ashr/iddqd.yar

## iddqd.yar
/*
      _____        __  __  ___        __
     / ___/__  ___/ / /  |/  /__  ___/ /__
    / (_ / _ \/ _  / / /|_/ / _ \/ _  / -_)
    \___/\___/\_,_/_/_/__/_/\___/\_,_/\__/
     \ \/ / _ | / _ \/ _ |   / _ \__ __/ /__
      \  / __ |/ , _/ __ |  / , _/ // / / -_)
      /_/_/ |_/_/|_/_/ |_| /_/|_|\_,_/_/\__/

      Florian Roth - v0.1 May 2019
*/

rule IDDQD_Godmode_Rule {
   meta:
      description = "This is the most powerful YARA rule. It detects literally everything."
      author = "Florian Roth"
      reference = "Internal Research - find a Godmode rule set in Valhalla by Nextron Systems"
      date = "2019-05-13"
      score = 60
   strings:
      $ = "sekurlsa::logonpasswords" ascii wide nocase
      $ = "ERROR kuhl" wide
      $ = "@subtee" fullword ascii
      $ = " -w hidden " ascii wide
      $ = " -decode " ascii wide
      $ = "Koadic." ascii
      $ = "ReflectiveLoader" fullword ascii wide
      $ = "InjectDLL" fullword ascii wide
      $ = "[System.Convert]::FromBase64String(" ascii wide
      $ = /\\(Release|Debugger)\\ms1[2-9]/ ascii
      $ = "windows/meterpreter" ascii
      $ = / (-e |-enc |'|")(JAB|SUVYI|aWV4I|SQBFAFgA|aQBlAHgA)/ ascii wide
      $ = /  (sEt|SEt|SeT|sET|seT)  / ascii wide
      $ = ");iex " nocase ascii wide
      $ = / (cMd\.|cmD\.|CmD\.|cMD\.)/ ascii wide
      $ = /(TW96aWxsYS|1vemlsbGEv|Nb3ppbGxhL|TQBvAHoAaQBsAGwAYQAv|0AbwB6AGkAbABsAGEAL|BNAG8AegBpAGwAbABhAC)/ ascii wide
      $ = "Nir Sofer" fullword wide
      $ = "Web Shell By " nocase ascii
      $ = "impacket." ascii
      $ = /\[[\+\-!E]\] (exploit|target|vulnerab|shell|inject|dump)/ nocase
      $ = "ecalper" fullword ascii wide
      $ = "0000FEEDACDC}" ascii wide
      $ = /(click enable editing|click enable content|"Enable Editing"|"Enable Content")/ ascii
      $ = "vssadmin delete shadows"
      $ = "stratum+tcp://"
      $ = ".onion" ascii wide
   condition:
      1 of them
}
	/*
	_____ __ __ ___ __
	/ ___/__ ___/ / / \|/ /__ ___/ /__
	/ (_ / _ \/ _ / / /\|_/ / _ \/ _ / -_)
	\___/\___/\_,_/_/_/__/_/\___/\_,_/\__/
	\ \/ / _ \| / _ \/ _ \| / _ \__ __/ /__
	\ / __ \|/ , _/ __ \| / , _/ // / / -_)
	/_/_/ \|_/_/\|_/_/ \|_\| /_/\|_\|\_,_/_/\__/

	Florian Roth - v0.1 May 2019
	*/

	rule IDDQD_Godmode_Rule {
	meta:
	description = "This is the most powerful YARA rule. It detects literally everything."
	author = "Florian Roth"
	reference = "Internal Research - find a Godmode rule set in Valhalla by Nextron Systems"
	date = "2019-05-13"
	score = 60
	strings:
	$ = "sekurlsa::logonpasswords" ascii wide nocase
	$ = "ERROR kuhl" wide
	$ = "@subtee" fullword ascii
	$ = " -w hidden " ascii wide
	$ = " -decode " ascii wide
	$ = "Koadic." ascii
	$ = "ReflectiveLoader" fullword ascii wide
	$ = "InjectDLL" fullword ascii wide
	$ = "[System.Convert]::FromBase64String(" ascii wide
	$ = /\\(Release\|Debugger)\\ms1[2-9]/ ascii
	$ = "windows/meterpreter" ascii
	$ = / (-e \|-enc \|'\|")(JAB\|SUVYI\|aWV4I\|SQBFAFgA\|aQBlAHgA)/ ascii wide
	$ = / (sEt\|SEt\|SeT\|sET\|seT) / ascii wide
	$ = ");iex " nocase ascii wide
	$ = / (cMd\.\|cmD\.\|CmD\.\|cMD\.)/ ascii wide
	$ = /(TW96aWxsYS\|1vemlsbGEv\|Nb3ppbGxhL\|TQBvAHoAaQBsAGwAYQAv\|0AbwB6AGkAbABsAGEAL\|BNAG8AegBpAGwAbABhAC)/ ascii wide
	$ = "Nir Sofer" fullword wide
	$ = "Web Shell By " nocase ascii
	$ = "impacket." ascii
	$ = /\[[\+\-!E]\] (exploit\|target\|vulnerab\|shell\|inject\|dump)/ nocase
	$ = "ecalper" fullword ascii wide
	$ = "0000FEEDACDC}" ascii wide
	$ = /(click enable editing\|click enable content\|"Enable Editing"\|"Enable Content")/ ascii
	$ = "vssadmin delete shadows"
	$ = "stratum+tcp://"
	$ = ".onion" ascii wide
	condition:
	1 of them
	}