From 106ca7f7b44b13b0c4793b1982a79fdbd0a8a07f Mon Sep 17 00:00:00 2001
From: Benjamin DELPY
Date: Thu, 29 Jun 2017 01:01:43 +0200
Subject: [PATCH] Yara rule update to support recent mimikatz version (and logicaly Petya mimikatz module too)

---
 kiwi_passwords.yar | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/kiwi_passwords.yar b/kiwi_passwords.yar
index 146c5e4..cccad24 100644
--- a/kiwi_passwords.yar
+++ b/kiwi_passwords.yar
@@ -12,9 +12,9 @@ rule mimikatz
 strings:
 $exe_x86_1 = { 89 71 04 89 [0-3] 30 8d 04 bd }
- $exe_x86_2 = { 89 79 04 89 [0-3] 38 8d 04 b5 }
+ $exe_x86_2 = { 8b 4d e? 8b 45 f4 89 75 e? 89 01 85 ff 74 }
- $exe_x64_1 = { 4c 03 d8 49 [0-3] 8b 03 48 89 }
+ $exe_x64_1 = { 33 ff 4? 89 37 4? 8b f3 45 85 c? 74}
 $exe_x64_2 = { 4c 8b df 49 [0-3] c1 e3 04 48 [0-3] 8b cb 4c 03 [0-3] d8 }
 $dll_1 = { c7 0? 00 00 01 00 [4-14] c7 0? 01 00 00 00 }