I hereby claim:
- I am stvemillertime on github.
- I am stvemillertime (https://keybase.io/stvemillertime) on keybase.
- I have a public key whose fingerprint is 99F9 3925 376E D382 9D9A 01CB AC67 0A9A 797E 6AFB
To claim this, I am signing this object:
// Hunting rule: PE files carrying a Go build-ID marker string.
// NOTE(review): this listing is truncated -- the condition section and the closing brace
// are missing, so the PE gate (MZ / PE\0\0) this meta describes cannot be verified here.
rule methodology_golang_build_strings | |
{ | |
meta: | |
author = "smiller" | |
version = "1.0" | |
// NOTE(review): "10/5/2038" is a future date -- almost certainly a typo in the authoring
// date; correct it before the meta field is relied on for rule triage.
date = "10/5/2038" | |
description = "Looks for PEs with a Golang build ID" | |
reference_hash = "94fa902d1473c35659d2396eccde596c" | |
strings: | |
// Per the description, the Go build-ID marker. On its own it only says "built with Go";
// it is a haystack reducer, not an indicator of malice.
$a01 = "go.buildid" |
// Hunting rule: Windows PE files that embed OpenSSH private-key PEM armor.
// Both strings must be present; the PE gate runs first so the string scan is
// only evaluated on MZ/PE files.
rule adversary_methods_pe_with_openssh_key
{
    meta:
        author      = "smiller"
        description = "Looking for PE files with default OpenSSH private key strings"

    strings:
        // BEGIN marker as it appears in the reference sample.
        // NOTE(review): the leading '[' is not part of a standard OpenSSH PEM
        // header -- confirm it is intentional; if not, ordinary embedded keys
        // (no bracket) will be missed.
        $a1 = "[-----BEGIN OPENSSH PRIVATE KEY-----" ascii

        // Raw bytes decode to: "\n-----END OPENSSH PRIVATE KEY-----\n%ssh-".
        // NOTE(review): the trailing "%ssh-" looks like a format-string fragment
        // from the sample; verify against the reference binary before tightening.
        $a2 = {0A2D2D2D2D2D454E44204F50454E5353482050524956415445204B45592D2D2D2D2D0A257373682D}

