valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-06 10:05:18 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
master
signature-base/yara/apt_tick_weaponized_usb.yar

57 lines
2.4 KiB
Plaintext
Raw Permalink Blame History

/*
Yara Rule Set
Author: Florian Roth
Date: 2018-06-23
Identifier: Tick Group - Weaponized USB
Reference: https://researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/
*/
/* Rule Set ----------------------------------------------------------------- */
import "pe"
rule APT_Tick_Sysmon_Loader_Jun18 {
meta:
description = "Detects Sysmon Loader from Tick group incident - Weaponized USB"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/"
date = "2018-06-23"
hash1 = "31aea8630d5d2fcbb37a8e72fe4e096d0f2d8f05e03234645c69d7e8b59bb0e8"
strings:
$x1 = "SysMonitor_3A2DCB47" fullword ascii
$s1 = "msxml.exe" fullword ascii
$s2 = "wins.log" fullword ascii
$s3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\run" fullword ascii
$s4 = "%2d-%2d-%2d-%2d" fullword ascii
$s5 = "%USERPROFILE%" fullword ascii /* Goodware String - occured 22 times */
$s6 = "Windows NT" fullword ascii /* Goodware String - occured 72 times */
$s7 = "device monitor" fullword ascii
$s8 = "\\Accessories" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 200KB and (
pe.imphash() == "c5bb16e79fb500c430edce9481ae5b2b" or
$x1 or 6 of them
)
}
rule APT_Tick_HomamDownloader_Jun18 {
meta:
description = "Detects HomamDownloader from Tick group incident - Weaponized USB"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/"
date = "2018-06-23"
hash1 = "f817c9826089b49d251b8a09a0e9bf9b4b468c6e2586af60e50afe48602f0bec"
strings:
$s1 = "cmd /c hostname >>" fullword ascii
$s2 = "Mstray.exe" fullword ascii
$s3 = "msupdata.exe" fullword ascii
$s5 = "Windows\\CurrentVersion\\run" fullword ascii
$s6 = "Content-Type: */*" fullword ascii
$s11 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)" fullword ascii /* Goodware String - occured 3 times */
condition:
uint16(0) == 0x5a4d and filesize < 30KB and 3 of them
}
Reference in New Issue View Git Blame Copy Permalink