RepoMirrors
/
mimikatz
mirror of https://github.com/gentilkiwi/mimikatz
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Small update to Yara rules

This commit is contained in:
Benjamin DELPY 2015-05-14 13:53:04 +02:00
parent 65e1249269
commit ee4ab682cf
1 changed files with 86 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
kiwi_passwords.yar
View File

@ -9,6 +9,7 @@ rule mimikatz
description = "mimikatz" description = "mimikatz"
author = "Benjamin DELPY (gentilkiwi)" author = "Benjamin DELPY (gentilkiwi)"
tool_author = "Benjamin DELPY (gentilkiwi)" tool_author = "Benjamin DELPY (gentilkiwi)"
strings: strings:
$exe_x86_1 = { 89 71 04 89 [0-3] 30 8d 04 bd } $exe_x86_1 = { 89 71 04 89 [0-3] 30 8d 04 bd }
$exe_x86_2 = { 89 79 04 89 [0-3] 38 8d 04 b5 } $exe_x86_2 = { 89 79 04 89 [0-3] 38 8d 04 b5 }
@ -21,42 +22,70 @@ rule mimikatz
$sys_x86 = { a0 00 00 00 24 02 00 00 40 00 00 00 [0-4] b8 00 00 00 6c 02 00 00 40 00 00 00 } $sys_x86 = { a0 00 00 00 24 02 00 00 40 00 00 00 [0-4] b8 00 00 00 6c 02 00 00 40 00 00 00 }
$sys_x64 = { 88 01 00 00 3c 04 00 00 40 00 00 00 [0-4] e8 02 00 00 f8 02 00 00 40 00 00 00 } $sys_x64 = { 88 01 00 00 3c 04 00 00 40 00 00 00 [0-4] e8 02 00 00 f8 02 00 00 40 00 00 00 }
condition: condition:
(all of ($exe_x86_*)) or (all of ($exe_x64_*)) or (all of ($dll_*)) or (any of ($sys_*)) (all of ($exe_x86_*)) or (all of ($exe_x64_*)) or (all of ($dll_*)) or (any of ($sys_*))
} }
rule mimikatz_lsass_mdmp rule mimikatz_lsass_mdmp
{ {
meta: meta:
description = "LSASS minidump file for mimikatz" description = "LSASS minidump file for mimikatz"
author = "Benjamin DELPY (gentilkiwi)" author = "Benjamin DELPY (gentilkiwi)"
strings: strings:
$lsass = "System32\\lsass.exe" wide nocase $lsass = "System32\\lsass.exe" wide nocase
condition: condition:
(uint32(0) == 0x504d444d) and $lsass (uint32(0) == 0x504d444d) and $lsass
} }
rule mimikatz_kirbi_ticket rule mimikatz_kirbi_ticket
{ {
meta: meta:
description = "KiRBi ticket for mimikatz" description = "KiRBi ticket for mimikatz"
author = "Benjamin DELPY (gentilkiwi)" author = "Benjamin DELPY (gentilkiwi)"
strings: strings:
$asn1 = { 76 82 ?? ?? 30 82 ?? ?? a0 03 02 01 05 a1 03 02 01 16 } $asn1 = { 76 82 ?? ?? 30 82 ?? ?? a0 03 02 01 05 a1 03 02 01 16 }
condition: condition:
$asn1 at 0 $asn1 at 0
} }
rule wce rule wce
{ {
meta: meta:
description = "wce" description = "wce"
author = "Benjamin DELPY (gentilkiwi)" author = "Benjamin DELPY (gentilkiwi)"
tool_author = "Hernan Ochoa (hernano)" tool_author = "Hernan Ochoa (hernano)"
strings: strings:
$hex_legacy = { 8b ff 55 8b ec 6a 00 ff 75 0c ff 75 08 e8 [0-3] 5d c2 08 00 } $hex_legacy = { 8b ff 55 8b ec 6a 00 ff 75 0c ff 75 08 e8 [0-3] 5d c2 08 00 }
$hex_x86 = { 8d 45 f0 50 8d 45 f8 50 8d 45 e8 50 6a 00 8d 45 fc 50 [0-8] 50 72 69 6d 61 72 79 00 } $hex_x86 = { 8d 45 f0 50 8d 45 f8 50 8d 45 e8 50 6a 00 8d 45 fc 50 [0-8] 50 72 69 6d 61 72 79 00 }
$hex_x64 = { ff f3 48 83 ec 30 48 8b d9 48 8d 15 [0-16] 50 72 69 6d 61 72 79 00 } $hex_x64 = { ff f3 48 83 ec 30 48 8b d9 48 8d 15 [0-16] 50 72 69 6d 61 72 79 00 }
condition: condition:
any of them any of them
} }
rule lsadump
{
meta:
description = "LSA dump programe (bootkey/syskey) - pwdump and others"
author = "Benjamin DELPY (gentilkiwi)"
strings:
$str_sam_inc = "\\Domains\\Account" ascii nocase
$str_sam_exc = "\\Domains\\Account\\Users\\Names\\" ascii nocase
$hex_api_call = {(41 b8 | 68) 00 00 00 02 [0-64] (68 | ba) ff 07 0f 00 }
$str_msv_lsa = { 4c 53 41 53 52 56 2e 44 4c 4c 00 [0-32] 6d 73 76 31 5f 30 2e 64 6c 6c 00 }
$hex_bkey = { 4b 53 53 4d [20-70] 05 00 01 00}
condition:
($str_sam_inc and not $str_sam_exc) or $hex_api_call or $str_msv_lsa or $hex_bkey
}