From 8c33100f650e0a1ee2088684c2f230015251b6b7 Mon Sep 17 00:00:00 2001 From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Fri, 28 Jul 2023 12:01:53 +0530 Subject: [PATCH] Add files via upload --- network/jarm/c2/generic-c2-jarm.yaml | 70 ++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 network/jarm/c2/generic-c2-jarm.yaml diff --git a/network/jarm/c2/generic-c2-jarm.yaml b/network/jarm/c2/generic-c2-jarm.yaml new file mode 100644 index 0000000000..c7157a3664 --- /dev/null +++ b/network/jarm/c2/generic-c2-jarm.yaml @@ -0,0 +1,70 @@ +id: generic-c2-jarm + +info: + name: Generic C2 JARM - Detect + author: pussycat0x + severity: info + description: | + Detect C2 Servers with JARM Hashes + reference: + - https://github.com/MichaelKoczwara/C2JARM + tags: network,c2,jarm,cti + +tcp: + - inputs: + - data: 2E + type: hex + + host: + - "{{Hostname}}" + matchers: + - type: dsl + dsl: + - "jarm(Hostname) == '00014d16d21d21d00042d41d00041df1e57cd0b3bf64d18696fb4fce056610'" + - "jarm(Hostname) == '00014d16d21d21d07c42d41d00041d47e4e0ae17960b2a5b4fd6107fbb0926'" + - "jarm(Hostname) == '05d02d16d04d04d05c05d02d05d04d4606ef7946105f20b303b9a05200e829'" + - "jarm(Hostname) == '05d02d20d21d20d05c05d02d05d20dd7fc4c7c6ef19b77a4ca0787979cdc13'" + - "jarm(Hostname) == '05d13d20d21d20d05c05d13d05d20dd7fc4c7c6ef19b77a4ca0787979cdc13'" + - "jarm(Hostname) == '07d00016d21d21d00042d41d00041df1e57cd0b3bf64d18696fb4fce056610'" + - "jarm(Hostname) == '07d0bd0fd06d06d07c07d0bd07d06d9b2f5869a6985368a9dec764186a9175'" + - "jarm(Hostname) == '07d0bd0fd21d21d07c07d0bd07d21d9b2f5869a6985368a9dec764186a9175'" + - "jarm(Hostname) == '07d13d15d21d21d07c07d13d07d21dd7fc4c7c6ef19b77a4ca0787979cdc13'" + - "jarm(Hostname) == '07d14d16d21d21d00007d14d07d21d3fe87b802002478c27f1c0da514dbf80'" + - "jarm(Hostname) == '07d14d16d21d21d00042d41d00041d47e4e0ae17960b2a5b4fd6107fbb0926'" + - "jarm(Hostname) == '07d14d16d21d21d00042d41d00041de5fb3038104f457d92ba02e9311512c2'" + - "jarm(Hostname) == '07d14d16d21d21d07c07d14d07d21d4606ef7946105f20b303b9a05200e829'" + - "jarm(Hostname) == '07d14d16d21d21d07c07d14d07d21d9b2f5869a6985368a9dec764186a9175'" + - "jarm(Hostname) == '07d14d16d21d21d07c07d14d07d21dee4eea372f163361c2623582546d06f8'" + - "jarm(Hostname) == '07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1'" + - "jarm(Hostname) == '07d14d16d21d21d07c42d41d00041d58c7162162b6a603d3d90a2b76865b53'" + - "jarm(Hostname) == '07d14d16d21d21d07c42d43d00041d24a458a375eef0c576d23a7bab9a9fb1'" + - "jarm(Hostname) == '07d19d1ad21d21d00007d19d07d21d25f4195751c