rule SUSP_WER_Critical_HeapCorruption {
   meta:
      description = "Detects a crashed application that crashed due to a heap corruption error (could be a sign of exploitation)"
      author = "Florian Roth"
      reference = "Internal Research"
      date = "2019-10-18"
      score = 45
   strings:
      /* Header fields of a Windows Error Reporting (Report.wer) crash report */
      $a1 = "ReportIdentifier=" wide
      $a2 = ".Name=Fault Module Name" wide

      /* NTSTATUS 0xC0000374 (STATUS_HEAP_CORRUPTION), the value WER records as
         the exception code of the crash. The string is not anchored to that
         field, so it would also hit the same hex digits anywhere else in the
         report. Heap corruption is a classic symptom of a failed memory-
         corruption exploit, but also of ordinary application bugs - hence the
         moderate score. */
      $s1 = "c0000374" wide
   condition:
      /* File starts as UTF-16LE text "Ve" (the "Version=" header line of a
         Report.wer file), either bare or preceded by a FF FE byte-order mark */
      ( uint32be(0) == 0x56006500 or uint32be(0) == 0xfffe5600 )
      and all of ($a*)
      and $s1
}
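rule SUSP_WER_Suspicious_Crash_Directory {
   meta:
      description = "Detects a crashed application executed in a suspicious directory"
      author = "Florian Roth"
      reference = "Internal Research"
      date = "2019-10-18"
      score = 45
   strings:
      /* Header fields of a Windows Error Reporting (Report.wer) crash report */
      $a1 = "ReportIdentifier=" wide
      $a2 = ".Name=Fault Module Name" wide
      $a3 = "AppPath=" wide nocase

      /* Whitelist - expected install locations. A report whose AppPath starts
         with one of these prefixes is ignored unless one of the $s* exceptions
         below also matches.
         NOTE(review): the prefixes are deliberately broad to keep false
         positives low, which leaves gaps: $l1 also covers the user-writable
         C:\Windows\Temp\ and C:\Windows\Tasks\, and $l2 covers C:\ProgramData\
         as well as C:\Program Files\. All three are common malware staging
         directories; add them as $s* exceptions if your environment tolerates
         the extra noise from installers and services crashing there. */
      $l1 = "AppPath=C:\\Windows\\" wide nocase
      $l2 = "AppPath=C:\\Program" wide nocase
      $l3 = "AppPath=C:\\Python" wide nocase
      $l4 = "AppPath=C:\\Users\\" wide nocase

      /* Blacklist - exceptions that re-enable the alert inside a whitelisted prefix */
      /* covered via Whitelist (any AppPath outside $l1-$l4 already alerts):
      $s1 = "AppPath=C:\\$Recycle.Bin\\" wide
      $s2 = "AppPath=C:\\Perflogs\\" wide
      $s3 = "AppPath=C:\\Temp\\" wide
      $s4 = "AppPath=\\\\" wide // network share, or \\tsclient\c etc.
      $s5 = /AppPath=[C-Z]:\\\\[^\\]{1,64}\.exe/ wide nocase // in the root of a partition - no sub folder
      */
      /* Shared profiles under C:\Users\ that every local user can write to */
      $s6 = "AppPath=C:\\Users\\Public\\" wide nocase
      $s7 = "AppPath=C:\\Users\\Default\\" wide nocase
      /* Executable dropped directly into the root of AppData\Local,
         AppData\LocalLow or AppData\Roaming (no vendor sub folder).
         LocalLow was previously missing from the alternation even though the
         intent is "root of AppData"; it is listed first so the engine does not
         stop at the "Local" prefix. */
      $s8 = /AppPath=C:\\Users\\[^\\]{1,64}\\AppData\\(LocalLow|Local|Roaming)\\[^\\]{1,64}\.exe/ wide nocase
   condition:
      /* File starts as UTF-16LE text "Ve" (the "Version=" header line of a
         Report.wer file), either bare or preceded by a FF FE byte-order mark */
      ( uint32be(0) == 0x56006500 or uint32be(0) == 0xfffe5600 )
      and all of ($a*)
      /* alert when the crashed binary ran outside every whitelisted prefix, or
         inside one but from a known-abused sub location */
      and ( not 1 of ($l*) or 1 of ($s*) )
}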