more Exchange

Florian Roth 2021-03-08 10:09:04 +01:00
parent e6a3b23587
commit 0b88517938
2 changed files with 19 additions and 1 deletions


@ -225,7 +225,7 @@ rule APT_HAFNIUM_ForensicArtefacts_WER_Mar21_1 {
author = "Florian Roth"
reference = "https://twitter.com/cyb3rops/status/1368471533048446976"
date = "2021-03-07"
score = 50
score = 40
strings:
$s1 = "AppPath=c:\\windows\\system32\\inetsrv\\w3wp.exe" wide fullword
$s7 = ".Value=w3wp#MSExchangeECPAppPool" wide


@ -41,3 +41,21 @@ rule LOG_APT_HAFNIUM_Exchange_Log_Traces_Mar21_1 : LOG {
condition:
1 of them
}
rule LOG_Exchange_Forensic_Artefacts_CleanUp_Activity_Mar21_1 : LOG {
meta:
description = "Detects forensic artefacts showing cleanup activity found in HAFNIUM intrusions exploiting"
author = "Florian Roth"
reference = "https://twitter.com/jdferrell3/status/1368626281970024448"
date = "2021-03-08"
score = 70
strings:
$x1 = "cmd.exe /c cd /d C:/inetpub/wwwroot/aspnet_client" ascii wide
$x2 = "cmd.exe /c cd /d C:\\inetpub\\wwwroot\\aspnet_client" ascii wide
$s1 = "aspnet_client&del '"
$s2 = "aspnet_client&attrib +h +s +r "
$s3 = "&echo [S]"
condition:
1 of ($x*) or 2 of them
}
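Review bot: The `description` of the new rule LOG_Exchange_Forensic_Artefacts_CleanUp_Activity_Mar21_1 ends mid-sentence ("...found in HAFNIUM intrusions exploiting"), so either finish the clause or trim it to `description = "Detects forensic artefacts showing cleanup activity found in HAFNIUM intrusions"`. The $x strings carry `ascii wide` but $s1–$s3 default to ASCII-only, so on a UTF-16LE artefact (the kind the WER rule in the first section targets with `wide`) the `2 of them` fallback can never fire; for consistency use `$s1 = "aspnet_client&del '" ascii wide`, `$s2 = "aspnet_client&attrib +h +s +r " ascii wide`, `$s3 = "&echo [S]" ascii wide`. If the intended source is raw IIS request logs rather than decoded transcripts, the command string may appear URL-encoded there (spaces and slashes escaped), in which case neither $x variant would match — worth confirming against the referenced tweet and adding an encoded variant if so.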