We have deleted duplicated rules

We have deleted duplicated rules

We have deleted duplicated rules
02409127 · j0sm1 · f68a6c17 · 02409127 · f68a6c17
Commit 02409127 authored Oct 20, 2015 by j0sm1
Hide whitespace changes
Inline Side-by-side

Showing with 0 additions and 260 deletions

Miscelanea.yar malware/Miscelanea.yar +0 -123

PAT_PassthehashToolkit.yar malware/PAT_PassthehashToolkit.yar +0 -137

No files found.
--- a/malware/Miscelanea.yar
+++ b/malware/Miscelanea.yar
@@ -602,28 +602,6 @@ rule OrcaRAT
        $MZ at 0 and filesize < 500KB and (all of ($apptype*) and 1 of ($err*))
 }

-rule mimikatz
-{
-	meta:
-		description		= "mimikatz"
-		author			= "Benjamin DELPY (gentilkiwi)"
-		tool_author		= "Benjamin DELPY (gentilkiwi)"
-	strings:
-		$exe_x86_1		= { 89 71 04 89 [0-3] 30 8d 04 bd }
-		$exe_x86_2		= { 89 79 04 89 [0-3] 38 8d 04 b5 }
-		
-		$exe_x64_1		= { 4c 03 d8 49 [0-3] 8b 03 48 89 }
-		$exe_x64_2		= { 4c 8b df 49 [0-3] c1 e3 04 48 [0-3] 8b cb 4c 03 [0-3] d8 }
-
-		$dll_1			= {	c7 0? 00 00 01 00 [4-14] c7 0? 01 00 00 00 }
-		$dll_2			= { c7 0? 10 02 00 00 ?? 89 4? }
-		
-		$sys_x86		= { a0 00 00 00 24 02 00 00 40 00 00 00 [0-4] b8 00 00 00 6c 02 00 00 40 00 00 00 }
-		$sys_x64		= { 88 01 00 00 3c 04 00 00 40 00 00 00 [0-4] e8 02 00 00 f8 02 00 00 40 00 00 00 }
-	condition:
-		(all of ($exe_x86_*)) or (all of ($exe_x64_*)) or (all of ($dll_*)) or (any of ($sys_*))
-}
-
 rule mimikatz_lsass_mdmp
 {
 	meta:
@@ -635,31 +613,6 @@ rule mimikatz_lsass_mdmp
 		(uint32(0) == 0x504d444d) and $lsass
 }

-rule mimikatz_kirbi_ticket
-{
-	meta:
-		description		= "KiRBi ticket for mimikatz"
-		author			= "Benjamin DELPY (gentilkiwi)"
-	strings:
-		$asn1			= { 76 82 ?? ?? 30 82 ?? ?? a0 03 02 01 05 a1 03 02 01 16 }
-	condition:
-		$asn1 at 0
-}
-
-rule wce
-{
-	meta:
-		description		= "wce"
-		author			= "Benjamin DELPY (gentilkiwi)"
-		tool_author		= "Hernan Ochoa (hernano)"
-	strings:
-		$hex_legacy		= { 8b ff 55 8b ec 6a 00 ff 75 0c ff 75 08 e8 [0-3] 5d c2 08 00 }
-		$hex_x86		= { 8d 45 f0 50 8d 45 f8 50 8d 45 e8 50 6a 00 8d 45 fc 50 [0-8] 50 72 69 6d 61 72 79 00 }
-		$hex_x64		= { ff f3 48 83 ec 30 48 8b d9 48 8d 15 [0-16] 50 72 69 6d 61 72 79 00 }
-	condition:
-		any of them
-}
-
 rule EmiratesStatement 
 {
 	meta:
@@ -699,66 +652,6 @@ rule PUP_InstallRex_AntiFWb {
 		uint16(0) == 0x5a4d and all of them
 }