    condition:
        // "MZ" DOS magic, then "PE\0\0" at e_lfanew (offset 0x3C). An out-of-range
        // e_lfanew makes uint32() undefined, which evaluates as no match.
        uint16(0) == 0x5A4D
        and uint32(uint32(0x3C)) == 0x4550
        and all of ($a*)
}
// Hunting rule: small ELF binaries that mention "modbus" in any casing/encoding.
// NOTE(review): the closing brace is missing from this listing.
rule Methodology_ELF_Modbus | |
{ | |
meta: | |
author = "@stvemillertime" | |
description = "A hilariously simple rule to create a smallllll haystack of ELFs with potential modbus interests, such as the VPNFILTER packet sniffer/logger module." | |
md5 = "97444b5209278ed611e6a94076e814c8" | |
strings: | |
// "nocase ascii wide" also matches "MODBUS"/"Modbus" and UTF-16LE copies of the term.
// Expect benign hits (OT tooling, libmodbus-linked utilities); this is a haystack reducer.
$a1 = "modbus" nocase ascii wide | |
condition: | |
// uint16() is little-endian, so 0x457f is bytes 7F 45 -- the start of the "\x7fELF" magic.
// The 3MB cap keeps the haystack small; large statically linked ELFs are deliberately excluded.
uint16(0) == 0x457f and filesize < 3MB and $a1 |
// Hunting rule: VersionInfo "LegalCopyright" value that imitates Microsoft's string but
// lacks the trailing period -- a typing tell for hand-edited resources.
// NOTE(review): the condition body and closing brace are missing from this listing.
rule Methodology_VersionEngine_MSCopyrightFail | |
{ | |
meta: | |
author = "smiller" | |
date = "05/15/2019" | |
description = "This rule looks for a MS copyright string without a terminating period character, which may indicate some manual typing and probably not actually MS." | |
md5 = "98c72d96350a022fd8e486f9cbcca018" | |
strings: | |
// UTF-16LE decoding of the pattern:
//   01 00                  -> presumably the String struct's wType=1 (text) field; confirm
//   "LegalCopyright" 00 00 -> szKey, NUL-terminated
//   "© Microsoft Corporation. All rights reserved" 00 00 00 00
// Note the value ends "reserved" followed by NULs and no "." -- that is the tell.
// Genuine Microsoft binaries end the value with "reserved." and would not match.
$hex = { 01 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F 00 72 00 61 00 74 00 69 00 6F 00 6E 00 2E 00 20 00 41 00 6C 00 6C 00 20 00 72 00 69 00 67 00 68 00 74 00 73 00 20 00 72 00 65 00 73 00 65 00 72 00 76 00 65 00 64 00 00 00 00 00 } | |
condition: |
// Hunting rule: PE files whose CodeView (RSDS) debug record holds a PDB path with a
// "-master" directory component.
// NOTE(review): the condition body and closing brace are missing from this listing.
rule ConventionEngine_Keyword_master | |
{ | |
meta: | |
author = "@stvemillertime" | |
description = "Searching for PE files with PDB path keywords, terms or anomalies." | |
sample_md5 = "2c47ed277a3471b8e4c5d396d4119c31" | |
ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" | |
strings: | |
// "RSDS" + 20 bytes (16-byte GUID + 4-byte age) + drive letter + path ... "-master\" ... ".pdb\0".
// The {0,500} bounds keep the scan cheap. No "nocase" here: "-Master\" or "-MASTER\" will NOT
// match -- intentional tightening, or an omission to reconcile with the Csharp_EWS sibling rule.
$pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,500}-master\\[\x00-\xFF]{0,500}\.pdb\x00/ ascii | |
condition: |
// Hunting rule: PE files whose CodeView (RSDS) PDB path contains "csharp" followed later
// by "EWS" (Exchange Web Services tooling built from C# sources).
// NOTE(review): the condition body and closing brace are missing from this listing.
rule ConventionEngine_Keyword_Csharp_EWS | |
{ | |
meta: | |
author = "@stvemillertime" | |
description = "Searching for PE files with PDB path keywords, terms or anomalies." | |
sample_md5 = "b08dff2a95426a0e32731ef337eab542" | |
ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" | |
strings: | |
// "RSDS" + 20 bytes (GUID + age) + drive letter + path ... "csharp" ... "EWS" ... ".pdb\0".
// "nocase" applies to the whole regex, so "ews" also matches (e.g. "news", "views") --
// expect some benign hits; the ordering csharp-then-EWS is the real filter.
$pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,500}csharp[\x00-\xFF]{0,500}EWS[\x00-\xFF]{0,500}\.pdb\x00/ nocase ascii | |
condition: |
// Hunting rule: binaries carrying the log strings of the Microsoft "My Sample Service"
// service skeleton -- a tell that the service was built from copied boilerplate.
// NOTE(review): no description meta, and the condition/closing brace are missing
// from this listing.
rule Methodology_MSDN_Sample_Service | |
{ | |
meta: | |
author = "smiller" | |
date = "03/06/2019" | |
md5 = "02ab24848f4abbc62a74009a5c08c953" | |
strings: | |
// Three lifecycle messages (entry, dispatcher failure, exit). Plain ascii only -- a build
// that emits these as UTF-16 would need the "wide" modifier to match.
$a1 = "My Sample Service: Main: Entry" | |
$a2 = "My Sample Service: Main: StartServiceCtrlDispatcher returned error" | |
$a3 = "My Sample Service: Main: Exit" |
import "pe" | |
// Hunting rule: PE files whose export-table DLL name begins with "loader_".
// Requires `import "pe"` (present on the line above this rule).
// NOTE(review): the closing brace is missing from this listing.
rule ExportEngine_APT41_Loader_Prefix | |
{ | |
meta: | |
author = "@stvemillertime" | |
description = "This looks for a common APT41 Export DLL name in BEACON shellcode loaders, such as loader_X86_svchost.dll" | |
strings: | |
// "loader_" followed by one or more bytes in 0x00-0x7F, then a NUL. Because \x00 is inside
// the class, the tail can run past the name's own terminator; in practice the `at` anchor
// below makes this "name starts with loader_ and has a NUL somewhere after".
// NOTE(review): /loader_[\x01-\x7F]+\x00/ would bind the match to the name itself.
$pcre = /loader_[\x00-\x7F]{1,}\x00/ | |
condition: | |
// MZ / PE\0\0 gate, then anchor $pcre at the export DLL name:
//   export dir RVA -> file offset, +12 = IMAGE_EXPORT_DIRECTORY.Name
//   (after Characteristics 4, TimeDateStamp 4, Major/MinorVersion 2+2),
//   uint32() reads the Name RVA, rva_to_offset() turns it into the file offset.
// A PE with no export table yields an undefined offset, which evaluates as no match.
uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12)) |
import "pe" | |
rule ExportEngine_ShortName_1 | |
{ | |
meta: | |
author = "@stvemillertime" | |
description = "This looks for Win PEs where Export DLL name is a single character" | |
strings: | |
$pcre = /[A-Za-z0-9]{1}\.(dll|exe|dat|bin|sys|bin)/ | |
condition: | |
uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12)) |