Update Miscelanea.yar

Deleted duplicate rule

malware/Miscelanea.yar

@@ -1576,47 +1576,3 @@ rule lsadump
 	condition:
 		($str_sam_inc and not $str_sam_exc) or $hex_api_call or $str_msv_lsa or $hex_bkey
 }
-
-rule Mimikatz_Memory_Rule_2 : APT {
-	meta:
-		description = "Mimikatz Rule generated from a memory dump"
-		author = "Florian Roth - Florian Roth"
-		reference = "https://github.com/Neo23x0/Loki/blob/master/signatures/thor-hacktools.yar"
-		type = "memory"
-		score = 80
-	strings:
-		$s0 = "sekurlsa::" ascii
-		$x1 = "cryptprimitives.pdb" ascii
-		$x2 = "Now is t1O" ascii fullword
-		$x4 = "ALICE123" ascii
-		$x5 = "BOBBY456" ascii
-	condition:
-		$s0 and 1 of ($x*)
-}
-
-rule Mimikatz_Memory_Rule_1 : APT {
-	meta: 
-		author = "Florian Roth"
-		date = "12/22/2014"
-		score = 70
-		type = "memory"
-		description = "Detects password dumper mimikatz in memory"
-		reference = "https://github.com/Neo23x0/Loki/blob/master/signatures/thor-hacktools.yar"
-	strings:
-		$s1 = "sekurlsa::msv" fullword ascii
-	    $s2 = "sekurlsa::wdigest" fullword ascii
-	    $s4 = "sekurlsa::kerberos" fullword ascii
-	    $s5 = "sekurlsa::tspkg" fullword ascii
-	    $s6 = "sekurlsa::livessp" fullword ascii
-	    $s7 = "sekurlsa::ssp" fullword ascii
-	    $s8 = "sekurlsa::logonPasswords" fullword ascii
-	    $s9 = "sekurlsa::process" fullword ascii
-	    $s10 = "ekurlsa::minidump" fullword ascii
-	    $s11 = "sekurlsa::pth" fullword ascii
-	    $s12 = "sekurlsa::tickets" fullword ascii
-	    $s13 = "sekurlsa::ekeys" fullword ascii
-	    $s14 = "sekurlsa::dpapi" fullword ascii
-	    $s15 = "sekurlsa::credman" fullword ascii
-	condition:
-		1 of them
-}
\ No newline at end of file