Commit
1 parent
3b374fe
commit efd00ab
Showing
15 changed files
with
1,413 additions
and
0 deletions.
@@ -0,0 +1,20 @@ | ||
rule Windows_Exploit_CVE_2022_38028_31fdb122 { | ||
meta: | ||
author = "Elastic Security" | ||
id = "31fdb122-36fd-4fae-b605-542dc344575c" | ||
fingerprint = "e489287412ee673f4d93c5efc9e61b5d26d877bb0f4ddf827926b4d5d87dc399" | ||
creation_date = "2024-06-06" | ||
last_modified = "2024-06-12" | ||
threat_name = "Windows.Exploit.CVE-2022-38028" | ||
reference_sample = "6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f" | ||
severity = 100 | ||
arch_context = "x86" | ||
scan_context = "file, memory" | ||
license = "Elastic License v2" | ||
os = "windows" | ||
strings: | ||
$a = { 70 72 69 6E 74 54 69 63 6B 65 74 2E 58 6D 6C 4E 6F 64 65 2E 6C 6F 61 64 28 27 25 53 3A 2F 2F 67 6F 27 29 3B } | ||
condition: | ||
all of them | ||
} | ||
|
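Review bot: The single string `$a` in Windows_Exploit_CVE_2022_38028_31fdb122 is an uncommented hex sequence, so a reader has to decode it by hand to know what the rule actually matches; the bytes are plain ASCII for `printTicket.XmlNode.load('%S://go');`. A hex string here is byte-exact and case-sensitive, so it behaves the same as a plain text string, and a comment beside it keeps that visible without changing the rule: `// $a: ASCII "printTicket.XmlNode.load('%S://go');"`. The same decoded-text comment would help the hex strings in Windows_Exploit_Generic_008359cf and Windows_Exploit_Generic_8c54846d in the next file, where the patterns are PDB/CVE path fragments. With only one string defined, `all of them` and `any of them` are equivalent; if more strings are added later the intended semantics should be checked again.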
@@ -0,0 +1,88 @@ | ||
rule Windows_Exploit_Generic_e95cc41c { | ||
meta: | ||
author = "Elastic Security" | ||
id = "e95cc41c-6cad-4b9c-b647-3c60e6614e25" | ||
fingerprint = "78f78de7cee54107ee7c3de9b152ce3a242c1408115ab0950ccdfc278ed15a19" | ||
creation_date = "2024-02-28" | ||
last_modified = "2024-06-12" | ||
threat_name = "Windows.Exploit.Generic" | ||
reference_sample = "4cce9e39c376f67c16df3bcd69efd9b7472c3b478e2e5ef347e1410f1105c38d" | ||
severity = 100 | ||
arch_context = "x86" | ||
scan_context = "file" | ||
license = "Elastic License v2" | ||
os = "windows" | ||
strings: | ||
$s1 = "Got system privileges" nocase | ||
$s2 = "Got SYSTEM token" nocase | ||
$s3 = "Got a SYSTEM token" nocase | ||
$s4 = "] Duplicating SYSTEM token" nocase | ||
$s5 = "] Token Stealing is successful" nocase | ||
$s6 = "] Exploit completed" nocase | ||
$s7 = "] Got SYSTEM shell." nocase | ||
$s8 = "] Spawning SYSTEM shell" nocase | ||
$s9 = "we have a SYSTEM shell!" nocase | ||
$s10 = "Dropping to System Shell." nocase | ||
$s11 = "] Enjoy the NT AUTHORITY\\SYSTEM shell" nocase | ||
$s12 = "] SMEP is disabled" nocase | ||
$s13 = "] KUSER_SHARED_DATA" | ||
$s14 = "] Found System EPROCESS" | ||
condition: | ||
any of them | ||
} | ||
|
||
rule Windows_Exploit_Generic_008359cf { | ||
meta: | ||
author = "Elastic Security" | ||
id = "008359cf-5510-4f91-8cb1-7b4ff645bf2d" | ||
fingerprint = "3ef3b6bbe2141cb8ce47a5ee7c7531e72773d4dc4e478bb792c9230e4948db02" | ||
creation_date = "2024-02-28" | ||
last_modified = "2024-06-12" | ||
threat_name = "Windows.Exploit.Generic" | ||
reference_sample = "73225a3a54560965f4c4fae73f7ee234e31217bc06ff8ba1d0b36ebab5e76a87" | ||
severity = 100 | ||
arch_context = "x86" | ||
scan_context = "file" | ||
license = "Elastic License v2" | ||
os = "windows" | ||
strings: | ||
$a1 = { C6 85 ?? 01 00 00 74 C6 85 ?? 01 00 00 58 C6 85 ?? 01 00 00 58 } | ||
$a2 = { C6 45 ?? 41 C6 45 ?? 66 C6 45 ?? 64 C6 45 ?? 4F C6 45 ?? 70 C6 45 ?? 65 C6 45 ?? 6E C6 45 ?? 50 C6 45 ?? 61 C6 45 ?? 63 C6 45 ?? 6B C6 45 ?? 65 C6 45 ?? 74 C6 45 ?? 58 C6 45 ?? 58 } | ||
$b1 = "NtCreateFile" | ||
$b2 = "\\Device\\Afd\\Endpoint" wide nocase | ||
$b3 = "\\Device\\Afd\\Endpoint" nocase | ||
$b4 = "NtDeviceIoControlFile" | ||
condition: | ||
1 of ($a*) and 3 of ($b*) | ||
} | ||
|
||
rule Windows_Exploit_Generic_8c54846d { | ||
meta: | ||
author = "Elastic Security" | ||
id = "8c54846d-07ee-43bc-93e1-72bf4162ab87" | ||
fingerprint = "9acb35c06a21e35639c8026a18e919329db82a0629a8e2267f1f4fe00b3bb871" | ||
creation_date = "2024-02-29" | ||
last_modified = "2024-06-12" | ||
threat_name = "Windows.Exploit.Generic" | ||
reference_sample = "b6ea4815a38e606d4a2d6e6d711e610afec084db6899b7d6fc874491dd939495" | ||
severity = 100 | ||
arch_context = "x86" | ||
scan_context = "file" | ||
license = "Elastic License v2" | ||
os = "windows" | ||
strings: | ||
$a1 = { 5C 63 76 65 2D 32 30 ?? ?? 2D ?? ?? ?? ?? 5C 78 36 34 5C 52 65 6C 65 61 73 65 5C } | ||
$a2 = { 5C 43 56 45 2D 32 30 ?? ?? 2D ?? ?? ?? ?? 5C 78 36 34 5C 52 65 6C 65 61 73 65 5C } | ||
$a3 = { 5C 78 36 34 5C 52 65 6C 65 61 73 65 5C 43 56 45 2D 32 30 ?? ?? 2D ?? ?? ?? ?? ?? 2E 70 64 62 } | ||
$a4 = { 5C 52 65 6C 65 61 73 65 5C 43 56 45 2D 32 30 ?? ?? 2D } | ||
$a5 = "\\x64\\Release\\CmdTest.pdb" | ||
$a6 = "\\x64\\Release\\RunPS.pdb" | ||
$a7 = "X:\\tools\\0day\\" | ||
$a8 = "C:\\work\\volodimir_" | ||
$a9 = { 78 36 34 5C 52 65 6C 65 61 73 65 5C 65 78 70 6C 6F 69 74 2E 70 64 62 } | ||
$b1 = { 5C 43 56 45 2D 32 30 ?? ?? 2D } | ||
$b2 = { 5C 78 36 34 5C 52 65 6C 65 61 73 65 5C } | ||
condition: | ||
any of ($a*) or all of ($b*) | ||
} | ||
|
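Review bot: In Windows_Exploit_Generic_8c54846d the strings `$a1` and `$a2` allow exactly four wildcard bytes for the CVE sequence number (`2D ?? ?? ?? ?? 5C`) while `$a3` allows five, so a lowercase `\cve-20xx-xxxxx\x64\Release\` path with a five-digit sequence number matches neither `$a1` nor `$a2` and is only covered by the uppercase-only `$a4`/`$b1` patterns. Unless the four-digit form was chosen deliberately to fit the reference sample, a YARA jump makes the two strings consistent with `$a3`: `$a1 = { 5C 63 76 65 2D 32 30 ?? ?? 2D [4-5] 5C 78 36 34 5C 52 65 6C 65 61 73 65 5C }` and likewise `$a2 = { 5C 43 56 45 2D 32 30 ?? ?? 2D [4-5] 5C 78 36 34 5C 52 65 6C 65 61 73 65 5C }`. Separately, in Windows_Exploit_Generic_e95cc41c `$s13` and `$s14` are the only strings without `nocase`; if that is intentional (KUSER_SHARED_DATA and EPROCESS are conventionally written in that case to limit false positives), a one-line comment saying so would stop a later maintainer from "fixing" it.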