Update third-party rules as of 2025-07-27 (#1060)

Co-authored-by: Update third-party rules <41898282+github-actions[bot]@users.noreply.github.com>

Author: octo-sts[bot]

third_party/yara/bartblaze/APT/StormDNS.yar

@@ -0,0 +1,36 @@
+rule StormDNS
+{
+    meta:
+        id = "75nX2TPCk53RAhU55yBeFd"
+        fingerprint = "v1_sha256_542a8af37bd4bc18218190cd82495146a4daa5d01db24804b9ff16ff04023a5a"
+        version = "1.0"
+        date = "2025-07-24"
+        modified = "2025-07-24"
+        status = "RELEASED"
+        sharing = "TLP:WHITE"
+        source = "BARTBLAZE"
+        author = "@bartblaze"
+        description = "Identifies StormDNS, a DNS shell used by Storm-260 to receive and execute commands from a C2."
+        category = "MALWARE"
+        malware = "STORMDNS"
+        malware_type = "WEBSHELL"
+        reference = "https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities"
+        hash = "1eb914c09c873f0a7bcf81475ab0f6bdfaccc6b63bf7e5f2dbf19295106af192"
+
+    strings:
+        $str_a = "Slept for %d seconds"
+        $str_b = "Failed to allocate memory"
+        $str_c = "cmd.exe /c %s 2>&1"
+        $str_d = "Failed to execute command"
+        $str_e = "Failed to reallocate memory"
+        $str_f = "Command executed with no output"
+        $str_g = "fragment_received"
+        $str_h = "result_received"
+        $str_i = "s%st%04zup%04zu"
+        
+        $pdb_part = "\\work\\tools\\ak47c2\\"
+        $pdb_full = "C:\\Users\\Administrator\\Desktop\\work\\tools\\ak47c2\\dnsclinet-c\\dnsclient\\x64\\Release\\dnsclient.pdb"
+
+    condition:
+        8 of ($str_*) or any of ($pdb_*)
+}

third_party/yara/bartblaze/RELEASE

@@ -1 +1 @@
-255135e922b571965ab942554fcd7b9b6162f091
+063fb36a398f8bec668ab715b17dc4596fdadb0f

third_party/yara/bartblaze/hacktools/Extract_MachineKey_SharePoint.yar

@@ -0,0 +1,51 @@
+import "dotnet"
+rule Extract_MachineKey_SharePoint
+{
+    meta:
+        id = "5rgC2cpznLmamBSQ9etlFh"
+        fingerprint = "v1_sha256_267976231782f0458c369172e8d922508daf670089ef3c91ad2570fe3600d6c4"
+        version = "1.0"
+        date = "2025-07-25"
+        modified = "2025-07-25"
+        status = "RELEASED"
+        sharing = "TLP:WHITE"
+        source = "BARTBLAZE"
+        author = "@bartblaze"
+        description = "Identifies webshell that extracts SharePoint's MachineKey configuration."
+        category = "TOOL"
+        tool = "WEBSHELL"
+        reference = "https://x.com/Gi7w0rm/status/1948027800591466773"
+        hash = "3461da3a2ddcced4a00f87dcd7650af48f97998a3ac9ca649d7ef3b7332bd997"
+
+    strings:
+        $xml = "<?xml" nocase
+	
+        $httpcontext = "HttpContext" fullword
+        $validation = "MachineKeyValidation"
+
+        $mks_a = "MachineKeySection"
+        $mks_b = "System.Web.Configuration.MachineKeySection"
+
+        $str_a = "-------------------- .NET Properties --------------------"
+        $str_b = "Number of Logical Drives:"
+        $str_c = "List of Logical Drives:"
+        $str_d = "Computer Name:"
+        $str_e = "Full path of the system directory:"
+        $str_f = "Current Directory:"
+        $str_g = "Number of processors on this machine:"
+        $str_h = "Number of milliseconds since system start:"
+        $str_i = "Username of the user currently logged onto the operating system:"
+        $str_j = "Operating System Version:"
+        $str_k = ".NET Version:"
+        $str_l = "-------------------- Environment Variables --------------------"
+
+    condition:
+        not $xml in (0..10) and (
+        ($httpcontext and $validation and any of ($mks_*)) or (any of ($mks_*, $validation) and 8 of ($str_*)) or
+        dotnet.guids[0]=="64c708ee-5f26-4eef-b474-651321a0e469" or
+        dotnet.guids[0]=="a253a3d9-f7e6-484e-b392-685b0b7a9c5d" or
+        dotnet.guids[0]=="ab423cff-901e-4882-9939-bf1b54eddffb" or
+        dotnet.guids[0]=="63e8005d-08a3-423d-ab6b-53cc05629d457" or
+        dotnet.guids[0]=="de37ec6b-4312-4073-81ea-903f0a340a11"
+		)
+}

