{
"Event": {
"analysis": "2",
"date": "2016-11-06",
"extends_uuid": "",
"info": "Yara Rule Set by Florian Roth - detection of Empire (PowerShell and Python post-exploitation agent)",
"publish_timestamp": "1478426865",
"published": true,
"threat_level_id": "3",
"timestamp": "1478426853",
"uuid": "581efd8c-7320-42e1-93b6-430102de0b81",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#380046",
"local": false,
"name": "ms-caro-malware:malware-type=\"HackTool\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#002b4a",
"local": false,
"name": "osint:source-type=\"technical-report\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426015",
"to_ids": false,
"type": "link",
"uuid": "581efd9f-1ed4-4575-ad8c-475702de0b81",
"value": "https://github.com/Neo23x0/signature-base/blob/master/yara/gen_empire.yar"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426052",
"to_ids": true,
"type": "yara",
"uuid": "581efdc5-cc10-43e2-a9d2-407302de0b81",
"value": "rule Empire_Invoke_MetasploitPayload {\r\n meta:\r\n description = \"Detects Empire component - file Invoke-MetasploitPayload.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"a85ca27537ebeb79601b885b35ddff6431860b5852c6a664d32a321782808c54\"\r\n strings:\r\n $s1 = \"$ProcessInfo.Arguments=\\\"-nop -c $DownloadCradle\\\"\" fullword ascii\r\n $s2 = \"$PowershellExe=$env:windir+'\\\\syswow64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe'\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 9KB and 1 of them ) or all of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426075",
"to_ids": true,
"type": "yara",
"uuid": "581efddb-b6e0-4b40-a2f4-47ba02de0b81",
"value": "rule Empire_Exploit_Jenkins {\r\n meta:\r\n description = \"Detects Empire component - file Exploit-Jenkins.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"a5182cccd82bb9984b804b365e07baba78344108f225b94bd12a59081f680729\"\r\n strings:\r\n $s1 = \"$postdata=\\\"script=println+new+ProcessBuilder%28%27\\\"+$($Cmd)+\\\"\" ascii\r\n $s2 = \"$url = \\\"http://\\\"+$($Rhost)+\\\":\\\"+$($Port)+\\\"/script\\\"\" fullword ascii\r\n $s3 = \"$Cmd = [System.Web.HttpUtility]::UrlEncode($Cmd)\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x6620 and filesize < 7KB and 1 of them ) or all of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426091",
"to_ids": true,
"type": "yara",
"uuid": "581efdeb-a918-444f-912c-4b9602de0b81",
"value": "rule Empire_Get_SecurityPackages {\r\n meta:\r\n description = \"Detects Empire component - file Get-SecurityPackages.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"5d06e99121cff9b0fce74b71a137501452eebbcd1e901b26bde858313ee5a9c1\"\r\n strings:\r\n $s1 = \"$null = $EnumBuilder.DefineLiteral('LOGON', 0x2000)\" fullword ascii\r\n $s2 = \"$EnumBuilder = $ModuleBuilder.DefineEnum('SSPI.SECPKG_FLAG', 'Public', [Int32])\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 20KB and 1 of them ) or all of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426111",
"to_ids": true,
"type": "yara",
"uuid": "581efdff-6ddc-4752-89fb-485f02de0b81",
"value": "rule Empire_Invoke_PowerDump {\r\n meta:\r\n description = \"Detects Empire component - file Invoke-PowerDump.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"095c5cf5c0c8a9f9b1083302e2ba1d4e112a410e186670f9b089081113f5e0e1\"\r\n strings:\r\n $x16 = \"$enc = Get-PostHashdumpScript\" fullword ascii\r\n $x19 = \"$lmhash = DecryptSingleHash $rid $hbootkey $enc_lm_hash $almpassword;\" fullword ascii\r\n $x20 = \"$rc4_key = $md5.ComputeHash($hbootkey[0..0x0f] + [BitConverter]::GetBytes($rid) + $lmntstr);\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x2023 and filesize < 60KB and 1 of them ) or all of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426133",
"to_ids": true,
"type": "yara",
"uuid": "581efe15-182c-4a00-bded-439202de0b81",
"value": "rule Empire_Install_SSP {\r\n meta:\r\n description = \"Detects Empire component - file Install-SSP.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"7fd921a23950334257dda57b99e03c1e1594d736aab2dbfe9583f99cd9b1d165\"\r\n strings:\r\n $s1 = \"Install-SSP -Path .\\\\mimilib.dll\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 20KB and 1 of them ) or all of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426150",
"to_ids": true,
"type": "yara",
"uuid": "581efe26-b710-4586-9ddd-418d02de0b81",
