>> RANSOMWARE DETECTION RULES
Detects LockBit ransomware family based on strings and behavior patterns. LockBit is one of the most prolific ransomware-as-a-service operations.
rule LockBit_Ransomware {
    meta:
        description = "Detects LockBit ransomware variants"
        author = "VAULT 4624"
        severity = "critical"
        date = "2024-01-15"
    strings:
        $s1 = "LockBit" ascii wide
        $s2 = ".lockbit" ascii wide
        $s3 = "Your files are encrypted" ascii wide
        $s4 = "contact@lockbitsupp" ascii wide
        // "LockBit" as raw bytes; same content as $s1 in its ascii form
        $hex1 = { 4C 6F 63 6B 42 69 74 }
    condition:
        // The MZ header check must gate both branches: "and" binds tighter
        // than "or", so without the parentheses $hex1 alone would fire on
        // any file that contains the bytes of the word "LockBit".
        uint16(0) == 0x5A4D and (2 of ($s*) or $hex1)
}
Author: VAULT 4624
Updated: 2024-01-15
MITRE: T1486
Identifies BlackCat (ALPHV) ransomware written in Rust. Known for fast encryption and targeting enterprise environments.
rule BlackCat_ALPHV_Ransomware {
    meta:
        description = "Detects BlackCat/ALPHV ransomware"
        author = "VAULT 4624"
        severity = "critical"
    strings:
        // Rust runtime symbols: present in any Rust binary, so they only
        // establish the language, never the family on their own
        $rust1 = "rust_begin_unwind" ascii
        $rust2 = "rust_panic" ascii
        $s1 = "RECOVER-" ascii wide
        $s2 = "-FILES.txt" ascii wide
        $s3 = "alphv" nocase ascii wide
        $s4 = "BlackCat" ascii wide
    condition:
        uint16(0) == 0x5A4D and
        1 of ($rust*) and 2 of ($s*)
}
MITRE: T1486
Family: BlackCat/ALPHV
Detects common ransomware note patterns across multiple families.
rule Generic_Ransomware_Note {
    meta:
        description = "Generic ransomware note detection"
        author = "VAULT 4624"
    strings:
        $pay1 = "bitcoin" nocase ascii wide
        $pay2 = "payment" nocase ascii wide
        $enc1 = "encrypted" nocase ascii wide
        $enc2 = "decrypt" nocase ascii wide
        $warn1 = "do not" nocase ascii wide
        $warn2 = "warning" nocase ascii wide
        $contact1 = "contact us" nocase ascii wide
        $contact2 = "email" nocase ascii wide
    condition:
        filesize < 100KB and
        2 of ($pay*) and 2 of ($enc*) and
        1 of ($warn*) and 1 of ($contact*)
}
Type: Document Analysis
MITRE: T1486
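To show how the modifiers and quantifiers in Generic_Ransomware_Note actually behave, here is an added Python re-implementation of that rule's logic (not part of the VAULT 4624 rule set, and not a YARA engine). It emulates `ascii`, `wide` (UTF-16LE) and `nocase` on text strings and the `N of ($group*)` quantifier, then runs the condition over constructed sample notes; all helper names and samples are assumptions made for the illustration.

```python
import re

# String section of Generic_Ransomware_Note, mirrored as name -> text
NOTE_STRINGS = {
    "$pay1": "bitcoin", "$pay2": "payment",
    "$enc1": "encrypted", "$enc2": "decrypt",
    "$warn1": "do not", "$warn2": "warning",
    "$contact1": "contact us", "$contact2": "email",
}

def string_matches(data: bytes, text: str, ascii_=True, wide=False, nocase=False) -> bool:
    """Emulate a YARA text string with the ascii / wide / nocase modifiers."""
    flags = re.IGNORECASE if nocase else 0
    forms = []
    if ascii_:
        forms.append(re.escape(text.encode("ascii")))
    if wide:
        # "wide" means UTF-16LE: every ASCII character followed by a NUL byte
        forms.append(re.escape(text.encode("utf-16-le")))
    return any(re.search(form, data, flags) for form in forms)

def n_of(data: bytes, prefix: str, n: int, **mods) -> bool:
    """Emulate 'n of ($prefix*)': at least n strings in the group match."""
    hits = sum(string_matches(data, s, **mods)
               for name, s in NOTE_STRINGS.items() if name.startswith(prefix))
    return hits >= n

def generic_ransomware_note(data: bytes) -> bool:
    """The rule's condition section, evaluated on raw file bytes."""
    mods = dict(ascii_=True, wide=True, nocase=True)
    return (len(data) < 100 * 1024                      # filesize < 100KB
            and n_of(data, "$pay", 2, **mods) and n_of(data, "$enc", 2, **mods)
            and n_of(data, "$warn", 1, **mods) and n_of(data, "$contact", 1, **mods))

# Constructed samples: an ASCII note, the same note saved as UTF-16LE
# (as Notepad often does), and a benign invoice that shares some words.
NOTE_ASCII = (b"WARNING: all your files are ENCRYPTED. To decrypt them send payment "
              b"in Bitcoin. Do not rename files. Contact us by email: [placeholder]")
NOTE_WIDE = NOTE_ASCII.decode("ascii").encode("utf-16-le")
BENIGN = b"Invoice: payment due in 30 days. Contact us by email with questions."

if __name__ == "__main__":
    for label, sample in [("ascii note", NOTE_ASCII), ("wide note", NOTE_WIDE), ("benign", BENIGN)]:
        print(f"{label}: {generic_ransomware_note(sample)}")
```

The UTF-16LE sample only matches because every string carries `wide`; drop that modifier and the same note is missed, which is the usual reason ransom-note rules keep both forms.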
>> APT GROUP DETECTION RULES
Detects tools and techniques associated with APT29 (Cozy Bear), a Russian state-sponsored group.
rule APT29_CozyCar {
    meta:
        description = "APT29 CozyCar malware"
        author = "VAULT 4624"
        severity = "critical"
    strings:
        $s1 = "CozyDuke" ascii wide
        $s2 = "CozyCar" ascii wide
        $cmd1 = "cmd.exe /c" ascii wide
        $cmd2 = "powershell" nocase ascii wide
        $api1 = "WinHttp" ascii
        $api2 = "InternetOpen" ascii
    condition:
        // The second branch (a shell/PowerShell string plus a WinHTTP or
        // WinINet API name) is common in legitimate software; treat hits
        // that lack $s1/$s2 as low-confidence hunting leads, not alerts.
        uint16(0) == 0x5A4D and
        (1 of ($s*) or (1 of ($cmd*) and 1 of ($api*)))
}
Group: APT29
Origin: Russia
Identifies APT28 (Fancy Bear) malware components and C2 communication patterns.
rule APT28_Xagent {
    meta:
        description = "APT28 X-Agent implant"
        author = "VAULT 4624"
    strings:
        $s1 = "X-Agent" ascii wide
        $s2 = "sofacy" nocase ascii wide
        // A generic browser User-Agent prefix; only meaningful together
        // with the command-handler names below
        $net1 = "User-Agent: Mozilla/5.0" ascii
        $com1 = "cmd_exec" ascii
        $com2 = "file_list" ascii
    condition:
        uint16(0) == 0x5A4D and
        (1 of ($s*) or (1 of ($net*) and 1 of ($com*)))
}
Group: APT28
Origin: Russia
>> WEBSHELL DETECTION RULES
Detects China Chopper webshell, commonly used by Chinese threat actors for web server compromise.
rule ChinaChopper_Webshell {
    meta:
        description = "China Chopper webshell"
        author = "VAULT 4624"
    strings:
        $php1 = "eval($_POST[" ascii nocase
        $php2 = "assert($_POST[" ascii nocase
        $asp1 = "eval(Request(" ascii nocase
        $asp2 = "execute(Request(" ascii nocase
        // One-liner with a short parameter name. The PHP form indexes with
        // brackets ($_POST["x"]) while the ASP form uses parentheses
        // (Request("x")), so each alternative carries its own delimiters;
        // quotes need no escaping inside a YARA regex.
        $short = /(eval|assert|execute)\s*\(\s*(Request\s*\(\s*['"][a-zA-Z0-9]{1,10}['"]\s*\)|\$_(POST|GET|REQUEST)\[['"][a-zA-Z0-9]{1,10}['"]\])\s*\)/ nocase
    condition:
        (1 of ($php*) or 1 of ($asp*) or $short) and
        filesize < 10KB
}
Type: Webshell
MITRE: T1505.003
Identifies common PHP webshell patterns and dangerous functions.
rule Generic_PHP_Webshell {
    meta:
        description = "Generic PHP webshell indicators"
        author = "VAULT 4624"
    strings:
        $php = "
MITRE: T1505.003
>> TROJAN DETECTION RULES
Rules for detecting common trojan families...
>> RAT DETECTION RULES
Rules for detecting Remote Access Trojans...
>> CRYPTOMINER DETECTION RULES
Rules for detecting cryptocurrency mining malware...
>> EXPLOIT DETECTION RULES
Rules for detecting exploit code and payloads...