import "pe"
/* Mimikatz */
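rule Mimikatz_Memory_Rule_1 : APT {
    /*
     * Memory-scan rule: fires when any single mimikatz "sekurlsa::" sub-command
     * string is present. The description lists the known false-positive sources
     * (software that copied a mimikatz binary, AV signature data), which is why
     * the score stays moderate.
     */
    meta:
        license = "https://creativecommons.org/licenses/by-nc/4.0/"
        author = "Florian Roth"
        date = "12/22/2014"
        score = 70
        type = "memory"
        description = "Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)"
    strings:
        // One sekurlsa sub-command per string, as typed at the mimikatz prompt.
        // "fullword" requires a non-alphanumeric character (or the buffer edge)
        // on both sides, so only the complete command token matches.
        $s1 = "sekurlsa::msv" fullword ascii
        $s2 = "sekurlsa::wdigest" fullword ascii
        $s4 = "sekurlsa::kerberos" fullword ascii
        $s5 = "sekurlsa::tspkg" fullword ascii
        $s6 = "sekurlsa::livessp" fullword ascii
        $s7 = "sekurlsa::ssp" fullword ascii
        $s8 = "sekurlsa::logonPasswords" fullword ascii
        $s9 = "sekurlsa::process" fullword ascii
        // Fix: this previously read "ekurlsa::minidump". Combined with
        // "fullword", a pattern that starts mid-token can never match
        // "sekurlsa::minidump" (the preceding 's' is alphanumeric), so the
        // string was dead weight. Now consistent with the other entries.
        $s10 = "sekurlsa::minidump" fullword ascii
        $s11 = "sekurlsa::pth" fullword ascii
        $s12 = "sekurlsa::tickets" fullword ascii
        $s13 = "sekurlsa::ekeys" fullword ascii
        $s14 = "sekurlsa::dpapi" fullword ascii
        $s15 = "sekurlsa::credman" fullword ascii
    condition:
        // Deliberately loose: a single command string is enough to match.
        1 of them
}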
rule Mimikatz_Memory_Rule_2 : APT {
    /*
     * Memory-scan rule that pairs the generic "sekurlsa::" substring with at
     * least one corroborating string ($x*) lifted from a memory dump. Scores
     * higher (80) than Mimikatz_Memory_Rule_1 because two independent
     * indicators are required.
     */
    meta:
        description = "Mimikatz Rule generated from a memory dump"
        author = "Florian Roth - Florian Roth"
        type = "memory"
        score = 80
    strings:
        // Anchor: not "fullword", so any sekurlsa sub-command qualifies.
        // Too generic to alert on alone, hence the second requirement below.
        $s0 = "sekurlsa::" ascii
        // Corroborating artefacts from the dump; the rule does not record
        // which component of mimikatz each of them comes from.
        $x1 = "cryptprimitives.pdb" ascii
        $x2 = "Now is t1O" ascii fullword
        $x4 = "ALICE123" ascii
        $x5 = "BOBBY456" ascii
    condition:
        // Anchor plus at least one artefact.
        $s0 and 1 of ($x*)
}
rule mimikatz
{
    /*
     * Code-byte rule by the tool's author. Matches when both x86 executable
     * patterns are present, or both x64 executable patterns, or any one of
     * the $sys_* patterns. The $dll_* patterns and their condition clause are
     * kept in comments and take no part in matching.
     */
    meta:
        description = "mimikatz"
        author = "Benjamin DELPY (gentilkiwi)"
        tool_author = "Benjamin DELPY (gentilkiwi)"

    strings:
        // x86 build: both must match. "[0-3]" skips 0 to 3 arbitrary bytes,
        // "?" is a nibble wildcard.
        $exe_x86_1 = { 89 71 04 89 [0-3] 30 8d 04 bd }
        $exe_x86_2 = { 8b 4d e? 8b 45 f4 89 75 e? 89 01 85 ff 74 }

        // x64 build: both must match. The "4?" wildcards sit where a REX
        // prefix (0x40-0x4f) would be, presumably to tolerate differing
        // register encodings - not verified here.
        $exe_x64_1 = { 33 ff 4? 89 37 4? 8b f3 45 85 c? 74}
        $exe_x64_2 = { 4c 8b df 49 [0-3] c1 e3 04 48 [0-3] 8b cb 4c 03 [0-3] d8 }

        /*
        $dll_1 = { c7 0? 00 00 01 00 [4-14] c7 0? 01 00 00 00 }
        $dll_2 = { c7 0? 10 02 00 00 ?? 89 4? }
        */

        // Driver (.sys) builds: either one is sufficient on its own. The
        // values look like fixed little-endian 32-bit size/offset fields
        // rather than instructions - presumably PE header or table data;
        // verify against a sample before tightening.
        $sys_x86 = { a0 00 00 00 24 02 00 00 40 00 00 00 [0-4] b8 00 00 00 6c 02 00 00 40 00 00 00 }
        $sys_x64 = { 88 01 00 00 3c 04 00 00 40 00 00 00 [0-4] e8 02 00 00 f8 02 00 00 40 00 00 00 }

    condition:
        (all of ($exe_x86_*)) or (all of ($exe_x64_*))
        // or (all of ($dll_*))
        or (any of ($sys_*))
}
rule wce
{
    /*
     * Code-byte rule for WCE (Windows Credentials Editor, by Hernan Ochoa),
     * contributed by the mimikatz author. Any one of the three patterns is
     * enough to match.
     */
    meta:
        description = "wce"
        author = "Benjamin DELPY (gentilkiwi)"
        tool_author = "Hernan Ochoa (hernano)"
    strings:
        // Older build: a small x86 function - hot-patch prologue
        // (8b ff 55 8b ec), a pushed zero and two pushed arguments, a call
        // opcode (e8) followed by a 0-3 byte wildcard gap, then a
        // "pop ebp / ret 8" epilogue (5d c2 08 00).
        // NOTE(review): e8 carries a 4-byte rel32, but the gap allows at most
        // 3 bytes, so 5d would have to coincide with the last displacement
        // byte for this to match real code - confirm against a sample.
        $hex_legacy = { 8b ff 55 8b ec 6a 00 ff 75 0c ff 75 08 e8 [0-3] 5d c2 08 00 }
        // x86 build: addresses of four stack locals and a zero are pushed,
        // followed within 0-8 bytes by the ASCII bytes of "Primary" plus a
        // terminating NUL (50 72 69 6d 61 72 79 00).
        $hex_x86 = { 8d 45 f0 50 8d 45 f8 50 8d 45 e8 50 6a 00 8d 45 fc 50 [0-8] 50 72 69 6d 61 72 79 00 }
        // x64 build: function entry (push rbx; sub rsp, 0x30; mov rbx, rcx)
        // and a RIP-relative lea, followed within 0-16 bytes by the same
        // "Primary\0" bytes.
        $hex_x64 = { ff f3 48 83 ec 30 48 8b d9 48 8d 15 [0-16] 50 72 69 6d 61 72 79 00 }
    condition:
        any of them
}
rule power_pe_injection
{
    /*
     * Matches PowerShell *source* that embeds a particular byte array: the
     * string is the literal text "0x53, 0x48, ..." as it would appear in a
     * script, not the bytes themselves. The "loadlib" name suggests a
     * loader stub; the bytes are not decoded or verified here.
     */
    meta:
        description = "PowerShell with PE Reflective Injection"
        author = "Benjamin DELPY (gentilkiwi)"
    strings:
        // Exact, case-sensitive 8-bit text match: a script that writes the
        // array with different spacing or case, or a UTF-16LE script file,
        // will not be caught.
        $str_loadlib = "0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9"
    condition:
        // No file-type or size gating: any file containing this exact text
        // (including documentation or tooling that quotes it) will match.
        $str_loadlib
}
rule Mimikatz_Logfile
{
    /*
     * Matches the text output mimikatz writes when dumping credentials
     * (e.g. a saved console log). All four field labels must be present,
     * which keeps the rule tight to this exact output layout.
     */
    meta:
        description = "Detects a log file generated by malicious hack tool mimikatz"
        license = "https://creativecommons.org/licenses/by-nc/4.0/"
        author = "Florian Roth"
        score = 80
        date = "2015/03/31"
    strings:
        // Field labels as they appear in the output. "fullword" requires
        // non-alphanumeric neighbours, so a label embedded in a longer token
        // is ignored.
        $s1 = "SID :" ascii fullword
        $s2 = "* NTLM :" ascii fullword
        $s3 = "Authentication Id :" ascii fullword
        $s4 = "wdigest :" ascii fullword
    condition:
        // ascii only: a UTF-16LE copy of the same log would not match.
        all of them
}
rule Mimikatz_Strings {
    /*
     * String-based rule for mimikatz binaries and their output. Two paths:
     * a file starting with the "MZ" DOS header needs only one of the
     * distinctive strings; anything else (memory, scripts, logs) needs three.
     * A single import-hash exclusion removes a known false positive; it
     * depends on the "pe" module imported at the top of this file.
     */
    meta:
        description = "Detects Mimikatz strings"
        license = "https://creativecommons.org/licenses/by-nc/4.0/"
        author = "Florian Roth"
        reference = "not set"
        date = "2016-06-08"
        score = 65
    strings:
        // Command, help-text and output fragments. $x1-$x12 are searched in
        // both 8-bit and UTF-16LE form; $x13-$x16 in UTF-16LE only.
        $x1 = "sekurlsa::logonpasswords" fullword wide ascii
        $x2 = "List tickets in MIT/Heimdall ccache" fullword ascii wide
        $x3 = "kuhl_m_kerberos_ptt_file ; LsaCallKerberosPackage %08x" fullword ascii wide
        $x4 = "* Injecting ticket :" fullword wide ascii
        $x5 = "mimidrv.sys" fullword wide ascii
        $x6 = "Lists LM & NTLM credentials" fullword wide ascii
        $x7 = "\\_ kerberos -" fullword wide ascii
        $x8 = "* unknow :" fullword wide ascii
        $x9 = "\\_ *Password replace ->" fullword wide ascii
        $x10 = "KIWI_MSV1_0_PRIMARY_CREDENTIALS KO" ascii wide
        $x11 = "\\\\.\\mimidrv" wide ascii
        $x12 = "Switch to MINIDUMP :" fullword wide ascii
        $x13 = "[masterkey] with password: %s (%s user)" fullword wide
        $x14 = "Clear screen (doesn't work with redirections, like PsExec)" fullword wide
        $x15 = "** Session key is NULL! It means allowtgtsessionkey is not set to 1 **" fullword wide
        $x16 = "[masterkey] with DPAPI_SYSTEM (machine, then user): " fullword wide
    condition:
        (
            // 0x5a4d is "MZ" read as a little-endian uint16: a PE-style file
            // needs just one distinctive string.
            ( uint16(0) == 0x5a4d and 1 of ($x*) ) or
            // Every string in this rule is $x*, so "them" is the same set;
            // non-PE input needs three hits.
            ( 3 of them )
        )
        /* exclude false positives */
        // Which legitimate binary carries this import hash is not recorded.
        // NOTE(review): when the pe module cannot parse the input,
        // pe.imphash() is undefined; "not <undefined>" stays undefined and
        // "<x> and <undefined>" evaluates to false, so this clause may
        // silently suppress the "3 of them" branch on non-PE data. Confirm
        // against the YARA version in use before relying on that branch.
        and not pe.imphash() == "77eaeca738dd89410a432c6bd6459907"
}
rule AppInitHook {
    /*
     * File rule for AppInitHook.dll, a helper that hides mimikatz from
     * process listings (per the description). Requires a PE-style header,
     * a file under 500 KB and four of the seven strings.
     */
    meta:
        description = "AppInitGlobalHooks-Mimikatz - Hide Mimikatz From Process Lists - file AppInitHook.dll"
        license = "https://creativecommons.org/licenses/by-nc/4.0/"
        author = "Florian Roth"
        reference = "https://goo.gl/Z292v6"
        date = "2015-07-15"
        score = 70
        hash = "e7563e4f2a7e5f04a3486db4cefffba173349911a3c6abd7ae616d3bf08cfd45"
    strings:
        // Build artefacts of the DLL itself (PDB path, module name).
        $s0 = "\\Release\\AppInitHook.pdb" ascii
        $s1 = "AppInitHook.dll" fullword ascii
        // UTF-16LE only; presumably the process name being hidden.
        $s2 = "mimikatz.exe" fullword wide
        // Assertion text and source paths from the bundled mhook/disasm-lib
        // code. Other programs that embed the same library could carry these
        // too, which is one reason four strings are required rather than one.
        $s3 = "]X86Instruction->OperandSize >= Operand->Length" fullword wide
        $s4 = "mhook\\disasm-lib\\disasm.c" fullword wide
        $s5 = "mhook\\disasm-lib\\disasm_x86.c" fullword wide
        $s6 = "VoidFunc" fullword ascii
    condition:
        // 0x5a4d is "MZ"; the size ceiling keeps large unrelated binaries out.
        uint16(0) == 0x5a4d and filesize < 500KB and 4 of them
}
rule HKTL_Mimikatz_SkeletonKey_in_memory_Aug20_1 {
    /*
     * Memory rule for the mimikatz skeleton-key patch. The pattern is a
     * 16-byte constant being written onto the stack: it opens with the first
     * 4-byte immediate and continues with three further dword stores
     * (c7 44 24 <disp8> <imm32>).
     */
    meta:
        description = "Detects Mimikatz SkeletonKey in Memory"
        author = "Florian Roth"
        reference = "https://twitter.com/sbousseaden/status/1292143504131600384?s=12"
        date = "2020-08-09"
    strings:
        // The four immediates, concatenated: 60ba4fca dc466c7a 033c1781 94c03df6.
        // This is the NT hash of "mimikatz", the default skeleton-key password
        // documented for this module (confirm). A build that uses a different
        // key, or a compiler that emits the stores differently, will not match.
        $x1 = { 60 ba 4f ca c7 44 24 34 dc 46 6c 7a c7 44 24 38
                03 3c 17 81 c7 44 24 3c 94 c0 3d f6 }
    condition:
        // Single string; "1 of them" is equivalent to "$x1".
        1 of them
}
rule HKTL_mimikatz_memssp_hookfn {
    /*
     * Memory rule for the mimikatz memssp credential-logging hook. $xc1 is
     * the prologue of the logging routine as it sits in memory: a stack frame
     * is set up, the log file name (wildcarded), the file mode and the
     * per-line format string are built with immediate stores, and a callee at
     * an absolute address is invoked through rax.
     */
    meta:
        description = "Detects Default Mimikatz memssp module in-memory"
        author = "SBousseaden"
        date = "2020-08-26"
        reference = "https://github.com/sbousseaden/YaraHunts/blob/master/mimikatz_memssp_hookfn.yara"
        score = 70
    strings:
        // Decoded from the bytes below:
        //   48 81 EC A8 00 00 00            sub rsp, 0xa8
        //   C7 84 24 88/8C/90 00 00 00 ..   three dword stores at [rsp+0x88..0x90];
        //                                   the immediates are wildcarded (the
        //                                   8-bit log file name, see $xc2)
        //   C7 84 24 80 00 00 00 61 00 00 00  [rsp+0x80] = "a\0" (file open mode)
        //   C7 44 24 40 .. C7 44 24 6C ..   UTF-16LE "[%08x:%08x] %wZ\%wZ<TAB>%wZ<LF>"
        //                                   written four bytes at a time
        //   C7 44 24 70 00 00 00 00         terminating NUL
        //   48 8D 94 24 80 00 00 00         lea rdx, [rsp+0x80]   (mode)
        //   48 8D 8C 24 88 00 00 00         lea rcx, [rsp+0x88]   (file name)
        //   48 B8 A0 7D ?? ?? ?? ?? 00 00   mov rax, imm64 (mostly wildcarded)
        //   FF D0                           call rax
        // Consistent with an open-for-append call on the log file; the callee
        // address is not pinned, so the match survives relocation but is tied
        // to this exact code generation.
        $xc1 = { 48 81 EC A8 00 00 00 C7 84 24 88 00 00 00 ?? ??
                 ?? ?? C7 84 24 8C 00 00 00 ?? ?? ?? ?? C7 84 24
                 90 00 00 00 ?? ?? ?? 00 C7 84 24 80 00 00 00 61
                 00 00 00 C7 44 24 40 5B 00 25 00 C7 44 24 44 30
                 00 38 00 C7 44 24 48 78 00 3A 00 C7 44 24 4C 25
                 00 30 00 C7 44 24 50 38 00 78 00 C7 44 24 54 5D
                 00 20 00 C7 44 24 58 25 00 77 00 C7 44 24 5C 5A
                 00 5C 00 C7 44 24 60 25 00 77 00 C7 44 24 64 5A
                 00 09 00 C7 44 24 68 25 00 77 00 C7 44 24 6C 5A
                 00 0A 00 C7 44 24 70 00 00 00 00 48 8D 94 24 80
                 00 00 00 48 8D 8C 24 88 00 00 00 48 B8 A0 7D ??
                 ?? ?? ?? 00 00 FF D0 } // memssp creds logging function
        // $xc2 = {6D 69 6D 69 C7 84 24 8C 00 00 00 6C 73 61 2E C7 84 24 90 00 00 00 6C 6F 67} - mimilsa.log
        // ($xc2 is the same store sequence with the default 8-bit file name
        // "mimilsa.log" filled in; it is intentionally left commented out.)
    condition:
        // $xc1 alone catches the hook regardless of the chosen log name. As
        // the author notes, "$xc1 and not $xc2" would instead flag only
        // operators who changed the default log file name.
        $xc1 // you can set condition to $xc1 and not $xc2 to detect non lazy memssp users
}