win.session_manager

SessionManager

Actor(s): Gelsemium


A malicious IIS module that allows uploading and downloading of files, remote command execution, and use of the compromised server as a hop into the network behind it.

References
2022-06-30 — Kaspersky — Pierre Delcher
@online{delcher:20220630:sessionmanager:f171df2, author = {Pierre Delcher}, title = {{The SessionManager IIS backdoor: a possibly overlooked GELSEMIUM artefact}}, date = {2022-06-30}, organization = {Kaspersky}, url = {https://securelist.com/the-sessionmanager-iis-backdoor/106868/}, language = {English}, urldate = {2022-07-05} } The SessionManager IIS backdoor: a possibly overlooked GELSEMIUM artefact
MimiKatz Owlproxy SessionManager
Yara Rules
[TLP:WHITE] win_session_manager_auto (20220808 | Detects win.session_manager.)
rule win_session_manager_auto {

    /* Purpose: auto-generated code-pattern rule for the SessionManager IIS
     * backdoor (win.session_manager). It matches on raw instruction byte
     * sequences ($sequence_0 .. $sequence_9) rather than on strings or
     * configuration data, so it is aimed at unpacked files and memory dumps
     * (see DISCLAIMER below); a packed on-disk sample will generally not hit.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.session_manager."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.session_manager"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the "| mnemonic" column in the per-byte comments below
     * does not line up with the hex pattern on the same line, and the
     * annotations appear to be a 32-bit decode of 64-bit code (a 0x48 REX.W
     * prefix is rendered as "dec eax", 0x4c as "dec esp"). Only the hex byte
     * sequence is what YARA matches; treat the annotations as informational
     * and do not rely on them when triaging a hit.
     *
     * The "??" bytes wildcard the rel32 / rip-relative displacement of call
     * instructions (e8 ..., ff15 ...), which differ between builds and load
     * addresses; the surrounding opcode bytes are still matched exactly.
     */

    strings:
        $sequence_0 = { 4156 4881ec10010000 498bd9 c744246818000000 498bf8 c744247801000000 488bf2 }
            // n = 7, score = 100
            //   4156                 | mov                 ecx, dword ptr [edx + edi*8 + 0x28580]
            //   4881ec10010000       | dec                 eax
            //   498bd9               | mov                 eax, ecx
            //   c744246818000000     | dec                 eax
            //   498bf8               | sar                 eax, 6
            //   c744247801000000     | dec                 eax
            //   488bf2               | lea                 edx, [0x13a39]

        $sequence_1 = { e8???????? 85c0 0f8485000000 488b442440 488d0dc3760100 488b04c1 f644283880 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | dec                 eax
            //   0f8485000000         | lea                 ecx, [ebp + 0x88]
            //   488b442440           | dec                 eax
            //   488d0dc3760100       | mov                 ecx, eax
            //   488b04c1             | nop                 
            //   f644283880           | dec                 eax

        $sequence_2 = { 4833c4 488945f0 4863f2 488d05e6920100 4c8bfe 458be1 49c1ff06 }
            // n = 7, score = 100
            //   4833c4               | dec                 eax
            //   488945f0             | mov                 ebx, eax
            //   4863f2               | je                  0x3ef
            //   488d05e6920100       | dec                 eax
            //   4c8bfe               | cmp                 eax, edi
            //   458be1               | je                  0x477
            //   49c1ff06             | dec                 ebp

        $sequence_3 = { 4883ec28 488d0dc5180200 ff15???????? 488d0dc01c0200 ff15???????? 488d0dfb180200 }
            // n = 6, score = 100
            //   4883ec28             | mov                 dword ptr [eax + 0x348], edi
            //   488d0dc5180200       | dec                 esp
            //   ff15????????         |                     
            //   488d0dc01c0200       | mov                 dword ptr [eax + 0x350], edi
            //   ff15????????         |                     
            //   488d0dfb180200       | dec                 esp

        $sequence_4 = { 488d4c2420 e8???????? 488d058e440100 488903 }
            // n = 4, score = 100
            //   488d4c2420           | sar                 eax, 6
            //   e8????????           |                     
            //   488d058e440100       | dec                 esp
            //   488903               | lea                 eax, [0x12ab4]

        $sequence_5 = { 4c8d058a960100 83e23f 488bcf 48c1f906 48c1e206 498b0cc8 c644113800 }
            // n = 7, score = 100
            //   4c8d058a960100       | mov                 dword ptr [eax + 0x3f0], edi
            //   83e23f               | dec                 esp
            //   488bcf               | mov                 dword ptr [eax + 0x3f8], edi
            //   48c1f906             | jmp                 0xe25
            //   48c1e206             | dec                 ecx
            //   498b0cc8             | mov                 edi, edi
            //   c644113800           | dec                 esp

        $sequence_6 = { ebdd 4533ff 418bdf 4c8d0dc254ffff 4885db 750d 488bc7 }
            // n = 7, score = 100
            //   ebdd                 | dec                 eax
            //   4533ff               | mov                 eax, ebx
            //   418bdf               | inc                 edx
            //   4c8d0dc254ffff       | mov                 byte ptr [eax + esi], 0
            //   4885db               | cmp                 byte ptr [esi], 0
            //   750d                 | dec                 eax
            //   488bc7               | cmp                 dword ptr [ebx + 0x18], 0x10

        $sequence_7 = { 4c897c2428 488d4c2444 48894c2420 4533c9 448b442444 488bd7 488bc8 }
            // n = 7, score = 100
            //   4c897c2428           | dec                 esp
            //   488d4c2444           | mov                 dword ptr [eax + 0x1568], edi
            //   48894c2420           | dec                 esp
            //   4533c9               | mov                 dword ptr [eax + 0x1640], edi
            //   448b442444           | dec                 esp
            //   488bd7               | mov                 dword ptr [eax + 0x1648], edi
            //   488bc8               | dec                 esp

        $sequence_8 = { e8???????? 33c0 488b4df0 4833cc e8???????? 4c8d9c2480000000 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   33c0                 | dec                 eax
            //   488b4df0             | lea                 eax, [0x1d877]
            //   4833cc               | dec                 ebx
            //   e8????????           |                     
            //   4c8d9c2480000000     | dec                 eax

        $sequence_9 = { c70016000000 e8???????? 83c8ff e9???????? 4d8bf4 488d05308c0100 }
            // n = 6, score = 100
            //   c70016000000         | dec                 eax
            //   e8????????           |                     
            //   83c8ff               | mov                 dword ptr [ebx], ecx
            //   e9????????           |                     
            //   4d8bf4               | dec                 eax
            //   488d05308c0100       | lea                 edx, [ebx + 8]

    condition:
        // Any 7 of the 10 byte sequences must be present, and the scanned
        // object must be smaller than 372736 bytes (364 KiB). The size cap
        // keeps the rule cheap on large files but also means a sample that
        // has been padded, or a large memory region, will not match even if
        // the sequences are present — lift it deliberately if scanning such
        // inputs.
        7 of them and filesize < 372736
}