valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-06 18:15:20 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
93f5f200ed
signature-base/yara/gen_metasploit_payloads.yar
Florian Roth 7925094cee Metasploit in-memory rule
2020-07-03 08:39:45 +02:00

339 lines
13 KiB
Plaintext
Raw Blame History

/*
Yara Rule Set
Author: Florian Roth
Date: 2017-02-09
Identifier: MSF Payloads
*/
/* Rule Set ----------------------------------------------------------------- */
rule Msfpayloads_msf {
meta:
description = "Metasploit Payloads - file msf.sh"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Internal Research"
date = "2017-02-09"
hash1 = "320a01ec4e023fb5fbbaef963a2b57229e4f918847e5a49c7a3f631cb556e96c"
strings:
$s1 = "export buf=\\" fullword ascii
condition:
( uint16(0) == 0x7865 and filesize < 4KB and ( 10 of ($s*) ) ) or ( all of them )
}
rule Msfpayloads_msf_2 {
meta:
description = "Metasploit Payloads - file msf.asp"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Internal Research"
date = "2017-02-09"
hash1 = "e52f98466b92ee9629d564453af6f27bd3645e00a9e2da518f5a64a33ccf8eb5"
strings:
$s1 = "& \"\\\" & \"svchost.exe\"" fullword ascii
$s2 = "CreateObject(\"Wscript.Shell\")" fullword ascii
$s3 = "<% @language=\"VBScript\" %>" fullword ascii
condition:
all of them
}
rule Msfpayloads_msf_psh {
meta:
description = "Metasploit Payloads - file msf-psh.vba"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Internal Research"
date = "2017-02-09"
hash1 = "5cc6c7f1aa75df8979be4a16e36cece40340c6e192ce527771bdd6463253e46f"
strings:
$s1 = "powershell.exe -nop -w hidden -e" ascii
$s2 = "Call Shell(" fullword ascii
$s3 = "Sub Workbook_Open()" fullword ascii
condition:
all of them
}
rule Msfpayloads_msf_exe {
meta:
description = "Metasploit Payloads - file msf-exe.vba"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Internal Research"
date = "2017-02-09"
hash1 = "321537007ea5052a43ffa46a6976075cee6a4902af0c98b9fd711b9f572c20fd"
strings:
$s1 = "'* PAYLOAD DATA" fullword ascii
$s2 = " = Shell(" ascii
$s3 = "= Environ(\"USERPROFILE\")" fullword ascii
$s4 = "'**************************************************************" fullword ascii
$s5 = "ChDir (" fullword ascii
$s6 = "'* MACRO CODE" fullword ascii
condition:
4 of them
}
rule Msfpayloads_msf_3 {
meta:
description = "Metasploit Payloads - file msf.psh"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Internal Research"
date = "2017-02-09"
hash1 = "335cfb85e11e7fb20cddc87e743b9e777dc4ab4e18a39c2a2da1aa61efdbd054"
strings:
$s1 = "[DllImport(\"kernel32.dll\")] public static extern int WaitForSingleObject(" ascii
$s2 = "public enum MemoryProtection { ExecuteReadWrite = 0x40 }" fullword ascii
$s3 = ".func]::VirtualAlloc(0,"
$s4 = ".func+AllocationType]::Reserve -bOr [" ascii
$s5 = "New-Object System.CodeDom.Compiler.CompilerParameters" fullword ascii
$s6 = "ReferencedAssemblies.AddRange(@(\"System.dll\", [PsObject].Assembly.Location))" fullword ascii
$s7 = "public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }" fullword ascii
$s8 = ".func]::CreateThread(0,0,$" fullword ascii
$s9 = "public enum Time : uint { Infinite = 0xFFFFFFFF }" fullword ascii
$s10 = "= [System.Convert]::FromBase64String(\"/" ascii
$s11 = "{ $global:result = 3; return }" fullword ascii
condition:
4 of them
}
rule Msfpayloads_msf_4 {
meta:
description = "Metasploit Payloads - file msf.aspx"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Internal Research"
date = "2017-02-09"
hash1 = "26b3e572ba1574164b76c6d5213ab02e4170168ae2bcd2f477f246d37dbe84ef"
strings:
