[Rules] Reorganized folders and files (#38)

Author: fusionrace

rules/public/MachO.yara

@@ -0,0 +1,7 @@
+private rule MachO
+{
+    meta:
+        description = "Mach-O binaries"
+    condition:
+        uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca
+}

rules/public/hacktool/linux/__init__.py

@@ -1,19 +1,11 @@
-import "pe"
+include "../../MachO.yara"
 
-private rule MachO
-{
-    meta:
-        description = "Mach-O binaries"
-    condition:
-        uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca
-}
-
-rule tool_macpmem
+rule hacktool_macos_macpmem
 {
     meta:
         description = "MacPmem enables read/write access to physical memory on macOS. Can be used by CSIRT teams and attackers."
         reference = "https://github.com/google/rekall/tree/master/tools/osx/MacPmem"
-        author = "Airbnb CSIRT"
+        author = "@mimeframe"
     strings:
         // osxpmem
         $a1 = "%s/MacPmem.kext" wide ascii

rules/public/hacktool_macos.yara renamed to rules/public/hacktool/macos/hacktool_macos_macpmem.yara

@@ -0,0 +1,20 @@
+rule hacktool_multi_bloodhound_owned
+{
+    meta:
+        description = "Bloodhound: Custom queries to document a compromise, find collateral spread of owned nodes, and visualize deltas in privilege gains"
+        reference = "https://github.com/porterhau5/BloodHound-Owned/"
+        author = "@fusionrace"
+    strings:
+        $s1 = "Find all owned Domain Admins" fullword ascii wide
+        $s2 = "Find Shortest Path from owned node to Domain Admins" fullword ascii wide
+        $s3 = "List all directly owned nodes" fullword ascii wide
+        $s4 = "Set owned and wave properties for a node" fullword ascii wide
+        $s5 = "Find spread of compromise for owned nodes in wave" fullword ascii wide
+        $s6 = "Show clusters of password reuse" fullword ascii wide
+        $s7 = "Something went wrong when creating SharesPasswordWith relationship" fullword ascii wide
+        $s8 = "reference doc of custom Cypher queries for BloodHound" fullword ascii wide
+        $s9 = "Created SharesPasswordWith relationship between" fullword ascii wide
+        $s10 = "Skipping finding spread of compromise due to" fullword ascii wide
+    condition:
+        any of them
+}

rules/public/hacktool/multi/hacktool_multi_bloodhound_owned.yara

@@ -0,0 +1,12 @@
+rule hacktool_multi_jtesta_ssh_mitm
+{
+    meta:
+        description = "intercepts ssh connections to capture credentials"
+        reference = "https://github.com/jtesta/ssh-mitm"
+        author = "@fusionrace"
+    strings:
+        $a1 = "INTERCEPTED PASSWORD:" wide ascii
+        $a2 = "more sshbuf problems." wide ascii
+    condition:
+        all of ($a*)
+}

rules/public/hacktool/multi/hacktool_multi_jtesta_ssh_mitm.yara

@@ -0,0 +1,17 @@
+rule hacktool_multi_masscan
+{
+    meta:
+        description = "masscan is a performant port scanner, it produces results similar to nmap"
+        reference = "https://github.com/robertdavidgraham/masscan"
+        author = "@mimeframe"
+    strings:
+        $a1 = "EHLO masscan" fullword wide ascii
+        $a2 = "User-Agent: masscan/" wide ascii
+        $a3 = "/etc/masscan/masscan.conf" fullword wide ascii
+        $b1 = "nmap(%s): unsupported. This code will never do DNS lookups." wide ascii
+        $b2 = "nmap(%s): unsupported, we do timing WAY different than nmap" wide ascii
+        $b3 = "[hint] I've got some local priv escalation 0days that might work" wide ascii
+        $b4 = "[hint] VMware on Macintosh doesn't support masscan" wide ascii
+    condition:
+        all of ($a*) or any of ($b*)
+}

