Add the DRL License to the Community repo

LICENSE

@@ -0,0 +1,17 @@
+# Detection Rule License (DRL) 1.1
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this rule set and associated documentation files (the "Rules"), to deal in the Rules without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Rules, and to permit persons to whom the Rules are furnished to do so, subject to the following conditions:
+
+If you share the Rules (including in modified form), you must retain the following if it is supplied within the Rules:
+
+1. identification of the authors(s) ("author" field) of the Rule and any others designated to receive attribution, in any reasonable manner requested by the Rule author (including by pseudonym if designated).
+
+2. a URI or hyperlink to the Rule set or explicit Rule to the extent reasonably practicable
+
+3. indicate the Rules are licensed under this Detection Rule License, and include the text of, or the URI or hyperlink to, this Detection Rule License to the extent reasonably practicable
+
+If you use the Rules (including in modified form) on data, messages based on matches with the Rules must retain the following if it is supplied within the Rules:
+
+1. identification of the authors(s) ("author" field) of the Rule and any others designated to receive attribution, in any reasonable manner requested by the Rule author (including by pseudonym if designated).
+
+THE RULES ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE RULES OR THE USE OR OTHER DEALINGS IN THE RULES.

yara_rules/apt37_rokrat_macho.yar

@@ -0,0 +1,22 @@
+rule apt37_rokrat_macho {
+    meta:
+        id = "c54fb9ae-85fa-4c36-bab9-6c6d989262ba"
+        version = "1.0"
+        description = "Detects Public key of Macho samples of RokRAT"
+        author = "Sekoia.io"
+        creation_date = "2022-09-29"
+        classification = "TLP:CLEAR"
+
+    strings:
+        $s1 = { 4D 49 49 42 49 6A 41 4E 42 67 6B 71 68 6B 69 47 39 77 30 42 41 51 45 46 41 41 4F 43 41 51 38 41 4D 49 49 42 43 67 4B 43 41 51 45 41 73 47 52 59 53 45 56 76 77 6D 66 42 46 4E 42 6A 4F 7A 2B 51}
+        $s2 = {70 61 78 35 72 7A 57 66 2F 4C 54 2F 79 46 55 51 41 31 7A 72 41 31 6E 6A 6A 79 49 48 72 7A 70 68 67 63 39 74 67 47 48 73 2F 37 74 73 57 70 38 65 35 64 4C 6B 41 59 73 56 47 68 57 41 50 73 6A 79}
+        $s3 = {31 67 78 30 64 72 62 64 4D 6A 6C 54 62 42 59 54 79 45 67 35 50 67 79 2F 35 4D 73 45 4E 44 64 6E 73 43 52 57 72 32 33 5A 61 4F 45 4C 76 48 48 56 56 38 43 4D 43 38 46 75 34 57 62 61 7A 38 30 4C}
+        $s4 = {47 68 67 38 69 73 56 50 45 48 43 38 48 2F 79 47 74 6A 48 50 59 46 56 65 36 6C 77 56 72 2F 4D 58 6F 4B 63 70 78 31 33 53 31 4B 38 6E 6D 44 51 4E 41 68 4D 70 54 31 61 4C 61 47 2F 36 51 69 6A 68}
+        $s5 = {57 34 50 2F 52 46 51 71 2B 46 64 69 61 33 66 46 65 68 50 67 35 44 74 59 44 39 30 72 53 33 73 64 46 4B 6D 6A 39 4E 36 4D 4F 30 2F 57 41 56 64 5A 7A 47 75 45 58 44 35 33 4C 48 7A 39 65 5A 77 52}
+        $s6 = {39 59 38 37 38 36 6E 56 44 72 6C 6D 61 35 59 43 4B 70 71 55 5A 35 63 34 36 77 57 33 67 59 57 69 33 73 59 2B 56 53 33 62 32 46 64 41 4B 43 4A 68 54 66 43 79 38 32 41 55 47 71 50 53 56 66 4C 61}
+        $s7 = {6D 51 49 44 41 51 41 42}
+
+    condition:
+        all of them
+}
+

