/*
Yara Rule Set
Author: Florian Roth
Date: 2016-07-19
Identifier: Invoke-Mimikatz
*/
/* Rule Set ----------------------------------------------------------------- */
rule Invoke_Mimikatz {
    // Signature for the Invoke-Mimikatz PowerShell script (see reference).
    // The condition fires on a single string, so each string below must
    // stand on its own false-positive-wise.
    meta:
        description = "Detects Invoke-Mimikatz String"
        license = "https://creativecommons.org/licenses/by-nc/4.0/"
        author = "Florian Roth"
        reference = "https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz"
        date = "2016-08-03"
        hash1 = "f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67"
    strings:
        // Base64 of a standard MZ/DOS-stub header: "TVqQAAMAAAAEAAAA" decodes to
        // 4D 5A 90 00 03 00 00 00 04 00 00 00 and the tail decodes to "This pr".
        // Presumably the script's base64-embedded PE payload. NOTE(review): this
        // prefix is shared by any base64-encoded PE with the same DOS stub and
        // e_lfanew, so it is not Mimikatz-specific on its own — confirm its
        // false-positive rate before relying on it alone.
        $x2 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm" ascii
        // Memory-write call presumably taken from the script source; "fullword"
        // requires the match to be bounded by non-alphanumeric characters.
        $x3 = "Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp" fullword ascii
    condition:
        // Same as "1 of them": one matching string is enough.
        any of them
}