From 1136574b46c82a81323b3f225e2e8845f3e70809 Mon Sep 17 00:00:00 2001
From: Kevin O'Reilly
Date: Wed, 8 May 2024 15:21:24 +0100
Subject: [PATCH] Promote Sliver detection to proper malware family classification
---
 data/yara/CAPE/Sliver.yar | 20 ++++++++++++++++++++
 data/yara/binaries/indicator_tools.yar | 20 --------------------
 2 files changed, 20 insertions(+), 20 deletions(-)
 create mode 100644 data/yara/CAPE/Sliver.yar
diff --git a/data/yara/CAPE/Sliver.yar b/data/yara/CAPE/Sliver.yar
new file mode 100644
index 00000000..3892faf8
--- /dev/null
+++ b/data/yara/CAPE/Sliver.yar
@@ -0,0 +1,20 @@
+rule Sliver {
+ meta:
+ author = "ditekSHen"
+ description = "Detects Sliver implant cross-platform adversary emulation/red team"
+ cape_type = "Sliver Payload"
+ strings:
+ $x1 = "github.com/bishopfox/sliver/protobuf/sliverpbb." ascii
+ $s1 = ".commonpb.ResponseR" ascii
+ $s2 = ".PortfwdProtocol" ascii
+ $s3 = ".WGTCPForwarder" ascii
+ $s4 = ".WGSocksServerR" ascii
+ $s5 = ".PivotEntryR" ascii
+ $s6 = ".BackdoorReq" ascii
+ $s7 = ".ProcessDumpReq" ascii
+ $s8 = ".InvokeSpawnDllReq" ascii
+ $s9 = ".SpawnDll" ascii
+ $s10 = ".TCPPivotReq" ascii
+ condition:
+ (uint16(0) == 0x5a4d or uint16(0) == 0x457f or uint16(0) == 0xfacf) and (1 of ($x*) or 5 of ($s*))
+}
diff --git a/data/yara/binaries/indicator_tools.yar b/data/yara/binaries/indicator_tools.yar
index af4b1498..107ab6b9 100644
--- a/data/yara/binaries/indicator_tools.yar
+++ b/data/yara/binaries/indicator_tools.yar
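Review bot: The file-type guard on the condition line of the new Sliver rule admits PE (`0x5a4d`), ELF (`0x457f`) and 64-bit little-endian Mach-O (`0xfacf`) only, so a macOS universal/fat binary (leading bytes CA FE BA BE, i.e. `uint16(0) == 0xfeca`) wrapping an otherwise matching implant is never examined; if such builds are in scope for this deployment, widen the guard to `(uint16(0) == 0x5a4d or uint16(0) == 0x457f or uint16(0) == 0xfacf or uint16(0) == 0xfeca)`. Every string in the rule appears to be a Go/protobuf package or message name kept as plain ASCII, so the meta block should state that the rule only fires when those names survive in the binary, e.g. a comment above `strings:` such as `// keys on protobuf package/message names; builds that strip or obfuscate these names will not match` — now that `cape_type` makes this the family classification for Sliver, analysts will otherwise read a miss as stronger evidence than it is. Since the companion hunk in indicator_tools.yar deletes `INDICATOR_TOOL_Sliver`, any downstream report or signature logic keyed on that rule name stops firing; recording the rename in the meta (in `description` or a `reference` field) would help consumers migrate.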
@@ -848,26 +848,6 @@ rule INDICATOR_TOOL_ChromeCookiesView {
 uint16(0) == 0x5a4d and (5 of ($s*) or (($pdb) and 2 of ($s*)))
 }
-rule INDICATOR_TOOL_Sliver {
- meta:
- author = "ditekSHen"
- description = "Detects Sliver implant cross-platform adversary emulation/red team"
- strings:
- $x1 = "github.com/bishopfox/sliver/protobuf/sliverpbb." ascii
- $s1 = ".commonpb.ResponseR" ascii
- $s2 = ".PortfwdProtocol" ascii
- $s3 = ".WGTCPForwarder" ascii
- $s4 = ".WGSocksServerR" ascii
- $s5 = ".PivotEntryR" ascii
- $s6 = ".BackdoorReq" ascii
- $s7 = ".ProcessDumpReq" ascii
- $s8 = ".InvokeSpawnDllReq" ascii
- $s9 = ".SpawnDll" ascii
- $s10 = ".TCPPivotReq" ascii
- condition:
- (uint16(0) == 0x5a4d or uint16(0) == 0x457f or uint16(0) == 0xfacf) and (1 of ($x*) or 5 of ($s*))
-}
 rule INDICATOR_TOOL_OwlProxy {
 meta:
 author = "ditekSHen"