yara_rules/apt_37_chinotto.yar

@@ -0,0 +1,51 @@
+rule apt_37_chinotto {
+    meta:
+        id = "eff8fd11-dc7a-4011-b083-181d0cca8790"
+        version = "1.0"
+        description = "Detects obfuscation and string of APT37 stealer"
+        author = "Sekoia.io"
+        creation_date = "2023-02-27"
+        classification = "TLP:CLEAR"
+        hash1 = "feab7940559392bbf38f29267509340569160e0a3b257fd86e5c65ae087ea014"
+        hash2 = "c9d2c8b6011a53e68e4a6c6e51142cef3348951d0b379e49b1a65a1891538df5"
+        hash3 = "2f5be3773e7e3a2f6806cdef154adfabc454c0e57a49e437c5889ce09b739302"
+        hash4 = "5bf170c95ca0e2079653d694f783b5bcd38f274ea875f67f0b60db4ac552a66c"
+        hash5 = "6fad04c836bc923f12ebaec8d8fb0c7091b044bf6f5c97e36d7bf46b8494f978"
+        hash6 = "64fe964f342acca6d85d247c4f67503e4222a58dfc5c644dedc2006a4b356d39"
+        hash7 = "6e216b265ea391f71f2a609df995f36b9ba8b17c8859f6d8e4ce4a076d351efd"
+        hash8 = "70dcc03cde3dd5c5ec6a6a240190cfb51667aaba9c867e20281e8dfc43afa891"
+        hash9 = "5053390bde150b771f8efe344b692c6c5718ba9203a4b23f5323af1ee9060ff2"
+        hash10 = "089e4dfd8b25afe596eff05baae86156a4e3243c84faa15416cff31a5120e107"
+        hash11 = "37e096338a78cb06d6236cb5a04cf125f191871ded3c9421f08a37890a095eb8"
+        hash12 = "b90a2b0249407b271a5d849fe82cbf4e9a31c2c6259caf515c9be3897e327414"
+        hash13 = "8f4751ed22619b04009c4b85ec45c8140b570835ca4c638c9e6019e7b7eb66c7"
+
+    strings:
+        $chunk_1 = {
+        C7 85 ?? ?? ?? ?? ?? ?? ?? 00
+        C7 85 ?? ?? ?? ?? ?? ?? ?? 00
+        33 C0
+        EB 03
+        8D 49 00
+        8B 8C 85 ?? ?? ?? ??
+        3B 8C 85 ?? ?? ?? ??
+        }
+
+        $chunk_2 = {
+        C7 84 24 ?? ?? ?? ?? ?? ?? 0? 00
+        C7 84 24 ?? ?? ?? ?? ?? ?? 0? 00
+        33 C0
+        EB 0D
+        8D A4 24 00 00 00 00
+        8D 9B 00 00 00 00
+        8B 8C 84 ?? ?? ?? ??
+        3B 8C 84 ?? ?? ?? ??
+        }
+
+        $movs_zip_dir_start = { C7 45 ?? 5A 69 70 20 C7 45 ?? 44 69 72 20 C7 45 ?? 53 74 61 72  C7 45 ?? 74 20 2D 20}
+
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize < 1MB and ($chunk_1 or $chunk_2) and $movs_zip_dir_start
+}
+

yara_rules/apt_3cx_payload_stealer.yar

@@ -0,0 +1,21 @@
+rule apt_3cx_payload_stealer {
+    meta:
+        id = "1ca0605d-101f-4d1d-a476-9dfd93e74b4c"
+        version = "1.0"
+        description = "Detects stealer used in 3CX campaign"
+        author = "Sekoia.io"
+        creation_date = "2023-03-31"
+        classification = "TLP:CLEAR"
+
+    strings:
+        $s1 = "******************************** %s ******************************" wide
+        $s2 = "\\3CXDesktopApp\\config.json" wide
+        $s3 = "{\"HostName\": \"%s\", \"DomainName\": \"%s\", \"OsVersion\":" wide
+        $s4 = "%s.old" wide
+
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize < 8MB and
+        all of them
+}
+

yara_rules/apt_agent_racoon_strings.yar

@@ -0,0 +1,25 @@
+rule apt_agent_racoon_strings {
+    meta:
+        id = "ec89f1db-0ba8-48c8-8c1a-c38c410f3e39"
+        version = "1.0"
+        description = "Detects Agent Racoon used by CL-STA-0002"
+        author = "Sekoia.io"
+        creation_date = "2023-12-05"
+        classification = "TLP:CLEAR"
+
+    strings:
+        $ = "Command failed:" wide
+        $ = "Not uploaded:" wide
+        $ = "Not downloaded:" wide
+        $ = "xn--cc" wide
+        $ = "xn--ac" wide
+        $ = "xn--bc" wide
+        $ = "cmd.exe" wide
+        $ = ".xn--" wide
+
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 1MB and
+        all of them
+}
+

