186 lines
4.9 KiB
Markdown
186 lines
4.9 KiB
Markdown
```
|
|
rule ShellJSP {
|
|
meta:
|
|
reference="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
|
|
strings:
|
|
$s1 = "decrypt(fpath)"
|
|
$s2 = "decrypt(fcontext)"
|
|
$s3 = "decrypt(commandEnc)"
|
|
$s4 = "upload failed!"
|
|
$s5 = "aes.encrypt(allStr)"
|
|
$s6 = "newid"
|
|
condition:
|
|
filesize < 50KB and 4 of them
|
|
}
|
|
```
|
|
|
|
```
|
|
rule EncryptJSP {
|
|
meta:
|
|
reference="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
|
|
strings:
|
|
$s1 = "AEScrypt"
|
|
$s2 = "AES/CBC/PKCS5Padding"
|
|
$s3 = "SecretKeySpec"
|
|
$s4 = "FileOutputStream"
|
|
$s5 = "getParameter"
|
|
$s6 = "new ProcessBuilder"
|
|
$s7 = "new BufferedReader"
|
|
$s8 = "readLine()"
|
|
condition:
|
|
filesize < 50KB and 6 of them
|
|
}
|
|
```
|
|
|
|
```
|
|
rule CustomFRPClient {
|
|
meta:
|
|
reference="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
|
|
description=”Identify instances of the actor's custom FRP tool based
|
|
on unique strings chosen by the actor and included in the tool”
|
|
strings:
|
|
$s1 = "%!PS-Adobe-" nocase ascii wide
|
|
$s2 = "github.com/fatedier/frp/cmd/frpc" nocase ascii wide
|
|
$s3 = "github.com/fatedier/frp/cmd/frpc/sub.startService" nocase
|
|
ascii wide
|
|
$s4 = "MAGA2024!!!" nocase ascii wide
|
|
$s5 = "HTTP_PROXYHost: %s" nocase ascii wide
|
|
condition:
|
|
all of them
|
|
}
|
|
```
|
|
|
|
```
|
|
rule HACKTOOL_FRPClient {
|
|
meta:
|
|
reference="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
|
|
description=”Identify instances of FRP tool (Note: This tool is
|
|
known to be used by multiple actors, so hits would not necessarily imply
|
|
activity by the specific actor described in this report)”
|
|
strings:
|
|
$s1 = "%!PS-Adobe-" nocase ascii wide
|
|
$s2 = "github.com/fatedier/frp/cmd/frpc" nocase ascii wide
|
|
$s3 = "github.com/fatedier/frp/cmd/frpc/sub.startService" nocase
|
|
ascii wide
|
|
$s4 = "HTTP_PROXYHost: %s" nocase ascii wide
|
|
condition:
|
|
3 of them
|
|
}
|
|
```
|
|
|
|
```
|
|
rule CrowdStrike_VANGUARD_PANDA_timewarp_webshell : webshell vanguard_panda
|
|
{
|
|
meta:
|
|
copyright = "(c) 2023 CrowdStrike Inc."
|
|
description = "Timewarp Java webshell in malicious Tomcat module"
|
|
version = "202306131008"
|
|
last_modified = "2023-06-13"
|
|
actor = "VANGUARD PANDA"
|
|
strings:
|
|
$ = "setKey"
|
|
$ = "ProcessBuilder"
|
|
$ = "AES/ECB/PKCS5Padding"
|
|
$ = "tmp.log"
|
|
$ = "byteKey"
|
|
$ = "method0"
|
|
$ = "failed to read output from process"
|
|
condition:
|
|
filesize<50KB and 4 of them
|
|
}
|
|
```
|
|
|
|
```
|
|
rule CrowdStrike_VANGUARD_PANDA_timewarp_webshell_jar : java vanguard_panda
|
|
{
|
|
meta:
|
|
copyright = "(c) 2023 CrowdStrike Inc."
|
|
description = "JAR file containing Timewarp webshell"
|
|
version = "202306131011"
|
|
last_modified = "2023-06-13"
|
|
actor = "VANGUARD PANDA"
|
|
reference = "https://www.crowdstrike.com/en-us/blog/falcon-complete-thwarts-vanguard-panda-tradecraft/"
|
|
strings:
|
|
$WsSci = "/WsSci.class"
|
|
$abc1 = "/A.class"
|
|
$abc2 = "/B.class"
|
|
$abc3 = "/C.class"
|
|
$timewarp1 = "/Timewarp.class"
|
|
$timewarp2 = "/Timewarp2.class"
|
|
$timewarp3 = "/Timewarp3.class"
|
|
condition:
|
|
uint16(0)==0x4b50 and filesize<1MB and $WsSci and (all of ($abc*) or all of ($timewarp*))
|
|
}
|
|
```
|
|
|
|
```
|
|
rule CrowdStrike_VANGUARD_PANDA_webshell_installer : java vanguard_panda
|
|
{
|
|
meta:
|
|
copyright = "(c) 2023 CrowdStrike Inc."
|
|
description = "ClassLoader - Java webshell install and execute script"
|
|
version = "202306131012"
|
|
last_modified = "2023-06-13"
|
|
actor = "VANGUARD PANDA"
|
|
reference = "https://www.crowdstrike.com/en-us/blog/falcon-complete-thwarts-vanguard-panda-tradecraft/"
|
|
strings:
|
|
$ = ""
|
|
$ = "customEndpoint1"
|
|
$ = "move true
|
|
"
|
|
$ = "inject true
|
|
"
|
|
$ = "ListName_jsp"
|
|
$ = "photohelp_jsp"
|
|
$ = "photoparse_jsp"
|
|
$ = "Timewarp.class"
|
|
$ = "WsSci.class"
|
|
$ = "/A.class"
|
|
$ = "srcZipfs.getPath"
|
|
condition:
|
|
filesize<50KB and 4 of them
|
|
}
|
|
```
|
|
|
|
```
|
|
rule Volt_Suspicious_IPs
|
|
{
|
|
meta:
|
|
description = "Detects known malicious Volt Typhoon IP addresses"
|
|
author = "Cpl Iverson"
|
|
date = "2025-01-08"
|
|
|
|
strings:
|
|
$ip1 = "46.10.197.206"
|
|
$ip2 = "176.102.35.175"
|
|
$ip3 = "93.62.0.77"
|
|
$ip4 = "194.50.159.3"
|
|
$ip5 = "80.64.80.169"
|
|
$ip6 = "24.212.225.54"
|
|
$ip7 = "208.97.106.10"
|
|
$ip8 = "70.60.30.222"
|
|
$ip9 = "184.67.141.110"
|
|
$ip10 = "202.22.227.179"
|
|
$ip11 = "49.204.75.92"
|
|
$ip12 = "61.2.141.161"
|
|
$ip13 = "49.204.75.90"
|
|
$ip14 = "114.143.222.242"
|
|
$ip15 = "117.211.166.22"
|
|
$ip16 = "49.204.65.90"
|
|
$ip17 = "49.204.73.250"
|
|
$ip18 = "192.149.47.110"
|
|
$ip19 = "212.11.106.139"
|
|
$ip20 = "89.203.140.246"
|
|
$ip21 = "94.125.218.19"
|
|
$ip22 = "183.82.110.178"
|
|
$ip23 = "117.239.157.74"
|
|
$ip24 = "210.212.224.124"
|
|
$ip25 = "109.166.39.139"
|
|
$ip26 = "23.227.198.247"
|
|
$ip27 = "104.161.54.203"
|
|
|
|
condition:
|
|
any of them
|
|
}
|
|
```
|