Created
June 16, 2021 18:17
-
-
Save ajpc500/7b3f44e6cae093ace68396adb3f27bfa to your computer and use it in GitHub Desktop.
Yara rule to detect James Coote's (@jkcoote) SharpSphere tool, either on-disk or in-memory.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule SharpSphere { | |
| meta: | |
| description = "Strings in SharpSphere binary." | |
| author = "Alfie Champion (ajpc500)" | |
| date = "2021-06-12" | |
| strings: | |
| $s0 = "SharpSphere" ascii wide | |
| $s1 = "Upload file to target VM" ascii wide | |
| $s2 = "Download file from target VM" ascii wide | |
| $s3 = "[x] Attempting to execute with cmd /c the following command:" wide | |
| $s4 = "[x] Creating snapshot for VM" wide | |
| $s5 = "[x] Download complete, zipping up so it's easier to exfiltrate..." wide | |
| $s6 = "[x] Execution finished, attempting to retrieve the results" wide | |
| $s7 = "[x] Finding existing snapshots for" wide | |
| $s8 = "[x] Output file deleted" wide | |
| $s9 = "[x] Output:" wide | |
| $s10 = "[x] Process started with PID" wide | |
| $s11 = "[x] Snapshot created successfully" wide | |
| $s12 = "[x] Zipping complete, download " wide | |
| condition: | |
| all of them | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment