rule meterpreter_reverse_tcp_shellcode { meta: author = "FDD @ Cuckoo sandbox" description = "Rule for metasploit's meterpreter reverse tcp raw shellcode" strings: $s1 = { fce8 8?00 0000 60 } // shellcode prologe in metasploit $s2 = { 648b ??30 } // mov edx, fs:[???+0x30] $s3 = { 4c77 2607 } // kernel32 checksum $s4 = "ws2_" // ws2_32.dll $s5 = { 2980 6b00 } // WSAStartUp checksum $s6 = { ea0f dfe0 } // WSASocket checksum $s7 = { 99a5 7461 } // connect checksum condition: all of them and filesize < 5KB } rule meterpreter_reverse_tcp_shellcode_rev1 { meta: author = "FDD @ Cuckoo sandbox" description = "Meterpreter reverse TCP shell rev1" LHOST = 0xae LPORT = 0xb5 strings: $s1 = { 6a00 53ff d5 } condition: meterpreter_reverse_tcp_shellcode and $s1 in (270..filesize) } rule meterpreter_reverse_tcp_shellcode_rev2 { meta: author = "FDD @ Cuckoo sandbox" description = "Meterpreter reverse TCP shell rev2" LHOST = 194 LPORT = 201 strings: $s1 = { 75ec c3 } condition: meterpreter_reverse_tcp_shellcode and $s1 in (270..filesize) } rule meterpreter_reverse_tcp_shellcode_domain { meta: author = "FDD @ Cuckoo sandbox" description = "Variant used if the user specifies a domain instead of a hard-coded IP" strings: $s1 = { a928 3480 } // Checksum for gethostbyname $domain = /(\w+\.)+\w{2,6}/ condition: meterpreter_reverse_tcp_shellcode and all of them } rule metasploit_download_exec_shellcode_rev1 { meta: author = "FDD @ Cuckoo Sandbox" description = "Rule for metasploit's download and exec shellcode" name = "Metasploit download & exec payload" URL = 185 strings: $s1 = { fce8 8?00 0000 60 } // shellcode prologe in metasploit $s2 = { 648b ??30 } // mov edx, fs:[???+0x30] $s4 = { 4c77 2607 } // checksum for LoadLibraryA $s5 = { 3a56 79a7 } // checksum for InternetOpenA $s6 = { 5789 9fc6 } // checksum for InternetConnectA $s7 = { eb55 2e3b } // checksum for HTTPOpenRequestA $s8 = { 7546 9e86 } // checksum for InternetSetOptionA $s9 = { 2d06 187b } // checksum for HTTPSendRequestA $url = /\/[\w_\-\.]+/ condition: all of them and filesize < 5KB } rule metasploit_download_exec_shellcode_rev2 { meta: author = "FDD @ Cuckoo Sandbox" description = "Rule for metasploit's download and exec shellcode" name = "Metasploit download & exec payload" URL = 185 strings: $s1 = { fce8 8?00 0000 60 } // shellcode prologe in metasploit $s2 = { 648b ??30 } // mov edx, fs:[???+0x30] $s4 = { 4c77 2607 } // checksum for LoadLibraryA $s5 = { 3a56 79a7 } // checksum for InternetOpenA $s6 = { 5789 9fc6 } // checksum for InternetConnectA $s7 = { eb55 2e3b } // checksum for HTTPOpenRequestA $s9 = { 2d06 187b } // checksum for HTTPSendRequestA $url = /\/[\w_\-\.]+/ condition: all of them and filesize < 5KB } rule metasploit_bind_shell { meta: author = "FDD @ Cuckoo Sandbox" description = "Rule for metasploit's bind shell shellcode" name = "Metasploit bind shell payload" strings: $s1 = { fce8 8?00 0000 60 } // shellcode prologe in metasploit $s2 = { 648b ??30 } // mov edx, fs:[???+0x30] $s3 = { 4c77 2607 } // checksum for LoadLibraryA $s4 = { 2980 6b00 } // checksum for WSAStartup $s5 = { ea0f dfe0 } // checksum for WSASocketA $s6 = { c2db 3767 } // checksum for bind $s7 = { b7e9 38ff } // checksum for listen $s8 = { 74ec 3be1 } // checksum for accept condition: all of them and filesize < 5KB }