Merge pull request #111 from 2d4d/master

more c# tools, rules for standard fnv1a + sunburst like XOR + RET
2024-11-06 18:15:20 +00:00 · 2020-12-24 11:04:25 +01:00 · 2020-12-24 11:04:25 +01:00 · 95cfe7a225
commit 95cfe7a225
parent c898053424 c5c6720a15
2 changed files with 269 additions and 1 deletions
--- a/yara/apt_backdoor_sunburst_fnv1a_experimental.yar
+++ b/yara/apt_backdoor_sunburst_fnv1a_experimental.yar
@ -0,0 +1,69 @@
+
+rule APT_fnv1a_plus_extra_XOR_in_MSIL_experimental
+{
+    meta:
+        description = "This rule detects the specific MSIL implementation of fnv1a of the SUNBURST backdoor (standard fnv1a + one final XOR before RET) independent of the XOR-string. (fnv64a_offset and fnv64a_prime are standard constants in the fnv1a hashing algorithm.)"
+		reference = "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
+        author = "Arnim Rupp"
+		license = "https://creativecommons.org/licenses/by-nc/4.0/"
+		date = "2020-12-22"
+		hash1 = "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77"
+		hash2 = "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6"
+		hash3 = "019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134"
+    strings:
+		$fnv64a_offset = { 25 23 22 84 e4 9c f2 cb }
+		$fnv64a_prime_plus_gap_plus_xor_ret = { B3 01 00 00 00 01 [8-40] 61 2A 00 00 }
+
+		// use for less false positives, xor before fnv1a prime
+		//$fnv64a_prime_plus_gap_plus_xor_ret = { 61 [0-3] B3 01 00 00 00 01 [8-40] 61 2A }
+		// even less false positives, not sure if it misses beef
+		//$fnv64a_prime_plus_gap_plus_xor_ret = { 61 [0-3] B3 01 00 00 00 01 [8-40] 61 2A 00 00 }
+    condition:
+		(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
+}
+
+
+rule APT_fnv1a_plus_extra_XOR_in_x64_experimental
+{
+    meta:
+        description = "This rule detects the specific x64 implementation of fnv1a like used in the SUNBURST backdoor (standard fnv1a + one final XOR before RET), rewritten in c. (fnv64a_offset and fnv64a_prime are standard constants in the fnv1a hashing algorithm.)"
+		reference = "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
+        author = "Arnim Rupp"
+		license = "https://creativecommons.org/licenses/by-nc/4.0/"
+		date = "2020-12-22"
+    strings:
+		$fnv64a_offset = { 25 23 22 84 e4 9c f2 cb }
+
+		// self compiled c examples end with 31 D0 C3
+		// C3 followed by NOP/multibyte NOPs to reduce false positives
+		$fnv64a_prime_plus_gap_plus_xor_ret = { B3 01 00 00 00 01 [4-44] ( 31 | 33 ) [0-1] C3 ( 90 | 66 90 | 0F 1F 00 | 0F 1F 40 00 | 0F 1F 44 00 00 | 66 0F 1F 44 00 00 | 0F 1F 80 00 00 00 00 | 0F 1F 84 00 00 00 00 00 | 66 0F 1F 84 00 00 00 00 00 ) }
+
+    condition:
+		// MZ or ELF
+		( uint16(0) == 0x5a4d or uint32be(0) == 0x7f454c46 ) and all of them
+}
+
+// todo:
+// Rules wouldn't work yet for bitshift instead of multiplication as described in http://www.isthe.com/chongo/tech/comp/fnv/index.html :  hval += (hval << 1) + (hval << 4) + (hval << 5) + (hval << 7) + (hval << 8) + (hval << 40);
+
+
+
+// Deactivated. This rule is probably only useful for developers to check their own software repository
+/*
+rule TEST_false_positive_plain_fnv1a_in_x64
+{
+    meta:
+        description = "This rule detects x64 implementations of standard fnv1a just by looking for the standard fnv64a_offset and fnv64a_prime (unless bitshifting is used instead of multiplication). This rule would have found the SUNBURST backdoor at Solarwinds but will also find any other programm which implements fnv1a. Just useful for developers, pls check if that fnv1a was put there by you ;)"
+		reference = "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
+        author = "Arnim Rupp"
+		license = "https://creativecommons.org/licenses/by-nc/4.0/"
+		date = "2020-12-22"
+		score = 10
+    strings:
+		$fnv64a_offset = { 25 23 22 84 e4 9c f2 cb }
+		$fnv64a_prime = { B3 01 00 00 00 01 }
+    condition:
+		// MZ or ELF
+		( uint16(0) == 0x5a4d or uint32be(0) == 0x7f454c46 ) and all of them
+}
+*/
--- a/yara/gen_github_net_redteam_tools_guids.yara
+++ b/yara/gen_github_net_redteam_tools_guids.yara
@ -1199,7 +1199,6 @@ rule HKTL_NET_GUID_SharpPack {
        $typelibguid1 = "b59c7741-d522-4a41-bf4d-9badddebb84a" ascii nocase wide
        $typelibguid2 = "fd6bdf7a-fef4-4b28-9027-5bf750f08048" ascii nocase wide
        $typelibguid3 = "6dd22880-dac5-4b4d-9c91-8c35cc7b8180" ascii nocase wide
