cisagov / CHIRP

A DFIR tool written in Python.
Creative Commons Zero v1.0 Universal

Yara IoCs identifying themselves #15

Closed LaxVolt closed 3 years ago

LaxVolt commented 3 years ago

🐛 Summary

What's wrong? Please be specific.

Run on Windows 10 system from downloaded folder location.
Folder name changed to v1.0.2

I noticed this on one of my work systems that I was running the script through. Then ran on a personal non-connected system and received a similar response.

Steps to reproduce the behavior:

System Details: Windows 10, Installed VS Build Tools and Python v3.9.2

  1. Download Chirp from GitHub
  2. Change name of zip to "chirp v1.0.2.zip"
  3. Extract Zip
  4. Install via PowerShell with python install command
  5. Run via PowerShell CLI as "python chirp.py"
  6. Wait for report

Expected behavior

YARA indicated file is from Chirp script directory, not base system itself. I would have expected any reported files to be outside of this directory.

Any helpful log output or screenshots

{"CrowdStrike Sunspot": {"description": "\"Identifies Sunspot backdoor dropper utilizing unique strings in key encryption material, mutexes, and logging.\"\n", "confidence": 10, "matches": [{"meta": "{'copyright': '(c) 2021 CrowdStrike Inc.', 'description': 'Detects mutex names in SUNSPOT', 'version': '202101081448', 'last_modified': '2021-01-08', 'actor': 'StellarParticle', 'malware_family': 'SUNSPOT'}", "namespace": "CrowdStrike Sunspot", "rule": "CrowdStrike_SUNSPOT_02", "strings": "[(1197, '$mutex_01', b'{12d61a41-4b74-7610-a4d8-3028d2f56395}'), (1270, '$mutex_02', b'{56331e4d-76a3-0390-a7ee-567adf5836b7}')]", "tags": "['artifact', 'stellarparticle', 'sunspot']", "file": "C:\\Users\\UserX\\Downloads\\chirp v1.0.2\\indicators\\crowdstrike_sunspot.yaml"}]}}


DeemOnSecurity commented 3 years ago

Good evening! Yes, that rule does appear to detect itself (it does in our dev environment too). We attempted to add the cwd to the ignore list, but it appears that is a bug that needs fixing.

LaxVolt commented 3 years ago

Thanks for all the work you are doing on this, it is much appreciated. Below is a copy of the first time I saw this.

Possibly do a validation on the file name or hash and not worry about the working directory.

On the first system I ran this on, I was suspicious of it; it actually reported what I believe was the older version, as it was in the recycle bin directory. When I dug into the directory, it actually was a copy of the chirp directory for an old version that I removed.

{"CrowdStrike Sunspot": {"description": "\"Identifies Sunspot backdoor dropper utilizing unique strings in key encryption material, mutexes, and logging.\"\n", "confidence": 10, "matches": [{"meta": "{'copyright': '(c) 2021 CrowdStrike Inc.', 'description': 'Detects mutex names in SUNSPOT', 'version': '202101081448', 'last_modified': '2021-01-08', 'actor': 'StellarParticle', 'malware_family': 'SUNSPOT'}", "namespace": "CrowdStrike Sunspot", "rule": "CrowdStrike_SUNSPOT_02", "strings": "[(1197, '$mutex_01', b'{12d61a41-4b74-7610-a4d8-3028d2f56395}'), (1270, '$mutex_02', b'{56331e4d-76a3-0390-a7ee-567adf5836b7}')]", "tags": "['artifact', 'stellarparticle', 'sunspot']", "file": "C:\\$Recycle.Bin\\S-1-5-21-2077907170-1886209480-1695163583-7785\\$RUT019A\\indicators\\crowdstrike_sunspot.yaml"}]}}
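An added example (not CHIRP's own code) of the filtering suggested above: drop YARA hits whose file sits under the tool's own directory, and also hits whose hash equals a shipped indicator file, so a stale copy outside the working directory (the recycle-bin case in this thread) is recognised too. The directory layout, file contents and the `demo()` scenario are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_of(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def known_indicator_hashes(indicator_dir):
    """Hashes of every indicator file the tool ships (its YAML rule files)."""
    return {sha256_of(p) for p in Path(indicator_dir).rglob("*") if p.is_file()}

def is_self_match(match_file, tool_root, known_hashes):
    """True when a YARA hit is the tool's own indicator content: the file is under the
    tool directory, or its hash equals a shipped indicator file (catches stale copies)."""
    p = Path(match_file)
    if p.resolve().is_relative_to(Path(tool_root).resolve()):  # Python 3.9+
        return True
    try:
        return sha256_of(p) in known_hashes
    except OSError:  # unreadable or gone: keep the hit rather than silently hide it
        return False

def filter_self_matches(matches, tool_root, known_hashes):
    """Drop hits on the tool's own files; each match is a dict with a 'file' key."""
    return [m for m in matches if not is_self_match(m["file"], tool_root, known_hashes)]

def demo():
    """Constructed scenario mirroring the report: a hit inside the tool directory, a hit
    on a stale copy outside it, and one genuine hit. Returns the surviving file paths."""
    base = Path(tempfile.mkdtemp())
    tool = base / "chirp v1.0.2"
    (tool / "indicators").mkdir(parents=True)
    rule = tool / "indicators" / "crowdstrike_sunspot.yaml"
    rule.write_text("mutex: constructed-placeholder-not-a-real-ioc\n")  # constructed content
    stale = base / "Recycle.Bin" / "indicators" / "crowdstrike_sunspot.yaml"
    stale.parent.mkdir(parents=True)
    shutil.copy(rule, stale)  # stands in for the deleted old install in the recycle bin
    real = base / "Temp" / "dropper.bin"
    real.parent.mkdir()
    real.write_bytes(b"constructed-placeholder-not-a-real-ioc plus other bytes")
    matches = [{"file": str(rule)}, {"file": str(stale)}, {"file": str(real)}]
    kept = filter_self_matches(matches, tool, known_indicator_hashes(tool / "indicators"))
    shutil.rmtree(base)
    return [m["file"] for m in kept]
```

The hash check is deliberately a second pass after the path check, so a hit is only suppressed when the file is byte-for-byte one of the tool's own rule files; anything merely containing the same strings is still reported.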

DeemOnSecurity commented 3 years ago

When #33 is merged, I will build the release for this fix.