Modified mimikatz rule to exclude low performing expr

2024-11-06 18:15:20 +00:00 · 2018-08-26 12:38:07 +02:00 · 2018-08-26 12:38:07 +02:00 · 3fb661511c
commit 3fb661511c
parent bdafac9a25
1 changed files with 5 additions and 1 deletions
--- a/yara/thor-hacktools.yar
+++ b/yara/thor-hacktools.yar
@ -2848,14 +2848,18 @@ rule mimikatz
      $exe_x64_1      = { 33 ff 4? 89 37 4? 8b f3 45 85 c? 74}
      $exe_x64_2      = { 4c 8b df 49 [0-3] c1 e3 04 48 [0-3] 8b cb 4c 03 [0-3] d8 }

+/*
      $dll_1         = { c7 0? 00 00 01 00 [4-14] c7 0? 01 00 00 00 }
      $dll_2         = { c7 0? 10 02 00 00 ?? 89 4? }
+*/

      $sys_x86      = { a0 00 00 00 24 02 00 00 40 00 00 00 [0-4] b8 00 00 00 6c 02 00 00 40 00 00 00 }
      $sys_x64      = { 88 01 00 00 3c 04 00 00 40 00 00 00 [0-4] e8 02 00 00 f8 02 00 00 40 00 00 00 }

   condition:
-      (all of ($exe_x86_*)) or (all of ($exe_x64_*)) or (all of ($dll_*)) or (any of ($sys_*))
+      (all of ($exe_x86_*)) or (all of ($exe_x64_*))
+      // or (all of ($dll_*))
+      or (any of ($sys_*))
 }

 rule wce