Steve stvemillertime

## blah.yar
rule adversary_methods_pe_with_openssh_key {
meta:
author="smiller"
description="Looking for PE files with default OpenSSH private key strings"
strings:
$a1= "[-----BEGIN OPENSSH PRIVATE KEY-----"
$a2= {0A2D2D2D2D2D454E44204F50454E5353482050524956415445204B45592D2D2D2D2D0A257373682D}
condition:
uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of them
}

## golang.yar
rule methodology_golang_build_strings
{
meta:
author = "smiller"
version = "1.0"
date = "10/5/2038"
description = "Looks for PEs with a Golang build ID"
reference_hash = "94fa902d1473c35659d2396eccde596c"
strings:
$a01 = "go.buildid"

## wolfssl.yar
rule Methodology_RareEquities_Library_WolfSSL
{
	meta:
		author = "@stvemillertime"
		description = "This looks for PEs with strings from WolfSSL libraries (formerly CyaSSL). Matches on this rule may have built-in SSL capability. This hilariously catches 15+ distinct malware families from 8+ distinct APT and UNC clusters...and...TRICKBOT (shame, shame)."
    		ref_md5 = "ad41c3e660cb6cfad9b4d63af5d96469"
	strings:
	  	$base = "CLNTSRVRclient finished" ascii wide
    		$base2 = "CLNTserver finished" ascii wide
		$a1 = "server finished" ascii wide

## Methodology_ELF_Modbus.yar
rule Methodology_ELF_Modbus
{
    meta:
        author = "@stvemillertime"
        description = "A hilariously simple rule to create a smallllll haystack of ELFs with potential modbus interests, such as the VPNFILTER packet sniffer/logger module."
        md5 = "97444b5209278ed611e6a94076e814c8"
    strings:
    	$a1 = "modbus" nocase ascii wide
    condition:
	uint16(0) == 0x457f and filesize < 3MB and $a1

## Methodology_LNK_Github
rule methodology_lnk_with_github
{
meta:
author = "smiller"
version = "1.0"
date = "4/5/2018"
description = "Generic LNK files or docs with LNK and also Github domains, as possible download URL"
reference_hash = "dbd6c4cb1f9b090aec34723000a602af"
strings:
$a01 = "github.com" nocase ascii wide

## pe_pdb_keywords.yar
rule PE_PDB_Keyword_Admin
{
    meta:
        author = "@stvemillertime"
        date = "11/06/2018"
        description = "Looking for PEs with PDB paths containing suspicious strings, as part of common developer convention. #ConventionEngine"
        md5 = "06c19cd73471f0db027ab9eb85edc607"
        ref = "https://twitter.com/stvemillertime/status/1059650975068315648"
   strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\\\S|*\S]?.{0,250}admin[\\\S|*\S]?.{0,250}\.pdb\x00/ nocase // this could probs use some updating

## MSCopyrightFail
rule Methodology_VersionEngine_MSCopyrightFail
{
    meta:
        author = "smiller"
        date = "05/15/2019"
        description = "This rule looks for a MS copyright string without a terminating period character, which may indicate some manual typing and probably not actually MS."
        md5 = "98c72d96350a022fd8e486f9cbcca018"
    strings:
        $hex = { 01 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F 00 72 00 61 00 74 00 69 00 6F 00 6E 00 2E 00 20 00 41 00 6C 00 6C 00 20 00 72 00 69 00 67 00 68 00 74 00 73 00 20 00 72 00 65 00 73 00 65 00 72 00 76 00 65 00 64 00 00 00 00 00 }
    condition:

## keybase.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                stvemillertime
                / keybase.md
            
            
              Created
              December 3, 2019 20:19
            
          
    Keybase proof

I hereby claim:

I am stvemillertime on github.
I am stvemillertime (https://keybase.io/stvemillertime) on keybase.
I have a public key whose fingerprint is 99F9 3925 376E D382 9D9A  01CB AC67 0A9A 797E 6AFB

To claim this, I am signing this object:

  
## Methodology_AscensionEngine_KCP_Strings.yar
rule Methodology_AscensionEngine_KCP_Strings
{
    meta:
        author = "smiller"
        date = "2/5/2019"
        description = "This is a wide catchall rule looking for executables with equities for a transport library called KCP. Matches on this rule may have built-in KCP transport ability."
        md5 = "6f8bdd64736075303b9082bbfcc95cfe"
    strings:
        $a01 = "[RO] %ld bytes"
        $a02 = "recv sn=%lu"

