I hereby claim:
- I am stvemillertime on github.
- I am stvemillertime (https://keybase.io/stvemillertime) on keybase.
- I have a public key whose fingerprint is 99F9 3925 376E D382 9D9A 01CB AC67 0A9A 797E 6AFB
To claim this, I am signing this object:
Steve stvemillertime
stvemillertime
/ golang.yar
Created
March 18, 2019 13:38
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule methodology_golang_build_strings | |
| { | |
| meta: | |
| author = "smiller" | |
| version = "1.0" | |
| date = "10/5/2038" | |
| description = "Looks for PEs with a Golang build ID" | |
| reference_hash = "94fa902d1473c35659d2396eccde596c" | |
| strings: | |
| $a01 = "go.buildid" |
stvemillertime
/ blah.yar
Created
December 7, 2018 15:22
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule adversary_methods_pe_with_openssh_key { | |
| meta: | |
| author="smiller" | |
| description="Looking for PE files with default OpenSSH private key strings" | |
| strings: | |
| $a1= "[-----BEGIN OPENSSH PRIVATE KEY-----" | |
| $a2= {0A2D2D2D2D2D454E44204F50454E5353482050524956415445204B45592D2D2D2D2D0A257373682D} | |
| condition: | |
| uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of them | |
| } |
stvemillertime
/ Methodology_ELF_Modbus.yar
Last active
April 29, 2019 20:52
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule Methodology_ELF_Modbus | |
| { | |
| meta: | |
| author = "@stvemillertime" | |
| description = "A hilariously simple rule to create a smallllll haystack of ELFs with potential modbus interests, such as the VPNFILTER packet sniffer/logger module." | |
| md5 = "97444b5209278ed611e6a94076e814c8" | |
| strings: | |
| $a1 = "modbus" nocase ascii wide | |
| condition: | |
| uint16(0) == 0x457f and filesize < 3MB and $a1 |
stvemillertime
/ MSCopyrightFail
Created
September 20, 2019 22:14
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule Methodology_VersionEngine_MSCopyrightFail | |
| { | |
| meta: | |
| author = "smiller" | |
| date = "05/15/2019" | |
| description = "This rule looks for a MS copyright string without a terminating period character, which may indicate some manual typing and probably not actually MS." | |
| md5 = "98c72d96350a022fd8e486f9cbcca018" | |
| strings: | |
| $hex = { 01 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F 00 72 00 61 00 74 00 69 00 6F 00 6E 00 2E 00 20 00 41 00 6C 00 6C 00 20 00 72 00 69 00 67 00 68 00 74 00 73 00 20 00 72 00 65 00 73 00 65 00 72 00 76 00 65 00 64 00 00 00 00 00 } | |
| condition: |
stvemillertime
/ keybase.md
Created
December 3, 2019 20:19
stvemillertime
/ ConventionEngine_Keyword_master.yar
Created
January 7, 2020 14:53
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule ConventionEngine_Keyword_master | |
| { | |
| meta: | |
| author = "@stvemillertime" | |
| description = "Searching for PE files with PDB path keywords, terms or anomalies." | |
| sample_md5 = "2c47ed277a3471b8e4c5d396d4119c31" | |
| ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" | |
| strings: | |
| $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,500}-master\\[\x00-\xFF]{0,500}\.pdb\x00/ ascii | |
| condition: |
stvemillertime
/ ConventionEngine_Keyword_Csharp_EWS.yar
Created
March 2, 2020 14:07
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule ConventionEngine_Keyword_Csharp_EWS | |
| { | |
| meta: | |
| author = "@stvemillertime" | |
| description = "Searching for PE files with PDB path keywords, terms or anomalies." | |
| sample_md5 = "b08dff2a95426a0e32731ef337eab542" | |
| ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" | |
| strings: | |
| $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,500}csharp[\x00-\xFF]{0,500}EWS[\x00-\xFF]{0,500}\.pdb\x00/ nocase ascii | |
| condition: |
stvemillertime
/ Methodology_MSDN_Sample_Service.yar
Created
March 2, 2020 14:40
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule Methodology_MSDN_Sample_Service | |
| { | |
| meta: | |
| author = "smiller" | |
| date = "03/06/2019" | |
| md5 = "02ab24848f4abbc62a74009a5c08c953" | |
| strings: | |
| $a1 = "My Sample Service: Main: Entry" | |
| $a2 = "My Sample Service: Main: StartServiceCtrlDispatcher returned error" | |
| $a3 = "My Sample Service: Main: Exit" |
stvemillertime
/ ExportEngine_APT41_Loader_Prefix.yar
Last active
March 21, 2020 15:28
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "pe" | |
| rule ExportEngine_APT41_Loader_Prefix | |
| { | |
| meta: | |
| author = "@stvemillertime" | |
| description = "This looks for a common APT41 Export DLL name in BEACON shellcode loaders, such as loader_X86_svchost.dll" | |
| strings: | |
| $pcre = /loader_[\x00-\x7F]{1,}\x00/ | |
| condition: | |
| uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12)) |
stvemillertime
/ ExportEngine_ShortName.yar
Last active
March 21, 2020 15:29
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "pe" | |
| rule ExportEngine_ShortName_1 | |
| { | |
| meta: | |
| author = "@stvemillertime" | |
| description = "This looks for Win PEs where Export DLL name is a single character" | |
| strings: | |
| $pcre = /[A-Za-z0-9]{1}\.(dll|exe|dat|bin|sys|bin)/ | |
| condition: | |
| uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12)) |
OlderNewer