fix: moved lsadump rule from general rules to the ext vars file

2024-11-06 10:05:18 +00:00 · 2019-01-19 12:22:32 +01:00 · 2019-01-19 12:22:32 +01:00 · caef03b95b
commit caef03b95b
parent c7b875a932
3 changed files with 29 additions and 30 deletions
--- a/yara/apt_uscert_ta17-1117a.yar
+++ b/yara/apt_uscert_ta17-1117a.yar
@ -59,7 +59,7 @@ rule REDLEAVES_CoreImplant_UniqueStrings {
 rule PLUGX_RedLeaves {
    meta:
        author = "US-CERT Code Analysis Team"
-        date = "03042017"
+        date = "03.04.2017"
        reference = "https://www.us-cert.gov/ncas/alerts/TA17-117A"
        incident = "10118538"
        date = "2017-04-03"
--- a/yara/thor-hacktools.yar
+++ b/yara/thor-hacktools.yar
@ -2992,35 +2992,6 @@ rule wce
      any of them
 }

-
-rule lsadump
-{
-   meta:
-      description      = "LSA dump programe (bootkey/syskey) - pwdump and others"
-      author         = "Benjamin DELPY (gentilkiwi)"
-      score         = 80
-      nodeepdive = 1
-   strings:
-      $str_sam_inc   = "\\Domains\\Account" ascii nocase
-      $str_sam_exc   = "\\Domains\\Account\\Users\\Names\\" ascii nocase
-      $hex_api_call   = {(41 b8 | 68) 00 00 00 02 [0-64] (68 | ba) ff 07 0f 00 }
-      $str_msv_lsa   = { 4c 53 41 53 52 56 2e 44 4c 4c 00 [0-32] 6d 73 76 31 5f 30 2e 64 6c 6c 00 }
-      $hex_bkey      = { 4b 53 53 4d [20-70] 05 00 01 00}
-
-      $fp1 = "Sysinternals" ascii
-      $fp2 = "Apple Inc." ascii wide
-      $fp3 = "Kaspersky Lab" ascii fullword
-      $fp4 = "ESET Security" ascii
-   condition:
-      uint16(0) == 0x5a4d and
-      (($str_sam_inc and not $str_sam_exc) or $hex_api_call or $str_msv_lsa or $hex_bkey )
-      and not 1 of ($fp*)
-      and not filename contains "Regdat"
-      and not filetype == "EXE"
-      and not filepath contains "Dr Watson"
-      and not extension == "vbs"
-}
-
 rule power_pe_injection
 {
   meta:
--- a/yara/yara_mixed_ext_vars.yar
+++ b/yara/yara_mixed_ext_vars.yar
@ -310,3 +310,31 @@ rule mimikatz_lsass_mdmp
   condition:
      (uint32(0) == 0x504d444d) and $lsass and filesize > 50000KB and not filename matches /WER/
 }
+
+rule lsadump {
+   meta:
+      description      = "LSA dump programe (bootkey/syskey) - pwdump and others"
+      author         = "Benjamin DELPY (gentilkiwi)"
+      score         = 80
+      nodeepdive = 1
+   strings:
+      $str_sam_inc   = "\\Domains\\Account" ascii nocase
+      $str_sam_exc   = "\\Domains\\Account\\Users\\Names\\" ascii nocase
+      $hex_api_call   = {(41 b8 | 68) 00 00 00 02 [0-64] (68 | ba) ff 07 0f 00 }
+      $str_msv_lsa   = { 4c 53 41 53 52 56 2e 44 4c 4c 00 [0-32] 6d 73 76 31 5f 30 2e 64 6c 6c 00 }
+      $hex_bkey      = { 4b 53 53 4d [20-70] 05 00 01 00}
+
+      $fp1 = "Sysinternals" ascii
+      $fp2 = "Apple Inc." ascii wide
+      $fp3 = "Kaspersky Lab" ascii fullword
+      $fp4 = "ESET Security" ascii
+      $fp5 = "Disaster Recovery Module" wide
+   condition:
+      uint16(0) == 0x5a4d and
+      (($str_sam_inc and not $str_sam_exc) or $hex_api_call or $str_msv_lsa or $hex_bkey )
+      and not 1 of ($fp*)
+      and not filename contains "Regdat"
+      and not filetype == "EXE"
+      and not filepath contains "Dr Watson"
+      and not extension == "vbs"
+}