Florian Roth Neo23x0

## crime_petya_jun17.yar
I just pushed the rule to "signature-base"

https://github.com/Neo23x0/signature-base/blob/master/yara/crime_nopetya_jun17.yar

Some of the other rules are running in QS right now.
I'll update the 'crime_nopetya_jun17.yar' file frequently.

## ms_ts_anomaly.yar

rule Microsoft_PE_Timestamp_Copyright_Anomaly {
   meta:
      description = "Detects a portable executable with an old copyrigth statement but a new compilation timestamp"
      author = "Florian Roth"
      reference = "Internal Research"
      date = "2017-06-02"
      score = 30
   strings:
      $a1 = "Copyright (C) Microsoft Corp. 19" wide

## nmap-cmdline
# Scan for CVE-2017-0143 MS17-010
# The vulnerability used by WannaCry Ransomware
#
# 1. Use @calderpwn's script
#    http://seclists.org/nmap-dev/2017/q2/79
#
# 2. Save it to Nmap NSE script directory
#    Linux - /usr/share/nmap/scripts/ or /usr/local/share/nmap/scripts/
#    OSX - /opt/local/share/nmap/scripts/
#

## wannacry-vaccine.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskdl.exe]
"Debugger"="taskkill /F /IM "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskse.exe]
"Debugger"="taskkill /F /IM "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wannacry.exe]
"Debugger"="taskkill /F /IM "

## pulggable.patch
--- pluggable.php	2017-05-04 09:37:27.000000000 +0200
+++ pluggable_patched.php	2017-05-04 09:40:39.000000000 +0200
@@ -323,10 +323,7 @@

 	if ( !isset( $from_email ) ) {
 		// Get the site domain and get rid of www.
-		$sitename = strtolower( $_SERVER['SERVER_NAME'] );
-		if ( substr( $sitename, 0, 4 ) == 'www.' ) {
-			$sitename = substr( $sitename, 4 );
-		}

## annotations.xml
<?xml version="1.0" encoding="UTF-8"?>
<Annotations start="0" num="171" total="171">
  <Annotation about="www.bussink.net/*" timestamp="0x0005d7bc4022b026" href="ChF3d3cuYnVzc2luay5uZXQvKhCm4IqBxPf1Ag">
    <Label name="_cse_turlh5vi4xc"/>
    <AdditionalData attribute="original_url" value="https://www.bussink.net/"/>
  </Annotation>
  <Annotation about="*.thedfirreport.com/*" timestamp="0x0005d76dd5f8679d" href="ChUqLnRoZWRmaXJyZXBvcnQuY29tLyoQnc_hr93t9QI">
    <Label name="_cse_turlh5vi4xc"/>
    <AdditionalData attribute="original_url" value="https://thedfirreport.com/"/>
  </Annotation>

## detect-dirtycow.sh
#!/bin/bash
# - Matches on source and compiled code
# - Searches in user home directories by default
# - Detects certain strings in files smaller 300 kbyte
# - Does not print anything if nothing was found
# - Appends the file's time stamp of the files in question > good indicator to spot false positives
# - Should work on most Linux systems with bash
# Old version
# for f in $(find /home/ -type f -size -300 2> /dev/null); do if [[ $(strings -a "$f" 2> /dev/null | egrep "/proc/(self|%d)/(mem|maps)") != "" ]];then m=$(stat -c %y $f); echo "Contains DirtyCOW string: $f MOD_DATE: $m"; fi; done;
for f in $(find /home/ -type f -size -300 2> /dev/null); do if [[ $(egrep "/proc/(self|%d)/(mem|maps)" "$f") != "" ]];then m=$(stat -c %y "$f"); echo "Contains DirtyCOW string: $f MOD_DATE: $m"; fi; done;

## config-server.xml
<!--
   This is a Microsoft Sysmon configuation to be used on Windows server systems
   v0.2.1 December 2016
   Florian Roth

   The focus of this configuration is
   - hacking activity on servers / lateral movement (bad admin, attacker)
   It is not focussed on
   - malware detection (execution)
   - malware detection (network connections)

## config-client.xml
<!--
   This is a Microsoft Sysmon configuration to be used on Windows workstations
   v0.2.1 December 2016
   Florian Roth (with the help and ideas of others)

   The focus of this configuration is
   - malware detection (execution)
   - malware detection (network connections)
   - exploit detection
   It is not focussed on

## yara_performance_guidelines.md

      
        
          
            
              
              1 file
            
          
          
            
              
              26 forks
            
          
          
            
              
              1 comment
            
          
          
            
              
              118 stars
            
          
        
        
          
              
          
          
            
                Neo23x0
                / yara_performance_guidelines.md
            
            
              Last active
              April 30, 2024 10:39
            
              
                YARA Performance Guidelines
              
          
        
      
        
  
      
    This Gist has been transfered into a Github Repo.
You'll find the most recent version here.
YARA Performance Guidelines

When creating your rules for YARA keep in mind the following guidelines in order to get the best performance from them.
This guide is based on ideas and recommendations by Victor M. Alvarez and WXS.