third_party/yara/bartblaze/hacktools/GhostShell_SharePoint.yar

@@ -0,0 +1,39 @@
+import "dotnet"
+rule GhostShell_SharePoint
+{
+    meta:
+        id = "3L2nePhWiYOjRbQGFIZjdc"
+        fingerprint = "v1_sha256_f5b1a1f487e7af2f315825c0a6657a84088bbfcdf57f3523de14c36e608bf287"
+        version = "1.0"
+        date = "2025-07-25"
+        modified = "2025-07-25"
+        status = "RELEASED"
+        sharing = "TLP:WHITE"
+        source = "BARTBLAZE"
+        author = "@bartblaze"
+        description = "Identifies compiled Ghostfile.aspx, simple reverse shell / backdoor as also seen in the ToolShell (SharePoint) attacks."
+        category = "TOOL"
+        tool = "GHOSTSHELL"
+        reference = "https://x.com/marius_benthin/status/1948761502334267478"
+        hash = "7e9b77da1f51d03ee2f96bc976f6aeb781f801cf633862a4b8c356cbb555927d"
+
+    strings:
+        $aspx = ".aspx" ascii wide nocase
+
+        $cmd_a = "Usage: ?cmd=command" ascii wide
+
+        /*
+        string text2 = string.Concat(new string[] { "c", "m", "d", ".", "exe" });
+        string text3 = string.Join("", new string[] { "/c ", text });
+        */
+        $cmd_b = {7209000070A2110717720D000070A21107187211000070A21107197215000070A211071A7219000070A21107280C00000A0B7221000070188D1300000113071107167223000070A211071706A21107280D00000A}
+
+        $layout_a = "/_layouts/" ascii wide nocase
+        $layout_b = "/layouts/" ascii wide nocase
+
+
+    condition:
+        $aspx and any of ($cmd_*) and any of ($layout_*) or
+        dotnet.guids[0]=="5497bdc1-57e4-4c5b-81eb-9dc7ca8b5aec" or
+        dotnet.guids[0]=="cbcef74f-0a3d-4d87-8c6a-7044755c24f8"
+}

third_party/yara/bartblaze/hacktools/IIS_Backdoor.yar

@@ -0,0 +1,35 @@
+import "dotnet"
+rule IIS_Backdoor
+{
+    meta:
+        id = "4yJbnKKjfmtotBMpm2zK4F"
+        fingerprint = "v1_sha256_4c2d7551e42e643a2265a821c6e629b83cbbbf903afc5ab9577ab13197dd4daa"
+        version = "1.0"
+        date = "2025-07-24"
+        modified = "2025-07-24"
+        status = "RELEASED"
+        sharing = "TLP:WHITE"
+        source = "BARTBLAZE"
+        author = "@bartblaze"
+        description = "Identifies an IIS backdoor used by Storm-2603."
+        category = "TOOL"
+        tool = "IISBACKDOOR"
+        reference = "https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities"
+        reference = "https://github.com/WBGlIl/IIS_backdoor"
+        hash = "6f6db63ece791c6dc1054f1e1231b5bbcf6c051a49bad0784569271753e24619"
+
+    strings:
+        $iis_module = "IHttpModule"
+        $str_cmd = "cmd.exe"
+        $str_cookie = "sets-cookie"
+        $str_dll = "IIS_Server_dll"
+        
+        $pdb_part = "\\david8866\\Desktop\\toolsnew\\"
+        $pdb_full = "C:\\Users\\david8866\\Desktop\\toolsnew\\backdoor\\IIS-backdoor\\method1-module\\module-backdoor\\IIS-module-cmd\\IIS_Server_dll.pdb"
+
+    condition:
+        ($iis_module and 2 of ($str_*)) or
+        any of ($pdb_*) or 
+        dotnet.guids[0]=="05b57f52-968e-4f0f-a3e7-dd0bc7376fc5" or 
+        dotnet.guids[0]=="3fda4aa9-6fc1-473f-9048-7edc058c4f65"
+}

third_party/yara/bartblaze/hacktools/PowerTool.yar

@@ -8,14 +8,14 @@ rule PowerTool
         version = "1.0"
         creation_date = "2021-07-01"
         first_imported = "2021-12-30"
-        last_modified = "2025-03-10"
+        last_modified = "2025-07-24"
         status = "RELEASED"
         sharing = "TLP:WHITE"
         source = "BARTBLAZE"
         author = "@bartblaze"
         description = "Identifies PowerTool, sometimes used by attackers to disable security software."
-        category = "MALWARE"
-        malware = "POWERTOOL"
+        category = "TOOL"
+        tool = "POWERTOOL"
         reference = "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml"
 
