rule SUSP_ntdlldll_mutation_flipflop {
    // "ntdll.dll" with every adjacent character pair swapped
    // (nt->tn, dl->ld, l.->.l, dl->ld, trailing l kept) -> "tnld.lldl".
    // 'wide' adds the UTF-16LE form, 'nocase' the mixed-case form.
    meta:
        author = "Greg Lesnewich"
        description = "track string mutations of ntdll.dll which can be used for syscalls"
        date = "2024-01-23"
        version = "1.0"
        DaysofYARA = "24/100"
    strings:
        $ntdlldll_flipflop = "tnld.lldl" nocase ascii wide
    condition:
        $ntdlldll_flipflop
}
rule SUSP_ntdlldll_mutation_reverse {
    // "ntdll.dll" spelled backwards -> "lld.lldtn".
    // Any hit here also satisfies the shorter ntdll_reverse rule ("lldtn").
    meta:
        author = "Greg Lesnewich"
        description = "track string mutations of ntdll.dll which can be used for syscalls"
        date = "2024-01-23"
        version = "1.0"
        DaysofYARA = "24/100"
    strings:
        $ntdlldll_reverse = "lld.lldtn" nocase ascii wide
    condition:
        $ntdlldll_reverse
}
rule SUSP_ntdlldll_mutation_hex_enc_str {
    // ASCII hex spelling of "ntdll.dll": 6e=n 74=t 64=d 6c=l 2e=.
    // 'nocase' is what makes the upper-case digit form ("6E74...") match.
    meta:
        author = "Greg Lesnewich"
        description = "track string mutations of ntdll.dll which can be used for syscalls"
        date = "2024-01-23"
        version = "1.0"
        DaysofYARA = "24/100"
    strings:
        $ntdlldll_hex_enc_str = "6e74646c6c2e646c6c" nocase ascii wide
    condition:
        $ntdlldll_hex_enc_str
}
rule SUSP_ntdlldll_mutation_decimal {
    // Decimal ASCII codes of "ntdll.dll" separated by single spaces
    // (110=n 116=t 100=d 108=l 46=.). Only this exact separator form
    // matches; 'nocase' has no effect on digits and spaces.
    meta:
        author = "Greg Lesnewich"
        description = "track string mutations of ntdll.dll which can be used for syscalls"
        date = "2024-01-23"
        version = "1.0"
        DaysofYARA = "24/100"
    strings:
        $ntdlldll_decimal = "110 116 100 108 108 46 100 108 108" nocase ascii wide
    condition:
        $ntdlldll_decimal
}
rule SUSP_ntdlldll_mutation_fallchill {
    // Reversed-alphabet (Atbash-style) substitution of "ntdll.dll":
    // n<->m, t<->g, d<->w, l<->o, '.' untouched -> "mgwoo.woo".
    // The rule name attributes this scheme to FALLCHILL.
    meta:
        author = "Greg Lesnewich"
        description = "track string mutations of ntdll.dll which can be used for syscalls"
        date = "2024-01-23"
        version = "1.0"
        DaysofYARA = "24/100"
    strings:
        $ntdlldll_fallchill = "mgwoo.woo" nocase ascii wide
    condition:
        $ntdlldll_fallchill
}
rule SUSP_ntdlldll_mutation_stackpush {
    // 'h' is 0x68, the opcode of `push imm32`, so this is "ntdll.dll"
    // pushed onto the stack in reverse dword chunks:
    //   push "l" | push "l.dl" | push "ntdl"  ->  "hl" "hl.dl" "hntdl".
    // The short last chunk carries no null padding here; the *null
    // sibling rules cover one and two padding bytes.
    meta:
        author = "Greg Lesnewich"
        description = "track string mutations of ntdll.dll which can be used for syscalls"
        date = "2024-01-23"
        version = "1.0"
        DaysofYARA = "24/100"
    strings:
        $ntdlldll_stackpush = "hlhl.dlhntdl" nocase ascii wide
    condition:
        $ntdlldll_stackpush
}
rule SUSP_ntdlldll_mutation_stackpushnull {
    // Stack-push form of "ntdll.dll" (0x68 = `push imm32`, 'h') where the
    // short trailing chunk "l" is followed by exactly one null byte:
    //   "hl\x00" "hl.dl" "hntdl".
