// Copyright 2020 by FireEye, Inc. // You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at: // https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt import "pe" rule APT_Backdoor_MSIL_SUNBURST_1 { meta: author = "FireEye" description = "This rule is looking for portions of the SUNBURST backdoor that are vital to how it functions. The first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver names/paths. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services." strings: $cmd_regex_encoded = "U4qpjjbQtUzUTdONrTY2q42pVapRgooABYxQuIZmtUoA" wide $cmd_regex_plain = { 5C 7B 5B 30 2D 39 61 2D 66 2D 5D 7B 33 36 7D 5C 7D 22 7C 22 5B 30 2D 39 61 2D 66 5D 7B 33 32 7D 22 7C 22 5B 30 2D 39 61 2D 66 5D 7B 31 36 7D } $fake_orion_event_encoded = "U3ItS80rCaksSFWyUvIvyszPU9IBAA==" wide $fake_orion_event_plain = { 22 45 76 65 6E 74 54 79 70 65 22 3A 22 4F 72 69 6F 6E 22 2C } $fake_orion_eventmanager_encoded = "U3ItS80r8UvMTVWyUgKzfRPzEtNTi5R0AA==" wide $fake_orion_eventmanager_plain = { 22 45 76 65 6E 74 4E 61 6D 65 22 3A 22 45 76 65 6E 74 4D 61 6E 61 67 65 72 22 2C } $fake_orion_message_encoded = "U/JNLS5OTE9VslKqNqhVAgA=" wide $fake_orion_message_plain = { 22 4D 65 73 73 61 67 65 22 3A 22 7B 30 7D 22 } $fnv_xor = { 67 19 D8 A7 3B 90 AC 5B } condition: $fnv_xor and ($cmd_regex_encoded or $cmd_regex_plain) or ( ($fake_orion_event_encoded or $fake_orion_event_plain) and ($fake_orion_eventmanager_encoded or $fake_orion_eventmanager_plain) and ($fake_orion_message_encoded and $fake_orion_message_plain) ) } rule APT_Backdoor_MSIL_SUNBURST_2 { meta: author = "FireEye" description = "The SUNBURST backdoor uses a domain generation algorithm (DGA) as part of C2 communications. This rule is looking for each branch of the code that checks for which HTTP method is being used. This is in one large conjunction, and all branches are then tied together via disjunction. The grouping is intentionally designed so that if any part of the DGA is re-used in another sample, this signature should match that re-used portion. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services." strings: $a = "0y3Kzy8BAA==" wide $aa = "S8vPKynWL89PS9OvNqjVrTYEYqNa3fLUpDSgTLVxrR5IzggA" wide $ab = "S8vPKynWL89PS9OvNqjVrTYEYqPaauNaPZCYEQA=" wide $ac = "C88sSs1JLS4GAA==" wide $ad = "C/UEAA==" wide $ae = "C89MSU8tKQYA" wide $af = "8wvwBQA=" wide $ag = "cyzIz8nJBwA=" wide $ah = "c87JL03xzc/LLMkvysxLBwA=" wide $ai = "88tPSS0GAA==" wide $aj = "C8vPKc1NLQYA" wide $ak = "88wrSS1KS0xOLQYA" wide $al = "c87PLcjPS80rKQYA" wide $am = "Ky7PLNAvLUjRBwA=" wide $an = "06vIzQEA" wide $b = "0y3NyyxLLSpOzIlPTgQA" wide $c = "001OBAA=" wide $d = "0y0oysxNLKqMT04EAA==" wide $e = "0y3JzE0tLknMLQAA" wide $f = "003PyU9KzAEA" wide $h = "0y1OTS4tSk1OBAA=" wide $i = "K8jO1E8uytGvNqitNqytNqrVA/IA" wide $j = "c8rPSQEA" wide $k = "c8rPSfEsSczJTAYA" wide $l = "c60oKUp0ys9JAQA=" wide $m = "c60oKUp0ys9J8SxJzMlMBgA=" wide $n = "8yxJzMlMBgA=" wide $o = "88lMzygBAA==" wide $p = "88lMzyjxLEnMyUwGAA==" wide $q = "C0pNL81JLAIA" wide $r = "C07NzXTKz0kBAA==" wide $s = "C07NzXTKz0nxLEnMyUwGAA==" wide $t = "yy9IzStOzCsGAA==" wide $u = "y8svyQcA" wide $v = "SytKTU3LzysBAA==" wide $w = "C84vLUpOdc5PSQ0oygcA" wide $x = "C84vLUpODU4tykwLKMoHAA==" wide $y = "C84vLUpO9UjMC07MKwYA" wide $z = "C84vLUpO9UjMC04tykwDAA==" wide condition: ($a and $b and $c and $d and $e and $f and $h and $i) or ($j and $k and $l and $m and $n and $o and $p and $q and $r and $s and ($aa or $ab)) or ($t and $u and $v and $w and $x and $y and $z and ($aa or $ab)) or ($ac and $ad and $ae and $af and $ag and $ah and ($am or $an)) or ($ai and $aj and $ak and $al and ($am or $an)) } rule APT_Backdoor_MSIL_SUNBURST_3 { meta: author = "FireEye" description = "This rule is looking for certain portions of the SUNBURST backdoor that deal with C2 communications. