Create PAT_PassthehashToolkit.yar

malware/PAT_PassthehashToolkit.yar

+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+rule whosthere_alt {
+	meta:
+		description = "Auto-generated rule - file whosthere-alt.exe"
+		author = "Florian Roth"
+		reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
+		date = "2015-07-10"
+		score = 80
+		hash = "9b4c3691872ca5adf6d312b04190c6e14dd9cbe10e94c0dd3ee874f82db897de"
+	strings:
+		$s0 = "WHOSTHERE-ALT v1.1 - by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies" fullword ascii /* PEStudio Blacklist: strings */ /* score: '49.00' */
+		$s1 = "whosthere enters an infinite loop and searches for new logon sessions every 2 seconds. Only new sessions are shown if found." fullword ascii /* PEStudio Blacklist: strings */ /* score: '36.00' */
+		$s2 = "dump output to a file, -o filename" fullword ascii /* PEStudio Blacklist: strings */ /* score: '30.00' */
+		$s3 = "This tool lists the active LSA logon sessions with NTLM credentials." fullword ascii /* PEStudio Blacklist: strings */ /* score: '29.00' */
+		$s4 = "Error: pth.dll is not in the current directory!." fullword ascii /* score: '24.00' */
+		$s5 = "the output format is: username:domain:lmhash:nthash" fullword ascii /* PEStudio Blacklist: strings */ /* score: '17.00' */
+		$s6 = ".\\pth.dll" fullword ascii /* score: '16.00' */
+		$s7 = "Cannot get LSASS.EXE PID!" fullword ascii /* score: '14.00' */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 280KB and 2 of them
+}
+
+rule iam_alt_iam_alt {
+	meta:
+		description = "Auto-generated rule - file iam-alt.exe"
+		author = "Florian Roth"
+		reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
+		date = "2015-07-10"
+		score = 80
+		hash = "2ea662ef58142d9e340553ce50d95c1b7a405672acdfd476403a565bdd0cfb90"
+	strings:
+		$s0 = "<cmd>. Create a new logon session and run a command with the specified credentials (e.g.: -r cmd.exe)" fullword ascii /* PEStudio Blacklist: strings */ /* score: '59.00' */
+		$s1 = "IAM-ALT v1.1 - by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies" fullword ascii /* PEStudio Blacklist: strings */ /* score: '43.00' */
+		$s2 = "This tool allows you to change the NTLM credentials of the current logon session" fullword ascii /* PEStudio Blacklist: strings */ /* score: '31.00' */
+		$s3 = "username:domainname:lmhash:nthash" fullword ascii /* PEStudio Blacklist: strings */ /* score: '15.00' */
+		$s4 = "Error in cmdline!. Bye!." fullword ascii /* score: '12.00' */
+		$s5 = "Error: Cannot open LSASS.EXE!." fullword ascii /* score: '12.00' */
+		$s6 = "nthash is too long!." fullword ascii /* score: '8.00' */
+		$s7 = "LSASS HANDLE: %x" fullword ascii /* score: '5.00' */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 240KB and 2 of them
+}
+
+rule genhash_genhash {
+	meta:
+		description = "Auto-generated rule - file genhash.exe"
+		author = "Florian Roth"
+		reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
+		date = "2015-07-10"
+		score = 80
+		hash = "113df11063f8634f0d2a28e0b0e3c2b1f952ef95bad217fd46abff189be5373f"
+	strings:
+		$s1 = "genhash.exe <password>" fullword ascii /* PEStudio Blacklist: strings */ /* score: '30.00' */
+		$s3 = "Password: %s" fullword ascii /* PEStudio Blacklist: strings */ /* score: '17.00' */
+		$s4 = "%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X" fullword ascii /* score: '11.00' */
+		$s5 = "This tool generates LM and NT hashes." fullword ascii /* score: '10.00' */
+		$s6 = "(hashes format: LM Hash:NT hash)" fullword ascii /* score: '10.00' */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 200KB and 2 of them
+}
+
+rule iam_iamdll {
+	meta:
+		description = "Auto-generated rule - file iamdll.dll"
+		author = "Florian Roth"
