl .{8,128}\| {0,2}bash/ + $curl_sh = /curl .{8,128}\| {0,2}sh/ condition: any of them } - - - 
diff --git a/rules/combo/exploit/breakout.yara b/rules/combo/exploit/breakout.yara index de158318e..9a32428da 100644 --- a/rules/combo/exploit/breakout.yara +++ b/rules/combo/exploit/breakout.yara @@ -1,4 +1,4 @@ -rule probable_container_breakout : suspicious { +rule probable_container_breakout : high { meta: description = "probable container escape" strings: @@ -19,7 +19,7 @@ rule probable_container_breakout : suspicious { 3 of them } -rule possible_container_breakout : notable { +rule possible_container_breakout : medium { meta: description = "possible container escape" strings: diff --git a/rules/combo/exploit/overflow-shellcode.yara b/rules/combo/exploit/overflow-shellcode.yara index 8275cc717..98f53fdde 100644 --- a/rules/combo/exploit/overflow-shellcode.yara +++ b/rules/combo/exploit/overflow-shellcode.yara 
@@ -1,23 +1,26 @@ -rule exploit: suspicious { - meta: - description = "Buffer overflow exploit" - strings: - $padding = "padding" - $address = "address" - $offset = "offset" - $shellcode = "shellcode" - condition: - $shellcode and 3 of them +rule exploit : high { + meta: + description = "Buffer overflow exploit" + hash_2023_UPX_5a5960ccd31bba5d47d46599e4f10e455b74f45dad6bc291ae448cef8d1b0a59_elf_x86_64 = "56ca5d07fa2e8004a008222a999a97a6c27054b510e8dd6bd22048b084079e37" + hash_2023_Merlin_48a7 = "48a70bd18a23fce3208195f4ad2e92fce78d37eeaa672f83af782656a4b2d07f" + hash_2023_OK_ad69 = "ad69e198905a8d4a4e5c31ca8a3298a0a5d761740a5392d2abb5d6d2e966822f" + strings: + $padding = "padding" + $address = "address" + $offset = "offset" + $shellcode = "shellcode" + condition: + $shellcode and 3 of them } -rule execute_shellcode: suspicious { - meta: - description = "Executes shell code" - strings: - $ref = "execute shellcode" - $ref2 = "exec_shellcode" - $ref3 = "execute_shellcode" - condition: - any of them +rule execute_shellcode : high { + meta: + description = "Executes shell code" + strings: + $ref = "execute shellcode" + $ref2 = "exec_shellcode" + $ref3 = "execute_shellcode" + condition: + any of them } diff --git a/rules/combo/locker/crypto_tor.yara b/rules/combo/locker/crypto_tor.yara index 2e9f06411..6b554408b 100644 --- a/rules/combo/locker/crypto_tor.yara +++ b/rules/combo/locker/crypto_tor.yara 
@@ -2,14 +2,6 @@ rule crypto_locker { meta: ref = "https://www.sentinelone.com/blog/dark-angels-esxi-ransomware-borrows-code-victimology-from-ragnarlocker/" - hash_2023_Downloads_24b5 = "24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073" - hash_2023_Linux_Malware_Samples_83c7 = "83c771f927a0a5faf6f6acd88ed9db800b993f25df22468b394725bd4cca4fcf" - hash_2020_IPStorm_IPStorm_unpacked = "522a5015d4d11833ead6d88d4405c0f4119ff29b1f64b226c464e958f03e1434" - hash_2023_UPX_0c25a05bdddc144fbf1ffa29372481b50ec6464592fdfb7dec95d9e1c6101d0d_elf_x86_64 = "818b80a08418f3bb4628edd4d766e4de138a58f409a89a5fdba527bab8808dd2" - hash_2023_OK_ad69 = "ad69e198905a8d4a4e5c31ca8a3298a0a5d761740a5392d2abb5d6d2e966822f" - hash_2023_Sysrv_Hello_sys_x86_64 = "cd784dc1f7bd95cac84dc696d63d8c807129ef47b3ce08cd08afb7b7456a8cd3" - hash_2023_Downloads_24b5 = "24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073" - hash_2023_Unix_Ransomware_Ech0raix_3d8d = "3d8d25e2204f25260c42a29ad2f6c5c21f18f90ce80cb338bc678e242fba68cd" strings: $c_locked = "locked" fullword $c_kill = "kill" fullword @@ -22,14 +14,12 @@ rule crypto_locker { $c_Queue = "Queue" fullword $c_Round = "Round" fullword $c_cores = "cores" fullword - - $x_browser = "TOR Browser" nocase + $x_browser = "TOR Browser" nocase $x_tor = " TOR " $x_download = "torproject.org" $x_onion = /\w\.onion\W/ - $x_btc = "BTC" fullword - - $not_xul = "XUL_APP_FILE" + $x_btc = "BTC" fullword + $not_xul = "XUL_APP_FILE" condition: 5 of ($c*) and 2 of ($x*) and none of ($not*) } diff --git a/rules/combo/locker/curl_aes_base64.yara b/rules/combo/locker/curl_aes_base64.yara index 39697cb03..fc4210be9 100644 --- a/rules/combo/locker/curl_aes_base64.yara +++ b/rules/combo/locker/curl_aes_base64.yara 
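Review bot: crypto_locker is left without a severity tag (the hunk header still shows `rule crypto_locker {`) while this commit assigns `high` or `medium` to nearly every other rule it touches, so if the consumer tiers results by tag this rule drops out of the tiered output. The rule line itself is line 1 of the file and sits outside the hunk, which may be why it was missed. Suggest tagging it with whichever tier is intended, e.g. `rule crypto_locker : high {`.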
@@ -1,12 +1,12 @@ -rule curl_base64_aes { +rule curl_base64_aes : medium { meta: + hash_2023_Linux_Malware_Samples_df3b = "df3b41b28d5e7679cddb68f92ec98bce090af0b24484b4636d7d84f579658c52" hash_2019_C_unioncryptoupdater = "631ac269925bb72b5ad8f469062309541e1edfec5610a21eecded75a35e65680" - hash_2020_trojan_SAgnt_vnqci_sshd = "df3b41b28d5e7679cddb68f92ec98bce090af0b24484b4636d7d84f579658c52" strings: $curl_easy = "curl_easy_" $aes_key = "aes_key" $base64 = "base64" condition: - all of them + filesize < 52428800 and all of them } diff --git a/rules/combo/locker/readdir_rename_encrypt.yara b/rules/combo/locker/readdir_rename_encrypt.yara index 8e37d2c41..f58133e80 100644 --- a/rules/combo/locker/readdir_rename_encrypt.yara +++ b/rules/combo/locker/readdir_rename_encrypt.yara @@ -1,15 +1,18 @@ -rule conti_alike : notable { - meta: - description = "Reads directories, renames files, encrypts files" - strings: - $readdir = "readdir" fullword - $rename = "rename" fullword - $enc1 = "encrypted by" - $enc2 = "RSA PUBLIC KEY" - $enc3 = "Encrypting file" - $enc4 = "files_encrypted" - $enc5 = "encrypts files" - condition: - $readdir and $rename and any of ($enc*) +rule conti_alike : medium { + meta: + description = "Reads directories, renames files, encrypts files" + hash_2023_Downloads_06ab = "06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725" + hash_2023_Downloads_8b57 = "8b57e96e90cd95fc2ba421204b482005fe41c28f506730b6148bcef8316a3201" + hash_2023_Downloads_f864 = "f864922f947a6bb7d894245b53795b54b9378c0f7633c521240488e86f60c2c5" + strings: + $readdir = "readdir" fullword + $rename = "rename" fullword + $enc1 = "encrypted by" + $enc2 = "RSA PUBLIC KEY" + $enc3 = "Encrypting file" + $enc4 = "files_encrypted" + $enc5 = "encrypts files" + condition: + $readdir and $rename and any of ($enc*) } diff --git a/rules/combo/miner/argon2d_numa_self.yara b/rules/combo/miner/argon2d_numa_self.yara index bd39fcc3f..ba494e665 100644 
--- a/rules/combo/miner/argon2d_numa_self.yara +++ b/rules/combo/miner/argon2d_numa_self.yara @@ -1,13 +1,9 @@ -rule probably_a_miner : suspicious { + +rule probably_a_miner : high { meta: - hash_2023_Linux_Malware_Samples_00ae = "00ae07c9fe63b080181b8a6d59c6b3b6f9913938858829e5a42ab90fb72edf7a" - hash_2023_Linux_Malware_Samples_04b5 = "04b5e29283c60fcc255f8d2f289238430a10624e457f12f1bc866454110830a2" - hash_2023_Linux_Malware_Samples_0ad6 = "0ad6c635d583de499148b1ec46d8b39ae2785303e8b81996d3e9e47934644e73" - hash_2023_Linux_Malware_Samples_0d79 = "0d7960a39b92dad88986deea6e5861bd00fb301e92d550c232aebb36ed010e46" - hash_2023_Linux_Malware_Samples_0dcf = "0dcfa54a7e8a4e631ef466670ce604a61f3b0e8b3e9cf72c943278c0f77c31a2" - hash_2023_Linux_Malware_Samples_1736 = "1736d6feaa80ee3c7d072a6db7ae5e7ee63c1a10314e46ab46b1a2477063de60" - hash_2023_Linux_Malware_Samples_19f7 = "19f76bf2be3ea11732f2c5c562afbd6f363b062c25fba3a143c3c6ef4712774b" - hash_2023_Linux_Malware_Samples_1e48 = "1e48915f40bfdd75fb83e79779010336320af76411b9af9f0e68d361e63a2f60" + hash_2023_Multios_Coinminer_Miner_6f28 = "6f2825856a5ae87face1c68ccb7f56f726073b8639a0897de77da25c8ecbeb19" + hash_2023_gcclib_xfitaarch = "163f78541c2fbdad128997534ecc2ad31b112f779347c526dd4e071a608de85c" + hash_2023_Sysrv_Hello_sys_x86_64 = "cd784dc1f7bd95cac84dc696d63d8c807129ef47b3ce08cd08afb7b7456a8cd3" strings: $argon = "argon2d" $proc_self = "/proc/self" diff --git a/rules/combo/miner/hugepages_nmi_crypto.yara b/rules/combo/miner/hugepages_nmi_crypto.yara index 5a84f8ca7..2158ee04b 100644 --- a/rules/combo/miner/hugepages_nmi_crypto.yara +++ b/rules/combo/miner/hugepages_nmi_crypto.yara 
@@ -1,13 +1,9 @@ -rule hugepages_probably_miner { + +rule hugepages_probably_miner : high { meta: - hash_2023_installer_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd" - hash_2023_Unix_Downloader_Rocke_2f64 = "2f642efdf56b30c1909c44a65ec559e1643858aaea9d5f18926ee208ec6625ed" hash_2023_Downloads_9929 = "99296550ab836f29ab7b45f18f1a1cb17a102bb81cad83561f615f3a707887d7" - hash_2021_miner_XMR_Stak = "1b1a56aec5b02355b90f911cdd27a35d099690fcbeb0e0622eaea831d64014d3" + hash_2023_Linux_Malware_Samples_1b1a = "1b1a56aec5b02355b90f911cdd27a35d099690fcbeb0e0622eaea831d64014d3" hash_2023_Linux_Malware_Samples_1f1b = "1f1bf32f553b925963485d8bb8cc3f0344720f9e67100d610d9e3f5f6bc002a1" - hash_2023_Linux_Malware_Samples_240f = "240fe01d9fcce5aae311e906b8311a1975f8c1431b83618f3d11aeaff10aede3" - hash_2023_Linux_Malware_Samples_39c3 = "39c33c261899f2cb91f686aa6da234175237cd72cfcd9291a6e51cbdc86d4def" - hash_2023_Linux_Malware_Samples_3ff6 = "3ff6b4287e49a01724626a9e11adceee7a478aa5e5778ec139a3f9011a02f3af" strings: $hugepages = "vm.nr_hugepages" $s_watchdog = "kernel.nmi_watchdog" diff --git a/rules/combo/net/expect_scanner.yara b/rules/combo/net/expect_scanner.yara index b08096cc8..695ae4ea5 100644 --- a/rules/combo/net/expect_scanner.yara +++ b/rules/combo/net/expect_scanner.yara @@ -1,4 +1,5 @@ -rule expect_spawn : suspicious { + +rule expect_spawn : high { meta: ref = "https://cert.gov.ua/article/6123309" hash_2023_uacert_socket = "9ca4a18bce328b79720fd18bee56f1f4778f492c70f14dd0d3fdf2148c3e3998" diff --git a/rules/combo/net/host_port.yara b/rules/combo/net/host_port.yara index 15469d83c..7ea58bfa0 100644 --- a/rules/combo/net/host_port.yara +++ b/rules/combo/net/host_port.yara 
@@ -1,11 +1,15 @@ -rule go_scan_tool_val : notable { - meta: - description = "Uses struct with JSON representations for host:port" - strings: - $j_port = "json:\"port\"" - $j_hostname = "json:\"hostname\"" - $j_host = "json:\"host\"" - $j_hip = "json:\"ip\"" - condition: - $j_port and any of ($j_h*) -} \ No newline at end of file + +rule go_scan_tool_val : medium { + meta: + description = "Uses struct with JSON representations for host:port" + hash_2023_Downloads_21ca = "21ca44d382102e0ae33d02f499a5aa2a01e0749be956cbd417aae64085f28368" + hash_2024_Downloads_7c63 = "7c636f1c9e4d9032d66a58f263b3006788047488e00fc26997b915e9d1f174bf" + hash_2020_IPStorm_IPStorm_unpacked = "522a5015d4d11833ead6d88d4405c0f4119ff29b1f64b226c464e958f03e1434" + strings: + $j_port = "json:\"port\"" + $j_hostname = "json:\"hostname\"" + $j_host = "json:\"host\"" + $j_hip = "json:\"ip\"" + condition: + $j_port and any of ($j_h*) +} diff --git a/rules/combo/net/raw_flooder.yara b/rules/combo/net/raw_flooder.yara index f48d4c094..89298742d 100644 --- a/rules/combo/net/raw_flooder.yara +++ b/rules/combo/net/raw_flooder.yara 
@@ -1,25 +1,22 @@ -rule raw_flooder_val : notable { - meta: - description = "raw sockets with multiple targets, possible DoS or security scanning tool" - strings: - $r_raw = "raw socket" - $r_hdr = "HDRINCL" - $r_pack = "IPPacket" - // Included by Go's TCP stack - //$r_rawsock = "iprawsock" - - $f_flood = "flood" - $f_target = "target" - $f_Flood = "Flood" - $f_Attack = "Attack" - - $p_pthread = "pthread" - $p_rand = "rand" fullword - $p_srand = "srand" fullword - $p_gorand = "(*Rand).Intn" - condition: - any of ($r*) and any of ($f*) and any of ($p*) +rule raw_flooder_val : medium { + meta: + description = "raw sockets with multiple targets, possible DoS or security scanning tool" + hash_2024_Downloads_0fa8a2e98ba17799d559464ab70cce2432f0adae550924e83d3a5a18fe1a9fc8 = "503fcf8b03f89483c0335c2a7637670c8dea59e21c209ab8e12a6c74f70c7f38" + hash_2023_Linux_Malware_Samples_123e = "123e6d1138bfd58de1173818d82b504ef928d5a3be7756dd627c594de4aad096" + hash_2023_Linux_Malware_Samples_14b8 = "14b898ab0df7209eb266b92684f1d68b15121304c17903b6b20789bf2345a4a0" + strings: + $r_raw = "raw socket" + $r_hdr = "HDRINCL" + $r_pack = "IPPacket" + $f_flood = "flood" + $f_target = "target" + $f_Flood = "Flood" + $f_Attack = "Attack" + $p_pthread = "pthread" + $p_rand = "rand" fullword + $p_srand = "srand" fullword + $p_gorand = "(*Rand).Intn" + condition: + any of ($r*) and any of ($f*) and any of ($p*) } - - diff --git a/rules/combo/net/scan_tool.yara b/rules/combo/net/scan_tool.yara index 1cb20c36b..37a99b498 100644 --- a/rules/combo/net/scan_tool.yara +++ b/rules/combo/net/scan_tool.yara 
@@ -1,29 +1,23 @@ -rule generic_scan_tool : notable { + +rule generic_scan_tool : medium { meta: - description = "may scan networks" + description = "may scan networks" + hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796" hash_2023_Downloads_06ab = "06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725" - hash_2022_trojan_Winnti = "2f1321c6cf0bc3cf955e86692bfc4ba836f5580c8b1469ce35aa250c97f0076e" - hash_2023_Downloads_b56a = "b56a89db553d4d927f661f6ff268cd94bdcfe341fd75ba4e7c464946416ac309" hash_2023_Linux_Malware_Samples_00ae = "00ae07c9fe63b080181b8a6d59c6b3b6f9913938858829e5a42ab90fb72edf7a" - hash_2021_miner_malxmr = "04b5e29283c60fcc255f8d2f289238430a10624e457f12f1bc866454110830a2" - hash_2023_Linux_Malware_Samples_0638 = "063830221431f8136766f2d740df6419c8cd2f73b10e07fa30067df506592210" - hash_2021_CoinMiner_TB_Camelot = "0ad6c635d583de499148b1ec46d8b39ae2785303e8b81996d3e9e47934644e73" - hash_2021_trojan_Mirai_3_Gafgyt = "0afd9f52ddada582d5f907e0a8620cbdbe74ea31cf775987a5675226c1b228c2" strings: $f_gethostbyname = "gethostbyname" $f_socket = "socket" $f_connect = "connect" - $o_banner = "banner" $o_Probe = "Probe" $o_probe = "probe" $o_scan = "scan" $o_port = "port" - $o_target = "target" - - $not_nss = "NSS_USE_SHEXP_IN_CERT_NAME" - $not_microsoft = "Microsoft Corporation" - $not_php_reference = "ftp_nb_put" + $o_target = "target" + $not_nss = "NSS_USE_SHEXP_IN_CERT_NAME" + $not_microsoft = "Microsoft Corporation" + $not_php_reference = "ftp_nb_put" condition: all of ($f*) and 2 of ($o*) and none of ($not*) -} \ No newline at end of file +} diff --git a/rules/combo/net/tunnel_proxy.yara b/rules/combo/net/tunnel_proxy.yara index b328c90cf..e103a0629 100644 --- a/rules/combo/net/tunnel_proxy.yara +++ b/rules/combo/net/tunnel_proxy.yara 
@@ -1,20 +1,20 @@ -rule tunnel_proxy : notable { + +rule tunnel_proxy : medium { meta: - description = "network tunnel proxy" + description = "network tunnel proxy" + hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74" + hash_2023_Downloads_06ab = "06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725" + hash_2024_Downloads_3105 = "31054fb826b57c362cc0f0dbc8af15b22c029c6b9abeeee9ba8d752f3ee17d7d" strings: - $t_tunnel = "tunnel" fullword - $t_Tunnel = "Tunnel" fullword - - - $p_proxy = "proxy" fullword - $p_Proxy = "Proxy" fullword - $p_socks5 = "SOCKS5" fullword - - $s_socket = "socket" fullword - - $c_crypto = "crypto" fullword - $c_tls = "TLS13" - $c_tlsversion = "TLSVersion" + $t_tunnel = "tunnel" fullword + $t_Tunnel = "Tunnel" fullword + $p_proxy = "proxy" fullword + $p_Proxy = "Proxy" fullword + $p_socks5 = "SOCKS5" fullword + $s_socket = "socket" fullword + $c_crypto = "crypto" fullword + $c_tls = "TLS13" + $c_tlsversion = "TLSVersion" condition: - any of ($t*) and any of ($p*) and any of ($s*) and any of ($c*) + any of ($t*) and any of ($p*) and any of ($s*) and any of ($c*) } diff --git a/rules/combo/recon/capabilities.yara b/rules/combo/recon/capabilities.yara index a24028c26..37d496935 100644 --- a/rules/combo/recon/capabilities.yara +++ b/rules/combo/recon/capabilities.yara @@ -1,4 +1,4 @@ -rule process_capabilities_val : notable { +rule process_capabilities_val : medium { meta: description = "enumerates Linux capabilities for process" strings: diff --git a/rules/combo/recon/docker.yara b/rules/combo/recon/docker.yara index 29db227ad..980573b3a 100644 --- a/rules/combo/recon/docker.yara +++ b/rules/combo/recon/docker.yara 
@@ -1,19 +1,21 @@ -rule docker_ps : notable { + +rule docker_ps : medium { meta: - description = "enumerates Docker containers" + description = "enumerates Docker containers" + hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b" + hash_2023_Unix_Downloader_Rocke_228e = "228ec858509a928b21e88d582cb5cfaabc03f72d30f2179ef6fb232b6abdce97" + hash_2023_Unix_Downloader_Rocke_2f64 = "2f642efdf56b30c1909c44a65ec559e1643858aaea9d5f18926ee208ec6625ed" strings: - $ref = "docker ps" fullword + $ref = "docker ps" fullword condition: - any of them + any of them } - -rule docker_version : notable { +rule docker_version : medium { meta: - description = "gets docker version information" + description = "gets docker version information" strings: - $ref = "docker version" fullword + $ref = "docker version" fullword condition: - any of them + any of them } - diff --git a/rules/combo/recon/hostinfo_collector.yara b/rules/combo/recon/hostinfo_collector.yara index 150a71040..4b6a6cead 100644 --- a/rules/combo/recon/hostinfo_collector.yara +++ b/rules/combo/recon/hostinfo_collector.yara 
@@ -1,13 +1,16 @@ -rule hostinfo_collector : suspicious { + +rule hostinfo_collector : high { meta: - ref = "https://www.bitdefender.com/blog/labs/new-macos-backdoor-written-in-rust-shows-possible-link-with-windows-ransomware-group/" - description = "Collects extremely detailed information about a host" + ref = "https://www.bitdefender.com/blog/labs/new-macos-backdoor-written-in-rust-shows-possible-link-with-windows-ransomware-group/" + description = "Collects extremely detailed information about a host" + hash_2022_CloudMensis_WindowServer = "317ce26cae14dc9a5e4d4667f00fee771b4543e91c944580bbb136e7fe339427" + hash_2022_CloudMensis_WindowServer_2 = "b8a61adccefb13b7058e47edcd10a127c483403cf38f7ece126954e95e86f2bd" + hash_2022_DazzleSpy_softwareupdate = "f9ad42a9bd9ade188e997845cae1b0587bf496a35c3bffacd20fefe07860a348" strings: - $sp = "system_profiler" - $ns = "networksetup" - $sysctl = "sysctl" - $launchctl = "launchctl" + $sp = "system_profiler" + $ns = "networksetup" + $sysctl = "sysctl" + $launchctl = "launchctl" condition: - all of them + 3 of them } - diff --git a/rules/combo/recon/nodejs.yara b/rules/combo/recon/nodejs.yara index 9753e1cbc..181e76094 100644 --- a/rules/combo/recon/nodejs.yara +++ b/rules/combo/recon/nodejs.yara @@ -1,15 +1,14 @@ rule npm_sysinfoexfil : high { - meta: - description = "may gather and exfiltrate system information" - strings: - $proc1 = "process.platform" - $proc2 = "process.arch" - $proc3 = "process.versions" - - $h = "http.request" - - $post = "POST" - condition: - filesize < 32MB and $h and $post and any of ($proc*) -} \ No newline at end of file + meta: + description = "may gather and exfiltrate system information" + hash_2023_botbait = "1b92cb3d4b562d0eb05c3b2f998e334273ce9b491bc534d73bcd0b4952ce58d2" + strings: + $proc1 = "process.platform" + $proc2 = "process.arch" + $proc3 = "process.versions" + $h = "http.request" + $post = "POST" + condition: + filesize < 33554432 and $h and $post and any of ($proc*) +} 
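Review bot: Relaxing hostinfo_collector from `all of them` to `3 of them` at `high` severity combines poorly with `$sysctl = "sysctl"` having no `fullword`: the substring also matches the very common libc call `sysctlbyname`, so a benign Mach-O that uses it and mentions `launchctl` needs only one more of the four strings to fire. Suggest `$sysctl = "sysctl" fullword` (and `fullword` on the other three for consistency), or keeping `$sp` required as the relaxed condition's anchor. The description "Collects extremely detailed information about a host" may also be worth softening now that three utilities suffice.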
diff --git a/rules/combo/recon/php.yara b/rules/combo/recon/php.yara index d48fed085..defabc96c 100644 --- a/rules/combo/recon/php.yara +++ b/rules/combo/recon/php.yara @@ -1,15 +1,15 @@ -rule python_sysinfo_http : suspicious { - meta: - description = "exfiltrate system information" - strings: - $r_user = "getpass.getuser" - $r_hostname = "socket.gethostname" - $r_platform = "platform.platform" - - $u = /[\w\.]{0,16}urlopen/ - - condition: - filesize < 4096 and any of ($r*) and any of ($u*) +rule python_sysinfo_http : high { + meta: + description = "exfiltrate system information" + hash_2023_libcurl_setup = "5deef153a6095cd263d5abb2739a7b18aa9acb7fb0d542a2b7ff75b3506877ac" + hash_2024_aaa_bbb_ccc_setup = "5deef153a6095cd263d5abb2739a7b18aa9acb7fb0d542a2b7ff75b3506877ac" + hash_2023_setuptool_setuptool_setup = "50c9a683bc0aa2fbda3981bfdf0bbd4632094c801b224af60166376e479460ec" + strings: + $r_user = "getpass.getuser" + $r_hostname = "socket.gethostname" + $r_platform = "platform.platform" + $u = /[\w\.]{0,16}urlopen/ + condition: + filesize < 4096 and any of ($r*) and any of ($u*) } - diff --git a/rules/combo/recon/system_network.yara b/rules/combo/recon/system_network.yara index 9ce32dae0..3db1c56ee 100644 --- a/rules/combo/recon/system_network.yara +++ b/rules/combo/recon/system_network.yara 
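Review bot: In python_sysinfo_http the new meta entries `hash_2023_libcurl_setup` and `hash_2024_aaa_bbb_ccc_setup` carry the identical digest, so the second line adds a name but no new sample; keep one of them, or note in the meta that the same file was seen under both package names if that is the point being recorded. Separately, a rule named python_sysinfo_http that matches `getpass.getuser` and `urlopen` lives in rules/combo/recon/php.yara, which looks misplaced; moving it next to the other Python recon rules would make it easier to find.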
@@ -1,52 +1,42 @@ -rule basic_recon : notable { + +rule basic_recon : medium { meta: - hash_2020_trojan_webshell_quwmldl_rfxn = "f1375cf097b3f28247762147f8ee3755e0ce26e24fbf8a785fe4e5b42c1fed05" - hash_2017_Perl_FruitFly_afpscan = "bbbf73741078d1e74ab7281189b13f13b50308cf03d3df34bc9f6a90065a4a55" - hash_2021_ANDR_miner_eomap = "329255e33f43e6e9ae5d5efd6f5c5745c35a30d42fb5099beb51a6e40fe9bd76" - hash_2021_ADR_CoinMiner_nutar = "fb6b327104eb37d42f83b552430ef9b1e45ee49c737d562876650d75e3a88e57" - hash_2023_Sodinokibi = "f864922f947a6bb7d894245b53795b54b9378c0f7633c521240488e86f60c2c5" + hash_2023_Downloads_f864 = "f864922f947a6bb7d894245b53795b54b9378c0f7633c521240488e86f60c2c5" hash_2023_Linux_Malware_Samples_2c98 = "2c98b196a51f737f29689d16abeea620b0acfa6380bdc8e94a7a927477d81e3a" - hash_2023_Linux_Malware_Samples_3ffc = "3ffc2327a5dd17978f62c44807e5bf9904bcdef222012a11e48801faf6861a67" - hash_2023_Linux_Malware_Samples_564a = "564a666d0a7efc39c9d53f5c6c4d95d5f7f6b7bff2dc9aa3c871f8c49650a99b" + hash_2023_Linux_Malware_Samples_3292 = "329255e33f43e6e9ae5d5efd6f5c5745c35a30d42fb5099beb51a6e40fe9bd76" strings: $c_whoami = "whoami" fullword $c_id = "id" fullword $c_hostname = "hostname" fullword $c_uname = "uname -a" - $c_ip_addr = "ip addr" fullword + $c_ip_addr = "ip addr" fullword $not_usage = "Usage: inet" $not_apple_smb = "com.apple.smbd" $not_bashopts = "BASHOPTS" $not_private = "/System/Library/PrivateFrameworks/" - $not_license = "For license information please see" + $not_license = "For license information please see" condition: filesize < 26214400 and 3 of ($c*) and none of ($not*) } - -rule invasive_recon_val : notable { +rule invasive_recon_val : medium { meta: - hash_2020_trojan_webshell_quwmldl_rfxn = "f1375cf097b3f28247762147f8ee3755e0ce26e24fbf8a785fe4e5b42c1fed05" - hash_2017_Perl_FruitFly_afpscan = "bbbf73741078d1e74ab7281189b13f13b50308cf03d3df34bc9f6a90065a4a55" - hash_2021_ANDR_miner_eomap = 
"329255e33f43e6e9ae5d5efd6f5c5745c35a30d42fb5099beb51a6e40fe9bd76" - hash_2021_ADR_CoinMiner_nutar = "fb6b327104eb37d42f83b552430ef9b1e45ee49c737d562876650d75e3a88e57" - hash_2023_Sodinokibi = "f864922f947a6bb7d894245b53795b54b9378c0f7633c521240488e86f60c2c5" - hash_2023_Linux_Malware_Samples_2c98 = "2c98b196a51f737f29689d16abeea620b0acfa6380bdc8e94a7a927477d81e3a" - hash_2023_Linux_Malware_Samples_3ffc = "3ffc2327a5dd17978f62c44807e5bf9904bcdef222012a11e48801faf6861a67" - hash_2023_Linux_Malware_Samples_564a = "564a666d0a7efc39c9d53f5c6c4d95d5f7f6b7bff2dc9aa3c871f8c49650a99b" - strings: + hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad" + hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74" + hash_2024_Downloads_3105 = "31054fb826b57c362cc0f0dbc8af15b22c029c6b9abeeee9ba8d752f3ee17d7d" + strings: $c_ifconfig = /ifconfig.{0,4}-a/ fullword $c_lspi = "lspci" - $c_ufw = /ufw.{0,4}status/ - $c_sudo = /sudo.{0,4}-l/ - $c_ip_route = /ip.{0,4}route/ - $c_netstat = /netstat.{0,4}-a/ - $c_ip_addr = /ip.{0,4}addr/ fullword + $c_ufw = /ufw.{0,4}status/ + $c_sudo = /sudo.{0,4}-l/ + $c_ip_route = /ip.{0,4}route/ + $c_netstat = /netstat.{0,4}-a/ + $c_ip_addr = /ip.{0,4}addr/ fullword $not_usage = "Usage: inet" $not_apple_smb = "com.apple.smbd" $not_bashopts = "BASHOPTS" $not_private = "/System/Library/PrivateFrameworks/" - $not_license = "For license information please see" + $not_license = "For license information please see" condition: filesize < 26214400 and any of ($c*) and none of ($not*) } diff --git a/rules/combo/recon/upload_netinfo.yara b/rules/combo/recon/upload_netinfo.yara index 99a4303b6..b7044a8ab 100644 --- a/rules/combo/recon/upload_netinfo.yara +++ b/rules/combo/recon/upload_netinfo.yara 
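Review bot: The hash key renames in basic_recon drop the family attribution the old keys carried: `hash_2023_Sodinokibi` becomes `hash_2023_Downloads_f864` and `hash_2021_ANDR_miner_eomap` becomes `hash_2023_Linux_Malware_Samples_3292` for the same digests, which suggests the year prefix records when the sample was filed rather than anything about the sample, and the key itself now tells a responder nothing. The same loss happens to the Mirai/Gafgyt keys in router_malware, the stealer keys in multiple_browser_credentials and suspected_data_stealer, and the gonnacry key in office_crypt_archive. If the keys are generated from a corpus path, keep the family where it is known, e.g. `hash_2023_Sodinokibi_f864 = "f864922f947a6bb7d894245b53795b54b9378c0f7633c521240488e86f60c2c5"`, or carry the name in a separate `ref` meta entry.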
@@ -1,29 +1,29 @@ import "math" -rule user_agent_ifconfig: suspicious { - meta: - description = "Has a user agent and collects network info" - strings: - $ua = "User-Agent" - $ua_moz = "Mozilla/" - $ua_msie = "compatible; MSIE" - - $net_ifconfig = "ifconfig" - $net_ifconfig_a = "-a" - condition: - any of ($ua*) and math.abs(@net_ifconfig - @net_ifconfig_a) <= 8 +rule user_agent_ifconfig : high { + meta: + description = "Has a user agent and collects network info" + strings: + $ua = "User-Agent" + $ua_moz = "Mozilla/" + $ua_msie = "compatible; MSIE" + $net_ifconfig = "ifconfig" + $net_ifconfig_a = "-a" + condition: + any of ($ua*) and math.abs(@net_ifconfig - @net_ifconfig_a) <= 8 } - -rule user_agent_proc_net_route: suspicious { - meta: - description = "Has a user agent and collects network info" - strings: - $ua = "User-Agent" - $ua_moz = "Mozilla/" - $ua_msie = "compatible; MSIE" - - $net_route = "/proc/net/route" - condition: - any of ($ua*) and any of ($net*) +rule user_agent_proc_net_route : high { + meta: + description = "Has a user agent and collects network info" + hash_2023_Unix_Dropper_Mirai_1703 = "1703bd27e0ae38a53e897b82554f95eaa5a88f2b0a6c2c9d973d7e34d05b2539" + hash_2023_Unix_Dropper_Mirai_818d = "818d45523d194e31eedc81fe8a86d6f7c3af0376806078b904f10024e4d02120" + hash_2023_Unix_Dropper_Mirai_8f9d = "8f9d9e08af48d596a32d8a7da5d045c8b1d3ffd8ccffcf85db7ecb9043c0d4be" + strings: + $ua = "User-Agent" + $ua_moz = "Mozilla/" + $ua_msie = "compatible; MSIE" + $net_route = "/proc/net/route" + condition: + any of ($ua*) and any of ($net*) } diff --git a/rules/combo/recon/upload_sysinfo.yara b/rules/combo/recon/upload_sysinfo.yara index 581dc674a..41faf2777 100644 --- a/rules/combo/recon/upload_sysinfo.yara +++ b/rules/combo/recon/upload_sysinfo.yara 
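Review bot: In user_agent_ifconfig the proximity check `math.abs(@net_ifconfig - @net_ifconfig_a) <= 8` compares only the first occurrence of each string (`@x` is `@x[1]`), and `-a` is a two-byte pattern that will usually occur somewhere earlier in any sizeable file, so the distance is measured against an unrelated `-a` and a genuine `ifconfig -a` later in the file is missed; conversely a stray `-a` within 8 bytes of the first `ifconfig` fires the rule. A single pattern expresses the intent without the offset arithmetic: `$net_ifconfig_a = /ifconfig[ \t]{1,4}-a/` with condition `any of ($ua*) and $net_ifconfig_a`, which would also let the `import "math"` go if nothing else in the file uses it. The rule is raised to high in this change, so the precision of this check matters more than it did.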
@@ -1,11 +1,12 @@
-rule sw_vers_and_libcurl : notable {
+
+rule sw_vers_and_libcurl : medium {
 meta:
- description = "fetches macOS system version and uses libcurl"
- hash_2023_KandyKorn_kandykorn = "927b3564c1cf884d2a05e1d7bd24362ce8563a1e9b85be776190ab7f8af192f6"
+ description = "fetches macOS system version and uses libcurl"
 hash_2023_Downloads_Chrome_Update = "eed1859b90b8832281786b74dc428a01dbf226ad24b182d09650c6e7895007ea"
+ hash_2023_KandyKorn_kandykorn = "927b3564c1cf884d2a05e1d7bd24362ce8563a1e9b85be776190ab7f8af192f6"
 strings:
 $sw_vers = "sw_vers" fullword
 $bin_zsh = "libcurl"
 condition:
 all of them
-}
\ No newline at end of file
+}
diff --git a/rules/combo/router/malware.yara b/rules/combo/router/malware.yara
index 74170cad0..c2d94725a 100644
--- a/rules/combo/router/malware.yara
+++ b/rules/combo/router/malware.yara
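Review bot: `$bin_zsh = "libcurl"` in sw_vers_and_libcurl is a context line the hunk leaves as is, but the identifier says zsh while the pattern is libcurl, which a reader checking the `all of them` condition will misread; since the hunk already touches this rule, rename it to `$libcurl = "libcurl"`.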
@@ -1,14 +1,10 @@
+
 rule router_malware : critical {
 meta:
- description = "access paths seen in router malware"
- hash_2023_trojan_Mirai_ubzhp = "98e7808bd5bfd72c08429ffe0ffb52ae54bce7e6389f17ae523e8ae0099489ab"
- hash_2023_trojan_Mirai_ghwow = "c91c6dbfa746e3c49a6c93f92b4d6c925668e620d4effc5b2bf59cf9100fe87d"
- hash_2021_trojan_Gafgyt_fszhv = "1794cf09f4ea698759b294e27412aa09eda0860475cd67ce7b23665ea6c5d58b"
- hash_2021_trojan_Gafgyt_malxmr = "1b5bd0d4989c245af027f6bc0c331417f81a87fff757e19cdbdfe25340be01a6"
- hash_2020_CoinMiner_nbtoz = "741af7d54a95dd3b4497c73001e7b2ba1f607d19d63068b611505f9ce14c7776"
- hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b"
- hash_2023_trojan_Mirai_thiwm = "abf0f87cc7eb6028add2e2bda31ede09709a948e8f7e56390a3f18d1eae58aa6"
- hash_2023_Linux_Malware_Samples_b086 = "b086aa8017a7966f38c8dbed3268b4de938bbba1ce7317d99fc47ccb7c191965"
+ description = "access paths seen in router malware"
+ hash_2023_Downloads_98e7 = "98e7808bd5bfd72c08429ffe0ffb52ae54bce7e6389f17ae523e8ae0099489ab"
+ hash_2023_Downloads_abf0 = "abf0f87cc7eb6028add2e2bda31ede09709a948e8f7e56390a3f18d1eae58aa6"
+ hash_2023_Downloads_c91c = "c91c6dbfa746e3c49a6c93f92b4d6c925668e620d4effc5b2bf59cf9100fe87d"
 strings:
 $f_bin_busybox = "/bin/busybox"
 $f_usr_sbin = "/usr/sbin"
@@ -21,10 +17,8 @@ rule router_malware : critical {
 $f_usr_bin_ps = "/usr/bin/ps"
 $f_wget = "/wget"
 $f_curl = "/curl"
-
- // ignore lists of busybox hard links
- $not_dos2unix = "/usr/bin/dos2unix"
- $not_setfont = "/usr/sbin/setfont"
+ $not_dos2unix = "/usr/bin/dos2unix"
+ $not_setfont = "/usr/sbin/setfont"
 condition:
 5 of ($f*) and none of ($not*)
 }
diff --git a/rules/combo/router/passwords.yara b/rules/combo/router/passwords.yara
index 103ac6229..3f05af5f8 100644
--- a/rules/combo/router/passwords.yara
+++ b/rules/combo/router/passwords.yara
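Review bot: The second hunk of router_malware removes the comment `// ignore lists of busybox hard links` that explained why `$not_dos2unix` and `$not_setfont` exist, leaving two exclusions with no stated rationale; the only change to those two strings is indentation, so the comment should come back with them. Without it the next person tidying the rule has no way to tell whether the exclusions can be dropped or why exactly those two busybox applet paths were chosen.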
@@ -1,13 +1,9 @@
+
 rule router_password_references : critical {
 meta:
- hash_2021_trojan_Mirai_Gafgyt_bonb = "68c67c4e38c1b5a1a2897c5f6d25456e989f5a94c359137ea040e79ca4a588aa"
- hash_2023_Linux_Malware_Samples_efa8 = "efa875506296d77178884ba8ac68a8b6d6aef24e79025359cf5259669396e8dd"
- hash_2023_Linux_Malware_Samples_efac = "efacd163027d6db6009c7363eb2af62b588258789735352adcbc672cd412c7c1"
 hash_2023_UPX_0c25a05bdddc144fbf1ffa29372481b50ec6464592fdfb7dec95d9e1c6101d0d_elf_x86_64 = "818b80a08418f3bb4628edd4d766e4de138a58f409a89a5fdba527bab8808dd2"
 hash_2023_Sysrv_Hello_sys_x86_64 = "cd784dc1f7bd95cac84dc696d63d8c807129ef47b3ce08cd08afb7b7456a8cd3"
- hash_2023_Unix_Trojan_Mirai_107e = "107ecf1ab33e6daa7252eb7822fe1b2a720fe33549cd33ff0aa9f9a603aa3d03"
- hash_2023_Unix_Trojan_Mirai_2f98 = "2f987c374944a01717b1905f2bc063a3b577a1d9933a5225717332aa6e43eb90"
- hash_2023_Unix_Trojan_Mirai_3b5f = "3b5fbff58bab53c59d499431e93f753f67dc4836821156191728a05cdabc615e"
+ hash_2023_Unix_Trojan_Gafgyt_8413 = "84131fcec395843710e3b8daf378e92ce54a12bf190d4d354bb50cf000e557d3"
 strings:
 $hikvision = "hikvision"
 $cuadmin = "CUAdmin"
diff --git a/rules/combo/stealer/archive.yara b/rules/combo/stealer/archive.yara
index 6bf59ebe8..06279fb09 100644
--- a/rules/combo/stealer/archive.yara
+++ b/rules/combo/stealer/archive.yara
@@ -1,13 +1,11 @@ -rule py_crypto_urllib_multiprocessing : suspicious { + +rule py_crypto_urllib_multiprocessing : high { meta: - deescription = "calls multiple functions useful for exfiltrating data" + deescription = "calls multiple functions useful for exfiltrating data" ref = "trojan.python/drop - e8eb4f2a73181711fc5439d0dc90059f54820fe07d9727cf5f2417c5cec6da0e" - hash_2023_amos_stealer_a = "e6b6cf40d605fc7a5e8ba168a8a5d8699b0879e965d2b803e29b87926cba861f" + hash_2023_Downloads_e6b6 = "e6b6cf40d605fc7a5e8ba168a8a5d8699b0879e965d2b803e29b87926cba861f" hash_2023_Linux_Malware_Samples_4259 = "4259f2da90bf344092abc071f376753adaf077e13aeed684a7a3c2950ec82f69" hash_2023_Linux_Malware_Samples_7c5c = "7c5c84eb86a72395bf75510d5a1a51553a025668d6477dbef86ad12da7bc6b8a" - hash_2023_Linux_Malware_Samples_9e87 = "9e87a2b19a6d1034abedf3265bbf5f063238246fc56e6087b6ec4a21f29b4239" - hash_2023_Linux_Malware_Samples_ae01 = "ae01f922c0918a8ad61ccedcad89326b4ebe78b7c61c54c33149f348fa9fcedb" - hash_2023_Linux_Malware_Samples_e8eb = "e8eb4f2a73181711fc5439d0dc90059f54820fe07d9727cf5f2417c5cec6da0e" strings: $f_subprocess = "subprocess" $f_tarfile = "tarfile" 
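Review bot: The meta key `deescription` is kept (only re-indented) on the new side of py_crypto_urllib_multiprocessing, so the rule still has no `description` entry for anything that reads that field; it should be `description = "calls multiple functions useful for exfiltrating data"`. The `ref` line still cites digest e8eb4f2a… while the matching `hash_2023_Linux_Malware_Samples_e8eb` entry is deleted — if the sample no longer belongs in the reference set the ref should go with it, otherwise the hash entry should stay. The rule's strings and condition continue past the end of this hunk.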
@@ -16,24 +14,23 @@ rule py_crypto_urllib_multiprocessing : suspicious { $f_blake2 = "blake2" $f_glob = "glob" $f_libcrypto = "libcrypto" - - $not_capa = "capa.engine" + $not_capa = "capa.engine" condition: 80% of ($f*) and none of ($not*) } -rule open_and_archive : suspicious { +rule open_and_archive : high { meta: - hash_2014_CoinThief = "7f32fdcaefee42f93590f9490ab735ac9dfeb22a951ff06d721145baf563d53b" + hash_2017_CoinThief = "7f32fdcaefee42f93590f9490ab735ac9dfeb22a951ff06d721145baf563d53b" strings: $open = "/usr/bin/open" fullword $defaults = "/usr/bin/defaults" $tar = "/usr/bin/tar" $zip = "/usr/bin/zip" $not_private = "/System/Library/PrivateFrameworks/" - $not_keystone = "Keystone" + $not_keystone = "Keystone" $not_sparkle = "org.sparkle-project.Sparkle" - $hashbang = "#!" + $hashbang = "#!" condition: ($open or $defaults) and ($tar or $zip) and none of ($not*) and not $hashbang at 0 } diff --git a/rules/combo/stealer/browser.yara b/rules/combo/stealer/browser.yara index af3ed5725..96167efe6 100644 --- a/rules/combo/stealer/browser.yara +++ b/rules/combo/stealer/browser.yara 
@@ -1,11 +1,9 @@ -rule multiple_browser_credentials : suspicious { + +rule multiple_browser_credentials : high { meta: - hash_2023_stealer_hashbreaker = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74" - hash_2023_amos_stealer_e = "589dbb3f678511825c310447b6aece312a4471394b3bc40dde6c75623fc108c0" - hash_2023_amos_stealer_a = "e6b6cf40d605fc7a5e8ba168a8a5d8699b0879e965d2b803e29b87926cba861f" - hash_2018_CookieMiner_uploadminer = "6236f77899cea6c32baf0032319353bddfecaf088d20a4b45b855a320ba41e93" - hash_2023_brawl_earth = "fe3ac61c701945f833f218c98b18dca704e83df2cf1a8994603d929f25d1cce2" - hash_2023_Downloads_Chrome_Update = "eed1859b90b8832281786b74dc428a01dbf226ad24b182d09650c6e7895007ea" + hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74" + hash_2023_Downloads_589d = "589dbb3f678511825c310447b6aece312a4471394b3bc40dde6c75623fc108c0" + hash_2023_Downloads_Brawl_Earth = "fe3ac61c701945f833f218c98b18dca704e83df2cf1a8994603d929f25d1cce2" strings: $c_library_keychains = "/Library/Keychains" $c_cookies_sqlite = "cookies.sqlite" 
@@ -24,15 +22,6 @@ rule multiple_browser_credentials : suspicious { } rule multiple_browser_credentials_2 { - meta: - hash_2023_brawl_earth = "fe3ac61c701945f833f218c98b18dca704e83df2cf1a8994603d929f25d1cce2" - hash_2023_stealer_hashbreaker = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74" - hash_2023_amos_stealer_e = "589dbb3f678511825c310447b6aece312a4471394b3bc40dde6c75623fc108c0" - hash_2023_amos_stealer_a = "e6b6cf40d605fc7a5e8ba168a8a5d8699b0879e965d2b803e29b87926cba861f" - hash_2016_Calisto = "81c127c3cceaf44df10bb3ceb20ce1774f6a9ead0db4bd991abf39db828661cc" - hash_2018_CookieMiner_uploadminer = "6236f77899cea6c32baf0032319353bddfecaf088d20a4b45b855a320ba41e93" - hash_2017_GoPhoto = "a4d8367dc2df3a8539b9baf8ee48d09f5a8e9f9d2d58431909de0bb0816464a0" - hash_2023_Downloads_Chrome_Update = "eed1859b90b8832281786b74dc428a01dbf226ad24b182d09650c6e7895007ea" strings: $a_google_chrome = "Google/Chrome" $a_app_support = "Application Support" 
@@ -47,33 +36,30 @@ rule multiple_browser_credentials_2 { $a_chrome_local_state = "Chrome/Local State" $a_brave_software = "BraveSoftware" $a_opera = "Opera Software" - $not_osquery = "OSQUERY_WORKER" - $not_private = "/System/Library/PrivateFrameworks/" condition: - 3 of ($a_*) and none of ($not_*) + 4 of ($a_*) } - -rule multiple_browser_refs : notable { +rule multiple_browser_refs : medium { meta: - description = "Uses HTTP, archives, and references multiple browsers" + description = "Uses HTTP, archives, and references multiple browsers" + hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74" + hash_2024_Downloads_3105 = "31054fb826b57c362cc0f0dbc8af15b22c029c6b9abeeee9ba8d752f3ee17d7d" + hash_2023_Downloads_589d = "589dbb3f678511825c310447b6aece312a4471394b3bc40dde6c75623fc108c0" strings: - $d_config = ".config" fullword - $d_app_support = "Application Support" fullword - - $h_http = "http" fullword - $h_POST = "POST" fullword - - $z_zip = "zip" fullword - $z_ZIP = "ZIP" fullword - $z_ditto = "ditto" fullword - $z_tar = "tar" fullword - - $b_Yandex = "Yandex" - $b_Brave = "Brave" - $b_Firefox = "Firefox" - $b_Safari = "Safari" - $b_Chrome = "Chrome" + $d_config = ".config" fullword + $d_app_support = "Application Support" fullword + $h_http = "http" fullword + $h_POST = "POST" fullword + $z_zip = "zip" fullword + $z_ZIP = "ZIP" fullword + $z_ditto = "ditto" fullword + $z_tar = "tar" fullword + $b_Yandex = "Yandex" + $b_Brave = "Brave" + $b_Firefox = "Firefox" + $b_Safari = "Safari" + $b_Chrome = "Chrome" condition: any of ($d*) and any of ($h*) and any of ($z*) and 2 of ($b*) } diff --git a/rules/combo/stealer/cloud.yara b/rules/combo/stealer/cloud.yara index 3905334f2..b8eb7a160 100644 --- a/rules/combo/stealer/cloud.yara +++ b/rules/combo/stealer/cloud.yara 
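Review bot: multiple_browser_credentials_2 loses both exclusions, `$not_osquery = "OSQUERY_WORKER"` and `$not_private = "/System/Library/PrivateFrameworks/"`, and its condition becomes `4 of ($a_*)` with no `none of ($not_*)`; raising the threshold from 3 to 4 does not obviously cover whatever false positives those two strings were added for, and every other rule in this commit that has a PrivateFrameworks exclusion keeps it. Suggest `4 of ($a_*) and none of ($not_*)` with the two strings retained until there is evidence the threshold alone suffices. This rule is also the only one touched here that carries no severity tag (`rule multiple_browser_credentials_2 {`), which looks like an oversight given every sibling was retagged.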
@@ -1,12 +1,11 @@
-rule multiple_cloud_credentials : suspicious {
+
+rule multiple_cloud_credentials : high {
 meta:
- hash_2023_QubitStrike_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd"
- hash_2023_Linux_Malware_Samples_efa8 = "efa875506296d77178884ba8ac68a8b6d6aef24e79025359cf5259669396e8dd"
- hash_2023_Linux_Malware_Samples_efac = "efacd163027d6db6009c7363eb2af62b588258789735352adcbc672cd412c7c1"
- hash_2023_UPX_0c25a05bdddc144fbf1ffa29372481b50ec6464592fdfb7dec95d9e1c6101d0d_elf_x86_64 = "818b80a08418f3bb4628edd4d766e4de138a58f409a89a5fdba527bab8808dd2"
+ hash_2023_Qubitstrike_branch_raw_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd"
+ hash_2023_Qubitstrike_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd"
 strings:
 $s_access_tokens_db = "access_tokens.db"
- $s_config_gcloud = ".config/gcloud"
+ $s_config_gcloud = ".config/gcloud"
 $s_accounts_xml = "accounts.xml"
 $s_authinfo2 = "authinfo2"
 $s_azure_json = "azure.json"
diff --git a/rules/combo/stealer/connect_glob_exec.yara b/rules/combo/stealer/connect_glob_exec.yara
index a13436997..94354a2b8 100644
--- a/rules/combo/stealer/connect_glob_exec.yara
+++ b/rules/combo/stealer/connect_glob_exec.yara
@@ -1,7 +1,7 @@
-rule http_digest_auth_exec_connector : suspicious {
+
+rule http_digest_auth_exec_connector : high {
 meta:
- hash_DoubleFantasy_mdworker = "502a80f81cf39f6c559ab138a39dd4ad5fca697dbca4a62b36527be9e55400f5"
- description = "Uses HTTP Digest auth, runs programs, uses glob"
+ description = "Uses HTTP Digest auth, runs programs, uses glob"
 strings:
 $d_connect = "CONNECT"
 $d_digest = "Digest"
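Review bot: http_digest_auth_exec_connector drops `hash_DoubleFantasy_mdworker`, its only sample reference, in the same hunk that raises the tag from suspicious to high, so there is no longer a known true positive to test the rule against; other rules in this commit add hashes for exactly that purpose. Unless the sample was removed from the corpus deliberately, keep the line `hash_DoubleFantasy_mdworker = "502a80f81cf39f6c559ab138a39dd4ad5fca697dbca4a62b36527be9e55400f5"`. The rule's strings and condition continue past the end of this hunk.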
@@ -14,9 +14,10 @@ rule http_digest_auth_exec_connector : suspicious { all of ($d_*) } -rule connect_glob_exec_https : notable { +rule connect_glob_exec_https : medium { meta: - description = "makes HTTPS connections, runs programs, finds files" + description = "makes HTTPS connections, runs programs, finds files" + hash_2020_BirdMiner_arachnoidal = "904ad9bc506a09be0bb83079c07e9a93c99ba5d42ac89d444374d80efd7d8c11" strings: $d_https = "https" $d_exec = "_exec" fullword diff --git a/rules/combo/stealer/creds.yara b/rules/combo/stealer/creds.yara index c05b3d4e1..c3a61300c 100644 --- a/rules/combo/stealer/creds.yara +++ b/rules/combo/stealer/creds.yara @@ -1,9 +1,8 @@ -rule suspected_data_stealer : suspicious { + +rule suspected_data_stealer : high { meta: - hash_2023_brawl_earth = "fe3ac61c701945f833f218c98b18dca704e83df2cf1a8994603d929f25d1cce2" - hash_2016_Calisto = "81c127c3cceaf44df10bb3ceb20ce1774f6a9ead0db4bd991abf39db828661cc" - hash_2023_amos_stealer_e = "589dbb3f678511825c310447b6aece312a4471394b3bc40dde6c75623fc108c0" - hash_2023_amos_stealer_a = "e6b6cf40d605fc7a5e8ba168a8a5d8699b0879e965d2b803e29b87926cba861f" + hash_2023_Downloads_589d = "589dbb3f678511825c310447b6aece312a4471394b3bc40dde6c75623fc108c0" + hash_2023_Downloads_Brawl_Earth = "fe3ac61c701945f833f218c98b18dca704e83df2cf1a8994603d929f25d1cce2" hash_2023_Downloads_Chrome_Update = "eed1859b90b8832281786b74dc428a01dbf226ad24b182d09650c6e7895007ea" strings: $e_atomic = "Atomic" fullword @@ -17,7 +16,7 @@ rule suspected_data_stealer : suspicious { $s_binance = "Binance" $s_discord = "Discord" $s_electrum = "Electrum" - $s_electrum2 = "/.elect" + $s_electrum2 = "/.elect" $s_exodus = "Exodus" $s_obs = "obs-studio" $s_pidgin = "Pidgin" diff --git a/rules/combo/stealer/discord.yara b/rules/combo/stealer/discord.yara index 4af109d98..ea582bedd 100644 --- a/rules/combo/stealer/discord.yara +++ b/rules/combo/stealer/discord.yara 
@@ -1,21 +1,22 @@
-rule discord_password_post_chat : suspicious {
+
+rule discord_password_post_chat : high {
 meta:
- description = "gets passwords, makes HTTP requests, and uses Discord"
+ description = "gets passwords, makes HTTP requests, and uses Discord"
+ hash_2023_Qubitstrike_branch_raw_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd"
+ hash_2023_Qubitstrike_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd"
+ hash_2024_hCrypto_main_en = "4d4d52eed849554e1c31d56239bcf8ddc7e27fd387330f5ab1ce7d118589e5f3"
 strings:
- $c1 = "discordapp.com"
-// $c2 = "Discord"
-
- $h1 = "get("
- $h2 = "post("
- $h3 = "GET"
- $h4 = "POST"
- $h5 = "https://"
- $h6 = "x-www-form-urlencoded"
-
- $p1 = "password"
- $p2 = "Password"
- $p3 = "credentials"
- $p4 = "creds"
+ $c1 = "discordapp.com"
+ $h1 = "get("
+ $h2 = "post("
+ $h3 = "GET"
+ $h4 = "POST"
+ $h5 = "https://"
+ $h6 = "x-www-form-urlencoded"
+ $p1 = "password"
+ $p2 = "Password"
+ $p3 = "credentials"
+ $p4 = "creds"
 condition:
- any of ($c*) and any of ($h*) and any of ($p*)
+ any of ($c*) and any of ($h*) and any of ($p*)
 }
diff --git a/rules/combo/stealer/ditto.yara b/rules/combo/stealer/ditto.yara
index 4a6b102a3..015f3d469 100644
--- a/rules/combo/stealer/ditto.yara
+++ b/rules/combo/stealer/ditto.yara
@@ -1,13 +1,15 @@ -rule crypto_stealer : suspicious { +rule crypto_stealer : high { meta: - description = "makes HTTP connections and creates archives using ditto" + description = "makes HTTP connections and creates archives using ditto" + hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74" + hash_2023_Downloads_589d = "589dbb3f678511825c310447b6aece312a4471394b3bc40dde6c75623fc108c0" + hash_2023_Downloads_589d = "589dbb3f678511825c310447b6aece312a4471394b3bc40dde6c75623fc108c0" strings: - $http = "http" - $http_POST = /POST[ \/\w]{0,32}/ - - $w_ditto = /ditto -[\w\-\/ ]{0,32}/ - $w_zip = /[\w\-\/ ]{0,32}\.zip/ + $http = "http" + $http_POST = /POST[ \/\w]{0,32}/ + $w_ditto = /ditto -[\w\-\/ ]{0,32}/ + $w_zip = /[\w\-\/ ]{0,32}\.zip/ condition: - any of ($http*) and 2 of ($w*) + any of ($http*) and 2 of ($w*) } diff --git a/rules/combo/stealer/macos_open_and_archive.yara b/rules/combo/stealer/macos_open_and_archive.yara deleted file mode 100644 index e69de29bb..000000000 diff --git a/rules/combo/stealer/office.yara b/rules/combo/stealer/office.yara index 04b10ad82..b8498e87f 100644 --- a/rules/combo/stealer/office.yara +++ b/rules/combo/stealer/office.yara 
@@ -1,13 +1,9 @@ -rule office_crypt_archive { + +rule office_crypt_archive : high { meta: - hash_2020_gonnacry = "f5de75a6db591fe6bb6b656aa1dcfc8f7fe0686869c34192bfa4ec092554a4ac" - hash_2022_DazzleSpy_agent_softwareupdate = "f9ad42a9bd9ade188e997845cae1b0587bf496a35c3bffacd20fefe07860a348" - hash_2020_GravityRat_enigma_py = "6b2ff7ae79caf306c381a55409c6b969c04b20c8fda25e6d590e0dadfcf452de" - hash_2022_CloudMensis_WindowServer = "317ce26cae14dc9a5e4d4667f00fee771b4543e91c944580bbb136e7fe339427" - hash_2022_CloudMensis_WindowServer_2 = "b8a61adccefb13b7058e47edcd10a127c483403cf38f7ece126954e95e86f2bd" hash_2023_Downloads_24b5 = "24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073" - hash_2023_OK_29c2 = "29c2f559a9494bce3d879aff8731a5d70a3789028055fd170c90965ce9cf0ea4" - hash_2023_OK_ad69 = "ad69e198905a8d4a4e5c31ca8a3298a0a5d761740a5392d2abb5d6d2e966822f" + hash_2024_Downloads_384e = "384ec732200ab95c94c202f42b51e870f51735768888aaabc4e370de74e825e3" + hash_2023_Downloads_f5de = "f5de75a6db591fe6bb6b656aa1dcfc8f7fe0686869c34192bfa4ec092554a4ac" strings: $e_csv = "csv" fullword $e_doc = "doc" fullword @@ -55,7 +51,7 @@ rule office_crypt_archive { $not_xlsx_equal = "xlsx=" $not_private = "/System/Library/PrivateFrameworks/" $not_program = "@(#)PROGRAM:" - $not_saving = "saving" + $not_saving = "saving" condition: filesize < 104857600 and ($e_xlsx or $e_docx) and 7 of ($e_*) and any of ($o_*) and none of ($not*) } diff --git a/rules/combo/stealer/osascript_http_zipper.yara b/rules/combo/stealer/osascript_http_zipper.yara index 37943ef98..b78e3ce80 100644 --- a/rules/combo/stealer/osascript_http_zipper.yara +++ b/rules/combo/stealer/osascript_http_zipper.yara @@ -1,5 +1,5 @@ -rule osascript_http_zipper : suspicious { +rule osascript_http_zipper : high { meta: description = "runs AppleScript, makes HTTP requests, zips files" strings: diff --git a/rules/combo/stealer/pam.yara b/rules/combo/stealer/pam.yara index 4bae83b9b..cb7351f88 100644 
--- a/rules/combo/stealer/pam.yara
+++ b/rules/combo/stealer/pam.yara
@@ -1,14 +1,17 @@
-rule pam_passwords : suspicious {
+
+rule pam_passwords : high {
 meta:
- description = "password authentication module may record passwords"
+ description = "password authentication module may record passwords"
+ hash_2023_FontOnLake_45E94ABEDAD8C0044A43FF6D72A5C44C6ABD9378_elf = "f60c1214b5091e6e4e5e7db0c16bf18a062d096c6d69fe1eb3cbd4c50c3a3ed6"
+ hash_2023_OrBit_f161 = "f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8"
+ hash_2023_Symbiote_1211 = "121157e0fcb728eb8a23b55457e89d45d76aa3b7d01d3d49105890a00662c924"
 strings:
- $auth = "pam_authenticate"
- $pass = "password"
-
- $f_open = "open"
- $f_fopen = "fopen"
- $f_socket = "socket"
- $f_exfil = "exfil"
+ $auth = "pam_authenticate"
+ $pass = "password"
+ $f_open = "open"
+ $f_fopen = "fopen"
+ $f_socket = "socket"
+ $f_exfil = "exfil"
 condition:
- $auth and $pass and any of ($f*)
-}
\ No newline at end of file
+ $auth and $pass and any of ($f*)
+}
diff --git a/rules/combo/stealer/php.yara b/rules/combo/stealer/php.yara
index d36b6e39f..71b382bf2 100644
--- a/rules/combo/stealer/php.yara
+++ b/rules/combo/stealer/php.yara
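Review bot: In pam_passwords, `$f_open = "open"` is a plain substring match with no `fullword`, and "open" occurs in almost any native binary (fopen, opendir, popen, dlopen), so `any of ($f*)` is satisfied nearly always and the condition effectively degrades to `$auth and $pass`; `$f_fopen` is then redundant with `$f_open`, since every "fopen" contains it. With the tag raised to high this is worth tightening: `$f_open = "open" fullword` and `$f_socket = "socket" fullword`, or drop the `$f_*` group altogether if it is not meant to discriminate. The three hashes added here are the obvious check that the tightened form still matches.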
@@ -1,16 +1,17 @@ -rule php_uploader { + +rule php_uploader : medium { meta: hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e" hash_2023_0xShell_up = "c72f0194a61dcf25779370a6c8dd0257848789ef59d0108a21f08301569d4441" hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad" strings: - $php = "" - version = "0.1" - date = "2022-01-03" - reference = "https://www.goggleheadedhacker.com/blog/post/reversing-crypto-functions#identifying-rc4-in-assembly" - reference = "https://0xc0decafe.com/detect-rc4-encryption-in-malicious-binaries/" - reference = "https://blog.talosintelligence.com/2014/06/an-introduction-to-recognizing-and.html" - strings: - // optmized constants used by John - // https://github.com/openwall/john/blob/b81ed703ceb7ca62df50c2fa0d4ea366ef713a4a/run/opencl/opencl_rc4.h#L32-L47 - $opt0 = {03020100} - $opt1 = {07060504} - $opt2 = {0b0a0908} - $opt3 = {0f0e0d0c} - $opt4 = {13121110} - $opt5 = {17161514} - $opt6 = {1b1a1918} - $opt7 = {1f1e1d1c} - $opt8 = {23222120} - $opt9 = {27262524} - $opt10 = {2b2a2928} - $opt11 = {2f2e2d2c} - $opt12 = {33323130} - $opt13 = {37363534} - $opt14 = {3b3a3938} - $opt15 = {3f3e3d3c} - $opt16 = {43424140} - $opt17 = {47464544} - $opt18 = {4b4a4948} - $opt19 = {4f4e4d4c} - $opt20 = {53525150} - $opt21 = {57565554} - $opt22 = {5b5a5958} - $opt23 = {5f5e5d5c} - $opt24 = {67666564} - $opt25 = {6b6a6968} - $opt26 = {6f6e6d6c} - $opt27 = {73727170} - $opt28 = {77767574} - $opt29 = {7b7a7978} - $opt30 = {7f7e7d7c} - $opt31 = {83828180} - $opt32 = {87868584} - $opt33 = {8b8a8988} - $opt34 = {8f8e8d8c} - $opt35 = {93929190} - $opt36 = {97969594} - $opt37 = {9b9a9998} - $opt38 = {9f9e9d9c} - $opt39 = {a3a2a1a0} - $opt40 = {a7a6a5a4} - $opt41 = {abaaa9a8} - $opt42 = {afaeadac} - $opt43 = {b3b2b1b0} - $opt44 = {b7b6b5b4} - $opt45 = {bbbab9b8} - $opt46 = {bfbebdbc} - $opt47 = {c3c2c1c0} - $opt48 = {c7c6c5c4} - $opt49 = {cbcac9c8} - $opt50 = {cfcecdcc} - 
$opt51 = {d3d2d1d0} - $opt52 = {d7d6d5d4} - $opt53 = {dbdad9d8} - $opt54 = {dfdedddc} - $opt55 = {e3e2e1e0} - $opt56 = {e7e6e5e4} - $opt57 = {ebeae9e8} - $opt58 = {efeeedec} - $opt59 = {f3f2f1f0} - $opt60 = {f7f6f5f4} - $opt61 = {fbfaf9f8} - $opt62 = {fffefdfc} - $opt63 = {63626160} - condition: - 80% of ($opt*) -} \ No newline at end of file +rule rc4_constants : medium { + meta: + descrption = "Identify constants used by the ARC4 cryptographic algorithm." + author = "@shellcromancer " + version = "0.1" + date = "2022-01-03" + reference = "https://www.goggleheadedhacker.com/blog/post/reversing-crypto-functions#identifying-rc4-in-assembly" + reference = "https://0xc0decafe.com/detect-rc4-encryption-in-malicious-binaries/" + reference = "https://blog.talosintelligence.com/2014/06/an-introduction-to-recognizing-and.html" + hash_2023_Linux_Malware_Samples_2f85 = "2f85ca8f89dfb014b03afb11e5d2198a8adbae1da0fd76c81c67a81a80bf1965" + hash_2023_Linux_Malware_Samples_47a4 = "47a4ca5b1b6a2c0c7914b342f668b860041ec826d2ac85825389dba363797431" + hash_2023_Linux_Malware_Samples_5c03 = "5c03ff30ccffc9d36c342510c7469682d3c411654ec52b0930d37a6c6aab9f72" + strings: + $opt0 = { 03 02 01 00 } + $opt1 = { 07 06 05 04 } + $opt2 = { 0B 0A 09 08 } + $opt3 = { 0F 0E 0D 0C } + $opt4 = { 13 12 11 10 } + $opt5 = { 17 16 15 14 } + $opt6 = { 1B 1A 19 18 } + $opt7 = { 1F 1E 1D 1C } + $opt8 = { 23 22 21 20 } + $opt9 = { 27 26 25 24 } + $opt10 = { 2B 2A 29 28 } + $opt11 = { 2F 2E 2D 2C } + $opt12 = { 33 32 31 30 } + $opt13 = { 37 36 35 34 } + $opt14 = { 3B 3A 39 38 } + $opt15 = { 3F 3E 3D 3C } + $opt16 = { 43 42 41 40 } + $opt17 = { 47 46 45 44 } + $opt18 = { 4B 4A 49 48 } + $opt19 = { 4F 4E 4D 4C } + $opt20 = { 53 52 51 50 } + $opt21 = { 57 56 55 54 } + $opt22 = { 5B 5A 59 58 } + $opt23 = { 5F 5E 5D 5C } + $opt24 = { 67 66 65 64 } + $opt25 = { 6B 6A 69 68 } + $opt26 = { 6F 6E 6D 6C } + $opt27 = { 73 72 71 70 } + $opt28 = { 77 76 75 74 } + $opt29 = { 7B 7A 79 78 } + $opt30 = { 7F 7E 7D 7C } + 
$opt31 = { 83 82 81 80 } + $opt32 = { 87 86 85 84 } + $opt33 = { 8B 8A 89 88 } + $opt34 = { 8F 8E 8D 8C } + $opt35 = { 93 92 91 90 } + $opt36 = { 97 96 95 94 } + $opt37 = { 9B 9A 99 98 } + $opt38 = { 9F 9E 9D 9C } + $opt39 = { A3 A2 A1 A0 } + $opt40 = { A7 A6 A5 A4 } + $opt41 = { AB AA A9 A8 } + $opt42 = { AF AE AD AC } + $opt43 = { B3 B2 B1 B0 } + $opt44 = { B7 B6 B5 B4 } + $opt45 = { BB BA B9 B8 } + $opt46 = { BF BE BD BC } + $opt47 = { C3 C2 C1 C0 } + $opt48 = { C7 C6 C5 C4 } + $opt49 = { CB CA C9 C8 } + $opt50 = { CF CE CD CC } + $opt51 = { D3 D2 D1 D0 } + $opt52 = { D7 D6 D5 D4 } + $opt53 = { DB DA D9 D8 } + $opt54 = { DF DE DD DC } + $opt55 = { E3 E2 E1 E0 } + $opt56 = { E7 E6 E5 E4 } + $opt57 = { EB EA E9 E8 } + $opt58 = { EF EE ED EC } + $opt59 = { F3 F2 F1 F0 } + $opt60 = { F7 F6 F5 F4 } + $opt61 = { FB FA F9 F8 } + $opt62 = { FF FE FD FC } + $opt63 = { 63 62 61 60 } + condition: + 80% of ($opt*) +} diff --git a/rules/crypto/xor.yara b/rules/crypto/xor.yara index 4fa84528a..b6012f8aa 100644 --- a/rules/crypto/xor.yara +++ b/rules/crypto/xor.yara 
@@ -1,14 +1,16 @@ -rule xor_decode_encode : suspicious { - meta: - description = "decodes/encodes XOR content" - strings: - $decode = /\w{0,16}XorDecode[\w]{0,32}/ - $encode = /\w{0,16}XorEncode[\w]{0,32}/ - $file = /\w{0,16}XorFile[\w]{0,32}/ - $decode_ = /\w{0,16}xor_decode[\w]{0,32}/ - $encode_ = /\w{0,16}xor_encode[\w]{0,32}/ - $file_ = /\w{0,16}xor_file[\w]{0,32}/ - condition: - any of them +rule xor_decode_encode : high { + meta: + description = "decodes/encodes XOR content" + hash_2024_Downloads_0f66 = "0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c" + hash_2024_Downloads_4b97 = "4b973335755bd8d48f34081b6d1bea9ed18ac1f68879d4b0a9211bbab8fa5ff4" + strings: + $decode = /\w{0,16}XorDecode[\w]{0,32}/ + $encode = /\w{0,16}XorEncode[\w]{0,32}/ + $file = /\w{0,16}XorFile[\w]{0,32}/ + $decode_ = /\w{0,16}xor_decode[\w]{0,32}/ + $encode_ = /\w{0,16}xor_encode[\w]{0,32}/ + $file_ = /\w{0,16}xor_file[\w]{0,32}/ + condition: + any of them } diff --git a/rules/data/embedded-base64-gzip.yara b/rules/data/embedded-base64-gzip.yara index 0f8247ace..b2be7cf31 100644 --- a/rules/data/embedded-base64-gzip.yara +++ b/rules/data/embedded-base64-gzip.yara @@ -1,8 +1,11 @@ -rule base64_gz : notable { - meta: - description = "Contains base64 gzip content" - strings: - $header = "H4sIA" - condition: - $header -} \ No newline at end of file + +rule base64_gz : medium { + meta: + description = "Contains base64 gzip content" + hash_2023_Qubitstrike_branch_raw_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd" + hash_2023_Qubitstrike_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd" + strings: + $header = "H4sIA" + condition: + $header +} diff --git a/rules/data/embedded-base64-terms.yara b/rules/data/embedded-base64-terms.yara index 4ab6bc8a8..124c02f4e 100644 --- a/rules/data/embedded-base64-terms.yara +++ b/rules/data/embedded-base64-terms.yara 
@@ -1,23 +1,30 @@ -rule contains_base64 : notable { - meta: - description = "Contains base64 content" - strings: - $directory = "directory" base64 - $address = "address" base64 - $html = "html" base64 - $uname = "uname" base64 - $select = "select" base64 - $company = "company" base64 - $CERTIFICATE = "CERTIFICATE" base64 - condition: - any of them + +rule contains_base64 : medium { + meta: + description = "Contains base64 content" + hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e" + hash_2023_0xShell_0xencbase = "50057362c139184abb74a6c4ec10700477dcefc8530cf356607737539845ca54" + hash_2023_0xShell_wesobase = "17a1219bf38d953ed22bbddd5aaf1811b9380ad0535089e6721d755a00bddbd0" + strings: + $directory = "directory" base64 + $address = "address" base64 + $html = "html" base64 + $uname = "uname" base64 + $select = "select" base64 + $company = "company" base64 + $CERTIFICATE = "CERTIFICATE" base64 + condition: + any of them } -rule contains_base64_certificate : notable { - meta: - description = "Contains base64 CERTIFICATE" - strings: - $CERTIFICATE = "CERTIFICATE" base64 - condition: - any of them -} \ No newline at end of file +rule contains_base64_certificate : medium { + meta: + description = "Contains base64 CERTIFICATE" + hash_2024_Downloads_e241 = "e241a3808e1f8c4811759e1761e2fb31ce46ad1e412d65bb1ad9e697432bd4bd" + hash_2017_MacOS_AppStore = "363d151d451a9687d5c0863933a15f7968d3d7018b26f6ba8df54dea9e2f635c" + hash_2023_UPX_5a5960ccd31bba5d47d46599e4f10e455b74f45dad6bc291ae448cef8d1b0a59_elf_x86_64 = "56ca5d07fa2e8004a008222a999a97a6c27054b510e8dd6bd22048b084079e37" + strings: + $CERTIFICATE = "CERTIFICATE" base64 + condition: + any of them +} diff --git a/rules/data/embedded-base64-url.yara b/rules/data/embedded-base64-url.yara index 530b2f03d..986d06f3e 100644 --- a/rules/data/embedded-base64-url.yara +++ b/rules/data/embedded-base64-url.yara 
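Review bot: The meta key `hash_2023_UPX_5a5960ccd31bba5d47d46599e4f10e455b74f45dad6bc291ae448cef8d1b0a59_elf_x86_64` in `contains_base64_certificate` embeds one SHA-256 while its value is a different one (`56ca5d07…`), which is easy to misread as the sample reference; presumably the key was generated from a file name (`5a5960…` is itself listed as a sample in rules/evasion/packer/upx.yara). The same shape appears in `fake_user_agent_chrome` (rules/evasion/fake-user-agent.yara) and `powershell_encoded_command_val` (rules/evasion/powershell_encoded.yara); the rest of the commit uses a four-hex-digit suffix of the value, e.g. `hash_2023_UPX_56ca`. Separately, `contains_base64` already includes `$CERTIFICATE`, so every file matched by `contains_base64_certificate` also matches the broader rule; either drop `$CERTIFICATE` from `contains_base64` or add `// overlaps contains_base64 by design` to the narrower rule, whose single-string condition is clearer as `$CERTIFICATE` than `any of them`.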
@@ -1,12 +1,16 @@ -rule contains_base64_url : notable { - meta: - description = "Contains base64 url" - strings: - $http = "http://" base64 - $https = "https://" base64 - $tcp = "tcp://" base64 - $udp = "udp://" base64 - $ftp = "ftp://" base64 - condition: - any of them -} \ No newline at end of file + +rule contains_base64_url : medium { + meta: + description = "Contains base64 url" + hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e" + hash_2023_0xShell_0xencbase = "50057362c139184abb74a6c4ec10700477dcefc8530cf356607737539845ca54" + hash_2023_0xShell_wesobase = "17a1219bf38d953ed22bbddd5aaf1811b9380ad0535089e6721d755a00bddbd0" + strings: + $http = "http://" base64 + $https = "https://" base64 + $tcp = "tcp://" base64 + $udp = "udp://" base64 + $ftp = "ftp://" base64 + condition: + any of them +} diff --git a/rules/data/embedded-base64-zip.yara b/rules/data/embedded-base64-zip.yara index 3fb14a4e9..a5af8b610 100644 --- a/rules/data/embedded-base64-zip.yara +++ b/rules/data/embedded-base64-zip.yara @@ -1,4 +1,4 @@ -rule base64_zip : suspicious { +rule base64_zip : high { meta: description = "Contains base64 zip file content" strings: diff --git a/rules/data/embedded-html.yara b/rules/data/embedded-html.yara index 9900929f0..f919e101d 100644 --- a/rules/data/embedded-html.yara +++ b/rules/data/embedded-html.yara 
@@ -1,12 +1,16 @@ -rule html : notable { - meta: - description = "Contains HTML content" - strings: - $ref = "" - $ref2 = "" - $ref3 = "" - $ref4 = "DOCTYPE html" - $ref5 = ""{0,1}\/dev\/tcp\/[\$\{\/\:\-\w\"]{0,32}/ - condition: - $ref +rule bash_tcp : high { + meta: + description = "sends data via /dev/tcp (bash)" + hash_2023_usr_adxintrin_b = "a51a4ddcd092b102af94139252c898d7c1c48f322bae181bd99499a79c12c500" + hash_2023_spirit = "26ba215bcd5d8a9003a904b0eac7dc10054dba7bea9a708668a5f6106fd73ced" + hash_2023_Txt_Malware_Sustes_0e77 = "0e77291955664d2c25d5bfe617cec12a388e5389f82dee5ae4fd5c5d1f1bdefe" + strings: + $ref = /[\w \-\<]{0,32}>"{0,1}\/dev\/tcp\/[\$\{\/\:\-\w\"]{0,32}/ + condition: + $ref } diff --git a/rules/evasion/binary-opaque.yara b/rules/evasion/binary-opaque.yara index f0b4e006f..aff2be120 100644 --- a/rules/evasion/binary-opaque.yara +++ b/rules/evasion/binary-opaque.yara 
@@ -1,21 +1,16 @@ -rule opaque_binary : notable { + +rule opaque_binary : medium { meta: - hash_2023_MacOS_applet = "54db4cc34db4975a60c919cd79bb01f9e0c3e8cf89571fee09c75dfff77a0bcd" - hash_2021_CDDS_arch = "a63466d09c3a6a2596a98de36083b6d268f393a27f7b781e52eeb98ae055af97" - hash_2019_Macma_CDDS_at = "341bc86bc9b76ac69dca0a48a328fd37d74c96c2e37210304cfa66ccdbe72b27" - hash_2018_org_logind_ctp_archive_helper = "562c420921f5146273b513d17b9f470a99bd676e574c155376c3eb19c37baa09" - hash_2018_org_logind_ctp_archive = "02e4d0e23391bbbb75c47f5db44d119176803da74b1c170250e848de51632ae9" - hash_2017_MacOS_logind = "1cf36a2d8a2206cb4758dcdbd0274f21e6f437079ea39772e821a32a76271d46" - hash_2017_FlashBack = "8d56d09650ebc019209a788b2d2be7c7c8b865780eee53856bafceffaf71502c" - hash_1980_FruitFly_A_a94d = "a94dd8bfca34fd6ca3a475d6be342d236b39fbf0c2ab90b2edff62bcdbbe5d37" + hash_2024_Downloads_309f = "309f399788b63f66cfa7b37ae1db5dced55a9e73b768a7f05ea4de553192eeb1" + hash_2024_Downloads_52d3 = "52d3f9458cfc31b2b8b6a5abd2ad743e7a2bb2999442ee2a3de5e17805cfbacc" + hash_2024_Downloads_690f = "690f29dd425f7415ecb50986aa26750960c39a0ca8a02ddfd37ec4196993bd9e" strings: $word_with_spaces = /[a-z]{2,} [a-z]{2,}/ - $not_gmon_start = "__gmon_start__" - $not_usage = "usage:" fullword - $not_usage2 = "Usage:" fullword - $not_USAGE = "USAGE:" fullword - $not_java = "java/lang" + $not_gmon_start = "__gmon_start__" + $not_usage = "usage:" fullword + $not_usage2 = "Usage:" fullword + $not_USAGE = "USAGE:" fullword + $not_java = "java/lang" condition: - // matches elf or macho filesize < 52428800 and (uint32(0) == 1179403647 or uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962) and #word_with_spaces < 4 and none of ($not*) } diff --git a/rules/evasion/binary-unusually_small.yara b/rules/evasion/binary-unusually_small.yara index 714b1fe34..b92e97d8c 100644 
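Review bot: The commit drops the `// matches elf or macho` comment above the `uint32(0)` list in `opaque_binary`, leaving seven bare magic numbers undocumented; restore it as `// ELF (7f 45 4c 46) and Mach-O (FEEDFACE/FEEDFACF/CAFEBABE and their byte-swapped forms) magics`. `filesize < 52428800` reads better as `filesize < 50MB`, the form rules/evasion/packer/high_entropy.yara already uses with `64MB`. The replaced hashes also lose family attribution (FruitFly, FlashBack, Macma, logind) in favour of `Downloads_xxxx` names, and the same loss happens in rules/evasion/elf-funky-tenable.yara, rules/evasion/hide_shell_history.yara and rules/evasion/packer/upx.yara; keeping at least one family-named reference per rule preserves why the rule exists.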
--- a/rules/evasion/binary-unusually_small.yara +++ b/rules/evasion/binary-unusually_small.yara @@ -1,18 +1,5 @@ rule impossibly_small_elf_program { - meta: - hash_2022_GetShell_ConnectBack = "cd54a34dbd7d345a7fd7fd8744feb5c956825317e9225edb002c3258683947f1" - hash_2021_trojan_Dakkatoni_hafbful = "16e09592a9e85cd67530ec365ac2c50e48e873335c1ad0f984e3daaefc8a57b5" - hash_2021_trojan_Hack_msfencode = "4c33e1ec01b8ad98f670ba6ec6792d23d1b5d3c399990f39ffd7299ac7c0646f" - hash_2021_trojan_Linux_Agent_Rare = "4cfff3ea8fbaa2939088a0d1aa99d4e75f3edb1b44e5be6dd2e8d49fd423820c" - hash_2021_trojan_AgentSig_bgmodio = "4ed5c7939fdaa8ca9cfc6cd0dfe762bb68b58adb434f98c1a28aae53c3b96b00" - hash_2021_trojan_IAUQISY_rwrai = "5eb69f3b46a0df45f5e4f2c0beede4a86f9aace3870dd8db28bc6521e69f363b" - hash_2021_trojan_ShellCode_shelma = "ae70ca051f29b058f18ed7aef33b750ddec69d05d08801cf3f99b121e41c0c4f" - hash_2021_trojan_r002c0whf23_sxltr = "cb8d3fe305a2acaa34ebd37472fe4a966ed238e09d7f77164a1f53d850ea0294" - hash_2021_trojan_GetShell_shellcode_ConnectBack = "de595779400e250b2275e7ecf9291879d26b29a71868984491b633f5de1362b8" - hash_2021_trojan_GetShell_shellcode_94 = "eac3bb07ccd2e505af4bc74b9bef2886bf82b37c5820d9fcef673b4e246b2308" - hash_2021_trojan_GetShell_expl = "ecaed171d4f088948908b2077fbcfe4ab94744b9df840befc9004376eeaff165" - hash_2021_trojan_Mirai_Generica_zdhck = "f72a6f38886d4447e5c98fafb5c7249b1325d9f8f3833065bffeb6e46ef771ea" condition: filesize < 8192 and uint32(0) == 1179403647 } 
@@ -20,11 +7,6 @@ rule impossibly_small_elf_program { rule impossibly_small_macho_program { meta: warning = "Many false positives if Java bytecode is included" - hash_2019_Macma_CDDS_at = "341bc86bc9b76ac69dca0a48a328fd37d74c96c2e37210304cfa66ccdbe72b27" - hash_2017_DevilRobber = "868926dc8773abddb806327b3ca9928e9d76a32abd273ea16ed73f4286260724" - hash_2017_trojan_Quimitchin_Java = "a94dd8bfca34fd6ca3a475d6be342d236b39fbf0c2ab90b2edff62bcdbbe5d37" - hash_2021_trojan_Java_Adwind = "cb3387ee7ae54b69f829b42690bef10e5efbdb7463f0f92cc896989b826344fd" - hash_2021_oBSrz_AES = "d3cb413ca4f21bdce73ab1db40caa4951cf2e63012a01849a81f72d37113f2dd" strings: $not_jar = "META-INF/" $not_dwarf = "_DWARF" diff --git a/rules/evasion/bitwise_math.yara b/rules/evasion/bitwise_math.yara index 83a580fa9..530bc89fd 100644 --- a/rules/evasion/bitwise_math.yara +++ b/rules/evasion/bitwise_math.yara @@ -1,9 +1,11 @@ -rule excessive_bitwise_math : notable { +rule excessive_bitwise_math : medium { meta: - description = "excessive use of bitwise math" + description = "excessive use of bitwise math" + hash_2023_yfinancce_0_1_setup = "3bde1e9207dd331806bf58926d842e2d0f6a82424abd38a8b708e9f4e3e12049" + hash_2023_yvper_0_1_setup = "b765244c1f8a11ee73d1e74927b8ad61718a65949e0b8d8cbc04e5d84dccaf96" strings: - $x = /\-{0,1}\d{1,8} \<\< \-{0,1}\d{1,8}/ -condition: - filesize < 128000 and #x > 10 -} \ No newline at end of file + $x = /\-{0,1}\d{1,8} \<\< \-{0,1}\d{1,8}/ + condition: + filesize < 128000 and #x > 10 +} diff --git a/rules/evasion/codecs_decode.yara b/rules/evasion/codecs_decode.yara index fad75d207..2b580e22f 100644 --- a/rules/evasion/codecs_decode.yara +++ b/rules/evasion/codecs_decode.yara 
@@ -1,9 +1,11 @@ -rule codecs_decode : suspicious { +rule codecs_decode : high { meta: - description = "decodes text with an arbitrary codec" + description = "decodes text with an arbitrary codec" + hash_2023_JokerSpy_shared = "5fe1790667ee5085e73b054566d548eb4473c20cf962368dd53ba776e9642272" + hash_2023_JokerSpy_shared = "39bbc16028fd46bf4ddad49c21439504d3f6f42cccbd30945a2d2fdb4ce393a4" strings: - $val = /[\w\= ]{0,16}codecs\.decode\(\'.{0,32}\'/ + $val = /[\w\= ]{0,16}codecs\.decode\(\'.{0,32}\'/ condition: - $val -} \ No newline at end of file + $val +} diff --git a/rules/evasion/compiled-osascript.yara b/rules/evasion/compiled-osascript.yara index 724aacc5a..a734f31e1 100644 --- a/rules/evasion/compiled-osascript.yara +++ b/rules/evasion/compiled-osascript.yara @@ -1,14 +1,14 @@ -rule danger_compiled_osascript : notable { +rule danger_compiled_osascript : medium { meta: - hash_2023_NukeSped_Lazarus = "7c66d2d75be43d2c17e75d37c39344a9b5d29ee5c5861f178aa7d9f34208eb48" + hash_2023_Scripts_main = "7c66d2d75be43d2c17e75d37c39344a9b5d29ee5c5861f178aa7d9f34208eb48" strings: $s_sysoexec = "sysoexecTEXT" $s_aevtoapp = "aevtoappnull" $not_capture_one = "Capture One" $not_display_alert = "display alert" $not_saving = "saving" - $not_captureone = "captureone" + $not_captureone = "captureone" condition: filesize < 1048576 and all of ($s_*) and none of ($not*) -} \ No newline at end of file +} diff --git a/rules/evasion/content-length-0.yara b/rules/evasion/content-length-0.yara index ba14d92a8..13269ee9d 100644 --- a/rules/evasion/content-length-0.yara +++ b/rules/evasion/content-length-0.yara 
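Review bot: `codecs_decode` now declares the meta key `hash_2023_JokerSpy_shared` twice with different values; YARA compiles duplicate meta identifiers, but consumers that expose meta as a dictionary (yara-python's `rule.meta`, for instance) keep only one, so a sample reference silently disappears. Use the value-prefix suffix the rest of the commit uses, e.g. `hash_2023_JokerSpy_shared_5fe1 = "5fe1…"` and `hash_2023_JokerSpy_shared_39bb = "39bb…"`. The regex `codecs\.decode\(\'.{0,32}\'` only matches a single-quoted first argument, so `codecs.decode("...")` is not covered; `[\'"]` on both sides would close that gap for a rule that is now `high`.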
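Review bot: The rename of `hash_2023_NukeSped_Lazarus` to `hash_2023_Scripts_main` in `danger_compiled_osascript` keeps the same value `7c66d2d7…` but drops the family attribution, so the rule's only sample reference no longer says what it was written against. Keep the family in the key, e.g. `hash_2023_NukeSped_Lazarus_Scripts_main`, and add a `description`, since the rule still has none; `description = "compiled AppleScript that executes shell commands (sysoexec)"` matches what `$s_sysoexec` and `$s_aevtoapp` look for.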
@@ -1,10 +1,12 @@ -rule content_length_0 : notable { + +rule content_length_0 : medium { meta: - description = "Sets HTTP content length to zero" + description = "Sets HTTP content length to zero" + hash_2023_Downloads_21b3 = "21b3e304db526e2c80df1f2da2f69ab130bdad053cb6df1e05eb487a86a19b7c" + hash_2024_Downloads_3105 = "31054fb826b57c362cc0f0dbc8af15b22c029c6b9abeeee9ba8d752f3ee17d7d" + hash_2023_Linux_Malware_Samples_1020 = "1020ce1f18a2721b873152fd9f76503dcba5af7b0dd26d80fdb11efaf4878b1a" strings: - $ref = "Content-Length: 0" + $ref = "Content-Length: 0" condition: - $ref + $ref } - - diff --git a/rules/evasion/decrypt-eval.yara b/rules/evasion/decrypt-eval.yara index b8f9be9c4..67fecb610 100644 --- a/rules/evasion/decrypt-eval.yara +++ b/rules/evasion/decrypt-eval.yara @@ -1,21 +1,21 @@ import "math" -rule python_exec_near_enough_decrypt: critical { +rule python_exec_near_enough_decrypt : critical { meta: description = "Evaluates code from encrypted content" strings: $exec = "exec(" $decrypt = "decrypt(" condition: - all of them and math.abs(@decrypt - @exec) <= 128 + all of them and math.abs(@decrypt - @exec) <= 256 } -rule python_exec_near_enough_fernet: critical { +rule python_exec_near_enough_fernet : critical { meta: description = "Evaluates code from encrypted content" strings: $exec = "exec(" $fernet = "Fernet" condition: - all of them and math.abs(@fernet - @exec) <= 128 + all of them and math.abs(@fernet - @exec) <= 256 } \ No newline at end of file diff --git a/rules/evasion/elf-funky-tenable.yara b/rules/evasion/elf-funky-tenable.yara index de70d7d50..4dabb8af2 100644 --- a/rules/evasion/elf-funky-tenable.yara +++ b/rules/evasion/elf-funky-tenable.yara 
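Review bot: `@decrypt` and `@exec` in `python_exec_near_enough_decrypt` (and `@fernet`/`@exec` in `python_exec_near_enough_fernet`) are first-occurrence offsets, so a file whose first `exec(` is far from its first `decrypt(` is missed even when a later pair sits inside the new 256-byte window; widening the threshold does not change that. Iterating over all matches covers the intended case: `for any i in (1..#exec) : (for any j in (1..#decrypt) : (math.abs(@exec[i] - @decrypt[j]) <= 256))`, and likewise for `$fernet`. This file also still ends without a trailing newline, which the commit fixes in its other files.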
@@ -1,45 +1,34 @@ import "elf" -rule single_load_rwe { +rule single_load_rwe : high { meta: description = "Flags binaries with a single LOAD segment marked as RWE." family = "Stager" filetype = "ELF" - hash = "711a06265c71a7157ef1732c56e02a992e56e9d9383ca0f6d98cd96a30e37299" - hash_2023_Linux_Malware_Samples_16e0 = "16e09592a9e85cd67530ec365ac2c50e48e873335c1ad0f984e3daaefc8a57b5" - hash_2023_Linux_Malware_Samples_4c33 = "4c33e1ec01b8ad98f670ba6ec6792d23d1b5d3c399990f39ffd7299ac7c0646f" - hash_2023_Linux_Malware_Samples_4ed5 = "4ed5c7939fdaa8ca9cfc6cd0dfe762bb68b58adb434f98c1a28aae53c3b96b00" - hash_2023_Linux_Malware_Samples_5eb6 = "5eb69f3b46a0df45f5e4f2c0beede4a86f9aace3870dd8db28bc6521e69f363b" - hash_2023_Linux_Malware_Samples_ae70 = "ae70ca051f29b058f18ed7aef33b750ddec69d05d08801cf3f99b121e41c0c4f" - hash_2023_Linux_Malware_Samples_cb8d = "cb8d3fe305a2acaa34ebd37472fe4a966ed238e09d7f77164a1f53d850ea0294" + hash_2024_Downloads_690f = "690f29dd425f7415ecb50986aa26750960c39a0ca8a02ddfd37ec4196993bd9e" hash_2023_Downloads_cd54 = "cd54a34dbd7d345a7fd7fd8744feb5c956825317e9225edb002c3258683947f1" + hash_2023_Linux_Malware_Samples_16e0 = "16e09592a9e85cd67530ec365ac2c50e48e873335c1ad0f984e3daaefc8a57b5" condition: elf.number_of_segments == 1 and elf.segments[0].type == elf.PT_LOAD and elf.segments[0].flags == elf.PF_R | elf.PF_W | elf.PF_X } -rule fake_section_headers_conflicting_entry_point_address { +rule fake_section_headers_conflicting_entry_point_address : high { meta: description = "A fake sections header has been added to the binary." 
family = "Obfuscation" filetype = "ELF" - hash = "a2301180df014f216d34cec8a6a6549638925ae21995779c2d7d2827256a8447" + hash_2024_Downloads_e241 = "e241a3808e1f8c4811759e1761e2fb31ce46ad1e412d65bb1ad9e697432bd4bd" hash_2023_Linux_Malware_Samples_0ad6 = "0ad6c635d583de499148b1ec46d8b39ae2785303e8b81996d3e9e47934644e73" hash_2023_Linux_Malware_Samples_19f7 = "19f76bf2be3ea11732f2c5c562afbd6f363b062c25fba3a143c3c6ef4712774b" - hash_2023_Linux_Malware_Samples_1ce9 = "1ce94d788d01ae70782084d5dd48844ecf03629c3aaacff7f4bc35e59d4aaf55" - hash_2023_Linux_Malware_Samples_1fce = "1fce1d5b977c38e491fe84e529a3eb5730d099a4966c753b551209f4a24524f3" - hash_2023_Linux_Malware_Samples_25ba = "25ba8e1e4ae88297fa5715b9bdd68b059ccb128af1eb06d9ecce0181d48ae2c3" - hash_2023_Linux_Malware_Samples_43fa = "43fab92516cdfaa88945996988b7cfe987f26050516503fb2be65592379d7d7f" - hash_2023_Linux_Malware_Samples_4a77 = "4a77c23cb0f77b8b5f4c8bfc9ba786f9b08b910dc8b4d25f1eb6e07c29c600f1" condition: elf.type == elf.ET_EXEC and elf.entry_point < filesize and elf.number_of_segments > 0 and elf.number_of_sections > 0 and not (for any i in (0..elf.number_of_segments) : ((elf.segments[i].offset <= elf.entry_point) and ((elf.segments[i].offset + elf.segments[i].file_size) >= elf.entry_point) and for any j in (0..elf.number_of_sections) : (elf.sections[j].offset <= elf.entry_point and ((elf.sections[j].offset + elf.sections[j].size) >= elf.entry_point) and (elf.segments[i].virtual_address + (elf.entry_point - elf.segments[i].offset)) == (elf.sections[j].address + (elf.entry_point - elf.sections[j].offset))))) } -rule fake_dynamic_symbols { +rule fake_dynamic_symbols : high { meta: description = "A fake dynamic symbol table has been added to the binary" family = "Obfuscation" filetype = "ELF" - hash = "51676ae7e151a0b906c3a8ad34f474cb5b65eaa3bf40bb09b00c624747bcb241" condition: elf.type == elf.ET_EXEC and elf.entry_point < filesize and elf.number_of_sections > 0 and elf.dynamic_section_entries > 0 and for any i 
in (0..elf.dynamic_section_entries) : (elf.dynamic[i].type == elf.DT_SYMTAB and not (for any j in (0..elf.number_of_sections) : (elf.sections[j].type == elf.SHT_DYNSYM and for any k in (0..elf.number_of_segments) : ((elf.segments[k].virtual_address <= elf.dynamic[i].val) and ((elf.segments[k].virtual_address + elf.segments[k].file_size) >= elf.dynamic[i].val) and (elf.segments[k].offset + (elf.dynamic[i].val - elf.segments[k].virtual_address)) == elf.sections[j].offset)))) } diff --git a/rules/evasion/fake-library.yara b/rules/evasion/fake-library.yara index 34597bb23..53771639c 100644 --- a/rules/evasion/fake-library.yara +++ b/rules/evasion/fake-library.yara 
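Review bot: The loops `for any i in (0..elf.number_of_segments)` and `(0..elf.number_of_sections)` in `fake_section_headers_conflicting_entry_point_address` and `fake_dynamic_symbols` use inclusive ranges, so each visits one index past the last element; as far as I can tell YARA yields undefined for the out-of-range access and that iteration evaluates false, so the rules still work, but the bounds should be `elf.number_of_segments - 1` (and the same for sections and `elf.dynamic_section_entries`). This is pre-existing context, but the commit promotes all three rules to `high`, which raises the cost of a subtle evaluation bug. The generic `hash = "…"` entries were removed from all three rules, leaving `fake_dynamic_symbols` with no sample reference at all; a `ref` or one named hash would keep that rule verifiable.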
@@ -1,28 +1,33 @@ -rule libnetresolv_fake_val : suspicious { + +rule libnetresolv_fake_val : high { meta: ref = "https://cert.gov.ua/article/6123309" - description = "references fake library - possible dynamic library hijacking" + description = "references fake library - possible dynamic library hijacking" + hash_2023_Qubitstrike_branch_raw_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd" + hash_2023_Qubitstrike_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd" strings: $libnetresolv = "libnetresolv.so" condition: any of them } -rule libs_fake_val : suspicious { +rule libs_fake_val : high { meta: ref = "https://cert.gov.ua/article/6123309" - description = "references fake library, possible dynamic library hijacking" + description = "references fake library, possible dynamic library hijacking" + hash_2023_uacert_refs = "106eef08f3bfcced3e221ee6f789792650386d7794d30c80eae19e42ef893682" strings: $libnetresolv = "libs.so" fullword condition: any of them } - -rule libc_fake_number_val : suspicious { +rule libc_fake_number_val : high { meta: ref = "https://cert.gov.ua/article/6123309" - description = "references a non-standard libc library (normally libc.so.6)" + description = "references a non-standard libc library (normally libc.so.6)" + hash_2023_ZIP_locker_FreeBSD_64 = "41cbb7d79388eaa4d6e704bd4a8bf8f34d486d27277001c343ea3ce112f4fb0d" + hash_2023_uacert_refs = "106eef08f3bfcced3e221ee6f789792650386d7794d30c80eae19e42ef893682" strings: $fake_libc_version = /libc.so.[2345789]/ condition: diff --git a/rules/evasion/fake-process-name.yara b/rules/evasion/fake-process-name.yara index 593cffdee..79cbb820e 100644 --- a/rules/evasion/fake-process-name.yara +++ b/rules/evasion/fake-process-name.yara 
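Review bot: `$fake_libc_version = /libc.so.[2345789]/` in `libc_fake_number_val` leaves both dots unescaped, so it also matches forms such as `libcXso-7`; `/libc\.so\.[2345789]/` is what the description implies, and with the rule now `high` the looser form is worth tightening. In `libs_fake_val` the string holding `"libs.so"` is named `$libnetresolv`, apparently copied from the rule above; `$libs = "libs.so" fullword` would stop the two rules reading as duplicates. The hunk ends at `condition:`, so the rest of `libc_fake_number_val` is outside this view.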
@@ -1,19 +1,23 @@ + rule fake_kworker_val : critical { meta: - description = "Pretends to be a kworker kernel thread" + description = "Pretends to be a kworker kernel thread" + hash_2023_Unix_Downloader_Rocke_228e = "228ec858509a928b21e88d582cb5cfaabc03f72d30f2179ef6fb232b6abdce97" + hash_2023_Unix_Downloader_Rocke_2f64 = "2f642efdf56b30c1909c44a65ec559e1643858aaea9d5f18926ee208ec6625ed" + hash_2023_Unix_Downloader_Rocke_6107 = "61075056b46d001e2e08f7e5de3fb9bfa2aabf8fb948c41c62666fd4fab1040f" strings: - $kworker = /\[{0,1}kworker\/[\d:\]]{1,5}/ - $kworker2 = "kworker" fullword - $kworker3 = "[kworker" + $kworker = /\[{0,1}kworker\/[\d:\]]{1,5}/ + $kworker2 = "kworker" fullword + $kworker3 = "[kworker" condition: - any of them + any of them } rule fake_syslogd : critical { meta: - description = "Pretends to be syslogd" + description = "Pretends to be syslogd" strings: - $ref = "[syslogd]" + $ref = "[syslogd]" condition: - any of them -} \ No newline at end of file + any of them +} diff --git a/rules/evasion/fake-ssh_user_agent.yara b/rules/evasion/fake-ssh_user_agent.yara index 509a69af2..49fe410f0 100644 --- a/rules/evasion/fake-ssh_user_agent.yara +++ b/rules/evasion/fake-ssh_user_agent.yara @@ -1,8 +1,10 @@ -rule fake_openssh_0 : suspicious { + +rule fake_openssh_0 : high { meta: - description = "Contains OpenSSH user-agent, possibly for spoofing purposes" + description = "Contains OpenSSH user-agent, possibly for spoofing purposes" + hash_2024_Downloads_8cad = "8cad755bcf420135c0f406fb92138dcb0c1602bf72c15ed725bd3b76062dafe5" strings: - $ref = /SSH-2\.0-OpenSSH_[\w\.]{0,8}/ + $ref = /SSH-2\.0-OpenSSH_[\w\.]{0,8}/ condition: - $ref -} \ No newline at end of file + $ref +} diff --git a/rules/evasion/fake-updater.yara b/rules/evasion/fake-updater.yara index 21aba417b..79b633ad0 100644 --- a/rules/evasion/fake-updater.yara +++ b/rules/evasion/fake-updater.yara 
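Review bot: `$kworker2 = "kworker" fullword` in `fake_kworker_val` fires on any file that merely mentions the kernel worker thread name (process monitors, log parsers, documentation), and under `any of them` on a `critical` rule that is a wide false-positive surface; the regex and `$kworker3 = "[kworker"` already capture the bracketed impersonation forms, so consider dropping `$kworker2` or requiring `$kworker2 and ($kworker or $kworker3)`. Neither rule records why a user-space binary containing these strings is treated as impersonation; a one-line comment above `$kworker3` stating that reasoning would help future tuning. In `fake_syslogd` the single string is clearer as the condition itself, `$ref`, than as `any of them`.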
@@ -1,5 +1,5 @@ -rule fake_chrome_update : suspicious { +rule fake_chrome_update : high { meta: description = "May fake being a Chrome update" strings: diff --git a/rules/evasion/fake-user-agent.yara b/rules/evasion/fake-user-agent.yara index 67d484b53..c33b2abe0 100644 --- a/rules/evasion/fake-user-agent.yara +++ b/rules/evasion/fake-user-agent.yara 
@@ -1,91 +1,103 @@ -rule fake_user_agent_msie : suspicious { +rule fake_user_agent_msie : high { meta: - description = "pretends to be MSIE" + description = "pretends to be MSIE" + hash_2023_Chaos_1d36 = "1d36f4bebd21a01c12fde522defee4c6b4d3d574c825ecc20a2b7a8baa122819" + hash_2023_Chaos_1fc4 = "1fc412b47b736f8405992e3744690b58ec4d611c550a1b4f92f08dfdad5f7a30" + hash_2023_Chaos_27cd = "27cdb8d8f64ce395795fdbde10cf3a08e7b217c92b7af89cde22abbf951b9e99" strings: $u_MSIE = /compatible; MSIE[ \;\(\)\w]{0,32}/ $u_msie = /compatible; msie[ \;\(\)\w]{0,32}/ $u_msie2 = /MSIE 9.0{/ - $not_access_log = "\"GET http://" - $not_pixel = "Pixel 5" - $not_ipad = "iPad Mini" + $not_access_log = "\"GET http://" + $not_pixel = "Pixel 5" + $not_ipad = "iPad Mini" condition: any of ($u_*) and none of ($not_*) } -rule fake_user_agent_khtml_val : suspicious { +rule fake_user_agent_khtml_val : high { strings: $u_khtml = /KHTML, like Gecko\w Version\/\d+.\d+ Safari/ $not_nuclei = "NUCLEI_TEMPLATES" $not_electron = "ELECTRON_RUN_AS_NODE" - $not_access_log = "\"GET http://" + $not_access_log = "\"GET http://" condition: any of ($u_*) and none of ($not_*) } - -rule fake_user_agent_chrome : notable { +rule fake_user_agent_chrome : medium { + meta: + hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796" + hash_2024_Downloads_0fa8a2e98ba17799d559464ab70cce2432f0adae550924e83d3a5a18fe1a9fc8 = "503fcf8b03f89483c0335c2a7637670c8dea59e21c209ab8e12a6c74f70c7f38" + hash_2023_Downloads_21b3 = "21b3e304db526e2c80df1f2da2f69ab130bdad053cb6df1e05eb487a86a19b7c" strings: $u_chrome = "(KHTML, like Gecko) Chrome" $not_nuclei = "NUCLEI_TEMPLATES" $not_electron = "ELECTRON_RUN_AS_NODE" - $not_access_log = "\"GET http://" + $not_access_log = "\"GET http://" condition: any of ($u_*) and none of ($not_*) } -rule fake_user_agent_wordpress : suspicious { +rule fake_user_agent_wordpress : high { strings: $u_wordpress = "User-Agent: Internal Wordpress RPC connection" $not_nuclei 
= "NUCLEI_TEMPLATES" $not_electron = "ELECTRON_RUN_AS_NODE" - $not_access_log = "\"GET http://" + $not_access_log = "\"GET http://" condition: any of ($u_*) and none of ($not_*) } -rule fake_user_agent_firefox : notable { +rule fake_user_agent_firefox : medium { + meta: + hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e" + hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796" + hash_2023_Downloads_Brawl_Earth = "fe3ac61c701945f833f218c98b18dca704e83df2cf1a8994603d929f25d1cce2" strings: $u_gecko = "Gecko/20" $not_nuclei = "NUCLEI_TEMPLATES" $not_electron = "ELECTRON_RUN_AS_NODE" - $not_access_log = "\"GET http://" + $not_access_log = "\"GET http://" condition: any of ($u_*) and none of ($not_*) } rule fake_user_agent_netscape { - strings: - $u_mozilla = "Mozilla/4" fullword - $not_access_log = "\"GET http://" - condition: - any of ($u_*) and none of ($not_*) + strings: + $u_mozilla = "Mozilla/4" fullword + $not_access_log = "\"GET http://" + condition: + any of ($u_*) and none of ($not_*) } - rule fake_user_agent_curl { - strings: - $u_curl = "User-Agent: curl/" - $not_access_log = "\"GET http://" - condition: - any of ($u_*) and none of ($not_*) + strings: + $u_curl = "User-Agent: curl/" + $not_access_log = "\"GET http://" + condition: + any of ($u_*) and none of ($not_*) } -rule elf_faker_val : notable { +rule elf_faker_val : medium { meta: - description = "Fake user agent" + description = "Fake user agent" + hash_2024_Downloads_fd0b = "fd0b5348bbfd013359f9651268ee67a265bce4e3a1cacf61956e3246bac482e8" + hash_2023_Linux_Malware_Samples_0638 = "063830221431f8136766f2d740df6419c8cd2f73b10e07fa30067df506592210" + hash_2023_Linux_Malware_Samples_16bb = "16bbeec4e23c0dc04c2507ec0d257bf97cfdd025cd86f8faf912cea824b2a5ba" strings: - $val = /Mozilla\/5[\.\w ]{4,64}/ + $val = /Mozilla\/5[\.\w ]{4,64}/ condition: uint32(0) == 1179403647 and $val } - -rule lowercase_mozilla_val : suspicious 
{ +rule lowercase_mozilla_val : high { meta: - description = "Fake user agent" + description = "Fake user agent" + hash_2023_rustbucket_example = "c54bfacc63cd61c7d66e7282f17402c851b2b4cfdc9af7c1a81ad6a7838df19a" strings: - $ref = /mozilla\/\d{1,2}\.[\.\w ]{0,32}/ + $ref = /mozilla\/\d{1,2}\.[\.\w ]{0,32}/ condition: - $ref + $ref } diff --git a/rules/evasion/fake-var-run-id.yara b/rules/evasion/fake-var-run-id.yara index 2c403e5f8..e7fae5239 100644 --- a/rules/evasion/fake-var-run-id.yara +++ b/rules/evasion/fake-var-run-id.yara @@ -1,4 +1,4 @@ -rule fake_var_run : notable { +rule fake_var_run : medium { meta: description = "References a likely fake name in /var/run" strings: diff --git a/rules/evasion/hex.yara b/rules/evasion/hex.yara index a6ffae5f8..351dbe800 100644 --- a/rules/evasion/hex.yara +++ b/rules/evasion/hex.yara @@ -1,9 +1,11 @@ -rule node_hex_parse : suspicious { +rule node_hex_parse : high { meta: - description = "converts hex data to ASCII" + description = "converts hex data to ASCII" + hash_2023_package_bgService = "36831e715a152658bab9efbd4c2c75be50ee501b3dffdb5798d846a2259154a2" + hash_2023_getcookies_harness = "99b1563adea48f05ff6dfffa17f320f12f0d0026c6b94769537a1b0b1d286c13" strings: - $ref = /Buffer\.from\(\w{0,16}, {0,2}'hex'\)/ + $ref = /Buffer\.from\(\w{0,16}, {0,2}'hex'\)/ condition: - $ref -} \ No newline at end of file + $ref +} diff --git a/rules/evasion/hidden-functions.yara b/rules/evasion/hidden-functions.yara index 16a1b165a..7ea7346c3 100644 --- a/rules/evasion/hidden-functions.yara +++ b/rules/evasion/hidden-functions.yara @@ -1,4 +1,4 @@ -rule php_hidden_eval : suspicious { +rule php_hidden_eval : high { meta: description = "Appears to hide and evaluate a function" strings: diff --git a/rules/evasion/hide_shell_history.yara b/rules/evasion/hide_shell_history.yara index b5ac571eb..2b58fa53f 100644 --- a/rules/evasion/hide_shell_history.yara +++ b/rules/evasion/hide_shell_history.yara 
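Review bot: `fake_user_agent_khtml_val`, `fake_user_agent_wordpress`, `fake_user_agent_netscape` and `fake_user_agent_curl` still carry no `meta` block, so four of the nine rules in this file have neither a description nor a sample reference even though the commit adds both to their neighbours; a one-line entry per rule, e.g. `description = "pretends to be a KHTML/Safari browser"`, would make the file consistent. `$u_msie2 = /MSIE 9.0{/` leaves the dot unescaped (`MSIE 9\.0`), and `fake_user_agent_netscape` and `fake_user_agent_curl` remain the only untagged rules in the file after every other rule received a severity tag.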
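Review bot: `$ref = /Buffer\.from\(\w{0,16}, {0,2}'hex'\)/` in `node_hex_parse` only matches a single-quoted encoding argument and a bare identifier as the first argument, so `Buffer.from(data, "hex")` and `Buffer.from(this.payload, 'hex')` are not covered; `/Buffer\.from\([\w\.]{0,32}, {0,2}['"]hex['"]\)/` closes both gaps without widening the rule beyond its description. If the narrow form is deliberate, a comment such as `// identifier argument only; literal arguments are out of scope` next to the string would record that for a rule now rated `high`.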
@@ -1,14 +1,10 @@ -rule hide_shell_history : suspicious { + +rule hide_shell_history : high { meta: - description = "Hides shell command history" - hash_2022_trojan_Winnti = "2f1321c6cf0bc3cf955e86692bfc4ba836f5580c8b1469ce35aa250c97f0076e" - hash_2022_XorDDoS_0Xorddos = "d920dec25946a86aeaffd5a53ce8c3f05c9a7bac44d5c71481f497de430cb67e" - hash_2023_articles_https_www_intezer_com_blog_malware_analysis_hiddenwasp_malware_targeting_linux_systems = "4558b35302720a58cf80271cf1a87da93dcb55113d4e9ccd8c211e9fd9febbef" + description = "Hides shell command history" + hash_2023_BPFDoor_8b9d = "8b9db0bc9152628bdacc32dab01590211bee9f27d58e0f66f6a1e26aea7552a6" hash_2023_BPFDoor_93f4 = "93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c" hash_2023_BPFDoor_dc83 = "dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a" - hash_2023_FontOnLake_BFCC4E6628B63C92BC46219937EA7582EA6FBB41_elf = "8a0a9740cf928b3bd1157a9044c6aced0dfeef3aa25e9ff9c93e113cbc1117ee" - hash_2023_UPX_204046B3279B487863738DDB17CBB6718AF2A83A_elf_x86_64 = "6187541be6d2a9d23edaa3b02c50aea644c1ac1a80ff3e4ddd441b0339e0dd1b" - hash_2023_OK_9c77 = "9c770b12a2da76c41f921f49a22d7bc6b5a1166875b9dc732bc7c05b6ae39241" strings: $hide_this = "HIDE_THIS" $histfile = "HISTFILE=" fullword @@ -18,7 +14,7 @@ rule hide_shell_history : suspicious { $h_set_o_history = "set +o history" $histsize_0 = "HISTSIZE=0" $h_gotcha = "GOTCHA" - $not_increment = "HISTSIZE++" + $not_increment = "HISTSIZE++" condition: any of ($h*) and none of ($not*) } diff --git a/rules/evasion/image-png-smuggling.yara b/rules/evasion/image-png-smuggling.yara index 547ffbbf5..2fb1c5725 100644 --- a/rules/evasion/image-png-smuggling.yara +++ b/rules/evasion/image-png-smuggling.yara @@ -1,4 +1,4 @@ -rule png { +rule png : medium { strings: $eval = " 7 and none of ($not*) + uint32(0) == 1179403647 and math.entropy(1200, 4096) > 7 and none of ($not*) } 
diff --git a/rules/evasion/packer/high_entropy.yara b/rules/evasion/packer/high_entropy.yara index 5ae224c5e..7a90b9373 100644 --- a/rules/evasion/packer/high_entropy.yara +++ b/rules/evasion/packer/high_entropy.yara @@ -6,14 +6,14 @@ private rule smallBinary { filesize < 64MB and (uint32(0) == 1179403647 or uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962) } -rule high_entropy_7_5 : notable { +rule high_entropy_7_5 : medium { meta: description = "higher entropy binary (>7.5)" condition: smallBinary and math.entropy(1,filesize) >= 7.5 } -rule high_entropy_7_9 : suspicious { +rule high_entropy_7_9 : high { meta: description = "high entropy binary (>7.9)" strings: diff --git a/rules/evasion/packer/shc.yara b/rules/evasion/packer/shc.yara index 58f4d4e21..1d09ec0b3 100644 --- a/rules/evasion/packer/shc.yara +++ b/rules/evasion/packer/shc.yara @@ -1,10 +1,13 @@ -rule shc : suspicious { +rule shc : high { meta: - description = "Binary generated with SHC (Shell Script Compiler)" - ref = "https://github.com/neurobin/shc" + description = "Binary generated with SHC (Shell Script Compiler)" + ref = "https://github.com/neurobin/shc" + hash_2023_Linux_Malware_Samples_1328 = "1328f1c2c9fe178f13277c18847dd9adb9474f389985e17126fcb895aac035f2" + hash_2023_Linux_Malware_Samples_77b8 = "77b881109c2141aef8a86263de75e041794556489055c1488f1d36feb7d70dd3" + hash_2023_Linux_Malware_Samples_edbe = "edbee3b92100cc9a6a8a3c1a5fc00212627560c5e36d29569d497613ea3e3c16" strings: $ref = "argv[0] nor $_" condition: - $ref -} \ No newline at end of file + $ref +} diff --git a/rules/evasion/packer/upx.yara b/rules/evasion/packer/upx.yara index 203f04682..19d175d7c 100644 --- a/rules/evasion/packer/upx.yara +++ b/rules/evasion/packer/upx.yara 
@@ -1,43 +1,41 @@ -rule upx : suspicious { +rule upx : high { meta: - description = "Binary is packed with UPX" - hash_2022_covid_osx_agent = "7831806172857a563d7b4789acddc98fc11763aaf3cedf937630b4a9dce31419" - hash_2018_coldroot = "d7cd18d3e6929dd1e5c12613f9a937fd45f75aa6e0ecee70908d2638f6b3ce7c" - hash_2020_ipstorm_alien = "4cd7c5ee322e55b1c1ae49f152629bfbdc2f395e9d8c57ce65dbb5d901f61ac1" - hash_2023_trojan_Mirai_sora_x86 = "5f73f54865a1be276d39f5426f497c21e44a309e165e5e2d02f5201e8c1f05e0" - hash_2023_trojan_Mirai_maCarm = "b6f51ce14ba12fd254da8fa40e7fef20b76e9df57660b66121e5f16718797320" - hash_2023_Linux_Malware_Samples_06ed = "06ed8158a168fa9635ed8d79679587f45cfd9825859e346361443eda0fc40b4c" - hash_2023_Linux_Malware_Samples_0a4b = "0a4b417193f63a3cce4550e363548384eb007f89e89eb831cf1b7f5ddf230a51" - hash_2023_Linux_Malware_Samples_0b9d = "0b9d850ad22de9ed4951984456e77789793017e9df41271c58f45f411ef0c3d2" + description = "Binary is packed with UPX" + hash_2023_UPX_0c25 = "0c25a05bdddc144fbf1ffa29372481b50ec6464592fdfb7dec95d9e1c6101d0d" + hash_2023_UPX_5a59 = "5a5960ccd31bba5d47d46599e4f10e455b74f45dad6bc291ae448cef8d1b0a59" + hash_2023_FontOnLake_38B09D690FAFE81E964CBD45EC7CF20DCB296B4D_elf = "f155fafa36d1094433045633741df98bbbc1153997b3577c3fa337cc525713c0" strings: $u_upx_sig = "UPX!" 
$u_packed = "executable packer" $u_is_packed = "This file is packed" - - $not_upx = "UPX_DEBUG_DOCTEST_DISABLE" + $not_upx = "UPX_DEBUG_DOCTEST_DISABLE" condition: any of ($u*) in (0..1024) and none of ($not*) } -rule upx_elf: suspicious { +rule upx_elf : high { meta: - description = "Linux ELF binary packed with UPX" + description = "Linux ELF binary packed with UPX" + hash_2023_UPX_0c25 = "0c25a05bdddc144fbf1ffa29372481b50ec6464592fdfb7dec95d9e1c6101d0d" + hash_2023_UPX_5a59 = "5a5960ccd31bba5d47d46599e4f10e455b74f45dad6bc291ae448cef8d1b0a59" + hash_2023_FontOnLake_1F52DB8E3FC3040C017928F5FFD99D9FA4757BF8_elf = "efbd281cebd62c70e6f5f1910051584da244e56e2a3228673e216f83bdddf0aa" strings: $proc_self = "/proc/self/exe" $prot_exec = "PROT_EXEC|PROT_WRITE failed" condition: - uint32(0) == 1179403647 and $prot_exec and $proc_self + uint32(0) == 1179403647 and $prot_exec and $proc_self } -rule upx_elf_tampered: critical { +rule upx_elf_tampered : critical { meta: - description = "Linux ELF binary packed with modified UPX" + description = "Linux ELF binary packed with modified UPX" + hash_2023_Unix_Trojan_DarkNexus_2527 = "2527fc4d6491bd8fc9a79344790466eaedcce8795efe540ac323ea93e59c5ab5" + hash_2023_Unix_Trojan_DarkNexus_2e1d = "2e1d9acd6ab43d63f3eab9fc995080fc67a0a5bbdc66be3aff53ed3745c9e811" + hash_2023_Unix_Trojan_DarkNexus_3a55 = "3a55dcda90c72acecb548f4318d41708bb73c4c3fb099ff65c988948dc8b216f" strings: -// only in some versions -// $proc_self = "/proc/self/exe" $prot_exec = "PROT_EXEC|PROT_WRITE failed" - $upx = "UPX!" + $upx = "UPX!" condition: - uint32(0) == 1179403647 and $prot_exec and not $upx -} \ No newline at end of file + uint32(0) == 1179403647 and $prot_exec and not $upx +} diff --git a/rules/evasion/powershell_encoded.yara b/rules/evasion/powershell_encoded.yara index cc0009e5e..d8e965bc7 100644 --- a/rules/evasion/powershell_encoded.yara +++ b/rules/evasion/powershell_encoded.yara 
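Review bot: The commit deletes the `// only in some versions` comment and the commented-out `$proc_self` line from `upx_elf_tampered`, which was the only record of why this rule, unlike `upx_elf` above it, does not require `"/proc/self/exe"`; restore the reasoning as `// "/proc/self/exe" is only present in some UPX versions, so it is deliberately not required here`. None of the three rules says how they relate: `upx_elf` (high) and `upx_elf_tampered` (critical) can fire on the same file, which is presumably intended for a binary whose `UPX!` marker was stripped, and a comment on `upx_elf_tampered` stating that would save the next reader working it out.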
@@ -1,9 +1,13 @@
-rule powershell_encoded_command_val : suspicious {
+
+rule powershell_encoded_command_val : high {
 meta:
- description = "Runs powershell with an encoded command"
+ description = "Runs powershell with an encoded command"
+ hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78 = "fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588"
+ hash_2024_2018_04_Common_Malware_Carrier_payload = "8cdd29e28daf040965d4cad8bf3c73d00dde3f2968bab44c7d8fe482ba2057f9"
+ hash_2023_grandmask_3_13_setup = "8835778f9e75e6493693fc6163477ec94aba723c091393a30d7e7b9eed4f5a54"
 strings:
- $ps = "powershell"
- $enc = /\-EncodedCommand [\w\=]{0,256}/
+ $ps = "powershell"
+ $enc = /\-EncodedCommand [\w\=]{0,256}/
 condition:
- all of them
+ all of them
 }
diff --git a/rules/evasion/powershell_hidden.yara b/rules/evasion/powershell_hidden.yara
index 24e8be6ce..98c174ebd 100644
--- a/rules/evasion/powershell_hidden.yara
+++ b/rules/evasion/powershell_hidden.yara
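Review bot: The new meta key `hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78` embeds a second 64-hex-digit string that differs from the value `fd3e21b8…`, so a reader cannot tell which of the two is the sample hash; the same key is added to the `execve` rule in rules/exec/program.yara. Suggest the four-character convention the rest of the change uses, `hash_2024_Downloads_4ba7 = "fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588"`. Also, `$ps = "powershell"` and `$enc` carry no modifiers here while the sibling rules in powershell_hidden.yara use `ascii wide nocase`, so the mixed-case spelling `PowerShell` and UTF-16 strings in PE files are not matched by this rule; `$ps = "powershell" ascii wide nocase` and `$enc = /\-EncodedCommand [\w\=]{0,256}/ ascii wide nocase` would make the two files consistent.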
@@ -1,20 +1,25 @@ -rule powershell_hidden_short : suspicious { + +rule powershell_hidden_short : high { meta: - description = "Runs powershell with a hidden command" + description = "Runs powershell with a hidden command" + hash_2023_Sysrv_Hello_sys_x86_64 = "cd784dc1f7bd95cac84dc696d63d8c807129ef47b3ce08cd08afb7b7456a8cd3" strings: - $ps = "powershell" ascii wide nocase - $hidden = " -w hidden " ascii wide nocase + $ps = "powershell" ascii wide nocase + $hidden = " -w hidden " ascii wide nocase condition: - all of them + all of them } -rule powershell_hidden_long : notable { +rule powershell_hidden_long : medium { meta: - description = "Runs powershell with a hidden command" + description = "Runs powershell with a hidden command" + hash_2023_grandmask_3_13_setup = "8835778f9e75e6493693fc6163477ec94aba723c091393a30d7e7b9eed4f5a54" + hash_2023_py_guigrand_4_67_setup = "4cb4b9fcce78237f0ef025d1ffda8ca8bc79bf8d4c199e4bfc6eff84ce9ce554" + hash_2023_py_killtoolad_3_65_setup = "64ec7b05442356293e903afe028637d821bad4444c4e1e11b73a4ff540fe480b" strings: - $ps = "powershell" ascii wide nocase - $ws = "-WindowStyle" ascii wide nocase - $hidden = "hidden " ascii wide nocase + $ps = "powershell" ascii wide nocase + $ws = "-WindowStyle" ascii wide nocase + $hidden = "hidden " ascii wide nocase condition: - all of them + all of them } diff --git a/rules/evasion/process-check.yara b/rules/evasion/process-check.yara index 0d8795313..c6ceb73b9 100644 --- a/rules/evasion/process-check.yara +++ b/rules/evasion/process-check.yara 
@@ -1,11 +1,12 @@
-rule activity_monitor_checker : suspicious {
+
+rule activity_monitor_checker : high {
 meta:
 hash_2020_BirdMiner_tonsillith = "9f8dba1cea7c8a4d7701a6a3e2d826202ba7e00e30e9c836c734ad6842b8cb5e"
 hash_2020_BirdMiner_tormina = "4179cdef4de0eef44039e9d03d42b3aeca06df533be74fc65f5235b21c9f0fb1"
 strings:
- $ps = "ps" fullword
- $pgrep = "pgrep" fullword
- $am = "Activity Monitor" fullword
+ $ps = "ps" fullword
+ $pgrep = "pgrep" fullword
+ $am = "Activity Monitor" fullword
 condition:
- $am and any of ($p*)
+ $am and any of ($p*)
 }
diff --git a/rules/evasion/process-hide.yara b/rules/evasion/process-hide.yara
index a59e749bf..16b195e8f 100644
--- a/rules/evasion/process-hide.yara
+++ b/rules/evasion/process-hide.yara
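Review bot: `activity_monitor_checker` is promoted to `high` but still has no `description` in its meta block, while every other rule touched by this change carries one; the meta section holds only two hashes. Based on the strings and the `$am and any of ($p*)` condition, something like `description = "references Activity Monitor together with a process-listing command (ps/pgrep)"` would document what the rule actually keys on.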
@@ -1,18 +1,24 @@ -rule elf_processhide : suspicious { - meta: - description = "userland rootkit designed to hide processes" - strings: - $prochide = "processhide" - $process_to_filter = "process_to_filter" - condition: - all of them +rule elf_processhide : high { + meta: + description = "userland rootkit designed to hide processes" + hash_2023_Unix_Coinminer_Xanthe_0e6d = "0e6d37099dd89c7eed44063420bd05a2d7b0865a0f690e12457fbec68f9b67a8" + hash_2023_Unix_Malware_Agent_7337 = "73376cbb9666d7a9528b9397d4341d0817540448f62b22b51de8f6a3fb537a3d" + hash_2023_Unix_Trojan_Prochider_234c = "234c0dd014a958cf5958a9be058140e29f46fca99eb26f5755f5ae935af92787" + strings: + $prochide = "processhide" + $process_to_filter = "process_to_filter" + condition: + all of them } -rule elf_possible_prochid : suspicious { +rule elf_possible_prochid : high { meta: - description = "userland rootkit designed to hide processes" + description = "userland rootkit designed to hide processes" ref = "prochid.c" + hash_2023_OK_c38c = "c38c21120d8c17688f9aeb2af5bdafb6b75e1d2673b025b720e50232f888808a" + hash_2023_lib_pkit = "8faa04955eeb6f45043003e23af39b86f1dbfaa12695e0e1a1f0bc7a15d0d116" + hash_2023_lib_pkitarm = "67de6ba64ee94f2a686e3162f2563c77a7d78b7e0404e338a891dc38ced5bd71" strings: $proc_self_fd = "/proc/self/fd/%d" $proc_stat = "/proc/%s/stat" 
@@ -21,18 +27,9 @@ rule elf_possible_prochid : suspicious { all of them } - rule process_hider { meta: - description = "userland rootkit designed to hide processes" - hash_2014_MacOS_logind = "65c89525ea4da91500c021e5ac3cb67cf2c29086cca3ef7c75a44ac38cc1cce5" - hash_2023_FontOnLake_1F52DB8E3FC3040C017928F5FFD99D9FA4757BF8_elf = "efbd281cebd62c70e6f5f1910051584da244e56e2a3228673e216f83bdddf0aa" - hash_2023_FontOnLake_27E868C0505144F0708170DF701D7C1AE8E1FAEA_elf = "d7ad1bff4c0e6d094af27b4d892b3398b48eab96b64a8f8a2392e26658c63f30" - hash_2023_FontOnLake_45E94ABEDAD8C0044A43FF6D72A5C44C6ABD9378_elf = "f60c1214b5091e6e4e5e7db0c16bf18a062d096c6d69fe1eb3cbd4c50c3a3ed6" - hash_2023_FontOnLake_49D4E5FCD3A3018A88F329AE47EF4C87C6A2D27A_elf = "95f37c26707a9ef03f1a94cb0349484053c7ae9791352851d22a6ecdb018da71" - hash_2023_FontOnLake_56580E7BA6BF26D878C538985A6DC62CA094CD04_elf = "2daa5503b7f068ac471330869ccfb1ae617538fecaea69fd6c488d57929f8279" - hash_2023_FontOnLake_771340752985DD8E84CF3843C9843EF7A76A39E7_elf = "602c435834d796943b1e547316c18a9a64c68f032985e7a5a763339d82598915" - hash_2023_FontOnLake_B439A503D68AD7164E0F32B03243A593312040F8_elf = "10c7e04d12647107e7abf29ae612c1d0e76a79447e03393fa8a44f8a164b723d" + description = "userland rootkit designed to hide processes" strings: $hide_process = "hide_proc" $proc_hide = "proc_hide" diff --git a/rules/evasion/py_builtins.yara b/rules/evasion/py_builtins.yara index 0fe5151c0..fde663118 100644 --- a/rules/evasion/py_builtins.yara +++ b/rules/evasion/py_builtins.yara 
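Review bot: `process_hider` is left as the only rule in this file without a severity tag (`elf_processhide` and `elf_possible_prochid` become `high` in the previous hunk), and this hunk also removes all eight sample hashes, so the rule now carries no provenance at all. If the FontOnLake and `MacOS_logind` samples no longer match, that is worth recording, e.g. `// sample hashes removed: previous FontOnLake/logind references no longer matched`; otherwise either tag the rule like its siblings or add a comment saying why it stays untagged. The `strings`/`condition` part of the rule continues outside the hunk.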
@@ -1,9 +1,11 @@
-rule indirect_python_builtins : suspicious {
+rule indirect_python_builtins : high {
 meta:
- description = "Indirectly refers to Python builtins"
+ description = "Indirectly refers to Python builtins"
+ hash_2023_yfinancce_0_1_setup = "3bde1e9207dd331806bf58926d842e2d0f6a82424abd38a8b708e9f4e3e12049"
+ hash_2023_yvper_0_1_setup = "b765244c1f8a11ee73d1e74927b8ad61718a65949e0b8d8cbc04e5d84dccaf96"
 strings:
- $val = /getattr\(__builtins__,[ \w\.\)\)]{0,64}/
-condition:
- any of them
+ $val = /getattr\(__builtins__,[ \w\.\)\)]{0,64}/
+ condition:
+ any of them
 }
diff --git a/rules/evasion/readdir-interceptor.yara b/rules/evasion/readdir-interceptor.yara
index 9176cd2b7..bd77552d8 100644
--- a/rules/evasion/readdir-interceptor.yara
+++ b/rules/evasion/readdir-interceptor.yara
@@ -1,34 +1,38 @@ -rule readdir_intercept : suspicious { - meta: - description = "userland rootkit designed to hide files" - strings: - $r_new65 = "readdir64" fullword - $r_old64 = "_readdir64" - $r_new32 = "readdir" fullword - $r_old32 = "_readdir" - $not_ld_debug = "LD_DEBUG" - $not_libc = "getusershell" - condition: - uint32(0) == 1179403647 and all of ($r*) and none of ($not*) +rule readdir_intercept : high { + meta: + description = "userland rootkit designed to hide files" + hash_2023_lib_pkit = "8faa04955eeb6f45043003e23af39b86f1dbfaa12695e0e1a1f0bc7a15d0d116" + hash_2023_lib_pkitarm = "67de6ba64ee94f2a686e3162f2563c77a7d78b7e0404e338a891dc38ced5bd71" + hash_2023_lib_skit = "427b1d16f16736cf8cee43a7c54cd448ca46ac9b573614def400d2d8d998e586" + strings: + $r_new65 = "readdir64" fullword + $r_old64 = "_readdir64" + $r_new32 = "readdir" fullword + $r_old32 = "_readdir" + $not_ld_debug = "LD_DEBUG" + $not_libc = "getusershell" + condition: + uint32(0) == 1179403647 and all of ($r*) and none of ($not*) } -rule readdir_intercept_source : suspicious { - meta: - description = "userland rootkit designed to hide files" - strings: - $declare = "DECLARE_READDIR" - $hide = "hide" - condition: - all of them +rule readdir_intercept_source : high { + meta: + description = "userland rootkit designed to hide files" + strings: + $declare = "DECLARE_READDIR" + $hide = "hide" + condition: + all of them } -rule lkm_dirent : suspicious { - meta: - description = "kernel rootkit designed to hide files" - strings: - $dirent = "linux_dirent" - $Linux = "Linux" - condition: - all of them +rule lkm_dirent : high { + meta: + description = "kernel rootkit designed to hide files" + hash_2023_LQvKibDTq4_diamorphine = "e93e524797907d57cb37effc8ebe14e6968f6bca899600561971e39dfd49831d" + strings: + $dirent = "linux_dirent" + $Linux = "Linux" + condition: + all of them } diff --git a/rules/evasion/rename_system_binary.yara b/rules/evasion/rename_system_binary.yara index 09bb572f3..36a52988f 100644 
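Review bot: The identifier `$r_new65` in `readdir_intercept` does not match its string `"readdir64"` or its sibling `$r_old64`; since the condition only uses `all of ($r*)`, renaming it to `$r_new64 = "readdir64" fullword` is safe and removes the confusion. In `lkm_dirent`, the rule is raised to `high` although its condition is just `"linux_dirent"` plus `"Linux"`, which also appear together in non-rootkit material such as kernel headers or syscall tracers; the `readdir_intercept` rule above already guards with `uint32(0) == 1179403647`, and adding the same ELF check to `lkm_dirent` (`uint32(0) == 1179403647 and all of them`) would limit the `high` verdict to binaries.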
--- a/rules/evasion/rename_system_binary.yara +++ b/rules/evasion/rename_system_binary.yara @@ -1,10 +1,12 @@ -rule rename_system_binary: suspicious { +rule rename_system_binary : high { meta: - description = "Renames system binary" + description = "Renames system binary" + hash_2023_OrBit_f161 = "f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8" + hash_2023_Unix_Downloader_Rocke_2f64 = "2f642efdf56b30c1909c44a65ec559e1643858aaea9d5f18926ee208ec6625ed" + hash_2023_Unix_Downloader_Rocke_6107 = "61075056b46d001e2e08f7e5de3fb9bfa2aabf8fb948c41c62666fd4fab1040f" strings: $ref = /(mv|cp|ln) \/(bin|usr\/bin)\/[ \.\w\/]{0,64}/ condition: - $ref + $ref } - diff --git a/rules/evasion/rootkit.yara b/rules/evasion/rootkit.yara index 40941a5f0..7272770a4 100644 --- a/rules/evasion/rootkit.yara +++ b/rules/evasion/rootkit.yara @@ -1,11 +1,11 @@ + rule linux_kernel_module_getdents64 : critical { meta: - description = "kernel module that intercepts directory listing" + description = "kernel module that intercepts directory listing" ref = "https://github.com/m0nad/Diamorphine" hash_2022_LQvKibDTq4_diamorphine = "aec68cfa75b582616c8fbce22eecf463ddb0c09b692a1b82a8de23fb0203fede" hash_2023_LQvKibDTq4_diamorphine = "e93e524797907d57cb37effc8ebe14e6968f6bca899600561971e39dfd49831d" hash_2023_LQvKibDTq4_diamorphine = "d83f43f47c1438d900143891e7a542d1d24f9adcbd649b7698d8ee7585068039" - hash_2023_hf_tar_diamorphine = "19bab35afb1accd6004e648540643a114c5cfdf572564ad0b12668db46b167b2" strings: $getdents64 = "getdents64" $register_kprobe = "register_kprobe" 
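Review bot: In `linux_kernel_module_getdents64` the meta key `hash_2023_LQvKibDTq4_diamorphine` appears twice with different values (`e93e5247…` and `d83f43f4…`); the commit touches this meta block (it drops `hash_2023_hf_tar_diamorphine`) but leaves the duplicate, so the two samples cannot be told apart by name. Suggest the four-character suffix convention used elsewhere in this change, e.g. `hash_2023_LQvKibDTq4_diamorphine_e93e` and `hash_2023_LQvKibDTq4_diamorphine_d83f`. The rule's `strings` and `condition` continue outside the hunk.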
@@ -13,13 +13,13 @@ rule linux_kernel_module_getdents64 : critical { all of them } -rule funky_high_signal_killer : suspicious { +rule funky_high_signal_killer : high { meta: - description = "Uses high signals to communicate to a rootkit" - hash_2023_QubitStrike_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd" + description = "Uses high signals to communicate to a rootkit" + hash_2023_Qubitstrike_branch_raw_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd" + hash_2023_Qubitstrike_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd" strings: $odd_teen_sig = /kill -1[012346789]/ fullword - // limit is 64 $high_sig = /kill -[23456]\d/ fullword condition: any of them diff --git a/rules/evasion/script-obfuscation.yara b/rules/evasion/script-obfuscation.yara index 5e2f3b08d..a4a2a983f 100644 --- a/rules/evasion/script-obfuscation.yara +++ b/rules/evasion/script-obfuscation.yara @@ -1,11 +1,9 @@ -rule generic_obfuscated_perl : suspicious { + +rule generic_obfuscated_perl : high { meta: - hash_2017_Perl_FruitFly_A = "205f5052dc900fc4010392a96574aed5638acf51b7ec792033998e4043efdf6c" + hash_1980_FruitFly_A_205f = "205f5052dc900fc4010392a96574aed5638acf51b7ec792033998e4043efdf6c" hash_1980_FruitFly_A_9968 = "9968407d4851c2033090163ac1d5870965232bebcfe5f87274f1d6a509706a14" - hash_2017_Perl_FruitFly_afpscan = "bbbf73741078d1e74ab7281189b13f13b50308cf03d3df34bc9f6a90065a4a55" - hash_2017_Perl_FruitFly_quimitchin = "ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044" - hash_2017_trojan_Perl_AFL = "cee71a5425a4cd7c0ca2fc6763d59f94dd11192b78cd696adc56c553174d5727" - hash_2017_Perl_FruitFly_spaud = "befa9bfe488244c64db096522b4fad73fc01ea8c4cd0323f1cbdee81ba008271" + hash_1980_FruitFly_A_bbbf = "bbbf73741078d1e74ab7281189b13f13b50308cf03d3df34bc9f6a90065a4a55" strings: $unpack_nospace = "pack'" fullword $unpack = "pack '" fullword 
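Review bot: The two new keys `hash_2023_Qubitstrike_branch_raw_mi` and `hash_2023_Qubitstrike_mi` in `funky_high_signal_killer` hold the identical value `9a5f6318…`, so the same sample is recorded twice under two names; the same happens in rules/exec/pipe.yara, where `hash_2023_libcurl_setup` and `hash_2024_aaa_bbb_ccc_setup` share `5deef153…`. One entry per distinct hash is enough. The hunk also deletes `// limit is 64`, which was the only explanation of the `[23456]\d` range in `$high_sig`; keeping it as `// signal numbers above 64 do not exist, hence [23456]\d` preserves the rationale.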
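Review bot: In `generic_obfuscated_perl` the renamed keys `hash_1980_FruitFly_A_205f` and `hash_1980_FruitFly_A_bbbf` replace `hash_2017_Perl_FruitFly_A` and `hash_2017_Perl_FruitFly_afpscan`, so the year component changes from 2017 to 1980 for the same hash values; 1980 looks like a file-timestamp artifact of whatever generated the keys rather than a sample date. Suggest keeping the year the old keys carried, `hash_2017_FruitFly_A_205f`, `hash_2017_FruitFly_A_bbbf`, and checking the pre-existing `hash_1980_FruitFly_A_9968` the same way. The rule's `strings` and `condition` continue outside the hunk.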
@@ -17,46 +15,42 @@ rule generic_obfuscated_perl : suspicious { filesize < 20971520 and $eval and 3 of them } -rule powershell_format : suspicious { +rule powershell_format : high { meta: - description = "obfuscated Powershell format string" + description = "obfuscated Powershell format string" author = "Florian Roth" strings: - // extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar - $ref = "}{0}\"-f " ascii wide + $ref = "}{0}\"-f " ascii wide condition: - filesize < 16MB and any of them + filesize < 16777216 and any of them } -rule powershell_compact : notable windows { +rule powershell_compact : medium windows { meta: - description = "unusually compact PowerShell representation" + description = "unusually compact PowerShell representation" author = "Florian Roth" strings: - // extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar - $InokeExpression = ");iex" nocase ascii wide + $InokeExpression = ");iex" ascii wide nocase condition: - filesize < 16MB and any of them + filesize < 16777216 and any of them } -rule casing_obfuscation : notable windows { +rule casing_obfuscation : medium windows { meta: - description = "unusual casing obfuscation" + description = "unusual casing obfuscation" author = "Florian Roth" strings: - // extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar - $ref = / (sEt|SEt|SeT|sET|seT) / ascii wide + $ref = / (sEt|SEt|SeT|sET|seT) / ascii wide condition: - filesize < 16MB and any of them + filesize < 16777216 and any of them } -rule powershell_encoded : suspicious windows { +rule powershell_encoded : high windows { meta: - description = "Encoded Powershell" + description = "Encoded Powershell" author = "Florian Roth" strings: - // extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar $ref = / -[eE][decoman]{0,41} ['"]?(JAB|SUVYI|aWV4I|SQBFAFgA|aQBlAHgA|cgBlAG)/ ascii wide condition: - filesize < 16MB and any of them + filesize < 
16777216 and any of them } diff --git a/rules/evasion/squiblydoo.yara b/rules/evasion/squiblydoo.yara index 725ae9dcd..5025a3765 100644 --- a/rules/evasion/squiblydoo.yara +++ b/rules/evasion/squiblydoo.yara @@ -1,4 +1,4 @@ -rule squiblydoo : suspicious windows { +rule squiblydoo : high windows { meta: description = "uses regsrv32 to load a remote COM scriptlet" ref = "https://socprime.com/blog/squiblydoo-attack-analysis-detection-and-mitigation/" diff --git a/rules/evasion/system_directory.yara b/rules/evasion/system_directory.yara index 5e334c380..d3d0feb61 100644 --- a/rules/evasion/system_directory.yara +++ b/rules/evasion/system_directory.yara @@ -1,7 +1,7 @@ -rule cp_to_apple_directory : suspicious { + +rule cp_to_apple_directory : high { meta: ref = "https://triangletoot.party/@philofishal@infosec.exchange/111211016916902934" - hash_test = "77db065934b7a6d6ac5b517d98431c82bf2dc53c3aa7519e22fce8f0cd82d42a" strings: $cp_to_apple_subdir = /cp [\w\.\"\/ ]{1,128} [\w\. \"\/]{1,64}\/Application Support\/Apple[\.\w\"]{0,32}/ $cp_to_com_apple = /cp [\w\.\"\/ ]{1,128} [\w\. \"\/]{1,64}\/com.apple[\.\w\"]{0,32}/ diff --git a/rules/evasion/vm-check.yara b/rules/evasion/vm-check.yara index 9d0f63fd9..35b52729a 100644 --- a/rules/evasion/vm-check.yara +++ b/rules/evasion/vm-check.yara @@ -1,7 +1,10 @@ -rule vm_checker : notable { +rule vm_checker : medium { meta: - description = "Checks to see if it is running with a VM" + description = "Checks to see if it is running with a VM" + hash_2024_Downloads_3105 = "31054fb826b57c362cc0f0dbc8af15b22c029c6b9abeeee9ba8d752f3ee17d7d" + hash_2023_Downloads_589d = "589dbb3f678511825c310447b6aece312a4471394b3bc40dde6c75623fc108c0" + hash_2023_Downloads_Chrome_Update = "eed1859b90b8832281786b74dc428a01dbf226ad24b182d09650c6e7895007ea" strings: $a_vmware = "VMware" $a_qemu = "QEMU Virtual CPU" @@ -15,4 +18,3 @@ rule vm_checker : notable { condition: 2 of ($a_*) and none of ($not_*) } - 
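Review bot: The four `// extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar` comments are removed from `powershell_format`, `powershell_compact`, `casing_obfuscation` and `powershell_encoded` while `author = "Florian Roth"` stays, so the rules now name an author but no longer say where the strings came from; the same comment is dropped from `xor_mozilla` in rules/evasion/xor-user_agent.yara. Moving the attribution into meta, `ref = "https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar"`, keeps it and matches how other rules in this change cite sources. Minor: the identifier `$InokeExpression` in `powershell_compact` is a misspelling of `$InvokeExpression`.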
diff --git a/rules/evasion/xor-certs.yara b/rules/evasion/xor-certs.yara index 020899306..e329bc26d 100644 --- a/rules/evasion/xor-certs.yara +++ b/rules/evasion/xor-certs.yara @@ -1,7 +1,10 @@ -rule xor_certs : suspicious { +rule xor_certs : high { meta: - description = "key material obfuscated using xor" + description = "key material obfuscated using xor" + hash_2023_ZIP_locker_AArch_64 = "724eb1c8e51f184495cfe81df7049531d413dd3e434ee3506b6cc6b18c61e96d" + hash_2023_ZIP_locker_ARMv5_32 = "0a2bffa0a30ec609d80591eef1d0994d8b37ab1f6a6bad7260d9d435067fb48e" + hash_2023_ZIP_locker_ARMv6_32 = "e77124c2e9b691dbe41d83672d3636411aaebc0aff9a300111a90017420ff096" strings: $public = "PUBLIC" xor(1-31) $public2 = "PUBLIC" xor(33-255) @@ -11,4 +14,4 @@ rule xor_certs : suspicious { $ssh2 = "ssh-rsa AAA" xor(33-255) condition: any of them -} \ No newline at end of file +} diff --git a/rules/evasion/xor-commands.yara b/rules/evasion/xor-commands.yara index 1444ed232..3c973d96d 100644 --- a/rules/evasion/xor-commands.yara +++ b/rules/evasion/xor-commands.yara @@ -1,7 +1,10 @@ -rule xor_commands : suspicious { +rule xor_commands : high { meta: - description = "commands obfuscated using xor" + description = "commands obfuscated using xor" + hash_2023_Linux_Trojan_ShellBot_accc = "acccf2fa4e21f2cd1d7305186e4c83d6cde5ee98f1b37022b70170533e399a89" + hash_2023_ZIP_locker_AArch_64 = "724eb1c8e51f184495cfe81df7049531d413dd3e434ee3506b6cc6b18c61e96d" + hash_2023_ZIP_locker_ARMv5_32 = "0a2bffa0a30ec609d80591eef1d0994d8b37ab1f6a6bad7260d9d435067fb48e" strings: $b_chmod = "chmod " xor(1-31) $b_curl = "curl -" xor(1-31) 
@@ -18,10 +21,9 @@ rule xor_commands : suspicious { $b_dev_tcp = "/dev/tcp" xor(1-31) $b_bash_i = "bash -i" xor(1-31) $b_bash_c = "bash -c" xor(1-31) - $b_base64 = "base64" xor(1-31) - $b_eval = "eval(" xor(1-31) -// can false - $b_chmod2 = "chmod " xor(33-255) + $b_base64 = "base64" xor(1-31) + $b_eval = "eval(" xor(1-31) + $b_chmod2 = "chmod " xor(33-255) $b_curl2 = "curl -" xor(33-255) $b_bin_sh2 = "/bin/sh" xor(33-255) $b_bin_bash2 = "/bin/bash" xor(33-255) @@ -36,8 +38,8 @@ rule xor_commands : suspicious { $b_dev_tcp2 = "/dev/tcp" xor(33-255) $b_bash_i2 = "bash -i" xor(33-255) $b_bash_c2 = "bash -c" xor(33-255) - $b_base642 = "base64" xor(33-255) - $b_eval2 = "eval(" xor(33-255) + $b_base642 = "base64" xor(33-255) + $b_eval2 = "eval(" xor(33-255) condition: any of ($b_*) -} \ No newline at end of file +} diff --git a/rules/evasion/xor-url.yara b/rules/evasion/xor-url.yara index 87acb48af..80332c969 100644 --- a/rules/evasion/xor-url.yara +++ b/rules/evasion/xor-url.yara 
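Review bot: The removed `// can false` comment above `$b_chmod2` was the only hint that the `xor(33-255)` group of `xor_commands` is the false-positive-prone half of the rule, and the new side leaves the two groups with no distinction. Suggest restoring it in full before `$b_chmod2`: `// xor(33-255) variants are more prone to false positives than the xor(1-31) group`. The rule's `strings` block spans both hunks and continues outside this one.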
@@ -1,29 +1,26 @@ -rule xor_url : suspicious { - meta: - description = "URL hidden using XOR encryption" - strings: - $http = "http:" xor(1-31) - $https = "https:" xor(1-31) - $ftp = "ftp:/" xor(1-31) - $office = "office" xor(1-31) - $google = "google." xor(1-31) - $microsoft = "microsoft" xor(1-31) - $apple = "apple." xor(1-31) -// $dot_com_slash = ".com/" xor(1-31) - $user_agent = "User-Agent" xor(1-31) - - $http2 = "http://" xor(33-255) - $https2 = "https://" xor(33-255) - $ftp2 = "ftp://" xor(33-255) -// $office2 = "office" xor(33-255) - $google2 = "google." xor(33-255) - $microsoft2 = "microsoft" xor(33-255) - $apple2 = "apple." xor(33-255) -// $dot_com_slash2 = ".com/" xor(33-255) - $user_agent2 = "User-Agent" xor(33-255) - - - condition: - any of them +rule xor_url : high { + meta: + description = "URL hidden using XOR encryption" + hash_2023_ZIP_locker_AArch_64 = "724eb1c8e51f184495cfe81df7049531d413dd3e434ee3506b6cc6b18c61e96d" + hash_2023_ZIP_locker_ARMv5_32 = "0a2bffa0a30ec609d80591eef1d0994d8b37ab1f6a6bad7260d9d435067fb48e" + hash_2023_ZIP_locker_ARMv6_32 = "e77124c2e9b691dbe41d83672d3636411aaebc0aff9a300111a90017420ff096" + strings: + $http = "http:" xor(1-31) + $https = "https:" xor(1-31) + $ftp = "ftp:/" xor(1-31) + $office = "office" xor(1-31) + $google = "google." xor(1-31) + $microsoft = "microsoft" xor(1-31) + $apple = "apple." xor(1-31) + $user_agent = "User-Agent" xor(1-31) + $http2 = "http://" xor(33-255) + $https2 = "https://" xor(33-255) + $ftp2 = "ftp://" xor(33-255) + $google2 = "google." xor(33-255) + $microsoft2 = "microsoft" xor(33-255) + $apple2 = "apple." xor(33-255) + $user_agent2 = "User-Agent" xor(33-255) + condition: + any of them } diff --git a/rules/evasion/xor-user_agent.yara b/rules/evasion/xor-user_agent.yara index 813508265..c43e9d9e2 100644 --- a/rules/evasion/xor-user_agent.yara +++ b/rules/evasion/xor-user_agent.yara 
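Review bot: The commented-out `$dot_com_slash`, `$office2` and `$dot_com_slash2` lines deleted from `xor_url` were the record of atoms that had been tried and left out, and with them gone the new side keeps `$office` in the `xor(1-31)` group with no `$office2` counterpart and no explanation. A one-line comment before `$http2`, e.g. `// "office" and ".com/" are intentionally absent from the xor(33-255) group (too noisy)`, would preserve that decision for the next editor. The claim about noise is inferred from the old commented-out lines, so adjust the wording if the real reason differs.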
@@ -1,10 +1,13 @@ + rule xor_mozilla : critical { meta: - description = "XOR'ed user agent, often found in backdoors" - author = "Florian Roth" + description = "XOR'ed user agent, often found in backdoors" + author = "Florian Roth" + hash_2023_Tiganie_S3npai_29ae = "29ae9389dcb1f5b0bc3a52543b3ddfc933a65c4943709907fd136decf717255c" + hash_2023_Unix_Dropper_Mirai_1550 = "1550ae8e301f86778bb9a2aa91df606f61edc51273ab61053817b8322af71afc" + hash_2023_Unix_Dropper_Mirai_2d11 = "2d115b7bb43411fe88ba4cb929843b5dcf897559a6c9d2ec80554723604ea4e2" strings: - // extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar - $Mozilla_5_0 = "Mozilla/5.0" xor(0x01-0xff) ascii wide + $Mozilla_5_0 = "Mozilla/5.0" ascii wide xor(1-255) condition: any of them } diff --git a/rules/exec/cmd.yara b/rules/exec/cmd.yara index 588180b4b..c66be4011 100644 --- a/rules/exec/cmd.yara +++ b/rules/exec/cmd.yara @@ -1,11 +1,15 @@ -rule exec : notable { - meta: - description = "executes a command" - strings: - $exe_cmd = /[\w:]{0,32}[Ee]xe[\w]{0,6}C(m|omman)d[\w:]{0,32}/ fullword - $run_cmd = /[\w:]{0,32}[rR]un[\w]{0,6}C(m|omman)d[\w:]{0,32}/ fullword - $start_cmd = /[\w:]{0,32}[sS]tart[\w]{0,6}C(m|omman)d[\w:]{0,32}/ fullword - $cmdlist = "cmdlist" fullword - condition: - any of them + +rule exec : medium { + meta: + description = "executes a command" + hash_2023_0xShell_adminer = "2fd7e6d8f987b243ab1839249551f62adce19704c47d3d0c8dd9e57ea5b9c6b3" + hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796" + hash_2024_Downloads_0f66 = "0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c" + strings: + $exe_cmd = /[\w:]{0,32}[Ee]xe[\w]{0,6}C(m|omman)d[\w:]{0,32}/ fullword + $run_cmd = /[\w:]{0,32}[rR]un[\w]{0,6}C(m|omman)d[\w:]{0,32}/ fullword + $start_cmd = /[\w:]{0,32}[sS]tart[\w]{0,6}C(m|omman)d[\w:]{0,32}/ fullword + $cmdlist = "cmdlist" fullword + condition: + any of them } 
diff --git a/rules/exec/pipe.yara b/rules/exec/pipe.yara index 2eec24b52..2b7afd535 100644 --- a/rules/exec/pipe.yara +++ b/rules/exec/pipe.yara @@ -1,14 +1,17 @@ -rule popen : notable { - meta: - description = "launches program and reads its output" - syscall = "pipe" - ref = "https://linux.die.net/man/3/popen" - strings: - $_popen = "_popen" fullword - $_pclose = "_pclose" fullword - $os_popen = /os.popen[\(\"\'\w \$\)]{0,32}/ - $pipe_glibc = "pipe@@GLIBC" - condition: - any of them -} +rule popen : medium { + meta: + description = "launches program and reads its output" + syscall = "pipe" + ref = "https://linux.die.net/man/3/popen" + hash_2023_libcurl_setup = "5deef153a6095cd263d5abb2739a7b18aa9acb7fb0d542a2b7ff75b3506877ac" + hash_2024_aaa_bbb_ccc_setup = "5deef153a6095cd263d5abb2739a7b18aa9acb7fb0d542a2b7ff75b3506877ac" + hash_2024_Downloads_0f66 = "0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c" + strings: + $_popen = "_popen" fullword + $_pclose = "_pclose" fullword + $os_popen = /os.popen[\(\"\'\w \$\)]{0,32}/ + $pipe_glibc = "pipe@@GLIBC" + condition: + any of them +} diff --git a/rules/exec/program.yara b/rules/exec/program.yara index 5abbd0f90..75ef3e400 100644 --- a/rules/exec/program.yara +++ b/rules/exec/program.yara 
@@ -1,107 +1,126 @@ -rule execall : notable { - meta: - syscall = "execve" - pledge = "exec" - description = "executes external programs" - strings: - $execl = "execl" fullword - $execle = "execle" fullword - $execlp = "execlp" fullword - $execv = "execv" fullword - $execvp = "execvp" fullword - $execvP = "execvP" fullword - $go = "syscall.libc_execve_trampoline" - condition: - any of ($exec*) and not $go +rule execall : medium { + meta: + syscall = "execve" + pledge = "exec" + description = "executes external programs" + hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74" + hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796" + hash_2023_Downloads_06ab = "06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725" + strings: + $execl = "execl" fullword + $execle = "execle" fullword + $execlp = "execlp" fullword + $execv = "execv" fullword + $execvp = "execvp" fullword + $execvP = "execvP" fullword + $go = "syscall.libc_execve_trampoline" + condition: + any of ($exec*) and not $go } -rule execve : notable { - meta: - syscall = "execve" - pledge = "exec" - description = "executes external programs" - strings: - $execve = "execve" fullword - $go = "syscall.libc_execve_trampoline" - $execve_f = "fexecve" fullword - condition: - any of ($exec*) and not $go +rule execve : medium { + meta: + syscall = "execve" + pledge = "exec" + description = "executes external programs" + hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796" + hash_2024_Downloads_0ca7 = "0ca7e0eddd11dfaefe0a0721673427dd441e29cf98064dd0f7b295eae416fe1b" + hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78 = "fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588" + strings: + $execve = "execve" fullword + $go = "syscall.libc_execve_trampoline" + $execve_f = "fexecve" fullword + condition: + any of ($exec*) and not $go } -rule 
exec_cmd_run : notable { - meta: - syscall = "execve" - pledge = "exec" - description = "executes external programs" - strings: - $ref = "exec.(*Cmd).Run" - $ref2 = ").CombinedOutput" - condition: - any of them +rule exec_cmd_run : medium { + meta: + syscall = "execve" + pledge = "exec" + description = "executes external programs" + hash_2023_Downloads_21b3 = "21b3e304db526e2c80df1f2da2f69ab130bdad053cb6df1e05eb487a86a19b7c" + hash_2023_Downloads_21ca = "21ca44d382102e0ae33d02f499a5aa2a01e0749be956cbd417aae64085f28368" + hash_2023_Downloads_24b5 = "24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073" + strings: + $ref = "exec.(*Cmd).Run" + $ref2 = ").CombinedOutput" + condition: + any of them } - -rule perl_system : notable { - meta: - syscall = "execve" - pledge = "exec" - description = "executes external programs" - strings: - $ref = "system(" - condition: - all of them +rule perl_system : medium { + meta: + syscall = "execve" + pledge = "exec" + description = "executes external programs" + hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e" + hash_2023_0xShell_root = "3baa3bfaa6ed78e853828f147c3747d818590faee5eecef67748209dd3d92afb" + hash_2023_0xShell_untitled = "39b2fd6b4b2c11a9cbfc8efbb09fc14d502cde1344f52e1269228fc95b938621" + strings: + $ref = "system(" + condition: + all of them } - -rule subprocess : notable { - meta: - syscall = "execve" - pledge = "exec" - description = "execute external program" - ref = "https://man7.org/linux/man-pages/man2/execve.2.html" - strings: - $naked = "subprocess" - $val = /subprocess\.\w{1,16}[\(\"\/\w\'\.\- \,\[\]]{0,64}/ - condition: - any of them +rule subprocess : medium { + meta: + syscall = "execve" + pledge = "exec" + description = "execute external program" + ref = "https://man7.org/linux/man-pages/man2/execve.2.html" + hash_2023_Downloads_e6b6 = "e6b6cf40d605fc7a5e8ba168a8a5d8699b0879e965d2b803e29b87926cba861f" + hash_2023_Linux_Malware_Samples_03bb = 
"03bb1cfd9e45844701aabc549f530d56f162150494b629ca19d83c1c696710d7" + hash_2023_Linux_Malware_Samples_05ca = "05ca0e0228930e9ec53fe0f0b796255f1e44ab409f91bc27d20d04ad34dcb69d" + strings: + $naked = "subprocess" + $val = /subprocess\.\w{1,16}[\(\"\/\w\'\.\- \,\[\]]{0,64}/ + condition: + any of them } - -rule posix_spawn : notable { - meta: - syscall = "posix_spawn" - pledge = "exec" - description = "spawn a process" - ref = "https://man7.org/linux/man-pages/man3/posix_spawn.3.html" - strings: - $ref = "posix_spawn" - condition: - all of them +rule posix_spawn : medium { + meta: + syscall = "posix_spawn" + pledge = "exec" + description = "spawn a process" + ref = "https://man7.org/linux/man-pages/man3/posix_spawn.3.html" + hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74" + hash_2023_Downloads_45b8 = "45b8678f74d29c87e2d06410245ab6c2762b76190594cafc9543fb9db90f3d4f" + hash_2023_Downloads_Brawl_Earth = "fe3ac61c701945f833f218c98b18dca704e83df2cf1a8994603d929f25d1cce2" + strings: + $ref = "posix_spawn" + condition: + all of them } - -rule go_exec : notable { - meta: - syscall = "posix_spawn" - pledge = "exec" - description = "run external command" - ref = "https://pkg.go.dev/os/exec" - strings: - $ref = "exec_unix.go" - condition: - all of them +rule go_exec : medium { + meta: + syscall = "posix_spawn" + pledge = "exec" + description = "run external command" + ref = "https://pkg.go.dev/os/exec" + hash_2023_Downloads_21b3 = "21b3e304db526e2c80df1f2da2f69ab130bdad053cb6df1e05eb487a86a19b7c" + hash_2023_Downloads_21ca = "21ca44d382102e0ae33d02f499a5aa2a01e0749be956cbd417aae64085f28368" + hash_2023_Downloads_24b5 = "24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073" + strings: + $ref = "exec_unix.go" + condition: + all of them } -rule npm_exec : notable { - meta: - syscall = "posix_spawn" - pledge = "exec" - description = "spawn a process" - ref = "https://nodejs.org/api/child_process.html" - strings: - $child = 
"child_process" - $ref_val = /exec\([\'\"][\w \/\'\)]{0,64}/ - condition: - all of them +rule npm_exec : medium { + meta: + syscall = "posix_spawn" + pledge = "exec" + description = "spawn a process" + ref = "https://nodejs.org/api/child_process.html" + hash_2023_misc_mr_robot = "630bbcf0643d9fc9840f2f54ea4ae1ea34dc94b91ee011779c8e8c91f733c9f5" + hash_2024_2021_ua_parser_js_preinstall = "62e08e4967da57e037255d2e533b7c5d7d1f1773af2a06113470c29058b5fcd0" + strings: + $child = "child_process" + $ref_val = /exec\([\'\"][\w \/\'\)]{0,64}/ + condition: + all of them } diff --git a/rules/exec/shell_command.yara b/rules/exec/shell_command.yara index bd90303e4..7e3c196d6 100644 --- a/rules/exec/shell_command.yara +++ b/rules/exec/shell_command.yara @@ -1,11 +1,14 @@ -rule system : notable { - meta: - description = "execute a shell command" - syscalls = "fork,execl" - ref = "https://man7.org/linux/man-pages/man3/system.3.html" - strings: - $system = "system" fullword - condition: - all of them in (1200..3000) +rule system : medium { + meta: + description = "execute a shell command" + syscalls = "fork,execl" + ref = "https://man7.org/linux/man-pages/man3/system.3.html" + hash_2024_Downloads_8cad = "8cad755bcf420135c0f406fb92138dcb0c1602bf72c15ed725bd3b76062dafe5" + hash_2023_Linux_Malware_Samples_123e = "123e6d1138bfd58de1173818d82b504ef928d5a3be7756dd627c594de4aad096" + hash_2023_Linux_Malware_Samples_2bc8 = "2bc860efee229662a3c55dcf6e50d6142b3eec99c606faa1210f24541cad12f5" + strings: + $system = "system" fullword + condition: + all of them in (1200..3000) } diff --git a/rules/exec/shell_echo.yara b/rules/exec/shell_echo.yara index 91b506553..14c77b768 100644 --- a/rules/exec/shell_echo.yara +++ b/rules/exec/shell_echo.yara 
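Review bot: In the `subprocess` rule the condition `any of them` makes `$val` redundant: every match of `/subprocess\.\w{1,16}.../` also contains the literal `"subprocess"` that `$naked` matches, so `$val` never changes the verdict. Either drop `$val` or, if the intent was to require an actual call, use `$val` alone in the condition. Also, `perl_system` keys on the bare substring `"system("` with `all of them` over a single string; the name suggests Perl but the string matches any language, so `description = "executes external programs via system()"` would be more accurate than the current generic text.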
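Review bot: The `system` rule's condition `all of them in (1200..3000)` restricts the fullword `"system"` match to a fixed byte window with no explanation, and this rewrite of the whole rule was the moment to document it. Suggest a comment above `condition:` such as `// offset window assumed to cover the import/symbol tables of small ELF binaries — confirm against the listed samples`, marked as an assumption until someone verifies what the window was tuned for.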
@@ -1,12 +1,16 @@ -rule elf_calls_shell_echo : notable { - meta: - syscall = "posix_spawn" - pledge = "exec" - description = "program generates text with echo command" - ref = "https://linux.die.net/man/1/echo" - strings: - $val = /echo ['"%\w\>\/ \.]{1,64}/ - $not_echo = "not echo" - condition: - uint32(0) == 1179403647 and $val and none of ($not*) -} \ No newline at end of file + +rule elf_calls_shell_echo : medium { + meta: + syscall = "posix_spawn" + pledge = "exec" + description = "program generates text with echo command" + ref = "https://linux.die.net/man/1/echo" + hash_2024_Downloads_8cad = "8cad755bcf420135c0f406fb92138dcb0c1602bf72c15ed725bd3b76062dafe5" + hash_2024_Downloads_a031 = "a031da66c6f6cd07343d5bc99cc283528a5b7f04f97b2c33c2226a388411ec61" + hash_2023_Downloads_d920 = "d920dec25946a86aeaffd5a53ce8c3f05c9a7bac44d5c71481f497de430cb67e" + strings: + $val = /echo ['"%\w\>\/ \.]{1,64}/ + $not_echo = "not echo" + condition: + uint32(0) == 1179403647 and $val and none of ($not*) +} diff --git a/rules/exfil/discord.yara b/rules/exfil/discord.yara index aa6fa4932..ce17c31e5 100644 --- a/rules/exfil/discord.yara +++ b/rules/exfil/discord.yara 
@@ -1,10 +1,13 @@
-rule discord_bot : suspicious {
+rule discord_bot : high {
 meta:
- description = "Uses the Discord webhooks API"
- ref = "https://github.com/bartblaze/community/blob/3f3997f8c79c3605ae6d5324c8578cb12c452512/data/yara/binaries/indicator_suspicious.yar#L706"
+ description = "Uses the Discord webhooks API"
+ ref = "https://github.com/bartblaze/community/blob/3f3997f8c79c3605ae6d5324c8578cb12c452512/data/yara/binaries/indicator_high.yar#L706"
+ hash_2023_pan_chan_6896 = "6896b02503c15ffa68e17404f1c97fd53ea7b53c336a7b8b34e7767f156a9cf2"
+ hash_2023_pan_chan_73ed = "73ed0b692fda696efd5f8e33dc05210e54b17e4e4a39183c8462bcc5a3ba06cc"
+ hash_2023_pan_chan_99ed = "99ed2445553e490c912ee8493073cc4340e7c6310b0b7fc425ffe8340c551473"
 strings:
 $s1 = "discord.com/api/webhooks"
 condition:
 any of them
-}
\ No newline at end of file
+}
diff --git a/rules/exfil/sysinfo_http.yara b/rules/exfil/sysinfo_http.yara
index 6b5ea8ca6..a36e50e1c 100644
--- a/rules/exfil/sysinfo_http.yara
+++ b/rules/exfil/sysinfo_http.yara
@@ -1,10 +1,11 @@
-rule sysinfo_http : suspicious {
+rule sysinfo_http : high {
 meta:
- description = "sends host information via HTTP GET variables"
+ description = "sends host information via HTTP GET variables"
+ hash_2023_Unix_Trojan_Redxor_0a76 = "0a76c55fa88d4c134012a5136c09fb938b4be88a382f88bf2804043253b0559f"
 strings:
- $ref = "&hostname="
- $ref2 = "&uname="
+ $ref = "&hostname="
+ $ref2 = "&uname="
 condition:
- any of them
+ any of them
 }
diff --git a/rules/exfil/telegram.yara b/rules/exfil/telegram.yara
index 54552d99a..f16b76fad 100644
--- a/rules/exfil/telegram.yara
+++ b/rules/exfil/telegram.yara
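Review bot: The `ref` URL on the new side now ends in `indicator_high.yar`, which looks like the mechanical `suspicious`→`high` replacement being applied to a literal string rather than a tag; the line it replaces named `indicator_suspicious.yar`, so the reference is now broken. The same replacement hit the `ref` in the telegram.yara hunk that follows, and in rules/fs/backup/deletion.yara it renamed the rule to `high_deletion` and turned its description into `"high Shadow Copy deletion - possible ransomware"`, which no longer reads as English. Restore the original text in those three places (`.../indicator_suspicious.yar#L706`, `.../indicator_suspicious.yar#L676`, `description = "suspicious Shadow Copy deletion - possible ransomware"`) and keep only the tag on the `rule` line changed.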
@@ -1,6 +1,6 @@
-rule telegram_bot : suspicious {
+rule telegram_bot : high {
 meta:
- ref = "https://github.com/bartblaze/community/blob/3f3997f8c79c3605ae6d5324c8578cb12c452512/data/yara/binaries/indicator_suspicious.yar#L676"
+ ref = "https://github.com/bartblaze/community/blob/3f3997f8c79c3605ae6d5324c8578cb12c452512/data/yara/binaries/indicator_high.yar#L676"
 strings:
 $s1 = "api.telegram.org"
 $s1_b64 = "api.telegram.org" base64
diff --git a/rules/fs/attributes/chattr.yara b/rules/fs/attributes/chattr.yara
index a60449569..51ca09d4f 100644
--- a/rules/fs/attributes/chattr.yara
+++ b/rules/fs/attributes/chattr.yara
@@ -1,18 +1,12 @@
-rule chattr_caller : suspicious {
+
+rule chattr_caller : high {
 meta:
- hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b"
 hash_2023_usr_adxintrin_b = "a51a4ddcd092b102af94139252c898d7c1c48f322bae181bd99499a79c12c500"
 hash_2023_Sysrv_Hello_sys_x86_64 = "cd784dc1f7bd95cac84dc696d63d8c807129ef47b3ce08cd08afb7b7456a8cd3"
 hash_2023_Txt_Malware_Sustes_0e77 = "0e77291955664d2c25d5bfe617cec12a388e5389f82dee5ae4fd5c5d1f1bdefe"
- hash_2023_Unix_Coinminer_Xanthe_7ea1 = "7ea112aadebb46399a05b2f7cc258fea02f55cf2ae5257b331031448f15beb8f"
- hash_2023_Unix_Downloader_Rocke_228e = "228ec858509a928b21e88d582cb5cfaabc03f72d30f2179ef6fb232b6abdce97"
- hash_2023_Unix_Downloader_Rocke_2f64 = "2f642efdf56b30c1909c44a65ec559e1643858aaea9d5f18926ee208ec6625ed"
- hash_2023_Unix_Downloader_Rocke_6107 = "61075056b46d001e2e08f7e5de3fb9bfa2aabf8fb948c41c62666fd4fab1040f"
 strings:
 $chattr = /chattr [-\+][\w\- ]{0,32} [\w\.\/]{0,64}/
-
- // unvrelated command
- $not_chezmoi = "chezmoi chattr"
+ $not_chezmoi = "chezmoi chattr"
 condition:
 $chattr and none of ($not*)
 }
diff --git a/rules/fs/attributes/remove.yara b/rules/fs/attributes/remove.yara
index c8594d79d..f3e032b94 100644
--- a/rules/fs/attributes/remove.yara
+++ b/rules/fs/attributes/remove.yara
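Review bot: The removed `// unvrelated command` comment in chattr.yara was the only explanation of why `$not_chezmoi` exists; the new side keeps the exclusion but drops the rationale. Keep a corrected comment above the `$not_chezmoi` line, e.g. `// unrelated tool: chezmoi has its own "chattr" subcommand`, so a later reader does not remove the exclusion as noise.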
@@ -1,9 +1,13 @@
-rule remove_xattr : notable {
- meta:
- description = "remove an extended file attribute value"
- ref = "https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man2/removexattr.2.html"
- strings:
- $ref = "removexattr" fullword
- condition:
- any of them
+
+rule remove_xattr : medium {
+ meta:
+ description = "remove an extended file attribute value"
+ ref = "https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man2/removexattr.2.html"
+ hash_2024_Downloads_0f66 = "0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c"
+ hash_2024_Downloads_0f66 = "0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c"
+ hash_2024_Downloads_4b97 = "4b973335755bd8d48f34081b6d1bea9ed18ac1f68879d4b0a9211bbab8fa5ff4"
+ strings:
+ $ref = "removexattr" fullword
+ condition:
+ any of them
 }
diff --git a/rules/fs/attributes/set.yara b/rules/fs/attributes/set.yara
index 741d9bfa8..08cd333c7 100644
--- a/rules/fs/attributes/set.yara
+++ b/rules/fs/attributes/set.yara
@@ -1,9 +1,13 @@
-rule remove_xattr : notable {
- meta:
- description = "set an extended file attribute value"
- ref = "https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man2/setxattr.2.html"
- strings:
- $ref = "setxattr" fullword
- condition:
- any of them
+
+rule remove_xattr : medium {
+ meta:
+ description = "set an extended file attribute value"
+ ref = "https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man2/setxattr.2.html"
+ hash_2024_Downloads_0f66 = "0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c"
+ hash_2024_Downloads_0f66 = "0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c"
+ hash_2024_Downloads_4b97 = "4b973335755bd8d48f34081b6d1bea9ed18ac1f68879d4b0a9211bbab8fa5ff4"
+ strings:
+ $ref = "setxattr" fullword
+ condition:
+ any of them
 }
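Review bot: The new meta block of remove.yara lists `hash_2024_Downloads_0f66` twice with an identical value, so one of the two lines is redundant and should be dropped. The same duplicated pair appears in the set.yara hunk on this line. If a second sample was intended, the second entry needs its own key and hash.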
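Review bot: The rewritten rule in set.yara is still named `remove_xattr`, the same identifier remove.yara defines, and YARA rejects two rules with the same name when both files are compiled into one namespace; since this commit rewrites the whole rule header it is the natural place to fix it. Change it to `rule set_xattr : medium {` so the name matches the file and the `setxattr` string it detects.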
diff --git a/rules/fs/attributes/xattr.yara b/rules/fs/attributes/xattr.yara
index d2d56efe6..355934e01 100644
--- a/rules/fs/attributes/xattr.yara
+++ b/rules/fs/attributes/xattr.yara
@@ -1,8 +1,9 @@
-rule xattr_user : notable {
+
+rule xattr_user : medium {
 meta:
+ hash_2022_CloudMensis_WindowServer = "317ce26cae14dc9a5e4d4667f00fee771b4543e91c944580bbb136e7fe339427"
 hash_2022_CloudMensis_WindowServer_2 = "b8a61adccefb13b7058e47edcd10a127c483403cf38f7ece126954e95e86f2bd"
 hash_2022_CloudMensis_mdworker3 = "273633eee4776aef40904124ed1722a0793e6567f3009cdb037ed0a9d79c1b0b"
- hash_2022_CloudMensis_WindowServer = "317ce26cae14dc9a5e4d4667f00fee771b4543e91c944580bbb136e7fe339427"
 strings:
 $xattr_c = "xattr -c"
 $xattr_d = "xattr -d"
diff --git a/rules/fs/backup/deletion.yara b/rules/fs/backup/deletion.yara
index 1f3e116ee..eb0808082 100644
--- a/rules/fs/backup/deletion.yara
+++ b/rules/fs/backup/deletion.yara
@@ -1,6 +1,6 @@
-rule suspicious_deletion : suspicious windows {
+rule high_deletion : high windows {
 meta:
- description = "suspicious Shadow Copy deletion - possible ransomware"
+ description = "high Shadow Copy deletion - possible ransomware"
 strings:
 // extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
 $vss_admin = "vssadmin delete shadows" ascii nocase
diff --git a/rules/fs/directory-traverse.yara b/rules/fs/directory-traverse.yara
index 088bf8c32..1ed3a89bd 100644
--- a/rules/fs/directory-traverse.yara
+++ b/rules/fs/directory-traverse.yara
@@ -1,23 +1,27 @@ + rule fts { - meta: - description = "traverse filesystem hierarchy" - syscall = "openat,getdents" - pledge = "rpath" - strings: - $fts_open = "_fts_open" fullword - $fts_read = "_fts_read" fullword - $fts_children = "_fts_children" fullword - $fts_set = "_fts_set" fullword - $fts_close = "_fts_close" fullword - condition: - 2 of them + meta: + description = "traverse filesystem hierarchy" + syscall = "openat,getdents" + pledge = "rpath" + strings: + $fts_open = "_fts_open" fullword + $fts_read = "_fts_read" fullword + $fts_children = "_fts_children" fullword + $fts_set = "_fts_set" fullword + $fts_close = "_fts_close" fullword + condition: + 2 of them } -rule py_walk : notable { - meta: - description = "traverse filesystem hierarchy" - strings: - $walk = "os.walk" - condition: - any of them -} \ No newline at end of file +rule py_walk : medium { + meta: + description = "traverse filesystem hierarchy" + hash_2024_scripts_sync_csv = "aa7a7ad320421cdbeb2f488318849c3494b8ecba4e0f9c3623c3c16287cdd55a" + hash_2021_A_g = "ffb0a802fdf054d4988d68762d9922820bdc3728f0378fcd6c4ed28c06da5cf0" + hash_2023_yfinancce_0_1_setup = "3bde1e9207dd331806bf58926d842e2d0f6a82424abd38a8b708e9f4e3e12049" + strings: + $walk = "os.walk" + condition: + any of them +} diff --git a/rules/fs/file-create.yara b/rules/fs/file-create.yara index 4cc0e3ddd..df1a5533c 100644 --- a/rules/fs/file-create.yara +++ b/rules/fs/file-create.yara 
@@ -1,11 +1,14 @@ -rule creat : notable { - meta: - description = "create a new file or rewrite an existing one" - syscalls = "open" - ref = "https://man7.org/linux/man-pages/man3/creat.3p.html" - strings: - $system = "creat" fullword - condition: - all of them in (1200..3000) +rule creat : medium { + meta: + description = "create a new file or rewrite an existing one" + syscalls = "open" + ref = "https://man7.org/linux/man-pages/man3/creat.3p.html" + hash_2024_Downloads_8cad = "8cad755bcf420135c0f406fb92138dcb0c1602bf72c15ed725bd3b76062dafe5" + hash_2023_Linux_Malware_Samples_14a3 = "14a33415e95d104cf5cf1acaff9586f78f7ec3ffb26efd0683c468edeaf98fd7" + hash_2023_Linux_Malware_Samples_d0a3 = "d0a3421d977bcce8e867ec10e4790aa4b69353edf9d5ddfc3dd0480a18878a19" + strings: + $system = "creat" fullword + condition: + all of them in (1200..3000) } diff --git a/rules/fs/file-delete-forcibly.yara b/rules/fs/file-delete-forcibly.yara index 3cdf9c373..15db66dbf 100644 --- a/rules/fs/file-delete-forcibly.yara +++ b/rules/fs/file-delete-forcibly.yara 
@@ -1,25 +1,27 @@ rule rm_force { meta: - description = "Forcibly deletes files using rm" + description = "Forcibly deletes files using rm" strings: - $ref = /rm [\-\w ]{0,4}-f[ \$\w\/\.]{0,32}/ + $ref = /rm [\-\w ]{0,4}-f[ \$\w\/\.]{0,32}/ condition: - $ref + $ref } - rule rm_recursive_force : medium { meta: - description = "Forcibly recursively deletes files using rm -R" + description = "Forcibly recursively deletes files using rm -R" + hash_2023_anarchy = "1a6f8d758c6e569109a021c01cc4a5e787a9c876866c0ce5a15f07f266ec8059" + hash_2019_test_compass_test = "6647a368750892a379bb483096910fc3729312e6b2eb6bb964da8062013e300a" + hash_2019_test_sass_test = "fdcb3a53bb071031a5c44d0a7d554a085dceb9ed393a5e3940fda4471698c186" strings: - $ref = /rm -[Rr]f [ \$\w\/\.]{0,32}/ - $ref2 = /rm -f[Rr] [ \$\w\/\.]{0,32}/ + $ref = /rm -[Rr]f [ \$\w\/\.]{0,32}/ + $ref2 = /rm -f[Rr] [ \$\w\/\.]{0,32}/ condition: - any of them + any of them } -rule background_rm_rf : suspicious { +rule background_rm_rf : high { meta: ref = "https://cert.gov.ua/article/6123309" hash_2023_uacert_destructor = "50aea94a6e503d0d3f7c5aa0284746262a3d1afe092b369992070af94a4c1997" diff --git a/rules/fs/file-delete.yara b/rules/fs/file-delete.yara index 352e8240b..214803241 100644 --- a/rules/fs/file-delete.yara +++ b/rules/fs/file-delete.yara 
@@ -1,30 +1,26 @@ + rule unlink { - meta: - pledge = "wpath" - syscall = "unlink" - description = "deletes files" - ref = "https://man7.org/linux/man-pages/man2/unlink.2.html" - strings: - $unlink = "unlink" fullword - $unlinkat = "unlinkat" fullword - condition: - any of them + meta: + pledge = "wpath" + syscall = "unlink" + description = "deletes files" + ref = "https://man7.org/linux/man-pages/man2/unlink.2.html" + strings: + $unlink = "unlink" fullword + $unlinkat = "unlinkat" fullword + condition: + any of them } -rule rm_f_hardcoded_tmp_path : suspicious { +rule rm_f_hardcoded_tmp_path : high { meta: - hash_2023_Backdoors_Backdoor_Linux = "0e08cfb2d92b67ad67e7014e2e91849be3ef1b13c201b7ae928a1bab5a010b5b" - hash_2023_Backdoors_Backdoor_Linux_Rootin = "4a6a9aa068fb133bd6ef06e95a65bfadcb5b52d0281caed6ff727b9a8fa293ec" - hash_2023_Backdoors_Backdoor_Linux_Rootin = "cc6672b5825e0a5db7fd4ff8134a02653d3b432236e73f23898a10f09242e158" - hash_2023_Linux_Linux_RedMenshenBPFDoor = "228746e67078354963f2c119ca62e2cfec4e0f4daf208c9d18713f581be9ad62" - hash_2023_Mirai_Family_Mirai_Linux_Eragon2_0 = "fb443019a5206c4e4afac7cd6ec83ca3547db61e8931fd0e58f4aaf28dd6381e" - hash_2023_Mirai_Family_Mirai_Linux_yakuza = "c8175e88ccf35532184c42506c99dde75d582e276fa7c2fd46dccbf7e640e278" - hash_2023_Perl_Backdoor_Perl_Dompu = "f17b6917b835603ef24ab6926d938cbdefbfb537d43fa11965f2e2fdaf80faf6" - hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b" - ref = "https://attack.mitre.org/techniques/T1485/" + ref = "https://attack.mitre.org/techniques/T1485/" + hash_2023_BPFDoor_8b84 = "8b84336e73c6a6d154e685d3729dfa4e08e4a3f136f0b2e7c6e5970df9145e95" + hash_2023_BPFDoor_8b9d = "8b9db0bc9152628bdacc32dab01590211bee9f27d58e0f66f6a1e26aea7552a6" + hash_2023_FontOnLake_FE26CB98AA1416A8B1F6CED4AC1B5400517257B2_elf = "bcfb4d908469db43ffd8370ebca6b3e8b75470fa997ef10b7a451fa3f489acae" strings: $ref = /rm +\-[a-zA-Z]{,1}f[a-zA-Z]{,1} 
\/(tmp|var|dev)\/[\w\/\.\-\%]{0,64}/ - $not_apt = "/var/lib/apt/lists" + $not_apt = "/var/lib/apt/lists" condition: - $ref and none of ($not*) + $ref and none of ($not*) } diff --git a/rules/fs/file-make_executable.yara b/rules/fs/file-make_executable.yara index f9ea72238..c467bba33 100644 --- a/rules/fs/file-make_executable.yara +++ b/rules/fs/file-make_executable.yara 
@@ -1,28 +1,34 @@ -rule chmod_executable_plus : notable { + +rule chmod_executable_plus : medium { meta: - description = "makes file executable" + description = "makes file executable" + hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78 = "fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588" + hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b" + hash_2023_Downloads_9929 = "99296550ab836f29ab7b45f18f1a1cb17a102bb81cad83561f615f3a707887d7" strings: - $val = /chmod [\-\w ]{0,4}\+[rw]{0,2}x[ \$\@\w\/\.]{0,64}/ + $val = /chmod [\-\w ]{0,4}\+[rw]{0,2}x[ \$\@\w\/\.]{0,64}/ condition: - $val + $val } -rule chmod_executable_octal : suspicious { +rule chmod_executable_octal : high { meta: - description = "makes file executable" + description = "makes file executable" + hash_2023_Unix_Downloader_Rocke_228e = "228ec858509a928b21e88d582cb5cfaabc03f72d30f2179ef6fb232b6abdce97" + hash_2023_Unix_Downloader_Rocke_2f64 = "2f642efdf56b30c1909c44a65ec559e1643858aaea9d5f18926ee208ec6625ed" + hash_2023_Unix_Downloader_Rocke_6107 = "61075056b46d001e2e08f7e5de3fb9bfa2aabf8fb948c41c62666fd4fab1040f" strings: - $val = /chmod [\-\w ]{0,4}\+[rw]{0,2}[75][ \$\@\w\/\.]{0,64}/ + $val = /chmod [\-\w ]{0,4}\+[rw]{0,2}[75][ \$\@\w\/\.]{0,64}/ condition: - $val + $val } -rule chmod_executable_ruby : suspicious { +rule chmod_executable_ruby : high { meta: jumpcloud = "https://www.mandiant.com/resources/blog/north-korea-supply-chain" - hash_2023_jumpcloud_init = "d4918e0b1883e12408aba9eb26071038a45fb020f1a489a2b2a36ab8b225f673" + hash_2024_jumpcloud_init = "6acfc6f82f0fea6cc2484021e87fec5e47be1459e71201fbec09372236f8fc5a" strings: $chmod_7_val = /File\.chmod\(\d{0,16}7\d{0,16}/ condition: any of them } - diff --git a/rules/fs/file-permissions-setuid.yara b/rules/fs/file-permissions-setuid.yara index 0f7e785fc..18e0dc396 100644 --- a/rules/fs/file-permissions-setuid.yara 
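Review bot: The meta key `hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78` in `chmod_executable_plus` embeds a full SHA-256 as the identifier while every sibling key uses a four-hex-digit prefix, and the embedded digest is not the value the key labels. Shorten it to the repo convention, e.g. `hash_2024_Downloads_4ba7`, or whichever prefix matches the value. Separately, the `chmod_executable_octal` pattern `/chmod [\-\w ]{0,4}\+[rw]{0,2}[75][ \$\@\w\/\.]{0,64}/` requires a literal `+` before the digit; `[\-\w ]` cannot contain `+`, so octal forms such as `chmod 755` never match and only odd strings like `chmod +7...` do, which looks copied from the `+x` rule above it. Verify the pattern against the three samples now listed before relying on it.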
+++ b/rules/fs/file-permissions-setuid.yara @@ -1,12 +1,7 @@ + rule make_setuid { meta: - hash_2020_FinSpy_caglayan_macos = "d20fcffe09bcfbcd5b69f8fa506a614d1580fce14d23abe288e632e83936095a" - hash_2020_FinSpy_installer = "80d6e71c54fb3d4a904637e4d56e108a8255036cbb4760493b142889e47b951f" - hash_2020_finspy_logind_installer = "ac414a14464bf38a59b8acdfcdf1c76451c2d79da0b3f2e53c07ed1c94aeddcd" - hash_2023_OrBit_f161 = "f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8" - hash_2023_Backdoors_Backdoor_Linux_Galore_11 = "5320a828ceff981ca08b671b8f1b6da78aed7b6e1e247a2d32f3ae555a58bc2b" - hash_2023_Perl_Backdoor_Perl_Galore = "e20fb8f5899b747bcf1bc67b5fbb0e64ea2af24c676f8337f20e7aa17b1d24af" - ref = "https://en.wikipedia.org/wiki/Setuid" + ref = "https://en.wikipedia.org/wiki/Setuid" strings: $chmod_47 = "chmod 47" $chmod_s = "chmod +s" diff --git a/rules/fs/file-times-set.yara b/rules/fs/file-times-set.yara index a96478492..371eccaa0 100644 --- a/rules/fs/file-times-set.yara +++ b/rules/fs/file-times-set.yara 
@@ -1,71 +1,82 @@ -rule utimes : notable { - meta: - syscall = "utimes" - pledge = "fattr" - ref = "https://linux.die.net/man/2/utimes" - description = "change file last access and modification times" - strings: - $ref = "utimes" fullword - $ref2 = "utime" fullword - condition: - any of them -} -rule futimes : notable { - meta: - syscall = "futimes" - pledge = "fattr" - description = "change file timestamps" - ref = "https://linux.die.net/man/3/futimes" - strings: - $ref = "futimes" fullword - condition: - any of them +rule utimes : medium { + meta: + syscall = "utimes" + pledge = "fattr" + ref = "https://linux.die.net/man/2/utimes" + description = "change file last access and modification times" + hash_2023_Linux_Malware_Samples_00ae = "00ae07c9fe63b080181b8a6d59c6b3b6f9913938858829e5a42ab90fb72edf7a" + hash_2023_Linux_Malware_Samples_04b5 = "04b5e29283c60fcc255f8d2f289238430a10624e457f12f1bc866454110830a2" + hash_2023_Linux_Malware_Samples_0ad6 = "0ad6c635d583de499148b1ec46d8b39ae2785303e8b81996d3e9e47934644e73" + strings: + $ref = "utimes" fullword + $ref2 = "utime" fullword + condition: + any of them } -rule lutimes : notable { - meta: - syscall = "lutimes" - pledge = "fattr" - description = "change file timestamps" - ref = "https://linux.die.net/man/3/futimes" - strings: - $ref = "lutimes" fullword - condition: - any of them +rule futimes : medium { + meta: + syscall = "futimes" + pledge = "fattr" + description = "change file timestamps" + ref = "https://linux.die.net/man/3/futimes" + hash_2023_CoinMiner_com_adobe_acc = "fabe0b41fb5bce6bda8812197ffd74571fc9e8a5a51767bcceef37458e809c5c" + hash_2023_CoinMiner_lauth = "fe3700a52e86e250a9f38b7a5a48397196e7832fd848a7da3cc02fe52f49cdcf" + hash_2018_MonoBundle_libMonoPosixHelper = "fb5b95f9bdb10fe39b5ae9e709099809e26a3359292436f4b329b372754743f3" + strings: + $ref = "futimes" fullword + condition: + any of them } +rule lutimes : medium { + meta: + syscall = "lutimes" + pledge = "fattr" + description = "change file 
timestamps" + ref = "https://linux.die.net/man/3/futimes" + hash_2018_MonoBundle_libMonoPosixHelper = "fb5b95f9bdb10fe39b5ae9e709099809e26a3359292436f4b329b372754743f3" + hash_2018_MonoBundle_libMonoPosixHelper = "fb5b95f9bdb10fe39b5ae9e709099809e26a3359292436f4b329b372754743f3" + strings: + $ref = "lutimes" fullword + condition: + any of them +} rule utimensat { - meta: - syscall = "utimensat" - pledge = "fattr" - description = "change file timestamps with nanosecond precision" - ref = "https://linux.die.net/man/3/futimens" - strings: - $ref = "utimensat" fullword - condition: - any of them + meta: + syscall = "utimensat" + pledge = "fattr" + description = "change file timestamps with nanosecond precision" + ref = "https://linux.die.net/man/3/futimens" + strings: + $ref = "utimensat" fullword + condition: + any of them } rule futimens { - meta: - syscall = "futimens" - pledge = "fattr" - description = "change file timestamps with nanosecond precision" - ref = "https://linux.die.net/man/3/futimens" - strings: - $ref = "futimens" fullword - condition: - any of them + meta: + syscall = "futimens" + pledge = "fattr" + description = "change file timestamps with nanosecond precision" + ref = "https://linux.die.net/man/3/futimens" + strings: + $ref = "futimens" fullword + condition: + any of them } -rule shell_toucher : notable { +rule shell_toucher : medium { meta: - description = "change file timestamps" + description = "change file timestamps" + hash_2023_0xShell_root = "3baa3bfaa6ed78e853828f147c3747d818590faee5eecef67748209dd3d92afb" + hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad" + hash_2023_Linux_Malware_Samples_df3b = "df3b41b28d5e7679cddb68f92ec98bce090af0b24484b4636d7d84f579658c52" strings: - $ref = /touch [\$\%\w\-\_\.\/ ]{0,24}/ fullword - $not_touch_a = "touch a" + $ref = /touch [\$\%\w\-\_\.\/ ]{0,24}/ fullword + $not_touch_a = "touch a" condition: - $ref and none of ($not*) -} \ No newline at end of file + 
$ref and none of ($not*) +} diff --git a/rules/fs/mounts-read.yara b/rules/fs/mounts-read.yara index 2681de376..0c9a354bb 100644 --- a/rules/fs/mounts-read.yara +++ b/rules/fs/mounts-read.yara 
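Review bot: The new `lutimes` rule lists `hash_2018_MonoBundle_libMonoPosixHelper` twice with the same value, so the second line is redundant and should be dropped. It also reuses `ref = "https://linux.die.net/man/3/futimes"` from the futimes rule; that page does document lutimes together with futimes, so the link is fine, but a short `// lutimes is documented on the futimes(3) page` would mark the reuse as deliberate rather than a copy-paste leftover.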
@@ -1,33 +1,41 @@ -rule mount_files : notable { - meta: - description = "Parses active mounts (/etc/fstab, /etc/mtab)" - pledge = "stdio" - ref = "https://linux.die.net/man/3/setmntent" - strings: - $etc_fstab = "/etc/fstab" fullword - $etc_mtab = "/etc/mtab" fullword - condition: - any of them + +rule mount_files : medium { + meta: + description = "Parses active mounts (/etc/fstab, /etc/mtab)" + pledge = "stdio" + ref = "https://linux.die.net/man/3/setmntent" + hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad" + hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796" + hash_2023_Downloads_311c = "311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151" + strings: + $etc_fstab = "/etc/fstab" fullword + $etc_mtab = "/etc/mtab" fullword + condition: + any of them } -rule mntent : notable { - meta: - description = "Parses active mounts (/etc/fstab, /etc/mtab)" - pledge = "stdio" - ref = "https://linux.die.net/man/3/setmntent" - strings: - $setmntent = "setmntent" fullword - $getmntent = "getmntent" fullword - condition: - any of them +rule mntent : medium { + meta: + description = "Parses active mounts (/etc/fstab, /etc/mtab)" + pledge = "stdio" + ref = "https://linux.die.net/man/3/setmntent" + hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796" + hash_2023_Linux_Malware_Samples_00ae = "00ae07c9fe63b080181b8a6d59c6b3b6f9913938858829e5a42ab90fb72edf7a" + hash_2023_Linux_Malware_Samples_0ad6 = "0ad6c635d583de499148b1ec46d8b39ae2785303e8b81996d3e9e47934644e73" + strings: + $setmntent = "setmntent" fullword + $getmntent = "getmntent" fullword + condition: + any of them } -rule gemntinfo : notable { - meta: - description = "gets information on mounted volumes" - ref = "https://man.freebsd.org/cgi/man.cgi?query=getmntinfo&manpath=FreeBSD+12.1-RELEASE+and+Ports" - strings: - $ref = "getmntinfo" fullword - condition: - any of them +rule 
gemntinfo : medium { + meta: + description = "gets information on mounted volumes" + ref = "https://man.freebsd.org/cgi/man.cgi?query=getmntinfo&manpath=FreeBSD+12.1-RELEASE+and+Ports" + hash_2024_Downloads_4b97 = "4b973335755bd8d48f34081b6d1bea9ed18ac1f68879d4b0a9211bbab8fa5ff4" + strings: + $ref = "getmntinfo" fullword + condition: + any of them } diff --git a/rules/fs/overwrite.yara b/rules/fs/overwrite.yara index caad91973..49899a9cc 100644 --- a/rules/fs/overwrite.yara +++ b/rules/fs/overwrite.yara @@ -1,4 +1,5 @@ -rule background_dd : suspicious { + +rule background_dd : high { meta: ref = "https://cert.gov.ua/article/6123309" hash_2023_uacert_dd_bg = "171288619486905a2fdf581f24a98f4e19ae928bd31a7fc8bd9d035cb2b8368b" diff --git a/rules/fs/permission-chown.yara b/rules/fs/permission-chown.yara index aea28706d..84ed19a9b 100644 --- a/rules/fs/permission-chown.yara +++ b/rules/fs/permission-chown.yara 
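Review bot: The rewritten third rule in mounts-read.yara keeps the misspelled identifier `gemntinfo`; since the commit rewrites the whole rule, rename it to match the `getmntinfo` symbol it detects, i.e. `rule getmntinfo : medium {`. Rule names surface in scan output, so the typo propagates to anything that consumes results.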
@@ -1,47 +1,51 @@ + rule chown : harmless { - meta: - description = "May change file ownership" - pledge = "wpath" - syscall = "chown" - capability = "CAP_CHOWN" - strings: - $chown = "chown" fullword - condition: - any of them + meta: + description = "May change file ownership" + pledge = "wpath" + syscall = "chown" + capability = "CAP_CHOWN" + strings: + $chown = "chown" fullword + condition: + any of them } rule fchown { - meta: - description = "May change file ownership" - pledge = "wpath" - syscall = "fchown" - capability = "CAP_CHOWN" - strings: - $chown = "fchown" fullword - condition: - any of them + meta: + description = "May change file ownership" + pledge = "wpath" + syscall = "fchown" + capability = "CAP_CHOWN" + strings: + $chown = "fchown" fullword + condition: + any of them } rule fchownat { - meta: - description = "May change file ownership" - pledge = "wpath" - syscall = "fchown" - capability = "CAP_CHOWN" - strings: - $chown = "fchownat" fullword - condition: - any of them + meta: + description = "May change file ownership" + pledge = "wpath" + syscall = "fchown" + capability = "CAP_CHOWN" + strings: + $chown = "fchownat" fullword + condition: + any of them } -rule Chown : notable { - meta: - description = "Changes file ownership" - pledge = "wpath" - syscall = "fchown" - capability = "CAP_CHOWN" - strings: - $chown = "Chown" fullword - condition: - any of them +rule Chown : medium { + meta: + description = "Changes file ownership" + pledge = "wpath" + syscall = "fchown" + capability = "CAP_CHOWN" + hash_2023_Downloads_21b3 = "21b3e304db526e2c80df1f2da2f69ab130bdad053cb6df1e05eb487a86a19b7c" + hash_2023_Downloads_21ca = "21ca44d382102e0ae33d02f499a5aa2a01e0749be956cbd417aae64085f28368" + hash_2023_Downloads_24b5 = "24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073" + strings: + $chown = "Chown" fullword + condition: + any of them } 
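Review bot: The re-indented `fchownat` rule carries `syscall = "fchown"` although the only string it matches is `fchownat`, and the `Chown` rule copies the same `syscall = "fchown"`; the sibling `chown` and `fchown` rules set the field to the symbol they match. Set `syscall = "fchownat"` in the fchownat rule. For `Chown` (presumably a Go-style method name) the underlying call is not evident from the rule, so either confirm it or drop the field rather than carry an unverified value.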
diff --git a/rules/fs/permission-modify-dangerous.yara b/rules/fs/permission-modify-dangerous.yara index 47d8ae604..e65909497 100644 --- a/rules/fs/permission-modify-dangerous.yara +++ b/rules/fs/permission-modify-dangerous.yara @@ -1,21 +1,23 @@ -rule chmod_dangerous_val : notable { + +rule chmod_dangerous_val : medium { meta: - description = "Makes a world writeable file" + description = "Makes a world writeable file" strings: - $ref = /chmod [\-\w ]{0,4}666[ \$\w\/\.]{0,32}/ + $ref = /chmod [\-\w ]{0,4}666[ \$\w\/\.]{0,32}/ condition: - $ref + $ref } -rule chmod_dangerous_exec_val : suspicious exfil { +rule chmod_dangerous_exec_val : high exfil { meta: - description = "Makes a world writeable executable" + description = "Makes a world writeable executable" + hash_2023_APT31_1d60 = "1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2" + hash_2023_Merlin_48a7 = "48a70bd18a23fce3208195f4ad2e92fce78d37eeaa672f83af782656a4b2d07f" + hash_2023_Py_Trojan_NecroBot_0e60 = "0e600095a3c955310d27c08f98a012720caff698fe24303d7e0dcb4c5e766322" strings: - $ref = /chmod [\-\w ]{0,4}777[ \$\w\/\.]{0,32}/ - - $not_dev_shm = "chmod 1777 /dev/shm" - $not_chromium = "CHROMIUM_TIMESTAMP" + $ref = /chmod [\-\w ]{0,4}777[ \$\w\/\.]{0,32}/ + $not_dev_shm = "chmod 1777 /dev/shm" + $not_chromium = "CHROMIUM_TIMESTAMP" condition: - $ref and not ($not_dev_shm and $not_chromium) + $ref and not ($not_dev_shm and $not_chromium) } - diff --git a/rules/fs/permission-modify.yara b/rules/fs/permission-modify.yara index 3f5414b7e..cb27ffe21 100644 --- a/rules/fs/permission-modify.yara +++ b/rules/fs/permission-modify.yara 
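Review bot: The exclusion in `chmod_dangerous_exec_val` is `$ref and not ($not_dev_shm and $not_chromium)`, which suppresses a match only when both markers are present, whereas every other `$not*` rule in this changeset uses `none of ($not*)`. If the conjunction is deliberate (only Chromium's own `chmod 1777 /dev/shm` setup is exempt), say so with `// exempt only Chromium's /dev/shm setup: both markers required`; if not, switch to `$ref and none of ($not*)`. The rule also carries an `exfil` tag that does not describe a permission change and may be a leftover worth confirming.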
@@ -1,28 +1,31 @@ -rule chmod : notable { - meta: - description = "modifies file permissions" - pledge = "fattr" - syscall = "chmod" - ref = "https://linux.die.net/man/1/chmod" - strings: - $chmod = "chmod" fullword - $dotChmod = "Chmod" fullword - $_setmode = "_setmode" fullword - condition: - any of them -} +rule chmod : medium { + meta: + description = "modifies file permissions" + pledge = "fattr" + syscall = "chmod" + ref = "https://linux.die.net/man/1/chmod" + hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e" + hash_2023_0xShell_adminer = "2fd7e6d8f987b243ab1839249551f62adce19704c47d3d0c8dd9e57ea5b9c6b3" + hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad" + strings: + $chmod = "chmod" fullword + $dotChmod = "Chmod" fullword + $_setmode = "_setmode" fullword + condition: + any of them +} rule fchmod : notamble { - meta: - description = "modifies file permissions" - pledge = "fattr" - syscall = "fchmodat" - ref = "https://linux.die.net/man/2/fchmodat" - strings: - $fchmod = "fchmod" fullword - $dotfchmod = ".Fchmod" fullword - $fchmodat = "fchmodat" fullword - condition: - any of them -} \ No newline at end of file + meta: + description = "modifies file permissions" + pledge = "fattr" + syscall = "fchmodat" + ref = "https://linux.die.net/man/2/fchmodat" + strings: + $fchmod = "fchmod" fullword + $dotfchmod = ".Fchmod" fullword + $fchmodat = "fchmodat" fullword + condition: + any of them +} diff --git a/rules/group/lookup.yara b/rules/group/lookup.yara index 1906cb90f..e7f60ca84 100644 --- a/rules/group/lookup.yara +++ b/rules/group/lookup.yara 
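Review bot: The context line `rule fchmod : notamble {` carries a misspelled tag that this tag-renaming commit leaves untouched; with `notable` becoming `medium` everywhere else, this rule keeps a tag no consumer will recognise and will be reported with no severity. Change it to `rule fchmod : medium {` in the same sweep.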
@@ -1,23 +1,26 @@ -rule getgrent : notable { - meta: - description = "get entry from group database" - strings: - $ref = "getgrent" fullword - $ref4 = "getgruuid" fullword - $ref5 = "setgroupent" fullword - $ref6 = "setgrent" fullword - $ref7 = "endgrent" fullword - condition: - any of them -} +rule getgrent : medium { + meta: + description = "get entry from group database" + hash_2023_Linux_Malware_Samples_1020 = "1020ce1f18a2721b873152fd9f76503dcba5af7b0dd26d80fdb11efaf4878b1a" + hash_2023_Linux_Malware_Samples_24f3 = "24f3ac76dcd4b0830a1ebd82cc9b1abe98450b8df29cb4f18f032f1077d24404" + hash_2023_Linux_Malware_Samples_43fa = "43fab92516cdfaa88945996988b7cfe987f26050516503fb2be65592379d7d7f" + strings: + $ref = "getgrent" fullword + $ref4 = "getgruuid" fullword + $ref5 = "setgroupent" fullword + $ref6 = "setgrent" fullword + $ref7 = "endgrent" fullword + condition: + any of them +} rule getgrgid_nam : harmless { - meta: - description = "get entry from group database" - strings: - $ref2 = "getgrnam" fullword - $ref3 = "getgrgid" fullword - condition: - any of them + meta: + description = "get entry from group database" + strings: + $ref2 = "getgrnam" fullword + $ref3 = "getgrgid" fullword + condition: + any of them } diff --git a/rules/hash/md5.yara b/rules/hash/md5.yara index 252a7513d..3526286b8 100644 --- a/rules/hash/md5.yara +++ b/rules/hash/md5.yara 
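Review bot: The rewritten `getgrent` rule keeps `$ref4 = "getgruuid" fullword`; I do not recognise `getgruuid` as a libc or BSD group-database function (the real lookups `getgrnam`/`getgrgid` live in the `getgrgid_nam` rule below), so this string most likely never matches. Either confirm the symbol against a real binary or drop the line; if it was a typo for `getgrgid`, that is already covered by the second rule.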
@@ -1,21 +1,25 @@
+
 rule MD5 {
 meta:
- description = "Uses the MD5 signature format"
+ description = "Uses the MD5 signature format"
 strings:
- $ref = /MD5_[\w\:]{0,16}/
- $ref2 = /md5:[\w\:]{0,16}/
+ $ref = /MD5_[\w\:]{0,16}/
+ $ref2 = /md5:[\w\:]{0,16}/
 condition:
- any of them
+ any of them
 }
-rule md5_verify : notable {
+rule md5_verify : medium {
 meta:
- description = "Verifies MD5 signatures"
+ description = "Verifies MD5 signatures"
+ hash_2024_Downloads_4b97 = "4b973335755bd8d48f34081b6d1bea9ed18ac1f68879d4b0a9211bbab8fa5ff4"
+ hash_2021_CDDS_UserAgent_v2019 = "9b71fad3280cf36501fe110e022845b29c1fb1343d5250769eada7c36bc45f70"
+ hash_2021_CDDS_UserAgent_v2021 = "d599d7814adbab0f1442f5a10074e00f3a776ce183ea924abcd6154f0d068bb4"
 strings:
- $ref = "md5 expect"
- $ref2 = "md5 mismatch"
- $ref3 = "FileMd5"
- $ref4 = "FileMD5"
+ $ref = "md5 expect"
+ $ref2 = "md5 mismatch"
+ $ref3 = "FileMd5"
+ $ref4 = "FileMD5"
 condition:
- any of them
+ any of them
 }
diff --git a/rules/hash/whirlpool.yara b/rules/hash/whirlpool.yara
index c21ac9c7b..2c67d9eef 100644
--- a/rules/hash/whirlpool.yara
+++ b/rules/hash/whirlpool.yara
@@ -1,9 +1,13 @@
-rule whirlpool : notable {
- meta:
- description = "hash function often used for cryptomining"
- ref = "https://en.wikipedia.org/wiki/Whirlpool_(hash_function)"
- strings:
- $ref = "WHIRLPOOL" fullword
- condition:
- any of them
+
+rule whirlpool : medium {
+ meta:
+ description = "hash function often used for cryptomining"
+ ref = "https://en.wikipedia.org/wiki/Whirlpool_(hash_function)"
+ hash_2023_Downloads_06ab = "06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725"
+ hash_2023_Linux_Malware_Samples_00ae = "00ae07c9fe63b080181b8a6d59c6b3b6f9913938858829e5a42ab90fb72edf7a"
+ hash_2023_Linux_Malware_Samples_0ad6 = "0ad6c635d583de499148b1ec46d8b39ae2785303e8b81996d3e9e47934644e73"
+ strings:
+ $ref = "WHIRLPOOL" fullword
+ condition:
+ any of them
 }
diff --git a/rules/kernel/apparmor.yara b/rules/kernel/apparmor.yara
index ed6a94393..55b864e12 100644
--- a/rules/kernel/apparmor.yara
+++ b/rules/kernel/apparmor.yara
@@ -1,26 +1,36 @@
-rule apparmor : notable {
+
+rule apparmor : medium {
 meta:
 description = "Mentions 'apparmor'"
+ hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b"
+ hash_2023_Unix_Downloader_Rocke_228e = "228ec858509a928b21e88d582cb5cfaabc03f72d30f2179ef6fb232b6abdce97"
+ hash_2023_Unix_Downloader_Rocke_2f64 = "2f642efdf56b30c1909c44a65ec559e1643858aaea9d5f18926ee208ec6625ed"
 strings:
- $ref = "apparmor" fullword
+ $ref = "apparmor" fullword
 condition:
- any of them
+ any of them
 }
-rule apparmor_stop : suspicious {
+rule apparmor_stop : high {
 meta:
- description = "Stops the AppArmor service"
+ description = "Stops the AppArmor service"
+ hash_2023_Unix_Downloader_Rocke_228e = "228ec858509a928b21e88d582cb5cfaabc03f72d30f2179ef6fb232b6abdce97"
+ hash_2023_Unix_Downloader_Rocke_2f64 = "2f642efdf56b30c1909c44a65ec559e1643858aaea9d5f18926ee208ec6625ed"
+ hash_2023_Unix_Downloader_Rocke_6107 = "61075056b46d001e2e08f7e5de3fb9bfa2aabf8fb948c41c62666fd4fab1040f"
 strings:
- $val = "apparmor stop"
+ $val = "apparmor stop"
 condition:
- any of them
+ any of them
 }
-rule disable_apparmor : suspicious {
+rule disable_apparmor : high {
 meta:
- description = "Disables the AppArmor service"
+ description = "Disables the AppArmor service"
+ hash_2023_Unix_Downloader_Rocke_228e = "228ec858509a928b21e88d582cb5cfaabc03f72d30f2179ef6fb232b6abdce97"
+ hash_2023_Unix_Downloader_Rocke_2f64 = "2f642efdf56b30c1909c44a65ec559e1643858aaea9d5f18926ee208ec6625ed"
+ hash_2023_Unix_Downloader_Rocke_6107 = "61075056b46d001e2e08f7e5de3fb9bfa2aabf8fb948c41c62666fd4fab1040f"
 strings:
- $val = "disable apparmor"
+ $val = "disable apparmor"
 condition:
- any of them
+ any of them
 }
diff --git a/rules/kernel/cpu-info.yara b/rules/kernel/cpu-info.yara
index a7cc29fe4..71fd5f9a8 100644
--- a/rules/kernel/cpu-info.yara
+++ b/rules/kernel/cpu-info.yara
@@ -1,35 +1,37 @@
-rule host_processor_info : notable {
- meta:
- syscall = "host_processor_info"
- description = "returns hardware processor, count"
- ref = "https://developer.apple.com/documentation/kernel/1502854-host_processor_info"
- strings:
- $ref = "host_processor_info"
- condition:
- any of them
+rule host_processor_info : medium {
+ meta:
+ syscall = "host_processor_info"
+ description = "returns hardware processor, count"
+ ref = "https://developer.apple.com/documentation/kernel/1502854-host_processor_info"
+ hash_2024_Downloads_0f66 = "0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c"
+ hash_2023_CoinMiner_com_adobe_acc = "fabe0b41fb5bce6bda8812197ffd74571fc9e8a5a51767bcceef37458e809c5c"
+ hash_2023_CoinMiner_lauth = "fe3700a52e86e250a9f38b7a5a48397196e7832fd848a7da3cc02fe52f49cdcf"
+ strings:
+ $ref = "host_processor_info"
+ condition:
+ any of them
 }
-
 rule host_processors {
- meta:
- syscall = "host_processors"
- description = "returns hardware processor, count"
- ref = "https://developer.apple.com/documentation/kernel/1502854-host_processor_info"
- strings:
- $ref = "host_processors"
- condition:
- any of them
+ meta:
+ syscall = "host_processors"
+ description = "returns hardware processor, count"
+ ref = "https://developer.apple.com/documentation/kernel/1502854-host_processor_info"
+ strings:
+ $ref = "host_processors"
+ condition:
+ any of them
 }
 rule processor_count {
- meta:
- description = "gets number of processors"
- ref = "https://man7.org/linux/man-pages/man3/get_nprocs.3.html"
- strings:
- $ref = "get_nprocs" fullword
- $ref2 = "nproc" fullword
- $ref3 = "numProcessors" fullword
- condition:
- any of them
+ meta:
+ description = "gets number of processors"
+ ref = "https://man7.org/linux/man-pages/man3/get_nprocs.3.html"
+ strings:
+ $ref = "get_nprocs" fullword
+ $ref2 = "nproc" fullword
+ $ref3 = "numProcessors" fullword
+ condition:
+ any of them
 }
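Review bot: The `ref` re-emitted on the new side of `host_processors` still points at the `host_processor_info` page (`.../1502854-host_processor_info`), which looks copied from the rule above rather than documenting `host_processors`; since the line is being rewritten anyway, point it at the documentation for `host_processors` or drop it so the two rules are not confused in triage output. The rest of the hunk is a pure re-indent and severity change.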
diff --git a/rules/kernel/dev/block-device.yara b/rules/kernel/dev/block-device.yara
index a96c64d3a..29b74f3e3 100644
--- a/rules/kernel/dev/block-device.yara
+++ b/rules/kernel/dev/block-device.yara
@@ -1,19 +1,23 @@
-rule block_devices : notable {
- meta:
- description = "works with block devices"
- strings:
- $sys_val = /\/sys\/block[\$%\w\{\}]{0,16}/
- $sys_dev_val = /\/sys\/dev\/block[\$%\w\{\}]{0,16}/
- condition:
- any of them
+
+rule block_devices : medium {
+ meta:
+ description = "works with block devices"
+ hash_2023_Linux_Malware_Samples_1020 = "1020ce1f18a2721b873152fd9f76503dcba5af7b0dd26d80fdb11efaf4878b1a"
+ hash_2023_Linux_Malware_Samples_206c = "206cc0d26617057196f1e3e8903597fd0b234c9f945263fad9ac6b1686c71d21"
+ hash_2023_Linux_Malware_Samples_24f3 = "24f3ac76dcd4b0830a1ebd82cc9b1abe98450b8df29cb4f18f032f1077d24404"
+ strings:
+ $sys_val = /\/sys\/block[\$%\w\{\}]{0,16}/
+ $sys_dev_val = /\/sys\/dev\/block[\$%\w\{\}]{0,16}/
+ condition:
+ any of them
 }
-rule dev_sd : notable {
- meta:
- capability = "CAP_SYS_RAWIO"
- description = "access raw generic block devices"
- strings:
- $val = /\/dev\/sd[\$%\w\{\}]{0,10}/
- condition:
- any of them
+rule dev_sd : medium {
+ meta:
+ capability = "CAP_SYS_RAWIO"
+ description = "access raw generic block devices"
+ strings:
+ $val = /\/dev\/sd[\$%\w\{\}]{0,10}/
+ condition:
+ any of them
 }
diff --git a/rules/kernel/dev/diskmapper.yara b/rules/kernel/dev/diskmapper.yara
index c06760964..35c4c93cb 100644
--- a/rules/kernel/dev/diskmapper.yara
+++ b/rules/kernel/dev/diskmapper.yara
@@ -1,4 +1,4 @@
-rule dev_dm : notable {
+rule dev_dm : medium {
 meta:
 capability = "CAP_SYS_RAWIO"
 description = "access raw LVM disk mapper devices"
diff --git a/rules/kernel/dev/flash_memory.yara b/rules/kernel/dev/flash_memory.yara
index 72f6740f0..a3c462c34 100644
--- a/rules/kernel/dev/flash_memory.yara
+++ b/rules/kernel/dev/flash_memory.yara
@@ -1,4 +1,4 @@
-rule dev_mtd : notable {
+rule dev_mtd : medium {
 meta:
 capability = "CAP_SYS_RAWIO"
 description = "access raw flash memory devices"
diff --git a/rules/kernel/dev/kmem.yara b/rules/kernel/dev/kmem.yara
index 8fb644b1d..94585a9b5 100644
--- a/rules/kernel/dev/kmem.yara
+++ b/rules/kernel/dev/kmem.yara
@@ -1,5 +1,5 @@
-rule kmem : suspicious {
+rule kmem : high {
 meta:
 capability = "CAP_SYS_RAWIO"
 description = "access raw kernel memory"
diff --git a/rules/kernel/dev/loopback.yara b/rules/kernel/dev/loopback.yara
index 2e6c2016e..624dd90df 100644
--- a/rules/kernel/dev/loopback.yara
+++ b/rules/kernel/dev/loopback.yara
@@ -1,9 +1,11 @@
-rule dev_loopback : notable {
- meta:
- capability = "CAP_SYS_RAWIO"
- description = "access virtual block devices (loopback)"
- strings:
- $val = /\/dev\/loop[\$%\w\{\}]{0,16}/
- condition:
- any of them
+
+rule dev_loopback : medium {
+ meta:
+ capability = "CAP_SYS_RAWIO"
+ description = "access virtual block devices (loopback)"
+ hash_2023_usr_adxintrin_b = "a51a4ddcd092b102af94139252c898d7c1c48f322bae181bd99499a79c12c500"
+ strings:
+ $val = /\/dev\/loop[\$%\w\{\}]{0,16}/
+ condition:
+ any of them
 }
diff --git a/rules/kernel/dev/mapper.yara b/rules/kernel/dev/mapper.yara
index d2489d660..84b14663c 100644
--- a/rules/kernel/dev/mapper.yara
+++ b/rules/kernel/dev/mapper.yara
@@ -1,10 +1,13 @@
-rule dev_mapper : notable {
- meta:
- description = "uses the device mapper framework"
- ref = "https://en.wikipedia.org/wiki/Device_mapper"
- strings:
- $val = /\/dev\/mapper[\$\%\w\{\}]{0,16}/
- condition:
- any of them
-}
+rule dev_mapper : medium {
+ meta:
+ description = "uses the device mapper framework"
+ ref = "https://en.wikipedia.org/wiki/Device_mapper"
+ hash_2023_init_d_halt = "c8acf18e19c56191e220e5f6d29d7c1e7f861b2be16ab8d5da693b450406fd0f"
+ hash_2023_rc_d = "30b0e00414ce76f7f64175fb133632d5c517394bc013b0efe3d8ead384d5e464"
+ hash_2023_rc0_d_S01halt = "c8acf18e19c56191e220e5f6d29d7c1e7f861b2be16ab8d5da693b450406fd0f"
+ strings:
+ $val = /\/dev\/mapper[\$\%\w\{\}]{0,16}/
+ condition:
+ any of them
+}
diff --git a/rules/kernel/dev/mem.yara b/rules/kernel/dev/mem.yara
index 63874e82f..48544eab9 100644
--- a/rules/kernel/dev/mem.yara
+++ b/rules/kernel/dev/mem.yara
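Review bot: `hash_2023_init_d_halt` and `hash_2023_rc0_d_S01halt` in `dev_mapper` carry the identical digest `c8acf18e19c56191e220e5f6d29d7c1e7f861b2be16ab8d5da693b450406fd0f`, so the second key records the same file twice (most likely one script reachable by two paths) and adds no independent sample evidence; keep one meta entry per distinct digest. The same pattern appears later in this diff in `kernel_module_loader` (module-load.yara, three keys for `663b75b0…`), `reboot_command_val` (reboot.yara, three keys for the same `c8acf18e…`), `python_platform` (platform.yara, two keys for `5deef153…`), and in `macos_platform_check` (platform.yara) and `macos_ioplatform_deviceid` (system_uuid.yara), where the exact line `hash_2024_Downloads_0f66 = "0f66a4da…"` is emitted twice. A repeated meta identifier is redundant at best and may be flagged by stricter linters, so the verbatim duplicates should be dropped.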
@@ -1,24 +1,25 @@
-rule mem : suspicious {
- meta:
- capability = "CAP_SYS_RAWIO"
- description = "access raw system memory"
- strings:
- $val = "/dev/mem"
- // entries from include/paths.h
- $not_cshell = "_PATH_CSHELL" fullword
- $not_rwho = "_PATH_RWHODIR" fullword
- condition:
- $val and none of ($not*)
+rule mem : high {
+ meta:
+ capability = "CAP_SYS_RAWIO"
+ description = "access raw system memory"
+ hash_2023_OK_ad69 = "ad69e198905a8d4a4e5c31ca8a3298a0a5d761740a5392d2abb5d6d2e966822f"
+ hash_2023_gcclib_xfitaarch = "163f78541c2fbdad128997534ecc2ad31b112f779347c526dd4e071a608de85c"
+ hash_2023_Linux_Malware_Samples_83c7 = "83c771f927a0a5faf6f6acd88ed9db800b993f25df22468b394725bd4cca4fcf"
+ strings:
+ $val = "/dev/mem"
+ $not_cshell = "_PATH_CSHELL" fullword
+ $not_rwho = "_PATH_RWHODIR" fullword
+ condition:
+ $val and none of ($not*)
 }
-rule comsvcs_minidump : suspicious {
+rule comsvcs_minidump : high {
 meta:
- description = "dump process memory using comsvcs.ddl"
- author = "Florian Roth"
+ description = "dump process memory using comsvcs.ddl"
+ author = "Florian Roth"
 strings:
- // extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
- $ref = /comsvcs(\.dll)?[, ]{1,2}(MiniDump|#24)/
+ $ref = /comsvcs(\.dll)?[, ]{1,2}(MiniDump|#24)/
 condition:
 any of them
 }
diff --git a/rules/kernel/dev/sd_mmc.yara b/rules/kernel/dev/sd_mmc.yara
index b05c47ddf..547d24329 100644
--- a/rules/kernel/dev/sd_mmc.yara
+++ b/rules/kernel/dev/sd_mmc.yara
@@ -1,4 +1,4 @@
-rule dev_mmc : suspicious {
+rule dev_mmc : high {
 meta:
 capability = "CAP_SYS_RAWIO"
 description = "access raw SD/MMC devices"
diff --git a/rules/kernel/dev/ubi.yara b/rules/kernel/dev/ubi.yara
index d07737c1d..ca26db16a 100644
--- a/rules/kernel/dev/ubi.yara
+++ b/rules/kernel/dev/ubi.yara
@@ -1,4 +1,4 @@
-rule ubi : suspicious {
+rule ubi : high {
 meta:
 capability = "CAP_SYS_RAWIO"
 description = "access raw unsorted block images (UBI)"
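Review bot: The hunk deletes the `// extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar` comment from `comsvcs_minidump` while keeping `author = "Florian Roth"`, so the attribution loses the source it points to; preserve it as meta, e.g. `ref = "https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar"`. The re-emitted description still says `comsvcs.ddl`; the library is `comsvcs.dll`, as the regex on the next string line spells it. In `mem`, the `// entries from include/paths.h` comment that explained why `$not_cshell` and `$not_rwho` exclude a file is also dropped; a one-line `// _PATH_* symbols come from include/paths.h, where /dev/mem appears as a constant` above the `$not_*` strings would keep that rationale with the exclusion.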
diff --git a/rules/kernel/hardware-info.yara b/rules/kernel/hardware-info.yara
index f3730ea89..1772f2edd 100644
--- a/rules/kernel/hardware-info.yara
+++ b/rules/kernel/hardware-info.yara
@@ -1,29 +1,22 @@
 rule sysctl_machdep {
- meta:
- description = "gets detailed hardware information using sysctl"
- strings:
- $ref = "kern.osproductversion"
- $ref2 = "machdep.cpu.vendor"
- $ref3 = "machdep.cpu.brand_string"
- $ref4 = "hw.cpufrequency"
- condition:
- 2 of them
+ meta:
+ description = "gets detailed hardware information using sysctl"
+ strings:
+ $ref = "kern.osproductversion"
+ $ref2 = "machdep.cpu.vendor"
+ $ref3 = "machdep.cpu.brand_string"
+ $ref4 = "hw.cpufrequency"
+ condition:
+ 2 of them
 }
-rule macos_hardware_profiler : notable {
+rule macos_hardware_profiler : medium {
 meta:
- description = "Gathers hardware information"
- hash_2023_DDosia_d_mac_arm64 = "21ca44d382102e0ae33d02f499a5aa2a01e0749be956cbd417aae64085f28368"
- hash_2023_amos_stealer_a = "e6b6cf40d605fc7a5e8ba168a8a5d8699b0879e965d2b803e29b87926cba861f"
- hash_2019_Macma_CDDS_at = "341bc86bc9b76ac69dca0a48a328fd37d74c96c2e37210304cfa66ccdbe72b27"
- hash_2020_FinSpy_installer = "80d6e71c54fb3d4a904637e4d56e108a8255036cbb4760493b142889e47b951f"
- hash_2017_FlashBack = "8d56d09650ebc019209a788b2d2be7c7c8b865780eee53856bafceffaf71502c"
- hash_2021_objective_see_Malware_MapperState = "919d049d5490adaaed70169ddd0537bfa2018a572e93b19801cf245f7fd28408"
- hash_2023_RustBucket_Stage_3 = "9ca914b1cfa8c0ba021b9e00bda71f36cad132f27cf16bda6d937badee66c747"
- hash_2021_miner_igtpi = "43fab92516cdfaa88945996988b7cfe987f26050516503fb2be65592379d7d7f"
- hash_2021_miner_malxmr_ccibl = "ac6818140883e0f8bf5cef9b5f965861ff64cebfe181ff025e1f0aee9c72506c"
- hash_2021_miner_qcvsu = "edff1edfc410a5f4509d09c1264ce53236096f89231d415edbe6326e4e8d3fa3"
+ description = "Gathers hardware information"
+ hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74"
+ hash_2024_Downloads_0f66 = "0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c"
+ hash_2023_Downloads_21ca = "21ca44d382102e0ae33d02f499a5aa2a01e0749be956cbd417aae64085f28368"
 strings:
 $p_system_profiler = "system_profiler SPHardwareDataType"
 $p_uuid = "IOPlatformUUID"
diff --git a/rules/kernel/kprobe.yara b/rules/kernel/kprobe.yara
index b5fd3bc85..cde5632fa 100644
--- a/rules/kernel/kprobe.yara
+++ b/rules/kernel/kprobe.yara
@@ -1,9 +1,12 @@
-rule register_kprobe : notable {
- meta:
- description = "registers a kernel probe (possibly kernel module)"
- strings:
- $ref = "register_kprobe"
- condition:
- any of them
-}
+rule register_kprobe : medium {
+ meta:
+ description = "registers a kernel probe (possibly kernel module)"
+ hash_2022_LQvKibDTq4_diamorphine = "aec68cfa75b582616c8fbce22eecf463ddb0c09b692a1b82a8de23fb0203fede"
+ hash_2023_LQvKibDTq4_diamorphine = "e93e524797907d57cb37effc8ebe14e6968f6bca899600561971e39dfd49831d"
+ hash_2023_LQvKibDTq4_diamorphine_mod = "710368bd25889cb1d61ce82ac59c4cc076ea8021f9d3c47bb6ae79ca2901bdc2"
+ strings:
+ $ref = "register_kprobe"
+ condition:
+ any of them
+}
diff --git a/rules/kernel/module-load.yara b/rules/kernel/module-load.yara
index f9289a0fc..c695e0e69 100644
--- a/rules/kernel/module-load.yara
+++ b/rules/kernel/module-load.yara
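Review bot: The rewritten hash block in `macos_hardware_profiler` replaces a descriptive key with a download-derived one for the very same digest — `hash_2023_DDosia_d_mac_arm64` becomes `hash_2023_Downloads_21ca` for `21ca44d3…` — so the family attribution the key used to carry is lost, and the Macma, FinSpy, FlashBack, MapperState, RustBucket and miner digests are removed with no replacement, which shrinks the rule's recorded evidence from ten samples to three. If the goal is key normalisation, keeping the family in the key (for example `hash_2023_DDosia_21ca`) preserves the trail; the `esxcli_caller` hunk in esxcli.yara later in this diff does the same (`hash_2023_RedAlert_redniev` becomes `hash_2023_Downloads_039e` for `039e1765…`, with the Royal, HelloKitty and Sodinokibi digests dropped). The hunk as shown ends at `$p_uuid = "IOPlatformUUID"` although its header declares 29 old lines, so the rule's `condition:` and closing brace lie outside this view.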
@@ -1,19 +1,25 @@
-rule init_module : notable {
- meta:
- description = "Load Linux kernel module"
- syscall = "init_module"
- capability = "CAP_SYS_MODULE"
- strings:
- $ref = "init_module" fullword
- condition:
- all of them
+
+rule init_module : medium {
+ meta:
+ description = "Load Linux kernel module"
+ syscall = "init_module"
+ capability = "CAP_SYS_MODULE"
+ hash_2023_Linux_Malware_Samples_5d63 = "5d637915abc98b21f94b0648c552899af67321ab06fb34e33339ae38401734cf"
+ hash_2023_Linux_Malware_Samples_b82d = "b82d4d3d7f3a31bf2ad88315f52cb544aa4d9b786e3db61fdfabd25a790de410"
+ hash_2023_LQvKibDTq4_diamorphine = "e93e524797907d57cb37effc8ebe14e6968f6bca899600561971e39dfd49831d"
+ strings:
+ $ref = "init_module" fullword
+ condition:
+ all of them
 }
-rule kernel_module_loader : suspicious {
+rule kernel_module_loader : high {
 meta:
- hash_2023_installer_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd"
+ hash_2023_init_d_vm_agent = "663b75b098890a9b8b02ee4ec568636eeb7f53414a71e2dbfbb9af477a4c7c3d"
+ hash_2023_rc0_d_K70vm_agent = "663b75b098890a9b8b02ee4ec568636eeb7f53414a71e2dbfbb9af477a4c7c3d"
+ hash_2023_rc1_d_K70vm_agent = "663b75b098890a9b8b02ee4ec568636eeb7f53414a71e2dbfbb9af477a4c7c3d"
 strings:
 $insmod = /insmod [ \$\%\w\.\/_-]{1,32}\.ko/
 condition:
 all of them
-}
\ No newline at end of file
+}
diff --git a/rules/kernel/module-unload.yara b/rules/kernel/module-unload.yara
index ba4ec456e..1408a44f6 100644
--- a/rules/kernel/module-unload.yara
+++ b/rules/kernel/module-unload.yara
@@ -1,7 +1,7 @@
-rule system_kext_unloader : suspicious {
+rule system_kext_unloader : high {
 meta:
- hash_2016_Calisto = "81c127c3cceaf44df10bb3ceb20ce1774f6a9ead0db4bd991abf39db828661cc"
+ hash_2018_Calisto = "81c127c3cceaf44df10bb3ceb20ce1774f6a9ead0db4bd991abf39db828661cc"
 strings:
 $kextunload_sys_lib_ext = "kextunload /System/Library/Extensions/"
 condition:
diff --git a/rules/kernel/module.yara b/rules/kernel/module.yara
index 14908697e..6757df40b 100644
--- a/rules/kernel/module.yara
+++ b/rules/kernel/module.yara
@@ -1,21 +1,25 @@
-rule lkm : notable {
- meta:
- description = "Contains a Linux kernel module"
- capability = "CAP_SYS_MODULE"
- strings:
- $vergmagic = "vermagic="
- $srcversion = "srcversion="
- condition:
- all of them
+
+rule lkm : medium {
+ meta:
+ description = "Contains a Linux kernel module"
+ capability = "CAP_SYS_MODULE"
+ hash_2023_Linux_Malware_Samples_5d63 = "5d637915abc98b21f94b0648c552899af67321ab06fb34e33339ae38401734cf"
+ hash_2023_LQvKibDTq4_diamorphine = "e93e524797907d57cb37effc8ebe14e6968f6bca899600561971e39dfd49831d"
+ hash_2023_LQvKibDTq4_diamorphine_mod = "e394d87045c800a63bd4d295e635ff8a03624255c3fd85fe8e6957807f1cb569"
+ strings:
+ $vergmagic = "vermagic="
+ $srcversion = "srcversion="
+ condition:
+ all of them
 }
-rule delete_module : notable {
- meta:
- description = "Unload Linux kernel module"
- syscall = "delete_module"
- capability = "CAP_SYS_MODULE"
- strings:
- $ref = "delete_module" fullword
- condition:
- all of them
+rule delete_module : medium {
+ meta:
+ description = "Unload Linux kernel module"
+ syscall = "delete_module"
+ capability = "CAP_SYS_MODULE"
+ strings:
+ $ref = "delete_module" fullword
+ condition:
+ all of them
 }
diff --git a/rules/kernel/opencl.yara b/rules/kernel/opencl.yara
index 9e5002935..90b561a69 100644
--- a/rules/kernel/opencl.yara
+++ b/rules/kernel/opencl.yara
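Review bot: `hash_2023_LQvKibDTq4_diamorphine_mod` in `lkm` is assigned the digest `e394d87045c800a63bd4d295e635ff8a03624255c3fd85fe8e6957807f1cb569`, while the identical key in `register_kprobe` (kprobe.yara, earlier in this diff) carries `710368bd25889cb1d61ce82ac59c4cc076ea8021f9d3c47bb6ae79ca2901bdc2`; one sample label now names two different files, so at least one of the two entries should be relabelled or re-checked against the source archive. The re-emitted string identifier `$vergmagic` misspells the `vermagic=` token it holds; `$vermagic = "vermagic="` keeps the name searchable against the string.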
@@ -1,9 +1,12 @@
-rule OpenCL : notable {
- meta:
- description = "support for OpenCL"
- strings:
- $ref = "OpenCL" fullword
- condition:
- any of them
-}
\ No newline at end of file
+rule OpenCL : medium {
+ meta:
+ description = "support for OpenCL"
+ hash_2023_Linux_Malware_Samples_00ae = "00ae07c9fe63b080181b8a6d59c6b3b6f9913938858829e5a42ab90fb72edf7a"
+ hash_2023_Linux_Malware_Samples_0ad6 = "0ad6c635d583de499148b1ec46d8b39ae2785303e8b81996d3e9e47934644e73"
+ hash_2023_Linux_Malware_Samples_0d79 = "0d7960a39b92dad88986deea6e5861bd00fb301e92d550c232aebb36ed010e46"
+ strings:
+ $ref = "OpenCL" fullword
+ condition:
+ any of them
+}
diff --git a/rules/kernel/platform.yara b/rules/kernel/platform.yara
index ae4039427..8dcba8d13 100644
--- a/rules/kernel/platform.yara
+++ b/rules/kernel/platform.yara
@@ -1,64 +1,75 @@
 rule uname {
- meta:
- description = "system identification"
- pledge = "sysctl"
- syscall = "sysctl"
- ref = "https://man7.org/linux/man-pages/man1/uname.1.html"
- strings:
- $uname = "uname" fullword
- $uname2 = "syscall.Uname" fullword
- condition:
- any of them
+ meta:
+ description = "system identification"
+ pledge = "sysctl"
+ syscall = "sysctl"
+ ref = "https://man7.org/linux/man-pages/man1/uname.1.html"
+ strings:
+ $uname = "uname" fullword
+ $uname2 = "syscall.Uname" fullword
+ condition:
+ any of them
 }
-rule os_release : notable {
- meta:
- description = "operating-system identification"
- pledge = "sysctl"
- syscall = "sysctl"
- ref = "https://developer.apple.com/documentation/os/1524245-os_release"
- strings:
- $ref = "os_release" fullword
- condition:
- any of them
+rule os_release : medium {
+ meta:
+ description = "operating-system identification"
+ pledge = "sysctl"
+ syscall = "sysctl"
+ ref = "https://developer.apple.com/documentation/os/1524245-os_release"
+ hash_2023_Downloads_589d = "589dbb3f678511825c310447b6aece312a4471394b3bc40dde6c75623fc108c0"
+ hash_2023_Downloads_Chrome_Update = "eed1859b90b8832281786b74dc428a01dbf226ad24b182d09650c6e7895007ea"
+ hash_2023_RustBucket_Stage_3 = "9ca914b1cfa8c0ba021b9e00bda71f36cad132f27cf16bda6d937badee66c747"
+ strings:
+ $ref = "os_release" fullword
+ condition:
+ any of them
 }
-rule macos_platform_check : notable {
- meta:
- description = "platform check"
- pledge = "sysctl"
- syscall = "sysctl"
- ref = "https://developer.apple.com/documentation/os/1524245-os_release"
- strings:
- $ref = "isPlatformOrVariantPlatformVersionAtLeast" fullword
- $ref2 = "/System/Library/CoreServices/SystemVersion.plist" fullword
- $ref3 = "IOPlatformExpertDevice" fullword
- condition:
- any of them
+rule macos_platform_check : medium {
+ meta:
+ description = "platform check"
+ pledge = "sysctl"
+ syscall = "sysctl"
+ ref = "https://developer.apple.com/documentation/os/1524245-os_release"
+ hash_2024_Downloads_0f66 = "0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c"
+ hash_2024_Downloads_0f66 = "0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c"
+ hash_2023_Downloads_21ca = "21ca44d382102e0ae33d02f499a5aa2a01e0749be956cbd417aae64085f28368"
+ strings:
+ $ref = "isPlatformOrVariantPlatformVersionAtLeast" fullword
+ $ref2 = "/System/Library/CoreServices/SystemVersion.plist" fullword
+ $ref3 = "IOPlatformExpertDevice" fullword
+ condition:
+ any of them
 }
-rule python_platform : notable {
- meta:
- description = "system platform identification"
- ref = "https://docs.python.org/3/library/platform.html"
- strings:
- $ref = "platform.dist()"
- $ref2 = "platform.platform()"
- $ref3 = "sys.platform"
- condition:
- any of them
+rule python_platform : medium {
+ meta:
+ description = "system platform identification"
+ ref = "https://docs.python.org/3/library/platform.html"
+ hash_2023_libcurl_setup = "5deef153a6095cd263d5abb2739a7b18aa9acb7fb0d542a2b7ff75b3506877ac"
+ hash_2024_aaa_bbb_ccc_setup = "5deef153a6095cd263d5abb2739a7b18aa9acb7fb0d542a2b7ff75b3506877ac"
+ hash_2023_setuptool_setuptool_setup = "50c9a683bc0aa2fbda3981bfdf0bbd4632094c801b224af60166376e479460ec"
+ strings:
+ $ref = "platform.dist()"
+ $ref2 = "platform.platform()"
+ $ref3 = "sys.platform"
+ condition:
+ any of them
 }
-
-rule npm_uname : notable {
- meta:
- description = "get system identification"
- ref = "https://nodejs.org/api/process.html"
- strings:
- $ref = "process.platform"
- $ref2 = "process.arch"
- $ref3 = "process.versions"
- condition:
- any of them
-}
\ No newline at end of file
+rule npm_uname : medium {
+ meta:
+ description = "get system identification"
+ ref = "https://nodejs.org/api/process.html"
+ hash_2023_botbait = "1b92cb3d4b562d0eb05c3b2f998e334273ce9b491bc534d73bcd0b4952ce58d2"
+ hash_2018_OSX_Dummy_script = "ced05b1f429ade707691b04f59d7929961661963311b768d438317f4d3d82953"
+ hash_2024_2021_ua_parser_js_preinstall = "62e08e4967da57e037255d2e533b7c5d7d1f1773af2a06113470c29058b5fcd0"
+ strings:
+ $ref = "process.platform"
+ $ref2 = "process.arch"
+ $ref3 = "process.versions"
+ condition:
+ any of them
+}
diff --git a/rules/kernel/ptrace.yara b/rules/kernel/ptrace.yara
index 27f7ba558..5c1d87ea9 100644
--- a/rules/kernel/ptrace.yara
+++ b/rules/kernel/ptrace.yara
@@ -1,9 +1,13 @@
-rule ptrace : notable {
- meta:
- capability = "CAP_SYS_PTRACE"
- description = "trace or modify system calls"
- strings:
- $ref = "ptrace" fullword
- condition:
- any of them
-}
\ No newline at end of file
+
+rule ptrace : medium {
+ meta:
+ capability = "CAP_SYS_PTRACE"
+ description = "trace or modify system calls"
+ hash_2023_Downloads_21b3 = "21b3e304db526e2c80df1f2da2f69ab130bdad053cb6df1e05eb487a86a19b7c"
+ hash_2023_Downloads_21ca = "21ca44d382102e0ae33d02f499a5aa2a01e0749be956cbd417aae64085f28368"
+ hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78 = "fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588"
+ strings:
+ $ref = "ptrace" fullword
+ condition:
+ any of them
+}
diff --git a/rules/kernel/reboot.yara b/rules/kernel/reboot.yara
index 89d9e7695..cbb9bedce 100644
--- a/rules/kernel/reboot.yara
+++ b/rules/kernel/reboot.yara
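Review bot: In `ptrace`, the meta key `hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78` embeds a full SHA-256 that differs from the value it is given, `fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588`, which suggests the key was generated from a file whose name was itself a hash while the recorded digest came from somewhere else; the rest of this commit uses the first four hex characters of the value as the key suffix (e.g. `hash_2023_Downloads_21ca`). Either shorten it to `hash_2024_Downloads_fd3e = "fd3e21b8…"` or confirm which of the two digests is the sample actually tested, so the evidence trail is not ambiguous.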
@@ -1,33 +1,37 @@
+
 rule _reboot : harmless {
- meta:
- capability = "CAP_SYS_BOOT"
- description = "reboot system"
- strings:
- $ref = "_reboot" fullword
- $not_master = "master_reboot"
- condition:
- $ref and none of ($not*)
+ meta:
+ capability = "CAP_SYS_BOOT"
+ description = "reboot system"
+ strings:
+ $ref = "_reboot" fullword
+ $not_master = "master_reboot"
+ condition:
+ $ref and none of ($not*)
 }
 rule kexec_load {
- meta:
- capability = "CAP_SYS_BOOT"
- description = "load a new kernel for later execution"
- strings:
- $ref = "kexec_load" fullword
- $ref2 = "kexec_file_load" fullword
- condition:
- any of them
+ meta:
+ capability = "CAP_SYS_BOOT"
+ description = "load a new kernel for later execution"
+ strings:
+ $ref = "kexec_load" fullword
+ $ref2 = "kexec_file_load" fullword
+ condition:
+ any of them
 }
-rule reboot_command_val : suspicious {
- meta:
- description = "Forcibly reboots machine"
- strings:
- $usr_sbin = "/usr/sbin/reboot" fullword
- $sbin = "/sbin/reboot" fullword
- $bin = "/bin/reboot" fullword
- $usr_bin = "/usr/bin/reboot" fullword
- condition:
- any of them
+rule reboot_command_val : high {
+ meta:
+ description = "Forcibly reboots machine"
+ hash_2023_init_d_halt = "c8acf18e19c56191e220e5f6d29d7c1e7f861b2be16ab8d5da693b450406fd0f"
+ hash_2023_rc0_d_S01halt = "c8acf18e19c56191e220e5f6d29d7c1e7f861b2be16ab8d5da693b450406fd0f"
+ hash_2023_rc6_d_S01reboot = "c8acf18e19c56191e220e5f6d29d7c1e7f861b2be16ab8d5da693b450406fd0f"
+ strings:
+ $usr_sbin = "/usr/sbin/reboot" fullword
+ $sbin = "/sbin/reboot" fullword
+ $bin = "/bin/reboot" fullword
+ $usr_bin = "/usr/bin/reboot" fullword
+ condition:
+ any of them
 }
diff --git a/rules/kernel/symbol-lookup.yara b/rules/kernel/symbol-lookup.yara
index 41aee4dd2..7e540f5c0 100644
--- a/rules/kernel/symbol-lookup.yara
+++ b/rules/kernel/symbol-lookup.yara
@@ -1,12 +1,14 @@
-rule kallsyms : suspicious {
- meta:
- description = "access unexported kernel symbols"
- ref = "https://lwn.net/Articles/813350/"
- strings:
- $ref = "kallsyms_lookup_name" fullword
-
- $not_bpf = "BPF_FUNC_kallsyms_lookup_name"
- condition:
- $ref and none of ($not*)
+rule kallsyms : high {
+ meta:
+ description = "access unexported kernel symbols"
+ ref = "https://lwn.net/Articles/813350/"
+ hash_2023_FontOnLake_1F52DB8E3FC3040C017928F5FFD99D9FA4757BF8_elf = "efbd281cebd62c70e6f5f1910051584da244e56e2a3228673e216f83bdddf0aa"
+ hash_2023_FontOnLake_27E868C0505144F0708170DF701D7C1AE8E1FAEA_elf = "d7ad1bff4c0e6d094af27b4d892b3398b48eab96b64a8f8a2392e26658c63f30"
+ hash_2023_FontOnLake_45E94ABEDAD8C0044A43FF6D72A5C44C6ABD9378_elf = "f60c1214b5091e6e4e5e7db0c16bf18a062d096c6d69fe1eb3cbd4c50c3a3ed6"
+ strings:
+ $ref = "kallsyms_lookup_name" fullword
+ $not_bpf = "BPF_FUNC_kallsyms_lookup_name"
+ condition:
+ $ref and none of ($not*)
 }
diff --git a/rules/kernel/sysctl/nmi_watchdog.yara b/rules/kernel/sysctl/nmi_watchdog.yara
index d42e094a9..a9597dad7 100644
--- a/rules/kernel/sysctl/nmi_watchdog.yara
+++ b/rules/kernel/sysctl/nmi_watchdog.yara
@@ -1,19 +1,24 @@
-rule nmi_watchdog : suspicious {
- meta:
- description = "accesses kern.nmi_watchdog control"
- strings:
- $ref = "nmi_watchdog"
- condition:
- any of them
+rule nmi_watchdog : high {
+ meta:
+ description = "accesses kern.nmi_watchdog control"
+ hash_2023_Txt_Malware_Sustes_0e77 = "0e77291955664d2c25d5bfe617cec12a388e5389f82dee5ae4fd5c5d1f1bdefe"
+ hash_2023_Unix_Downloader_Rocke_228e = "228ec858509a928b21e88d582cb5cfaabc03f72d30f2179ef6fb232b6abdce97"
+ hash_2023_Unix_Downloader_Rocke_2f64 = "2f642efdf56b30c1909c44a65ec559e1643858aaea9d5f18926ee208ec6625ed"
+ strings:
+ $ref = "nmi_watchdog"
+ condition:
+ any of them
 }
-
-rule nmi_watchdog_disable : suspicious {
- meta:
- description = "disables kern.nmi_watchdog - possible miner"
- strings:
- $ref = "nmi_watchdog=0"
- condition:
- any of them
-}
\ No newline at end of file
+rule nmi_watchdog_disable : high {
+ meta:
+ description = "disables kern.nmi_watchdog - possible miner"
+ hash_2023_Txt_Malware_Sustes_0e77 = "0e77291955664d2c25d5bfe617cec12a388e5389f82dee5ae4fd5c5d1f1bdefe"
+ hash_2023_Unix_Downloader_Rocke_228e = "228ec858509a928b21e88d582cb5cfaabc03f72d30f2179ef6fb232b6abdce97"
+ hash_2023_Unix_Downloader_Rocke_2f64 = "2f642efdf56b30c1909c44a65ec559e1643858aaea9d5f18926ee208ec6625ed"
+ strings:
+ $ref = "nmi_watchdog=0"
+ condition:
+ any of them
+}
diff --git a/rules/kernel/sysctl/vm.nr_hugepages.yara b/rules/kernel/sysctl/vm.nr_hugepages.yara
index 2a9133ab0..3be3c41d8 100644
--- a/rules/kernel/sysctl/vm.nr_hugepages.yara
+++ b/rules/kernel/sysctl/vm.nr_hugepages.yara
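Review bot: Both descriptions re-emitted in this hunk name `kern.nmi_watchdog`, but the Linux sysctl these strings match is `kernel.nmi_watchdog` (exposed as `/proc/sys/kernel/nmi_watchdog`); since the lines are being rewritten, `description = "accesses kernel.nmi_watchdog control"` and `description = "disables kernel.nmi_watchdog - possible miner"` would correct them. Note also that `"nmi_watchdog=0"` is a superstring of `"nmi_watchdog"`, so every file that triggers `nmi_watchdog_disable` also triggers `nmi_watchdog`, and both now carry the same `high` tag and the same three sample digests; if the two rules are meant to convey different confidence, the plain rule should exclude the `=0` form or be left at a lower severity.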
@@ -1,9 +1,12 @@
-rule huge_pages : notable {
- meta:
- description = "accesses vm.nr_hugepages control"
- strings:
- $ref = "vm.nr_hugepages"
- condition:
- any of them
-}
\ No newline at end of file
+rule huge_pages : medium {
+ meta:
+ description = "accesses vm.nr_hugepages control"
+ hash_2023_Downloads_9929 = "99296550ab836f29ab7b45f18f1a1cb17a102bb81cad83561f615f3a707887d7"
+ hash_2023_Linux_Malware_Samples_1b1a = "1b1a56aec5b02355b90f911cdd27a35d099690fcbeb0e0622eaea831d64014d3"
+ hash_2023_Linux_Malware_Samples_1f1b = "1f1bf32f553b925963485d8bb8cc3f0344720f9e67100d610d9e3f5f6bc002a1"
+ strings:
+ $ref = "vm.nr_hugepages"
+ condition:
+ any of them
+}
diff --git a/rules/kernel/sysinfo.yara b/rules/kernel/sysinfo.yara
index dca95a662..590aa2c1a 100644
--- a/rules/kernel/sysinfo.yara
+++ b/rules/kernel/sysinfo.yara
@@ -1,11 +1,14 @@
-rule sysinfo : notable {
- meta:
- description = "get system information (load, swap)"
- syscall = "sysinfo"
- ref = "https://man7.org/linux/man-pages/man2/sysinfo.2.html"
- strings:
- $uname = "sysinfo" fullword
- condition:
- any of them
+rule sysinfo : medium {
+ meta:
+ description = "get system information (load, swap)"
+ syscall = "sysinfo"
+ ref = "https://man7.org/linux/man-pages/man2/sysinfo.2.html"
+ hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e"
+ hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796"
+ hash_2024_Downloads_0ca7 = "0ca7e0eddd11dfaefe0a0721673427dd441e29cf98064dd0f7b295eae416fe1b"
+ strings:
+ $uname = "sysinfo" fullword
+ condition:
+ any of them
 }
diff --git a/rules/kernel/system_uuid.yara b/rules/kernel/system_uuid.yara
index ad94327da..3f0fa93ae 100644
--- a/rules/kernel/system_uuid.yara
+++ b/rules/kernel/system_uuid.yara
@@ -1,9 +1,12 @@
-rule macos_platform_check : notable {
- meta:
- description = "machine unique identifier"
- strings:
- $ref = "IOPlatformUUID" fullword
- $ref2 = "DeviceIDInKeychain"
- condition:
- any of them
+rule macos_ioplatform_deviceid : medium {
+ meta:
+ description = "machine unique identifier"
+ hash_2024_Downloads_0f66 = "0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c"
+ hash_2024_Downloads_0f66 = "0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c"
+ hash_2023_Downloads_21ca = "21ca44d382102e0ae33d02f499a5aa2a01e0749be956cbd417aae64085f28368"
+ strings:
+ $ref = "IOPlatformUUID" fullword
+ $ref2 = "DeviceIDInKeychain"
+ condition:
+ any of them
 }
diff --git a/rules/malware/family/avasa-zombie.yara b/rules/malware/family/avasa-zombie.yara
index 81d789d8b..7dbb34f8d 100644
--- a/rules/malware/family/avasa-zombie.yara
+++ b/rules/malware/family/avasa-zombie.yara
@@ -1,12 +1,13 @@
+
 rule avasa_zombie : critical {
- meta:
- description = "DDoS agent: avasa-zombie (Linux/Agent.FP)"
- hash = "7c636f1c9e4d9032d66a58f263b3006788047488e00fc26997b915e9d1f174bf"
- strings:
- $avasa_zombie = "avasa-zombie" fullword
- $minecraft_motd = "MotdMethod" fullword
- $convert_attack = "ConvertAttack" fullword
- $local_attack = "localAttackStorage" fullword
- condition:
- 3 of them
+ meta:
+ description = "DDoS agent: avasa-zombie (Linux/Agent.FP)"
+ hash_2024_Downloads_7c63 = "7c636f1c9e4d9032d66a58f263b3006788047488e00fc26997b915e9d1f174bf"
+ strings:
+ $avasa_zombie = "avasa-zombie" fullword
+ $minecraft_motd = "MotdMethod" fullword
+ $convert_attack = "ConvertAttack" fullword
+ $local_attack = "localAttackStorage" fullword
+ condition:
+ 3 of them
 }
diff --git a/rules/malware/family/skuld.yara b/rules/malware/family/skuld.yara
index 5c6aaee97..c8a66ff53 100644
--- a/rules/malware/family/skuld.yara
+++ b/rules/malware/family/skuld.yara
@@ -1,10 +1,12 @@
+
 rule stealthworker : critical {
- meta:
- description = "Skuld stealer: https://github.com/hackirby/skuld/blob"
- ref = "https://github.com/hackirby/skuld"
- strings:
- $ref = "skuld" fullword
- $wallet = "walletsinjection" fullword
- condition:
- all of them
+ meta:
+ description = "Skuld stealer: https://github.com/hackirby/skuld/blob"
+ ref = "https://github.com/hackirby/skuld"
+ hash_2024_2024_GitHub_Clipper_main = "7faf316a313de14a734b784e6d2ab53dfdf1ffaab4adbbbc46f4b236738d7d0d"
+ strings:
+ $ref = "skuld" fullword
+ $wallet = "walletsinjection" fullword
+ condition:
+ all of them
 }
diff --git a/rules/malware/family/stealthworker.yara b/rules/malware/family/stealthworker.yara
index 3414af673..dfa98c39f 100644
--- a/rules/malware/family/stealthworker.yara
+++ b/rules/malware/family/stealthworker.yara
@@ -1,8 +1,10 @@
+
 rule stealthworker : critical {
- meta:
- description = "StealthWorker Worm/Trojan"
- strings:
- $ref = "StealthWorker/Worker"
- condition:
- all of them
+ meta:
+ description = "StealthWorker Worm/Trojan"
+ hash_2024_2024_GitHub_Clipper_main = "7faf316a313de14a734b784e6d2ab53dfdf1ffaab4adbbbc46f4b236738d7d0d"
+ strings:
+ $ref = "StealthWorker/Worker"
+ condition:
+ all of them
 }
diff --git a/rules/management/esxcli.yara b/rules/management/esxcli.yara
index cd8b5a11a..6602c1675 100644
--- a/rules/management/esxcli.yara
+++ b/rules/management/esxcli.yara
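Review bot: skuld.yara still declares `rule stealthworker : critical {`, the same identifier as the rule in stealthworker.yara on this line; YARA rejects duplicate rule identifiers when both files are compiled into one ruleset, so the Skuld rule should carry its own name, e.g. `rule skuld_stealer : critical {`. Both rules also now cite the same single reference sample, `hash_2024_2024_GitHub_Clipper_main`, which is surprising for two unrelated families and suggests the hash metadata was attached mechanically — worth checking that the sample trips each rule for the intended reason.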
@@ -1,12 +1,9 @@
-rule esxcli_caller : suspicious {
+rule esxcli_caller : high {
 meta:
- hash_2023_RedAlert_redniev = "039e1765de1cdec65ad5e49266ab794f8e5642adb0bdeb78d8c0b77e8b34ae09"
- hash_2023_Royal = "06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725"
- hash_2023_blackcat_x64 = "45b8678f74d29c87e2d06410245ab6c2762b76190594cafc9543fb9db90f3d4f"
- hash_2023_HelloKitty_A = "556e5cb5e4e77678110961c8d9260a726a363e00bf8d278e5302cb4bfccc3eed"
- hash_2023_Sodinokibi = "f864922f947a6bb7d894245b53795b54b9378c0f7633c521240488e86f60c2c5"
+ hash_2023_BlackCat_45b8 = "45b8678f74d29c87e2d06410245ab6c2762b76190594cafc9543fb9db90f3d4f"
 hash_2023_Multios_Ransomware_DarkSide_da3b = "da3bb9669fb983ad8d2ffc01aab9d56198bd9cedf2cc4387f19f4604a070a9b5"
+ hash_2023_Downloads_039e = "039e1765de1cdec65ad5e49266ab794f8e5642adb0bdeb78d8c0b77e8b34ae09"
 strings:
 $esxcli = "esxcli"
 condition:
diff --git a/rules/mem/anonymous-file.yara b/rules/mem/anonymous-file.yara
index 984fc7c89..125564f6e 100644
--- a/rules/mem/anonymous-file.yara
+++ b/rules/mem/anonymous-file.yara
@@ -1,11 +1,14 @@
-rule memfd_create : notable {
- meta:
- syscall = "memfd_create"
- description = "create an anonymous file"
- capability = "CAP_IPC_LOCK"
- strings:
- $ref = "memfd_create" fullword
- condition:
- any of them
+rule memfd_create : medium {
+ meta:
+ syscall = "memfd_create"
+ description = "create an anonymous file"
+ capability = "CAP_IPC_LOCK"
+ hash_2023_Linux_Malware_Samples_a07b = "a07bd8aedde27e776480bb375d191ce11c3a03275f6a03616b4a0bfbc1b9dfe6"
+ hash_2020_BirdMiner_arachnoidal = "904ad9bc506a09be0bb83079c07e9a93c99ba5d42ac89d444374d80efd7d8c11"
+ hash_2023_Pupy_2ab5 = "2ab59fa690e502a733aa1500a96d8e94ecb892ed9d59736cca16a09538ce7d77"
+ strings:
+ $ref = "memfd_create" fullword
+ condition:
+ any of them
 }
diff --git a/rules/net/bpf.yara b/rules/net/bpf.yara
index 60d837f96..c05ec7eeb 100644
--- a/rules/net/bpf.yara
+++ b/rules/net/bpf.yara
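Review bot: `esxcli_caller` ends up with a meta block that holds only hashes and no `description`, unlike the other rules touched in this change, so reporting tools that display the field have nothing to show for a `high` hit; add `description = "Invokes esxcli (VMware ESXi command-line interface)"` above the hash lines. The rule body continues past the hunk, so the condition is not visible here.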
@@ -1,13 +1,16 @@
-rule bpf : notable {
- meta:
- capability = "CAP_SYS_BPF"
- description = "BPF (Berkeley Packet Filter)"
- strings:
- $ref = "bpf" fullword
- $ref2 = "/dev/bpf"
- $ref3 = "SetBPF" fullword
- $ref4 = "SetsockoptSockFprog"
- condition:
- any of them
+rule bpf : medium {
+ meta:
+ capability = "CAP_SYS_BPF"
+ description = "BPF (Berkeley Packet Filter)"
+ hash_2023_Downloads_21ca = "21ca44d382102e0ae33d02f499a5aa2a01e0749be956cbd417aae64085f28368"
+ hash_2024_Downloads_3105 = "31054fb826b57c362cc0f0dbc8af15b22c029c6b9abeeee9ba8d752f3ee17d7d"
+ hash_2024_Downloads_384e = "384ec732200ab95c94c202f42b51e870f51735768888aaabc4e370de74e825e3"
+ strings:
+ $ref = "bpf" fullword
+ $ref2 = "/dev/bpf"
+ $ref3 = "SetBPF" fullword
+ $ref4 = "SetsockoptSockFprog"
+ condition:
+ any of them
 }
diff --git a/rules/net/ddos.yara b/rules/net/ddos.yara
index 91f8d6079..4c59a0fe6 100644
--- a/rules/net/ddos.yara
+++ b/rules/net/ddos.yara
@@ -1,10 +1,14 @@
+
 rule ddos_refs : critical {
- meta:
- description = "Performs DDoS (distributed denial of service) attacks"
- strings:
- $ref = "TSource Engine Query"
- $ref2 = "ackflood" fullword
- $ref3 = "synflood" fullword
- condition:
- any of them
+ meta:
+ description = "Performs DDoS (distributed denial of service) attacks"
+ hash_2023_Unix_Malware_Agent_6fbb = "6fbbbd21cd5895553e7caf2d8d77e96e5dfe88095f970a8704ce472eb1eb219b"
+ hash_2023_Unix_Trojan_Gafgyt_28e1 = "28e1a958b781f23cdea4e7ec1a1a7458c75004daaf2847362335f9d07358cf4f"
+ hash_2023_Unix_Trojan_Gafgyt_5636 = "5636cddb43765a7e9228c88bd9f5c4cef443da2add0f7b7a9b77cead9387f5db"
+ strings:
+ $ref = "TSource Engine Query"
+ $ref2 = "ackflood" fullword
+ $ref3 = "synflood" fullword
+ condition:
+ any of them
 }
diff --git a/rules/net/dial.yara b/rules/net/dial.yara
index 9247d650d..51fc563bd 100644
--- a/rules/net/dial.yara
+++ b/rules/net/dial.yara
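Review bot: `capability = "CAP_SYS_BPF"` does not name a Linux capability; the bpf() syscall is gated by CAP_BPF on Linux 5.8 and later and by CAP_SYS_ADMIN on older kernels, so the field should read `capability = "CAP_BPF"` (optionally noting the pre-5.8 fallback). Separately, `$ref = "bpf" fullword` is a three-character token that occurs in many benign networking and tracing binaries, and with `any of them` it alone fires the rule — worth keeping in mind when judging whether `medium` is the right tag.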
@@ -1,14 +1,9 @@
-rule dial_shared_screen_discovery : suspicious {
+rule dial_shared_screen_discovery : high {
 meta:
- hash_2021_trojan_Mirai_3_Gafgyt = "0afd9f52ddada582d5f907e0a8620cbdbe74ea31cf775987a5675226c1b228c2"
- hash_2021_trojan_Mirai_dclea = "206ad8fec64661c1fed8f20f71523466d0ca4ed9c01d20bea128bfe317f4395a"
- hash_2021_trojan_Mirai_leeyo = "ff2a39baf61e34f14f9c49c27faed07bdd431605b3c845ab82023c39589e6798"
- hash_2023_Linux_Malware_Samples_341a = "341a49940749d5f07d32d1c8dfddf6388a11e45244cc54bc8768a8cd7f00b46a"
- hash_2023_Linux_Malware_Samples_cbad = "cbadb658ba16ad9a635cdd984ce56bb3f39da33524aded8d40371c0e1ae9be44"
- hash_2023_Linux_Malware_Samples_dcd3 = "dcd318efe5627e07a8eda9104ede1f510e43f5c0ae7f74d411137e1174f2844b"
- hash_2023_Linux_Malware_Samples_fdcd = "fdcda1da780db220c77a44b294221a2ab9f2ca8c60f84d65e032cb5bc271e927"
 hash_2023_UPX_346d49f539e31f1caaa102385742761e4f8fbc8e7e0e9981a018d79cd908c6b2_elf_x86 = "9c33e6aad8862369c6d1e8bc87daa568dc5ff44bc49a109d8bcafdbce626556c"
+ hash_2023_UPX_5e0df7eb8b71c031a40c7c6998df3e1916411aea9a3c17f37247723caacd488c_elf_x86 = "36b793d08cb5716e5351a29b4c84ff96ceeb92b458a5283f06cec7a4e56545db"
+ hash_2023_Linux_Malware_Samples_0afd = "0afd9f52ddada582d5f907e0a8620cbdbe74ea31cf775987a5675226c1b228c2"
 strings:
 $urn_multiscreen = "urn:dial-multiscreen-org:service:dial:1"
 $not_chromium = "RasterCHROMIUM"
diff --git a/rules/net/dns-over-https.yara b/rules/net/dns-over-https.yara
index 87d62759a..f1ca90037 100644
--- a/rules/net/dns-over-https.yara
+++ b/rules/net/dns-over-https.yara
@@ -1,11 +1,15 @@
-rule doh_refs : notable {
- meta:
- description = "Supports DNS (Domain Name Service) over HTTPS"
- strings:
- $doh_Provider = "doh.Provider"
- $DnsOverHttps = "DnsOverHttps"
- $contentType = "application/dns-message"
- $dnspod = "dnspod"
- condition:
- any of them
+
+rule doh_refs : medium {
+ meta:
+ description = "Supports DNS (Domain Name Service) over HTTPS"
+ hash_2023_Downloads_21ca = "21ca44d382102e0ae33d02f499a5aa2a01e0749be956cbd417aae64085f28368"
+ hash_2023_Linux_Malware_Samples_1020 = "1020ce1f18a2721b873152fd9f76503dcba5af7b0dd26d80fdb11efaf4878b1a"
+ hash_2023_Linux_Malware_Samples_24f3 = "24f3ac76dcd4b0830a1ebd82cc9b1abe98450b8df29cb4f18f032f1077d24404"
+ strings:
+ $doh_Provider = "doh.Provider"
+ $DnsOverHttps = "DnsOverHttps"
+ $contentType = "application/dns-message"
+ $dnspod = "dnspod"
+ condition:
+ any of them
 }
diff --git a/rules/net/dns-reverse.yara b/rules/net/dns-reverse.yara
index 7b61abb5b..89d6efc0c 100644
--- a/rules/net/dns-reverse.yara
+++ b/rules/net/dns-reverse.yara
@@ -1,10 +1,14 @@
-rule in_addr_arpa : notable {
- meta:
- pledge = "inet"
- description = "looks up the reverse hostname for an IP"
- strings:
- $ref = ".in-addr.arpa"
- $ref2 = "ip6.arpa"
- condition:
- any of them
+
+rule in_addr_arpa : medium {
+ meta:
+ pledge = "inet"
+ description = "looks up the reverse hostname for an IP"
+ hash_2024_Downloads_3105 = "31054fb826b57c362cc0f0dbc8af15b22c029c6b9abeeee9ba8d752f3ee17d7d"
+ hash_2024_Downloads_a031 = "a031da66c6f6cd07343d5bc99cc283528a5b7f04f97b2c33c2226a388411ec61"
+ hash_2024_Downloads_e241 = "e241a3808e1f8c4811759e1761e2fb31ce46ad1e412d65bb1ad9e697432bd4bd"
+ strings:
+ $ref = ".in-addr.arpa"
+ $ref2 = "ip6.arpa"
+ condition:
+ any of them
 }
diff --git a/rules/net/download.yara b/rules/net/download.yara
index ac4fbd5cd..cfdbf92e8 100644
--- a/rules/net/download.yara
+++ b/rules/net/download.yara
@@ -1,13 +1,15 @@
-rule download : notable {
- meta:
- description = "download files"
- strings:
- $ref = /[a-zA-Z\-_ ]{0,16}download[a-zA-Z\-_ ]{0,16}/ fullword
- $ref2 = /[a-zA-Z\-_ ]{0,16}DOWNLOAD[a-zA-Z\-_ ]{0,16}/ fullword
- $ref3 = /[a-zA-Z\-_ ]{0,16}Download[a-zA-Z\-_ ]{0,16}/ fullword
-
- $not_be = "be downloaded"
- condition:
- any of ($ref*) and none of ($not*)
-}
\ No newline at end of file
+rule download : medium {
+ meta:
+ description = "download files"
+ hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e"
+ hash_2023_0xShell_adminer = "2fd7e6d8f987b243ab1839249551f62adce19704c47d3d0c8dd9e57ea5b9c6b3"
+ hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad"
+ strings:
+ $ref = /[a-zA-Z\-_ ]{0,16}download[a-zA-Z\-_ ]{0,16}/ fullword
+ $ref2 = /[a-zA-Z\-_ ]{0,16}DOWNLOAD[a-zA-Z\-_ ]{0,16}/ fullword
+ $ref3 = /[a-zA-Z\-_ ]{0,16}Download[a-zA-Z\-_ ]{0,16}/ fullword
+ $not_be = "be downloaded"
+ condition:
+ any of ($ref*) and none of ($not*)
+}
diff --git a/rules/net/encrypted-stream.yara b/rules/net/encrypted-stream.yara
index 9ac503432..73cdf935e 100644
--- a/rules/net/encrypted-stream.yara
+++ b/rules/net/encrypted-stream.yara
@@ -1,11 +1,13 @@
-rule go_encrypted_stream : suspicious {
- meta:
- description = "Uses github.com/nknorg/encrypted-stream to encrypt streams"
- strings:
- $ref1 = ").Encrypt"
- $ref2 = ").Decrypt"
- $ref3 = ").MaxOverhead"
- $ref4 = ").NonceSize"
- condition:
- all of them
+
+rule go_encrypted_stream : high {
+ meta:
+ description = "Uses github.com/nknorg/encrypted-stream to encrypt streams"
+ hash_2024_Downloads_384e = "384ec732200ab95c94c202f42b51e870f51735768888aaabc4e370de74e825e3"
+ strings:
+ $ref1 = ").Encrypt"
+ $ref2 = ").Decrypt"
+ $ref3 = ").MaxOverhead"
+ $ref4 = ").NonceSize"
+ condition:
+ all of them
 }
diff --git a/rules/net/fetch-insecure.yara b/rules/net/fetch-insecure.yara
index eaa4bc2c9..cfbc195e3 100644
--- a/rules/net/fetch-insecure.yara
+++ b/rules/net/fetch-insecure.yara
@@ -1,10 +1,14 @@
-rule curl_insecure_val : notable {
- meta:
- description = "Invokes curl in insecure mode"
- strings:
- $ref = /curl[\w\- ]{0,5}-k[ \-\w:\/]{0,64}/
- $ref2 = /curl[\w\- ]{0,5}--insecure[ \-\w:\/]{0,64}/
- $c_wget_insecure = /wget[\w\- ]{0,5}--no-check-certificate[\/\- \w\%\(\{\}\'\"\)\$]{0,128}/
- condition:
- any of them
+
+rule curl_insecure_val : medium {
+ meta:
+ description = "Invokes curl in insecure mode"
+ hash_2024_Downloads_a031 = "a031da66c6f6cd07343d5bc99cc283528a5b7f04f97b2c33c2226a388411ec61"
+ hash_2018_MacOS_CoinTicker = "c344730f41f52a2edabf95730389216a9327d6acc98346e5738b3eb99631634d"
+ hash_2020_Licatrade_run = "ad27ae075010795c04a6c5f1303531f3f2884962be4d741bf38ced0180710d06"
+ strings:
+ $ref = /curl[\w\- ]{0,5}-k[ \-\w:\/]{0,64}/
+ $ref2 = /curl[\w\- ]{0,5}--insecure[ \-\w:\/]{0,64}/
+ $c_wget_insecure = /wget[\w\- ]{0,5}--no-check-certificate[\/\- \w\%\(\{\}\'\"\)\$]{0,128}/
+ condition:
+ any of them
 }
diff --git a/rules/net/fetch-suspicious.yara b/rules/net/fetch-suspicious.yara
index 0dc6bef7d..abbdab826 100644
--- a/rules/net/fetch-suspicious.yara
+++ b/rules/net/fetch-suspicious.yara
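Review bot: The description says `Invokes curl in insecure mode`, but `$c_wget_insecure` matches wget's `--no-check-certificate` as well, so a wget-only hit is reported under a curl-specific description; `description = "Invokes curl or wget with TLS certificate verification disabled"` covers all three strings. The same wget pattern also appears as `$c_wget_insecure` in fetch-suspicious.yara (the next file), so one sample will trip both rules — possibly intended, but worth a `// also covered by fetch-suspicious.yara` comment if so.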
@@ -1,34 +1,29 @@
-rule curl_agent_val : suspicious {
- meta:
- description = "Invokes curl with a custom user agent"
- strings:
- $ref = /curl [\w\.\- :\"\/]{0,64}-a[ "][\w\- :\"\/]{0,64}/
- condition:
- $ref
+rule curl_agent_val : high {
+ meta:
+ description = "Invokes curl with a custom user agent"
+ strings:
+ $ref = /curl [\w\.\- :\"\/]{0,64}-a[ "][\w\- :\"\/]{0,64}/
+ condition:
+ $ref
 }
-rule urllib_oneliner : suspicious {
+rule urllib_oneliner : high {
 meta:
- hash_2023_installer_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd"
+ hash_2023_Qubitstrike_branch_raw_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd"
+ hash_2023_Qubitstrike_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd"
 strings:
 $urllib_req = "import urllib.request; urllib.request.urlretrieve"
 condition:
 any of them
 }
-rule suspicious_fetch_command_val : suspicious {
+rule high_fetch_command_val : high {
 meta:
- description = "suspicious fetch command"
- hash_2019_Macma_AgentB = "9b71fad3280cf36501fe110e022845b29c1fb1343d5250769eada7c36bc45f70"
- hash_2021_Macma_CDDS_UserAgent = "d599d7814adbab0f1442f5a10074e00f3a776ce183ea924abcd6154f0d068bb4"
- hash_2018_CookieMiner_uploadminer = "6236f77899cea6c32baf0032319353bddfecaf088d20a4b45b855a320ba41e93"
- hash_2016_Eleanor_eleanr_save = "5dbbb91467e0f6e58497ae0c0c621a84a1f250bb856f3f9f139e70dedf1a32b7"
- hash_2018_MacOS_CoinTicker = "c344730f41f52a2edabf95730389216a9327d6acc98346e5738b3eb99631634d"
- hash_2021_Gmera_Licatrade = "ad27ae075010795c04a6c5f1303531f3f2884962be4d741bf38ced0180710d06"
- hash_2021_trojan_Gafgyt_Mirai_tlduc_bashlite = "16bbeec4e23c0dc04c2507ec0d257bf97cfdd025cd86f8faf912cea824b2a5ba"
- hash_2021_trojan_Gafgyt_DDoS = "1f94aa7ad1803a08dab3442046c9d96fc3d19d62189f541b07ed732e0d62bf05"
- hash_2021_trojan_Gafgyt_23DZ = "b34bb82ef2a0f3d02b93ed069fee717bd1f9ed9832e2d51b0b2642cb0b4f3891"
+ description = "high fetch command"
+ hash_2023_Chaos_1d36 = "1d36f4bebd21a01c12fde522defee4c6b4d3d574c825ecc20a2b7a8baa122819"
+ hash_2023_Chaos_1fc4 = "1fc412b47b736f8405992e3744690b58ec4d611c550a1b4f92f08dfdad5f7a30"
+ hash_2023_Chaos_27cd = "27cdb8d8f64ce395795fdbde10cf3a08e7b217c92b7af89cde22abbf951b9e99"
 strings:
 $c_curl_d = /curl [\- \w]{0,16}-[dOok][\/\- \w\%\(\{\}\'\"\)\$]{0,128}/
 $c_curl_insecure = /curl [\- \w]{0,128}--insecure[\/\- \w\%\(\{\}\'\"\)\$]{0,128}/
@@ -36,10 +31,8 @@ rule suspicious_fetch_command_val : suspicious {
 $c_kinda_curl_silent_k = "-k --insecure"
 $c_kinda_curl_k_q = "-k -q"
 $c_wget_insecure = /wget --no-check-certificate[\/\- \w\%\(\{\}\'\"\)\$]{0,128}/
-
- $not_curl_response_code = "%{response_code}"
- $not_oh_my_zsh = "oh-my-zsh-master"
+ $not_curl_response_code = "%{response_code}"
+ $not_oh_my_zsh = "oh-my-zsh-master"
 condition:
 any of ($c*) and none of ($not*)
 }
-
diff --git a/rules/net/fetch.yara b/rules/net/fetch.yara
index d0d6864a2..de13fe42c 100644
--- a/rules/net/fetch.yara
+++ b/rules/net/fetch.yara
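Review bot: The mechanical `suspicious`→`high` replacement reached into the description: `description = "high fetch command"` no longer says anything, and the rule identifier `high_fetch_command_val` now encodes a severity level rather than what it detects. Keep the tag change but restore the wording, e.g. `rule fetch_command_val : high {` with `description = "suspicious fetch command"`, and check anything that references the old identifier `suspicious_fetch_command_val` (I cannot see such references from here). In `urllib_oneliner`, `hash_2023_Qubitstrike_branch_raw_mi` and `hash_2023_Qubitstrike_mi` carry the identical hash value, so one of the two lines is redundant.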
@@ -1,32 +1,29 @@
-rule curl_value : notable {
- meta:
- description = "Invokes curl"
- strings:
- $ref = /curl [\w\.\- :\"\/]{0,64}/
- condition:
- $ref
+rule curl_value : medium {
+ meta:
+ description = "Invokes curl"
+ hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e"
+ hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78 = "fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588"
+ hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b"
+ strings:
+ $ref = /curl [\w\.\- :\"\/]{0,64}/
+ condition:
+ $ref
 }
-rule curl_download_val : notable {
- meta:
- description = "Invokes curl to download a file"
- strings:
- $ref = /curl [\w\.\- :\"\/]{0,64}-[oO][\w\- :\"\/]{0,64}/
- condition:
- $ref
+rule curl_download_val : medium {
+ meta:
+ description = "Invokes curl to download a file"
+ hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78 = "fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588"
+ hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b"
+ hash_2023_Downloads_9929 = "99296550ab836f29ab7b45f18f1a1cb17a102bb81cad83561f615f3a707887d7"
+ strings:
+ $ref = /curl [\w\.\- :\"\/]{0,64}-[oO][\w\- :\"\/]{0,64}/
+ condition:
+ $ref
 }
 rule executable_calls_fetch_tool {
- meta:
- hash_2021_trojan_Mirai_3_Gafgyt = "0afd9f52ddada582d5f907e0a8620cbdbe74ea31cf775987a5675226c1b228c2"
- hash_2021_trojan_Gafgyt_Mirai_tlduc_bashlite = "16bbeec4e23c0dc04c2507ec0d257bf97cfdd025cd86f8faf912cea824b2a5ba"
- hash_2021_trojan_Gafgyt_DDoS = "1f94aa7ad1803a08dab3442046c9d96fc3d19d62189f541b07ed732e0d62bf05"
- hash_2023_Linux_Malware_Samples_1fce = "1fce1d5b977c38e491fe84e529a3eb5730d099a4966c753b551209f4a24524f3"
- hash_2021_trojan_Mirai_dclea = "206ad8fec64661c1fed8f20f71523466d0ca4ed9c01d20bea128bfe317f4395a"
- hash_2021_miner_xxlgo = "20e4c4893ed1faa9a50b0a4ba5fa0062d5178b635222849eeafa53e8c5c0d8c8"
- hash_2021_miner_gijuf = "24ee0e3d65b0593198fbe973a58ca54402b0879d71912f44f4b831003a5c7819"
- hash_2021_trojan_miner_oztkc = "2f85ca8f89dfb014b03afb11e5d2198a8adbae1da0fd76c81c67a81a80bf1965"
 strings:
 $t_curl = "curl -"
 $t_wget = "wget -"
diff --git a/rules/net/geoip.yara b/rules/net/geoip.yara
index 8483c2630..d95511dbe 100644
--- a/rules/net/geoip.yara
+++ b/rules/net/geoip.yara
@@ -1,6 +1,9 @@
-rule geoip_website_value : suspicious {
+
+rule geoip_website_value : high {
 meta:
- description = "public service for IP geolocation"
+ description = "public service for IP geolocation"
+ hash_2024_2021_ua_parser_js_preinstall = "156ee05a1c1c1c68441fb8eedc034c50293ff0a643a8a1c132363e612a08fa6d"
+ hash_2024_2024_GitHub_Clipper_main = "7faf316a313de14a734b784e6d2ab53dfdf1ffaab4adbbbc46f4b236738d7d0d"
 strings:
 $ipify = "ip-api.com"
 $wtfismyip = "freegeoip"
diff --git a/rules/net/http-cookies.yara b/rules/net/http-cookies.yara
index 370aa867d..7219a2329 100644
--- a/rules/net/http-cookies.yara
+++ b/rules/net/http-cookies.yara
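Review bot: After this hunk `executable_calls_fetch_tool` has no `meta` section at all — the block went out together with its hashes — so the rule has neither a description nor a severity tag while every other rule in this change gets both; add `meta:` with `description = "invokes curl or wget"` (its strings are `curl -` and `wget -`). In `curl_value` and `curl_download_val`, the key `hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78` embeds a full SHA-256 that differs from the value on the right-hand side, which is confusing to read; the short `hash_2024_Downloads_4ba7` form used elsewhere in this change would be clearer. The `executable_calls_fetch_tool` body continues outside the hunk.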
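Review bot: In `geoip_website_value` the string identifiers do not match their values — `$ipify = "ip-api.com"` and `$wtfismyip = "freegeoip"` — which looks copied from public_ip.yara and will mislabel matches in reports; `$ip_api = "ip-api.com"` and `$freegeoip = "freegeoip"` say what is actually matched. The rule body continues outside the hunk, so if the condition names these identifiers the rename must be mirrored there.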
@@ -1,14 +1,17 @@
-rule http_cookie : notable {
- meta:
- pledge = "inet"
- description = "access HTTP resources using cookies"
- ref = "https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies"
- strings:
- $Cookie = "Cookie"
- $HTTP = "HTTP"
- $http_cookie = "http_cookie"
- $http_cookie2 = "HTTP_COOKIE"
- condition:
- any of ($http_cookie*) or ($Cookie and $HTTP)
+rule http_cookie : medium {
+ meta:
+ pledge = "inet"
+ description = "access HTTP resources using cookies"
+ ref = "https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies"
+ hash_2023_0xShell_adminer = "2fd7e6d8f987b243ab1839249551f62adce19704c47d3d0c8dd9e57ea5b9c6b3"
+ hash_2019_active_controller_middleware = "9a85e7aee672b1258b3d4606f700497d351dd1e1117ceb0e818bfea7922b9a96"
+ hash_2023_1_1_6_payload = "cbe882505708c72bc468264af4ef5ae5de1b75de1f83bba4073f91568d9d20a1"
+ strings:
+ $Cookie = "Cookie"
+ $HTTP = "HTTP"
+ $http_cookie = "http_cookie"
+ $http_cookie2 = "HTTP_COOKIE"
+ condition:
+ any of ($http_cookie*) or ($Cookie and $HTTP)
 }
diff --git a/rules/net/http-form-upload.yara b/rules/net/http-form-upload.yara
index 7afa3495e..8d8339c22 100644
--- a/rules/net/http-form-upload.yara
+++ b/rules/net/http-form-upload.yara
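Review bot: The second branch of the condition, `$Cookie and $HTTP`, fires on any file containing the bare words `HTTP` and `Cookie`, which describes essentially every HTTP client and server library, so the `medium` tag will be reached by a great deal of benign software. If the intent is cookie handling rather than HTTP use in general, tightening the string to the header form, e.g. `$Cookie = "Cookie:"`, or relying on `any of ($http_cookie*)` alone would remove most of that noise.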
@@ -1,10 +1,14 @@
-rule http_form_upload : notable {
- meta:
- pledge = "inet"
- description = "upload content via HTTP form"
- strings:
- $header = "application/x-www-form-urlencoded"
- $POST = "POST" fullword
- condition:
- all of them
-}
\ No newline at end of file
+
+rule http_form_upload : medium {
+ meta:
+ pledge = "inet"
+ description = "upload content via HTTP form"
+ hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad"
+ hash_2017_package_package_setup = "79be89b218ac2160d6047c22a1161a2be048044f24e920872715e130496aec8c"
+ hash_2019_lib_restclient = "c9b67d3d9ef722facd1abce98bd7d80cec1cc1bb3e3a52c54bba91f19b5a6620"
+ strings:
+ $header = "application/x-www-form-urlencoded"
+ $POST = "POST" fullword
+ condition:
+ all of them
+}
diff --git a/rules/net/http-post.yara b/rules/net/http-post.yara
index 0d73c8947..7180f9f19 100644
--- a/rules/net/http-post.yara
+++ b/rules/net/http-post.yara
@@ -1,23 +1,25 @@
-rule http_post : notable {
- meta:
- pledge = "inet"
- description = "submit content to websites"
- strings:
- $POST = "POST"
- $h_HTTP = "HTTP"
- $http = "http"
- condition:
- $POST and any of ($h*)
+
+rule http_post : medium {
+ meta:
+ pledge = "inet"
+ description = "submit content to websites"
+ hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e"
+ hash_2023_0xShell_adminer = "2fd7e6d8f987b243ab1839249551f62adce19704c47d3d0c8dd9e57ea5b9c6b3"
+ hash_2023_0xShell_root = "3baa3bfaa6ed78e853828f147c3747d818590faee5eecef67748209dd3d92afb"
+ strings:
+ $POST = "POST"
+ $h_HTTP = "HTTP"
+ $http = "http"
+ condition:
+ $POST and any of ($h*)
 }
-rule form_data_reference : notable {
+rule form_data_reference : medium {
 meta:
- description = "submit form content to websites"
- hash_2019_trojan_NukeSped_Lazarus_AppleJeus = "e352d6ea4da596abfdf51f617584611fc9321d5a6d1c22aff243aecdef8e7e55"
- hash_2014_trojan_Lamberts_greenlambert = "af7c395426649c57e44eac0bb6c6a109ac649763065ff5b2b23db71839bac655"
- hash_2023_trojan_JokerSpy_Python = "aa951c053baf011d08f3a60a10c1d09bbac32f332413db5b38b8737558a08dc1"
- hash_2021_CoinMiner_Sysrv = "5f80945354ea8e28fa8191a37d37235ce5c5448bffb336e8db5b01719a69128f"
- hash_2023_UPX_0c25a05bdddc144fbf1ffa29372481b50ec6464592fdfb7dec95d9e1c6101d0d_elf_x86_64 = "818b80a08418f3bb4628edd4d766e4de138a58f409a89a5fdba527bab8808dd2"
+ description = "submit form content to websites"
+ hash_2019_restclient_payload = "97b4859cd7ff37977e76079c1b2dbe80adcbe80893afc6fb9876cac8d2373d10"
+ hash_2019_spec_payload_spec = "fe743cdfe68aa357cf60fc55704e20d49fd713038878dca427a47285b4bfa493"
+ hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74"
 strings:
 $f_content_dispo_name = "Content-Disposition: form-data; name="
 $f_multipart = "multipart/form-data; boundary="
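Review bot: `$http = "http"` is itself covered by the `$h*` wildcard, so `$POST and any of ($h*)` reduces to `POST` plus the substring `http` or `HTTP` — a combination present in nearly every networked program and, for the lowercase form, in any embedded URL — which makes this `medium` rule fire on a great deal of benign software. Either rename `$http` so the wildcard only selects `$h_HTTP`, or require the request-line form, e.g. `$POST = "POST /"`. `form_data_reference` continues past the end of the hunk.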
diff --git a/rules/net/http-server.yara b/rules/net/http-server.yara
index b323efded..f65f9d779 100644
--- a/rules/net/http-server.yara
+++ b/rules/net/http-server.yara
@@ -1,10 +1,14 @@
-rule http_server : notable {
- meta:
- pledge = "inet"
- description = "serves HTTP requests"
- strings:
- $gin = "gin-gonic/"
- $gin_handler = "gin.HandlerFunc"
- condition:
- any of them
+
+rule http_server : medium {
+ meta:
+ pledge = "inet"
+ description = "serves HTTP requests"
+ hash_2024_Downloads_384e = "384ec732200ab95c94c202f42b51e870f51735768888aaabc4e370de74e825e3"
+ hash_2023_Manjusaka_955e = "955e9bbcdf1cb230c5f079a08995f510a3b96224545e04c1b1f9889d57dd33c1"
+ hash_2023_Merlin_48a7 = "48a70bd18a23fce3208195f4ad2e92fce78d37eeaa672f83af782656a4b2d07f"
+ strings:
+ $gin = "gin-gonic/"
+ $gin_handler = "gin.HandlerFunc"
+ condition:
+ any of them
 }
diff --git a/rules/net/i2p.yara b/rules/net/i2p.yara
index 38642343a..0fccaf97d 100644
--- a/rules/net/i2p.yara
+++ b/rules/net/i2p.yara
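Review bot: `description = "serves HTTP requests"` promises a generic capability, but the only strings (`gin-gonic/`, `gin.HandlerFunc`) detect the Go gin framework; a Go binary using `net/http` directly, or any non-Go server, will not match, so a reader of the description will overestimate the rule's coverage. Either narrow the wording, e.g. `description = "serves HTTP requests (Go gin framework)"`, or add framework-agnostic strings if broader coverage is intended.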
@@ -1,14 +1,10 @@
-rule i2p_user : suspicious {
+
+rule i2p_user : high {
 meta:
- description = "Uses the I2P Anonymous Network"
- hash_2020_OSX_CoinMiner_xbppt = "a2909754783bb5c4fd6955bcebc356e9d6eda94f298ed3e66c7e13511275fbc4"
- hash_2023_CoinMiner_lauth = "fe3700a52e86e250a9f38b7a5a48397196e7832fd848a7da3cc02fe52f49cdcf"
- hash_2020_Prometei_B_uselvh323 = "2bc860efee229662a3c55dcf6e50d6142b3eec99c606faa1210f24541cad12f5"
- hash_2021_miner_andr_dzpsy = "64815d7c84c249e5f3b70d494791498ce85ea9a97c3edaee49ffa89809e20c6e"
- hash_2020_Prometei_lbjon = "75ea0d099494b0397697d5245ea6f2b5bf8f22bb3c3e6d6d81e736ac0dac9fbc"
- hash_2021_miner_TQ = "7955542df199c6ce4ca0bb3966dcf9cc71199c592fec38508dad58301a3298d0"
- hash_2021_miner_andr_aouid = "876b30a58a084752dbbb66cfcc003417e2be2b13fb5913612b0ca4c77837467e"
- hash_2021_miner_fdxme = "d1a95861c6b9836c0c3d8868019054931d1339ae896ad11575e99d91a358696d"
+ description = "Uses the I2P Anonymous Network"
+ hash_2023_Linux_Malware_Samples_2bc8 = "2bc860efee229662a3c55dcf6e50d6142b3eec99c606faa1210f24541cad12f5"
+ hash_2023_Linux_Malware_Samples_6481 = "64815d7c84c249e5f3b70d494791498ce85ea9a97c3edaee49ffa89809e20c6e"
+ hash_2023_Linux_Malware_Samples_75ea = "75ea0d099494b0397697d5245ea6f2b5bf8f22bb3c3e6d6d81e736ac0dac9fbc"
 strings:
 $base32_i2p_domain = ".b32.i2p"
 $other_i2p_domain = /\.[a-z]{1,128}\.i2p/
diff --git a/rules/net/interface-list.yara b/rules/net/interface-list.yara
index d11084e9f..998c91d95 100644
--- a/rules/net/interface-list.yara
+++ b/rules/net/interface-list.yara
@@ -1,12 +1,15 @@
-rule bsd_ifaddrs : notable {
- meta:
- description = "list network interfaces"
- strings:
- $getifaddrs = "getifaddrs" fullword
- $freeifaddrs = "freeifaddrs" fullword
- $ifconfig = "ifconfig" fullword
- $proc = "/proc/net/dev"
- condition:
- any of them
-}
+rule bsd_ifaddrs : medium {
+ meta:
+ description = "list network interfaces"
+ hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796"
+ hash_2024_Downloads_0f66 = "0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c"
+ hash_2023_Downloads_2f13 = "2f1321c6cf0bc3cf955e86692bfc4ba836f5580c8b1469ce35aa250c97f0076e"
+ strings:
+ $getifaddrs = "getifaddrs" fullword
+ $freeifaddrs = "freeifaddrs" fullword
+ $ifconfig = "ifconfig" fullword
+ $proc = "/proc/net/dev"
+ condition:
+ any of them
+}
diff --git a/rules/net/ip-byte-order.yara b/rules/net/ip-byte-order.yara
index 2b4ca7908..3469b68c7 100644
--- a/rules/net/ip-byte-order.yara
+++ b/rules/net/ip-byte-order.yara
@@ -1,11 +1,14 @@
-rule htonl : notable {
- meta:
- pledge = "inet"
- description = "convert values between host and network byte order"
- strings:
- $ref = "htonl" fullword
- $ref2 = "htons" fullword
- condition:
- any of them in (1300..3000)
+rule htonl : medium {
+ meta:
+ pledge = "inet"
+ description = "convert values between host and network byte order"
+ hash_2024_Downloads_0fa8a2e98ba17799d559464ab70cce2432f0adae550924e83d3a5a18fe1a9fc8 = "503fcf8b03f89483c0335c2a7637670c8dea59e21c209ab8e12a6c74f70c7f38"
+ hash_2023_Linux_Malware_Samples_123e = "123e6d1138bfd58de1173818d82b504ef928d5a3be7756dd627c594de4aad096"
+ hash_2023_Linux_Malware_Samples_2bc8 = "2bc860efee229662a3c55dcf6e50d6142b3eec99c606faa1210f24541cad12f5"
+ strings:
+ $ref = "htonl" fullword
+ $ref2 = "htons" fullword
+ condition:
+ any of them in (1300..3000)
 }
diff --git a/rules/net/ip-parse.yara b/rules/net/ip-parse.yara
index 2459c8430..fa0df7d6f 100644
--- a/rules/net/ip-parse.yara
+++ b/rules/net/ip-parse.yara
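Review bot: `any of them in (1300..3000)` in `htonl` restricts matches to a fixed file-offset window with no explanation, and the rewrite carries the magic numbers over undocumented; a reader cannot tell whether the window targets a particular header region or was tuned against specific samples, nor what happens for binaries laid out differently. Add a comment above the condition, e.g. `// TODO(review): document why only offsets 1300..3000 are considered`, or replace the numbers with a documented rationale once it is known.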
@@ -1,30 +1,40 @@
-rule inet_addr : notable {
- meta:
- pledge = "inet"
- description = "parses IP address"
- strings:
- $ref = "inet_addr"
- condition:
- any of them
+
+rule inet_addr : medium {
+ meta:
+ pledge = "inet"
+ description = "parses IP address"
+ hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796"
+ hash_2024_Downloads_0fa8a2e98ba17799d559464ab70cce2432f0adae550924e83d3a5a18fe1a9fc8 = "503fcf8b03f89483c0335c2a7637670c8dea59e21c209ab8e12a6c74f70c7f38"
+ hash_2023_Downloads_2f13 = "2f1321c6cf0bc3cf955e86692bfc4ba836f5580c8b1469ce35aa250c97f0076e"
+ strings:
+ $ref = "inet_addr"
+ condition:
+ any of them
 }
-rule inet_pton : notable {
- meta:
- pledge = "inet"
- description = "parses IP address (IPv4 or IPv6)"
- strings:
- $ref = "inet_pton"
- condition:
- any of them
+rule inet_pton : medium {
+ meta:
+ pledge = "inet"
+ description = "parses IP address (IPv4 or IPv6)"
+ hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796"
+ hash_2024_Downloads_8cad = "8cad755bcf420135c0f406fb92138dcb0c1602bf72c15ed725bd3b76062dafe5"
+ hash_2023_Downloads_b56a = "b56a89db553d4d927f661f6ff268cd94bdcfe341fd75ba4e7c464946416ac309"
+ strings:
+ $ref = "inet_pton"
+ condition:
+ any of them
 }
-rule ip_go : notable {
- meta:
- pledge = "inet"
- description = "parses IP address (IPv4 or IPv6)"
- strings:
- $ref = "IsSingleIP"
- $ref2 = "IsLinkLocalUnicast"
- condition:
- any of them
+rule ip_go : medium {
+ meta:
+ pledge = "inet"
+ description = "parses IP address (IPv4 or IPv6)"
+ hash_2023_Downloads_21b3 = "21b3e304db526e2c80df1f2da2f69ab130bdad053cb6df1e05eb487a86a19b7c"
+ hash_2023_Downloads_21ca = "21ca44d382102e0ae33d02f499a5aa2a01e0749be956cbd417aae64085f28368"
+ hash_2023_Downloads_24b5 = "24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073"
+ strings:
+ $ref = "IsSingleIP"
+ $ref2 = "IsLinkLocalUnicast"
+ condition:
+ any of them
 }
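Review bot: `ip_go` reuses `inet_pton`'s description verbatim (`parses IP address (IPv4 or IPv6)`), so the two rules are indistinguishable in a report even though `ip_go` matches Go-style IP helper method names (`IsSingleIP`, `IsLinkLocalUnicast`) rather than the libc function; `description = "parses IP address (Go-style IP helper methods)"` would tell them apart. The rule name already hints at this, but the description is what reporting tools display.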
diff --git a/rules/net/ip-string.yara b/rules/net/ip-string.yara
index f278ef379..2a6e14326 100644
--- a/rules/net/ip-string.yara
+++ b/rules/net/ip-string.yara
@@ -1,11 +1,15 @@
-rule inet_ntoa : notable {
- meta:
- pledge = "inet"
- ref = "https://linux.die.net/man/3/inet_ntoa"
- description = "converts IP address from byte to string"
- strings:
- $ref = "inet_ntoa" fullword
- $ref2 = "inet_ntop" fullword
- condition:
- any of them
+
+rule inet_ntoa : medium {
+ meta:
+ pledge = "inet"
+ ref = "https://linux.die.net/man/3/inet_ntoa"
+ description = "converts IP address from byte to string"
+ hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796"
+ hash_2024_Downloads_0f66 = "0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c"
+ hash_2024_Downloads_0fa8a2e98ba17799d559464ab70cce2432f0adae550924e83d3a5a18fe1a9fc8 = "503fcf8b03f89483c0335c2a7637670c8dea59e21c209ab8e12a6c74f70c7f38"
+ strings:
+ $ref = "inet_ntoa" fullword
+ $ref2 = "inet_ntop" fullword
+ condition:
+ any of them
 }
diff --git a/rules/net/irc.yara b/rules/net/irc.yara
index 21ddc5a9e..17e726878 100644
--- a/rules/net/irc.yara
+++ b/rules/net/irc.yara
@@ -1,12 +1,16 @@
-rule irc : suspicious {
- meta:
- pledge = "inet"
- description = "Uses IRC (Internet Relay Chat"
- strings:
- $ref = "PRIVMSG"
- $ref2 = "NOTICE %s"
- $ref3 = "NICK %s"
- $ref4 = "JOIN %s :%s"
- condition:
- any of them
+
+rule irc : high {
+ meta:
+ pledge = "inet"
+ description = "Uses IRC (Internet Relay Chat"
+ hash_2023_Unix_Trojan_Tsunami_8555 = "855557e415b485cedb9dc2c6f96d524143108aff2f84497528a8fcddf2dc86a2"
+ hash_2023_Unix_Trojan_Tsunami_d3b5 = "d3b513cb2eb19aad50a0d070f420a5f372d185ba8a715bdddcf86437c4ce6f5e"
+ hash_2023_Win_Trojan_Perl_9aed = "9aed7ab8806a90aa9fac070fbf788466c6da3d87deba92a25ac4dd1d63ce4c44"
+ strings:
+ $ref = "PRIVMSG"
+ $ref2 = "NOTICE %s"
+ $ref3 = "NICK %s"
+ $ref4 = "JOIN %s :%s"
+ condition:
+ any of them
 }
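Review bot: The `irc` description string is missing its closing parenthesis — `description = "Uses IRC (Internet Relay Chat"` — and the rewrite carries the typo over unchanged; it should read `description = "Uses IRC (Internet Relay Chat)"`. Since this is the text shown in reports, it is worth fixing while the line is already being rewritten.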
diff --git a/rules/net/listen-free_port.yara b/rules/net/listen-free_port.yara
index 7032bf078..d3c42fae1 100644
--- a/rules/net/listen-free_port.yara
+++ b/rules/net/listen-free_port.yara
@@ -1,4 +1,4 @@
-rule freeport : notable {
+rule freeport : medium {
 meta:
 description = "find open TCP port to listen at"
 strings:
diff --git a/rules/net/mac-address.yara b/rules/net/mac-address.yara
index 3881f6368..e5e38c144 100644
--- a/rules/net/mac-address.yara
+++ b/rules/net/mac-address.yara
@@ -1,10 +1,14 @@
-rule macaddr : notable {
- meta:
- description = "Retrieves network MAC address"
- strings:
- $ref = "MAC address"
- $ref2 = "get_if_mac_addr"
- $ref3 = "macAddress" fullword
- condition:
- any of them
+
+rule macaddr : medium {
+ meta:
+ description = "Retrieves network MAC address"
+ hash_2024_Downloads_0fa8a2e98ba17799d559464ab70cce2432f0adae550924e83d3a5a18fe1a9fc8 = "503fcf8b03f89483c0335c2a7637670c8dea59e21c209ab8e12a6c74f70c7f38"
+ hash_2023_Downloads_b56a = "b56a89db553d4d927f661f6ff268cd94bdcfe341fd75ba4e7c464946416ac309"
+ hash_2024_Downloads_fd0b = "fd0b5348bbfd013359f9651268ee67a265bce4e3a1cacf61956e3246bac482e8"
+ strings:
+ $ref = "MAC address"
+ $ref2 = "get_if_mac_addr"
+ $ref3 = "macAddress" fullword
+ condition:
+ any of them
 }
diff --git a/rules/net/multiplexing.yara b/rules/net/multiplexing.yara
index 8f75394aa..1861b7509 100644
--- a/rules/net/multiplexing.yara
+++ b/rules/net/multiplexing.yara
@@ -1,4 +1,4 @@
-rule go_nps_mux : suspicious {
+rule go_nps_mux : high {
 meta:
 description = "Uses github.com/smallbutstrong/nps-mux to multiplex network connections"
 strings:
diff --git a/rules/net/ntlm.yara b/rules/net/ntlm.yara
index 8c0db1fed..e9a75b2cf 100644
--- a/rules/net/ntlm.yara
+++ b/rules/net/ntlm.yara
@@ -1,6 +1,10 @@ -rule windows_ntlm : notable { + +rule windows_ntlm : medium { meta: - description = "Uses the Windows NTLM authentication scheme" + description = "Uses the Windows NTLM authentication scheme" + hash_2024_Downloads_3105 = "31054fb826b57c362cc0f0dbc8af15b22c029c6b9abeeee9ba8d752f3ee17d7d" + hash_2023_Linux_Malware_Samples_1020 = "1020ce1f18a2721b873152fd9f76503dcba5af7b0dd26d80fdb11efaf4878b1a" + hash_2023_Linux_Malware_Samples_24f3 = "24f3ac76dcd4b0830a1ebd82cc9b1abe98450b8df29cb4f18f032f1077d24404" strings: $s_ntlmssp = "ntlmssp" $s_smbhash = "SMBHASH" diff --git a/rules/net/proxy-install.yara b/rules/net/proxy-install.yara index 9572883ab..b66928838 100644 --- a/rules/net/proxy-install.yara +++ b/rules/net/proxy-install.yara @@ -1,11 +1,10 @@ + rule macos_proxy_manipulator { - meta: - hash_2018_CookieMiner_uploadminer = "6236f77899cea6c32baf0032319353bddfecaf088d20a4b45b855a320ba41e93" strings: $n_networksetup = "networksetup" $n_setwebproxy = "-setwebproxy" $n_setsecurewebproxy = "-setsecurewebproxy" - $not_networksetup = "networksetup tool" + $not_networksetup = "networksetup tool" condition: 2 of ($n_*) and none of ($not*) } diff --git a/rules/net/proxy_server.yara b/rules/net/proxy_server.yara index 81547ab4c..4a85bfbce 100644 --- a/rules/net/proxy_server.yara +++ b/rules/net/proxy_server.yara @@ -1,11 +1,11 @@ rule nps_tunnel : critical { - meta: - description = "Uses NPS, a intranet penetration proxy server" - strings: - $ref1 = ".LoadTaskFromJsonFile" - $ref2 = ".LoadHostFromJsonFile" - condition: - all of them + meta: + description = "Uses NPS, a intranet penetration proxy server" + hash_2024_Downloads_384e = "384ec732200ab95c94c202f42b51e870f51735768888aaabc4e370de74e825e3" + strings: + $ref1 = ".LoadTaskFromJsonFile" + $ref2 = ".LoadHostFromJsonFile" + condition: + all of them } - diff --git a/rules/net/public_ip.yara b/rules/net/public_ip.yara index b2bac8710..e7d35371e 100644 --- a/rules/net/public_ip.yara 
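Review bot: Removing the whole `meta:` block from `macos_proxy_manipulator` leaves it as the only rule in this set with neither a description nor a severity tag, and the CookieMiner reference it carried was its only provenance. The strings it matches (`networksetup` with `-setwebproxy` / `-setsecurewebproxy`) describe the behaviour well enough to restore a one-line header, e.g. `meta:` followed by `description = "Changes the system web proxy via networksetup"`, and the dropped `hash_2018_CookieMiner_uploadminer = "6236f77899cea6c32baf0032319353bddfecaf088d20a4b45b855a320ba41e93"` can be kept since the same hash is still referenced by `curl_upload_command` later in this diff.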
+++ b/rules/net/public_ip.yara @@ -1,19 +1,21 @@ -rule iplookup_website_value : suspicious { + +rule iplookup_website_value : high { meta: - hash_2023_stealer_hashbreaker = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74" - hash_2022_CloudMensis_WindowServer_2 = "b8a61adccefb13b7058e47edcd10a127c483403cf38f7ece126954e95e86f2bd" - description = "public service to discover external IP address" + description = "public service to discover external IP address" + hash_2023_Unix_Coinminer_Xanthe_7ea1 = "7ea112aadebb46399a05b2f7cc258fea02f55cf2ae5257b331031448f15beb8f" + hash_2023_Unix_Trojan_Ipstorm_1996 = "1996927b41960a2af8e49cf745ed6668bc5b8d7855c2bb116f98104163e29000" + hash_2023_Unix_Trojan_Ipstorm_2f6f = "2f6f44e3e2baf701ae1ee3826986f89df4e5314c8ba50615fb6580f1ef54c830" strings: $ipify = "ipify.org" $wtfismyip = "wtfismyip" $iplogger = "iplogger.org" $getjsonip = "getjsonip" - $ipconfig_me = "ifconfig.me" - $icanhazip = "icanhazip" - $ident_me = "ident.me" fullword - $showip_net = "showip.net" fullword - $ifconfig_io = "ifconfig.io" fullword - $ifconfig_co = "ifconfig.co" fullword + $ipconfig_me = "ifconfig.me" + $icanhazip = "icanhazip" + $ident_me = "ident.me" fullword + $showip_net = "showip.net" fullword + $ifconfig_io = "ifconfig.io" fullword + $ifconfig_co = "ifconfig.co" fullword $ipinfo = "ipinfo.io" $ipify_b = "ipify.org" base64 $wtfismyip_b = "wtfismyip" base64 
@@ -31,9 +33,8 @@ rule iplookup_website_value : suspicious { rule iplookup_website_base64 : critical { meta: - hash_2023_stealer_hashbreaker = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74" - hash_2022_CloudMensis_WindowServer_2 = "b8a61adccefb13b7058e47edcd10a127c483403cf38f7ece126954e95e86f2bd" - description = "public service to discover external IP address" + description = "public service to discover external IP address" + hash_2017_MacOS_AppStore = "4131d4737fe8dfe66d407bfd0a0df18a4a77b89347471cc012da8efc93c661a5" strings: $ipify_b = "ipify.org" base64 $wtfismyip_b = "wtfismyip" base64 @@ -46,9 +47,7 @@ rule iplookup_website_base64 : critical { rule iplookup_website_xor : critical { meta: - hash_2023_stealer_hashbreaker = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74" - hash_2022_CloudMensis_WindowServer_2 = "b8a61adccefb13b7058e47edcd10a127c483403cf38f7ece126954e95e86f2bd" - description = "public service to discover external IP address" + description = "public service to discover external IP address" strings: $ipify_x = "ipify.org" xor(1-255) $wtfismyip_x = "wtfismyip" xor(1-255) @@ -59,11 +58,14 @@ rule iplookup_website_xor : critical { any of them } -rule python_list_comprehension : suspicious { - meta: - description = "discover IP address via socket connection" - strings: - $ref = "[socket.socket(socket.AF_INET, socket.SOCK_DGRAM" - condition: - any of them -} \ No newline at end of file +rule python_list_comprehension : high { + meta: + description = "discover IP address via socket connection" + hash_2023_libcurl_setup = "5deef153a6095cd263d5abb2739a7b18aa9acb7fb0d542a2b7ff75b3506877ac" + hash_2024_aaa_bbb_ccc_setup = "5deef153a6095cd263d5abb2739a7b18aa9acb7fb0d542a2b7ff75b3506877ac" + hash_2024_aaa_bbb_ccc_setup = "5deef153a6095cd263d5abb2739a7b18aa9acb7fb0d542a2b7ff75b3506877ac" + strings: + $ref = "[socket.socket(socket.AF_INET, socket.SOCK_DGRAM" + condition: + any of them +} 
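Review bot: The three hash entries added to `python_list_comprehension` are the same SHA-256 (`5deef153…`) listed three times, and the key `hash_2024_aaa_bbb_ccc_setup` is itself repeated twice, so the meta block documents one sample while looking like three. Keep a single entry, e.g. `hash_2023_libcurl_setup = "5deef153a6095cd263d5abb2739a7b18aa9acb7fb0d542a2b7ff75b3506877ac"`, and drop the two duplicates. The rule name also says nothing about what it detects; `py_local_ip_via_udp_socket` would match the description better, if renaming is acceptable to downstream consumers.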
diff --git a/rules/net/raw_sockets.yara b/rules/net/raw_sockets.yara index f27640526..36fe8385a 100644 --- a/rules/net/raw_sockets.yara +++ b/rules/net/raw_sockets.yara @@ -1,18 +1,20 @@ -rule raw_sockets : notable { - meta: - description = "send raw and/or malformed IP packets" - capability = "CAP_SYS_RAW" - ref = "https://man7.org/linux/man-pages/man7/raw.7.html" - strings: - $ref = "raw socket" fullword - $hdrincl = "HDRINCL" fullword - $sock_raw = "SOCK_RAW" fullword - $ipproto_raw = "IPPROTO_RAW" fullword - $proc_net_raw = "/proc/net/raw" - $make_ip = "makeIPPacket" - $impacket = "impacket." - // $rawsock = "RawSock" - condition: - any of them +rule raw_sockets : medium { + meta: + description = "send raw and/or malformed IP packets" + capability = "CAP_SYS_RAW" + ref = "https://man7.org/linux/man-pages/man7/raw.7.html" + hash_2024_Downloads_0fa8a2e98ba17799d559464ab70cce2432f0adae550924e83d3a5a18fe1a9fc8 = "503fcf8b03f89483c0335c2a7637670c8dea59e21c209ab8e12a6c74f70c7f38" + hash_2023_Downloads_b56a = "b56a89db553d4d927f661f6ff268cd94bdcfe341fd75ba4e7c464946416ac309" + hash_2023_Linux_Malware_Samples_0638 = "063830221431f8136766f2d740df6419c8cd2f73b10e07fa30067df506592210" + strings: + $ref = "raw socket" fullword + $hdrincl = "HDRINCL" fullword + $sock_raw = "SOCK_RAW" fullword + $ipproto_raw = "IPPROTO_RAW" fullword + $proc_net_raw = "/proc/net/raw" + $make_ip = "makeIPPacket" + $impacket = "impacket." + condition: + any of them } diff --git a/rules/net/reuseport.yara b/rules/net/reuseport.yara index b8b46ad78..ae946650c 100644 --- a/rules/net/reuseport.yara +++ b/rules/net/reuseport.yara 
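Review bot: The `capability = "CAP_SYS_RAW"` line carried over into the rewritten `raw_sockets` rule names a capability that does not exist; the raw(7) page the rule itself cites requires `CAP_NET_RAW` to open a raw socket. Since the meta block is being rewritten anyway, correct it to `capability = "CAP_NET_RAW"`. Separately, `$impacket = "impacket."` matches any script importing impacket regardless of whether it touches raw sockets, which is worth a comment or a move to its own rule.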
@@ -1,11 +1,14 @@ -rule reuseport : notable { - meta: - description = "reuse TCP/IP ports for listening and connecting" - strings: - $go = "go-reuseport" - $so_readdr = "SO_REUSEADDR" - $so_report = "SO_REUSEPORT" - condition: - any of them +rule reuseport : medium { + meta: + description = "reuse TCP/IP ports for listening and connecting" + hash_2024_Downloads_e100 = "e100be934f676c64528b5e8a609c3fb5122b2db43b9aee3b2cf30052799a82da" + hash_2023_Linux_Malware_Samples_2c98 = "2c98b196a51f737f29689d16abeea620b0acfa6380bdc8e94a7a927477d81e3a" + hash_2023_Linux_Malware_Samples_2f85 = "2f85ca8f89dfb014b03afb11e5d2198a8adbae1da0fd76c81c67a81a80bf1965" + strings: + $go = "go-reuseport" + $so_readdr = "SO_REUSEADDR" + $so_report = "SO_REUSEPORT" + condition: + any of them } diff --git a/rules/net/sniffer.yara b/rules/net/sniffer.yara index 80bb7d8f9..8f81e9959 100644 --- a/rules/net/sniffer.yara +++ b/rules/net/sniffer.yara @@ -1,13 +1,9 @@ -rule pcap_user : notable { + +rule pcap_user : medium { meta: hash_2023_Linux_Malware_Samples_1384 = "1384790107a5f200cab9593a39d1c80136762b58d22d9b3f081c91d99e5d0376" hash_2023_Linux_Malware_Samples_d13f = "d13fd21514f7ee5e58343aa99bf551c6a56486731c50daefcce233fdb162def8" hash_2023_Linux_Malware_Samples_e036 = "e0367097a1450c70177bbc97f315cbb2dcb41eb1dc052f522c9e8869e084bd0f" - hash_2023_articles_https_www_intezer_com_blog_research_new_linux_threat_symbiote = "e7b5e412975f8106a1adaa1e2472ed902148a8ea49738b3741a13960e22c63a1" - hash_2023_BPFDoor_dc83 = "dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a" - hash_2023_Linux_Trojan_ShellBot_accc = "acccf2fa4e21f2cd1d7305186e4c83d6cde5ee98f1b37022b70170533e399a89" - hash_2023_MESSAGETAP_427a = "427a0860365f15c1408708c2d6ed527e4e12ad917a1fa111d190c6601148a1eb" - hash_2023_OrBit_f161 = "f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8" strings: $p_pcap_ = "pcap_" $p_PCAP_ = "PCAP_" 
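Review bot: The `pcap_user` rewrite drops the BPFDoor, Symbiote, OrBit, MESSAGETAP and ShellBot references, which are the families for which pcap-based sniffing is the defining trait, and keeps only three anonymous `Linux_Malware_Samples_*` entries. The BPFDoor sample (`dc8346bf…`) is still in the corpus — the `linux_network_filter` hunk below retains it — so this looks like an automated regeneration capped at three entries rather than a deliberate removal. Keep at least `hash_2023_BPFDoor_dc83 = "dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a"` alongside the new ones so the rule's evidence stays meaningful.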
diff --git a/rules/net/socket-connect.yara b/rules/net/socket-connect.yara index 446bc058a..c924d632c 100644 --- a/rules/net/socket-connect.yara +++ b/rules/net/socket-connect.yara 
@@ -1,36 +1,44 @@ -rule _connect : notable { - meta: - description = "initiate a connection on a socket" - syscall = "connect" - ref = "https://linux.die.net/man/3/connect" - strings: - $connect = "_connect" fullword - $connectx = "_connectx" fullword - condition: - any of them +rule _connect : medium { + meta: + description = "initiate a connection on a socket" + syscall = "connect" + ref = "https://linux.die.net/man/3/connect" + hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74" + hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796" + hash_2024_Downloads_0ca7 = "0ca7e0eddd11dfaefe0a0721673427dd441e29cf98064dd0f7b295eae416fe1b" + strings: + $connect = "_connect" fullword + $connectx = "_connectx" fullword + condition: + any of them } -rule connect : notable { - meta: - description = "initiate a connection on a socket" - syscall = "connect" - ref = "https://linux.die.net/man/3/connect" - strings: - $connect = "connect" fullword - condition: - any of them in (1200..3000) +rule connect : medium { + meta: + description = "initiate a connection on a socket" + syscall = "connect" + ref = "https://linux.die.net/man/3/connect" + hash_2018_test_connect_asynct = "d477e83e87219cb2890b04672c192f23fe3fd2cd277884135545775c0ac1e378" + hash_2018_test_readable_asynct = "e155cc7ae149699f1c4563f9837010ef1a5fba8e9e58ebd653735f83a404df44" + hash_2024_Downloads_0fa8a2e98ba17799d559464ab70cce2432f0adae550924e83d3a5a18fe1a9fc8 = "503fcf8b03f89483c0335c2a7637670c8dea59e21c209ab8e12a6c74f70c7f38" + strings: + $connect = "connect" fullword + condition: + any of them in (1200..3000) } - -rule py_connect : notable { - meta: - description = "initiate a connection on a socket" - syscall = "connect" - ref = "https://docs.python.org/3/library/socket.html" - strings: - $socket = "socket.socket" - $ref = ".connect(" - condition: - all of them +rule py_connect : medium { + meta: + description = "initiate a connection 
on a socket" + syscall = "connect" + ref = "https://docs.python.org/3/library/socket.html" + hash_2023_libcurl_setup = "5deef153a6095cd263d5abb2739a7b18aa9acb7fb0d542a2b7ff75b3506877ac" + hash_2024_aaa_bbb_ccc_setup = "5deef153a6095cd263d5abb2739a7b18aa9acb7fb0d542a2b7ff75b3506877ac" + hash_2020_Enigma = "6b2ff7ae79caf306c381a55409c6b969c04b20c8fda25e6d590e0dadfcf452de" + strings: + $socket = "socket.socket" + $ref = ".connect(" + condition: + all of them } diff --git a/rules/net/socket_filter.yara b/rules/net/socket_filter.yara index 0a7636091..aedf4b02b 100644 --- a/rules/net/socket_filter.yara +++ b/rules/net/socket_filter.yara @@ -1,6 +1,7 @@ -rule linux_network_filter : notable { + +rule linux_network_filter : medium { meta: - description = "listens for packets without a socket" + description = "listens for packets without a socket" hash_2023_BPFDoor_dc83 = "dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a" strings: $0x = "=0x" @@ -10,4 +11,3 @@ rule linux_network_filter : notable { condition: $0x and any of ($p*) } - diff --git a/rules/net/socks5.yara b/rules/net/socks5.yara index 2fccf890d..0208665bb 100644 --- a/rules/net/socks5.yara +++ b/rules/net/socks5.yara 
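Review bot: In the rewritten `connect` rule the new references `hash_2018_test_connect_asynct` and `hash_2018_test_readable_asynct` are named like library unit-test fixtures rather than malware; if they are benign, the meta block is now documenting false positives of the `(1200..3000)` offset heuristic instead of its coverage, and they should be replaced or annotated. In `py_connect`, `hash_2023_libcurl_setup` and `hash_2024_aaa_bbb_ccc_setup` carry the same SHA-256 (`5deef153…`), so one of the two should be dropped. Note the hunk spans both `connect` and `py_connect`; its start (`_connect`) is on the previous line.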
@@ -1,19 +1,21 @@ -rule socks5 : notable { - meta: - description = "Supports SOCK5 proxies" - strings: - $ref = ".Socks5" - $ref2 = "SOCKS5" - $rp_connect = "CONNECT %s" - $rp_socksproxy = "socksproxy" - $rp_socks_proxy = "socks proxy" - $rp_socksv5 = "SOCKSv5" - $rp_socks_percent = "SOCKS %" - $rp_socks5 = "socks5" fullword - $rgo_socks5 = "go-socks5" - - $not_etc_services = "Registered Ports are not controlled by the IANA" - condition: - any of ($r*) and none of ($not*) -} \ No newline at end of file +rule socks5 : medium { + meta: + description = "Supports SOCK5 proxies" + hash_2024_Downloads_0f66 = "0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c" + hash_2023_Downloads_2f13 = "2f1321c6cf0bc3cf955e86692bfc4ba836f5580c8b1469ce35aa250c97f0076e" + hash_2024_Downloads_3105 = "31054fb826b57c362cc0f0dbc8af15b22c029c6b9abeeee9ba8d752f3ee17d7d" + strings: + $ref = ".Socks5" + $ref2 = "SOCKS5" + $rp_connect = "CONNECT %s" + $rp_socksproxy = "socksproxy" + $rp_socks_proxy = "socks proxy" + $rp_socksv5 = "SOCKSv5" + $rp_socks_percent = "SOCKS %" + $rp_socks5 = "socks5" fullword + $rgo_socks5 = "go-socks5" + $not_etc_services = "Registered Ports are not controlled by the IANA" + condition: + any of ($r*) and none of ($not*) +} diff --git a/rules/net/ssh.yara b/rules/net/ssh.yara index 441096358..6530585b9 100644 --- a/rules/net/ssh.yara +++ b/rules/net/ssh.yara 
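Review bot: `$rp_connect = "CONNECT %s"` is the HTTP CONNECT-method format, not a SOCKS5 artefact, and because the condition is `any of ($r*)` that single string is enough to tag a plain HTTP-proxy client as `socks5 : medium`; either drop it or require it together with a real SOCKS string. The description also carries the old typo — use `description = "Supports SOCKS5 proxies"`. `$ref2 = "SOCKS5"` without `fullword` will presumably match any binary embedding libcurl's option help text, so an exclusion similar to `$not_etc_services` may be needed there.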
@@ -1,9 +1,12 @@ -rule crypto_ssh : notable { - meta: - description = "Uses crypto/ssh to connect to the SSH (secure shell) service" - strings: - $go = "crypto/ssh" fullword - condition: - any of them -} \ No newline at end of file +rule crypto_ssh : medium { + meta: + description = "Uses crypto/ssh to connect to the SSH (secure shell) service" + hash_2024_Downloads_e100 = "e100be934f676c64528b5e8a609c3fb5122b2db43b9aee3b2cf30052799a82da" + hash_2024_Downloads_e241 = "e241a3808e1f8c4811759e1761e2fb31ce46ad1e412d65bb1ad9e697432bd4bd" + hash_2020_IPStorm_IPStorm_unpacked = "522a5015d4d11833ead6d88d4405c0f4119ff29b1f64b226c464e958f03e1434" + strings: + $go = "crypto/ssh" fullword + condition: + any of them +} diff --git a/rules/net/stat.yara b/rules/net/stat.yara index 788822052..ee9994a8c 100644 --- a/rules/net/stat.yara +++ b/rules/net/stat.yara @@ -1,8 +1,12 @@ -rule netstat : notable { - meta: - description = "Uses 'netstat' for network information" - strings: - $ref1 = /netstat[ \-a-z\|]{0,16}/ - condition: - all of them + +rule netstat : medium { + meta: + description = "Uses 'netstat' for network information" + hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad" + hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796" + hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b" + strings: + $ref1 = /netstat[ \-a-z\|]{0,16}/ + condition: + all of them } diff --git a/rules/net/sunrpc.yara b/rules/net/sunrpc.yara index b8b71d1b6..1253f62aa 100644 --- a/rules/net/sunrpc.yara +++ b/rules/net/sunrpc.yara 
@@ -1,10 +1,13 @@ -rule sunrpc : notable { - meta: - description = "Uses SunRPC / XDR" - strings: - $ref = "xdr_bytes" fullword - $ref2 = "Incompatible versions of RPC" - condition: - any of them -} \ No newline at end of file +rule sunrpc : medium { + meta: + description = "Uses SunRPC / XDR" + hash_2024_Downloads_a031 = "a031da66c6f6cd07343d5bc99cc283528a5b7f04f97b2c33c2226a388411ec61" + hash_2023_Linux_Malware_Samples_3668 = "3668b167f5c9083a9738cfc4bd863a07379a5b02ee14f48a10fb1240f3e421a6" + hash_2023_Linux_Malware_Samples_43fa = "43fab92516cdfaa88945996988b7cfe987f26050516503fb2be65592379d7d7f" + strings: + $ref = "xdr_bytes" fullword + $ref2 = "Incompatible versions of RPC" + condition: + any of them +} diff --git a/rules/net/syncookie.yara b/rules/net/syncookie.yara index 028256b3f..fd3d3a4c8 100644 --- a/rules/net/syncookie.yara +++ b/rules/net/syncookie.yara @@ -1,7 +1,10 @@ -rule syn_cookie : notable { + +rule syn_cookie : medium { meta: - description = "references SYN cookies, used to resist DoS attacks" - ref = "https://en.wikipedia.org/wiki/SYN_cookies" + description = "references SYN cookies, used to resist DoS attacks" + ref = "https://en.wikipedia.org/wiki/SYN_cookies" + hash_2023_Linux_Malware_Samples_5a62 = "5a628dc26dae0309941d70021cfbb4281189f85b074bf3e696058d73c4609101" + hash_2023_Linux_Malware_Samples_e036 = "e0367097a1450c70177bbc97f315cbb2dcb41eb1dc052f522c9e8869e084bd0f" strings: $syncookie = "syncookie" $syn_cookie = "syn_cookie" diff --git a/rules/net/tcp-state_tracker.yara b/rules/net/tcp-state_tracker.yara index 71f65f506..4acb30832 100644 --- a/rules/net/tcp-state_tracker.yara +++ b/rules/net/tcp-state_tracker.yara 
@@ -1,13 +1,9 @@ -rule network_state_strings : notable { + +rule network_state_strings : medium { meta: - hash_2022_trojan_Winnti = "2f1321c6cf0bc3cf955e86692bfc4ba836f5580c8b1469ce35aa250c97f0076e" - hash_2020_BirdMiner_arachnoidal = "904ad9bc506a09be0bb83079c07e9a93c99ba5d42ac89d444374d80efd7d8c11" - hash_2021_Mettle = "1020ce1f18a2721b873152fd9f76503dcba5af7b0dd26d80fdb11efaf4878b1a" - hash_2020_trojan_Meterpreter_Mettle_eukch = "24f3ac76dcd4b0830a1ebd82cc9b1abe98450b8df29cb4f18f032f1077d24404" - hash_2020_trojan_Meterpreter_Metasploit_uzzxo = "444d8f5a716e89b5944f9d605e490c6845d4af369b024dd751111a6f13bca00d" - hash_2020_CoinMiner_nbtoz = "741af7d54a95dd3b4497c73001e7b2ba1f607d19d63068b611505f9ce14c7776" - hash_2020_trojan_Mettle_spuir = "c058aa5d69ce54c42ddd57bd212648fb62ef7325b371bf7198001e1f8bdf3c16" - hash_2020_trojan_miner_cucnl = "ee0e8516bfc431cb103f16117b9426c79263e279dc46bece5d4b96ddac9a5e90" + hash_2023_Downloads_2f13 = "2f1321c6cf0bc3cf955e86692bfc4ba836f5580c8b1469ce35aa250c97f0076e" + hash_2024_Downloads_e241 = "e241a3808e1f8c4811759e1761e2fb31ce46ad1e412d65bb1ad9e697432bd4bd" + hash_2023_Linux_Malware_Samples_1020 = "1020ce1f18a2721b873152fd9f76503dcba5af7b0dd26d80fdb11efaf4878b1a" strings: $s_ip_frag = "IP_FRAG" $s_icmp = "ICMP" diff --git a/rules/net/tor.yara b/rules/net/tor.yara index cdfd48cca..145c3ca2c 100644 --- a/rules/net/tor.yara +++ b/rules/net/tor.yara 
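Review bot: The rewritten `network_state_strings` meta replaces family-labelled references with anonymous ones for the very same hashes — `2f1321c6…` was `hash_2022_trojan_Winnti` and is now `hash_2023_Downloads_2f13`, `1020ce1f…` was `hash_2021_Mettle` and is now `hash_2023_Linux_Malware_Samples_1020` — so the attribution the old keys carried is lost and the year prefix now appears to reflect collection date rather than the sample. Keep the informative key, e.g. `hash_2022_trojan_Winnti = "2f1321c6cf0bc3cf955e86692bfc4ba836f5580c8b1469ce35aa250c97f0076e"`, or add a `ref` line that names the families.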
@@ -1,16 +1,19 @@ -rule tor_user : suspicious { +rule tor_user : high { meta: ref_eleanor = "https://www.malwarebytes.com/blog/news/2016/07/new-mac-backdoor-malware-eleanor" - description = "Makes use of the TOR/.onion protocol" + description = "Makes use of the TOR/.onion protocol" + hash_2023_Conti_bb64 = "bb64b27bff106d30a7b74b3589cc081c345a2b485a831d7e8c8837af3f238e1e" + hash_2023_Multios_Ransomware_DarkSide_da3b = "da3bb9669fb983ad8d2ffc01aab9d56198bd9cedf2cc4387f19f4604a070a9b5" + hash_2023_Downloads_039e = "039e1765de1cdec65ad5e49266ab794f8e5642adb0bdeb78d8c0b77e8b34ae09" strings: $t_tor_addr = "_tor_addr" $t_tor = "TOR Browser" nocase $t_hidden_service_port = "HiddenServicePort" nocase - $t_go = "go-libtor" - $t_rust = "libtor" fullword + $t_go = "go-libtor" + $t_rust = "libtor" fullword $not_drop = "[.onion] drop policy" - $not_bug = "Tor Browser bug" + $not_bug = "Tor Browser bug" condition: filesize < 20971520 and any of ($t*) and none of ($not*) } diff --git a/rules/net/tunnel.yara b/rules/net/tunnel.yara index a381f25bc..f65bc7955 100644 --- a/rules/net/tunnel.yara +++ b/rules/net/tunnel.yara 
@@ -1,21 +1,28 @@ -rule tunnel : notable { - meta: - description = "creates a network tunnel" - syscall = "setsockopt" - strings: - $tunnel = "tunnel" fullword - $inet = "inet_addr" fullword - condition: - all of them + +rule tunnel : medium { + meta: + description = "creates a network tunnel" + syscall = "setsockopt" + hash_2024_Downloads_8cad = "8cad755bcf420135c0f406fb92138dcb0c1602bf72c15ed725bd3b76062dafe5" + hash_2023_Linux_Malware_Samples_63f3 = "63f3245f84f7f2931d1586bc35051d26398590aaf71a071597b3662ffc3f24fb" + hash_2023_Linux_Malware_Samples_6481 = "64815d7c84c249e5f3b70d494791498ce85ea9a97c3edaee49ffa89809e20c6e" + strings: + $tunnel = "tunnel" fullword + $inet = "inet_addr" fullword + condition: + all of them } -rule tunnel2 : notable { - meta: - description = "creates a network tunnel" - syscall = "setsockopt" - strings: - $Tunnel = "Tunnel" - $inet = "inet_addr" fullword - condition: - all of them -} \ No newline at end of file +rule tunnel2 : medium { + meta: + description = "creates a network tunnel" + syscall = "setsockopt" + hash_2023_Linux_Malware_Samples_24ee = "24ee0e3d65b0593198fbe973a58ca54402b0879d71912f44f4b831003a5c7819" + hash_2023_Linux_Malware_Samples_2f85 = "2f85ca8f89dfb014b03afb11e5d2198a8adbae1da0fd76c81c67a81a80bf1965" + hash_2023_Linux_Malware_Samples_43fa = "43fab92516cdfaa88945996988b7cfe987f26050516503fb2be65592379d7d7f" + strings: + $Tunnel = "Tunnel" + $inet = "inet_addr" fullword + condition: + all of them +} diff --git a/rules/net/udp-send.yara b/rules/net/udp-send.yara index 604113322..34eaef5b3 100644 --- a/rules/net/udp-send.yara +++ b/rules/net/udp-send.yara 
@@ -1,19 +1,21 @@ + rule udp_send { - meta: - description = "Sends UDP packets" - strings: - $ref = "WriteMsgUDP" - $ref2 = "DialUDP" - condition: - any of them + meta: + description = "Sends UDP packets" + strings: + $ref = "WriteMsgUDP" + $ref2 = "DialUDP" + condition: + any of them } -rule go_kcp : notable { - meta: - description = "Sends UDP packets" - strings: - $ref = ".ReleaseTX" - $ref2 = ".WaitSnd" - condition: - all of them +rule go_kcp : medium { + meta: + description = "Sends UDP packets" + hash_2024_Downloads_384e = "384ec732200ab95c94c202f42b51e870f51735768888aaabc4e370de74e825e3" + strings: + $ref = ".ReleaseTX" + $ref2 = ".WaitSnd" + condition: + all of them } diff --git a/rules/net/upload.yara b/rules/net/upload.yara index 970c69b5b..94c6cd2c1 100644 --- a/rules/net/upload.yara +++ b/rules/net/upload.yara 
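Review bot: `go_kcp` keeps the description `"Sends UDP packets"` copied from `udp_send`, but its strings `.ReleaseTX` and `.WaitSnd` look like method names from the kcp-go reliable-UDP library rather than generic UDP sends, and the rule name says as much. Something like `description = "Uses KCP reliable-UDP transport (kcp-go)"` would tell an analyst what actually matched. `udp_send` is left with no severity tag while its sibling gets `medium`; if untagged means informational, a short comment saying so would help.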
@@ -1,18 +1,24 @@ -rule upload : notable { - meta: - description = "uploads files" - strings: - $ref = /upload\w{0,16}/ - $ref2 = /UPLOAD\w{0,16}/ - $ref3 = /Upload\w{0,16}/ - condition: - any of them +rule upload : medium { + meta: + description = "uploads files" + hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e" + hash_2023_0xShell_adminer = "2fd7e6d8f987b243ab1839249551f62adce19704c47d3d0c8dd9e57ea5b9c6b3" + hash_2023_0xShell_up = "c72f0194a61dcf25779370a6c8dd0257848789ef59d0108a21f08301569d4441" + strings: + $ref = /upload\w{0,16}/ + $ref2 = /UPLOAD\w{0,16}/ + $ref3 = /Upload\w{0,16}/ + condition: + any of them } -rule curl_upload_command : suspicious { +rule curl_upload_command : high { meta: - description = "Uses curl to upload data" + description = "Uses curl to upload data" + hash_2023_Qubitstrike_branch_raw_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd" + hash_2023_Qubitstrike_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd" + hash_2018_CookieMiner_uploadminer = "6236f77899cea6c32baf0032319353bddfecaf088d20a4b45b855a320ba41e93" strings: $curl_upload = "url --upload-file" $kinda_curl_inesecure_data = "--insecure --data" @@ -20,4 +26,4 @@ rule curl_upload_command : suspicious { $kinda_curl_k_d = "-k -d" condition: any of them -} \ No newline at end of file +} diff --git a/rules/net/upnp.yara b/rules/net/upnp.yara index b4abc6183..24d96e5c1 100644 --- a/rules/net/upnp.yara +++ b/rules/net/upnp.yara 
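Review bot: In `curl_upload_command` the two new Qubitstrike entries, `hash_2023_Qubitstrike_branch_raw_mi` and `hash_2023_Qubitstrike_mi`, carry the same SHA-256 (`9a5f6318…`), so one is redundant and should be removed. While the strings block is being touched, the identifier `$kinda_curl_inesecure_data` is misspelled; since the condition is `any of them`, renaming it to `$kinda_curl_insecure_data` is safe. The `upload` rule's `/upload\w{0,16}/` matches any upload-handling code, so promoting it only to `medium` seems right, but a comment noting the expected noise would help triage.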
@@ -1,16 +1,9 @@ -rule upnp_client : notable { + +rule upnp_client : medium { meta: - hash_2011_bin_fxagent = "737bb6fe9a7ad5adcd22c8c9e140166544fa0c573fe5034dfccc0dc237555c83" - hash_2021_trojan_Mirai_3_Gafgyt = "0afd9f52ddada582d5f907e0a8620cbdbe74ea31cf775987a5675226c1b228c2" - hash_2021_trojan_Mirai_dclea = "206ad8fec64661c1fed8f20f71523466d0ca4ed9c01d20bea128bfe317f4395a" - hash_2021_miner_gijuf = "24ee0e3d65b0593198fbe973a58ca54402b0879d71912f44f4b831003a5c7819" - hash_2021_trojan_miner_oztkc = "2f85ca8f89dfb014b03afb11e5d2198a8adbae1da0fd76c81c67a81a80bf1965" - hash_2021_trojan_Mirai_aspze = "341a49940749d5f07d32d1c8dfddf6388a11e45244cc54bc8768a8cd7f00b46a" - hash_2020_HackTool_Portscan = "5a628dc26dae0309941d70021cfbb4281189f85b074bf3e696058d73c4609101" - hash_2021_miner_nyoan = "9f059b341ac4e2e00ab33130fea5da4b1390f980d3db607384d87e736f30273e" - hash_2021_miner_vsdhx = "caa114893cf5cb213b39591bbcb72f66ee4519be07269968e714a8d3f24c3382" - hash_2021_miner_fdxme = "d1a95861c6b9836c0c3d8868019054931d1339ae896ad11575e99d91a358696d" - hash_2021_trojan_Mirai_leeyo = "ff2a39baf61e34f14f9c49c27faed07bdd431605b3c845ab82023c39589e6798" + hash_2023_Linux_Malware_Samples_0afd = "0afd9f52ddada582d5f907e0a8620cbdbe74ea31cf775987a5675226c1b228c2" + hash_2023_Linux_Malware_Samples_1fce = "1fce1d5b977c38e491fe84e529a3eb5730d099a4966c753b551209f4a24524f3" + hash_2023_Linux_Malware_Samples_206a = "206ad8fec64661c1fed8f20f71523466d0ca4ed9c01d20bea128bfe317f4395a" strings: $upnp_firewall = "WANIPv6FirewallControl" $upnp_schema = "schemas-upnp-org" diff --git a/rules/net/url-encode.yara b/rules/net/url-encode.yara index 59e9d98fb..c3756146d 100644 --- a/rules/net/url-encode.yara +++ b/rules/net/url-encode.yara 
@@ -1,8 +1,12 @@ -rule url_encode : notable { - meta: - description = "encodes URL, likely to pass GET variables" - strings: - $ref = "urlencode" - condition: - any of them + +rule url_encode : medium { + meta: + description = "encodes URL, likely to pass GET variables" + hash_2023_0xShell_adminer = "2fd7e6d8f987b243ab1839249551f62adce19704c47d3d0c8dd9e57ea5b9c6b3" + hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad" + hash_2017_package_package_setup = "79be89b218ac2160d6047c22a1161a2be048044f24e920872715e130496aec8c" + strings: + $ref = "urlencode" + condition: + any of them } diff --git a/rules/net/url-request.yara b/rules/net/url-request.yara index 5dd943318..77d479bda 100644 --- a/rules/net/url-request.yara +++ b/rules/net/url-request.yara @@ -1,17 +1,21 @@ -rule requests_urls : notable { - meta: - description = "requests resources via URL" - strings: - $ref = "NSMutableURLRequest" - $ref2 = "import requests" - $ref3 = "net/url" - $ref4 = /requests\.get\([\w, =\)]{0,16}/ - $ref5 = "require('request');" - $ref6 = "request(url, " - $ref7 = "require('https').request" - $ref8 = "http.request" - $ref9 = "urllib2.urlopen" - $ref10 = "urllib.request" - condition: - any of them + +rule requests_urls : medium { + meta: + description = "requests resources via URL" + hash_2023_botbait = "1b92cb3d4b562d0eb05c3b2f998e334273ce9b491bc534d73bcd0b4952ce58d2" + hash_2023_misc_mktmpio = "f6b7984c76d92390f5530daeacf4f77047b176ffb8eaf5c79c74d6dd4d514b2b" + hash_2023_misc_mr_robot = "630bbcf0643d9fc9840f2f54ea4ae1ea34dc94b91ee011779c8e8c91f733c9f5" + strings: + $ref = "NSMutableURLRequest" + $ref2 = "import requests" + $ref3 = "net/url" + $ref4 = /requests\.get\([\w, =\)]{0,16}/ + $ref5 = "require('request');" + $ref6 = "request(url, " + $ref7 = "require('https').request" + $ref8 = "http.request" + $ref9 = "urllib2.urlopen" + $ref10 = "urllib.request" + condition: + any of them } 
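Review bot: `$ref3 = "net/url"` in `requests_urls` will match essentially every Go binary that speaks HTTP, because Go's `net/http` package itself depends on `net/url` and the package path is embedded in the build; with `any of them` that alone triggers `medium`. Consider dropping it or moving it to an untagged Go-specific rule, and likewise `$ref8 = "http.request"` is common to ordinary Node.js code. The benign-looking new references (`misc_mktmpio`, `misc_mr_robot`) suggest the rule already fires widely, so a comment documenting that it is a low-signal capability indicator would be useful.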
diff --git a/rules/net/vnc.yara b/rules/net/vnc.yara index b03b0dc30..c7295563b 100644 --- a/rules/net/vnc.yara +++ b/rules/net/vnc.yara @@ -1,15 +1,14 @@ -rule vnc_user : notable { + +rule vnc_user : medium { meta: - hash_2020_BirdMiner_arachnoidal = "904ad9bc506a09be0bb83079c07e9a93c99ba5d42ac89d444374d80efd7d8c11" hash_2023_Linux_Malware_Samples_1d28 = "1d2800352e15175ae5fa916b48a96b26f0199d9f8a9036648b3e44aa60ed2897" hash_2023_Linux_Malware_Samples_5a62 = "5a628dc26dae0309941d70021cfbb4281189f85b074bf3e696058d73c4609101" hash_2023_Linux_Malware_Samples_d13f = "d13fd21514f7ee5e58343aa99bf551c6a56486731c50daefcce233fdb162def8" - hash_2023_Linux_Malware_Samples_e036 = "e0367097a1450c70177bbc97f315cbb2dcb41eb1dc052f522c9e8869e084bd0f" strings: $vnc_password = "vnc_password" $vnc_ = "VNC_" $vnc_port = ":5900" - $not_synergy = "SYNERGY" + $not_synergy = "SYNERGY" condition: any of ($vnc*) and none of ($not*) } diff --git a/rules/net/websocket.yara b/rules/net/websocket.yara index 27304d11e..a86064055 100644 --- a/rules/net/websocket.yara +++ b/rules/net/websocket.yara @@ -1,10 +1,14 @@ -rule websocket : notable { - meta: - description = "supports web sockets" - ref = "https://www.rfc-editor.org/rfc/rfc6455" - strings: - $ref = /[a-zA-Z]{0,16}[wW]ebSocket[\w:]{0,32}/ fullword - $ref2 = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11" - condition: - any of them + +rule websocket : medium { + meta: + description = "supports web sockets" + ref = "https://www.rfc-editor.org/rfc/rfc6455" + hash_2024_Downloads_0f66 = "0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c" + hash_2024_Downloads_3105 = "31054fb826b57c362cc0f0dbc8af15b22c029c6b9abeeee9ba8d752f3ee17d7d" + hash_2024_Downloads_384e = "384ec732200ab95c94c202f42b51e870f51735768888aaabc4e370de74e825e3" + strings: + $ref = /[a-zA-Z]{0,16}[wW]ebSocket[\w:]{0,32}/ fullword + $ref2 = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11" + condition: + any of them } 
diff --git a/rules/persist/bash.yara b/rules/persist/bash.yara index a77eec7cd..bb45dec5e 100644 --- a/rules/persist/bash.yara +++ b/rules/persist/bash.yara @@ -1,26 +1,29 @@ -rule bash_persist : notable { + +rule bash_persist : medium { meta: - description = "access bash startup files" + description = "access bash startup files" + hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796" + hash_2024_Downloads_0ca7 = "0ca7e0eddd11dfaefe0a0721673427dd441e29cf98064dd0f7b295eae416fe1b" + hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b" strings: - $ref = ".bash_profile" - $ref2 = ".profile" fullword - $ref3 = ".bashrc" fullword - $ref4 = ".bash_logout" - $ref5 = "/etc/profile" - $ref6 = "/etc/bashrc" - $ref7 = "/etc/bash" + $ref = ".bash_profile" + $ref2 = ".profile" fullword + $ref3 = ".bashrc" fullword + $ref4 = ".bash_logout" + $ref5 = "/etc/profile" + $ref6 = "/etc/bashrc" + $ref7 = "/etc/bash" $not_bash = "POSIXLY_CORRECT" condition: filesize < 2097152 and any of ($ref*) and none of ($not*) } -rule bash_logout_persist : suspicious { +rule bash_logout_persist : high { meta: - description = "Writes to bash configuration files to persist" + description = "Writes to bash configuration files to persist" strings: - $ref = ".bash_logout" + $ref = ".bash_logout" $not_bash = "POSIXLY_CORRECT" condition: filesize < 2097152 and any of ($ref*) and none of ($not*) } - diff --git a/rules/persist/crontab.yara b/rules/persist/crontab.yara index c9b454466..afc864caf 100644 --- a/rules/persist/crontab.yara +++ b/rules/persist/crontab.yara 
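Review bot: `bash_logout_persist` is promoted to `high` with the description `"Writes to bash configuration files to persist"`, but its condition only checks that the string `.bash_logout` is present (`any of ($ref*) and none of ($not*)`), which is also already covered by `$ref4` in `bash_persist` — every hit on the `high` rule is a subset of the `medium` one. Either reword to what the rule can actually establish, `description = "References .bash_logout, a bash shutdown hook usable for persistence"`, or add a write-oriented string (e.g. a `>>` redirection or `fopen` mode) so the severity is earned.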
@@ -1,14 +1,10 @@ -rule crontab_writer : suspicious { + +rule crontab_writer : high { meta: - description = "May use crontab to persist" - hash_2020_FinSpy_helper2 = "af4ad3b8bf81a877a47ded430ac27fdcb3ddd33d3ace52395f76cbdde46dbfe0" - hash_2022_XorDDoS_0Xorddos = "d920dec25946a86aeaffd5a53ce8c3f05c9a7bac44d5c71481f497de430cb67e" - hash_2013_Resources_installer = "5dce86eb6881f8088660b961746623b81d38f8bccb6693116296748fbe1f3719" - hash_2021_trojan_Gafgyt_fszhv = "1794cf09f4ea698759b294e27412aa09eda0860475cd67ce7b23665ea6c5d58b" - hash_2021_trojan_Gafgyt_malxmr = "1b5bd0d4989c245af027f6bc0c331417f81a87fff757e19cdbdfe25340be01a6" - hash_2020_Prometei_B_uselvh323 = "2bc860efee229662a3c55dcf6e50d6142b3eec99c606faa1210f24541cad12f5" - hash_2020_Prometei_lbjon = "75ea0d099494b0397697d5245ea6f2b5bf8f22bb3c3e6d6d81e736ac0dac9fbc" - hash_2023_Linux_Malware_Samples_aab5 = "aab526b32d703fd9273635393011a05c9c3f6204854367eb0eb80894bbcfdd42" + description = "May use crontab to persist" + hash_2023_usr_adxintrin_b = "a51a4ddcd092b102af94139252c898d7c1c48f322bae181bd99499a79c12c500" + hash_2023_spirit = "26ba215bcd5d8a9003a904b0eac7dc10054dba7bea9a708668a5f6106fd73ced" + hash_2023_ZIP_server = "b69738c655dee0071b1ce37ab5227018ebce01ba5e90d28bd82d63c46e9e63a4" strings: $c_etc_crontab = /\/etc\/cron[\/\w\.]{0,32}/ $c_crontab_e = "crontab -" 
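Review bot: The `crontab_writer` rewrite drops the FinSpy, XorDDoS, Prometei and Gafgyt references — families for which cron persistence is well documented — in favour of three unlabelled entries (`usr_adxintrin_b`, `spirit`, `ZIP_server`), so the rule loses the attribution that justified its `high` tag. Keep at least one named reference, e.g. `hash_2022_XorDDoS_0Xorddos = "d920dec25946a86aeaffd5a53ce8c3f05c9a7bac44d5c71481f497de430cb67e"`, alongside the new ones. The hunk ends at `$c_crontab_e`; the rule's remaining strings and condition are on the following hunk.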
@@ -21,14 +17,15 @@ rule crontab_writer : suspicious { filesize < 2097152 and any of ($c*) and none of ($not*) } - -rule crontab_danger_path : suspicious { +rule crontab_danger_path : high { meta: ref = "https://blog.xlab.qianxin.com/mirai-nomi-en/" - description = "Starts from a dangerous-looking path" + description = "Starts from a dangerous-looking path" + hash_2023_Linux_Malware_Samples_741a = "741af7d54a95dd3b4497c73001e7b2ba1f607d19d63068b611505f9ce14c7776" + hash_2023_Linux_Malware_Samples_ee0e = "ee0e8516bfc431cb103f16117b9426c79263e279dc46bece5d4b96ddac9a5e90" strings: $any_val = /\* \* \* \/(boot|var|tmp|dev|root)\/[\/\.\w\ \-]{0,64}/ $reboot_val = /@reboot \/(boot|var|tmp|dev|root)\/[\/\.\w\ \-]{0,64}/ condition: - filesize < 100MB and any of them + filesize < 104857600 and any of them } diff --git a/rules/persist/launch-agent.yara b/rules/persist/launch-agent.yara index 71d537817..3112a3680 100644 --- a/rules/persist/launch-agent.yara +++ b/rules/persist/launch-agent.yara 
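Review bot: `var` in the alternation `(boot|var|tmp|dev|root)` makes `$any_val` match ordinary entries such as `* * * /var/lib/...` or `/var/spool/...`, which is the most false-positive-prone element of a rule now tagged `high`. Narrowing it to the world-writable subtree, `(boot|var\/tmp|tmp|dev|root)`, keeps the behaviour the `ref` presumably describes while dropping routine cron jobs under `/var`. The `100MB` to `104857600` rewrite is equivalent and fine.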
@@ -1,35 +1,38 @@ -rule macos_LaunchAgents : notable { - meta: - description = "persist via LaunchAgents" - platforms = "darwin" - strings: - $val = /[\~\/\.\w]{0,32}LaunchAgents[\/\w\%\$]{0,32}/ fullword - condition: - any of them +rule macos_LaunchAgents : medium { + meta: + description = "persist via LaunchAgents" + platforms = "darwin" + hash_2024_2019_02_Shlayer_Malware_a2ec = "a2ec5d9c80794c26a7eaac8586521f7b0eb24aba9ad393c194c86cfd150e5189" + hash_2024_2019_02_Shlayer_Malware_fd93 = "fd93c08678392eae99a1281577a54875a0e1920c49cdea6d56b53dabc4597803" + hash_2021_CDDS_UserAgent_v2019 = "9b71fad3280cf36501fe110e022845b29c1fb1343d5250769eada7c36bc45f70" + strings: + $val = /[\~\/\.\w]{0,32}LaunchAgents[\/\w\%\$]{0,32}/ fullword + condition: + any of them } - -rule launchctl : notable { - meta: - description = "sets up a LaunchAgent and launches it" - platforms = "darwin" - strings: - $upper_val = /[\~\/\.\w]{0,32}LaunchAgents[\/\w\%\$]{0,32}/ fullword - $lower_val = /[\~\/\.\w]{0,32}launchagents[\/\w\%\$]{0,32}/ fullword - $launch= "launchctl" - condition: - $launch and ($upper_val or $lower_val) +rule launchctl : medium { + meta: + description = "sets up a LaunchAgent and launches it" + platforms = "darwin" + hash_2024_2019_02_Shlayer_Malware_a2ec = "a2ec5d9c80794c26a7eaac8586521f7b0eb24aba9ad393c194c86cfd150e5189" + hash_2024_2019_02_Shlayer_Malware_fd93 = "fd93c08678392eae99a1281577a54875a0e1920c49cdea6d56b53dabc4597803" + hash_2021_CDDS_client = "623f99cbe20af8b79cbfea7f485d47d3462d927153d24cac4745d7043c15619a" + strings: + $upper_val = /[\~\/\.\w]{0,32}LaunchAgents[\/\w\%\$]{0,32}/ fullword + $lower_val = /[\~\/\.\w]{0,32}launchagents[\/\w\%\$]{0,32}/ fullword + $launch = "launchctl" + condition: + $launch and ($upper_val or $lower_val) } -rule macos_personal_launch_agent : notable { +rule macos_personal_launch_agent : medium { meta: - description = "sets up a personal launch agent" - hash_2011_bin_p_start = 
"490f96b3ce11827fe681e0e2bd71d622399f16c688e5fedef4f79089c7cf2856" - hash_2017_Dockster = "8da09fec9262d8bbeb07c4e403d1da88c04393c8fc5db408e1a3a3d86dddc552" - hash_2016_Eleanor_eleanr_script = "2c752b64069e9b078103adf8f5114281b7ce03f1ca7a995228f180140871999e" - hash_2021_Gmera_Licatrade = "ad27ae075010795c04a6c5f1303531f3f2884962be4d741bf38ced0180710d06" - hash_2018_CookieMiner_uploadminer = "6236f77899cea6c32baf0032319353bddfecaf088d20a4b45b855a320ba41e93" + description = "sets up a personal launch agent" + hash_2024_2019_02_Shlayer_Malware_a2ec = "a2ec5d9c80794c26a7eaac8586521f7b0eb24aba9ad393c194c86cfd150e5189" + hash_2024_2019_02_Shlayer_Malware_fd93 = "fd93c08678392eae99a1281577a54875a0e1920c49cdea6d56b53dabc4597803" + hash_2017_CallMe = "c4b6845e50fd4dce0fa69b25c7e9f7d25e6a04bbca23c279cc13f8b274d865c7" strings: $home_val = /\$HOME\/Library\/LaunchAgents[\.\/\w ]{0,32}/ $tilde_val = /\~\/Library\/LaunchAgents[\.\/\w ]{0,32}/ diff --git a/rules/persist/launchd-load.yara b/rules/persist/launchd-load.yara index ff0a23e05..c32e0ae7f 100644 --- a/rules/persist/launchd-load.yara +++ b/rules/persist/launchd-load.yara 
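Review bot: The `launchctl` rule's `$upper_val` is byte-identical to `$val` of macos_LaunchAgents, and `$launch = "launchctl"` matches any verb (`unload`, `list`, `remove`), so every launchctl hit also fires macos_LaunchAgents at the same `medium` tag and the description `sets up a LaunchAgent and launches it` overstates what is checked. Tightening the verb, `$launch = /launchctl (load|bootstrap|submit|kickstart)/`, would give the second rule a distinct meaning. The `hash_2024_2019_02_...` meta keys mix two years and look like an artifact of the corpus path rather than a sample date; worth normalising before they spread.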
@@ -1,11 +1,9 @@
-rule generic_launchctl_loader : suspicious {
+rule generic_launchctl_loader : high {
 meta:
+ hash_2024_2019_02_Shlayer_Malware_a2ec = "a2ec5d9c80794c26a7eaac8586521f7b0eb24aba9ad393c194c86cfd150e5189"
+ hash_2024_2019_02_Shlayer_Malware_fd93 = "fd93c08678392eae99a1281577a54875a0e1920c49cdea6d56b53dabc4597803"
 hash_2020_BirdMiner_tormina = "4179cdef4de0eef44039e9d03d42b3aeca06df533be74fc65f5235b21c9f0fb1"
- hash_2023_CoinMiner_lauth = "fe3700a52e86e250a9f38b7a5a48397196e7832fd848a7da3cc02fe52f49cdcf"
- hash_2018_CookieMiner_uploadminer = "6236f77899cea6c32baf0032319353bddfecaf088d20a4b45b855a320ba41e93"
- hash_2017_Dockster = "8da09fec9262d8bbeb07c4e403d1da88c04393c8fc5db408e1a3a3d86dddc552"
- hash_2016_Eleanor_eleanr_script = "2c752b64069e9b078103adf8f5114281b7ce03f1ca7a995228f180140871999e"
 strings:
 $load = /launchctl load [\- \~\w\.\/]{1,128}\.plist/
 $not_osquery = "OSQUERY_WORKER"
diff --git a/rules/persist/pid_file.yara b/rules/persist/pid_file.yara
index a525ab8a8..85eb98ad9 100644
--- a/rules/persist/pid_file.yara
+++ b/rules/persist/pid_file.yara
@@ -1,13 +1,16 @@
-rule pid_file : notable {
+
+rule pid_file : medium {
 meta:
- description = "pid file, likely DIY daemon"
+ description = "pid file, likely DIY daemon"
+ hash_2023_Downloads_2f13 = "2f1321c6cf0bc3cf955e86692bfc4ba836f5580c8b1469ce35aa250c97f0076e"
+ hash_2024_Downloads_4b97 = "4b973335755bd8d48f34081b6d1bea9ed18ac1f68879d4b0a9211bbab8fa5ff4"
+ hash_2023_Downloads_d920 = "d920dec25946a86aeaffd5a53ce8c3f05c9a7bac44d5c71481f497de430cb67e"
 strings:
- $ref = /\w{0,16}pidFile{0,16}/
- $ref2 = /\w{0,16}PidFile{0,16}/
- $ref3 = /\w{0,16}pid_file{0,16}/
- $ref4 = /[\/\~][\w\/]{0,32}\.pid/
-
- $not_klog = "/klog/v2.pid"
+ $ref = /\w{0,16}pidFile{0,16}/
+ $ref2 = /\w{0,16}PidFile{0,16}/
+ $ref3 = /\w{0,16}pid_file{0,16}/
+ $ref4 = /[\/\~][\w\/]{0,32}\.pid/
+ $not_klog = "/klog/v2.pid"
 condition:
- any of ($ref*) and none of ($not*)
+ any of ($ref*) and none of ($not*)
 }
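Review bot: `$load` only recognises the deprecated `launchctl load` verb, so a persistence command of the current form `launchctl bootstrap gui/$UID ~/Library/LaunchAgents/x.plist` is missed entirely by a rule tagged `high`. Extending the regex to `$load = /launchctl (load|bootstrap)[\- \~\w\.\/\$]{1,128}\.plist/` covers both; the `\$` is needed for the `gui/$UID` domain target. The rule's condition is outside this hunk.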
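Review bot: The `{0,16}` quantifier in `$ref`–`$ref3` binds to the last character of the literal, so `/\w{0,16}pidFile{0,16}/` means `pidFil` followed by up to sixteen `e`s, and the leading `\w{0,16}` is a no-op in a substring search; this hunk reformats the lines without fixing them. The intent is presumably a word-suffix match: `$ref = /pidFile\w{0,16}/`, `$ref2 = /PidFile\w{0,16}/`, `$ref3 = /pid_file\w{0,16}/`. Matching is nearly unchanged in practice because `pidFil` hits the same files, but the regexes should say what they mean.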
diff --git a/rules/persist/shell-init_files.yara b/rules/persist/shell-init_files.yara
index 282886282..f83b3975c 100644
--- a/rules/persist/shell-init_files.yara
+++ b/rules/persist/shell-init_files.yara
@@ -1,12 +1,5 @@
+
 rule etc_shell_init_references {
- meta:
- hash_2020_CoinMiner_nbtoz = "741af7d54a95dd3b4497c73001e7b2ba1f607d19d63068b611505f9ce14c7776"
- hash_2020_trojan_miner_cucnl = "ee0e8516bfc431cb103f16117b9426c79263e279dc46bece5d4b96ddac9a5e90"
- hash_2023_articles_https_www_intezer_com_blog_malware_analysis_elf_malware_analysis_101_part_3_advanced_analysis = "f63e4d0af48f819b71179109ef7bbeb9029e56e97b288ae7142897143c32fa0b"
- hash_2023_articles_https_www_intezer_com_blog_research_kaiji_new_chinese_linux_malware_turning_to_golang = "a748bf68a26573a76505c0ecbdd32fa21b48a705e24213885239d1e8527dd15b"
- hash_2023_OK_ad69 = "ad69e198905a8d4a4e5c31ca8a3298a0a5d761740a5392d2abb5d6d2e966822f"
- hash_2023_Unix_Malware_Kaiji_3e68 = "3e68118ad46b9eb64063b259fca5f6682c5c2cb18fd9a4e7d97969226b2e6fb4"
- hash_2023_Unix_Malware_Kaiji_f4a6 = "f4a64ab3ffc0b4a94fd07a55565f24915b7a1aaec58454df5e47d8f8a2eec22a"
 strings:
 $etc_profile = "/etc/profile"
 $etc_bash = "/etc/bash"
diff --git a/rules/persist/ssh_authorized_keys.yara b/rules/persist/ssh_authorized_keys.yara
index 01dd90549..659e16f76 100644
--- a/rules/persist/ssh_authorized_keys.yara
+++ b/rules/persist/ssh_authorized_keys.yara
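Review bot: Deleting the whole `meta:` block leaves etc_shell_init_references as the only rule in this batch with no `description`, and it carries no severity tag either, so a consumer of the corpus cannot tell what a hit means. Keep a minimal block, `meta: description = "references /etc shell initialization files"`, even if the stale hashes go. The rule's condition is outside the hunk; note that `$etc_bash = "/etc/bash"` also matches `/etc/bash_completion.d`, a path present in many benign packages.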
@@ -1,12 +1,16 @@ -rule ssh_authorized_key_val : notable { + +rule ssh_authorized_key_val : medium { meta: ref = "https://www.sentinelone.com/blog/macos-malware-2023-a-deep-dive-into-emerging-trends-and-evolving-techniques/" - description = "access SSH authorized_keys" + description = "access SSH authorized_keys" + hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b" + hash_2023_Qubitstrike_branch_raw_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd" + hash_2023_Qubitstrike_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd" strings: - $ssh_ = ".ssh" fullword - $ssh2 = "authorized_keys" - $not_ssh_client = "SSH_AUTH_SOCK" - $not_example = "/home/user/.ssh/authorized_keys" + $ssh_ = ".ssh" fullword + $ssh2 = "authorized_keys" + $not_ssh_client = "SSH_AUTH_SOCK" + $not_example = "/home/user/.ssh/authorized_keys" condition: - all of ($ssh*) and none of ($not*) + all of ($ssh*) and none of ($not*) } diff --git a/rules/persist/zsh.yara b/rules/persist/zsh.yara index 64064bb75..51fc06325 100644 --- a/rules/persist/zsh.yara +++ b/rules/persist/zsh.yara @@ -1,4 +1,4 @@ -rule zsh_persist : notable { +rule zsh_persist : medium { meta: description = "access zsh startup files" strings: @@ -11,7 +11,7 @@ rule zsh_persist : notable { filesize < 2097152 and any of ($ref*) and none of ($not*) } -rule zsh_logout_persist : suspicious { +rule zsh_logout_persist : high { meta: description = "Writes to zsh configuration files to persist" strings: diff --git a/rules/privesc/osascript.yara b/rules/privesc/osascript.yara index c7ce58b5b..7ae5ee4aa 100644 --- a/rules/privesc/osascript.yara +++ b/rules/privesc/osascript.yara 
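Review bot: `hash_2023_Qubitstrike_branch_raw_mi` and `hash_2023_Qubitstrike_mi` carry the same sha256, so the hunk adds one sample under two names; drop one. Separately, `$not_example = "/home/user/.ssh/authorized_keys"` is a literal an author can plant to suppress a persistence indicator, which is cheap; if it exists for a known documentation false positive, scope it so a file that references authorized_keys elsewhere still fires, e.g. `all of ($ssh*) and not $not_ssh_client and not (#ssh2 == 1 and $not_example)`.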
@@ -1,13 +1,14 @@ -rule osascript_shell_as_admin : notable { + +rule osascript_shell_as_admin : medium { meta: hash_2018_CookieMiner_uploadminer = "6236f77899cea6c32baf0032319353bddfecaf088d20a4b45b855a320ba41e93" - hash_2017_AptorDoc_Dok_AppStore = "4131d4737fe8dfe66d407bfd0a0df18a4a77b89347471cc012da8efc93c661a5" + hash_2017_MacOS_AppStore = "4131d4737fe8dfe66d407bfd0a0df18a4a77b89347471cc012da8efc93c661a5" hash_2018_MacOS_SpellingChecker = "a9a7a1c48cd1232249336749f4252c845ce68fd9e7da85b6da6ccbcdc21bcf66" strings: $do_shell = "do shell script" $with_admin = "with administrator privileges" - $not_successfully_installed = "successfully installed" - $not_microsoft = "Microsoft Corporation" + $not_successfully_installed = "successfully installed" + $not_microsoft = "Microsoft Corporation" condition: $do_shell and $with_admin and none of ($not*) } diff --git a/rules/privesc/rootshell.yara b/rules/privesc/rootshell.yara index 6f6de1a43..224cf7bcb 100644 --- a/rules/privesc/rootshell.yara +++ b/rules/privesc/rootshell.yara @@ -1,9 +1,11 @@ -rule rootshell : suspicious { + +rule rootshell : high { meta: - description = "references a root shell" + description = "references a root shell" + hash_2023_0xShell_root = "3baa3bfaa6ed78e853828f147c3747d818590faee5eecef67748209dd3d92afb" strings: - $ref = "rootshell" - $ref2 = "r00tshell" + $ref = "rootshell" + $ref2 = "r00tshell" condition: any of them -} \ No newline at end of file +} diff --git a/rules/privesc/su.yara b/rules/privesc/su.yara index 93c0475c2..a08daa0ae 100644 --- a/rules/privesc/su.yara +++ b/rules/privesc/su.yara @@ -1,9 +1,10 @@ -rule su_c : notable { +rule su_c : medium { meta: description = "uses su -c to execute command as another user" + hash_2023_uacert_py_su = "f6d9de8c96e3a9b24287eff608ba6ae59aed653e465112f31e679ae50b8172f3" strings: $su_c = /su [%\w\-]{0,12} -c[%\w\-]{0,32}/ condition: - $su_c + $su_c } diff --git a/rules/privesc/sudo.yara b/rules/privesc/sudo.yara index 731dce269..2259223ec 100644 
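Review bot: `$not_microsoft = "Microsoft Corporation"` and `$not_successfully_installed = "successfully installed"` are bare literals that any AppleScript dropper can include to suppress a `do shell script ... with administrator privileges` hit, so the exclusions cost more than they save. If a Microsoft installer is the known false positive, document it next to the string, `// excludes Microsoft installer scripts; confirm which sample triggered this`, and prefer an exclusion that is harder to forge than a vendor name.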
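Review bot: `$su_c = /su [%\w\-]{0,12} -c[%\w\-]{0,32}/` requires a user token between `su` and `-c`: with the group empty the pattern needs two spaces before `-c`, so the bare `su -c "cmd"` (which runs as root, the more interesting case) never matches. Making the group optional, `$su_c = /su( [%\w\-]{1,12})? -c[ %\w\-\"]{0,32}/`, covers both forms. The trailing class in the current regex has no space, so `-c "id"` matches only `-c` and the 32-character tail is effectively dead.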
--- a/rules/privesc/sudo.yara +++ b/rules/privesc/sudo.yara @@ -1,24 +1,21 @@ -rule unusual_sudo_commands_value : notable { + +rule unusual_sudo_commands_value : medium { meta: description = "Unusual sudo commands" - hash_2016_Calisto = "81c127c3cceaf44df10bb3ceb20ce1774f6a9ead0db4bd991abf39db828661cc" - hash_2023_brawl_earth = "fe3ac61c701945f833f218c98b18dca704e83df2cf1a8994603d929f25d1cce2" - hash_2017_AptorDoc_Bella_AppStore = "4131d4737fe8dfe66d407bfd0a0df18a4a77b89347471cc012da8efc93c661a5" - hash_2023_Unix_Coinminer_Xanthe_7ea1 = "7ea112aadebb46399a05b2f7cc258fea02f55cf2ae5257b331031448f15beb8f" - hash_2023_ciscotools_4247 = "42473f2ab26a5a118bd99885b5de331a60a14297219bf1dc1408d1ede7d9a7a6" + hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78 = "fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588" + hash_2023_Downloads_Brawl_Earth = "fe3ac61c701945f833f218c98b18dca704e83df2cf1a8994603d929f25d1cce2" + hash_2018_Calisto = "81c127c3cceaf44df10bb3ceb20ce1774f6a9ead0db4bd991abf39db828661cc" strings: $sudo_echo = /sudo echo[ \"\%@\-\$\w\\\.\=]{0,48}/ $sudo_u_echo = /sudo -u [ \%@\-\$\w]{2,32} echo/ $sudo_u_args = /sudo -u [\%\$\{\}]{1,2}[ \%\$\w\/]{0,32}/ - $sudo_args =/sudo %@\"\%@\-\$\w]/ + $sudo_args = /sudo %@\"\%@\-\$\w]/ $sudo_no_sleep = /[\|\"\w\-]{0,16}sudo -S[ \%\$\w\/]{1,32}/ $sudo_bash = /sudo bash[\"\%@\-\$\w]{1,64}/ $not_needs_root = "needs to be run as root" $not_sudo_example = "'sudo %@'" - - // https://github.com/oven-sh/bun/blob/main/src/crash_handler.zig - $not_bun_example = "sudo" - $not_bun_example2 = "[36msudo" + $not_bun_example = "sudo" + $not_bun_example2 = "[36msudo" condition: any of ($sudo*) and none of ($not*) } diff --git a/rules/privesc/uac_bypass.yara b/rules/privesc/uac_bypass.yara index 2a21f954a..9a2b31818 100644 --- a/rules/privesc/uac_bypass.yara +++ b/rules/privesc/uac_bypass.yara 
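Review bot: `$sudo_args = /sudo %@\"\%@\-\$\w]/` has a `]` with no opening `[`, so it does not express the character class the sibling strings use; this hunk re-spaces the line without repairing it, and the intended form is presumably `$sudo_args = /sudo %@[\"\%@\-\$\w]{1,64}/`. Separately, as rendered here `$not_bun_example = "sudo"` is a plain substring of every `$sudo*` string, which would make `none of ($not*)` unsatisfiable whenever the rule could fire; if the original carries an escape byte lost in this view that is only a display artifact, but the hunk also drops the `// https://github.com/oven-sh/bun/...` comment that explained the exclusion, and that comment should stay.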
@@ -1,10 +1,11 @@
-rule uac_bypass : suspicious {
+rule uac_bypass : high {
 meta:
 description = "may bypass UAC (User Account Control)"
+ hash_2024_2024_GitHub_Clipper_main = "7faf316a313de14a734b784e6d2ab53dfdf1ffaab4adbbbc46f4b236738d7d0d"
 strings:
- $uacbypass = "uacbypass" fullword
- $delegate = "fodhelper" fullword
+ $uacbypass = "uacbypass" fullword
+ $delegate = "fodhelper" fullword
 condition:
- any of them
+ any of them
 }
diff --git a/rules/process/chdir-unusual.yara b/rules/process/chdir-unusual.yara
index c5659d9ad..1e472b556 100644
--- a/rules/process/chdir-unusual.yara
+++ b/rules/process/chdir-unusual.yara
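Review bot: Both strings are case-sensitive, so `"uacbypass" fullword` misses the `UACBypass`/`UacBypass` spellings common in .NET and Go tooling and `"fodhelper"` misses `FodHelper`; for a `high` rule with only two indicators that is a large gap. Add `nocase`: `$uacbypass = "uacbypass" fullword nocase` and `$delegate = "fodhelper" fullword nocase`.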
@@ -1,26 +1,33 @@ -rule unusual_cd_val : suspicious { - meta: - description = "changes to an unusual system directory" - strings: - $d_dev_mqueue = "cd /dev/mqueue" - $d_dev_shm = "cd /dev/shm" - $d_mnt = "cd /mnt" - $d_root = "cd /root" - $d_tmp = "cd /tmp" - $d_usr = "cd /usr" - $d_var_log = "cd /var/log" - $d_var_run = "cd /var/run" - $d_var_tmp = "cd /var/tmp" - condition: - any of them + +rule unusual_cd_val : high { + meta: + description = "changes to an unusual system directory" + hash_2023_Py_Trojan_NecroBot_0e60 = "0e600095a3c955310d27c08f98a012720caff698fe24303d7e0dcb4c5e766322" + hash_2023_usr_adxintrin_b = "a51a4ddcd092b102af94139252c898d7c1c48f322bae181bd99499a79c12c500" + hash_2023_spirit = "26ba215bcd5d8a9003a904b0eac7dc10054dba7bea9a708668a5f6106fd73ced" + strings: + $d_dev_mqueue = "cd /dev/mqueue" + $d_dev_shm = "cd /dev/shm" + $d_mnt = "cd /mnt" + $d_root = "cd /root" + $d_tmp = "cd /tmp" + $d_usr = "cd /usr" + $d_var_log = "cd /var/log" + $d_var_run = "cd /var/run" + $d_var_tmp = "cd /var/tmp" + condition: + any of them } -rule unusual_cd_dev_val : suspicious { - meta: - description = "changes to an unusual system directory" - strings: - $d_dev = /cd \/dev[\w\/\.]{0,64}/ - $makedev = "MAKEDEV" - condition: - $d_dev and not $makedev +rule unusual_cd_dev_val : high { + meta: + description = "changes to an unusual system directory" + hash_2023_init_d_vm_agent = "663b75b098890a9b8b02ee4ec568636eeb7f53414a71e2dbfbb9af477a4c7c3d" + hash_2023_rc0_d_K70vm_agent = "663b75b098890a9b8b02ee4ec568636eeb7f53414a71e2dbfbb9af477a4c7c3d" + hash_2023_rc1_d_K70vm_agent = "663b75b098890a9b8b02ee4ec568636eeb7f53414a71e2dbfbb9af477a4c7c3d" + strings: + $d_dev = /cd \/dev[\w\/\.]{0,64}/ + $makedev = "MAKEDEV" + condition: + $d_dev and not $makedev } diff --git a/rules/process/detach_daemonize.yara b/rules/process/detach_daemonize.yara index 962a79136..71b7a0e33 100644 --- a/rules/process/detach_daemonize.yara +++ b/rules/process/detach_daemonize.yara 
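Review bot: `$d_tmp = "cd /tmp"` and `$d_usr = "cd /usr"` appear in ordinary build and install scripts (`cd /usr/local/src`, `cd /tmp && tar ...`), so raising unusual_cd_val to `high` on `any of them` will be noisy. `$d_dev_shm` and `$d_dev_mqueue` are also subsumed by unusual_cd_dev_val's `/cd \/dev[\w\/\.]{0,64}/`, so those hits fire twice; consider dropping the two `/dev` literals from the first rule and keeping the `/usr` and `/tmp` cases at `medium`. The three `hash_2023_*vm_agent` entries in the second rule are one sha256 under three names.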
@@ -1,10 +1,12 @@
-rule detach : notable {
+rule detach : medium {
 meta:
- description = "process detaches and daemonizes"
+ description = "process detaches and daemonizes"
+ hash_2023_Linux_Malware_Samples_741a = "741af7d54a95dd3b4497c73001e7b2ba1f607d19d63068b611505f9ce14c7776"
+ hash_2023_Linux_Malware_Samples_ee0e = "ee0e8516bfc431cb103f16117b9426c79263e279dc46bece5d4b96ddac9a5e90"
 strings:
- $ref = /[\w\/]{0,16}xdaemon/
- $ref2 = /[\w\/]{0,16}go-daemon/
+ $ref = /[\w\/]{0,16}xdaemon/
+ $ref2 = /[\w\/]{0,16}go-daemon/
 condition:
- any of them
+ any of them
 }
diff --git a/rules/process/exists.yara b/rules/process/exists.yara
index e03cf1405..2581597b7 100644
--- a/rules/process/exists.yara
+++ b/rules/process/exists.yara
@@ -1,7 +1,9 @@
-rule proc_probe_with_ps : notable {
+rule proc_probe_with_ps : medium {
 meta:
- description = "Checks if a process ID is running"
+ description = "Checks if a process ID is running"
+ hash_2021_CDDS_installer_v2021 = "cf5edcff4053e29cb236d3ed1fe06ca93ae6f64f26e25117d68ee130b9bc60c8"
+ hash_2021_CDDS_kAgent = "570cd76bf49cf52e0cb347a68bdcf0590b2eaece134e1b1eba7e8d66261bdbe6"
 strings:
 $ps_pid = "ps -p %"
 $hash_bang = "#!"
diff --git a/rules/process/find.yara b/rules/process/find.yara
index 86c640451..17593d088 100644
--- a/rules/process/find.yara
+++ b/rules/process/find.yara
@@ -1,9 +1,12 @@
-rule pgrep : notable {
+rule pgrep : medium {
 meta:
- description = "Finds program in process table"
+ description = "Finds program in process table"
+ hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b"
+ hash_2023_Linux_Malware_Samples_060b = "060b01f15c7fab6c4f656aa1f120ebc1221a71bca3177f50083db0ed77596f0f"
+ hash_2023_Qubitstrike_branch_raw_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd"
 strings:
- $val = /pgrep[ \w\$]{0,32}/ fullword
+ $val = /pgrep[ \w\$]{0,32}/ fullword
 condition:
- $val
+ $val
 }
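Review bot: `$ps_pid = "ps -p %"` in proc_probe_with_ps only matches a format-string form such as `ps -p %d`, so the shell idioms `ps -p $pid`, `ps -p "$PID"` and `ps -p ${pid}` are not covered at all. A regex such as `$ps_pid = /ps -p [\$%\{\"'][\w\}]{0,16}/` covers the format and shell forms. The rule's condition is outside this hunk.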
diff --git a/rules/process/kill-multiple.yara b/rules/process/kill-multiple.yara index 638fdb340..207546382 100644 --- a/rules/process/kill-multiple.yara +++ b/rules/process/kill-multiple.yara @@ -1,15 +1,9 @@ -rule sigkill_multiple : notable { + +rule sigkill_multiple : medium { meta: - hash_2022_gimmick_coreldraw = "2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f" - hash_2021_malxmr = "99296550ab836f29ab7b45f18f1a1cb17a102bb81cad83561f615f3a707887d7" - hash_2020_trojan_webshell_quwmldl_rfxn = "f1375cf097b3f28247762147f8ee3755e0ce26e24fbf8a785fe4e5b42c1fed05" - hash_2023_Sodinokibi = "f864922f947a6bb7d894245b53795b54b9378c0f7633c521240488e86f60c2c5" - hash_2022_CloudMensis_mdworker3 = "273633eee4776aef40904124ed1722a0793e6567f3009cdb037ed0a9d79c1b0b" - hash_2021_trojan_Gafgyt_DDoS = "1f94aa7ad1803a08dab3442046c9d96fc3d19d62189f541b07ed732e0d62bf05" - hash_2021_Tsunami_Kaiten = "305901aa920493695729132cfd20cbddc9db2cf861071450a646c6a07b4a50f3" - hash_2021_trojan_Gafgyt_5E = "31e87fa24f5d3648f8db7caca8dfb15b815add4dfc0fabe5db81d131882b4d38" - hash_2021_Tsunami_gjirtfg = "553ac527d6a02a84c787fd529ea59ce1eb301ddfb180d89b9e62108d92894185" - hash_2021_gjif_tsunami_Gafygt = "e2125d9ce884c0fb3674bd12308ed1c10651dc4ff917b5e393d7c56d7b809b87" + hash_2023_Downloads_9929 = "99296550ab836f29ab7b45f18f1a1cb17a102bb81cad83561f615f3a707887d7" + hash_2024_Downloads_e241 = "e241a3808e1f8c4811759e1761e2fb31ce46ad1e412d65bb1ad9e697432bd4bd" + hash_2023_Downloads_f864 = "f864922f947a6bb7d894245b53795b54b9378c0f7633c521240488e86f60c2c5" strings: $s_xargs_kill_9 = "xargs kill -9" $s_kill_9_backtick = "kill -9 `" @@ -20,7 +14,7 @@ rule sigkill_multiple : notable { $s_xargs_I_docker_kill = /xargs -I \w{1,64} docker kill/ $not_official = "All Rights Reserved" $not_sysdiagnose = "PROGRAM:sysdiagnose" - $not_postfix = "Postfix" + $not_postfix = "Postfix" condition: any of ($s*) and none of ($not*) } 
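Review bot: sigkill_multiple's `meta:` block still has no `description`, only hashes, so the one line a consumer needs to interpret a `medium` hit is missing even though the sample list was rewritten; add `description = "kills multiple processes via kill -9 with a computed pid list"`. The `$not_official = "All Rights Reserved"` exclusion visible in the second hunk's context is a literal any sample can carry; a comment naming the false positive it was added for would help the next person decide whether it is still needed.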
diff --git a/rules/process/list.yara b/rules/process/list.yara index 024f41e13..6391da02b 100644 --- a/rules/process/list.yara +++ b/rules/process/list.yara @@ -1,23 +1,26 @@ -rule proc_listallpids : notable { - meta: - pledge = "exec" - syscall = "vfork" - description = "calls proc_listallpid" - strings: - $ref = "proc_listallpid" fullword - condition: - any of them +rule proc_listallpids : medium { + meta: + pledge = "exec" + syscall = "vfork" + description = "calls proc_listallpid" + strings: + $ref = "proc_listallpid" fullword + condition: + any of them } -rule ps_exec : notable { +rule ps_exec : medium { meta: - pledge = "exec" - syscall = "vfork" + pledge = "exec" + syscall = "vfork" + hash_2018_org_logind_ctp_archive = "02e4d0e23391bbbb75c47f5db44d119176803da74b1c170250e848de51632ae9" + hash_2022_Gimmick_CorelDRAW = "2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f" + hash_2023_Sysrv_Hello_sys_x86_64 = "cd784dc1f7bd95cac84dc696d63d8c807129ef47b3ce08cd08afb7b7456a8cd3" strings: $ps_ef = "ps -ef |" $ps__ax = "ps -ax" - $ps_ax = "ps ax" + $ps_ax = "ps ax" $hash_bang = "#!" $not_node = "NODE_DEBUG_NATIVE" $not_apple = "com.apple." 
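Review bot: `$ref = "proc_listallpid" fullword` cannot match the macOS libproc export, which is spelled `proc_listallpids`: with `fullword`, the trailing `s` is a word character, so the symbol as it appears in a Mach-O string table is rejected. Use `$ref = "proc_listallpids" fullword`, and have the description say `calls proc_listallpids`. The `pledge = "exec"` / `syscall = "vfork"` meta on this rule look copied from ps_exec below — proc_listallpids is a process-info query, not a fork/exec — confirm and adjust.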
@@ -25,25 +28,27 @@ rule ps_exec : notable { any of ($ps*) and not $hash_bang in (0..2) and none of ($not*) } -rule procfs_listdir : notable { - meta: - pledge = "exec" - syscall = "vfork" - strings: - $shell = "ls /proc" fullword - $python = "os.listdir('/proc')" - condition: - any of them +rule procfs_listdir : medium { + meta: + pledge = "exec" + syscall = "vfork" + strings: + $shell = "ls /proc" fullword + $python = "os.listdir('/proc')" + condition: + any of them } - rule proclist : medium { - meta: - description = "accesses process list" - strings: - $proclist = "proclist" fullword - $gops = "shirou/gopsutil" - $running = "RunningProcesses" - condition: - any of them -} \ No newline at end of file + meta: + description = "accesses process list" + hash_2024_Downloads_0f66 = "0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c" + hash_2024_Downloads_e241 = "e241a3808e1f8c4811759e1761e2fb31ce46ad1e412d65bb1ad9e697432bd4bd" + hash_2023_Linux_Malware_Samples_4c38 = "4c38654e08bd8d4c2211c5f0be417a77759bf945b0de45eb3581a2beb9226a29" + strings: + $proclist = "proclist" fullword + $gops = "shirou/gopsutil" + $running = "RunningProcesses" + condition: + any of them +} diff --git a/rules/process/multiprocess.yara b/rules/process/multiprocess.yara index 58b8bdd20..8d0fa9d34 100644 --- a/rules/process/multiprocess.yara +++ b/rules/process/multiprocess.yara 
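Review bot: `$python = "os.listdir('/proc')"` matches only the single-quoted spelling, so `os.listdir("/proc")` is missed, and procfs_listdir carries `pledge = "exec"` / `syscall = "vfork"` although listing a directory involves neither. Use `$python = /os\.listdir\(['\"]\/proc['\"]\)/` and either drop the pledge/syscall lines or set them to the read path (`syscall = "getdents"` on Linux — confirm against how this corpus assigns the field).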
@@ -1,10 +1,13 @@
-rule py_multiprocessing : notable {
- meta:
- syscall = "pthread_create"
- description = "uses python multiprocessing"
- strings:
- $ref = "multiprocessing"
- condition:
- any of them
+rule py_multiprocessing : medium {
+ meta:
+ syscall = "pthread_create"
+ description = "uses python multiprocessing"
+ hash_2023_Downloads_e6b6 = "e6b6cf40d605fc7a5e8ba168a8a5d8699b0879e965d2b803e29b87926cba861f"
+ hash_2023_Linux_Malware_Samples_03bb = "03bb1cfd9e45844701aabc549f530d56f162150494b629ca19d83c1c696710d7"
+ hash_2023_Linux_Malware_Samples_05ca = "05ca0e0228930e9ec53fe0f0b796255f1e44ab409f91bc27d20d04ad34dcb69d"
+ strings:
+ $ref = "multiprocessing"
+ condition:
+ any of them
 }
diff --git a/rules/process/multithreaded.yara b/rules/process/multithreaded.yara
index 52126ab66..4a81fdaf5 100644
--- a/rules/process/multithreaded.yara
+++ b/rules/process/multithreaded.yara
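Review bot: `syscall = "pthread_create"` is the wrong annotation for py_multiprocessing: the module spawns separate interpreter processes (fork/spawn), not threads, and the meta appears copied from the threading rules in the next file. Presumably `syscall = "fork"` is meant — confirm against the corpus's convention for this field. The bare substring `"multiprocessing"` also hits any program that imports the stdlib module, so `medium` is generous for a single generic token.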
@@ -1,21 +1,25 @@ + rule pthread_create { - meta: - syscall = "pthread_create" - description = "creates pthreads" - ref = "https://man7.org/linux/man-pages/man3/pthread_create.3.html" - strings: - $ref = "pthread_create" fullword - condition: - any of them + meta: + syscall = "pthread_create" + description = "creates pthreads" + ref = "https://man7.org/linux/man-pages/man3/pthread_create.3.html" + strings: + $ref = "pthread_create" fullword + condition: + any of them } -rule py_thread_create : notable { - meta: - syscall = "pthread_create" - description = "uses python threading" - ref = "https://docs.python.org/3/library/threading.html" - strings: - $ref = "threading.Thread" - condition: - any of them +rule py_thread_create : medium { + meta: + syscall = "pthread_create" + description = "uses python threading" + ref = "https://docs.python.org/3/library/threading.html" + hash_2020_Enigma = "6b2ff7ae79caf306c381a55409c6b969c04b20c8fda25e6d590e0dadfcf452de" + hash_2014_config_libpython2_7 = "6b0388aa64f1e31d86603309609fe295f650e66d518242375c483e1cf402d0b2" + hash_2014_config_libpython2_7 = "6b0388aa64f1e31d86603309609fe295f650e66d518242375c483e1cf402d0b2" + strings: + $ref = "threading.Thread" + condition: + any of them } diff --git a/rules/process/name-get.yara b/rules/process/name-get.yara index 6b0c03ba6..a261cbd4b 100644 --- a/rules/process/name-get.yara +++ b/rules/process/name-get.yara 
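Review bot: `hash_2014_config_libpython2_7` is listed twice with the same sha256 in py_thread_create's meta; drop the duplicate line. That exemplar is also the CPython shared library itself, which tells the reader that the only string, `threading.Thread`, fires on the interpreter and stdlib rather than on malware — worth a `// matches the Python runtime as well; informational only` comment or a lower tag.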
@@ -1,19 +1,25 @@ -rule progname : notable { - meta: - description = "get the current process name" - ref = "https://linux.die.net/man/3/program_invocation_short_name" - strings: - $ref = "program_invocation_short_name" - condition: - any of them in (1200..3000) + +rule progname : medium { + meta: + description = "get the current process name" + ref = "https://linux.die.net/man/3/program_invocation_short_name" + hash_2024_Downloads_8cad = "8cad755bcf420135c0f406fb92138dcb0c1602bf72c15ed725bd3b76062dafe5" + hash_2023_FontOnLake_771340752985DD8E84CF3843C9843EF7A76A39E7_elf = "602c435834d796943b1e547316c18a9a64c68f032985e7a5a763339d82598915" + strings: + $ref = "program_invocation_short_name" + condition: + any of them in (1200..3000) } -rule process_name : notable { - meta: - description = "get the current process name" - strings: - $ref = "processName" - $ref2 = "process_name" - condition: - any of them -} \ No newline at end of file +rule process_name : medium { + meta: + description = "get the current process name" + hash_2024_Downloads_0f66 = "0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c" + hash_2024_Downloads_4b97 = "4b973335755bd8d48f34081b6d1bea9ed18ac1f68879d4b0a9211bbab8fa5ff4" + hash_2023_Linux_Malware_Samples_3b4e = "3b4e756212ea2ed01da98cceeb856449bb50d380339b5564e30cbe7fbfdae2d4" + strings: + $ref = "processName" + $ref2 = "process_name" + condition: + any of them +} diff --git a/rules/process/name-set.yara b/rules/process/name-set.yara index 0ed226ecb..3265ce265 100644 --- a/rules/process/name-set.yara +++ b/rules/process/name-set.yara 
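Review bot: progname's `any of them in (1200..3000)` restricts the match to a fixed byte window with no comment explaining why, and this hunk keeps it while changing the rest of the rule; a reader cannot tell whether the window targets a particular ELF region or was tuned to the two FontOnLake samples. Add a `//` comment stating the rationale, hedged if it was empirical. process_name's `"processName"` / `"process_name"` are not `fullword`, so they also hit identifiers such as `processNameForPid` — confirm that is intended.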
@@ -1,19 +1,23 @@ -rule __progname : notable { - meta: - description = "get or set the current process name" - ref = "https://stackoverflow.com/questions/273691/using-progname-instead-of-argv0" - strings: - $ref = "__progname" - condition: - any of them + +rule __progname : medium { + meta: + description = "get or set the current process name" + ref = "https://stackoverflow.com/questions/273691/using-progname-instead-of-argv0" + hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796" + hash_2023_Downloads_039e = "039e1765de1cdec65ad5e49266ab794f8e5642adb0bdeb78d8c0b77e8b34ae09" + hash_2024_Downloads_0ca7 = "0ca7e0eddd11dfaefe0a0721673427dd441e29cf98064dd0f7b295eae416fe1b" + strings: + $ref = "__progname" + condition: + any of them } -rule bash_sets_name_val : notable { +rule bash_sets_name_val : medium { meta: - description = "sets process name" - ref = "https://www.jamf.com/blog/cryptojacking-macos-malware-discovered-by-jamf-threat-labs/" + description = "sets process name" + ref = "https://www.jamf.com/blog/cryptojacking-macos-malware-discovered-by-jamf-threat-labs/" strings: - $ref = /exec -a[ \"\$\{\}\@\w\/\.]{0,64}/ + $ref = /exec -a[ \"\$\{\}\@\w\/\.]{0,64}/ condition: - any of them -} \ No newline at end of file + any of them +} diff --git a/rules/process/root-check.yara b/rules/process/root-check.yara index 9fc8583c5..42f7d3d80 100644 --- a/rules/process/root-check.yara +++ b/rules/process/root-check.yara 
@@ -1,10 +1,12 @@
-rule getuid_root : notable {
- meta:
- description = "checks if uid=0 (root)"
- strings:
- $python = "os.getuid() == 0"
- $python_w32 = "ctypes.windll.shell32.IsUserAnAdmin() != 0"
- condition:
- any of them
-}
\ No newline at end of file
+rule getuid_root : medium {
+ meta:
+ description = "checks if uid=0 (root)"
+ hash_2023_setuptool_setuptool_setup = "50c9a683bc0aa2fbda3981bfdf0bbd4632094c801b224af60166376e479460ec"
+ hash_2024_aaa_bbb_ccc_setuptool_setup = "50c9a683bc0aa2fbda3981bfdf0bbd4632094c801b224af60166376e479460ec"
+ strings:
+ $python = "os.getuid() == 0"
+ $python_w32 = "ctypes.windll.shell32.IsUserAnAdmin() != 0"
+ condition:
+ any of them
+}
diff --git a/rules/process/username-get.yara b/rules/process/username-get.yara
index f6968e13d..29db040b0 100644
--- a/rules/process/username-get.yara
+++ b/rules/process/username-get.yara
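Review bot: `$python = "os.getuid() == 0"` matches only that exact spacing and only the real uid; `os.geteuid() == 0`, `os.getuid()==0` and `not os.getuid()` are all missed. A regex `$python = /os\.gete?uid\(\) ?== ?0/` covers the first three. Both hashes in the hunk are the same sha256 under two names, so one of them is redundant.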
@@ -1,23 +1,27 @@ + rule getlogin { - meta: - syscall = "getlogin" - description = "get login name" - pledge = "id" - ref = "https://linux.die.net/man/3/getlogin" - strings: - $ref = "getlogin" fullword - $ref2 = "getpass.getuser" fullword - condition: - any of them + meta: + syscall = "getlogin" + description = "get login name" + pledge = "id" + ref = "https://linux.die.net/man/3/getlogin" + strings: + $ref = "getlogin" fullword + $ref2 = "getpass.getuser" fullword + condition: + any of them } -rule whoami : notable { - meta: - syscall = "getuid" - description = "returns the user name running this process" - ref = "https://man7.org/linux/man-pages/man1/whoami.1.html" - strings: - $ref = "whoami" fullword - condition: - any of them -} \ No newline at end of file +rule whoami : medium { + meta: + syscall = "getuid" + description = "returns the user name running this process" + ref = "https://man7.org/linux/man-pages/man1/whoami.1.html" + hash_2023_misc_mr_robot = "630bbcf0643d9fc9840f2f54ea4ae1ea34dc94b91ee011779c8e8c91f733c9f5" + hash_2023_Linux_Malware_Samples_2c98 = "2c98b196a51f737f29689d16abeea620b0acfa6380bdc8e94a7a927477d81e3a" + hash_2023_Linux_Malware_Samples_3292 = "329255e33f43e6e9ae5d5efd6f5c5745c35a30d42fb5099beb51a6e40fe9bd76" + strings: + $ref = "whoami" fullword + condition: + any of them +} diff --git a/rules/process/username-set.yara b/rules/process/username-set.yara index 11692ca4a..c2340823c 100644 --- a/rules/process/username-set.yara +++ b/rules/process/username-set.yara 
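Review bot: `$ref = "getlogin" fullword` cannot match the reentrant `getlogin_r`, because `_` is a word character and `fullword` rejects it; since C code commonly calls the `_r` variant, use `$ref = /getlogin(_r)?/ fullword`. The whoami rule in the same hunk is fine as a bare `fullword` literal.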
@@ -1,10 +1,14 @@
-rule setlogin : notable {
- meta:
- syscall = "setlogin"
- description = "set login name"
- pledge = "id"
- strings:
- $ref = "setlogin" fullword
- condition:
- any of them
-}
\ No newline at end of file
+
+rule setlogin : medium {
+ meta:
+ syscall = "setlogin"
+ description = "set login name"
+ pledge = "id"
+ hash_2023_Linux_Malware_Samples_47a4 = "47a4ca5b1b6a2c0c7914b342f668b860041ec826d2ac85825389dba363797431"
+ hash_2023_Linux_Malware_Samples_6de1 = "6de1e587ac4aa49273042ffb3cdce5b92b86c31c9f85ca48dae8a38243515f75"
+ hash_2023_Linux_Malware_Samples_9a7e = "9a7e8ed9621c08964bd20eb8a95fbe9853e12ebc613c37f53774b17a2cbe9100"
+ strings:
+ $ref = "setlogin" fullword
+ condition:
+ any of them
+}
diff --git a/rules/procfs/1-cgroup.yara b/rules/procfs/1-cgroup.yara
index 6b6fea916..de996fb14 100644
--- a/rules/procfs/1-cgroup.yara
+++ b/rules/procfs/1-cgroup.yara
@@ -1,9 +1,10 @@
-rule pid_1_cgroup : notable {
- meta:
- description = "checks pid 1 cgroup to determine if it's running in a container"
- strings:
- $ref = "/proc/1/cgroup"
- condition:
- any of them
+rule pid_1_cgroup : medium {
+ meta:
+ description = "checks pid 1 cgroup to determine if it's running in a container"
+ hash_2023_OK_ad69 = "ad69e198905a8d4a4e5c31ca8a3298a0a5d761740a5392d2abb5d6d2e966822f"
+ strings:
+ $ref = "/proc/1/cgroup"
+ condition:
+ any of them
 }
diff --git a/rules/procfs/arbitrary-pid.yara b/rules/procfs/arbitrary-pid.yara
index 40c6f5664..196332d5f 100644
--- a/rules/procfs/arbitrary-pid.yara
+++ b/rules/procfs/arbitrary-pid.yara
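Review bot: pid_1_cgroup reads only `/proc/1/cgroup`; the other common spelling of the same container check, `/proc/self/cgroup`, is not covered, so a share of the idiom the description names goes undetected. Add `$ref2 = "/proc/self/cgroup"` and keep `any of them`.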
@@ -1,8 +1,12 @@ -rule proc_arbitrary : notable { - meta: - description = "access /proc for arbitrary pids" - strings: - $string_val = /\/proc\/[%{$][\/\$\w\}]{0,12}/ - condition: - any of them + +rule proc_arbitrary : medium { + meta: + description = "access /proc for arbitrary pids" + hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796" + hash_2023_Downloads_311c = "311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151" + hash_2023_Downloads_98e7 = "98e7808bd5bfd72c08429ffe0ffb52ae54bce7e6389f17ae523e8ae0099489ab" + strings: + $string_val = /\/proc\/[%{$][\/\$\w\}]{0,12}/ + condition: + any of them } diff --git a/rules/procfs/cpuinfo.yara b/rules/procfs/cpuinfo.yara index 2e9340663..61ed01053 100644 --- a/rules/procfs/cpuinfo.yara +++ b/rules/procfs/cpuinfo.yara @@ -1,9 +1,12 @@ -rule proc_cpuinfo : notable { - meta: - description = "get CPU info" - strings: - $ref = "/proc/cpuinfo" fullword - condition: - any of them +rule proc_cpuinfo : medium { + meta: + description = "get CPU info" + hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796" + hash_2024_Downloads_0ca7 = "0ca7e0eddd11dfaefe0a0721673427dd441e29cf98064dd0f7b295eae416fe1b" + hash_2023_Downloads_311c = "311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151" + strings: + $ref = "/proc/cpuinfo" fullword + condition: + any of them } diff --git a/rules/procfs/meminfo.yara b/rules/procfs/meminfo.yara index a5dc90fcd..d7e0b14d6 100644 --- a/rules/procfs/meminfo.yara +++ b/rules/procfs/meminfo.yara 
@@ -1,9 +1,12 @@ -rule proc_meminfo_val : notable { - meta: - description = "get memory info" - strings: - $ref = "/proc/meminfo" fullword - condition: - any of them +rule proc_meminfo_val : medium { + meta: + description = "get memory info" + hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796" + hash_2024_Downloads_0ca7 = "0ca7e0eddd11dfaefe0a0721673427dd441e29cf98064dd0f7b295eae416fe1b" + hash_2023_Downloads_311c = "311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151" + strings: + $ref = "/proc/meminfo" fullword + condition: + any of them } diff --git a/rules/procfs/mounts.yara b/rules/procfs/mounts.yara index cb0e51c22..0cf05e55f 100644 --- a/rules/procfs/mounts.yara +++ b/rules/procfs/mounts.yara @@ -1,10 +1,13 @@ -rule proc_mounts : notable { - meta: - description = "Parses active mounts (/proc/mounts" - pledge = "stdio" - strings: - $ref = "/proc/mounts" fullword - condition: - any of them +rule proc_mounts : medium { + meta: + description = "Parses active mounts (/proc/mounts" + pledge = "stdio" + hash_2023_Downloads_311c = "311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151" + hash_2023_Linux_Malware_Samples_1b1a = "1b1a56aec5b02355b90f911cdd27a35d099690fcbeb0e0622eaea831d64014d3" + hash_2023_Linux_Malware_Samples_1f1b = "1f1bf32f553b925963485d8bb8cc3f0344720f9e67100d610d9e3f5f6bc002a1" + strings: + $ref = "/proc/mounts" fullword + condition: + any of them } diff --git a/rules/procfs/net-dev.yara b/rules/procfs/net-dev.yara index eb68252f6..782f65521 100644 --- a/rules/procfs/net-dev.yara +++ b/rules/procfs/net-dev.yara 
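Review bot: The re-indented `proc_mounts` rule keeps an unbalanced parenthesis in its user-visible description on the new side: `description = "Parses active mounts (/proc/mounts"`. This string is what an analyst sees on every hit, so it is worth correcting while the rule is being touched: `description = "Parses active mounts (/proc/mounts)"`. The matching logic of the hunk is otherwise unchanged apart from the severity tag and the added sample hashes.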
@@ -1,9 +1,12 @@
-rule proc_net_dev : notable {
- meta:
- description = "network device statistics"
- strings:
- $val = "/proc/net/dev"
- condition:
- any of them
+rule proc_net_dev : medium {
+ meta:
+ description = "network device statistics"
+ hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796"
+ hash_2023_Downloads_d920 = "d920dec25946a86aeaffd5a53ce8c3f05c9a7bac44d5c71481f497de430cb67e"
+ hash_2023_Linux_Malware_Samples_1020 = "1020ce1f18a2721b873152fd9f76503dcba5af7b0dd26d80fdb11efaf4878b1a"
+ strings:
+ $val = "/proc/net/dev"
+ condition:
+ any of them
 }
diff --git a/rules/procfs/net_route.yara b/rules/procfs/net_route.yara
index 529a2b046..002341fa3 100644
--- a/rules/procfs/net_route.yara
+++ b/rules/procfs/net_route.yara
@@ -1,9 +1,12 @@
-rule proc_net_route : suspicious {
- meta:
- description = "gets network route information"
- strings:
- $ref = "/proc/net/route"
- condition:
- any of them
+rule proc_net_route : high {
+ meta:
+ description = "gets network route information"
+ hash_2023_Unix_Dropper_Mirai_1703 = "1703bd27e0ae38a53e897b82554f95eaa5a88f2b0a6c2c9d973d7e34d05b2539"
+ hash_2023_Unix_Dropper_Mirai_1b29 = "1b29269a4ef50ee56a473eb515732a118d67fe6efa27fd21c057b6fd4ccc501b"
+ hash_2023_Unix_Dropper_Mirai_1ba6 = "1ba6b973e571bf63bca52c366c3ddb0046511831c533acff280d2047474cd739"
+ strings:
+ $ref = "/proc/net/route"
+ condition:
+ any of them
 }
diff --git a/rules/procfs/nvidia_gpu.yara b/rules/procfs/nvidia_gpu.yara
index dbb8e24ef..3b4c6295a 100644
--- a/rules/procfs/nvidia_gpu.yara
+++ b/rules/procfs/nvidia_gpu.yara
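Review bot: `$val = "/proc/net/dev"` in `proc_net_dev` has no `fullword` qualifier, so it also matches the unrelated `/proc/net/dev_mcast` and `/proc/net/dev_snmp6` paths, while the sibling procfs rules in this diff (`proc_cpuinfo`, `proc_meminfo_val`, `proc_mounts`) all use `fullword` on their path literal. Suggest `$val = "/proc/net/dev" fullword` for consistency and fewer spurious hits. The same applies to `$ref = "/proc/net/route"` in the `proc_net_route` hunk that follows, which is being promoted to `high` on a bare substring.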
@@ -1,9 +1,12 @@ -rule proc_nvidia_gpus : notable { - meta: - description = "get GPU info" - strings: - $ref = "/proc/driver/nvidia/gpus" fullword - condition: - any of them +rule proc_nvidia_gpus : medium { + meta: + description = "get GPU info" + hash_2023_Linux_Malware_Samples_00ae = "00ae07c9fe63b080181b8a6d59c6b3b6f9913938858829e5a42ab90fb72edf7a" + hash_2023_Linux_Malware_Samples_04b5 = "04b5e29283c60fcc255f8d2f289238430a10624e457f12f1bc866454110830a2" + hash_2023_Linux_Malware_Samples_0ad6 = "0ad6c635d583de499148b1ec46d8b39ae2785303e8b81996d3e9e47934644e73" + strings: + $ref = "/proc/driver/nvidia/gpus" fullword + condition: + any of them } diff --git a/rules/procfs/pid-cmdline.yara b/rules/procfs/pid-cmdline.yara index 8302b34dd..00f707106 100644 --- a/rules/procfs/pid-cmdline.yara +++ b/rules/procfs/pid-cmdline.yara @@ -1,10 +1,14 @@ -rule proc_cmdline : notable { - meta: - description = "access command-line of other processes" - strings: - $string = "/proc/%s/cmdline" fullword - $digit = "/proc/%d/cmdline" fullword - $python = "/proc/{}/cmdline" fullword - condition: - any of them + +rule proc_cmdline : medium { + meta: + description = "access command-line of other processes" + hash_2023_Downloads_98e7 = "98e7808bd5bfd72c08429ffe0ffb52ae54bce7e6389f17ae523e8ae0099489ab" + hash_2023_Downloads_abf0 = "abf0f87cc7eb6028add2e2bda31ede09709a948e8f7e56390a3f18d1eae58aa6" + hash_2023_Downloads_c91c = "c91c6dbfa746e3c49a6c93f92b4d6c925668e620d4effc5b2bf59cf9100fe87d" + strings: + $string = "/proc/%s/cmdline" fullword + $digit = "/proc/%d/cmdline" fullword + $python = "/proc/{}/cmdline" fullword + condition: + any of them } diff --git a/rules/procfs/pid-environ.yara b/rules/procfs/pid-environ.yara index 175c55019..2a51899a8 100644 --- a/rules/procfs/pid-environ.yara +++ b/rules/procfs/pid-environ.yara @@ -1,4 +1,4 @@ -rule proc_environ : suspicious { +rule proc_environ : high { meta: description = "accesses environment variables of other processes" strings: 
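Review bot: The three sample hashes added to `proc_cmdline` (`98e7…`, `abf0…`, `c91c…`) are labelled `hash_2023_Downloads_*`, but the same three digests are removed further down this diff from `pid-inspector.yara` where they were labelled `hash_2023_trojan_Mirai_ubzhp`, `_thiwm` and `_ghwow`. The family attribution is the useful part of the key and should not be replaced by a local directory name; I would keep the Mirai labels, e.g. `hash_2023_trojan_Mirai_ubzhp = "98e7808bd5bfd72c08429ffe0ffb52ae54bce7e6389f17ae523e8ae0099489ab"`. The same three digests appear again under `Downloads_*` names in the `proc_maps` hunk below.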
diff --git a/rules/procfs/pid-exe.yara b/rules/procfs/pid-exe.yara
index dceb6a1a7..844cffc69 100644
--- a/rules/procfs/pid-exe.yara
+++ b/rules/procfs/pid-exe.yara
@@ -1,10 +1,14 @@
-rule proc_exe : suspicious {
- meta:
- description = "accesses underlying executable of other processes"
- strings:
- $string = "/proc/%s/exe" fullword
- $digit = "/proc/%d/exe" fullword
- $python = "/proc/{}/exe" fullword
- condition:
- any of them
+
+rule proc_exe : high {
+ meta:
+ description = "accesses underlying executable of other processes"
+ hash_2023_OK_4f5c = "4f5cfb805feb7576e594f1bb3b773ba0ca80e09e49bfb7e3507f815f774ac62d"
+ hash_2023_Pupy_2ab5 = "2ab59fa690e502a733aa1500a96d8e94ecb892ed9d59736cca16a09538ce7d77"
+ hash_2023_Unix_Dropper_Mirai_58c5 = "58c54ded0af2fffb8cea743d8ec3538cecfe1afe88d5f7818591fb5d4d2bd4e1"
+ strings:
+ $string = "/proc/%s/exe" fullword
+ $digit = "/proc/%d/exe" fullword
+ $python = "/proc/{}/exe" fullword
+ condition:
+ any of them
 }
diff --git a/rules/procfs/pid-fd.yara b/rules/procfs/pid-fd.yara
index b8842464c..4d47e8ecb 100644
--- a/rules/procfs/pid-fd.yara
+++ b/rules/procfs/pid-fd.yara
@@ -1,11 +1,14 @@ -rule proc_fd : suspicious { - meta: - description = "accesses file descriptors of other processes" - ref = "https://s.tencent.com/research/report/1219.html" - strings: - $ref = /\/proc\/[%{$][\w\}]{0,12}\/fd/ - // https://github.com/ClickHouse/ClickHouse/blob/7022adefb0356b86e91a3dc139446e9909ce0130/src/Common/getCurrentProcessFDCount.cpp#L19 - $not_dev_fd = "/dev/fd" - condition: - $ref and none of ($not*) + +rule proc_fd : high { + meta: + description = "accesses file descriptors of other processes" + ref = "https://s.tencent.com/research/report/1219.html" + hash_2023_FontOnLake_1829B0E34807765F2B254EA5514D7BB587AECA3F_elf = "5e9d356cdfc85a66f8fbab29bf43e95f19489c66d2a970e33d031f267298b482" + hash_2023_FontOnLake_45E94ABEDAD8C0044A43FF6D72A5C44C6ABD9378_elf = "f60c1214b5091e6e4e5e7db0c16bf18a062d096c6d69fe1eb3cbd4c50c3a3ed6" + hash_2023_FontOnLake_8D6ACA824D1A717AE908669E356E2D4BB6F857B0_elf = "265e8236da27a35306cde4e57d73077c94c35e7a73da086273af09179f78f37a" + strings: + $ref = /\/proc\/[%{$][\w\}]{0,12}\/fd/ + $not_dev_fd = "/dev/fd" + condition: + $ref and none of ($not*) } diff --git a/rules/procfs/pid-inspector.yara b/rules/procfs/pid-inspector.yara index 7ad663945..019aae905 100644 --- a/rules/procfs/pid-inspector.yara +++ b/rules/procfs/pid-inspector.yara 
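Review bot: The new side of `proc_fd` drops the only explanation of why `$not_dev_fd = "/dev/fd"` is an exclusion — the old `// https://github.com/ClickHouse/ClickHouse/blob/7022adefb0356b86e91a3dc139446e9909ce0130/src/Common/getCurrentProcessFDCount.cpp#L19` comment. Exclusion strings are the part of a rule most likely to be loosened or removed later, so the reference that justifies them is worth keeping; please restore that comment line above `$not_dev_fd`. Note also that `none of ($not*)` exempts the whole file once `/dev/fd` appears anywhere in it, which is a cheap string for a sample to carry.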
@@ -1,14 +1,10 @@ -rule pid_inspector_val : suspicious { + +rule pid_inspector_val : high { meta: - description = "accesses unusual process information" - hash_2023_trojan_Mirai_ubzhp = "98e7808bd5bfd72c08429ffe0ffb52ae54bce7e6389f17ae523e8ae0099489ab" - hash_2023_trojan_Mirai_thiwm = "abf0f87cc7eb6028add2e2bda31ede09709a948e8f7e56390a3f18d1eae58aa6" - hash_2023_trojan_Mirai_ghwow = "c91c6dbfa746e3c49a6c93f92b4d6c925668e620d4effc5b2bf59cf9100fe87d" - hash_2023_Linux_Malware_Samples_7ef5 = "7ef53aea7f4308b24db56737ae4ef9d188cdf947639bf078306da599990a2784" + description = "accesses unusual process information" hash_2023_Sysrv_Hello_sys_x86_64 = "cd784dc1f7bd95cac84dc696d63d8c807129ef47b3ce08cd08afb7b7456a8cd3" hash_2023_Unix_Dropper_Mirai_58c5 = "58c54ded0af2fffb8cea743d8ec3538cecfe1afe88d5f7818591fb5d4d2bd4e1" hash_2023_Unix_Trojan_Mirai_1233 = "12330634ae5c2ac7da6d8d00f3d680630d596df154f74e03ff37e6942f90639e" - hash_2023_Unix_Trojan_Mirai_53cc = "53cc849f32a5a4f0eba71f8edfe08863d706828bcc94210af9c6ebe29bd368f2" strings: $proc_exe = /\/proc\/[\%\@]\w{1,3}\/exe/ $proc_cmdline = /\/proc\/[\%\@]\w{1,3}\/cmdline/ diff --git a/rules/procfs/pid-maps.yara b/rules/procfs/pid-maps.yara index a716a5f98..2adec9139 100644 --- a/rules/procfs/pid-maps.yara +++ b/rules/procfs/pid-maps.yara 
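Review bot: `pid_inspector_val` loses five reference hashes (four `trojan_Mirai_*` entries and `Linux_Malware_Samples_7ef5`) while its strings and condition are untouched, so the samples presumably still match and the deletion only removes regression evidence. Three of those digests reappear in other rules in this diff under `Downloads_*` names, but `7ef5…` and `53cc…` disappear entirely. I would keep them, or state in the commit message why they no longer match. The rule's remaining strings and its condition continue past the end of this hunk.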
@@ -1,11 +1,14 @@ -rule proc_maps : notable { - meta: - description = "access process memory maps" - strings: - $string = "/proc/%s/maps" fullword - $digit = "/proc/%d/maps" fullword - $python = "/proc/{}/maps" fullword - condition: - any of them -} +rule proc_maps : medium { + meta: + description = "access process memory maps" + hash_2023_Downloads_98e7 = "98e7808bd5bfd72c08429ffe0ffb52ae54bce7e6389f17ae523e8ae0099489ab" + hash_2023_Downloads_abf0 = "abf0f87cc7eb6028add2e2bda31ede09709a948e8f7e56390a3f18d1eae58aa6" + hash_2023_Downloads_c91c = "c91c6dbfa746e3c49a6c93f92b4d6c925668e620d4effc5b2bf59cf9100fe87d" + strings: + $string = "/proc/%s/maps" fullword + $digit = "/proc/%d/maps" fullword + $python = "/proc/{}/maps" fullword + condition: + any of them +} diff --git a/rules/procfs/pid-status.yara b/rules/procfs/pid-status.yara index f7916033d..44ce52a79 100644 --- a/rules/procfs/pid-status.yara +++ b/rules/procfs/pid-status.yara @@ -1,10 +1,14 @@ -rule proc_status : notable { - meta: - description = "access status fields for other processes" - strings: - $string = "/proc/%s/status" fullword - $digit = "/proc/%d/status" fullword - $python = "/proc/{}/status" fullword - condition: - any of them + +rule proc_status : medium { + meta: + description = "access status fields for other processes" + hash_2023_Linux_Malware_Samples_1822 = "1822454a2f12fae1725ef96e588e6fa2eeab58a8043e9a56ac328c14100ba937" + hash_2020_Dacls_SubMenu = "846d8647d27a0d729df40b13a644f3bffdc95f6d0e600f2195c85628d59f1dc6" + hash_2020_Base_lproj_SubMenu = "846d8647d27a0d729df40b13a644f3bffdc95f6d0e600f2195c85628d59f1dc6" + strings: + $string = "/proc/%s/status" fullword + $digit = "/proc/%d/status" fullword + $python = "/proc/{}/status" fullword + condition: + any of them } diff --git a/rules/procfs/self-cgroup.yara b/rules/procfs/self-cgroup.yara index 08ccd3e72..f87ba29df 100644 --- a/rules/procfs/self-cgroup.yara +++ b/rules/procfs/self-cgroup.yara 
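Review bot: In `proc_status`, `hash_2020_Dacls_SubMenu` and `hash_2020_Base_lproj_SubMenu` carry the identical digest `846d8647…1dc6`, so the rule cites two samples but really has one. Drop one of the two keys (keeping `hash_2020_Dacls_SubMenu`, which carries the family name) and add a distinct sample if three references are the convention. Duplicate keys like this also make any later "how many samples hit this rule" tally wrong.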
@@ -1,9 +1,12 @@ -rule pid_self_cgroup : notable { - meta: - description = "accesses /proc files within own cgroup" - strings: - $val = /\/proc\/self\/cgroup[a-z\/\-]{0,32}/ - condition: - any of them +rule pid_self_cgroup : medium { + meta: + description = "accesses /proc files within own cgroup" + hash_2023_Downloads_45b8 = "45b8678f74d29c87e2d06410245ab6c2762b76190594cafc9543fb9db90f3d4f" + hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78 = "fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588" + hash_2023_Linux_Malware_Samples_00ae = "00ae07c9fe63b080181b8a6d59c6b3b6f9913938858829e5a42ab90fb72edf7a" + strings: + $val = /\/proc\/self\/cgroup[a-z\/\-]{0,32}/ + condition: + any of them } diff --git a/rules/procfs/self-cmdline.yara b/rules/procfs/self-cmdline.yara index 67df5c3d3..2c950c49a 100644 --- a/rules/procfs/self-cmdline.yara +++ b/rules/procfs/self-cmdline.yara @@ -1,10 +1,13 @@ -rule proc_self_cmdline : notable { - meta: - description = "Gets the command-line associated to this process" - pledge = "stdio" - strings: - $ref = "/proc/self/cmdline" fullword - condition: - any of them +rule proc_self_cmdline : medium { + meta: + description = "Gets the command-line associated to this process" + pledge = "stdio" + hash_2024_Downloads_8cad = "8cad755bcf420135c0f406fb92138dcb0c1602bf72c15ed725bd3b76062dafe5" + hash_2023_Linux_Malware_Samples_139b = "139b09543494ead859b857961d230a39b9f4fc730f81cf8445b6d83bacf67f3d" + hash_2023_Linux_Malware_Samples_e212 = "e2125d9ce884c0fb3674bd12308ed1c10651dc4ff917b5e393d7c56d7b809b87" + strings: + $ref = "/proc/self/cmdline" fullword + condition: + any of them } diff --git a/rules/procfs/self-exe.yara b/rules/procfs/self-exe.yara index 4e6b15ce2..258b7e7e7 100644 --- a/rules/procfs/self-exe.yara +++ b/rules/procfs/self-exe.yara 
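Review bot: The meta key `hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78` in `pid_self_cgroup` embeds a 64-hex string that is not the digest it maps to (`fd3e21…3588`), which invites confusion about which value is the sample's SHA-256; presumably the key was generated from a filename. Shorten it to the convention used elsewhere in this diff, `hash_2024_Downloads_4ba7`, or rename the sample first. The same key is added to `proc_self_status` in two later hunks of this diff.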
@@ -1,10 +1,13 @@ -rule proc_self_exe : notable { - meta: - description = "gets executable associated to this process" - pledge = "stdio" - strings: - $ref = "/proc/self/exe" fullword - condition: - any of them +rule proc_self_exe : medium { + meta: + description = "gets executable associated to this process" + pledge = "stdio" + hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796" + hash_2024_Downloads_0ca7 = "0ca7e0eddd11dfaefe0a0721673427dd441e29cf98064dd0f7b295eae416fe1b" + hash_2023_Downloads_2f13 = "2f1321c6cf0bc3cf955e86692bfc4ba836f5580c8b1469ce35aa250c97f0076e" + strings: + $ref = "/proc/self/exe" fullword + condition: + any of them } diff --git a/rules/procfs/self-mountinfo.yara b/rules/procfs/self-mountinfo.yara index db727afec..64605292a 100644 --- a/rules/procfs/self-mountinfo.yara +++ b/rules/procfs/self-mountinfo.yara @@ -1,10 +1,13 @@ -rule proc_self_status : notable { - meta: - description = "gets mountinfo associated to this process" - pledge = "stdio" - strings: - $ref = "/proc/self/mountinfo" fullword - condition: - any of them +rule proc_self_status : medium { + meta: + description = "gets mountinfo associated to this process" + pledge = "stdio" + hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78 = "fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588" + hash_2023_Linux_Malware_Samples_7955 = "7955542df199c6ce4ca0bb3966dcf9cc71199c592fec38508dad58301a3298d0" + hash_2023_Linux_Malware_Samples_df82 = "df8262a8a7208da235127a10b07fa9b87de71eb2cc9667899da60ad255a90c76" + strings: + $ref = "/proc/self/mountinfo" fullword + condition: + any of them } diff --git a/rules/procfs/self-status.yara b/rules/procfs/self-status.yara index 625095abb..5c6a8133c 100644 --- a/rules/procfs/self-status.yara +++ b/rules/procfs/self-status.yara 
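Review bot: The rule in `self-mountinfo.yara` is still named `proc_self_status`, the same identifier as the rule in `self-status.yara` in the next hunk; YARA rejects duplicated rule identifiers when both files are compiled into one ruleset, and even where the files are loaded separately the two rules become indistinguishable in output. Since this hunk rewrites the whole rule anyway, rename it: `rule proc_self_mountinfo : medium {`. The description line already says "mountinfo", so only the identifier is wrong.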
@@ -1,10 +1,13 @@ -rule proc_self_status : notable { - meta: - description = "gets status associated to this process, including capabilities" - pledge = "stdio" - strings: - $ref = "/proc/self/status" fullword - condition: - any of them +rule proc_self_status : medium { + meta: + description = "gets status associated to this process, including capabilities" + pledge = "stdio" + hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78 = "fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588" + hash_2023_Linux_Malware_Samples_7955 = "7955542df199c6ce4ca0bb3966dcf9cc71199c592fec38508dad58301a3298d0" + hash_2023_Linux_Malware_Samples_df82 = "df8262a8a7208da235127a10b07fa9b87de71eb2cc9667899da60ad255a90c76" + strings: + $ref = "/proc/self/status" fullword + condition: + any of them } diff --git a/rules/procfs/stat.yara b/rules/procfs/stat.yara index 404a26cc1..e487b62b6 100644 --- a/rules/procfs/stat.yara +++ b/rules/procfs/stat.yara @@ -1,9 +1,12 @@ -rule proc_stat : notable { - meta: - description = "gets kernel/system statistics" - strings: - $ref = "/proc/stat" fullword - condition: - any of them +rule proc_stat : medium { + meta: + description = "gets kernel/system statistics" + hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796" + hash_2024_Downloads_0ca7 = "0ca7e0eddd11dfaefe0a0721673427dd441e29cf98064dd0f7b295eae416fe1b" + hash_2023_Downloads_311c = "311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151" + strings: + $ref = "/proc/stat" fullword + condition: + any of them } diff --git a/rules/ref/config/com.apple.plist.yara b/rules/ref/config/com.apple.plist.yara index 3b685cb2e..72067c0cf 100644 --- a/rules/ref/config/com.apple.plist.yara +++ b/rules/ref/config/com.apple.plist.yara 
@@ -1,27 +1,23 @@ -rule references_com_apple_preferences_file : notable { + +rule references_com_apple_preferences_file : medium { meta: ref = "https://securelist.com/triangulation-validators-modules/110847/" hash_2022_CloudMensis_WindowServer = "317ce26cae14dc9a5e4d4667f00fee771b4543e91c944580bbb136e7fe339427" hash_2022_CloudMensis_WindowServer_2 = "b8a61adccefb13b7058e47edcd10a127c483403cf38f7ece126954e95e86f2bd" hash_2022_CloudMensis_mdworker3 = "273633eee4776aef40904124ed1722a0793e6567f3009cdb037ed0a9d79c1b0b" - hash_2018_CookieMiner_uploadminer = "6236f77899cea6c32baf0032319353bddfecaf088d20a4b45b855a320ba41e93" - hash_2022_DazzleSpy_agent_softwareupdate = "f9ad42a9bd9ade188e997845cae1b0587bf496a35c3bffacd20fefe07860a348" - hash_2011_bin_p_start = "490f96b3ce11827fe681e0e2bd71d622399f16c688e5fedef4f79089c7cf2856" - hash_2021_Gmera_Licatrade = "ad27ae075010795c04a6c5f1303531f3f2884962be4d741bf38ced0180710d06" - hash_2014_MacOS_python = "ccd3b137253b8fa1ee7b6557a7beb99350238584a10ea8dd36aabcb00e9fc642" strings: $com_apple_plist = /com\.apple\.[\w\-\.]{0,32}\.plist/ $not_program = "@(#)PROGRAM:" $not_apple = "Copyright Apple Computer Inc" $not_private = "/System/Library/PrivateFrameworks/" $not_apple_internal = "internal to Apple Products" - $not_microsoft = "Microsoft Corporation" - $not_strict = "use strict" - $not_speech_voice = "speech.voice" - $not_apple_inc = "Apple Inc" - $not_sandbox = "andbox profile" - $not_postfix = "com.apple.postfixsetup.plist" - $not_private_literal = "private-literal" + $not_microsoft = "Microsoft Corporation" + $not_strict = "use strict" + $not_speech_voice = "speech.voice" + $not_apple_inc = "Apple Inc" + $not_sandbox = "andbox profile" + $not_postfix = "com.apple.postfixsetup.plist" + $not_private_literal = "private-literal" condition: filesize < 157286400 and $com_apple_plist and none of ($not*) } diff --git a/rules/ref/cve.yara b/rules/ref/cve.yara index 78182c833..41a2c4d3d 100644 --- a/rules/ref/cve.yara 
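Review bot: `references_com_apple_preferences_file` drops five reference hashes (CookieMiner, DazzleSpy, Gmera and two unnamed samples) while `$com_apple_plist` and the condition are unchanged, so this is a loss of regression evidence rather than a correction — please keep them or explain why they stopped matching. Separately, the retained exclusion `$not_apple_inc = "Apple Inc"` means any sample can opt out of this rule by carrying an Apple copyright string, which is an attacker-controlled input; a comment noting that trade-off, e.g. `// weak exclusion: trivially spoofable, kept for FP rate`, would help the next maintainer.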
+++ b/rules/ref/cve.yara @@ -1,8 +1,5 @@ rule cve_mention { - meta: - hash_finspy_helper2 = "af4ad3b8bf81a877a47ded430ac27fdcb3ddd33d3ace52395f76cbdde46dbfe0" - hash_2023_Linux_Malware_Samples_07d5 = "07d57c97f6af84f35a122b8a98f44242ac9da67f135cc337a88a231906cdece2" strings: $cve_re = /cve[-_]20[12]\d+-\d+/ nocase $not_xul = "XUL_APP_FILE" diff --git a/rules/ref/daemon.yara b/rules/ref/daemon.yara index 01c66ae30..3e792a5e2 100644 --- a/rules/ref/daemon.yara +++ b/rules/ref/daemon.yara @@ -1,10 +1,13 @@ -rule daemon : notable { - meta: - description = "Run as a background daemon" - strings: - $ref = /[\w\-]{0,8}daemon/ fullword - $ref2 = "daemonize" fullword - condition: - any of them -} \ No newline at end of file +rule daemon : medium { + meta: + description = "Run as a background daemon" + hash_2023_misc_mr_robot = "630bbcf0643d9fc9840f2f54ea4ae1ea34dc94b91ee011779c8e8c91f733c9f5" + hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796" + hash_2023_Downloads_311c = "311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151" + strings: + $ref = /[\w\-]{0,8}daemon/ fullword + $ref2 = "daemonize" fullword + condition: + any of them +} diff --git a/rules/ref/email.yara b/rules/ref/email.yara index e50e38141..b8ecf9209 100644 --- a/rules/ref/email.yara +++ b/rules/ref/email.yara 
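Review bot: After this hunk `cve_mention` has no `meta:` section at all — it is the only rule in this diff without a `description`, so its hits will render without any explanation. Rather than deleting the block, keep it with at least `description = "mentions a CVE identifier"`, and keep the two sample hashes unless they no longer match. The rule's remaining `$not_*` strings and condition lie outside the hunk.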
@@ -1,9 +1,12 @@ -rule exotic_email_addr : notable { + +rule exotic_email_addr : medium { meta: - description = "Contains an exotic email address" - hash_2023_Unix_Ransomware_Defray_cb40 = "cb408d45762a628872fa782109e8fcfc3a5bf456074b007de21e9331bb3c5849" + description = "Contains an exotic email address" + hash_2023_grandmask_3_13_setup = "8835778f9e75e6493693fc6163477ec94aba723c091393a30d7e7b9eed4f5a54" + hash_2023_py_guigrand_4_67_setup = "4cb4b9fcce78237f0ef025d1ffda8ca8bc79bf8d4c199e4bfc6eff84ce9ce554" + hash_2023_py_killtoolad_3_65_setup = "64ec7b05442356293e903afe028637d821bad4444c4e1e11b73a4ff540fe480b" strings: $e_re = /[\w\.\-]{1,32}@(proton|tuta|mailfence|onion|gmx)[\w\.\-]{1,64}/ condition: any of ($e*) -} \ No newline at end of file +} diff --git a/rules/ref/extensions/office.yara b/rules/ref/extensions/office.yara index 398d003bb..e96dcedb2 100644 --- a/rules/ref/extensions/office.yara +++ b/rules/ref/extensions/office.yara @@ -1,6 +1,10 @@ -rule office_extensions : notable { + +rule office_extensions : medium { meta: - description = "References multiple Office file extensions (possible exfil)" + description = "References multiple Office file extensions (possible exfil)" + hash_2023_Downloads_24b5 = "24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073" + hash_2024_Downloads_384e = "384ec732200ab95c94c202f42b51e870f51735768888aaabc4e370de74e825e3" + hash_2023_Downloads_f5de = "f5de75a6db591fe6bb6b656aa1dcfc8f7fe0686869c34192bfa4ec092554a4ac" strings: $e_doc = "doc" fullword $e_docm = "docm" fullword @@ -12,5 +16,5 @@ rule office_extensions : notable { $e_xls = "xls" fullword $e_xlsx = "xlsx" fullword condition: - 5 of them + 5 of them } diff --git a/rules/ref/google-analytics.yara b/rules/ref/google-analytics.yara index 88bfdf847..af4cf7aa8 100644 --- a/rules/ref/google-analytics.yara +++ b/rules/ref/google-analytics.yara 
@@ -1,9 +1,13 @@ -rule hardcoded_analytics : suspicious { + +rule hardcoded_analytics : high { meta: - description = "Contains hardcoded Google Analytics ID" + description = "Contains hardcoded Google Analytics ID" + hash_2023_anarchy = "1a6f8d758c6e569109a021c01cc4a5e787a9c876866c0ce5a15f07f266ec8059" + hash_2023_misc_mktmpio = "f6b7984c76d92390f5530daeacf4f77047b176ffb8eaf5c79c74d6dd4d514b2b" + hash_2023_articles_https_pberba_github_io_security_2022_02_07_linux_threat_hunting_for_persistence_systemd_generators = "8c227f67a16162ffd5b453a478ced2950eba4cbe3b004c5cc935fb9551dc2289" strings: $ref = /UA-[\d]{5,9}-\d{1,3}/ fullword - $ref2 = "analytics" + $ref2 = "analytics" condition: - all of them + all of them } diff --git a/rules/ref/ip-dns_resolver.yara b/rules/ref/ip-dns_resolver.yara index 40d6dcc72..0ff0fa621 100644 --- a/rules/ref/ip-dns_resolver.yara +++ b/rules/ref/ip-dns_resolver.yara @@ -1,6 +1,10 @@ -rule google_dns_ip : notable { + +rule google_dns_ip : medium { meta: - description = "contains Google Public DNS resolver IP" + description = "contains Google Public DNS resolver IP" + hash_2023_libcurl_setup = "5deef153a6095cd263d5abb2739a7b18aa9acb7fb0d542a2b7ff75b3506877ac" + hash_2024_aaa_bbb_ccc_setup = "5deef153a6095cd263d5abb2739a7b18aa9acb7fb0d542a2b7ff75b3506877ac" + hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796" strings: $primary = "8.8.8.8" $secondary = "8.8.4.4" @@ -8,9 +12,11 @@ rule google_dns_ip : notable { any of them } -rule opendns_ip : notable { +rule opendns_ip : medium { meta: - description = "contains OpenDNS DNS resolver IP" + description = "contains OpenDNS DNS resolver IP" + hash_2023_Downloads_2f13 = "2f1321c6cf0bc3cf955e86692bfc4ba836f5580c8b1469ce35aa250c97f0076e" + hash_2023_APT31_1d60 = "1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2" strings: $primary = "208.67.222.222" $secondary = "208.67.220.220" 
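Review bot: `hardcoded_analytics` is promoted to `high`, yet one of the three samples cited as evidence is named `hash_2023_articles_https_pberba_github_io_security_2022_02_07_linux_threat_hunting_for_persistence_systemd_generators`, which looks like a saved security blog post rather than malware. If that file really triggers the rule, it suggests `UA-\d{5,9}-\d{1,3}` plus the word `analytics` fires on ordinary web content, which argues against `high`; I would either replace that reference with a genuine sample or keep the tag at `medium`. The mangled URL also makes a poor meta key — a short name plus a `ref =` URL is the convention used elsewhere.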
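Review bot: In `google_dns_ip`, `hash_2023_libcurl_setup` and `hash_2024_aaa_bbb_ccc_setup` map to the identical digest `5deef153…77ac`, so the rule cites one sample twice under different names and years. Keep a single key for it (and one consistent year), or add a genuinely different sample as the third reference. The `opendns_ip` hunk that follows does not have this problem.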
@@ -18,9 +24,9 @@ rule opendns_ip : notable { any of them } -rule ctrld_ip : suspicious { +rule ctrld_ip : high { meta: - description = "contains 'Control D' DNS resolver IP" + description = "contains 'Control D' DNS resolver IP" strings: $primary = "76.76.2.0" $secondary = "76.76.10.0" @@ -28,9 +34,12 @@ rule ctrld_ip : suspicious { any of them } -rule quad9_ip : notable { +rule quad9_ip : medium { meta: - description = "contains Quad9 DNS resolver IP" + description = "contains Quad9 DNS resolver IP" + hash_2023_APT31_1d60 = "1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2" + hash_2023_OK_ad69 = "ad69e198905a8d4a4e5c31ca8a3298a0a5d761740a5392d2abb5d6d2e966822f" + hash_2024_synthetic_cnc_dns_over_https = "4f07f1c783affdde5ac4eb029e10c1a13d69d8b04f14897277f226b0f342013c" strings: $primary = "9.9.9.9" $secondary = "149.112.112.112" @@ -38,19 +47,24 @@ rule quad9_ip : notable { any of them } - -rule one_one_four_dns_ip : notable { +rule one_one_four_dns_ip : medium { meta: - description = "contains I14DNS DNS resolver IP" + description = "contains I14DNS DNS resolver IP" + hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796" + hash_2023_Downloads_311c = "311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151" + hash_2023_OK_9c77 = "9c770b12a2da76c41f921f49a22d7bc6b5a1166875b9dc732bc7c05b6ae39241" strings: $d_114dns = "114.114.114.114" condition: any of them } -rule ipinfo_dns_ip : suspicious { +rule ipinfo_dns_ip : high { meta: - description = "contains IPInfo DNS resolver IP" + description = "contains IPInfo DNS resolver IP" + hash_2023_Unix_Malware_Setag_2f41 = "2f4163b6a30d738f619513cdcc8ee40056eeef9244455225d629a0fc2c58638a" + hash_2023_Unix_Malware_Setag_d55c = "d55ca59e33aebd0db6c433edac5c5bca6d1781ca4a35e3afcf086abf2047532b" + hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796" strings: $ref = "168.95.1.1" condition: 
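Review bot: The description of `one_one_four_dns_ip` reads `"contains I14DNS DNS resolver IP"` with a capital letter I, while the string it matches is `114.114.114.114`; it should be `description = "contains 114DNS DNS resolver IP"`. In the same hunk, `ipinfo_dns_ip` describes `168.95.1.1` as an "IPInfo" resolver — as far as I know that address is HiNet's (Chunghwa Telecom) public resolver and is not operated by IPinfo, so the description and rule name should be verified before the rule is promoted to `high`.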
diff --git a/rules/ref/ip.yara b/rules/ref/ip.yara index 491bdf0c4..441afa272 100644 --- a/rules/ref/ip.yara +++ b/rules/ref/ip.yara @@ -1,6 +1,10 @@ -rule hardcoded_ip : notable { + +rule hardcoded_ip : medium { meta: - description = "hardcoded IP address" + description = "hardcoded IP address" + hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74" + hash_2024_Downloads_0fa8a2e98ba17799d559464ab70cce2432f0adae550924e83d3a5a18fe1a9fc8 = "503fcf8b03f89483c0335c2a7637670c8dea59e21c209ab8e12a6c74f70c7f38" + hash_2023_Downloads_311c = "311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151" strings: $ipv4 = /([1-9][0-9]{1,2}\.){3}[1-9][0-9]{1,2}/ fullword $not_localhost = "127.0.0.1" @@ -9,8 +13,8 @@ rule hardcoded_ip : notable { $not_weirdo = "635.100.12.38" $not_incr = "10.11.12.13" $not_169 = "169.254.169.254" - $not_spyder = "/search/spider" - $not_ruby = "210.251.121.214" + $not_spyder = "/search/spider" + $not_ruby = "210.251.121.214" condition: 1 of ($ip*) and none of ($not*) } diff --git a/rules/ref/ip_port.yara b/rules/ref/ip_port.yara index 75e167c70..468e22968 100644 --- a/rules/ref/ip_port.yara +++ b/rules/ref/ip_port.yara 
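Review bot: The condition of `hardcoded_ip`, `1 of ($ip*) and none of ($not*)`, exempts an entire file as soon as any listed literal appears anywhere in it, so a sample that mentions `127.0.0.1` (common in network-capable binaries) alongside a hardcoded C2 address is never reported; the exclusion is meant to discard one match, not the whole file. Note too that `$ipv4` rejects any octet below 10, so `127.0.0.1` can never match it and that exclusion only serves to suppress the rule. One way to express the intent with the exclusions visible here is to compare counts, `#ipv4 > #not_weirdo + #not_incr + #not_169 + #not_ruby`, and drop the literals that `$ipv4` cannot match; the rule's earlier `$not_*` lines are outside this hunk, so the list may need extending.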
@@ -1,30 +1,34 @@ + rule hardcoded_ip_port : high { meta: - description = "hardcoded IP:port destination" + description = "hardcoded IP:port destination" + hash_2023_Merlin_48a7 = "48a70bd18a23fce3208195f4ad2e92fce78d37eeaa672f83af782656a4b2d07f" + hash_2023_usr_adxintrin_b = "a51a4ddcd092b102af94139252c898d7c1c48f322bae181bd99499a79c12c500" + hash_2023_Sysrv_Hello_sys_x86_64 = "cd784dc1f7bd95cac84dc696d63d8c807129ef47b3ce08cd08afb7b7456a8cd3" strings: $ipv4 = /([1-9][0-9]{1,2}\.){3}[1-9][0-9]{1,2}:\d{2,5}/ fullword - $not_ssdp = "239.255.255.250:1900" - $not_2181 = "10.101.203.230:2181" - $not_meta = "169.254.169.254:80" - $not_vnc = "10.10.10.10:5900" - $not_azure_pgsql = "20.66.25.58:5432" + $not_ssdp = "239.255.255.250:1900" + $not_2181 = "10.101.203.230:2181" + $not_meta = "169.254.169.254:80" + $not_vnc = "10.10.10.10:5900" + $not_azure_pgsql = "20.66.25.58:5432" condition: any of ($ip*) and none of ($not*) } -rule ip_and_port : notable { +rule ip_and_port : medium { meta: - description = "mentions an IP and port" + description = "mentions an IP and port" + hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e" + hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad" + hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74" strings: - $camelPort = /[a-z]{0,8}Port/ fullword - $camelIP = /[a-z]{0,8}Ip/ fullword - - $underPort = /[a-z]{0,8}_port/ fullword - $underIP = /[a-z]{0,8}_ip/ fullword - - $wordPort = "Port" fullword - $wordIP = "IP" fullword + $camelPort = /[a-z]{0,8}Port/ fullword + $camelIP = /[a-z]{0,8}Ip/ fullword + $underPort = /[a-z]{0,8}_port/ fullword + $underIP = /[a-z]{0,8}_ip/ fullword + $wordPort = "Port" fullword + $wordIP = "IP" fullword condition: - all of ($camel*) or all of ($under*) or all of ($word*) + all of ($camel*) or all of ($under*) or all of ($word*) } - 
diff --git a/rules/ref/path/Library-Mail.yara b/rules/ref/path/Library-Mail.yara index 5578be4e0..1cec98d35 100644 --- a/rules/ref/path/Library-Mail.yara +++ b/rules/ref/path/Library-Mail.yara @@ -1,7 +1,8 @@ -rule macos_library_mail_ref : notable { + +rule macos_library_mail_ref : medium { meta: - hash_2022_CloudMensis_WindowServer_2 = "b8a61adccefb13b7058e47edcd10a127c483403cf38f7ece126954e95e86f2bd" hash_2022_CloudMensis_WindowServer = "317ce26cae14dc9a5e4d4667f00fee771b4543e91c944580bbb136e7fe339427" + hash_2022_CloudMensis_WindowServer_2 = "b8a61adccefb13b7058e47edcd10a127c483403cf38f7ece126954e95e86f2bd" hash_2022_DazzleSpy_softwareupdate = "f9ad42a9bd9ade188e997845cae1b0587bf496a35c3bffacd20fefe07860a348" strings: $mail = "Library/Mail" diff --git a/rules/ref/path/boot.yara b/rules/ref/path/boot.yara index 84a266ca5..d2da199b5 100644 --- a/rules/ref/path/boot.yara +++ b/rules/ref/path/boot.yara 
@@ -1,19 +1,26 @@ -rule boot_path : notable { - meta: - description = "path reference within /boot" - strings: - $ref = /\/boot\/[\%\w\.\-\/]{4,32}/ fullword - condition: - $ref + +rule boot_path : medium { + meta: + description = "path reference within /boot" + hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b" + hash_2023_Qubitstrike_branch_raw_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd" + hash_2023_Qubitstrike_kill_loop = "a34a36ec6b7b209aaa2092cc28bc65917e310b3181e98ab54d440565871168cb" + strings: + $ref = /\/boot\/[\%\w\.\-\/]{4,32}/ fullword + condition: + $ref } -rule elf_boot_path : notable { - meta: - description = "path reference within /boot" - strings: - $ref = /\/boot\/[\%\w\.\-\/]{4,32}/ fullword - $not_kern = "/boot/vmlinux-%s" - $not_include_path = "_PATH_UNIX" fullword - condition: - uint32(0) == 1179403647 and $ref and none of ($not*) -} \ No newline at end of file +rule elf_boot_path : medium { + meta: + description = "path reference within /boot" + hash_2023_Unix_Malware_Kaiji_3e68 = "3e68118ad46b9eb64063b259fca5f6682c5c2cb18fd9a4e7d97969226b2e6fb4" + hash_2023_Unix_Malware_Kaiji_f4a6 = "f4a64ab3ffc0b4a94fd07a55565f24915b7a1aaec58454df5e47d8f8a2eec22a" + hash_2023_Unix_Trojan_IptabLex_b574 = "b5745c865ab5348425e79ce91d79442982c20f3f89e1ffcdd2816895a25d2a1c" + strings: + $ref = /\/boot\/[\%\w\.\-\/]{4,32}/ fullword + $not_kern = "/boot/vmlinux-%s" + $not_include_path = "_PATH_UNIX" fullword + condition: + uint32(0) == 1179403647 and $ref and none of ($not*) +} diff --git a/rules/ref/path/browser_extensions.yara b/rules/ref/path/browser_extensions.yara index b1adc7104..0d1e57471 100644 --- a/rules/ref/path/browser_extensions.yara +++ b/rules/ref/path/browser_extensions.yara 
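Review bot: `boot_path` and `elf_boot_path` use the identical `$ref` regex, so every ELF that `elf_boot_path` excludes via `$not_kern` / `$not_include_path` still fires `boot_path`, which makes those exclusions ineffective in practice. Either add the same `$not_*` strings to `boot_path` or restrict it to non-ELF input so the two rules partition the data, e.g. `uint32(0) != 1179403647 and $ref`. A short comment on the magic number would also help, e.g. `// 0x464C457F == "\x7fELF" read little-endian`.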
@@ -1,17 +1,18 @@ -rule browser_extensions : notable { +rule browser_extensions : medium { meta: - description = "access Browser extensions" + description = "access Browser extensions" + hash_2024_2019_02_Shlayer_Malware_a2ec = "a2ec5d9c80794c26a7eaac8586521f7b0eb24aba9ad393c194c86cfd150e5189" + hash_2024_2019_02_Shlayer_Malware_b53f = "b53fab9dd4b473237a39895372aae51638b25d8f7a659c24d0a3cc21d03ef159" + hash_2024_2019_02_Shlayer_Malware_fd93 = "fd93c08678392eae99a1281577a54875a0e1920c49cdea6d56b53dabc4597803" strings: $b_firefoxExtension = "Firefox/extensions" $b_safariExtension = "Safari/Extensions" $b_installChrome = "installChrome" $b_installFirefox = "installFirefox" $b_installSafari = "installSafari" - $c_chromeExtension = "/Extensions" $c_googleChrome = "Google/Chrome" - condition: any of ($b*) or all of ($c*) -} \ No newline at end of file +} diff --git a/rules/ref/path/dev-mqueue.yara b/rules/ref/path/dev-mqueue.yara index 09a60a88e..32e32e70a 100644 --- a/rules/ref/path/dev-mqueue.yara +++ b/rules/ref/path/dev-mqueue.yara @@ -1,4 +1,4 @@ -rule dev_mqueue : notable { +rule dev_mqueue : medium { meta: description = "path reference within /dev/mqueue (world writeable)" strings: @@ -7,7 +7,7 @@ rule dev_mqueue : notable { any of them } -rule dev_mqueue_hidden : suspicious { +rule dev_mqueue_hidden : high { meta: description = "path reference within /dev/mqueue (world writeable)" strings: diff --git a/rules/ref/path/dev-shm.yara b/rules/ref/path/dev-shm.yara index c037b2e1e..fc92a807d 100644 --- a/rules/ref/path/dev-shm.yara +++ b/rules/ref/path/dev-shm.yara 
@@ -1,36 +1,45 @@ + rule dev_shm { - meta: - description = "references /dev/shm (world writeable)" - strings: - $ref = /\/dev\/shm\/[\%\w\-\/\.]{0,64}/ - condition: - any of them + meta: + description = "references /dev/shm (world writeable)" + strings: + $ref = /\/dev\/shm\/[\%\w\-\/\.]{0,64}/ + condition: + any of them } -rule dev_shm_file : suspicious { - meta: - description = "reference file within /dev/shm (world writeable)" - strings: - // at least two characters to decrease false-positive rate - $ref = /\/dev\/shm\/[\%\w\.]{2,64}/ - condition: - any of them +rule dev_shm_file : high { + meta: + description = "reference file within /dev/shm (world writeable)" + hash_2023_BPFDoor_8b84 = "8b84336e73c6a6d154e685d3729dfa4e08e4a3f136f0b2e7c6e5970df9145e95" + hash_2023_BPFDoor_8b9d = "8b9db0bc9152628bdacc32dab01590211bee9f27d58e0f66f6a1e26aea7552a6" + hash_2023_OK_ad69 = "ad69e198905a8d4a4e5c31ca8a3298a0a5d761740a5392d2abb5d6d2e966822f" + strings: + $ref = /\/dev\/shm\/[\%\w\.]{2,64}/ + condition: + any of them } rule dev_shm_sh : critical { - meta: - description = "References shell script within /dev/shm (world writeable)" - strings: - $ref = /\/dev\/shm\/[%\w\.\-\/]{0,64}\.sh/ - condition: - any of them + meta: + description = "References shell script within /dev/shm (world writeable)" + hash_2023_Unix_Downloader_Rocke_228e = "228ec858509a928b21e88d582cb5cfaabc03f72d30f2179ef6fb232b6abdce97" + hash_2023_Unix_Downloader_Rocke_2f64 = "2f642efdf56b30c1909c44a65ec559e1643858aaea9d5f18926ee208ec6625ed" + hash_2023_Unix_Downloader_Rocke_6107 = "61075056b46d001e2e08f7e5de3fb9bfa2aabf8fb948c41c62666fd4fab1040f" + strings: + $ref = /\/dev\/shm\/[%\w\.\-\/]{0,64}\.sh/ + condition: + any of them } rule dev_shm_hidden : critical { - meta: - description = "path reference within /dev/shm (world writeable)" - strings: - $dev_shm = /\/dev\/shm\/\.[%\w\.\-\/]{0,64}/ - condition: - any of them -} \ No newline at end of file + meta: + description = "path reference within /dev/shm 
(world writeable)" + hash_2023_OK_ad69 = "ad69e198905a8d4a4e5c31ca8a3298a0a5d761740a5392d2abb5d6d2e966822f" + hash_2023_OrBit_f161 = "f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8" + hash_2023_Unix_Downloader_Rocke_228e = "228ec858509a928b21e88d582cb5cfaabc03f72d30f2179ef6fb232b6abdce97" + strings: + $dev_shm = /\/dev\/shm\/\.[%\w\.\-\/]{0,64}/ + condition: + any of them +} diff --git a/rules/ref/path/dev.yara b/rules/ref/path/dev.yara index 5c95dd468..e207fb683 100644 --- a/rules/ref/path/dev.yara +++ b/rules/ref/path/dev.yara @@ -1,10 +1,14 @@ -rule dev_path : notable { - meta: - description = "path reference within /dev" - strings: - $path = /\/dev\/[\w\.\-\/]{1,16}/ - $ignore_null = "/dev/null" - $ignore_shm = "/dev/shm/" - condition: - $path and none of ($ignore*) + +rule dev_path : medium { + meta: + description = "path reference within /dev" + hash_2023_Downloads_039e = "039e1765de1cdec65ad5e49266ab794f8e5642adb0bdeb78d8c0b77e8b34ae09" + hash_2023_Downloads_06ab = "06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725" + hash_2024_Downloads_384e = "384ec732200ab95c94c202f42b51e870f51735768888aaabc4e370de74e825e3" + strings: + $path = /\/dev\/[\w\.\-\/]{1,16}/ + $ignore_null = "/dev/null" + $ignore_shm = "/dev/shm/" + condition: + $path and none of ($ignore*) } diff --git a/rules/ref/path/etc-hosts.yara b/rules/ref/path/etc-hosts.yara index b85c3b569..db4dfd766 100644 --- a/rules/ref/path/etc-hosts.yara +++ b/rules/ref/path/etc-hosts.yara 
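Review bot: In `dev_path`, `none of ($ignore*)` excludes the whole file whenever it contains `/dev/null` or `/dev/shm/`, so a binary that also references other `/dev` entries is never flagged, and `/dev/null` is present in most programs. If the intent is to ignore only those two paths rather than every file containing them, a count comparison such as `#path > #ignore_null + #ignore_shm` is closer to that intent, though the 16-character cap in `$path` means long `/dev/shm/` paths should be checked against it before relying on it. In the dev-shm.yara hunk just above, `dev_shm` is the only rule in the file with no severity tag while its siblings are `high`/`critical`; worth confirming that untagged is deliberate rather than a leftover from the `notable` rename.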
@@ -1,8 +1,12 @@
-rule etc_hosts : notable {
- meta:
- description = "references /etc/hosts"
- strings:
- $ref = "/etc/hosts"
- condition:
- any of them
-}
\ No newline at end of file
+
+rule etc_hosts : medium {
+ meta:
+ description = "references /etc/hosts"
+ hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad"
+ hash_2023_Downloads_21b3 = "21b3e304db526e2c80df1f2da2f69ab130bdad053cb6df1e05eb487a86a19b7c"
+ hash_2023_Downloads_21ca = "21ca44d382102e0ae33d02f499a5aa2a01e0749be956cbd417aae64085f28368"
+ strings:
+ $ref = "/etc/hosts"
+ condition:
+ any of them
+}
diff --git a/rules/ref/path/etc-ld.so.preload.yara b/rules/ref/path/etc-ld.so.preload.yara
index ce5ad708b..3c0c9fe38 100644
--- a/rules/ref/path/etc-ld.so.preload.yara
+++ b/rules/ref/path/etc-ld.so.preload.yara
@@ -1,8 +1,12 @@
-rule etc_ld_preload : suspicious {
- meta:
- description = "References /etc/ld.so.preload"
- strings:
- $ref = "/etc/ld.so.preload"
- condition:
- any of them
-}
\ No newline at end of file
+
+rule etc_ld_preload : high {
+ meta:
+ description = "References /etc/ld.so.preload"
+ hash_2023_Lightning_fd28 = "fd285c2fb4d42dde23590118dba016bf5b846625da3abdbe48773530a07bcd1e"
+ hash_2023_OK_ad69 = "ad69e198905a8d4a4e5c31ca8a3298a0a5d761740a5392d2abb5d6d2e966822f"
+ hash_2023_OrBit_f161 = "f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8"
+ strings:
+ $ref = "/etc/ld.so.preload"
+ condition:
+ any of them
+}
diff --git a/rules/ref/path/file-url.yara b/rules/ref/path/file-url.yara
index c91370707..3f51c0509 100644
--- a/rules/ref/path/file-url.yara
+++ b/rules/ref/path/file-url.yara
@@ -1,16 +1,13 @@ rule file_url { - meta: - hash_2022_DazzleSpy_agent_softwareupdate = "f9ad42a9bd9ade188e997845cae1b0587bf496a35c3bffacd20fefe07860a348" - hash_2018_MacOS_CoinTicker = "c344730f41f52a2edabf95730389216a9327d6acc98346e5738b3eb99631634d" strings: $file_private_url = "file:///private" $file_tmp_url = "file:///tmp" $file_var_url = "file:///var" $file_home_url = "file:///home" $file_users_url = "file:///Users" - $not_file_socket = "file:///tmp/socket" - $not_asl = "/var/log/asl" + $not_file_socket = "file:///tmp/socket" + $not_asl = "/var/log/asl" condition: any of ($file*) and none of ($not*) } diff --git a/rules/ref/path/hidden.yara b/rules/ref/path/hidden.yara index 47105025a..6649fc502 100644 --- a/rules/ref/path/hidden.yara +++ b/rules/ref/path/hidden.yara 
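Review bot: Removing the `meta:` block leaves `file_url` with no `description`, which every neighbouring rule in this change carries and which is the only text a triager sees next to a hit; the old hashes are history, but the description is documentation worth keeping. Suggest re-adding `meta:` with `description = "references file:// URLs pointing at local filesystem paths"` directly under `rule file_url {`. The two `$not_*` exclusions also suppress the whole file rather than just the matching URL; if that is intentional, a short `//` comment above `$not_file_socket` would save the next reader the question.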
@@ -1,48 +1,30 @@ -rule dynamic_hidden_path : notable { - meta: - description = "hidden path generated dynamically" - ref = "https://objective-see.org/blog/blog_0x73.html" - strings: - $ref = /%s\/\.[a-z][\w-]{0,32}/ - $config = "%s/.config" - condition: - $ref and not $config +rule dynamic_hidden_path : medium { + meta: + description = "hidden path generated dynamically" + ref = "https://objective-see.org/blog/blog_0x73.html" + hash_2023_Linux_Malware_Samples_3292 = "329255e33f43e6e9ae5d5efd6f5c5745c35a30d42fb5099beb51a6e40fe9bd76" + hash_2023_Linux_Malware_Samples_d2ff = "d2fff992e40ce18ff81b9a92fa1cb93a56fb5a82c1cc428204552d8dfa1bc04f" + hash_2023_Linux_Malware_Samples_efa8 = "efa875506296d77178884ba8ac68a8b6d6aef24e79025359cf5259669396e8dd" + strings: + $ref = /%s\/\.[a-z][\w-]{0,32}/ + $config = "%s/.config" + condition: + $ref and not $config } rule static_hidden_path { - meta: - description = "possible hidden file path" - strings: - $ref = /\/[a-z]{3,10}[\w\/]{0,24}\/\.\w[\w\_\-\.]{0,16}/ - condition: - $ref + meta: + description = "possible hidden file path" + strings: + $ref = /\/[a-z]{3,10}[\w\/]{0,24}\/\.\w[\w\_\-\.]{0,16}/ + condition: + $ref } rule hidden_path { meta: - description = "hidden path in a system directory" - hash_2016_trojan_Eleanor_eleanr_A_timegrabber = "2532a3feeb656c5467bedfcc0cb4bfa3eb26bcc36b33a51b13f38ae2eef22797" - hash_2016_trojan_Eleanor_eleanr_A_plist = "a975d8232b264e2981559b2e76f779335af37605ca300906fea737f125914c4b" - hash_2016_Eleanor_eleanr_check_hostname = "8b1d98777bd98faeeaed9f2289d8dba8e34c46c694f6f31141404853c3af239d" - hash_2016_Eleanor_eleanr_integritycheck = "049716023e99821230bb8f9b3fa58722ad6e5a0af2c3b8b9c3fe9c09b4bb0141" - hash_2016_Eleanor_eleanr_save = "5dbbb91467e0f6e58497ae0c0c621a84a1f250bb856f3f9f139e70dedf1a32b7" - hash_2016_Eleanor_eleanr_script = "2c752b64069e9b078103adf8f5114281b7ce03f1ca7a995228f180140871999e" - hash_2016_Eleanor_eleanr_storage = 
"8cee04d45b01743303f6e6e999483cd3f864643c6344d0a46196a67d343cd2ae" - hash_2018_MacOS_CoinTicker = "c344730f41f52a2edabf95730389216a9327d6acc98346e5738b3eb99631634d" - hash_2018_MacOS_Installer = "939cd1780d360792e6df92f415627c4c099bead6a97426a9f49ab179f5e4c47d" - hash_2019_Cointrazer_nytyntrun = "eacf7e3865e9995fd5fe74e61b2073441cba4029610cae739b2006de8e5787dc" - hash_2020_CoinMiner_nbtoz = "741af7d54a95dd3b4497c73001e7b2ba1f607d19d63068b611505f9ce14c7776" - hash_2020_MacOS_TinkaOTP = "90fbc26c65e4aa285a3f7ee6ff8a3a4318a8961ebca71d47f51ef0b4b7829fd0" - hash_2020_trojan_SAgnt_vnqci_sshd = "df3b41b28d5e7679cddb68f92ec98bce090af0b24484b4636d7d84f579658c52" - hash_2021_trojan_Gafgyt_malxmr = "1b5bd0d4989c245af027f6bc0c331417f81a87fff757e19cdbdfe25340be01a6" - hash_2021_gjif_tsunami_Gafygt = "e2125d9ce884c0fb3674bd12308ed1c10651dc4ff917b5e393d7c56d7b809b87" - hash_2021_Gmera_Licatrade = "ad27ae075010795c04a6c5f1303531f3f2884962be4d741bf38ced0180710d06" - hash_2021_trojan_Mirai_dclea = "206ad8fec64661c1fed8f20f71523466d0ca4ed9c01d20bea128bfe317f4395a" - hash_2021_trojan_Mirai_gsjmm = "dcd318efe5627e07a8eda9104ede1f510e43f5c0ae7f74d411137e1174f2844b" - hash_2021_Tsunami_gjirtfg = "553ac527d6a02a84c787fd529ea59ce1eb301ddfb180d89b9e62108d92894185" - hash_2021_Tsunami_Kaiten = "305901aa920493695729132cfd20cbddc9db2cf861071450a646c6a07b4a50f3" - hash_2021_Tsunami_Kaiten_ujrzc = "7a60c84fb34b2b3cd7eed3ecd6e4a0414f92136af656ed7d4460b8694f2357a7" + description = "hidden path in a system directory" strings: $crit = /[\w\/\.]{0,32}\/(tmp|usr\/\w{0,8}|bin|lib|LaunchAgents|lib64|var|etc|shm|mqueue|spool|log|Users|Movies|Music|WebServer|Applications|Shared|Library|System)\/\.\w[\w\-\.]{0,16}/ $not_network_manager = "org.freedesktop.NetworkManager" 
@@ -58,17 +40,12 @@ rule hidden_path { $crit and none of ($not*) } -rule hidden_library : suspicious { +rule hidden_library : high { meta: - description = "hidden path in a Library directory" - hash_2016_Calisto = "81c127c3cceaf44df10bb3ceb20ce1774f6a9ead0db4bd991abf39db828661cc" - hash_2020_MacOS_TinkaOTP = "90fbc26c65e4aa285a3f7ee6ff8a3a4318a8961ebca71d47f51ef0b4b7829fd0" - hash_2016_Eleanor_eleanr_check_hostname = "8b1d98777bd98faeeaed9f2289d8dba8e34c46c694f6f31141404853c3af239d" - hash_2016_Eleanor_eleanr_integritycheck = "049716023e99821230bb8f9b3fa58722ad6e5a0af2c3b8b9c3fe9c09b4bb0141" - hash_2016_Eleanor_eleanr_save = "5dbbb91467e0f6e58497ae0c0c621a84a1f250bb856f3f9f139e70dedf1a32b7" - hash_2016_Eleanor_eleanr_script = "2c752b64069e9b078103adf8f5114281b7ce03f1ca7a995228f180140871999e" - hash_2016_Eleanor_eleanr_storage = "8cee04d45b01743303f6e6e999483cd3f864643c6344d0a46196a67d343cd2ae" + description = "hidden path in a Library directory" + hash_2018_Calisto = "81c127c3cceaf44df10bb3ceb20ce1774f6a9ead0db4bd991abf39db828661cc" hash_2022_CloudMensis_WindowServer = "317ce26cae14dc9a5e4d4667f00fee771b4543e91c944580bbb136e7fe339427" + hash_2020_MacOS_TinkaOTP = "90fbc26c65e4aa285a3f7ee6ff8a3a4318a8961ebca71d47f51ef0b4b7829fd0" strings: $hidden_library = /\/Library\/\.\w{1,128}/ $not_dotdot = "/Library/../" diff --git a/rules/ref/path/home.yara b/rules/ref/path/home.yara index de9a4d149..a4d11ab72 100644 --- a/rules/ref/path/home.yara +++ b/rules/ref/path/home.yara 
@@ -1,10 +1,14 @@
-rule home_path : notable {
- meta:
- description = "references path within /home"
- strings:
- $home = /\/home\/[%\w\.\-\/]{0,64}/
- $not_build = "/home/build"
- $not_runner = "/home/runner"
- condition:
- $home and none of ($not*)
-}
\ No newline at end of file
+
+rule home_path : medium {
+ meta:
+ description = "references path within /home"
+ hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e"
+ hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad"
+ hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74"
+ strings:
+ $home = /\/home\/[%\w\.\-\/]{0,64}/
+ $not_build = "/home/build"
+ $not_runner = "/home/runner"
+ condition:
+ $home and none of ($not*)
+}
diff --git a/rules/ref/path/lib-dynamic.yara b/rules/ref/path/lib-dynamic.yara
index fd9ac5257..4b97de1c5 100644
--- a/rules/ref/path/lib-dynamic.yara
+++ b/rules/ref/path/lib-dynamic.yara
@@ -1,8 +1,10 @@
-rule dyntamic_lib : notable {
- meta:
- description = "References a library file that can be generated dynamically"
- strings:
- $ref = "/lib/%s"
- condition:
- $ref
+
+rule dyntamic_lib : medium {
+ meta:
+ description = "References a library file that can be generated dynamically"
+ hash_2024_Downloads_8cad = "8cad755bcf420135c0f406fb92138dcb0c1602bf72c15ed725bd3b76062dafe5"
+ strings:
+ $ref = "/lib/%s"
+ condition:
+ $ref
 }
diff --git a/rules/ref/path/relative-hidden.yara b/rules/ref/path/relative-hidden.yara
index d9b30729f..042638f5d 100644
--- a/rules/ref/path/relative-hidden.yara
+++ b/rules/ref/path/relative-hidden.yara
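Review bot: `rule home_path` is defined here in home.yara and again in `rules/ref/path/users.yara` (a later hunk in this diff, describing `/Users`); YARA rejects duplicated rule identifiers when both files are compiled into one namespace, and even with separate namespaces the two hits are indistinguishable by name in output. Both files are rewritten by this change, so it is the moment to disambiguate: keep this rule and rename the macOS one, e.g. `rule users_path : medium {` in users.yara. The same collision exists between `var_root_path` in var-containers.yara (which describes `/var/containers`, so something like `rule var_containers_path : high macos {` fits) and `var_root_path` in var-root.yara further down.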
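Review bot: The identifier `dyntamic_lib` on the first added line of the lib-dynamic.yara hunk is a typo of `dynamic_lib` that the retag carries over; since the commit already rewrites that line, fixing it costs nothing: `rule dynamic_lib : medium {`. If downstream tooling or allow-lists key on rule names, the rename should be called out in the commit message.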
@@ -1,26 +1,15 @@ rule relative_hidden_launcher { - meta: - hash_2023_brawl_earth = "fe3ac61c701945f833f218c98b18dca704e83df2cf1a8994603d929f25d1cce2" - hash_2023_Linux_Malware_Samples_05ca = "05ca0e0228930e9ec53fe0f0b796255f1e44ab409f91bc27d20d04ad34dcb69d" - hash_2023_Linux_Malware_Samples_1ad6 = "1ad63158b9e0f214a111b4c815d08520c6282de5216e41f604612a12ce879efc" - hash_2023_Linux_Malware_Samples_4c83 = "4c839f32e78fa11aa4ab961f045f7ca744c14d33d7a092dd9dfd1164cd7d4763" - hash_2021_CoinMiner_Sysrv = "5f80945354ea8e28fa8191a37d37235ce5c5448bffb336e8db5b01719a69128f" - hash_2021_Merlin_ispoh = "683e1eb35561da89db96c94f400daf41390bd350698c739c38024a1f621653b3" - hash_2020_CoinMiner_nbtoz = "741af7d54a95dd3b4497c73001e7b2ba1f607d19d63068b611505f9ce14c7776" - hash_2023_Linux_Malware_Samples_7955 = "7955542df199c6ce4ca0bb3966dcf9cc71199c592fec38508dad58301a3298d0" strings: $relative_hidden = /\.\/\.[\w][\w\/\.\_\-]{3,16}/ fullword - - $x_exec = "exec" - $x_bash = "bash" - $x_system = "system" - $x_popen = "popen" - - $not_vscode = "vscode" - $not_test = "./.test" - $not_prove = ".proverc" - $not_private = "/System/Library/PrivateFrameworks" + $x_exec = "exec" + $x_bash = "bash" + $x_system = "system" + $x_popen = "popen" + $not_vscode = "vscode" + $not_test = "./.test" + $not_prove = ".proverc" + $not_private = "/System/Library/PrivateFrameworks" condition: - $relative_hidden and any of ($x*) and none of ($not*) + $relative_hidden and any of ($x*) and none of ($not*) } diff --git a/rules/ref/path/relative.yara b/rules/ref/path/relative.yara index 59e17aa6d..a8e611d2f 100644 --- a/rules/ref/path/relative.yara +++ b/rules/ref/path/relative.yara 
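Review bot: With the `meta:` block removed, `relative_hidden_launcher` has no `description`, unlike the other rules touched by this change; a one-line purpose is the main thing a triager reads on a hit. Suggest restoring `meta:` under `rule relative_hidden_launcher {` with `description = "references a hidden relative path alongside an exec, bash, system or popen string"`. The `$x_*` strings have no `fullword`, so `exec` also matches inside longer identifiers such as `execve`; if that breadth is deliberate, a `//` comment above `$x_exec` saying so would prevent a later "fix" that narrows the rule.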
@@ -1,10 +1,13 @@ -rule relative_path_val : notable { +rule relative_path_val : medium { meta: - description = "references and possibly executes relative path" + description = "references and possibly executes relative path" + hash_2023_3_2_0_servlet_api_3_2_0_sources = "117d692f8796bf9114d99f1486d8e1ea55a62804838b1dc3287c6287039192ef" + hash_2023_package_bgService = "36831e715a152658bab9efbd4c2c75be50ee501b3dffdb5798d846a2259154a2" + hash_2023_package_index = "26f98a78fbb198aec50dc425f53145cc47d031bd4e56fc77fcf22605875f094c" strings: - $ref = /\.\/[a-z_\-]{2,16}/ fullword - $up_ref = /\.\.\/[a-z_\-]{2,16}/ fullword + $ref = /\.\/[a-z_\-]{2,16}/ fullword + $up_ref = /\.\.\/[a-z_\-]{2,16}/ fullword condition: - $ref and not $up_ref + $ref and not $up_ref } diff --git a/rules/ref/path/root.yara b/rules/ref/path/root.yara index 114d3bcd3..abb4d960e 100644 --- a/rules/ref/path/root.yara +++ b/rules/ref/path/root.yara @@ -1,11 +1,14 @@ -rule root_path_val : notable { - meta: - description = "path reference within /root" - strings: - $root = /\/root\/[%\w\.\-\/]{0,64}/ - $root2 = "/root" fullword - $not_go_selinux = "SELINUXTYPE" - condition: - any of them and none of ($not*) -} \ No newline at end of file +rule root_path_val : medium { + meta: + description = "path reference within /root" + hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e" + hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad" + hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796" + strings: + $root = /\/root\/[%\w\.\-\/]{0,64}/ + $root2 = "/root" fullword + $not_go_selinux = "SELINUXTYPE" + condition: + any of them and none of ($not*) +} diff --git a/rules/ref/path/suspicious-pdb.yara b/rules/ref/path/suspicious-pdb.yara index 5d399c671..ddb4f67f7 100644 --- a/rules/ref/path/suspicious-pdb.yara +++ b/rules/ref/path/suspicious-pdb.yara 
@@ -1,6 +1,6 @@
-rule suspicious_pdb : suspicious windows {
+rule high_pdb : high windows {
 meta:
- description = "suspicious PDB (Windows Program Database) reference"
+ description = "high PDB (Windows Program Database) reference"
 strings:
 // extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
 $ref = /[a-zA-Z]{0,16}(Dropper|Bypass|Injection|Potato)\.pdb/ nocase
diff --git a/rules/ref/path/tmp.yara b/rules/ref/path/tmp.yara
index 941be6779..783d3afc7 100644
--- a/rules/ref/path/tmp.yara
+++ b/rules/ref/path/tmp.yara
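Review bot: The severity retag was applied as a blanket substitution here: the rule is renamed `high_pdb` and its description becomes "high PDB (Windows Program Database) reference", which is no longer meaningful, because `suspicious` in the name and description referred to the PDB path, not to the severity tier. Only the tag should change: `rule suspicious_pdb : high windows {` and `description = "suspicious PDB (Windows Program Database) reference"`. The rule's `condition:` lies outside the hunk, so check that nothing there references the old identifier either.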
@@ -1,24 +1,22 @@ -rule tmp_path : notable { - meta: - description = "path reference within /tmp" - strings: - $resolv = /\/tmp\/[%\w\.\-\/]{0,64}/ - condition: - any of them -} +rule tmp_path : medium { + meta: + description = "path reference within /tmp" + hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad" + hash_2019_test_sprockets_rails_test = "6c50a21a69f2bcb27a55e909f9fecd4a7bd7fc0898730d1c76e65b2a7172710b" + hash_2019_support_dummy_rails_integration = "b21b9b7fb250558c3340d9d8f11aab5f1c448628a703f14a21db5dbe4ec78520" + strings: + $resolv = /\/tmp\/[%\w\.\-\/]{0,64}/ + condition: + any of them +} -rule weird_tmp_path_not_hidden : notable { +rule weird_tmp_path_not_hidden : medium { meta: - description = "references an unusual path within /tmp" - hash_2017_Dockster = "8da09fec9262d8bbeb07c4e403d1da88c04393c8fc5db408e1a3a3d86dddc552" - hash_2017_FileCoder = "c9c7c7f1afa1d0760f63d895b8c9d5ab49821b2e4fe596b0c5ae94c308009e89" - hash_1980_FruitFly_A_205f = "205f5052dc900fc4010392a96574aed5638acf51b7ec792033998e4043efdf6c" - hash_1980_FruitFly_A_ce07 = "ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044" + description = "references an unusual path within /tmp" + hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad" + hash_2024_Downloads_384e = "384ec732200ab95c94c202f42b51e870f51735768888aaabc4e370de74e825e3" hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b" - hash_2021_malxmr = "99296550ab836f29ab7b45f18f1a1cb17a102bb81cad83561f615f3a707887d7" - hash_2021_trojan_Mirai_dclea = "206ad8fec64661c1fed8f20f71523466d0ca4ed9c01d20bea128bfe317f4395a" - hash_2021_trojan_Mirai_aspze = "341a49940749d5f07d32d1c8dfddf6388a11e45244cc54bc8768a8cd7f00b46a" strings: $tmp_digits = /\/tmp\/[\w]*\d{1,128}/ $tmp_short = /\/tmp\/[\w\.\-]{1,3}[^\w\.\-]/ 
@@ -30,10 +28,10 @@ rule weird_tmp_path_not_hidden : notable { $not_brother = "/tmp/BroH9" $not_compdef = "#compdef" $not_c1 = "/tmp/CaptureOne" - $not_openra = "/tmp/R8" - $not_private_literal = "private-literal" - $not_apple = "Apple Inc" - $not_sandbox = "andbox profile" + $not_openra = "/tmp/R8" + $not_private_literal = "private-literal" + $not_apple = "Apple Inc" + $not_sandbox = "andbox profile" condition: any of ($t*) and none of ($not*) } diff --git a/rules/ref/path/users.yara b/rules/ref/path/users.yara index 234ff2e42..73b7eec44 100644 --- a/rules/ref/path/users.yara +++ b/rules/ref/path/users.yara @@ -1,8 +1,12 @@ -rule home_path : notable { - meta: - description = "references path within /Users" - strings: - $ref = /\/Users\/[%\w\.\-\/]{0,64}/ - condition: - $ref -} \ No newline at end of file + +rule home_path : medium { + meta: + description = "references path within /Users" + hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e" + hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad" + hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74" + strings: + $ref = /\/Users\/[%\w\.\-\/]{0,64}/ + condition: + $ref +} diff --git a/rules/ref/path/usr-lib-python.yara b/rules/ref/path/usr-lib-python.yara index f4b0af3eb..c71d5f183 100644 --- a/rules/ref/path/usr-lib-python.yara +++ b/rules/ref/path/usr-lib-python.yara 
@@ -1,8 +1,11 @@
-rule usr_lib_python_path_val : notable {
- meta:
- description = "References paths within /usr/lib/python"
- strings:
- $ref = /\/usr\/lib\/python[\w\-\.\/]{0,128}/
- condition:
- $ref
-}
\ No newline at end of file
+
+rule usr_lib_python_path_val : medium {
+ meta:
+ description = "References paths within /usr/lib/python"
+ hash_2024_2024_PAN_OS_Upstyle_update = "3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac"
+ hash_2024_2024_PAN_OS_Upstyle_update_base64_payload1 = "e96f6ca8ecc00fcfac88679e475022091ce47f75c54f47570d66a56d77cd5ea6"
+ strings:
+ $ref = /\/usr\/lib\/python[\w\-\.\/]{0,128}/
+ condition:
+ $ref
+}
diff --git a/rules/ref/path/usr-local.yara b/rules/ref/path/usr-local.yara
index a6308efe1..a1561f606 100644
--- a/rules/ref/path/usr-local.yara
+++ b/rules/ref/path/usr-local.yara
@@ -1,27 +1,34 @@ + rule usr_local_path : harmless { - meta: - description = "path reference within /usr/local" - strings: - $val = /\/usr\/local\/[\w\.\-\/]{0,64}/ - $go = "/usr/local/go" - condition: - $val and not $go + meta: + description = "path reference within /usr/local" + strings: + $val = /\/usr\/local\/[\w\.\-\/]{0,64}/ + $go = "/usr/local/go" + condition: + $val and not $go } -rule usr_local_bin_path : notable { - meta: - description = "path reference within /usr/local/bin" - strings: - $val = /\/usr\/local\/bin[\w\.\-\/]{0,64}/ - condition: - $val +rule usr_local_bin_path : medium { + meta: + description = "path reference within /usr/local/bin" + hash_2023_Downloads_311c = "311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151" + hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78 = "fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588" + hash_2023_Downloads_d920 = "d920dec25946a86aeaffd5a53ce8c3f05c9a7bac44d5c71481f497de430cb67e" + strings: + $val = /\/usr\/local\/bin[\w\.\-\/]{0,64}/ + condition: + $val } -rule usr_local_lib_path : notable { - meta: - description = "path reference within /usr/local/lib" - strings: - $val = /\/usr\/local\/lib[\w\.\-\/]{0,64}/ - condition: - $val -} \ No newline at end of file +rule usr_local_lib_path : medium { + meta: + description = "path reference within /usr/local/lib" + hash_2024_Downloads_0f66 = "0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c" + hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b" + hash_2023_Linux_Malware_Samples_00ae = "00ae07c9fe63b080181b8a6d59c6b3b6f9913938858829e5a42ab90fb72edf7a" + strings: + $val = /\/usr\/local\/lib[\w\.\-\/]{0,64}/ + condition: + $val +} diff --git a/rules/ref/path/usr-sbin-telnetd.yara b/rules/ref/path/usr-sbin-telnetd.yara index f63ec9424..434a97a62 100644 --- a/rules/ref/path/usr-sbin-telnetd.yara +++ b/rules/ref/path/usr-sbin-telnetd.yara 
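Review bot: The meta key `hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78` in `usr_local_bin_path` embeds a full 64-hex digest in the key while its value is a different digest, breaking the `hash_<year>_<name>_<4-char prefix>` convention every other entry in this diff follows; the same key appears in `var_run_subfolder` in the var-run.yara hunk below. It looks like the sample's filename was itself a hash and was copied verbatim; trimming to the usual prefix, `hash_2024_Downloads_4ba7 = "fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588"`, keeps the meta readable and consistent. If these keys are emitted by a generator, the fix belongs there rather than in the two rule files.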
@@ -1,13 +1,14 @@ -rule usr_sbin_telnetd : suspicious { - meta: - description = "References /usr/sbin/telnetd" - strings: - $ref = "/usr/sbin/telnetd" - // ignore lists of busybox hard links - $not_dos2unix = "/usr/bin/dos2unix" - $not_setfont = "/usr/sbin/setfont" - - condition: - $ref and none of ($not*) -} \ No newline at end of file +rule usr_sbin_telnetd : high { + meta: + description = "References /usr/sbin/telnetd" + hash_2023_Unix_Dropper_Mirai_8f9d = "8f9d9e08af48d596a32d8a7da5d045c8b1d3ffd8ccffcf85db7ecb9043c0d4be" + hash_2023_Unix_Dropper_Mirai_b074 = "b074f41a8f2d34f08e99fc1e3d51c5fdb5d3654577d882de99f09b8fa84fa283" + hash_2023_Unix_Dropper_Mirai_da20 = "da20bf020c083eb080bf75879c84f8885b11b6d3d67aa35e345ce1a3ee762444" + strings: + $ref = "/usr/sbin/telnetd" + $not_dos2unix = "/usr/bin/dos2unix" + $not_setfont = "/usr/sbin/setfont" + condition: + $ref and none of ($not*) +} diff --git a/rules/ref/path/var-containers.yara b/rules/ref/path/var-containers.yara index 4d5aa52d7..2f28096bb 100644 --- a/rules/ref/path/var-containers.yara +++ b/rules/ref/path/var-containers.yara @@ -1,8 +1,12 @@ -rule var_root_path : suspicious macos { - meta: - description = "path reference within /var/containers" - strings: - $ref = /\/var\/containers\/[\%\w\.\-\/]{4,32}/ fullword - condition: - $ref -} \ No newline at end of file + +rule var_root_path : high macos { + meta: + description = "path reference within /var/containers" + hash_2024_Downloads_0f66 = "0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c" + hash_2022_Gimmick_CorelDRAW = "2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f" + hash_2018_OSX_Dummy_script = "ced05b1f429ade707691b04f59d7929961661963311b768d438317f4d3d82953" + strings: + $ref = /\/var\/containers\/[\%\w\.\-\/]{4,32}/ fullword + condition: + $ref +} diff --git a/rules/ref/path/var-log.yara b/rules/ref/path/var-log.yara index d86b95596..bb6c411fd 100644 --- a/rules/ref/path/var-log.yara 
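Review bot: The new side of the usr-sbin-telnetd.yara hunk drops the comment `// ignore lists of busybox hard links` that explained why `$not_dos2unix` and `$not_setfont` exclude a file; without it the two exclusions look arbitrary and are likely casualties of a future cleanup, which would turn every busybox applet list into a `high` hit. Restore it directly above `$not_dos2unix` — comments are the only documentation YARA allows inside `strings:`. Dropping the blank separator before `condition:` is fine; the explanatory comment should not go with it.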
+++ b/rules/ref/path/var-log.yara @@ -1,8 +1,12 @@ -rule var_log_path : notable { - meta: - description = "path reference within /var/log" - strings: - $ref = /\/var\/log\/[\%\w\.\-\/]{4,32}/ fullword - condition: - $ref + +rule var_log_path : medium { + meta: + description = "path reference within /var/log" + hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b" + hash_2023_Linux_Malware_Samples_0638 = "063830221431f8136766f2d740df6419c8cd2f73b10e07fa30067df506592210" + hash_2023_Linux_Malware_Samples_1f94 = "1f94aa7ad1803a08dab3442046c9d96fc3d19d62189f541b07ed732e0d62bf05" + strings: + $ref = /\/var\/log\/[\%\w\.\-\/]{4,32}/ fullword + condition: + $ref } diff --git a/rules/ref/path/var-root.yara b/rules/ref/path/var-root.yara index f3c993aae..fb11bd5b0 100644 --- a/rules/ref/path/var-root.yara +++ b/rules/ref/path/var-root.yara @@ -1,8 +1,12 @@ -rule var_root_path : suspicious macos { - meta: - description = "path reference within /var/root" - strings: - $ref = /\/var\/root\/[\%\w\.\-\/]{4,32}/ fullword - condition: - $ref -} \ No newline at end of file + +rule var_root_path : high macos { + meta: + description = "path reference within /var/root" + hash_2024_Downloads_0f66 = "0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c" + hash_2022_Gimmick_CorelDRAW = "2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f" + hash_2018_OSX_Dummy_script = "ced05b1f429ade707691b04f59d7929961661963311b768d438317f4d3d82953" + strings: + $ref = /\/var\/root\/[\%\w\.\-\/]{4,32}/ fullword + condition: + $ref +} diff --git a/rules/ref/path/var-run.yara b/rules/ref/path/var-run.yara index 7c318b6ba..5c6321f62 100644 --- a/rules/ref/path/var-run.yara +++ b/rules/ref/path/var-run.yara 
@@ -1,20 +1,16 @@ -rule var_run_subfolder : notable { + +rule var_run_subfolder : medium { meta: description = "references subfolder within /var/run" + hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796" + hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78 = "fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588" hash_2023_Linux_Malware_Samples_00ae = "00ae07c9fe63b080181b8a6d59c6b3b6f9913938858829e5a42ab90fb72edf7a" - hash_2021_miner_malxmr = "04b5e29283c60fcc255f8d2f289238430a10624e457f12f1bc866454110830a2" - hash_2021_CoinMiner_TB_Camelot = "0ad6c635d583de499148b1ec46d8b39ae2785303e8b81996d3e9e47934644e73" - hash_2023_Linux_Malware_Samples_0dcf = "0dcfa54a7e8a4e631ef466670ce604a61f3b0e8b3e9cf72c943278c0f77c31a2" - hash_2021_Mettle = "1020ce1f18a2721b873152fd9f76503dcba5af7b0dd26d80fdb11efaf4878b1a" - hash_2021_trojan_Gafgyt_fszhv = "1794cf09f4ea698759b294e27412aa09eda0860475cd67ce7b23665ea6c5d58b" - hash_2023_Linux_Malware_Samples_1822 = "1822454a2f12fae1725ef96e588e6fa2eeab58a8043e9a56ac328c14100ba937" - hash_2023_Linux_Malware_Samples_19f7 = "19f76bf2be3ea11732f2c5c562afbd6f363b062c25fba3a143c3c6ef4712774b" strings: $var_run_folder = /\/var\/run\/[\w\.\-]{0,32}\// - $not_var_run_run = "/var/run/run" - $not_named = "/var/run/named" - $not_racoon = "/var/run/racoon" - $not_private = "/Library/PrivateFrameworks" + $not_var_run_run = "/var/run/run" + $not_named = "/var/run/named" + $not_racoon = "/var/run/racoon" + $not_private = "/Library/PrivateFrameworks" condition: - $var_run_folder and none of ($not*) + $var_run_folder and none of ($not*) } diff --git a/rules/ref/path/var-tmp.yara b/rules/ref/path/var-tmp.yara index e6416e216..83070e925 100644 --- a/rules/ref/path/var-tmp.yara +++ b/rules/ref/path/var-tmp.yara 
@@ -1,8 +1,12 @@
-rule var_tmp_path : notable {
- meta:
- description = "path reference within /var/tmp"
- strings:
- $resolv = /var\/tmp\/[%\w\.\-\/]{0,64}/
- condition:
- any of them
-}
\ No newline at end of file
+
+rule var_tmp_path : medium {
+ meta:
+ description = "path reference within /var/tmp"
+ hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b"
+ hash_2024_Downloads_e70e = "e70e96983734ee23e52391aa96d30670b2dcebb0cbca46c8eddb014f450c661f"
+ hash_2023_Linux_Malware_Samples_0638 = "063830221431f8136766f2d740df6419c8cd2f73b10e07fa30067df506592210"
+ strings:
+ $resolv = /var\/tmp\/[%\w\.\-\/]{0,64}/
+ condition:
+ any of them
+}
diff --git a/rules/ref/program/ancient_gcc.yara b/rules/ref/program/ancient_gcc.yara
index 558f5f34b..01fe3c11d 100644
--- a/rules/ref/program/ancient_gcc.yara
+++ b/rules/ref/program/ancient_gcc.yara
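Review bot: `$resolv = /var\/tmp\/[%\w\.\-\/]{0,64}/` has no leading `\/`, unlike the sibling rules (`var_log_path`, `tmp_path`, `var_root_path`) that anchor on the directory's leading slash, so it also matches relative `var/tmp/` references and any longer path containing that substring, which the description "path reference within /var/tmp" does not suggest. If that breadth is unintended, `$resolv = /\/var\/tmp\/[%\w\.\-\/]{0,64}/` brings it in line with the rest; if it is intended, a `//` comment saying so would stop the next reader from "fixing" it. The string name `$resolv` (also used in `tmp_path`) reads as a copy-paste leftover from a resolv.conf rule; renaming it `$ref` matches the file's convention and is safe because the condition uses `any of them`.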
@@ -1,30 +1,9 @@ -rule built_by_archaic_gcc_version : suspicious { + +rule built_by_archaic_gcc_version : high { meta: - hash_2023_XorDDoS = "311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151" - hash_2023_icmpshell = "4305c04df40d3ac7966289cc0a81cedbdd4eee2f92324b26fe26f57f57265bca" - hash_2023_RedAlert_redniev = "039e1765de1cdec65ad5e49266ab794f8e5642adb0bdeb78d8c0b77e8b34ae09" - hash_2023_Royal = "06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725" - hash_2023_blackcat_x64 = "45b8678f74d29c87e2d06410245ab6c2762b76190594cafc9543fb9db90f3d4f" - hash_2023_HelloKitty_A = "556e5cb5e4e77678110961c8d9260a726a363e00bf8d278e5302cb4bfccc3eed" - hash_2022_blackbasta_genericac = "96339a7e87ffce6ced247feb9b4cb7c05b83ca315976a9522155bad726b8e5be" - hash_2023_trojan_Gafgyt_Mirai_gnhow = "b56a89db553d4d927f661f6ff268cd94bdcfe341fd75ba4e7c464946416ac309" - hash_2022_XorDDoS_0Xorddos = "d920dec25946a86aeaffd5a53ce8c3f05c9a7bac44d5c71481f497de430cb67e" - hash_2023_Sodinokibi = "f864922f947a6bb7d894245b53795b54b9378c0f7633c521240488e86f60c2c5" - hash_2021_trojan_Mirai_3_Gafgyt = "0afd9f52ddada582d5f907e0a8620cbdbe74ea31cf775987a5675226c1b228c2" - hash_2021_trojan_Gafgyt_Mirai_tlduc_bashlite = "16bbeec4e23c0dc04c2507ec0d257bf97cfdd025cd86f8faf912cea824b2a5ba" - hash_2021_trojan_Gafgyt_DDoS = "1f94aa7ad1803a08dab3442046c9d96fc3d19d62189f541b07ed732e0d62bf05" - hash_2020_Prometei_B_uselvh323 = "2bc860efee229662a3c55dcf6e50d6142b3eec99c606faa1210f24541cad12f5" - hash_2020_Prometei_B_uselvh323 = "2bc8694c3eba1c5f066495431bb3c9e4ad0529f53ae7df0d66e6ad97a1df4080" - hash_2021_trojan_Gafgyt_5E = "31e87fa24f5d3648f8db7caca8dfb15b815add4dfc0fabe5db81d131882b4d38" - hash_2021_Tsunami_gjirtfg = "553ac527d6a02a84c787fd529ea59ce1eb301ddfb180d89b9e62108d92894185" - hash_2021_CoinMiner_Sysrv = "5f80945354ea8e28fa8191a37d37235ce5c5448bffb336e8db5b01719a69128f" - hash_2020_Rekoobe_egiol = "6fc03c92dee363dd88e50e89062dd8a22fe88998aff7de723594ec916c348d0a" - 
hash_2020_Prometei_lbjon = "75ea0d099494b0397697d5245ea6f2b5bf8f22bb3c3e6d6d81e736ac0dac9fbc" - hash_2021_trojan_Gafgyt_23DZ = "b34bb82ef2a0f3d02b93ed069fee717bd1f9ed9832e2d51b0b2642cb0b4f3891" - hash_2020_trojan_SAgnt_vnqci_sshd = "df3b41b28d5e7679cddb68f92ec98bce090af0b24484b4636d7d84f579658c52" - hash_2021_gjif_tsunami_Gafygt = "e2125d9ce884c0fb3674bd12308ed1c10651dc4ff917b5e393d7c56d7b809b87" - hash_2021_trojan_Mirai_hefhz = "f01a3c987b422cb86b05c7e65338b238c4b7da5ce13b2e5fcc38dbc818d9b993" - hash_2021_CoinMiner_Camelot = "fadc69995b9f837837595d73be8dce1bbccf0b709d0d8bb2cadf1c90b46763cf" + hash_2023_BPFDoor_07ec = "07ecb1f2d9ffbd20a46cd36cd06b022db3cc8e45b1ecab62cd11f9ca7a26ab6d" + hash_2023_BPFDoor_2e0a = "2e0aa3da45a0360d051359e1a038beff8551b957698f21756cfc6ed5539e4bdb" + hash_2023_BPFDoor_3743 = "3743821d55513c52a9f06d3f6603afd167105a871e410c35a3b94e34c51089e6" strings: $gcc_v4 = /GCC: \([\w \.\-\~]{1,128}\) 4\.\d{1,16}\.\d{1,128}/ $not_nacl = "NACLVERBOSITY" diff --git a/rules/ref/program/automator_launcher.yara b/rules/ref/program/automator_launcher.yara index d364ae5d9..5bcb83f48 100644 --- a/rules/ref/program/automator_launcher.yara +++ b/rules/ref/program/automator_launcher.yara @@ -1,9 +1,8 @@ + rule automator_launcher { - meta: - hash_2018_MacOS_Application_Stub = "51678e33f687bea9f4930599c5483a1b0dba74dc9511a740855a20abe07bcfdb" strings: $automator = "/System/Library/CoreServices/Automator Launcher.app" $applet = "com.apple.automator.applet" condition: filesize < 2097152 and all of them -} \ No newline at end of file +} diff --git a/rules/ref/program/dirbuster.yara b/rules/ref/program/dirbuster.yara index 5dc2aee3b..fa3d70561 100644 --- a/rules/ref/program/dirbuster.yara +++ b/rules/ref/program/dirbuster.yara 
@@ -1,6 +1,9 @@ -rule dirbuster : suspicious { + +rule dirbuster : high { + meta: + hash_2023_uacert_toolrefs = "63acea4dcef0084a9b6ccc17c56f712f32cfd3a5d752c7509fd0553177812a94" strings: - $ref = "dirbuster" fullword + $ref = "dirbuster" fullword condition: - $ref -} \ No newline at end of file + $ref +} diff --git a/rules/ref/program/gnome-keyring-daemon.yara b/rules/ref/program/gnome-keyring-daemon.yara index 6a60180c3..e9630c555 100644 --- a/rules/ref/program/gnome-keyring-daemon.yara +++ b/rules/ref/program/gnome-keyring-daemon.yara @@ -1,4 +1,4 @@ -rule gnome_keyring_daemon : notable { +rule gnome_keyring_daemon : medium { strings: $ref = "gnome-keyring-da" condition: diff --git a/rules/ref/program/hashcat.yara b/rules/ref/program/hashcat.yara index 54af0de14..d2ab325c0 100644 --- a/rules/ref/program/hashcat.yara +++ b/rules/ref/program/hashcat.yara @@ -1,6 +1,10 @@ -rule hashcat : notable { + +rule hashcat : medium { + meta: + hash_2024_hCrypto_main_en = "4d4d52eed849554e1c31d56239bcf8ddc7e27fd387330f5ab1ce7d118589e5f3" + hash_2024_hCrypto_main_ru = "ab531d7eb4160bdf1ef5c3e745ad92601f66afa13c150b2547cbe788db84d7d1" strings: - $ref = "hashcat" fullword + $ref = "hashcat" fullword condition: - $ref -} \ No newline at end of file + $ref +} diff --git a/rules/ref/program/linpeas.yara b/rules/ref/program/linpeas.yara index 76dcd9485..78580f1c0 100644 --- a/rules/ref/program/linpeas.yara +++ b/rules/ref/program/linpeas.yara @@ -1,4 +1,4 @@ -rule linpeas : suspicious { +rule linpeas : high { strings: $ref = "linpeas" fullword condition: diff --git a/rules/ref/program/masscan.yara b/rules/ref/program/masscan.yara index 691c5c2b9..d781f0a7b 100644 --- a/rules/ref/program/masscan.yara +++ b/rules/ref/program/masscan.yara 
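Review bot: `$ref = "dirbuster" fullword` is case-sensitive, and the tool and its jar are normally written `DirBuster`, so the newly `high` rule misses the most common spelling. Add `nocase` (`$ref = "dirbuster" fullword nocase`) unless the lowercase-only match is intentional, and record the intent in a `description`.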
@@ -1,15 +1,18 @@ -rule masscan : notable { + +rule masscan : medium { + meta: + hash_2023_Linux_Malware_Samples_1d28 = "1d2800352e15175ae5fa916b48a96b26f0199d9f8a9036648b3e44aa60ed2897" + hash_2023_Linux_Malware_Samples_5a62 = "5a628dc26dae0309941d70021cfbb4281189f85b074bf3e696058d73c4609101" + hash_2023_Linux_Malware_Samples_d13f = "d13fd21514f7ee5e58343aa99bf551c6a56486731c50daefcce233fdb162def8" strings: - $ref = "masscan" fullword + $ref = "masscan" fullword condition: - $ref + $ref } rule masscan_config { meta: ref = "https://cert.gov.ua/article/6123309" - hash_2023_Linux_Malware_Samples_1d28 = "1d2800352e15175ae5fa916b48a96b26f0199d9f8a9036648b3e44aa60ed2897" - hash_2023_Linux_Malware_Samples_5a62 = "5a628dc26dae0309941d70021cfbb4281189f85b074bf3e696058d73c4609101" strings: $adapter_ip = "adapter-ip" $nocapture = "nocapture" diff --git a/rules/ref/program/mdworker.yara b/rules/ref/program/mdworker.yara index 328ddcabc..9695fc6b7 100644 --- a/rules/ref/program/mdworker.yara +++ b/rules/ref/program/mdworker.yara @@ -1,8 +1,10 @@ -rule mdworker : suspicious { + +rule mdworker : high { meta: - description = "references mdmorker, may masquerade as it on macOS" + description = "references mdmorker, may masquerade as it on macOS" + hash_2017_mdworker_sysmdworker = "0b62ac27fa0d666e46781dae372fceefd6f889c07dc7259a23dd39dc512a0a79" strings: - $ref = "mdworker" fullword + $ref = "mdworker" fullword condition: - $ref -} \ No newline at end of file + $ref +} diff --git a/rules/ref/program/metasploit.yara b/rules/ref/program/metasploit.yara index 34ae37e9d..7615e81e4 100644 --- a/rules/ref/program/metasploit.yara +++ b/rules/ref/program/metasploit.yara 
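Review bot: The three `Linux_Malware_Samples` hashes are moved out of `masscan_config` (the more specific rule, whose strings continue past the hunk) into the bare-string `masscan` rule, so the rule that actually characterises a masscan configuration keeps only a `ref` and no sample evidence. If the samples match both rules, listing them on both is cheaper than losing them on the specific one; `masscan` should also gain a `description = "references the masscan port scanner"`.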
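Review bot: The reindented description keeps the typo `mdmorker`; make it `description = "references mdworker, may masquerade as it on macOS"`. Since the rule is now `high` on the bare word `mdworker`, it is worth noting in the meta that Apple's own Spotlight components reference that name, so the rule is expected to fire on legitimate macOS binaries unless scoped further — confirm against a clean macOS image before relying on the severity.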
@@ -1,6 +1,11 @@ -rule metasploit : suspicious { + +rule metasploit : high { + meta: + hash_2023_UPX_0c25a05bdddc144fbf1ffa29372481b50ec6464592fdfb7dec95d9e1c6101d0d_elf_x86_64 = "818b80a08418f3bb4628edd4d766e4de138a58f409a89a5fdba527bab8808dd2" + hash_2024_Downloads_7c63 = "7c636f1c9e4d9032d66a58f263b3006788047488e00fc26997b915e9d1f174bf" + hash_2023_Linux_Malware_Samples_1ea3 = "1ea3dc626b9ccee026502ac8e8a98643c65a055829e8d8b1750b2468254c0ab1" strings: - $ref = "metasploit" fullword + $ref = "metasploit" fullword condition: - $ref -} \ No newline at end of file + $ref +} diff --git a/rules/ref/program/minecraft.yara b/rules/ref/program/minecraft.yara index aae63b75e..015c5cb65 100644 --- a/rules/ref/program/minecraft.yara +++ b/rules/ref/program/minecraft.yara @@ -1,10 +1,14 @@ -rule metasploit : notable { + +rule metasploit : medium { meta: - description = "Has references to Minecraft" + description = "Has references to Minecraft" + hash_2023_UPX_0c25a05bdddc144fbf1ffa29372481b50ec6464592fdfb7dec95d9e1c6101d0d_elf_x86_64 = "818b80a08418f3bb4628edd4d766e4de138a58f409a89a5fdba527bab8808dd2" + hash_2024_Downloads_7c63 = "7c636f1c9e4d9032d66a58f263b3006788047488e00fc26997b915e9d1f174bf" + hash_2023_Linux_Malware_Samples_1ea3 = "1ea3dc626b9ccee026502ac8e8a98643c65a055829e8d8b1750b2468254c0ab1" strings: - $val1 = "minecraft" fullword - $val2 = "Minecraft" fullword - $val3 = "MINECRAFT" fullword + $val1 = "minecraft" fullword + $val2 = "Minecraft" fullword + $val3 = "MINECRAFT" fullword condition: - any of them -} \ No newline at end of file + any of them +} diff --git a/rules/ref/program/nmap.yara b/rules/ref/program/nmap.yara index 0b7d91100..16728a047 100644 --- a/rules/ref/program/nmap.yara +++ b/rules/ref/program/nmap.yara 
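Review bot: The three hashes added here are byte-identical to the three added to `rules/ref/program/minecraft.yara` in the same commit, which suggests the hash harvester keyed on the rule name `metasploit` that both files use rather than on what each rule matches. Verify these samples actually contain the `metasploit` string before treating them as evidence, and add a `description = "references the Metasploit framework"` so the rule is self-describing.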
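Review bot: The rule in `minecraft.yara` is still declared as `rule metasploit : medium`, the same identifier as the rule in `metasploit.yara`; YARA rejects duplicate rule identifiers when both files are compiled into one ruleset, and the identical hash set in both files shows the name collision is already confusing tooling. Rename it to `rule minecraft : medium` and re-derive its sample hashes under the new name.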
@@ -1,9 +1,12 @@ -rule nmap : notable { + +rule nmap : medium { + meta: + hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796" + hash_2024_Downloads_0ca7 = "0ca7e0eddd11dfaefe0a0721673427dd441e29cf98064dd0f7b295eae416fe1b" + hash_2023_Downloads_d920 = "d920dec25946a86aeaffd5a53ce8c3f05c9a7bac44d5c71481f497de430cb67e" strings: - $ref = "nmap" fullword - // referenced by some /etc/protocols files - // example: https://github.com/SerenityOS/serenity/blob/416eb74fa5269d69eefc6baddfb1966c4da2a1e8/Base/etc/protocols#L7 - $not_please = "please install the nmap package" + $ref = "nmap" fullword + $not_please = "please install the nmap package" condition: - $ref and none of ($not*) -} \ No newline at end of file + $ref and none of ($not*) +} diff --git a/rules/ref/program/osascript.yara b/rules/ref/program/osascript.yara index b66e8cd34..019825644 100644 --- a/rules/ref/program/osascript.yara +++ b/rules/ref/program/osascript.yara 
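Review bot: The hunk deletes the comment explaining why `$not_please` exists (the phrase comes from some `/etc/protocols` files, with a SerenityOS example link), so the exclusion now looks arbitrary. Restore it above the string, e.g. `// "nmap" appears in some /etc/protocols files; this phrase excludes them`, and keep the original URL so the next maintainer can re-verify the false positive.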
@@ -1,13 +1,8 @@ -rule osascript_caller : notable { +rule osascript_caller : medium { meta: - hash_2023_amos_stealer_e = "589dbb3f678511825c310447b6aece312a4471394b3bc40dde6c75623fc108c0" - hash_2022_CloudMensis_WindowServer_2 = "b8a61adccefb13b7058e47edcd10a127c483403cf38f7ece126954e95e86f2bd" - hash_2018_CookieMiner_uploadminer = "6236f77899cea6c32baf0032319353bddfecaf088d20a4b45b855a320ba41e93" - hash_2011_bin_kc_dump = "58a1dbe5cbb1ea38dbc57b6d2cf8c0b03c38a9ed858d7390aca590c2ac017f6f" - hash_2011_Twitterrific_bin_bop = "d2398b764758e23fcac6e29358f36d79e32cdea05c99d95e8423fb0c6943a291" + hash_2023_Downloads_589d = "589dbb3f678511825c310447b6aece312a4471394b3bc40dde6c75623fc108c0" hash_2023_Downloads_Brawl_Earth = "fe3ac61c701945f833f218c98b18dca704e83df2cf1a8994603d929f25d1cce2" - hash_2022_CloudMensis_WindowServer = "317ce26cae14dc9a5e4d4667f00fee771b4543e91c944580bbb136e7fe339427" hash_2023_Downloads_Chrome_Update = "eed1859b90b8832281786b74dc428a01dbf226ad24b182d09650c6e7895007ea" strings: $o_osascript = "osascript" fullword diff --git a/rules/ref/program/powershell.yara b/rules/ref/program/powershell.yara index 9a70d74f4..31927b99d 100644 --- a/rules/ref/program/powershell.yara +++ b/rules/ref/program/powershell.yara @@ -1,7 +1,12 @@ -rule powershell : notable { + +rule powershell : medium { + meta: + hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78 = "fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588" + hash_2023_Linux_Malware_Samples_5f80 = "5f80945354ea8e28fa8191a37d37235ce5c5448bffb336e8db5b01719a69128f" + hash_2020_IPStorm_IPStorm_unpacked = "522a5015d4d11833ead6d88d4405c0f4119ff29b1f64b226c464e958f03e1434" strings: - $val = /powershell[ \w\-]{0,32}/ fullword - $not_completions = "powershell_completion" + $val = /powershell[ \w\-]{0,32}/ fullword + $not_completions = "powershell_completion" condition: - $val and none of ($not*) -} \ No newline at end of file + $val and none of ($not*) +} 
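Review bot: Renaming `hash_2023_amos_stealer_e` to `hash_2023_Downloads_589d` keeps the same SHA-256 but discards the family attribution, and the CloudMensis and CookieMiner samples are dropped without replacement, so the meta now says less about what this rule was validated against. Prefer keeping family names in the key (`hash_2023_amos_stealer_e = "589dbb3f…"`) when they are known, and use the path-derived `Downloads_xxxx` form only for unattributed samples. The rule's remaining strings and condition lie outside the hunk.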
diff --git a/rules/ref/program/readelf.yara b/rules/ref/program/readelf.yara index a9940d40d..cb8a5259a 100644 --- a/rules/ref/program/readelf.yara +++ b/rules/ref/program/readelf.yara @@ -1,4 +1,4 @@ -rule readelf : notable { +rule readelf : medium { meta: description = "analyzes or manipulates ELF files" strings: diff --git a/rules/ref/program/sshd.yara b/rules/ref/program/sshd.yara index 9f2eb1187..86c5c9636 100644 --- a/rules/ref/program/sshd.yara +++ b/rules/ref/program/sshd.yara @@ -1,28 +1,34 @@ -rule sshd : notable { +rule sshd : medium { meta: - description = "Mentions SSHD" + description = "Mentions SSHD" + hash_2023_Downloads_311c = "311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151" + hash_2024_Downloads_e241 = "e241a3808e1f8c4811759e1761e2fb31ce46ad1e412d65bb1ad9e697432bd4bd" + hash_2023_Linux_Malware_Samples_060b = "060b01f15c7fab6c4f656aa1f120ebc1221a71bca3177f50083db0ed77596f0f" strings: - $ref = "sshd" fullword + $ref = "sshd" fullword condition: $ref } -rule sshd_path_value : suspicious { +rule sshd_path_value : high { meta: - description = "Mentions the SSH daemon by path" + description = "Mentions the SSH daemon by path" + hash_2023_Unix_Trojan_WINNTI_3b37 = "3b378846bc429fdf9bec08b9635885267d8d269f6d941ab1d6e526a03304331b" + hash_2023_Linux_Malware_Samples_060b = "060b01f15c7fab6c4f656aa1f120ebc1221a71bca3177f50083db0ed77596f0f" + hash_2023_Linux_Malware_Samples_d313 = "d313859c242add69d6534f497a256607cf9611fadf06868a1e499c50556e3d3a" strings: - $ref = "/usr/bin/sshd" fullword + $ref = "/usr/bin/sshd" fullword condition: $ref } -rule sshd_net : suspicious { +rule sshd_net : high { meta: - description = "Mentions SSHD network processes" + description = "Mentions SSHD network processes" strings: - $ref = "sshd: [net]" - $ref2 = "sshd: [accepted]" + $ref = "sshd: [net]" + $ref2 = "sshd: [accepted]" condition: any of them } diff --git a/rules/ref/program/sudo.yara b/rules/ref/program/sudo.yara index 05a00c703..6835c9183 100644 
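Review bot: `sshd_path_value` is raised to `high` on `/usr/bin/sshd`, but the description `Mentions the SSH daemon by path` does not say why that path matters: OpenSSH installs the daemon under `/usr/sbin/sshd`, so a reference to `/usr/bin/sshd` is what suggests a masquerading binary rather than a benign mention. Make that explicit, e.g. `description = "References /usr/bin/sshd; the real daemon lives in /usr/sbin, so this path suggests masquerading"`. The plain `sshd` fullword rule above it will match any SSH client, init script or log parser, which is worth stating in its own description to justify the `medium` tag.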
--- a/rules/ref/program/sudo.yara +++ b/rules/ref/program/sudo.yara @@ -1,11 +1,14 @@ -rule sudo : notable { + +rule sudo : medium { meta: - description = "calls sudo" + description = "calls sudo" + hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78 = "fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588" + hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b" + hash_2023_Downloads_9929 = "99296550ab836f29ab7b45f18f1a1cb17a102bb81cad83561f615f3a707887d7" strings: - $raw = "sudo" fullword - $cmd_val = /sudo[ \'\"][ \/\,\.\w\%\$\-]{0,32}/ fullword - - $not_sudo_paths = "github.com/hashicorp/vault/api.sudoPaths" + $raw = "sudo" fullword + $cmd_val = /sudo[ \'\"][ \/\,\.\w\%\$\-]{0,32}/ fullword + $not_sudo_paths = "github.com/hashicorp/vault/api.sudoPaths" condition: $raw or $cmd_val and none of ($not*) } diff --git a/rules/ref/site/cdn_cgi.yara b/rules/ref/site/cdn_cgi.yara index dd75a5de3..5c02e4c34 100644 --- a/rules/ref/site/cdn_cgi.yara +++ b/rules/ref/site/cdn_cgi.yara 
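Review bot: The condition `$raw or $cmd_val and none of ($not*)` parses as `$raw or ($cmd_val and none of ($not*))` because `and` binds tighter than `or` in YARA, and every `$cmd_val` hit also contains a bare fullword `sudo`, so `$raw` is true whenever `$cmd_val` is and the `$not_sudo_paths` exclusion can never suppress a match. Parenthesise it: `($raw or $cmd_val) and none of ($not*)`. The line is unchanged context here, but the commit re-touches every other line of the rule, so this is the moment to fix it.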
@@ -1,16 +1,23 @@ -rule cdn_cgi : notable { + +rule cdn_cgi : medium { meta: - description = "Mentions Cloudflare cdn-cgi endpoint" + description = "Mentions Cloudflare cdn-cgi endpoint" + hash_2023_Downloads_5f73 = "5f73f54865a1be276d39f5426f497c21e44a309e165e5e2d02f5201e8c1f05e0" + hash_2024_Downloads_fd0b = "fd0b5348bbfd013359f9651268ee67a265bce4e3a1cacf61956e3246bac482e8" + hash_2023_Linux_Malware_Samples_1776 = "17769e5eb8cf401135e55b6c7258d613365baa6e69fb1c17c06806dad76bcc58" strings: $cdn_cgi = "cdn-cgi" fullword $not_ct = "https://report-uri.cloudflare.com/cdn-cgi/" condition: - $cdn_cgi and not $not_ct + $cdn_cgi and not $not_ct } -rule cdn_cgi_xor : suspicious { +rule cdn_cgi_xor : high { meta: - description = "Mentions Cloudflare cdn-cgi endpoint, XOR" + description = "Mentions Cloudflare cdn-cgi endpoint, XOR" + hash_2023_Unix_Dropper_Mirai_d4b9d82859b3624f50c5ad0972f11aa92d19c44dbaaaeb556e0a8_elf = "ee96dc17057d4b9d82859b3624f50c5ad0972f11aa92d19c44dbaaaeb556e0a8" + hash_2023_Unix_Trojan_DarkNexus_6387 = "63873589029ec09e3e73ffa581968026bf38ad446f593d6c85ec853f9982499f" + hash_2023_Unix_Trojan_DarkNexus_e41b = "e41b20b1dc5b3e5a0eea9af3277d94cbc5833d23c53b800993d89bb20e5158a6" strings: $cdn_cgi = "cdn-cgi" xor(1-31) $cdn_cgi2 = "cdn-cgi" xor(33-255) diff --git a/rules/ref/site/download.yara b/rules/ref/site/download.yara index c2145f9ad..6f45fa840 100644 --- a/rules/ref/site/download.yara +++ b/rules/ref/site/download.yara 
@@ -1,78 +1,67 @@ -rule download_sites : suspicious { +rule download_sites : high { meta: - ref = "https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_suspicious.yar#L1001" - description = "References known file hosting site" + ref = "https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_high.yar#L1001" + description = "References known file hosting site" + hash_2023_zproxy_1_0_setup = "f3d7eec1ae2eba61715fd0652fa333acc2e4c0d517579392043880aa2f158b62" + hash_2024_2024_GitHub_Clipper_main = "7faf316a313de14a734b784e6d2ab53dfdf1ffaab4adbbbc46f4b236738d7d0d" + hash_2024_2024_GitHub_Clipper_raw = "e9f89885876c1958bc6eede3373e4f3c4d76a5bc35a247fb7531b757798cb032" strings: - // $d_pastebin = /[\w\.]+astebin[\w\.]+/ $d_privatebin = /[\w\.]+privatebin[\w\.]+/ - // $d_paste_dot = /paste\.[\w\.]{2,3}/ $d_pastecode_dot = /pastecode\.[\w\.]+/ $d_discord = "cdn.discordapp.com" - $d_pastebinger = "paste.bingner.com" + $d_pastebinger = "paste.bingner.com" $d_transfer_sh = "transfer.sh" $d_rentry = "rentry.co" fullword $d_penyacom = "penyacom" $d_controlc = "controlc.com" - $d_anotepad = "anotepad.com" + $d_anotepad = "anotepad.com" $d_privnote = "privnote.com" $d_hushnote = "hushnote" $not_mozilla = "download.mozilla.org" $not_google = "dl.google.com" $not_manual = "manually upload" - $not_paste_go = "paste.go" - $not_netlify = "netlify.app" + $not_paste_go = "paste.go" + $not_netlify = "netlify.app" condition: any of ($d_*) and none of ($not*) } -rule pastebin : notable { +rule pastebin : medium { meta: - ref = "https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_suspicious.yar#L1001" - description = "References known file hosting site" + ref = "https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_high.yar#L1001" + description = "References known file hosting site" + 
hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e" + hash_2019_restclient_request = "ba46608e52a24b7583774ba259cf997c6f654a398686028aad56855a2b9d6757" + hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b" strings: $d_pastebin = /[\w\.]{1,128}astebin[\w\.\/]{1,128}/ condition: any of ($d_*) } -rule http_dropper_url : notable { +rule http_dropper_url : medium { meta: ref = "https://unfinished.bike/qubitstrike-and-diamorphine-linux-kernel-rootkits-go-mainstream" - hash_2023_installer_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd" hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b" - hash_2021_malxmr = "99296550ab836f29ab7b45f18f1a1cb17a102bb81cad83561f615f3a707887d7" + hash_2023_Downloads_9929 = "99296550ab836f29ab7b45f18f1a1cb17a102bb81cad83561f615f3a707887d7" hash_2023_Linux_Malware_Samples_0638 = "063830221431f8136766f2d740df6419c8cd2f73b10e07fa30067df506592210" - hash_2021_trojan_Gafgyt_Mirai_tlduc_bashlite = "16bbeec4e23c0dc04c2507ec0d257bf97cfdd025cd86f8faf912cea824b2a5ba" - hash_2021_trojan_Gafgyt_DDoS = "1f94aa7ad1803a08dab3442046c9d96fc3d19d62189f541b07ed732e0d62bf05" - hash_2021_trojan_Gafgyt_U = "3eb78b49994cf3a546f15a7fbeaf7e8b882ebd223bce149ed70c96aab803521a" - hash_2023_Linux_Malware_Samples_525f = "525f97d2e16e8a847ff20b88d113ba73a7b364b921ac7e6bdbde82f6a7a8aee4" strings: $program_url = /https*:\/\/[\w\.]{1,128}\/[\/\.\w]{1,128}\.(sh|gz|zip|Z|exe|bz2|py|bin|plist)/ fullword - $not_gstatic = "https://www.gstatic.com/chrome" - $not_sentry = "https://github.com/getsentry/sentry" - $not_apple = "suconfig.apple.com" - $not_perl = "http://www.perl.com" + $not_gstatic = "https://www.gstatic.com/chrome" + $not_sentry = "https://github.com/getsentry/sentry" + $not_apple = "suconfig.apple.com" + $not_perl = "http://www.perl.com" condition: - $program_url and none of ($not*) + $program_url and none of ($not*) } 
- -rule executable_url : suspicious { - meta: - hash_2023_KandyKorn_Discord = "2360a69e5fd7217e977123c81d3dbb60bf4763a9dae6949bc1900234f7762df1" - hash_2023_stealer_hashbreaker = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74" - hash_2023_blackcat_x64 = "45b8678f74d29c87e2d06410245ab6c2762b76190594cafc9543fb9db90f3d4f" - hash_2023_Downloads_Brawl_Earth = "fe3ac61c701945f833f218c98b18dca704e83df2cf1a8994603d929f25d1cce2" - hash_2020_FinSpy_installer = "80d6e71c54fb3d4a904637e4d56e108a8255036cbb4760493b142889e47b951f" - hash_2020_finspy_logind_installer = "ac414a14464bf38a59b8acdfcdf1c76451c2d79da0b3f2e53c07ed1c94aeddcd" - hash_2013_MacOS_installer = "962b879e9c5c821a0f6ca1c1a0f66912bd7e03b99da177b3c3a85de140140f02" - hash_2023_RustBucket_Stage_3 = "9ca914b1cfa8c0ba021b9e00bda71f36cad132f27cf16bda6d937badee66c747" +rule executable_url : high { strings: $xecURL = "xecURL" $xecUrl = "xecUrl" $xecutableUrl = "xecutableUrl" - $not_set = "setExecutable" + $not_set = "setExecutable" condition: any of ($xec*) and none of ($not*) } diff --git a/rules/ref/site/dyndns.yara b/rules/ref/site/dyndns.yara index 8ff8fae1d..35c051947 100644 --- a/rules/ref/site/dyndns.yara +++ b/rules/ref/site/dyndns.yara 
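Review bot: The `ref` URLs in `download_sites` and `pastebin` now point at `.../yara/indicator_high.yar#L1001`, but the upstream ditekshen file at that pinned commit is `indicator_suspicious.yar`; the edit looks like collateral from the global `suspicious`→`high` tag rename and turns a working citation into a dead link. Revert those two lines to `indicator_suspicious.yar` (the same slip appears in `proxy.yara` and `upload.yara`). Separately, `executable_url` loses all eight sample hashes while being promoted to `high` and now has no `meta` at all; keep at least a `description` and one or two of the removed hashes as evidence.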
@@ -1,12 +1,9 @@ -rule dynamic_dns_user : notable { +rule dynamic_dns_user : medium { meta: - hash_2021_miner_KB_Elvuz = "0b1c49ec2d53c4af21a51a34d9aa91e76195ceb442480468685418ba8ece1ba6" - hash_2021_miner_gijuf = "24ee0e3d65b0593198fbe973a58ca54402b0879d71912f44f4b831003a5c7819" - hash_2021_miner_nyoan = "9f059b341ac4e2e00ab33130fea5da4b1390f980d3db607384d87e736f30273e" - hash_2021_miner_vsdhx = "caa114893cf5cb213b39591bbcb72f66ee4519be07269968e714a8d3f24c3382" - hash_2021_miner_fdxme = "d1a95861c6b9836c0c3d8868019054931d1339ae896ad11575e99d91a358696d" - hash_2023_Linux_Malware_Samples_a3a6 = "a3a6f6af9047ef527a89445c2cf297e6dd0828f1ddd6d97bf4bb9ed799a738bb" + hash_2023_Linux_Malware_Samples_0b1c = "0b1c49ec2d53c4af21a51a34d9aa91e76195ceb442480468685418ba8ece1ba6" + hash_2023_Linux_Malware_Samples_24ee = "24ee0e3d65b0593198fbe973a58ca54402b0879d71912f44f4b831003a5c7819" + hash_2023_Linux_Malware_Samples_9f05 = "9f059b341ac4e2e00ab33130fea5da4b1390f980d3db607384d87e736f30273e" strings: $d_dyndns = "dyndns" $d_no_ip = "no-ip." @@ -15,8 +12,8 @@ rule dynamic_dns_user : notable { $d_hopto_org = "hopto.org" $d_ddns_name = "ddns.name" $d_duckdns = "duckdns" - $d_dont = "donttargetme" - $junk = "amakawababia" + $d_dont = "donttargetme" + $junk = "amakawababia" condition: any of ($d*) and not $junk } diff --git a/rules/ref/site/github_comment_attachment.yara b/rules/ref/site/github_comment_attachment.yara index a7410d97a..0af5140a0 100644 --- a/rules/ref/site/github_comment_attachment.yara +++ b/rules/ref/site/github_comment_attachment.yara 
@@ -1,10 +1,11 @@ -rule github_comment_attachment : suspicious { + +rule github_comment_attachment : high { meta: - ref = "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/redline-stealer-a-novel-approach/" - description = "references a GitHub comment attachment, sometimes used to distribute malware" + ref = "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/redline-stealer-a-novel-approach/" + description = "references a GitHub comment attachment, sometimes used to distribute malware" + hash_2024_synthetic_github_attach_fetch = "fd2f0e9cf4288d2be6b22bd0c6e8a5eb99777939c9b2278ecf89f5b8ad536719" strings: - $ref = /github\.com\/\w{0,32}\/\w{0,32}\/files\/\d{0,16}\/[\w\.\-]{0,64}/ + $ref = /github\.com\/\w{0,32}\/\w{0,32}\/files\/\d{0,16}\/[\w\.\-]{0,64}/ condition: - all of them + all of them } - diff --git a/rules/ref/site/github_raw.yara b/rules/ref/site/github_raw.yara index 859b2979b..79405ba2a 100644 --- a/rules/ref/site/github_raw.yara +++ b/rules/ref/site/github_raw.yara @@ -1,18 +1,19 @@ -rule github_raw_usercontent : notable { + +rule github_raw_usercontent : medium { meta: - hash_2018_MacOS_CoinTicker = "c344730f41f52a2edabf95730389216a9327d6acc98346e5738b3eb99631634d" - description = "References raw.githubusercontent.com" + description = "References raw.githubusercontent.com" strings: $raw_github = "raw.githubusercontent.com" $not_node = "NODE_DEBUG_NATIVE" condition: - $raw_github and $not_node + $raw_github and $not_node } - -rule github_raw_user : notable { +rule github_raw_user : medium { meta: hash_2018_MacOS_CoinTicker = "c344730f41f52a2edabf95730389216a9327d6acc98346e5738b3eb99631634d" + hash_2023_usr_adxintrin_b = "a51a4ddcd092b102af94139252c898d7c1c48f322bae181bd99499a79c12c500" + hash_2023_spirit = "26ba215bcd5d8a9003a904b0eac7dc10054dba7bea9a708668a5f6106fd73ced" strings: $github = "github.com" $raw_master = "raw/master" @@ -21,4 +22,3 @@ rule github_raw_user : notable { condition: $github and any of ($raw*) and none of ($not*) } - 
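Review bot: The regex `github\.com\/\w{0,32}\/\w{0,32}\/files\/\d{0,16}\/[\w\.\-]{0,64}` allows empty owner, repo and id segments (`{0,…}`) and, because `\w` excludes `-` and `.`, misses any owner or repository name containing a hyphen or dot, which are common on GitHub. Use `github\.com\/[\w\-]{1,64}\/[\w\.\-]{1,64}\/files\/\d{1,16}\/[\w\.\-]{1,64}` so the rule requires a real attachment path and covers hyphenated names.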
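Review bot: `github_raw_usercontent` requires `$not_node` to be present (`$raw_github and $not_node`), so a file matches only when it also contains `NODE_DEBUG_NATIVE`; every other rule in this commit treats `$not_*` strings as exclusions (`none of ($not*)`, as in `github_raw_user` just below), so this looks inverted and would make the rule fire only on Node/Electron binaries while ignoring everything else. Unless the Node-only scoping is deliberate, change it to `$raw_github and not $not_node` and add a `description` saying which case is intended.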
diff --git a/rules/ref/site/http-dynamic.yara b/rules/ref/site/http-dynamic.yara index bab761abe..a1195251d 100644 --- a/rules/ref/site/http-dynamic.yara +++ b/rules/ref/site/http-dynamic.yara @@ -1,9 +1,13 @@ -rule http_dynamic : notable { + +rule http_dynamic : medium { meta: - description = "URL that is dynamically generated" + description = "URL that is dynamically generated" + hash_2024_Downloads_0f66 = "0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c" + hash_2024_Downloads_a031 = "a031da66c6f6cd07343d5bc99cc283528a5b7f04f97b2c33c2226a388411ec61" + hash_2023_Linux_Malware_Samples_1b1a = "1b1a56aec5b02355b90f911cdd27a35d099690fcbeb0e0622eaea831d64014d3" strings: $ref = /https*:\/\/%s[\/\w\.]{0,64}/ - $ref2 = "https://%@:%@%@" + $ref2 = "https://%@:%@%@" condition: - any of them + any of them } diff --git a/rules/ref/site/http-ip.yara b/rules/ref/site/http-ip.yara index 8bc2a91fe..a6e6c1146 100644 --- a/rules/ref/site/http-ip.yara +++ b/rules/ref/site/http-ip.yara @@ -1,13 +1,16 @@ -rule http_hardcoded_ip : suspicious exfil { +rule http_hardcoded_ip : high exfil { meta: - description = "hardcoded IP address within a URL" + description = "hardcoded IP address within a URL" + hash_2023_Merlin_48a7 = "48a70bd18a23fce3208195f4ad2e92fce78d37eeaa672f83af782656a4b2d07f" + hash_2023_Multios_Trojan_WellMess_bce8 = "bce8ba5b7e6598c15c5ec258199e148272087fde2cd0690ed9b42ba89f2aacea" + hash_2023_OK_ad69 = "ad69e198905a8d4a4e5c31ca8a3298a0a5d761740a5392d2abb5d6d2e966822f" strings: $ipv4 = /https*:\/\/([1-9][0-9]{1,2}\.){3}[1-9][0-9]{1,2}[:\/\w\-\?\.]{0,32}/ - $not_metadata = "http://169.254.169.254" - $not_100 = "http://100.100.100" - $not_11 = "http://11.11.11" - $not_192 = "http://192.168" + $not_metadata = "http://169.254.169.254" + $not_100 = "http://100.100.100" + $not_11 = "http://11.11.11" + $not_192 = "http://192.168" condition: $ipv4 and none of ($not*) } 
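Review bot: `$ipv4` requires every octet to be two or three digits starting with 1–9 (`[1-9][0-9]{1,2}`), so URLs such as `http://1.1.1.1/`, `http://8.8.8.8/` or any address with a `0` or single-digit octet never match, which is a real gap for a `high` exfil rule. Use `([0-9]{1,3}\.){3}[0-9]{1,3}` for the octets; the `$not_*` literals still carve out the metadata and RFC1918 prefixes. Note that `$not_192` and friends exclude only the `http://` form, so an `https://192.168.…` URL still fires — drop the scheme from those literals if that is unintended.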
diff --git a/rules/ref/site/interface_testing.yara b/rules/ref/site/interface_testing.yara index 94f443025..e2cbad210 100644 --- a/rules/ref/site/interface_testing.yara +++ b/rules/ref/site/interface_testing.yara @@ -1,5 +1,5 @@ -rule interface_testing_service_user : notable { +rule interface_testing_service_user : medium { strings: $mockbin_org = "mockbin.org" $run_mocky_io = "run.mocky.io" diff --git a/rules/ref/site/php.yara b/rules/ref/site/php.yara index 6577fdd9f..1eb4e410e 100644 --- a/rules/ref/site/php.yara +++ b/rules/ref/site/php.yara @@ -1,7 +1,10 @@ -rule http_url_with_php : notable { - meta: - description = "accesses hardcoded PHP endpoint" +rule http_url_with_php : medium { + meta: + description = "accesses hardcoded PHP endpoint" + hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad" + hash_2022_laysound_4_5_2_setup = "4465bbf91efedb996c80c773494295ae3bff27c0fff139c6aefdb9efbdf7d078" + hash_2023_libcurl_setup = "5deef153a6095cd263d5abb2739a7b18aa9acb7fb0d542a2b7ff75b3506877ac" strings: $php_url = /https*:\/\/[\w\.]{0,160}\/[\/\w\_\-\?\@=]{0,160}\.php/ $php_question = /[\.\w\-\_\/:]{0,160}\.php\?[\w\-@\=]{0,32}/ @@ -13,7 +16,7 @@ rule http_url_with_php : notable { $not_brotli = "cardshillsteamsPhototruthclean" $not_brotli2 = "examplepersonallyindex" $not_manual = "manually upload" - $not_ecma = "http://wiki.ecmascript.org" + $not_ecma = "http://wiki.ecmascript.org" condition: any of ($php*) and none of ($not_*) } diff --git a/rules/ref/site/proxy.yara b/rules/ref/site/proxy.yara index 1397a424f..06d7599ad 100644 --- a/rules/ref/site/proxy.yara +++ b/rules/ref/site/proxy.yara 
@@ -1,8 +1,10 @@ -rule ngrok : notable { +rule ngrok : medium { meta: - ref = "https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_suspicious.yar#L1001" - description = "References known file hosting site" + ref = "https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_high.yar#L1001" + description = "References known file hosting site" + hash_2023_Linux_Malware_Samples_24f3 = "24f3ac76dcd4b0830a1ebd82cc9b1abe98450b8df29cb4f18f032f1077d24404" + hash_2023_Linux_Malware_Samples_4eae = "4eae9a20919d84e174430f6d33b4520832c9a05b4f111bb15c8443a18868c893" strings: $d_pastebin = "ngrok.io" condition: diff --git a/rules/ref/site/tor_onion.yara b/rules/ref/site/tor_onion.yara index 6d688382f..b8ffb44f8 100644 --- a/rules/ref/site/tor_onion.yara +++ b/rules/ref/site/tor_onion.yara @@ -1,10 +1,13 @@ + rule hardcoded_onion : critical { meta: - description = "Contains hardcoded TOR onion address" + description = "Contains hardcoded TOR onion address" + hash_2023_Unix_Ransomware_Ech0raix_01ef = "01efdb6d88d9d996a0a7c32e6f36e0563795073cc88fb239571abda498f34ef6" + hash_2023_Unix_Ransomware_Ech0raix_24b5 = "24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073" + hash_2023_Unix_Ransomware_Ech0raix_3d8d = "3d8d25e2204f25260c42a29ad2f6c5c21f18f90ce80cb338bc678e242fba68cd" strings: $ref = /[a-z0-9]{56}\.onion/ - - $not_listen = "listen.onion" + $not_listen = "listen.onion" condition: - $ref and none of ($not*) -} \ No newline at end of file + $ref and none of ($not*) +} diff --git a/rules/ref/site/unusual.yara b/rules/ref/site/unusual.yara index eda50a849..b31f8e27a 100644 --- a/rules/ref/site/unusual.yara +++ b/rules/ref/site/unusual.yara 
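Review bot: The `ngrok` rule keeps a description (`References known file hosting site`), string name (`$d_pastebin`) and `ref` copied from the pastebin rule, and the `ref` now points at `indicator_high.yar`, which does not exist at the pinned ditekshen commit (the file is `indicator_suspicious.yar`). Rename the string to `$ngrok = "ngrok.io"`, set `description = "References the ngrok tunnelling service"`, and restore the original `ref` path. ngrok has since moved tunnels to `ngrok.app` / `ngrok-free.app` hostnames, so matching only `ngrok.io` catches legacy builds — verify against a recent sample before widening.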
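Review bot: `$ref = /[a-z0-9]{56}\.onion/` accepts the digits 0, 1, 8 and 9 that cannot occur in a v3 onion address (they are base32, `a-z2-7`), so arbitrary 56-character tokens before `.onion` also match this `critical` rule; tighten it to `/[a-z2-7]{56}\.onion/`. The `$not_listen = "listen.onion"` exclusion is unaffected. Also prefer `Tor` over `TOR` in the description — it is a name, not an acronym.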
@@ -1,20 +1,16 @@ -rule unusual_http_hostname : suspicious { + +rule unusual_http_hostname : high { meta: - hash_2023_amos_stealer_a = "e6b6cf40d605fc7a5e8ba168a8a5d8699b0879e965d2b803e29b87926cba861f" - hash_2020_trojan_webshell_quwmldl_rfxn = "f1375cf097b3f28247762147f8ee3755e0ce26e24fbf8a785fe4e5b42c1fed05" - hash_2019_C_unioncryptoupdater = "631ac269925bb72b5ad8f469062309541e1edfec5610a21eecded75a35e65680" - hash_2020_OSX_CoinMiner_xbppt = "a2909754783bb5c4fd6955bcebc356e9d6eda94f298ed3e66c7e13511275fbc4" - hash_2023_CoinMiner_lauth = "fe3700a52e86e250a9f38b7a5a48397196e7832fd848a7da3cc02fe52f49cdcf" - hash_2018_Contents_document = "7b90fe8aec599625dd7d4ce0026f839c16fc12aa11839a88055cf49a6db9529b" - hash_2021_trojan_Mirai_gnlsp = "bc5c2358e58876be7955fa0c8f5514f4d35e5353b93ba091216b2371470da988" - hash_2021_trojan_Mirai_Tsunami = "c8aeb927cd1b897a9c31199f33a6df9f297707bed1aa0e66d167270f1fde6ff5" + hash_2023_Unix_Downloader_Rocke_2f64 = "2f642efdf56b30c1909c44a65ec559e1643858aaea9d5f18926ee208ec6625ed" + hash_2023_UPX_cc996d19c3e9b732b5f61fb7a2ad20a4f9e1fd7e62f484f15c7cc984a32dec01_elf_mips = "da7ab6f220f797d3fe3e0daf704cdceba25f3c21f108457344c475de6a23ccf5" + hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad" strings: $http_long_nodename = /https*:\/\/[a-zA-Z0-9]{16,64}\// $http_exotic_tld = /https*:\/\/[\w\-\.]+\.(vip|red|cc|wtf|zw|bd|ke|ru|am|sbs|date|pw|quest|cd|bid|xyz|cm|xxx|casino|poker)\// $not_electron = "ELECTRON_RUN_AS_NODE" $not_mail_ru = "go.mail.ru" $not_rambler = "novarambler.ru" - $not_localhost_app = "localhostapplication" + $not_localhost_app = "localhostapplication" condition: any of ($http*) and none of ($not_*) } diff --git a/rules/ref/site/upload.yara b/rules/ref/site/upload.yara index 5103a65e9..5b1ea42ad 100644 --- a/rules/ref/site/upload.yara +++ b/rules/ref/site/upload.yara 
@@ -1,56 +1,58 @@ -rule pcloud_storage_user : notable { + +rule pcloud_storage_user : medium { meta: + hash_2022_CloudMensis_WindowServer = "317ce26cae14dc9a5e4d4667f00fee771b4543e91c944580bbb136e7fe339427" hash_2022_CloudMensis_WindowServer_2 = "b8a61adccefb13b7058e47edcd10a127c483403cf38f7ece126954e95e86f2bd" hash_2022_CloudMensis_mdworker3 = "273633eee4776aef40904124ed1722a0793e6567f3009cdb037ed0a9d79c1b0b" - hash_2022_CloudMensis_WindowServer = "317ce26cae14dc9a5e4d4667f00fee771b4543e91c944580bbb136e7fe339427" strings: $pcloud = "api.pcloud.com" condition: any of them } -rule google_drive : notable { +rule google_drive : medium { meta: - ref = "https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_suspicious.yar#L1001" - description = "References known file hosting site" + ref = "https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_high.yar#L1001" + description = "References known file hosting site" + hash_2023_order_book_recorder_watcher = "d87523348d89037b632e4c383372dc1c11e1c266688cc2b67b1333f88a474ae1" strings: $d_gdrive = /drive.google.com[\/\?\w\=]{0,64}/ condition: any of ($d_*) } -rule yandex_disk_user : suspicious { +rule yandex_disk_user : high { meta: - hash_2022_CloudMensis_WindowServer_2 = "b8a61adccefb13b7058e47edcd10a127c483403cf38f7ece126954e95e86f2bd" hash_2022_CloudMensis_WindowServer = "317ce26cae14dc9a5e4d4667f00fee771b4543e91c944580bbb136e7fe339427" + hash_2022_CloudMensis_WindowServer_2 = "b8a61adccefb13b7058e47edcd10a127c483403cf38f7ece126954e95e86f2bd" strings: $yandex = "cloud-api.yandex.net/v1/disk" condition: any of them } -rule dropbox_disk_user : notable { +rule dropbox_disk_user : medium { meta: - hash_2022_CloudMensis_WindowServer_2 = "b8a61adccefb13b7058e47edcd10a127c483403cf38f7ece126954e95e86f2bd" hash_2022_CloudMensis_WindowServer = "317ce26cae14dc9a5e4d4667f00fee771b4543e91c944580bbb136e7fe339427" + 
hash_2022_CloudMensis_WindowServer_2 = "b8a61adccefb13b7058e47edcd10a127c483403cf38f7ece126954e95e86f2bd" strings: $dropbox = "dropboxapi.com" condition: any of them } -rule google_drive_uploader : suspicious { +rule google_drive_uploader : high { meta: - description = "uploads content to Google Drive" + description = "uploads content to Google Drive" strings: $guploader = "x-guploader-client-info" condition: any of them } -rule google_docs_uploader : suspicious { +rule google_docs_uploader : high { meta: - description = "uploads content to Google Drive" + description = "uploads content to Google Drive" strings: $writely = "www.google.com/accounts/ServiceLogin?service=writely" condition: diff --git a/rules/ref/site/url-unusual.yara b/rules/ref/site/url-unusual.yara index cf67a0b4c..76180861f 100644 --- a/rules/ref/site/url-unusual.yara +++ b/rules/ref/site/url-unusual.yara 
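Review bot: `google_docs_uploader` carries the same description as `google_drive_uploader` (`uploads content to Google Drive`) although its string is the legacy Google Docs `writely` login endpoint; change it to `description = "uploads content to Google Docs (legacy writely ServiceLogin endpoint)"`. The `google_drive` rule's `ref` was rewritten to `indicator_high.yar`, which is not the file name at that pinned ditekshen commit (`indicator_suspicious.yar`), and its copied description `References known file hosting site` should name Google Drive. The `google_docs_uploader` condition lies past the hunk.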
@@ -1,24 +1,16 @@ rule unusual_nodename { meta: - description = "Contains HTTP hostname with a long node name" + description = "Contains HTTP hostname with a long node name" strings: $ref = /https*:\/\/\w{16,}\// condition: - $ref + $ref } rule exotic_tld { meta: description = "Contains HTTP hostname with unusual top-level domain" - hash_2020_trojan_webshell_quwmldl_rfxn = "f1375cf097b3f28247762147f8ee3755e0ce26e24fbf8a785fe4e5b42c1fed05" - hash_2019_C_unioncryptoupdater = "631ac269925bb72b5ad8f469062309541e1edfec5610a21eecded75a35e65680" - hash_2020_OSX_CoinMiner_xbppt = "a2909754783bb5c4fd6955bcebc356e9d6eda94f298ed3e66c7e13511275fbc4" - hash_2023_CoinMiner_lauth = "fe3700a52e86e250a9f38b7a5a48397196e7832fd848a7da3cc02fe52f49cdcf" - hash_2018_Contents_document = "7b90fe8aec599625dd7d4ce0026f839c16fc12aa11839a88055cf49a6db9529b" - hash_2021_trojan_Mirai_gnlsp = "bc5c2358e58876be7955fa0c8f5514f4d35e5353b93ba091216b2371470da988" - hash_2021_trojan_Mirai_Tsunami = "c8aeb927cd1b897a9c31199f33a6df9f297707bed1aa0e66d167270f1fde6ff5" - hash_2023_Unix_Downloader_Rocke_2f64 = "2f642efdf56b30c1909c44a65ec559e1643858aaea9d5f18926ee208ec6625ed" strings: $http_exotic_tld = /https*:\/\/[\w\-\.]{1,128}\.(vip|red|cc|wtf|top|pw|ke|space|zw|bd|ke|am|sbs|date|pw|quest|cd|bid|xyz|cm|xxx|casino|online|poker)\// $not_electron = "ELECTRON_RUN_AS_NODE" @@ -26,4 +18,4 @@ rule exotic_tld { $not_gov_bd = ".gov.bd" condition: any of ($http*) and none of ($not_*) -} \ No newline at end of file +} diff --git a/rules/ref/site/wordpress_xmlrpc.yara b/rules/ref/site/wordpress_xmlrpc.yara index 970dbf91b..9e49998fc 100644 --- a/rules/ref/site/wordpress_xmlrpc.yara +++ b/rules/ref/site/wordpress_xmlrpc.yara 
@@ -1,9 +1,11 @@
-rule wordpress_xmlrpc : suspicious {
- meta:
- description = "References xmlrpc.php from wordpress"
+rule wordpress_xmlrpc : high {
+ meta:
+ description = "References xmlrpc.php from wordpress"
+ hash_2023_Sysrv_Hello_sys_x86_64 = "cd784dc1f7bd95cac84dc696d63d8c807129ef47b3ce08cd08afb7b7456a8cd3"
+ hash_2024_Downloads_8907 = "89073097e72070cc7cc73c178447b70e07b603ccecfe406fe92fe9eafaae830f"
 strings:
 $php_url = /[\w\/\.]{0,64}xmlrpc.php/
 condition:
- any of them
+ any of them
 }
diff --git a/rules/ref/words/agent.yara b/rules/ref/words/agent.yara
index c585f25f5..b9910fc43 100644
--- a/rules/ref/words/agent.yara
+++ b/rules/ref/words/agent.yara
@@ -1,11 +1,14 @@
-rule agent : notable {
- meta:
- description = "references an 'agent'"
- strings:
- $ref = /[a-zA-Z_]{0,16}agent/ fullword
- $ref2 = /agent[a-zA-Z_]{0,16}/ fullword
- $user_agent = "user-agent"
- condition:
- any of ($ref*) and not $user_agent
+rule agent : medium {
+ meta:
+ description = "references an 'agent'"
+ hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad"
+ hash_2023_misc_mktmpio = "f6b7984c76d92390f5530daeacf4f77047b176ffb8eaf5c79c74d6dd4d514b2b"
+ hash_2024_Downloads_384e = "384ec732200ab95c94c202f42b51e870f51735768888aaabc4e370de74e825e3"
+ strings:
+ $ref = /[a-zA-Z_]{0,16}agent/ fullword
+ $ref2 = /agent[a-zA-Z_]{0,16}/ fullword
+ $user_agent = "user-agent"
+ condition:
+ any of ($ref*) and not $user_agent
 }
diff --git a/rules/ref/words/backdoor.yara b/rules/ref/words/backdoor.yara
index c2118f6bc..5a152bbde 100644
--- a/rules/ref/words/backdoor.yara
+++ b/rules/ref/words/backdoor.yara
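Review bot: In the `wordpress_xmlrpc` hunk the kept pattern `$php_url = /[\w\/\.]{0,64}xmlrpc.php/` leaves the `.` before `php` unescaped, so it is a wildcard rather than the literal dot the description ("References xmlrpc.php") implies. Since the rule is now promoted to `high`, the tighter form `$php_url = /[\w\/\.]{0,64}xmlrpc\.php/` is worth making while the file is being touched.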
@@ -1,11 +1,15 @@
-rule backdoor : suspicious {
- meta:
- description = "References a 'backdoor'"
- strings:
- $ref = /[a-zA-Z\-_ ]{0,16}backdoor[a-zA-Z\-_ ]{0,16}/ fullword
- $ref2 = /[a-zA-Z\-_ ]{0,16}BACKDOOR[a-zA-Z\-_ ]{0,16}/ fullword
- $ref3 = /[a-zA-Z\-_ ]{0,16}Backdoor[a-zA-Z\-_ ]{0,16}/
- $ref4 = /[a-zA-Z\-_ ]{0,16}backd00r[a-zA-Z\-_ ]{0,16}/
- condition:
- any of them
-}
\ No newline at end of file
+
+rule backdoor : high {
+ meta:
+ description = "References a 'backdoor'"
+ hash_2023_UPX_0c25a05bdddc144fbf1ffa29372481b50ec6464592fdfb7dec95d9e1c6101d0d_elf_x86_64 = "818b80a08418f3bb4628edd4d766e4de138a58f409a89a5fdba527bab8808dd2"
+ hash_2023_FontOnLake_27E868C0505144F0708170DF701D7C1AE8E1FAEA_elf = "d7ad1bff4c0e6d094af27b4d892b3398b48eab96b64a8f8a2392e26658c63f30"
+ hash_2023_FontOnLake_45E94ABEDAD8C0044A43FF6D72A5C44C6ABD9378_elf = "f60c1214b5091e6e4e5e7db0c16bf18a062d096c6d69fe1eb3cbd4c50c3a3ed6"
+ strings:
+ $ref = /[a-zA-Z\-_ ]{0,16}backdoor[a-zA-Z\-_ ]{0,16}/ fullword
+ $ref2 = /[a-zA-Z\-_ ]{0,16}BACKDOOR[a-zA-Z\-_ ]{0,16}/ fullword
+ $ref3 = /[a-zA-Z\-_ ]{0,16}Backdoor[a-zA-Z\-_ ]{0,16}/
+ $ref4 = /[a-zA-Z\-_ ]{0,16}backd00r[a-zA-Z\-_ ]{0,16}/
+ condition:
+ any of them
+}
diff --git a/rules/ref/words/c2.yara b/rules/ref/words/c2.yara
index c22824398..94ec49232 100644
--- a/rules/ref/words/c2.yara
+++ b/rules/ref/words/c2.yara
@@ -1,30 +1,37 @@
-rule command_and_control : notable {
+
+rule command_and_control : medium {
 meta:
- description = "Uses terms that may reference a command and control server"
+ description = "Uses terms that may reference a command and control server"
+ hash_2023_Linux_Malware_Samples_24f3 = "24f3ac76dcd4b0830a1ebd82cc9b1abe98450b8df29cb4f18f032f1077d24404"
+ hash_2023_Linux_Malware_Samples_444d = "444d8f5a716e89b5944f9d605e490c6845d4af369b024dd751111a6f13bca00d"
+ hash_2023_Linux_Malware_Samples_4eae = "4eae9a20919d84e174430f6d33b4520832c9a05b4f111bb15c8443a18868c893"
 strings:
 $c_and_c = "command & control"
- $c2_addr = "c2_addr"
- $c2_port = "c2_port"
- $c2_event = "c2_event"
+ $c2_addr = "c2_addr"
+ $c2_port = "c2_port"
+ $c2_event = "c2_event"
 condition:
- any of them
+ any of them
 }
-rule send_to_c2 : suspicious {
+rule send_to_c2 : high {
 meta:
- description = "References sending data to a C2 server"
+ description = "References sending data to a C2 server"
 strings:
- $send_to = "SendDataToC2"
+ $send_to = "SendDataToC2"
 condition:
- any of them
+ any of them
 }
-rule remote_control : notable {
+rule remote_control : medium {
 meta:
- description = "Uses terms that may reference remote control abilities"
+ description = "Uses terms that may reference remote control abilities"
+ hash_2023_Linux_Malware_Samples_2c98 = "2c98b196a51f737f29689d16abeea620b0acfa6380bdc8e94a7a927477d81e3a"
+ hash_2023_Linux_Malware_Samples_3292 = "329255e33f43e6e9ae5d5efd6f5c5745c35a30d42fb5099beb51a6e40fe9bd76"
+ hash_2023_Linux_Malware_Samples_3ffc = "3ffc2327a5dd17978f62c44807e5bf9904bcdef222012a11e48801faf6861a67"
 strings:
 $ref = "remote_control"
 $ref2 = "remote control"
 condition:
- any of them
+ any of them
 }
diff --git a/rules/ref/words/collection.yara b/rules/ref/words/collection.yara
index d219868c4..ade70e762 100644
--- a/rules/ref/words/collection.yara
+++ b/rules/ref/words/collection.yara
@@ -1,12 +1,14 @@
-
-rule collect_data : notable {
+rule collect_data : medium {
 meta:
- description = "Uses terms that reference data collection"
+ description = "Uses terms that reference data collection"
+ hash_2023_Downloads_06ab = "06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725"
+ hash_2023_Linux_Malware_Samples_00ae = "00ae07c9fe63b080181b8a6d59c6b3b6f9913938858829e5a42ab90fb72edf7a"
+ hash_2023_Linux_Malware_Samples_04b5 = "04b5e29283c60fcc255f8d2f289238430a10624e457f12f1bc866454110830a2"
 strings:
 $ref = "collect_data"
 $ref2 = "CollectData"
- $ref3 = "DataCollection"
+ $ref3 = "DataCollection"
 condition:
- any of them
+ any of them
 }
diff --git a/rules/ref/words/ddos.yara b/rules/ref/words/ddos.yara
index 786059423..64fba6af8 100644
--- a/rules/ref/words/ddos.yara
+++ b/rules/ref/words/ddos.yara
@@ -1,23 +1,30 @@
-rule flooder : suspicious {
- meta:
- description = "References an IP flooder"
- strings:
- $ref = "flooder" fullword
- $ref2 = "FLOODER" fullword
- $ref3 = "Flood operation"
- $ref4 = "Starting Flood"
- $ref5 = "stresser" fullword
- $ref6 = "dosia" fullword
- condition:
- any of them
+
+rule flooder : high {
+ meta:
+ description = "References an IP flooder"
+ hash_2023_Downloads_21ca = "21ca44d382102e0ae33d02f499a5aa2a01e0749be956cbd417aae64085f28368"
+ hash_2024_Downloads_a031 = "a031da66c6f6cd07343d5bc99cc283528a5b7f04f97b2c33c2226a388411ec61"
+ hash_2023_Linux_Malware_Samples_0afd = "0afd9f52ddada582d5f907e0a8620cbdbe74ea31cf775987a5675226c1b228c2"
+ strings:
+ $ref = "flooder" fullword
+ $ref2 = "FLOODER" fullword
+ $ref3 = "Flood operation"
+ $ref4 = "Starting Flood"
+ $ref5 = "stresser" fullword
+ $ref6 = "dosia" fullword
+ condition:
+ any of them
 }
-rule ddos : notable {
- meta:
- description = "References DDoS"
- strings:
- $ref = "DDoS" fullword
- $ref2 = "DD0S" fullword
- condition:
- any of them
-}
\ No newline at end of file
+rule ddos : medium {
+ meta:
+ description = "References DDoS"
+ hash_2023_Downloads_039e = "039e1765de1cdec65ad5e49266ab794f8e5642adb0bdeb78d8c0b77e8b34ae09"
+ hash_2023_UPX_11e5 = "11e557e139b44494dd243510b398bb2ac1037055c565d25ef86f04773f9b0389"
+ hash_2023_UPX_11e557e139b44494dd243510b398bb2ac1037055c565d25ef86f04773f9b0389_elf_x86_64 = "4bcb87c9cd36f49d91a795b510ac1d38ea78b538b59f88cc161cdb54390d2bce"
+ strings:
+ $ref = "DDoS" fullword
+ $ref2 = "DD0S" fullword
+ condition:
+ any of them
+}
diff --git a/rules/ref/words/decryptor.yara b/rules/ref/words/decryptor.yara
index 7b2e23271..83e16f12f 100644
--- a/rules/ref/words/decryptor.yara
+++ b/rules/ref/words/decryptor.yara
@@ -1,8 +1,12 @@
-rule decryptor : notable {
- meta:
- description = "References 'decryptor'"
- strings:
- $ref = "decryptor"
- condition:
- any of them
-}
\ No newline at end of file
+
+rule decryptor : medium {
+ meta:
+ description = "References 'decryptor'"
+ hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74"
+ hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74"
+ hash_2023_Downloads_039e = "039e1765de1cdec65ad5e49266ab794f8e5642adb0bdeb78d8c0b77e8b34ae09"
+ strings:
+ $ref = "decryptor"
+ condition:
+ any of them
+}
diff --git a/rules/ref/words/dropper.yara b/rules/ref/words/dropper.yara
index 7719542f2..54ee59e1c 100644
--- a/rules/ref/words/dropper.yara
+++ b/rules/ref/words/dropper.yara
@@ -1,9 +1,13 @@
-rule decryptor : notable {
- meta:
- description = "References 'dropper'"
- strings:
- $ref = "dropper" fullword
- $ref2 = "Dropper" fullword
- condition:
- any of them
-}
\ No newline at end of file
+
+rule decryptor : medium {
+ meta:
+ description = "References 'dropper'"
+ hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74"
+ hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74"
+ hash_2023_Downloads_039e = "039e1765de1cdec65ad5e49266ab794f8e5642adb0bdeb78d8c0b77e8b34ae09"
+ strings:
+ $ref = "dropper" fullword
+ $ref2 = "Dropper" fullword
+ condition:
+ any of them
+}
diff --git a/rules/ref/words/exclamation.yara b/rules/ref/words/exclamation.yara
index 538fb2e5a..150439f8a 100644
--- a/rules/ref/words/exclamation.yara
+++ b/rules/ref/words/exclamation.yara
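Review bot: The rule in rules/ref/words/dropper.yara is still declared as `rule decryptor : medium {` on the new side, the same identifier as the rule in rules/ref/words/decryptor.yara in the preceding hunk; YARA reports a duplicated identifier when both files are compiled into one namespace, and the name misdescribes a rule whose strings are `dropper`/`Dropper`, so it should read `rule dropper : medium {`. In both hunks `hash_2023_Downloads_016a` is listed twice with the same digest; YARA accepts repeated meta keys, but the second copy adds nothing and should be dropped. The three hash references added to dropper.yara are byte-identical to the ones added to decryptor.yara, which looks like a copy-paste — worth confirming those samples were actually matched against the dropper strings before they are relied on as reference positives.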
@@ -1,9 +1,12 @@
-rule exclamations : notable {
- meta:
- description = "gets very excited"
- strings:
- // trying to match multiple words
- $exclaim = /[\w ]{2,32} [\w ]{2,32}\!{2,16}/
- condition:
- any of them
+
+rule exclamations : medium {
+ meta:
+ description = "gets very excited"
+ hash_2023_0xShell_root = "3baa3bfaa6ed78e853828f147c3747d818590faee5eecef67748209dd3d92afb"
+ hash_2019_restclient_platform = "ce6e2d39229127b8b618be461aa241c2f37d43b3d23a3e066b43cd68b47acfca"
+ hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796"
+ strings:
+ $exclaim = /[\w ]{2,32} [\w ]{2,32}\!{2,16}/
+ condition:
+ any of them
 }
diff --git a/rules/ref/words/exfil.yara b/rules/ref/words/exfil.yara
index 84d2cb2b0..3ef52f3b6 100644
--- a/rules/ref/words/exfil.yara
+++ b/rules/ref/words/exfil.yara
@@ -1,4 +1,4 @@
-rule exfil : notable {
+rule exfil : medium {
 meta:
 description = "References 'exfil'"
 strings:
diff --git a/rules/ref/words/exploit.yara b/rules/ref/words/exploit.yara
index b6a09077f..7dd227dde 100644
--- a/rules/ref/words/exploit.yara
+++ b/rules/ref/words/exploit.yara
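Review bot: The `exclamations` hunk drops the only comment the rule had, `// trying to match multiple words`, which explained why `$exclaim` demands two space-separated word runs before the run of `!`; nothing on the new side replaces it. Keep that line directly above `$exclaim` so the regex's shape is not a puzzle for the next reader.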
@@ -1,16 +1,20 @@
-rule exploiter : suspicious {
- meta:
- description = "References an exploit"
- strings:
- $ref = "exploiter" fullword
- $ref2 = "EXPLOITER" fullword
- $ref3 = "sploit" fullword
- $ref4 = "spl0it" fullword
- $ref5 = "pop a shell" fullword
- $ref6 = "Exploit" fullword
- $ref7 = "Exploiting" fullword
- $ref8 = "exploiting" fullword
- $not_ms_example = "Drive-by Compromise"
- condition:
- any of ($ref*) and none of ($not*)
-}
\ No newline at end of file
+
+rule exploiter : high {
+ meta:
+ description = "References an exploit"
+ hash_2023_UPX_0c25a05bdddc144fbf1ffa29372481b50ec6464592fdfb7dec95d9e1c6101d0d_elf_x86_64 = "818b80a08418f3bb4628edd4d766e4de138a58f409a89a5fdba527bab8808dd2"
+ hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e"
+ hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad"
+ strings:
+ $ref = "exploiter" fullword
+ $ref2 = "EXPLOITER" fullword
+ $ref3 = "sploit" fullword
+ $ref4 = "spl0it" fullword
+ $ref5 = "pop a shell" fullword
+ $ref6 = "Exploit" fullword
+ $ref7 = "Exploiting" fullword
+ $ref8 = "exploiting" fullword
+ $not_ms_example = "Drive-by Compromise"
+ condition:
+ any of ($ref*) and none of ($not*)
+}
diff --git a/rules/ref/words/heartbeat.yara b/rules/ref/words/heartbeat.yara
index c9f23969c..fd917babe 100644
--- a/rules/ref/words/heartbeat.yara
+++ b/rules/ref/words/heartbeat.yara
@@ -1,8 +1,12 @@
-rule heartbeat : notable {
- meta:
- description = "references a 'heartbeat' - often used by background daemons"
- strings:
- $ref = /[\w \:]{0,32}[hH]eart[bB]eat[\w\: ]{0,8}/
- condition:
- any of ($ref*)
+
+rule heartbeat : medium {
+ meta:
+ description = "references a 'heartbeat' - often used by background daemons"
+ hash_2024_Downloads_0f66 = "0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c"
+ hash_2024_Downloads_3105 = "31054fb826b57c362cc0f0dbc8af15b22c029c6b9abeeee9ba8d752f3ee17d7d"
+ hash_2024_Downloads_384e = "384ec732200ab95c94c202f42b51e870f51735768888aaabc4e370de74e825e3"
+ strings:
+ $ref = /[\w \:]{0,32}[hH]eart[bB]eat[\w\: ]{0,8}/
+ condition:
+ any of ($ref*)
 }
diff --git a/rules/ref/words/implant.yara b/rules/ref/words/implant.yara
index e18d61042..85d6429aa 100644
--- a/rules/ref/words/implant.yara
+++ b/rules/ref/words/implant.yara
@@ -1,4 +1,4 @@
-rule implant : suspicious {
+rule implant : high {
 meta:
 description = "References an Implant"
 strings:
diff --git a/rules/ref/words/infected.yara b/rules/ref/words/infected.yara
index 504feaada..08e0ab5a1 100644
--- a/rules/ref/words/infected.yara
+++ b/rules/ref/words/infected.yara
@@ -1,18 +1,25 @@
-rule infected : notable {
- meta:
- description = "References being 'infected'"
- strings:
- $ref = "infected"
- $ref2 = "INFECTED"
- condition:
- any of them
+
+rule infected : medium {
+ meta:
+ description = "References being 'infected'"
+ hash_2024_Downloads_a031 = "a031da66c6f6cd07343d5bc99cc283528a5b7f04f97b2c33c2226a388411ec61"
+ hash_2023_Linux_Malware_Samples_31e8 = "31e87fa24f5d3648f8db7caca8dfb15b815add4dfc0fabe5db81d131882b4d38"
+ hash_2023_Linux_Malware_Samples_5880 = "5880e4bbc87fbeff3b0550feeab8f965b66c914100a840db02daa7529d259181"
+ strings:
+ $ref = "infected"
+ $ref2 = "INFECTED"
+ condition:
+ any of them
 }
-rule infection : notable {
- meta:
- description = "References 'infectio'"
- strings:
- $ref3 = "infectio"
- condition:
- any of them
-}
\ No newline at end of file
+rule infection : medium {
+ meta:
+ description = "References 'infectio'"
+ hash_2023_Downloads_Brawl_Earth = "fe3ac61c701945f833f218c98b18dca704e83df2cf1a8994603d929f25d1cce2"
+ hash_2023_Linux_Malware_Samples_9e35 = "9e35f0a9eef0b597432cb8a7dfbd7ce16f657e7a74c26f7a91d81b998d00b24d"
+ hash_2023_Linux_Malware_Samples_a385 = "a385b3b1ed6e0480aa495361ab5b5ed9448f52595b383f897dd0a56e7ab35496"
+ strings:
+ $ref3 = "infectio"
+ condition:
+ any of them
+}
diff --git a/rules/ref/words/intercept.yara b/rules/ref/words/intercept.yara
index c10952ef2..83daba1f5 100644
--- a/rules/ref/words/intercept.yara
+++ b/rules/ref/words/intercept.yara
@@ -1,8 +1,12 @@
-rule interceptor : notable {
- meta:
- description = "References interception"
- strings:
- $ref = /intercept[\w\_]{0,64}/ fullword
- condition:
- any of them
-}
\ No newline at end of file
+
+rule interceptor : medium {
+ meta:
+ description = "References interception"
+ hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74"
+ hash_2023_Downloads_Brawl_Earth = "fe3ac61c701945f833f218c98b18dca704e83df2cf1a8994603d929f25d1cce2"
+ hash_2023_Linux_Malware_Samples_6734 = "6734f3e911fadf340fc0aa4f8f55c15c8936c61f9b0e38bdfe9dde561cf09fa9"
+ strings:
+ $ref = /intercept[\w\_]{0,64}/ fullword
+ condition:
+ any of them
+}
diff --git a/rules/ref/words/killed_all.yara b/rules/ref/words/killed_all.yara
index f5d129305..236fea9e9 100644
--- a/rules/ref/words/killed_all.yara
+++ b/rules/ref/words/killed_all.yara
@@ -1,8 +1,10 @@
-rule killed_all : notable {
- meta:
- description = "References 'killed all'"
- strings:
- $ref = /killed all[\w ]+/
- condition:
- any of them
-}
\ No newline at end of file
+
+rule killed_all : medium {
+ meta:
+ description = "References 'killed all'"
+ hash_2024_Downloads_a031 = "a031da66c6f6cd07343d5bc99cc283528a5b7f04f97b2c33c2226a388411ec61"
+ strings:
+ $ref = /killed all[\w ]+/
+ condition:
+ any of them
+}
diff --git a/rules/ref/words/known_exploits.yara b/rules/ref/words/known_exploits.yara
index 9033b7b02..778aa4f32 100644
--- a/rules/ref/words/known_exploits.yara
+++ b/rules/ref/words/known_exploits.yara
@@ -1,17 +1,24 @@
-rule heartbleed : notable {
- meta:
- description = "References 'heartbleed'"
- strings:
- $ref = "heartbleed"
- condition:
- any of them
+
+rule heartbleed : medium {
+ meta:
+ description = "References 'heartbleed'"
+ hash_2023_Linux_Malware_Samples_1d28 = "1d2800352e15175ae5fa916b48a96b26f0199d9f8a9036648b3e44aa60ed2897"
+ hash_2023_Linux_Malware_Samples_5a62 = "5a628dc26dae0309941d70021cfbb4281189f85b074bf3e696058d73c4609101"
+ hash_2023_Linux_Malware_Samples_d13f = "d13fd21514f7ee5e58343aa99bf551c6a56486731c50daefcce233fdb162def8"
+ strings:
+ $ref = "heartbleed"
+ condition:
+ any of them
 }
-rule ticketbleed : notable {
- meta:
- description = "References 'ticketbleed'"
- strings:
- $ref = "ticketbleed"
- condition:
- any of them
-}
\ No newline at end of file
+rule ticketbleed : medium {
+ meta:
+ description = "References 'ticketbleed'"
+ hash_2023_Linux_Malware_Samples_1d28 = "1d2800352e15175ae5fa916b48a96b26f0199d9f8a9036648b3e44aa60ed2897"
+ hash_2023_Linux_Malware_Samples_5a62 = "5a628dc26dae0309941d70021cfbb4281189f85b074bf3e696058d73c4609101"
+ hash_2023_Linux_Malware_Samples_d13f = "d13fd21514f7ee5e58343aa99bf551c6a56486731c50daefcce233fdb162def8"
+ strings:
+ $ref = "ticketbleed"
+ condition:
+ any of them
+}
diff --git a/rules/ref/words/locked-files.yara b/rules/ref/words/locked-files.yara
index 9b3827b4c..a4cc8dcb7 100644
--- a/rules/ref/words/locked-files.yara
+++ b/rules/ref/words/locked-files.yara
@@ -1,4 +1,4 @@
-rule lockedFiles : notable {
+rule lockedFiles : medium {
 meta:
 description = "References 'locked files'"
 strings:
@@ -7,7 +7,7 @@ rule lockedFiles : notable {
 any of them
 }
-rule lockedFileNames : notable {
+rule lockedFileNames : medium {
 meta:
 description = "References 'locked file names'"
 strings:
diff --git a/rules/ref/words/password_finder.yara b/rules/ref/words/password_finder.yara
index 875f8901a..dac4f94c8 100644
--- a/rules/ref/words/password_finder.yara
+++ b/rules/ref/words/password_finder.yara
@@ -1,19 +1,22 @@
-rule password_finder_generic : suspicious {
+
+rule password_finder_generic : high {
 meta:
- description = "password finder or dumper"
+ description = "password finder or dumper"
+ hash_2024_hCrypto_main_en = "4d4d52eed849554e1c31d56239bcf8ddc7e27fd387330f5ab1ce7d118589e5f3"
+ hash_2024_hCrypto_main_ru = "ab531d7eb4160bdf1ef5c3e745ad92601f66afa13c150b2547cbe788db84d7d1"
 strings:
- $ref = "findPassword"
- $ref2 = "find_password"
+ $ref = "findPassword"
+ $ref2 = "find_password"
 condition:
- any of them
+ any of them
 }
-rule password_dumper_generic : suspicious {
+rule password_dumper_generic : high {
 meta:
- description = "password dumper"
+ description = "password dumper"
 strings:
- $ref3 = "dumpPassword"
- $ref4 = "dump_password"
+ $ref3 = "dumpPassword"
+ $ref4 = "dump_password"
 condition:
- any of them
+ any of them
 }
diff --git a/rules/ref/words/payload_url.yara b/rules/ref/words/payload_url.yara
index 99f34e851..4ba866d2e 100644
--- a/rules/ref/words/payload_url.yara
+++ b/rules/ref/words/payload_url.yara
@@ -1,10 +1,12 @@
-rule payload_url : suspicious {
- meta:
- description = "References a 'payload URL'"
- strings:
- $ref = "payload_url" fullword
- $ref2 = "payload url" fullword
- $ref3 = "payload URL" fullword
- condition:
- any of them
-}
\ No newline at end of file
+
+rule payload_url : high {
+ meta:
+ description = "References a 'payload URL'"
+ hash_2024_Downloads_a031 = "a031da66c6f6cd07343d5bc99cc283528a5b7f04f97b2c33c2226a388411ec61"
+ strings:
+ $ref = "payload_url" fullword
+ $ref2 = "payload url" fullword
+ $ref3 = "payload URL" fullword
+ condition:
+ any of them
+}
diff --git a/rules/ref/words/random_target.yara b/rules/ref/words/random_target.yara
index cac19d6b9..c2350acfb 100644
--- a/rules/ref/words/random_target.yara
+++ b/rules/ref/words/random_target.yara
@@ -1,12 +1,13 @@
-
-rule random_target : notable {
- meta:
- description = "References a random target"
- strings:
- $ref = "random target"
- $ref2 = "RandomTarget"
- $ref3 = "randomIP"
- condition:
- any of them
-}
\ No newline at end of file
+rule random_target : medium {
+ meta:
+ description = "References a random target"
+ hash_2024_Downloads_384e = "384ec732200ab95c94c202f42b51e870f51735768888aaabc4e370de74e825e3"
+ hash_2023_pan_chan_b9e6 = "b9e643a8e78d2ce745fbe73eb505c8a0cc49842803077809b2267817979d10b0"
+ strings:
+ $ref = "random target"
+ $ref2 = "RandomTarget"
+ $ref3 = "randomIP"
+ condition:
+ any of them
+}
diff --git a/rules/ref/words/ransomware-conti.yara b/rules/ref/words/ransomware-conti.yara
index 926260278..2796d07b2 100644
--- a/rules/ref/words/ransomware-conti.yara
+++ b/rules/ref/words/ransomware-conti.yara
@@ -1,49 +1,53 @@
+
 rule conti_phrases : critical {
- meta:
- description = "Ransomware phrases used by Conti"
- strings:
- $a = "All of your files are currently"
- $b = "currently encrypted by"
- $c = "If you don't know who we are"
- $d = "It cannot be recovered"
- $e = "recovered by any means"
- $f = "without contacting our team"
- $g = "DON'T TRY TO RECOVER"
- $g2 = "your data by yourselves"
- $g3 = "attempt to recover your"
- $g4 = "additional recovery software"
- $h = "choosing the data of the lowtest"
- $i = "we recommend choosing"
- $j = "better for both sides"
- $k = "contact us as soon as possible"
- $l = "DON'T TRY TO IGNORE"
- $m = "DON'T TRY TO CONTACT"
- $n = "any recovery companies"
- $o = "your internal data"
- $p = "ready to publi"
- $q = "on our news website"
- $r = "you do not repsond"
- $s = "our informants in"
- $t = "a hostile intent"
- $u = "initiate the publication"
- $v = "compromised data"
- $w = "get your data back"
- $x = "we offer you to"
- $y = "random files completely"
- $z = "free of charge"
- $aa = "for further instructions"
- $ac = "install TOR browser"
- $ad = "torproject.org"
- $ae = "YOU SHOULD BE AWARE"
- $af = "We will speak only"
- $ag = "an authorized person"
- $ah = "CEO, top management"
- $ai = "you are not such a person"
- $aj = "DON'T CONTACT US"
- $ak = "serious harm to"
- $al = "Inform your supervisors"
- $am = "and stay calm"
- $an = "CONTI" fullword
- condition:
- 2 of them
-}
\ No newline at end of file
+ meta:
+ description = "Ransomware phrases used by Conti"
+ hash_2023_Conti_bb64 = "bb64b27bff106d30a7b74b3589cc081c345a2b485a831d7e8c8837af3f238e1e"
+ hash_2023_Multios_Ransomware_DarkSide_da3b = "da3bb9669fb983ad8d2ffc01aab9d56198bd9cedf2cc4387f19f4604a070a9b5"
+ hash_2023_Downloads_8b57 = "8b57e96e90cd95fc2ba421204b482005fe41c28f506730b6148bcef8316a3201"
+ strings:
+ $a = "All of your files are currently"
+ $b = "currently encrypted by"
+ $c = "If you don't know who we are"
+ $d = "It cannot be recovered"
+ $e = "recovered by any means"
+ $f = "without contacting our team"
+ $g = "DON'T TRY TO RECOVER"
+ $g2 = "your data by yourselves"
+ $g3 = "attempt to recover your"
+ $g4 = "additional recovery software"
+ $h = "choosing the data of the lowtest"
+ $i = "we recommend choosing"
+ $j = "better for both sides"
+ $k = "contact us as soon as possible"
+ $l = "DON'T TRY TO IGNORE"
+ $m = "DON'T TRY TO CONTACT"
+ $n = "any recovery companies"
+ $o = "your internal data"
+ $p = "ready to publi"
+ $q = "on our news website"
+ $r = "you do not repsond"
+ $s = "our informants in"
+ $t = "a hostile intent"
+ $u = "initiate the publication"
+ $v = "compromised data"
+ $w = "get your data back"
+ $x = "we offer you to"
+ $y = "random files completely"
+ $z = "free of charge"
+ $aa = "for further instructions"
+ $ac = "install TOR browser"
+ $ad = "torproject.org"
+ $ae = "YOU SHOULD BE AWARE"
+ $af = "We will speak only"
+ $ag = "an authorized person"
+ $ah = "CEO, top management"
+ $ai = "you are not such a person"
+ $aj = "DON'T CONTACT US"
+ $ak = "serious harm to"
+ $al = "Inform your supervisors"
+ $am = "and stay calm"
+ $an = "CONTI" fullword
+ condition:
+ 2 of them
+}
diff --git a/rules/ref/words/ransomware-lvt.yara b/rules/ref/words/ransomware-lvt.yara
index 9cc9689f2..32e5ced74 100644
--- a/rules/ref/words/ransomware-lvt.yara
+++ b/rules/ref/words/ransomware-lvt.yara
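Review bot: With the condition left at `2 of them`, the `critical` tag on `conti_phrases` fires on any file that contains two of its more generic phrases — `free of charge`, `compromised data`, `your internal data`, `for further instructions`, `and stay calm` and `torproject.org` are all plausible in benign text — so the reindented rule is still a top-severity hit on a low evidence bar. Consider raising the threshold (`3 of them`) or requiring one of the note-specific strings alongside the generic ones, e.g. `condition: $an or ($h and 1 of them) or 3 of them`, where `$h` and `$r` carry the note's distinctive misspellings. The same concern applies to the `lvt` hunk in rules/ref/words/ransomware-lvt.yara, where `bitcoin to`, `all your data`, `and your network` and `the encrypted data` are similarly generic. The `hash_2023_Multios_Ransomware_DarkSide_da3b` reference is listed under both the Conti and the LVT rules; if that sample genuinely triggers both, a one-line comment saying so would save the next reader from assuming a copy-paste error.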
@@ -1,50 +1,53 @@
+
 rule lvt : critical {
- meta:
- description = "Ransomware phrases used by LVT Locker"
- strings:
- $a = "By LVT LOCKER"
- $b = "Your computers and servers"
- $c = "servers are encrypted"
- $d = "backups are deleted"
- $e = "strong encryption algorithms"
- $f = "no one has yet"
- $g = "been able to decrypt"
- $h = "decrypt their files"
- $i = "without our participation"
- $j = "only way to decrypt"
- $k = "decrypt your files is"
- $l = "is to purchase a"
- $m = "universal decoder from"
- $n = "will restore all"
- $o = "the encrypted data"
- $p = "and your network"
- $q = "Follow our instructions"
- $r = "you will recover"
- $s = "all yourl data"
- $aa = "1) Pay 0.0"
- $ab = "bitcoin to"
- $ac = "Send us message"
- $ad = "with tranaction id and"
- $ae = "your personal key"
- $af = "README_lvt"
- $ag = "Launch decryptor"
- $ah = "which our support will"
- $ai = "send you through email"
- $aj = "We value our reputation"
- $ak = "we will not do our work"
- $al = "nobody will pay us"
- $am = "is not in our interests"
- $an = "our decryption software"
- $ao = "tested by time"
- $ap = "will decrypt all"
- $aq = "all your data"
- $ba = "DO NOT TRY TO"
- $bc = "TRY TO RECOVER ANY"
- $bd = "RECOVER ANY FILES"
- $be = "ANY FILES YOURSELF"
- $bf = "WE WILL NOT BE ABLE"
- $bg = "ABLE TO RESTORE"
- $bh = "TO RESTORE THEM"
- condition:
- 2 of them
-}
\ No newline at end of file
+ meta:
+ description = "Ransomware phrases used by LVT Locker"
+ hash_2023_Multios_Ransomware_DarkSide_da3b = "da3bb9669fb983ad8d2ffc01aab9d56198bd9cedf2cc4387f19f4604a070a9b5"
+ hash_2023_UPX_0a07c056fec72668d3f05863f103987cc1aaec92e72148bf16db6cfd58308617_elf_x86_64 = "94f4de1bd8c85b8f820bab936ec16cdb7f7bc19fa60d46ea8106cada4acc79a2"
+ strings:
+ $a = "By LVT LOCKER"
+ $b = "Your computers and servers"
+ $c = "servers are encrypted"
+ $d = "backups are deleted"
+ $e = "strong encryption algorithms"
+ $f = "no one has yet"
+ $g = "been able to decrypt"
+ $h = "decrypt their files"
+ $i = "without our participation"
+ $j = "only way to decrypt"
+ $k = "decrypt your files is"
+ $l = "is to purchase a"
+ $m = "universal decoder from"
+ $n = "will restore all"
+ $o = "the encrypted data"
+ $p = "and your network"
+ $q = "Follow our instructions"
+ $r = "you will recover"
+ $s = "all yourl data"
+ $aa = "1) Pay 0.0"
+ $ab = "bitcoin to"
+ $ac = "Send us message"
+ $ad = "with tranaction id and"
+ $ae = "your personal key"
+ $af = "README_lvt"
+ $ag = "Launch decryptor"
+ $ah = "which our support will"
+ $ai = "send you through email"
+ $aj = "We value our reputation"
+ $ak = "we will not do our work"
+ $al = "nobody will pay us"
+ $am = "is not in our interests"
+ $an = "our decryption software"
+ $ao = "tested by time"
+ $ap = "will decrypt all"
+ $aq = "all your data"
+ $ba = "DO NOT TRY TO"
+ $bc = "TRY TO RECOVER ANY"
+ $bd = "RECOVER ANY FILES"
+ $be = "ANY FILES YOURSELF"
+ $bf = "WE WILL NOT BE ABLE"
+ $bg = "ABLE TO RESTORE"
+ $bh = "TO RESTORE THEM"
+ condition:
+ 2 of them
+}
diff --git a/rules/ref/words/ransomware.yara b/rules/ref/words/ransomware.yara
index b57fda79c..1402ed435 100644
--- a/rules/ref/words/ransomware.yara
+++ b/rules/ref/words/ransomware.yara
@@ -1,16 +1,5 @@
+
 rule ransom_detection {
- meta:
- hash_2020_gonnacry = "f5de75a6db591fe6bb6b656aa1dcfc8f7fe0686869c34192bfa4ec092554a4ac"
- hash_2023_RedAlert_redniev = "039e1765de1cdec65ad5e49266ab794f8e5642adb0bdeb78d8c0b77e8b34ae09"
- hash_2023_HelloKitty_A = "556e5cb5e4e77678110961c8d9260a726a363e00bf8d278e5302cb4bfccc3eed"
- hash_2022_babuk_conti = "8b57e96e90cd95fc2ba421204b482005fe41c28f506730b6148bcef8316a3201"
- hash_2023_Sodinokibi = "f864922f947a6bb7d894245b53795b54b9378c0f7633c521240488e86f60c2c5"
- hash_2023_LockBit_locker_Apple_M1_64 = "3e4bbd21756ae30c24ff7d6942656be024139f8180b7bddd4e5c62a9dfbd8c79"
- hash_2021_TsunamiCNC = "450a7e35f13b57e15c8f4ce1fa23025a7c313931a394c40bd9f3325b981eb8a8"
- hash_2021_trojan_Mirai_adconn = "458e3e66eff090bc5768779d5388336c8619a744f486962f5dfbf436a524ee04"
- hash_2021_Merlin_ispoh = "683e1eb35561da89db96c94f400daf41390bd350698c739c38024a1f621653b3"
- hash_2021_miner_TQ = "7955542df199c6ce4ca0bb3966dcf9cc71199c592fec38508dad58301a3298d0"
- hash_2021_miner_whnqj = "9f20d2cf098609450792723a4410c6887fdaa00e53f207671fcf1eb22d9fb008"
 strings:
 $s_data_recovery = "data recovery"
 $s_to_my_address = "to my address"
diff --git a/rules/ref/words/rootkit.yara b/rules/ref/words/rootkit.yara
index c34f99565..43e69de20 100644
--- a/rules/ref/words/rootkit.yara
+++ b/rules/ref/words/rootkit.yara
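Review bot: The new side of `ransom_detection` loses its whole `meta:` block — eleven sample hashes, the only metadata the rule had — and nothing replaces it, so unlike every other rule touched in this commit it now carries neither a `description` nor a single reference sample. At minimum restore a `meta:` section with a description line (for example `description = "ransom note phrases"` — wording to be confirmed by the author) so the rule is self-describing in scan output; re-adding the sample references under the new naming scheme would also keep the regression corpus intact. The rule's strings and condition continue past the end of the hunk.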
@@ -1,19 +1,24 @@
-rule rootkit_up : suspicious {
- meta:
- description = "references a 'rootkit'"
- strings:
- $s_Rootkit = "Rootkit"
- $s_r00tkit = "r00tkit"
- $s_r00tk1t = "r00tk1t"
- condition:
- any of them
+
+rule rootkit_up : high {
+ meta:
+ description = "references a 'rootkit'"
+ hash_2023_articles_https_pberba_github_io_security_2022_02_07_linux_threat_hunting_for_persistence_systemd_generators = "8c227f67a16162ffd5b453a478ced2950eba4cbe3b004c5cc935fb9551dc2289"
+ strings:
+ $s_Rootkit = "Rootkit"
+ $s_r00tkit = "r00tkit"
+ $s_r00tk1t = "r00tk1t"
+ condition:
+ any of them
 }
-rule rootkit : notable {
- meta:
- description = "references a 'rootkit'"
- strings:
- $s_rootkit = "rootkit" fullword
- condition:
- any of them
-}
\ No newline at end of file
+rule rootkit : medium {
+ meta:
+ description = "references a 'rootkit'"
+ hash_2023_Linux_Malware_Samples_5d63 = "5d637915abc98b21f94b0648c552899af67321ab06fb34e33339ae38401734cf"
+ hash_2022_LQvKibDTq4_diamorphine = "aec68cfa75b582616c8fbce22eecf463ddb0c09b692a1b82a8de23fb0203fede"
+ hash_2023_LQvKibDTq4_diamorphine = "e93e524797907d57cb37effc8ebe14e6968f6bca899600561971e39dfd49831d"
+ strings:
+ $s_rootkit = "rootkit" fullword
+ condition:
+ any of them
+}
diff --git a/rules/ref/words/server_address.yara b/rules/ref/words/server_address.yara
index 3339bfe66..1bc964f07 100644
--- a/rules/ref/words/server_address.yara
+++ b/rules/ref/words/server_address.yara
@@ -1,9 +1,13 @@
-rule server_address : notable {
- meta:
- description = "references a 'server address', possible C2 client"
- strings:
- $underscores = /\w{0,32}server_addr\w{0,32}/
- $mixed = /\w{0,32}serverAddr\w{0,32}/
- condition:
- any of them
-}
\ No newline at end of file
+
+rule server_address : medium {
+ meta:
+ description = "references a 'server address', possible C2 client"
+ hash_2024_Downloads_3105 = "31054fb826b57c362cc0f0dbc8af15b22c029c6b9abeeee9ba8d752f3ee17d7d"
+ hash_2023_Linux_Malware_Samples_450a = "450a7e35f13b57e15c8f4ce1fa23025a7c313931a394c40bd9f3325b981eb8a8"
+ hash_2023_Linux_Malware_Samples_458e = "458e3e66eff090bc5768779d5388336c8619a744f486962f5dfbf436a524ee04"
+ strings:
+ $underscores = /\w{0,32}server_addr\w{0,32}/
+ $mixed = /\w{0,32}serverAddr\w{0,32}/
+ condition:
+ any of them
+}
diff --git a/rules/ref/words/target_ip.yara b/rules/ref/words/target_ip.yara
index 3b39296a2..fb0a532e2 100644
--- a/rules/ref/words/target_ip.yara
+++ b/rules/ref/words/target_ip.yara
@@ -1,11 +1,15 @@
-rule target_ip : notable {
- meta:
- description = "References a target IP"
- strings:
- $ref = "target ip"
- $ref2 = "TargetIP"
- $ref3 = "target_ip"
- $ref4 = "target IP"
- condition:
- any of them
-}
\ No newline at end of file
+
+rule target_ip : medium {
+ meta:
+ description = "References a target IP"
+ hash_2023_Linux_Malware_Samples_123e = "123e6d1138bfd58de1173818d82b504ef928d5a3be7756dd627c594de4aad096"
+ hash_2023_Linux_Malware_Samples_4fc4 = "4fc458c46bc0b15f8c7e73d1979ad844e97072f4b1b7ad7fc9c8ca1e211ef98b"
+ hash_2023_Linux_Malware_Samples_514c = "514cf58af53eca0f8aeb7c2567b40b03804a70804170baca08176d404baaf587"
+ strings:
+ $ref = "target ip"
+ $ref2 = "TargetIP"
+ $ref3 = "target_ip"
+ $ref4 = "target IP"
+ condition:
+ any of them
+}
diff --git a/rules/ref/words/trojan.yara b/rules/ref/words/trojan.yara
index a1a352632..61b41a70b 100644
--- a/rules/ref/words/trojan.yara
+++ b/rules/ref/words/trojan.yara
@@ -1,10 +1,14 @@
-rule trojan_ref : suspicious {
+
+rule trojan_ref : high {
 meta:
- description = "References a Trojan"
+ description = "References a Trojan"
+ hash_2023_Linux_Malware_Samples_0afd = "0afd9f52ddada582d5f907e0a8620cbdbe74ea31cf775987a5675226c1b228c2"
+ hash_2023_Linux_Malware_Samples_206a = "206ad8fec64661c1fed8f20f71523466d0ca4ed9c01d20bea128bfe317f4395a"
+ hash_2023_Linux_Malware_Samples_341a = "341a49940749d5f07d32d1c8dfddf6388a11e45244cc54bc8768a8cd7f00b46a"
 strings:
 $s_trojan = "trojan" fullword
 $s_Trojan = "Trojan"
 $s_tr0jan = "tr0jan" fullword
 condition:
 any of ($s*)
-}
\ No newline at end of file
+}
diff --git a/rules/secrets/aws.yara b/rules/secrets/aws.yara
index a7e50d9b9..b84dfc94f 100644
--- a/rules/secrets/aws.yara
+++ b/rules/secrets/aws.yara
@@ -1,4 +1,4 @@
-rule aws_folder : notable {
+rule aws_folder : medium {
 meta:
 description = "access AWS configuration files and/or keys"
 ref = "https://www.sentinelone.com/blog/session-cookies-keychains-ssh-keys-and-more-7-kinds-of-data-malware-steals-from-macos-users/"
diff --git a/rules/secrets/bash_history.yara b/rules/secrets/bash_history.yara
index f7ad09fa2..fb6e9f784 100644
--- a/rules/secrets/bash_history.yara
+++ b/rules/secrets/bash_history.yara
@@ -1,8 +1,12 @@
-rule bash_history : suspicious {
+
+rule bash_history : high {
 meta:
- description = "access .bash_history file"
+ description = "access .bash_history file"
+ hash_2023_Chaos_1d36 = "1d36f4bebd21a01c12fde522defee4c6b4d3d574c825ecc20a2b7a8baa122819"
+ hash_2023_Chaos_1fc4 = "1fc412b47b736f8405992e3744690b58ec4d611c550a1b4f92f08dfdad5f7a30"
+ hash_2023_Chaos_27cd = "27cdb8d8f64ce395795fdbde10cf3a08e7b217c92b7af89cde22abbf951b9e99"
 strings:
- $ref = ".bash_history" fullword
+ $ref = ".bash_history" fullword
 condition:
 all of them
 }
diff --git a/rules/secrets/chrome_cookies.yara b/rules/secrets/chrome_cookies.yara
index 1065038ec..93cd5193d 100644
--- a/rules/secrets/chrome_cookies.yara
+++ b/rules/secrets/chrome_cookies.yara
@@ -1,10 +1,14 @@ -rule chrome_cookies : suspicious { + +rule chrome_cookies : high { meta: ref = "https://www.sentinelone.com/blog/macos-malware-2023-a-deep-dive-into-emerging-trends-and-evolving-techniques/" - description = "access Google Chrome Cookie files" + description = "access Google Chrome Cookie files" + hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74" + hash_2018_Calisto = "81c127c3cceaf44df10bb3ceb20ce1774f6a9ead0db4bd991abf39db828661cc" + hash_2018_CookieMiner_uploadminer = "6236f77899cea6c32baf0032319353bddfecaf088d20a4b45b855a320ba41e93" strings: - $ref = "/Google/Chrome" - $ref2 = "/Cookies" + $ref = "/Google/Chrome" + $ref2 = "/Cookies" condition: all of them -} \ No newline at end of file +} diff --git a/rules/secrets/chromium_credit_cards.yara b/rules/secrets/chromium_credit_cards.yara index 4cbeb24d0..1caa15f31 100644 --- a/rules/secrets/chromium_credit_cards.yara +++ b/rules/secrets/chromium_credit_cards.yara @@ -1,13 +1,16 @@ -rule chromium_master_password : suspicious { - meta: - description = "Gets Chromium credit card information" - strings: - $web_data = "Web Data" - $encrypted_key = "credit_cards" - $c = "Chrome" - $c2 = "Chromium" - $not_chromium = "CHROMIUM_TIMESTAMP" - condition: - any of ($c*) and $web_data and $encrypted_key and none of ($not*) +rule chromium_master_password : high { + meta: + description = "Gets Chromium credit card information" + hash_2018_CookieMiner_nonelittlecode = "7bc657c96c15ec0629740e00a9c7497417b599694c6b7598eeff095136cbd507" + hash_2024_2024_GitHub_Clipper_main = "7faf316a313de14a734b784e6d2ab53dfdf1ffaab4adbbbc46f4b236738d7d0d" + hash_2024_2024_GitHub_Clipper_main = "7faf316a313de14a734b784e6d2ab53dfdf1ffaab4adbbbc46f4b236738d7d0d" + strings: + $web_data = "Web Data" + $encrypted_key = "credit_cards" + $c = "Chrome" + $c2 = "Chromium" + $not_chromium = "CHROMIUM_TIMESTAMP" + condition: + any of ($c*) and $web_data and $encrypted_key and none of ($not*) } 
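Review bot: The rule in chromium_credit_cards.yara keeps the identifier `chromium_master_password`, which is also the identifier of the rule in chromium_master_password.yara (next hunk); if both files are compiled into the same namespace YARA reports a duplicated identifier, and the name contradicts the description "Gets Chromium credit card information". `rule chromium_credit_cards : high {` would match the file name and the description. This hunk, and the chromium_master_password.yara hunk that follows, also add the meta entry `hash_2024_2024_GitHub_Clipper_main` twice with the same value; one of the two lines can be dropped in each file.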
diff --git a/rules/secrets/chromium_master_password.yara b/rules/secrets/chromium_master_password.yara index f3af4758b..848b3f25e 100644 --- a/rules/secrets/chromium_master_password.yara +++ b/rules/secrets/chromium_master_password.yara @@ -1,10 +1,14 @@ -rule chromium_master_password : suspicious { - meta: - description = "Decrypts Chromium master password" - strings: - $local_state = "Local State" - $encrypted_key = "encrypted_key" - $os_crypt = "os_crypt" - condition: - all of them + +rule chromium_master_password : high { + meta: + description = "Decrypts Chromium master password" + hash_2018_CookieMiner_nonelittlecode = "7bc657c96c15ec0629740e00a9c7497417b599694c6b7598eeff095136cbd507" + hash_2024_2024_GitHub_Clipper_main = "7faf316a313de14a734b784e6d2ab53dfdf1ffaab4adbbbc46f4b236738d7d0d" + hash_2024_2024_GitHub_Clipper_main = "7faf316a313de14a734b784e6d2ab53dfdf1ffaab4adbbbc46f4b236738d7d0d" + strings: + $local_state = "Local State" + $encrypted_key = "encrypted_key" + $os_crypt = "os_crypt" + condition: + all of them } diff --git a/rules/secrets/cookies.yara b/rules/secrets/cookies.yara index 256e603cf..b71eda115 100644 --- a/rules/secrets/cookies.yara +++ b/rules/secrets/cookies.yara 
@@ -1,21 +1,23 @@ -rule macos_cookies_val : suspicious { + +rule macos_cookies_val : high { meta: ref = "https://www.sentinelone.com/blog/macos-malware-2023-a-deep-dive-into-emerging-trends-and-evolving-techniques/" - description = "access macOS Cookie files" + description = "access macOS Cookie files" + hash_2022_DazzleSpy_softwareupdate = "f9ad42a9bd9ade188e997845cae1b0587bf496a35c3bffacd20fefe07860a348" strings: - $ref = "/Library/Cookies" - $ref2 = ".binarycookies" + $ref = "/Library/Cookies" + $ref2 = ".binarycookies" condition: any of them } -rule browser_cookies : suspicious { +rule browser_cookies : high { meta: - description = "accesses browser cookies" + description = "accesses browser cookies" ref = "https://pypi.org/project/pycookiecheat/" strings: - $ref = "pycookiecheat" - $ref2 = "browserutils/kooky" + $ref = "pycookiecheat" + $ref2 = "browserutils/kooky" condition: all of them } diff --git a/rules/secrets/dot_env.yara b/rules/secrets/dot_env.yara index 2fdbb2248..b5f96332c 100644 --- a/rules/secrets/dot_env.yara +++ b/rules/secrets/dot_env.yara @@ -1,8 +1,10 @@ -rule dot_env_getter : suspicious { - meta: - description = "Requests /.env URLs via HTTP" - strings: - $ref = "GET /.env" - condition: - any of them + +rule dot_env_getter : high { + meta: + description = "Requests /.env URLs via HTTP" + hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78 = "fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588" + strings: + $ref = "GET /.env" + condition: + any of them } diff --git a/rules/secrets/firefox-cookies.yara b/rules/secrets/firefox-cookies.yara index fb86db013..954985d2b 100644 --- a/rules/secrets/firefox-cookies.yara +++ b/rules/secrets/firefox-cookies.yara 
@@ -1,11 +1,14 @@ -rule firefox_cookies : suspicious { - meta: - description = "access Firefox cookies" - strings: - $firefox = "Firefox" - $fcookie = "cookies.sqlite" - $not_chromium = "CHROMIUM_TIMESTAMP" - condition: - all of ($f*) and none of ($not*) +rule firefox_cookies : high { + meta: + description = "access Firefox cookies" + hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74" + hash_2023_Downloads_589d = "589dbb3f678511825c310447b6aece312a4471394b3bc40dde6c75623fc108c0" + hash_2023_Downloads_Brawl_Earth = "fe3ac61c701945f833f218c98b18dca704e83df2cf1a8994603d929f25d1cce2" + strings: + $firefox = "Firefox" + $fcookie = "cookies.sqlite" + $not_chromium = "CHROMIUM_TIMESTAMP" + condition: + all of ($f*) and none of ($not*) } diff --git a/rules/secrets/firefox-formhistory.yara b/rules/secrets/firefox-formhistory.yara index e0f93abc0..915351d90 100644 --- a/rules/secrets/firefox-formhistory.yara +++ b/rules/secrets/firefox-formhistory.yara @@ -1,11 +1,14 @@ -rule firefox_history : suspicious { - meta: - description = "access Firefox form history, which contains passwords" - strings: - $firefox = "Firefox" - $formhist = "formhistory.sqlite" - $not_chromium = "CHROMIUM_TIMESTAMP" - condition: - all of ($f*) and none of ($not*) +rule firefox_history : high { + meta: + description = "access Firefox form history, which contains passwords" + hash_2023_Downloads_589d = "589dbb3f678511825c310447b6aece312a4471394b3bc40dde6c75623fc108c0" + hash_2023_Downloads_Chrome_Update = "eed1859b90b8832281786b74dc428a01dbf226ad24b182d09650c6e7895007ea" + hash_2023_Downloads_e6b6 = "e6b6cf40d605fc7a5e8ba168a8a5d8699b0879e965d2b803e29b87926cba861f" + strings: + $firefox = "Firefox" + $formhist = "formhistory.sqlite" + $not_chromium = "CHROMIUM_TIMESTAMP" + condition: + all of ($f*) and none of ($not*) } diff --git a/rules/secrets/firefox-master_password.yara b/rules/secrets/firefox-master_password.yara index 1c1a8c0eb..fdcdec583 100644 
--- a/rules/secrets/firefox-master_password.yara +++ b/rules/secrets/firefox-master_password.yara @@ -1,9 +1,11 @@ -rule firefox_master_password : suspicious { - meta: - description = "Decrypts Firefox master password" - strings: - $firefox = "Firefox" - $nssPrivate = "nssPrivate" - condition: - all of them + +rule firefox_master_password : high { + meta: + description = "Decrypts Firefox master password" + hash_2024_2024_GitHub_Clipper_main = "7faf316a313de14a734b784e6d2ab53dfdf1ffaab4adbbbc46f4b236738d7d0d" + strings: + $firefox = "Firefox" + $nssPrivate = "nssPrivate" + condition: + all of them } diff --git a/rules/secrets/gcloud.yara b/rules/secrets/gcloud.yara index 33018805c..c03c678cf 100644 --- a/rules/secrets/gcloud.yara +++ b/rules/secrets/gcloud.yara @@ -1,4 +1,4 @@ -rule gcloud_config_value : notable { +rule gcloud_config_value : medium { meta: description = "Access gcloud configuration files" strings: diff --git a/rules/secrets/gshadow.yara b/rules/secrets/gshadow.yara index 9fa491134..7c79aa7c2 100644 --- a/rules/secrets/gshadow.yara +++ b/rules/secrets/gshadow.yara @@ -1,4 +1,4 @@ -rule etc_gshadow : notable { +rule etc_gshadow : medium { meta: description = "accesses /etc/gshadow (group passwords)" strings: diff --git a/rules/secrets/htpasswd.yara b/rules/secrets/htpasswd.yara index bd177bb4c..b17c5ea47 100644 --- a/rules/secrets/htpasswd.yara +++ b/rules/secrets/htpasswd.yara @@ -1,9 +1,12 @@ -rule htpasswd : notable { - meta: - description = "Access .htpasswd files" - strings: - $ref = ".htpasswd" - $ref2 = "Htpasswd" - condition: - any of them + +rule htpasswd : medium { + meta: + description = "Access .htpasswd files" + hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e" + hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad" + strings: + $ref = ".htpasswd" + $ref2 = "Htpasswd" + condition: + any of them } 
diff --git a/rules/secrets/keychain-dump.yara b/rules/secrets/keychain-dump.yara index 44234230b..7449eae6b 100644 --- a/rules/secrets/keychain-dump.yara +++ b/rules/secrets/keychain-dump.yara @@ -1,7 +1,6 @@ rule security_dump_keychain : critical { meta: - hash_2011_Twitterrific_bin_bop = "d2398b764758e23fcac6e29358f36d79e32cdea05c99d95e8423fb0c6943a291" hash_2011_bin_kd = "8eb5ab5d71c84c9927b420948abedcf510369c8d566ee94c0cb5bc276d0d0a72" strings: $dump = "dump-keychain" @@ -9,4 +8,3 @@ rule security_dump_keychain : critical { condition: $dump and not $ctkcard } - diff --git a/rules/secrets/keychain-unlock.yara b/rules/secrets/keychain-unlock.yara index a148e9117..de82c9814 100644 --- a/rules/secrets/keychain-unlock.yara +++ b/rules/secrets/keychain-unlock.yara @@ -1,4 +1,4 @@ -rule keychain_unlcok : suspicious macos { +rule keychain_unlcok : high macos { meta: description = "Unlocks the Keychain" ref = "https://www.sentinelone.com/blog/session-cookies-keychains-ssh-keys-and-more-7-kinds-of-data-malware-steals-from-macos-users/" diff --git a/rules/secrets/keychain.yara b/rules/secrets/keychain.yara index 0696a54e3..eed0c9114 100644 --- a/rules/secrets/keychain.yara +++ b/rules/secrets/keychain.yara 
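Review bot: The keychain-unlock.yara hunk rewrites the rule header but keeps the misspelled identifier `keychain_unlcok`; since the line is being touched anyway, `rule keychain_unlock : high macos {` would fix it. Check first that nothing else in the repository refers to the rule by its current name, as a rename changes the reported rule name.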
@@ -1,39 +1,45 @@ -rule keychain : notable macos { - meta: - description = "May access the macOS keychain" - strings: - $ref = "Keychain" - $ref2 = "keychain" - condition: - any of them + +rule keychain : medium macos { + meta: + description = "May access the macOS keychain" + hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74" + hash_2024_Downloads_0f66 = "0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c" + hash_2023_Downloads_589d = "589dbb3f678511825c310447b6aece312a4471394b3bc40dde6c75623fc108c0" + strings: + $ref = "Keychain" + $ref2 = "keychain" + condition: + any of them } -rule macos_library_keychains : notable { - meta: - description = "access system keychain via files" - strings: - $ref = "/Library/Keychains" - condition: - any of them +rule macos_library_keychains : medium { + meta: + description = "access system keychain via files" + hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74" + hash_2023_Downloads_589d = "589dbb3f678511825c310447b6aece312a4471394b3bc40dde6c75623fc108c0" + hash_2023_Downloads_Brawl_Earth = "fe3ac61c701945f833f218c98b18dca704e83df2cf1a8994603d929f25d1cce2" + strings: + $ref = "/Library/Keychains" + condition: + any of them } -rule find_generic_password : suspicious { +rule find_generic_password : high { meta: - description = "Looks up a password from the Keychain" + description = "Looks up a password from the Keychain" strings: - $ref = /find-generic-passsword[ \-\w\']{0,32}/ - $ctkcard = "/System/Library/Frameworks/CryptoTokenKit.framework/ctkcard" + $ref = /find-generic-passsword[ \-\w\']{0,32}/ + $ctkcard = "/System/Library/Frameworks/CryptoTokenKit.framework/ctkcard" condition: $ref and not $ctkcard } - -rule find_internet_password : suspicious { +rule find_internet_password : high { meta: - description = "Looks up an internet password from the Keychain" + description = "Looks up an internet password from the Keychain" strings: 
$ref = /find-internet-passsword[ \-\w\']{0,32}/ $ctkcard = "/System/Library/Frameworks/CryptoTokenKit.framework/ctkcard" condition: $ref and not $ctkcard -} \ No newline at end of file +} diff --git a/rules/secrets/putty.yara b/rules/secrets/putty.yara index 432671967..4cc4b97af 100644 --- a/rules/secrets/putty.yara +++ b/rules/secrets/putty.yara @@ -1,6 +1,5 @@ + rule putty_ssh_sessions_reference { - meta: - hash_2023_ciscotools_4247 = "42473f2ab26a5a118bd99885b5de331a60a14297219bf1dc1408d1ede7d9a7a6" strings: $putty = "Software\\SimonTatham\\PuTTY\\Sessions" condition: diff --git a/rules/secrets/shadow.yara b/rules/secrets/shadow.yara index 6d4a55e65..69fe6a8ed 100644 --- a/rules/secrets/shadow.yara +++ b/rules/secrets/shadow.yara @@ -1,10 +1,14 @@ -rule etc_shadow : notable { + +rule etc_shadow : medium { meta: - description = "accesses /etc/shadow" + description = "accesses /etc/shadow" + hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad" + hash_2023_OK_ad69 = "ad69e198905a8d4a4e5c31ca8a3298a0a5d761740a5392d2abb5d6d2e966822f" + hash_2023_UNC1945_c94f = "c94fdfedd40e0b194165294f484977947df9da2000cb8fe02243961384b249ff" strings: - $ref = /\/{0,1}etc\/shadow/ - $not_vim = "VIMRUNTIME" - $not_go_selinux = "SELINUXTYPE" + $ref = /\/{0,1}etc\/shadow/ + $not_vim = "VIMRUNTIME" + $not_go_selinux = "SELINUXTYPE" condition: $ref and none of ($not*) } diff --git a/rules/secrets/slack.yara b/rules/secrets/slack.yara index deb545e74..5c98af0ab 100644 --- a/rules/secrets/slack.yara +++ b/rules/secrets/slack.yara @@ -1,4 +1,4 @@ -rule slack_storage : suspicious { +rule slack_storage : high { meta: ref = "https://www.sentinelone.com/blog/macos-malware-2023-a-deep-dive-into-emerging-trends-and-evolving-techniques/" description = "access Slack Storage files" 
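Review bot: Both `$ref` patterns in the keychain.yara hunk spell the `security` subcommand with three s's (`find-generic-passsword`, `find-internet-passsword`), so neither `find_generic_password` nor `find_internet_password` can match the real `find-generic-password` / `find-internet-password` strings; the commit re-indents these lines but keeps the typo. Change them to `$ref = /find-generic-password[ \-\w\']{0,32}/` and `$ref = /find-internet-password[ \-\w\']{0,32}/`. The `$ctkcard` exclusion stays as it is.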
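Review bot: Deleting the whole `meta:` block from `putty_ssh_sessions_reference` in putty.yara leaves the rule without a description, and unlike the other rules touched on this page it carries no severity tag at all. Keep a `meta:` block with a one-line description such as `description = "references the PuTTY saved-sessions registry key"`, and give the rule the level intended under the new `medium`/`high` scheme.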
@@ -8,7 +8,7 @@ rule slack_storage : suspicious { all of them } -rule slack_leveldb : suspicious { +rule slack_leveldb : high { meta: ref = "https://www.sentinelone.com/blog/macos-malware-2023-a-deep-dive-into-emerging-trends-and-evolving-techniques/" description = "accesses Slack data" diff --git a/rules/secrets/ssh.yara b/rules/secrets/ssh.yara index 2292abb97..a19ae6e07 100644 --- a/rules/secrets/ssh.yara +++ b/rules/secrets/ssh.yara @@ -1,9 +1,13 @@ -rule ssh_folder : notable { + +rule ssh_folder : medium { meta: ref = "https://www.sentinelone.com/blog/macos-malware-2023-a-deep-dive-into-emerging-trends-and-evolving-techniques/" - description = "accesses SSH configuration and/or keys" + description = "accesses SSH configuration and/or keys" + hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78 = "fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588" + hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b" + hash_2024_Downloads_e100 = "e100be934f676c64528b5e8a609c3fb5122b2db43b9aee3b2cf30052799a82da" strings: - $ref = /[\$\%\{\}\w\/]{0,16}\.ssh[\w\/]{0,16}/ fullword + $ref = /[\$\%\{\}\w\/]{0,16}\.ssh[\w\/]{0,16}/ fullword condition: all of them -} \ No newline at end of file +} diff --git a/rules/secrets/ssh_authorized_hosts.yara b/rules/secrets/ssh_authorized_hosts.yara index b50fe47d2..b42c8e54f 100644 --- a/rules/secrets/ssh_authorized_hosts.yara +++ b/rules/secrets/ssh_authorized_hosts.yara 
@@ -1,9 +1,13 @@
-rule ssh_authorized_hosts : notable {
+
+rule ssh_authorized_hosts : medium {
 meta:
- description = "accesses SSH authorized_keys files"
+ description = "accesses SSH authorized_keys files"
+ hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b"
+ hash_2023_Linux_Malware_Samples_6de1 = "6de1e587ac4aa49273042ffb3cdce5b92b86c31c9f85ca48dae8a38243515f75"
+ hash_2023_Linux_Malware_Samples_d2ff = "d2fff992e40ce18ff81b9a92fa1cb93a56fb5a82c1cc428204552d8dfa1bc04f"
 strings:
- $ref = ".ssh"
- $authorized_hosts = /[\/\.\$\%]{0,32}authorized_keys/
+ $ref = ".ssh"
+ $authorized_hosts = /[\/\.\$\%]{0,32}authorized_keys/
 condition:
 all of them
 }
diff --git a/rules/secrets/sshd-memory-map.yara b/rules/secrets/sshd-memory-map.yara
index 8947fe2d8..75d9a3aa4 100644
--- a/rules/secrets/sshd-memory-map.yara
+++ b/rules/secrets/sshd-memory-map.yara
@@ -1,4 +1,4 @@
-rule ssh_password_trace : suspicious {
+rule ssh_password_trace : high {
 meta:
 ref = "https://github.com/blendin/3snake"
 description = "May access the memory map for sshd"
diff --git a/rules/secrets/ssl-private.yara b/rules/secrets/ssl-private.yara
index 7372cf867..a2fca4977 100644
--- a/rules/secrets/ssl-private.yara
+++ b/rules/secrets/ssl-private.yara
@@ -1,8 +1,10 @@
-rule etc_ssl_private {
- meta:
- description = "access SSL private key material"
- strings:
- $ref = "/etc/ssl/private"
- condition:
- any of them
-}
\ No newline at end of file
+
+rule etc_ssl_private : notable {
+ meta:
+ description = "access SSL private key material"
+ hash_2023_Linux_Malware_Samples_d2ff = "d2fff992e40ce18ff81b9a92fa1cb93a56fb5a82c1cc428204552d8dfa1bc04f"
+ strings:
+ $ref = "/etc/ssl/private"
+ condition:
+ any of them
+}
diff --git a/rules/security_controls/linux/iptables.yara b/rules/security_controls/linux/iptables.yara
index f1bbe439d..23899a5d5 100644
--- a/rules/security_controls/linux/iptables.yara
+++ b/rules/security_controls/linux/iptables.yara
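Review bot: `rule etc_ssl_private : notable {` in ssl-private.yara introduces the `notable` tag in the same commit that renames `notable` to `medium` everywhere else (ssh_authorized_hosts in this hunk group, selinux and ufw further down), so this one rule would be left on the old taxonomy. Use `rule etc_ssl_private : medium {`, or `high` if that is the level intended for access to private key material.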
@@ -1,41 +1,54 @@ -rule iptables : notable { - meta: - description = "interacts with the iptables/nftables firewall" - ref = "https://www.netfilter.org/projects/iptables/" - strings: - $ref = "iptables" fullword - $ref2 = "nftables" fullword - condition: - any of them + +rule iptables : medium { + meta: + description = "interacts with the iptables/nftables firewall" + ref = "https://www.netfilter.org/projects/iptables/" + hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad" + hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b" + hash_2024_Downloads_8907 = "89073097e72070cc7cc73c178447b70e07b603ccecfe406fe92fe9eafaae830f" + strings: + $ref = "iptables" fullword + $ref2 = "nftables" fullword + condition: + any of them } rule iptables_disable : critical { - meta: - description = "stops or disables the iptables firewall" - ref = "https://www.netfilter.org/projects/iptables/" - strings: - $systemctl = /systemctl[\w\- ]{0,16} (stop|disable) iptables/ - $service = /service[\w\- ]{0,16} iptables (stop|disable)/ - condition: - any of them + meta: + description = "stops or disables the iptables firewall" + ref = "https://www.netfilter.org/projects/iptables/" + hash_2023_Unix_Malware_Agent_b79a = "b79af4e394cbc8c19fc9b5410fa69b10325fd23f58bec330954caae135239a1f" + hash_2023_Unix_Trojan_IptabLex_b574 = "b5745c865ab5348425e79ce91d79442982c20f3f89e1ffcdd2816895a25d2a1c" + hash_2023_Linux_Malware_Samples_0638 = "063830221431f8136766f2d740df6419c8cd2f73b10e07fa30067df506592210" + strings: + $systemctl = /systemctl[\w\- ]{0,16} (stop|disable) iptables/ + $service = /service[\w\- ]{0,16} iptables (stop|disable)/ + condition: + any of them } -rule iptables_flush : notable { - meta: - description = "flushes firewall rules" - ref = "https://www.netfilter.org/projects/iptables/" - strings: - $ref = /iptables -F[\w]{0,16}/ - condition: - any of them +rule iptables_flush : medium { + meta: + description = 
"flushes firewall rules" + ref = "https://www.netfilter.org/projects/iptables/" + hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b" + hash_2023_Linux_Malware_Samples_0638 = "063830221431f8136766f2d740df6419c8cd2f73b10e07fa30067df506592210" + hash_2023_Linux_Malware_Samples_1f94 = "1f94aa7ad1803a08dab3442046c9d96fc3d19d62189f541b07ed732e0d62bf05" + strings: + $ref = /iptables -F[\w]{0,16}/ + condition: + any of them } -rule iptables_delete : notable { - meta: - description = "deletes firewall rules" - ref = "https://www.netfilter.org/projects/iptables/" - strings: - $ref = /iptables -X[\w]{0,16}/ - condition: - any of them +rule iptables_delete : medium { + meta: + description = "deletes firewall rules" + ref = "https://www.netfilter.org/projects/iptables/" + hash_2023_BPFDoor_8b84 = "8b84336e73c6a6d154e685d3729dfa4e08e4a3f136f0b2e7c6e5970df9145e95" + hash_2023_BPFDoor_8b9d = "8b9db0bc9152628bdacc32dab01590211bee9f27d58e0f66f6a1e26aea7552a6" + hash_2024_Downloads_e100 = "e100be934f676c64528b5e8a609c3fb5122b2db43b9aee3b2cf30052799a82da" + strings: + $ref = /iptables -X[\w]{0,16}/ + condition: + any of them } diff --git a/rules/security_controls/linux/iptables_append.yara b/rules/security_controls/linux/iptables_append.yara index af1675c32..817d8c168 100644 --- a/rules/security_controls/linux/iptables_append.yara +++ b/rules/security_controls/linux/iptables_append.yara 
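Review bot: `rule iptables_delete : medium {` in iptables.yara reuses the identifier of the `iptables_delete` rule in iptables_delete.yara (next hunk); if both files are compiled into the same namespace YARA reports a duplicated identifier. This rule's pattern `/iptables -X[\w]{0,16}/` matches the delete-chain flag rather than rule deletion, so renaming it `rule iptables_delete_chain : medium {` with `description = "deletes user-defined firewall chains"` both removes the collision and makes the description accurate. The iptables.yara hunk begins on the previous line.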
@@ -1,10 +1,14 @@
-rule iptables_append : suspicious {
- meta:
- syscall = "posix_spawn"
- pledge = "exec"
- description = "Appends rules to a iptables chain"
- strings:
- $ref = /iptables [\-\w% ]{0,8} -A[\-\w% ]{0,32}/
- condition:
- any of them
-}
\ No newline at end of file
+
+rule iptables_append : high {
+ meta:
+ syscall = "posix_spawn"
+ pledge = "exec"
+ description = "Appends rules to a iptables chain"
+ hash_2023_BPFDoor_8b84 = "8b84336e73c6a6d154e685d3729dfa4e08e4a3f136f0b2e7c6e5970df9145e95"
+ hash_2023_BPFDoor_8b9d = "8b9db0bc9152628bdacc32dab01590211bee9f27d58e0f66f6a1e26aea7552a6"
+ hash_2024_Downloads_e100 = "e100be934f676c64528b5e8a609c3fb5122b2db43b9aee3b2cf30052799a82da"
+ strings:
+ $ref = /iptables [\-\w% ]{0,8} -A[\-\w% ]{0,32}/
+ condition:
+ any of them
+}
diff --git a/rules/security_controls/linux/iptables_delete.yara b/rules/security_controls/linux/iptables_delete.yara
index 055670273..10aa3d4c3 100644
--- a/rules/security_controls/linux/iptables_delete.yara
+++ b/rules/security_controls/linux/iptables_delete.yara
@@ -1,10 +1,14 @@
-rule iptables_delete : suspicious {
- meta:
- syscall = "posix_spawn"
- pledge = "exec"
- description = "Appends rules to a iptables chain"
- strings:
- $ref = /iptables [\-\w% ]{0,8} -D[\-\w% ]{0,32}/
- condition:
- any of them
-}
\ No newline at end of file
+
+rule iptables_delete : high {
+ meta:
+ syscall = "posix_spawn"
+ pledge = "exec"
+ description = "Appends rules to a iptables chain"
+ hash_2023_BPFDoor_8b84 = "8b84336e73c6a6d154e685d3729dfa4e08e4a3f136f0b2e7c6e5970df9145e95"
+ hash_2023_BPFDoor_8b9d = "8b9db0bc9152628bdacc32dab01590211bee9f27d58e0f66f6a1e26aea7552a6"
+ hash_2024_Downloads_e100 = "e100be934f676c64528b5e8a609c3fb5122b2db43b9aee3b2cf30052799a82da"
+ strings:
+ $ref = /iptables [\-\w% ]{0,8} -D[\-\w% ]{0,32}/
+ condition:
+ any of them
+}
diff --git a/rules/security_controls/linux/selinux.yara b/rules/security_controls/linux/selinux.yara
index d7d5fedad..8e7c94cba 100644
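Review bot: The description in the iptables_delete.yara hunk still reads `description = "Appends rules to a iptables chain"`, copied from iptables_append, although its pattern `/iptables [\-\w% ]{0,8} -D[\-\w% ]{0,32}/` matches rule deletion; `description = "Deletes rules from an iptables chain"` would describe what the rule detects. While the line is being rewritten, the iptables_append hunk on the same line could also take `description = "Appends rules to an iptables chain"`.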
--- a/rules/security_controls/linux/selinux.yara
+++ b/rules/security_controls/linux/selinux.yara
@@ -1,7 +1,12 @@
-rule selinux : notable {
+
+rule selinux : medium {
+ meta:
+ hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b"
+ hash_2023_Linux_Malware_Samples_450a = "450a7e35f13b57e15c8f4ce1fa23025a7c313931a394c40bd9f3325b981eb8a8"
+ hash_2023_Qubitstrike_branch_raw_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd"
 strings:
- $ref1 = "SELINUX" fullword
- $ref2 = "setenforce" fullword
+ $ref1 = "SELINUX" fullword
+ $ref2 = "setenforce" fullword
 condition:
- any of them
-}
\ No newline at end of file
+ any of them
+}
diff --git a/rules/security_controls/linux/selinux_disable.yara b/rules/security_controls/linux/selinux_disable.yara
index ae3d6a94b..ba8b80b4b 100644
--- a/rules/security_controls/linux/selinux_disable.yara
+++ b/rules/security_controls/linux/selinux_disable.yara
@@ -1,9 +1,13 @@
-rule selinux_disable_val : suspicious {
+
+rule selinux_disable_val : high {
 meta:
- description = "disables SELinux security control"
+ description = "disables SELinux security control"
+ hash_2023_Chaos_1d36 = "1d36f4bebd21a01c12fde522defee4c6b4d3d574c825ecc20a2b7a8baa122819"
+ hash_2023_Chaos_1fc4 = "1fc412b47b736f8405992e3744690b58ec4d611c550a1b4f92f08dfdad5f7a30"
+ hash_2023_Chaos_27cd = "27cdb8d8f64ce395795fdbde10cf3a08e7b217c92b7af89cde22abbf951b9e99"
 strings:
- $ref1 = "SELINUX=disabled"
- $ref2 = "setenforce 0"
+ $ref1 = "SELINUX=disabled"
+ $ref2 = "setenforce 0"
 condition:
- any of them
-}
\ No newline at end of file
+ any of them
+}
diff --git a/rules/security_controls/linux/ufw.yara b/rules/security_controls/linux/ufw.yara
index 027655a6f..3f6f596e6 100644
--- a/rules/security_controls/linux/ufw.yara
+++ b/rules/security_controls/linux/ufw.yara
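Review bot: The `meta:` block added to `selinux` in selinux.yara carries only hashes and no `description`, while every other rule on this page documents what it detects; add `description = "references SELinux enforcement (SELINUX, setenforce)"` as the first meta entry so the rule reads like its siblings.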
@@ -1,8 +1,12 @@ -rule ufw : notable { - meta: - description = "interacts with the ufw firewall" - strings: - $ref = "ufw" fullword - condition: - any of them + +rule ufw : medium { + meta: + description = "interacts with the ufw firewall" + hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b" + hash_2023_Downloads_82f5 = "82f509473dbacadaeb2373b309566e7e1a46a67ae9d9c74159aa65bf6424ded8" + hash_2023_Linux_Malware_Samples_03bb = "03bb1cfd9e45844701aabc549f530d56f162150494b629ca19d83c1c696710d7" + strings: + $ref = "ufw" fullword + condition: + any of them } diff --git a/rules/security_controls/macos/authorization.yara b/rules/security_controls/macos/authorization.yara index 5bccb18ae..42b5c1fe8 100644 --- a/rules/security_controls/macos/authorization.yara +++ b/rules/security_controls/macos/authorization.yara @@ -1,4 +1,5 @@ -rule system_privilege_admin : notable { + +rule system_privilege_admin : medium { meta: hash_2015_MacOS_EasyDoc_Converter = "896c863de42f4ec63a53657ecc5cfbcc780ac60149564e1be40e3899851571bb" hash_2020_EvilQuest_patch = "5a024ffabefa6082031dccdb1e74a7fec9f60f257cd0b1ab0f698ba2a5baca6b" diff --git a/rules/security_controls/macos/sip.yara b/rules/security_controls/macos/sip.yara index 9adf2762c..49928ffc2 100644 --- a/rules/security_controls/macos/sip.yara +++ b/rules/security_controls/macos/sip.yara 
@@ -1,8 +1,9 @@ -rule csrutil_user : notable { + +rule csrutil_user : medium { meta: - hash_2022_CloudMensis_WindowServer_2 = "b8a61adccefb13b7058e47edcd10a127c483403cf38f7ece126954e95e86f2bd" hash_2022_CloudMensis_WindowServer = "317ce26cae14dc9a5e4d4667f00fee771b4543e91c944580bbb136e7fe339427" - hash_2022_DazzleSpy_agent_softwareupdate = "f9ad42a9bd9ade188e997845cae1b0587bf496a35c3bffacd20fefe07860a348" + hash_2022_CloudMensis_WindowServer_2 = "b8a61adccefb13b7058e47edcd10a127c483403cf38f7ece126954e95e86f2bd" + hash_2022_DazzleSpy_softwareupdate = "f9ad42a9bd9ade188e997845cae1b0587bf496a35c3bffacd20fefe07860a348" strings: $csrutil = "csrutil" $not_private = "/System/Library/PrivateFrameworks/" diff --git a/rules/security_controls/macos/tcc.yara b/rules/security_controls/macos/tcc.yara index a61acba11..ebbadcb9c 100644 --- a/rules/security_controls/macos/tcc.yara +++ b/rules/security_controls/macos/tcc.yara 
@@ -1,13 +1,10 @@ -rule macos_tcc_db : suspicious { +rule macos_tcc_db : high { meta: - description = "access TCC (Transparency, Consent, and Control) database" - hash_2016_Calisto = "81c127c3cceaf44df10bb3ceb20ce1774f6a9ead0db4bd991abf39db828661cc" - hash_2023_trojan_JokerSpy_Python_xcc = "d895075057e491b34b0f8c0392b44e43ade425d19eaaacea6ef8c5c9bd3487d8" - hash_2022_CloudMensis_WindowServer_2 = "b8a61adccefb13b7058e47edcd10a127c483403cf38f7ece126954e95e86f2bd" - hash_2023_trojan_JokerSpy_Python_xcc_2 = "951039bf66cdf436c240ef206ef7356b1f6c8fffc6cbe55286ec2792bf7fe16c" + description = "access TCC (Transparency, Consent, and Control) database" + hash_2018_Calisto = "81c127c3cceaf44df10bb3ceb20ce1774f6a9ead0db4bd991abf39db828661cc" hash_2022_CloudMensis_WindowServer = "317ce26cae14dc9a5e4d4667f00fee771b4543e91c944580bbb136e7fe339427" - hash_2023_trojan_JokerSpy_Python_xcc_3 = "6d3eff4e029db9d7b8dc076cfed5e2315fd54cb1ff9c6533954569f9e2397d4c" + hash_2022_CloudMensis_WindowServer_2 = "b8a61adccefb13b7058e47edcd10a127c483403cf38f7ece126954e95e86f2bd" strings: $com_apple_TCC = "com.apple.TCC/TCC.db" $not_arc = "WelcomeToArc" diff --git a/rules/security_controls/macos/trusted-certs.yara b/rules/security_controls/macos/trusted-certs.yara index 8b2294968..7f292302a 100644 --- a/rules/security_controls/macos/trusted-certs.yara +++ b/rules/security_controls/macos/trusted-certs.yara 
@@ -1,12 +1,13 @@ -rule trusted_cert_manipulator : suspicious { + +rule trusted_cert_manipulator : high { meta: hash_2018_CookieMiner_uploadminer = "6236f77899cea6c32baf0032319353bddfecaf088d20a4b45b855a320ba41e93" - hash_2017_AptorDoc_Dok_AppStore = "4131d4737fe8dfe66d407bfd0a0df18a4a77b89347471cc012da8efc93c661a5" + hash_2017_MacOS_AppStore = "4131d4737fe8dfe66d407bfd0a0df18a4a77b89347471cc012da8efc93c661a5" strings: $security = "security" $add_trusted_cert = "add-trusted-cert" - $not_certtool = "PROGRAM:certtool" - $not_private = "/System/Library/PrivateFrameworks" + $not_certtool = "PROGRAM:certtool" + $not_private = "/System/Library/PrivateFrameworks" condition: - $security and $add_trusted_cert and none of ($not*) + $security and $add_trusted_cert and none of ($not*) } diff --git a/rules/security_controls/macos/xprotect.yara b/rules/security_controls/macos/xprotect.yara index a66f2e2b8..7dbb29d38 100644 --- a/rules/security_controls/macos/xprotect.yara +++ b/rules/security_controls/macos/xprotect.yara @@ -1,8 +1,9 @@ -rule XProtectMention : notable { + +rule XProtectMention : medium { meta: - hash_2023_trojan_JokerSpy_Python_xcc = "d895075057e491b34b0f8c0392b44e43ade425d19eaaacea6ef8c5c9bd3487d8" - hash_2023_trojan_JokerSpy_Python_xcc_2 = "951039bf66cdf436c240ef206ef7356b1f6c8fffc6cbe55286ec2792bf7fe16c" - hash_2023_trojan_JokerSpy_Python_xcc_3 = "6d3eff4e029db9d7b8dc076cfed5e2315fd54cb1ff9c6533954569f9e2397d4c" + hash_2023_JokerSpy_xcc = "d895075057e491b34b0f8c0392b44e43ade425d19eaaacea6ef8c5c9bd3487d8" + hash_2023_JokerSpy_xcc_2 = "951039bf66cdf436c240ef206ef7356b1f6c8fffc6cbe55286ec2792bf7fe16c" + hash_2023_JokerSpy_xcc_3 = "6d3eff4e029db9d7b8dc076cfed5e2315fd54cb1ff9c6533954569f9e2397d4c" strings: $xprotect = "XProtect" $not_apple = "com.apple.private" diff --git a/rules/service/systemd.yara b/rules/service/systemd.yara index 3c321fafa..3e78ee23f 100644 --- a/rules/service/systemd.yara +++ b/rules/service/systemd.yara 
@@ -1,13 +1,9 @@ -rule systemctl_calls_val : notable { + +rule systemctl_calls_val : medium { meta: hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b" hash_2023_Downloads_9929 = "99296550ab836f29ab7b45f18f1a1cb17a102bb81cad83561f615f3a707887d7" - hash_2020_Rekoobe_egiol = "6fc03c92dee363dd88e50e89062dd8a22fe88998aff7de723594ec916c348d0a" - hash_2020_CoinMiner_nbtoz = "741af7d54a95dd3b4497c73001e7b2ba1f607d19d63068b611505f9ce14c7776" - hash_2023_Linux_Malware_Samples_ee0e = "ee0e8516bfc431cb103f16117b9426c79263e279dc46bece5d4b96ddac9a5e90" - hash_2023_articles_https_www_intezer_com_blog_malware_analysis_elf_malware_analysis_101_part_3_advanced_analysis = "f63e4d0af48f819b71179109ef7bbeb9029e56e97b288ae7142897143c32fa0b" - hash_2023_Chaos_1d36 = "1d36f4bebd21a01c12fde522defee4c6b4d3d574c825ecc20a2b7a8baa122819" - hash_2023_Chaos_1fc4 = "1fc412b47b736f8405992e3744690b58ec4d611c550a1b4f92f08dfdad5f7a30" + hash_2024_Downloads_e241 = "e241a3808e1f8c4811759e1761e2fb31ce46ad1e412d65bb1ad9e697432bd4bd" strings: $systemctl_cmd = /systemctl (daemon-reload|reload|enable|stop|disable|restart|start)[\w _-]{0,32}/ condition: diff --git a/rules/shell/arbitrary_command-dev_null.yara b/rules/shell/arbitrary_command-dev_null.yara index 0ec9ffe22..56149885e 100644 --- a/rules/shell/arbitrary_command-dev_null.yara +++ b/rules/shell/arbitrary_command-dev_null.yara 
@@ -1,9 +1,13 @@ -rule cmd_dev_null : notable { - meta: - description = "runs commands, discards output" - strings: - $ref = /"{0,1}%s"{0,1} {0,2}[12&]{0,1}> {0,1}\/dev\/null/ - $ref2 = "\"%s\" >/dev/null" - condition: - any of them + +rule cmd_dev_null : medium { + meta: + description = "runs commands, discards output" + hash_2023_Linux_Malware_Samples_a07b = "a07bd8aedde27e776480bb375d191ce11c3a03275f6a03616b4a0bfbc1b9dfe6" + hash_2023_Linux_Malware_Samples_ee22 = "ee22d8b31eecf2c7dd670dde075df199be44ef4f61eb869f943ede7f5c3d61cb" + hash_2021_CDDS_installer_v2021 = "cf5edcff4053e29cb236d3ed1fe06ca93ae6f64f26e25117d68ee130b9bc60c8" + strings: + $ref = /"{0,1}%s"{0,1} {0,2}[12&]{0,1}> {0,1}\/dev\/null/ + $ref2 = "\"%s\" >/dev/null" + condition: + any of them } diff --git a/rules/shell/background-sleep.yara b/rules/shell/background-sleep.yara index 6f70beff1..55bc9676c 100644 --- a/rules/shell/background-sleep.yara +++ b/rules/shell/background-sleep.yara 
@@ -1,14 +1,10 @@
-rule sleep_and_background : notable {
+
+rule sleep_and_background : medium {
 meta:
 description = "calls sleep and runs shell code in the background"
- hash_gmera_licatrade = "49feb795e6d9bce63ee445e581c4cf4a8297fbf7848b6026538298d708bed172"
- hash_2019_Cointrazer = "138a54a0a1fe717cf0ffd63ef2a27d296456b5338aed8ef301ad0e90b0fe25ae"
- hash_2019_trojan_NukeSped_Lazarus_AppleJeus = "e352d6ea4da596abfdf51f617584611fc9321d5a6d1c22aff243aecdef8e7e55"
- hash_2020_OSX_CoinMiner_xbppt_installer = "b1fff5d501e552b535639aedaf4e5c7709b8405a9f063afcff3d6bbccffec725"
- hash_2023_CoinMiner_lauth = "fe3700a52e86e250a9f38b7a5a48397196e7832fd848a7da3cc02fe52f49cdcf"
- hash_2021_Tsunami_Kaiten = "305901aa920493695729132cfd20cbddc9db2cf861071450a646c6a07b4a50f3"
+ hash_2024_Downloads_3105 = "31054fb826b57c362cc0f0dbc8af15b22c029c6b9abeeee9ba8d752f3ee17d7d"
+ hash_2023_Linux_Malware_Samples_3059 = "305901aa920493695729132cfd20cbddc9db2cf861071450a646c6a07b4a50f3"
 hash_2023_Linux_Malware_Samples_3668 = "3668b167f5c9083a9738cfc4bd863a07379a5b02ee14f48a10fb1240f3e421a6"
- hash_2021_Tsunami_Kaiten_ujrzc = "7a60c84fb34b2b3cd7eed3ecd6e4a0414f92136af656ed7d4460b8694f2357a7"
 strings:
 $s_sleep_time = /sleep \d{1,128}/
 $s_nohup = "nohup"
diff --git a/rules/shell/background_launcher.yara b/rules/shell/background_launcher.yara
index ddbffdbe8..288844e61 100644
--- a/rules/shell/background_launcher.yara
+++ b/rules/shell/background_launcher.yara
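Review bot: The replacement meta keys drop the family attribution the old keys carried: `hash_2021_Tsunami_Kaiten` becomes `hash_2023_Linux_Malware_Samples_3059` for the same hash 305901aa…, so the meta no longer tells an analyst what the sample was, and the year moves from 2021 to 2023 for an unchanged sample, which looks like a collection date rather than a first-seen date. Keeping the family in the key, `hash_2023_Tsunami_Kaiten_3059 = "305901aa920493695729132cfd20cbddc9db2cf861071450a646c6a07b4a50f3"`, preserves that context at no cost. The same rename of 305901aa… and 553ac527… happens in nohup.yara for nohup_reference_value and trap_1. The strings and condition of sleep_and_background continue outside the hunk.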
@@ -1,6 +1,10 @@ -rule hidden_background_launcher : suspicious { + +rule hidden_background_launcher : high { meta: - description = "Launches background processes from a hidden path" + description = "Launches background processes from a hidden path" + hash_2023_rc_d = "30b0e00414ce76f7f64175fb133632d5c517394bc013b0efe3d8ead384d5e464" + hash_2024_2019_02_Shlayer_Malware_a2ec = "a2ec5d9c80794c26a7eaac8586521f7b0eb24aba9ad393c194c86cfd150e5189" + hash_2024_2019_02_Shlayer_Malware_b53f = "b53fab9dd4b473237a39895372aae51638b25d8f7a659c24d0a3cc21d03ef159" strings: $b_hidden_background = /\/\.[\w\/ \.\%]{1,64} \&[^&]/ $not_private = "/System/Library/PrivateFrameworks/" @@ -10,9 +14,12 @@ rule hidden_background_launcher : suspicious { any of ($b*) and none of ($not*) } -rule relative_background_launcher : suspicious { +rule relative_background_launcher : high { meta: - description = "Launches background processes from a relative path" + description = "Launches background processes from a relative path" + hash_2023_src_pscan = "59bb224cca5d33e442d21da26a33eaab1aa57dac5ba4e43bd72e262d115c23c8" + hash_2023_Unix_Downloader_Rocke_2f64 = "2f642efdf56b30c1909c44a65ec559e1643858aaea9d5f18926ee208ec6625ed" + hash_2011_bin_fxagent = "737bb6fe9a7ad5adcd22c8c9e140166544fa0c573fe5034dfccc0dc237555c83" strings: $b_relative_background = /\.\/\w[\w\/ \.\%]{1,64} \&[^&]/ $not_private = "/System/Library/PrivateFrameworks/" diff --git a/rules/shell/bash_dev_tcp.yara b/rules/shell/bash_dev_tcp.yara index 9f34295e6..76d27eba0 100644 --- a/rules/shell/bash_dev_tcp.yara +++ b/rules/shell/bash_dev_tcp.yara 
@@ -1,7 +1,10 @@ -rule bash_dev_tcp : suspicious exfil { +rule bash_dev_tcp : high exfil { meta: - description = "uses /dev/tcp for network access (bash)" + description = "uses /dev/tcp for network access (bash)" + hash_2023_UPX_0c25a05bdddc144fbf1ffa29372481b50ec6464592fdfb7dec95d9e1c6101d0d_elf_x86_64 = "818b80a08418f3bb4628edd4d766e4de138a58f409a89a5fdba527bab8808dd2" + hash_2023_usr_adxintrin_b = "a51a4ddcd092b102af94139252c898d7c1c48f322bae181bd99499a79c12c500" + hash_2023_spirit = "26ba215bcd5d8a9003a904b0eac7dc10054dba7bea9a708668a5f6106fd73ced" strings: $ref = "/dev/tcp" $posixly_correct = "POSIXLY_CORRECT" diff --git a/rules/shell/bash_dev_udp.yara b/rules/shell/bash_dev_udp.yara index 6ffbb6d4d..df8656719 100644 --- a/rules/shell/bash_dev_udp.yara +++ b/rules/shell/bash_dev_udp.yara @@ -1,5 +1,5 @@ -rule bash_dev_udp : suspicious exfil { +rule bash_dev_udp : high exfil { meta: description = "uses /dev/udp for network access (bash)" strings: diff --git a/rules/shell/busybox-exec.yara b/rules/shell/busybox-exec.yara index d8ba4c2e9..f9397355b 100644 --- a/rules/shell/busybox-exec.yara +++ b/rules/shell/busybox-exec.yara 
@@ -1,13 +1,9 @@ -rule busybox_runner : suspicious { + +rule busybox_runner : high { meta: - hash_2021_trojan_Mirai_3_Gafgyt = "0afd9f52ddada582d5f907e0a8620cbdbe74ea31cf775987a5675226c1b228c2" - hash_2021_trojan_Gafgyt_DDoS = "1f94aa7ad1803a08dab3442046c9d96fc3d19d62189f541b07ed732e0d62bf05" - hash_2023_Linux_Malware_Samples_1fce = "1fce1d5b977c38e491fe84e529a3eb5730d099a4966c753b551209f4a24524f3" - hash_2023_Linux_Malware_Samples_68c6 = "68c67c4e38c1b5a1a2897c5f6d25456e989f5a94c359137ea040e79ca4a588aa" - hash_2023_Linux_Malware_Samples_9ae6 = "9ae6e75c6c9b98b96a411eed54ec07ce1d9e658d7e9a3ad84f03da2f53dfc9b7" - hash_2023_Linux_Malware_Samples_b698 = "b6984474b33ca3f299ff586dae6822ed70d297803258e860c2a3a1e47abbf915" - hash_2023_Linux_Malware_Samples_bc5c = "bc5c2358e58876be7955fa0c8f5514f4d35e5353b93ba091216b2371470da988" - hash_2021_trojan_Mirai_Tsunami = "c8aeb927cd1b897a9c31199f33a6df9f297707bed1aa0e66d167270f1fde6ff5" + hash_2023_Unix_Dropper_Mirai_0e91 = "0e91c06bb84630aba38e9c575576b46240aba40f36e6142c713c9d63a11ab4bb" + hash_2023_Unix_Dropper_Mirai_4d50 = "4d50bee796cda760b949bb8918881b517f4af932406307014eaf77d8a9a342d0" + hash_2023_Unix_Dropper_Mirai_56ca = "56ca15bdedf9751f282b24d868b426b76d3cbd7aecff5655b60449ef0d2ca5c8" strings: $b_busybox_val = /\/bin\/busybox \w{2,16}[ \/\w\.]{0,64}/ condition: diff --git a/rules/shell/byte_offsets.yara b/rules/shell/byte_offsets.yara index 588a95214..3621e8420 100644 --- a/rules/shell/byte_offsets.yara +++ b/rules/shell/byte_offsets.yara @@ -1,4 +1,4 @@ -rule tail_byte_offsets : notable { +rule tail_byte_offsets : medium { meta: description = "uses the tail command with exotic offset values" strings: @@ -7,7 +7,7 @@ rule tail_byte_offsets : notable { any of them } -rule head_byte_offsets : notable { +rule head_byte_offsets : medium { meta: description = "uses the head command with exotic offset values" strings: diff --git a/rules/shell/exec.yara b/rules/shell/exec.yara index 0021deee8..8ff4147d5 100644 
--- a/rules/shell/exec.yara
+++ b/rules/shell/exec.yara
@@ -1,16 +1,19 @@
-rule calls_shell : notable {
+
+rule calls_shell : medium {
 meta:
- description = "executes shell"
+ description = "executes shell"
+ hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad"
+ hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796"
+ hash_2023_Downloads_06ab = "06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725"
 strings:
- $bin_sh = "/bin/sh"
- $bin_bash = "/bin/bash"
- $bin_dash = "/bin/dash"
- $bin_zsh = "/bin/zsh"
- // maybe even pull out a full command-line if we can
- $sh_val = /\/bin\/sh[ \%\{\}\$\-\"\'][ \%\{\}\$\-\w\"\']{1,64}/
- $bash_val = /\/bin\/bash[ \%\{\}\$\-\"\'][ \%\{\}\$\-\w\"\']{1,64}/
- $dash_val = /\/bin\/dash[ \%\{\}\$\-\"\'][ \%\{\}\$\-\w\"\']{1,64}/
- $zsh_val = /\/bin\/zsh[ \%\{\}\$\-\"\'][ \%\{\}\$\-\w\"\']{1,64}/
+ $bin_sh = "/bin/sh"
+ $bin_bash = "/bin/bash"
+ $bin_dash = "/bin/dash"
+ $bin_zsh = "/bin/zsh"
+ $sh_val = /\/bin\/sh[ \%\{\}\$\-\"\'][ \%\{\}\$\-\w\"\']{1,64}/
+ $bash_val = /\/bin\/bash[ \%\{\}\$\-\"\'][ \%\{\}\$\-\w\"\']{1,64}/
+ $dash_val = /\/bin\/dash[ \%\{\}\$\-\"\'][ \%\{\}\$\-\w\"\']{1,64}/
+ $zsh_val = /\/bin\/zsh[ \%\{\}\$\-\"\'][ \%\{\}\$\-\w\"\']{1,64}/
 condition:
- filesize < 100MB and any of them
+ filesize < 104857600 and any of them
 }
diff --git a/rules/shell/ignore_output.yara b/rules/shell/ignore_output.yara
index f02000974..01fd25c3d 100644
--- a/rules/shell/ignore_output.yara
+++ b/rules/shell/ignore_output.yara
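Review bot: `filesize < 104857600 and any of them` replaces the self-describing `100MB`, and YARA accepts the KB/MB suffixes, so the raw integer only loses readability; if a formatter or linter insists on the integer, keep the unit visible with a trailing comment, `filesize < 104857600 and any of them // 100MB`. The same conversion appears in execstart-elsewhere.yara (4KB, 100KB), no_blank_lines.yara, out_of_dependency_tree.yara, restart-always.yara and short-description.yara. The hunk also drops the `// maybe even pull out a full command-line if we can` comment without replacing it, so the reason the `$*_val` regexes exist alongside the plain `$bin_*` strings is no longer recorded; a one-line comment above `$sh_val` such as `// *_val variants capture the trailing command line for the report` would keep that intent.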
@@ -1,12 +1,15 @@ -rule ignore_output_val : notable { - meta: - description = "Runs shell commands but throws output away" - strings: - $kind_bash = /[\/\-\w ]{0,64}\> {0,2}\/dev\/null 2> {0,2}&1/ - $kind_both = /[\/\-\w ]{0,64}\> {0,2}\/dev\/null 2> {0,2}\/dev\/null/ - $kind_all = /[\/\-\w ]{0,64}> \/dev\/null 2>&1/ - $not_declare = /declare -\w [\w]{0,64} >/ - condition: - any of ($kind*) and none of ($not*) +rule ignore_output_val : medium { + meta: + description = "Runs shell commands but throws output away" + hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b" + hash_2023_Downloads_9929 = "99296550ab836f29ab7b45f18f1a1cb17a102bb81cad83561f615f3a707887d7" + hash_2023_Downloads_Chrome_Update = "eed1859b90b8832281786b74dc428a01dbf226ad24b182d09650c6e7895007ea" + strings: + $kind_bash = /[\/\-\w ]{0,64}\> {0,2}\/dev\/null 2> {0,2}&1/ + $kind_both = /[\/\-\w ]{0,64}\> {0,2}\/dev\/null 2> {0,2}\/dev\/null/ + $kind_all = /[\/\-\w ]{0,64}> \/dev\/null 2>&1/ + $not_declare = /declare -\w [\w]{0,64} >/ + condition: + any of ($kind*) and none of ($not*) } diff --git a/rules/shell/nohup.yara b/rules/shell/nohup.yara index 7eb4d2111..c988eeb63 100644 --- a/rules/shell/nohup.yara +++ b/rules/shell/nohup.yara 
@@ -1,16 +1,13 @@
-rule nohup_reference_value : notable {
+
+rule nohup_reference_value : medium {
 meta:
- description = "Runs command that is protected from termination"
- hash_2018_MacOS_CoinTicker = "c344730f41f52a2edabf95730389216a9327d6acc98346e5738b3eb99631634d"
- hash_2019_Cointrazer = "138a54a0a1fe717cf0ffd63ef2a27d296456b5338aed8ef301ad0e90b0fe25ae"
- hash_2013_trojan_Janicab_python = "7684a74becf520141ff59dcfe5cbc391d5d710a67c2241bb75a05e9694156982"
- hash_2021_Tsunami_Kaiten = "305901aa920493695729132cfd20cbddc9db2cf861071450a646c6a07b4a50f3"
- hash_2021_Tsunami_gjirtfg = "553ac527d6a02a84c787fd529ea59ce1eb301ddfb180d89b9e62108d92894185"
- hash_2021_Tsunami_Kaiten_ujrzc = "7a60c84fb34b2b3cd7eed3ecd6e4a0414f92136af656ed7d4460b8694f2357a7"
- hash_2021_gjif_tsunami_Gafygt = "e2125d9ce884c0fb3674bd12308ed1c10651dc4ff917b5e393d7c56d7b809b87"
+ description = "Runs command that is protected from termination"
+ hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78 = "fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588"
+ hash_2023_Linux_Malware_Samples_3059 = "305901aa920493695729132cfd20cbddc9db2cf861071450a646c6a07b4a50f3"
+ hash_2023_Linux_Malware_Samples_553a = "553ac527d6a02a84c787fd529ea59ce1eb301ddfb180d89b9e62108d92894185"
 strings:
 $nohup = "nohup" fullword
- $nohup_re_val = /nohup[ \%\{\}\$\-\w\"\']{2,64}/
+ $nohup_re_val = /nohup[ \%\{\}\$\-\w\"\']{2,64}/
 $not_append = "appending output"
 $not_usage = "usage: nohup"
 $not_nohup_out = "nohup.out"
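Review bot: The new key `hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78` embeds one SHA-256 while its value is a different one, `fd3e21b8…`, so a reader cannot tell which of the two is the indicator; presumably the key is the sample's on-disk filename (a file named after the hash of a packed or parent artifact), but nothing in the file says so. Either name the key by source without the second hash, `hash_2024_Downloads_fd3e = "fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588"`, or add `// meta key = original filename, value = sha256 of the scanned file` above the hash lines. The same pattern appears in bash_dev_tcp.yara (`hash_2023_UPX_0c25a05b…_elf_x86_64`), in nohup_bash below and in reverse.yara. The condition of nohup_reference_value is outside this hunk.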
@@ -21,35 +18,44 @@ rule nohup_reference_value : notable { filesize < 52428800 and any of ($nohup*) and none of ($not*) and not $bin_sh in (0..2) and not $bin_bash in (0..2) } -rule elf_nohup : suspicious { +rule elf_nohup : high { meta: - description = "Runs command that is protected from termination" + description = "Runs command that is protected from termination" + hash_2023_Merlin_48a7 = "48a70bd18a23fce3208195f4ad2e92fce78d37eeaa672f83af782656a4b2d07f" + hash_2023_Sysrv_Hello_sys_x86_64 = "cd784dc1f7bd95cac84dc696d63d8c807129ef47b3ce08cd08afb7b7456a8cd3" + hash_2023_Unix_Malware_Agent_b79a = "b79af4e394cbc8c19fc9b5410fa69b10325fd23f58bec330954caae135239a1f" strings: $nohup = "nohup" fullword - $nohup_re_val = /nohup[ \%\{\}\$\-\w\"\']{2,64}/ + $nohup_re_val = /nohup[ \%\{\}\$\-\w\"\']{2,64}/ $not_append = "appending output" $not_usage = "usage: nohup" $not_nohup_out = "nohup.out" $not_pushd = "pushd" condition: - uint32(0) == 1179403647 and any of ($nohup*) and none of ($not*) + uint32(0) == 1179403647 and any of ($nohup*) and none of ($not*) } -rule trap_1 : suspicious { +rule trap_1 : high { meta: - description = "Protects itself from early termination via SIGHUP" + description = "Protects itself from early termination via SIGHUP" + hash_2023_Linux_Malware_Samples_3059 = "305901aa920493695729132cfd20cbddc9db2cf861071450a646c6a07b4a50f3" + hash_2023_Linux_Malware_Samples_553a = "553ac527d6a02a84c787fd529ea59ce1eb301ddfb180d89b9e62108d92894185" + hash_2023_Linux_Malware_Samples_7a60 = "7a60c84fb34b2b3cd7eed3ecd6e4a0414f92136af656ed7d4460b8694f2357a7" strings: $ref = "trap '' 1" - $ref2 = "trap \"\" 1" + $ref2 = "trap \"\" 1" condition: - any of them + any of them } -rule nohup_bash : suspicious { +rule nohup_bash : high { meta: - description = "Calls bash with nohup" + description = "Calls bash with nohup" + hash_2023_Sysrv_Hello_sys_x86_64 = "cd784dc1f7bd95cac84dc696d63d8c807129ef47b3ce08cd08afb7b7456a8cd3" + hash_2023_Unix_Malware_Agent_b79a = 
"b79af4e394cbc8c19fc9b5410fa69b10325fd23f58bec330954caae135239a1f" + hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78 = "fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588" strings: - $ref = /nohup bash[ \w\/\&\.\-\%\>]{0,32}/ + $ref = /nohup bash[ \w\/\&\.\-\%\>]{0,32}/ condition: any of them } diff --git a/rules/shell/pipe_sh.yara b/rules/shell/pipe_sh.yara index 1953216aa..e662f1c94 100644 --- a/rules/shell/pipe_sh.yara +++ b/rules/shell/pipe_sh.yara @@ -1,11 +1,15 @@ -rule pipe_to_shell : notable { + +rule pipe_to_shell : medium { meta: - description = "pipes to shell" + description = "pipes to shell" + hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b" + hash_2024_Downloads_a031 = "a031da66c6f6cd07343d5bc99cc283528a5b7f04f97b2c33c2226a388411ec61" + hash_2023_Linux_Malware_Samples_2023 = "2023eafb964cc555ec9fc4e949db9ba3ec2aea5c237c09db4cb71abba8dcaa97" strings: $val_sh = "| sh" $val_bin_sh = "| /bin/sh" $val_bash = "| bash" $val_bin_bash = "| /bin/bash" condition: - any of them + any of them } diff --git a/rules/shell/pipe_to_background.yara b/rules/shell/pipe_to_background.yara index cd4017e54..7a1ec817e 100644 --- a/rules/shell/pipe_to_background.yara +++ b/rules/shell/pipe_to_background.yara @@ -1,8 +1,10 @@ -rule pipe_to_bg : notable { + +rule pipe_to_bg : medium { meta: - description = "pipes to backgrounded shell" + description = "pipes to backgrounded shell" + hash_2024_Downloads_a031 = "a031da66c6f6cd07343d5bc99cc283528a5b7f04f97b2c33c2226a388411ec61" strings: $ref = "| sh &" condition: - $ref + $ref } diff --git a/rules/shell/relative-semicolon.yara b/rules/shell/relative-semicolon.yara index 0dc2b2368..8e5062a83 100644 --- a/rules/shell/relative-semicolon.yara +++ b/rules/shell/relative-semicolon.yara 
@@ -1,14 +1,10 @@ -rule semicolon_relative_path : suspicious { + +rule semicolon_relative_path : high { meta: ref = "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally" - hash_2021_trojan_Mirai_3_Gafgyt = "0afd9f52ddada582d5f907e0a8620cbdbe74ea31cf775987a5675226c1b228c2" - hash_2021_trojan_Mirai_dclea = "206ad8fec64661c1fed8f20f71523466d0ca4ed9c01d20bea128bfe317f4395a" - hash_2021_trojan_Mirai_aspze = "341a49940749d5f07d32d1c8dfddf6388a11e45244cc54bc8768a8cd7f00b46a" - hash_2021_gjif_tsunami_Gafygt = "e2125d9ce884c0fb3674bd12308ed1c10651dc4ff917b5e393d7c56d7b809b87" - hash_2021_trojan_Mirai_leeyo = "ff2a39baf61e34f14f9c49c27faed07bdd431605b3c845ab82023c39589e6798" - hash_2023_Linux_Malware_Samples_cbad = "cbadb658ba16ad9a635cdd984ce56bb3f39da33524aded8d40371c0e1ae9be44" - hash_2021_trojan_Mirai_gsjmm = "dcd318efe5627e07a8eda9104ede1f510e43f5c0ae7f74d411137e1174f2844b" - hash_2023_Linux_Malware_Samples_fdcd = "fdcda1da780db220c77a44b294221a2ab9f2ca8c60f84d65e032cb5bc271e927" + hash_2023_Py_Trojan_NecroBot_0e60 = "0e600095a3c955310d27c08f98a012720caff698fe24303d7e0dcb4c5e766322" + hash_2023_Unix_Dropper_Mirai_0e91 = "0e91c06bb84630aba38e9c575576b46240aba40f36e6142c713c9d63a11ab4bb" + hash_2023_Unix_Dropper_Mirai_4d50 = "4d50bee796cda760b949bb8918881b517f4af932406307014eaf77d8a9a342d0" strings: $semi_relative = /[\/\w]{3,};[ +]{0,8}\.\/\.{0,8}\w{3,}/ condition: diff --git a/rules/shell/reverse.yara b/rules/shell/reverse.yara index df3fe1866..1b2edb909 100644 --- a/rules/shell/reverse.yara +++ b/rules/shell/reverse.yara 
@@ -1,9 +1,9 @@ + rule reverse_shell : critical { meta: - hash_2018_MacOS_CoinTicker = "c344730f41f52a2edabf95730389216a9327d6acc98346e5738b3eb99631634d" - hash_2021_Gmera_Licatrade = "ad27ae075010795c04a6c5f1303531f3f2884962be4d741bf38ced0180710d06" - hash_2023_pack_pack_cc6fbeece99f392c9c2228fcc6babc5dd09ab31b = "d6e781df92a93bc867b53c8310d6b04ceed9df64bd28b2e6e6264fa4fc44e1aa" - hash_2023_Linux_Malware_Samples_d744 = "d7444cf0e30f3fc35cf13fa3726041bf0fbf80b289a88632fdae062a41094fb8" + hash_2023_UPX_0c25a05bdddc144fbf1ffa29372481b50ec6464592fdfb7dec95d9e1c6101d0d_elf_x86_64 = "818b80a08418f3bb4628edd4d766e4de138a58f409a89a5fdba527bab8808dd2" + hash_2023_OK_ad69 = "ad69e198905a8d4a4e5c31ca8a3298a0a5d761740a5392d2abb5d6d2e966822f" + hash_2023_ciscotools_4247 = "42473f2ab26a5a118bd99885b5de331a60a14297219bf1dc1408d1ede7d9a7a6" strings: $bash_dev_tcp = "bash -i >& /dev/tcp/" $stdin_redir = "0>&1" fullword @@ -15,20 +15,18 @@ rule reverse_shell : critical { } rule mkfifo_netcat : critical { - meta: - description = "creates a reverse shell using mkfifo and netcat" - strings: - $mkfifo = "mkfifo" fullword - $sh_i = "sh -i" - $nc = /\| {0,2}nc / - condition: - filesize < 16384 and all of them + meta: + description = "creates a reverse shell using mkfifo and netcat" + strings: + $mkfifo = "mkfifo" fullword + $sh_i = "sh -i" + $nc = /\| {0,2}nc / + condition: + filesize < 16384 and all of them } rule perl_reverse_shell : critical { meta: - hash_2023_Linux_Malware_Samples_caa1 = "caa114893cf5cb213b39591bbcb72f66ee4519be07269968e714a8d3f24c3382" - hash_2018_OSX_Dummy_script = "ced05b1f429ade707691b04f59d7929961661963311b768d438317f4d3d82953" hash_2023_Win_Trojan_Perl_9aed = "9aed7ab8806a90aa9fac070fbf788466c6da3d87deba92a25ac4dd1d63ce4c44" hash_2023_uacert_socket = "912dc3aee7d5c397225f77e3ddbe3f0f4cf080de53ccdb09c537749148c1cc08" strings: 
@@ -36,7 +34,6 @@ rule perl_reverse_shell : critical {
 $open = "open("
 $redir_double = "\">&"
 $redir_single = "'>&"
- $sh_i = "sh -i"
 condition:
 $socket and $open and any of ($redir*) and $sh_i
diff --git a/rules/shell/tmp_semicolon.yara b/rules/shell/tmp_semicolon.yara
index ca4e91077..12ab48459 100644
--- a/rules/shell/tmp_semicolon.yara
+++ b/rules/shell/tmp_semicolon.yara
@@ -1,11 +1,15 @@
-rule semicolon_short_tmp : suspicious {
+
+rule semicolon_short_tmp : high {
 meta:
- description = "unusual one-liners involving /tmp"
+ description = "unusual one-liners involving /tmp"
+ hash_2023_Unix_Coinminer_Xanthe_7ea1 = "7ea112aadebb46399a05b2f7cc258fea02f55cf2ae5257b331031448f15beb8f"
+ hash_2023_Unix_Dropper_Mirai_0e91 = "0e91c06bb84630aba38e9c575576b46240aba40f36e6142c713c9d63a11ab4bb"
+ hash_2023_Unix_Dropper_Mirai_4d50 = "4d50bee796cda760b949bb8918881b517f4af932406307014eaf77d8a9a342d0"
 strings:
- $tmp_before = /[\w\/ \-\;]{0,32} \/tmp\/[a-z]{1,5} {0,2};/
- $var_tmp_before = /[\w\/ \-\;]{0,32} \/var\/tmp\/[a-z]{1,5} {0,2};/
- $tmp_after = /[\w\/ \-]{0,32}; {0,2}\/tmp\/[a-z]{1,5}[\w\/ \-\&\;]{0,32}/
- $var_tmp_after = /[\w\/ \-]{0,32}; {0,2}\/var\/tmp\/[a-z]{1,5}[\w\/ \-\&\;]{0,32}/
+ $tmp_before = /[\w\/ \-\;]{0,32} \/tmp\/[a-z]{1,5} {0,2};/
+ $var_tmp_before = /[\w\/ \-\;]{0,32} \/var\/tmp\/[a-z]{1,5} {0,2};/
+ $tmp_after = /[\w\/ \-]{0,32}; {0,2}\/tmp\/[a-z]{1,5}[\w\/ \-\&\;]{0,32}/
+ $var_tmp_after = /[\w\/ \-]{0,32}; {0,2}\/var\/tmp\/[a-z]{1,5}[\w\/ \-\&\;]{0,32}/
 condition:
 any of them
 }
diff --git a/rules/shell/unusual_redirect.yara b/rules/shell/unusual_redirect.yara
index 4b43b7a0a..efb4223f9 100644
--- a/rules/shell/unusual_redirect.yara
+++ b/rules/shell/unusual_redirect.yara
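Review bot: Removing `$sh_i = "sh -i"` leaves the condition on the last line of the hunk still ending in `and $sh_i`, which YARA rejects as an undefined string identifier, so perl_reverse_shell and with it the whole reverse.yara file will no longer compile. Going by the hunk offsets, the only other strings in this rule are `$socket` (just above the hunk) and the `$redir*` pair, so no second `$sh_i` definition remains to satisfy the reference. Either restore `$sh_i = "sh -i"` or change the condition to `$socket and $open and any of ($redir*)`; the former keeps the rule's precision. The rule header and its closing brace are outside the hunk.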
@@ -1,13 +1,5 @@ + rule unusual_redir { - meta: - hash_2021_trojan_Gafgyt_fszhv = "1794cf09f4ea698759b294e27412aa09eda0860475cd67ce7b23665ea6c5d58b" - hash_2021_trojan_Gafgyt_malxmr = "1b5bd0d4989c245af027f6bc0c331417f81a87fff757e19cdbdfe25340be01a6" - hash_2018_trojan_TickerCoin_contir = "c344730f41f52a2edabf95730389216a9327d6acc98346e5738b3eb99631634d" - hash_gmera_licatrade = "49feb795e6d9bce63ee445e581c4cf4a8297fbf7848b6026538298d708bed172" - hash_2023_Linux_Malware_Samples_aab5 = "aab526b32d703fd9273635393011a05c9c3f6204854367eb0eb80894bbcfdd42" - hash_2023_Linux_Malware_Samples_da75 = "da7596a5308afddaa2197d62446761b9b437d423e57e7599a57d7ec65e342dce" - hash_2023_Linux_Malware_Samples_eb67 = "eb67c56ec169940481e075a6b638d5f16e324aef6c2afcb8c4491b7ec1ed0058" - hash_2021_Gmera_Licatrade = "ad27ae075010795c04a6c5f1303531f3f2884962be4d741bf38ced0180710d06" strings: $s_redir_stdin = " 0>&1" $s_redir_bash = "bash 2>/dev/null" diff --git a/rules/systemd/execstart-elsewhere.yara b/rules/systemd/execstart-elsewhere.yara index 2bd6e1fcf..72a16b9fe 100644 --- a/rules/systemd/execstart-elsewhere.yara +++ b/rules/systemd/execstart-elsewhere.yara 
@@ -1,19 +1,21 @@ -rule execstart_danger_path_val : suspicious { + +rule execstart_danger_path_val : high { meta: ref = "https://sandflysecurity.com/blog/log4j-kinsing-linux-malware-in-the-wild/" - description = "Starts from a dangerous-looking path" + description = "Starts from a dangerous-looking path" strings: $awkward = /ExecStart=\/(boot|var|tmp|dev|root)\/[\.\w\-\/]{0,32}/ condition: - filesize < 4KB and any of them + filesize < 4096 and any of them } -rule execstart_unexpected_dir_val : notable { +rule execstart_unexpected_dir_val : medium { meta: - description = "Starts from an unusual path" + description = "Starts from an unusual path" ref = "https://sandflysecurity.com/blog/log4j-kinsing-linux-malware-in-the-wild/" - hash_2023_kinsing = "05d02411668f4ebd576a24ac61cc84e617bdb66aa819581daa670c65f1a876f0" + hash_2023_Downloads_kinsing = "05d02411668f4ebd576a24ac61cc84e617bdb66aa819581daa670c65f1a876f0" hash_2023_articles_https_pberba_github_io_security_2022_02_07_linux_threat_hunting_for_persistence_systemd_generators = "8c227f67a16162ffd5b453a478ced2950eba4cbe3b004c5cc935fb9551dc2289" + hash_2024_2024_Spinning_YARN_yarn_fragments = "723326f8551f2a92ccceeec93859f58df380a3212e7510bc64181f2a0743231c" strings: $execstart = /ExecStart=\/[\w\/]{1,128}/ $expected_bin = "ExecStart=/bin" @@ -25,5 +27,5 @@ rule execstart_unexpected_dir_val : notable { $expected_sbin = "ExecStart=/sbin" $expected_usr = "ExecStart=/usr" condition: - filesize < 100KB and $execstart and none of ($expected_*) + filesize < 102400 and $execstart and none of ($expected_*) } diff --git a/rules/systemd/execstop-bin-sh.yara b/rules/systemd/execstop-bin-sh.yara index e582a889b..5d018d212 100644 --- a/rules/systemd/execstop-bin-sh.yara +++ b/rules/systemd/execstop-bin-sh.yara 
@@ -1,4 +1,4 @@
-rule usr_bin_execstop : notable {
+rule usr_bin_execstop : medium {
 meta:
 ref = "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html"
 description = "Runs shell script at stop"
diff --git a/rules/systemd/execstop-elsewhere.yara b/rules/systemd/execstop-elsewhere.yara
index bb3aeb738..3bc7aff54 100644
--- a/rules/systemd/execstop-elsewhere.yara
+++ b/rules/systemd/execstop-elsewhere.yara
@@ -1,4 +1,4 @@
-rule execstop_elsewhere : notable {
+rule execstop_elsewhere : medium {
 meta:
 ref = "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html"
 description = "Runs program from unexpected directory at stop"
diff --git a/rules/systemd/execstop-usr-bin.yara b/rules/systemd/execstop-usr-bin.yara
index 89d963e61..9b74c020a 100644
--- a/rules/systemd/execstop-usr-bin.yara
+++ b/rules/systemd/execstop-usr-bin.yara
@@ -1,4 +1,4 @@
-rule usr_bin_execstop : notable {
+rule usr_bin_execstop : medium {
 meta:
 ref = "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html"
 description = "Runs program from /usr/bin at stop"
diff --git a/rules/systemd/no_blank_lines.yara b/rules/systemd/no_blank_lines.yara
index 9b8836f90..e1b219b59 100644
--- a/rules/systemd/no_blank_lines.yara
+++ b/rules/systemd/no_blank_lines.yara
@@ -1,10 +1,11 @@
-rule systemd_no_blank_lines : suspicious {
+
+rule systemd_no_blank_lines : high {
 meta:
 ref = "https://sandflysecurity.com/blog/log4j-kinsing-linux-malware-in-the-wild/"
- hash_2023_kinsing = "05d02411668f4ebd576a24ac61cc84e617bdb66aa819581daa670c65f1a876f0"
+ hash_2023_Downloads_kinsing = "05d02411668f4ebd576a24ac61cc84e617bdb66aa819581daa670c65f1a876f0"
 strings:
 $execstart = "ExecStart"
 $blank = "\n\n"
 condition:
- filesize < 4KB and $execstart and not $blank
+ filesize < 4096 and $execstart and not $blank
 }
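Review bot: Both `rules/systemd/execstop-bin-sh.yara` and `rules/systemd/execstop-usr-bin.yara` declare `rule usr_bin_execstop`, and the hunks here only retag them, so the name collision survives the commit; if the rules tree is compiled into one namespace YARA reports a duplicated rule identifier, and even if each file is loaded separately two different detections ("Runs shell script at stop" versus "Runs program from /usr/bin at stop") will report under the same name. Rename the one in execstop-bin-sh.yara to match its description, `rule bin_sh_execstop : medium {`. The strings and conditions of both rules are outside these hunks.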
diff --git a/rules/systemd/no_docs_or_comments.yara b/rules/systemd/no_docs_or_comments.yara index 4e56f4a75..613b56bb3 100644 --- a/rules/systemd/no_docs_or_comments.yara +++ b/rules/systemd/no_docs_or_comments.yara @@ -1,5 +1,5 @@ -rule systemd_no_comments_or_documentation : suspicious { +rule systemd_no_comments_or_documentation : high { meta: ref = "https://sandflysecurity.com/blog/log4j-kinsing-linux-malware-in-the-wild/" description = "systemd unit is undocumented" diff --git a/rules/systemd/no_output.yara b/rules/systemd/no_output.yara index f010f3eb5..43362555a 100644 --- a/rules/systemd/no_output.yara +++ b/rules/systemd/no_output.yara @@ -1,4 +1,4 @@ -rule systemd_no_output : suspicious { +rule systemd_no_output : high { meta: description = "Discards all logging output" strings: diff --git a/rules/systemd/out_of_dependency_tree.yara b/rules/systemd/out_of_dependency_tree.yara index 21d47f7e1..9f4a60bed 100644 --- a/rules/systemd/out_of_dependency_tree.yara +++ b/rules/systemd/out_of_dependency_tree.yara @@ -1,7 +1,8 @@ -rule systemd_not_in_dependency_tree : suspicious { +rule systemd_not_in_dependency_tree : high { meta: - description = "Relies on nothing, nothing relies on it" + description = "Relies on nothing, nothing relies on it" + hash_2023_Downloads_kinsing = "05d02411668f4ebd576a24ac61cc84e617bdb66aa819581daa670c65f1a876f0" strings: $execstart = "ExecStart=" $expect_after = /After=\w/ 
@@ -15,13 +16,11 @@ rule systemd_not_in_dependency_tree : suspicious { $expect_idle = "Type=idle" $expect_systemd = "ExecStart=systemd-" condition: - filesize < 4KB and $execstart and none of ($expect_*) + filesize < 4096 and $execstart and none of ($expect_*) } -rule type_forking_not_in_dep_tree : suspicious { +rule type_forking_not_in_dep_tree : high { meta: - hash_2023_kinsing = "05d02411668f4ebd576a24ac61cc84e617bdb66aa819581daa670c65f1a876f0" - hash_2020_trojan_SAgnt_vnqci_sshd = "df3b41b28d5e7679cddb68f92ec98bce090af0b24484b4636d7d84f579658c52" hash_2023_Txt_Malware_Sustes_0e77 = "0e77291955664d2c25d5bfe617cec12a388e5389f82dee5ae4fd5c5d1f1bdefe" hash_2023_Unix_Malware_Kaiji_3e68 = "3e68118ad46b9eb64063b259fca5f6682c5c2cb18fd9a4e7d97969226b2e6fb4" hash_2023_Unix_Malware_Kaiji_f4a6 = "f4a64ab3ffc0b4a94fd07a55565f24915b7a1aaec58454df5e47d8f8a2eec22a" diff --git a/rules/systemd/restart-always.yara b/rules/systemd/restart-always.yara index 3c1e9dfdd..131463612 100644 --- a/rules/systemd/restart-always.yara +++ b/rules/systemd/restart-always.yara @@ -1,8 +1,10 @@ -rule systemd_restart_always : notable { + +rule systemd_restart_always : medium { meta: - description = "service restarts no matter how many times it crashes" + description = "service restarts no matter how many times it crashes" + hash_2023_Downloads_kinsing = "05d02411668f4ebd576a24ac61cc84e617bdb66aa819581daa670c65f1a876f0" strings: $restart = "Restart=always" condition: - filesize < 4KB and any of them + filesize < 4096 and any of them } diff --git a/rules/systemd/short-description.yara b/rules/systemd/short-description.yara index c76c8eef3..e4d6b1a81 100644 --- a/rules/systemd/short-description.yara +++ b/rules/systemd/short-description.yara 
@@ -1,12 +1,10 @@ + rule systemd_short_description { meta: - description = "Short or no description" - hash_2021_malxmr_install_sh = "99296550ab836f29ab7b45f18f1a1cb17a102bb81cad83561f615f3a707887d7" - hash_2023_articles_https_pberba_github_io_security_2022_02_07_linux_threat_hunting_for_persistence_systemd_generators = "8c227f67a16162ffd5b453a478ced2950eba4cbe3b004c5cc935fb9551dc2289" - hash_2023_usr_adxintrin_b = "a51a4ddcd092b102af94139252c898d7c1c48f322bae181bd99499a79c12c500" + description = "Short or no description" strings: $execstart = "ExecStart=" $short_desc = /Description=\w{,4}/ fullword condition: - filesize < 4KB and all of them + filesize < 4096 and all of them } diff --git a/rules/techniques/code_eval.yara b/rules/techniques/code_eval.yara index 19d4b733c..e045e054e 100644 --- a/rules/techniques/code_eval.yara +++ b/rules/techniques/code_eval.yara 
@@ -1,30 +1,39 @@ -rule eval : notable { - meta: - description = "evaluate code dynamically using eval()" - strings: - $val = /eval\([a-z\"\'\(\,\)]{1,32}/ fullword - $not_empty = "eval()" - condition: - $val and none of ($not*) + +rule eval : medium { + meta: + description = "evaluate code dynamically using eval()" + hash_2023_0xShell_f = "9ce3da0322ee42e9119abb140b829efc3c94ea802df7a6f3968829645e1a5330" + hash_2023_0xShell_lndex = "9b073472cac7f3f8274165a575e96cfb4f4eb38471f6a8e57bb9789f3f307495" + hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad" + strings: + $val = /eval\([a-z\"\'\(\,\)]{1,32}/ fullword + $not_empty = "eval()" + condition: + $val and none of ($not*) } -rule python_exec : notable { - meta: - description = "evaluate code dynamically using exec()" - strings: - $val = /exec\([a-z\"\'\(\,\)]{1,32}/ fullword - $empty = "exec()" - condition: - $val and not $empty +rule python_exec : medium { + meta: + description = "evaluate code dynamically using exec()" + hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e" + hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad" + hash_2023_misc_mr_robot = "630bbcf0643d9fc9840f2f54ea4ae1ea34dc94b91ee011779c8e8c91f733c9f5" + strings: + $val = /exec\([a-z\"\'\(\,\)]{1,32}/ fullword + $empty = "exec()" + condition: + $val and not $empty } -rule shell_eval : notable { - meta: - description = "evaluate shell code dynamically using eval" - strings: - $val = /eval \$\w{0,64}/ fullword - // https://github.com/spf13/cobra/blob/0fc86c2ffd0326b6f6ed5fa36803d26993655c08/fish_completions.go#L59 - $not_fish_completion = "fish completion" - condition: - $val and none of ($not*) -} \ No newline at end of file +rule shell_eval : medium { + meta: + description = "evaluate shell code dynamically using eval" + hash_1980_FruitFly_A_205f = "205f5052dc900fc4010392a96574aed5638acf51b7ec792033998e4043efdf6c" + 
hash_1980_FruitFly_A_ce07 = "ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044"
+ hash_2023_init_d_netconsole = "ce60bd5b98735dc901a8ca8080fb7137a068de5cb0b75561c04ab4cb3bad3dbe"
+ strings:
+ $val = /eval \$\w{0,64}/ fullword
+ $not_fish_completion = "fish completion"
+ condition:
+ $val and none of ($not*)
+}
diff --git a/rules/tools/backdoor/brute_ratel.yara b/rules/tools/backdoor/brute_ratel.yara
index 5c2b748a1..7b1c5dd7f 100644
--- a/rules/tools/backdoor/brute_ratel.yara
+++ b/rules/tools/backdoor/brute_ratel.yara
@@ -1,4 +1,4 @@
-rule brute_ratel_c4 : suspicious {
+rule brute_ratel_c4 : high {
 meta:
 description = "XOR'ed shellcode from Brute Ratel"
 author = "Florian Roth"
diff --git a/rules/tools/backdoor/cobalt_strike.yara b/rules/tools/backdoor/cobalt_strike.yara
index f8810a3b3..bc3ec486f 100644
--- a/rules/tools/backdoor/cobalt_strike.yara
+++ b/rules/tools/backdoor/cobalt_strike.yara
@@ -1,10 +1,11 @@
-rule cobalt_strike_indicator : suspicious {
+
+rule cobalt_strike_indicator : high {
 meta:
- description = "CobaltStrike indicator"
- author = "Florian Roth"
+ description = "CobaltStrike indicator"
+ author = "Florian Roth"
+ hash_2024_2018_04_Common_Malware_Carrier_payload = "8cdd29e28daf040965d4cad8bf3c73d00dde3f2968bab44c7d8fe482ba2057f9"
 strings:
- // extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
- $ref = "%s as %s\\%s: %d" ascii xor
+ $ref = "%s as %s\\%s: %d" ascii xor
 condition:
 any of them
 }
diff --git a/rules/tools/backdoor/diamorphine.yara b/rules/tools/backdoor/diamorphine.yara
index 35c01c308..089d0a378 100644
--- a/rules/tools/backdoor/diamorphine.yara
+++ b/rules/tools/backdoor/diamorphine.yara
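Review bot: `hash_1980_FruitFly_A_205f` and `hash_1980_FruitFly_A_ce07` in shell_eval carry a 1980 year, which looks like a zip/filesystem epoch artifact from the sample archive rather than an observation date (the FruitFly macOS backdoor was publicly reported in 2017), and since the year is the only dating information these keys carry it misleads whoever reads the meta. Use the year the sample was actually seen, or drop it, `hash_FruitFly_A_205f = "205f5052dc900fc4010392a96574aed5638acf51b7ec792033998e4043efdf6c"`. The same hunk also deletes the cobra fish_completions.go link that explained why `$not_fish_completion` exists; restore it as a `//` comment above that string so the exclusion is not removed by a later cleanup as dead weight.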
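Review bot: In cobalt_strike.yara the hunk deletes the `// extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar` comment while keeping `author = "Florian Roth"`, so the file no longer says where the borrowed `$ref` string came from, which matters both for maintaining the rule and for attributing a third-party rule under its license. Keep the link as structured metadata next to the author line, `ref = "https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar"`. The new key `hash_2024_2018_04_Common_Malware_Carrier_payload` contains two years (2024 and 2018), which suggests the naming script picked up a directory name; the same double-year shape appears in execstart-elsewhere.yara (`hash_2024_2024_Spinning_YARN_yarn_fragments`) and is worth normalizing.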
@@ -1,18 +1,17 @@
+
 rule diamorphine_linux_kernel_rootkit : critical {
 meta:
 ref = "https://github.com/m0nad/Diamorphine"
+ hash_2023_Linux_Malware_Samples_5d63 = "5d637915abc98b21f94b0648c552899af67321ab06fb34e33339ae38401734cf"
 hash_2022_LQvKibDTq4_diamorphine = "aec68cfa75b582616c8fbce22eecf463ddb0c09b692a1b82a8de23fb0203fede"
 hash_2023_LQvKibDTq4_diamorphine = "e93e524797907d57cb37effc8ebe14e6968f6bca899600561971e39dfd49831d"
- hash_2023_LQvKibDTq4_diamorphine = "d83f43f47c1438d900143891e7a542d1d24f9adcbd649b7698d8ee7585068039"
- hash_2023_hf_tar_diamorphine = "19bab35afb1accd6004e648540643a114c5cfdf572564ad0b12668db46b167b2"
- hash_2023_Linux_Malware_Samples_5d63 = "5d637915abc98b21f94b0648c552899af67321ab06fb34e33339ae38401734cf"
 strings:
 $pfx_hacked_getdents = "hacked_getdents"
 $pfx_original_getdents = "original_getdents"
 $pfx_give_root = "give_root"
 $pfx_hacked_kill = "hacked_kill"
 $pfx_module_show = "module_show"
- $pfx_is_invisible = "is_invisible"
+ $pfx_is_invisible = "is_invisible"
 condition:
 4 of them
-}
\ No newline at end of file
+}
diff --git a/rules/tools/backdoor/geacon.yara b/rules/tools/backdoor/geacon.yara
index 35b3efa5b..dca17af36 100644
--- a/rules/tools/backdoor/geacon.yara
+++ b/rules/tools/backdoor/geacon.yara
@@ -1,7 +1,8 @@
+
 rule c2_geacon_cobalt_strike : critical {
 meta:
- hash_2023_cobaltstrike_beacon = "21b3e304db526e2c80df1f2da2f69ab130bdad053cb6df1e05eb487a86a19b7c"
- description = "Geacon is a Cobalt Strike beacon"
+ description = "Geacon is a Cobalt Strike beacon"
+ hash_2023_Downloads_21b3 = "21b3e304db526e2c80df1f2da2f69ab130bdad053cb6df1e05eb487a86a19b7c"
 strings:
 $geacon_coded = "geacon coded"
 $geacon = "geacon/"
@@ -12,4 +13,4 @@ rule c2_geacon_cobalt_strike : critical {
 $fake_ie = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
 condition:
 filesize < 20971520 and 2 of them
-}
\ No newline at end of file
+}
diff --git a/rules/tools/backdoor/havoc.yara b/rules/tools/backdoor/havoc.yara
index 01c1b5428..18442639f 100644
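Review bot: The hunk drops `hash_2023_hf_tar_diamorphine` (19bab…) and the second `hash_2023_LQvKibDTq4_diamorphine` value (d83f…) without replacement, so two reference samples disappear from the rule's metadata while `5d63…` is merely moved up. If the goal was to resolve the previously duplicated `hash_2023_LQvKibDTq4_diamorphine` key, renaming the second entry (e.g. `hash_2023_LQvKibDTq4_diamorphine_d83f = "d83f43f4…"`) keeps the sample reference; if those samples were removed from the corpus on purpose, a line in the commit message saying so would stop a later reviewer from re-adding them.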
--- a/rules/tools/backdoor/havoc.yara
+++ b/rules/tools/backdoor/havoc.yara
@@ -1,4 +1,4 @@
-rule havoc_c2_xor : suspicious {
+rule havoc_c2_xor : high {
 meta:
 description = "Havoc C2 implant"
 author = "Florian Roth"
diff --git a/rules/tools/backdoor/merlin.yara b/rules/tools/backdoor/merlin.yara
index a340e5aac..c377df41c 100644
--- a/rules/tools/backdoor/merlin.yara
+++ b/rules/tools/backdoor/merlin.yara
@@ -1,4 +1,4 @@
-rule merlin_c2 : suspicious {
+rule merlin_c2 : high {
 meta:
 description = "XOR'ed shellcode from Brute Ratel"
 author = "Florian Roth"
diff --git a/rules/tools/backdoor/silver.yara b/rules/tools/backdoor/silver.yara
index cf374d18b..417a9a076 100644
--- a/rules/tools/backdoor/silver.yara
+++ b/rules/tools/backdoor/silver.yara
@@ -1,6 +1,9 @@
+
 rule c2_implant_sliver_proto : critical {
 meta:
- description = "Sliver C2 implant"
+ description = "Sliver C2 implant"
+ hash_2023_Downloads_78eb = "78eb647f3d2aae5c52fcdc46ac1b27fb5a388ad39abbe614c0cfc902d223ccd6"
+ hash_2023_Covid_softwareupdated = "d9bba1cfca6b1d20355ce08eda37d6d0bca8cb8141073b699000d05025510dcc"
 strings:
 $sliverpb = "sliverpb"
 $bishopfox = "bishopfox"
@@ -13,7 +16,9 @@ rule c2_implant_sliver_proto : critical {
 rule c2_implant_sliver_functions : critical {
 meta:
- description = "Sliver C2 implant"
+ description = "Sliver C2 implant"
+ hash_2023_Downloads_78eb = "78eb647f3d2aae5c52fcdc46ac1b27fb5a388ad39abbe614c0cfc902d223ccd6"
+ hash_2023_Covid_softwareupdated = "d9bba1cfca6b1d20355ce08eda37d6d0bca8cb8141073b699000d05025510dcc"
 strings:
 $sliverpb = "GetImplantBuilds"
 $bishopfox = "GetBeaconJitter"
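Review bot: The context line `description = "XOR'ed shellcode from Brute Ratel"` in rules/tools/backdoor/merlin.yara is the text of `brute_ratel_c4` from the previous file, not a description of `merlin_c2`, and this hunk retags the rule without correcting it, so any report of a Merlin hit will display a Brute Ratel description. Change it to something like `description = "Merlin C2 agent"`; the strings that define what the rule actually matches sit outside this hunk, so the wording should follow them. The `merlin_c2` meta block continues past the end of the hunk.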
@@ -23,12 +28,13 @@ rule c2_implant_sliver_functions : critical {
 filesize < 20971520 and 2 of them
 }
-rule beaconjitter_xor : suspicious {
+rule beaconjitter_xor : high {
 meta:
- description = "Sliver C2 implant"
+ description = "Sliver C2 implant"
+ hash_2023_Downloads_78eb = "78eb647f3d2aae5c52fcdc46ac1b27fb5a388ad39abbe614c0cfc902d223ccd6"
+ hash_2023_Covid_softwareupdated = "d9bba1cfca6b1d20355ce08eda37d6d0bca8cb8141073b699000d05025510dcc"
 strings:
- // extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
- $ref = "BeaconJitter" xor
+ $ref = "BeaconJitter" xor
 condition:
- any of them
+ any of them
 }
diff --git a/rules/tools/net/nmap.yara b/rules/tools/net/nmap.yara
index ba3d79662..ca65e7859 100644
--- a/rules/tools/net/nmap.yara
+++ b/rules/tools/net/nmap.yara
@@ -1,7 +1,8 @@
-rule hacktool_nmap : notable {
+
+rule hacktool_nmap : medium {
 meta:
 hash_2023_Linux_Malware_Samples_1d28 = "1d2800352e15175ae5fa916b48a96b26f0199d9f8a9036648b3e44aa60ed2897"
- hash_2020_HackTool_Portscan = "5a628dc26dae0309941d70021cfbb4281189f85b074bf3e696058d73c4609101"
+ hash_2023_Linux_Malware_Samples_5a62 = "5a628dc26dae0309941d70021cfbb4281189f85b074bf3e696058d73c4609101"
 strings:
 $nmap_payload = "nmap-payload"
 condition:
diff --git a/rules/tools/net/venom.yara b/rules/tools/net/venom.yara
index cb38bab08..5fef1399c 100644
--- a/rules/tools/net/venom.yara
+++ b/rules/tools/net/venom.yara
@@ -1,11 +1,12 @@
 rule venom : critical {
- meta:
- description = "Uses Venom, a multi-hop proxy and RAT for penetration testers"
- strings:
- $ref1 = "/Venom/agent"
- $ref2 = "venom_agent"
- $ref3 = "Dliv3/Venom"
- condition:
- any of them
-}
\ No newline at end of file
+ meta:
+ description = "Uses Venom, a multi-hop proxy and RAT for penetration testers"
+ hash_2024_Downloads_e100 = "e100be934f676c64528b5e8a609c3fb5122b2db43b9aee3b2cf30052799a82da"
+ strings:
+ $ref1 = "/Venom/agent"
+ $ref2 = "venom_agent"
+ $ref3 = "Dliv3/Venom"
+ condition:
+ any of them
+}
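Review bot: After this hunk all three Sliver rules carry the identical `description = "Sliver C2 implant"`, so a `beaconjitter_xor` hit (a single XOR-encoded string, tagged `high`) is indistinguishable in output from the `critical` proto/function-name rules above it. A description naming what this rule keys on, e.g. `description = "Sliver C2 implant (XOR-encoded BeaconJitter string)"`, makes triage clearer, and if `high` rather than `critical` is deliberate because one xor'd string is weaker evidence, a one-line comment saying so would prevent a later "consistency" retag. The hunk also deletes the `// extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar` attribution; moving it to `ref = "https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar"` in meta keeps the provenance.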
diff --git a/rules/tools/pua/backtrack.yara b/rules/tools/pua/backtrack.yara
index 7988444ed..90ad0d6d4 100644
--- a/rules/tools/pua/backtrack.yara
+++ b/rules/tools/pua/backtrack.yara
@@ -1,7 +1,7 @@
+
 rule pua_backtrack_keylogger : malware trojan {
 meta:
- description = "Backtrack Keylogger"
- hash_2013_BackTrack = "1996ddc461861c59034fae84a4db45788d9f3b3e809389d36800d194dab138bd"
+ description = "Backtrack Keylogger"
 strings:
 $modesitt = "Modesitt Software"
 $modesitt_web = "www.modesittsoftware"
diff --git a/rules/tools/vulncheck/metasploit.yara b/rules/tools/vulncheck/metasploit.yara
index d19db2ace..c09f83485 100644
--- a/rules/tools/vulncheck/metasploit.yara
+++ b/rules/tools/vulncheck/metasploit.yara
@@ -1,7 +1,8 @@
+
 rule metasploit_payload : critical {
 meta:
- hash_2012_getshell_siggen = "4863d9a15f3a1ed5dd1f84cf9883eafb6bf2b483c2c6032cfbf0d3caf3cf6dd8"
- description = "Metasploit shellcode (msfpayload)"
+ description = "Metasploit shellcode (msfpayload)"
+ hash_2013_GetShell = "4863d9a15f3a1ed5dd1f84cf9883eafb6bf2b483c2c6032cfbf0d3caf3cf6dd8"
 strings:
 $msfpayload = "msfpayload"
 $metasploit = "http://www.metasploit.com"
@@ -13,12 +14,11 @@ rule metasploit_payload : critical {
 rule meterpreter : scritical windows {
 meta:
- description = "extensible payload for DLL injection and remote access"
- ref = "https://www.offsec.com/metasploit-unleashed/about-meterpreter/"
+ description = "extensible payload for DLL injection and remote access"
+ ref = "https://www.offsec.com/metasploit-unleashed/about-meterpreter/"
 author = "Florian Roth"
 strings:
- // extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
- $ref = "/meterpreter/" ascii xor
+ $ref = "/meterpreter/" ascii xor
 condition:
 any of them
 }
diff --git a/rules/tty/open.yara b/rules/tty/open.yara
index 1891b3e48..d933914d3 100644
--- a/rules/tty/open.yara
+++ b/rules/tty/open.yara
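Review bot: The hunk removes `hash_2013_BackTrack` (1996ddc4…), which was the only sample reference on `pua_backtrack_keylogger`, and the rule keeps the `malware trojan` tags while every other rule touched in this commit moves to the `medium`/`high`/`critical` vocabulary. If the sample was dropped deliberately that is fine, but without a severity tag this rule is invisible to anything that selects on severity; `rule pua_backtrack_keylogger : high malware trojan {` would keep the existing tags and add one. The strings block continues past the hunk.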
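Review bot: The context line `rule meterpreter : scritical windows {` carries a misspelled `scritical` tag that this hunk reformats around but does not fix; tags are free-form identifiers so YARA compiles it, but any consumer selecting on `critical` will never see this rule. Change it to `rule meterpreter : critical windows {`. The hunk also drops the `// extracted from https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar` comment above `$ref`; since the rule already has a `ref` key, a second `ref = "https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar"` entry (YARA accepts repeated meta identifiers) would preserve the attribution alongside `author`.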
@@ -1,10 +1,13 @@
-rule openpty : notable {
- meta:
- description = "finds and opens an available pseudoterminal"
- strings:
- $ref = "openpty" fullword
- $ref2 = "pty.Open"
- condition:
- any of them
+rule openpty : medium {
+ meta:
+ description = "finds and opens an available pseudoterminal"
+ hash_2024_Downloads_8cad = "8cad755bcf420135c0f406fb92138dcb0c1602bf72c15ed725bd3b76062dafe5"
+ hash_2023_Linux_Malware_Samples_14a3 = "14a33415e95d104cf5cf1acaff9586f78f7ec3ffb26efd0683c468edeaf98fd7"
+ hash_2023_Linux_Malware_Samples_6de1 = "6de1e587ac4aa49273042ffb3cdce5b92b86c31c9f85ca48dae8a38243515f75"
+ strings:
+ $ref = "openpty" fullword
+ $ref2 = "pty.Open"
+ condition:
+ any of them
 }
diff --git a/rules/tty/parameters-get.yara b/rules/tty/parameters-get.yara
index 283a91aa5..7fbf84a83 100644
--- a/rules/tty/parameters-get.yara
+++ b/rules/tty/parameters-get.yara
@@ -1,9 +1,13 @@
-rule tcgetattr : notable {
- meta:
- description = "get terminal parameters"
- strings:
- $ref = "tcgetaddr" fullword
- $ref2 = "cfgetospeed" fullword
- condition:
- any of them
+
+rule tcgetattr : medium {
+ meta:
+ description = "get terminal parameters"
+ hash_2023_Linux_Malware_Samples_3292 = "329255e33f43e6e9ae5d5efd6f5c5745c35a30d42fb5099beb51a6e40fe9bd76"
+ hash_2023_Linux_Malware_Samples_6de1 = "6de1e587ac4aa49273042ffb3cdce5b92b86c31c9f85ca48dae8a38243515f75"
+ hash_2023_Linux_Malware_Samples_ee22 = "ee22d8b31eecf2c7dd670dde075df199be44ef4f61eb869f943ede7f5c3d61cb"
+ strings:
+ $ref = "tcgetaddr" fullword
+ $ref2 = "cfgetospeed" fullword
+ condition:
+ any of them
 }
diff --git a/rules/tty/pathname.yara b/rules/tty/pathname.yara
index d810361cf..be2d79ab2 100644
--- a/rules/tty/pathname.yara
+++ b/rules/tty/pathname.yara
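Review bot: `$ref = "tcgetaddr" fullword` in rule `tcgetattr` is carried over unchanged, but the termios function is `tcgetattr`; `tcgetaddr` is not a libc symbol, so `$ref` can never match the call the rule is named for and in practice the rule fires only on `$ref2 = "cfgetospeed"`. Change it to `$ref = "tcgetattr" fullword`. The three hashes added here were presumably matched via `cfgetospeed`; re-running them after the fix is cheap, and the corrected string will likely widen the match set, which is worth knowing before keeping the rule at `medium`.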
@@ -1,9 +1,12 @@
-rule ttyname : notable {
- meta:
- description = "returns the pathname of a terminal device"
- strings:
- $ref = "ttyname" fullword
- condition:
- any of them
+rule ttyname : medium {
+ meta:
+ description = "returns the pathname of a terminal device"
+ hash_2024_Downloads_8cad = "8cad755bcf420135c0f406fb92138dcb0c1602bf72c15ed725bd3b76062dafe5"
+ hash_2023_Linux_Malware_Samples_00ae = "00ae07c9fe63b080181b8a6d59c6b3b6f9913938858829e5a42ab90fb72edf7a"
+ hash_2023_Linux_Malware_Samples_0ad6 = "0ad6c635d583de499148b1ec46d8b39ae2785303e8b81996d3e9e47934644e73"
+ strings:
+ $ref = "ttyname" fullword
+ condition:
+ any of them
 }
diff --git a/rules/ui/clipboard.yara b/rules/ui/clipboard.yara
index 3ea06a35b..a80f43cb9 100644
--- a/rules/ui/clipboard.yara
+++ b/rules/ui/clipboard.yara
@@ -1,13 +1,14 @@
-rule nspasteboard : notable macos {
+
+rule nspasteboard : medium macos {
 meta:
- ref = "https://www.sentinelone.com/blog/session-cookies-keychains-ssh-keys-and-more-7-kinds-of-data-malware-steals-from-macos-users/"
- description = "access clipboard contents"
+ ref = "https://www.sentinelone.com/blog/session-cookies-keychains-ssh-keys-and-more-7-kinds-of-data-malware-steals-from-macos-users/"
+ description = "access clipboard contents"
+ hash_2024_2024_GitHub_Clipper_main = "7faf316a313de14a734b784e6d2ab53dfdf1ffaab4adbbbc46f4b236738d7d0d"
 strings:
- $pb1 = "NSPasteboard" fullword
- $pb2 = "pbpaste" fullword
-
- $lib = "golang.design/x/clipboard"
- $lib2 = "atotto/clipboard"
+ $pb1 = "NSPasteboard" fullword
+ $pb2 = "pbpaste" fullword
+ $lib = "golang.design/x/clipboard"
+ $lib2 = "atotto/clipboard"
 condition:
- all of ($pb*) or any of ($lib*)
+ all of ($pb*) or any of ($lib*)
 }
diff --git a/rules/ui/control.yara b/rules/ui/control.yara
index b06cf40eb..bf6bb9005 100644
--- a/rules/ui/control.yara
+++ b/rules/ui/control.yara
@@ -1,16 +1,15 @@
-rule tell_app_system_events : notable {
+
+rule tell_app_system_events : medium {
 meta:
- hash_2011_merin_kcd = "1ae8945732fa3aa6c59220a5b18abeb4e6a0f723c3bb0d3dbae3ad7c64541be1"
- hash_2017_AptorDoc_Dok_AppStore = "4131d4737fe8dfe66d407bfd0a0df18a4a77b89347471cc012da8efc93c661a5"
- hash_2017_AptorDoc_Bella_AppStore = "4131d4737fe8dfe66d407bfd0a0df18a4a77b89347471cc012da8efc93c661a5"
- hash_2012_PUP_MiceLoot = "ff30a2860eab4705ff547d23ae6c342b8f5c4115b46b7a94495ac9cd2ea13313"
+ hash_2011_bin_kcd = "1ae8945732fa3aa6c59220a5b18abeb4e6a0f723c3bb0d3dbae3ad7c64541be1"
+ hash_2017_MacOS_AppStore = "4131d4737fe8dfe66d407bfd0a0df18a4a77b89347471cc012da8efc93c661a5"
 hash_2017_MacOS_AppStore = "363d151d451a9687d5c0863933a15f7968d3d7018b26f6ba8df54dea9e2f635c"
 strings:
 $system_events = "tell application \"System Events\""
 $not_front = "set frontmost"
 $not_copyright = "Copyright"
 $not_voice = "VoiceOver"
- $not_current_screensaver = "start current screen saver"
+ $not_current_screensaver = "start current screen saver"
 condition:
 $system_events and none of ($not*)
 }
diff --git a/rules/ui/dock-hide.yara b/rules/ui/dock-hide.yara
index 3aac51f28..73e939ef2 100644
--- a/rules/ui/dock-hide.yara
+++ b/rules/ui/dock-hide.yara
@@ -1,4 +1,5 @@
-rule dock_hider {
+
+rule dock_hider : high {
 meta:
 hash_2016_MacOS_Mac_File_Opener = "ae00bcacc5947754b018b043d3fa746caca850fe0715d5ea47ba94df58171690"
 strings:
diff --git a/rules/ui/screen-capture.yara b/rules/ui/screen-capture.yara
index b1b0cafa8..faf221255 100644
--- a/rules/ui/screen-capture.yara
+++ b/rules/ui/screen-capture.yara
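Review bot: After this hunk `tell_app_system_events` has two meta entries named `hash_2017_MacOS_AppStore` — the added `4131d473…` line and the context `363d151d…` line. YARA compiles repeated meta identifiers, but consumers that expose meta as a map (yara-python's `rule.meta` dict, for instance) keep only one value, so one sample reference silently disappears from tooling. Suggest the `_<hashprefix>` suffix convention this commit uses elsewhere: `hash_2017_MacOS_AppStore_4131 = "4131d473…"` and `hash_2017_MacOS_AppStore_363d = "363d151d…"`. The hunk also drops `hash_2012_PUP_MiceLoot` with no replacement; if that sample was retired on purpose, fine, otherwise it is a lost reference.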
@@ -1,12 +1,9 @@
-rule macos_screencapture_caller : suspicious {
+
+rule macos_screencapture_caller : high {
 meta:
- hash_2019_Macma_AgentB = "9b71fad3280cf36501fe110e022845b29c1fb1343d5250769eada7c36bc45f70"
- hash_2021_Macma_CDDS_UserAgent = "d599d7814adbab0f1442f5a10074e00f3a776ce183ea924abcd6154f0d068bb4"
- hash_2017_Perl_FruitFly_A = "205f5052dc900fc4010392a96574aed5638acf51b7ec792033998e4043efdf6c"
- hash_2017_Perl_FruitFly_quimitchin = "ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044"
- hash_2017_Perl_FruitFly_spaud = "befa9bfe488244c64db096522b4fad73fc01ea8c4cd0323f1cbdee81ba008271"
+ hash_2021_CDDS_UserAgent_v2019 = "9b71fad3280cf36501fe110e022845b29c1fb1343d5250769eada7c36bc45f70"
+ hash_2021_CDDS_UserAgent_v2021 = "d599d7814adbab0f1442f5a10074e00f3a776ce183ea924abcd6154f0d068bb4"
 hash_2021_CDDS_client = "623f99cbe20af8b79cbfea7f485d47d3462d927153d24cac4745d7043c15619a"
- hash_2021_MacMa_qmfus = "cf5edcff4053e29cb236d3ed1fe06ca93ae6f64f26e25117d68ee130b9bc60c8"
 strings:
 $screencap = "screencapture"
 $not_program = "@(#)PROGRAM:"
@@ -18,18 +15,13 @@ rule macos_screencapture_caller : suspicious {
 $screencap and none of ($not_*)
 }
-
 rule macos_screen_capture {
- meta:
- hash_2021_CDDS_arch = "a63466d09c3a6a2596a98de36083b6d268f393a27f7b781e52eeb98ae055af97"
- hash_2021_CDDS_client = "623f99cbe20af8b79cbfea7f485d47d3462d927153d24cac4745d7043c15619a"
- hash_2021_MacMa_qmfus = "cf5edcff4053e29cb236d3ed1fe06ca93ae6f64f26e25117d68ee130b9bc60c8"
 strings:
 $capture_screen = "captureScreen"
 $cg_window = "CGWindowListCreateImageFromArray"
 $not_private = "/System/Library/PrivateFrameworks"
 $not_nuclei = "projectdiscovery"
- $not_microsoft = "Microsoft Corporation"
+ $not_microsoft = "Microsoft Corporation"
 condition:
 1 of ($c*) and none of ($not*)
 }
diff --git a/rules/ui/screensaver.yara b/rules/ui/screensaver.yara
index e6e38d486..56dc0f9c2 100644
--- a/rules/ui/screensaver.yara
+++ b/rules/ui/screensaver.yara
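Review bot: This hunk deletes the entire `meta:` block of `macos_screen_capture` — three sample hashes, including `hash_2021_CDDS_client`, which the sibling rule above still keeps — and leaves the rule with neither a description nor a severity tag, while `macos_screencapture_caller` in the same file is promoted to `high`. A rule with no `description` yields a bare name in reports and no tag means it is skipped by severity filters. Suggest `rule macos_screen_capture : high {` followed by `meta:` and `description = "captures screen contents via captureScreen / CGWindowListCreateImageFromArray"`, and keeping at least `hash_2021_CDDS_client` so the rule still points at a known true positive.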
@@ -1,7 +1,8 @@
-rule macos_screensaver_engine_ref : notable {
+
+rule macos_screensaver_engine_ref : medium {
 meta:
- hash_2022_CloudMensis_WindowServer_2 = "b8a61adccefb13b7058e47edcd10a127c483403cf38f7ece126954e95e86f2bd"
 hash_2022_CloudMensis_WindowServer = "317ce26cae14dc9a5e4d4667f00fee771b4543e91c944580bbb136e7fe339427"
+ hash_2022_CloudMensis_WindowServer_2 = "b8a61adccefb13b7058e47edcd10a127c483403cf38f7ece126954e95e86f2bd"
 strings:
 $pgrep = "ScreenSaverEngine"
 $not_synergy = "_SYNERGY"
diff --git a/rules/ui/window-watcher.yara b/rules/ui/window-watcher.yara
index 2d51d7413..8b26166fc 100644
--- a/rules/ui/window-watcher.yara
+++ b/rules/ui/window-watcher.yara
@@ -1,8 +1,9 @@
-rule macos_window_watcher {
+
+rule macos_window_watcher : high {
 meta:
- hash_2023_trojan_JokerSpy_Python_xcc_3 = "6d3eff4e029db9d7b8dc076cfed5e2315fd54cb1ff9c6533954569f9e2397d4c"
- hash_2023_trojan_JokerSpy_Python_xcc_2 = "951039bf66cdf436c240ef206ef7356b1f6c8fffc6cbe55286ec2792bf7fe16c"
- hash_2023_trojan_JokerSpy_Python_xcc = "d895075057e491b34b0f8c0392b44e43ade425d19eaaacea6ef8c5c9bd3487d8"
+ hash_2023_JokerSpy_xcc = "d895075057e491b34b0f8c0392b44e43ade425d19eaaacea6ef8c5c9bd3487d8"
+ hash_2023_JokerSpy_xcc_2 = "951039bf66cdf436c240ef206ef7356b1f6c8fffc6cbe55286ec2792bf7fe16c"
+ hash_2023_JokerSpy_xcc_3 = "6d3eff4e029db9d7b8dc076cfed5e2315fd54cb1ff9c6533954569f9e2397d4c"
 strings:
 $w_cglocked = "CGSSessionScreenIsLocked"
 $w_idle = "HIDIdleTime"
diff --git a/rules/ui/x11-auth.yara b/rules/ui/x11-auth.yara
index 3f5a10f14..a3ece386f 100644
--- a/rules/ui/x11-auth.yara
+++ b/rules/ui/x11-auth.yara
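Review bot: `macos_window_watcher` is promoted to `high` here but its meta still has no `description`, so the only context a hit gives an analyst is the rule name. Based on the strings visible in the hunk (`CGSSessionScreenIsLocked`, `HIDIdleTime`) something like `description = "checks whether the screen is locked and how long the user has been idle"` would say what it keys on; the strings block continues past the hunk, so adjust the wording if the remaining `$w_*` strings cover more than that.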
@@ -1,11 +1,14 @@
-rule x11_refs {
- meta:
- description = "X Window System client authentication"
- ref = "https://en.wikipedia.org/wiki/X_Window_authorization"
- strings:
- $cookie = "MIT-MAGIC-COOKIE-1" fullword
- $xauth = "xauth" fullword
- condition:
- any of them
-}
\ No newline at end of file
+rule x11_refs : notable {
+ meta:
+ description = "X Window System client authentication"
+ ref = "https://en.wikipedia.org/wiki/X_Window_authorization"
+ hash_2023_Linux_Malware_Samples_4259 = "4259f2da90bf344092abc071f376753adaf077e13aeed684a7a3c2950ec82f69"
+ hash_2023_Linux_Malware_Samples_6de1 = "6de1e587ac4aa49273042ffb3cdce5b92b86c31c9f85ca48dae8a38243515f75"
+ hash_2023_Linux_Malware_Samples_d2ff = "d2fff992e40ce18ff81b9a92fa1cb93a56fb5a82c1cc428204552d8dfa1bc04f"
+ strings:
+ $cookie = "MIT-MAGIC-COOKIE-1" fullword
+ $xauth = "xauth" fullword
+ condition:
+ any of them
+}
diff --git a/samples/macOS/2024.LightSpy/dropper.simple b/samples/macOS/2024.LightSpy/dropper.simple
index 3739ac71d..3d0821ac8 100644
--- a/samples/macOS/2024.LightSpy/dropper.simple
+++ b/samples/macOS/2024.LightSpy/dropper.simple
@@ -1,5 +1,6 @@
 # macOS/2024.LightSpy/dropper
 3P/huntress/lightspy/loader
+combo/dropper/cocoa_bundle
 combo/recon/system_network
 crypto/aes
 crypto/xor
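Review bot: The new header `rule x11_refs : notable {` introduces the `notable` tag that every other hunk in this commit replaces with `medium` (`openpty`, `tcgetattr`, `ttyname`, `hacktool_nmap`, `nspasteboard`, `macos_screensaver_engine_ref`), so this rule lands in the bucket the commit is retiring and will be missed by anything keyed on the new vocabulary. Change it to `rule x11_refs : medium {`. Separately, `$xauth = "xauth" fullword` fires on any binary that merely names the xauth utility; that is acceptable at `medium`, but a short comment noting that `$cookie` is the credential-access indicator and `$xauth` is the weaker one would help whoever later tunes false positives.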