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services." strings: $sb1 = { 05 14 51 1? 0A 04 28 [2] 00 06 0? [0-16] 03 1F ?? 2E ?? 03 1F ?? 2E ?? 03 1F ?? 2E ?? 03 1F [1-32] 03 0? 05 28 [2] 00 06 0? [0-32] 03 [0-16] 59 45 06 } $sb2 = { FE 16 [2] 00 01 6F [2] 00 0A 1? 8D [2] 00 01 [0-32] 1? 1? 7B 9? [0-16] 1? 1? 7D 9? [0-16] 6F [2] 00 0A 28 [2] 00 0A 28 [2] 00 0A [0-32] 02 7B [2] 00 04 1? 6F [2] 00 0A [2-32] 02 7B [2] 00 04 20 [4] 6F [2] 00 0A [0-32] 13 ?? 11 ?? 11 ?? 6E 58 13 ?? 11 ?? 11 ?? 9? 1? [0-32] 60 13 ?? 0? 11 ?? 28 [4] 11 ?? 11 ?? 9? 28 [4] 28 [4-32] 9? 58 [0-32] 6? 5F 13 ?? 02 7B [2] 00 04 1? ?? 1? ?? 6F [2] 00 0A 8D [2] 00 01 } $ss1 = "\x00set_UseShellExecute\x00" $ss2 = "\x00ProcessStartInfo\x00" $ss3 = "\x00GetResponseStream\x00" $ss4 = "\x00HttpWebResponse\x00" condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule APT_Backdoor_MSIL_SUNBURST_4 { meta: author = "FireEye" description = "This rule is looking for specific methods used by the SUNBURST backdoor. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services." strings: $ss1 = "\x00set_UseShellExecute\x00" $ss2 = "\x00ProcessStartInfo\x00" $ss3 = "\x00GetResponseStream\x00" $ss4 = "\x00HttpWebResponse\x00" $ss5 = "\x00ExecuteEngine\x00" $ss6 = "\x00ParseServiceResponse\x00" $ss7 = "\x00RunTask\x00" $ss8 = "\x00CreateUploadRequest\x00" condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule APT_Dropper_Raw64_TEARDROP_1 { meta: author = "FireEye" description = "This rule looks for portions of the TEARDROP backdoor that are vital to how it functions. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory." strings: $sb1 = { C7 44 24 ?? 80 00 00 00 [0-64] BA 00 00 00 80 [0-32] 48 8D 0D [4-32] FF 15 [4] 48 83 F8 FF [2-64] 41 B8 40 00 00 00 [0-64] FF 15 [4-5] 85 C0 7? ?? 80 3D [4] FF } $sb2 = { 80 3D [4] D8 [2-32] 41 B8 04 00 00 00 [0-32] C7 44 24 ?? 4A 46 49 46 [0-32] E8 [4-5] 85 C0 [2-32] C6 05 [4] 6A C6 05 [4] 70 C6 05 [4] 65 C6 05 [4] 67 } $sb3 = { BA [4] 48 89 ?? E8 [4] 41 B8 [4] 48 89 ?? 48 89 ?? E8 [4] 85 C0 7? [1-32] 8B 44 24 ?? 48 8B ?? 24 [1-16] 48 01 C8 [0-32] FF D0 } condition: all of them } rule APT_Dropper_Win64_TEARDROP_2 { meta: author = "FireEye" description = "This rule is intended match specific sequences of opcode found within TEARDROP, including those that decode the embedded payload. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory." strings: $loc_4218FE24A5 = { 48 89 C8 45 0F B6 4C 0A 30 } $loc_4218FE36CA = { 48 C1 E0 04 83 C3 01 48 01 E8 8B 48 28 8B 50 30 44 8B 40 2C 48 01 F1 4C 01 FA } $loc_4218FE2747 = { C6 05 ?? ?? ?? ?? 6A C6 05 ?? ?? ?? ?? 70 C6 05 ?? ?? ?? ?? 65 C6 05 ?? ?? ?? ?? 67 } $loc_5551D725A0 = { 48 89 C8 45 0F B6 4C 0A 30 48 89 CE 44 89 CF 48 F7 E3 48 C1 EA 05 48 8D 04 92 48 8D 04 42 48 C1 E0 04 48 29 C6 } $loc_5551D726F6 = { 53 4F 46 54 57 41 52 45 ?? ?? ?? ?? 66 74 5C 43 ?? ?? ?? ?? 00 } condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them }