-rule Win7Elevatev2 {
-	meta:
-		description = "Detects Win7Elevate - Windows UAC bypass utility"
-		author = "Florian Roth"
-		reference = "http://www.pretentiousname.com/misc/W7E_Source/Win7Elevate_Inject.cpp.html"
-		date = "2015-05-14"
-		hash1 = "4f53ff6a04e46eda92b403faf42219a545c06c29" /* x64 */
-		hash2 = "808d04c187a524db402c5b2be17ce799d2654bd1" /* x86 */
-		score = 60
-	strings:
-		$x1 = "This program attempts to bypass Windows 7's default UAC settings to run " wide
-		$x2 = "Win7ElevateV2\\x64\\Release\\" ascii
-		$x3 = "Run the command normally (without code injection)" wide	
-		$x4 = "Inject file copy && elevate command" fullword wide
-		$x5 = "http://www.pretentiousname.com/misc/win7_uac_whitelist2.html" fullword wide
-		$x6 = "For injection, pick any unelevated Windows process with ASLR on:" fullword wide
-		
-		$s1 = "\\cmd.exe" wide
-		$s2 = "runas" wide
-		$s3 = "explorer.exe" wide
-		$s4 = "Couldn't load kernel32.dll" wide
-		$s5 = "CRYPTBASE.dll" wide
-		$s6 = "shell32.dll" wide
-		$s7 = "ShellExecuteEx" ascii
-		$s8 = "COMCTL32.dll" ascii 
-		$s9 = "ShellExecuteEx" ascii
-		$s10 = "HeapAlloc" ascii
-	condition:
-		uint16(0) == 0x5a4d and ( 1 of ($x*) or all of ($s*) )
-}
-
-rule UACME_Akagi {
-	meta:
-		description = "Rule to detect UACMe - abusing built-in Windows AutoElevate backdoor"
-		author = "Florian Roth"
-		reference = "https://github.com/hfiref0x/UACME"
-		date = "2015-05-14"
-		hash1 = "edd2138bbd9e76c343051c6dc898054607f2040a"
-		hash2 = "e3a919ccc2e759e618208ededa8a543954d49f8a"
-		score = 60
-	strings:
-		$x1 = "UACMe injected, Fubuki at your service." wide fullword
-		$x3 = "%temp%\\Hibiki.dll" fullword wide
-		$x4 = "[UCM] Cannot write to the target process memory." fullword wide
-		
-		$s1 = "%systemroot%\\system32\\cmd.exe" wide
-		$s2 = "D:(A;;GA;;;WD)" wide
-		$s3 = "%systemroot%\\system32\\sysprep\\sysprep.exe" fullword wide
-		$s4 = "/c wusa %ws /extract:%%windir%%\\system32" fullword wide
-		$s5 = "Fubuki.dll" ascii fullword
-		
-		$l1 = "ntdll.dll" ascii
-		$l2 = "Cabinet.dll" ascii
-		$l3 = "GetProcessHeap" ascii
-		$l4 = "WriteProcessMemory" ascii
-		$l5 = "ShellExecuteEx" ascii
-	condition:
-		( 1 of ($x*) ) or ( 3 of ($s*) and all of ($l*) ) 
-}
-
 rule LightFTP_fftp_x86_64 {
 	meta:
 		description = "Detects a light FTP server"
@@ -1536,19 +1429,3 @@ rule Mimikatz_Logfile
 	condition:
 		all of them
 }
-
-rule lsadump
-{
-	meta:
-		description = "LSA dump programe (bootkey/syskey) - pwdump and others"
-		author = "Benjamin DELPY (gentilkiwi)"
-		reference = "https://github.com/Neo23x0/Loki/blob/master/signatures/thor-hacktools.yar"
-	strings:
-		$str_sam_inc = "\\Domains\\Account" ascii nocase
-		$str_sam_exc = "\\Domains\\Account\\Users\\Names\\" ascii nocase
-		$hex_api_call = {(41 b8 | 68) 00 00 00 02 [0-64] (68 | ba) ff 07 0f 00 }
-		$str_msv_lsa = { 4c 53 41 53 52 56 2e 44 4c 4c 00 [0-32] 6d 73 76 31 5f 30 2e 64 6c 6c 00 }
-		$hex_bkey = { 4b 53 53 4d [20-70] 05 00 01 00}
-	condition:
-		($str_sam_inc and not $str_sam_exc) or $hex_api_call or $str_msv_lsa or $hex_bkey
-}
--- a/malware/PAT_PassthehashToolkit.yar
+++ b/malware/PAT_PassthehashToolkit.yar
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-rule whosthere_alt {
-	meta:
-		description = "Auto-generated rule - file whosthere-alt.exe"
-		author = "Florian Roth"
-		reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
-		date = "2015-07-10"
-		score = 80
-		hash = "9b4c3691872ca5adf6d312b04190c6e14dd9cbe10e94c0dd3ee874f82db897de"
-	strings:
