diff --git a/third_party/yara/bartblaze/RELEASE b/third_party/yara/bartblaze/RELEASE
index 2b501b206..f9a6693ca 100644
--- a/third_party/yara/bartblaze/RELEASE
+++ b/third_party/yara/bartblaze/RELEASE
@@ -1 +1 @@
-063fb36a398f8bec668ab715b17dc4596fdadb0f
+cc2fab21ad5ba5f6dd74e57f44373bbcc6f0ce09
diff --git a/third_party/yara/bartblaze/generic/LNK_Ruleset.yar b/third_party/yara/bartblaze/generic/LNK_Ruleset.yar
index 5abe877ee..453245f62 100644
--- a/third_party/yara/bartblaze/generic/LNK_Ruleset.yar
+++ b/third_party/yara/bartblaze/generic/LNK_Ruleset.yar
@@ -338,6 +338,7 @@ rule SMB_in_LNK
 source = "BARTBLAZE"
 author = "@bartblaze"
 category = "INFO"
+ description = "Identifies SMB in shortcut (LNK) files"
 strings:
 $ = "\\c$\\" ascii wide nocase
diff --git a/third_party/yara/bartblaze/hacktools/Adfind.yar b/third_party/yara/bartblaze/hacktools/Adfind.yar
index b2b1fb5eb..d4b55676a 100644
--- a/third_party/yara/bartblaze/hacktools/Adfind.yar
+++ b/third_party/yara/bartblaze/hacktools/Adfind.yar
@@ -12,7 +12,8 @@ rule Adfind
 source = "BARTBLAZE"
 author = "@bartblaze"
 description = "Identifies Adfind, a Command line Active Directory query tool."
- category = "HACKTOOL"
+ category = "MALWARE"
+ malware_type = "HACKTOOL"
 tool = "ADFIND"
 mitre_att = "S0552"
 reference = "http://www.joeware.net/freetools/tools/adfind/"
@@ -27,4 +28,4 @@ rule Adfind
 condition:
 any of them
-}
\ No newline at end of file
+}
diff --git a/third_party/yara/bartblaze/hacktools/CreateMiniDump.yar b/third_party/yara/bartblaze/hacktools/CreateMiniDump.yar
index 0974944b6..89be5f0e2 100644
--- a/third_party/yara/bartblaze/hacktools/CreateMiniDump.yar
+++ b/third_party/yara/bartblaze/hacktools/CreateMiniDump.yar
@@ -12,7 +12,8 @@ rule CreateMiniDump
 source = "BARTBLAZE"
 author = "@bartblaze"
 description = "Identifies CreateMiniDump, tool to dump LSASS."
- category = "HACKTOOL"
+ category = "MALWARE"
+ malware_type = "HACKTOOL"
 tool = "CREATEMINIDUMP"
 reference = "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass"
@@ -20,15 +21,15 @@ rule CreateMiniDump
 strings:
 $ = "[+] Got lsass.exe PID:" ascii wide
 $ = "[+] lsass dumped successfully!" ascii wide
- $ = { 40 55 57 4? 81 ec e8 04 00 00 4? 8d ?? ?4 40 4? 8b fc b9 3a 01 00 00 b8 cc cc cc cc f3 ab 4?
- 8b 05 ?? ?? ?? ?? 4? 33 c5 4? 89 8? ?? ?? ?? ?? c7 4? ?? 00 00 00 00 4? c7 4? ?? 00 00 00 00 4?
- c7 44 ?? ?? 00 00 00 00 c7 44 ?? ?? 80 00 00 00 c7 44 ?? ?? 02 00 00 00 45 33 c9 45 33 c0 ba 00
- 00 00 10 4? 8d 0d ?? ?? ?? ?? ff 15 ?? ?? ?? ?? 4? 89 4? ?? 33 d2 b9 02 00 00 00 e8 ?? ?? ?? ??
+ $ = { 40 55 57 4? 81 ec e8 04 00 00 4? 8d ?? ?4 40 4? 8b fc b9 3a 01 00 00 b8 cc cc cc cc f3 ab 4?
+ 8b 05 ?? ?? ?? ?? 4? 33 c5 4? 89 8? ?? ?? ?? ?? c7 4? ?? 00 00 00 00 4? c7 4? ?? 00 00 00 00 4?
