IDDQD - Godmode YARA Rule
/*
_____ __ __ ___ __
/ ___/__ ___/ / / |/ /__ ___/ /__
/ (_ / _ \/ _ / / /|_/ / _ \/ _ / -_)
\___/\___/\_,_/_/_/__/_/\___/\_,_/\__/
\ \/ / _ | / _ \/ _ | / _ \__ __/ /__
\ / __ |/ , _/ __ | / , _/ // / / -_)
/_/_/ |_/_/|_/_/ |_| /_/|_|\_,_/_/\__/
Florian Roth - v0.2 May 2019
A proof-of-concept rule that shows how easy it actually is to detect red teamer
and threat group tools and code
*/

/*
 * How this rule is put together (for readers new to YARA):
 *  - `meta:` entries are informational only and never influence matching.
 *    `score` is a weighting convention used by Nextron tooling (THOR/Valhalla),
 *    not a YARA keyword.
 *  - Every string is anonymous (`$ =`), so the condition can only refer to
 *    them collectively through `them`.
 *  - Modifiers: `ascii` matches the one-byte encoding, `wide` the UTF-16LE
 *    encoding, `nocase` makes the match case-insensitive, `fullword` requires
 *    a non-alphanumeric character on both sides. A string with no encoding
 *    modifier (the vssadmin, stratum and hack-tool-output entries below) is
 *    matched as `ascii` only.
 *  - `1 of them`: one hit on any single string is enough to fire. Several
 *    atoms are short or generic (" -decode ", " -w hidden ", ".onion"), so on a
 *    broad corpus this rule will produce false positives - as the description
 *    and banner say, it is a demonstration of how cheaply tooling can be
 *    spotted, not a production-tuned detection.
 *  - NOTE(review): the regexes that begin with a space or a short alternation
 *    have weak atoms; YARA will likely emit its "may slow down scanning"
 *    warning for them at compile time.
 */
rule IDDQD_Godmode_Rule {
    meta:
        description = "This is the most powerful YARA rule. It detects literally everything."
        author = "Florian Roth"
        reference = "Internal Research - find a Godmode rule set in Valhalla by Nextron Systems"
        date = "2019-05-14"
        score = 60
    strings:
        // Credential-dumping tooling: module command and an error-message fragment.
        $ = "sekurlsa::logonpasswords" ascii wide nocase /* Mimikatz Command */
        $ = "ERROR kuhl" wide /* Mimikatz Error */
        $ = "@subtee" fullword ascii /* Red Team Tools */
        // Living-off-the-land command-line fragments; both are generic and the
        // main source of benign hits.
        $ = " -w hidden " ascii wide /* Power Shell Params */
        $ = " -decode " ascii wide /* certutil command */
        $ = "Koadic." ascii /* Koadic Framework */
        // Names commonly exported/used by in-memory loaders.
        $ = "ReflectiveLoader" fullword ascii wide /* Generic - Common Export Name */
        $ = "InjectDLL" fullword ascii wide /* DLL Injection Keyword */
        $ = "[System.Convert]::FromBase64String(" ascii wide /* PowerShell - Base64 Encoded Payload */
        // Build-output path of Visual Studio projects named after MS12..MS19 bulletins.
        $ = /\\(Release|Debug)\\ms1[2-9]/ ascii /* Exploit Codes / PoCs */
        $ = "windows/meterpreter" ascii /* Metasploit Framework - Meterpreter */
        // After an -e/-enc flag or a quote: base64 prefixes of "$" (UTF-16LE),
        // "IEX " / "iex " (ASCII) and "IEX" / "iex" (UTF-16LE).
        $ = / (-e |-enc |'|")(JAB|SUVYI|aWV4I|SQBFAFgA|aQBlAHgA)/ ascii wide /* PowerShell Encoded Code */
        // Only the listed mixed-case spellings match; plain "set"/"SET" do not.
        $ = / (sEt|SEt|SeT|sET|seT) / ascii wide /* Casing Obfuscation */
        $ = ");iex " nocase ascii wide /* PowerShell - compact code */
        // Same approach for "cmd." - a fixed set of mixed-case forms, not all casings.
        $ = / (cMd\.|cmD\.|CmD\.|cMD\.)/ ascii wide /* Casing Obfuscation */
        // The three base64 alignments of "Mozilla/" in ASCII, then in UTF-16LE.
        $ = /(TW96aWxsYS|1vemlsbGEv|Nb3ppbGxhL|TQBvAHoAaQBsAGwAYQAv|0AbwB6AGkAbABsAGEAL|BNAG8AegBpAGwAbABhAC)/ ascii wide /* Base64 Encoded UA */
        $ = "Nir Sofer" fullword wide /* Hack Tool Producer */
        $ = "Web Shell By " nocase ascii /* Web Shell Copyright */
        $ = "impacket." ascii /* Impacket Library */
        // Console-output prefixes like "[+] " / "[!] " followed by a tool-ish verb;
        // no encoding modifier, so ascii only.
        $ = /\[[\+\-!E]\] (exploit|target|vulnerab|shell|inject|dump)/ nocase /* Hack Tool Output Pattern */
        // "replace" backwards - a common string-reversal obfuscation artefact.
        $ = "ecalper" fullword ascii wide /* Reversed String - often found in scripts or web shells */
        $ = "0000FEEDACDC}" ascii wide /* Squiblydoo - Class ID */
        $ = /(click enable editing|click enable content|"Enable Editing"|"Enable Content")/ ascii /* Phishing Docs */
        $ = "vssadmin delete shadows" /* Shadow Copy Deletion - often used in Ransomware */
        $ = "stratum+tcp://" /* Stratum Address - used in Crypto Miners */
        $ = ".onion" ascii wide /* Onion Address - Tor Network */
    condition:
        // Any single string above is sufficient; there is no scoring or
        // combination logic at the condition level.
        1 of them
}