Updating artifacts

yara/rules/Windows_Cryptominer_Generic.yar

@@ -18,3 +18,23 @@ rule Windows_Cryptominer_Generic_dd1e4d1a {
         all of them
 }
 
+rule Windows_Cryptominer_Generic_f53cfb9b {
+    meta:
+        author = "Elastic Security"
+        id = "f53cfb9b-0286-4e7e-895e-385b6f64c58a"
+        fingerprint = "2b66960ee7d423669d0d9e9dcd22ea6e1c0843893e5e04db92237b67b43d645c"
+        creation_date = "2024-03-05"
+        last_modified = "2024-06-12"
+        threat_name = "Windows.Cryptominer.Generic"
+        reference_sample = "a9870a03ddc6543a5a12d50f95934ff49f26b60921096b2c8f2193cb411ed408"
+        severity = 50
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $a1 = { 48 81 EC B8 00 00 00 0F AE 9C 24 10 01 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 0F AE 94 24 14 01 00 00 4C 8B A9 E0 00 00 00 4C 8B CA 4C 8B 51 20 4C 8B C1 4C 33 11 ?? ?? ?? ?? ?? ?? 4C 8B 59 28 }
+    condition:
+        all of them
+}
+

yara/rules/Windows_Exploit_CVE_2022_38028.yar

@@ -0,0 +1,20 @@
+rule Windows_Exploit_CVE_2022_38028_31fdb122 {
+    meta:
+        author = "Elastic Security"
+        id = "31fdb122-36fd-4fae-b605-542dc344575c"
+        fingerprint = "e489287412ee673f4d93c5efc9e61b5d26d877bb0f4ddf827926b4d5d87dc399"
+        creation_date = "2024-06-06"
+        last_modified = "2024-06-12"
+        threat_name = "Windows.Exploit.CVE-2022-38028"
+        reference_sample = "6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $a = { 70 72 69 6E 74 54 69 63 6B 65 74 2E 58 6D 6C 4E 6F 64 65 2E 6C 6F 61 64 28 27 25 53 3A 2F 2F 67 6F 27 29 3B }
+    condition:
+        all of them
+}
+

yara/rules/Windows_Exploit_Generic.yar

@@ -0,0 +1,88 @@
+rule Windows_Exploit_Generic_e95cc41c {
+    meta:
+        author = "Elastic Security"
+        id = "e95cc41c-6cad-4b9c-b647-3c60e6614e25"
+        fingerprint = "78f78de7cee54107ee7c3de9b152ce3a242c1408115ab0950ccdfc278ed15a19"
+        creation_date = "2024-02-28"
+        last_modified = "2024-06-12"
+        threat_name = "Windows.Exploit.Generic"
+        reference_sample = "4cce9e39c376f67c16df3bcd69efd9b7472c3b478e2e5ef347e1410f1105c38d"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $s1 = "Got system privileges" nocase
+        $s2 = "Got SYSTEM token" nocase
+        $s3 = "Got a SYSTEM token" nocase
+        $s4 = "] Duplicating SYSTEM token" nocase
+        $s5 = "] Token Stealing is successful" nocase
+        $s6 = "] Exploit completed" nocase
+        $s7 = "] Got SYSTEM shell." nocase
+        $s8 = "] Spawning SYSTEM shell" nocase
+        $s9 = "we have a SYSTEM shell!" nocase
+        $s10 = "Dropping to System Shell." nocase
+        $s11 = "] Enjoy the NT AUTHORITY\\SYSTEM shell" nocase
+        $s12 = "] SMEP is disabled" nocase
+        $s13 = "] KUSER_SHARED_DATA"
+        $s14 = "] Found System EPROCESS"
+    condition:
+        any of them
+}
+
+rule Windows_Exploit_Generic_008359cf {
+    meta:
+        author = "Elastic Security"
+        id = "008359cf-5510-4f91-8cb1-7b4ff645bf2d"
+        fingerprint = "3ef3b6bbe2141cb8ce47a5ee7c7531e72773d4dc4e478bb792c9230e4948db02"
+        creation_date = "2024-02-28"
+        last_modified = "2024-06-12"
+        threat_name = "Windows.Exploit.Generic"
+        reference_sample = "73225a3a54560965f4c4fae73f7ee234e31217bc06ff8ba1d0b36ebab5e76a87"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $a1 = { C6 85 ?? 01 00 00 74 C6 85 ?? 01 00 00 58 C6 85 ?? 01 00 00 58 }
+        $a2 = { C6 45 ?? 41 C6 45 ?? 66 C6 45 ?? 64 C6 45 ?? 4F C6 45 ?? 70 C6 45 ?? 65 C6 45 ?? 6E C6 45 ?? 50 C6 45 ?? 61 C6 45 ?? 63 C6 45 ?? 6B C6 45 ?? 65 C6 45 ?? 74 C6 45 ?? 58 C6 45 ?? 58 }
+        $b1 = "NtCreateFile"
+        $b2 = "\\Device\\Afd\\Endpoint" wide nocase
+        $b3 = "\\Device\\Afd\\Endpoint" nocase
+        $b4 = "NtDeviceIoControlFile"
+    condition:
+        1 of ($a*) and 3 of ($b*)
+}
+
+rule Windows_Exploit_Generic_8c54846d {
+    meta:
+        author = "Elastic Security"
+        id = "8c54846d-07ee-43bc-93e1-72bf4162ab87"
+        fingerprint = "9acb35c06a21e35639c8026a18e919329db82a0629a8e2267f1f4fe00b3bb871"
+        creation_date = "2024-02-29"
+        last_modified = "2024-06-12"
+        threat_name = "Windows.Exploit.Generic"
+        reference_sample = "b6ea4815a38e606d4a2d6e6d711e610afec084db6899b7d6fc874491dd939495"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $a1 = { 5C 63 76 65 2D 32 30 ?? ?? 2D ?? ?? ?? ?? 5C 78 36 34 5C 52 65 6C 65 61 73 65 5C }
+        $a2 = { 5C 43 56 45 2D 32 30 ?? ?? 2D ?? ?? ?? ?? 5C 78 36 34 5C 52 65 6C 65 61 73 65 5C }
+        $a3 = { 5C 78 36 34 5C 52 65 6C 65 61 73 65 5C 43 56 45 2D 32 30 ?? ?? 2D ?? ?? ?? ?? ?? 2E 70 64 62 }
+        $a4 = { 5C 52 65 6C 65 61 73 65 5C 43 56 45 2D 32 30 ?? ?? 2D }
+        $a5 = "\\x64\\Release\\CmdTest.pdb"
+        $a6 = "\\x64\\Release\\RunPS.pdb"
+        $a7 = "X:\\tools\\0day\\"
+        $a8 = "C:\\work\\volodimir_"
+        $a9 = { 78 36 34 5C 52 65 6C 65 61 73 65 5C 65 78 70 6C 6F 69 74 2E 70 64 62 }
+        $b1 = { 5C 43 56 45 2D 32 30 ?? ?? 2D }
+        $b2 = { 5C 78 36 34 5C 52 65 6C 65 61 73 65 5C }
+    condition:
+        any of ($a*) or all of ($b*)
+}
+