+ c7 44 ?? ?? 00 00 00 00 c7 44 ?? ?? 80 00 00 00 c7 44 ?? ?? 02 00 00 00 45 33 c9 45 33 c0 ba 00
+ 00 00 10 4? 8d 0d ?? ?? ?? ?? ff 15 ?? ?? ?? ?? 4? 89 4? ?? 33 d2 b9 02 00 00 00 e8 ?? ?? ?? ??
 4? 89 4? ?? 4? 8d ?? 90 00 00 00 4? 8b f8 33 c0 b9 38 02 00 00 f3 aa c7 8? ?? ?? ?? ?? 38 02 00
- 00 4? 8d 05 ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 4? 8d ?? 90 00 00 00 4? 8b 4? ?? e8 ?? ?? ?? ?? 85
- c0 74 ?? 4? 8d 15 ?? ?? ?? ?? 4? 8b ?? ?? ?? ?? ?? ff 15 ?? ?? ?? ?? 85 c0 74 ?? 4? 8d ?? 90 00
+ 00 4? 8d 05 ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 4? 8d ?? 90 00 00 00 4? 8b 4? ?? e8 ?? ?? ?? ?? 85
+ c0 74 ?? 4? 8d 15 ?? ?? ?? ?? 4? 8b ?? ?? ?? ?? ?? ff 15 ?? ?? ?? ?? 85 c0 74 ?? 4? 8d ?? 90 00
 00 00 4? 8b 4? ?? e8 ?? ?? ?? ?? 4? 8d ?? bc 00 00 00 4? 89 8? ?? ?? ?? ?? 8b 8? ?? ?? ?? ?? 89 4? ?? }
 condition:
 any of them
-}
\ No newline at end of file
+}
diff --git a/third_party/yara/bartblaze/hacktools/NLBrute.yar b/third_party/yara/bartblaze/hacktools/NLBrute.yar
index a82c6c154..f05b86360 100644
--- a/third_party/yara/bartblaze/hacktools/NLBrute.yar
+++ b/third_party/yara/bartblaze/hacktools/NLBrute.yar
@@ -12,11 +12,12 @@ rule NLBrute
 source = "BARTBLAZE"
 author = "@bartblaze"
 description = "Identifies NLBrute, an RDP brute-forcing tool."
- category = "HACKTOOL"
+ category = "MALWARE"
+ malware_type = "HACKTOOL"
 strings:
 $ = "SERVER:PORT@DOMAIN\\USER;PASSWORD" ascii wide
 condition:
 any of them
-}
\ No newline at end of file
+}
diff --git a/third_party/yara/bartblaze/hacktools/Responder.yar b/third_party/yara/bartblaze/hacktools/Responder.yar
index 485c4c731..4b1c47ab0 100644
--- a/third_party/yara/bartblaze/hacktools/Responder.yar
+++ b/third_party/yara/bartblaze/hacktools/Responder.yar
@@ -12,7 +12,8 @@ rule Responder
 source = "BARTBLAZE"
 author = "@bartblaze"
 description = "Identifies Responder, an LLMNR, NBT-NS and MDNS poisoner."
- category = "HACKTOOL"
+ category = "MALWARE"
+ malware_type = "HACKTOOL"
 tool = "RESPONDER"
 mitre_att = "S0174"
 reference = "https://github.com/lgandx/Responder"
@@ -35,4 +36,4 @@ rule Responder
 condition:
 any of them
-}
\ No newline at end of file
+}
diff --git a/third_party/yara/bartblaze/hacktools/Windows_Credentials_Editor.yar b/third_party/yara/bartblaze/hacktools/Windows_Credentials_Editor.yar
index f9f5d5aec..da28a823d 100644
--- a/third_party/yara/bartblaze/hacktools/Windows_Credentials_Editor.yar
+++ b/third_party/yara/bartblaze/hacktools/Windows_Credentials_Editor.yar
@@ -12,7 +12,8 @@ rule Windows_Credentials_Editor
 source = "BARTBLAZE"
 author = "@bartblaze"
 description = "Identifies Windows Credentials Editor (WCE), post-exploitation tool."
- category = "HACKTOOL"
+ category = "MALWARE"
+ malware_type = "HACKTOOL"
 tool = "WINDOWS CREDENTIAL EDITOR"
 mitre_att = "S0005"
 reference = "https://www.ampliasecurity.com/research/windows-credentials-editor/"
@@ -42,4 +43,4 @@ rule Windows_Credentials_Editor
 condition:
 3 of them
-}
\ No newline at end of file
+}