add: openioc_scan config

4n6ist · Jun 8, 2018 · 6648528 · 6648528
1 parent dc54ae3
commit 6648528
Show file tree

Hide file tree

Showing 24 changed files with 825 additions and 0 deletions.
diff --git a/KaniVola/KaniVola.csproj b/KaniVola/KaniVola.csproj
@@ -186,6 +186,10 @@
   <PropertyGroup>
     <PostBuildEvent>mkdir $(TargetDir)conf\
 copy $(ProjectDir)conf\* $(TargetDir)conf
+mkdir $(TargetDir)conf\IOCs
+copy $(ProjectDir)conf\IOCs\* $(TargetDir)conf\IOCs
+mkdir $(TargetDir)conf\PyIOCe_templates
+copy $(ProjectDir)conf\PyIOCe\* $(TargetDir)conf\PyIOCe
 copy $(ProjectDir)winpmem.exe $(TargetDir)
 copy $(ProjectDir)volatility.exe $(TargetDir)
 copy $(ProjectDir)MSCompression64.dll $(TargetDir)

diff --git a/KaniVola/conf/IOCs/generic/10d8f887-b625-426f-b134-8147a780c369_UAC_sdb.ioc b/KaniVola/conf/IOCs/generic/10d8f887-b625-426f-b134-8147a780c369_UAC_sdb.ioc
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='utf-8'?>
+<OpenIOC xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://openioc.org/schemas/OpenIOC_1.1" id="10d8f887-b625-426f-b134-8147a780c369" last-modified="2015-02-26T06:11:39" published-date="0001-01-01T00:00:00">
+  <metadata>
+    <short_description>UAC pop-up bypass (COM)</short_description>
+    <description>push    10840014h       ; (FOF_NOCONFIRMATION|FOF_SILENT|FOFX_SHOWELEVATIONPROMPT|FOFX_NOCOPYHOOKS|FOFX_REQUIREELEVATION|FOF_NOERRORUI)</description>
+    <authored_by>Takahiro Haruyama</authored_by>
+    <authored_date>2015-02-26T06:10:23</authored_date>
+    <links/>
+  </metadata>
+  <criteria>
+    <Indicator id="2aaad842-4d2e-4f79-8ea8-50f170f2130b" operator="OR"><IndicatorItem id="5efc4f13-b33c-4ddc-a65b-bb019ad63281" condition="matches" preserve-case="false" negate="false">
+          <Context document="ProcessItem" search="ProcessItem/StringList/string" type="volatility"/>
+          <Content type="string">\x68\x14\x00\x84\x10</Content>
+        </IndicatorItem>
+      </Indicator>
+  </criteria>
+  <parameters/>
+</OpenIOC>
diff --git a/KaniVola/conf/IOCs/generic/26f643d6-6af9-4691-bfc3-f1823d4e9047_code_injection_hook.ioc b/KaniVola/conf/IOCs/generic/26f643d6-6af9-4691-bfc3-f1823d4e9047_code_injection_hook.ioc
@@ -0,0 +1,25 @@
+<?xml version='1.0' encoding='utf-8'?>
+<OpenIOC xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://openioc.org/schemas/OpenIOC_1.1" id="26f643d6-6af9-4691-bfc3-f1823d4e9047" last-modified="2015-02-26T03:27:02" published-date="0001-01-01T00:00:00">
+  <metadata>
+    <short_description>process code injection (based on unknown hook)</short_description>
+    <description></description>
+    <authored_by>Takahiro Haruyama</authored_by>
+    <authored_date>2015-02-26T03:23:58</authored_date>
+    <links/>
+  </metadata>
+  <criteria>
+    <Indicator id="49cbcede-0d87-45af-ab17-fe080a9120ef" operator="OR">
+      <Indicator id="ce8ef07b-dfda-4866-a069-d8999a0bd254" operator="AND">
+        <IndicatorItem preserve-case="false" negate="false" id="c7ed9dc1-d6c2-4f3b-912c-847e987f3f29" condition="is">
+          <Context document="ProcessItem" search="ProcessItem/SectionList/MemorySection/Injected" type="volatility"/>
+          <Content type="string">true</Content>
+        </IndicatorItem>
+        <IndicatorItem preserve-case="false" negate="false" id="ef7fa64d-8487-469e-afa7-8f539f8e275e" condition="contains">
+          <Context document="ProcessItem" search="ProcessItem/Hooked/API/HookingModuleName" type="volatility"/>
+          <Content type="string">unknown</Content>
+        </IndicatorItem>
+      </Indicator>
+    </Indicator>
+  </criteria>
+  <parameters/>
+</OpenIOC>
diff --git a/...a/conf/IOCs/generic/2823537b-8c9a-454a-8bf4-3aa5ef76ec54_information-stealing_malware.ioc b/...a/conf/IOCs/generic/2823537b-8c9a-454a-8bf4-3aa5ef76ec54_information-stealing_malware.ioc