+		reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
+		date = "2015-07-10"
+		score = 80
+		hash = "892de92f71941f7b9e550de00a57767beb7abe1171562e29428b84988cee6602"
+	strings:
+		$s0 = "LSASRV.DLL" fullword ascii /* score: '21.00' */
+		$s1 = "iamdll.dll" fullword ascii /* score: '21.00' */
+		$s2 = "ChangeCreds" fullword ascii /* score: '12.00' */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 115KB and all of them
+}
+
+rule iam_iam {
+	meta:
+		description = "Auto-generated rule - file iam.exe"
+		author = "Florian Roth"
+		reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
+		date = "2015-07-10"
+		score = 80
+		hash = "8a8fcce649259f1b670bb1d996f0d06f6649baa8eed60db79b2c16ad22d14231"
+	strings:
+		$s1 = "<cmd>. Create a new logon session and run a command with the specified credentials (e.g.: -r cmd.exe)" fullword ascii /* PEStudio Blacklist: strings */ /* score: '59.00' */
+		$s2 = "iam.exe -h administrator:mydomain:"  ascii /* PEStudio Blacklist: strings */ /* score: '40.00' */
+		$s3 = "An error was encountered when trying to change the current logon credentials!." fullword ascii /* PEStudio Blacklist: strings */ /* score: '33.00' */
+		$s4 = "optional parameter. If iam.exe crashes or doesn't work when run in your system, use this parameter." fullword ascii /* PEStudio Blacklist: strings */ /* score: '30.00' */
+		$s5 = "IAM.EXE will try to locate some memory locations instead of using hard-coded values." fullword ascii /* score: '26.00' */
+		$s6 = "Error in cmdline!. Bye!." fullword ascii /* score: '12.00' */
+		$s7 = "Checking LSASRV.DLL...." fullword ascii /* score: '12.00' */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 300KB and all of them
+}
+
+rule whosthere_alt_pth {
+	meta:
+		description = "Auto-generated rule - file pth.dll"
+		author = "Florian Roth"
+		reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
+		date = "2015-07-10"
+		score = 80
+		hash = "fbfc8e1bc69348721f06e96ff76ae92f3551f33ed3868808efdb670430ae8bd0"
+	strings:
+		$s0 = "c:\\debug.txt" fullword ascii /* PEStudio Blacklist: strings */ /* score: '23.00' */
+		$s1 = "pth.dll" fullword ascii /* score: '20.00' */
+		$s2 = "\"Primary\" string found at %.8Xh" fullword ascii /* score: '7.00' */
+		$s3 = "\"Primary\" string not found!" fullword ascii /* score: '6.00' */
+		$s4 = "segment 1 found at %.8Xh" fullword ascii /* score: '6.00' */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 240KB and 4 of them
+}
+
+rule whosthere {
+	meta:
+		description = "Auto-generated rule - file whosthere.exe"
+		author = "Florian Roth"
+		reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
+		date = "2015-07-10"
+		score = 80
+		hash = "d7a82204d3e511cf5af58eabdd6e9757c5dd243f9aca3999dc0e5d1603b1fa37"
+	strings:
+		$s1 = "by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies" fullword ascii /* PEStudio Blacklist: strings */ /* score: '48.00' */
+		$s2 = "whosthere enters an infinite loop and searches for new logon sessions every 2 seconds. Only new sessions are shown if found." fullword ascii /* PEStudio Blacklist: strings */ /* score: '36.00' */
+		$s3 = "specify addresses to use. Format: ADDCREDENTIAL_ADDR:ENCRYPTMEMORY_ADDR:FEEDBACK_ADDR:DESKEY_ADDR:LOGONSESSIONLIST_ADDR:LOGONSES" ascii /* PEStudio Blacklist: strings */ /* score: '28.00' */
+		$s4 = "Could not enable debug privileges. You must run this tool with an account with administrator privileges." fullword ascii /* PEStudio Blacklist: strings */ /* score: '27.00' */
+		$s5 = "-B is now used by default. Trying to find correct addresses.." fullword ascii /* PEStudio Blacklist: strings */ /* score: '15.00' */
+		$s6 = "Cannot get LSASS.EXE PID!" fullword ascii /* score: '14.00' */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 320KB and 2 of them
+}