yara_rules/apt_andariel_dorarat_strings.yar

@@ -0,0 +1,20 @@
+rule apt_andariel_dorarat_strings {
+    meta:
+        id = "30388291-a287-489f-a060-c90a16cda217"
+        version = "1.0"
+        description = "Detects Dora RAT based on strings"
+        author = "Sekoia.io"
+        creation_date = "2024-06-17"
+        classification = "TLP:CLEAR"
+
+    strings:
+        $x1 = "/encryption.go" ascii fullword
+        $x2 = "/handshake.go" ascii fullword
+        $x3 = "/trans_module.go" ascii fullword
+        $enc_rsc = { 14 02 72 14 D3 4C 4A 49 55 36 14 DF 8D 6F 2D CF }
+
+    condition:
+        uint16be(0) == 0x4d5a and
+        (all of ($x*) or $enc_rsc)
+}
+

yara_rules/apt_andariel_keylogger_strings.yar

@@ -0,0 +1,20 @@
+rule apt_andariel_keylogger_strings {
+    meta:
+        id = "59e94bee-9bd4-4f72-9358-858956bb4787"
+        version = "1.0"
+        description = "Detects one of the Andariel keylogger"
+        author = "Sekoia.io"
+        creation_date = "2024-06-17"
+        classification = "TLP:CLEAR"
+
+    strings:
+        $ = "Username:%s [%d/%02d/%02d %02d:%02d]" ascii fullword
+        $ = "-------[%d/%02d/%02d %02d:%02d]"
+        $ = "{Insert}"
+
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 300KB and
+        2 of them
+}
+

yara_rules/apt_andariel_nestdoor_variants_strings.yar

@@ -0,0 +1,22 @@
+rule apt_andariel_nestdoor_variants_strings {
+    meta:
+        id = "dcfc48ad-f17b-4224-912b-b01740080fea"
+        version = "1.0"
+        description = "Detects Nestdoor based on (weak) strings"
+        author = "Sekoia.io"
+        creation_date = "2024-06-17"
+        classification = "TLP:CLEAR"
+
+    strings:
+        $v_11 = "Error occurs while reading" wide
+        $v_12 = "{DECIMAL}" wide
+        $v_13 = "lnk_" wide
+        $v_21 = "Cannot connect with your ip and your operating system." wide
+        $v_22 = "del /q /f %1" ascii
+        $v_23 = "/f /tn %2" ascii
+
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        (all of ($v_1*) or all of ($v_2*))
+}
+

yara_rules/apt_andariel_siennablue.yar

@@ -0,0 +1,21 @@
+rule apt_andariel_siennablue {
+    meta:
+        id = "ab3f8b49-0851-47a8-ac77-98d4e26f448e"
+        version = "1.0"
+        description = "Detects SiennaBlue based routine names"
+        author = "Sekoia.io"
+        creation_date = "2023-11-16"
+        classification = "TLP:CLEAR"
+
+    strings:
+        $ = "main_cryptAVPass"
+        $ = "main_DecryptString"
+        $ = "main_DisableNetworkDevice"
+        $ = "main_DeleteSchTask"
+
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize > 4MB and filesize < 15MB and
+        all of them
+}
+

yara_rules/apt_apt10_hui_loader.yar

@@ -0,0 +1,18 @@
+rule apt_apt10_hui_loader {
+    meta:
+        id = "97d17052-80d0-4f8e-8b3a-2e0d622522a9"
+        version = "1.0"
+        description = "Specific string for HUI Loader"
+        author = "Sekoia.io"
+        creation_date = "2022-07-04"
+        classification = "TLP:CLEAR"
+
+    strings:
+        $s1 = "HUIHWASDIHWEIUDHDSFSFEFWEFEWFDSGEFERWGWEEFWFWEWD" wide fullword
+
+    condition:
+        (uint16be(0) == 0x4d5a) 
+        and filesize > 30KB and filesize < 100KB
+        and 1 of them
+}
+

