Commit c89d23d

february update
1 parent c473160 commit c89d23d

346 files changed: +129662 -93008 lines changed


.gitignore

Lines changed: 1 addition & 0 deletions
@@ -4,3 +4,4 @@ _utils/Intel_Reports_yara_hunting_results.txt
44
_utils/scan_results.txt
55
tests
66
_utils/test.txt
7+
_utils/translated_matched.txt
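Review bot: the new `_utils/translated_matched.txt` entry is the fourth per-file ignore for generated text output under `_utils/` (next to `_utils/Intel_Reports_yara_hunting_results.txt`, `_utils/scan_results.txt` and `_utils/test.txt`); a single `_utils/*.txt` pattern would cover these and any future scan output in one line, unless some `.txt` in that directory is meant to stay tracked.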

_utils/threathunting-keywords.csv

Lines changed: 52242 additions & 51100 deletions
Large diffs are not rendered by default.

yara_rules/all.yara

Lines changed: 15376 additions & 6582 deletions
Large diffs are not rendered by default.
Lines changed: 65 additions & 0 deletions
@@ -0,0 +1,65 @@
1+
rule Box
2+
{
3+
meta:
4+
description = "Detection patterns for the tool 'Box' taken from the ThreatHunting-Keywords github project"
5+
author = "@mthcht"
6+
reference = "https://github.com/mthcht/ThreatHunting-Keywords"
7+
tool = "Box"
8+
rule_category = "greyware_tool_keyword"
9+
10+
strings:
11+
// Description: Attackers have used box to store malicious files and then share them with targets - box can also be used for data exfiltration by attackers
12+
// Reference: https://app.box.com/
13+
$string1 = /\.realtime\.services\.box\.net/ nocase ascii wide
14+
// Description: Attackers have used box to store malicious files and then share them with targets - box can also be used for data exfiltration by attackers
15+
// Reference: https://app.box.com/
16+
$string2 = /\/BoxDrive\.msi/ nocase ascii wide
17+
// Description: Attackers have used box to store malicious files and then share them with targets - box can also be used for data exfiltration by attackers
18+
// Reference: https://app.box.com/
19+
$string3 = /\\\.boxcanvas\\BoxDesktop/ nocase ascii wide
20+
// Description: Attackers have used box to store malicious files and then share them with targets - box can also be used for data exfiltration by attackers
21+
// Reference: https://app.box.com/
22+
$string4 = /\\box\.desktop\.updateservice\.exe/ nocase ascii wide
23+
// Description: Attackers have used box to store malicious files and then share them with targets - box can also be used for data exfiltration by attackers
24+
// Reference: https://app.box.com/
25+
$string5 = /\\Box\.Updater\.Common\.dll/ nocase ascii wide
26+
// Description: Attackers have used box to store malicious files and then share them with targets - box can also be used for data exfiltration by attackers
27+
// Reference: https://app.box.com/
28+
$string6 = /\\box\\box\.exe/ nocase ascii wide
29+
// Description: Attackers have used box to store malicious files and then share them with targets - box can also be used for data exfiltration by attackers
30+
// Reference: https://app.box.com/
31+
$string7 = /\\Box\\ui\\BoxUI\.exe/ nocase ascii wide
32+
// Description: Attackers have used box to store malicious files and then share them with targets - box can also be used for data exfiltration by attackers
33+
// Reference: https://app.box.com/
34+
$string8 = /\\BoxDesktop\.boxnote\\shell\\/ nocase ascii wide
35+
// Description: Attackers have used box to store malicious files and then share them with targets - box can also be used for data exfiltration by attackers
36+
// Reference: https://app.box.com/
37+
$string9 = /\\BoxDrive\.msi/ nocase ascii wide
38+
// Description: Attackers have used box to store malicious files and then share them with targets - box can also be used for data exfiltration by attackers
39+
// Reference: https://app.box.com/
40+
$string10 = /\\Program\sFiles\\Box\\Box\\/ nocase ascii wide
41+
// Description: Attackers have used box to store malicious files and then share them with targets - box can also be used for data exfiltration by attackers
42+
// Reference: https://app.box.com/
43+
$string11 = /\\Root\\InventoryApplicationFile\\boxui\.exe/ nocase ascii wide
44+
// Description: Attackers have used box to store malicious files and then share them with targets - box can also be used for data exfiltration by attackers
45+
// Reference: https://app.box.com/
46+
$string12 = /\>Box\,\sInc\.\</ nocase ascii wide
47+
// Description: Attackers have used box to store malicious files and then share them with targets - box can also be used for data exfiltration by attackers
48+
// Reference: https://app.box.com/
49+
$string13 = /Box\.Desktop\.Installer\.CustomActions/ nocase ascii wide
50+
// Description: Attackers have used box to store malicious files and then share them with targets - box can also be used for data exfiltration by attackers
51+
// Reference: https://app.box.com/
52+
$string14 = /cdn.{0,1000}\.boxcdn\.net/ nocase ascii wide
53+
// Description: Attackers have used box to store malicious files and then share them with targets - box can also be used for data exfiltration by attackers
54+
// Reference: https://app.box.com/
55+
$string15 = /HKLM\\SOFTWARE\\Box\\Box/ nocase ascii wide
56+
// Description: Attackers have used box to store malicious files and then share them with targets - box can also be used for data exfiltration by attackers
57+
// Reference: https://app.box.com/
58+
$string16 = /sanalytics\.box\.com/ nocase ascii wide
59+
// Description: Attackers have used box to store malicious files and then share them with targets - box can also be used for data exfiltration by attackers
60+
// Reference: https://app.box.com/
61+
$string17 = /upload\.box\.com/ nocase ascii wide
62+
63+
condition:
64+
any of them
65+
}
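Review bot: every pattern in `rule Box` carries the same description and the same reference `https://app.box.com/`, which is the Box web application rather than evidence for the claim that attackers stage malware on Box or exfiltrate through it; point at least one string at a report that documents that use, or narrow the description to what the strings actually detect (presence of the Box Drive client and traffic to its endpoints). With `condition: any of them`, strings such as `$string10 = /\\Program\sFiles\\Box\\Box\\/`, `$string12 = /\>Box\,\sInc\.\</` and `$string15 = /HKLM\\SOFTWARE\\Box\\Box/` will match on every host where the client is legitimately installed, so the rule is an inventory signal rather than an alert, and the description should say so. Also, in `$string14 = /cdn.{0,1000}\.boxcdn\.net/` the `.{0,1000}` wildcard between `cdn` and the domain is effectively unbounded; if the intent is a numbered cdn host, something like `cdn[0-9]{0,3}\.boxcdn\.net` is tighter, otherwise `\.boxcdn\.net` alone suffices.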
Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
rule adobe_com
2+
{
3+
meta:
4+
description = "Detection patterns for the tool 'adobe.com' taken from the ThreatHunting-Keywords github project"
5+
author = "@mthcht"
6+
reference = "https://github.com/mthcht/ThreatHunting-Keywords"
7+
tool = "adobe.com"
8+
rule_category = "greyware_tool_keyword"
9+
10+
strings:
11+
// Description: Attackers can use adobe.com to masquerade their domain for phishing purposes.
12+
// Reference: N/A
13+
$string1 = /https\:\/\/new\.express\.adobe\.com\/publishedV2\/urn\:aaid\:sc\:/ nocase ascii wide
14+
// Description: Attackers can use adobe.com to masquerade their domain for phishing purposes.
15+
// Reference: https://www.joesandbox.com/analysis/515360/0/html
16+
$string2 = /https\:\/\/spark\.adobe\.com\/page\// nocase ascii wide
17+
18+
condition:
19+
any of them
20+
}
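Review bot: `$string1` (`https://new.express.adobe.com/publishedV2/urn:aaid:sc:`) has `Reference: N/A` while `$string2` cites a Joe Sandbox report; the other rules in this commit give a URL per pattern, so either cite the sample that motivated this pattern or state explicitly that it was added without one. Both strings are the URL prefix of legitimately published Adobe Express / Spark pages, so a match only means such a link was observed; the description should make clear that the lure is hosted on an Adobe-published page (not that a domain is being spoofed) and that hits on any organisation using Adobe Express are expected.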

yara_rules/greyware_tool_keyword/A-C/anydesk.yara

Lines changed: 71 additions & 50 deletions
@@ -18,155 +18,176 @@ rule anydesk
1818
// Reference: https://vx-underground.org/Archive/Dispossessor%20Leaks
1919
$string3 = /\sInvoke\-WebRequest\s\-Uri\shttp\:\/\/download\.anydesk\.com\/AnyDesk\.exe/ nocase ascii wide
2020
// Description: Anydesk RMM usage
21+
// Reference: https://github.com/Ab4y98/VerySimpleAnyDeskBackdoor/blob/main/AnydeskBackdoor.ps1
22+
$string4 = /\$outputPath\s\=\s\\"C\:\\AnyDesk\.exe\\"/ nocase ascii wide
23+
// Description: Anydesk RMM usage
2124
// Reference: https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/
22-
$string4 = /\/\.anydesk\/\.anydesk\.trace/
25+
$string5 = /\/\.anydesk\/\.anydesk\.trace/
2326
// Description: Anydesk RMM usage
2427
// Reference: https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/
25-
$string5 = /\/\.anydesk\/service\.conf/
28+
$string6 = /\/\.anydesk\/service\.conf/
2629
// Description: Anydesk RMM usage
2730
// Reference: https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/
28-
$string6 = /\/\.anydesk\/system\.conf/
31+
$string7 = /\/\.anydesk\/system\.conf/
2932
// Description: Anydesk RMM usage
3033
// Reference: https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/
31-
$string7 = /\/\.anydesk\/user\.conf/
34+
$string8 = /\/\.anydesk\/user\.conf/
3235
// Description: Anydesk RMM usage
3336
// Reference: https://anydesk.com/
34-
$string8 = /\/Anydesk\.exe/ nocase ascii wide
37+
$string9 = /\/Anydesk\.exe/ nocase ascii wide
3538
// Description: Anydesk RMM usage
3639
// Reference: https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/
37-
$string9 = /\/Applications\/Anydesk\.app\// nocase ascii wide
40+
$string10 = /\/Applications\/Anydesk\.app\// nocase ascii wide
3841
// Description: Anydesk RMM usage
3942
// Reference: https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/
40-
$string10 = /\/etc\/systemd\/system\/anydesk\.service/
43+
$string11 = /\/etc\/systemd\/system\/anydesk\.service/
4144
// Description: Anydesk RMM usage
4245
// Reference: https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/
43-
$string11 = /\/home\/.{0,1000}\/\.anydesk\//
46+
$string12 = /\/home\/.{0,1000}\/\.anydesk\//
4447
// Description: Anydesk RMM usage
4548
// Reference: https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/
46-
$string12 = /\/log\/anydesk\.trace/
49+
$string13 = /\/log\/anydesk\.trace/
4750
// Description: Anydesk RMM usage
4851
// Reference: https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/
49-
$string13 = "/usr/bin/anydesk"
52+
$string14 = "/usr/bin/anydesk"
5053
// Description: Anydesk RMM usage
5154
// Reference: https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/
52-
$string14 = "/usr/lib64/anydesk"
55+
$string15 = "/usr/lib64/anydesk"
5356
// Description: Anydesk RMM usage
5457
// Reference: https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/
55-
$string15 = "/usr/libexec/anydesk"
58+
$string16 = "/usr/libexec/anydesk"
5659
// Description: Anydesk RMM usage
5760
// Reference: https://www.inversecos.com/2021/02/forensic-analysis-of-anydesk-logs.html
58-
$string16 = /\\ad_svc\.trace/ nocase ascii wide
61+
$string17 = /\\ad_svc\.trace/ nocase ascii wide
5962
// Description: Anydesk RMM usage
6063
// Reference: https://anydesk.com/
61-
$string17 = /\\adprinterpipe/ nocase ascii wide
64+
$string18 = /\\adprinterpipe/ nocase ascii wide
6265
// Description: Anydesk RMM usage
6366
// Reference: https://anydesk.com/
64-
$string18 = /\\AnyDesk\s\(1\)\.exe/ nocase ascii wide
67+
$string19 = /\\AnyDesk\s\(1\)\.exe/ nocase ascii wide
6568
// Description: Anydesk RMM usage
6669
// Reference: https://anydesk.com/
67-
$string19 = /\\AnyDesk\.exe/ nocase ascii wide
70+
$string20 = /\\AnyDesk\.exe/ nocase ascii wide
6871
// Description: Anydesk RMM usage
6972
// Reference: https://anydesk.com/
70-
$string20 = /\\AnyDesk\.lnk/ nocase ascii wide
73+
$string21 = /\\AnyDesk\.lnk/ nocase ascii wide
7174
// Description: Anydesk RMM usage
7275
// Reference: https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/
73-
$string21 = /\\AnyDesk\\ad\.trace/ nocase ascii wide
76+
$string22 = /\\AnyDesk\\ad\.trace/ nocase ascii wide
7477
// Description: Anydesk RMM usage
7578
// Reference: https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/
76-
$string22 = /\\AnyDesk\\ad_svc\.trace/ nocase ascii wide
79+
$string23 = /\\AnyDesk\\ad_svc\.trace/ nocase ascii wide
80+
// Description: Anydesk RMM usage
81+
// Reference: https://github.com/Ab4y98/VerySimpleAnyDeskBackdoor/blob/main/AnydeskBackdoor.ps1
82+
$string24 = /\\AnyDesk\\AnyDesk_Output\.txt/ nocase ascii wide
7783
// Description: Anydesk RMM usage
7884
// Reference: https://anydesk.com/
79-
$string23 = /\\AnyDesk\\connection_trace\.txt/ nocase ascii wide
85+
$string25 = /\\AnyDesk\\connection_trace\.txt/ nocase ascii wide
8086
// Description: Anydesk RMM usage
8187
// Reference: https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/
82-
$string24 = /\\AnyDesk\\connection_trace\.txt/ nocase ascii wide
88+
$string26 = /\\AnyDesk\\connection_trace\.txt/ nocase ascii wide
8389
// Description: Anydesk RMM usage
8490
// Reference: https://anydesk.com/
85-
$string25 = /\\anydesk\\printer_driver/ nocase ascii wide
91+
$string27 = /\\anydesk\\printer_driver/ nocase ascii wide
8692
// Description: Anydesk RMM usage
8793
// Reference: https://anydesk.com/
88-
$string26 = /\\AnyDesk\\service\.conf/ nocase ascii wide
94+
$string28 = /\\AnyDesk\\service\.conf/ nocase ascii wide
8995
// Description: Anydesk RMM usage
9096
// Reference: https://anydesk.com/
91-
$string27 = /\\AnyDeskPrintDriver\.cat/ nocase ascii wide
97+
$string29 = /\\AnyDeskPrintDriver\.cat/ nocase ascii wide
9298
// Description: Anydesk RMM usage
9399
// Reference: https://anydesk.com/
94-
$string28 = /\\anydeskprintdriver\.inf/ nocase ascii wide
100+
$string30 = /\\anydeskprintdriver\.inf/ nocase ascii wide
95101
// Description: Anydesk RMM usage
96102
// Reference: https://anydesk.com/
97-
$string29 = /\\AppData\\Roaming\\AnyDesk\\system\.conf/ nocase ascii wide
103+
$string31 = /\\AppData\\Roaming\\AnyDesk\\system\.conf/ nocase ascii wide
98104
// Description: Anydesk RMM usage
99105
// Reference: https://anydesk.com/
100-
$string30 = /\\AppData\\Roaming\\AnyDesk\\user\.conf/ nocase ascii wide
106+
$string32 = /\\AppData\\Roaming\\AnyDesk\\user\.conf/ nocase ascii wide
101107
// Description: Anydesk RMM usage
102108
// Reference: https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/
103-
$string31 = /\\ControlSet001\\Services\\AnyDesk/ nocase ascii wide
109+
$string33 = /\\ControlSet001\\Services\\AnyDesk/ nocase ascii wide
104110
// Description: anydesk added in safeboot - abused by attackers to maintain persistence and bypass detection
105111
// Reference: https://vx-underground.org/Archive/Dispossessor%20Leaks
106-
$string32 = /\\CurrentControlSet\\Control\\SafeBoot\\Network\\AnyDesk/ nocase ascii wide
112+
$string34 = /\\CurrentControlSet\\Control\\SafeBoot\\Network\\AnyDesk/ nocase ascii wide
107113
// Description: Anydesk RMM usage
108114
// Reference: https://upadhyayraj.medium.com/beyond-connection-logs-understanding-file-transfer-artifacts-in-anydesk-forensics-b5812c817aad
109-
$string33 = /\\file_transfer_trace\.txt/ nocase ascii wide
115+
$string35 = /\\file_transfer_trace\.txt/ nocase ascii wide
110116
// Description: Anydesk RMM usage
111117
// Reference: https://anydesk.com/
112-
$string34 = /\\Pictures\\AnyDesk/ nocase ascii wide
118+
$string36 = /\\Pictures\\AnyDesk/ nocase ascii wide
113119
// Description: Anydesk RMM usage
114120
// Reference: https://anydesk.com/
115-
$string35 = /\\Prefetch\\ANYDESK\.EXE/ nocase ascii wide
121+
$string37 = /\\Prefetch\\ANYDESK\.EXE/ nocase ascii wide
116122
// Description: Anydesk RMM usage
117123
// Reference: https://anydesk.com/
118-
$string36 = /\\ProgramFile.{0,1000}\\previous\-version/ nocase ascii wide
124+
$string38 = /\\ProgramFile.{0,1000}\\previous\-version/ nocase ascii wide
119125
// Description: Anydesk RMM usage
120126
// Reference: https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/
121-
$string37 = /\\SOFTWARE\\Clients\\Media\\AnyDesk/ nocase ascii wide
127+
$string39 = /\\SOFTWARE\\Clients\\Media\\AnyDesk/ nocase ascii wide
122128
// Description: Anydesk RMM usage
123129
// Reference: https://anydesk.com/
124-
$string38 = /\\Temp\\AnyDeskUninst/ nocase ascii wide
130+
$string40 = /\\Temp\\AnyDeskUninst/ nocase ascii wide
125131
// Description: Anydesk RMM usage
126132
// Reference: https://anydesk.com/
127-
$string39 = /\\Videos\\AnyDesk/ nocase ascii wide
133+
$string41 = /\\Videos\\AnyDesk/ nocase ascii wide
128134
// Description: Anydesk RMM usage - compromised certificate - https://anydesk.com/en/changelog/windows
129135
// Reference: https://anydesk.com/
130-
$string40 = "0DBF152DEAF0B981A8A938D53F769DB8" nocase ascii wide
136+
$string42 = "0DBF152DEAF0B981A8A938D53F769DB8" nocase ascii wide
131137
// Description: Anydesk RMM usage - compromised certificate - https://anydesk.com/en/changelog/windows
132138
// Reference: https://anydesk.com/
133-
$string41 = "9CD1DDB78ED05282353B20CDFE8FA0A4FB6C1ECE" nocase ascii wide
139+
$string43 = "9CD1DDB78ED05282353B20CDFE8FA0A4FB6C1ECE" nocase ascii wide
134140
// Description: Anydesk RMM usage - compromised certificate - https://anydesk.com/en/changelog/windows
135141
// Reference: https://anydesk.com/
136-
$string42 = "9D7620A4CEBA92370E8828B3CB1007AEFF63AB36A2CBE5F044FDDE14ABAB1EBF" nocase ascii wide
142+
$string44 = "9D7620A4CEBA92370E8828B3CB1007AEFF63AB36A2CBE5F044FDDE14ABAB1EBF" nocase ascii wide
143+
// Description: Anydesk RMM usage
144+
// Reference: https://github.com/Ab4y98/VerySimpleAnyDeskBackdoor/blob/main/AnydeskBackdoor.ps1
145+
$string45 = "Ab4y98/VerySimpleAnyDeskBackdoor" nocase ascii wide
146+
// Description: Anydesk RMM usage
147+
// Reference: https://github.com/Ab4y98/VerySimpleAnyDeskBackdoor/blob/main/AnydeskBackdoor.ps1
148+
$string46 = /AnyDesk\sID\sis\:\s\$ID\sAND\sPassword\sis\:\sAa123456\!/ nocase ascii wide
137149
// Description: Anydesk RMM usage
138150
// Reference: https://anydesk.com/
139-
$string43 = "AnyDesk Software GmbH" nocase ascii wide
151+
$string47 = "AnyDesk Software GmbH" nocase ascii wide
140152
// Description: Anydesk RMM usage
141153
// Reference: https://anydesk.com/
142-
$string44 = /Anydesk.{0,1000}\s\-\-start\-with\-win\s\-\-silent/ nocase ascii wide
154+
$string48 = /Anydesk.{0,1000}\s\-\-start\-with\-win\s\-\-silent/ nocase ascii wide
155+
// Description: Anydesk RMM usage
156+
// Reference: https://github.com/Ab4y98/VerySimpleAnyDeskBackdoor/blob/main/AnydeskBackdoor.ps1
157+
$string49 = /AnyDesk\.exe\s\-\-install\s\\"C\:\\Program\sFiles\s\(x86\)\\AnyDesk\\"\s\-\-start\-with\-win\s\-\-silent/ nocase ascii wide
143158
// Description: setting the AnyDesk service password manually
144159
// Reference: https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/
145-
$string45 = /anydesk\.exe\s\-\-set\-password/ nocase ascii wide
160+
$string50 = /anydesk\.exe\s\-\-set\-password/ nocase ascii wide
146161
// Description: Anydesk RMM usage
147162
// Reference: https://www.inversecos.com/2021/02/forensic-analysis-of-anydesk-logs.html
148-
$string46 = /Anydesk\\ad\.trace/ nocase ascii wide
163+
$string51 = /Anydesk\\ad\.trace/ nocase ascii wide
164+
// Description: Anydesk RMM usage
165+
// Reference: https://github.com/Ab4y98/VerySimpleAnyDeskBackdoor/blob/main/AnydeskBackdoor.ps1
166+
$string52 = /AnydeskBackdoor\.ps1/ nocase ascii wide
149167
// Description: Anydesk RMM usage
150168
// Reference: https://anydesk.com/
151-
$string47 = /boot\.net\.anydesk\.com/ nocase ascii wide
169+
$string53 = /boot\.net\.anydesk\.com/ nocase ascii wide
152170
// Description: Anydesk RMM usage
153171
// Reference: https://anydesk.com/
154-
$string48 = /C\:\\Program\sFiles\s\(x86\)\\AnyDesk/ nocase ascii wide
172+
$string54 = /C\:\\Program\sFiles\s\(x86\)\\AnyDesk/ nocase ascii wide
173+
// Description: Anydesk RMM usage
174+
// Reference: https://github.com/Ab4y98/VerySimpleAnyDeskBackdoor/blob/main/AnydeskBackdoor.ps1
175+
$string55 = /cmd\s\/c\s\'echo\sAa123456\!\s.{0,1000}\s\-\-set\-password/ nocase ascii wide
155176
// Description: Anydesk RMM usage
156177
// Reference: https://anydesk.com/
157-
$string49 = /Desktop\\AnyDesk\.lnk/ nocase ascii wide
178+
$string56 = /Desktop\\AnyDesk\.lnk/ nocase ascii wide
158179
// Description: Anydesk RMM usage
159180
// Reference: https://anydesk.com/
160-
$string50 = /download\.anydesk\.com/ nocase ascii wide
181+
$string57 = /download\.anydesk\.com/ nocase ascii wide
161182
// Description: Anydesk RMM usage
162183
// Reference: https://anydesk.com/
163-
$string51 = /HKCR\\\.anydesk\\/ nocase ascii wide
184+
$string58 = /HKCR\\\.anydesk\\/ nocase ascii wide
164185
// Description: command line used with anydesk in the notes of the Dispossessor ransomware group
165186
// Reference: https://vx-underground.org/Archive/Dispossessor%20Leaks
166-
$string52 = /programdata\\.{0,1000}\s\-\-start\-with\-win\s\-\-remove\-first\s\-\-silent\s\-\-start\-service/ nocase ascii wide
187+
$string59 = /programdata\\.{0,1000}\s\-\-start\-with\-win\s\-\-remove\-first\s\-\-silent\s\-\-start\-service/ nocase ascii wide
167188
// Description: Anydesk RMM usage
168189
// Reference: https://anydesk.com/
169-
$string53 = /relay\-.{0,1000}\.net\.anydesk\.com/ nocase ascii wide
190+
$string60 = /relay\-.{0,1000}\.net\.anydesk\.com/ nocase ascii wide
170191
171192
condition:
172193
any of them
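Review bot: `$string4 = /\$outputPath\s\=\s\\"C\:\\AnyDesk\.exe\\"/` and `$string49 = /AnyDesk\.exe\s\-\-install\s\\"C\:\\Program\sFiles\s\(x86\)\\AnyDesk\\"\s\-\-start\-with\-win\s\-\-silent/` both require a literal backslash immediately before the opening double quote (`\\"`), which a PowerShell assignment or command line such as `$outputPath = "C:\AnyDesk.exe"` does not contain; confirm against the referenced AnydeskBackdoor.ps1 that the quotes really are escaped there, otherwise drop the `\\` before the quote or the pattern will never match. Also: `$string25` and `$string26` are the identical pattern `/\\AnyDesk\\connection_trace\.txt/` (the duplicate predates this change as `$string23`/`$string24`); one can go. The new strings tied to the script's hardcoded password (`$string46` and `$string55`, both keyed on `Aa123456!`) miss any fork that changes it, while the generic `$string50 = /anydesk\.exe\s\-\-set\-password/` already covers the behaviour. Finally, inserting `$string4` in the middle renumbered every later identifier, turning seven added patterns into a 71/50-line diff; with `condition: any of them` the numbers carry no meaning, so appending new strings (or using descriptive identifiers) would keep future diffs reviewable.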