"value": "rule Empire_Invoke_ShellcodeMSIL {\r\n meta:\r\n description = \"Detects Empire component - file Invoke-ShellcodeMSIL.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"9a9c6c9eb67bde4a8ce2c0858e353e19627b17ee2a7215fa04a19010d3ef153f\"\r\n strings:\r\n $s1 = \"$FinalShellcode.Length\" fullword ascii\r\n $s2 = \"@(0x60,0xE8,0x04,0,0,0,0x61,0x31,0xC0,0xC3)\" fullword ascii\r\n $s3 = \"@(0x41,0x54,0x41,0x55,0x41,0x56,0x41,0x57,\" fullword ascii\r\n $s4 = \"$TargetMethod.Invoke($null, @(0x11112222)) | Out-Null\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 30KB and 1 of them ) or all of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426167",
"to_ids": false,
"type": "yara",
"uuid": "581efe37-7244-49f0-84fe-412a02de0b81",
"value": "rule Empire__Users_neo_code_Workspace_Empire_4sigs_PowerUp {\r\n meta:\r\n description = \"Detects Empire component - file PowerUp.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"ad9a5dff257828ba5f15331d59dd4def3989537b3b6375495d0c08394460268c\"\r\n strings:\r\n $x2 = \"$PoolPasswordCmd = 'c:\\\\windows\\\\system32\\\\inetsrv\\\\appcmd.exe list apppool\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x233c and filesize < 2000KB and 1 of them ) or all of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426185",
"to_ids": true,
"type": "yara",
"uuid": "581efe49-2f28-46a9-9855-429e02de0b81",
"value": "rule Empire_Invoke_Mimikatz {\r\n meta:\r\n description = \"Detects Empire component - file Invoke-Mimikatz.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3\"\r\n strings:\r\n $s1 = \"= \\\"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQ\" ascii\r\n $s2 = \"Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes64, $PEBytes32, \\\"Void\\\", 0, \\\"\\\", $ExeArgs)\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426203",
"to_ids": true,
"type": "yara",
"uuid": "581efe5b-442c-4aa2-bb73-4d7502de0b81",
"value": "rule Empire_Get_GPPPassword {\r\n meta:\r\n description = \"Detects Empire component - file Get-GPPPassword.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"55a4519c4f243148a971e4860225532a7ce730b3045bde3928303983ebcc38b0\"\r\n strings:\r\n $s1 = \"$Base64Decoded = [Convert]::FromBase64String($Cpassword)\" fullword ascii\r\n $s2 = \"$XMlFiles += Get-ChildItem -Path \\\"\\\\\\\\$DomainController\\\\SYSVOL\\\" -Recurse\" ascii\r\n $s3 = \"function Get-DecryptedCpassword {\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 30KB and 1 of them ) or all of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426220",
"to_ids": true,
"type": "yara",
"uuid": "581efe6c-9c48-4143-a91f-4c6002de0b81",
"value": "rule Empire_Invoke_SmbScanner {\r\n meta:\r\n description = \"Detects Empire component - file Invoke-SmbScanner.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"9a705f30766279d1e91273cfb1ce7156699177a109908e9a986cc2d38a7ab1dd\"\r\n strings:\r\n $s1 = \"$up = Test-Connection -count 1 -Quiet -ComputerName $Computer \" fullword ascii\r\n $s2 = \"$out | add-member Noteproperty 'Password' $Password\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 10KB and 1 of them ) or all of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426241",
"to_ids": true,
"type": "yara",
"uuid": "581efe81-4d54-4fbf-b687-4bca02de0b81",
"value": "rule Empire_Exploit_JBoss {\r\n meta:\r\n description = \"Detects Empire component - file Exploit-JBoss.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"9ea3e00b299e644551d90bbee0ce3e4e82445aa15dab7adb7fcc0b7f1fe4e653\"\r\n strings:\r\n $s1 = \"Exploit-JBoss\" fullword ascii\r\n $s2 = \"$URL = \\\"http$($SSL)://\\\" + $($Rhost) + ':' + $($Port)\" ascii\r\n $s3 = \"\\\"/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service\" ascii\r\n $s4 = \"http://blog.rvrsh3ll.net\" fullword ascii\r\n $s5 = \"Remote URL to your own WARFile to deploy.\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 10KB and 1 of them ) or all of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426257",
"to_ids": true,
"type": "yara",
"uuid": "581efe91-8460-4156-8bdc-48e302de0b81",
