Neo23x0 / signature-base

YARA signature and IOC database for my scanners and tools

Yara F/P with p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs | hatman dividers #49

Closed nwf9 closed 5 years ago

nwf9 commented 5 years ago

Hi Florian,

I have a lot of F/P with the two rules below:

YARA rule match on process memory SCORE: 75 NAME: chrome.exe DESC: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs PID: 10564 CMD: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1384,1381225692283285303,12548745127206151242,131072 --service-pipe-token=10935207763610381885 --lang=fr --disable-dinosaur-easter-egg --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=10935207763610381885 --renderer-client-id=124 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7552 /prefetch:1 RULE: Hacktool_Strings_p0wnedShell REFERENCE: https://github.com/Cn33liz/p0wnedShell

YARA rule match on process memory SCORE: 75 NAME: chrome.exe DESC: - PID: 11744 CMD: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1384,1381225692283285303,12548745127206151242,131072 --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=6827380407446322870 --mojo-platform-channel-handle=1400 --ignored=" --type=renderer " /prefetch:2 RULE: hatman_dividers

Neo23x0 commented 5 years ago

The first match isn't a false positive. It's a positive match on a relevant string in the process memory of the browser. https://github.com/Neo23x0/signature-base/blob/7c8745c59ed43cf60f1dd5bace2339f19824fc9c/yara/gen_p0wnshell.yar#L30

How often does this appear? On your system only?

The second match is some kind of error. I have no idea how a private rule can match on process memory. https://github.com/Neo23x0/signature-base/blob/c2634bfa232693ed03f189091384c50a73878d75/yara/apt_hatman.yar#L38

nwf9 commented 5 years ago

How can it be relevant for the browser process? Do you recommend excluding those processes? Is the correct behaviour of the private rule to analyze only the file present on disk?

Neo23x0 commented 5 years ago

How can it be relevant for the browser process?

Attackers use browsers on compromised systems to download tools.

Do you recommend excluding those processes?

If you know that the user of that system with matches in the browser memory is allowed to surf to hacktool web pages and download such tools, yes. I'd filter it where you analyse the logs. (grep -v ...)

Is the correct behaviour of the private rule to analyze only the file present on disk?

No. Private rules shouldn't show up at all. They are used to be combined with other rules only. https://yara.readthedocs.io/en/v3.8.1/writingrules.html#private-rules
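
A concrete version of the `grep -v` log filtering suggested in the reply above, as an added example that is not part of the original thread or of signature-base. The log lines are constructed for the example: two are modelled on the chrome.exe matches posted in this issue, the third is an invented powershell.exe hit on the same rule. The choice of browser process names, the regular expression and the `sed`/`grep` invocations are my own assumptions, not anything the scanner ships.

```sh
#!/bin/sh
# Constructed sample of scanner output (not real scan logs), modelled on the
# "YARA rule match on process memory" lines in this issue.
SAMPLE_LOG='YARA rule match on process memory SCORE: 75 NAME: chrome.exe DESC: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs PID: 10564 CMD: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer RULE: Hacktool_Strings_p0wnedShell REFERENCE: https://github.com/Cn33liz/p0wnedShell
YARA rule match on process memory SCORE: 75 NAME: powershell.exe DESC: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs PID: 4321 CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden RULE: Hacktool_Strings_p0wnedShell REFERENCE: https://github.com/Cn33liz/p0wnedShell
YARA rule match on process memory SCORE: 75 NAME: chrome.exe DESC: - PID: 11744 CMD: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process RULE: hatman_dividers'

# Drop process-memory hits of the p0wnedShell string rule only when the
# matched process is a browser (assumed list: chrome.exe, firefox.exe).
# Every other line, including the same rule firing in a non-browser process
# and the unrelated hatman_dividers line, passes through unchanged.
filter_browser_hacktool_matches() {
    grep -v -E 'NAME: (chrome|firefox)\.exe .*RULE: Hacktool_Strings_p0wnedShell( |$)'
}

# Number of rule matches left in the sample after filtering (expected: 2).
count_remaining() {
    printf '%s\n' "$SAMPLE_LOG" | filter_browser_hacktool_matches | grep -c 'RULE: '
}

# Process name that still carries the p0wnedShell match after filtering
# (expected: powershell.exe), i.e. the hit an analyst should still look at.
remaining_p0wnedshell_process() {
    printf '%s\n' "$SAMPLE_LOG" | filter_browser_hacktool_matches \
        | grep 'RULE: Hacktool_Strings_p0wnedShell' \
        | sed -E 's/.*NAME: ([^ ]+) .*/\1/'
}
```

Usage against a real log would be `filter_browser_hacktool_matches < scan.log` (file name assumed). The filter is deliberately narrow: it keys on both the process name and the rule name, so the same strings turning up in powershell.exe memory are still reported, and nothing is suppressed for the `hatman_dividers` line, which is the separate private-rule bug discussed in this issue rather than a false positive.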

Neo23x0 commented 5 years ago

How can it be relevant for the browser process?

Did you see false positives on machines of users that shouldn't visit hack tool sites?

nwf9 commented 5 years ago

Yes, if the user navigates to a malware domain list you trigger a lot of F/P 😁.

nwf9 commented 5 years ago

Not F/P