LFBernardo/iddqd.yar

## iddqd.yar
/*
      _____        __  __  ___        __
     / ___/__  ___/ / /  |/  /__  ___/ /__
    / (_ / _ \/ _  / / /|_/ / _ \/ _  / -_)
    \___/\___/\_,_/_/_/__/_/\___/\_,_/\__/
     \ \/ / _ | / _ \/ _ |   / _ \__ __/ /__
      \  / __ |/ , _/ __ |  / , _/ // / / -_)
      /_/_/ |_/_/|_/_/ |_| /_/|_|\_,_/_/\__/
      Florian Roth - v0.2 May 2019

      A proof-of-concept rule that shows how easy it actually is to detect red teamer
      and threat group tools and code
*/

rule IDDQD_Godmode_Rule {
   meta:
      description = "This is the most powerful YARA rule. It detects literally everything."
      author = "Florian Roth"
      reference = "Internal Research - find a Godmode rule set in Valhalla by Nextron Systems"
      date = "2019-05-14"
      score = 60
   strings:
      $ = "sekurlsa::logonpasswords" ascii wide nocase      /* Mimikatz Command */
      $ = "ERROR kuhl" wide                                 /* Mimikatz Error */
      $ = "@subtee" fullword ascii                          /* Red Team Tools */
      $ = " -w hidden " ascii wide                          /* Power Shell Params */
      $ = " -decode " ascii wide                            /* certutil command */
      $ = "Koadic." ascii                                   /* Koadic Framework */
      $ = "ReflectiveLoader" fullword ascii wide            /* Generic - Common Export Name */
      $ = "InjectDLL" fullword ascii wide                   /* DLL Injection Keyword */
      $ = "[System.Convert]::FromBase64String(" ascii wide  /* PowerShell - Base64 Encoded Payload */
      $ = /\\(Release|Debug)\\ms1[2-9]/ ascii               /* Exploit Codes / PoCs */
      $ = "windows/meterpreter" ascii                       /* Metasploit Framework - Meterpreter */
      $ = / (-e |-enc |'|")(JAB|SUVYI|aWV4I|SQBFAFgA|aQBlAHgA)/ ascii wide  /* PowerShell Encoded Code */
      $ = /  (sEt|SEt|SeT|sET|seT)  / ascii wide            /* Casing Obfuscation */
      $ = ");iex " nocase ascii wide                        /* PowerShell - compact code */
      $ = / (cMd\.|cmD\.|CmD\.|cMD\.)/ ascii wide           /* Casing Obfuscation */
      $ = /(TW96aWxsYS|1vemlsbGEv|Nb3ppbGxhL|TQBvAHoAaQBsAGwAYQAv|0AbwB6AGkAbABsAGEAL|BNAG8AegBpAGwAbABhAC)/ ascii wide /* Base64 Encoded UA */
      $ = "Nir Sofer" fullword wide                         /* Hack Tool Producer */
      $ = "Web Shell By " nocase ascii                      /* Web Shell Copyright */
      $ = "impacket." ascii                                 /* Impacket Library */
      $ = /\[[\+\-!E]\] (exploit|target|vulnerab|shell|inject|dump)/ nocase  /* Hack Tool Output Pattern */
      $ = "ecalper" fullword ascii wide                     /* Reversed String - often found in scripts or web shells */
      $ = "0000FEEDACDC}" ascii wide                        /* Squiblydoo - Class ID */
      $ = /(click enable editing|click enable content|"Enable Editing"|"Enable Content")/ ascii  /* Phishing Docs */
      $ = "vssadmin delete shadows"                         /* Shadow Copy Deletion - often used in Ransomware */
      $ = "stratum+tcp://"                                  /* Stratum Address - used in Crypto Miners */
      $ = ".onion" ascii wide                               /* Onion Address - Tor Network */
   condition:
      1 of them
}
	/*
	_____ __ __ ___ __
	/ ___/__ ___/ / / \|/ /__ ___/ /__
	/ (_ / _ \/ _ / / /\|_/ / _ \/ _ / -_)
	\___/\___/\_,_/_/_/__/_/\___/\_,_/\__/
	\ \/ / _ \| / _ \/ _ \| / _ \__ __/ /__
	\ / __ \|/ , _/ __ \| / , _/ // / / -_)
	/_/_/ \|_/_/\|_/_/ \|_\| /_/\|_\|\_,_/_/\__/
	Florian Roth - v0.2 May 2019

	A proof-of-concept rule that shows how easy it actually is to detect red teamer
	and threat group tools and code
	*/

	rule IDDQD_Godmode_Rule {
	meta:
	description = "This is the most powerful YARA rule. It detects literally everything."
	author = "Florian Roth"
	reference = "Internal Research - find a Godmode rule set in Valhalla by Nextron Systems"
	date = "2019-05-14"
	score = 60
	strings:
	$ = "sekurlsa::logonpasswords" ascii wide nocase /* Mimikatz Command */
	$ = "ERROR kuhl" wide /* Mimikatz Error */
	$ = "@subtee" fullword ascii /* Red Team Tools */
	$ = " -w hidden " ascii wide /* Power Shell Params */
	$ = " -decode " ascii wide /* certutil command */
	$ = "Koadic." ascii /* Koadic Framework */
	$ = "ReflectiveLoader" fullword ascii wide /* Generic - Common Export Name */
	$ = "InjectDLL" fullword ascii wide /* DLL Injection Keyword */
	$ = "[System.Convert]::FromBase64String(" ascii wide /* PowerShell - Base64 Encoded Payload */
	$ = /\\(Release\|Debug)\\ms1[2-9]/ ascii /* Exploit Codes / PoCs */
	$ = "windows/meterpreter" ascii /* Metasploit Framework - Meterpreter */
	$ = / (-e \|-enc \|'\|")(JAB\|SUVYI\|aWV4I\|SQBFAFgA\|aQBlAHgA)/ ascii wide /* PowerShell Encoded Code */
	$ = / (sEt\|SEt\|SeT\|sET\|seT) / ascii wide /* Casing Obfuscation */
	$ = ");iex " nocase ascii wide /* PowerShell - compact code */
	$ = / (cMd\.\|cmD\.\|CmD\.\|cMD\.)/ ascii wide /* Casing Obfuscation */
	$ = /(TW96aWxsYS\|1vemlsbGEv\|Nb3ppbGxhL\|TQBvAHoAaQBsAGwAYQAv\|0AbwB6AGkAbABsAGEAL\|BNAG8AegBpAGwAbABhAC)/ ascii wide /* Base64 Encoded UA */
	$ = "Nir Sofer" fullword wide /* Hack Tool Producer */
	$ = "Web Shell By " nocase ascii /* Web Shell Copyright */
	$ = "impacket." ascii /* Impacket Library */
	$ = /\[[\+\-!E]\] (exploit\|target\|vulnerab\|shell\|inject\|dump)/ nocase /* Hack Tool Output Pattern */
	$ = "ecalper" fullword ascii wide /* Reversed String - often found in scripts or web shells */
	$ = "0000FEEDACDC}" ascii wide /* Squiblydoo - Class ID */
	$ = /(click enable editing\|click enable content\|"Enable Editing"\|"Enable Content")/ ascii /* Phishing Docs */
	$ = "vssadmin delete shadows" /* Shadow Copy Deletion - often used in Ransomware */
	$ = "stratum+tcp://" /* Stratum Address - used in Crypto Miners */
	$ = ".onion" ascii wide /* Onion Address - Tor Network */
	condition:
	1 of them
	}