 
@@ -30,4 +30,4 @@ rule PowerTool
 
     condition:
         any of them
-}
+}

third_party/yara/bartblaze/hacktools/SharpAdidnsdump.yar

@@ -0,0 +1,39 @@
+import "dotnet"
+rule SharpAdidnsdump
+{
+    meta:
+        id = "6rWYf0SwQzWanysjEs2F3h"
+        fingerprint = "v1_sha256_81a0841b64b31da7c8e6f601913eaabbcf2d03868c46b6d5acf2da532964c200"
+        version = "1.0"
+        date = "2025-07-24"
+        modified = "2025-07-24"
+        status = "RELEASED"
+        sharing = "TLP:WHITE"
+        source = "BARTBLAZE"
+        author = "@bartblaze"
+        description = "Identifies SharpAdidnsdump, which allows for AD integrated DNS dumping and also abused by attackers such as Storm-2603."
+        category = "TOOL"
+        tool = "SHARPAPIDNSDUMP"
+        reference = "https://github.com/b4rtik/SharpAdidnsdump"
+        reference = "https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities"
+        hash = "f01675f9ca00da067bdb1812bf829f09ccf5658b87d3326d6fddd773df352574"
+
+    strings:
+        $str_a = "IPAddress"
+        $str_b = "DirectorySearcher"
+        $str_c = "SearchResult"
+        $str_d = "IPHostEntry"
+        $str_e = "GetHostEntry"
+        $str_f = "DirectoryEntry"
+        
+        $clear_a = "Error retriving data"
+        $clear_b = "dNSTombstoned"
+        $clear_c = "Running enumeration against"
+        
+        $SharpAdidnsdump = "SharpAdidnsdump" fullword
+
+    condition:
+        (3 of ($str_*) and any of ($clear_*)) or
+        $SharpAdidnsdump or
+        dotnet.guids[0]=="8f985494-906c-485c-b3b3-0e90aa7d3ca7"
+}

third_party/yara/bartblaze/hacktools/SharpHostInfo.yar

@@ -0,0 +1,36 @@
+rule SharpHostInfo
+{
+    meta:
+        id = "6pYAh7DjfYOnvcl9PJGDjY"
+        fingerprint = "v1_sha256_a9973815c925b2c564ef1f4c2d4019e2d7a854d398a2378a0d86e6e4c3feadb4"
+        version = "1.0"
+        date = "2025-07-24"
+        modified = "2025-07-24"
+        status = "RELEASED"
+        sharing = "TLP:WHITE"
+        source = "BARTBLAZE"
+        author = "@bartblaze"
+        description = "Identifies SharpHostInfo, a tool used for quickly detecting intranet host information and also abused by attackers such as Storm-2603."
+        category = "TOOL"
+        tool = "SHARPHOSTINFO"
+        reference = "https://github.com/shmilylty/SharpHostInfo"
+        reference = "https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities"
+        hash = "d6da885c90a5d1fb88d0a3f0b5d9817a82d5772d5510a0773c80ca581ce2486d"
+
+    strings:
+        $str_a = "[!] Failed:"
+        $str_b = "[!] Error:"
+        $str_c = "manuf.json" fullword
+        $str_d = "Detect target:"
+        $str_e = "Detect Service:" 
+        $str_f = "Detect thead:"
+        $str_g = "Detect timeout:" 
+        $str_h = "The parsed detection target is empty"
+        $str_i = "An exception occurred while reading the file list!"
+        $str_j = "ParsingSocketStremResponse"
+
+        $sharphost = "SharpHostInfo" fullword
+
+    condition:
+        8 of ($str_*) or $sharphost
+}

third_party/yara/bartblaze/ransomware/Warlock.yar

@@ -0,0 +1,35 @@
+rule Warlock
+{
+    meta:
+        id = "4jggrARzQ2bsxiH62DEQRz"
+        fingerprint = "v1_sha256_bae361b7df9cc56f933d73b72104c43f766f964dedd05603acc1249b23e1de6f"
+        version = "1.0"
+        date = "2025-07-24"
+        modified = "2025-07-24"
+        status = "RELEASED"
+        sharing = "TLP:WHITE"
+        source = "BARTBLAZE"
+        author = "@bartblaze"
+        description = "Identifies Warlock ransomware used by Storm-2603. It is also known as x2anylock ransomware and is a Lockbit (Black) derivative."
+        category = "MALWARE"
+        malware = "WARLOCK"
+        malware_type = "RANSOMWARE"
+        reference = "https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities"
+        hash = "abb0fa128d3a75e69b59fe0391c1158eb84a799ddb0abc55d2d6be3511ef0ea1"
+
+    strings:
+        $str_pw = "replacethispassword" fullword
+        $str_id = "Your decrypt ID:"
+        $str_qtox = "QTox ID Support:"
+        $str_email = "Email Support:"
+        $str_contact = "You can contact us in email or qtox."
+        $str_decrypt = "How to decrypt my data.log"
+        
+        $ext = ".x2anylock" fullword
+        $pdb_part_work = "\\work\\tools\\ai\\ak47\\"
+        $pdb_part_end = "\\My7zdllhijacked.pdb"
+        $pdb_full = "C:\\Users\\Administrator\\Desktop\\work\\tools\\ai\\ak47\\cpp\\7zdllhijacked\\7zdllhijacked\\x64\\Release\\My7zdllhijacked.pdb"
+
+    condition:
+        5 of ($str_*) or $ext or any of ($pdb_*)
+}