Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
red_team_tool_countermeasures/all-clam.ldb
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
26 lines (26 sloc)
10.5 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Copyright 2020 by FireEye, Inc. | |
| # You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at: | |
| # https://github.com/fireeye/red_team_tool_countermeasures/blob/master/LICENSE.txt | |
| HackTool_PY_ImpacketObfuscation_1;Engine:81-255,Target:7;0&1&2&3&4&5&6;636c61737320636d6465786563;636c6173732072656d6f74657368656c6c;73656c662e73657276696365735f6e616d6573;696d706f72742072616e646f6d;0&1&2&3/self\.__output[\x09\x20]{0,32}=[\x09\x20]{0,32}[\x22\x27]\\\\\\\\127\.0\.0\.1\\\\[\x22\x27][\x09\x20]{0,32}\+[\x09\x20]{0,32}self\.__share[\x09\x20]{0,32}\+[\x09\x20]{0,32}\w{1,64}[\x09\x20]{0,32}\+[\x09\x20]{0,32}\w{1,64}/;4/self\.__shell[\x09\x20]{0,32}=[\x09\x20]{0,32}[\x22\x27]%comspec%[\x09\x20]{1,32}\/q[\x09\x20]{1,32}\/k [\x22\x27]/;5/self\.__servicename[\x09\x20]{0,32}=[\x09\x20]{0,32}self\.services_names\[random\.randint\([\x09\x20]{0,32}0[\x09\x20]{0,32},[\x09\x20]{0,32}len\(self\.services_names\)[\x09\x20]{0,32}-[\x09\x20]{0,32}1\)\]/ | |
| HackTool_PS1_EWSRT_2;Engine:81-255,Target:7;0&1;62356431323638302d393634372d313165382d396562362d353239323639666231343539;276765742d6d61696c696e666f272c20276765742d676c6f62616c616464726573736c697374272c2027696e766f6b652d696d706572736f6e6174656461757468272c2027696e766f6b652d6d61696c656e756d272c2027696e766f6b652d67656e6572617465686f6d6570616765272c20277365742d686f6d657061676527 | |
| APT_Loader_XOML_PGF_1;Engine:81-255,Target:7;0&1&2&3&4&5&6&7;3c73657175656e7469616c776f726b666c6f77616374697669747920783a636c6173733d;3c636f6465616374697669747920783a6e616d653d;3c783a636f64653e;3c215b63646174615b;73797374656d2e636f6e766572742e66726f6d626173653634737472696e6728;73797374656d2e746578742e656e636f64696e672e61736369692e676574627974657328;0&1&2&3&4&5/system\.string (\w{1,64})[\x09\x20]{0,32}=[\x09\x20]{0,32}\w{1,64}\.tostring\(\)\x3b[\x09\x20]{0,32}byte\[\] \w{1,64}[\x09\x20]{0,32}=[\x09\x20]{0,32}system\.convert\.frombase64string\(\1\)/;6/system\.string (\w{1,64})[\x09\x20]{0,32}=[\x09\x20]{0,32}[\x22\x27]\w{1,128}[\x22\x27]\x3b[\x09\x20]{0,32}byte\[\] (\w{1,64})[\x09\x20]{0,32}=[\x09\x20]{0,32}system\.text\.encoding\.ascii\.getbytes\(\1\)\x3b[\x09\x20]{0,32}for[\x09\x20]{0,32}\([\x09\x20]{0,32}int \w{1,64}[\x09\x20]{0,32}=[\x09\x20]{0,32}[\x09\x20]{0,32}0\x3b[\x09\x20]{0,32}\w{1,64}[\x09\x20]{0,32}<[\x09\x20]{0,32}(\w{1,64})\.length[\x09\x20]{0,32}\x3b[\x09\x20]{0,32}\w{1,64}\+\+[\x09\x20]{0,32}\)[\x09\x20]{0,32}\3\[\w{1,64}\][\x09\x20]{0,32}=[\x09\x20]{0,32}\(\(byte\)\(\3\[\w{1,64}\][\x09\x20]{0,32}\^[\x09\x20]{0,32}\2\[\(\w{1,64}[\x09\x20]{0,32}%[\x09\x20]{0,32}\2\.length\)\]\)\)/ | |