## ConventionEngine_Keyword_master.yar
rule ConventionEngine_Keyword_master
{
 meta:
 author = "@stvemillertime"
 description = "Searching for PE files with PDB path keywords, terms or anomalies."
 sample_md5 = "2c47ed277a3471b8e4c5d396d4119c31"
 ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,500}-master\\[\x00-\xFF]{0,500}\.pdb\x00/ ascii
 condition:
	rule adversary_methods_pe_with_openssh_key {
	meta:
	author="smiller"
	description="Looking for PE files with default OpenSSH private key strings"
	strings:
	$a1= "[-----BEGIN OPENSSH PRIVATE KEY-----"
	$a2= {0A2D2D2D2D2D454E44204F50454E5353482050524956415445204B45592D2D2D2D2D0A257373682D}
	condition:
	uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of them
	}
	rule methodology_golang_build_strings
	{
	meta:
	author = "smiller"
	version = "1.0"
	date = "10/5/2038"
	description = "Looks for PEs with a Golang build ID"
	reference_hash = "94fa902d1473c35659d2396eccde596c"
	strings:
	$a01 = "go.buildid"
	rule Methodology_RareEquities_Library_WolfSSL
	{
	meta:
	author = "@stvemillertime"
	description = "This looks for PEs with strings from WolfSSL libraries (formerly CyaSSL). Matches on this rule may have built-in SSL capability. This hilariously catches 15+ distinct malware families from 8+ distinct APT and UNC clusters...and...TRICKBOT (shame, shame)."
	ref_md5 = "ad41c3e660cb6cfad9b4d63af5d96469"
	strings:
	$base = "CLNTSRVRclient finished" ascii wide
	$base2 = "CLNTserver finished" ascii wide
	$a1 = "server finished" ascii wide
	rule Methodology_ELF_Modbus
	{
	meta:
	author = "@stvemillertime"
	description = "A hilariously simple rule to create a smallllll haystack of ELFs with potential modbus interests, such as the VPNFILTER packet sniffer/logger module."
	md5 = "97444b5209278ed611e6a94076e814c8"
	strings:
	$a1 = "modbus" nocase ascii wide
	condition:
	uint16(0) == 0x457f and filesize < 3MB and $a1
	rule methodology_lnk_with_github
	{
	meta:
	author = "smiller"
	version = "1.0"
	date = "4/5/2018"
	description = "Generic LNK files or docs with LNK and also Github domains, as possible download URL"
	reference_hash = "dbd6c4cb1f9b090aec34723000a602af"
	strings:
	$a01 = "github.com" nocase ascii wide
	rule PE_PDB_Keyword_Admin
	{
	meta:
	author = "@stvemillertime"
	date = "11/06/2018"
	description = "Looking for PEs with PDB paths containing suspicious strings, as part of common developer convention. #ConventionEngine"
	md5 = "06c19cd73471f0db027ab9eb85edc607"
	ref = "https://twitter.com/stvemillertime/status/1059650975068315648"
	strings:
	$pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\\\S\|\S]?.{0,250}admin[\\\S\|\S]?.{0,250}\.pdb\x00/ nocase // this could probs use some updating
	rule Methodology_VersionEngine_MSCopyrightFail
	{
	meta:
	author = "smiller"
	date = "05/15/2019"
	description = "This rule looks for a MS copyright string without a terminating period character, which may indicate some manual typing and probably not actually MS."
	md5 = "98c72d96350a022fd8e486f9cbcca018"
	strings:
	$hex = { 01 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F 00 72 00 61 00 74 00 69 00 6F 00 6E 00 2E 00 20 00 41 00 6C 00 6C 00 20 00 72 00 69 00 67 00 68 00 74 00 73 00 20 00 72 00 65 00 73 00 65 00 72 00 76 00 65 00 64 00 00 00 00 00 }
	condition:
	rule Methodology_AscensionEngine_KCP_Strings
	{
	meta:
	author = "smiller"
	date = "2/5/2019"
	description = "This is a wide catchall rule looking for executables with equities for a transport library called KCP. Matches on this rule may have built-in KCP transport ability."
	md5 = "6f8bdd64736075303b9082bbfcc95cfe"
	strings:
	$a01 = "[RO] %ld bytes"
	$a02 = "recv sn=%lu"
	rule ConventionEngine_Keyword_master
	{
	meta:
	author = "@stvemillertime"
	description = "Searching for PE files with PDB path keywords, terms or anomalies."
	sample_md5 = "2c47ed277a3471b8e4c5d396d4119c31"
	ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
	strings:
	$pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,500}-master\\[\x00-\xFF]{0,500}\.pdb\x00/ ascii
	condition: