Daniel Stinson-Diess shellcromancer
💻
shellcromancer
/ macho_space_in_seg_or_sect.yara
Created
January 9, 2022 05:05
Identify spaces in either a segment or section name of a Mach-o.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "macho" | |
| rule macho_space_in_segment_or_section { | |
| meta: | |
| descrption = "Identify spaces in either a segment or section name of a Mach-o." | |
| author = "@shellcromancer <root@shellcromancer.io>" | |
| version = "0.1" | |
| date = "2022-01-08" | |
| condition: | |
| for any segment in macho.segments: ( |
shellcromancer
/ lang_rust.yara
Created
January 10, 2022 03:18
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "pe" | |
| import "elf" | |
| rule lang_rust { | |
| meta: | |
| desc = "Identify a Rust binary regardless of format (PE, Macho, ELF) or arch." | |
| author = "@shellcromancer" | |
| version = "1.0" | |
| last_modified = "2022.01.09" | |
| strings: |
shellcromancer
/ shellcode_metasploit_x86.yara
Created
January 11, 2022 02:38
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule metasploit_shellcode_x86 { | |
| meta: | |
| descrption = "Identify pushed strings from metasploint x86 shellcode." | |
| author = "@shellcromancer <root@shellcromancer.io>" | |
| version = "0.1" | |
| date = "2022-01-10" | |
| strings: | |
| // https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/linux/ia32/single_adduser.asm#L48 | |
| $pass1 = { 63 74 65 2f} // /etc | |
| $pass2 = { 61 70 2f 2f} // //pa |
shellcromancer
/ alg_crypto_md5.yara
Last active
January 12, 2022 13:44
Identify code/constants for the MD5 hashing algorithm
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule alg_crypto_md5 { | |
| meta: | |
| description = "Identify code/constants for the MD5 hashing algorithm." | |
| author = "@shellcromancer <root@shellcromancer.io>" | |
| version = "0.1" | |
| date = "2022-01-11" | |
| reference = "https://en.wikipedia.org/wiki/MD5" | |
| strings: | |
| $cA = { 67452301 } | |
| $cB = { efcdab89 } |
shellcromancer
/ alg_crypto_blake.yara
Created
January 13, 2022 03:13
Identify constants used as the IV or precomputed sigmas in BLAKE.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule alg_crypto_blake { | |
| meta: | |
| description = "Identify code/constants for the BLAKE2/3 hashing algorithm." | |
| author = "@shellcromancer <root@shellcromancer.io>" | |
| version = "0.1" | |
| date = "2022-01-11" | |
| reference = "https://en.wikipedia.org/wiki/BLAKE_(hash_function)" | |
| implementation = "https://cs.opensource.google/go/x/crypto/+/master:blake2b/blake2b_amd64.s" | |
| strings: | |
| // BLAKE2 uses the same IV as SHA-256 and BLAKE3 so matches should be investigated |
shellcromancer
/ args_socket_tcpip.yara
Created
January 13, 2022 03:22
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule ARGS_socket_TCPIP { | |
| meta: | |
| author = "@notareverser" | |
| date = "2022-01-12" | |
| source = "https://twitter.com/notareverser/status/1481242024460312581" | |
| strings: | |
| /* | |
| 6a06 push 6 ; IPPROTO_TCP | |
| 6a01 push 1 ; SOCK_STREAM | |
| 6a02 push 2 ; AF_INET |
shellcromancer
/ mal_sysjoker_macOS.yara
Created
January 14, 2022 04:02
YARA rule to identify the SysJoker macOS backdoor.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule mal_sysjoker_macOS { | |
| meta: | |
| description = "Identify string artifacts from the SysJoker macOS backdoor." | |
| author = "@shellcromancer <root@shellcromancer.io>" | |
| version = "0.1" | |
| date = "2022-01-13" | |
| reference = "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/" | |
| reference = "https://objective-see.com/blog/blog_0x6C.html" | |
| sha256 = "1a9a5c797777f37463b44de2b49a7f95abca786db3977dcdac0f79da739c08ac" | |
| strings: |
shellcromancer
/ alg_crypto_sha1.yara
Created
January 15, 2022 05:35
YARA rule to detect the SHA1 hashing algorithm.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule alg_crypto_sha1 { | |
| meta: | |
| description = "Identify constants for the SHA1 hashing algorithm." | |
| author = "@shellcromancer <root@shellcromancer.io>" | |
| version = "0.1" | |
| date = "2022-01-14" | |
| reference = "https://en.wikipedia.org/wiki/SHA-1" | |
| implementation = "https://cs.opensource.google/go/go/+/master:src/crypto/sha1/sha1block_amd64.s" | |
| strings: | |
| $init0 = { 67452301 } |
shellcromancer
/ alg_crypto_des.yara
Created
January 16, 2022 03:47
YARA signature for the DES algorithm's constants.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule alg_crypto_des { | |
| meta: | |
| description = "Identify code/constants for the DES encryption algorithm." | |
| author = "@shellcromancer <root@shellcromancer.io>" | |
| version = "0.1" | |
| date = "2022-01-15" | |
| reference = "https://en.wikipedia.org/wiki/Data_Encryption_Standard" | |
| implementation = "https://cs.opensource.google/go/go/+/master:src/crypto/des/block.go" | |
| strings: | |
| $permInit = { |
shellcromancer
/ tool_gscript.yara
Created
January 19, 2022 04:08
Detect the gscript dropper generator
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule tool_gscript { | |
| meta: | |
| description = "Identify the gscript dropper generator." | |
| author = "@shellcromancer <root@shellcromancer.io>" | |
| version = "0.1" | |
| date = "2022-01-18" | |
| reference = "https://github.com/gen0cide/gscript" | |
| strings: | |
| $ = "gen0cide/gscript" ascii |