mandiant / red_team_tool_countermeasures Goto Github PK

View Code? Open in Web Editor NEW

2.6K 243.0 861.0 411 KB

License: BSD 2-Clause "Simplified" License

YARA 100.00%

red_team_tool_countermeasures's Introduction

FireEye Red Team Tool Countermeasures

These rules are provided freely to the community without warranty.

In this GitHub repository you will find rules in multiple languages:

Snort
Yara
ClamAV
HXIOC

The rules are categorized and labeled into two release states:

Production: rules that are expected to perform with minimal tuning.
Supplemental: rules that are known to require further environment-specific tuning and tweaking to perform, and are often used for hunting workflows.

Please check back to this GitHub for updates to these rules.

FireEye customers can refer to the FireEye Community (community.fireeye.com) for information on how FireEye products detect these threats.

The entire risk as to quality and performance of these rules is with the users.

red_team_tool_countermeasures's People

Contributors

Stargazers

Watchers

Forkers

ohc192 kyle-rainey-rc kaloudis adam-dodson cephurs 0xtaake mynameiscfed tattymennis schrodyn korsecured techbutton jamesjguthrie baffledjimmy natekrussel timetology ecxr brandongalbraith josehelps sulaimanzai gum0x1a diskurse michaelritsema papadope-zz hoggmania hadojae pablossjui ruppde chubbymaggie osu-soc adipi dviros harmj0y t3ap0t thewover timb-machine-mirrors imuledx fortify24x7 ltorresv imamimam morpheusme drakevonduck kerbalette acumenix cybersecdatasci notmylogin cudeso c0ntr07 r3comp1le pimps slw07g grahamlecture m00zh33 stuartsmiles01 trashpandas pancak3lullz clearsec franciscosd issapolska twodzinski cukupupas carloanez hhuckleberry reanimat0r devnull044 eztech93 frankbwalsh silentsoul04 mischev nconder ndejong 4k4xs4ph1r3 fullstackinfo sfrias bahadirpektas byronwai securitytimes miniminilabcom nikushakalatozi 0xfatty winstar0070 jim-fun mihabin khoiasd ggscott rev10d unmerited777 nimitzufo rulosan thurday irony0egoist littlecodemonkey v1ckxy thecodearchiveproject lordsky securitywarrior gubertoli gmti-bwhyle gr3yr0n1n pe4ch ivanwork

red_team_tool_countermeasures's Issues

False-Positive ( APT_Backdoor_Win_DShell_2.yar )

It looks like this rule matches with D compiler. Some vendors started flagging with relying on this yara rule;

https://www.virustotal.com/gui/file/a022820a62198fa3e3b89749b38db1cc3a09136524682fb99a3ce36652725065/details

https://github.com/fireeye/red_team_tool_countermeasures/blob/ac479ae150e1541445023952f569b7ca0d190b7b/rules/DSHELL/supplemental/yara/APT_Backdoor_Win_DShell_2.yar

Conflict in conditions - Wdscore.dll Hijack (Methodology)

In this rule "Wdscore.dll Hijack (Methodology)", we have observed that this rule is for the filename Wdscore.dll from filepath "windows\system32\oobe". But again we have the condition for the same file not from the same path in that same rule. Please clarify on this issue.

Rule:

windows\system32\oobe windows\system32\oobe

"Tweak Two Rules

in "all-yara.yar: tweak two rules" what are the two rules that need to be tweaked?

Thank you,

Subtle: Identical rule names (ignoring capitalization)

I noticed you have two rules named identically if you ignore capitalization. While these are valid, unique identifiers according to YARA it's not good form to do this, IMO. If anything is consuming matches from these rules and is case insensitive it will consider the two rules to be identical, which they are obviously not.

The two rules are:

Loader_MSIL_RURALBISHOP_1
Loader_MSIL_RuralBishop_1

Given that this is a subtle thing and can lead to unintended consequences downstream from these rules I suggest renaming one of the rules. I'd do it myself but I see these rules exist in a couple of places (including one in a directory called "prod") and I'm not sure exactly how this might affect anything currently using these rules so I'm just bringing this up in an issue.

Inconsistency between all-yara.yar and the rules dir (APT_Backdoor_Win_GORAT)

all-yara.yar has:

APT_Backdoor_Win_GORAT_1
APT_Backdoor_Win_GORAT_2
APT_Backdoor_Win_GORAT_3
APT_Backdoor_Win_GORAT_4
APT_Backdoor_Win_GORAT_5

but https://github.com/fireeye/red_team_tool_countermeasures/tree/master/rules/REDFLARE%20(Gorat)/production/yara only has the first four of these (and APT_Backdoor_Win_GORAT_1 there corresponds to APT_Backdoor_Win_GORAT_5 in all-yara.yar).

Also, https://github.com/fireeye/red_team_tool_countermeasures/blob/master/signatures_table_of_content.csv#L222 has APT_Backdoor_Win_GORAT_1 twice

Documentation for yara rules

Yara’s metadata fields are not normalized.

Is it possible to document how they are used here?