@@ -0,0 +1,33 @@
+<?xml version='1.0' encoding='utf-8'?>
+<OpenIOC xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://openioc.org/schemas/OpenIOC_1.1" id="2823537b-8c9a-454a-8bf4-3aa5ef76ec54" last-modified="2015-07-13T08:20:14" published-date="0001-01-01T00:00:00">
+  <metadata>
+    <short_description>Information-Stealing Malware</short_description>
+    <description>Information-Stealing Malware (e.g., ZeuS, SpyEye, Citadel, Andromeda).</description>
+    <authored_by>Takahiro Haruyama</authored_by>
+    <authored_date>2014-09-01T08:21:19</authored_date>
+    <links/>
+  </metadata>
+  <criteria>
+    <Indicator operator="OR" id="484aae12-a6f9-44f4-9b87-a93a4df0c34b">
+      <Indicator operator="AND" id="03702f45-a600-4d92-9b3e-2f5f2cfd1c33">
+        <IndicatorItem id="d278f29b-d658-41d8-8aa1-656e1b54c693" condition="contains" preserve-case="false" negate="false">
+          <Context document="ProcessItem" search="ProcessItem/Hooked/API/FunctionName" type="volatility"/>
+          <Content type="string">HttpSendRequestA</Content>
+        </IndicatorItem>
+        <IndicatorItem id="6b5c91a6-6e7b-4aed-9a99-b0de43bc46dd" condition="contains" preserve-case="false" negate="false">
+          <Context document="ProcessItem" search="ProcessItem/Hooked/API/FunctionName" type="volatility"/>
+          <Content type="string">HttpSendRequestW</Content>
+        </IndicatorItem>
+        <IndicatorItem id="a9340d33-ac2d-4339-9d5e-20dc3c02b9c4" condition="contains" preserve-case="false" negate="false">
+          <Context document="ProcessItem" search="ProcessItem/Hooked/API/FunctionName" type="volatility"/>
+          <Content type="string">HttpSendRequestExA</Content>
+        </IndicatorItem>
+        <IndicatorItem id="f664600e-41e4-4420-b9e4-bb37accba122" condition="contains" preserve-case="false" negate="false">
+          <Context document="ProcessItem" search="ProcessItem/Hooked/API/FunctionName" type="volatility"/>
+          <Content type="string">HttpSendRequestExW</Content>
+        </IndicatorItem>
+      <IndicatorItem preserve-case="false" negate="false" id="3a4568dc-61e3-4993-8c48-c9cae0c8ea7f" condition="contains"><Context document="ProcessItem" search="ProcessItem/Hooked/API/HookingModuleName" type="volatility"/><Content type="string">unknown</Content></IndicatorItem></Indicator>
+    </Indicator>
+  </criteria>
+  <parameters><param id="efb1e12a-c86e-40fd-8e7f-a143bbe0bd00" ref-id="d278f29b-d658-41d8-8aa1-656e1b54c693" name="score"><value type="string">40</value></param><param id="6a3fb40b-0951-4495-87dd-3175a1c490e1" ref-id="6b5c91a6-6e7b-4aed-9a99-b0de43bc46dd" name="score"><value type="string">40</value></param><param id="b6563b3d-ea5c-4ede-91df-6bffa7108b1e" ref-id="a9340d33-ac2d-4339-9d5e-20dc3c02b9c4" name="score"><value type="string">40</value></param><param id="92581385-a29b-46aa-93fc-67785526c45d" ref-id="f664600e-41e4-4420-b9e4-bb37accba122" name="score"><value type="string">40</value></param><param id="73a0dbf3-ad70-4b55-816b-e160ffe624b6" ref-id="3a4568dc-61e3-4993-8c48-c9cae0c8ea7f" name="score"><value type="string">20</value></param></parameters>
+</OpenIOC>
diff --git a/KaniVola/conf/IOCs/generic/2b5527f3-e5c4-4f0b-b9fc-bcd2221c313c_PIC_PEB.ioc b/KaniVola/conf/IOCs/generic/2b5527f3-e5c4-4f0b-b9fc-bcd2221c313c_PIC_PEB.ioc
@@ -0,0 +1,22 @@
+<?xml version='1.0' encoding='utf-8'?>
+<OpenIOC xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://openioc.org/schemas/OpenIOC_1.1" id="2b5527f3-e5c4-4f0b-b9fc-bcd2221c313c" last-modified="2014-11-21T10:13:06" published-date="0001-01-01T00:00:00">
+  <metadata>
+    <short_description>position independent code (PEB)</short_description>
+    <description>This indicator focuses on 32-bit malware only</description>