"value": "rule Empire_dumpCredStore {\r\n meta:\r\n description = \"Detects Empire component - file dumpCredStore.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"c1e91a5f9cc23f3626326dab2dcdf4904e6f8a332e2bce8b9a0854b371c2b350\"\r\n strings:\r\n $x1 = \"[DllImport(\\\"Advapi32.dll\\\", SetLastError = true, EntryPoint = \\\"CredReadW\\\"\" ascii\r\n $s12 = \"[String] $Msg = \\\"Failed to enumerate credentials store for user '$Env:UserName'\\\"\" fullword ascii\r\n $s15 = \"Rtn = CredRead(\\\"Target\\\", CRED_TYPE.GENERIC, out Cred);\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x233c and filesize < 40KB and 1 of them ) or all of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426275",
"to_ids": true,
"type": "yara",
"uuid": "581efea3-d140-46a5-83b3-464302de0b81",
"value": "rule Empire_Invoke_EgressCheck {\r\n meta:\r\n description = \"Detects Empire component - file Invoke-EgressCheck.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"e2d270266abe03cfdac66e6fc0598c715e48d6d335adf09a9ed2626445636534\"\r\n strings:\r\n $s1 = \"egress -ip $ip -port $c -delay $delay -protocol $protocol\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x233c and filesize < 10KB and 1 of them ) or all of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426293",
"to_ids": true,
"type": "yara",
"uuid": "581efeb5-eaac-4beb-a104-4d4702de0b81",
"value": "rule Empire_ReflectivePick_x64_orig {\r\n meta:\r\n description = \"Detects Empire component - file ReflectivePick_x64_orig.dll\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"a8c1b108a67e7fc09f81bd160c3bafb526caf3dbbaf008efb9a96f4151756ff2\"\r\n strings:\r\n $s1 = \"\\\\PowerShellRunner.pdb\" fullword ascii\r\n $s2 = \"PowerShellRunner.dll\" fullword wide\r\n $s3 = \"ReflectivePick_x64.dll\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x5a4d and filesize < 400KB and 1 of them ) or all of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426308",
"to_ids": true,
"type": "yara",
"uuid": "581efec4-4e58-4de6-a706-44e702de0b81",
"value": "rule Empire_Out_Minidump {\r\n meta:\r\n description = \"Detects Empire component - file Out-Minidump.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"7803ae7ba5d4e7d38e73745b3f321c2ca714f3141699d984322fa92e0ff037a1\"\r\n strings:\r\n $s1 = \"$Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle,\" fullword ascii\r\n $s2 = \"$ProcessFileName = \\\"$($ProcessName)_$($ProcessId).dmp\\\"\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 10KB and 1 of them ) or all of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426329",
"to_ids": true,
"type": "yara",
"uuid": "581efed9-3cc0-4170-84ba-430a02de0b81",
"value": "rule Empire_Invoke_PsExec {\r\n meta:\r\n description = \"Detects Empire component - file Invoke-PsExec.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"0218be4323959fc6379489a6a5e030bb9f1de672326e5e5b8844ab5cedfdcf88\"\r\n strings:\r\n $s1 = \"Invoke-PsExecCmd\" fullword ascii\r\n $s2 = \"\\\"[*] Executing service .EXE\" fullword ascii\r\n $s3 = \"$cmd = \\\"%COMSPEC% /C echo $Command ^> %systemroot%\\\\Temp\\\\\" ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 50KB and 1 of them ) or all of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426354",
"to_ids": true,
"type": "yara",
"uuid": "581efef2-27a4-4558-8c9a-43b502de0b81",
"value": "rule Empire_Invoke_PostExfil {\r\n meta:\r\n description = \"Detects Empire component - file Invoke-PostExfil.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"00c0479f83c3dbbeff42f4ab9b71ca5fe8cd5061cb37b7b6861c73c54fd96d3e\"\r\n strings:\r\n $s1 = \"# upload to a specified exfil URI\" fullword ascii\r\n $s2 = \"Server path to exfil to.\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x490a and filesize < 2KB and 1 of them ) or all of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426368",
"to_ids": true,
"type": "yara",
"uuid": "581eff00-8ed0-4b83-8ce5-468302de0b81",
"value": "rule Empire_Invoke_SMBAutoBrute {\r\n meta:\r\n description = \"Detects Empire component - file Invoke-SMBAutoBrute.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"7950f8abdd8ee09ed168137ef5380047d9d767a7172316070acc33b662f812b2\"\r\n strings:\r\n $s1 = \"[*] PDC: LAB-2008-DC1.lab.com\" fullword ascii\r\n $s2 = \"$attempts = Get-UserBadPwdCount $userid $dcs\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 30KB and 1 of them ) or all of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426387",
"to_ids": true,
"type": "yara",
"uuid": "581eff13-aa70-4a4f-b9df-49c402de0b81",