Examples (two first rules of all-yara.yar)

rule HackTool_MSIL_Rubeus_1
{
    meta:
        description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public Rubeus project."
        md5 = "66e0681a500c726ed52e5ea9423d2654"
        rev = 4
        author = "FireEye"
    strings:
        $typelibguid = "658C8B7F-3664-4A95-9572-A3E5871DFC06" ascii nocase wide
    condition:
        uint16(0) == 0x5A4D and $typelibguid
}
rule Trojan_Raw_Generic_4
{
    meta:
        date_created = "2020-12-02"
        date_modified = "2020-12-02"
        md5 = "f41074be5b423afb02a74bc74222e35d"
        rev = 1
        author = "FireEye"
    strings:
        $s0 = { 83 ?? 02 [1-16] 40 [1-16] F3 A4 [1-16] 40 [1-16] E8 [4-32] FF ( D? | 5? | 1? ) }
        $s1 = { 0F B? [1-16] 4D 5A [1-32] 3C [16-64] 50 45 [8-32] C3 }
    condition:
        uint16(0) != 0x5A4D and all of them
}

SIDs in the Snort rules file are below 1 Million

SIDs under 1Million are reserved for the official Snort ruleset, and the sids in the snort.rules file posted should have their SIDs re-numbered to not conflict.

Yara rules DSHELL/production/yara/APT_Backdoor_Win_DShell_1.yar and APT_Backdoor_Win_DShell_2.yar trigger too many matches exception in yara-python

Using yara-python to match against these rules, the following rules trigger a too many matches exception ("internal error: 30") when run against certain files:

rules/DSHELL/production/yara/APT_Backdoor_Win_DShell_1.yar
rules/DSHELL/production/yara/APT_Backdoor_Win_DShell_3.yar

At least one example hash that will trigger the exception against these rules is:
sha256: 04a88437468e6e9c447805d733ec82e08fd4256af44542797f16a7e318f763f8
md5: 86031c9fc72b42fef6a4c7f8b72cda83
sha1: 6a4c3370eaa373aca1113f0067d40076615b4d66

ریدید

با این همه ادعا

REDFLARE (GORAT) - APT_Backdoor_Win_GORAT_4.yar is missing import statement

I've compiled yarac from source with crypto, cuckoo, and magic - however I think there is still a missing import statement in this file:

❯ pwd
/tmp/fireeye/rules/REDFLARE (Gorat)/production/yara

❯ yarac APT_Backdoor_Win_GORAT_4.yar test.bin
APT_Backdoor_Win_GORAT_4.yar(14): error in rule "APT_Backdoor_Win_GORAT_4": undefined identifier "pe"

The following diff fixes it (simply add import "pe")

❯ git diff
diff --git a/rules/REDFLARE (Gorat)/production/yara/APT_Backdoor_Win_GORAT_4.yar b/rules/REDFLARE (Gorat)/production/yara/APT_Backdoor_Win_GORAT_4.yar
index ab29d86..8e480eb 100644
--- a/rules/REDFLARE (Gorat)/production/yara/APT_Backdoor_Win_GORAT_4.yar
+++ b/rules/REDFLARE (Gorat)/production/yara/APT_Backdoor_Win_GORAT_4.yar
@@ -1,6 +1,8 @@
 // Copyright 2020 by FireEye, Inc.
 // You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
 // https://github.com/fireeye/red_team_tool_countermeasures/blob/master/LICENSE.txt
+import "pe"
+
 rule APT_Backdoor_Win_GORAT_4
 {
     meta:
@@ -12,4 +14,4 @@ rule APT_Backdoor_Win_GORAT_4
         $mz = "MZ"
     condition:
         $mz at 0 and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and filesize < 10MB and pe.exports("MemoryCallEntryPoint") and pe.exports("MemoryDefaultAlloc") and pe.exports("MemoryDefaultFree") and pe.exports("MemoryDefaultFreeLibrary") and pe.exports("MemoryDefaultGetProcAddress") and pe.exports("MemoryDefaultLoadLibrary") and pe.exports("MemoryFindResource") and pe.exports("MemoryFindResourceEx") and pe.exports("MemoryFreeLibrary") and pe.exports("MemoryGetProcAddress") and pe.exports("MemoryLoadLibrary") and pe.exports("MemoryLoadLibraryEx") and pe.exports("MemoryLoadResource") and pe.exports("MemoryLoadString") and pe.exports("MemoryLoadStringEx") and pe.exports("MemorySizeofResource") and pe.exports("callback") and pe.exports("crosscall2") and pe.exports("crosscall_386")
-}
\ No newline at end of file
+}

which lets me compile it.

SHA-1 and SHA-256

Can you please add SHA-1 and SHA-256 Checksum?

SUSPICIOUS DLL LOAD (METHODOLOGY).ioc is broken (missing end tags)

rule is currently terminating at 'sear' and the following is needed to complete the file:

ch="processEvent/processCmdLine" type="event" />
              <Content type="string">-userconfig</Content>
            </IndicatorItem>
          </Indicator>
        </Indicator>
      </Indicator>
  </criteria>
</OpenIOC>