$s1 = "= VirtualAlloc(IntPtr.Zero,(UIntPtr)" ascii
$s2 = ".Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);" ascii
$s3 = "[System.Runtime.InteropServices.DllImport(\"kernel32\")]" fullword ascii
$s4 = "private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;" fullword ascii
$s5 = "private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect);" fullword ascii
condition:
4 of them
}
rule Msfpayloads_msf_exe_2 {
meta:
description = "Metasploit Payloads - file msf-exe.aspx"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Internal Research"
date = "2017-02-09"
hash1 = "3a2f7a654c1100e64d8d3b4cd39165fba3b101bbcce6dd0f70dae863da338401"
strings:
$x1 = "= new System.Diagnostics.Process();" fullword ascii
$x2 = ".StartInfo.UseShellExecute = true;" fullword ascii
$x3 = ", \"svchost.exe\");" ascii
$s4 = " = Path.GetTempPath();" ascii
condition:
all of them
}
rule Msfpayloads_msf_5 {
meta:
description = "Metasploit Payloads - file msf.msi"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Internal Research"
date = "2017-02-09"
hash1 = "7a6c66dfc998bf5838993e40026e1f400acd018bde8d4c01ef2e2e8fba507065"
strings:
$s1 = "required to install Foobar 1.0." fullword ascii
$s2 = "Copyright 2009 The Apache Software Foundation." fullword wide
$s3 = "{50F36D89-59A8-4A40-9689-8792029113AC}" fullword ascii
condition:
all of them
}
rule Msfpayloads_msf_6 {
meta:
description = "Metasploit Payloads - file msf.vbs"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Internal Research"
date = "2017-02-09"
hash1 = "8d6f55c6715c4a2023087c3d0d7abfa21e31a629393e4dc179d31bb25b166b3f"
strings:
$s1 = "= CreateObject(\"Wscript.Shell\")" fullword ascii
$s2 = "= CreateObject(\"Scripting.FileSystemObject\")" fullword ascii
$s3 = ".GetSpecialFolder(2)" ascii
$s4 = ".Write Chr(CLng(\"" ascii
$s5 = "= \"4d5a90000300000004000000ffff00" ascii
$s6 = "For i = 1 to Len(" ascii
$s7 = ") Step 2" ascii
condition:
5 of them
}
rule Msfpayloads_msf_7 {
meta:
description = "Metasploit Payloads - file msf.vba"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Internal Research"
date = "2017-02-09"
hash1 = "425beff61a01e2f60773be3fcb74bdfc7c66099fe40b9209745029b3c19b5f2f"
strings:
$s1 = "Private Declare PtrSafe Function CreateThread Lib \"kernel32\" (ByVal" ascii
$s2 = "= VirtualAlloc(0, UBound(Tsw), &H1000, &H40)" fullword ascii
$s3 = "= RtlMoveMemory(" ascii
condition:
all of them
}
rule Msfpayloads_msf_8 {
meta:
description = "Metasploit Payloads - file msf.ps1"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Internal Research"
date = "2017-02-09"
hash1 = "519717e01f0cb3f460ef88cd70c3de8c7f00fb7c564260bd2908e97d11fde87f"
strings:
$s1 = "[DllImport(\"kernel32.dll\")]" fullword ascii
$s2 = "[DllImport(\"msvcrt.dll\")]" fullword ascii
$s3 = "-Name \"Win32\" -namespace Win32Functions -passthru" fullword ascii
$s4 = "::VirtualAlloc(0,[Math]::Max($" ascii
$s5 = ".Length,0x1000),0x3000,0x40)" ascii
$s6 = "public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);" fullword ascii
$s7 = "::memset([IntPtr]($" ascii
condition:
6 of them
}
rule Msfpayloads_msf_cmd {
meta:
description = "Metasploit Payloads - file msf-cmd.ps1"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Internal Research"
date = "2017-02-09"
hash1 = "9f41932afc9b6b4938ee7a2559067f4df34a5c8eae73558a3959dd677cb5867f"
strings:
$x1 = "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e" ascii
condition:
all of them
}
rule Msfpayloads_msf_9 {
meta:
description = "Metasploit Payloads - file msf.war - contents"
author = "Florian Roth"
reference = "Internal Research"
