/*
   Florian Roth - v0.2 May 2019

   A proof-of-concept rule that shows how easy it actually is to detect
   red teamer and threat group tools and code
*/

rule IDDQD_Godmode_Rule {
   meta:
      description = "This is the most powerful YARA rule. It detects literally everything."
      author = "Florian Roth"
      reference = "Internal Research - find a Godmode rule set in Valhalla by Nextron Systems"
      date = "2019-05-14"
      score = 60
   strings:
      $ = "sekurlsa::logonpasswords" ascii wide nocase /* Mimikatz Command */
      $ = "ERROR kuhl" wide /* Mimikatz Error */
      $ = "@subtee" fullword ascii /* Red Team Tools */
      $ = " -w hidden " ascii wide /* Power Shell Params */
      $ = " -decode " ascii wide /* certutil command */
      $ = "Koadic." ascii /* Koadic Framework */
      $ = "ReflectiveLoader" fullword ascii wide /* Generic - Common Export Name */
      $ = "InjectDLL" fullword ascii wide /* DLL Injection Keyword */
      $ = "[System.Convert]::FromBase64String(" ascii wide /* PowerShell - Base64 Encoded Payload */
      $ = /\\(Release|Debug)\\ms1[2-9]/ ascii /* Exploit Codes / PoCs */
      $ = "windows/meterpreter" ascii /* Metasploit Framework - Meterpreter */
      $ = / (-e |-enc |'|")(JAB|SUVYI|aWV4I|SQBFAFgA|aQBlAHgA)/ ascii wide /* PowerShell Encoded Code */
      $ = / (sEt|SEt|SeT|sET|seT) / ascii wide /* Casing Obfuscation */
      $ = ");iex " nocase ascii wide /* PowerShell - compact code */
      $ = / (cMd\.|cmD\.|CmD\.|cMD\.)/ ascii wide /* Casing Obfuscation */
      $ = /(TW96aWxsYS|1vemlsbGEv|Nb3ppbGxhL|TQBvAHoAaQBsAGwAYQAv|0AbwB6AGkAbABsAGEAL|BNAG8AegBpAGwAbABhAC)/ ascii wide /* Base64 Encoded UA */
      $ = "Nir Sofer" fullword wide /* Hack Tool Producer */
      $ = "Web Shell By " nocase ascii /* Web Shell Copyright */
      $ = "impacket." ascii /* Impacket Library */
      $ = /\[[\+\-!E]\] (exploit|target|vulnerab|shell|inject|dump)/ nocase /* Hack Tool Output Pattern */
      $ = "ecalper" fullword ascii wide /* Reversed String - often found in scripts or web shells */
      $ = "0000FEEDACDC}" ascii wide /* Squiblydoo - Class ID */
      $ = /(click enable editing|click enable content|"Enable Editing"|"Enable Content")/ ascii /* Phishing Docs */
      $ = "vssadmin delete shadows" /* Shadow Copy Deletion - often used in Ransomware */
      $ = "stratum+tcp://" /* Stratum Address - used in Crypto Miners */
      $ = ".onion" ascii wide /* Onion Address - Tor Network */
   condition:
      1 of them
}