61467fa54caf42f4e2e61'" + - "jarm(Hostname) == '15d15d15d3fd15d00042d42d00042d1279af56d3d287bbc5d38e226153ba9e'" + - "jarm(Hostname) == '15d3fd16d21d21d00042d43d000000fe02290512647416dcf0a400ccbc0b6b'" + - "jarm(Hostname) == '15d3fd16d29d29d00015d3fd15d29d1f9d8d2d24bf6c1a8572e99c89f1f5f0'" + - "jarm(Hostname) == '15d3fd16d29d29d00042d43d000000ed1cf37c9a169b41886e27ba8fad60b0'" + - "jarm(Hostname) == '15d3fd16d29d29d00042d43d000000fbc10435df141b3459e26f69e76d5947'" + - "jarm(Hostname) == '15d3fd16d29d29d00042d43d000000fe02290512647416dcf0a400ccbc0b6b'" + - "jarm(Hostname) == '16d16d16d00000022c43d43d00043d370cd49656587484eb806b90846875a0'" + - "jarm(Hostname) == '1dd28d28d00028d00042d41d00041df1e57cd0b3bf64d18696fb4fce056610'" + - "jarm(Hostname) == '1dd28d28d00028d1dc1dd28d1dd28d3fe87b802002478c27f1c0da514dbf80'" + - "jarm(Hostname) == '21b10b00021b21b21b21b10b21b21b3b0d229d76f2fd7cb8e23bb87da38a20'" + - "jarm(Hostname) == '21d10d00021d21d21c21d10d21d21d696c1bb221f80034f540b6754152d3b8'" + - "jarm(Hostname) == '21d19d00021d21d21c42d43d000000624c0617d7b1f32125cdb5240cd23ec9'" + - "jarm(Hostname) == '29d29d00029d29d00029d29d29d29de1a3c0d7ca6ad8388057924be83dfc6a'" + - "jarm(Hostname) == '29d29d00029d29d08c29d29d29d29dcd113334714fbefb4b0aba4000bcef62'" + - "jarm(Hostname) == '29d29d00029d29d21c29d29d29d29dce7a321e4956e8298ba917e9f2c22849'" + - "jarm(Hostname) == '29d29d15d29d29d21c29d29d29d29d7329fbe92d446436f2394e041278b8b2'" + - "jarm(Hostname) == '2ad00016d2ad2ad22c42d42d00042ddb04deffa1705e2edc44cae1ed24a4da'" + - "jarm(Hostname) == '2ad2ad0002ad2ad0002ad2ad2ad2ade1a3c0d7ca6ad8388057924be83dfc6a'" + - "jarm(Hostname) == '2ad2ad0002ad2ad00042d42d000000301510f56407964db9434a9bb0d4ee4a'" + - "jarm(Hostname) == '2ad2ad0002ad2ad00042d42d0000005d86ccb1a0567e012264097a0315d7a7'" + - "jarm(Hostname) == '2ad2ad0002ad2ad22c2ad2ad2ad2ad6a7bd8f51d54bfc07e1cd34e5ca50bb3'" + - "jarm(Hostname) == '2ad2ad0002ad2ad22c2ad2ad2ad2adce7a321e4956e8298ba917e9f2c22849'" + - "jarm(Hostname) == '2ad2ad16d2ad2ad00042d42d00042ddb04deffa1705e2edc44cae1ed24a4da'" + - "jarm(Hostname) == '2ad2ad16d2ad2ad22c42d42d00042d58c7162162b6a603d3d90a2b76865b53'" + - "jarm(Hostname) == '2ad2ad16d2ad2ad22c42d42d00042de4f6cde49b80ad1e14c340f9e47ccd3a'" + - "jarm(Hostname) == '3fd3fd15d3fd3fd00042d42d00000061256d32ed7779c14686ad100544dc8d'" + - "jarm(Hostname) == '3fd3fd15d3fd3fd21c3fd3fd3fd3fdc110bab2c0a19e5d4e587c17ce497b15'" + - "jarm(Hostname) == '3fd3fd15d3fd3fd21c42d42d0000006f254909a73bf62f6b28507e9fb451b5'" + condition: or \ No newline at end of file