Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
R
rules
Overview
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
fact-depend
rules
Commits
430bde62
Commit
430bde62
authored
Jun 04, 2015
by
Yara Rules
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Merge PR#21
parent
7aa47f57
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
78 additions
and
0 deletions
+78
-0
Miscelanea.yar
malware/Miscelanea.yar
+78
-0
No files found.
malware/Miscelanea.yar
View file @
430bde62
...
...
@@ -1543,3 +1543,80 @@ $my_hex_string2 = {89 45 E8 3B 7D E8 7C 0F 8B 45 E8 05 FF 00 00 00 2B C7 89 45 E
condition:
$my_hex_string and $my_hex_string2
}
rule Mimikatz_Logfile
{
meta:
description = "Detects a log file generated by malicious hack tool mimikatz"
author = "Florian Roth"
score = 80
date = "2015/03/31"
reference = "https://github.com/Neo23x0/Loki/blob/master/signatures/thor-hacktools.yar"
strings:
$s1 = "SID :" ascii fullword
$s2 = "* NTLM :" ascii fullword
$s3 = "Authentication Id :" ascii fullword
$s4 = "wdigest :" ascii fullword
condition:
all of them
}
rule lsadump
{
meta:
description = "LSA dump programe (bootkey/syskey) - pwdump and others"
author = "Benjamin DELPY (gentilkiwi)"
reference = "https://github.com/Neo23x0/Loki/blob/master/signatures/thor-hacktools.yar"
strings:
$str_sam_inc = "\\Domains\\Account" ascii nocase
$str_sam_exc = "\\Domains\\Account\\Users\\Names\\" ascii nocase
$hex_api_call = {(41 b8 | 68) 00 00 00 02 [0-64] (68 | ba) ff 07 0f 00 }
$str_msv_lsa = { 4c 53 41 53 52 56 2e 44 4c 4c 00 [0-32] 6d 73 76 31 5f 30 2e 64 6c 6c 00 }
$hex_bkey = { 4b 53 53 4d [20-70] 05 00 01 00}
condition:
($str_sam_inc and not $str_sam_exc) or $hex_api_call or $str_msv_lsa or $hex_bkey
}
rule Mimikatz_Memory_Rule_2 : APT {
meta:
description = "Mimikatz Rule generated from a memory dump"
author = "Florian Roth - Florian Roth"
reference = "https://github.com/Neo23x0/Loki/blob/master/signatures/thor-hacktools.yar"
type = "memory"
score = 80
strings:
$s0 = "sekurlsa::" ascii
$x1 = "cryptprimitives.pdb" ascii
$x2 = "Now is t1O" ascii fullword
$x4 = "ALICE123" ascii
$x5 = "BOBBY456" ascii
condition:
$s0 and 1 of ($x*)
}
rule Mimikatz_Memory_Rule_1 : APT {
meta:
author = "Florian Roth"
date = "12/22/2014"
score = 70
type = "memory"
description = "Detects password dumper mimikatz in memory"
reference = "https://github.com/Neo23x0/Loki/blob/master/signatures/thor-hacktools.yar"
strings:
$s1 = "sekurlsa::msv" fullword ascii
$s2 = "sekurlsa::wdigest" fullword ascii
$s4 = "sekurlsa::kerberos" fullword ascii
$s5 = "sekurlsa::tspkg" fullword ascii
$s6 = "sekurlsa::livessp" fullword ascii
$s7 = "sekurlsa::ssp" fullword ascii
$s8 = "sekurlsa::logonPasswords" fullword ascii
$s9 = "sekurlsa::process" fullword ascii
$s10 = "ekurlsa::minidump" fullword ascii
$s11 = "sekurlsa::pth" fullword ascii
$s12 = "sekurlsa::tickets" fullword ascii
$s13 = "sekurlsa::ekeys" fullword ascii
$s14 = "sekurlsa::dpapi" fullword ascii
$s15 = "sekurlsa::credman" fullword ascii
condition:
1 of them
}
\ No newline at end of file
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
