Public Function kaploosh(strstrstr As String, Optional _ | |
smlplerunt As Boolean = False) As String | |
Dim skaplow As String | |
Dim shmoop As Integer | |
shmoop = 1 | |
Do Until shmoop - 1 = Len(strstrstr) | |
Select Case Asc(Mid(strstrstr, shmoop, 1)) | |
Case 48 To 57, 65 To 90, 97 To 122 | |
skaplow = skaplow & Mid(strstrstr, shmoop, 1) | |
Case 32 |
rule ConventionEngine_Keyword_Csharp_EWS | |
{ | |
meta: | |
author = "@stvemillertime" | |
description = "Searching for PE files with PDB path keywords, terms or anomalies." | |
sample_md5 = "b08dff2a95426a0e32731ef337eab542" | |
ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" | |
strings: | |
$pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,500}csharp[\x00-\xFF]{0,500}EWS[\x00-\xFF]{0,500}\.pdb\x00/ nocase ascii | |
condition: |
rule Methodology_MSDN_Sample_Service | |
{ | |
meta: | |
author = "smiller" | |
date = "03/06/2019" | |
md5 = "02ab24848f4abbc62a74009a5c08c953" | |
strings: | |
$a1 = "My Sample Service: Main: Entry" | |
$a2 = "My Sample Service: Main: StartServiceCtrlDispatcher returned error" | |
$a3 = "My Sample Service: Main: Exit" |
rule XOREngine_HTTP | |
{ | |
meta: | |
author = "smiller" | |
description = "This looks for brute XOR of http:// in a PE." | |
ref = "578cb44b784125ebd58ecb458d51b23d" | |
strings: | |
$key_01 = { 69 75 75 71 3b 2e 2e } | |
$key_02 = { 6a 76 76 72 38 2d 2d } | |
$key_03 = { 6b 77 77 73 39 2c 2c } |
import "pe" | |
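rule ExportEngine_xArch
{
    meta:
        author = "@stvemillertime"
        description = "This looks for Win PEs where Export DLL name is a something like x32.dat"
    strings:
        // Export DLL name that contains x32/x64/x86 and ends in a common extension.
        // The character class is [\x01-\x7F] rather than [\x00-\x7F] so the match
        // cannot run past the NUL terminator of the name into whatever follows it
        // (typically the export name table), which would otherwise allow a later
        // "x64....exe\x00" string to satisfy the pattern anchored at the DLL name.
        $pcre = /[\x01-\x7F]{0,100}x(32|64|86)[\x01-\x7F]{0,100}\.(dat|dll|sys|exe)\x00/
    condition:
        // MZ header and PE signature at e_lfanew
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
        // IMAGE_EXPORT_DIRECTORY.Name (offset 12) is an RVA of the DLL name;
        // anchor the pattern exactly at that name's file offset. If either RVA
        // does not map to a file offset, rva_to_offset is undefined and the
        // rule simply does not match.
        $pcre at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12))
}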
import "pe" | |
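rule ExportEngine_APT41_Loader_Prefix
{
    meta:
        author = "@stvemillertime"
        description = "This looks for a common APT41 Export DLL name in BEACON shellcode loaders, such as loader_X86_svchost.dll"
    strings:
        // Export DLL name starting with "loader_". The class is [\x01-\x7F] so
        // the (greedy, unbounded) run stops at the name's NUL terminator instead
        // of being allowed to swallow the terminator and continue through the
        // following bytes to some later NUL. "+" is the same as the original "{1,}".
        $pcre = /loader_[\x01-\x7F]+\x00/
    condition:
        // MZ header and PE signature at e_lfanew
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
        // IMAGE_EXPORT_DIRECTORY.Name (offset 12) is an RVA of the DLL name;
        // anchor the pattern exactly at that name's file offset.
        $pcre at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12))
}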
import "pe" | |
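rule ExportEngine_ShortName_1
{
    meta:
        author = "@stvemillertime"
        description = "This looks for Win PEs where Export DLL name is a single character"
    strings:
        // One alphanumeric character, a dot, a known extension, then the NUL
        // terminator. The terminator is required (as in the sibling ExportEngine
        // rules) so that a longer name such as "a.dll_helper.dll" does not match
        // on its first five bytes; the duplicated "bin" alternative is dropped
        // and the redundant {1} quantifier removed.
        $pcre = /[A-Za-z0-9]\.(dll|exe|dat|bin|sys)\x00/
    condition:
        // MZ header and PE signature at e_lfanew
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
        // IMAGE_EXPORT_DIRECTORY.Name (offset 12) is an RVA of the DLL name;
        // anchor the pattern exactly at that name's file offset.
        $pcre at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12))
}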
rule Methodology_LNK_Win_DefaultHostnames_Bleepboop | |
{ | |
meta: | |
author = "smiller" | |
date = "09/04/2018" | |
description = "Signature to detect LNK files or OLE objects with embedded LNK files with default and generic hostnames" | |
strings: | |
$a01 = /WIN-[0-9a-z]]{11}/ ascii nocase wide | |
$a02 = /DESKTOP-[a-z0-9]{7}/ ascii nocase wide | |
$a03 = /[a-z0-9]{1,10]-PC/ ascii nocase wide |
rule ELF_Methodology_RareEquities_Pcap
{
    meta:
        author = "@stvemillertime"
        description = "This is a wide catchall rule looking for executables with pcap equities. Matches on this rule may have built-in pcap collection, sniffing capability such as in MESSAGETAP, RATSNIF, etc."
        ref_md5 = "8d3b3d5b68a1d08485773d70c186d877"
    strings:
        // Prefix shared by the libpcap API names (pcap_open_live, pcap_loop, ...).
        $pcap_api = "pcap_"
    condition:
        // ELF magic \x7fELF, written here in file byte order via the big-endian read
        uint32be(0) == 0x7F454C46
        // Low byte of e_type (offset 0x10) == ET_EXEC. This assumes a little-endian
        // ELF (EI_DATA is not checked). ET_DYN (3: shared objects and PIE binaries)
        // is not covered, presumably so that libpcap.so itself does not match — confirm.
        and uint8(0x10) == 2
        and $pcap_api
}
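rule Methodology_RareEquities_Tencent_Proxy
{
    meta:
        author = "@stvemillertime"
        description = "This is a wide catchall rule looking for executables with odd equities. Matches on this rule may have built-in proxy capability such as in Tropic Trooper's TClient a/k/a FIRESHADOW."
        ref_md5 = "ba46bdaa5accee5deca8bd34c5aad55e"
    strings:
        $a1 = "proxy.tencent.com" ascii nocase wide
    condition:
        // The file-type test is parenthesised so that $a1 is required for BOTH
        // ELF and PE. YARA's 'and' binds tighter than 'or', so the previous
        // unparenthesised form evaluated as  ELF or (PE and $a1)  and matched
        // every ELF file regardless of the string.
        (
            // ELF magic \x7fELF
            uint32(0) == 0x464c457f
            or
            // MZ header and PE signature at e_lfanew
            (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550)
        )
        and $a1
}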