diff --git a/rules/cobalt_strike.yar b/rules/cobalt_strike.yar
new file mode 100644
index 0000000..d2cae8f
--- /dev/null
+++ b/rules/cobalt_strike.yar
@@ -0,0 +1,92 @@
+rule CobaltStrike_Beacon_Memory
+{
+ meta:
+ description = "Detects Cobalt Strike Beacon in process memory"
+ author = "Ghost Detection Engine"
+ threat_level = "critical"
+ mitre_attack = "T1055"
+ reference = "https://www.cobaltstrike.com/"
+
+ strings:
+ $beacon_1 = "%s as %s\\%s: %d" wide
+ $beacon_2 = "beacon.dll" nocase
+ $beacon_3 = "beacon.x64.dll" nocase
+ $beacon_4 = { 69 68 69 68 69 6B ?? 69 6B 69 68 69 6B }
+ $config_marker = { 00 01 00 01 00 02 ?? ?? 00 02 00 01 00 02 }
+ $sleep_mask = { 48 89 5C 24 08 57 48 83 EC 20 48 8B D9 33 FF }
+
+ condition:
+ 2 of them
+}
+
+rule CobaltStrike_Beacon_Config
+{
+ meta:
+ description = "Detects Cobalt Strike Beacon configuration structure"
+ author = "Ghost Detection Engine"
+ threat_level = "critical"
+ mitre_attack = "T1071"
+
+ strings:
+ $config_1 = { 00 01 00 01 00 02 }
+ $config_2 = { 00 02 00 01 00 02 }
+ $config_3 = { 00 03 00 02 }
+ $http_header = "MZ" wide
+ $named_pipe = "\\\\.\\pipe\\" wide
+
+ condition:
+ 2 of ($config_*) or ($config_1 and ($http_header or $named_pipe))
+}
+
+rule CobaltStrike_Named_Pipe_Beacon
+{
+ meta:
+ description = "Detects Cobalt Strike named pipe beacon patterns"
+ author = "Ghost Detection Engine"
+ threat_level = "high"
+ mitre_attack = "T1090"
+
+ strings:
+ $pipe_1 = "\\\\.\\pipe\\MSSE-" wide
+ $pipe_2 = "\\\\.\\pipe\\postex_" wide
+ $pipe_3 = "\\\\.\\pipe\\msagent_" wide
+ $pipe_4 = "\\\\.\\pipe\\status_" wide
+
+ condition:
+ any of them
+}
+
+rule CobaltStrike_Artifact_Kit_Payload
+{
+ meta:
+ description = "Detects Cobalt Strike Artifact Kit generated payloads"
+ author = "Ghost Detection Engine"
+ threat_level = "critical"
+ mitre_attack = "T1055.002"
+
+ strings:
+ $artifact_1 = { 48 8D 05 ?? ?? 00 00 48 89 44 24 ??
48 8D 05 }
+ $artifact_2 = { 48 89 5C 24 10 48 89 74 24 18 57 48 83 EC 20 }
+ $reflective_loader = "ReflectiveLoader"
+
+ condition:
+ any of them
+}
+
+rule CobaltStrike_Malleable_C2_Profile
+{
+ meta:
+ description = "Detects Cobalt Strike malleable C2 profile indicators"
+ author = "Ghost Detection Engine"
+ threat_level = "high"
+ mitre_attack = "T1071.001"
+
+ strings:
+ $header_1 = "Cookie: " nocase
+ $header_2 = "Accept: */*" nocase
+ $header_3 = "User-Agent: Mozilla/" nocase
+ $uri_pattern = /\/[a-z]{4,12}\/[a-z]{4,12}/
+
+ condition:
+ 3 of them
+}
diff --git a/rules/evasion.yar b/rules/evasion.yar
new file mode 100644
index 0000000..4730565
--- /dev/null
+++ b/rules/evasion.yar
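Review bot: `CobaltStrike_Malleable_C2_Profile` will match the memory of almost any process that speaks HTTP: `Cookie: `, `Accept: */*` and `User-Agent: Mozilla/` are emitted by every browser and most HTTP client libraries, and `$uri_pattern` matches any two-segment lowercase path, so `3 of them` is satisfied with no Cobalt Strike-specific content while the rule carries `threat_level = "high"`. Either demote it to a supporting signal or tie it to a beacon match, e.g. `condition: $uri_pattern and 2 of ($header_*) and (CobaltStrike_Beacon_Memory or CobaltStrike_Beacon_Config)`; both referenced rules are declared earlier in the same file, which is what a YARA rule reference requires. In `CobaltStrike_Beacon_Config`, `$http_header = "MZ" wide` is a four-byte DOS-header fragment rather than an HTTP header, and `$config_1` is six mostly-zero bytes, so a name like `$mz_header` and a comment stating that the `$config_*` patterns are the plaintext beacon config tags would help the next maintainer. A comment on `$beacon_4` that its bytes are `$config_marker` XOR 0x69 (0x00→0x69, 0x01→0x68, 0x02→0x6B) would also explain why the two strings must be kept in sync.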
@@ -0,0 +1,174 @@
+rule Anti_Debug_Techniques
+{
+ meta:
+ description = "Detects anti-debugging techniques in memory"
+ author = "Ghost Detection Engine"
+ threat_level = "medium"
+ mitre_attack = "T1622"
+
+ strings:
+ $isdebuggerpresent = "IsDebuggerPresent" nocase
+ $checkremotedebuggerpresent = "CheckRemoteDebuggerPresent" nocase
+ $ntqueryinformationprocess = "NtQueryInformationProcess" nocase
+ $outputdebugstring = "OutputDebugStringA" nocase
+
+ // PEB BeingDebugged check
+ $peb_debug_1 = { 64 A1 30 00 00 00 80 78 02 00 }
+ $peb_debug_2 = { 65 48 8B 04 25 60 00 00 00 80 78 02 00 }
+
+ // Debug register checks
+ $dr_check = { 8B 45 ?? 89 45 ?? 8B 45 ?? 09 45 }
+
+ condition:
+ 2 of them
+}
+
+rule Anti_VM_Techniques
+{
+ meta:
+ description = "Detects anti-VM and sandbox detection techniques"
+ author = "Ghost Detection Engine"
+ threat_level = "medium"
+ mitre_attack = "T1497.001"
+
+ strings:
+ // VM detection strings
+ $vmware_1 = "VMware" nocase
+ $vmware_2 = "vmtoolsd" nocase
+ $virtualbox = "VirtualBox" nocase
+ $vbox = "VBOX" nocase
+ $qemu = "QEMU" nocase
+ $kvm = "KVMKVMKVM" nocase
+
+ // Registry keys for VM detection
+ $reg_vm_1 = "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port" nocase
+ $reg_vm_2 = "SYSTEM\\ControlSet001\\Services\\Disk\\Enum" nocase
+
+ // CPUID VM detection
+ $cpuid_check = { 0F A2 81 FB ?? ?? ?? ??
}
+
+ // Red Pill technique
+ $redpill = { 0F 01 0D 00 00 00 00 }
+
+ condition:
+ 2 of them
+}
+
+rule Timing_Attacks
+{
+ meta:
+ description = "Detects timing-based anti-analysis techniques"
+ author = "Ghost Detection Engine"
+ threat_level = "low"
+ mitre_attack = "T1497.003"
+
+ strings:
+ $rdtsc = { 0F 31 }
+ $queryperformancecounter = "QueryPerformanceCounter" nocase
+ $gettickcount = "GetTickCount" nocase
+ $sleep = "Sleep" nocase
+ $timegettime = "timeGetTime" nocase
+
+ condition:
+ 2 of them
+}
+
+rule API_Hashing_Obfuscation
+{
+ meta:
+ description = "Detects API hashing for obfuscation"
+ author = "Ghost Detection Engine"
+ threat_level = "high"
+ mitre_attack = "T1027"
+
+ strings:
+ // ROR13 hash algorithm
+ $ror13 = { C1 C? 0D 03 ?? }
+
+ // CRC32 hashing
+ $crc32 = { F7 D1 33 C8 C1 E? 08 }
+
+ // DJB2 hash
+ $djb2 = { C1 E0 05 03 C? }
+
+ // GetProcAddress via hash
+ $hash_resolve = { 8B 40 78 03 C? 8B 58 20 }
+
+ condition:
+ 2 of them
+}
+
+rule Memory_Evasion_Techniques
+{
+ meta:
+ description = "Detects memory-based evasion techniques"
+ author = "Ghost Detection Engine"
+ threat_level = "high"
+ mitre_attack = "T1562.001"
+
+ strings:
+ $virtualprotect = "VirtualProtect" nocase
+ $virtualprotectex = "VirtualProtectEx" nocase
+ $ntprotectvirtualmemory = "NtProtectVirtualMemory" nocase
+
+ // Memory permission changes
+ $mem_perm_1 = { 6A 40 68 00 30 00 00 }
+ $mem_perm_2 = { 68 00 00 40 00 }
+
+ condition:
+ any of them
+}
+
+rule Heaven_Gate_Technique
+{
+ meta:
+ description = "Detects Heaven's Gate (WoW64 bypass) technique"
+ author = "Ghost Detection Engine"
+ threat_level = "high"
+ mitre_attack = "T1055"
+
+ strings:
+ $heavens_gate_1 = { 33 C0 }
+ $far_jump = { EA ?? ?? ?? ?? 33 00 }
+ $segment_switch = { 48 89 E5 48 83 EC ??
}
+ $wow64_syscall = { 0F 05 }
+
+ condition:
+ 2 of them
+}
+
+rule AMSI_Bypass_Attempt
+{
+ meta:
+ description = "Detects AMSI bypass techniques"
+ author = "Ghost Detection Engine"
+ threat_level = "critical"
+ mitre_attack = "T1562.001"
+
+ strings:
+ $amsi_string = "AmsiScanBuffer" nocase
+ $amsi_context = "AmsiInitialize" nocase
+ $amsi_patch_1 = { B8 57 00 07 80 C3 }
+ $amsi_patch_2 = { 31 C0 C3 }
+ $amsi_bypass = "amsi.dll" nocase
+
+ condition:
+ 2 of them
+}
+
+rule ETW_Bypass_Attempt
+{
+ meta:
+ description = "Detects ETW bypass techniques"
+ author = "Ghost Detection Engine"
+ threat_level = "high"
+ mitre_attack = "T1562.001"
+
+ strings:
+ $etw_string = "EtwEventWrite" nocase
+ $etw_provider = "EtwEventRegister" nocase
+ $etw_patch = { 33 C0 C2 14 00 }
+
+ condition:
+ any of them
+}
diff --git a/rules/metasploit.yar b/rules/metasploit.yar
new file mode 100644
index 0000000..cc02835
--- /dev/null
+++ b/rules/metasploit.yar
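Review bot: `Heaven_Gate_Technique` fires on practically every 64-bit process image, because `$heavens_gate_1 = { 33 C0 }` (`xor eax, eax`) and `$wow64_syscall = { 0F 05 }` (`syscall`) are two-byte sequences present many times in any mapped ntdll, so `2 of them` is met without the one distinctive string, `$far_jump` (a far `jmp` to selector 0x33). The same defect, ubiquitous two-byte or API-name strings under a loose threshold, is in `Timing_Attacks` (`{ 0F 31 }` plus `"Sleep"`), `Memory_Evasion_Techniques` (`"VirtualProtect"` under `any of them`), `ETW_Bypass_Attempt` (`"EtwEventWrite"` is an ntdll export visible in every process) and `AMSI_Bypass_Attempt` (`"amsi.dll"` plus the three-byte `{ 31 C0 C3 }` is likely to match any process that loads AMSI, at `threat_level = "critical"`). For the Heaven's Gate rule I would anchor on the far jump, `condition: $far_jump and 1 of ($segment_switch, $wow64_syscall)`, and delete `$heavens_gate_1` (YARA rejects a string the condition no longer references); for the API-name rules, require the patch bytes or the `$mem_perm_*` constants alongside the name instead of `any of them`. YARA warns that atoms this short slow scanning, and a one- or two-byte string can exceed the per-string match limit on a large memory region and abort that scan rather than merely add noise. Separately, the comment on `$dr_check` says "Debug register checks" but the bytes are only `mov`/`or` on stack locals, so it overstates what the pattern matches.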
@@ -0,0 +1,72 @@
+rule Metasploit_Meterpreter_Payload
+{
+ meta:
+ description = "Detects Metasploit Meterpreter payload in memory"
+ author = "Ghost Detection Engine"
+ threat_level = "critical"
+ mitre_attack = "T1055"
+
+ strings:
+ $meterpreter_1 = "metsrv.dll" nocase
+ $meterpreter_2 = "stdapi.dll" nocase
+ $meterpreter_3 = "ReflectiveLoader" nocase
+ $meterpreter_4 = { 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 }
+ $meterpreter_sig = "meterpreter" nocase
+ $stage_marker = { 00 00 00 00 00 00 00 00 00 00 00 00 4d 65 74 65 72 70 72 65 74 65 72 }
+
+ condition:
+ 2 of them
+}
+
+rule Metasploit_Reverse_TCP_Shellcode
+{
+ meta:
+ description = "Detects Metasploit reverse TCP shellcode patterns"
+ author = "Ghost Detection Engine"
+ threat_level = "high"
+ mitre_attack = "T1055.001"
+
+ strings:
+ // Windows reverse TCP patterns
+ $rev_tcp_1 = { 68 02 00 ?? ?? 89 E6 6A 10 56 57 68 99 A5 74 61 }
+ $rev_tcp_2 = { 68 7F 00 00 01 68 02 00 ?? ?? 89 E6 }
+ $winsock_2 = "ws2_32" nocase
+ $winsock_call = { FF 55 ?? 68 63 6D 64 00 }
+
+ condition:
+ any of them
+}
+
+rule Metasploit_Shikata_Ga_Nai_Encoder
+{
+ meta:
+ description = "Detects Metasploit Shikata Ga Nai polymorphic encoder"
+ author = "Ghost Detection Engine"
+ threat_level = "high"
+ mitre_attack = "T1027"
+
+ strings:
+ // Shikata Ga Nai decoder stub patterns
+ $shikata_1 = { D9 74 24 F4 5? B? ?? ?? ?? ?? 31 }
+ $shikata_2 = { D9 EE D9 74 24 F4 5? B? }
+ $shikata_3 = { D9 ?? D9 74 24 F4 5? ?? ?? ?? ?? ?? 29 C9 }
+
+ condition:
+ any of them
+}
+
+rule Metasploit_Inline_Egg_Stager
+{
+ meta:
+ description = "Detects Metasploit inline egg stager patterns"
+ author = "Ghost Detection Engine"
+ threat_level = "high"
+ mitre_attack = "T1055"
+
+ strings:
+ $egg_tag = { 77 30 30 74 }
+ $egg_search = { 66 81 CA FF 0F 42 52 6A 02 58 CD 2E }
+
+ condition:
+ any of them
+}
diff --git a/rules/process_injection.yar b/rules/process_injection.yar
new file mode 100644
index 0000000..f1b9647
--- /dev/null
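Review bot: In `Metasploit_Meterpreter_Payload`, `$meterpreter_4 = { 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 }` is the stock DOS header that opens nearly every Windows executable, so under `2 of them` it supplies one guaranteed hit for any region holding a PE image and this `threat_level = "critical"` rule degrades to a single generic string such as `"ReflectiveLoader"` or `"stdapi.dll"`. Drop that string definition (YARA rejects a string the condition does not reference) and count only the specific ones, `condition: 2 of ($meterpreter_1, $meterpreter_2, $meterpreter_3, $meterpreter_sig, $stage_marker)`. `Metasploit_Reverse_TCP_Shellcode` has the same shape: `$winsock_2 = "ws2_32" nocase` under `any of them` matches every process that links winsock, so it should count only together with the call pattern, e.g. `condition: 1 of ($rev_tcp_*) or ($winsock_2 and $winsock_call)`. The bytes of `$egg_search` are identical to `$egg_seh_32` in `rules/shellcode.yar` from this same commit; keeping the pattern in one rule avoids two alerts with different `mitre_attack` tags for one hit.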
+++ b/rules/process_injection.yar 
@@ -0,0 +1,175 @@
+rule Process_Hollowing_Indicators
+{
+ meta:
+ description = "Detects process hollowing technique indicators"
+ author = "Ghost Detection Engine"
+ threat_level = "critical"
+ mitre_attack = "T1055.012"
+
+ strings:
+ // Common API sequences for process hollowing
+ $api_1 = "NtUnmapViewOfSection" nocase
+ $api_2 = "ZwUnmapViewOfSection" nocase
+ $api_3 = "VirtualAllocEx" nocase
+ $api_4 = "WriteProcessMemory" nocase
+ $api_5 = "SetThreadContext" nocase
+ $api_6 = "ResumeThread" nocase
+
+ // Suspended process creation
+ $create_suspended = { 6A 04 5? 6A 00 }
+
+ condition:
+ ($api_1 or $api_2) and 2 of ($api_3, $api_4, $api_5, $api_6)
+}
+
+rule DLL_Injection_Classic
+{
+ meta:
+ description = "Detects classic DLL injection techniques"
+ author = "Ghost Detection Engine"
+ threat_level = "high"
+ mitre_attack = "T1055.001"
+
+ strings:
+ $api_1 = "CreateRemoteThread" nocase
+ $api_2 = "LoadLibraryA" nocase
+ $api_3 = "LoadLibraryW" nocase
+ $api_4 = "VirtualAllocEx" nocase
+ $api_5 = "WriteProcessMemory" nocase
+
+ condition:
+ $api_1 and ($api_2 or $api_3) and ($api_4 or $api_5)
+}
+
+rule Reflective_DLL_Injection
+{
+ meta:
+ description = "Detects reflective DLL injection patterns"
+ author = "Ghost Detection Engine"
+ threat_level = "critical"
+ mitre_attack = "T1055.001"
+
+ strings:
+ $reflective_1 = "ReflectiveLoader" nocase
+ $reflective_2 = { 48 89 5C 24 08 48 89 74 24 10 57 48 83 EC 20 49 8B F8 }
+ $reflective_3 = { 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 }
+ $custom_loader = { 8B 45 3C 8B 54 05 78 03 D5 8B 4A 20 }
+
+ condition:
+ any of them
+}
+
+rule APC_Injection_Technique
+{
+ meta:
+ description = "Detects APC queue injection technique"
+ author = "Ghost Detection Engine"
+ threat_level = "high"
+ mitre_attack = "T1055.004"
+
+ strings:
+ $api_1 = "QueueUserAPC" nocase
+ $api_2 = "NtQueueApcThread" nocase
+ $api_3 = "ZwQueueApcThread" nocase
+ $api_4 = "OpenThread" nocase
+ $api_5 = "VirtualAllocEx" nocase
+
+ condition:
+ ($api_1 or $api_2 or $api_3) and ($api_4 or $api_5)
+}
+
+rule Thread_Execution_Hijacking
+{
+ meta:
+ description = "Detects thread execution hijacking"
+ author = "Ghost Detection Engine"
+ threat_level = "high"
+ mitre_attack = "T1055.003"
+
+ strings:
+ $api_1 = "SuspendThread" nocase
+ $api_2 = "GetThreadContext" nocase
+ $api_3 = "SetThreadContext" nocase
+ $api_4 = "ResumeThread" nocase
+ $api_5 = "VirtualAllocEx" nocase
+
+ condition:
+ $api_1 and $api_2 and $api_3 and $api_4
+}
+
+rule AtomBombing_Technique
+{
+ meta:
+ description = "Detects AtomBombing injection technique"
+ author = "Ghost Detection Engine"
+ threat_level = "high"
+ mitre_attack = "T1055"
+ reference = "https://blog.ensilo.com/atombombing-brand-new-code-injection-for-windows"
+
+ strings:
+ $api_1 = "GlobalAddAtomA" nocase
+ $api_2 = "GlobalAddAtomW" nocase
+ $api_3 = "GlobalGetAtomNameA" nocase
+ $api_4 = "GlobalGetAtomNameW" nocase
+ $api_5 = "NtQueueApcThread" nocase
+
+ condition:
+ ($api_1 or $api_2) and ($api_3 or $api_4) and $api_5
+}
+
+rule Process_Doppelganging
+{
+ meta:
+ description = "Detects process doppelganging technique"
+ author = "Ghost Detection Engine"
+ threat_level = "critical"
+ mitre_attack = "T1055.013"
+
+ strings:
+ $api_1 = "NtCreateTransaction" nocase
+ $api_2 = "NtCreateSection" nocase
+ $api_3 = "NtRollbackTransaction" nocase
+ $api_4 = "RtlSetCurrentTransaction" nocase
+
+ condition:
+ 3 of them
+}
+
+rule PROPagate_Injection
+{
+ meta:
+ description = "Detects PROPagate injection using window properties"
+ author = "Ghost Detection Engine"
+ threat_level = "medium"
+ mitre_attack = "T1055"
+
+ strings:
+ $api_1 = "SetPropA" nocase
+ $api_2 = "SetPropW" nocase
+ $api_3 = "EnumPropsA" nocase
+ $api_4 = "EnumPropsW" nocase
+ $api_5 = "CallWindowProcA" nocase
+ $api_6 = "CallWindowProcW" nocase
+
+ condition:
+ ($api_1 or $api_2) and ($api_5 or $api_6)
+}
+
+rule Early_Bird_Injection
+{
+ meta:
+ description = "Detects Early Bird APC injection technique"
+ author = "Ghost Detection Engine"
+ threat_level = "high"
+ mitre_attack = "T1055.004"
+
+ strings:
+ $api_1 = "CreateProcessA" nocase
+ $api_2 = "CreateProcessW" nocase
+ $api_3 = "QueueUserAPC" nocase
+ $api_4 = "ResumeThread" nocase
+ $create_suspended = { 00 00 00 04 }
+
+ condition:
+ ($api_1 or $api_2) and $api_3 and $api_4
+}
diff --git a/rules/shellcode.yar b/rules/shellcode.yar
new file mode 100644
index 0000000..0078b07
--- /dev/null
+++ b/rules/shellcode.yar
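Review bot: `rules/process_injection.yar` will not load at all: `Process_Hollowing_Indicators` and `Early_Bird_Injection` declare `$create_suspended`, `Thread_Execution_Hijacking` declares `$api_5`, and `PROPagate_Injection` declares `$api_3` and `$api_4` without referencing them in the condition, and YARA treats an unreferenced string as a compile error (`unreferenced string "$create_suspended"`), which takes every rule in the file down with it. Either fold them into the conditions, e.g. `$api_1 and $api_2 and $api_3 and $api_4 and $api_5` for the thread-hijacking rule, or delete the definitions; the Early Bird `{ 00 00 00 04 }` is `CREATE_SUSPENDED` in big-endian byte order (a little-endian dword would be `{ 04 00 00 00 }`) and is too short to be meaningful either way, so deleting it is the better option. Separately, `Reflective_DLL_Injection` is `any of them` over `$reflective_3`, the stock DOS header of every PE, and `$reflective_2`, a common MSVC x64 prologue, so this `critical` rule fires on essentially every module in memory; requiring `$reflective_1 or $custom_loader` together with one of the byte patterns would be a more honest signal.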
@@ -0,0 +1,158 @@
+rule Generic_Shellcode_Patterns
+{
+ meta:
+ description = "Detects generic shellcode patterns in memory"
+ author = "Ghost Detection Engine"
+ threat_level = "high"
+ mitre_attack = "T1055"
+
+ strings:
+ // Common shellcode prologue patterns
+ $prologue_1 = { EB ?? 5? 31 ?? 64 8B }
+ $prologue_2 = { 55 89 E5 83 EC }
+ $prologue_3 = { 48 89 5C 24 ?? 48 89 74 24 }
+
+ // PEB/TEB access patterns (x86)
+ $peb_access_1 = { 64 A1 30 00 00 00 }
+ $peb_access_2 = { 64 8B 15 30 00 00 00 }
+ $peb_access_3 = { 64 8B 0D 30 00 00 00 }
+
+ // PEB/TEB access patterns (x64)
+ $peb_access_x64_1 = { 65 48 8B 04 25 60 00 00 00 }
+ $peb_access_x64_2 = { 65 48 8B 0C 25 60 00 00 00 }
+
+ // API hashing (ROR13)
+ $api_hash_ror13 = { C1 C? 0D 03 ?? 83 C? 04 }
+
+ // GetProcAddress pattern
+ $getprocaddr = { 8B 40 78 03 C? 8B 58 20 03 D? }
+
+ // LoadLibrary pattern
+ $loadlibrary = { 6A 00 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 }
+
+ condition:
+ 2 of them
+}
+
+rule Windows_API_Call_Shellcode
+{
+ meta:
+ description = "Detects shellcode with Windows API call patterns"
+ author = "Ghost Detection Engine"
+ threat_level = "medium"
+ mitre_attack = "T1106"
+
+ strings:
+ $api_1 = "kernel32" nocase
+ $api_2 = "ntdll" nocase
+ $api_3 = "advapi32" nocase
+ $api_call = { FF 5? ?? 85 C0 }
+ $stack_align = { 83 E4 F0 }
+
+ condition:
+ 1 of ($api_*) and 1 of ($api_call, $stack_align)
+}
+
+rule Egg_Hunter_Shellcode
+{
+ meta:
+ description = "Detects egg hunter shellcode patterns"
+ author = "Ghost Detection Engine"
+ threat_level = "high"
+ mitre_attack = "T1055"
+
+ strings:
+ // 32-bit egg hunter (SEH method)
+ $egg_seh_32 = { 66 81 CA FF 0F 42 52 6A 02 58 CD 2E }
+
+ // IsBadReadPtr egg hunter
+ $egg_isbad = { 8B FB 4F 4F B9 ?? ?? ?? ?? 40 }
+
+ // NtDisplayString egg hunter
+ $egg_ntdisplay = { B8 ?? ?? ?? ??
8D 54 24 04 CD 2E }
+
+ condition:
+ any of them
+}
+
+rule Position_Independent_Shellcode
+{
+ meta:
+ description = "Detects position-independent shellcode characteristics"
+ author = "Ghost Detection Engine"
+ threat_level = "medium"
+ mitre_attack = "T1027"
+
+ strings:
+ // Call/Pop pattern to get EIP
+ $call_pop_1 = { E8 00 00 00 00 5? }
+ $call_pop_2 = { E8 ?? ?? ?? ?? 5? }
+
+ // FSTENV trick
+ $fstenv = { D9 EE D9 74 24 F4 5? }
+
+ // GetPC thunk
+ $getpc_thunk = { 8B 0C 24 C3 }
+
+ condition:
+ any of them
+}
+
+rule Stack_Pivot_Shellcode
+{
+ meta:
+ description = "Detects stack pivot operations common in shellcode"
+ author = "Ghost Detection Engine"
+ threat_level = "high"
+ mitre_attack = "T1055"
+
+ strings:
+ $pivot_1 = { 8B EC 81 EC ?? ?? 00 00 }
+ $pivot_2 = { 48 81 EC ?? ?? 00 00 }
+ $pivot_3 = { 54 5C }
+ $pivot_4 = { 94 }
+
+ condition:
+ any of them
+}
+
+rule NOP_Sled_Detection
+{
+ meta:
+ description = "Detects NOP sleds commonly used in exploits"
+ author = "Ghost Detection Engine"
+ threat_level = "low"
+ mitre_attack = "T1055"
+
+ strings:
+ $nop_x86 = { 90 90 90 90 90 90 90 90 90 90 }
+ $nop_x64 = { 66 90 66 90 66 90 66 90 66 90 }
+ $multi_nop_1 = { 40 40 40 40 40 40 40 40 }
+ $multi_nop_2 = { 47 47 47 47 47 47 47 47 }
+
+ condition:
+ any of them
+}
+
+rule Polymorphic_Decoder_Stub
+{
+ meta:
+ description = "Detects polymorphic decoder stubs"
+ author = "Ghost Detection Engine"
+ threat_level = "high"
+ mitre_attack = "T1027.002"
+
+ strings:
+ // XOR decoder
+ $xor_decoder_1 = { 30 ?? 40 E2 FA }
+ $xor_decoder_2 = { 80 ?? ?? E2 FA }
+
+ // ADD/SUB decoder
+ $add_decoder = { 80 ?? ?? 40 3D ?? ?? ?? ?? 75 }
+
+ // Loop-based decoder
+ $loop_decoder = { AC 34 ?? AA E2 FA }
+
+ condition:
+ any of them
+}
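Review bot: `Stack_Pivot_Shellcode` is effectively always true while tagged `threat_level = "high"`: `$pivot_4 = { 94 }` is a single byte (`xchg eax, esp`) and `$pivot_3 = { 54 5C }` two, both under `any of them`, and `$pivot_1`/`$pivot_2` (`mov ebp, esp; sub esp, imm32` and `sub rsp, imm32`) are ordinary large-frame prologues rather than pivots. A one-byte string can also exceed YARA's per-string match cap on a large memory region, which aborts that scan instead of merely adding noise. I would delete `$pivot_3` and `$pivot_4` (their definitions too, since YARA rejects unreferenced strings) and re-describe the remaining two as frame-setup prologues at a lower threat level, `threat_level = "low"`. `Position_Independent_Shellcode` has the same issue in milder form: `$getpc_thunk = { 8B 0C 24 C3 }` (`mov ecx, [esp]; ret`) has the form of the get-PC thunk GCC emits in position-independent builds and `$call_pop_2` matches any `call` followed by a register `pop`, so `any of them` will be noisy on legitimate code, whereas `$call_pop_1` and `$fstenv` are the distinctive ones.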