| HackTool_HTML_EWSRT_1;Engine:81-255,Target:3;0&1&2&3;7365746170706c69636174696f6e3d{-30}2e6f75746c6f6f6b6170706c69636174696f6e;6170706c69636174696f6e2e6372656174656f626a65637428227368656c6c2e6170706c69636174696f6e2229;636c61737369643d22636c7369643a30303036663036332d303030302d303030302d633030302d30303030303030303030343622;2e7368656c6c6578656375746522706f7765727368656c6c2e657865222c222d6e6f702d7768696464656e2d656e636f646564636f6d6d616e64706f7765727368656c6c5f656e636f6465645f7061796c6f6164 | |
| Trojan_PS1_Generic_4;Engine:81-255,Target:7;0&1&2&3;203D205B747970655D2822;0/ = \[type\]\("(?:\{[0-5]\}){1,6}" -f[convert',]{6,36}\)/;0&1/\)\.value::\("(?:\{1?[0-9]\}){1,16}" -f[frombase64ting',]{16,96}\)\.invoke/;28206765742D7661726961626C65202822{1-32}222B22{1-32}2D76616C75656F6E6C792029 | |
| Trojan_Macro_RESUMEPLEASE_1;Engine:81-255,Target:0;0&1&2&3&4&5;466f722042696e617279204173;52616e67652e54657874;456e7669726f6e28;434279746528;2e537061776e496e7374616e63655f;2e43726561746528 | |
| APT_Trojan_LNK_LNKSMASHER_2;Engine:81-255,Target:0;0&1;0:4C0000000114020000000000C0000000;5368656c6c457865635f52756e444c4c{-64}436d64{-64}464f52{-64}746f6b656e733d{-256}66696e64737472{-64}2e6c6e6b::wi | |
| APT_Loader_TT_PGF_1;Engine:81-255,Target:7;0&1&2&3;3c23402074656d706c617465206c616e67756167653d2263232220233e20;3c232b206e616d65737061636520;0&1/system\.string (\w{1,64})[\x09\x20]{0,32}=[\x09\x20]{0,32}\w{1,64}\.tostring\(\)\x3b[\x09\x20]{0,32}byte\[\] \w{1,64}[\x09\x20]{0,32}=[\x09\x20]{0,32}system\.convert\.frombase64string\(\1\)/;2/system\.string (\w{1,64})[\x09\x20]{0,32}=[\x09\x20]{0,32}[\x22\x27]\w{1,128}[\x22\x27]\x3b[\x09\x20]{0,32}byte\[\] (\w{1,64})[\x09\x20]{0,32}=[\x09\x20]{0,32}system\.text\.encoding\.ascii\.getbytes\(\1\)\x3b[\x09\x20]{0,32}for[\x09\x20]{0,32}\([\x09\x20]{0,32}int \w{1,64}[\x09\x20]{0,32}=[\x09\x20]{0,32}[\x09\x20]{0,32}0\x3b[\x09\x20]{0,32}\w{1,64}[\x09\x20]{0,32}<[\x09\x20]{0,32}(\w{1,64})\.length[\x09\x20]{0,32}\x3b[\x09\x20]{0,32}\w{1,64}\+\+[\x09\x20]{0,32}\)[\x09\x20]{0,32}\3\[\w{1,64}\][\x09\x20]{0,32}=[\x09\x20]{0,32}\(\(byte\)\(\3\[\w{1,64}\][\x09\x20]{0,32}\^[\x09\x20]{0,32}\2\[\(\w{1,64}[\x09\x20]{0,32}%[\x09\x20]{0,32}\2\.length\)\]\)\)/ | |
| Dropper_HTA_Generic_1;Engine:81-255,Target:7;0&1&2&3;4765745370656369616C466F6C646572::i;0/&"" & \w{1,64}\.gettempname\(\)/;0&1/\.write chr\(clng\("&h" & mid\(\w{1,64},\w{1,64},2\)\)\)/;0&1&2/\.deletefile\(/ | |
| HackTool_HTML_EWSRT_2;Engine:81-255,Target:3;0&1&2&3;7365746170706c69636174696f6e3d{-30}2e6f75746c6f6f6b6170706c69636174696f6e;6170706c69636174696f6e2e6372656174656f626a65637428227368656c6c2e6170706c69636174696f6e2229;636c61737369643d22636c7369643a30303036663036332d303030302d303030302d633030302d30303030303030303030343622;2e7368656c6c6578656375746522636572747574696c2e657865222c222d75726c63616368652d73706c69742d66687474705f7061796c6f6164 | |
