Daniel Stinson-Diess shellcromancer
💻
shellcromancer
/ mal_sysjoker_macOS.yara
Created
January 14, 2022 04:02
YARA rule to identify the SysJoker macOS backdoor.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule mal_sysjoker_macOS { | |
| meta: | |
| description = "Identify string artifacts from the SysJoker macOS backdoor." | |
| author = "@shellcromancer <root@shellcromancer.io>" | |
| version = "0.1" | |
| date = "2022-01-13" | |
| reference = "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/" | |
| reference = "https://objective-see.com/blog/blog_0x6C.html" | |
| sha256 = "1a9a5c797777f37463b44de2b49a7f95abca786db3977dcdac0f79da739c08ac" | |
| strings: |
shellcromancer
/ args_socket_tcpip.yara
Created
January 13, 2022 03:22
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule ARGS_socket_TCPIP { | |
| meta: | |
| author = "@notareverser" | |
| date = "2022-01-12" | |
| source = "https://twitter.com/notareverser/status/1481242024460312581" | |
| strings: | |
| /* | |
| 6a06 push 6 ; IPPROTO_TCP | |
| 6a01 push 1 ; SOCK_STREAM | |
| 6a02 push 2 ; AF_INET |
shellcromancer
/ alg_crypto_blake.yara
Created
January 13, 2022 03:13
Identify constants used as the IV or precomputed sigmas in BLAKE.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule alg_crypto_blake { | |
| meta: | |
| description = "Identify code/constants for the BLAKE2/3 hashing algorithm." | |
| author = "@shellcromancer <root@shellcromancer.io>" | |
| version = "0.1" | |
| date = "2022-01-11" | |
| reference = "https://en.wikipedia.org/wiki/BLAKE_(hash_function)" | |
| implementation = "https://cs.opensource.google/go/x/crypto/+/master:blake2b/blake2b_amd64.s" | |
| strings: | |
| // BLAKE2 uses the same IV as SHA-256 and BLAKE3 so matches should be investigated |
shellcromancer
/ alg_crypto_md5.yara
Last active
January 12, 2022 13:44
Identify code/constants for the MD5 hashing algorithm
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule alg_crypto_md5 { | |
| meta: | |
| description = "Identify code/constants for the MD5 hashing algorithm." | |
| author = "@shellcromancer <root@shellcromancer.io>" | |
| version = "0.1" | |
| date = "2022-01-11" | |
| reference = "https://en.wikipedia.org/wiki/MD5" | |
| strings: | |
| $cA = { 67452301 } | |
| $cB = { efcdab89 } |
shellcromancer
/ shellcode_metasploit_x86.yara
Created
January 11, 2022 02:38
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule metasploit_shellcode_x86 { | |
| meta: | |
| descrption = "Identify pushed strings from metasploint x86 shellcode." | |
| author = "@shellcromancer <root@shellcromancer.io>" | |
| version = "0.1" | |
| date = "2022-01-10" | |
| strings: | |
| // https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/linux/ia32/single_adduser.asm#L48 | |
| $pass1 = { 63 74 65 2f} // /etc | |
| $pass2 = { 61 70 2f 2f} // //pa |
shellcromancer
/ lang_rust.yara
Created
January 10, 2022 03:18
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "pe" | |
| import "elf" | |
| rule lang_rust { | |
| meta: | |
| desc = "Identify a Rust binary regardless of format (PE, Macho, ELF) or arch." | |
| author = "@shellcromancer" | |
| version = "1.0" | |
| last_modified = "2022.01.09" | |
| strings: |
shellcromancer
/ macho_space_in_seg_or_sect.yara
Created
January 9, 2022 05:05
Identify spaces in either a segment or section name of a Mach-o.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "macho" | |
| rule macho_space_in_segment_or_section { | |
| meta: | |
| descrption = "Identify spaces in either a segment or section name of a Mach-o." | |
| author = "@shellcromancer <root@shellcromancer.io>" | |
| version = "0.1" | |
| date = "2022-01-08" | |
| condition: | |
| for any segment in macho.segments: ( |
shellcromancer
/ imov_stackstrings.yara
Created
January 8, 2022 03:51
YARA rule to find stack strings via indirect moves.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule obfus_stackstring_imov { | |
| meta: | |
| descrption = "Identify stack-strings obfuscation via indirect moves." | |
| author = "@shellcromancer <root@shellcromancer.io>" | |
| version = "0.1" | |
| date = "2022-01-07" | |
| reference = "https://www.mandiant.com/resources/automatically-extracting-obfuscated-strings" | |
| strings: | |
| $mov_r = { c6 4? ?? 72 } // mov byte [rdi + ?], 0x72 ; 'r' | |
| $mov_s = { c6 4? 0? 73 } // mov byte [rdi + ?], 0x73 ; 's' |
shellcromancer
/ alg_crypto_crc32.yara
Created
January 7, 2022 03:25
Identify constants in the CRC32 cryptographic algorithm.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule alg_crypto_crc32 { | |
| meta: | |
| descrption = "Identify constants in the CRC32 cryptographic algorithm." | |
| author = "@shellcromancer <root@shellcromancer.io>" | |
| version = "0.1" | |
| creation_date = "2022-01-06" | |
| reference = "https://en.wikipedia.org/wiki/Cyclic_redundancy_check#CRC-32_algorithm" | |
| reference = "http://www.woodmann.com/fravia/crctut1.htm" | |
| hash = "c4f370622b7c8da5247e78a22e04a7778bd6712dbb84a05e60136b8defca4eed" | |
| location = "0x00401b50" |
shellcromancer
/ alg_crypto_aes.yara
Last active
January 6, 2022 03:50
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule alg_crypto_aes { | |
| meta: | |
| descrption = "Identify code/constants for the AES cryptographic algorithm." | |
| author = "@shellcromancer <root@shellcromancer.io>" | |
| version = "0.1" | |
| date = "2022-01-03" | |
| reference = "https://www.goggleheadedhacker.com/blog/post/reversing-crypto-functions-aes" | |
| strings: | |
| // T-Table value | |
| $c1 = { a5 63 63 c6 } |