"value": "rule Empire_Get_Keystrokes {\r\n meta:\r\n description = \"Detects Empire component - file Get-Keystrokes.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"c36e71db39f6852f78df1fa3f67e8c8a188bf951e96500911e9907ee895bf8ad\"\r\n strings:\r\n $s1 = \"$RightMouse = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RButton) -band 0x8000) -eq 0x8000\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 30KB and 1 of them ) or all of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426448",
"to_ids": true,
"type": "yara",
"uuid": "581eff50-d410-4275-a70b-4e2d02de0b81",
"value": "rule Empire_Invoke_DllInjection {\r\n meta:\r\n description = \"Detects Empire component - file Invoke-DllInjection.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"304031aa9eca5a83bdf1f654285d86df79cb3bba4aa8fe1eb680bd5b2878ebf0\"\r\n strings:\r\n $s1 = \"-Dll evil.dll\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 40KB and 1 of them ) or all of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426464",
"to_ids": true,
"type": "yara",
"uuid": "581eff60-2ff4-4280-88cd-406502de0b81",
"value": "rule Empire_KeePassConfig {\r\n meta:\r\n description = \"Detects Empire component - file KeePassConfig.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"5a76e642357792bb4270114d7cd76ce45ba24b0d741f5c6b916aeebd45cff2b3\"\r\n strings:\r\n $s1 = \"$UserMasterKeyFiles = @(, $(Get-ChildItem -Path $UserMasterKeyFolder -Force | Select-Object -ExpandProperty FullName) )\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7223 and filesize < 80KB and 1 of them ) or all of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426479",
"to_ids": true,
"type": "yara",
"uuid": "581eff6f-0f04-446d-a5c0-40fa02de0b81",
"value": "rule Empire_Invoke_SSHCommand {\r\n meta:\r\n description = \"Detects Empire component - file Invoke-SSHCommand.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n hash1 = \"cbaf086b14d5bb6a756cbda42943d4d7ef97f8277164ce1f7dd0a1843e9aa242\"\r\n strings:\r\n $s1 = \"$Base64 = 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA\" ascii\r\n $s2 = \"Invoke-SSHCommand -ip 192.168.1.100 -Username root -Password test -Command \\\"id\\\"\" fullword ascii\r\n $s3 = \"Write-Verbose \\\"[*] Error loading dll\\\"\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x660a and filesize < 2000KB and 1 of them ) or all of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "Super Rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426516",
"to_ids": true,
"type": "yara",
"uuid": "581eff94-9c94-4ce6-bb0b-4bbf02de0b81",
"value": "rule Empire_PowerShell_Framework_Gen1 {\r\n meta:\r\n description = \"Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-DCSync.ps1, Invoke-Mimikatz.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n super_rule = 1\r\n hash1 = \"1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8\"\r\n hash2 = \"a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28\"\r\n hash3 = \"4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3\"\r\n hash4 = \"61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4\"\r\n hash5 = \"eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5\"\r\n strings:\r\n $s1 = \"Write-BytesToMemory -Bytes $Shellcode\" ascii\r\n $s2 = \"$GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp ($Shellcode1.Length)\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "Super Rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426535",
"to_ids": true,
"type": "yara",
"uuid": "581effa7-6eec-4e0b-9925-4e9302de0b81",
"value": "rule Empire_PowerUp_Gen {\r\n meta:\r\n description = \"Detects Empire component - from files PowerUp.ps1, PowerUp.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n super_rule = 1\r\n hash1 = \"ad9a5dff257828ba5f15331d59dd4def3989537b3b6375495d0c08394460268c\"\r\n strings:\r\n $s1 = \"$Result = sc.exe config $($TargetService.Name) binPath= $OriginalPath\" fullword ascii\r\n $s2 = \"$Result = sc.exe pause $($TargetService.Name)\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x233c and filesize < 2000KB and 1 of them ) or all of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "Super Rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426556",
"to_ids": true,
"type": "yara",
"uuid": "581effbc-5838-4a76-9cce-4e8702de0b81",