rules/public/hacktool/multi/hacktool_multi_masscan.yara

@@ -0,0 +1,19 @@
+rule hacktool_multi_ncc_ABPTTS
+{
+    meta:
+        description = "Allows for TCP tunneling over HTTP"
+        reference = "https://github.com/nccgroup/ABPTTS"
+        author = "@mimeframe"
+    strings:
+        $s1 = "---===[[[ A Black Path Toward The Sun ]]]===---" ascii wide
+        $s2 = "https://vulnerableserver/EStatus/" ascii wide
+        $s3 = "Error: no ABPTTS forwarding URL was specified. This utility will now exit." ascii wide
+        // access key
+        $s4 = "tQgGur6TFdW9YMbiyuaj9g6yBJb2tCbcgrEq" fullword ascii wide
+        // encryption key
+        $s5 = "63688c4f211155c76f2948ba21ebaf83" fullword ascii wide
+        // log file
+        $s6 = "ABPTTSClient-log.txt" fullword ascii wide
+    condition:
+        any of them
+}

rules/public/hacktool/multi/hacktool_multi_ncc_ABPTTS.yara

@@ -0,0 +1,15 @@
+rule hacktool_multi_ntlmrelayx
+{
+    meta:
+        description = "https://www.fox-it.com/en/insights/blogs/blog/inside-windows-network/"
+        reference = "https://github.com/CoreSecurity/impacket/blob/master/examples/ntlmrelayx.py"
+        author = "@mimeframe"
+    strings:
+        $a1 = "Started interactive SMB client shell via TCP" wide ascii
+        $a2 = "Service Installed.. CONNECT!" wide ascii
+        $a3 = "Done dumping SAM hashes for host:" wide ascii
+        $a4 = "DA already added. Refusing to add another" wide ascii
+        $a5 = "Domain info dumped into lootdir!" wide ascii
+    condition:
+        any of ($a*)
+}

rules/public/hacktool/multi/hacktool_multi_ntlmrelayx.yara

@@ -0,0 +1,24 @@
+rule hacktool_multi_pyrasite_py
+{
+    meta:
+        description = "A tool for injecting arbitrary code into running Python processes."
+        reference = "https://github.com/lmacken/pyrasite"
+        author = "@fusionrace"
+    strings:
+        $s1 = "WARNING: ptrace is disabled. Injection will not work." fullword ascii wide
+        $s2 = "A payload that connects to a given host:port and receives commands" fullword ascii wide
+        $s3 = "A reverse Python connection payload." fullword ascii wide
+        $s4 = "pyrasite - inject code into a running python process" fullword ascii wide
+        $s5 = "The ID of the process to inject code into" fullword ascii wide
+        $s6 = "This file is part of pyrasite." fullword ascii wide
+        $s7 = "https://github.com/lmacken/pyrasite" fullword ascii wide
+        $s8 = "Setup a communication socket with the process by injecting" fullword ascii wide
+        $s9 = "a reverse subshell and having it connect back to us." fullword ascii wide
+        $s10 = "Write out a reverse python connection payload with a custom port" fullword ascii wide
+        $s11 = "Wait for the injected payload to connect back to us" fullword ascii wide
+        $s12 = "PyrasiteIPC" fullword ascii wide
+        $s13 = "A reverse Python shell that behaves like Python interactive interpreter." fullword ascii wide
+        $s14 = "pyrasite cannot establish reverse" fullword ascii wide
+    condition:
+        any of them
+}

rules/public/hacktool/multi/hacktool_multi_pyrasite_py.yara

@@ -0,0 +1,17 @@
+rule hacktool_multi_responder_py
+{
+    meta:
+        description = "Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server"
+        reference = "http://www.c0d3xpl0it.com/2017/02/compromising-domain-admin-in-internal-pentest.html"
+        author = "@fusionrace"
+    strings:
+        $s1 = "Poison all requests with another IP address than Responder's one." fullword ascii wide
+        $s2 = "Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned." fullword ascii wide
+        $s3 = "Enable answers for netbios wredir suffix queries. Answering to wredir will likely break stuff on the network." fullword ascii wide
+        $s4 = "This option allows you to fingerprint a host that issued an NBT-NS or LLMNR query." fullword ascii wide
+        $s5 = "Upstream HTTP proxy used by the rogue WPAD Proxy for outgoing requests (format: host:port)" fullword ascii wide
+        $s6 = "31mOSX detected, -i mandatory option is missing" fullword ascii wide
+        $s7 = "This option allows you to fingerprint a host that issued an NBT-NS or LLMNR query." fullword ascii wide
+    condition:
+        any of them
+}

