{
  "id": 19390629,
  "url": "https://github.com/mandiant/heyserial",
  "last_synced_at": "2025-04-24T00:31:29.563Z",
  "repository": {
    "id": 54502836,
    "uuid": "435894078",
    "full_name": "mandiant/heyserial",
    "owner": "mandiant",
    "description": "Programmatically create hunting rules for deserialization exploitation with multiple keywords, gadget chains, object types, encodings, and rule types",
    "archived": true,
    "fork": false,
    "pushed_at": "2023-06-01T13:38:56.000Z",
    "size": 59066,
    "stargazers_count": 141,
    "open_issues_count": 0,
    "forks_count": 20,
    "subscribers_count": 10,
    "default_branch": "main",
    "last_synced_at": "2025-02-24T20:59:42.058Z",
    "etag": null,
    "topics": ["deserialization", "snort", "snort-rules-generate", "yara", "yara-rule-generator", "ysoserial"],
    "latest_commit_sha": null,
    "homepage": "",
    "language": "YARA",
    "has_issues": true,
    "has_wiki": null,
    "has_pages": null,
    "mirror_url": null,
    "source_name": null,
    "license": "apache-2.0",
    "status": null,
    "scm": "git",
    "pull_requests_enabled": true,
    "icon_url": "https://github.com/mandiant.png",
    "metadata": {
      "files": {
        "readme": "README.md",
        "changelog": null,
        "contributing": null,
        "funding": null,
        "license": "LICENSE.txt",
        "code_of_conduct": null,
        "threat_model": null,
        "audit": null,
        "citation": null,
        "codeowners": null,
        "security": null,
        "support": null,
        "governance": null,
        "roadmap": null,
        "authors": null,
        "dei": null,
        "publiccode": null,
        "codemeta": null
      }
    },
    "created_at": "2021-12-07T13:37:14.000Z",
    "updated_at": "2025-02-03T11:11:55.000Z",
    "dependencies_parsed_at": "2024-11-10T10:36:13.078Z",
    "dependency_job_id": null,
    "html_url": "https://github.com/mandiant/heyserial",
    "commit_stats": null,
    "previous_names": [],
    "tags_count": 0,
    "template": false,
    "template_full_name": null,
    "repository_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mandiant%2Fheyserial",
    "tags_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mandiant%2Fheyserial/tags",
    "releases_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mandiant%2Fheyserial/releases",
    "manifests_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mandiant%2Fheyserial/manifests",
    "owner_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mandiant",
    "download_url": "https://codeload.github.com/mandiant/heyserial/tar.gz/refs/heads/main",
    "host": {
      "name": "GitHub",
      "url": "https://github.com",
      "kind": "github",
      "repositories_count": 250539411,
      "owners_count": 21447303,
      "icon_url": "https://github.com/github.png",
      "version": null,
      "created_at": "2022-05-30T11:31:42.601Z",
      "updated_at": "2022-07-04T15:15:14.044Z",
      "host_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub",
      "repositories_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories",
      "repository_names_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names",
      "owners_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"
    }
  },
  "keywords": ["deserialization", "snort", "snort-rules-generate", "yara", "yara-rule-generator", "ysoserial"],
  "created_at": "2024-11-10T10:22:25.745Z",
  "updated_at": "2025-04-24T00:31:24.540Z",
  "avatar_url": "https://github.com/mandiant.png",
  "language": "YARA",
  "funding_links": [],
  "categories": [],
  "sub_categories": [],
  "readme": "# HEY SERIAL!\n**Author:**         Alyssa Rahman @ramen0x3f\n\n**Created:**        2021-10-27\n\n**Last Updated:**   2021-12-02\n\n**Blog:**           https://www.mandiant.com/resources/hunting-deserialization-exploits\n\nFor more details on this tool and the research process behind it, check out [our blog](https://www.mandiant.com/resources/hunting-deserialization-exploits)!\n\n### Description\nProgrammatically create hunting rules for deserialization exploitation with multiple\n\n- keywords (e.g. cmd.exe)\n- gadget chains (e.g. CommonsCollection)\n- object types (e.g. ViewState, Java, Python Pickle, PHP)\n- encodings (e.g. Base64, raw)\n- rule types (e.g. Snort, Yara)\n\n### Disclaimer\nRules generated by this tool are intended for hunting/research purposes and are not designed for high fidelity/blocking purposes.\n\nPlease *test thoroughly* before deploying to any production systems.\n\nThe Yara rules are primarily intended for scanning web server logs. Some of the \"object prefixes\" are only 2 bytes long, so they can make large scans a bit slow. _(Translation: please don't drop them all into VT Retrohunt.)_\n\n### Usage\nHelp:\n```\npython3 heyserial.py -h\n```\n\nExamples:\n```\npython3 heyserial.py -c 'ExampleChain::condition1+condition2' -t JavaObj\npython3 heyserial.py -k cmd.exe whoami 'This file cannot be run in DOS mode'\npython3 heyserial.py -k Process.Start -t NETViewState -e base64 \"base64+utf16le\"\n```\n\n# Utils\n\n### utils/checkyoself.py\nThis is a tool to automate bulk testing of Snort and Yara rules on a variety of sample files.\n\nUsage:\n```\npython3 checkyoself.py [-y rules.yara] [-s rules.snort] [-o file_output_prefix] [--matches] [--misses] -d malware.exe malware.pcap\n```\n\nExamples:\n```\npython3 checkyoself.py -y rules/javaobj -s rules/javaobj -d payloads/javaobj pcaps --misses -o java_misses\n```\n\n### utils/generate_payloads.ps1\nYSoSerial.NET v1.34 payload generation. Run on Windows from the ./utils directory.