Update expl_cleo_dec24.yar

Neo23x0 · Neo23x0 · commit e3966f095be8 · 2024-12-10T17:16:51.000+01:00
diff --git a/yara/expl_cleo_dec24.yar b/yara/expl_cleo_dec24.yar
@@ -67,3 +67,44 @@ rule SUSP_EXPL_JAR_Indicators_Dec24 {
       and filesize < 20KB
       and all of them
 }
+
+rule EXPL_Cleo_Exploitation_JAVA_Payloads_Dec24_1_1 {
+   meta:
+      description = "Detects characteristics of JAVA files used during Cleo software exploitation (as reported by Huntress in December 2024) - files Cli, ScSlot, Slot, SrvSlot"
+      author = "Florian Roth"
+      reference = "https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild"
+      date = "2024-12-10"
+      score = 75
+      hash1 = "0c57b317b572d071afd8ccdb844dd6f117e20f818c6031d7ba8adcbd32be0617"
+   strings:
+      $a1 = "java/lang/StringBuffer"
+
+      $x1 = "Start-Sleep 3;del " ascii
+      $x2 = "sleep 3;rm -f '" ascii
+      $x3 = "powershell -Noninteractive -EncodedCommand " ascii
+      $x4 = "runDelFileCmd" ascii fullword
+   condition:
+      uint16(0) == 0xfeca
+      and filesize < 50KB
+      and $a1
+      and 1 of ($x*)
+}
+
+rule EXPL_Cleo_Exploitation_JAVA_Payloads_Dec24_2 {
+   meta:
+      description = "Detects characteristics of JAVA files used during Cleo software exploitation (as reported by Huntress in December 2024) - file Proc"
+      author = "Florian Roth"
+      reference = "https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild"
+      date = "2024-12-10"
+      score = 75
+      hash1 = "1ba95af21bac45db43ebf02f87ecedde802c7de4d472f33e74ee0a5b5015a726"
+   strings:
+      $s1 = "Timeout getting pipe-data" ascii fullword
+      $s2 = "Ftprootpath" ascii fullword
+      $s3 = "Rest cmd=" ascii fullword
+      $s4 = "writeToProc" ascii fullword
+   condition:
+      uint16(0) == 0xfeca
+      and filesize < 30KB
+      and 3 of them
+}
