RepoMirrors
/
mimikatz
mirror of https://github.com/gentilkiwi/mimikatz
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Yara: PowerShell with PE Reflective Injection

This commit is contained in:
Benjamin DELPY 2015-05-15 23:24:29 +02:00
parent ee4ab682cf
commit a36e552549
1 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
kiwi_passwords.yar
View File

@ -89,3 +89,16 @@ rule lsadump
condition: condition:
($str_sam_inc and not $str_sam_exc) or $hex_api_call or $str_msv_lsa or $hex_bkey ($str_sam_inc and not $str_sam_exc) or $hex_api_call or $str_msv_lsa or $hex_bkey
} }
rule power_pe_injection
{
meta:
description = "PowerShell with PE Reflective Injection"
author = "Benjamin DELPY (gentilkiwi)"
strings:
$str_loadlib = "0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9"
condition:
$str_loadlib or $hex_loadlib
}