    // NOTE(review): a full-dword push of "l" would carry three nulls
    // (68 6c 00 00 00); none of the stackpush rules in this file covers
    // that form — confirm whether that is intended.
    meta:
        author = "Greg Lesnewich"
        description = "track string mutations of ntdll.dll which can be used for syscalls"
        date = "2024-01-23"
        version = "1.0"
        DaysofYARA = "24/100"
    strings:
        $ntdlldll_stackpushnull = "hl\x00hl.dlhntdl" nocase ascii wide
    condition:
        $ntdlldll_stackpushnull
}
rule SUSP_ntdlldll_mutation_stackpushdoublenull {
    // Stack-push form of "ntdll.dll" (0x68 = `push imm32`, 'h') where the
    // short trailing chunk "l" is followed by exactly two null bytes:
    //   "hl\x00\x00" "hl.dl" "hntdl".
    meta:
        author = "Greg Lesnewich"
        description = "track string mutations of ntdll.dll which can be used for syscalls"
        date = "2024-01-23"
        version = "1.0"
        DaysofYARA = "24/100"
    strings:
        $ntdlldll_stackpushdoublenull = "hl\x00\x00hl.dlhntdl" nocase ascii wide
    condition:
        $ntdlldll_stackpushdoublenull
}
rule SUSP_ntdlldll_mutation_hex_movebp {
    // "ntdll.dll" built one byte at a time on the frame:
    //   c6 45 ?? 6e  ==  mov byte ptr [rbp+disp8], 'n'
    // repeated for t d l l . d l l with the displacement wildcarded.
    // Only the [rbp+disp8] encoding (ModRM 0x45) is covered, and the nine
    // stores must appear back to back in string order.
    meta:
        author = "Greg Lesnewich"
        description = "track string mutations of ntdll.dll which can be used for syscalls"
        date = "2024-01-23"
        version = "1.0"
        DaysofYARA = "24/100"
    strings:
        $ntdlldll_hex_movebp = {
            c6 45 ?? 6e   // n
            c6 45 ?? 74   // t
            c6 45 ?? 64   // d
            c6 45 ?? 6c   // l
            c6 45 ?? 6c   // l
            c6 45 ?? 2e   // .
            c6 45 ?? 64   // d
            c6 45 ?? 6c   // l
            c6 45 ?? 6c   // l
        }
    condition:
        $ntdlldll_hex_movebp
}
rule SUSP_ntdlldll_mutation_rot13 {
    // ROT13 of "ntdll.dll": n->a, t->g, d->q, l->y, '.' unchanged
    // -> "agqyy.qyy".
    meta:
        author = "Greg Lesnewich"
        description = "track string mutations of ntdll.dll which can be used for syscalls"
        date = "2024-01-23"
        version = "1.0"
        DaysofYARA = "24/100"
    strings:
        $ntdlldll_rot13 = "agqyy.qyy" nocase ascii wide
    condition:
        $ntdlldll_rot13
}
// "ntdll" with adjacent character pairs swapped (nt->tn, dl->ld, l kept).
// Five-character term with nocase/wide: broad, hunting-grade signal.
// NOTE(review): no meta block and no SUSP_ prefix, unlike the sibling rules.
rule ntdll_flipflop {
  strings:
    $ntdll_flipflop = "tnldl" ascii wide nocase
  condition:
    $ntdll_flipflop
}
// "ntdll" spelled backwards. Also fires on every hit of
// SUSP_ntdlldll_mutation_reverse, since "lld.lldtn" contains "lldtn".
// NOTE(review): no meta block and no SUSP_ prefix, unlike the sibling rules.
rule ntdll_reverse {
  strings:
    $ntdll_reverse = "lldtn" ascii wide nocase
  condition:
    $ntdll_reverse
}
// ASCII hex spelling of "ntdll" (6e 74 64 6c 6c); nocase admits "6E74...".
// NOTE(review): no meta block and no SUSP_ prefix, unlike the sibling rules.
rule ntdll_hex_enc_str {
  strings:
    $ntdll_hex_enc_str = "6e74646c6c" ascii wide nocase
  condition:
    $ntdll_hex_enc_str
}
// Space-separated decimal ASCII codes of "ntdll" (110 116 100 108 108).
// Only this separator form matches; nocase has no effect on digits.
// NOTE(review): no meta block and no SUSP_ prefix, unlike the sibling rules.
rule ntdll_decimal {
  strings:
    $ntdll_decimal = "110 116 100 108 108" ascii wide nocase
  condition:
    $ntdll_decimal
}
// Reversed-alphabet (Atbash-style) substitution of "ntdll":
// n<->m, t<->g, d<->w, l<->o -> "mgwoo".