| Trojan_Script_Generic_2;Engine:81-255,Target:7;0&1=1&2=1;2e646573657269616c697a655f3228::i;2e656e7669726f6e6d656e7428{-5}70726f63657373::i;2e7265677265616428::i | |
| Trojan_PY_Generic_1;Engine:81-255,Target:7;0&1&2&3&4&5&6;706C6174666F726D2E6172636869746563747572652829;6374797065732E77696E646C6C2E;6B65726E656C33322E7669727475616C616C6C6F63;6372656174655F737472696E675F627566666572;637265617465746872656164;77616974666F7273696E676C656F626A656374;203D3D2022????626974223A | |
| APT_Builder_PY_PGF_1;Engine:51-255,Target:7;0&1&2&3;66726f6d206c69622e7061796c6f61642e746563686e697175657320696d706f727420;5f7368656c6c636f64655f696e6a6563745f626173652c;20696e207061796c6f616474656d706c6174652e737562636c617373657328293a;7061796c6f616474656d706c6174652e76617269616e7428617267732e746563686e697175652c20617267732e74656d706c61746529 | |
| APT_Builder_PY_MATRYOSHKA_1;Engine:81-255,Target:7;0&1&2&3&4&5&6;2e706f702830295d29;5b315d2e7265706c6163652827756e7369676e65642063686172206275665b5d203d202227;62696e61736369692e6865786c69667928662e726561642829292e6465636f646528;6f732e73797374656d2822636172676f206275696c64207b307d202d2d62696e207b317d222e666f726d617428;73687574696c2e7768696368282772757374632729;7e2f2e636172676f2f62696e;1/[\x22\x27]\\\\x[\x22\x27]\.join\(\[\w{1,64}\[\w{1,64}:\w{1,64}[\x09\x20]{0,32}\+[\x09\x20]{0,32}2\]/ | |
| APT_Loader_CSPROJ_PGF_1;Engine:81-255,Target:7;0&1&2&3&4&5&6;3c70726f6a65637420746f6f6c7376657273696f6e3d22342e302220786d6c6e733d22687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f646576656c6f7065722f6d736275696c642f;3c7573696e677461736b;7461736b666163746f72793d22636f64657461736b666163746f727922;3c636f646520747970653d22636c61737322206c616e67756167653d226373223e;7075626c6963206f7665727269646520626f6f6c20657865637574652829;0&1&2&3&4/system\.string (\w{1,64})[\x09\x20]{0,32}=[\x09\x20]{0,32}\w{1,64}\.tostring\(\)\x3b[\x09\x20]{0,32}byte\[\] \w{1,64}[\x09\x20]{0,32}=[\x09\x20]{0,32}system\.convert\.frombase64string\(\1\)/;5/system\.string (\w{1,64})[\x09\x20]{0,32}=[\x09\x20]{0,32}[\x22\x27]\w{1,128}[\x22\x27]\x3b[\x09\x20]{0,32}byte\[\] (\w{1,64})[\x09\x20]{0,32}=[\x09\x20]{0,32}system\.text\.encoding\.ascii\.getbytes\(\1\)\x3b[\x09\x20]{0,32}for[\x09\x20]{0,32}\([\x09\x20]{0,32}int \w{1,64}[\x09\x20]{0,32}=[\x09\x20]{0,32}[\x09\x20]{0,32}0\x3b[\x09\x20]{0,32}\w{1,64}[\x09\x20]{0,32}<[\x09\x20]{0,32}(\w{1,64})\.length[\x09\x20]{0,32}\x3b[\x09\x20]{0,32}\w{1,64}\+\+[\x09\x20]{0,32}\)[\x09\x20]{0,32}\3\[\w{1,64}\][\x09\x20]{0,32}=[\x09\x20]{0,32}\(\(byte\)\(\3\[\w{1,64}\][\x09\x20]{0,32}\^[\x09\x20]{0,32}\2\[\(\w{1,64}[\x09\x20]{0,32}%[\x09\x20]{0,32}\2\.length\)\]\)\)/ | |