+    <authored_by>Takahiro Haruyama</authored_by>
+    <authored_date>2014-11-21T10:12:37</authored_date>
+    <links/>
+  </metadata>
+  <criteria>
+    <Indicator id="80134cdd-247b-4984-9ab6-c8e423cdc95a" operator="OR"><IndicatorItem id="7979f975-ebac-4015-aba0-81f3640644fc" condition="matches" preserve-case="false" negate="false">
+          <Context document="ProcessItem" search="ProcessItem/StringList/string" type="volatility"/>
+          <Content type="string">\x64\xA1\x30\x00\x00\x00\x8B\x40\x0C</Content>
+        </IndicatorItem>
+      <IndicatorItem id="c2dd1da8-c622-4054-a25c-9d6ec1a1f261" condition="matches" preserve-case="false" negate="false">
+          <Context document="ProcessItem" search="ProcessItem/StringList/string" type="volatility"/>
+          <Content type="string">\x64\x8B.\x30\x8B.\x0C\x8B</Content>
+        </IndicatorItem>
+      </Indicator>
+  </criteria>
+  <parameters><param id="de307839-05cb-4e5b-ae3e-272809f75015" ref-id="5d20ae9a-e804-494d-ae8c-e8a36727bc7b" name="note"><value type="string">getting PEB #1</value></param><param id="aca2cddf-de52-440f-b69c-7263ac0eaf8a" ref-id="c2dd1da8-c622-4054-a25c-9d6ec1a1f261" name="note"><value type="string">PEB#2</value></param><param id="fa256c54-d74f-4451-997a-3f3b025ff494" ref-id="7979f975-ebac-4015-aba0-81f3640644fc" name="note"><value type="string">PEB#1</value></param><param id="bfc4b869-9866-4736-8f9c-d8330e376606" ref-id="08977335-ecfc-484c-9f79-2abfd90dcd1a" name="note"><value type="string">getPC</value></param><param id="b4e8a568-8881-4014-b0c9-889ed530273c" ref-id="f02b0b3c-06b9-49b6-9280-65c62bd2fe2f" name="note"><value type="string">ror13AddHash32</value></param><param id="090b5c42-e4db-44b5-a278-dc2fcc6a11e6" ref-id="9d5a2114-ce70-4d62-bfac-49edb2713129" name="note"><value type="string">rol13AddHash32</value></param><param id="9cbf7ba0-7ab8-41b5-b6ce-fb9293793583" ref-id="caee36f7-557b-4e42-9918-f2de810d8e94" name="note"><value type="string">poisonIvyHash</value></param><param id="5c091a62-6a84-47ed-b0c3-5e039093e678" ref-id="9bd28773-18da-4d19-ae7c-dda510039515" name="note"><value type="string">rol7AddHash32</value></param><param id="85c97df9-7076-43bd-92af-d86af5b103f0" ref-id="34116a72-e338-4414-bb0d-9e7970f259ef" name="note"><value type="string">rol5AddHash32</value></param><param id="e2c456e3-4358-41ed-84e1-bdf358504137" ref-id="993a9641-fe7e-4e44-b241-a2dd9750124e" name="note"><value type="string">rol3XorEax</value></param><param id="e1bb0d0e-d40f-4fdf-874b-4460054409f5" ref-id="ac76a17c-cbc4-4e7a-b910-ef25e8f19149" name="note"><value type="string">rol3XorEax2</value></param><param id="adcc4dad-441b-49e7-bb35-ef566c0c77d6" ref-id="8efcdc90-2e09-41b7-abaa-baee4f51626c" name="note"><value type="string">ror7AddHash32</value></param><param id="1d65ee01-eccc-45ba-869c-cc93813d5a82" ref-id="efe5d956-2bdb-41d5-862a-32eb1147308f" name="note"><value type="string">ror9AddHash32</value></param><param id="887f8da1-b4d9-4f04-b8da-3f1a62ae9c7a" ref-id="ee604897-9483-49e5-b45f-b3bf461294b9" name="note"><value type="string">ror11AddHash32</value></param><param id="430db37b-ecc9-477c-bc20-80e2ffb116b1" ref-id="a231bced-fdd5-4ef1-b590-6deacca7ff84" name="note"><value type="string">ror13AddHash32Sub1</value></param><param id="23854e51-bfb5-4a7f-b319-615fbecaf634" ref-id="f7072903-54c0-4f9e-8b73-d406b6d0319a" name="note"><value type="string">shl7shr19Hash32</value></param><param id="c575c92d-5533-4542-ba1b-f5e388c45c8e" ref-id="6e6f21d8-0aad-4715-8792-f4ffc47b69dc" name="note"><value type="string">sll1AddHash32</value></param><param id="60576093-9543-4997-85d9-8d06f093c874" ref-id="37815abf-e782-46ca-81e9-e48090c66c4e" name="note"><value type="string">msfHash32</value></param></parameters>
+</OpenIOC>