"value": "rule Empire_PowerShell_Framework_Gen2 {\r\n meta:\r\n description = \"Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-CredentialInjection.ps1, Invoke-DCSync.ps1, Invoke-DCSync.ps1, Invoke-Mimikatz.ps1, Invoke-PSInject.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, Invoke-ReflectivePEInjection.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n super_rule = 1\r\n hash1 = \"1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8\"\r\n hash3 = \"a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28\"\r\n hash5 = \"4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3\"\r\n hash6 = \"61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4\"\r\n hash8 = \"eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5\"\r\n strings:\r\n $x1 = \"$DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate)\" fullword ascii\r\n $s20 = \"#Shellcode: CallDllMain.asm\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "Super Rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426574",
"to_ids": true,
"type": "yara",
"uuid": "581effce-d7e4-4a05-9385-40d602de0b81",
"value": "rule Empire_Agent_Gen {\r\n meta:\r\n description = \"Detects Empire component - from files agent.ps1, agent.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n super_rule = 1\r\n hash1 = \"380fd09bfbe47d5c8c870c1c97ff6f44982b699b55b61e7c803d3423eb4768db\"\r\n hash2 = \"380fd09bfbe47d5c8c870c1c97ff6f44982b699b55b61e7c803d3423eb4768db\"\r\n strings:\r\n $s1 = \"$wc.Headers.Add(\\\"User-Agent\\\",$script:UserAgent)\" fullword ascii\r\n $s2 = \"$min = [int]((1-$script:AgentJitter)*$script:AgentDelay)\" fullword ascii\r\n $s3 = \"if ($script:AgentDelay -ne 0){\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x660a and filesize < 100KB and 1 of them ) or all of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "Super Rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426598",
"to_ids": true,
"type": "yara",
"uuid": "581effe6-df20-4d6d-b2a1-4a7602de0b81",
"value": "rule Empire_PowerShell_Framework_Gen3 {\r\n meta:\r\n description = \"Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-Mimikatz.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n super_rule = 1\r\n hash1 = \"1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8\"\r\n hash2 = \"4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3\"\r\n hash3 = \"61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4\"\r\n hash4 = \"eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5\"\r\n strings:\r\n $s1 = \"if (($PEInfo.FileType -ieq \\\"DLL\\\") -and ($RemoteProcHandle -eq [IntPtr]::Zero))\" fullword ascii\r\n $s2 = \"remote DLL injection\" ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "Super Rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426619",
"to_ids": true,
"type": "yara",
"uuid": "581efffb-bb00-4a06-a9b1-41ff02de0b81",
"value": "rule Empire_Invoke_InveighRelay_Gen {\r\n meta:\r\n description = \"Detects Empire component - from files Invoke-InveighRelay.ps1, Invoke-InveighRelay.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n super_rule = 1\r\n hash2 = \"21b90762150f804485219ad36fa509aeda210d46453307a9761c816040312f41\"\r\n strings:\r\n $s1 = \"$inveigh.SMBRelay_failed_list.Add(\\\"$HTTP_NTLM_domain_string\\\\$HTTP_NTLM_user_string $SMBRelayTarget\\\")\" fullword ascii\r\n $s2 = \"$NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 200KB and 1 of them ) or all of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "Super Rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426642",
"to_ids": true,
"type": "yara",
"uuid": "581f0012-cce0-4716-a3fa-47be02de0b81",
"value": "rule Empire_KeePassConfig_Gen {\r\n meta:\r\n description = \"Detects Empire component - from files KeePassConfig.ps1, KeePassConfig.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n super_rule = 1\r\n hash2 = \"5a76e642357792bb4270114d7cd76ce45ba24b0d741f5c6b916aeebd45cff2b3\"\r\n strings:\r\n $s1 = \"$KeePassXML = [xml](Get-Content -Path $KeePassXMLPath)\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7223 and filesize < 80KB and 1 of them ) or all of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "Super Rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426661",
"to_ids": true,
"type": "yara",
"uuid": "581f0025-2108-4e3e-9f88-4c4c02de0b81",
"value": "rule Empire_Invoke_Portscan_Gen {\r\n meta:\r\n description = \"Detects Empire component - from files Invoke-Portscan.ps1, Invoke-Portscan.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n super_rule = 1\r\n hash2 = \"cf7030be01fab47e79e4afc9e0d4857479b06a5f68654717f3bc1bc67a0f38d3\"\r\n strings:\r\n $s1 = \"Test-Port -h $h -p $Port -timeout $Timeout\" fullword ascii\r\n $s2 = \"1 {$nHosts=10; $Threads = 32; $Timeout = 5000 }\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 100KB and 1 of them ) or all of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "Super Rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426692",
