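--- a/third_party/yara/bartblaze/APT/StormDNS.yar
+++ b/third_party/yara/bartblaze/APT/StormDNS.yar
@@ -0,0 +1,36 @@
+rule StormDNS
+{
+meta:
+id = "75nX2TPCk53RAhU55yBeFd"
+fingerprint = "v1_sha256_542a8af37bd4bc18218190cd82495146a4daa5d01db24804b9ff16ff04023a5a"
+version = "1.0"
+date = "2025-07-24"
+modified = "2025-07-24"
+status = "RELEASED"
+sharing = "TLP:WHITE"
+source = "BARTBLAZE"
+author = "@bartblaze"
+description = "Identifies StormDNS, a DNS shell used by Storm-260 to receive and execute commands from a C2."
+category = "MALWARE"
+malware = "STORMDNS"
+malware_type = "WEBSHELL"
+reference = "https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities"
+hash = "1eb914c09c873f0a7bcf81475ab0f6bdfaccc6b63bf7e5f2dbf19295106af192"
+
+strings:
+$str_a = "Slept for %d seconds"
+$str_b = "Failed to allocate memory"
+$str_c = "cmd.exe /c %s 2>&1"
+$str_d = "Failed to execute command"
+$str_e = "Failed to reallocate memory"
+$str_f = "Command executed with no output"
+$str_g = "fragment_received"
+$str_h = "result_received"
+$str_i = "s%st%04zup%04zu"
+
+$pdb_part = "\\work\\tools\\ak47c2\\"
+$pdb_full = "C:\\Users\\Administrator\\Desktop\\work\\tools\\ak47c2\\dnsclinet-c\\dnsclient\\x64\\Release\\dnsclient.pdb"
+
+condition:
+8 of ($str_*) or any of ($pdb_*)
+}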
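Review bot: The `description =` line attributes the DNS shell to "Storm-260", while every sibling rule in this commit spells the actor "Storm-2603", so this looks like a dropped digit that will break any search pivoting on the actor tag; the line should read `... used by Storm-2603 to receive and execute commands from a C2.`. `malware_type = "WEBSHELL"` is also at odds with the rule's own content, which describes a DNS shell and matches a `dnsclient.pdb` build path, so the type value appears copied from another rule and should be revisited or given a comment explaining the choice. Several of `$str_a`–`$str_f` are generic C runtime messages that many unrelated binaries contain, so the rule's specificity rests on `$str_g`–`$str_i` and the PDB paths; a one-line comment above `strings:` saying so would discourage anyone from relaxing `8 of ($str_*)` later.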
2 changes: 1 addition & 1 deletion third_party/yara/bartblaze/RELEASE
@@ -1 +1 @@
255135e922b571965ab942554fcd7b9b6162f091
cbd71a2d37ebf8178fcf23dc9a0cfbbc85400690
@@ -0,0 +1,51 @@
import "dotnet"
rule Extract_MachineKey_SharePoint
{
meta:
id = "5rgC2cpznLmamBSQ9etlFh"
fingerprint = "v1_sha256_267976231782f0458c369172e8d922508daf670089ef3c91ad2570fe3600d6c4"
version = "1.0"
date = "2025-07-25"
modified = "2025-07-25"
status = "RELEASED"
sharing = "TLP:WHITE"
source = "BARTBLAZE"
author = "@bartblaze"
description = "Identifies webshell that extracts SharePoint's MachineKey configuration."
category = "TOOL"
tool = "WEBSHELL"
reference = "https://x.com/Gi7w0rm/status/1948027800591466773"
hash = "3461da3a2ddcced4a00f87dcd7650af48f97998a3ac9ca649d7ef3b7332bd997"

strings:
$xml = "<?xml" nocase

$httpcontext = "HttpContext" fullword
$validation = "MachineKeyValidation"

$mks_a = "MachineKeySection"
$mks_b = "System.Web.Configuration.MachineKeySection"

$str_a = "-------------------- .NET Properties --------------------"
$str_b = "Number of Logical Drives:"
$str_c = "List of Logical Drives:"
$str_d = "Computer Name:"
$str_e = "Full path of the system directory:"
$str_f = "Current Directory:"
$str_g = "Number of processors on this machine:"
$str_h = "Number of milliseconds since system start:"
$str_i = "Username of the user currently logged onto the operating system:"
$str_j = "Operating System Version:"
$str_k = ".NET Version:"
$str_l = "-------------------- Environment Variables --------------------"

condition:
not $xml at 0 and (
($httpcontext and $validation and any of ($mks_*)) or (any of ($mks_*, $validation) and 8 of ($str_*)) or
dotnet.guids[0]=="64c708ee-5f26-4eef-b474-651321a0e469" or
dotnet.guids[0]=="a253a3d9-f7e6-484e-b392-685b0b7a9c5d" or
dotnet.guids[0]=="ab423cff-901e-4882-9939-bf1b54eddffb" or
dotnet.guids[0]=="63e8005d-08a3-423d-ab6b-53cc05629d457" or
dotnet.guids[0]=="de37ec6b-4312-4073-81ea-903f0a340a11"
)
}
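Review bot: The GUID on the fourth `dotnet.guids[0]` line, `63e8005d-08a3-423d-ab6b-53cc05629d457`, has thirteen hex digits in its last group instead of twelve, so that comparison can never be true and the sample it was meant to cover is silently dropped; it should be re-read from the assembly metadata and corrected. Separately, the `$str_*` literals are user-facing messages, which a compiled .NET assembly stores in the #US heap as UTF-16, so without `ascii wide` they would presumably only match source text or other ASCII copies; the same applies to `$str_cmd`/`$str_cookie` in IIS_Backdoor, `$clear_*` in SharpAdidnsdump and `$str_*` in SharpHostInfo, whereas GhostShell_SharePoint already uses `ascii wide` on its literals. The file header for this section is not visible here, so the rule's path could not be checked against the others.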
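--- a/third_party/yara/bartblaze/hacktools/GhostShell_SharePoint.yar
+++ b/third_party/yara/bartblaze/hacktools/GhostShell_SharePoint.yar
@@ -0,0 +1,39 @@
+import "dotnet"
+rule GhostShell_SharePoint
+{
+meta:
+id = "3L2nePhWiYOjRbQGFIZjdc"
+fingerprint = "v1_sha256_f5b1a1f487e7af2f315825c0a6657a84088bbfcdf57f3523de14c36e608bf287"
+version = "1.0"
+date = "2025-07-25"
+modified = "2025-07-25"
+status = "RELEASED"
+sharing = "TLP:WHITE"
+source = "BARTBLAZE"
+author = "@bartblaze"
+description = "Identifies compiled Ghostfile.aspx, simple reverse shell / backdoor as also seen in the ToolShell (SharePoint) attacks."
+category = "TOOL"
+tool = "GHOSTSHELL"
+reference = "https://x.com/marius_benthin/status/1948761502334267478"
+hash = "7e9b77da1f51d03ee2f96bc976f6aeb781f801cf633862a4b8c356cbb555927d"
+
+strings:
+$aspx = ".aspx" ascii wide nocase
+
+$cmd_a = "Usage: ?cmd=command" ascii wide
+
+/*
+string text2 = string.Concat(new string[] { "c", "m", "d", ".", "exe" });
+string text3 = string.Join("", new string[] { "/c ", text });
+*/
+$cmd_b = {7209000070A2110717720D000070A21107187211000070A21107197215000070A211071A7219000070A21107280C00000A0B7221000070188D1300000113071107167223000070A211071706A21107280D00000A}
+
+$layout_a = "/_layouts/" ascii wide nocase
+$layout_b = "/layouts/" ascii wide nocase
+
+
+condition:
+$aspx and any of ($cmd_*) and any of ($layout_*) or
+dotnet.guids[0]=="5497bdc1-57e4-4c5b-81eb-9dc7ca8b5aec" or
+dotnet.guids[0]=="cbcef74f-0a3d-4d87-8c6a-7044755c24f8"
+}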
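Review bot: `$cmd_b` is a raw IL sequence in which the `72 xx xx xx 70` (ldstr), `28 xx xx xx 0A` (call) and `8D xx xx xx 01` (newarr) operands are metadata tokens, and tokens are assigned per compilation, so as written the pattern is tied to this one build; wildcarding the token bytes (`72 ?? ?? ?? 70`, `28 ?? ?? ?? 0A`, `8D ?? ?? ?? 01`) would keep the decompiled shape documented in the comment while surviving a recompile of the same source. The condition mixes `and` and `or` without parentheses; `and` binds tighter, so it evaluates as intended, but `($aspx and any of ($cmd_*) and any of ($layout_*)) or` would make that explicit and match the bracketed style used in IIS_Backdoor and SharpAdidnsdump.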
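--- a/third_party/yara/bartblaze/hacktools/IIS_Backdoor.yar
+++ b/third_party/yara/bartblaze/hacktools/IIS_Backdoor.yar
@@ -0,0 +1,35 @@
+import "dotnet"
+rule IIS_Backdoor
+{
+meta:
+id = "4yJbnKKjfmtotBMpm2zK4F"
+fingerprint = "v1_sha256_4c2d7551e42e643a2265a821c6e629b83cbbbf903afc5ab9577ab13197dd4daa"
+version = "1.0"
+date = "2025-07-24"
+modified = "2025-07-24"
+status = "RELEASED"
+sharing = "TLP:WHITE"
+source = "BARTBLAZE"
+author = "@bartblaze"
+description = "Identifies an IIS backdoor used by Storm-2603."
+category = "TOOL"
+tool = "IISBACKDOOR"
+reference = "https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities"
+reference = "https://github.com/WBGlIl/IIS_backdoor"
+hash = "6f6db63ece791c6dc1054f1e1231b5bbcf6c051a49bad0784569271753e24619"
+
+strings:
+$iis_module = "IHttpModule"
+$str_cmd = "cmd.exe"
+$str_cookie = "sets-cookie"
+$str_dll = "IIS_Server_dll"
+
+$pdb_part = "\\david8866\\Desktop\\toolsnew\\"
+$pdb_full = "C:\\Users\\david8866\\Desktop\\toolsnew\\backdoor\\IIS-backdoor\\method1-module\\module-backdoor\\IIS-module-cmd\\IIS_Server_dll.pdb"
+
+condition:
+($iis_module and 2 of ($str_*)) or
+any of ($pdb_*) or
+dotnet.guids[0]=="05b57f52-968e-4f0f-a3e7-dd0bc7376fc5" or
+dotnet.guids[0]=="3fda4aa9-6fc1-473f-9048-7edc058c4f65"
+}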
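Review bot: `$str_cookie = "sets-cookie"` reads like a misspelling of `set-cookie`; if the spelling is taken verbatim from the sample it is the most specific of the `$str_*` literals, but without a comment a later maintainer is likely to "correct" it and silently break the match, so the line deserves `// sic: spelled this way in the sample` (or similar). The same applies to `$clear_a = "Error retriving data"` in SharpAdidnsdump and to `$str_f = "Detect thead:"` and `$str_j = "ParsingSocketStremResponse"` in SharpHostInfo, which look like upstream typos carried into the rules on purpose.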
8 changes: 4 additions & 4 deletions third_party/yara/bartblaze/hacktools/PowerTool.yar
Expand Up @@ -8,14 +8,14 @@ rule PowerTool
version = "1.0"
creation_date = "2021-07-01"
first_imported = "2021-12-30"
last_modified = "2025-03-10"
last_modified = "2025-07-24"
status = "RELEASED"
sharing = "TLP:WHITE"
source = "BARTBLAZE"
author = "@bartblaze"
description = "Identifies PowerTool, sometimes used by attackers to disable security software."
category = "MALWARE"
malware = "POWERTOOL"
category = "TOOL"
tool = "POWERTOOL"
reference = "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml"


Expand All @@ -30,4 +30,4 @@ rule PowerTool

condition:
any of them
}
}
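--- a/third_party/yara/bartblaze/hacktools/SharpAdidnsdump.yar
+++ b/third_party/yara/bartblaze/hacktools/SharpAdidnsdump.yar
@@ -0,0 +1,39 @@
+import "dotnet"
+rule SharpAdidnsdump
+{
+meta:
+id = "6rWYf0SwQzWanysjEs2F3h"
+fingerprint = "v1_sha256_81a0841b64b31da7c8e6f601913eaabbcf2d03868c46b6d5acf2da532964c200"
+version = "1.0"
+date = "2025-07-24"
+modified = "2025-07-24"
+status = "RELEASED"
+sharing = "TLP:WHITE"
+source = "BARTBLAZE"
+author = "@bartblaze"
+description = "Identifies SharpAdidnsdump, which allows for AD integrated DNS dumping and also abused by attackers such as Storm-2603."
+category = "TOOL"
+tool = "SHARPAPIDNSDUMP"
+reference = "https://github.com/b4rtik/SharpAdidnsdump"
+reference = "https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities"
+hash = "f01675f9ca00da067bdb1812bf829f09ccf5658b87d3326d6fddd773df352574"
+
+strings:
+$str_a = "IPAddress"
+$str_b = "DirectorySearcher"
+$str_c = "SearchResult"
+$str_d = "IPHostEntry"
+$str_e = "GetHostEntry"
+$str_f = "DirectoryEntry"
+
+$clear_a = "Error retriving data"
+$clear_b = "dNSTombstoned"
+$clear_c = "Running enumeration against"
+
+$SharpAdidnsdump = "SharpAdidnsdump" fullword
+
+condition:
+(3 of ($str_*) and any of ($clear_*)) or
+$SharpAdidnsdump or
+dotnet.guids[0]=="8f985494-906c-485c-b3b3-0e90aa7d3ca7"
+}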
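Review bot: `tool = "SHARPAPIDNSDUMP"` in the meta block has a transposed letter pair; the rule name and both references spell it SharpAdidnsdump, so the line should read `tool = "SHARPADIDNSDUMP"`, otherwise anything that pivots on the tool tag will miss this rule. Separately, `$SharpAdidnsdump or` lets the bare fullword tool name satisfy the condition on its own, which also fires on threat reports, source checkouts and this rule file itself; SharpHostInfo's `$sharphost` branch has the same shape, so either add a comment stating that broad matching is intended or fold the name into the first branch, e.g. `($SharpAdidnsdump and 2 of ($str_*)) or`.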
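--- a/third_party/yara/bartblaze/hacktools/SharpHostInfo.yar
+++ b/third_party/yara/bartblaze/hacktools/SharpHostInfo.yar
@@ -0,0 +1,36 @@
+rule SharpHostInfo
+{
+meta:
+id = "6pYAh7DjfYOnvcl9PJGDjY"
+fingerprint = "v1_sha256_a9973815c925b2c564ef1f4c2d4019e2d7a854d398a2378a0d86e6e4c3feadb4"
+version = "1.0"
+date = "2025-07-24"
+modified = "2025-07-24"
+status = "RELEASED"
+sharing = "TLP:WHITE"
+source = "BARTBLAZE"
+author = "@bartblaze"
+description = "Identifies SharpHostInfo, a tool used for quickly detecting intranet host information and also abused by attackers such as Storm-2603."
+category = "TOOL"
+tool = "SHARPHOSTINFO"
+reference = "https://github.com/shmilylty/SharpHostInfo"
+reference = "https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities"
+hash = "d6da885c90a5d1fb88d0a3f0b5d9817a82d5772d5510a0773c80ca581ce2486d"
+
+strings:
+$str_a = "[!] Failed:"
+$str_b = "[!] Error:"
+$str_c = "manuf.json" fullword
+$str_d = "Detect target:"
+$str_e = "Detect Service:"
+$str_f = "Detect thead:"
+$str_g = "Detect timeout:"
+$str_h = "The parsed detection target is empty"
+$str_i = "An exception occurred while reading the file list!"
+$str_j = "ParsingSocketStremResponse"
+
+$sharphost = "SharpHostInfo" fullword
+
+condition:
+8 of ($str_*) or $sharphost
+}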
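--- a/third_party/yara/bartblaze/ransomware/Warlock.yar
+++ b/third_party/yara/bartblaze/ransomware/Warlock.yar
@@ -0,0 +1,35 @@
+rule Warlock
+{
+meta:
+id = "4jggrARzQ2bsxiH62DEQRz"
+fingerprint = "v1_sha256_bae361b7df9cc56f933d73b72104c43f766f964dedd05603acc1249b23e1de6f"
+version = "1.0"
+date = "2025-07-24"
+modified = "2025-07-24"
+status = "RELEASED"
+sharing = "TLP:WHITE"
+source = "BARTBLAZE"
+author = "@bartblaze"
+description = "Identifies Warlock ransomware used by Storm-2603. It is also known as x2anylock ransomware and is a Lockbit (Black) derivative."
+category = "MALWARE"
+malware = "WARLOCK"
+malware_type = "RANSOMWARE"
+reference = "https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities"
+hash = "abb0fa128d3a75e69b59fe0391c1158eb84a799ddb0abc55d2d6be3511ef0ea1"
+
+strings:
+$str_pw = "replacethispassword" fullword
+$str_id = "Your decrypt ID:"
+$str_qtox = "QTox ID Support:"
+$str_email = "Email Support:"
+$str_contact = "You can contact us in email or qtox."
+$str_decrypt = "How to decrypt my data.log"
+
+$ext = ".x2anylock" fullword
+$pdb_part_work = "\\work\\tools\\ai\\ak47\\"
+$pdb_part_end = "\\My7zdllhijacked.pdb"
+$pdb_full = "C:\\Users\\Administrator\\Desktop\\work\\tools\\ai\\ak47\\cpp\\7zdllhijacked\\7zdllhijacked\\x64\\Release\\My7zdllhijacked.pdb"
+
+condition:
+5 of ($str_*) or $ext or any of ($pdb_*)
+}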
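Review bot: `$ext or` lets the bare `.x2anylock` extension string satisfy the condition by itself, so any analyst note, report or this rule file that mentions the extension matches alongside the payload; if catching the ransom note or renamed files is the intent, a comment on the `$ext` line saying so would stop the next reader from tightening it, and if not, `(5 of ($str_*) or any of ($pdb_*)) or ($ext and 2 of ($str_*))` keeps the extension as a strong signal without the standalone hit. `$str_pw = "replacethispassword"` looks like a build-template placeholder rather than a Warlock-specific artefact, and given the description's note that this is a LockBit (Black) derivative it is presumably shared with related builds; a short comment to that effect would keep hits on other families from being read as Warlock.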