signature-base/yara/generic_dumps.yar

/* Disabled due to Benjamin Delphys sig overlap
rule LSASS_memory_dump_file {
   meta:
      description = "Detects a LSASS memory dump file"
      license = "https://creativecommons.org/licenses/by-nc/4.0/"
      author = "Florian Roth"
      date = "2015/03/31"
      memory = 0
      score = 50
   strings:
      $s1 = "lsass.exe" ascii fullword
      $s2 = "wdigest.DLL" wide nocase
   condition:
        uint32(0) == 0x504D444D and all of them
} */

rule NTLM_Dump_Output {
   meta:
      description = "NTML Hash Dump output file - John/LC format"
      license = "https://creativecommons.org/licenses/by-nc/4.0/"
      author = "Florian Roth"
      date = "2015-10-01"
      score = 75
   strings:
      $s0 = "500:AAD3B435B51404EEAAD3B435B51404EE:" ascii
      $s1 = "500:aad3b435b51404eeaad3b435b51404ee:" ascii
   condition:
      1 of them
}

rule Gsecdump_password_dump_file {
   meta:
      description = "Detects a gsecdump output file"
      license = "https://creativecommons.org/licenses/by-nc/4.0/"
      author = "Florian Roth"
      reference = "https://t.co/OLIj1yVJ4m"
      date = "2018-03-06"
      score = 65
   strings:
      $x1 = "Administrator(current):500:" ascii
   condition:
      uint32be(0) == 0x41646d69 and filesize < 3000 and $x1 at 0
}

rule SUSP_ZIP_NtdsDIT : T1003_003 {
   meta:
      description = "Detects ntds.dit files in ZIP archives that could be a left over of administrative activity or traces of data exfiltration"
      author = "Florian Roth"
      score = 50
      reference = "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/"
      date = "2020-08-10"
   strings:
      $s1 = "ntds.dit" ascii 
   condition:
      uint16(0) == 0x4b50 and
      $s1 in (0..256)
}
First Signature Set 2016-02-15 09:22:28 +00:00			`/* Disabled due to Benjamin Delphys sig overlap`
			`rule LSASS_memory_dump_file {`
Updated generic dump files : gesecdump output 2018-03-08 17:48:40 +00:00			`meta:`
			`description = "Detects a LSASS memory dump file"`
rule: suspicious ntds.dit file in zip 2020-08-10 15:50:50 +00:00			`license = "https://creativecommons.org/licenses/by-nc/4.0/"`
Updated generic dump files : gesecdump output 2018-03-08 17:48:40 +00:00			`author = "Florian Roth"`
			`date = "2015/03/31"`
			`memory = 0`
			`score = 50`
			`strings:`
			`$s1 = "lsass.exe" ascii fullword`
			`$s2 = "wdigest.DLL" wide nocase`
			`condition:`
First Signature Set 2016-02-15 09:22:28 +00:00			`uint32(0) == 0x504D444D and all of them`
			`} */`

			`rule NTLM_Dump_Output {`
Updated generic dump files : gesecdump output 2018-03-08 17:48:40 +00:00			`meta:`
			`description = "NTML Hash Dump output file - John/LC format"`
rule: suspicious ntds.dit file in zip 2020-08-10 15:50:50 +00:00			`license = "https://creativecommons.org/licenses/by-nc/4.0/"`
Updated generic dump files : gesecdump output 2018-03-08 17:48:40 +00:00			`author = "Florian Roth"`
			`date = "2015-10-01"`
			`score = 75`
			`strings:`
			`$s0 = "500:AAD3B435B51404EEAAD3B435B51404EE:" ascii`
			`$s1 = "500:aad3b435b51404eeaad3b435b51404ee:" ascii`
			`condition:`
			`1 of them`
			`}`

			`rule Gsecdump_password_dump_file {`
			`meta:`
			`description = "Detects a gsecdump output file"`
rule: suspicious ntds.dit file in zip 2020-08-10 15:50:50 +00:00			`license = "https://creativecommons.org/licenses/by-nc/4.0/"`
Updated generic dump files : gesecdump output 2018-03-08 17:48:40 +00:00			`author = "Florian Roth"`
			`reference = "https://t.co/OLIj1yVJ4m"`
			`date = "2018-03-06"`
			`score = 65`
			`strings:`
			`$x1 = "Administrator(current):500:" ascii`
			`condition:`
			`uint32be(0) == 0x41646d69 and filesize < 3000 and $x1 at 0`
First Signature Set 2016-02-15 09:22:28 +00:00			`}`
rule: suspicious ntds.dit file in zip 2020-08-10 15:50:50 +00:00
			`rule SUSP_ZIP_NtdsDIT : T1003_003 {`
			`meta:`
			`description = "Detects ntds.dit files in ZIP archives that could be a left over of administrative activity or traces of data exfiltration"`
			`author = "Florian Roth"`
			`score = 50`
			`reference = "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/"`
			`date = "2020-08-10"`
			`strings:`
			`$s1 = "ntds.dit" ascii`
			`condition:`
			`uint16(0) == 0x4b50 and`
			`$s1 in (0..256)`
			`}`