-        $typelibguid4 = "7760248f-9247-4206-be42-a6952aa46da2" ascii nocase wide
        $typelibguid5 = "f3037587-1a3b-41f1-aa71-b026efdb2a82" ascii nocase wide
        $typelibguid6 = "41a90a6a-f9ed-4a2f-8448-d544ec1fd753" ascii nocase wide
        $typelibguid7 = "3787435b-8352-4bd8-a1c6-e5a1b73921f4" ascii nocase wide
@ -2002,3 +2001,203 @@ rule HKTL_NET_GUID_SharpEDRChecker {
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
 }

+rule HKTL_NET_GUID_SharpClipHistory {
+    meta:
+        description = "Detects c# red/black-team tools via typelibguid"
+        reference = "https://github.com/FSecureLABS/SharpClipHistory"
+        license = "https://creativecommons.org/licenses/by-nc/4.0/"
+        author = "Arnim Rupp"
+        date = "2020-12-21"
+    strings:
+        $typelibguid0 = "1126d5b4-efc7-4b33-a594-b963f107fe82" ascii nocase wide
+    condition:
+        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
+}
+
+rule HKTL_NET_GUID_SharpGPO_RemoteAccessPolicies {
+    meta:
+        description = "Detects c# red/black-team tools via typelibguid"
+        reference = "https://github.com/FSecureLABS/SharpGPO-RemoteAccessPolicies"
+        license = "https://creativecommons.org/licenses/by-nc/4.0/"
+        author = "Arnim Rupp"
+        date = "2020-12-21"
+    strings:
+        $typelibguid0 = "fbb1abcf-2b06-47a0-9311-17ba3d0f2a50" ascii nocase wide
+    condition:
+        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
+}
+
+rule HKTL_NET_GUID_solarflare {
+    meta:
+        description = "Detects c# red/black-team tools via typelibguid"
+        reference = "https://github.com/mubix/solarflare"
+        license = "https://creativecommons.org/licenses/by-nc/4.0/"
+        author = "Arnim Rupp"
+        date = "2020-12-21"
+    strings:
+        $typelibguid0 = "ca60e49e-eee9-409b-8d1a-d19f1d27b7e4" ascii nocase wide
+    condition:
+        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
+}
+
+rule HKTL_NET_GUID_Absinthe {
+    meta:
+        description = "Detects c# red/black-team tools via typelibguid"
+        reference = "https://github.com/cameronhotchkies/Absinthe"
+        license = "https://creativecommons.org/licenses/by-nc/4.0/"
+        author = "Arnim Rupp"
+        date = "2020-12-21"
+    strings:
+        $typelibguid0 = "9936ae73-fb4e-4c5e-a5fb-f8aaeb3b9bd6" ascii nocase wide
+    condition:
+        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
+}
+
+rule HKTL_NET_GUID_ExploitRemotingService {
+    meta:
+        description = "Detects c# red/black-team tools via typelibguid"
+        reference = "https://github.com/tyranid/ExploitRemotingService"
+        license = "https://creativecommons.org/licenses/by-nc/4.0/"
+        author = "Arnim Rupp"
+        date = "2020-12-21"
+    strings:
+        $typelibguid0 = "fd17ae38-2fd3-405f-b85b-e9d14e8e8261" ascii nocase wide
+        $typelibguid1 = "1850b9bb-4a23-4d74-96b8-58f274674566" ascii nocase wide
+        $typelibguid2 = "297cbca1-efa3-4f2a-8d5f-e1faf02ba587" ascii nocase wide
+    condition:
+        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
+}
+
+rule HKTL_NET_GUID_Xploit {
+    meta:
+        description = "Detects c# red/black-team tools via typelibguid"
+        reference = "https://github.com/shargon/Xploit"
+        license = "https://creativecommons.org/licenses/by-nc/4.0/"
+        author = "Arnim Rupp"
+        date = "2020-12-21"
+    strings:
+        $typelibguid0 = "4545cfde-9ee5-4f1b-b966-d128af0b9a6e" ascii nocase wide
+        $typelibguid1 = "33849d2b-3be8-41e8-a1e2-614c94c4533c" ascii nocase wide
+        $typelibguid2 = "c2dc73cc-a959-4965-8499-a9e1720e594b" ascii nocase wide
+        $typelibguid3 = "77059fa1-4b7d-4406-bc1a-cb261086f915" ascii nocase wide
+        $typelibguid4 = "a4a04c4d-5490-4309-9c90-351e5e5fd6d1" ascii nocase wide
+        $typelibguid5 = "ca64f918-3296-4b7d-9ce6-b98389896765" ascii nocase wide
+        $typelibguid6 = "10fe32a0-d791-47b2-8530-0b19d91434f7" ascii nocase wide
+        $typelibguid7 = "679bba57-3063-4f17-b491-4f0a730d6b02" ascii nocase wide
+        $typelibguid8 = "0981e164-5930-4ba0-983c-1cf679e5033f" ascii nocase wide
+        $typelibguid9 = "2a844ca2-5d6c-45b5-963b-7dca1140e16f" ascii nocase wide
+        $typelibguid10 = "7d75ca11-8745-4382-b3eb-c41416dbc48c" ascii nocase wide
+    condition:
+        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
+}
+
+rule HKTL_NET_GUID_PoC {