yara_rules/apt_apt28_document_phishing_webpage.yar

@@ -0,0 +1,23 @@
+rule apt_apt28_document_phishing_webpage {
+    meta:
+        id = "585a8e23-c302-41d3-938f-eda60c82ef28"
+        version = "1.0"
+        description = "Detects APT28 document phishing webpage"
+        author = "Sekoia.io"
+        creation_date = "2024-04-08"
+        classification = "TLP:CLEAR"
+
+    strings:
+        $ = "webhook.site"
+        $ = "document.createElement('img')"
+        $ = "brightness(15%) blur(7.0px)"
+        $ = "This document is not available from mobile devices."
+        $ = "Capture2.PNG"
+        $ = ">CLICK TO VIEW DOCUMENT<"
+        $ = "window.location.href = 's"
+        $ = ".oast."
+
+    condition:
+        4 of them and filesize < 20KB
+}
+

yara_rules/apt_apt28_htmlsmuggling.yar

@@ -0,0 +1,18 @@
+rule apt_apt28_htmlsmuggling {
+    meta:
+        id = "2e20c992-d971-4c0f-99b3-a7d528c7055a"
+        version = "1.0"
+        reference = "https://www.zscaler.com/blogs/security-research/steal-it-campaign"
+        description = "Detects some kind of HTMLSmuggling used by APT28"
+        author = "Sekoia.io"
+        creation_date = "2023-09-11"
+        classification = "TLP:CLEAR"
+
+    strings:
+        $s1 = "click();" ascii
+        $s2 = "window.location.replace("
+
+    condition:
+        $s1 in (@s2..@s2-100)
+}
+

yara_rules/apt_apt28_htmlsmuggling_disclosing_ip.yar

@@ -0,0 +1,19 @@
+rule apt_apt28_htmlsmuggling_disclosing_ip {
+    meta:
+        id = "57adc227-2b72-457e-a786-97ca1a7300d8"
+        version = "1.0"
+        reference = "https://www.zscaler.com/blogs/security-research/steal-it-campaign"
+        description = "Detects some kind of HTMLSmuggling used by APT28"
+        author = "Sekoia.io"
+        creation_date = "2023-09-11"
+        classification = "TLP:CLEAR"
+
+    strings:
+        $s1 = "ipapi.co/json"
+        $s2 = "a.download("
+        $s3 = "a.click("
+
+    condition:
+        $s1 and $s2 and $s3 and filesize < 5000
+}
+

yara_rules/apt_apt28_powershell_ntlm_stealer.yar

@@ -0,0 +1,20 @@
+rule apt_apt28_powershell_ntlm_stealer {
+    meta:
+        id = "3fb5c472-6b1c-490e-b38f-4d4f1c472f43"
+        version = "1.0"
+        description = "Detects the NTLM Stealer used by APT28 against UA energy sector"
+        author = "Sekoia.io"
+        creation_date = "2023-09-07"
+        classification = "TLP:CLEAR"
+
+    strings:
+        $ = "'NTLM ' = [Convert]::ToBase64String"
+        $ = ".Prefixes.Add('http://localhost:8080/')"
+        $ = ".AddHeader('WWW-Authenticate', 'NTLM')"
+        $ = "GetValues('Authorization');"
+        $ = "[0] -split '\\s+';"
+
+    condition:
+        3 of them and filesize < 4000
+}
+

yara_rules/apt_apt28_susp_graphite_downloader.yar

@@ -0,0 +1,27 @@
+import "pe"
+
+rule apt_apt28_susp_graphite_downloader {
+    meta:
+        id = "9c9da5fe-ffd6-4c45-8ce1-9a6cf4fa2fda"
+        version = "1.0"
+        description = "Matches the routine which decrypts the RSA key blob in the Graphite downloader"
+        author = "Sekoia.io"
+        creation_date = "2022-01-26"
+        classification = "TLP:CLEAR"
+
+    strings:
+        $gen =  { 33 D2
+        8B C1
+        6A ??
+        5E
+        F7 F6
+        8A 82 ?? ?? ?? ??
+        30 81 ?? ?? ?? ??
+        41
+        81 F9 94 04 00 00
+        72 E2 }
+
+    condition:
+        uint16be(0) == 0x4d5a and $gen and pe.number_of_exports == 1
+}
+