Revision 1.4, October 2020, applies to all YARA versions higher than 3.7
	I just pushed the rule to "signature-base"

	https://github.com/Neo23x0/signature-base/blob/master/yara/crime_nopetya_jun17.yar

	Some of the other rules are running in QS right now.
	I'll update the 'crime_nopetya_jun17.yar' file frequently.

	rule Microsoft_PE_Timestamp_Copyright_Anomaly {
	meta:
	description = "Detects a portable executable with an old copyrigth statement but a new compilation timestamp"
	author = "Florian Roth"
	reference = "Internal Research"
	date = "2017-06-02"
	score = 30
	strings:
	$a1 = "Copyright (C) Microsoft Corp. 19" wide
	# Scan for CVE-2017-0143 MS17-010
	# The vulnerability used by WannaCry Ransomware
	#
	# 1. Use @calderpwn's script
	# http://seclists.org/nmap-dev/2017/q2/79
	#
	# 2. Save it to Nmap NSE script directory
	# Linux - /usr/share/nmap/scripts/ or /usr/local/share/nmap/scripts/
	# OSX - /opt/local/share/nmap/scripts/
	#
	Windows Registry Editor Version 5.00

	[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskdl.exe]
	"Debugger"="taskkill /F /IM "

	[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskse.exe]
	"Debugger"="taskkill /F /IM "

	[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wannacry.exe]
	"Debugger"="taskkill /F /IM "
	--- pluggable.php 2017-05-04 09:37:27.000000000 +0200
	+++ pluggable_patched.php 2017-05-04 09:40:39.000000000 +0200
	@@ -323,10 +323,7 @@

	if ( !isset( $from_email ) ) {
	// Get the site domain and get rid of www.
	- $sitename = strtolower( $_SERVER['SERVER_NAME'] );
	- if ( substr( $sitename, 0, 4 ) == 'www.' ) {
	- $sitename = substr( $sitename, 4 );
	- }
	<?xml version="1.0" encoding="UTF-8"?>
	<Annotations start="0" num="171" total="171">
	<Annotation about="www.bussink.net/*" timestamp="0x0005d7bc4022b026" href="ChF3d3cuYnVzc2luay5uZXQvKhCm4IqBxPf1Ag">
	<Label name="_cse_turlh5vi4xc"/>
	<AdditionalData attribute="original_url" value="https://www.bussink.net/"/>
	</Annotation>
	<Annotation about=".thedfirreport.com/" timestamp="0x0005d76dd5f8679d" href="ChUqLnRoZWRmaXJyZXBvcnQuY29tLyoQnc_hr93t9QI">
	<Label name="_cse_turlh5vi4xc"/>
	<AdditionalData attribute="original_url" value="https://thedfirreport.com/"/>
	</Annotation>
	#!/bin/bash
	# - Matches on source and compiled code
	# - Searches in user home directories by default
	# - Detects certain strings in files smaller 300 kbyte
	# - Does not print anything if nothing was found
	# - Appends the file's time stamp of the files in question > good indicator to spot false positives
	# - Should work on most Linux systems with bash
	# Old version
	# for f in $(find /home/ -type f -size -300 2> /dev/null); do if [[ $(strings -a "$f" 2> /dev/null \| egrep "/proc/(self\|%d)/(mem\|maps)") != "" ]];then m=$(stat -c %y $f); echo "Contains DirtyCOW string: $f MOD_DATE: $m"; fi; done;
	for f in $(find /home/ -type f -size -300 2> /dev/null); do if [[ $(egrep "/proc/(self\|%d)/(mem\|maps)" "$f") != "" ]];then m=$(stat -c %y "$f"); echo "Contains DirtyCOW string: $f MOD_DATE: $m"; fi; done;
	<!--
	This is a Microsoft Sysmon configuation to be used on Windows server systems
	v0.2.1 December 2016
	Florian Roth

	The focus of this configuration is
	- hacking activity on servers / lateral movement (bad admin, attacker)
	It is not focussed on
	- malware detection (execution)
	- malware detection (network connections)
	<!--
	This is a Microsoft Sysmon configuration to be used on Windows workstations
	v0.2.1 December 2016
	Florian Roth (with the help and ideas of others)

	The focus of this configuration is
	- malware detection (execution)
	- malware detection (network connections)
	- exploit detection
	It is not focussed on