#100DaysofYARA 2024 – Day 94 – LATCHKEY

FIN13 (also tracked as ElephantBeetle and SQUAB SPIDER) is a financially motivated actor that has carried out targeted intrusions against financial institutions in Mexico and Latin America since at least 2016. Rather than relying on commodity tooling such as CobaltStrike or a Ransomware-as-a-Service payload, the group leans heavily on custom tools (for example webshells used to tunnel network traffic) and monetises its access through data theft and the injection of fraudulent transactions into payment systems. This series of rules covers the custom tools attributed to FIN13 in the Mandiant blog post “FIN13: A Cybercriminal Threat Actor Focused on Mexico”.

LATCHKEY is a PowerShell-to-EXE (PS2EXE) compiled dropper that base64-decodes and executes an embedded copy of the PowerSploit function Out-Minidump, which writes a minidump of the LSASS process to disk for offline credential recovery. PS2EXE embeds the script as a base64 string literal inside a .NET assembly, and .NET stores string literals as UTF-16, so the rule below searches for the base64 form of the Out-Minidump code with the base64wide modifier rather than plain base64.

rule MAL_FIN13_LATCHKEY {
    meta:
        description = "Matches strings found in LATCHKEY ps2exe loader used by FIN13 (AKA: ElephantBeetle, SQUAB SPIDER)"
        last_modified = "2024-04-03"
        author = "@petermstewart"
        DaysofYara = "94/100"
        sha256 = "b23621caf5323e2207d8fbf5bee0a9bd9ce110af64b8f5579a80f2767564f917"
        ref = "https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico"

    strings:
        // "Unhandeled" is the spelling used in the PS2EXE source; do not "correct" it
        $a1 = "Unhandeled exception in PS2EXE" wide
        $b1 = "function Out-Minidump" base64wide
        $b2 = "$MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags)" base64wide
        $b3 = "Get-Process lsass | Out-Minidump" base64wide

    condition:
        filesize < 50KB and
        uint16(0) == 0x5a4d and
        all of them
}

Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.

#100DaysofYARA 2024 – Day 92 – BLUEAGAVE (PowerShell)

In my job as a threat hunter I tend to focus on eCrime activity. Most of the time this means finding and tracking ransomware actors, but now and again I get to work on something a little bit different!


Today’s rule matches strings contained in BLUEAGAVE, a PowerShell passive backdoor deployed during initial access. It listens for HTTP requests on a configured port, URL-decodes the value of the kmd parameter and runs it through cmd.exe, which is exactly the sequence the three strings below capture.

rule MAL_FIN13_BLUEAGAVE_PowerShell {
    meta:
        description = "Matches code sample of BLUEAGAVE PowerShell webshell used by FIN13 (AKA: ElephantBeetle, SQUAB SPIDER)"
        last_modified = "2024-04-01"
        author = "@petermstewart"
        DaysofYara = "92/100"
        ref = "https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico"

    strings:
        $a1 = "$decode = [System.Web.HttpUtility]::UrlDecode($data.item('kmd'))" ascii wide
        $a2 = "$Out =  cmd.exe /c $decode 2>&1" ascii wide
        $a3 = "$url = 'http://*:" ascii wide

    condition:
        filesize < 5KB and
        all of them
}


#100DaysofYARA 2024 – Day 51 – PowerShell Download Commands

There are so many ways to obfuscate PowerShell commands that this might seem like a waste of time, but today’s rule targets the plain, unobfuscated form of the common download cradle. The condition requires only four of the five strings, so a cradle that is pasted into an already running PowerShell session (no literal "powershell" on the line) or that pipes the result somewhere other than IEX still matches.

rule TTP_PowerShell_Download_command {
    meta:
        description = "Matches strings commonly found in PowerShell download cradles."
        last_modified = "2024-02-20"
        author = "@petermstewart"
        DaysofYara = "51/100"
        ref = "https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters"

    strings:
        $a = "powershell" nocase ascii wide
        $b = "IEX" nocase ascii wide
        $c = "New-Object" nocase ascii wide
        $d = "Net.Webclient" nocase ascii wide
        $e = ".downloadstring(" nocase ascii wide

    condition:
        4 of them
}


#100DaysofYARA 2024 – Day 41 – Base64-Encoded CobaltStrike PowerShell Loader

In my day job I most commonly find CobaltStrike Beacon payloads executed via base64-encoded PowerShell following an initial compromise; maybe phishing or a web application vulnerability leading to command execution. Encoding the command means the threat actor doesn’t need to worry about matching quotes, brackets, etc. when passing the command over the channel.

This rule uses YARA’s base64 modifier together with wide to match the encoded form of the loader. PowerShell’s -EncodedCommand expects the UTF-16LE bytes of the script base64-encoded, so the wide modifier converts each string to UTF-16LE before the base64 variants are generated; a plain base64 modifier would be looking for the encoding of the ASCII text and would miss these command lines.

rule MAL_CobaltStrike_Powershell_loader_base64 {
    meta:
        description = "Matches base64-encoded strings found in CobaltStrike PowerShell loader commands."
        last_modified = "2024-02-10"
        author = "@petermstewart"
        DaysofYara = "41/100"

    strings:
        $a1 = "=New-Object IO.MemoryStream(" base64 wide
        $a2 = "[Convert]::FromBase64String(" base64 wide
        $a3 = "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()" base64 wide

    condition:
        all of them
}
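Both this rule and the Day 94 LATCHKEY rule depend on how YARA's base64 modifiers behave, so here is an added illustration (not code from the original posts or from YARA itself) of the technique they are built on: base64 encodes three bytes as four characters, so a substring encodes differently depending on its byte offset modulo 3, and a detector has to search for all three alignment-specific fragments. The functions below generate those fragments and then mirror the two modifier combinations used on this page: `base64 wide` (UTF-16LE text, then base64, as -EncodedCommand produces) and `base64wide` (ASCII text, then base64, with the base64 text itself stored as UTF-16LE, as a .NET string literal is inside a PS2EXE binary). The loader command, the Out-Minidump script and the MZ-prefixed blob are constructed stand-ins for the real samples, and YARA's exact treatment of the edge characters is not reproduced here; the trimming is the conservative one that keeps only characters fully determined by the searched text.

```python
import base64

# Constructed samples for the demonstration (not taken from the page's samples).
LOADER_CMD = (
    "$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('H4sIAAAAAAAA'));"
    "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
    "$s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();"
)
PS2EXE_SCRIPT = (
    "function Out-Minidump {\n"
    "    $MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags)\n"
    "}\n"
    "Get-Process lsass | Out-Minidump\n"
)


def base64_search_terms(plain):
    """Three alignment-specific base64 fragments for `plain` (bytes).

    Prepending 0, 1 or 2 filler bytes produces each alignment. The leading
    characters that mix in filler bits, and the trailing character that mixes
    in bits of whatever follows the plaintext, are dropped, leaving a fragment
    that is stable for that alignment regardless of the surrounding data.
    """
    terms = []
    for prefix_len in range(3):
        encoded = base64.b64encode(b"\x00" * prefix_len + plain).decode("ascii").rstrip("=")
        lead = (0, 2, 3)[prefix_len]                       # chars polluted by filler bits
        trail = 1 if (prefix_len + len(plain)) % 3 else 0  # char polluted by the next byte
        terms.append(encoded[lead:len(encoded) - trail])
    return terms


def yara_terms(text, wide_input=False, wide_output=False):
    """Byte patterns a YARA text string searches for under the page's modifiers.

    wide_input  -> `wide`: plaintext becomes UTF-16LE before encoding
                   (Day 41, `base64 wide`; what -EncodedCommand consumes)
    wide_output -> `base64wide`: the base64 text itself is UTF-16LE
                   (Day 94; a .NET string literal inside a PS2EXE binary)
    """
    plain = text.encode("utf-16-le" if wide_input else "ascii")
    out_enc = "utf-16-le" if wide_output else "ascii"
    return [t.encode(out_enc) for t in base64_search_terms(plain)]


def matches(buf, text, wide_input=False, wide_output=False):
    """True if any alignment variant of `text` occurs in `buf`."""
    return any(term in buf for term in yara_terms(text, wide_input, wide_output))


def encoded_command_line(command, shift=0):
    """Constructed `powershell -EncodedCommand` line: UTF-16LE text, then base64.
    `shift` leading spaces move the loader text to a different byte alignment."""
    payload = (" " * shift + command).encode("utf-16-le")
    return b"powershell -nop -w hidden -EncodedCommand " + base64.b64encode(payload)


def ps2exe_like_blob(script, shift=0):
    """Constructed stand-in for a PS2EXE binary: an MZ header, then the script
    base64-encoded from UTF-8 and stored as a UTF-16LE .NET string literal."""
    b64 = base64.b64encode((" " * shift + script).encode("utf-8")).decode("ascii")
    return b"MZ" + b"\x00" * 62 + b64.encode("utf-16-le")


if __name__ == "__main__":
    for s in range(3):  # every alignment must hit, which is why three fragments exist
        assert matches(encoded_command_line(LOADER_CMD, s),
                       "=New-Object IO.MemoryStream(", wide_input=True)
        assert matches(ps2exe_like_blob(PS2EXE_SCRIPT, s),
                       "Get-Process lsass | Out-Minidump", wide_output=True)
    # A plain `base64` modifier (ASCII in, ASCII out) would miss both encodings.
    assert not matches(encoded_command_line(LOADER_CMD), "=New-Object IO.MemoryStream(")
    assert not matches(ps2exe_like_blob(PS2EXE_SCRIPT), "Get-Process lsass | Out-Minidump")
    print("all three alignments matched for both encodings")
```

The `shift` loop is the point of the exercise: a single base64 encoding of the search string only hits one alignment in three, which is why a rule written with a hand-encoded literal (or grep over a base64 blob) silently misses two thirds of otherwise identical payloads.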


#100DaysofYARA 2024 – Day 40 – CobaltStrike PowerShell Loader

I deal with CobaltStrike pretty much every day in my job and in my experience it is by far the most commonly abused C2 framework. CobaltStrike isn’t new and there is already a huge collection of public research and detections available; Google, for example, published an extensive collection of YARA rules in 2022. One aspect that I did not find a public rule for though was the PowerShell Beacon loader:

rule MAL_CobaltStrike_Powershell_loader {
    meta:
        description = "Matches strings found in CobaltStrike PowerShell loader samples."
        last_modified = "2024-02-09"
        author = "@petermstewart"
        DaysofYara = "40/100"
        sha256 = "9c9e8841d706406bc23d05589f77eec6f8df6d5e4076bc6a762fdb423bfe8c24"
        sha256 = "6881531ab756d62bdb0c3279040a5cbe92f9adfeccb201cca85b7d3cff7158d3"
        ref = "https://medium.com/@cybenfolland/deobfuscating-a-powershell-cobalt-strike-beacon-loader-c650df862c34"
        ref = "https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/"

    strings:
        $a1 = "=New-Object IO.MemoryStream("
        $a2 = "[Convert]::FromBase64String("
        $a3 = "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()"
        $b1 = "Set-StrictMode -Version 2"
        $b2 = "$DoIt = @'"
        $b3 = "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($DoIt))"
        $b4 = "start-job { param($a) IEX $a }"

    condition:
        all of ($a*) or
        all of ($b*)
}