\n\n- Source: https://github.com/pwntester/ysoserial.net\n- License: ysoserial.net_LICENSE.txt\n\n### utils/generate_payloads.sh\nYSoSerial payload generation. Run on Linux from the ./utils directory.\n\n- Source: https://github.com/frohoff/ysoserial\n- License: ysoserial_LICENSE.txt\n\n### utils/install_snort.sh\nInstalling Snort on a Debian based system was a bit finicky for me, so I wrote my install notes here.\n\n_Use at your own risk *in a VM* that *you have snapshotted recently*._\n\n### utils/server.py\nSimple Python script that runs an HTTP server on 127.0.0.1:12345 and accepts POST requests.\n\nHandy for generating test PCAPs.\n\n# License\nCopyright (C) 2021 Alyssa Rahman, Mandiant, Inc. All Rights Reserved.\nLicensed under the Apache License, Version 2.0 (the \"License\"); you may not use this file except in compliance with the License.\nYou may obtain a copy of the License at: [package root]/LICENSE.txt\nUnless required by applicable law or agreed to in writing, software distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and limitations under the License.\n\n# Contributing\nCheck out the Developers' guide (DEVELOPERS.md) for more details on extending HeySerial!\n\n# Prior Work/Related Resources\nTools\n- [Deserialization-Cheat-Sheet](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet) - @GrrrDog\n- [Ysoserial](https://github.com/frohoff/ysoserial) - @frohoff\n- [MarshalSec](https://github.com/frohoff/marshalsec) - @frohoff\n- [Ysoserial (forked)](https://github.com/wh1t3p1g/ysoserial) - @wh1t3p1g\n- [Ysoserial.NET](https://github.com/pwntester/ysoserial.net) and [v2 branch](https://github.com/pwntester/ysoserial.net/tree/v2) - @pwntester\n- [ViewGen](https://github.com/0xacb/viewgen) - @0xacb\n- [Rogue-JNDI](https://github.com/veracode-research/rogue-jndi) - @veracode-research\n\nVulnerabilities\n- Log4J ([CVE-2021-44228](https://www.lunasec.io/docs/blog/log4j-zero-day/))\n- Exchange ([CVE-2021-42321](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42321))\n- Zoho ManageEngine ([CVE-2020-10189](https://nvd.nist.gov/vuln/detail/CVE-2020-10189))\n- Jira ([CVE-2020-36239](https://oxalis.io/atlassian-jira-data-centers-critical-vulnerability-what-you-need-to-know/))\n- Telerik ([CVE-2019-18935](https://bishopfox.com/blog/cve-2019-18935-remote-code-execution-in-telerik-ui))\n- C1 CMS ([CVE-2019-18211](https://medium.com/@frycos/yet-another-net-deserialization-35f6ce048df7))\n- Jenkins ([CVE-2016-9299](https://nvd.nist.gov/vuln/detail/CVE-2016-9299))\n- [What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability.](https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/) - @breenmachine, FoxGloveSecurity (2015)\n\nTalks and Write-Ups\n- [PSA: Log4Shell and the current state of JNDI injection](https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/) - Moritz Bechler (2021)\n- [This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits](https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits) - Chris Glyer, Dan Perez, Sarah Jones, Steve Miller (2020)\n- [Deep Dive into .NET ViewState deserialization and its exploitation](https://swapneildash.medium.com/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817) - Swapneil Dash (2019)\n- [Exploiting Deserialization in ASP.NET via ViewState](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/) - Soroush Dalili (2019)\n- [Use of Deserialization in .NET Framework Methods and Classes](https://research.nccgroup.com/wp-content/uploads/2020/07/whitepaper-new.pdf) - Soroush Dalili (2018)\n- [Friday the 13th, JSON Attacks](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf) - Alvaro Muñoz and Oleksandr Mirosh (2017)\n- [Exploiting .NET Managed DCOM](https://googleprojectzero.blogspot.com/2017/04/exploiting-net-managed-dcom.html) - James Forshaw, Project Zero (2017)\n- [Java Unmarshaller Security](https://github.com/frohoff/marshalsec/blob/master/marshalsec.pdf) - Moritz Bechler (2017)\n- [Deserialize My Shorts](https://www.slideshare.net/frohoff1/deserialize-my-shorts-or-how-i-learned-to-start-worrying-and-hate-java-object-deserialization) - Chris Frohoff (2016)\n- [Pwning Your Java Messaging with Deserialization Vulnerabilities](https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities-wp.pdf) - Matthias Kaiser (2016)\n- [Journey from JNDI/LDAP Manipulation to Remote Code Execution Dream Land](https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf) - Alvaro Muñoz and Oleksandr Mirosh (2016)\n- [Marshalling Pickles](https://www.youtube.com/watch?v=KSA7vUkXGSg) - Chris Frohoff and Gabriel Lawrence (2015)\n- [Are you my Type? Breaking .NET Through Serialization](https://github.com/VulnerableGhost/.Net-Sterilized--Deserialization-Exploitation/blob/master/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf) - James Forshaw (2012)\n- [A Spirited Peek into ViewState](https://deadliestwebattacks.com/2011/05/13/a-spirited-peek-into-viewstate-part-i/) - Mike Shema (2011)\n",
  "project_url": "https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmandiant%2Fheyserial",
  "html_url": "https://awesome.ecosyste.ms/projects/github.com%2Fmandiant%2Fheyserial",
  "lists_url": "https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmandiant%2Fheyserial/lists"
}