+    meta:
+        description = "Detects c# red/black-team tools via typelibguid"
+        reference = "https://github.com/thezdi/PoC"
+        license = "https://creativecommons.org/licenses/by-nc/4.0/"
+        author = "Arnim Rupp"
+        date = "2020-12-21"
+    strings:
+        $typelibguid0 = "89f9d411-e273-41bb-8711-209fd251ca88" ascii nocase wide
+    condition:
+        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
+}
+
+rule HKTL_NET_GUID_SharpGPOAbuse {
+    meta:
+        description = "Detects c# red/black-team tools via typelibguid"
+        reference = "https://github.com/FSecureLABS/SharpGPOAbuse"
+        license = "https://creativecommons.org/licenses/by-nc/4.0/"
+        author = "Arnim Rupp"
+        date = "2020-12-21"
+    strings:
+        $typelibguid0 = "4f495784-b443-4838-9fa6-9149293af785" ascii nocase wide
+    condition:
+        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
+}
+
+rule HKTL_NET_GUID_Watson {
+    meta:
+        description = "Detects c# red/black-team tools via typelibguid"
+        reference = "https://github.com/rasta-mouse/Watson"
+        license = "https://creativecommons.org/licenses/by-nc/4.0/"
+        author = "Arnim Rupp"
+        date = "2020-12-21"
+    strings:
+        $typelibguid0 = "49ad5f38-9e37-4967-9e84-fe19c7434ed7" ascii nocase wide
+    condition:
+        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
+}
+
+rule HKTL_NET_GUID_StandIn {
+    meta:
+        description = "Detects c# red/black-team tools via typelibguid"
+        reference = "https://github.com/FuzzySecurity/StandIn"
+        license = "https://creativecommons.org/licenses/by-nc/4.0/"
+        author = "Arnim Rupp"
+        date = "2020-12-21"
+    strings:
+        $typelibguid0 = "01c142ba-7af1-48d6-b185-81147a2f7db7" ascii nocase wide
+    condition:
+        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
+}
+
+rule HKTL_NET_GUID_SharpSploit {
+    meta:
+        description = "Detects c# red/black-team tools via typelibguid"
+        reference = "https://github.com/cobbr/SharpSploit"
+        license = "https://creativecommons.org/licenses/by-nc/4.0/"
+        author = "Arnim Rupp"
+        date = "2020-12-21"
+    strings:
+        $typelibguid0 = "7760248f-9247-4206-be42-a6952aa46da2" ascii nocase wide
+    condition:
+        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
+}
+
+rule HKTL_NET_GUID_azure_password_harvesting {
+    meta:
+        description = "Detects c# red/black-team tools via typelibguid"
+        reference = "https://github.com/guardicore/azure_password_harvesting"
+        license = "https://creativecommons.org/licenses/by-nc/4.0/"
+        author = "Arnim Rupp"
+        date = "2020-12-21"
+    strings:
+        $typelibguid0 = "7ad1ff2d-32ac-4c54-b615-9bb164160dac" ascii nocase wide
+    condition:
+        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
+}
+
+rule HKTL_NET_GUID_PowerOPS {
+    meta:
+        description = "Detects c# red/black-team tools via typelibguid"
+        reference = "https://github.com/fdiskyou/PowerOPS"
+        license = "https://creativecommons.org/licenses/by-nc/4.0/"
+        author = "Arnim Rupp"
+        date = "2020-12-21"
+    strings:
+        $typelibguid0 = "2a3c5921-7442-42c3-8cb9-24f21d0b2414" ascii nocase wide
+    condition:
+        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
+}
+
+rule HKTL_NET_GUID_Random_CSharpTools {
+    meta:
+        description = "Detects c# red/black-team tools via typelibguid"
+        reference = "https://github.com/xorrior/Random-CSharpTools"
+        license = "https://creativecommons.org/licenses/by-nc/4.0/"
+        author = "Arnim Rupp"
+        date = "2020-12-21"
+    strings:
+        $typelibguid0 = "f7fc19da-67a3-437d-b3b0-2a257f77a00b" ascii nocase wide
+        $typelibguid1 = "47e85bb6-9138-4374-8092-0aeb301fe64b" ascii nocase wide
+        $typelibguid2 = "c7d854d8-4e3a-43a6-872f-e0710e5943f7" ascii nocase wide
+        $typelibguid3 = "d6685430-8d8d-4e2e-b202-de14efa25211" ascii nocase wide
+        $typelibguid4 = "1df925fc-9a89-4170-b763-1c735430b7d0" ascii nocase wide
+        $typelibguid5 = "817cc61b-8471-4c1e-b5d6-c754fc550a03" ascii nocase wide
+        $typelibguid6 = "60116613-c74e-41b9-b80e-35e02f25891e" ascii nocase wide
+    condition:
+        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
+}
+