// NOTE(review): no meta block and no SUSP_ prefix, unlike the sibling rules.
rule ntdll_fallchill {
  strings:
    $ntdll_fallchill = "mgwoo" ascii wide nocase
  condition:
    $ntdll_fallchill
}
// "ntdll" pushed in reverse dword chunks ('h' = 0x68, `push imm32`):
//   push "l" | push "ntdl"  ->  "hl" "hntdl", no padding after "l".
// NOTE(review): no meta block and no SUSP_ prefix, unlike the sibling rules.
rule ntdll_stackpush {
  strings:
    $ntdll_stackpush = "hlhntdl" ascii wide nocase
  condition:
    $ntdll_stackpush
}
// Stack-push form of "ntdll" where the short chunk "l" is followed by
// exactly one null byte: "hl\x00" "hntdl".
// NOTE(review): no meta block and no SUSP_ prefix, unlike the sibling rules.
rule ntdll_stackpushnull {
  strings:
    $ntdll_stackpushnull = "hl\x00hntdl" ascii wide nocase
  condition:
    $ntdll_stackpushnull
}
// Stack-push form of "ntdll" where the short chunk "l" is followed by
// exactly two null bytes: "hl\x00\x00" "hntdl".
// NOTE(review): the three-null (full dword) form is not covered by any
// rule in this file — confirm whether that is intended.
rule ntdll_stackpushdoublenull {
  strings:
    $ntdll_stackpushdoublenull = "hl\x00\x00hntdl" ascii wide nocase
  condition:
    $ntdll_stackpushdoublenull
}
// "ntdll" stored byte by byte via `mov byte ptr [rbp+disp8], imm8`
// (c6 45 ?? xx); only the ModRM 0x45 encoding and this store order match.
// NOTE(review): no meta block and no SUSP_ prefix, unlike the sibling rules.
rule ntdll_hex_movebp {
  strings:
    $ntdll_hex_movebp = {
      c6 45 ?? 6e   // n
      c6 45 ?? 74   // t
      c6 45 ?? 64   // d
      c6 45 ?? 6c   // l
      c6 45 ?? 6c   // l
    }
  condition:
    $ntdll_hex_movebp
}
// ROT13 of "ntdll": n->a, t->g, d->q, l->y -> "agqyy".
// NOTE(review): no meta block and no SUSP_ prefix, unlike the sibling rules.
rule ntdll_rot13 {
  strings:
    $ntdll_rot13 = "agqyy" ascii wide nocase
  condition:
    $ntdll_rot13
}
rule zSUSP_NTDLL_Stack_String_Padding
{
    // Dword-wise compare of "ntdll.dll" against a value on the stack.
    // `or eax, 0x20202020` sets bit 5 of every byte — for ASCII letters
    // that folds upper-case to lower-case — immediately before
    // `cmp eax, 'ntdl'`; the same or/cmp pair then repeats for 'l.dl'.
    // NOTE(review): the meta description speaks of "clearing" the
    // register; the listed `or` sets bits (case fold) rather than clearing.
    meta:
        author = "Greg Lesnewich"
        description = "detect ntdll.dll being moved to the stack with empty padding being used to clear the register prior to use"
        date = "2024-01-23"
        version = "1.0"
        DaysofYARA = "23/100"
    strings:
        // 20 20 20 20   imm32 of the `or eax, 0x20202020`
        // ??            cmp opcode byte (0x3d in the listing), wildcarded —
        //               any other opcode byte is admitted here too
        // 6e 74 64 6c   'ntdl' immediate
        // [10-20]       the jne / mov / add / mov between the two compares
        //               (13 bytes in the listing below)
        // 20 20 20 20 ?? 6c 2e 64 6c   second or/cmp pair, 'l.dl'
        $0x1d5c1369a = { 20 20 20 20 ?? 6e 74 64 6c [10-20] 20 20 20 20 ?? 6c 2e 64 6c }
        // 1d5c1369a 0d20202020 or eax, 0x20202020
        // 1d5c1369f 3d6e74646c cmp eax, 'ntdl'
        // 1d5c136a4 751b jne 0x1d5c136c1
        // 1d5c136a6 488b4598 mov rax, qword [rbp-0x68 {var_80_1}]
        // 1d5c136aa 4883c004 add rax, 0x4
        // 1d5c136ae 8b00 mov eax, dword [rax]
        // 1d5c136b0 0d20202020 or eax, 0x20202020
        // 1d5c136b5 3d6c2e646c cmp eax, 'l.dl'
    condition:
        $0x1d5c1369a
}