"to_ids": true,
"type": "yara",
"uuid": "581f0044-47d0-4258-ad34-4ec902de0b81",
"value": "rule Empire_PowerShell_Framework_Gen4 {\r\n meta:\r\n description = \"Detects Empire component - from files Invoke-BypassUAC.ps1, Invoke-CredentialInjection.ps1, Invoke-CredentialInjection.ps1, Invoke-DCSync.ps1, Invoke-DllInjection.ps1, Invoke-Mimikatz.ps1, Invoke-PsExec.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, Invoke-Shellcode.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n super_rule = 1\r\n hash1 = \"743c51334f17751cfd881be84b56f648edbdaf31f8186de88d094892edc644a9\"\r\n hash2 = \"1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8\"\r\n hash3 = \"1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8\"\r\n hash4 = \"a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28\"\r\n hash5 = \"304031aa9eca5a83bdf1f654285d86df79cb3bba4aa8fe1eb680bd5b2878ebf0\"\r\n hash6 = \"4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3\"\r\n hash7 = \"0218be4323959fc6379489a6a5e030bb9f1de672326e5e5b8844ab5cedfdcf88\"\r\n hash8 = \"61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4\"\r\n hash9 = \"eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5\"\r\n hash10 = \"fa75cfd57269fbe3ad6bdc545ee57eb19335b0048629c93f1dc1fe1059f60438\"\r\n strings:\r\n $s1 = \"Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\\\\\\\')[-1].Equals('System.dll') }\" fullword ascii\r\n $s2 = \"# Get a handle to the module specified\" fullword ascii\r\n $s3 = \"$Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))\" fullword ascii\r\n $s4 = \"$DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate')\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "Super Rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426714",
"to_ids": true,
"type": "yara",
"uuid": "581f005a-74d4-42c2-b69a-492e02de0b81",
"value": "rule Empire_Invoke_CredentialInjection_Invoke_Mimikatz_Gen {\r\n meta:\r\n description = \"Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-Mimikatz.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n super_rule = 1\r\n hash1 = \"1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8\"\r\n hash2 = \"4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3\"\r\n strings:\r\n $s1 = \"$PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -RemoteProcHandle $RemoteProcHandle\" fullword ascii\r\n $s2 = \"$PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "Super Rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426733",
"to_ids": true,
"type": "yara",
"uuid": "581f006d-c9cc-4b62-98d5-461202de0b81",
"value": "rule Empire_Invoke_Gen {\r\n meta:\r\n description = \"Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n super_rule = 1\r\n hash1 = \"a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28\"\r\n hash2 = \"61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4\"\r\n hash3 = \"eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5\"\r\n strings:\r\n $s1 = \"$Shellcode1 += 0x48\" fullword ascii\r\n $s2 = \"$PEHandle = [IntPtr]::Zero\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 3000KB and 1 of them ) or all of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "Super Rules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478426751",
"to_ids": true,
"type": "yara",
"uuid": "581f007f-b594-4b1d-8a3f-466702de0b81",
"value": "rule Empire_PowerShell_Framework_Gen5 {\r\n meta:\r\n description = \"Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1\"\r\n author = \"Florian Roth\"\r\n reference = \"https://github.com/adaptivethreat/Empire\"\r\n date = \"2016-11-05\"\r\n super_rule = 1\r\n hash1 = \"1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8\"\r\n hash2 = \"61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4\"\r\n hash3 = \"eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5\"\r\n strings:\r\n $s1 = \"if ($ExeArgs -ne $null -and $ExeArgs -ne '')\" fullword ascii\r\n $s2 = \"$ExeArgs = \\\"ReflectiveExe $ExeArgs\\\"\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x7566 and filesize < 1000KB and 1 of them ) or all of them\r\n}"
}
]
}
} |