date = "2017-02-09"
hash1 = "e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81"
strings:
$s1 = "if (System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") != -1)" fullword ascii
$s2 = ".concat(\".exe\");" fullword ascii
$s3 = "[0] = \"chmod\";" ascii
$s4 = "= Runtime.getRuntime().exec(" ascii
$s5 = ", 16) & 0xff;" ascii
$x1 = "4d5a9000030000000" ascii
condition:
4 of ($s*) or (
uint32(0) == 0x61356434 and $x1 at 0
)
}
rule Msfpayloads_msf_10 {
meta:
description = "Metasploit Payloads - file msf.exe"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Internal Research"
date = "2017-02-09"
hash1 = "3cd74fa28323c0d64f45507675ac08fb09bae4dd6b7e11f2832a4fbc70bb7082"
strings:
$s1 = { 0c 8b 52 14 8b 72 28 0f b7 4a 26 31 ff ac 3c 61 }
$s2 = { 01 c7 38 e0 75 f6 03 7d f8 3b 7d 24 75 e4 58 8b }
$s3 = { 01 d0 89 44 24 24 5b 5b 61 59 5a 51 ff e0 5f 5f }
condition:
( uint16(0) == 0x5a4d and filesize < 200KB and all of them )
}
rule Msfpayloads_msf_svc {
meta:
description = "Metasploit Payloads - file msf-svc.exe"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Internal Research"
date = "2017-02-09"
hash1 = "2b02c9c10577ee0c7590d3dadc525c494122747a628a7bf714879b8e94ae5ea1"
strings:
$s1 = "PAYLOAD:" fullword ascii
$s2 = ".exehll" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 50KB and all of them )
}
rule Msfpayloads_msf_11 {
meta:
description = "Metasploit Payloads - file msf.hta"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Internal Research"
date = "2017-02-09"
hash1 = "d1daf7bc41580322333a893133d103f7d67f5cd8a3e0f919471061d41cf710b6"
strings:
$s1 = ".ExpandEnvironmentStrings(\"%PSModulePath%\") + \"..\\powershell.exe\") Then" fullword ascii
$s2 = "= CreateObject(\"Scripting.FileSystemObject\")" fullword ascii
$s3 = "= CreateObject(\"Wscript.Shell\") " fullword ascii
condition:
all of them
}
rule Msfpayloads_msf_ref {
meta:
description = "Metasploit Payloads - file msf-ref.ps1"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Internal Research"
date = "2017-02-09"
hash1 = "4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87"
strings:
$s1 = "kernel32.dll WaitForSingleObject)," ascii
$s2 = "= ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\\\')" ascii
$s3 = "GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object" ascii
$s4 = ".DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual'," ascii
$s5 = "= [System.Convert]::FromBase64String(" ascii
$s6 = "[Parameter(Position = 0, Mandatory = $True)] [Type[]]" fullword ascii
$s7 = "DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard," ascii
condition:
5 of them
}
rule MAL_Metasploit_Framework_UA {
meta:
description = "Detects User Agent used in Metasploit Framework"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://github.com/rapid7/metasploit-framework/commit/12a6d67be48527f5d3987e40cac2a0cbb4ab6ce7"
date = "2018-08-16"
score = 65
hash1 = "1743e1bd4176ffb62a1a0503a0d76033752f8bd34f6f09db85c2979c04bbdd29"
strings:
$s3 = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 400KB and 1 of them
}
rule HKTL_Meterpreter_inMemory {
meta:
description = "Detects Meterpreter in-memory"
author = "netbiosX, Florian Roth"
reference = "https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/"
date = "2020-06-29"
score = 85
strings:
$xc1 = { 6D 65 74 73 72 76 2E 64 6C 6C 00 00 52 65 66 6C
65 63 74 69 76 65 4C 6F 61 64 65 72 }
$xs1 = "metsrv.x64.dll" ascii fullword
$s1 = "WS2_32.dll" ascii fullword
$s2 = "ReflectiveLoader" ascii fullword
condition:
1 of ($x*) or 2 of them
}
Reference in New Issue View Git Blame Copy Permalink