-		$s0 = "WHOSTHERE-ALT v1.1 - by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies" fullword ascii /* PEStudio Blacklist: strings */ /* score: '49.00' */
-		$s1 = "whosthere enters an infinite loop and searches for new logon sessions every 2 seconds. Only new sessions are shown if found." fullword ascii /* PEStudio Blacklist: strings */ /* score: '36.00' */
-		$s2 = "dump output to a file, -o filename" fullword ascii /* PEStudio Blacklist: strings */ /* score: '30.00' */
-		$s3 = "This tool lists the active LSA logon sessions with NTLM credentials." fullword ascii /* PEStudio Blacklist: strings */ /* score: '29.00' */
-		$s4 = "Error: pth.dll is not in the current directory!." fullword ascii /* score: '24.00' */
-		$s5 = "the output format is: username:domain:lmhash:nthash" fullword ascii /* PEStudio Blacklist: strings */ /* score: '17.00' */
-		$s6 = ".\\pth.dll" fullword ascii /* score: '16.00' */
-		$s7 = "Cannot get LSASS.EXE PID!" fullword ascii /* score: '14.00' */
-	condition:
-		uint16(0) == 0x5a4d and filesize < 280KB and 2 of them
-}
-
-rule iam_alt_iam_alt {
-	meta:
-		description = "Auto-generated rule - file iam-alt.exe"
-		author = "Florian Roth"
-		reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
-		date = "2015-07-10"
-		score = 80
-		hash = "2ea662ef58142d9e340553ce50d95c1b7a405672acdfd476403a565bdd0cfb90"
-	strings:
-		$s0 = "<cmd>. Create a new logon session and run a command with the specified credentials (e.g.: -r cmd.exe)" fullword ascii /* PEStudio Blacklist: strings */ /* score: '59.00' */
-		$s1 = "IAM-ALT v1.1 - by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies" fullword ascii /* PEStudio Blacklist: strings */ /* score: '43.00' */
-		$s2 = "This tool allows you to change the NTLM credentials of the current logon session" fullword ascii /* PEStudio Blacklist: strings */ /* score: '31.00' */
-		$s3 = "username:domainname:lmhash:nthash" fullword ascii /* PEStudio Blacklist: strings */ /* score: '15.00' */
-		$s4 = "Error in cmdline!. Bye!." fullword ascii /* score: '12.00' */
-		$s5 = "Error: Cannot open LSASS.EXE!." fullword ascii /* score: '12.00' */
-		$s6 = "nthash is too long!." fullword ascii /* score: '8.00' */
-		$s7 = "LSASS HANDLE: %x" fullword ascii /* score: '5.00' */
-	condition:
-		uint16(0) == 0x5a4d and filesize < 240KB and 2 of them
-}
-
-rule genhash_genhash {
-	meta:
-		description = "Auto-generated rule - file genhash.exe"
-		author = "Florian Roth"
-		reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
-		date = "2015-07-10"
-		score = 80
-		hash = "113df11063f8634f0d2a28e0b0e3c2b1f952ef95bad217fd46abff189be5373f"
-	strings:
-		$s1 = "genhash.exe <password>" fullword ascii /* PEStudio Blacklist: strings */ /* score: '30.00' */
-		$s3 = "Password: %s" fullword ascii /* PEStudio Blacklist: strings */ /* score: '17.00' */
-		$s4 = "%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X" fullword ascii /* score: '11.00' */
-		$s5 = "This tool generates LM and NT hashes." fullword ascii /* score: '10.00' */
-		$s6 = "(hashes format: LM Hash:NT hash)" fullword ascii /* score: '10.00' */
-	condition:
-		uint16(0) == 0x5a4d and filesize < 200KB and 2 of them
-}
-
-rule iam_iamdll {
-	meta:
-		description = "Auto-generated rule - file iamdll.dll"
-		author = "Florian Roth"
-		reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
-		date = "2015-07-10"
-		score = 80
-		hash = "892de92f71941f7b9e550de00a57767beb7abe1171562e29428b84988cee6602"
-	strings:
-		$s0 = "LSASRV.DLL" fullword ascii /* score: '21.00' */
