3.9 KiB
3.9 KiB
rule ShellJSP {
meta:
reference="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
strings:
$s1 = "decrypt(fpath)"
$s2 = "decrypt(fcontext)"
$s3 = "decrypt(commandEnc)"
$s4 = "upload failed!"
$s5 = "aes.encrypt(allStr)"
$s6 = "newid"
condition:
filesize < 50KB and 4 of them
}
rule EncryptJSP {
meta:
reference="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
strings:
$s1 = "AEScrypt"
$s2 = "AES/CBC/PKCS5Padding"
$s3 = "SecretKeySpec"
$s4 = "FileOutputStream"
$s5 = "getParameter"
$s6 = "new ProcessBuilder"
$s7 = "new BufferedReader"
$s8 = "readLine()"
condition:
filesize < 50KB and 6 of them
}
rule CustomFRPClient {
meta:
reference="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
description=”Identify instances of the actor's custom FRP tool based
on unique strings chosen by the actor and included in the tool”
strings:
$s1 = "%!PS-Adobe-" nocase ascii wide
$s2 = "github.com/fatedier/frp/cmd/frpc" nocase ascii wide
$s3 = "github.com/fatedier/frp/cmd/frpc/sub.startService" nocase
ascii wide
$s4 = "MAGA2024!!!" nocase ascii wide
$s5 = "HTTP_PROXYHost: %s" nocase ascii wide
condition:
all of them
}
rule HACKTOOL_FRPClient {
meta:
reference="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
description=”Identify instances of FRP tool (Note: This tool is
known to be used by multiple actors, so hits would not necessarily imply
activity by the specific actor described in this report)”
strings:
$s1 = "%!PS-Adobe-" nocase ascii wide
$s2 = "github.com/fatedier/frp/cmd/frpc" nocase ascii wide
$s3 = "github.com/fatedier/frp/cmd/frpc/sub.startService" nocase
ascii wide
$s4 = "HTTP_PROXYHost: %s" nocase ascii wide
condition:
3 of them
}
rule CrowdStrike_VANGUARD_PANDA_timewarp_webshell : webshell vanguard_panda
{
meta:
copyright = "(c) 2023 CrowdStrike Inc."
description = "Timewarp Java webshell in malicious Tomcat module"
version = "202306131008"
last_modified = "2023-06-13"
actor = "VANGUARD PANDA"
strings:
$ = "setKey"
$ = "ProcessBuilder"
$ = "AES/ECB/PKCS5Padding"
$ = "tmp.log"
$ = "byteKey"
$ = "method0"
$ = "failed to read output from process"
condition:
filesize<50KB and 4 of them
}
rule CrowdStrike_VANGUARD_PANDA_timewarp_webshell_jar : java vanguard_panda
{
meta:
copyright = "(c) 2023 CrowdStrike Inc."
description = "JAR file containing Timewarp webshell"
version = "202306131011"
last_modified = "2023-06-13"
actor = "VANGUARD PANDA"
reference = "https://www.crowdstrike.com/en-us/blog/falcon-complete-thwarts-vanguard-panda-tradecraft/"
strings:
$WsSci = "/WsSci.class"
$abc1 = "/A.class"
$abc2 = "/B.class"
$abc3 = "/C.class"
$timewarp1 = "/Timewarp.class"
$timewarp2 = "/Timewarp2.class"
$timewarp3 = "/Timewarp3.class"
condition:
uint16(0)==0x4b50 and filesize<1MB and $WsSci and (all of ($abc*) or all of ($timewarp*))
}
rule CrowdStrike_VANGUARD_PANDA_webshell_installer : java vanguard_panda
{
meta:
copyright = "(c) 2023 CrowdStrike Inc."
description = "ClassLoader - Java webshell install and execute script"
version = "202306131012"
last_modified = "2023-06-13"
actor = "VANGUARD PANDA"
reference = "https://www.crowdstrike.com/en-us/blog/falcon-complete-thwarts-vanguard-panda-tradecraft/"
strings:
$ = ""
$ = "customEndpoint1"
$ = "move true
"
$ = "inject true
"
$ = "ListName_jsp"
$ = "photohelp_jsp"
$ = "photoparse_jsp"
$ = "Timewarp.class"
$ = "WsSci.class"
$ = "/A.class"
$ = "srcZipfs.getPath"
condition:
filesize<50KB and 4 of them
}