rules/public/hacktool/multi/hacktool_multi_responder_py.yara

@@ -0,0 +1,15 @@
+rule hacktool_windows_hot_potato
+{
+    meta:
+        description = "https://foxglovesecurity.com/2016/01/16/hot-potato/"
+        reference = "https://github.com/foxglovesec/Potato"
+        author = "@mimeframe"
+    strings:
+        $a1 = "Parsing initial NTLM auth..." wide ascii
+        $a2 = "Got PROPFIND for /test..." wide ascii
+        $a3 = "Starting NBNS spoofer..." wide ascii
+        $a4 = "Exhausting UDP source ports so DNS lookups will fail..." wide ascii
+        $a5 = "Usage: potato.exe -ip" wide ascii
+    condition:
+        any of ($a*)
+}

rules/public/hacktool/windows/hacktool_windows_hot_potato.yara

@@ -0,0 +1,24 @@
+rule hacktool_windows_mimikatz_copywrite
+{
+    meta:
+        description = "Mimikatz credential dump tool: Author copywrite"
+        reference = "https://github.com/gentilkiwi/mimikatz"
+        author = "@fusionrace"
+        md5_1 = "0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8"
+        md5_2 = "0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b"
+        md5_3 = "0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143"
+        md5_4 = "004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c"
+        md5_5 = "09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca"
+        md5_6 = "09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669"
+    strings:
+        $s1 = "Kiwi en C" fullword ascii wide
+        $s2 = "Benjamin DELPY `gentilkiwi`" fullword ascii wide
+        $s3 = "http://blog.gentilkiwi.com/mimikatz" fullword ascii wide
+        $s4 = "Build with love for POC only" fullword ascii wide
+        $s5 = "gentilkiwi (Benjamin DELPY)" fullword wide
+        $s6 = "KiwiSSP" fullword wide
+        $s7 = "Kiwi Security Support Provider" fullword wide
+        $s8 = "kiwi flavor !" fullword wide
+    condition:
+        any of them
+}

rules/public/hacktool/windows/hacktool_windows_mimikatz_copywrite.yara

@@ -0,0 +1,16 @@
+rule hacktool_windows_mimikatz_errors
+{
+    meta:
+        description = "Mimikatz credential dump tool: Error messages"
+        reference = "https://github.com/gentilkiwi/mimikatz"
+        author = "@fusionrace"
+        md5_1 = "09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669"
+        md5_2 = "004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c"
+    strings:
+        $s1 = "[ERROR] [LSA] Symbols" fullword ascii wide
+        $s2 = "[ERROR] [CRYPTO] Acquire keys" fullword ascii wide
+        $s3 = "[ERROR] [CRYPTO] Symbols" fullword ascii wide
+        $s4 = "[ERROR] [CRYPTO] Init" fullword ascii wide
+    condition:
+        all of them
+}

rules/public/hacktool/windows/hacktool_windows_mimikatz_errors.yara

@@ -0,0 +1,15 @@
+rule hacktool_windows_mimikatz_files
+{
+    meta:
+        description = "Mimikatz credential dump tool: Files"
+        reference = "https://github.com/gentilkiwi/mimikatz"
+        author = "@fusionrace"
+        md5_1 = "09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669"
+        md5_2 = "004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c"
+    strings:
+        $s1 = "kiwifilter.log" fullword wide
+        $s2 = "kiwissp.log" fullword wide
+        $s3 = "mimilib.dll" fullword ascii wide
+    condition:
+        any of them
+}

rules/public/hacktool/windows/hacktool_windows_mimikatz_files.yara

@@ -0,0 +1,18 @@
+rule hacktool_windows_mimikatz_modules
+{
+    meta:
+        description = "Mimikatz credential dump tool: Modules"
+        reference = "https://github.com/gentilkiwi/mimikatz"
+        author = "@fusionrace"
+        md5_1 = "0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8"
+        md5_2 = "0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b"
+        md5_3 = "09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669"
+        md5_4 = "004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c"
+        md5_5 = "0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143"
+    strings:
+        $s1 = "mimilib" fullword ascii wide
+        $s2 = "mimidrv" fullword ascii wide
+        $s3 = "mimilove" fullword ascii wide
+    condition:
+        any of them
+}