| APT_Trojan_LNK_LNKSMASHER_1;Engine:81-255,Target:0;0&1;0:4C0000000114020000000000C0000000;636f7079202f62202f79{-32}2e6c6e6b202561707064617461255c{-32}262620636420256170706461746125202626::awi | |
| Trojan_HTA_Generic_1;Engine:81-255,Target:7;0&1;66756E6374696F6E20{16-96}777363726970742E7368656C6C{8-128}2E72756E;EOF-64,64:2C302C74727565{1-8}656E642066756E6374696F6E{1-64}73656C662E636C6F7365 | |
| APT_HackTool_PY_ImpacketObfuscation_2;Engine:81-255,Target:7;0&1&2&3&4;696d706f72742072616e646f6d;636c61737320776d6965786563;636c6173732072656d6f74657368656c6c;0&1&2/=[\x09\x20]{0,32}str\(int\(time\.time\(\)\)[\x09\x20]{0,32}-[\x09\x20]{0,32}random\.randint\(\d{1,10}[\x09\x20]{0,32},[\x09\x20]{0,32}\d{1,10}\)\)[\x09\x20]{0,32}\+[\x09\x20]{0,32}str\(uuid\.uuid4\(\)\)\.split\([\x22\x27]\-[\x22\x27]\)\[0\]/;3/self\.__shell[\x09\x20]{0,32}=[\x09\x20]{0,32}[\x22\x27]cmd.exe[\x09\x20]{1,32}\/q[\x09\x20]{1,32}\/k [\x22\x27]/ | |
| HackTool_PS1_EWSRT_1;Engine:81-255,Target:7;0&1&2;66756e6374696f6e206765742d6d61696c696e666f;69662821247073626f756e64706172616d65746572732e636f6e7461696e736b65792827656d61696c2729202d616e642021247073626f756e64706172616d65746572732e636f6e7461696e736b6579282770617373776f72642729202d616e642021247073626f756e64706172616d65746572732e636f6e7461696e736b657928276163636f756e747366696c656e616d65272929207b206765742d68656c7020246d79696e766f636174696f6e2e6d79636f6d6d616e642072657475726e207d;2470725f64656c657465645f6d6573736167655f73697a655f657874656e646564203d206e65772d6f626a656374206d6963726f736f66742e65786368616e67652e77656273657276696365732e646174612e657874656e64656470726f7065727479646566696e6974696f6e2832363236372c60205b6d6963726f736f66742e65786368616e67652e77656273657276696365732e646174612e6d61706970726f7065727479747970655d3a3a6c6f6e6729 | |
| Trojan_Script_Generic_1;Engine:81-255,Target:7;0,1-4&1,1-4&2,1-4;2e646573657269616c697a655f3228::i;53797374656d2e494f2e4d656d6f727953747265616d::i;53657269616c697a6174696f6e2e466f726d6174746572732e42696e6172792e42696e617279466f726d6174746572::i | |
| Trojan_VBS_Generic_4;Engine:81-255,Target:7;0&1&2&3&4&5&6;2E76697369626C653D;2E76657273696F6E2026;2E7265677772697465;2E776F726B626F6F6B732E6164642829;2E636F64656D6F64756C652E61646466726F6D737472696E67;2E72756E;0&1&2/&chr\(\d{2}\)&chr\(\d{2}\)&chr\(\d{2}\)/ | |
| Trojan_Script_Generic_3;Engine:81-255,Target:7;0&1,1-5&2=1;2e646573657269616c697a655f3228::i;4372656174654f626a65637428::i;2e5472616e73666f726d46696e616c426c6f636b28::i | |
| APT_Builder_PY_LNKSMASHER_1;Engine:81-255,Target:7;0&1&2;696d706f7274206f73;696d706f7274206172677061727365;72616e646f6d2e63686f69636528*62696e61736369692e6865786c69667928*223463303030303030303131343032303030303030303030306330303030303030303030303030*2e7772697465 |