-		$s1 = "iamdll.dll" fullword ascii /* score: '21.00' */
-		$s2 = "ChangeCreds" fullword ascii /* score: '12.00' */
-	condition:
-		uint16(0) == 0x5a4d and filesize < 115KB and all of them
-}
-
-rule iam_iam {
-	meta:
-		description = "Auto-generated rule - file iam.exe"
-		author = "Florian Roth"
-		reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
-		date = "2015-07-10"
-		score = 80
-		hash = "8a8fcce649259f1b670bb1d996f0d06f6649baa8eed60db79b2c16ad22d14231"
-	strings:
-		$s1 = "<cmd>. Create a new logon session and run a command with the specified credentials (e.g.: -r cmd.exe)" fullword ascii /* PEStudio Blacklist: strings */ /* score: '59.00' */
-		$s2 = "iam.exe -h administrator:mydomain:"  ascii /* PEStudio Blacklist: strings */ /* score: '40.00' */
-		$s3 = "An error was encountered when trying to change the current logon credentials!." fullword ascii /* PEStudio Blacklist: strings */ /* score: '33.00' */
-		$s4 = "optional parameter. If iam.exe crashes or doesn't work when run in your system, use this parameter." fullword ascii /* PEStudio Blacklist: strings */ /* score: '30.00' */
-		$s5 = "IAM.EXE will try to locate some memory locations instead of using hard-coded values." fullword ascii /* score: '26.00' */
-		$s6 = "Error in cmdline!. Bye!." fullword ascii /* score: '12.00' */
-		$s7 = "Checking LSASRV.DLL...." fullword ascii /* score: '12.00' */
-	condition:
-		uint16(0) == 0x5a4d and filesize < 300KB and all of them
-}
-
-rule whosthere_alt_pth {
-	meta:
-		description = "Auto-generated rule - file pth.dll"
-		author = "Florian Roth"
-		reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
-		date = "2015-07-10"
-		score = 80
-		hash = "fbfc8e1bc69348721f06e96ff76ae92f3551f33ed3868808efdb670430ae8bd0"
-	strings:
-		$s0 = "c:\\debug.txt" fullword ascii /* PEStudio Blacklist: strings */ /* score: '23.00' */
-		$s1 = "pth.dll" fullword ascii /* score: '20.00' */
-		$s2 = "\"Primary\" string found at %.8Xh" fullword ascii /* score: '7.00' */
-		$s3 = "\"Primary\" string not found!" fullword ascii /* score: '6.00' */
-		$s4 = "segment 1 found at %.8Xh" fullword ascii /* score: '6.00' */
-	condition:
-		uint16(0) == 0x5a4d and filesize < 240KB and 4 of them
-}
-
-rule whosthere {
-	meta:
-		description = "Auto-generated rule - file whosthere.exe"
-		author = "Florian Roth"
-		reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
-		date = "2015-07-10"
-		score = 80
-		hash = "d7a82204d3e511cf5af58eabdd6e9757c5dd243f9aca3999dc0e5d1603b1fa37"
-	strings:
-		$s1 = "by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies" fullword ascii /* PEStudio Blacklist: strings */ /* score: '48.00' */
-		$s2 = "whosthere enters an infinite loop and searches for new logon sessions every 2 seconds. Only new sessions are shown if found." fullword ascii /* PEStudio Blacklist: strings */ /* score: '36.00' */
-		$s3 = "specify addresses to use. Format: ADDCREDENTIAL_ADDR:ENCRYPTMEMORY_ADDR:FEEDBACK_ADDR:DESKEY_ADDR:LOGONSESSIONLIST_ADDR:LOGONSES" ascii /* PEStudio Blacklist: strings */ /* score: '28.00' */
-		$s4 = "Could not enable debug privileges. You must run this tool with an account with administrator privileges." fullword ascii /* PEStudio Blacklist: strings */ /* score: '27.00' */
-		$s5 = "-B is now used by default. Trying to find correct addresses.." fullword ascii /* PEStudio Blacklist: strings */ /* score: '15.00' */
-		$s6 = "Cannot get LSASS.EXE PID!" fullword ascii /* score: '14.00' */
-	condition:
-		uint16(0) == 0x5a4d and filesize < 320KB and 2 of them
-}