rules/public/hacktool/windows/hacktool_windows_mimikatz_modules.yara

@@ -0,0 +1,18 @@
+rule hacktool_windows_mimikatz_sekurlsa
+{
+    meta:
+        description = "Mimikatz credential dump tool"
+        reference = "https://github.com/gentilkiwi/mimikatz"
+        author = "@fusionrace"
+        SHA256_1 = "09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669"
+        SHA256_2 = "004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c"
+    strings:
+        $s1 = "dpapisrv!g_MasterKeyCacheList" fullword ascii wide
+        $s2 = "lsasrv!g_MasterKeyCacheList" fullword ascii wide
+        $s3 = "!SspCredentialList" ascii wide
+        $s4 = "livessp!LiveGlobalLogonSessionList" fullword ascii wide
+        $s5 = "wdigest!l_LogSessList" fullword ascii wide
+        $s6 = "tspkg!TSGlobalCredTable" fullword ascii wide
+    condition:
+        all of them
+}

rules/public/hacktool/windows/hacktool_windows_mimikatz_sekurlsa.yara

@@ -0,0 +1,18 @@
+rule hacktool_windows_ncc_wmicmd
+{
+    meta:
+        description = "Command shell wrapper for WMI"
+        reference = "https://github.com/nccgroup/WMIcmd"
+        author = "@mimeframe"
+    strings:
+        $a1 = "Need to specify a username, domain and password for non local connections" wide ascii
+        $a2 = "WS-Management is running on the remote host" wide ascii
+        $a3 = "firewall (if enabled) allows connections" wide ascii
+        $a4 = "WARNING: Didn't see stdout output finished marker - output may be truncated" wide ascii
+        $a5 = "Command sleep in milliseconds - increase if getting truncated output" wide ascii
+        $b1 = "0x800706BA" wide ascii
+        $b2 = "NTLMDOMAIN:" wide ascii
+        $b3 = "cimv2" wide ascii
+    condition:
+        any of ($a*) or all of ($b*)
+}

rules/public/hacktool/windows/hacktool_windows_ncc_wmicmd.yara

@@ -0,0 +1,14 @@
+rule hacktool_windows_rdp_cmd_delivery
+{
+    meta:
+        description = "Delivers a text payload via RDP (rubber ducky)"
+        reference = "https://github.com/nopernik/mytools/blob/master/rdp-cmd-delivery.sh"
+        author = "@fusionrace"
+    strings:
+        $s1 = "Usage: rdp-cmd-delivery.sh OPTIONS" ascii wide
+        $s2 = "[--tofile 'c:\\test.txt' local.ps1 #will copy contents of local.ps1 to c:\\test.txt" ascii wide
+        $s3 = "-cmdfile local.bat                #will execute everything from local.bat" ascii wide
+        $s4 = "To deliver powershell payload, use '--cmdfile script.ps1' but inside powershell console" ascii wide
+    condition:
+        any of them
+}

rules/public/hacktool/windows/hacktool_windows_rdp_cmd_delivery.yara

@@ -0,0 +1,21 @@
+rule hacktool_windows_wmi_implant
+{
+    meta:
+        description = "A PowerShell based tool that is designed to act like a RAT"
+        reference = "https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html"
+        author = "@fusionrace"
+    strings:
+        $s1 = "This really isn't applicable unless you are using WMImplant interactively." fullword ascii wide
+        $s2 = "What command do you want to run on the remote system? >" fullword ascii wide
+        $s3 = "Do you want to [create] or [delete] a string registry value? >" fullword ascii wide
+        $s4 = "Do you want to run a WMImplant against a list of computers from a file? [yes] or [no] >" fullword ascii wide
+        $s5 = "What is the name of the service you are targeting? >" fullword ascii wide
+        $s6 = "This function enables the user to upload or download files to/from the attacking machine to/from the targeted machine" fullword ascii wide
+        $s7 = "gen_cli - Generate the CLI command to execute a command via WMImplant" fullword ascii wide
+        $s8 = "exit - Exit WMImplant" fullword ascii wide
+        $s9 = "Lateral Movement Facilitation" fullword ascii wide
+        $s10 = "vacant_system - Determine if a user is away from the system." fullword ascii wide
+        $s11 = "Please provide the ProcessID or ProcessName flag to specify the process to kill!" fullword ascii wide
+    condition:
+        any of them
+}