Revisions
Neo23x0 revised this gist
Oct 28, 2019 . 1 changed file with 34 additions and 29 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -6,7 +6,7 @@ \ \/ / _ | / _ \/ _ | / _ \__ __/ /__ \ / __ |/ , _/ __ | / , _/ // / / -_) /_/_/ |_/_/|_/_/ |_| /_/|_|\_,_/_/\__/ Florian Roth - v0.5.0 October 2019 A proof-of-concept rule that shows how easy it actually is to detect red teamer and threat group tools and code 
@@ -20,33 +20,38 @@ rule IDDQD_Godmode_Rule { date = "2019-05-15" score = 60 strings: /* Plain strings */ $s01 = "sekurlsa::logonpasswords" ascii wide nocase /* Mimikatz Command */ $s02 = "ERROR kuhl" wide /* Mimikatz Error */ $s03 = /(@subtee|@mattifestation|@enigma0x3)/ fullword ascii /* Red Team Tools */ $s04 = " -w hidden " ascii wide /* Power Shell Params */ $s05 = " -decode " ascii wide /* certutil command */ $s06 = "Koadic." ascii /* Koadic Framework */ $s07 = "ReflectiveLoader" fullword ascii wide /* Generic - Common Export Name */ $s08 = "InjectDLL" fullword ascii wide /* DLL Injection Keyword */ $s09 = "[System.Convert]::FromBase64String(" ascii wide /* PowerShell - Base64 Encoded Payload */ $s10 = /\\(Release|Debug)\\ms1[2-9]/ ascii /* Exploit Codes / PoCs */ $s11 = "/meterpreter/" ascii /* Metasploit Framework - Meterpreter */ $s12 = / (-e |-enc |'|")(JAB|SUVYI|aWV4I|SQBFAFgA|aQBlAHgA)/ ascii wide /* PowerShell Encoded Code */ $s13 = / (sEt|SEt|SeT|sET|seT) / ascii wide /* Casing Obfuscation */ $s14 = ");iex " nocase ascii wide /* PowerShell - compact code */ $s15 = / (cMd\.|cmD\.|CmD\.|cMD\.)/ ascii wide /* Casing Obfuscation */ $s16 = /(TW96aWxsYS|1vemlsbGEv|Nb3ppbGxhL|TQBvAHoAaQBsAGwAYQAv|0AbwB6AGkAbABsAGEAL|BNAG8AegBpAGwAbABhAC)/ ascii wide /* Base64 Encoded UA */ $s17 = "Nir Sofer" fullword wide /* Hack Tool Producer */ $s18 = "Web Shell By " nocase ascii /* Web Shell Copyright */ $s19 = "impacket." 
ascii /* Impacket Library */ $s20 = /\[[\+\-!E]\] (exploit|target|vulnerab|shell|inject|dump)/ nocase /* Hack Tool Output Pattern */ $s21 = "ecalper" fullword ascii wide /* Reversed String - often found in scripts or web shells */ $s22 = "0000FEEDACDC}" ascii wide /* Squiblydoo - Class ID */ $s23 = /(click enable editing|click enable content|"Enable Editing"|"Enable Content")/ ascii /* Phishing Docs */ $s24 = "vssadmin delete shadows" /* Shadow Copy Deletion - often used in Ransomware */ $s25 = "stratum+tcp://" /* Stratum Address - used in Crypto Miners */ $s26 = /\\(Debug|Release)\\(Downloader|Key[lL]og|[Ii]nject|Steal|By[Pp]ass|UAC|Dropper|Loader|CVE\-)/ /* Typical PDB Strings 1 */ $s27 = /(Dropper|Downloader|Bypass|Injection)\.pdb/ nocase /* Typical PDF strings 2 */ /* Combos */ $xo1 = "Mozilla/5.0" xor ascii wide $xf1 = "Mozilla/5.0" ascii wide condition: 1 of ($s*) or ( $xo1 and not $xf1 ) } -
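Review bot: The comment on `$s27` reads `/* Typical PDF strings 2 */` although the string matches `.pdb` names and is the companion of `$s26`'s `/* Typical PDB Strings 1 */`; it should read `/* Typical PDB Strings 2 */` (the same typo is in the Aug 30 and May 27 revisions below). `$s24` and `$s25` are the only plain strings in the set with no `ascii wide` modifier, so they default to ASCII and a UTF-16 `vssadmin delete shadows` or `stratum+tcp://` inside a script or resource is not matched; `$s24 = "vssadmin delete shadows" ascii wide` and `$s25 = "stratum+tcp://" ascii wide` keep them consistent with the rest. The `xor` modifier on `$xo1` also covers key 0x00, i.e. the plaintext, which is why `not $xf1` is required in the condition; a comment above the combo block such as `/* xor includes key 0x00 (plaintext), so files carrying the plain UA are excluded via $xf1 */` would make that intent explicit. The enclosing rule starts before this hunk.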
Neo23x0 revised this gist
Aug 30, 2019 . 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -6,7 +6,7 @@ \ \/ / _ | / _ \/ _ | / _ \__ __/ /__ \ / __ |/ , _/ __ | / , _/ // / / -_) /_/_/ |_/_/|_/_/ |_| /_/|_|\_,_/_/\__/ Florian Roth - v0.4.1 August 2019 A proof-of-concept rule that shows how easy it actually is to detect red teamer and threat group tools and code -
Neo23x0 revised this gist
Aug 30, 2019 . 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -45,7 +45,7 @@ rule IDDQD_Godmode_Rule { $ = /(click enable editing|click enable content|"Enable Editing"|"Enable Content")/ ascii /* Phishing Docs */ $ = "vssadmin delete shadows" /* Shadow Copy Deletion - often used in Ransomware */ $ = "stratum+tcp://" /* Stratum Address - used in Crypto Miners */ $ = /\\(Debug|Release)\\(Downloader|Key[lL]og|[Ii]nject|Steal|By[Pp]ass|UAC|Dropper|Loader|CVE\-)/ /* Typical PDB Strings 1 */ $ = /(Dropper|Downloader|Bypass|Injection)\.pdb/ nocase /* Typical PDF strings 2 */ condition: 1 of them -
Neo23x0 revised this gist
May 27, 2019 . 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -6,7 +6,7 @@ \ \/ / _ | / _ \/ _ | / _ \__ __/ /__ \ / __ |/ , _/ __ | / , _/ // / / -_) /_/_/ |_/_/|_/_/ |_| /_/|_|\_,_/_/\__/ Florian Roth - v0.4 May 2019 A proof-of-concept rule that shows how easy it actually is to detect red teamer and threat group tools and code -
Neo23x0 revised this gist
May 27, 2019 . 1 changed file with 2 additions and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -45,7 +45,8 @@ rule IDDQD_Godmode_Rule { $ = /(click enable editing|click enable content|"Enable Editing"|"Enable Content")/ ascii /* Phishing Docs */ $ = "vssadmin delete shadows" /* Shadow Copy Deletion - often used in Ransomware */ $ = "stratum+tcp://" /* Stratum Address - used in Crypto Miners */ $ = /\\(Debug|Release)\\(Downloader|Key[lL]og|[Ii]nject|Steal|By[Pp]ass|UAC|Dropper|Loader)/ /* Typical PDB Strings 1 */ $ = /(Dropper|Downloader|Bypass|Injection)\.pdb/ nocase /* Typical PDF strings 2 */ condition: 1 of them } -
Neo23x0 revised this gist
May 15, 2019 . 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -17,7 +17,7 @@ rule IDDQD_Godmode_Rule { description = "This is the most powerful YARA rule. It detects literally everything." author = "Florian Roth" reference = "Internal Research - get a Godmode YARA rule set with Valhalla by Nextron Systems" date = "2019-05-15" score = 60 strings: $ = "sekurlsa::logonpasswords" ascii wide nocase /* Mimikatz Command */ -
Neo23x0 revised this gist
May 15, 2019 . 1 changed file with 0 additions and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -45,7 +45,6 @@ rule IDDQD_Godmode_Rule { $ = /(click enable editing|click enable content|"Enable Editing"|"Enable Content")/ ascii /* Phishing Docs */ $ = "vssadmin delete shadows" /* Shadow Copy Deletion - often used in Ransomware */ $ = "stratum+tcp://" /* Stratum Address - used in Crypto Miners */ $ = /\\(Debug|Release)\\(Downloader|Key[lL]og|[Ii]nject|Steal|By[Pp]ass|UAC|Dropper|Loader)/ /* Typical PDB Strings */ condition: 1 of them -
Neo23x0 revised this gist
May 15, 2019 . 1 changed file with 2 additions and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -6,7 +6,7 @@ \ \/ / _ | / _ \/ _ | / _ \__ __/ /__ \ / __ |/ , _/ __ | / , _/ // / / -_) /_/_/ |_/_/|_/_/ |_| /_/|_|\_,_/_/\__/ Florian Roth - v0.3 May 2019 A proof-of-concept rule that shows how easy it actually is to detect red teamer and threat group tools and code @@ -46,6 +46,7 @@ rule IDDQD_Godmode_Rule { $ = "vssadmin delete shadows" /* Shadow Copy Deletion - often used in Ransomware */ $ = "stratum+tcp://" /* Stratum Address - used in Crypto Miners */ $ = ".onion" ascii wide /* Onion Address - Tor Network */ $ = /\\(Debug|Release)\\(Downloader|Key[lL]og|[Ii]nject|Steal|By[Pp]ass|UAC|Dropper|Loader)/ /* Typical PDB Strings */ condition: 1 of them } -
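Review bot: The PDB-path regex, which appears to be the line this revision adds, handles case inconsistently: `Key[lL]og`, `[Ii]nject` and `By[Pp]ass` accept two capitalisations while `Downloader`, `Steal`, `UAC`, `Dropper` and `Loader` are matched case-sensitively, so a lower-case build path such as `\Release\downloader` or `\Debug\loader` is not covered. Either extend the classes (`[Dd]ownloader`, `[Ss]teal`, `[Dd]ropper`, `[Ll]oader`) or add a comment like `/* lower-case forms deliberately not matched */` so the next reader knows it is intended; `nocase` on the whole regex would be simpler but also widens the short `UAC` token. The rule starts before the first hunk, so only its tail is visible here.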
Neo23x0 revised this gist
May 15, 2019 . 1 changed file with 22 additions and 22 deletions.
@@ -20,32 +20,32 @@ rule IDDQD_Godmode_Rule { date = "2019-05-14" score = 60 strings: $ = "sekurlsa::logonpasswords" ascii wide nocase /* Mimikatz Command */ $ = "ERROR kuhl" wide /* Mimikatz Error */ $ = /(@subtee|@mattifestation|@enigma0x3)/ fullword ascii /* Red Team Tools */ $ = " -w hidden " ascii wide /* Power Shell Params */ $ = " -decode " ascii wide /* certutil command */ $ = "Koadic." ascii /* Koadic Framework */ $ = "ReflectiveLoader" fullword ascii wide /* Generic - Common Export Name */ $ = "InjectDLL" fullword ascii wide /* DLL Injection Keyword */ $ = "[System.Convert]::FromBase64String(" ascii wide /* PowerShell - Base64 Encoded Payload */ $ = /\\(Release|Debug)\\ms1[2-9]/ ascii /* Exploit Codes / PoCs */ $ = "/meterpreter/" ascii /* Metasploit Framework - Meterpreter */ $ = / (-e |-enc |'|")(JAB|SUVYI|aWV4I|SQBFAFgA|aQBlAHgA)/ ascii wide /* PowerShell Encoded Code */ $ = / (sEt|SEt|SeT|sET|seT) / ascii wide /* Casing Obfuscation */ $ = ");iex " nocase ascii wide /* PowerShell - compact code */ $ = / (cMd\.|cmD\.|CmD\.|cMD\.)/ ascii wide /* Casing Obfuscation */ $ = /(TW96aWxsYS|1vemlsbGEv|Nb3ppbGxhL|TQBvAHoAaQBsAGwAYQAv|0AbwB6AGkAbABsAGEAL|BNAG8AegBpAGwAbABhAC)/ ascii wide /* Base64 Encoded UA */ $ = "Nir Sofer" fullword wide /* Hack Tool Producer */ $ = "Web Shell By " nocase ascii /* Web Shell Copyright */ $ = "impacket." ascii /* Impacket Library */ $ = /\[[\+\-!E]\] (exploit|target|vulnerab|shell|inject|dump)/ nocase /* Hack Tool Output Pattern */ $ = "ecalper" fullword ascii wide /* Reversed String - often found in scripts or web shells */ $ = "0000FEEDACDC}" ascii wide /* Squiblydoo - Class ID */ $ = /(click enable editing|click enable content|"Enable Editing"|"Enable Content")/ ascii /* Phishing Docs */ $ = "vssadmin delete shadows" /* Shadow Copy Deletion - often used in Ransomware */ $ = "stratum+tcp://" /* Stratum Address - used in Crypto Miners */ $ = ".onion" ascii wide /* Onion Address - Tor Network */ condition: 1 of them } -
Neo23x0 revised this gist
May 14, 2019 . 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -30,7 +30,7 @@ rule IDDQD_Godmode_Rule { $ = "InjectDLL" fullword ascii wide /* DLL Injection Keyword */ $ = "[System.Convert]::FromBase64String(" ascii wide /* PowerShell - Base64 Encoded Payload */ $ = /\\(Release|Debug)\\ms1[2-9]/ ascii /* Exploit Codes / PoCs */ $ = "/meterpreter/" ascii /* Metasploit Framework - Meterpreter */ $ = / (-e |-enc |'|")(JAB|SUVYI|aWV4I|SQBFAFgA|aQBlAHgA)/ ascii wide /* PowerShell Encoded Code */ $ = / (sEt|SEt|SeT|sET|seT) / ascii wide /* Casing Obfuscation */ $ = ");iex " nocase ascii wide /* PowerShell - compact code */ -
Neo23x0 revised this gist
May 14, 2019 . 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -16,7 +16,7 @@ rule IDDQD_Godmode_Rule { meta: description = "This is the most powerful YARA rule. It detects literally everything." author = "Florian Roth" reference = "Internal Research - get a Godmode YARA rule set with Valhalla by Nextron Systems" date = "2019-05-14" score = 60 strings: -
Neo23x0 revised this gist
May 14, 2019 . 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -30,7 +30,7 @@ rule IDDQD_Godmode_Rule { $ = "InjectDLL" fullword ascii wide /* DLL Injection Keyword */ $ = "[System.Convert]::FromBase64String(" ascii wide /* PowerShell - Base64 Encoded Payload */ $ = /\\(Release|Debug)\\ms1[2-9]/ ascii /* Exploit Codes / PoCs */ $ = "/meterpreter" ascii /* Metasploit Framework - Meterpreter */ $ = / (-e |-enc |'|")(JAB|SUVYI|aWV4I|SQBFAFgA|aQBlAHgA)/ ascii wide /* PowerShell Encoded Code */ $ = / (sEt|SEt|SeT|sET|seT) / ascii wide /* Casing Obfuscation */ $ = ");iex " nocase ascii wide /* PowerShell - compact code */ -
Neo23x0 revised this gist
May 14, 2019 . 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -9,7 +9,7 @@ Florian Roth - v0.2 May 2019 A proof-of-concept rule that shows how easy it actually is to detect red teamer and threat group tools and code */ rule IDDQD_Godmode_Rule { -
Neo23x0 revised this gist
May 14, 2019 . 1 changed file with 3 additions and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -6,8 +6,10 @@ \ \/ / _ | / _ \/ _ | / _ \__ __/ /__ \ / __ |/ , _/ __ | / , _/ // / / -_) /_/_/ |_/_/|_/_/ |_| /_/|_|\_,_/_/\__/ Florian Roth - v0.2 May 2019 A proof-of-concept rule that shows how easy it actually is to detect red teamer and threat group tools and code - as most of them are f#&%ing lazy */ rule IDDQD_Godmode_Rule { -
Neo23x0 revised this gist
May 14, 2019 . 1 changed file with 2 additions and 2 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -7,15 +7,15 @@ \ / __ |/ , _/ __ | / , _/ // / / -_) /_/_/ |_/_/|_/_/ |_| /_/|_|\_,_/_/\__/ Florian Roth - v0.2 May 2019 */ rule IDDQD_Godmode_Rule { meta: description = "This is the most powerful YARA rule. It detects literally everything." author = "Florian Roth" reference = "Internal Research - find a Godmode rule set in Valhalla by Nextron Systems" date = "2019-05-14" score = 60 strings: $ = "sekurlsa::logonpasswords" ascii wide nocase /* Mimikatz Command */ -
Neo23x0 revised this gist
May 14, 2019 . 1 changed file with 26 additions and 26 deletions.
@@ -18,32 +18,32 @@ rule IDDQD_Godmode_Rule { date = "2019-05-13" score = 60 strings: $ = "sekurlsa::logonpasswords" ascii wide nocase /* Mimikatz Command */ $ = "ERROR kuhl" wide /* Mimikatz Error */ $ = "@subtee" fullword ascii /* Red Team Tools */ $ = " -w hidden " ascii wide /* Power Shell Params */ $ = " -decode " ascii wide /* certutil command */ $ = "Koadic." ascii /* Koadic Framework */ $ = "ReflectiveLoader" fullword ascii wide /* Generic - Common Export Name */ $ = "InjectDLL" fullword ascii wide /* DLL Injection Keyword */ $ = "[System.Convert]::FromBase64String(" ascii wide /* PowerShell - Base64 Encoded Payload */ $ = /\\(Release|Debug)\\ms1[2-9]/ ascii /* Exploit Codes / PoCs */ $ = "windows/meterpreter" ascii /* Metasploit Framework - Meterpreter */ $ = / (-e |-enc |'|")(JAB|SUVYI|aWV4I|SQBFAFgA|aQBlAHgA)/ ascii wide /* PowerShell Encoded Code */ $ = / (sEt|SEt|SeT|sET|seT) / ascii wide /* Casing Obfuscation */ $ = ");iex " nocase ascii wide /* PowerShell - compact code */ $ = / (cMd\.|cmD\.|CmD\.|cMD\.)/ ascii wide /* Casing Obfuscation */ $ = /(TW96aWxsYS|1vemlsbGEv|Nb3ppbGxhL|TQBvAHoAaQBsAGwAYQAv|0AbwB6AGkAbABsAGEAL|BNAG8AegBpAGwAbABhAC)/ ascii wide /* Base64 Encoded UA */ $ = "Nir Sofer" fullword wide /* Hack Tool Producer */ $ = "Web Shell By " nocase ascii /* Web Shell Copyright */ $ = "impacket." ascii /* Impacket Library */ $ = /\[[\+\-!E]\] (exploit|target|vulnerab|shell|inject|dump)/ nocase /* Hack Tool Output Pattern */ $ = "ecalper" fullword ascii wide /* Reversed String - often found in scripts or web shells */ $ = "0000FEEDACDC}" ascii wide /* Squiblydoo - Class ID */ $ = /(click enable editing|click enable content|"Enable Editing"|"Enable Content")/ ascii /* Phishing Docs */ $ = "vssadmin delete shadows" /* Shadow Copy Deletion - often used in Ransomware */ $ = "stratum+tcp://" /* Stratum Address - used in Crypto Miners */ $ = ".onion" ascii wide /* Onion Address - Tor Network */ condition: 1 of them } -
Neo23x0 revised this gist
May 14, 2019 . 1 changed file with 2 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -42,6 +42,8 @@ rule IDDQD_Godmode_Rule { $ = "0000FEEDACDC}" ascii wide $ = /(click enable editing|click enable content|"Enable Editing"|"Enable Content")/ ascii $ = "vssadmin delete shadows" $ = "stratum+tcp://" $ = ".onion" ascii wide condition: 1 of them } -
Neo23x0 revised this gist
May 13, 2019 . 1 changed file with 12 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,3 +1,15 @@ /* _____ __ __ ___ __ / ___/__ ___/ / / |/ /__ ___/ /__ / (_ / _ \/ _ / / /|_/ / _ \/ _ / -_) \___/\___/\_,_/_/_/__/_/\___/\_,_/\__/ \ \/ / _ | / _ \/ _ | / _ \__ __/ /__ \ / __ |/ , _/ __ | / , _/ // / / -_) /_/_/ |_/_/|_/_/ |_| /_/|_|\_,_/_/\__/ Florian Roth - v0.1 May 2019 */ rule IDDQD_Godmode_Rule { meta: description = "This is the most powerful YARA rule. It detects literally everything." -
Neo23x0 revised this gist
May 13, 2019 . 1 changed file with 4 additions and 2 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -25,9 +25,11 @@ rule IDDQD_Godmode_Rule { $ = "Nir Sofer" fullword wide $ = "Web Shell By " nocase ascii $ = "impacket." ascii $ = /\[[\+\-!E]\] (exploit|target|vulnerab|shell|inject|dump)/ nocase $ = "ecalper" fullword ascii wide $ = "0000FEEDACDC}" ascii wide $ = /(click enable editing|click enable content|"Enable Editing"|"Enable Content")/ ascii $ = "vssadmin delete shadows" condition: 1 of them } -
Neo23x0 revised this gist
May 13, 2019 . 1 changed file with 2 additions and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -15,7 +15,7 @@ rule IDDQD_Godmode_Rule { $ = "ReflectiveLoader" fullword ascii wide $ = "InjectDLL" fullword ascii wide $ = "[System.Convert]::FromBase64String(" ascii wide $ = /\\(Release|Debugger)\\ms1[2-9]/ ascii $ = "windows/meterpreter" ascii $ = / (-e |-enc |'|")(JAB|SUVYI|aWV4I|SQBFAFgA|aQBlAHgA)/ ascii wide $ = / (sEt|SEt|SeT|sET|seT) / ascii wide @@ -27,6 +27,7 @@ rule IDDQD_Godmode_Rule { $ = "impacket." ascii $ = /\[[\+\-!E]\] (exploit|target|vulnerab|shell|inject)/ nocase $ = "ecalper" fullword ascii wide $ = "0000FEEDACDC}" ascii wide condition: 1 of them } -
Neo23x0 revised this gist
May 13, 2019 . 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -15,7 +15,7 @@ rule IDDQD_Godmode_Rule { $ = "ReflectiveLoader" fullword ascii wide $ = "InjectDLL" fullword ascii wide $ = "[System.Convert]::FromBase64String(" ascii wide $ = /\\(Release|Debug)\\ms1[2-9]/ ascii $ = "windows/meterpreter" ascii $ = / (-e |-enc |'|")(JAB|SUVYI|aWV4I|SQBFAFgA|aQBlAHgA)/ ascii wide $ = / (sEt|SEt|SeT|sET|seT) / ascii wide -
Neo23x0 revised this gist
May 13, 2019 . 1 changed file with 1 addition and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -26,6 +26,7 @@ rule IDDQD_Godmode_Rule { $ = "Web Shell By " nocase ascii $ = "impacket." ascii $ = /\[[\+\-!E]\] (exploit|target|vulnerab|shell|inject)/ nocase $ = "ecalper" fullword ascii wide condition: 1 of them } -
Neo23x0 created this gist
May 13, 2019 .
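--- /dev/null
+++ b/PLACEHOLDER_gist_filename.yar
@@ -0,0 +1,31 @@
+rule IDDQD_Godmode_Rule {
+meta:
+description = "This is the most powerful YARA rule. It detects literally everything."
+author = "Florian Roth"
+reference = "Internal Research - find a Godmode rule set in Valhalla by Nextron Systems"
+date = "2019-05-13"
+score = 60
+strings:
+$ = "sekurlsa::logonpasswords" ascii wide nocase
+$ = "ERROR kuhl" wide
+$ = "@subtee" fullword ascii
+$ = " -w hidden " ascii wide
+$ = " -decode " ascii wide
+$ = "Koadic." ascii
+$ = "ReflectiveLoader" fullword ascii wide
+$ = "InjectDLL" fullword ascii wide
+$ = "[System.Convert]::FromBase64String(" ascii wide
+$ = /\\(Release|Debugger)\\ms1[2-9]/ ascii
+$ = "windows/meterpreter" ascii
+$ = / (-e |-enc |'|")(JAB|SUVYI|aWV4I|SQBFAFgA|aQBlAHgA)/ ascii wide
+$ = / (sEt|SEt|SeT|sET|seT) / ascii wide
+$ = ");iex " nocase ascii wide
+$ = / (cMd\.|cmD\.|CmD\.|cMD\.)/ ascii wide
+$ = /(TW96aWxsYS|1vemlsbGEv|Nb3ppbGxhL|TQBvAHoAaQBsAGwAYQAv|0AbwB6AGkAbABsAGEAL|BNAG8AegBpAGwAbABhAC)/ ascii wide
+$ = "Nir Sofer" fullword wide
+$ = "Web Shell By " nocase ascii
+$ = "impacket." ascii
+$ = /\[[\+\-!E]\] (exploit|target|vulnerab|shell|inject)/ nocase
+condition:
+1 of them
+}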
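Review bot: The casing-obfuscation pattern `/ (cMd\.|cmD\.|CmD\.|cMD\.)/` lists four of the five mixed-case spellings of `cmd.` that differ from the conventional `cmd.`, `Cmd.` and `CMD.`; `CMd.` is absent, so that variant is not matched. The sibling `set` pattern on the line above it covers all five of its odd spellings (`sEt`, `SEt`, `SeT`, `sET`, `seT`), so for parity the line should read `$ = / (cMd\.|cmD\.|CmD\.|cMD\.|CMd\.)/ ascii wide`. The omission is carried unchanged through every later revision on this page, including the Oct 28 one where the string is `$s15`. The `Debugger` alternative in `/\\(Release|Debugger)\\ms1[2-9]/` also looks like a slip for the usual `Debug` build folder; a later revision on this page already switches it, so no further change is needed here.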