Steve stvemillertime
stvemillertime
/ informatr.vba
Created
January 13, 2020 16:55
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Public Function kaploosh(strstrstr As String, Optional _ | |
| smlplerunt As Boolean = False) As String | |
| Dim skaplow As String | |
| Dim shmoop As Integer | |
| shmoop = 1 | |
| Do Until shmoop - 1 = Len(strstrstr) | |
| Select Case Asc(Mid(strstrstr, shmoop, 1)) | |
| Case 48 To 57, 65 To 90, 97 To 122 | |
| skaplow = skaplow & Mid(strstrstr, shmoop, 1) | |
| Case 32 |
stvemillertime
/ ConventionEngine_Keyword_Csharp_EWS.yar
Created
March 2, 2020 14:07
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule ConventionEngine_Keyword_Csharp_EWS | |
| { | |
| meta: | |
| author = "@stvemillertime" | |
| description = "Searching for PE files with PDB path keywords, terms or anomalies." | |
| sample_md5 = "b08dff2a95426a0e32731ef337eab542" | |
| ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" | |
| strings: | |
| $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,500}csharp[\x00-\xFF]{0,500}EWS[\x00-\xFF]{0,500}\.pdb\x00/ nocase ascii | |
| condition: |
stvemillertime
/ Methodology_MSDN_Sample_Service.yar
Created
March 2, 2020 14:40
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule Methodology_MSDN_Sample_Service | |
| { | |
| meta: | |
| author = "smiller" | |
| date = "03/06/2019" | |
| md5 = "02ab24848f4abbc62a74009a5c08c953" | |
| strings: | |
| $a1 = "My Sample Service: Main: Entry" | |
| $a2 = "My Sample Service: Main: StartServiceCtrlDispatcher returned error" | |
| $a3 = "My Sample Service: Main: Exit" |
stvemillertime
/ XOREngine_HTTP.yar
Last active
November 19, 2021 21:27
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule XOREngine_HTTP | |
| { | |
| meta: | |
| author = "smiller" | |
| description = "This looks for brute XOR of http:// in a PE." | |
| ref = "578cb44b784125ebd58ecb458d51b23d" | |
| strings: | |
| $key_01 = { 69 75 75 71 3b 2e 2e } | |
| $key_02 = { 6a 76 76 72 38 2d 2d } | |
| $key_03 = { 6b 77 77 73 39 2c 2c } |
stvemillertime
/ ExportEngine_xArch.yar
Created
March 20, 2020 15:11
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "pe" | |
| rule ExportEngine_xArch | |
| { | |
| meta: | |
| author = "@stvemillertime" | |
| description = "This looks for Win PEs where Export DLL name is a something like x32.dat" | |
| strings: | |
| $pcre = /[\x00-\x7F]{0,100}x(32|64|86)[\x00-\x7F]{0,100}\.(dat|dll|sys|exe)\x00/ | |
| condition: | |
| uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12)) |
stvemillertime
/ ExportEngine_APT41_Loader_Prefix.yar
Last active
March 21, 2020 15:28
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "pe" | |
| rule ExportEngine_APT41_Loader_Prefix | |
| { | |
| meta: | |
| author = "@stvemillertime" | |
| description = "This looks for a common APT41 Export DLL name in BEACON shellcode loaders, such as loader_X86_svchost.dll" | |
| strings: | |
| $pcre = /loader_[\x00-\x7F]{1,}\x00/ | |
| condition: | |
| uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12)) |
stvemillertime
/ ExportEngine_ShortName.yar
Last active
March 21, 2020 15:29
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "pe" | |
| rule ExportEngine_ShortName_1 | |
| { | |
| meta: | |
| author = "@stvemillertime" | |
| description = "This looks for Win PEs where Export DLL name is a single character" | |
| strings: | |
| $pcre = /[A-Za-z0-9]{1}\.(dll|exe|dat|bin|sys|bin)/ | |
| condition: | |
| uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12)) |
stvemillertime
/ Methodology_LNK_Win_DefaultHostnames_Bleepboop.yar
Last active
April 15, 2020 02:15
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule Methodology_LNK_Win_DefaultHostnames_Bleepboop | |
| { | |
| meta: | |
| author = "smiller" | |
| date = "09/04/2018" | |
| description = "Signature to detect LNK files or OLE objects with embedded LNK files with default and generic hostnames" | |
| strings: | |
| $a01 = /WIN-[0-9a-z]]{11}/ ascii nocase wide | |
| $a02 = /DESKTOP-[a-z0-9]{7}/ ascii nocase wide | |
| $a03 = /[a-z0-9]{1,10]-PC/ ascii nocase wide |
stvemillertime
/ RareEquities_Pcap.yar
Last active
November 19, 2021 21:27
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule ELF_Methodology_RareEquities_Pcap | |
| { | |
| meta: | |
| author = "@stvemillertime" | |
| description = "This is a wide catchall rule looking for executables with pcap equities. Matches on this rule may have built-in pcap collection, sniffing capability such as in MESSAGETAP, RATSNIF, etc." | |
| ref_md5 = "8d3b3d5b68a1d08485773d70c186d877" | |
| strings: | |
| $a1 = "pcap_" | |
| condition: | |
| (uint32(0) == 0x464c457f) and int8(0x10) == 0x02 and $a1 |
stvemillertime
/ tencentproxy.yar
Last active
May 28, 2020 16:50
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule Methodology_RareEquities_Tencent_Proxy | |
| { | |
| meta: | |
| author = "@stvemillertime" | |
| description = "This is a wide catchall rule looking for executables with odd equities. Matches on this rule may have built-in proxy capability such as in Tropic Trooper's TClient a/k/a FIRESHADOW." | |
| ref_md5 = "ba46bdaa5accee5deca8bd34c5aad55e" | |
| strings: | |
| $a1 = "proxy.tencent.com" ascii nocase wide | |
| condition: | |
| (uint32(0) == 0x464c457f) or (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550)and $a1 |