Matt Suiche msuiche

## EternalBlue-SmbHandler.asm
Thanks to https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html#pulsar_step5 for the description

kd> dps srv!SrvTransaction2DispatchTable
91463530  9148b56f srv!SrvSmbOpen2
91463534  91485fe4 srv!SrvSmbFindFirst2
91463538  9148606d srv!SrvSmbFindNext2
9146353c  91488a89 srv!SrvSmbQueryFsInformation
91463540  914892f3 srv!SrvSmbSetFsInformation
91463544  9147ff65 srv!SrvSmbQueryPathInformation
91463548  91480c74 srv!SrvSmbSetPathInformation

## ruleMOVEit.yara
rule MOVEit_Transfer_exploit_webshell_memory {
    meta:
        date = "2023-06-15"
        description = "Hunts for memory IOCs MOVEit Transfer exploitation."
        author = "Matt Suiche - Magnet Forensics"
        reference1 = "https://www.reddit.com/r/msp/comments/13xjs1y/tracking_emerging_moveit_transfer_critical/"
        reference2 = "https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/"
        reference3 = "https://gist.github.com/JohnHammond/44ce8556f798b7f6a7574148b679c643"
        reference4 = "https://github.com/AhmetPayaslioglu/YaraRules/blob/main/MOVEit_Transfer_Critical_Vulnerability.yara"
        verdict = "dangerous"

## ruleAPTSnake.yar
/*
    Hunting Russian Intelligence “Snake” Malware

    The Snake implant is considered the most sophisticated cyber espionage tool designed and used by
    Center 16 of Russia’s Federal Security Service (FSB) for long-term intelligence collection on sensitive
    targets.
*/

rule Windows_Snake_Malware {
    meta:

## TrueBot_Domains_IOC.yara
rule TrueBot_Domains_IOC {
    meta:
        date = "2023-07-08"
        description = "Hunts for memory IOCs TRUEBOT."
        author = "Matt Suiche - Magnet Forensics"
        reference1 = "https://github.com/The-DFIR-Report/Yara-Rules/blob/main/21619/21619.yar"
        reference2 = "https://www.ic3.gov/Media/News/2023/230707.pdf"
        verdict = "dangerous"
        mitre = "T1082"
        platform = "windows"
	Thanks to https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html#pulsar_step5 for the description

	kd> dps srv!SrvTransaction2DispatchTable
	91463530 9148b56f srv!SrvSmbOpen2
	91463534 91485fe4 srv!SrvSmbFindFirst2
	91463538 9148606d srv!SrvSmbFindNext2
	9146353c 91488a89 srv!SrvSmbQueryFsInformation
	91463540 914892f3 srv!SrvSmbSetFsInformation
	91463544 9147ff65 srv!SrvSmbQueryPathInformation
	91463548 91480c74 srv!SrvSmbSetPathInformation
	rule MOVEit_Transfer_exploit_webshell_memory {
	meta:
	date = "2023-06-15"
	description = "Hunts for memory IOCs MOVEit Transfer exploitation."
	author = "Matt Suiche - Magnet Forensics"
	reference1 = "https://www.reddit.com/r/msp/comments/13xjs1y/tracking_emerging_moveit_transfer_critical/"
	reference2 = "https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/"
	reference3 = "https://gist.github.com/JohnHammond/44ce8556f798b7f6a7574148b679c643"
	reference4 = "https://github.com/AhmetPayaslioglu/YaraRules/blob/main/MOVEit_Transfer_Critical_Vulnerability.yara"
	verdict = "dangerous"
	/*
	Hunting Russian Intelligence “Snake” Malware

	The Snake implant is considered the most sophisticated cyber espionage tool designed and used by
	Center 16 of Russia’s Federal Security Service (FSB) for long-term intelligence collection on sensitive
	targets.
	*/

	rule Windows_Snake_Malware {
	meta:
	rule TrueBot_Domains_IOC {
	meta:
	date = "2023-07-08"
	description = "Hunts for memory IOCs TRUEBOT."
	author = "Matt Suiche - Magnet Forensics"
	reference1 = "https://github.com/The-DFIR-Report/Yara-Rules/blob/main/21619/21619.yar"
	reference2 = "https://www.ic3.gov/Media/News/2023/230707.pdf"
	verdict = "dangerous"
	mitre = "T1082"
	platform = "windows"